Qualys WAS Engine 8.2 Released

Dave Ferguson

Last updated on: September 16, 2020

I’m pleased to announce that Qualys WAS Engine 8.2 has been released to all Qualys platforms including private cloud platforms. This release is part of our ongoing effort to continuously improve the Web Application Scanning scan engine.

This release includes the following changes:

  • Added two new vulnerability tests to core detection scope. This includes:
    • QID 150298 for SSRF to the AWS metadata service
    • QID 150307 for SSRF via host header injection (this detection leverages Qualys Periscope)
  • Corrected a problem with the reporting format of cookie-related QIDs.
  • Fixed a false positive for QID 150051 (Open Redirect) when the payload is reflected in the body of a 301/302 response.
  • Changes to reduce memory consumption for subresource integrity (SRI) testing and to correct a false positive for QID 150261.
  • Fixed a false positive for QID 150001 (Reflected XSS) for certain cases where the scanner’s payload is reflected within JavaScript context.
  • Corrected an issue that caused Selenium-based authentication to fail when the target application uses certain CSP configuration.
  • Added support for application/problem+json and application/problem+xml mime types.
  • Fixed a false negative for QID 150076 (DOM-based XSS).
  • Fixed a false positive for QID 150135 (Missing HSTS).

As always, if you encounter any problems in your WAS scans, please open a support ticket by selecting Help–Contact Support while logged into the platform. Feel free to post a question on the Qualys Community site as well.

Happy scanning.

Share your Comments

Comments

Your email address will not be published. Required fields are marked *