All web apps with a specific vulnerability, Python script

Document created by Parag Baxi on Sep 13, 2012Last modified by Parag Baxi on Oct 3, 2012
Version 4Show Document
  • View in full screen mode

Note: This is not supported by Qualys, it is community built. Thanks to Jason Kent and Qnimbus for the solution below.


Provide the dates after which you want to process scans (optional), provide the QID you want to find, the script will then iterate through all application scans and find those findings and their results.


So, you can run this against all web application scan results and look for the SQLi QID and it will show you the findings in a text file with the QID number for the filename.


What's new

2012-09-20: Changed text format to CSV. Can now handle scans that have no vulnerabilities. Workaround for random authorization error.



$ python -h

usage: [-h] [-d DATE] -q QID -p PASSWORD -u USERNAME



Prints out QID vulnerabilities to QID.txt from most recent webapp scans.



optional arguments:

  -h, --help            show this help message and exit

  -d DATE, --date DATE  Only search scans launched after DATE. Format must be


  -q QID, --qid QID     List web applications vulnerable to QID.

  -p PASSWORD, --password PASSWORD

                        Corresponding QualysGuard WAS v2 API password.

  -u USERNAME, --username USERNAME

                        QualysGuard WAS v2 API username.




  • Python 2.7
  • lxml

It's fairly simple to install these packages using pip.

How to install libraries

Install pip:

$ curl | sudo python

Install libraries:

$ sudo pip install lxml


  • Python 2.7 on Mac 10.7. Other Mac OS versions may work. Comment if they do or don't please.


The libraries are packaged with the script in one directory. Mac 10.7 required. Comment if you would like a Windows package.

Compiled for Mac 10.6+ users out there. This compiled code will require Python 2.7.