• Does Qualys offers Requester & Approve approach 

    Hello, How I can create a user process in Qualys like Requester and Approval approach. Like one user "A" needs to create a scan and while initiating the scan the User "B" needs to approve to do the scanning. Is any a...
    Santhanakrishnan D
    last modified by Santhanakrishnan D
  • APIs and TAG Groups

    Hello All,   Can somebody help regarding the following:     The plan is to do the following:   Step #1- Create an API call to create a TAG Group Step #2- Create an API call to add a list o...
    Elias Diab
    last modified by Elias Diab
  • Dashboards and Reporting Resources - Start Here

    Welcome to Dashboards and Reporting   Welcome to our Dashboards and Reporting space.  Here we will begin to collaboratively and constructively collect relevant legacy ...
    last modified by DMFezzaReed
  • Nginx Virtual host discovered - 150142

    I'm trying to satisfy a security requirement within our organization which reports "Virtual host discovered - 150142" against one of our web servers. We don't explicitly have any servers / virtual hosts configure...
    Aslesh Tati
    created by Aslesh Tati
  • SmartScan - how does it work in details?

    Hello Everyone. Last few days I've done many tests with profiles when SmartScan was enabled (level 2 and level 5) and when SmartScan was disabled. First I can tell you I do not see any differences between profile with...
    last modified by pawelpietrzynski
  • How to exclude AJAX scan from SmartScan

    Always if I enable SmartScan (no matter which level) Qualys generate many AJAX requests. As you see the links below this scan has no value. Does anyone know how to exclude this from scan? I exclude this QID "1501...
    created by pawelpietrzynski
  • How to exclude cookie and static files from scan

    Hi Guys. I would like to create new scan profile and I want to exclude scans Cookies and static files (like jpg, mp4, ico, etc). What is the best way to do it? Should I add some specific QIDs to exclusion in Scan Prof...
    last modified by pawelpietrzynski
  • Crawl settings - how to add domain with one subdomain

    Hello Guys. I've seen if I add in "Web application URL" domain e.g. example.com Qualys does not scan URL with "www" subdomain (e.g. www.example.com). If I add in "Web application URL" domain e.g. www.example.com ...
    created by pawelpietrzynski
  • WAS scan configuration if SSO link is different from Scan URL

    I need a scan a web application (https://xyz.com) with SSO but the issue is the application URL(https://xyz.com) and SSO URL(https://abc.com) is different. The problems I'm facing are listed below. If I access https:...
    Santhanakrishnan D
    last modified by Santhanakrishnan D
  • Aggressive and non-invasive QIDs

    Qualys has 294 QIDs related to Web Application category. Could you tell me which are non-invasive and which are aggressive? 
    last modified by pawelpietrzynski
  • Limited-scope user has access to modules outside of Role-defined limits

    We setup our WAS security personnel with permissions limiting them to WAS and Reporting from within Role Management over a year ago. However, during a recent audit, we found that these users actually have access ...
    Robert Sloan
    last modified by Robert Sloan
  • Slow HTTP POST vulnerability (QID 150085)-Any Workaround?

    Hi Qualys Community, Qualys has detected Slow HTTP POST vulnerability (QID 150085) on one of the deployed web applications. Here is the Remediation Strategy mentioned by Qualys (https://blog.qualys.com/se...
    Ahmed Tariq
    created by Ahmed Tariq
  • Malicious code not found by WAS

    Hi there,   I can't seem to find the right settings i think.  I installed a private-webserver with malicious code (php-reverse-shell.php / shell.php (webshell) and a shell.jsp). They are located in root a...
    Bert Alting
    last modified by Bert Alting
  • Progressive Scanning Explained

    Progressive scanning is a feature within Qualys Web Application Scanning (WAS) that is now available to all customers. The intent and goal of progressive scanning is to add a mechanism to effectively scan very large w...
    Dave Ferguson
    last modified by Dave Ferguson
  • New Detections Rolling Out for Vulnerable CMSs and CMS Plugins

    In a previous post, we described how Qualys WAS added new informational QIDs to report CMS versions and CMS plugins found on your scanned web applications.  Now, as part of the continuous improvement of the scann...
    Dave Ferguson
    last modified by Dave Ferguson
  • Scanning a SOAP webservice for vulnerabilities

    I tried running a Qualys web application scan on below WSDL http://www.myorg.com/services/Handling?WSDL and received the error message   "Failed to parse the WSDL due to following error in the WSDL. Schema Pa...
    Steve P
    last modified by Steve P
  • New QID for vulnerabilities in Oracle WebLogic Server

    The WebLogic Server product of Oracle Middleware Fusion is widely used as a middle-tier application server to run Java web applications.  Recently, Oracle released their Critical Patch Update for April 2020 that ...
    Dave Ferguson
    last modified by Dave Ferguson
  • API Testing with Postman Collections

    This article describes how to set up vulnerability scanning of your API using Qualys WAS with a Postman Collection.  Initial support for Postman Collections in WAS was released in October 2019.   Postman Col...
    Ed Arnold
    last modified by Ed Arnold
  • Qualys WAS Connector for Bamboo

    We are pleased to announce that the Qualys WAS Connector for Bamboo is now available.  Bamboo by Atlassian is a popular commercial CI/CD tool. The Qualys WAS Connector for Bamboo is a native plugin for Bamboo tha...
    Dave Ferguson
    last modified by Dave Ferguson
  • API Access to Vulnerability History status

    Hi - Revisiting a previous topic with a slightly different question. When i look at a Web Application Report online, select the Vulnerabilities section, I can see a list of vulnerabilities with various ...
    last modified by wkolatac