WAS Engine 6.6 Released

Document created by Dave Ferguson Employee on Apr 18, 2019Last modified by Dave Ferguson Employee on Apr 18, 2019
Version 2Show Document
  • View in full screen mode

Hello all -


WAS Engine 6.6 has been released to all Qualys platforms including private cloud platforms.  This release is part of our ongoing effort to continuously improve the WAS scanning engine.  This update includes the following changes.


  • A new detection for information disclosure via HTTP response header has been added.  The QID is 150210.  It will be reported, for example, when the web server or application server version is disclosed in the "Server" response header.  This is an informational finding, not a vulnerability.
  • A new detection for a stored XSS vulnerability in "Yuzo Related Posts" WordPress plugin has been added.  The QID is 150238.
  • Retesting certain types of vulnerabilities now takes less time.
  • Improvement to handle non-standard cookie values that contain a double quote.
  • Internal browser engine can now handle redirection response after successful NTLM authentication.
  • Removed misleading message about login brute force testing under QID 150097.
  • QIDs related to security headers are no longer reported for 3xx responses.
  • Fixed an issue where standard authentication failed when the password contained unexpected characters.
  • Fixed an issue where some requests were not properly routed through proxy.


If you encounter any problems in your WAS scans, please open a support ticket by selecting Help--Contact Support while logged into the platform.  Feel free to post a question here on the Qualys Community site as well.


- Dave