Web Application Scanning Engine Release 10.9
June 26, 2025
New QIDs
We have added the following new QIDs for the Web Application Scanning Engine.
Vulnerability ID | Category | Title | Description |
---|---|---|---|
530030 | Information Gathering | Network Diagnostic | This QID is reported when the scanner cannot connect to the target server. It contains the network diagnostic details of the scan so that the connectivity issue can be troubleshot. |
570009 | Information Gathering | X-RateLimit-Limit Headers Missing | The X-RateLimit-Limit header advertises the maximum number of requests a client may make to an API or service within a given time interval; its absence suggests that the endpoint does not expose (and may not enforce) a request quota. This QID reports API responses that lack the X-RateLimit-Limit header in API Security scans. |
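The check behind a finding such as QID 570009 is, in essence, a header lookup over each API response. The following is an added illustration and not Qualys code (the engine's own detection logic is not published); it goes slightly beyond the QID description by also accepting the IETF draft spelling `RateLimit-Limit` and by flagging a header whose value is not a positive integer. All URLs and responses in it are constructed.

```python
"""Rate-limit header check for API responses.

Added example, not Qualys code: the WAS engine's own detection logic for
QID 570009 is not published. All URLs and responses below are constructed.
"""
from __future__ import annotations

# Header names accepted as evidence of an advertised request quota.
# "x-ratelimit-limit" is the de-facto name the QID refers to; "ratelimit-limit"
# is the IETF draft spelling. Treating both as satisfying the check is an
# assumption of this example, not a statement about what the scanner does.
RATE_LIMIT_HEADERS = ("x-ratelimit-limit", "ratelimit-limit")


def parse_headers(raw: str) -> dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response.

    Header names are case-insensitive (RFC 9110), so keys are lower-cased.
    The status line is skipped and parsing stops at the empty line that
    separates headers from the body.
    """
    headers: dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines with no colon
            headers[name.strip().lower()] = value.strip()
    return headers


def rate_limit_finding(url: str, raw_response: str) -> dict[str, str] | None:
    """Return a finding for a response that advertises no usable request
    quota, or None when a positive integer limit is present."""
    headers = parse_headers(raw_response)
    for name in RATE_LIMIT_HEADERS:
        if name in headers:
            value = headers[name]
            if value.isdigit() and int(value) > 0:
                return None
            return {"url": url,
                    "reason": f"{name} present but not a positive integer: {value!r}"}
    return {"url": url, "reason": "no X-RateLimit-Limit or RateLimit-Limit header"}


def scan(responses: list[tuple[str, str]]) -> list[dict[str, str]]:
    """Run the check over (url, raw_response) pairs and collect findings."""
    findings = []
    for url, raw in responses:
        finding = rate_limit_finding(url, raw)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample responses (not captured from any real service).
SAMPLE_RESPONSES: list[tuple[str, str]] = [
    ("https://api.example.test/v1/users",
     "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
     "X-RateLimit-Limit: 100\r\nX-RateLimit-Remaining: 99\r\n\r\n[]"),
    ("https://api.example.test/v1/orders",
     "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n[]"),
    ("https://api.example.test/v1/search",
     "HTTP/1.1 200 OK\r\nratelimit-limit: unlimited\r\n\r\n{}"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RESPONSES):
        print(f"{f['url']}: {f['reason']}")
```

Note that the presence of the header only shows that a quota is advertised; whether the service actually enforces it can only be confirmed by sending more requests than the advertised limit and checking for a 429 response, which an information-gathering QID does not do.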
Enhancements
Authorization Tokens for Web Application Authentication
We have added support for authenticating web application users with authentication tokens. You can now add these tokens to the authentication record; they are used to authenticate when the standard authentication fails.
Limit Crawling Time for WAS Scans
We have introduced a new option in the WAS scan configuration that lets you specify the crawling time as a percentage of the total scan time and specify which cookies are to be tested. With this option you can limit the time the scan spends crawling and control the number of cookies tested.
This reduces the authentication and processing time of the scan and improves scan performance.
For optimal scan performance, we recommend allotting 10-15% of the total scan time to crawling.
Selective Crawling for API Security Scans
With this release, we have updated the standard crawling process for API scans so that it crawls only the base URI and the requests parsed from the Swagger/OpenAPI content.
This reduces both false positive detections and crawling time for API Security scans.
Updated Standard, Custom, and Selenium Authentication
We have updated the Standard and Custom Authentication workflows to authenticate directly against user-provided login URLs. Because the scanner no longer has to crawl to discover the login page, authentication takes less time. For the same reason, Selenium authentication also completes faster, as the unnecessary crawling is avoided.
If required, you can also provide session tokens along with the login URLs for authentication.
Support IPv6 Assets for PCI Scans
We have added support for IPv6 assets in PCI scans using WAS. This enhancement is in line with the increasing demand for IPv6 asset scans in PCI and widens the scope of PCI scanning through WAS.
Issues Addressed
The following notable and important issues are fixed in this release.
Category/Component | Description |
---|---|
Reporting | In certain cases, when Swagger parsing failed, only a generic error was reported in QID 150291. QID 150291 now reports a detailed error message to facilitate troubleshooting. |
Reporting | We fixed an issue where QID 150152 could not correctly report the authentication forms and form count. |
Scanning | We fixed an issue where the same cookies were tested twice during the web application scans. This reduces the scan time and prevents false positives from being reported. |
False Positives | We updated the QID 152098 by implementing checkpoints to avoid false-positive reporting. |
False Positives | We fixed false positives for QID 150124, which was reported for out-of-scope errors; the test is now given more time to complete during web application scans. |
False Positives | We fixed false positives for QID 150103, which was reported incorrectly for links redirected from HTTP to HTTPS and for cookies set on HTTPS URLs. |
To know more about the latest QIDs released for WAS, refer to: