Qualys WAS Engine 8.10 Released

Qualys Web Application Scanning Engine 8.10 has been released to all Qualys platforms including private cloud platforms. This release is part of our ongoing effort to continuously improve the scanning engine in Qualys Web Application Scanning.

This update includes the following changes:

• Exclude Cookies from the following QIDs through Parameter Exclusions:
  • 150103 – Secure Cookies set by Insecure Connection
  • 150121 – Session Cookie (Authentication Related) Does Not Contain the “HTTPOnly” Attribute
  • 150122 – Cookie Does Not Contain the “secure” Attribute
  • 150123 – Cooke Does Not Contain the “HTTPOnly” Attribute
  • 150159 – Session Cookie Set over Non-HTTPS Connection
  • 150160 – Session Cookie (Authentication Related) Set over Non-HTTPS Connection
  • 150161 – Session Cookie Does Not Contain the “secure” Attribute
• API testing improvements with OpenAPI, Swagger, and Postman Collections.
• Improvements for testing certain Angular applications
• Reporting improvements to 150020 – Links Rejected By Crawl Scope or Exclusion List

Additionally, QID 150081 (X-Frame-Options header is not set) – a severity 1 potential vulnerability – has been deprecated in alignment with the Content-Security-Policy: frame-ancestors directive which obsoletes X-Frame-Options headers in modern browsers. The Information Gathered QID 150245 (Missing header: X-Frame-Options) will still be reported.

As always, if you encounter any problems in your WAS scans, please open a support ticket by selecting Help > Contact Support while logged into the platform. Feel free to post a question on Qualys Community as well.

Happy scanning.