WAS Engine 7.3 has been released to all Qualys platforms, including private cloud platforms. This release is part of our ongoing effort to continuously improve the WAS scanning engine. This update includes the following changes:
- Added a new detection (QID 150260) for server-side include (SSI) injection.
- Improved the detection capability for open redirect vulnerabilities.
- Fixed an out-of-memory issue that occurred in the crawl phase for certain web apps having a high number of XHRs with large request bodies.
- When SQL injection (QID 150003) is reported due to a returned SQL error, QID 150022 (Verbose Error Message) is now also reported, assuming it's enabled in the scan.
- Fuzzing on query parameters is now performed when scanning APIs using Postman Collections.
- If a Swagger file parsing error occurs, the error message now appears at the top of the Results section of QID 150195 so it is easier to find.
- Made changes to support the upcoming out-of-band vulnerability detection mechanism.
If you encounter any problems in your WAS scans, please open a support ticket by selecting Help > Contact Support while logged into the platform. Feel free to post a question here on the Qualys Community site as well.