Hello all -
WAS Engine 6.4 has been released to all Qualys platforms including private cloud platforms. This release is part of our ongoing effort to continuously improve the WAS scanning engine. This update includes the following enhancements.
- Two new informational QIDs have been added for the X-Content-Type-Options response header. Specifically, QID 150202 will be reported when this header is not set by the scanned web application and QID 150203 is reported if the header is set but misconfigured.
- Informational QID 150204 has been added to report when the X-Xss-Protection response header is not set by the web application.
- Informational QID 150206 has been added to report when the Content-Security-Policy response header is not set by the web application.
- A new detection has been added to report when an IIS web server discloses its internal IP address when a missing or null Host header is sent in the request. QID 150234 will be reported for this vulnerability.
- Changes were made to improve the reliability of the retest feature.
- Better detection was implemented for WebSocket. QID 150167 is reported when the web application is found to use WebSocket.
- A fix was made to ensure that all files with binary extensions are ignored when they are supposed to be.
If you encounter any problems in your WAS scans, please open a support ticket by selecting Help > Contact Support while logged into the platform. Feel free to post a question here on the Qualys Community site as well.
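To pre-check an application for the response-header findings listed above before a scan, the following is an added example and not Qualys's detection logic or part of the original post. It assumes "misconfigured" means any X-Content-Type-Options value other than a single nosniff; the function names and sample responses are constructed for illustration.

```python
# Added example: approximates the header checks listed in the post; not Qualys code.
from collections import defaultdict

# Constructed sample responses (raw header blocks), not captured from a real scan.
SAMPLE_MISSING = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy-Report-Only: default-src 'self'\r\n"
    "\r\n"
)
SAMPLE_BAD_XCTO = (
    "HTTP/1.1 200 OK\r\n"
    "x-content-type-options: no-sniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return {lowercased-name: [values]} from a raw HTTP response header block."""
    headers = defaultdict(list)
    for line in raw.split("\r\n")[1:]:       # skip the status line
        if not line:
            break                             # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return headers

def audit(raw):
    """Return the sorted list of QIDs (numbers taken from the post) that apply."""
    h = parse_headers(raw)
    qids = []
    xcto = h.get("x-content-type-options")
    if not xcto:
        qids.append(150202)                   # header not set
    elif [v.lower() for v in xcto] != ["nosniff"]:
        qids.append(150203)                   # assumption: anything but one "nosniff"
    if not h.get("x-xss-protection"):
        qids.append(150204)
    # Content-Security-Policy-Report-Only is a different header and enforces nothing,
    # so on its own it leaves Content-Security-Policy unset.
    if not h.get("content-security-policy"):
        qids.append(150206)
    return sorted(qids)

if __name__ == "__main__":
    for name, raw in (("missing", SAMPLE_MISSING), ("bad-xcto", SAMPLE_BAD_XCTO)):
        print(name, audit(raw))
```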