API Security in Web Application Scanning
Limited Customer Release
Introduction
Web Application Scanning (WAS) can scan REST APIs, allowing users to upload Swagger/Postman collections or Burp proxy captures to the web application. However, because APIs are represented as web applications in WAS, the API scanning capability was not clearly communicated.
With this release, we are introducing a dedicated API scanning feature. The new API scanning feature enhances WAS with new QIDs, coverage of the OWASP API Top 10, and compliance verification tools for OpenAPI or Swagger.
Prerequisites
The following application versions are required for the API Security feature:
- Web Application Scanning 1.14.0.0 and later
- NextGen WAS Engine 10.1.1 and later
- Qualys Cloud Platform 3.18.0.0 and later
Release 1.16
View API Endpoints
With this release, Web Application Scanning discovers unique endpoints from the Swagger file uploaded to the API asset when a vulnerability or compliance scan is performed for that asset. You can view the API endpoints in the Applications > API tab.
In the API tab, click Endpoints to view the API endpoints. The API endpoints are defined with the method and path.
To view detections for the specific endpoints, click an endpoint and select Find Detections from the Quick Actions menu.
The Detections tab displays the findings for the selected endpoint ID.
New Tokens
The following tokens are added to the API tab to search for Endpoints with specific conditions.
Token | Description |
---|---|
endpoint.id | Use an integer value to find the endpoint with the specified ID. |
endpoint.created | Use a specific date to find endpoints created on the given date or range. |
endpoint.igCount | Use an integer value to find endpoints with a specified number of detections for information gathered. |
endpoint.lastScanned | Use a specific date or date range to find endpoints last scanned on the specified date or date range. |
endpoint.level1VulnCount | Use an integer value to find endpoints by the total number of level 1 confirmed vulnerabilities. |
endpoint.level2VulnCount | Use an integer value to find endpoints by the total number of level 2 confirmed vulnerabilities. |
endpoint.level3VulnCount | Use an integer value to find endpoints by the total number of level 3 confirmed vulnerabilities. |
endpoint.level4VulnCount | Use an integer value to find endpoints by the total number of level 4 confirmed vulnerabilities. |
endpoint.level5VulnCount | Use an integer value to find endpoints by the total number of level 5 confirmed vulnerabilities. |
endpoint.method | Use a text value to find endpoints with the selected method. |
endpoint.path | Use values within quotes or backticks to find endpoints with the given text in the API path. |
endpoint.risk | Use an integer value to find endpoints with the specified security risk value. |
endpoint.sensitiveContentCount | Use an integer value to find endpoints with a specified number of sensitive content reported. |
endpoint.totalVulnCount | Use an integer value to find endpoints with a specified number of total vulnerabilities. |
endpoint.updated | Use a specific date or date range to find endpoints updated on the given date or date range. |
endpoint.visibility | Use a text value to find endpoints with the selected visibility for an endpoint: EXTERNAL, INTERNAL. |
endpoint.vulnerability.ignoredReactivateDate | Use a specific date or date range to find all endpoints with ignored detections whose reactivation date falls on the given date or within the date range. |
endpoint.vulnerability.patchable | Use the values true or false to find endpoints with patchable detections. |
endpoint.vulnerability.fixedDate | Use a specific date or date range to find endpoints with detections marked fixed on the given date or date range. |
endpoint.vulnerability.cweIds | Use values within quotes or backticks to find endpoints associated with a given CWE ID. |
endpoint.vulnerability.param | Use values within quotes or backticks to find endpoints with detections for which the specified parameter was used to confirm the detection. |
endpoint.vulnerability.title | Use values within quotes or backticks to find endpoints with detections having the specified title. |
endpoint.vulnerability.lastDetectedDate | Use a specific date or date range to find all endpoints with detections last detected on the given date or date range. |
endpoint.vulnerability.cveIds | Use values within quotes or backticks to find endpoints with detections associated with the given CVE ID. |
endpoint.vulnerability.ignoredReason | Use a text value to find endpoints with detections with the selected ignored reasons: RISK_ACCEPTED, FALSE_POSITIVE, NOT_APPLICABLE. |
endpoint.vulnerability.severity | Use an integer value to find endpoints with detections having the specified severity level. |
endpoint.vulnerability.firstDetectionDate | Use a specific date or date range to find all the endpoints with detections first detected on the given date or date range. |
endpoint.vulnerability.cvss3Info.baseScore | Use an integer value to find endpoints with detections having the specified CVSS3 base score value. |
endpoint.vulnerability.isIgnored | Use the values true or false to find endpoints with ignored detections. |
endpoint.vulnerability.criticality | Use a text value to find endpoints with detections of the selected criticality: HIGH, MEDIUM, LOW, NONE. |
endpoint.vulnerability.owaspApiTopTen.id | Use an integer to find endpoints with detections with the given OWASP API top ten 2023 category ID. |
endpoint.vulnerability.retestStatus | Use a text value to find endpoints with detections with the selected retest statuses: NO_RETEST, UNDER_RETEST, RETESTED, CANCELING, CANCELED. |
endpoint.vulnerability.id | Use an integer value to find the endpoint with the given detection ID. |
endpoint.vulnerability.owaspApiTopTen.name | Use a text value to find endpoints with detections with the given OWASP API top ten 2023 category name. |
endpoint.vulnerability.typeDetected | Use a text value to find endpoints with detections for the selected types: CONFIRMED_VULNERABILITY, POTENTIAL_VULNERABILITY, SENSITIVE_CONTENT, INFORMATION_GATHERED. |
endpoint.vulnerability.patchId | Use an integer value to find endpoints with detections having the specified patch ID. |
endpoint.vulnerability.originalSeverity | Use an integer value to find endpoints with detections having the specified original (Qualys standard) severity. |
endpoint.vulnerability.status | Use a text value to find endpoints with detections having the selected status: NEW, ACTIVE, REOPENED, FIXED, PROTECTED. |
endpoint.vulnerability.detectionScore | Use an integer value to find endpoints with detections with the specified Qualys Detection Score (QDS) value, which ranges from 1 to 100. |
endpoint.vulnerability.isCisaKnownExploitable | Use the values true or false to find endpoints with detections that are CISA known exploited vulnerabilities. |
endpoint.vulnerability.cisaKnownExploits.cisaKEVAddedDate | Use this token to find endpoints with detections based on the date on which the CISA known exploitable vulnerability was added. Enter the date in the YYYY-MM-DD format. |
endpoint.vulnerability.cisaKnownExploits.cisaKEVDueDate | Use this token to find endpoints with detections based on the due date for the CISA known exploitable vulnerability. Enter the date in the YYYY-MM-DD format. |
endpoint.vulnerability.ignoredBy.username | Use values within quotes or backticks to find endpoints with detections ignored by a user with the specified username. |
endpoint.vulnerability.qid | Use an integer value to find endpoints with detections for the specified QID. |
endpoint.vulnerability.ignoredComment | Use values within quotes or backticks to find endpoints with detections having the specified ignored comment. |
endpoint.vulnerability.uuid | Use values within quotes or backticks to find endpoints with the specified UUID. |
endpoint.vulnerability.comment | Use values within quotes or backticks to find endpoints with detections having the specified comment (external reference). |
endpoint.vulnerability.groupName | Use values within quotes or backticks to find endpoints with detections having a given group name. |
endpoint.vulnerability.groupTitle | Use values within quotes or backticks to find endpoints with detections with a given group title. |
endpoint.vulnerability.ignoredDate | Use a specific date or date range to find endpoints with detections ignored on the given date or date range. |
endpoint.vulnerability.ignoredBy.lastName | Use values within quotes or backticks to find endpoints with detections ignored by a user with the specified last name. |
endpoint.vulnerability.owaspTopTen.name | Use values within quotes or backticks to find endpoints with detections associated with a given OWASP top ten 2021 category name. |
endpoint.vulnerability.age | Select a range to find endpoints with detections with the specified age (in days). |
endpoint.vulnerability.lastTestedDate | Use a specific date or date range to find endpoints with detections that were last tested on the given date or date range. |
endpoint.vulnerability.cvss3Info.temporalScore | Use an integer value to find endpoints with detections having the specified CVSS3 temporal score value. |
endpoint.vulnerability.ignoredBy.firstName | Use values within quotes or backticks to find endpoints with detections ignored by a user with the specified first name. |
endpoint.vulnerability.ttr | Use an integer value or select a range to find endpoints with the detections having the specified Time to Remediation (TTR) value in days. |
endpoint.vulnerability.url | Use values within quotes or backticks to find endpoints with detections with the specified URL. |
endpoint.vulnerability.owaspTopTen.id | Use an integer value to find endpoints with detections having the given OWASP top ten 2021 category ID. |
endpoint.vulnerability.timesDetected | Use an integer value to find endpoints with detections by the number of times the detection was reported. |
endpoint.vulnerability.paramType | Use values within quotes or backticks to find endpoints with detections for which the specified parameter type is used to confirm the detection. |
The following token is added to the API tab to search for applications with a specific endpoint type.
Token | Description |
---|---|
application.apiEndpointType | Use a text value to find applications with certain endpoint types: BURP_PROXY, POSTMAN, SWAGGER, NONE. |
The following token is added to the Detections tab.
Token | Description |
---|---|
vulnerability.endpoint.id | Use an integer value to find detections for the specified endpoint ID. |
Certificate Data in API Details
With this release, Web Application Scanning displays the certificate data generated during the SSL scan as part of WAS scan normalization. The certificate information processed by Certificate View is displayed in the Certificate tab in the Application Details.
If you click the certificate link, the certificate details page contains all the details related to the certificate, such as its validity, issued to, issued by, fingerprints, hosts, certificate path, and so on. You can also search through the list of certificates using QQL tokens in the Certificate View. For the token help, refer to Certificate View Online Help.
Release 1.14
Changes in User Interface
New Tab – APIs
The APIs tab is added under Applications to display the list of APIs in your subscription. The APIs tab displays the API name, last scanned date, updated date, and tags. The tab displays the vulnerability level of the application with the number of open vulnerabilities and the TruRisk™ score calculated for the APIs, which indicates the API application's vulnerability level.
You can perform the following actions on the APIs in the list using the Quick Actions menu:
- View and edit API records
- View vulnerability report
- Launch vulnerability and compliance scan
- Add and remove tags
- Add comment
- Purge or remove API asset
- Clone existing API records using the Save As option
For more information on the APIs tab, see View your APIs.
Scans
You can launch a vulnerability and compliance scan for APIs from the Scans tab. The compliance scan is available only for APIs defined with a Swagger file.
For the compliance scan, you must create a new option profile named Api Compliance Option Profile.
For details on how to launch a compliance scan, refer to Launch Compliance Scan.
Currently, API scan scheduling is not supported.
Detections
The Detections tab displays API detections alongside web application detections.
All the actions available in the Quick Actions menu for web application detections are also available for the API detections.
Retesting for API vulnerabilities is available for the vulnerabilities identified through a vulnerability scan and not for vulnerabilities found during a compliance scan.
Online Reports
You can generate application reports and scan reports for APIs, which are displayed in the Online Reports tab.
The Download button is currently unavailable for application or scan reports for APIs.
KnowledgeBase
New API QIDs are added and visible on the Knowledge Base data list. OWASP API Top Ten 2023 categories are added, and API QIDs are mapped against these categories.
A new category, API Security, is added to the WAS KnowledgeBase with the list of API compliance-related QIDs.
New Tokens
The following new tokens are added for APIs.
Tab | Token Name | Description |
---|---|---|
Detections | vulnerability.owaspApiTopTen.id | Use an integer value to find detections with the given OWASP API Top Ten 2023 category ID. |
Detections | vulnerability.owaspApiTopTen.name | Use a text value to find detections with the given OWASP API Top Ten 2023 category name. |
Scans | scan.findings.owaspApiTopTen.id | Use an integer value to find scans with detections with the given OWASP API Top Ten 2023 category ID. |
Scans | scan.findings.owaspApiTopTen.name | Use a text value to find scans with detections with the given OWASP API Top Ten 2023 category name. |
KnowledgeBase | vulnDef.owaspApiTopTen.id | Use an integer value to search QIDs with the given OWASP API Top Ten 2023 category ID. |
KnowledgeBase | vulnDef.owaspApiTopTen.name | Use values within quotes or backticks to search QIDs with the given OWASP API Top Ten 2023 category name. |
Updated Tokens
The following token is modified.
Tab | Token Name | Description |
---|---|---|
Scans | scan.type | A new value, COMPLIANCE, is added to find compliance scans in the list of scans. |