Qualys WAS Engine 8.0 Released

Dave Ferguson

I’m pleased to announce that the Web Application Scanning (WAS) Engine 8.0 has been released to all Qualys platforms, including private cloud platforms.

WAS Engine 8.0 is an important release because the scanner’s internal browser engine has been updated. There are many benefits to the new browser engine and you may see differences in your scan results for certain web apps. However, you may see no difference at all for other web apps. This is expected, because every web application is unique. At the end of the day, it depends on the design and technological makeup of the application.

In general, the new browser engine enables WAS to perform better when crawling modern web applications that use the latest features of JavaScript and/or HTML5. Scans with 8.0 may be able to crawl more links (either regular links or AJAX links) or authenticate successfully where they couldn’t before. You may also see new vulnerabilities being reported. Better crawling translates into better scan coverage and improved results overall.

Another advantage of the updated browser engine is comprehensive support for Content-Security-Policy (CSP). For example, web developers often use CSP and the frame-ancestors directive to prevent clickjacking attacks instead of using the older X-Frame-Options method. Prior to 8.0, WAS only recognized X-Frame-Options, which led to the clickjacking vulnerability (QID 150124) being reported even when the pages were protected with CSP. That no longer happens with 8.0. You’ll still know that X-Frame-Options is not used if QID 150081 is reported.
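The CSP versus X-Frame-Options distinction above, as an added example (not Qualys code and not a description of how the WAS engine is implemented): a header check that accepts an enforced frame-ancestors directive as clickjacking protection and separately records whether X-Frame-Options is present. The function names, the constructed sample responses and the choice to treat `*`, `http:` and `https:` as unrestricted sources are assumptions of this example.

```python
OPEN_SOURCES = {"*", "http:", "https:"}  # assumption: these let any site frame the page

def frame_ancestors(policy):
    """Source set of the first frame-ancestors directive in one policy, else None."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return {t.lower() for t in tokens[1:]}  # empty set behaves like 'none'
    return None

def assess_framing(headers):
    """headers: list of (name, value) pairs from one HTTP response."""
    policies, xfo = [], []
    for name, value in headers:
        name = name.lower()
        # Content-Security-Policy-Report-Only is not enforced, so it is not matched here.
        if name == "content-security-policy":
            for policy in value.split(","):  # a comma separates policies in one header
                sources = frame_ancestors(policy)
                if sources is not None:
                    policies.append(sources)
        elif name == "x-frame-options":
            xfo.append(value.strip().upper())
    if policies:
        # An enforced frame-ancestors takes precedence: browsers then ignore
        # X-Frame-Options. All policies apply, so one restrictive policy is enough.
        protected = any(not (sources & OPEN_SOURCES) for sources in policies)
        mechanism = "csp"
    else:
        # ALLOW-FROM is obsolete and ignored by current browsers.
        protected = bool(xfo) and all(v in ("DENY", "SAMEORIGIN") for v in xfo)
        mechanism = "x-frame-options" if xfo else None
    return {"protected": protected, "mechanism": mechanism, "xfo_present": bool(xfo)}

# Constructed sample responses (not taken from any real scan).
SAMPLES = {
    "csp_only": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")],
    "xfo_only": [("X-Frame-Options", "deny")],
    "report_only": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
    "open_csp_with_xfo": [("Content-Security-Policy", "frame-ancestors *"),
                          ("X-Frame-Options", "DENY")],
    "no_headers": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, assess_framing(hdrs))
```

The `csp_only` sample is the case the paragraph describes: the page is protected even though X-Frame-Options is absent, and `xfo_present` carries that second fact separately.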

We expect WAS Engine 8.0 to perform well and benefit all customers. However, if you encounter any problems in your WAS scans, please let us know by opening a support ticket: select Help–Contact Support while logged into the platform. Feel free to post a question on the Qualys Community site as well.

Happy scanning.