Web Application Scanning Engine Release 10.16
April 23, 2026
Cross-Site Framing Detection
We have added a new detection for Cross-Site Framing. Qualys ID (QID) 531006 is now reported during the crawl phase.
Cross-Frame Scripting (XFS) is a web attack technique that exploits specific browser vulnerabilities by loading a valid website within an `<iframe>`. With this detection, you can discover security risks posed by missing security headers, mitigate XFS vulnerabilities, prevent Clickjacking, and reduce hidden entry points for attackers.
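The "missing security headers" this detection looks for are the two anti-framing controls browsers honour: `X-Frame-Options` and the Content Security Policy `frame-ancestors` directive. The following is an added example (not the Qualys scanner's own detection logic) that evaluates a response's headers the way a browser would and reports whether the page can be framed by another origin; the sample responses are constructed for illustration.

```python
"""Assess whether an HTTP response carries enforceable anti-framing protection.

Added example, not Qualys scanner code. It applies the browser rules for
X-Frame-Options (DENY / SAMEORIGIN) and the CSP frame-ancestors directive;
when both headers are present, browsers honour frame-ancestors and ignore
X-Frame-Options, so that is the order checked here.
"""
from dataclasses import dataclass


@dataclass
class FramingResult:
    protected: bool  # True if browsers will refuse cross-origin framing
    reason: str      # human-readable explanation of the finding


def parse_frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header value,
    or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def _is_permissive(source: str) -> bool:
    # '*' or a scheme-only source such as 'https:' lets any origin frame the page
    return source == "*" or source.endswith(":") or source.startswith("*:")


def assess_framing(headers: dict) -> FramingResult:
    """Evaluate response headers (names are case-insensitive) for framing risk."""
    h = {name.lower(): value.strip() for name, value in headers.items()}

    # 1. CSP frame-ancestors takes precedence. Report-Only policies enforce nothing.
    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            if not ancestors or ancestors == ["'none'"]:
                return FramingResult(True, "CSP frame-ancestors forbids all framing")
            if any(_is_permissive(s) for s in ancestors):
                return FramingResult(False, "CSP frame-ancestors allows any origin")
            return FramingResult(True, "CSP frame-ancestors restricts framing to listed origins")

    # 2. Fall back to X-Frame-Options.
    xfo = h.get("x-frame-options")
    if xfo is not None:
        value = xfo.upper()
        if value in ("DENY", "SAMEORIGIN"):
            return FramingResult(True, f"X-Frame-Options: {value}")
        if value.startswith("ALLOW-FROM"):
            return FramingResult(False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by modern browsers")
        return FramingResult(False, f"invalid X-Frame-Options value {xfo!r} is ignored by browsers")

    # 3. Nothing enforceable: any site can frame the page (XFS / clickjacking risk).
    return FramingResult(False, "no enforceable anti-framing header")


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "no-headers": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin-lower": {"x-frame-options": "sameorigin"},
    "xfo-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-hosts": {"Content-Security-Policy": "frame-ancestors 'self' https://portal.example"},
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "csp-overrides-xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors *"},
    "csp-report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
}


def scan_samples(samples=SAMPLE_RESPONSES):
    """Run the check over every sample and return {name: FramingResult}."""
    return {name: assess_framing(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        status = "OK  " if result.protected else "RISK"
        print(f"{status} {name:22s} {result.reason}")
```

The `csp-overrides-xfo` case is the one most often missed in manual reviews: a `DENY` header gives no protection when a `frame-ancestors *` directive sits beside it, because browsers discard `X-Frame-Options` whenever `frame-ancestors` is present.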
Reduced Connection Timeouts in Web Application Testing
We have reduced connection timeouts for slow server responses in web application testing using Common Gateway Interface (CGI). When a server responds slowly, the connection timeout is reduced to allow the scan to continue with other tests, reducing the overall scan time.
Command Injection Support in Power Mode
We have added support for Command Injection in power mode through special configurations, enabling in-depth scanning with additional system payloads.
Traditional payload scanning may miss certain detections that depend on specific payloads or environment configurations. Command Injection in Power Mode enables you to discover command injection vulnerabilities that may otherwise go undetected.
To enable this feature, contact Qualys Support.
Custom Signatures Support for 64-Bit Scanners
We have extended custom signatures support to all 64-bit scanners. Custom signatures are an existing feature that allows you to create signatures for specific detections, including path traversal, file extensions, backup files, sensitive data disclosure on specific files, crafted headers, and open redirect vulnerabilities.
Improved Redundant Link Reporting
When a link is collected during crawling, it must pass a series of filtering conditions before being added to the crawl queue. Redundancy checks are applied as one of these conditions. A link that passes the redundancy check must still pass all remaining conditions before it is queued for crawling. Links that do not meet all conditions are discarded.
As a result, crawled URLs reported under QID 150140 may not appear in QID 150009.
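To make the ordering concrete, here is an added illustration (not the Qualys crawler's code) of a crawl-queue filter in which the redundancy check is only the first of several conditions. The specific conditions, their order, the redundancy key, and the sample links are constructed assumptions; the point it shows is that the set of links passing the redundancy check is a superset of the set actually queued, which is why the two reported lists can differ.

```python
"""Crawl-queue filtering pipeline, added as an illustration of why links that
pass the redundancy check are not necessarily queued. Not Qualys code: the
conditions, their order, and the redundancy key are constructed assumptions.
"""
from urllib.parse import urlsplit, parse_qsl


def redundancy_key(url: str):
    """Treat URLs that differ only in query parameter values as the same page.
    (Assumed redundancy rule: scheme, host, path, and sorted parameter names.)"""
    s = urlsplit(url)
    names = sorted(name for name, _ in parse_qsl(s.query, keep_blank_values=True))
    return (s.scheme, s.netloc.lower(), s.path, tuple(names))


class CrawlFilter:
    def __init__(self, scope_host, excluded_ext=(".png", ".jpg", ".css", ".js"), max_depth=3):
        self.scope_host = scope_host.lower()
        self.excluded_ext = excluded_ext
        self.max_depth = max_depth
        self.seen_keys = set()

    def consider(self, url: str, depth: int):
        """Return (queued, reason). Redundancy is checked first; a link that
        survives it must still pass every remaining condition."""
        key = redundancy_key(url)
        if key in self.seen_keys:
            return False, "redundant"
        self.seen_keys.add(key)  # passed the redundancy check

        parts = urlsplit(url)
        if parts.netloc.lower() != self.scope_host:
            return False, "out of scope"
        if parts.path.lower().endswith(self.excluded_ext):
            return False, "excluded extension"
        if depth > self.max_depth:
            return False, "exceeds max depth"
        return True, "queued"


# Constructed sample links as (url, crawl depth); not from any real crawl.
SAMPLE_LINKS = [
    ("https://app.example/products?id=1", 1),
    ("https://app.example/products?id=2", 1),   # same page template: redundant
    ("https://cdn.example/logo.png", 1),        # passes redundancy, out of scope
    ("https://app.example/static/site.css", 1), # passes redundancy, excluded ext
    ("https://app.example/a/b/c/d", 5),         # passes redundancy, too deep
    ("https://app.example/cart", 2),
]


def run_crawl_filter(links=SAMPLE_LINKS, scope_host="app.example"):
    """Apply the filter to every collected link and return the counts at each stage."""
    f = CrawlFilter(scope_host)
    decisions = {url: f.consider(url, depth) for url, depth in links}
    return {
        "collected": len(links),
        "passed_redundancy": sum(1 for _, reason in decisions.values() if reason != "redundant"),
        "queued": sum(1 for queued, _ in decisions.values() if queued),
        "decisions": decisions,
    }


if __name__ == "__main__":
    result = run_crawl_filter()
    for url, (queued, reason) in result["decisions"].items():
        print(f"{'QUEUE ' if queued else 'DROP  '} {url:45s} {reason}")
    print({k: v for k, v in result.items() if k != "decisions"})
```

With the sample input, six links are collected, five pass the redundancy check, and only two are queued; the three links in between are exactly the ones that would show up in a "passed redundancy" report but never be crawled.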
Enhancements for API Security
The following enhancements are available for the API security feature in TotalAppSec.
Improved Authentication Handling for Swagger API Requests
Authentication handling is improved for scans using Selenium script authentication with a Swagger file. With this enhancement, cookies collected after Selenium authentication are now used for API Security scans, especially when parsing the OpenAPI file and discovering endpoints within the in-scope domain.
Previously, although the Selenium script executed successfully and generated cookies, the cookies were not included in subsequent API requests, resulting in 401 responses.
Issues Addressed
The following important and notable issues are fixed in this release.
| Category/Component | Description |
|---|---|
| API Security scans | We fixed an issue where Postman scans did not parse and test all endpoints. Postman scans now continue parsing and testing all endpoints without interruption. |
| Authentication | We fixed an issue where a vulnerability scan error occurred when custom authentication with a Login URL was configured. The issue was observed when the scan resulted in an error during the static ID analysis test phase. |
| Detection | We fixed an issue with Clickjacking vulnerability detection that occurred when a web application made third-party analytics requests. |
| Authentication | We fixed an issue where parametrized credentials from authentication records were not applied during Selenium authentication, resulting in authentication failure. Parameterized credential support for Selenium authentication is now working as expected. |