I’m pleased to announce that WAS Engine 8.3 has been released to all Qualys platforms including private cloud platforms. This release is part of our ongoing effort to continuously improve the scanning engine in Qualys Web Application Scanning.
This update includes the following changes:
- Introduced informational finding QID 150245 for missing X-Frame-Options header. This QID is included in core detection scope and replaces QID 150081, a potential vulnerability that has now been deprecated. Both 150245 and 150081 will be reported until such time that 150081 is retired. The reason for the new QID is that reporting a potential vulnerability for missing X-Frame-Options is no longer appropriate since other clickjacking defenses now exist, such as Content-Security Policy (CSP). Note – existing QID 150124 has not changed and will continue to be reported if a clickjacking vulnerability is found.
- Implemented QID 150300 as an initial vulnerability detection for HTTP request smuggling. The specific technique used for this detection is described in section 3.3 at https://paper.seebug.org/1049/. This QID has been added to core detection scope.
- Added 3 new QIDs to core detection scope for Oracle WebLogic vulnerabilities:
- QID 150305 – this detection covers CVE-2020-14625, CVE-2020-14644, and CVE-2020-14687
- QID 150306 – this detection covers CVE-2020-2697, CVE-2020-14588, CVE-2020-14622, CVE-2020-14645, CVE-2020-14652, and CVE-2020-14589
- QID 150309 – this detection covers CVE-2020-2519, CVE-2020-2544, CVE-2020-2547, CVE-2020-2550, and CVE-2020-2551
- Added QID 150317 to core detection scope for a remote code execution vulnerability in Apache Struts (CVE-2019-0230).
- Added 2 new detections for Atlassian Jira vulnerabilities:
- QID 150310 – this covers CVE-2020-14172
- QID 150311 – this covers CVE-2020-4022, CVE-2020-4024, and CVE-2020-4025
- Added informational finding QID 150308 to report explicit URLs that are provided as part of the scan configuration.
- Fixed an issue in the CMS version detection logic that caused an error when scanning certain apps.
- Improved the detection logic for QID 150114 to reduce false negatives for arbitrary file upload vulnerabilities.
- Addressed an issue in crawl phase where state and country input fields were not being properly set with data.
- Improved the reporting of QID 150152 (Forms Crawled) to include the URL of the page where the form was found.
- Fixed a false negative for QID 150244 (Magento CMS Detected).
As always, if you encounter any problems in your WAS scans, please open a support ticket by selecting Help–Contact Support while logged into the platform. Feel free to post a question over on the Qualys Community site as well.