WAS Engine 7.2 Released

Document created by Dave Ferguson Employee on Oct 8, 2019Last modified by Dave Ferguson Employee on Oct 11, 2019
Version 4Show Document
  • View in full screen mode



WAS Engine 7.2 has been released to all Qualys platforms including private cloud platforms.  This release is part of our ongoing effort to continuously improve the WAS scanning engine.  This update includes the following changes.


  • Added a new detection (QID 150264) to report when an ASP.NET or JSF application uses an unencrypted ViewState. Failing to encrypt the ViewState potentially allows for dangerous deserialization attacks.
  • Released two new informational QIDs related to API testing with Postman Collections (QIDs 150257 and 150265).
  • Implemented fuzzing of PUT and PATCH methods for API testing with Postman Collections.
  • Change to handle a Swagger file parsing error when security objects are used but not defined in securityDefinitions.
  • Fixed a false positive for QID 150135 (Missing or Misconfigured HSTS header).
  • Enhanced the response section for QID 150263 (Insecure Transport) to provide better evidence of the vulnerability.
  • Fixed a false negative for certain XSS vulnerabilities where the reflection occurs within JavaScript.
  • Fixed a syntax error in the browser engine that occurred when a function and variable had the same name.
  • Addressed a false positive for QID 150122 and 150123 (missing Secure and HttpOnly flags) that occurred when an existing cookie is updated via JavaScript.
  • Fixed an issue where fuzzing tests were not performed when the action attribute of the form includes a "#" character.
  • Made changes to reduce the number of requests required for Blind Elephant fingerprinting tests.


If you encounter any problems in your WAS scans, please open a support ticket by selecting Help--Contact Support while logged into the platform.  Feel free to post a question here on the Qualys Community site as well.


- Dave