Web Application Scanning Engine Release 10.13
January 22, 2025
With this release of WAS Engine, we have introduced the following updates.
New QIDs
We have released the following new QIDs for the Web Application Scanning Engine.
| Vulnerability ID | Category | Title | Description |
|---|---|---|---|
| 530592 | Vulnerability | Web Cache Poisoning Found | Web cache poisoning is a cyberattack where an attacker manipulates a web cache into storing a malicious HTTP response, which is then served to other unsuspecting users who request the same resource. This attack exploits vulnerabilities in how web servers and caches handle unvalidated user input, potentially turning a single malicious request into a widespread attack affecting many users. |
| 530028 | Practice | Anti-Skimming Measures Missing | Web skimming attacks refer to a particular form of cyberattack in which hackers insert malicious JavaScript code into digital commerce websites (directly or through their third-party providers). JavaScript running on a web page can access all data entered into form fields on that page. The scan identifies missing CSP policies and broken Subresource Integrity (SRI) or integrity checks for JavaScript files. If any of these are missing or not configured properly, there is a potential risk of skimming attacks. |
| 150007 | Information Gathering | AlmaLinux 9.2 ESU TuxCare Security Update for kernel | TuxCare is an expansion of CloudLinux KernelCare and Extended Lifecycle Support brands. TuxCare Extended Lifecycle Support (ELS) service provides security updates, system enhancement patches, and selected bug fixes for older versions of various Linux distributions. This distribution has either reached the end of standard support from vendors or has reached End of Life (EOL). The service coverage includes updates for the Linux kernel and a list of essential packages that are integral to server operations. |
| 150604 | Practice | Sensitive Content In HTML | Sensitive content was discovered within the Web server's response. |
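The anti-skimming checks described for QID 530028 (a missing CSP header, a script without an integrity attribute, a malformed integrity value, or a pinned hash that no longer matches the served script) can be reproduced with a small checker. This is an added illustration, not Qualys WAS engine code; the HTML, header dict and script bodies are constructed samples, and the function and variable names are assumptions.

```python
import base64, hashlib, re
from html.parser import HTMLParser

class _Scripts(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # (src, integrity) for every external <script> tag
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.found.append((a["src"], a.get("integrity")))

def check_sri(integrity, body):
    """Return None when integrity is usable for body, else the defect found."""
    if integrity is None:
        return "missing integrity attribute"
    tokens = [re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)", t)
              for t in integrity.split()]
    if not tokens or not all(tokens):
        return "malformed integrity value"
    if body is None:
        return None  # script not fetched: only the format could be checked
    for m in tokens:  # SRI accepts the resource if any listed hash matches
        algo, digest = m.groups()
        if base64.b64encode(hashlib.new(algo, body).digest()).decode() == digest:
            return None
    return "integrity hash does not match fetched script"

def anti_skimming_findings(headers, html, fetched):
    """headers: response header dict; fetched: {src: bytes} of script bodies."""
    findings = []
    csp = {k.lower(): v for k, v in headers.items()}.get("content-security-policy")
    if not csp:
        findings.append("Content-Security-Policy header missing")
    parser = _Scripts()
    parser.feed(html)
    for src, integrity in parser.found:
        reason = check_sri(integrity, fetched.get(src))
        if reason:
            findings.append(f"{src}: {reason}")
    return findings

# Constructed sample (not from the release notes): a correctly pinned script,
# one with no integrity attribute, and one whose pinned hash no longer matches.
JS = b"console.log('checkout');"
SRI = "sha384-" + base64.b64encode(hashlib.sha384(JS).digest()).decode()
HTML = (f'<script src="/checkout.js" integrity="{SRI}"></script>'
        '<script src="/tracker.js"></script>'
        '<script src="/stale.js" integrity="sha256-AAAA"></script>')
FETCHED = {"/checkout.js": JS, "/stale.js": b"changed();"}
```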
Updated QIDs
We have updated the following QIDs for the Web Application Scanning Engine.
| Vulnerability ID | Category | Title | Description |
|---|---|---|---|
| 150087 | Information Gathering | Web Service Found | We improved WSDL file handling during crawling and brute-force discovery. The engine now reports all web services associated with each discovered WSDL and correctly handles malformed WSDL files. Issues with invalid WSDL files are now reported under QID 150087. |
| 530465 | Information Gathering | Redundant Links Optimization Rules | We updated the wording for QID 530465 – Redundant Links Optimization Rules. WAS scans now crawl all links to identify redundant links and generate informational rewrite rules for duplicate links detected during the crawl phase. |
| 150041 | Information Gathering | Links Rejected | We updated QID 150041 to improve the accuracy of links reported as not crawled due to whitelist or blacklist filters. When both filters are configured, whitelisted links are now crawled unless they also match blacklist criteria. |
Issues Addressed
The following important and notable issues are fixed in this release.
| Category/Component | Description |
|---|---|
| Selenium script | We fixed an issue where link status was not reported when a Selenium script failed due to post-execution validation errors, such as regex mismatches. Links discovered during Selenium execution are now reported with response status under QID 150100 for all Selenium failures, including element-not-found and regex validation errors. |
| Data Handling | We fixed an issue where sensitive data in URIs was not masked in some QIDs. The engine now sanitizes URIs to mask passwords and newly added authentication headers before reporting. |
| Vulnerability Detection | We fixed an issue where HTTP response details were not displayed for vulnerability QID 152098. When the detected response had a content length of zero, the response body was not available, and the Result section appeared blank in the UI. The engine now handles such cases correctly to ensure consistent reporting behavior. |
| API Scanning | We fixed an issue where QID 150263 was not reported for redirect responses in Postman/APISEC scans. The engine now correctly reports this QID for insecure HTTP links that do not redirect to HTTPS, including 200, 4xx, and 5xx responses. |
| Authentication | We fixed an issue where authentication failed during WAS scans due to errors encountered while the application was loading during Selenium execution. The engine now handles such load-time errors more reliably to ensure successful authentication during scans. |
| Crawling | We fixed an issue where URLs skipped as redundant under QID 150140 were incorrectly listed under Links Crawled (QID 150009). The QID 150009 results now report unique links crawled and HTML forms submitted by the scanner, as expected. |
| Response Handling | We fixed memory issues that occurred when processing large or slow HTTP response pages for certain web applications. The engine now handles such responses more efficiently, improving scan stability. |