Greetings! This is to let you know that WAS Engine 7.5 has been released to all Qualys platforms including private cloud platforms. This release is part of our ongoing effort to continuously improve the WAS scanning engine.
This update includes the following changes.
- Implemented Qualys Periscope, a new detection mechanism for vulnerabilities such as SSRF (QID 150258), SMTP header injection (QID 150255), and blind XXE injection (QID 150179).
- Added a new detection for path-relative stylesheet import (PRSSI) vulnerabilities. The QID is 150246.
- Added a new detection for CVE-2020-7047 and CVE-2020-7048 for vulnerabilities in the WordPress Database Reset plugin. The QID is 150274.
- New detections for known vulnerabilities in Magento. The QIDs are 154054, 154055, and 154056.
- Made changes to reduce memory consumption during testing of API endpoints having a large number of parameters.
- Made changes to allow for larger Postman Collection files for API scans.
- Fixed an issue where presence of favicon.ico sometimes caused server-based authentication to fail.
- For a SQL error message seen in crawl phase, QID 150022 (Verbose Error Message) is now reported, in addition to QID 150056 (SQL Error Message).
- Fixed an issue where authentication status was sometimes reported as "Not Used" even though a Selenium auth script was provided.
As always, if you encounter any problems in your WAS scans, please open a support ticket by selecting Help--Contact Support while logged into the platform. Feel free to post a question here on the Qualys Community site as well.