Qualys WAS Engine 8.23 Released

John Delaroderie

Last updated on: June 23, 2023

Qualys Web Application Scanning Engine 8.23 has been released to all Qualys platforms, including private cloud platforms. This release is part of our ongoing effort to continuously improve the scanning engine in Qualys Web Application Scanning.

This update includes the following changes:

  • Removed dependency on QIDs 150033, 150034, 150016 and 150080. These will be deprecated in the future, as replacement QIDs 150601, 150602, 150603, and 150604 have already been released.
  • SQL Injection 500 syntax errors will be reported in QID 150056 instead of QIDs 150003/150047.
  • JSON files that are not Swagger or OpenAPI files are reported as invalid in QID 150291.
  • Improved reporting for Login Brute Force QID 150049, which now includes the logout response body.
  • Added a backoffice option to launch Postman scans using either the Duktape embedded JavaScript engine or the standard WAS browser engine.

New vulnerabilities with this product release:

  • QID 150632 Web Cache Deception Detection
  • QID 150630 Detection for Access-Control-Allow-Origin header weak wildcard configuration
  • QID 150631 Active Cross-Origin resource sharing
  • QID 150188 Apache Struts Remote Code Execution Vulnerability, detected using an out-of-band mechanism

As always, if you encounter any problems in your WAS scans, please open a support ticket by selecting Help > Contact Support while logged into the platform. Feel free to post a question on Qualys Community as well.

Happy Scanning.
