WAS Engine 7.6 Released

Document created by Dave Ferguson Employee on Mar 6, 2020
Version 1Show Document
  • View in full screen mode

Greetings!  This is to announce that WAS Engine 7.6 has been released to all Qualys platforms including private cloud platforms.  This release is part of our ongoing effort to continuously improve the WAS scanning engine.


This update includes the following changes.


  • Implemented a new informational QID to report when a web application is not using subresource integrity (SRI). The QID is 150261. Using SRI is a recommended defense against certain attacks including JavaScript-based malware like Magecart.
  • Implemented a new informational QID to report when cookies are missing the SameSite attribute. The QID is 150277.
  • Added a new detection for CVE-2020-1938, a vulnerability in Tomcat's Apache JServ Protocol (AJP).  The QID is 150282.
  • Added a new detection for a misconfiguration in Magento CMS where cache files are leaked.  The QID is 150283.
  • Fixed an issue where the vulnerable parameter for an out-of-band detection was not being reported.
  • Fixed a false positive for QID 150246 (PRSSI vulnerability) for the case where protocol is omitted from the URL in the href attribute.
  • Implemented several changes to better detect persistent/stored cross-site scripting (XSS).
  • Fixed a false positive for QID 150117 (Path-based XSS).
  • Fixed an issue where the response after Selenium script authentication was not being tested for missing or misconfigured security headers.
  • Made changes to address a false negative for QID 150076 (DOM-based XSS).
  • Improved crawling on certain sites where a 404 response with an empty body is returned.


As always, if you encounter any problems in your WAS scans, please open a support ticket by selecting Help--Contact Support while logged into the platform.  Feel free to post a question here on the Qualys Community site as well.


 - Dave