I’m pleased to announce that WAS Engine 8.4 has been released to all Qualys platforms including private cloud platforms. This release is part of our ongoing effort to continuously improve the scanning engine in Qualys Web Application Scanning.
This update includes the following changes:
- Added new vulnerability tests:
- QID 150315 for NoSQL injection for MongoDB
- QID 150340 for an exposed Apache server-status page (this QID included in core detection scope)
- QIDs 150324 and 150326 for information disclosure issues in Atlassian Jira
- QIDs 150312, 150313, and 150321 for security flaws in vBulletin web forum software (these QIDs included in core detection scope)
- Implemented changes to QID 150300 (HTTP request smuggling) to reduce false positives.
- Implemented cookie testing optimization to reduce scan time for web apps having 20 or more cookies.
- Added informational finding QID 150325 to identify the presence of Adobe Experience Manager CMS.
- Improved the reporting format of QID 150141 (URL Matching Keyword Provided).
- Expanded XSS detection capability for an XSS power mode scan by implementing fuzzing of parameter names.
- Fixed scan errors that occurred when scanning certain apps.
As always, if you encounter any problems in your WAS scans, please open a support ticket by selecting Help–Contact Support while logged into the platform. Feel free to post a question over on the Qualys Community site as well.