Web Application Scanning Engine Release 10.8
June 23, 2025
New QID
We have released the following new QID for the Web Application Scanning Engine.
Vulnerability ID | Category | Title | Description |
---|---|---|---|
150226 | Information Gathering | Sensitive data or payment page exposed on an unauthenticated URI | This QID reports payment pages that can be accessed without authentication. It also supports PCI DSS 4.0 requirement 6.4.3, which applies to payment pages. |
Updated QID
We have updated the following QID for the Web Application Scanning Engine.
Vulnerability ID | Category | Title | Description |
---|---|---|---|
150100 | Information Gathering | Selenium Diagnostic | This QID reports Selenium script diagnostics. It now includes the HTTP response code of the request on which the Selenium script failed. QID 150100 also now reports only Selenium script failures; CSS links and external-domain links are no longer reported under it. |
WAS Engine Enhancements
Detect SSL QIDs for HTTP URLs
Next-generation WAS scans now detect SSL QIDs for HTTP URLs when those URLs redirect to HTTPS URLs. Previously, a target entered as an HTTP URL was not evaluated for certificate issues even though the application served it over TLS after the redirect.
This lets you report SSL/TLS certificate issues on such applications using the SSL QIDs. It also supports PCI DSS 4.0 requirement 6.4.3, which applies to payment pages, including those that can be accessed without authentication.
Launch PCI Scans with Next Generation WAS
We have introduced an option to launch PCI scans with next-generation WAS. The PCI scan reports the vulnerabilities that the PCI DSS requirements require you to identify and remediate.
Support YAML Specification Files in Bruteforce Detections
Bruteforce detections now detect Swagger/OpenAPI specification files served as YAML as well as JSON. Earlier, only specification files with JSON content were detected.
This closes a gap for APIs that publish their specification only in YAML, which a JSON-only check silently misses.
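The following is an added example (not Qualys WAS code) of the detection logic the paragraph above describes: probe a fixed list of well-known specification paths, then classify each 200 response body as a Swagger 2.x or OpenAPI 3.x document whether it is JSON or YAML. It deliberately does not trust the Content-Type header and uses no YAML library, since the two top-level keys that identify a spec are easy to recognise by line. The candidate path list, the `fetch` callback signature, and the sample site responses are assumptions constructed for the example.

```python
"""Detect Swagger/OpenAPI specification files served as JSON or YAML.

Added example, not Qualys WAS code. A JSON-only check (json.loads) raises
on a YAML body, so the YAML branch looks for the same top-level keys with
line-anchored regular expressions. Paths and sample responses are constructed.
"""
import json
import re
from typing import Callable, Dict, Optional, Tuple

# Well-known spec locations probed by the example (assumed list, not WAS's own).
CANDIDATE_PATHS = [
    "/swagger.json", "/openapi.json", "/v2/api-docs",
    "/swagger.yaml", "/openapi.yaml", "/openapi.yml", "/api/openapi.yaml",
]

# A spec declares its flavor with a top-level "swagger" (2.x) or "openapi" (3.x) key.
_VERSION_KEYS = ("swagger", "openapi")
# YAML: the key must start at column 0, e.g. `openapi: 3.0.3` or `swagger: "2.0"`.
_YAML_VERSION_RE = re.compile(r'^(swagger|openapi)\s*:\s*["\']?(\d[\w.]*)', re.MULTILINE)
_YAML_PATHS_RE = re.compile(r"^paths\s*:", re.MULTILINE)


def classify_spec(body: str) -> Optional[Dict[str, str]]:
    """Return {"format", "flavor", "version"} when body is a spec, else None.

    Both branches require a version key plus a `paths` section to cut down
    false positives from pages that merely mention the words.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if isinstance(doc, dict):
        for key in _VERSION_KEYS:
            if key in doc and "paths" in doc:
                return {"format": "json", "flavor": key, "version": str(doc[key])}
        return None
    # Not JSON (or not a JSON object): look for the same structure as YAML.
    m = _YAML_VERSION_RE.search(body)
    if m and _YAML_PATHS_RE.search(body):
        return {"format": "yaml", "flavor": m.group(1), "version": m.group(2)}
    return None


def find_specs(fetch: Callable[[str], Tuple[int, str, str]],
               paths=CANDIDATE_PATHS) -> Dict[str, Dict[str, str]]:
    """Probe each path; fetch(path) returns (status, content_type, body).

    Content-Type is ignored on purpose: soft-404 pages and misconfigured
    servers routinely lie about it, so only the body decides.
    """
    found = {}
    for path in paths:
        status, _content_type, body = fetch(path)
        if status != 200:
            continue
        info = classify_spec(body)
        if info:
            found[path] = info
    return found


# Constructed responses standing in for a live target (not real scan data).
_SAMPLE_SITE = {
    "/openapi.yaml": (200, "text/yaml",
                      "openapi: 3.0.3\ninfo:\n  title: Orders API\n  version: '1.0'\n"
                      "paths:\n  /orders:\n    get: {}\n"),
    "/swagger.json": (200, "application/json",
                      json.dumps({"swagger": "2.0", "info": {"title": "Legacy"},
                                  "paths": {"/x": {}}})),
    # Soft 404: returns 200 with an HTML body, must not be reported as a spec.
    "/v2/api-docs": (200, "text/html", "<html><body>Not Found</body></html>"),
}


def fake_fetch(path: str) -> Tuple[int, str, str]:
    """Offline stand-in for an HTTP GET against the constructed sample site."""
    return _SAMPLE_SITE.get(path, (404, "text/plain", ""))


if __name__ == "__main__":
    for path, info in find_specs(fake_fetch).items():
        print(path, info)
```

Swapping `fake_fetch` for a real HTTP client is the only change needed to run this against a target; keep the `paths` check in `classify_spec` unless you also want to accept OpenAPI 3.1 documents that define only `webhooks`.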
Issues Addressed
The following important and notable issues are fixed in this release.
Category/Component | Description |
---|---|
QID Detection | We fixed an issue where SSL/TLS certificate-related issues for HTTP URLs were not reported. SSL QIDs are now reported when an HTTP URL redirects to an HTTPS URL in next-generation WAS scans. |
Authentication | We fixed an issue where URL authentication using a Selenium script failed for WAS scans. |
Authentication | We fixed an issue where authentication using a Selenium script together with NT LAN Manager (NTLM) failed. The scanner now checks that it applies the credentials to the correct server URL. |
Retesting | QIDs 150122 and 150123 were not retested because they were reported multiple times for different URLs. These QIDs now use a unique identifier for each reported cookie, so each finding can be retested. |
False Negatives | We fixed false negatives in SSL-related QIDs, which did not report SSL/TLS certificate information for next-generation WAS. Next-generation WAS scans now connect using the FQDN, which resolves this issue. |
False Negatives | We fixed false negatives for QIDs 150545 and 150176, which reported only some of the unknown external HTTP JavaScript URLs. All unknown external JavaScript URLs are now reported. |
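To check a fix like the last row above, it helps to have an independent inventory of every external script a page loads, not just the first one found. The following added example (not Qualys WAS code) extracts all `<script src>` URLs from an HTML document, resolves relative and scheme-relative references against the page URL, drops same-origin and allowlisted hosts, de-duplicates, and flags any that are loaded over plain HTTP. The sample HTML, the page URL and the allowlist are constructed for the example.

```python
"""Inventory unknown external <script src> URLs in an HTML page.

Added example, not Qualys WAS code. Uses only the standard library.
The page URL, allowlist and markup below are constructed for the example.
"""
from html.parser import HTMLParser
from typing import Dict, Iterable, List
from urllib.parse import urljoin, urlsplit


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:  # HTMLParser lowercases tag and attribute names
            if name == "src" and value:
                self.srcs.append(value)


def script_urls(page_url: str, markup: str) -> List[str]:
    """All script URLs, resolved to absolute form against the page URL.

    urljoin handles "/static/app.js" and scheme-relative "//host/x.js" alike.
    """
    collector = _ScriptCollector()
    collector.feed(markup)
    return [urljoin(page_url, src) for src in collector.srcs]


def external_scripts(page_url: str, markup: str,
                     known_hosts: Iterable[str] = ()) -> List[Dict[str, object]]:
    """Every unknown external script: host differs from the page and is not allowlisted.

    Each entry records whether the script is fetched over HTTPS; an http://
    script on an https:// page is mixed content and a tampering risk.
    """
    page_host = urlsplit(page_url).hostname
    known = set(known_hosts)
    seen = set()
    findings: List[Dict[str, object]] = []
    for url in script_urls(page_url, markup):
        parts = urlsplit(url)
        host = parts.hostname
        if host is None or host == page_host or host in known:
            continue
        if url in seen:  # report each distinct URL once
            continue
        seen.add(url)
        findings.append({"url": url, "host": host, "https": parts.scheme == "https"})
    return findings


# Constructed sample page (not from any real site). cdn.example.net is allowlisted.
SAMPLE_PAGE_URL = "https://shop.example.com/checkout/pay"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="//analytics.example.org/track.js"></script>
<script src="http://legacy.example.org/old.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body><script>inline();</script></body></html>"""
KNOWN_HOSTS = {"cdn.example.net"}


if __name__ == "__main__":
    for finding in external_scripts(SAMPLE_PAGE_URL, SAMPLE_HTML, KNOWN_HOSTS):
        print(finding)
```

Run against a saved copy of a page, the output is the list a scanner's "unknown external JavaScript" finding should match in full; a discrepancy in count is exactly the symptom the fix above addresses. The same inventory is the starting point for the script authorization and integrity checks that PCI DSS 4.0 requirement 6.4.3 asks for on payment pages.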
To know more about the latest QIDs released for WAS, refer to: