Search Findings
Returns a list of findings (vulnerabilities, sensitive content, information gathered) found in web applications that are in the user's scope. Use the limitHistories parameter to limit the maximum number of previous records associated with a finding that are returned in the API response; it reduces the processing time needed to generate the response by controlling the number of records.
The Search Findings API also returns the Qualys Detection Score (QDS) for each WAS detection in the API response.
Permissions required: the user must have the WAS module enabled, and the user account must have these permissions: Access Permission, API Access. The output includes findings in the user's scope.
Input Parameters
These elements are optional and act as filters. When multiple elements are specified, parameters are combined using a logical AND.
| Parameter | Mandatory/Optional | Data Type | Description |
|---|---|---|---|
| id | Optional | integer | ID of the finding (WebAppVuln, WebAppIg, or WebAppSensitiveContent). |
| uniqueId | Optional | value | The 36-bit unique id assigned to the finding. For example: |
| qid | Optional | integer | Qualys ID assigned to the detection. |
| name | Optional | text | Name of the detection finding. |
| type | Optional | keyword | Type of the finding: VULNERABILITY, SENSITIVE_CONTENT, or INFORMATION_GATHERED. |
| url | Optional | text | URL of the web application on which the finding was detected. |
| webApp.tags.id | Optional | date | ID of the tag associated with the web application on which the finding was detected. |
| webApp.tags.name | Optional | text | Name of the tag associated with the web application on which the finding was detected. |
| status | Optional | keyword | Status of the finding: NEW, ACTIVE, REOPENED, PROTECTED, or FIXED. |
| patch | Optional | integer-long | Use WAF to protect against vulnerabilities by installing virtual patches. |
| webApp.id | Optional | integer | ID of the web application on which the finding was detected. |
| webApp.name | Optional | text | Name of the web application on which the finding was detected. |
| severity | Optional | integer | Severity of the finding. |
| externalRef | Optional | string | Tip: use the operator IS EMPTY for findings with empty external references. |
| ignoredDate | Optional | date | The date on which the finding was marked as ignored. |
| ignoredReason | Optional | keyword | The reason for which the finding is ignored: FALSE_POSITIVE, RISK_ACCEPTED, or NOT_APPLICABLE. |
| group | Optional | keyword | XSS, SQL, INFO, PATH, CC, SSN_US, or CUSTOM. |
| owasp.name | Optional | text | Name of the OWASP vulnerability. |
| owasp.code | Optional | integer | Code associated with the OWASP vulnerability. |
| wasc.name | Optional | text | Name of the WASC vulnerability. |
| wasc.code | Optional | integer | Code of the WASC vulnerability. |
| cwe.id | Optional | integer | ID associated with the CWE. |
| firstDetectedDate | Optional | date | The date when the finding was first detected in the web application. |
| lastDetectedDate | Optional | date | The date when the finding was last detected in the web application. |
| lastTestedDate | Optional | date | The date when the finding was last tested in the web application. |
| timesDetected | Optional | integer | The number of times the finding was detected. |
| severity level | Optional | integer | The severity associated with the finding: 1, 2, 3, 4, or 5. |
| limitHistories | Optional | integer | Specify the number of previous records associated with a finding that the API should return in the response. For example, if you provide 10 as the parameter value, then 10 previous records associated with a finding are returned in the API response. The default value is 0, so by default the API does not return any previous records associated with a finding. |
Sample - Search for finding with specific ID
API request:
curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "<qualys_base_url>/qps/rest/3.0/search/was/finding/" < file.xml
Note: “file.xml” contains the request POST data.
Request POST data:
<ServiceRequest>
<preferences>
<verbose>true</verbose>
</preferences>
<filters>
<Criteria field="id" operator="EQUALS">156582</Criteria>
</filters>
</ServiceRequest>
XML response:
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/finding.xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<hasMoreRecords>false</hasMoreRecords>
<data>
<Finding>
<id>156582</id>
<uniqueId>8a2c4d51-6d28-2b92-e053-2943720a74ab</uniqueId>
<qid>150124</qid>
<name>
<![CDATA[Clickjacking - Framable Page]]>
</name>
<type>VULNERABILITY</type>
<findingType>QUALYS</findingType>
<cwe>
<count>1</count>
<list>
<long>451</long>
</list>
</cwe>
<owasp>
<count>1</count>
<list>
<OWASP>
<name>
<![CDATA[Security Misconfiguration]]>
</name>
<url>
<![CDATA[https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration]]>
</url>
<code>6</code>
</OWASP>
</list>
</owasp>
<wasc>
<count>1</count>
<list>
<WASC>
<name>
<![CDATA[Application Misconfiguration]]>
</name>
<url>
<![CDATA[http://projects.webappsec.org/w/page/13246914/WASC]]>
</url>
<code>15</code>
</WASC>
</list>
</wasc>
<resultList>
<count>1</count>
<list>
<Result>
<authentication>false</authentication>
<ajax>false</ajax>
<payloads>
<count>1</count>
<list>
<PayloadInstance>
<payload>
<![CDATA[N/A]]>
</payload>
<request>
<method>
<![CDATA[GET]]>
</method>
<link>
<![CDATA[http://funkytown.vuln.qa.qualys.com/cassium/xss/]]>
</link>
<headers>
<![CDATA[]]>
</headers>
</request>
<response>
<![CDATA[The URI was framed.
]]>
</response>
</PayloadInstance>
</list>
</payloads>
</Result>
</list>
</resultList>
<severity>3</severity>
<url>
<![CDATA[http://funkytown.vuln.qa.qualys.com/cassium/xss/]]>
</url>
<status>ACTIVE</status>
<firstDetectedDate>2017-04-28T09:36:13Z</firstDetectedDate>
<lastDetectedDate>2018-02-21T09:03:32Z</lastDetectedDate>
<lastTestedDate>2018-02-21T09:03:32Z</lastTestedDate>
<timesDetected>3</timesDetected>
<webApp>
<id>286824</id>
<name>
<![CDATA[webapp]]>
</name>
<url>
<![CDATA[http://funkytown.vuln.qa.qualys.com:80/cassium/xss/]]>
</url>
<tags>
<count>2</count>
<list>
<Tag>
<id>8753812</id>
<name>
<![CDATA[Multiscan]]>
</name>
</Tag>
<Tag>
<id>9029017</id>
<name>
<![CDATA[TagWebapp1]]>
</name>
</Tag>
</list>
</tags>
</webApp>
<isIgnored>true</isIgnored>
<ignoredReason>FALSE_POSITIVE</ignoredReason>
<ignoredBy>
<id>1056860</id>
<username>user_john</username>
<firstName>
<![CDATA[John]]>
</firstName>
<lastName>
<![CDATA[Doe]]>
</lastName>
</ignoredBy>
<ignoredDate>2019-03-04T03:19:29Z</ignoredDate>
<ignoredComment>
<![CDATA[This is test comment]]>
</ignoredComment>
<retest/>
</Finding>
</data>
</ServiceResponse>
Sample - Search with criteria: condensed response
API request:
curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/search/was/finding/" < file.xml
Note: “file.xml” contains the request POST data.
Request POST data:
<ServiceRequest>
<filters>
<Criteria field="id" operator="EQUALS">935943</Criteria>
</filters>
</ServiceRequest>
XML response:
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/finding.xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<hasMoreRecords>false</hasMoreRecords>
<data>
<Finding>
<id>935943</id>
<uniqueId>8a2c4d51-6d28-2b92-e053-2943720a74ab</uniqueId>
<qid>150117</qid>
<name>
<![CDATA[Path-Based Cross-Site Scripting (XSS)]]>
</name>
<type>VULNERABILITY</type>
<findingType>QUALYS</findingType>
<severity>5</severity>
<url>
<![CDATA[http://funkytown.vuln.qa.example.com/cassium/traversal/page_48/%22%3e%3cimg%20src%3dq%20onerror%3dalert(9)%3e]]>
</url>
<status>ACTIVE</status>
<firstDetectedDate>2017-04-04T06:15:33Z</firstDetectedDate>
<lastDetectedDate>2017-04-04T06:16:20Z</lastDetectedDate>
<lastTestedDate>2017-04-04T06:16:20Z</lastTestedDate>
<timesDetected>3</timesDetected>
<webApp>
<id>4080112</id>
<name>
<![CDATA[web app 1491286489688]]>
</name>
<url>
<![CDATA[http://funkytown.vuln.qa.example.com:80/cassium/xss/]]>
</url>
</webApp>
<isIgnored>true</isIgnored>
</Finding>
</data>
</ServiceResponse>
Sample - Search finding using uniqueId
Because every uniqueId is unique, searching by uniqueId returns exactly the finding you want.
API request:
curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/search/was/finding/" < file.xml
Note: “file.xml” contains the request POST data.
Request POST data:
<ServiceRequest>
<filters>
<Criteria field="uniqueId" operator="EQUALS">8a2c4d51-6d28-2b92-e053-2943720a74ab</Criteria>
</filters>
</ServiceRequest>
XML response:
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://qualysapi.qualys.com/qps/xsd/3.0/was/finding.xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<hasMoreRecords>false</hasMoreRecords>
<data>
<Finding>
<id>132990</id>
<uniqueId>8a2c4d51-6d28-2b92-e053-2943720a74ab</uniqueId>
<qid>150004</qid>
<name>
<![CDATA[Path-Based Vulnerability]]>
</name>
<type>VULNERABILITY</type>
<findingType>QUALYS</findingType>
<cwe>
<count>1</count>
<list>
<long>22</long>
</list>
</cwe>
...
</webApp>
<isIgnored>false</isIgnored>
<retest/>
</Finding>
</data>
</ServiceResponse>
Sample - Search Findings with Specific Detection ID
This example shows how to search findings using a detection ID. The response also includes the QDS (detectionScore) for the finding.
API request:
curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://<qualys_base_url>/qps/rest/3.0/search/was/finding/" < file.xml
API request body:
<?xml version="1.0" encoding="UTF-8" ?>
<ServiceRequest>
<preferences>
<verbose>true</verbose>
</preferences>
<filters>
<Criteria field="id" operator="EQUALS">131201</Criteria>
</filters>
</ServiceRequest>
Response:
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="<qualys_base_url>/qps/xsd/3.0/was/finding.xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<hasMoreRecords>false</hasMoreRecords>
<data>
<Finding>
<id>131201</id>
<uniqueId>f29f2c61-46de-4a96-a809-714dc76040bd</uniqueId>
<qid>0</qid>
<detectionScore>0</detectionScore>
<type>VULNERABILITY</type>
<potential>false</potential>
<findingType>BUGCROWD</findingType>
<severity>5</severity>
<status>NEW</status>
<firstDetectedDate>2017-05-18T16:23:39Z</firstDetectedDate>
<lastDetectedDate>2017-05-18T16:24:23Z</lastDetectedDate>
<lastTestedDate>2017-05-18T16:24:23Z</lastTestedDate>
<timesDetected>1</timesDetected>
<webApp>
<id>39725630</id>
<name>
<![CDATA[Copy of Test web app for audit logs]]>
</name>
<url>
<![CDATA[http://10.11.68.26]]>
</url>
<tags>
<count>1</count>
<list>
<Tag>
<id>133578207</id>
<name>
<![CDATA[Test Tag]]>
</name>
</Tag>
</list>
</tags>
</webApp>
<isIgnored>false</isIgnored>
<updatedDate>2023-09-06T12:22:58Z</updatedDate>
</Finding>
</data>
</ServiceResponse>
Sample: Limit Previous Records for Findings in API Response
The following sample shows how to limit the previous records returned in the Search Findings API response by using the limitHistories parameter.
API request:
curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "<qualys_base_url>/qps/rest/3.0/search/was/finding/" < file.xml
Note: “file.xml” contains the request POST data.
API request body:
<ServiceRequest>
<preferences>
<limitResults>10</limitResults>
<verbose>true</verbose>
<custom>
<Preference name="limitHistories">2</Preference>
</custom>
</preferences>
<filters>
<Criteria field="id" operator="IN">149269</Criteria>
</filters>
</ServiceRequest>
API response:
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="<qualys_base_url>/qps/xsd/3.0/was/finding.xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<hasMoreRecords>false</hasMoreRecords>
<data>
<Finding>
<id>149269</id>
<uniqueId>1a2b3456-8c9d-123e-4567-f89g12h345a6</uniqueId>
<qid>150603</qid>
<detectionScore>55</detectionScore>
<name>
<![CDATA[U.S. Social Security Number Pattern Identified In HTML]]>
</name>
<type>SENSITIVE_CONTENT</type>
<potential>true</potential>
<findingType>QUALYS</findingType>
<cwe>
<count>1</count>
<list>
<long>201</long>
</list>
</cwe>
<owasp>
<count>1</count>
<list>
<OWASP>
<name>
<![CDATA[Cryptographic Failures]]>
</name>
<url>
<![CDATA[https://owasp.org/Top10/A02_2021-Cryptographic_Failures/]]>
</url>
<code>2</code>
</OWASP>
</list>
</owasp>
<wasc>
<count>1</count>
<list>
<WASC>
<name>
<![CDATA[INFORMATION LEAKAGE]]>
</name>
<url>
<![CDATA[http://projects.webappsec.org/w/page/12345678/WASC]]>
</url>
<code>13</code>
</WASC>
</list>
</wasc>
<resultList>
<count>1</count>
<list>
<Result>
<authentication>false</authentication>
<accessPath>
<count>3</count>
<list>
<Url>
<![CDATA[https://12.34.56.789/]]>
</Url>
<Url>
<![CDATA[https://12.34.56.789/boq/parseAction.php]]>
</Url>
<Url>
<![CDATA[https://12.34.56.789/boq/protected/]]>
</Url>
</list>
</accessPath>
<ajax>false</ajax>
<payloads>
<count>1</count>
<list>
<PayloadInstance>
<request>
<method>
<![CDATA[GET]]>
</method>
<link>
<![CDATA[https://12.34.56.789/boq/protected/Employee_List.html]]>
</link>
<headers>
<![CDATA[header_value]]>
</headers>
</request>
<response>
<![CDATA[133-96-xxxx]]>
</response>
</PayloadInstance>
</list>
</payloads>
</Result>
</list>
</resultList>
<severity>3</severity>
<url>
<![CDATA[https://12.34.56.789/boq/protected/Employee_List.html]]>
</url>
<status>ACTIVE</status>
<firstDetectedDate>2023-08-15T12:39:32Z</firstDetectedDate>
<lastDetectedDate>2023-08-20T20:56:00Z</lastDetectedDate>
<lastTestedDate>2023-08-20T20:56:00Z</lastTestedDate>
<timesDetected>2</timesDetected>
<webApp>
<id>456789321</id>
<name>
<![CDATA[bank of Qualys]]>
</name>
<url>
<![CDATA[https://12.34.56.789]]>
</url>
<tags>
<count>4</count>
<list>
<Tag>
<id>423456789</id>
<name>
<![CDATA[bank tag dynamic]]>
</name>
</Tag>
<Tag>
<id>323456789</id>
<name>
<![CDATA[perf-test-namecontains-10]]>
</name>
</Tag>
<Tag>
<id>223456789</id>
<name>
<![CDATA[perf-test-namecontains-1]]>
</name>
</Tag>
<Tag>
<id>123456789</id>
<name>
<![CDATA[CheckWebappReportlimit]]>
</name>
</Tag>
</list>
</tags>
</webApp>
<isIgnored>false</isIgnored>
<cvssV3>
<base>7.5</base>
<temporal>6.7</temporal>
<attackVector>Network</attackVector>
</cvssV3>
<history>
<set>
<WebAppFindingHistory>
<scanData>
<id>2345678</id>
<reference>was/1234567891234.1234567.1</reference>
<launchedDate>2024-10-22T08:47:10Z</launchedDate>
</scanData>
</WebAppFindingHistory>
<WebAppFindingHistory>
<scanData>
<id>1234567</id>
<reference>was/2234567891234.1234567.1</reference>
<launchedDate>2024-10-20T08:47:38Z</launchedDate>
</scanData>
</WebAppFindingHistory>
</set>
</history>
<updatedDate>2023-12-04T22:43:52Z</updatedDate>
</Finding>
</data>
</ServiceResponse>
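As an added example (not Qualys's own client code), the following Python builds the ServiceRequest body with ANDed Criteria and the custom limitHistories preference used in the sample above, and parses a ServiceResponse into plain records, including the QDS and the number of history records actually returned. The embedded response is a constructed, trimmed copy of the sample; sending the body to <qualys_base_url> with your credentials (as the curl commands on this page do) is left to the caller.

```python
import xml.etree.ElementTree as ET

def build_search_request(criteria, limit_results=10, verbose=True, limit_histories=0):
    """Build the <ServiceRequest> body for /qps/rest/3.0/search/was/finding/.
    criteria is a list of (field, operator, value); the API ANDs them together.
    limit_histories > 0 is sent as the custom 'limitHistories' preference."""
    req = ET.Element("ServiceRequest")
    prefs = ET.SubElement(req, "preferences")
    ET.SubElement(prefs, "limitResults").text = str(limit_results)
    ET.SubElement(prefs, "verbose").text = "true" if verbose else "false"
    if limit_histories > 0:
        custom = ET.SubElement(prefs, "custom")
        ET.SubElement(custom, "Preference", name="limitHistories").text = str(limit_histories)
    filters = ET.SubElement(req, "filters")
    for field, operator, value in criteria:
        ET.SubElement(filters, "Criteria", field=field, operator=operator).text = str(value)
    return ET.tostring(req, encoding="unicode")

def parse_findings(xml_text):
    """Parse a <ServiceResponse>. Raises on a non-SUCCESS responseCode and returns
    (findings, has_more); has_more tells the caller to page on for more records."""
    root = ET.fromstring(xml_text)
    code = root.findtext("responseCode")
    if code != "SUCCESS":
        raise RuntimeError(f"Qualys API returned {code}")
    findings = []
    for f in root.iter("Finding"):
        findings.append({
            "id": int(f.findtext("id")),
            "qid": int(f.findtext("qid") or 0),
            "qds": int(f.findtext("detectionScore") or 0),  # Qualys Detection Score
            "type": f.findtext("type"),
            "severity": int(f.findtext("severity") or 0),
            "status": f.findtext("status"),
            "isIgnored": f.findtext("isIgnored") == "true",
            # previous scan records actually returned, bounded by limitHistories
            "historyCount": len(f.findall("history/set/WebAppFindingHistory")),
        })
    return findings, root.findtext("hasMoreRecords") == "true"

# Constructed sample response, trimmed to the fields parsed above.
SAMPLE_RESPONSE = """<ServiceResponse><responseCode>SUCCESS</responseCode>
<count>1</count><hasMoreRecords>false</hasMoreRecords><data><Finding>
<id>149269</id><qid>150603</qid><detectionScore>55</detectionScore>
<type>SENSITIVE_CONTENT</type><severity>3</severity><status>ACTIVE</status>
<isIgnored>false</isIgnored><history><set>
<WebAppFindingHistory><scanData><id>2345678</id></scanData></WebAppFindingHistory>
<WebAppFindingHistory><scanData><id>1234567</id></scanData></WebAppFindingHistory>
</set></history></Finding></data></ServiceResponse>"""
```

When hasMoreRecords is true, issue the next request with an additional Criteria on id using the last id returned, as the QPS API pages that way.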
XSD
<platform API server>/qps/xsd/3.0/was/finding.xsd