TotalAppSec Release 2.9 | Web Application Scanning Release 1.29

July 05, 2026

TotalAppSec TotalAppSec

Access Control Testing for API Assets

You can now validate authorization controls for API assets directly within the platform, without additional tools or manual coordination.

With Access Control Testing, you can:

  • Test user access against authorized resources and detect privilege escalation.
  • Validate role-based and user-specific access restrictions across endpoints.
  • Configure Broken User Authentication (BUA), Broken Function Level Authorization (BFLA), and Broken Object Level Authorization (BOLA) test criteria on individual API assets, targeting the OWASP API Security Top 10.
  • Retrieve structured results for access violations, permission issues, and misconfigurations, and incorporate findings into your reporting.

Configure Access Control Test Criteria

To configure Access Control Test criteria:

  1. Navigate to Applications > APIs tab. 
  2. Select an API asset, and click Access Control Testing.  

Access Control Testing for API

The following table describes the three criteria and their configuration options.

Criterion What it tests Endpoint Selection Authentication Record Restriction 
Broken User Authentication (BUA) Whether disabled/locked or logged-out account credentials can reach API endpoints All endpoints (automatic selection) API Key or Bearer Token 
Broken Function Level Authorization (BFLA) Whether a lower-privilege role can access endpoints restricted to higher-privilege roles All Endpoints, Pick from List, or Match by Query Any API authentication record type
Broken Object Level Authorization (BOLA) Whether a user can access object-level data belonging to another user or role All Endpoints, Pick from List, or Match by Query Any API authentication record type

Integrate Access Control Testing in Scans and Schedules

To include BUA, BFLA, or BOLA testing in a scan, select the corresponding checkboxes under API Security Testing in the on-demand vulnerability scan or vulnerability scan schedule configuration.

API Security Testing in Vulnerability Scan Settings.

If you clear a checkbox, that test type is excluded from the scan. These controls apply only to API assets in the scan target.

New QQL Tokens for Asset Discovery using Access Control Testing 

The following new QQL tokens are available in the APIs tab. 

Tab  QQL Token Name Description 
APIs application.endpointCount Use this token to find API assets by number of configured endpoints.
application.hasAccessControlConfig Use this token to find API assets with at least one access control test criterion configured. 
application.accessControlConfig Use this token to find API assets which have the access control config defined: Broken Function Level Authorization, Broken Object Level Authorization, Broken User Authentication.

Enhancements for Green Window Scheduling 

The following enhancements are available for green window scheduling. 

Information Messages for Progressive Scans with Insufficient Maximum Crawl Links

Vulnerability scan schedule creation 

When creating a vulnerability scan schedule, an information message is displayed if the selected Option Profile has Maximum Links To Crawl set to a value lower than 150. For optimal progressive scanning, use an Option Profile with Maximum Links To Crawl set to 150 or higher. You can select a different Option Profile or create a new one before proceeding.

This check helps ensure that progressive scans continue discovering new application content. The WAS scan engine crawls the first 150 links during each scan progression. When the crawl limit is set below 150, the same links are re-crawled at each progression, reducing scan coverage and preventing the scan from advancing to new areas of the application.

Option profile creation

An informational message is displayed for the Max Links field on the Option Profile creation or edit screen when progressive scanning is enabled for your account, recommending a value above 150.

This message appears regardless of the scan type currently associated with the profile, as a single Option Profile can be reused across multiple schedules.

Green Window Duration Validation

While configuring a Green Window on the scan schedule flow, if the configured window length is less than three hours, an inline warning message is displayed recommending a longer duration.

The scan engine reserves 15% of the Green Window for crawling, so a short window leaves very little time to crawl past the first 100 links, causing progressive scans to stall without explanation. This message helps you set a Green Window long enough for scans to progress as expected.

The message is advisory and does not block scheduling. 

Authorization Code with PKCE Support for OAuth 2.0 Authentication 

A new grant type, Authorization Code (with PKCE), is available for OAuth 2.0 authentication. You can configure PKCE-based authentication flows directly in TotalAppSec for scanning APIs used by mobile apps and single-page applications (SPAs), covering a broader range of modern API authentication configurations without workarounds.

To set up the OAuth 2.0 authentication with the new grant type:

  1. Navigate to the Authentication tab, and click New Authentication Record > API.
  2. In the create authentication record workflow, for Auth Type - OAuth 2.0, in the Grant Type list, select Authorization Code (With PKCE).

New grant type Authorization Code with PKCE in authentication record creation.

Discover Potential Web Applications in Microsoft Azure Cloud using TotalCloud 

TotalAppSec now extends its TotalCloud (TC) integration to discover potential web applications from Azure Cloud, in addition to the existing AWS Cloud support. This expansion strengthens your organization's web application security posture by automatically identifying and cataloging public-facing web applications across your cloud environments using the Microsoft Azure connector.

To enable this feature, contact your Technical Account Manager or Qualys Support representative. 

Prerequisites

Before you begin, ensure the following product versions are installed and active:

  • Qualys TotalCloud
  • Qualys Connector 

Workflow

Once the connection with TotalCloud is activated, the Discovery > Sources tab displays Microsoft Azure connectors available under your subscription. Once the Connector runs a scan, it retrieves potential web applications discovered on your publicly exposed Microsoft Azure cloud assets. The number of discovered web applications is displayed in the Sources tab. 

TotalCloud Integration - Azure Connector.

You can click the web application number to view the list of potential web applications in the Discovered Web Applications tab.

You can add the discovered web applications to your subscription and perform scans to assess the vulnerabilities. The Web Applications tab displays these web applications with the prefix Discovered Web Application.

DNS Override for API Assets

DNS override configuration is now available for API assets, extending the support previously available for Web assets. This brings consistent network configuration across both asset types. This is especially useful when the same hostname resolves to different servers across environments, or when your API is behind a load balancer. DNS override ensures scan traffic reaches the intended server, for example, your staging or internal endpoint, rather than a production instance.

If you scan APIs running in staging or internal environments, you can now direct scan traffic to the correct server without waiting for DNS record changes or involving your infrastructure team.

DNS override supports both Swagger and Postman API configurations.

You can select a DNS override record while creating or editing an API asset.

To add a DNS override record:

  1. In the APIs tab, click New API to create a new API asset or edit an existing API asset. 
  2. In the Additional Configurations page, switch the Default DNS Override toggle ON. 

Default DNS Override toggle in Additional Configuration in API creation workflow.

You can select a DNS override record from the available records or click Create Record to add a new record. Each record maps a hostname to a specific IP address or internal endpoint.

 

TotalAppSec Web Application Scanning  TotalAppSec and Web Application Scanning 

Debug Scan Support for Test Authentication

We have extended the debug scan support to Authentication Test scans, which were previously available only for vulnerability scans. You can now enable a debug option in the Authentication Test scan settings to obtain detailed diagnostic output when a scan fails or produces unexpected results. This reduces time spent investigating authentication configuration issues without requiring a separate tool or mode.

The API asset must have a test authentication record configuration defined.

To enable the debug scan, select a web application and click Test Authentication in the Quick Actions menu. In the Launch New Scan: Authentication Test > Scan Settings, select the Enable Debug Scan checkbox. 

Enable Debug Scan in the Scan Settings page in the Test Authentication scan.

 Debug scan for Authentication Test is supported only for single-test authentication runs. Multi-scan and scheduled scan configurations do not include this option.

CSV and XML Report Enhancements for Web Application and Scan Reports

Web application and scan reports downloaded in Comma-Separated Value CSV V2, or Extensible Markup Language (XML) formats now include new fields, and deliver faster download performance. The new fields provide security teams with richer vulnerability context to prioritize and remediate findings and focus on the prioritized risks.

New Fields in Web Application Report and Scan Report

The following new columns are now available after the existing columns in both the web application and scan reports:

  • CVE - A comma-separated list of Common Vulnerabilities and Exposures (CVEs) associated with the QID.
  • QDS - The Qualys Detection Score assigned to the QID.
  • TTR - The Time to Remediation, the estimated time to remediate the QID.
  • CVSS V3 Base - The intrinsic severity of a vulnerability on a scale of 0.0–10.0.
  • CVSS V3 Temporal - The Base Score of a vulnerability based on factors that change over time, specifically measuring the current risk level.
  • CVSS V3 Attack Vector - The metric indicates the context by which a vulnerability can be exploited.

The following new field is available only in the web application report:

TruRisk™ Score - The TruRisk™ score associated with the web application, giving you a risk-based view of your security posture.

Obsolete Column Values in Web Application Report and Scan Reports

The CVSS Base and CVSS Temporal columns in both web application and scan reports display NA, as these fields are not used. 

 The report structure and sequence remain unchanged, ensuring that existing automation and integrations continue to work without modification.

Enhanced Time Zone Configuration

You can now define a preferred time zone in the profile, either the browser time zone or a custom user-defined time zone. The defined time zone applies across all scheduled scans and reports.

Previously, this option was unavailable, causing scheduling inconsistencies for users in different time zones.

Time zone setting in the user profile.

Enhanced Scan Status Display

The Scans tab displays a dedicated UI status for the error code -5001 as ERROR directly within the interface.

Error status for scan error -5001

Previously, this condition was not represented with a distinct status, requiring manual investigation of scan outcomes. This enhancement helps you to quickly identify the cause of a scan failure and proceed directly to remediation, minimizing the need for additional investigation.

The Action Logs now displays the specific reason for the failure, such as interrupted due to timeout, rather than a generic message.

Action Logs mentioning the specific timeout error message.

 

Enhanced Application Report Download Limits

The report download limit is increased to 100,000 records per report for CSV, XML, and CSV V2 formats. This limit applies to application reports for web applications and APIs.

Issues Addressed

The following reported and notable customer issues are fixed in this release.

Application Category/Component Description

TAS and WAS

Asset Purging 

We fixed an issue where deleted or purged web applications were not visible in audit logs, preventing users from identifying who performed deletion actions. 

The audit logging mechanism is updated to record deletion events with relevant asset details. Users can now view accurate deletion history, including the user and timestamp, in the Audit Log, improving traceability and investigative capabilities.

TAS and WAS

Scan launch 

The user experienced delays of 4–5 minutes before scan initiation while launching scans using scanner pools.

The underlying database query is now optimized, and scans are now launched as expected.

TAS and WAS

Scheduled scan 

We resolved an issue where users could not open or edit existing scan schedules due to a 500 Internal Server Error in the Web Application Scanning UI. The issue occurred when schedules contained duplicate email addresses in the notification recipients list.

Now, the duplicate email entries are removed during processing, and the user can open, view, and edit the schedules without errors.

TAS and WAS

Option profile 

We fixed an issue where tag-based scheduled scans targeting a single web application did not use the option profile assigned to that web application.

Scans now correctly use the web application's assigned option profile.

TAS and WAS

Scan status

We fixed an issue where timed-out scans displayed an incorrect status of Scanner Not Available, causing confusion.

The status mapping is corrected, and scan statuses now accurately reflect timeout and interrupted behavior in the user interface and logs.

TAS and WAS

Authentication record

We fixed an issue that prevented non-super users with WAS Manager permission from updating credentials in Selenium-based authentication records.

The validation logic is now updated, and users can now update credentials successfully.

TAS and WAS 

Scans

We fixed an issue where the scans were not deleted even when global delete settings were configured.

The issue has been resolved, and scans are now deleted as expected.

TAS and WAS

Scans

We fixed an issue where users observed findings stuck in the Canceling state after a scan was canceled, while the scan itself reflected the correct "Canceled" status.

The findings now correctly transition to the final status when a scan is canceled.

TAS and WAS 

QQL search 

We fixed an issue where searching with the QQL token application, isScanScheduled:false, took more than three minutes to return results for large datasets.

The issue is resolved. Query performance is optimized, reducing execution time and delivering faster, more efficient search results.

TAS and WAS

Scans

We fixed an issue where users observed scans remaining stuck in a running state after being canceled by the system, with no status update reflected in the user interface.

The issue is resolved, and the scan statuses now update correctly when a scan is canceled.

TAS and WAS

Option profile 

We fixed an issue where system-defined option profiles displayed with incorrect ownership and were incorrectly available for editing and deletion.

The issue is resolved. The option profiles, Authentication Test, API Compliance Options, API Initial Options, and SSL TLS, cannot be edited or deleted. The following option profiles, Log4Shell Options, Initial WAS Options, and user-created option profiles remain editable.

TAS and WAS

Web application 

We fixed an issue where attempting to view a web application with no owner assigned resulted in an error, blocking access to the application.

The issue is resolved, and the users can now view and manage such web applications without errors.