Web Application Scanning Engine Release 10.11

September 12, 2025

With this release, we are introducing the following new enhancements for the Web Application Scanning Engine.

WAS Engine Enhancements

Support Custom DNS for IPv6 Assets

We have introduced support for custom Domain Name System (DNS) for IPv6 assets. Previously, custom DNS was supported only for IPv4 assets. Now, you can set up custom DNS for your IPv6 assets.

The custom DNS helps you achieve the following goals:

  • Improved Asset Discovery in Complex Networks
  • Accurate Vulnerability Mapping
  • DNS Override for Controlled Scanning
  • Enhanced Security Posture

Exclude Secondary Browser Requests from Crawling

We have extended support for excluding secondary browser requests from crawling by applying regex enforcement at the browser level. This enhancement helps you exclude from crawling the links or forms that exceed a defined threshold for the number of input fields or parameters.

This will reduce the link crawling time during a scan and optimize the scan time.

Contact Qualys Support or your Technical Account Manager to acquire this feature in your subscription.

Skip Incomplete Parameter Test Phase During the Scan

With this enhancement, a WAS scan marks a phase as completed if the scan is stuck in the parameter, path-based, header, or cookie test phase. When a WAS scan is stuck in the same phase for two scans, we mark that phase as completed and move on to the next phase of the scan. This improvement applies to applications that have large links with many parameters and to progressive scans that are stuck in a particular phase.

This enhancement ensures that the entire web application is properly scanned and the correct vulnerabilities are detected. This gives you better visibility into security threats of web applications where parameter test phases are not completed.

New QIDs

We released the following new QIDs for the Web Application Scanning Engine. 

| Vulnerability ID | Category | Title | Description |
|---|---|---|---|
| 150958 | Information Gathering | Microsoft Windows SMBv3 Compression Remote Code Execution Vulnerability | This QID detects the vulnerability that allows remote attackers to execute arbitrary code on vulnerable assets using specially crafted packets. Qualys detects this vulnerability by checking the Windows OS version and patch level. It uses remote unauthenticated scanning to identify systems that have not applied the relevant Microsoft patch. |
| 151067 | Information Gathering | Potential issues using Implicit grant type EOL /Security Concerns | We introduced this QID to report the unsupported JavaScript libraries and closed projects. The obsolete and discontinued YUI and Crypto-JS found during the web application crawling are also reported. |

Updated QIDs

We updated the following QIDs for the Web Application Scanning Engine.

| Vulnerability ID | Category | Title | Description |
|---|---|---|---|
| 150021 | Information Gathering | Scan Diagnostics | The QID 150021 provides various details of the scan's performance and behavior. We have updated the reporting structure of this QID. Previously, we reported the presence of authentication headers at the start. Now we have moved this information to the end of the reporting section. |
| 150100 | Information Gathering | Selenium Diagnostic | This QID reports the Selenium script diagnostics. We have updated this QID to report the internal time-limit threshold during the Selenium script execution, caused by slow web pages or blocked requests. |
| 530290 | Information Gathering | SSL Certificate - Signature Verification Failed | This QID reports the internal redundant links. We have updated this QID to discard all the internal links that are marked as redundant. Previously, we added these links to the delayed queue. |
| 150042 | Information Gathering | Server Returns HTTP 500 Message For Request | This QID reports the HTTP 500 internal server error detected during crawling. We have updated this QID to report all the links with HTTP status code 5xx, such as 500 and 501, found during the crawling. |
| 150021 | Information Gathering | Scan Diagnostic — Reporting Issues | This QID reports the missing batches. We have updated this QID to report batch #2 and #3, even when no links are found for them during the scanning. |

Issues Addressed

The following important and notable issues are fixed in this release:

| Category/Component | Description |
|---|---|
| Authentication | We fixed an issue where the Selenium script failed to perform authentication because it could not identify the username during the WAS scan. |
| Reporting | We fixed an issue where click events were not registered for dropdowns because they took more time to load. We have improved the crawling process to resolve this issue. |
| False Positives | We fixed false positives for QID 150246 that were caused by a response header check failure during web application scans. Now, we check the response headers even if they come from the cache. |

To learn more about the latest QIDs released for WAS, refer to: Web Application Detections Published in August 2025