Web Application Scanning Engine Release 10.12
January 14, 2025
With this release of WAS Engine, we have introduced the following updates.
New QIDs
We have released the following new QIDs for the Web Application Scanning Engine.
| Vulnerability ID | Category | Title | Description |
|---|---|---|---|
| 530423 | Vulnerability | XSS in Fileupload Form | We introduced QID 530423 to detect XSS vulnerabilities in file upload forms. The detection reports user-submitted upload data that is returned to the web browser in an exploitable way. |
| 150226 | Information Gathering | Pages Collecting Sensitive Information | We introduced this QID to report sensitive fields such as email, city, address, and zip code that are collected on pages without requiring any security context. This helps identify potential privacy and security concerns where sensitive information is exposed without proper protection. |
Updated QIDs
We have updated the following QIDs for the Web Application Scanning Engine.
| Vulnerability ID | Category | Title | Description |
|---|---|---|---|
| 150151 | Vulnerability | Basic Auth over HTTP | QID 150151 reports basic authentication schemes offered over HTTP during web application scans. We updated QID 150151 to report basic authentication schemes offered over HTTPS as well. |
| 150009 | Information Gathering | Links Crawled | This QID detects and lists the links crawled during the web application scan. We updated this QID so that links appearing in HTML comments on web pages are skipped during crawling. |
| 530030 | Information Gathering | Network Diagnostics | We updated the QID 530030 to include a Traceroute from the scanner to the remote host. This helps users troubleshoot and debug connectivity issues between the scanner and the target application more effectively. |
| 150009 | Information Gathering | Scan Configuration | This enhancement introduces a special configuration to skip crawling links that appear in HTML comments. |
| 150021 | Information Gathering | Authentication Scan Stop | We introduced this QID to report an improvement in authentication scans when a LOGIN_URL is configured. When configured, the scan uses this URL for authentication without performing additional crawling, improving scan efficiency. |
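The "Links Crawled" and "Scan Configuration" rows above describe skipping links that appear inside HTML comments. The following is an added illustration, written for this page and not Qualys code, of what that crawl-time filter looks like: a link extractor that, by default, ignores anything inside `<!-- ... -->`, and that can optionally collect commented links separately so the difference is visible. The sample page, the base URL `https://example.test/` and the `extract_links` function are all constructed for the example.

```python
"""Crawl-time link extraction that skips (or separately collects) links
found inside HTML comments. Added example; not Qualys WAS code."""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Tag -> attribute pairs that yield crawlable URLs.
LINK_ATTRS = {
    "a": "href", "link": "href", "script": "src",
    "img": "src", "iframe": "src", "form": "action",
}


class LinkExtractor(HTMLParser):
    """Collects absolute URLs from live markup; comment handling is configurable."""

    def __init__(self, base_url, skip_comments=True):
        super().__init__()
        self.base_url = base_url
        self.skip_comments = skip_comments
        self.links = []      # URLs found in live (rendered) markup
        self.commented = []  # URLs found only inside <!-- ... --> (when not skipped)

    def handle_starttag(self, tag, attrs):
        attr = LINK_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.links.append(urljoin(self.base_url, value.strip()))

    def handle_comment(self, data):
        # HTMLParser never hands comment contents to handle_starttag, so the
        # default behaviour already skips commented-out links. When the
        # operator wants them reported, parse the comment body with a
        # nested extractor and keep its results apart from live links.
        if self.skip_comments:
            return
        inner = LinkExtractor(self.base_url, skip_comments=True)
        inner.feed(data)
        inner.close()
        self.commented.extend(inner.links)


def extract_links(html, base_url, skip_comments=True):
    """Return (live_links, commented_links) for one page of HTML."""
    parser = LinkExtractor(base_url, skip_comments=skip_comments)
    parser.feed(html)
    parser.close()
    return parser.links, parser.commented


# Constructed sample page: two links are live, two are commented out
# (a removed admin UI and a disabled debug script).
SAMPLE_PAGE = """
<html><body>
<a href="/account/profile">Profile</a>
<script src="/static/app.js"></script>
<!-- <a href="/legacy/admin.php">Old admin UI (removed)</a> -->
<!-- TODO: re-enable <script src="/static/debug.js"></script> -->
<form action="/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    base = "https://example.test/"
    live, _ = extract_links(SAMPLE_PAGE, base)
    print("crawl with comments skipped:", live)
    live, commented = extract_links(SAMPLE_PAGE, base, skip_comments=False)
    print("commented-out links (not crawled, reported separately):", commented)
```

Crawling commented-out links is what produces the stale 404s and spurious unauthorized responses that inflate scan time and noise; keeping them in a separate list, rather than the crawl queue, preserves the information for reviewers without requesting dead endpoints.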
Limit Crawling in Authentication Scans
We updated the web application authentication scan workflow to stop crawling when the authentication is complete for the web application. Earlier, the authentication scans continued even after web application authentication was complete.
This enhancement reduces the crawling time and optimizes the web application authentication scan durations.
Issues Addressed
The following important and notable issues are fixed in this release.
| Category/Component | Description |
|---|---|
| Authentication | We fixed an issue where the authentication status was determined after crawling, which resulted in longer wait times. Now, WAS reports whether the scan was authenticated successfully immediately after the scan completes. |
| Authentication | We fixed an issue where web application links could not be authenticated because authentication tokens were not captured during web application scans, resulting in 401 and 403 errors for certain HTTP requests made through service workers. |
| Crawling Links | We fixed an issue where WAS was sending incorrect requests for XMLHttpRequest (XHR) links, which caused incorrect crawling and errors such as page not found or unauthorized. |
| Vulnerability Reporting | We updated the QID 150076 to include exploitation backtrace details. The report now provides both source and sink locations, which helps users to better understand how the vulnerability was triggered and improve remediation guidance. |
| API Parsing | We fixed an issue where Swagger files were causing parsing errors. WAS now supports parsing Swagger files up to 10 MB, improving API scanning reliability and coverage. |
| Pages Collecting Sensitive Information | We fixed an issue where login pages were incorrectly reported under QID 150226. |