A new release of Qualys WAS, Version 4.0, which includes an API update, is targeted for release in mid-December. The updated APIs for WAS 4.0 enable customers to fully automate and integrate the Qualys WAS solution with their existing applications. The WAS APIs cover all the major functions within WAS, including creating web applications to scan, launching and scheduling scans, and running and retrieving reports. They enable custom integrations with GRC tools, bug tracking systems and web application firewalls (WAFs), to name a few.

 

The exact dates for the release depend on the platform your subscription is on; release dates are announced per platform.

A review of the many new UI features and enhancements is published separately.

 

This API notification provides an early preview of the coming API changes in Qualys WAS 4.0, allowing you to proactively identify any changes that might be required for your automated scripts or programs that use the API methods. Two API modifications in this release may impact existing API implementations and required a 30-day notification, which can be found at Qualys WAS 4.0 API Release Notification. The changes below are based on Progressive Scanning, a limited-release feature, and therefore should not affect any subscription that does not have the feature enabled.

 

Full release notes will be available to customers on the day of the release.

 

Details are in the attached document; a high-level summary of the APIs updated follows:

 

Progressive Scanning

 

Web App API

  • Schema: webapp.xsd
  • Create/Update Web Application
  • GET web application

 

Scan API

  • Schema: scan.xsd / wasscan.xsd
  • Launch Scan
  • GET scan

 

Schedule API

  • Schema: schedule.xsd / wasscanschedule.xsd
  • Create/Update Schedule
  • GET Schedule

 

Scan Report (XML)

 

Findings API

  • Schema: finding.xsd
  • Get Finding

 

See attached PDF for details of changes and examples.

 

 

What is the <baseurl>?

This is the API server URL where your Qualys account is located. For an account on US Platform 1, this is <qualysapi.qualys.com>; on US Platform 2, this is <qualysapi.qg2.apps.qualys.com>; on EU Platform, this is <qualysapi.qualys.eu>.

A new release of Qualys Cloud Suite, Version 8.3, includes an API update which is targeted for release in December 2014.

 

This API notification provides an early preview into the coming API changes in Qualys Cloud Suite 8.3, allowing you to proactively identify new opportunities to automate your Qualys service or to integrate with other applications.


Please review the attached document below for more details about the 8.3 API Features.

 

Full release notes will be available to customers on the day of the release.

 

API Enhancements

New Authentication Vault API v2: The new Vault API (/api/2.0/fo/vault) allows you to manage authentication vaults for authentication records that use them. Using this API you can list vaults, create new vaults, update and view vault settings, and delete vaults. Permissions: Managers, Unit Managers and Scanners can view vaults and their settings. Managers can perform more functions (create, update, delete). Unit Managers can perform these functions if they are granted the permission "Create/edit authentication records/vaults".

 

A new release of Qualys WAS, Version 4.0 which includes an API update, is targeted for release in mid-December.

 

This API notification provides an early preview of the coming API changes in Qualys WAS 4.0, allowing you to proactively identify any changes that might be required for your automated scripts or programs that use the API methods. Two API modifications in this release may impact existing API implementations and require a 30-day notification. Additional new API features will be covered at a later date, along with additional details and examples.

 

Full release notes will be available to customers on the day of the release.

 

API Enhancements: Updates to Web App API

We updated the XSD of the Web App API to provide the screenshot of the initial page for those web applications that have already been scanned.

 

Base64 Encoding

To encode the screenshots we use URL-safe base64, as for other elements in our APIs (see http://search.cpan.org/~kazuho/MIME-Base64-URLSafe-0.01/lib/MIME/Base64/URLSafe.pm for a good explanation):

 

The following characters are therefore replaced in the base64 content:

  • / with _
  • + with -

 

Sample Response:

 

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
evaluation: false
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Tue, 09 Sep 2014 06:33:49 GMT
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://demoxx.qualys.com/portal-api/xsd/3.0/was/webapp.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <WebApp>
      <id>324836</id>
      <name><![CDATA[Web App with SA 'is_quays_demo']]></name>
      <url><![CDATA[http://10.1.1.238]]></url>
      <os>Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP</os>
      <owner>
        <id>123056</id>
        <username>quays_at3</username>
        <firstName><![CDATA[John]]></firstName>
        <lastName><![CDATA[Doe]]></lastName>
      </owner>
      <scope>ALL</scope>
      <attributes>
        <count>0</count>
      </attributes>
      <defaultProfile>
        <id>1072</id>
        <name><![CDATA[Initial WAS Optionss]]></name>
      </defaultProfile>
      <defaultScanner>
        <type>INTERNAL</type>
        <friendlyName><![CDATA[DEV.FR.01]]></friendlyName>
      </defaultScanner>
      <scannerLocked>true</scannerLocked>
      <urlBlacklist>
        <count>1</count>
        <list>
          <UrlEntry regex="true"><![CDATA[http://www.demoxx.com/*]]></UrlEntry>
        </list>
      </urlBlacklist>
      <urlWhitelist>
        <count>0</count>
      </urlWhitelist>
      <postDataBlacklist>
        <count>0</count>
      </postDataBlacklist>
      <authRecords>
        <count>2</count>
        <list>
          <WebAppAuthRecord>
            <id>1910</id>
            <name><![CDATA[test 2]]></name>
          </WebAppAuthRecord>
          <WebAppAuthRecord>
            <id>1909</id>
            <name><![CDATA[test (ID=1909,Web App with SA 'is_quays_demo')]]></name>
          </WebAppAuthRecord>
        </list>
      </authRecords>
      <useRobots>IGNORE</useRobots>
      <useSitemap>false</useSitemap>
      <malwareMonitoring>false</malwareMonitoring>
      <tags>
        <count>0</count>
      </tags>
      <comments>
        <count>0</count>
      </comments>
      <isScheduled>true</isScheduled>
      <lastScan>
        <id>31193</id>
        <name><![CDATA[Was Scan Test 1 - 2014-05-23]]></name>
      </lastScan>
      <createdBy>
        <id>123056</id>
        <username>quays_demo</username>
        <firstName><![CDATA[Axels]]></firstName>
        <lastName><![CDATA[Tex]]></lastName>
      </createdBy>
      <createdDate>2012-02-16T15:35:49Z</createdDate>
      <updatedBy>
        <id>123056</id>
        <username>quays_demo</username>
        <firstName><![CDATA[John]]></firstName>
        <lastName><![CDATA[Doe]]></lastName>
      </updatedBy>
      <updatedDate>2014-08-28T12:39:51Z</updatedDate>
      <screenshot><![CDATA[_9j_4AAQSkZJRgABAQEAegBrAAD_2wBDAAYEBQYFBAYGBQYHBwYIChAKCgkJChQODwwQFxQYGBcUFhYaHSUfGhsjHBYW......  SHORTENED FOR BREVITY.......KKKKACiiigD__2Q]]></screenshot>
    </WebApp>
  </data>
</ServiceResponse>
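As an added example (not code from this notification or from Qualys), the following Python script pulls the screenshot out of a GET web application response and writes it to disk. It assumes, following the MIME::Base64::URLSafe module linked above and the sample response (which ends without "="), that the encoding also omits trailing "=" padding, so padding is restored before a strict decode. The response and the JPEG bytes are constructed for the example; the function names are the example's own. Two checks a script that stores these images should make: the web application id is forced to an integer before it becomes part of a filename, and the decoded bytes are checked for the JPEG signature before they are written with a .jpg extension.

```python
import base64
import re
from pathlib import Path

try:
    from defusedxml.ElementTree import fromstring  # hardened parser, if installed
except ImportError:
    from xml.etree.ElementTree import fromstring   # stdlib fallback


def urlsafe_b64encode_unpadded(data: bytes) -> str:
    """Encode as the linked MIME::Base64::URLSafe does: '+'->'-', '/'->'_', no '=' padding."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


# Constructed sample, not a real screenshot: JPEG SOI marker, a minimal JFIF
# APP0 segment and the EOI marker. Real screenshots are complete JPEG files.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00\xff\xd9"

# Constructed GET web application response, trimmed to the fields used here.
SAMPLE_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse>
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <WebApp>
      <id>324836</id>
      <name><![CDATA[Web App with SA 'is_quays_demo']]></name>
      <screenshot><![CDATA[{urlsafe_b64encode_unpadded(FAKE_JPEG)}]]></screenshot>
    </WebApp>
  </data>
</ServiceResponse>
"""

_URLSAFE_ALPHABET = re.compile(r"^[A-Za-z0-9_-]*$")
JPEG_MAGIC = b"\xff\xd8\xff"   # SOI marker followed by the first segment marker


def decode_screenshot(encoded: str) -> bytes:
    """Reverse the URL-safe encoding: check the alphabet, restore padding, decode strictly."""
    encoded = encoded.strip()
    if not _URLSAFE_ALPHABET.match(encoded):
        raise ValueError("screenshot is not URL-safe base64")
    if len(encoded) % 4 == 1:
        raise ValueError("truncated base64 (length mod 4 == 1)")
    padded = encoded + "=" * (-len(encoded) % 4)        # padding was stripped by the encoder
    standard = padded.translate(str.maketrans("-_", "+/"))
    return base64.b64decode(standard, validate=True)    # validate=True rejects stray characters


def is_jpeg(data: bytes) -> bool:
    """Cheap content check before the bytes are written out with a .jpg extension."""
    return data.startswith(JPEG_MAGIC)


def extract_screenshots(xml_text: str) -> dict:
    """Return {web application id: JPEG bytes} for every WebApp in the response that has one."""
    root = fromstring(xml_text)
    code = root.findtext("responseCode")
    if code != "SUCCESS":
        raise RuntimeError(f"API call failed with responseCode {code}")
    shots = {}
    for webapp in root.iter("WebApp"):
        encoded = webapp.findtext("screenshot")
        if not encoded:
            continue                                   # never scanned: no screenshot yet
        webapp_id = int(webapp.findtext("id"))         # the id ends up in a filename: integers only
        data = decode_screenshot(encoded)
        if not is_jpeg(data):
            raise ValueError(f"web application {webapp_id}: screenshot is not a JPEG")
        shots[webapp_id] = data
    return shots


def save_screenshots(xml_text: str, outdir: str) -> list:
    """Write each screenshot to <outdir>/webapp-<id>.jpg and return the paths written."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for webapp_id, data in extract_screenshots(xml_text).items():
        path = out / f"webapp-{webapp_id}.jpg"
        path.write_bytes(data)
        written.append(str(path))
    return written


if __name__ == "__main__":
    print(save_screenshots(SAMPLE_RESPONSE, "screenshots"))
```

The decoder translates back to the standard alphabet and calls base64.b64decode with validate=True rather than base64.urlsafe_b64decode, because the latter silently discards characters outside the alphabet; a response that has been corrupted in transit or by an intermediate proxy then fails loudly instead of producing a truncated image.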

API Enhancements: New Severity Levels Appendix added to XML Reports

The update below does not directly impact API calls, but does impact XML and other formats of reports that may be processed via API scripts and is therefore included in this notice.

 

We’ll include the new Severity Levels appendix in Scan and Web Application Reports by default. This helps you understand what the severity levels mean. When the Severity Levels appendix is included, the section /APPENDIX/SEVERITY_CATEGORY_LIST appears in the XML reports with a description for each finding category (vulnerabilities, sensitive contents, information gathered) and severity level.

 

Example XML Web App Report

 

 

<?xml version="1.0" encoding="UTF-8"?>
<WAS_WEBAPP_REPORT>
    <HEADER>
        <NAME><![CDATA[Web Application Report]]></NAME>
        <DESCRIPTION><![CDATA[Each targeted web application is listed with the total number of detected vulnerabilities and sensitive content.]]></DESCRIPTION>
        <GENERATION_DATETIME>2014-11-03T21:44:17Z</GENERATION_DATETIME>
        <COMPANY_INFO>
            <NAME><![CDATA[Qualys Demo]]></NAME>
            <ADDRESS><![CDATA[324242 34535]]></ADDRESS>
            <CITY><![CDATA[any]]></CITY>
            <STATE><![CDATA[None]]></STATE>
            <COUNTRY>Togo</COUNTRY>
            <ZIP_CODE><![CDATA[23123123]]></ZIP_CODE>
        </COMPANY_INFO>
        <USER_INFO>
            <NAME><![CDATA[Demo Demolast]]></NAME>
            <USERNAME>quays_demo</USERNAME>
        </USER_INFO>
    </HEADER>
    <FILTERS>
        <FILTER>
            <NAME><![CDATA[FINDING_STATUS]]></NAME>
            <VALUE>New,Active,Re-Opened</VALUE>
        </FILTER>
    </FILTERS>
    <TARGET>
        <WEB_APPLICATIONS>
            <WEB_APPLICATION><![CDATA[test bamboo]]></WEB_APPLICATION>
        </WEB_APPLICATIONS>
    </TARGET>
    <RESULTS>
        <WEB_APPLICATION>
            <ID>1576755669</ID>
            <NAME><![CDATA[test bamboo]]></NAME>
            <VULNERABILITY_LIST>
...(removed for brevity)
            </VULNERABILITY_LIST>
        </WEB_APPLICATION>
    </RESULTS>
    <APPENDIX>
        <WEB_APPLICATION>
            <ID>1576755669</ID>
            <NAME><![CDATA[test bamboo]]></NAME>
            <URL><![CDATA[http://www.demoapp.com]]></URL>
            <OWNER>Demo DemoLast (quays_demo)</OWNER>
            <OPERATING_SYSTEM><![CDATA[Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP]]></OPERATING_SYSTEM>
            <SCOPE>Limit to URL hostname</SCOPE>
        </WEB_APPLICATION>
        <SEVERITY_CATEGORY_LIST>
            <SEVERITY_CATEGORY>
                <NAME><![CDATA[VULNERABILITY]]></NAME>
                <DESCRIPTION><![CDATA[Vulnerabilities (QIDs) are design flaws, programming errors, or mis-configurations that make your web application and web application platform susceptible to malicious attacks. Depending on the level of the security risk, the successful exploitation of a vulnerability can vary from the disclosure of information to a complete compromise of the web application and/or the web application platform. Even if the web application isn't fully compromised, an exploited vulnerability could still lead to the web application being used to launch attacks against users of the site.]]></DESCRIPTION>
                <SEVERITY_LEVEL_LIST>
                    <SEVERITY_LEVEL>
                        <SEVERITY>1</SEVERITY>
                        <LEVEL>Minimal</LEVEL>
                        <DESCRIPTION><![CDATA[Basic information disclosure (e.g. web server type, programming language) might enable intruders to discover other vulnerabilities, but lack of this information does not make the vulnerability harder to find.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>2</SEVERITY>
                        <LEVEL>Medium</LEVEL>
                        <DESCRIPTION><![CDATA[Intruders may be able to collect sensitive information about the application platform, such as the precise version of software used. With this information, intruders can easily exploit known vulnerabilities specific to software versions. Other types of sensitive information might disclose a few lines of source code or hidden directories.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>3</SEVERITY>
                        <LEVEL>Serious</LEVEL>
                        <DESCRIPTION><![CDATA[Vulnerabilities at this level typically disclose security-related information that could result in misuse or an exploit. Examples include source code disclosure or transmitting authentication credentials over non-encrypted channels.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>4</SEVERITY>
                        <LEVEL>Critical</LEVEL>
                        <DESCRIPTION><![CDATA[Intruders can exploit the vulnerability to gain highly sensitive content or affect other users of the web application. Examples include certain types of cross-site scripting and SQL injection attacks.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>5</SEVERITY>
                        <LEVEL>Urgent</LEVEL>
                        <DESCRIPTION><![CDATA[Intruders can exploit the vulnerability to compromise the web application's data store, obtain information from other users' accounts, or obtain command execution on a host in the web application's architecture.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                </SEVERITY_LEVEL_LIST>
            </SEVERITY_CATEGORY>
            <SEVERITY_CATEGORY>
                <NAME><![CDATA[SENSITIVE_CONTENT]]></NAME>
                <DESCRIPTION><![CDATA[Sensitive content may be detected based on known patterns (credit card numbers, social security numbers) or custom patterns (strings, regular expressions), depending on the option profile used. Intruders may gain access to sensitive content that could result in misuse or other exploits.]]></DESCRIPTION>
                <SEVERITY_LEVEL_LIST>
                    <SEVERITY_LEVEL>
                        <SEVERITY>1</SEVERITY>
                        <LEVEL>Minimal</LEVEL>
                        <DESCRIPTION><![CDATA[Sensitive content was found in the web server response. During our scan of the site form(s) were found with field(s) for credit card number or social security number. This information disclosure could result in a confidentiality breach and could be a target for intruders. For this reason we recommend caution.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>2</SEVERITY>
                        <LEVEL>Medium</LEVEL>
                        <DESCRIPTION><![CDATA[Sensitive content was found in the web server response. Specifically our service found a certain sensitive content pattern (defined in the option profile). This information disclosure could result in a confidentiality breach and could be a target for intruders. For this reason we recommend caution.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>3</SEVERITY>
                        <LEVEL>Serious</LEVEL>
                        <DESCRIPTION><![CDATA[Sensitive content was found in the web server response - a valid social security number or credit card information. This infomation disclosure could result in a confidentiality breach, and it gives intruders access to valid sensitive content that could be misused.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                </SEVERITY_LEVEL_LIST>
            </SEVERITY_CATEGORY>
            <SEVERITY_CATEGORY>
                <NAME><![CDATA[INFORMATION_GATHERED]]></NAME>
                <DESCRIPTION><![CDATA[Information Gathered issues (QIDs) include visible information about the web application's platform, code, or architecture. It may also include information about users of the web application.]]></DESCRIPTION>
                <SEVERITY_LEVEL_LIST>
                    <SEVERITY_LEVEL>
                        <SEVERITY>1</SEVERITY>
                        <LEVEL>Minimal</LEVEL>
                        <DESCRIPTION><![CDATA[Intruders may be able to retrieve sensitive information related to the web application platform.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>2</SEVERITY>
                        <LEVEL>Medium</LEVEL>
                        <DESCRIPTION><![CDATA[Intruders may be able to retrieve sensitive information related to internal functionality or business logic of the web application.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>3</SEVERITY>
                        <LEVEL>Serious</LEVEL>
                        <DESCRIPTION><![CDATA[Intruders may be able to detect highly sensitive data, such as personally identifiable information (PII) about other users of the web application.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                </SEVERITY_LEVEL_LIST>
            </SEVERITY_CATEGORY>
        </SEVERITY_CATEGORY_LIST>
    </APPENDIX>
</WAS_WEBAPP_REPORT>
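An added example (not from this notification) of how an API script that processes XML Web Application Reports can pick up the new appendix without breaking when a report is generated without it: it parses /APPENDIX/SEVERITY_CATEGORY_LIST into a lookup, checks that each category defines a contiguous 1..N scale so labels cannot be ambiguous, and labels a finding by category and severity. The report fragment is constructed from the sample above with the descriptions shortened and the INFORMATION_GATHERED category left out; the function names are the example's own.

```python
try:
    from defusedxml.ElementTree import fromstring  # hardened parser, if installed
except ImportError:
    from xml.etree.ElementTree import fromstring   # stdlib fallback

# Constructed report: header and result trimmed, appendix kept. Severity
# numbers and level names follow the sample report; descriptions shortened.
REPORT_WITH_APPENDIX = """<?xml version="1.0" encoding="UTF-8"?>
<WAS_WEBAPP_REPORT>
  <HEADER><GENERATION_DATETIME>2014-11-03T21:44:17Z</GENERATION_DATETIME></HEADER>
  <RESULTS><WEB_APPLICATION><ID>1576755669</ID><NAME><![CDATA[test bamboo]]></NAME></WEB_APPLICATION></RESULTS>
  <APPENDIX>
    <SEVERITY_CATEGORY_LIST>
      <SEVERITY_CATEGORY>
        <NAME><![CDATA[VULNERABILITY]]></NAME>
        <SEVERITY_LEVEL_LIST>
          <SEVERITY_LEVEL><SEVERITY>1</SEVERITY><LEVEL>Minimal</LEVEL><DESCRIPTION><![CDATA[Basic information disclosure.]]></DESCRIPTION></SEVERITY_LEVEL>
          <SEVERITY_LEVEL><SEVERITY>2</SEVERITY><LEVEL>Medium</LEVEL><DESCRIPTION><![CDATA[Sensitive platform information.]]></DESCRIPTION></SEVERITY_LEVEL>
          <SEVERITY_LEVEL><SEVERITY>3</SEVERITY><LEVEL>Serious</LEVEL><DESCRIPTION><![CDATA[Security-related information disclosure.]]></DESCRIPTION></SEVERITY_LEVEL>
          <SEVERITY_LEVEL><SEVERITY>4</SEVERITY><LEVEL>Critical</LEVEL><DESCRIPTION><![CDATA[Certain XSS and SQL injection.]]></DESCRIPTION></SEVERITY_LEVEL>
          <SEVERITY_LEVEL><SEVERITY>5</SEVERITY><LEVEL>Urgent</LEVEL><DESCRIPTION><![CDATA[Data store compromise or command execution.]]></DESCRIPTION></SEVERITY_LEVEL>
        </SEVERITY_LEVEL_LIST>
      </SEVERITY_CATEGORY>
      <SEVERITY_CATEGORY>
        <NAME><![CDATA[SENSITIVE_CONTENT]]></NAME>
        <SEVERITY_LEVEL_LIST>
          <SEVERITY_LEVEL><SEVERITY>1</SEVERITY><LEVEL>Minimal</LEVEL><DESCRIPTION><![CDATA[Form fields for card or SSN data.]]></DESCRIPTION></SEVERITY_LEVEL>
          <SEVERITY_LEVEL><SEVERITY>2</SEVERITY><LEVEL>Medium</LEVEL><DESCRIPTION><![CDATA[Custom sensitive content pattern matched.]]></DESCRIPTION></SEVERITY_LEVEL>
          <SEVERITY_LEVEL><SEVERITY>3</SEVERITY><LEVEL>Serious</LEVEL><DESCRIPTION><![CDATA[Valid SSN or card data found.]]></DESCRIPTION></SEVERITY_LEVEL>
        </SEVERITY_LEVEL_LIST>
      </SEVERITY_CATEGORY>
    </SEVERITY_CATEGORY_LIST>
  </APPENDIX>
</WAS_WEBAPP_REPORT>
"""

# The same report as it looks when generated without the appendix (the section is optional).
REPORT_WITHOUT_APPENDIX = REPORT_WITH_APPENDIX.split("<APPENDIX>")[0] + "</WAS_WEBAPP_REPORT>\n"


def parse_severity_appendix(report_xml: str) -> dict:
    """Map category name -> {severity number: (level name, description)}.

    Returns an empty dict when the report carries no appendix, so a script
    that keys on it keeps working whether or not the section is present.
    """
    root = fromstring(report_xml)
    if root.tag != "WAS_WEBAPP_REPORT":
        raise ValueError(f"unexpected root element {root.tag}")
    categories = {}
    for cat in root.iterfind("./APPENDIX/SEVERITY_CATEGORY_LIST/SEVERITY_CATEGORY"):
        name = (cat.findtext("NAME") or "").strip()
        levels = {}
        for lvl in cat.iterfind("./SEVERITY_LEVEL_LIST/SEVERITY_LEVEL"):
            sev = int(lvl.findtext("SEVERITY"))
            if sev in levels:
                raise ValueError(f"{name}: duplicate severity {sev}")
            levels[sev] = (lvl.findtext("LEVEL"), lvl.findtext("DESCRIPTION"))
        # each category must define a contiguous 1..N scale, or labels would be ambiguous
        if sorted(levels) != list(range(1, len(levels) + 1)):
            raise ValueError(f"{name}: non-contiguous severities {sorted(levels)}")
        categories[name] = levels
    return categories


def severity_label(appendix: dict, category: str, severity: int) -> str:
    """Human label for a finding, e.g. 'Urgent (5)'; falls back to the bare number."""
    level = appendix.get(category, {}).get(severity)
    return f"{level[0]} ({severity})" if level else str(severity)


if __name__ == "__main__":
    appendix = parse_severity_appendix(REPORT_WITH_APPENDIX)
    for category, levels in appendix.items():
        print(category, {sev: name for sev, (name, _) in levels.items()})
    print(severity_label(appendix, "VULNERABILITY", 5))
```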