WAS Engine 7.1 has been released to all Qualys platforms including private cloud platforms. This release is part of our ongoing effort to continuously improve the WAS scanning engine. This update includes the following changes.
- A new detection for Insecure Transport has been added. If the scanner finds that communication over unencrypted HTTP is allowed, QID 150263 will be reported. This applies even if the site does not use HTTPS at all.
- A new detection for a directory traversal vulnerability in Pivotal Spring Framework (CVE-2018-1271) has been added. The QID is 150289.
- Informational QID 150208 has been added to report when the Referrer-Policy response header is not set by the web application.
- Informational QID 150262 has been added to report when the Feature-Policy response header is not set by the web application.
- Fixed an error that occurred during time-based tests on AJAX requests when a request times out.
- Fixed a false positive for QID 150192 (HTTP Response Header Injection).
- A new test has been added to detect common web shells. If a web shell is found, QID 150239 will be reported.
- A new detection has been added to report when ASP.NET debugging is enabled. The QID is 150243.
If you encounter any problems in your WAS scans, please open a support ticket by selecting Help > Contact Support while logged into the platform. Feel free to post a question here on the Qualys Community site as well.