Qualys has 294 QIDs related to the Web Application category. Could you tell me which are non-invasive and which are aggressive?
I would not characterize any WAS QIDs as "invasive". Some involve active tests, such as XSS and SQL injection tests, while some are passive tests, such as observing whether attributes are missing from cookies.
Thanks Dave. Please tell me: if I decide to run a Full Scan for a web application with some active forms (like contacts, questionnaire, etc.), will Qualys try to complete the fields and submit all requests?
What about SQL Injection and XSS? Will Qualys run many requests to these forms?
Yes, WAS will submit the forms during the scan. During the test phase it will send the POST request many times with different payloads for XSS, SQL injection, etc. in the different fields. Therefore, if the form causes an email to be sent to someone (e.g., a Feedback or Contact Us form), you may want to configure a POST Data Black List for those forms to avoid the person getting bombarded with emails.
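One way to inventory which forms belong on such an exclusion list before a scan, as an added example that is not part of the original thread or Qualys's own tooling: it parses page HTML, picks out POST forms whose action or field names suggest they notify a person, and prints an anchored regex per form URL. The keyword list, sample page and host name are constructed, and treating an exclusion entry as a URL regex is an assumption to check against the scanner's documentation.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Hypothetical hints that a form notifies a person (assumption; tune per application).
NOTIFY_HINTS = ("contact", "feedback", "message", "comment", "enquiry", "inquiry")

class FormInventory(HTMLParser):
    """Collects each <form> with its method, absolute action URL and field names."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"method": (a.get("method") or "get").lower(),
                         "action": urljoin(self.page_url, a.get("action") or ""),
                         "fields": []}
        elif self._cur is not None and tag in ("input", "textarea", "select") and a.get("name"):
            self._cur["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None

def exclusion_candidates(page_url, html):
    """Return anchored regexes for POST forms that look like they notify someone."""
    inv = FormInventory(page_url)
    inv.feed(html)
    out = []
    for f in inv.forms:
        haystack = " ".join([f["action"]] + f["fields"]).lower()
        if f["method"] == "post" and any(h in haystack for h in NOTIFY_HINTS):
            out.append("^" + re.escape(f["action"]) + "$")
    return sorted(set(out))

# Constructed sample page: a search form (GET), a login form, and a contact form.
SAMPLE = """
<form action="/search"><input name="q"></form>
<form method="POST" action="/login"><input name="user"><input name="password"></form>
<form method="post" action="/support/send.php?lang=en">
  <input name="email"><textarea name="message"></textarea></form>
"""

if __name__ == "__main__":
    for pattern in exclusion_candidates("https://app.example.test/help/", SAMPLE):
        print(pattern)
```

Forms that the heuristic misses (for example, a questionnaire that mails its results) still need a manual review of what each POST handler does on the server side.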