Returns details for a finding on a web application which is in the user’s scope. See “Search findings” to find a record ID to use as input? See Search Findings.
Get Finding Details API also gives you the Qualys detection score (QDS) for the WAS detections in the API response.
Permissions required - User must have WAS module enabled. User account must have these permissions: Access Permission “API Access”. The output includes findings for web applications in the user's scope.
The element “id” (integer) is required, where “id” identifies a finding (WebAppVuln, WebAppIg, or WebAppSensitiveContent).
Let us view details for the web application with the ID 1729432.
API request
curl -n -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/qps/rest/3.0/get/was/finding/1729432"
XML response
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/finding.xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<data>
<Finding>
<id>1729432</id>
<uniqueId>8a2c4d51-6d28-2b92-e053-2943720a74ab</uniqueId>
<qid>150117</qid>
<name>
<![CDATA[Path-Based Cross-Site Scripting (XSS)]]>
</name>
<type>VULNERABILITY</type>
<findingType>QUALYS</findingType>
<group>XSS</group>
<cwe>
<count>1</count>
<list>
<long>79</long>
</list>
</cwe>
<owasp>
<count>1</count>
<list>
<OWASP>
<name>
<![CDATA[Cross-Site Scripting (XSS)]]>
</name>
<url>
<![CDATA[https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)]]>
</url>
<code>7</code>
</OWASP>
</list>
</owasp>
<wasc>
<count>1</count>
<list>
<WASC>
<name>
<![CDATA[Cross-Site Scripting]]>
</name>
<url>
<![CDATA[http://projects.webappsec.org/w/page/13246920/WASC]]>
</url>
<code>8</code>
</WASC>
</list>
</wasc>
<resultList>
<count>1</count>
<list>
<Result>
<authentication>false</authentication>
<ajax>false</ajax>
<payloads>
<count>1</count>
<list>
<PayloadInstance>
<payload>
<![CDATA[@APPEND@/%22%3e%3cimg%20src%3dq%20onerror%3dalert(9)%3e]]>
</payload>
<request>
<method>
<![CDATA[GET]]>
</method>
<link>
<![CDATA[http://funkytown.vuln.qa.qualys.com/cassium/traversal/page_48/%22%3e%3cimg%20src%3dq%20onerror%3dalert(9)%3e]]>
</link>
<headers>
<![CDATA[UmVmZXJlcjogaHR0cDovL2Z1bmt5dG93bi52dWxuLnFhLnF1YWx5cy5jb20vY2Fzc2l1bS94c3MvDQpDb29raWU6IFBIUFNFU1NJRD00ODlmNTI4ZjUxNWE1MTY3MjM0OTQwNzExYTE1MWM0MDsNCg==]]>
</headers>
</request>
<response>
<![CDATA[<html><head><title>Welcome to page page_48/\"><img src=q onerror=alert(9)></title></head><body><h1>Welcome to page page_48/\"><img src=q onerror=alert(9)></h1>Click <a href='/cassium/traversal/page_49'>here</a> to go to the next page.Click<a href='/cassium/traversal/page_47'>here</a> to go back to the previous page.</body></html>
You can fetch details of a finding using uniqueId.
API request
curl -n -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/qps/rest/3.0/get/was/finding/8a2c4d51-6d28-2b92-e053-2943720a74ab"
XML response
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://qualysapi.qualys.com/qps/xsd/3.0/was/finding.xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<data>
<Finding>
<id>132990</id>
<uniqueId>8a2c4d51-6d28-2b92-e053-2943720a74ab</uniqueId>
<qid>150004</qid>
<name>
<![CDATA[Path-Based Vulnerability]]>
</name>
<type>VULNERABILITY</type>
<findingType>QUALYS</findingType>
<group>PATH</group>
<cwe>
<count>1</count>
<list>
<long>22</long>
</list>
</cwe>
...
<isIgnored>false</isIgnored>
<retest/>
</Finding>
</data>
</ServiceResponse>
Let us view the two groups for issues of type Information Gathered:
- Diagnostic IG (general information about the scan)
- Weakness IG (issues that are security weakness or conflict with best practices)
The response accordingly reflects to which group the issue belongs.
API request
curl -n -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/qps/rest/3.0/get/was/finding/713223"
XML response
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/finding.xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<data>
<Finding>
<id>713223</id>
<uniqueId>8c9c933f-04f1-f77e-e053-294f2c0ab892</uniqueId>
<qid>150014</qid>
<name>
<![CDATA[External Form Actions Discovered]]>
</name>
<type>INFORMATION_GATHERED</type>
<findingType>QUALYS</findingType>
<group>IG_DIAG</group>
<resultList>
<count>1</count>
<list>
....
</tags>
</webApp>
</Finding>
</data>
</ServiceResponse>
Let us fetch details of a finding that includes different types of SSL/TLS and Certificate issues. Depending on the type of the finding, the details are listed in Information Gathered and Information Disclosure type. The different types of SSL/TLS and certificate issues that we support are:
- SSL Data with Certificate Fingerprint
- SSL Data with Prop
- SSL Data with Kex
- SSL Data with Ciphers
The finding you view could include one or multiple issues for an issue type that is listed above. The name tag indicates the type of the issue.
API request
curl -n -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/qps/rest/3.0/get/was/finding/581856"
XML response (SSL Data with Certificate Fingerprint)
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/finding.xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<data>
<Finding>
<id>581856</id>
<uniqueId>d6a88c61-fcda-4f46-9767-1d8cb521d953</uniqueId>
<qid>86002</qid>
<name>
<![CDATA[SSL Certificate - Information]]>
</name>
<type>INFORMATION_GATHERED</type>
<findingType>QUALYS</findingType
...
<sslDataInfoList>
<list>
<SSLDataInfo>
<certificateFingerprint>291126AC8ED272F71EDF06E5B76BBECD1C811769D4FE988DE95FF848AFEBCF6A</certificateFingerprint>
</SSLDataInfo>
</list>
</sslDataInfoList>
</sslData>
</Finding>
</data>undefined</ServiceResponse>
This example shows the finding details with QDS.
API Request
curl -n -u "USERNAME:PASSWORD"
"<qualys_base_url>/qps/rest/3.0/get/was/finding/131201"
Response
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="
<qualys_base_url>/qps/xsd/3.0/was/finding.
xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<data>
<Finding>
<id>131201</id>
<uniqueId>f29f2c61-46de-4a96-a809-714dc76040bd</uniqueId>
<qid>0</qid>
<detectionScore>0</detectionScore>
<name>
<![CDATA[XXX to RCE]]>
</name>
<type>VULNERABILITY</type>
<potential>false</potential>
<findingType>BUGCROWD</findingType>
<severity>5</severity>
<status>NEW</status>
<firstDetectedDate>2017-05-18T16:23:39Z</firstDetectedDate>
<lastDetectedDate>2017-05-18T16:24:23Z</lastDetectedDate>
<lastTestedDate>2017-05-18T16:24:23Z</lastTestedDate>
<timesDetected>1</timesDetected>
<webApp>
<id>39725630</id>
<name>
<![CDATA[Copy of Test web app for audit logs]]>
</name>
<url>
<![CDATA[http://10.11.68.26]]>
</url>
<tags>
<count>1</count>
<list>
<Tag>
<id>133578207</id>
<name>
<![CDATA[Test Tag]]>
</name>
</Tag>
</list>
</tags>
</webApp>
<isIgnored>false</isIgnored>
<updatedDate>2023-09-06T12:22:58Z</updatedDate>
</Finding>
</data>
</ServiceResponse>
<platform API server>/qps/xsd/3.0/was/finding.xsd