WillB

QualysGuard WAS 3.5 API Release Notification

Blog Post created by WillB on Jul 15, 2014

A new release of QualysGuard WAS, Version 3.5, which includes an API update, is targeted for release in late July and early August 2014.

 

More information on specific release dates that correspond to the QualysGuard platforms can be found on the platform release blog pages.

 

 

This API notification provides an early preview of the coming API changes in QualysGuard WAS 3.5, so that you can identify in advance any changes required in automated scripts or programs that use the API methods described below. There is one API modification in this release:

 

  • Scan Get API – Updated to support the new custom form parameter set feature

 

Full release notes will be available to customers on the day of the release. 

 

API Enhancements

    

Scan Get API – Custom Form Parameters - Sample Request


curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" "https://qualysapi.qualys.com/qps/rest/3.0/get/was/scan/801678"

 

 

XML output (parameter set is Initial Parameters):

 

 

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://qualysapi.qualys.com/qps/xsd/3.0/was/scan.xsd">
<responseCode>SUCCESS</responseCode>
<count>1</count>
<data>
   <WasScan>
     <id>801678</id>
     <name><![CDATA[My Scan]]></name>
     <reference>was/1405370728457.1775165</reference>
     <type>VULNERABILITY</type>
     <mode>ONDEMAND</mode>
     <multi>false</multi>
     <target>
       <webApp>
         <id>2112993</id>
         <name><![CDATA[My Scan]]></name>
         <url><![CDATA[http://10.10.31.55/merchant/2.2/themerchant]]></url>
       </webApp>
       <webAppAuthRecord>
         <id>128557</id>
         <name><![CDATA[Myy Authentication Record]]></name>
       </webAppAuthRecord>
       <scannerAppliance>
         <type>EXTERNAL</type>
       </scannerAppliance>
     </target>
     <profile>
       <id>160333</id>
       <name><![CDATA[300 links]]></name>
     </profile>
     <options>
       <count>14</count>
       <list>
         <WasScanOption>
           <name>Web Application Authentication Record Name</name>
           <value><![CDATA[My Authentication Record]]></value>
         </WasScanOption>
         <WasScanOption>
           <name>Detection Scope</name>
           <value><![CDATA[COMPLETE]]></value>
         </WasScanOption>
         <WasScanOption>
           <name>Sensitive Content: Custom Contents</name>
           <value><![CDATA[zip code social security password]]></value>
         </WasScanOption>
         <WasScanOption>
           <name>Scanner Appliance</name>
           <value><![CDATA[External (IP: 10.10.21.148, Scanner: 7.8.37-1, WAS: 3.6.35-1, Signatures: 2.2.752-1)]]></value>
         </WasScanOption>
         <WasScanOption>
           <name>Target URL</name>
           <value><![CDATA[http://10.10.31.55/merchant/2.2/themerchant]]></value>
         </WasScanOption>
         <WasScanOption>
           <name>Performance Settings</name>
           <value><![CDATA[LOW]]></value>
         </WasScanOption>
         <WasScanOption>
           <name>Sensitive Content: Social Security Numbers (US)</name>
           <value><![CDATA[true]]></value>
         </WasScanOption>
         <WasScanOption>
           <name>Sensitive Content: Credit Card Numbers</name>
           <value><![CDATA[true]]></value>
         </WasScanOption>
         <WasScanOption>
           <name>Maximum Crawling Links</name>
           <value><![CDATA[300]]></value>
         </WasScanOption>
         <WasScanOption>
           <name>Bruteforce Settings</name>
           <value><![CDATA[MINIMAL]]></value>
         </WasScanOption>
         <WasScanOption>
           <name>Option Profile Name</name>
           <value><![CDATA[300 links]]></value>
         </WasScanOption>
         <WasScanOption>
           <name>Crawling Form Submissions</name>
           <value><![CDATA[BOTH]]></value>
         </WasScanOption>
         <WasScanOption>
           <name>Request Parameter Set</name>
           <value><![CDATA[Initial Parameters]]></value>
         </WasScanOption>
         <WasScanOption>
           <name>Web Application Name</name>
           <value><![CDATA[My Web Application]]></value>
         </WasScanOption>
       </list>
     </options>
     <launchedDate>2014-07-14T20:45:28Z</launchedDate>
     <launchedBy>
       <id>45941</id>
       <username>acme_ss</username>
       <firstName><![CDATA[Sarah]]></firstName>
       <lastName><![CDATA[Smith]]></lastName>
     </launchedBy>
     <status>FINISHED</status>
     <scanDuration>385</scanDuration>
   </WasScan>
</data>
</ServiceResponse>

 

Scan Get API – Custom Form Parameters - Sample Partial Response


<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://qualysapi.qualys.com/qps/xsd/3.0/was/scan.xsd">
   <responseCode>SUCCESS</responseCode>
   <count>1</count>
   <data>
       <WasScan>
           <id>34593</id>
           ...
           <options>
               <count>14</count>
               <list>
                   ...
                   <WasScanOption>
                       <name>Request Parameter Set</name>
                       <value>
                           <![CDATA[My custom parameter set]]>
                       </value>
                   </WasScanOption>
                   ...
               </list>
           </options>
           ...
       </WasScan>
   </data>
</ServiceResponse>
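
For scripts that consume the Scan Get response, the following added example (not Qualys code and not part of the original post) reads the scan options into a dictionary and returns the "Request Parameter Set" value, tolerating the whitespace around the CDATA section seen in the partial response. The sample XML is constructed from that partial response, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the partial response above with the elided parts dropped.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <responseCode>SUCCESS</responseCode>
  <data>
    <WasScan>
      <id>34593</id>
      <options><list>
        <WasScanOption><name>Detection Scope</name><value><![CDATA[COMPLETE]]></value></WasScanOption>
        <WasScanOption>
          <name>Request Parameter Set</name>
          <value>
            <![CDATA[My custom parameter set]]>
          </value>
        </WasScanOption>
      </list></options>
    </WasScan>
  </data>
</ServiceResponse>"""


def scan_options(xml_text):
    """Return {scan id: {option name: value}} parsed from a Scan Get response."""
    if "<!DOCTYPE" in xml_text:
        # The samples carry no DTD; refuse one instead of letting the parser expand entities.
        raise ValueError("unexpected DOCTYPE in API response")
    root = ET.fromstring(xml_text.encode("utf-8"))
    code = (root.findtext("responseCode") or "").strip()
    if code != "SUCCESS":
        raise ValueError("API call failed: %r" % code)
    scans = {}
    for scan in root.iter("WasScan"):
        options = {}
        for opt in scan.iter("WasScanOption"):
            name = (opt.findtext("name") or "").strip()
            # The value can be padded with whitespace around its CDATA section.
            options[name] = (opt.findtext("value") or "").strip()
        scans[(scan.findtext("id") or "").strip()] = options
    return scans


def request_parameter_set(xml_text, scan_id):
    """Parameter set named in the scan options, or None if the option is absent."""
    return scan_options(xml_text).get(scan_id, {}).get("Request Parameter Set")
```

A script that treats the option list as fixed should use a lookup by name like this one, so that the new option does not break positional parsing.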

 

 

 

What is the <baseurl>?

 

This is the API server URL where your QualysGuard account is located. For an account on US Platform 1 this is <qualysapi.qualys.com>, on US Platform 2 this is <qualysapi.qg2.apps.qualys.com>, on EU Platform this is <qualysapi.qualys.eu>.
