Returns list of findings (vulnerabilities, sensitive contents, information gathered) found in web applications which are in the user’s scope.
Search Findings API also gives you the Qualys detection score (QDS) for the WAS detections in the API response.
Permissions required - User must have WAS module enabled. User account must have these permissions: Access Permission “API Access”. The output includes findings in the user's scope.
These elements are optional and act as filters. When multiple elements are specified, parameters are combined using a logical AND.
Click here for available operators
|
Parameter |
Mandatory /Optional |
Data Type |
Description |
|---|---|---|---|
|
id |
Optional |
integer |
ID of the finding (WebAppVuln, WebAppIg, or WebAppSensitiveContent). |
|
uniqueId |
Optional |
value |
The 36-bit unique id assigned to the finding. For example: <Finding> |
|
qid |
Optional |
integer |
Qualys ID assigned to the detection. |
|
name |
Optional |
text |
Name of the detection finding. |
|
type |
Optional |
keyword |
Type of the finding: VULNERABILITY, SENSITIVE_CONTENT, or INFORMATION_GATHERED. |
|
url |
Optional |
text |
URL of the web application on which the finding was detected. |
|
webApp.tags.id |
Optional |
date |
ID of the tag associated with the web application on which the finding was detected. |
|
webApp.tags.name |
Optional |
text |
Name of the tag associated with the web application on which the finding was detected. |
|
status |
Optional |
keyword |
Status of the finding: NEW, ACTIVE, REOPENED, PROTECTED and FIXED. |
|
patch |
Optional |
integer-long |
Use WAF to protect against vulnerabilities by installing virtual patches. |
|
webApp.id |
Optional |
integer |
ID of the web application on which the finding was detected. |
|
webApp.name |
Optional |
text |
Name of the web application on which the finding was detected. |
|
severity |
Optional |
integer |
Severity of the finding. |
|
externalRef |
Optional |
string |
Tip - Use operator IS EMPTY for findings with empty external references. |
|
ignoredDate |
Optional |
date |
The date on which the finding was marked to ignore. |
|
ignoredReason |
Optional |
keyword |
The reason for which the finding is ignored: FALSE_POSITIVE, RISK_ACCEPTED or NOT_APPLICABLE |
|
group |
Optional |
keyword |
XSS, SQL, INFO, PATH, CC, SSN_US or CUSTOM |
|
owasp.name |
Optional |
text |
Name of the OWASP vulnerability. |
|
owasp.code |
Optional |
integer |
Code associated with the OWASP vulnerability |
|
wasc.name |
Optional |
text |
Name of the vulnerability. |
|
wasc.code |
Optional |
integer |
Code of the vulnerability. |
|
cwe.id |
Optional |
integer |
ID associated with CWE. |
|
firstDetectedDate |
Optional |
date |
The date when the finding was first detected in the web application, |
|
lastDetectedDate |
Optional |
date |
The date when the finding was last detected in the web application. |
|
lastTestedDate |
Optional |
date |
The date when the finding was last tested in the web application. |
|
timesDetected |
Optional |
integer |
The count indicates the number of times the finding was detected. |
|
severity level |
Optional |
integer |
The severity associated with the finding:1,2,3,4,5 |
API request
curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "<qualys_base_url>/qps/rest/3.0/search/was/finding/" < file.xml
Note: “file.xml” contains the request POST data.
Request POST data
<ServiceRequest>
<preferences>
<verbose>true</verbose>
</preferences>
<filters>
<Criteria field="id" operator="EQUALS">156582</Criteria>
</filters>
</ServiceRequest>
XML response
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/finding.xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<hasMoreRecords>false</hasMoreRecords>
<data>
<Finding>
<id>156582</id>
<uniqueId>8a2c4d51-6d28-2b92-e053-2943720a74ab</uniqueId>
<qid>150124</qid>
<name>
<![CDATA[Clickjacking - Framable Page]]>
</name>
<type>VULNERABILITY</type>
<findingType>QUALYS</findingType>
<cwe>
<count>1</count>
<list>
<long>451</long>
</list>
</cwe>
<owasp>
<count>1</count>
<list>
<OWASP>
<name>
<![CDATA[Security Misconfiguration]]>
</name>
<url>
<![CDATA[https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration]]>
</url>
<code>6</code>
</OWASP>
</list>
</owasp>
<wasc>
<count>1</count>
<list>
<WASC>
<name>
<![CDATA[Application Misconfiguration]]>
</name>
<url>
<![CDATA[http://projects.webappsec.org/w/page/13246914/WASC]]>
</url>
<code>15</code>
</WASC>
</list>
</wasc>
<resultList>
<count>1</count>
<list>
<Result>
<authentication>false</authentication>
<ajax>false</ajax>
<payloads>
<count>1</count>
<list>
<PayloadInstance>
<payload>
<![CDATA[N/A]]>
</payload>
<request>
<method>
<![CDATA[GET]]>
</method>
<link>
<![CDATA[http://funkytown.vuln.qa.qualys.com/cassium/xss/]]>
</link>
<headers>
<![CDATA[]]>
</headers>
</request>
<response>
<![CDATA[The URI was framed.
]]>
</response>
</PayloadInstance>
</list>
</payloads>
</Result>
</list>
</resultList>
<severity>3</severity>
<url>
<![CDATA[http://funkytown.vuln.qa.qualys.com/cassium/xss/]]>
</url>
<status>ACTIVE</status>
<firstDetectedDate>2017-04-28T09:36:13Z</firstDetectedDate>
<lastDetectedDate>2018-02-21T09:03:32Z</lastDetectedDate>
<lastTestedDate>2018-02-21T09:03:32Z</lastTestedDate>
<timesDetected>3</timesDetected>
<webApp>
<id>286824</id>
<name>
<![CDATA[webapp]]>
</name>
<url>
<![CDATA[http://funkytown.vuln.qa.qualys.com:80/cassium/xss/]]>
</url>
<tags>
<count>2</count>
<list>
<Tag>
<id>8753812</id>
<name>
<![CDATA[Multiscan]]>
</name>
</Tag>
<Tag>
<id>9029017</id>
<name>
<![CDATA[TagWebapp1]]>
</name>
</Tag>
</list>
</tags>
</webApp>
<isIgnored>true</isIgnored>
<ignoredReason>FALSE_POSITIVE</ignoredReason>
<ignoredBy>
<id>1056860</id>
<username>user_john</username>
<firstName>
<![CDATA[John]]>
</firstName>
<lastName>
<![CDATA[Doe]]>
</lastName>
</ignoredBy>
<ignoredDate>2019-03-04T03:19:29Z</ignoredDate>
<ignoredComment>
<![CDATA[This is test comment]]>
</ignoredComment>
<retest/>
</Finding>
</data>
</ServiceResponse>
API request
curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/search/was/finding/" < file.xml
Note: “file.xml” contains the request POST data.
Request POST data
<ServiceRequest>
<filters>
<Criteria field="id" operator="EQUALS">935943</Criteria>
</filters>
</ServiceRequest>
XML response
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/finding.xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<hasMoreRecords>false</hasMoreRecords>
<data>
<Finding>
<id>935943</id>
<uniqueId>8a2c4d51-6d28-2b92-e053-2943720a74ab</uniqueId>
<qid>150117</qid>
<name>
<![CDATA[Path-Based Cross-Site Scripting (XSS)]]>
</name>
<type>VULNERABILITY</type>
<findingType>QUALYS</findingType>
<severity>5</severity>
<url>
<![CDATA[http://funkytown.vuln.qa.example.com/cassium/traversal/page_48/%22%3e%3cimg%20src%3dq%20onerror%3dalert(9)%3e]]>
</url>
<status>ACTIVE</status>
<firstDetectedDate>2017-04-04T06:15:33Z</firstDetectedDate>
<lastDetectedDate>2017-04-04T06:16:20Z</lastDetectedDate>
<lastTestedDate>2017-04-04T06:16:20Z</lastTestedDate>
<timesDetected>3</timesDetected>
<webApp>
<id>4080112</id>
<name>
<![CDATA[web app 1491286489688]]>
</name>
<url>
<![CDATA[http://funkytown.vuln.qa.example.com:80/cassium/xss/]]>
</url>
</webApp>
<isIgnored>true</isIgnored>
</Finding>
</data>
</ServiceResponse>
API request
curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/search/was/finding/" < file.xml
Note: “file.xml” contains the request POST data.
Request POST data
<ServiceRequest>
<filters>
<Criteria field="id" operator="EQUALS">935943</Criteria>
</filters>
</ServiceRequest>
XML response
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/finding.xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<hasMoreRecords>false</hasMoreRecords>
<data>
<Finding>
<id>935943</id>
<uniqueId>8a2c4d51-6d28-2b92-e053-2943720a74ab</uniqueId>
<qid>150117</qid>
<name>
<![CDATA[Path-Based Cross-Site Scripting (XSS)]]>
</name>
<type>VULNERABILITY</type>
<findingType>QUALYS</findingType>
<severity>5</severity>
<url>
<![CDATA[http://funkytown.vuln.qa.example.com/cassium/traversal/page_48/%22%3e%3cimg%20src%3dq%20onerror%3dalert(9)%3e]]>
</url>
<status>ACTIVE</status>
<firstDetectedDate>2017-04-04T06:15:33Z</firstDetectedDate>
<lastDetectedDate>2017-04-04T06:16:20Z</lastDetectedDate>
<lastTestedDate>2017-04-04T06:16:20Z</lastTestedDate>
<timesDetected>3</timesDetected>
<webApp>
<id>4080112</id>
<name>
<![CDATA[web app 1491286489688]]>
</name>
<url>
<![CDATA[http://funkytown.vuln.qa.example.com:80/cassium/xss/]]>
</url>
</webApp>
<isIgnored>true</isIgnored>
</Finding>
</data>
As every uniqueId is unique, using uniqueId, you could search for the exact finding.
API request
curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/search/was/finding/" < file.xml
Note: “file.xml” contains the request POST data.
Request POST data
<ServiceRequest>
<filters>
<Criteria field="uniqueId" operator="EQUALS">8a2c4d51-6d28-2b92-e053-2943720a74ab</Criteria>
</filters>
</ServiceRequest>
XML response
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://qualysapi.qualys.com/qps/xsd/3.0/was/finding.xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<hasMoreRecords>false</hasMoreRecords>
<data>
<Finding>
<id>132990</id>
<uniqueId>8a2c4d51-6d28-2b92-e053-2943720a74ab</uniqueId>
<qid>150004</qid>
<name>
<![CDATA[Path-Based Vulnerability]]>
</name>
<type>VULNERABILITY</type>
<findingType>QUALYS</findingType>
<cwe>
<count>1</count>
<list>
<long>22</long>
</list>
</cwe>
...
</webApp>
<isIgnored>false</isIgnored>
<retest/>
</Finding>
</data>undefined</ServiceResponse>
This example shows you how to search findings using detection ID. It also displays the QDS for the finding.
API Request
curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --databinary @-"https://
<qualys_base_url>/qps/rest/3.0/search/was/finding/"<file.xml>
API Request Body
<?xml version="1.0" encoding="UTF-8" ?>
<ServiceRequest>
<preferences>
<verbose>true</verbose>
</preferences>
<filters>
<Criteria field="id" operator="EQUALS">131201</Criteria>
</filters>
</ServiceRequest>
Response
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="
<qualys_base_url>/qps/xsd/3.0/was/finding.
xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<hasMoreRecords>false</hasMoreRecords>
<data>
<Finding>
<id>131201</id>
<uniqueId>f29f2c61-46de-4a96-a809-714dc76040bd</uniqueId>
<qid>0</qid>
<detectionScore>0</detectionScore>
<type>VULNERABILITY</type>
<potential>false</potential>
<findingType>BUGCROWD</findingType>
<severity>5</severity>
<status>NEW</status>
<firstDetectedDate>2017-05-18T16:23:39Z</firstDetectedDate>
<lastDetectedDate>2017-05-18T16:24:23Z</lastDetectedDate>
<lastTestedDate>2017-05-18T16:24:23Z</lastTestedDate>
<timesDetected>1</timesDetected>
<webApp>
<id>39725630</id>
<name>
<![CDATA[Copy of Test web app for audit logs]]>
</name>
<url>
<![CDATA[http://10.11.68.26]]>
</url>
<tags>
<count>1</count>
<list>
<Tag>
<id>133578207</id>
<name>
<![CDATA[Test Tag]]>
</name>
</Tag>
</list>
</tags>
</webApp>
<isIgnored>false</isIgnored>
<updatedDate>2023-09-06T12:22:58Z</updatedDate>
</Finding>
</data>
</ServiceResponse>
<platform API server>/qps/xsd/3.0/was/finding.xsd