Returns the list of OWASP ZAP findings found in web applications that are in the user's scope.
Permissions required: the user must have the WAS module enabled, and the user account must have the Access Permission "API Access" plus the WAS Permissions "Access OWASP ZAP Report" and "Finding read OWASP ZAP". The output includes findings in the user's scope.
These elements are optional and act as filters. When multiple elements are specified, parameters are combined using a logical AND.
| Parameter | Mandatory/Optional | Data Type | Description |
|---|---|---|---|
| id | Optional | integer | ID of the finding. |
| uniqueId | Optional | value | The 36-bit unique id assigned to the finding. |
| name | Optional | text | Name of the detection finding. |
| alertRef | Optional | string | Reference of the OWASP ZAP alert. |
| webApp.id | Optional | integer | ID of the web application on which the finding was detected. |
| webApp.name | Optional | string | Name of the web application on which the finding was detected. |
| webApp.tags | Optional | integer | The tags associated with the web application being scanned. Note: this parameter supports operator="NONE". |
| webApp.tags.id | Optional | integer | The tag ID assigned to the web application being scanned. |
| webApp.tags.name | Optional | string | Name of the tag associated with the web application on which the finding was detected. |
API request

```shell
# Post the XML filter document in file.xml to the search endpoint
curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @file.xml "<qualys_base_url>/qps/rest/3.0/search/was/owaspzapfinding"
```
Request POST data

```xml
<ServiceRequest>
  <filters>
    <Criteria field="id" operator="EQUALS">1002</Criteria>
  </filters>
</ServiceRequest>
```
XML response

```xml
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="<qualys_base_url>/qps/xsd/3.0/was/owaspzapfinding.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <hasMoreRecords>false</hasMoreRecords>
  <data>
    <OwaspZapFinding>
      <id>1002</id>
      <uniqueId>f2b03430-87d5-450b-98c5-6ce210b41e8c</uniqueId>
      <findingType>OWASPZAP</findingType>
      <pluginid>10035</pluginid>
      <alertRef>10035</alertRef>
      <alert>Strict-Transport-Security Header Not Set</alert>
      <name>Strict-Transport-Security Header Not Set</name>
      <riskcode>1</riskcode>
      <confidence>3</confidence>
      <riskdesc>Low (High)</riskdesc>
      <confidencedesc>High</confidencedesc>
      <desc>HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.</desc>
      <count>1</count>
      <solution>Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.</solution>
      <reference>https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
https://owasp.org/www-community/Security_Headers
http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
http://caniuse.com/stricttransportsecurity
http://tools.ietf.org/html/rfc6797</reference>
      <cweid>319</cweid>
      <wascid>15</wascid>
      <sourceid>8</sourceid>
      <tags>
        <list>
          <OwaspZapTag>
            <tag>OWASP_2021_A05</tag>
            <link>https://owasp.org/Top10/A05_2021-Security_Misconfiguration/</link>
          </OwaspZapTag>
          <OwaspZapTag>
            <tag>OWASP_2017_A06</tag>
            <link>https://owasp.org/www-project-topten/2017/A6_2017-Security_Misconfiguration.html</link>
          </OwaspZapTag>
        </list>
      </tags>
      <instances>
        <list>
          <Instance>
            <uri>https://www.googletagservices.com/tag/js/gpt.js</uri>
            <method>GET</method>
            <requestheader>GET https://www.googletagservices.com/tag/js/gpt.js HTTP/1.1
Host: www.googletagservices.com
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: script
Referer: https://jsonlint.com/
Accept-Language: en-US,en;q=0.9
</requestheader>
            <responseheader>HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: text/javascript
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="ads-gpt-scs"
Report-To: {"group":"ads-gpt-scs","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/ads-gpt-scs"}]}
Timing-Allow-Origin: *
Content-Length: 80512
Date: Thu, 17 Nov 2022 05:20:21 GMT
Expires: Thu, 17 Nov 2022 05:20:21 GMT
Cache-Control: private, max-age=900, stale-while-revalidate=3600
ETag: "1394 / 793 of 1000 / last-modified: 1668639967"
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
</responseheader>
          </Instance>
        </list>
      </instances>
    </OwaspZapFinding>
  </data>
</ServiceResponse>
```
XSD

<platform API server>/qps/xsd/3.0/was/owaspzap.xsd
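As an added example (not Qualys code), the request body above can be generated from a list of filter criteria and the response parsed into records that a triage pipeline can act on. The sample response embedded below is constructed from the shape of the response on this page, with a made-up URI; the endpoint path and element names are the ones documented here.

```python
import xml.etree.ElementTree as ET


def build_request(criteria):
    """Serialise (field, operator, value) tuples into a ServiceRequest body.
    The service ANDs all Criteria together, so each tuple narrows the search."""
    root = ET.Element("ServiceRequest")
    filters = ET.SubElement(root, "filters")
    for field, operator, value in criteria:
        crit = ET.SubElement(filters, "Criteria", field=field, operator=operator)
        crit.text = str(value)
    return ET.tostring(root, encoding="unicode")


def parse_response(xml_text):
    """Return (has_more_records, findings); raise if responseCode is not SUCCESS.
    Each finding keeps the fields a triage pipeline keys on, plus affected URIs."""
    root = ET.fromstring(xml_text)
    code = root.findtext("responseCode")
    if code != "SUCCESS":
        raise RuntimeError(f"search failed with responseCode={code}")
    has_more = root.findtext("hasMoreRecords") == "true"  # page further results if true
    findings = []
    for f in root.iterfind("data/OwaspZapFinding"):
        findings.append({
            "id": int(f.findtext("id")),
            "uniqueId": f.findtext("uniqueId"),
            "name": f.findtext("name"),
            "riskcode": int(f.findtext("riskcode")),
            "confidence": int(f.findtext("confidence")),
            "cweid": f.findtext("cweid"),
            "uris": [i.findtext("uri") for i in f.iterfind("instances/list/Instance")],
        })
    return has_more, findings


# Constructed sample response, trimmed from the shape shown on this page (not live data).
SAMPLE_RESPONSE = """<ServiceResponse>
  <responseCode>SUCCESS</responseCode><count>1</count><hasMoreRecords>false</hasMoreRecords>
  <data><OwaspZapFinding>
    <id>1002</id><uniqueId>f2b03430-87d5-450b-98c5-6ce210b41e8c</uniqueId>
    <name>Strict-Transport-Security Header Not Set</name>
    <riskcode>1</riskcode><confidence>3</confidence><cweid>319</cweid>
    <instances><list><Instance><uri>https://app.example/tag.js</uri><method>GET</method></Instance></list></instances>
  </OwaspZapFinding></data>
</ServiceResponse>"""

if __name__ == "__main__":
    print(build_request([("id", "EQUALS", 1002), ("webApp.id", "EQUALS", 42)]))
    print(parse_response(SAMPLE_RESPONSE))
```

The generated request body is what `file.xml` holds in the curl call above; post it with `content-type: text/xml` and feed the returned body to `parse_response`.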