Web Application Scanning Engine Release 10.7
June 05, 2025
New Feature — API Discovery
Web Application Scanning now discovers the APIs in use across your organisation. API discovery helps you identify vulnerable APIs and take corrective action to fix the vulnerabilities.
API discovery brute-forces well-known paths on your assets to locate Swagger and OpenAPI specification files. You set the discovery scope by specifying the IP addresses, IP address ranges, and FQDNs of your assets.
Currently, only IPv4 addresses are supported when specifying assets for API discovery; IPv6-only assets fall outside the discovery scope.
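The following is an added example, not Qualys code, of what brute-force specification discovery over such a scope looks like end to end: scope entries (IPv4 hosts, CIDR blocks, dash-separated ranges, FQDNs) are expanded into hosts, a short sample list of common Swagger/OpenAPI publishing paths is probed on each host, any 200 response is accepted only if it parses as a JSON specification with a paths object, and the endpoints are then listed with whether the spec requires authentication for them. The path list, the sample spec, and the fake_fetch responder are constructed for the example; the real HTTP fetch is injected so the code runs offline and so a production version can swap in a client with timeouts and rate limits.

```python
# Added example, not Qualys code: brute-force discovery of Swagger/OpenAPI
# specification files over an IPv4/FQDN scope, followed by endpoint extraction.
import ipaddress
import json
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Short sample of common spec locations (assumption: a real scanner uses a far longer list).
SPEC_PATHS = [
    "/swagger.json",
    "/openapi.json",
    "/v2/api-docs",
    "/v3/api-docs",
    "/swagger/v1/swagger.json",
    "/api-docs",
]


def expand_scope(entries: Iterable[str]) -> List[str]:
    """Expand scope entries (IPv4 host, CIDR, 'a.b.c.d-e.f.g.h' range, FQDN) into hosts.
    Only IPv4 is expanded, matching the IPv4-only limitation of this release; an IPv6
    literal is rejected explicitly rather than silently skipped."""
    hosts: List[str] = []
    for raw in entries:
        entry = raw.strip()
        if "/" in entry:
            net = ipaddress.IPv4Network(entry, strict=False)
            members = list(net) if net.prefixlen >= 31 else list(net.hosts())
            hosts.extend(str(a) for a in members)
            continue
        if "-" in entry:
            lo, _, hi = entry.partition("-")
            try:
                lo_a, hi_a = ipaddress.IPv4Address(lo.strip()), ipaddress.IPv4Address(hi.strip())
            except ValueError:
                pass  # not an address range (e.g. "api-gw.example.com"); treat as an FQDN below
            else:
                if hi_a < lo_a:
                    raise ValueError(f"range end precedes start: {entry}")
                hosts.extend(str(ipaddress.IPv4Address(n)) for n in range(int(lo_a), int(hi_a) + 1))
                continue
        try:
            hosts.append(str(ipaddress.IPv4Address(entry)))
        except ValueError:
            if ":" in entry:
                raise ValueError(f"IPv6 is not supported in the discovery scope: {entry}")
            hosts.append(entry)  # FQDN
    return hosts


def candidate_urls(hosts: Iterable[str], schemes=("https", "http")):
    for host in hosts:
        for scheme in schemes:
            for path in SPEC_PATHS:
                yield f"{scheme}://{host}{path}"


def parse_spec(body: bytes) -> Optional[dict]:
    """Accept a body only if it is JSON with a swagger/openapi marker and a paths object,
    so a 200 that serves HTML or unrelated JSON is rejected (YAML specs are out of scope here)."""
    try:
        doc = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return None
    if isinstance(doc, dict) and ("swagger" in doc or "openapi" in doc) and isinstance(doc.get("paths"), dict):
        return doc
    return None


def discover_specs(hosts: Iterable[str], fetch: Callable[[str], Optional[bytes]]) -> Dict[str, dict]:
    """fetch(url) returns the body of a 200 response or None; it is injected so this runs offline."""
    found: Dict[str, dict] = {}
    for url in candidate_urls(hosts):
        body = fetch(url)
        if body is None:
            continue
        spec = parse_spec(body)
        if spec is not None:
            found[url] = spec
    return found


HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "trace"}


def enumerate_endpoints(spec: dict) -> List[Tuple[str, str, bool]]:
    """Return (METHOD, path, requires_auth). An operation-level `security: []` overrides the
    global requirement, so those endpoints are unauthenticated by design: review them first."""
    global_auth = bool(spec.get("security"))
    endpoints = []
    for path, item in spec["paths"].items():
        if not isinstance(item, dict):
            continue
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue
            sec = op.get("security")
            endpoints.append((method.upper(), path, global_auth if sec is None else bool(sec)))
    return sorted(endpoints)


# Constructed sample: one host in the range publishes a spec at a Swashbuckle-style path.
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "info": {"title": "Constructed sample API", "version": "1.0"},
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users": {"get": {}, "post": {}},
        "/health": {"get": {"security": []}},
        "/admin/export": {"get": {"security": [{"bearerAuth": []}]}},
    },
}


def fake_fetch(url: str) -> Optional[bytes]:
    """Constructed responder standing in for the network."""
    if url == "http://10.0.0.2/swagger/v1/swagger.json":
        return json.dumps(SAMPLE_SPEC).encode()
    if url.endswith("/api-docs"):
        return b"<html>login page</html>"  # a 200 that is not a spec and must be rejected
    return None


if __name__ == "__main__":
    for url, spec in discover_specs(expand_scope(["10.0.0.1-10.0.0.3"]), fake_fetch).items():
        print(url)
        for method, path, auth in enumerate_endpoints(spec):
            print(f"  {method:7} {path:15} auth={'yes' if auth else 'NO'}")
```

Two details matter in practice: a 200 is not evidence of a spec (catch-all login pages answer 200 for every path), so the body must be validated before it is reported, and the global security object of a spec can be cancelled per operation with an empty array, which is exactly the kind of endpoint a reviewer wants surfaced.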
New QIDs for WAS Engine
We have released the following new QIDs for Web Application Scanning Engine.
Vulnerability ID | Category | Title | Description |
---|---|---|---|
152285 | Information Gathering | Exclusion Criteria Configured in Scan | This QID reports the exclusion criteria configured for a web application scan. Entities matching the exclusion criteria, such as excluded links, regular expressions, and IP addresses, are skipped during the scan. |
Updated QIDs for WAS Engine
We have updated the following QIDs for Web Application Scanning Engine.
Vulnerability ID | Category | Title | Description |
---|---|---|---|
152098 | Vulnerability | Microsoft IIS Tilde Character Information Disclosure Vulnerability | The detection logic for QID 152098 now uses the HTTP OPTIONS method to detect the Microsoft IIS Tilde Character Information Disclosure Vulnerability. |
150152 | Information Gathering | Forms Crawled | QID 150152 reports the forms that the scanner submitted to the web application. Forms whose action points outside the web application are no longer reported under this QID; they are reported under QID 150014. |
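As an added illustration of the QID 152098 change, not the Qualys detection code, the block below implements the publicly documented IIS 8.3 short-name disclosure check with the HTTP method as a parameter, so the same probe can be sent with OPTIONS where GET is filtered. It assumes the classic response differential, which the release note itself does not describe: a wildcard path that can match an existing short name answers 404, while one that cannot match answers 400, and identical codes mean either no disclosure or a method that never reached short-name resolution. The send() function is injected; make_iis_simulator() is a constructed responder that stands in for an IIS host, including one that denies GET on tilde paths, and its behaviour is an assumption of the example rather than a description of any particular IIS version.

```python
# Added example, not Qualys detection code: IIS 8.3 short-name disclosure check,
# parameterised on the HTTP method, against a constructed responder.
import re
from typing import Callable

Send = Callable[[str, str], int]  # send(method, path) -> HTTP status code (injected)


def is_tilde_disclosure(send: Send, method: str = "OPTIONS", suffix: str = "/.aspx",
                        bogus_prefix: str = "zqxjkv") -> bool:
    """Assumed differential (varies by IIS version): a wildcard that can match an existing
    short name answers 404, one that cannot match answers 400. Anything else is a negative,
    which also covers a method the server blocks before short-name resolution."""
    any_name = f"/*~1*{suffix}"               # matches any 8.3 name in the web root
    no_name = f"/{bogus_prefix}*~1*{suffix}"  # prefix that no short name is expected to start with
    return send(method, any_name) == 404 and send(method, no_name) == 400


def make_iis_simulator(short_names=("WEBCON~1", "DEFAUL~1.ASP"), tilde_enabled: bool = True,
                       blocked_methods=("GET",)) -> Send:
    """Constructed responder. Request filtering denies GET on tilde paths (a common hardening),
    while OPTIONS still reaches short-name resolution; with 8.3 names disabled every probe is
    an ordinary 404."""
    probe = re.compile(r"/([A-Z0-9_]*)\*~1\*/\.ASPX$")

    def send(method: str, path: str) -> int:
        if method.upper() in blocked_methods:
            return 403
        m = probe.match(path.upper())
        if m is None or not tilde_enabled:
            return 404  # ordinary missing resource
        prefix = m.group(1)
        return 404 if any(n.startswith(prefix) for n in short_names) else 400

    return send


if __name__ == "__main__":
    vulnerable = make_iis_simulator()
    for method in ("GET", "OPTIONS"):
        print(f"{method:8} disclosure={is_tilde_disclosure(vulnerable, method=method)}")
    print(f"patched  disclosure={is_tilde_disclosure(make_iis_simulator(tilde_enabled=False))}")
```

The point of the method parameter is the false-negative case: on the constructed host, GET returns 403 for both probes and the check correctly reports nothing, while OPTIONS exposes the 404/400 split. A negative result with one method is therefore not proof that 8.3 name generation is disabled; confirm with a second method before closing the finding.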
Issues Addressed
The following important and notable issues are fixed in this release.
Category/Component | Description |
---|---|
Authentication | We had an issue where the scanner could not send POST requests and submit forms through the browser. Cross-site scripting reachable only through such submissions could therefore go undetected in vulnerable web applications. We fixed this issue by adding support for sending POST requests and submitting forms via the browser. |
Authentication | We fixed an issue where user authentication using a client certificate with a Selenium script failed. The client certificate provided with the Selenium script is now used to authenticate the user. |
False Positive | Out-of-scope forms were reported under QID 150144 because the parent links of these forms were not evaluated. We have added a check that excludes forms with an out-of-scope parent link from being reported under this QID. |
False Negative | QIDs 150545 and 150176 reported only some of the external HTTP JavaScript files during a web application scan. All external and internal JavaScript files are now identified and reported under the respective QIDs. |
False Positive | We fixed false positives for QID 150076, where DOM-based XSS vulnerabilities continued to be reported after they had been fixed. The crawl limit and QID limit have been reset to resolve this issue. |
False Positive | QID 150124 reports web applications that can be framed and are therefore exposed to clickjacking. We fixed false positives where QID 150124 was reported for web applications that could not be framed. |
To know more about the latest QIDs released for WAS, refer to:
Web Application Detection — March 2025
Web Application Detection — April 2025