• New Detections Rolling Out for Vulnerable CMSs and CMS Plugins

    In a previous post, we described how Qualys WAS added new informational QIDs to report CMS versions and CMS plugins found on your scanned web applications.  Now, as part of the continuous improvement of the scann...
    Dave Ferguson
    last modified by Dave Ferguson
    • 2
    • 0
    • 1

  • WAF Understanding the basic

    Hi guys,   I m new to Qualys WAF platform, we recently bought licence for Qualys WAF, AM, etc.   I am having some problems understanding Qualys WAF, so , I have installed it on my virtual platform, success...
    tarik B
    last modified by tarik B
    • 1
    • 0
    • 2

  • Web Shell Detection in WAS

    Recently, the WAS scan engine began testing for the presence of known web shells via QID 150239.  This QID is included in Core detection scope.  If a web shell is found, it means the scanned application has ...
    Dave Ferguson
    last modified by Robert Dell'Immagine
    • 1
    • 0
    • 0

  • WAS Engine 7.3 Released

    Greetings!   WAS Engine 7.3 has been released to all Qualys platforms including private cloud platforms.  This release is part of our ongoing effort to continuously improve the WAS scanning engine.  Th...
    Dave Ferguson
    last modified by Dave Ferguson
    • 2
    • 0
    • 0

  • Unauthenticated scan finds assets/urls that I can't browse to...

    I'm sure this question will show my ignorance--but I am running an unauthenticated scan on an application and am seeing findings on URLs that I can't even browse to.  When I try to browse to them, I get redirecte...
    Jamie Crow
    last modified by Jamie Crow
    • 0
    • 0
    • 3

  • Configuring a Web Application w/ Explicit URLs to Crawl

    I am working on configuring a web application for scanning which requires the use of "Explicit URLs to Crawl" and I'm running to some issues. I'm hoping the community can help point me in the right direction. Please c...
    sufttwf0dfrvcmjpbgo=
    last modified by sufttwf0dfrvcmjpbgo=
    • 1
    • 0
    • 1

  • WAS Authenticated Scan Issue

    Recently, we had an issue while performing Authenticated Web Application Scanning. The scanner created random users about 60 users (username which is similar to sql injection command) and also it posted the pending tr...
    Anyl Mjn
    last modified by Anyl Mjn
    • 0
    • 0
    • 1

  • Authentication scan

    I'm new in Qualys, I don't know how to scan authentication scan,  I have tried basic and selenium script, but it's  failing.    Here is the script content :   <?xml version="1.0" encoding...
    Rajesh Sharma
    last modified by Rajesh Sharma
    • 0
    • 0
    • 1

  • About "No Web Service" status

    As a user of Qualys WAS, you may occasionally see a scan end with "No Web Service" status.  It occurs more commonly when scanning an internal web application using a scanner appliance.  This status typically...
    Dave Ferguson
    last modified by Dave Ferguson
    • 1
    • 2
    • 3

  • Jenkins Plugin for Qualys WAS

    The Jenkins plugin for Qualys WAS empowers DevOps teams to build application vulnerability scans into their CI/CD processes. By integrating and automating scans in this manner, application security testing is accompli...
    Dave Ferguson
    last modified by Dave Ferguson
    • 4
    • 3
    • 0

  • Rest API scan with SWAGGER URL

    Hello, we are starting to use Qualys to scan rest APIs. We have tried to perform scan with Postaman collection with uploading a variables which is clear more or less. Now we want to try a option with Swagger. So we n...
    Pavel Galatik
    last modified by Pavel Galatik
    • 0
    • 0
    • 1

  • Handling SSO in Qualys WAS

    A common authentication mechanism used by web applications is single sign-on (SSO).  This introduces complexity and can cause some confusion when it comes to authenticating and scanning with Qualys WAS.  ...
    Dave Ferguson
    last modified by Dave Ferguson
    • 7
    • 2
    • 4

  • Problem canceling authentication test

    I canceled the authentication test, deleted the web application, deleted all settings I made in Qualys, deleted the VM, "reseted" the entire account. The authentication test is in the state of "canceling" and not chan...
    Flavio Rossi
    last modified by Flavio Rossi
    • 0
    • 0
    • 1

  • Issues in including Selenium script for WAS

    Help me to sort out the below problem....      When we are performing a was scan using selenium script which is created using qualys recorder when we run a test case manually it is working then when ...
    manikanth
    last modified by manikanth
    • 0
    • 0
    • 8

  • Form submission

    Hello ! 1- what is the use of modify form submission for GET, POST, GET&POST, None ?  2- The use of changing user agent in option profile ?
    Moderan Amoussou
    last modified by Moderan Amoussou
    • 3
    • 0
    • 1

  • QID 150009

    Hello !  can someone explaine to me the two numbers beside the word ''Finding'' when you click on QID 150009 ?  one number is in blue color and the seconde one is in grey. 
    Moderan Amoussou
    last modified by Moderan Amoussou
    • 2
    • 0
    • 3

  • SSL Checks in WAS

    How can we include SSL/TLS validation and SSL certificate mismatch checks as part of the web application scanning?
    Venkata Tirthala
    last modified by Venkata Tirthala
    • 3
    • 0
    • 3

  • Authentication record for application in different language

    We have an application which is in French. The login screen has the fields in French i.e, "S'identifier" (for Username) and "Mot de passe" (for password). While creating the authentication record, if i select as e.g:...
    Suraj M
    last modified by Suraj M
    • 1
    • 1
    • 5

  • Redundant Links

    Hello,  I want to know the meaning of Redundant Links when scanning web applications and a use case. Thank you.
    Moderan Amoussou
    last modified by Moderan Amoussou
    • 2
    • 0
    • 1

  • HTTP vs HTTPS for a site

    If i configure a site as specifically HTTPS does the scanner check to see if the site also listens on HTTP ?     The same the other way around ?    I'd almost expect the site to scan on HTTP...
    Robo Scan
    last modified by Robo Scan
    • 3
    • 0
    • 5