  • Finding out legacy TLS v1.0

    I need to find out whether a given website still supports TLS v1.0 and tried customizing the default "Core" detection scope in WAS by adding a "Custom Search Lists". Unfortunately while adding ...
    Luca Gualteri
    last modified by Luca Gualteri
  • WAS Security Testing of Web Services

    Hello, Qualys WAS supports basic security testing of SOAP-based web services that have a Web Service Description Language (WSDL) file within the scope of the scan. If WAS identifies a WSDL file that des...
    last modified by fmc
  • 150022 Verbose Error Message, Can't reproduce

    I'm receiving 150022 Verbose Error Message vulnerabilities in my WAS scan reports that I'm not able to reproduce. All 11 of these vulnerabilities are showing a 500 error response "Server Error". ...
    Bradley Buntin
    last modified by Bradley Buntin
  • Issues running WAS scan on web application that doesn't support IE

    Hi, I have an open case since last week with not much progress but hoping someone here might have an answer. I have 4 web apps to scan that no longer support IE. Selenium script is failing because it can't find the s...
    Matt MacDonald
    last modified by Matt MacDonald
  • Selenium IDE incompatible with Firefox 55

    WAS customers using Selenium scripts should not update to Firefox 55 at this time due to incompatibility with the Selenium IDE extension. https://seleniumhq.wordpress.com/2017/08/09/firefox-55-and-selenium-ide/
    Dave Ferguson
    last modified by Dave Ferguson
  • MDS uses separate Scanner IP address

    Team, I would like to know whether the MDS module uses a separate scanner, and if so, how to find that IP in scan reports. We could see the IP address in WAS reports but not in MDS reports.
    last modified by shanmugammanian
  • New detection for CVE-2017-12611

    Greetings! A new detection in WAS has been released for CVE-2017-12611. This CVE is for another serious Apache Struts vulnerability. In this case, a remote code execution (RCE) is possible when dev...
    Dave Ferguson
    created by Dave Ferguson
  • New detection for CVE-2017-9805

    Hi everyone, Just letting you know that a new detection in WAS has been released for CVE-2017-9805. This CVE is for a nasty vulnerability in Apache Struts (yes, another one) that occurs when the Struts R...
    Dave Ferguson
    last modified by Dave Ferguson
  • Qualys WAS Introduces Three New QIDs for Javascript Libraries and Content Management Systems

    Qualys Web Application Scanning (WAS) has added three new QIDs for: the use of Javascript libraries with known vulnerabilities (QID 150162), a listing of Javascript libraries used and detected (QID 150176) and our fir...
    created by fmc
  • 150004 Path-Based Vulnerability - possible false detection?

    150004 Path-Based Vulnerability - possible false detection? I ran the Qualys scan recently and it reported 10 counts of path disclosure. The vulnerability is showing up because we are getting a response o...
    James Curry
    last modified by James Curry
  • A little frustrated

    Spent 15 minutes manually finding XSS problems and 16 hours trying to get WAS to find and report on them. Tried different Selenium scripts to find the form (in this case, it was a 'Search:...' box). I don't th...
    Michael Scheidell
    last modified by Michael Scheidell
  • Qualys WAS - API Access Issue

    Hi Team, This is regarding Qualys WAS APIs. We are trying to run Qualys WAS API using below command: curl -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/qps/rest/3.0/get/was/wasscan/ID" We replaced ID ...
    varun singhal
    last modified by varun singhal
  • Web Application List based on Tag Names

    Hi, I am trying to export Web Application lists based on tags. Please let me know, is there any way we can export all the Web Applications list in one shot with all tags present in it?
    Shanmugam Manian
    last modified by Shanmugam Manian
  • WAS capabilities

    Hi, we have started using WAS. Would like to ask the support from the community or the Qualys team to explain to what extent Qualys WAS supports analyzing the following technologies that are used in web app...
    last modified by marioc
  • Qualys WAS API Client - PrevQAPI

    In the holiday spirit PrevSec is sharing PrevQAPI - a free WAS API command line interface that enhances the powerful WAS API with additional client-side features. PrevQAPI simplifies some of the most common ...
    Will Bechtel
    created by Will Bechtel
  • New WAS QID 150126 for Links With High Resource Consumption (HTTP Time Bandit)

    Qualys has released a new WAS QID, 150126, to detect links with high resource consumption. Description: Initially presented at DEFCON 21 by Qualys researchers Tigran Gevorgyan and Vaagn Toukharian, HTTP Time Band...
    Steve McBride
    created by Steve McBride
  • New WAS QID 150142 for Virtual Host Discovery

    Qualys WAS now includes a new Information Gathered QID, 150142, for Virtual Host Discovery using HOST headers in HTTP(s) requests. Description: Web servers commonly serve multiple applications, configured as ...
    Steve McBride
    last modified by Steve McBride
  • How Does Qualys Risk Rank Web Application Vulnerabilities?

    Thank you to Boyd White for his hard work getting this all together. How Does Qualys Risk Rank Web Application Vulnerabilities? Every web application Qualys Identifier (QID) is assigne...
    last modified by fmc
  • New WAS QID 150134 for Bash Bug ShellShock

    Hello All, Please read this complete post regarding the new WAS QID 150134 for Bash Bug ShellShock. This QID will go live tonight (09/29/2014). ***PLEASE NOTE: We will be adding additional checks within the ...
    created by fmc
  • New WAS QID - 150129 Insufficient Session Protection/Regeneration - Details

    New WAS QID - 150129 Insufficient Session Protection/Regeneration - Details. Hello, By the end of day, Tuesday 9/2/2014, Qualys will release a new QID for WAS. It is QID 150129 for Insufficient ...
    created by fmc