Qualys WAS 4.0 API Release Notification

Blog Post created by WillB on Nov 4, 2014

A new release of Qualys WAS, Version 4.0, which includes an API update, is targeted for release in mid-December.

This API notification provides an early preview of the API changes coming in Qualys WAS 4.0, so that you can proactively identify any changes required for automated scripts or programs that use the API methods. Two API modifications in this release may impact existing API implementations and therefore require a 30-day notification. Additional new API features will be announced at a later date, along with further details and examples.

Full release notes will be available to customers on the day of the release.

API Enhancements: Updates to Web App API

We updated the XSD of the Web App API to provide the screenshot of the initial page for those web applications that have already been scanned.

Base64 Encoding

To encode the screenshots we use a URL-safe base64 encoding, as other elements in our APIs already do (see http://search.cpan.org/~kazuho/MIME-Base64-URLSafe-0.01/lib/MIME/Base64/URLSafe.pm for a good explanation).

The following characters are therefore replaced in the base64 content:

  • / with _
  • + with -

Sample Response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
evaluation: false
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Tue, 09 Sep 2014 06:33:49 GMT
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://demoxx.qualys.com/portal-api/xsd/3.0/was/webapp.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <WebApp>
      <id>324836</id>
      <name><![CDATA[Web App with SA 'is_quays_demo']]></name>
      <url><![CDATA[http://10.1.1.238]]></url>
      <os>Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP</os>
      <owner>
        <id>123056</id>
        <username>quays_at3</username>
        <firstName><![CDATA[John]]></firstName>
        <lastName><![CDATA[Doe]]></lastName>
      </owner>
      <scope>ALL</scope>
      <attributes>
        <count>0</count>
      </attributes>
      <defaultProfile>
        <id>1072</id>
        <name><![CDATA[Initial WAS Optionss]]></name>
      </defaultProfile>
      <defaultScanner>
        <type>INTERNAL</type>
        <friendlyName><![CDATA[DEV.FR.01]]></friendlyName>
      </defaultScanner>
      <scannerLocked>true</scannerLocked>
      <urlBlacklist>
        <count>1</count>
        <list>
          <UrlEntry regex="true"><![CDATA[http://www.demoxx.com/*]]></UrlEntry>
        </list>
      </urlBlacklist>
      <urlWhitelist>
        <count>0</count>
      </urlWhitelist>
      <postDataBlacklist>
        <count>0</count>
      </postDataBlacklist>
      <authRecords>
        <count>2</count>
        <list>
          <WebAppAuthRecord>
            <id>1910</id>
            <name><![CDATA[test 2]]></name>
          </WebAppAuthRecord>
          <WebAppAuthRecord>
            <id>1909</id>
            <name><![CDATA[test (ID=1909,Web App with SA 'is_quays_demo')]]></name>
          </WebAppAuthRecord>
        </list>
      </authRecords>
      <useRobots>IGNORE</useRobots>
      <useSitemap>false</useSitemap>
      <malwareMonitoring>false</malwareMonitoring>
      <tags>
        <count>0</count>
      </tags>
      <comments>
        <count>0</count>
      </comments>
      <isScheduled>true</isScheduled>
      <lastScan>
        <id>31193</id>
        <name><![CDATA[Was Scan Test 1 - 2014-05-23]]></name>
      </lastScan>
      <createdBy>
        <id>123056</id>
        <username>quays_demo</username>
        <firstName><![CDATA[Axels]]></firstName>
        <lastName><![CDATA[Tex]]></lastName>
      </createdBy>
      <createdDate>2012-02-16T15:35:49Z</createdDate>
      <updatedBy>
        <id>123056</id>
        <username>quays_demo</username>
        <firstName><![CDATA[John]]></firstName>
        <lastName><![CDATA[Doe]]></lastName>
      </updatedBy>
      <updatedDate>2014-08-28T12:39:51Z</updatedDate>
      <screenshot><![CDATA[_9j_4AAQSkZJRgABAQEAegBrAAD_2wBDAAYEBQYFBAYGBQYHBwYIChAKCgkJChQODwwQFxQYGBcUFhYaHSUfGhsjHBYW......  SHORTENED FOR BREVITY.......KKKKACiiigD__2Q]]></screenshot>
    </WebApp>
  </data>
</ServiceResponse>

API Enhancements: New Severity Levels Appendix added to XML Reports

The update below does not directly impact API calls, but it does impact XML and other report formats that may be processed by API scripts, and is therefore included in this notice.

We'll include the new Severity Levels appendix in Scan and Web Application Reports by default. This helps you understand what the severity levels mean. When the Severity Levels appendix is included, the section /APPENDIX/SEVERITY_CATEGORY_LIST appears in the XML reports with a description of each finding category (vulnerabilities, sensitive content, information gathered) and of each severity level within it.

Example XML Web App Report

<?xml version="1.0" encoding="UTF-8"?>
<WAS_WEBAPP_REPORT>
    <HEADER>
        <NAME><![CDATA[Web Application Report]]></NAME>
        <DESCRIPTION><![CDATA[Each targeted web application is listed with the total number of detected vulnerabilities and sensitive content.]]></DESCRIPTION>
        <GENERATION_DATETIME>2014-11-03T21:44:17Z</GENERATION_DATETIME>
        <COMPANY_INFO>
            <NAME><![CDATA[Qualys Demo]]></NAME>
            <ADDRESS><![CDATA[324242 34535]]></ADDRESS>
            <CITY><![CDATA[any]]></CITY>
            <STATE><![CDATA[None]]></STATE>
            <COUNTRY>Togo</COUNTRY>
            <ZIP_CODE><![CDATA[23123123]]></ZIP_CODE>
        </COMPANY_INFO>
        <USER_INFO>
            <NAME><![CDATA[Demo Demolast]]></NAME>
            <USERNAME>quays_demo</USERNAME>
        </USER_INFO>
    </HEADER>
    <FILTERS>
        <FILTER>
            <NAME><![CDATA[FINDING_STATUS]]></NAME>
            <VALUE>New,Active,Re-Opened</VALUE>
        </FILTER>
    </FILTERS>
    <TARGET>
        <WEB_APPLICATIONS>
            <WEB_APPLICATION><![CDATA[test bamboo]]></WEB_APPLICATION>
        </WEB_APPLICATIONS>
    </TARGET>
    <RESULTS>
        <WEB_APPLICATION>
            <ID>1576755669</ID>
            <NAME><![CDATA[test bamboo]]></NAME>
            <VULNERABILITY_LIST>
...(removed for brevity)
            </VULNERABILITY_LIST>
        </WEB_APPLICATION>
    </RESULTS>
    <APPENDIX>
        <WEB_APPLICATION>
            <ID>1576755669</ID>
            <NAME><![CDATA[test bamboo]]></NAME>
            <URL><![CDATA[http://www.demoapp.com]]></URL>
            <OWNER>Demo DemoLast (quays_demo)</OWNER>
            <OPERATING_SYSTEM><![CDATA[Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP]]></OPERATING_SYSTEM>
            <SCOPE>Limit to URL hostname</SCOPE>
        </WEB_APPLICATION>
        <SEVERITY_CATEGORY_LIST>
            <SEVERITY_CATEGORY>
                <NAME><![CDATA[VULNERABILITY]]></NAME>
                <DESCRIPTION><![CDATA[Vulnerabilities (QIDs) are design flaws, programming errors, or mis-configurations that make your web application and web application platform susceptible to malicious attacks. Depending on the level of the security risk, the successful exploitation of a vulnerability can vary from the disclosure of information to a complete compromise of the web application and/or the web application platform. Even if the web application isn't fully compromised, an exploited vulnerability could still lead to the web application being used to launch attacks against users of the site.]]></DESCRIPTION>
                <SEVERITY_LEVEL_LIST>
                    <SEVERITY_LEVEL>
                        <SEVERITY>1</SEVERITY>
                        <LEVEL>Minimal</LEVEL>
                        <DESCRIPTION><![CDATA[Basic information disclosure (e.g. web server type, programming language) might enable intruders to discover other vulnerabilities, but lack of this information does not make the vulnerability harder to find.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>2</SEVERITY>
                        <LEVEL>Medium</LEVEL>
                        <DESCRIPTION><![CDATA[Intruders may be able to collect sensitive information about the application platform, such as the precise version of software used. With this information, intruders can easily exploit known vulnerabilities specific to software versions. Other types of sensitive information might disclose a few lines of source code or hidden directories.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>3</SEVERITY>
                        <LEVEL>Serious</LEVEL>
                        <DESCRIPTION><![CDATA[Vulnerabilities at this level typically disclose security-related information that could result in misuse or an exploit. Examples include source code disclosure or transmitting authentication credentials over non-encrypted channels.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>4</SEVERITY>
                        <LEVEL>Critical</LEVEL>
                        <DESCRIPTION><![CDATA[Intruders can exploit the vulnerability to gain highly sensitive content or affect other users of the web application. Examples include certain types of cross-site scripting and SQL injection attacks.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>5</SEVERITY>
                        <LEVEL>Urgent</LEVEL>
                        <DESCRIPTION><![CDATA[Intruders can exploit the vulnerability to compromise the web application's data store, obtain information from other users' accounts, or obtain command execution on a host in the web application's architecture.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                </SEVERITY_LEVEL_LIST>
            </SEVERITY_CATEGORY>
            <SEVERITY_CATEGORY>
                <NAME><![CDATA[SENSITIVE_CONTENT]]></NAME>
                <DESCRIPTION><![CDATA[Sensitive content may be detected based on known patterns (credit card numbers, social security numbers) or custom patterns (strings, regular expressions), depending on the option profile used. Intruders may gain access to sensitive content that could result in misuse or other exploits.]]></DESCRIPTION>
                <SEVERITY_LEVEL_LIST>
                    <SEVERITY_LEVEL>
                        <SEVERITY>1</SEVERITY>
                        <LEVEL>Minimal</LEVEL>
                        <DESCRIPTION><![CDATA[Sensitive content was found in the web server response. During our scan of the site form(s) were found with field(s) for credit card number or social security number. This information disclosure could result in a confidentiality breach and could be a target for intruders. For this reason we recommend caution.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>2</SEVERITY>
                        <LEVEL>Medium</LEVEL>
                        <DESCRIPTION><![CDATA[Sensitive content was found in the web server response. Specifically our service found a certain sensitive content pattern (defined in the option profile). This information disclosure could result in a confidentiality breach and could be a target for intruders. For this reason we recommend caution.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>3</SEVERITY>
                        <LEVEL>Serious</LEVEL>
                        <DESCRIPTION><![CDATA[Sensitive content was found in the web server response - a valid social security number or credit card information. This infomation disclosure could result in a confidentiality breach, and it gives intruders access to valid sensitive content that could be misused.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                </SEVERITY_LEVEL_LIST>
            </SEVERITY_CATEGORY>
            <SEVERITY_CATEGORY>
                <NAME><![CDATA[INFORMATION_GATHERED]]></NAME>
                <DESCRIPTION><![CDATA[Information Gathered issues (QIDs) include visible information about the web application's platform, code, or architecture. It may also include information about users of the web application.]]></DESCRIPTION>
                <SEVERITY_LEVEL_LIST>
                    <SEVERITY_LEVEL>
                        <SEVERITY>1</SEVERITY>
                        <LEVEL>Minimal</LEVEL>
                        <DESCRIPTION><![CDATA[Intruders may be able to retrieve sensitive information related to the web application platform.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>2</SEVERITY>
                        <LEVEL>Medium</LEVEL>
                        <DESCRIPTION><![CDATA[Intruders may be able to retrieve sensitive information related to internal functionality or business logic of the web application.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>3</SEVERITY>
                        <LEVEL>Serious</LEVEL>
                        <DESCRIPTION><![CDATA[Intruders may be able to detect highly sensitive data, such as personally identifiable information (PII) about other users of the web application.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                </SEVERITY_LEVEL_LIST>
            </SEVERITY_CATEGORY>
        </SEVERITY_CATEGORY_LIST>
    </APPENDIX>
</WAS_WEBAPP_REPORT>
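An added example, not from the post or from Qualys: a Python 3 helper that loads /APPENDIX/SEVERITY_CATEGORY_LIST from a report into a lookup table and uses it to label findings, returning an empty table when a report carries no appendix (for example one generated without it) so that existing scripts keep working. The trimmed report XML is constructed here from the post's example with shortened descriptions; element names are the post's, and the elided findings list is not parsed because the post does not show its elements.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed, trimmed report in the shape of the post's example; only the parts
# a severity lookup needs are kept and the descriptions are shortened.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<WAS_WEBAPP_REPORT>
    <HEADER>
        <NAME><![CDATA[Web Application Report]]></NAME>
        <GENERATION_DATETIME>2014-11-03T21:44:17Z</GENERATION_DATETIME>
    </HEADER>
    <RESULTS>
        <WEB_APPLICATION>
            <ID>1576755669</ID>
            <NAME><![CDATA[test bamboo]]></NAME>
        </WEB_APPLICATION>
    </RESULTS>
    <APPENDIX>
        <SEVERITY_CATEGORY_LIST>
            <SEVERITY_CATEGORY>
                <NAME><![CDATA[VULNERABILITY]]></NAME>
                <SEVERITY_LEVEL_LIST>
                    <SEVERITY_LEVEL>
                        <SEVERITY>1</SEVERITY>
                        <LEVEL>Minimal</LEVEL>
                        <DESCRIPTION><![CDATA[Basic information disclosure.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>5</SEVERITY>
                        <LEVEL>Urgent</LEVEL>
                        <DESCRIPTION><![CDATA[Data store compromise or command execution.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                </SEVERITY_LEVEL_LIST>
            </SEVERITY_CATEGORY>
            <SEVERITY_CATEGORY>
                <NAME><![CDATA[SENSITIVE_CONTENT]]></NAME>
                <SEVERITY_LEVEL_LIST>
                    <SEVERITY_LEVEL>
                        <SEVERITY>3</SEVERITY>
                        <LEVEL>Serious</LEVEL>
                        <DESCRIPTION><![CDATA[Valid SSN or card data in a response.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                </SEVERITY_LEVEL_LIST>
            </SEVERITY_CATEGORY>
        </SEVERITY_CATEGORY_LIST>
    </APPENDIX>
</WAS_WEBAPP_REPORT>
"""


@dataclass(frozen=True)
class SeverityInfo:
    level: str        # e.g. "Urgent"
    description: str  # the appendix text for that level


SeverityTable = dict[tuple[str, int], SeverityInfo]


def has_severity_appendix(report_xml: str) -> bool:
    """True when the report contains /APPENDIX/SEVERITY_CATEGORY_LIST."""
    root = ET.fromstring(report_xml)
    return root.find("./APPENDIX/SEVERITY_CATEGORY_LIST") is not None


def load_severity_table(report_xml: str) -> SeverityTable:
    """Build {(category, severity): SeverityInfo} from the appendix.

    Returns an empty table when the appendix is absent, so callers can fall
    back to their own labels instead of failing on older or trimmed reports.
    Entries missing a category name or numeric severity are skipped.
    """
    root = ET.fromstring(report_xml)
    table: SeverityTable = {}
    for category in root.iterfind("./APPENDIX/SEVERITY_CATEGORY_LIST/SEVERITY_CATEGORY"):
        cat_name = (category.findtext("NAME") or "").strip()
        for level in category.iterfind("./SEVERITY_LEVEL_LIST/SEVERITY_LEVEL"):
            sev_text = (level.findtext("SEVERITY") or "").strip()
            if not cat_name or not sev_text.isdigit():
                continue
            table[(cat_name, int(sev_text))] = SeverityInfo(
                level=(level.findtext("LEVEL") or "").strip(),
                description=(level.findtext("DESCRIPTION") or "").strip(),
            )
    return table


def severity_label(table: SeverityTable, category: str, severity: int) -> str:
    """Readable label such as 'VULNERABILITY severity 5 (Urgent)'.

    An unknown (category, severity) pair is labelled as such rather than
    raising, so a script processing many reports does not abort on one value.
    """
    info = table.get((category, severity))
    name = info.level if info else "unknown level"
    return f"{category} severity {severity} ({name})"


if __name__ == "__main__":
    table = load_severity_table(SAMPLE_REPORT)
    for (cat, sev), info in sorted(table.items()):
        print(f"{severity_label(table, cat, sev)}: {info.description}")
```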

What is the <baseurl>?

This is the API server URL where your Qualys account is located. For an account on US Platform 1, this is <qualysapi.qualys.com>; on US Platform 2, this is <qualysapi.qg2.apps.qualys.com>; on EU Platform, this is <qualysapi.qualys.eu>.