Web Application Scanning Engine Release 10.15

April 8, 2026

With this release of WAS Engine, we have introduced the following updates.

Traceroute QID Reported on All WAS Scans

We have enhanced QID 530030 to display the Traceroute output from the Qualys External Scanner to the target application. With this enhancement, you can view Traceroute diagnostics directly within the scan results for WAS and TAS external scans.

With the Traceroute diagnostics, you can identify and resolve connectivity issues faster, proactively work with your network teams to allow Qualys scanner IPs, and quickly restore scanning operations.

Information on Number of POSTs/Submissions Against a Form Page

With this release, QID 150605 is enhanced to include information related to the number of POST requests executed in each test phase against a Form page.

Report Third-Party Authentication Schemes

QID 150900 now reports the details of the third-party authentication implementation detected during the scan, including Okta, OAuth, GitHub, Google, and Facebook. 

This helps identify and prevent security risks, such as data breaches, vendor dependency, data leakage, and unauthorized access resulting from insecure API configurations between your application and third-party vendors.

Better Scan Execution Summary

We have introduced QID 150606 to provide a more intuitive, easier-to-understand scan execution summary, similar to QID 150021.

The QID reports scan metadata, including the total number of links and parameters tested, the total number of requests per phase, the time required to complete each phase, and the phase status. 

Extended Optimization for Image Files

We have extended the feature that ignores links with specified binary extensions to cover image and CSS files. When the "Ignore common binary files based on file extensions" checkbox is selected under Option Profile > Scan Parameters, URLs with the extensions png, jpeg, jpg, gif, bmp, svg, tiff, tif, and css are now excluded during crawling.

This helps avoid crawling static image files, prevents the crawl queue from filling with non-testable file types, and reduces the overall scan time.

Removal of Unnecessary Ajax Links from Crawl Queue

We have removed unnecessary Ajax links, including fragments, from the list of crawled links, as these links are not requested over the wire. This reduces crawl time and helps progressive scans complete faster. QID 150497 is reported as part of this improvement.
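The following is an added illustration, not Qualys code, of the two crawl-queue reductions described above (skipping links by file extension and dropping fragment-only variants), useful for estimating which URLs of an application a scan will not request. The release note does not say how the engine treats letter case or query strings; matching on the lowercase extension of the URL path is an assumption here, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit
import posixpath

# Extension list as given in the release note.
IGNORED_EXTENSIONS = {"png", "jpeg", "jpg", "gif", "bmp", "svg", "tiff", "tif", "css"}


def crawl_key(url):
    """Return the URL as it would be requested over the wire (fragment removed)."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc.lower(), p.path or "/", p.query, ""))


def has_ignored_extension(url):
    """True when the URL path (not the query string) ends in a listed extension."""
    ext = posixpath.splitext(urlsplit(url).path)[1]
    return ext.lstrip(".").lower() in IGNORED_EXTENSIONS  # assumption: case-insensitive


def plan_crawl(urls):
    """Split links into (queued, skipped_static, dropped_fragment_duplicates)."""
    queued, skipped, dropped = [], [], []
    seen = set()
    for url in urls:
        key = crawl_key(url)
        if key in seen:
            dropped.append(url)  # same wire request as an earlier link
            continue
        seen.add(key)
        (skipped if has_ignored_extension(key) else queued).append(url)
    return queued, skipped, dropped


# Constructed sample links, for illustration only.
SAMPLE = [
    "https://app.example.test/",
    "https://app.example.test/account",
    "https://app.example.test/account#profile",
    "https://app.example.test/static/logo.PNG?v=3",
    "https://app.example.test/download?file=report.png",
    "https://app.example.test/theme/site.css",
    "https://app.example.test/#/settings",
]

if __name__ == "__main__":
    for label, items in zip(("queued", "skipped", "dropped"), plan_crawl(SAMPLE)):
        print(label, items)
```

Note that `/download?file=report.png` stays in the queue because the extension appears only in a parameter value, so the endpoint remains testable.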

Enhancements for API Security 

The following enhancements are available for the API security feature in TotalAppSec.

DNS Override Support for Postman Scans

We have added support for the DNS override feature in Postman scans. You can configure IP and DNS mappings, which will be used when requesting API endpoints during the scan.

Client Certificate Authentication Support for Swagger Scans

We have added support for client certificate authentication in Swagger scans. You can now upload a client certificate to authenticate Swagger endpoints that require specific client certificates.

Issues Addressed

The following important and notable issues are fixed in this release.

Category/Component: Description

Report: We fixed an issue where the response body was not reported when a cached response contained the payload. This is now correctly reported in QID 530592.

Scan: We improved redundancy optimization to generate rewrite rules for JPG and other file extensions. This helps avoid crawling static image files and reduces the overall scan time.

Scan: We fixed an issue that caused scan failure during the Web Services Description Language (WSDL) Enumeration Phase when unsupported complex type operations were encountered. Scans now parse WSDL files containing complexType SOAP headers, and QID 150087 is reported.

Scan: We fixed an issue where session cookies received after successful Selenium authentication were not added to the cookie jar for Swagger and Postman scans, resulting in 401 errors for endpoints that require session cookie authentication. Scans will now correctly send session cookies along with subsequent HTTP requests to Swagger endpoints.

Authentication: We fixed an issue where WAS was incorrectly sending Authorization headers with certain prefixes. Prefixes, including Basic and NTLM, are now ignored and handled through server authentication if configured and present in the web application.

Sensitive information handling: We have fixed the issue in the handling of sensitive fields in authentication records. Fields including OAuth, client_id, client_secret, username, and password are now masked in scan reports.
