WAS Engine 6.5 Released

Document created by Dave Ferguson Employee on Mar 15, 2019Last modified by Dave Ferguson Employee on Mar 25, 2019
Version 3Show Document
  • View in full screen mode

Hello all -


WAS Engine 6.5 has been released to all Qualys platforms including private cloud platforms.  This release is part of our ongoing effort to continuously improve the WAS scanning engine.  This update includes the following changes.


  • Improved detection capability for path-based vulnerability (QID 150004) when a 302 redirect occurs.
  • New informational QID for an insecurely-configured X-XSS-Protection header (QID 150205).
  • Addressed XSS false negatives when response code is 500.
  • When parsing a Swagger file, path parameters are now extracted and used for fuzzing.
  • Added error handling to catch invalid path fuzzing rules.
  • Scanner now has better recognition of authentication loss during the crawl phase.
  • Added support for IndexedDB to internal browser engine.
  • Applied patches to internal browser engine to improve crawling for certain apps.
  • Implemented multi-threading for time-based tests for better efficiency & performance.
  • Added limit to the number of instances reported for verbose error message (QID 150022).
  • Capped the number of redundant WebSocket links that are reported under informational QID 150167.


If you encounter any problems in your WAS scans, please open a support ticket by selecting Help--Contact Support while logged into the platform.  Feel free to post a question here on the Qualys Community site as well.


- Dave