Web Application Scanning Release 1.21

May 28, 2025

Enhancements in Authentication Record

Authentication record creation is enhanced with the following changes, which improve the security and efficiency of authentication records.

Option to Add URL for Standard and Custom Authentication

While creating an authentication record with form authentication, you can now specify the login page URL for standard and custom authentication types.

Currently, while performing test authentication, the scanner crawls all pages to identify the login form to authenticate. Specifying the login page URL simplifies identification of the form that requires authentication, prevents unnecessary crawling, and ensures faster login request submission.

A new field, Login URL, is available when you select Custom or Standard Login type for the Form Record authentication. 

URL field added for Custom and Standard authentication.

Addition of Header Injection

We have added new fields to authentication records where you can add, in an encrypted format, the headers to be injected. The scanner service injects these headers while scanning web applications.

This enhancement ensures secure storage and restricted access to headers and prevents unauthorized visibility. 

Header Injection in new Authentication Record workflow.

Enhancements in Scan Schedule 

The Progressive Scanning and Cancel Scan options are now moved from the Scan Settings to the Scheduling page in the create and edit scan schedule workflow. 

When progressive scanning is activated, a new option lets you end the scheduled scan only after the entire progression is finished. Select the Stop Scan After Completion checkbox to stop the scan only after progressive scanning is completed.

The following image displays the changes in the Scheduling page of the scan schedule creation workflow.  

Progressive Scan and Cancel Scan options in the Scheduling page.

Addition of Group By Option 

The Group By option is now available in the Detections tab, the Scan List and Schedules tabs in Scans, the Reports tab, and the tabs under Configuration. With the Group By option, you can quickly sort the data in the tabs.

For example, the following image displays the Group By options available in the Detections tab.

Group by option in Detections tab.

Customized Advanced Filter in Scan List and Detections Tab

We have added the Advanced filter option to the Scan List and Detections tabs. With it, you can search through the data list quickly using multiple criteria without entering the QQL tokens manually. You can also add customized filters to the list of existing Advanced filters and add more search criteria based on the QQL tokens.

The advanced filters help in quick searches with multiple and complex criteria without entering the QQL tokens manually.

Example of Customized Advanced Filter 

The following image presents an example of advanced filters in the Detections tab, where the Status is an existing advanced filter, and Application Type is the customized filter added to the search. 

Example of customized advanced filter in the Detections tab.

New Tokens in the Schedules Tab in Scans

The following tokens are added to the Schedules tab under Scans.

| Token Name | Description |
| --- | --- |
| asset.name | Use this token to find scan schedules associated with the given asset name. |
| scan.schedule.created | Use this token to find scan schedules created on a specific date or within a specific date range. |
| scan.schedule.updated | Use this token to find scan schedules updated on a specific date or within a specific date range. |
| scan.schedule.multi | Use this token to find scan schedules where multiple scan targets (web applications or API assets) are included. |
| scan.schedule.included.tags.name | Use this token to find scan schedules based on the tags included while defining the scan target. |
| scan.schedule.excluded.tags.name | Use this token to find scan schedules based on the tags excluded while defining the scan target. |
| scan.schedule.invalid | Use this token to find invalid scan schedules, that is, the scan schedules for which the target or option profile has been deleted. |
| scan.schedule.retest | Use this token to find scan schedules for retest scans. |

Create Distribution Group in Report Scheduling 

While creating or editing a report schedule, you can now create a new distribution group to which the notification must be sent. 

Create distribution group in report scheduling.

Issues Addressed 

The following notable and important issues are fixed in this release.

| Category/Component | Description |
| --- | --- |
| Scheduled Scan | We fixed an issue where authentication failed for scheduled scans because the scan used an old authentication record even when a new authentication record was assigned. |
| WAS Engine version | We fixed an issue where the Help > About View dialog box displayed an incorrect version of WAS Engine. The issue is fixed, and the correct WAS Engine version is available in the About View dialog box. |
| Dashboard, TruRisk widget | In the TruRisk widget, the hyperlink added for the TruRisk score was not clickable. The hyperlink is now removed, as the TruRisk score indicates a combined score for web applications and API assets (for TAS accounts). |
| QQL Tokens | No QQL token was available to find the scan schedules associated with a specific asset name. We have now added the asset.name token to find scan schedules with specific asset names. For details on the asset.name and other tokens added to the Schedules tab in Scans, see New Tokens in the Schedules Tab in Scans. |
| Scan count | A discrepancy was observed between the scan count in the Scans tab and the scan count fetched by the API /qps/rest/3.0/search/was/wasscan. The issue is now resolved. |
| Burp report import | We fixed an issue where the user encountered issues while importing the Burp report. |