Web Application Scanning Engine Release 10.14
March 24, 2026
With this release of WAS Engine, we have introduced the following updates.
HTTP/2 Protocol Support
The scanning engine now supports applications using the HTTP/2 protocol. Applications enabled with HTTP/2 can be crawled and tested for vulnerabilities.
QID 150730 is reported when a connection is established over the HTTP/2 protocol.
Improved URL Pattern Handling
We have enhanced the auto-generated rules so that they no longer match redundant URLs against base URLs, which improves the accuracy with which redundant patterns for similar URLs are identified.
Enhanced Reporting for OAuth2 Detection
We have enhanced QID 150958 to report the exact URL that returns the access token. This change helps identify instances where OAuth2 Implicit Grant Type is used.
The Implicit grant type is deprecated by OAuth 2.0 Security Best Current Practices and may expose access tokens through browser history, referrer headers, or client-side scripts.
Detection of JWT Tokens Using Symmetric Algorithms in Response Headers
A new QID 150922 is now reported when JWT tokens using symmetric algorithms are detected in response headers. This detection highlights potential risks where symmetric algorithms are used for token signing. Misconfigurations may allow misuse of keys or increase the risk of token forgery and brute-force attacks.
To mitigate this risk, review the JWT token configuration and ensure only the intended signature algorithm is used.
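As an added illustration, not part of these release notes or the scanner's own detection logic, the following Python sketch shows the kind of check behind such a detection: it finds JWT-shaped values in response headers, decodes the header segment and flags the HMAC algorithms. The header names, tokens and the fake_token helper are constructed samples.

```python
import base64
import json
import re

# HMAC (symmetric) JWS algorithms from RFC 7518: anyone holding the
# verification key can also mint tokens, which is the risk QID 150922 flags.
SYMMETRIC_ALGS = {"HS256", "HS384", "HS512"}
# Compact JWS serialization: three base64url segments joined by dots.
JWT_RE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def b64url_decode(segment: str) -> bytes:
    # Compact serialization strips '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_alg(token: str):
    """Return the 'alg' from a JWT header, or None if the text is not a JWT."""
    try:
        header = json.loads(b64url_decode(token.split(".")[0]))
    except (ValueError, UnicodeDecodeError):
        return None  # e.g. a version string like 1.25.3 that matched JWT_RE
    return header.get("alg") if isinstance(header, dict) else None

def find_symmetric_jwts(headers: dict) -> list:
    """Return (header name, alg) for each HMAC-signed JWT in response headers."""
    findings = []
    for name, value in headers.items():
        for match in JWT_RE.finditer(value):
            alg = jwt_alg(match.group(0))
            if isinstance(alg, str) and alg in SYMMETRIC_ALGS:
                findings.append((name, alg))
    return findings

def fake_token(alg: str) -> str:
    """Constructed sample: JWT-shaped text with the given alg and a dummy signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc({'sub': 'demo'})}.c2ln"

# Constructed response headers: an HS256 token in a cookie, an RS256 bearer token,
# and a Server header whose version number is JWT-shaped but not a JWT.
SAMPLE_HEADERS = {
    "Set-Cookie": f"session={fake_token('HS256')}; Path=/; HttpOnly",
    "Authorization": f"Bearer {fake_token('RS256')}",
    "Server": "nginx/1.25.3",
}

if __name__ == "__main__":
    for name, alg in find_symmetric_jwts(SAMPLE_HEADERS):
        print(f"symmetric JWT ({alg}) found in response header {name}")
```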
Enhanced Proxy Connection Handling
Proxy connection handling is enhanced for WAS scans, especially for scans launched using intranet scanners.
Configuring a proxy to handle connections on ports 80 (HTTP) and 443 (HTTPS) involves specifying the proxy's address and port in the scan settings. As these are the default ports for web traffic, WAS scans now automatically handle them during scanning. For any other ports, the scan appends the port and initiates the HTTP request through the configured proxy.
Enhancements for API Security
The following enhancements are available for the API security feature in TotalAppSec.
Support for Client Certificate Authentication in Postman Collection Scans
Extended Support for Client Certificate Upload - You can now upload client certificates for Postman collection scans.
Previously, client certificate authentication was not supported in Postman collection scans. With this change, you can now scan APIs that require client certificate authentication.
Proxy Bypass for Configured Endpoints
You can now configure endpoints to bypass proxy settings. When a proxy is configured, users can designate specific endpoints to bypass the proxy. HTTP requests to those endpoints will be sent directly without routing through the proxy.
Issues Addressed
The following important and notable issues are fixed in this release.
| Category/Component | Description |
|---|---|
| NTLM Authentication | NTLM authentication success was not reported when the authentication domain differed from the base URI domain, and the authentication status was unknown. This issue is resolved. The scanner now attempts NTLM authentication and correctly reports successful authentication in such cases. |