Web Application Scanning Engine Release 10.10
August 06, 2025
With this release of WAS Engine, we have introduced the following updates.
New QIDs
We have released the following new QIDs for the Web Application Scanning Engine.
| Vulnerability ID | Category | Title | Description |
|---|---|---|---|
| 150207 | Information Gathering | Content Security Policy insecure configuration | We have introduced this QID to detect the unsafe-inline directive used in src directives. These detections help protect users from XSS attacks. |
| 150216 | Information Gathering | CSP Meta Element Found | This QID detects the CSP meta elements in HTTP headers, which helps avoid content injection attacks and limited CSRF attacks. |
| 570013 | Information Gathering | API endpoints where authentication failed | This QID detects the API endpoints where authentication failed with error code 401. |
| 570012 | Information Gathering | API endpoints with authentication type | This QID checks for all types of authorization in Swagger and Postman and reports them. This QID cannot report the detection for the endpoints that do not use authorization. |
| 580565 | Vulnerability | JWT token does not have 'exp' expiry field | This QID reports the detection for JWT tokens that do not have an expiry field in the token payload. |
| 580566 | Vulnerability | JWT token is using weak secret | This QID reports the weak secrets in JWT tokens used in API endpoint authentication. |
Updated QIDs
We have updated the following QIDs for the Web Application Scanning Engine.
| Vulnerability ID | Category | Title | Description |
|---|---|---|---|
| 150572 | Vulnerability | JWT token in Authorization header uses symmetric algorithm | We updated QID 150572 to report JWT token-related vulnerabilities. Now, this QID can report the symmetric algorithms used in the JWT token's authorization header. |
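As an added illustration (not Qualys code and not the WAS Engine's own detection logic), the following Python sketches the kind of checks behind QIDs 150207, 580565 and 150572: flagging 'unsafe-inline' in CSP src directives, and inspecting an unverified JWT for a missing exp claim and a symmetric alg. The CSP string, token contents and make_sample_token helper are constructed sample values.

```python
import base64
import json

# Algorithms whose signing key is a shared secret (the case QID 150572 reports).
SYMMETRIC_ALGS = {"HS256", "HS384", "HS512"}

def csp_unsafe_inline_directives(policy: str) -> list[str]:
    """Return the *-src directives of a CSP string that allow 'unsafe-inline' (cf. QID 150207)."""
    flagged = []
    for directive in policy.split(";"):
        parts = directive.strip().split()
        if not parts:
            continue
        name, sources = parts[0].lower(), {s.lower() for s in parts[1:]}
        if name.endswith("-src") and "'unsafe-inline'" in sources:
            flagged.append(name)
    return flagged

def _b64url(data: bytes) -> str:
    # JWT segments use base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # Restore the padding the token dropped before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(header: dict, payload: dict) -> str:
    """Build a compact JWS for testing; the signature is a constructed placeholder, not a real MAC."""
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
        _b64url(b"placeholder-signature"),
    ])

def jwt_findings(token: str) -> list[str]:
    """Inspect a token without verifying it: missing 'exp' (QID 580565) and symmetric 'alg' (QID 150572)."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    findings = []
    if "exp" not in payload:
        findings.append("missing exp")
    if header.get("alg", "").upper() in SYMMETRIC_ALGS:
        findings.append(f"symmetric alg {header['alg']}")
    return findings

# Constructed sample inputs (not taken from the release notes).
SAMPLE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example; style-src 'unsafe-inline'"
SAMPLE_JWT = make_sample_token({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "iat": 1700000000})
```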
Report all True Instances of WebCGI-Based Detection
We have updated the WebCGI QIDs to report additional findings when multiple paths are vulnerable to the same QID. Earlier, only a single instance of WebCGI QID was reported for multiple vulnerable paths.
This enhancement helps you identify the different endpoints vulnerable to the same QID.
Issues Addressed
The following important and notable issues are fixed in this release.
| Category/Component | Description |
|---|---|
| Authentication | We fixed an issue where empty form fields were processed during the custom authentication, resulting in a run-time error. Now, we efficiently handle the empty form fields and quote (") characters in the form submit element to resolve this. |
| Reporting | We updated the QID 150767 to report the complete headers for Postman scans. |
| Authentication | We fixed the discrepancy between QID 150767 and QID 150172 for some endpoints where QID 150767 returned response 401 (unauthorized) and QID 150172 returned response 200 (OK). |
| Reporting | We fixed an issue where QID 150100 did not report the crawl scripts. Now, we reorder the crawl scripts to ensure consistent and clear reporting for the crawl scripts. |
| Reporting | We fixed an issue where some of the links with double quotes (" ") were extracted and URL encoded during crawling. Now, we crawl the links with double quotes without any URL encoding. |