
Qualys WAS 4.4 API Release Notification

Blog Post created by fmc on Nov 16, 2015

WAS API 4.4 includes improvements that give you more ways to integrate your programs and API calls with Web Application Scanning (WAS). Looking for our API user guides? Just log in to your account and go to Help > Resources.

 

What’s New

  • Option Profile API - Support for server error thresholds before stopping a scan
  • Scan API - Scan information now includes user who canceled a scan

 

Tell me about the base URL 

Our documentation and sample code use the API server URL for US Platform 1. If you have another base URL, please use it instead.


 

Option Profile API - Support for server error thresholds before stopping a scan


Web applications can return different kinds of server-side errors or error indicators during a WAS scan. Some of these are a sign that the server may be getting overloaded (or unresponsive) because of the scan behavior or some other condition.


With this release we’ve added new controls in the option profile to stop a scan on such errors and to customize the threshold for each condition: Timeout Error Threshold (default is 20) and Unexpected Error Threshold (default is 48). You can customize the threshold values, or disable a threshold by setting it to 0.


Updated XSD: optionprofile.xsd


Option Profile CREATE API


1) Create Option Profile - with no error threshold specified (default values applied)


API Request:


curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" \
  --data-binary @- \
  "https://qualysapi.qualys.com/qps/rest/3.0/create/was/optionprofile/" < file.xml

 

Note: “file.xml” contains the request POST data.


Request POST Data:


<ServiceRequest>

   <data>

      <OptionProfile> 

         <name><![CDATA[My OP - with no error threshold specified]]></name>  

      </OptionProfile>     

   </data>

</ServiceRequest>

 

XML response:


<?xml version="1.0" encoding="UTF-8"?>

<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/optionprofile.xsd">

    <responseCode>SUCCESS</responseCode>

    <count>1</count>

    <data>

        <OptionProfile>

            <id>451935</id>

            <name>

                <![CDATA[My OP - with no error threshold specified]]>

            </name>

            <owner>

                <id>4354</id>

                <username>acme_ak1</username>

                <firstName>

                    <![CDATA[Amy]]>

                </firstName>

                <lastName>

                    <![CDATA[Kim]]>

                </lastName>

            </owner>

            <isDefault>false</isDefault>

            <tags>

                <count>0</count>

            </tags>

            <formSubmission>BOTH</formSubmission>

            <maxCrawlRequests>300</maxCrawlRequests>

            <timeoutErrorThreshold>20</timeoutErrorThreshold>

            <unexpectedErrorThreshold>48</unexpectedErrorThreshold>

            <parameterSet>

                <id>0</id>

                <name>

                    <![CDATA[Initial Parameters]]>

                </name>

            </parameterSet>

            <ignoreBinaryFiles>false</ignoreBinaryFiles>

            <performance>LOW</performance>

            <bruteforceOption>MINIMAL</bruteforceOption>

            <comments>

                <count>0</count>

            </comments>

            <sensitiveContent>

                <creditCardNumber>false</creditCardNumber>

                <socialSecurityNumber>false</socialSecurityNumber>

            </sensitiveContent>

            <createdDate>2015-11-05T00:49:11Z</createdDate>

            <createdBy>

                <id>4354</id>

                <username>acme_ak1</username>

                <firstName>

                    <![CDATA[Amy]]>

                </firstName>

                <lastName>

                    <![CDATA[Kim]]>

                </lastName>

            </createdBy>

            <updatedDate>2015-11-05T00:49:11Z</updatedDate>

            <updatedBy>

                <id>4354</id>

                <username>acme_ak1</username>

                <firstName>

                    <![CDATA[Amy]]>

                </firstName>

                <lastName>

                    <![CDATA[Kim]]>

                </lastName>

            </updatedBy>

        </OptionProfile>

    </data>

</ServiceResponse>

 

2) Create Option Profile - with custom error threshold values


API Request:


curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" \
  --data-binary @- \
  "https://qualysapi.qualys.com/qps/rest/3.0/create/was/optionprofile/" < file.xml

 

Note: “file.xml” contains the request POST data.


Request POST Data:


<ServiceRequest>

   <data>

      <OptionProfile> 

         <name><![CDATA[My OP - with custom error threshold]]></name>  

         <timeoutErrorThreshold>22</timeoutErrorThreshold>

         <unexpectedErrorThreshold>50</unexpectedErrorThreshold>

      </OptionProfile>     

   </data>

</ServiceRequest>

 

XML response:


<?xml version="1.0" encoding="UTF-8"?>

<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/optionprofile.xsd">

    <responseCode>SUCCESS</responseCode>

    <count>1</count>

    <data>

        <OptionProfile>

            <id>454733</id>

            <name>

                <![CDATA[My OP - with custom error threshold]]>

            </name>

            <owner>

                <id>4354</id>

                <username>acme_ak1</username>

                <firstName>

                    <![CDATA[Amy]]>

                </firstName>

                <lastName>

                    <![CDATA[Kim]]>

                </lastName>

            </owner>

            <isDefault>false</isDefault>

            <tags>

                <count>0</count>

            </tags>

            <formSubmission>BOTH</formSubmission>

            <maxCrawlRequests>300</maxCrawlRequests>

            <timeoutErrorThreshold>22</timeoutErrorThreshold>

            <unexpectedErrorThreshold>50</unexpectedErrorThreshold>

            <parameterSet>

                <id>0</id>

                <name>

                    <![CDATA[Initial Parameters]]>

                </name>

            </parameterSet>

            <ignoreBinaryFiles>false</ignoreBinaryFiles>

            <performance>LOW</performance>

            <bruteforceOption>MINIMAL</bruteforceOption>

            <comments>

                <count>0</count>

            </comments>

            <sensitiveContent>

                <creditCardNumber>false</creditCardNumber>

                <socialSecurityNumber>false</socialSecurityNumber>

            </sensitiveContent>

            <createdDate>2015-11-12T00:00:23Z</createdDate>

            <createdBy>

...

 

3) Create Option Profile - with custom error threshold values as 0, to disable settings


API Request:


curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" \
  --data-binary @- \
  "https://qualysapi.qualys.com/qps/rest/3.0/create/was/optionprofile/" < file.xml

 

Note: “file.xml” contains the request POST data.


Request POST Data:


<ServiceRequest>

   <data>

      <OptionProfile> 

         <name><![CDATA[My OP - with no threshold specified]]></name>  

         <timeoutErrorThreshold>0</timeoutErrorThreshold>

         <unexpectedErrorThreshold>0</unexpectedErrorThreshold>

      </OptionProfile>

   </data>

</ServiceRequest>

 

XML response:

<?xml version="1.0" encoding="UTF-8"?>

<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/optionprofile.xsd">

    <responseCode>SUCCESS</responseCode>

    <count>1</count>

    <data>

        <OptionProfile>

            <id>453133</id>

            <name>

                <![CDATA[My OP - with no threshold specified]]>

            </name>

            <owner>

                <id>4354</id>

                <username>acme_ak1</username>

                <firstName>

                    <![CDATA[Amy]]>

                </firstName>

                <lastName>

                    <![CDATA[Kim]]>

                </lastName>

            </owner>

            <isDefault>false</isDefault>

            <tags>

                <count>0</count>

            </tags>

            <formSubmission>BOTH</formSubmission>

            <maxCrawlRequests>300</maxCrawlRequests>

            <parameterSet>

                <id>0</id>

                <name>

                    <![CDATA[Initial Parameters]]>

                </name>

            </parameterSet>

            <ignoreBinaryFiles>false</ignoreBinaryFiles>

            <performance>LOW</performance>

            <bruteforceOption>MINIMAL</bruteforceOption>

            <comments>

                <count>0</count>

            </comments>

            <sensitiveContent>

                <creditCardNumber>false</creditCardNumber>

                <socialSecurityNumber>false</socialSecurityNumber>

            </sensitiveContent>

            <createdDate>2015-11-07T01:29:24Z</createdDate>

            <createdBy>

...

 

Option Profile UPDATE API


Update Option Profile - with custom threshold values


API Request:


curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" \
  --data-binary @- \
  "https://qualysapi.qualys.com/qps/rest/3.0/update/was/optionprofile/452933" < file.xml

 

Note: “file.xml” contains the request POST data.


Request POST Data:


<ServiceRequest>

   <data>

      <OptionProfile>

         <name><![CDATA[My OP - with custom threshold values]]></name>  

         <timeoutErrorThreshold>200</timeoutErrorThreshold>

         <unexpectedErrorThreshold>20</unexpectedErrorThreshold>

      </OptionProfile>

   </data>

</ServiceRequest>

 

XML response:

<?xml version="1.0" encoding="UTF-8"?>

<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/optionprofile.xsd">

    <responseCode>SUCCESS</responseCode>

    <count>1</count>

    <data>

        <OptionProfile>

            <id>452933</id>

        </OptionProfile>

    </data>

</ServiceResponse>

 

Option Profile GET API


GET Option Profile - with custom threshold values


API Request:


curl -u "USERNAME:PASSWORD" \
  "https://qualysapi.qualys.com/qps/rest/3.0/get/was/optionprofile/452933"

 

Note: This is a GET request, so no request POST data is sent.


XML response:


<?xml version="1.0" encoding="UTF-8"?>

<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/optionprofile.xsd">

    <responseCode>SUCCESS</responseCode>

    <count>1</count>

    <data>

        <OptionProfile>

            <id>452933</id>

            <name>

                <![CDATA[My OP - with custom threshold values]]>

            </name>

            <owner>

                <id>4354</id>

                <username>acme_ak1</username>

                <firstName>

                    <![CDATA[Amy]]>

                </firstName>

                <lastName>

                    <![CDATA[Kim]]>

                </lastName>

            </owner>

            <isDefault>false</isDefault>

            <tags>

                <count>0</count>

            </tags>

            <formSubmission>BOTH</formSubmission>

            <maxCrawlRequests>300</maxCrawlRequests>

            <timeoutErrorThreshold>200</timeoutErrorThreshold>

            <unexpectedErrorThreshold>20</unexpectedErrorThreshold>

            <parameterSet>

                <id>0</id>

                <name>

                    <![CDATA[Initial Parameters]]>

                </name>

            </parameterSet>

            <ignoreBinaryFiles>false</ignoreBinaryFiles>

            <performance>LOW</performance>

            <bruteforceOption>MINIMAL</bruteforceOption>

            <comments>

                <count>0</count>

            </comments>

            <sensitiveContent>

                <creditCardNumber>false</creditCardNumber>

                <socialSecurityNumber>false</socialSecurityNumber>

            </sensitiveContent>

            <createdDate>2015-11-05T21:54:17Z</createdDate>

            <createdBy>

                <id>4354</id>

                <username>acme_ak1</username>

                <firstName>

                    <![CDATA[Amy]]>

                </firstName>

                <lastName>

                    <![CDATA[Kim]]>

                </lastName>

            </createdBy>

            <updatedDate>2015-11-12T00:04:15Z</updatedDate>

            <updatedBy>

                <id>4354</id>

                <username>acme_ak1</username>

                <firstName>

                    <![CDATA[Amy]]>

                </firstName>

                <lastName>

                    <![CDATA[Kim]]>

                </lastName>

            </updatedBy>

        </OptionProfile>

    </data>

</ServiceResponse>
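To check which option profiles will no longer stop a scan on server errors, the responses above can be audited with a short script. This is an added example, not Qualys code: the function names and the trimmed sample documents are constructed here, and it assumes an absent threshold element means the check is disabled, as in the response to the request that set both values to 0.

```python
import xml.etree.ElementTree as ET

# Defaults stated in the release note above.
DEFAULTS = {"timeoutErrorThreshold": 20, "unexpectedErrorThreshold": 48}

# Constructed samples, trimmed from the responses shown above.
WRAP = ("<ServiceResponse><responseCode>SUCCESS</responseCode>"
        "<data>{}</data></ServiceResponse>")
CUSTOM = WRAP.format(
    "<OptionProfile><id>452933</id>"
    "<name><![CDATA[My OP - with custom threshold values]]></name>"
    "<timeoutErrorThreshold>200</timeoutErrorThreshold>"
    "<unexpectedErrorThreshold>20</unexpectedErrorThreshold></OptionProfile>")
DISABLED = WRAP.format(
    "<OptionProfile><id>453133</id>"
    "<name><![CDATA[My OP - with no threshold specified]]></name>"
    "</OptionProfile>")
# The UPDATE call answers with the profile id only.
UPDATE_ACK = WRAP.format("<OptionProfile><id>452933</id></OptionProfile>")


def threshold_state(profile, tag):
    """Classify one threshold of an <OptionProfile> element."""
    text = profile.findtext(tag)
    # Assumption: a missing element is treated like 0 (disabled).
    value = int(text.strip()) if text and text.strip() else 0
    if value == 0:
        return ("disabled", 0)
    return ("default" if value == DEFAULTS[tag] else "custom", value)


def audit_response(xml_text):
    """Return one finding per full option profile in a ServiceResponse."""
    root = ET.fromstring(xml_text)
    code = root.findtext("responseCode")
    if code != "SUCCESS":
        raise ValueError(f"API call failed: {code}")
    findings = []
    for profile in root.iter("OptionProfile"):
        if profile.find("name") is None:
            # Id-only acknowledgement (UPDATE response): nothing to audit.
            continue
        entry = {"id": profile.findtext("id"),
                 "name": profile.findtext("name").strip()}
        for tag in DEFAULTS:
            entry[tag] = threshold_state(profile, tag)
        # True when neither threshold can stop the scan.
        entry["no_auto_stop"] = all(
            entry[tag][0] == "disabled" for tag in DEFAULTS)
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for doc in (CUSTOM, DISABLED, UPDATE_ACK):
        for finding in audit_response(doc):
            print(finding)
```
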

 

 

Scan API - Scan information now includes user who canceled a scan


Previously we did not provide information on the user who canceled a scan. We’ve updated the XML output for the Scan SEARCH API and Scan GET API.


Updated XSD: scan.xsd, wasscan.xsd


Scan SEARCH API


Search response shows user who canceled a scan


API request:


curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" \
  --data-binary @- \
  "https://qualysapi.qualys.com/qps/rest/3.0/search/wasscan/" < file.xml

 

Note: “file.xml” contains the request POST data.


Request POST Data:


<ServiceRequest>

   <filters>

      <Criteria field="id" operator="IN">1447989</Criteria>   

   </filters>

</ServiceRequest>

 

XML output:

<?xml version="1.0" encoding="UTF-8"?>

<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/scan.xsd">

    <responseCode>SUCCESS</responseCode>

    <count>1</count>

    <hasMoreRecords>false</hasMoreRecords>

    <data>

        <WasScan>

            <id>1447989</id>

            <name>

                <![CDATA[My Vulnerability Scan]]>

            </name>

            <reference>was/1446408743390.1856849</reference>

            <type>VULNERABILITY</type>

            <mode>ONDEMAND</mode>

            <multi>false</multi>

            <target>

                <webApp>

                    <id>2431279</id>

                    <name>

                        <![CDATA[127.0.0.1]]>

                    </name>

                    <url>

                        <![CDATA[http://127.0.0.1/]]>

                    </url>

                </webApp>

                <scannerAppliance>

                    <type>EXTERNAL</type>

                </scannerAppliance>

                <cancelOption>SPECIFIC</cancelOption>

            </target>

            <profile>

                <id>28147</id>

                <name>

                    <![CDATA[My Option Profile]]>

                </name>

            </profile>

            <launchedDate>2015-11-01T20:12:23Z</launchedDate>

            <launchedBy>

                <id>2226741</id>

                <username>acme_ak1</username>

                <firstName>

                    <![CDATA[Amy]]>

                </firstName>

                <lastName>

                    <![CDATA[Kim]]>

                </lastName>

            </launchedBy>

            <status>CANCELLED</status>

            <cancelMode>USER</cancelMode>

            <canceledBy>

                <id>9872437571</id>

                <username>acme_bb5</username>

            </canceledBy>

        </WasScan>

    </data>

</ServiceResponse>

 

Scan GET API


Get scan details shows user who canceled a scan


API request:


curl -u "USERNAME:PASSWORD" \
  "https://qualysapi.qualys.com/qps/rest/3.0/get/was/wasscan/1447989"

 

XML output:


<?xml version="1.0" encoding="UTF-8"?>

<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/wasscan.xsd">

    <responseCode>SUCCESS</responseCode>

    <count>1</count>

    <data>

        <WasScan>

            <id>1447989</id>

            <name>

                <![CDATA[My Vulnerability Scan]]>

            </name>

            <reference>was/1446408743390.1856849</reference>

            <type>VULNERABILITY</type>

            <mode>ONDEMAND</mode>

            <progressiveScanning>false</progressiveScanning>

            <multi>false</multi>

            <target>

                <webApp>

                    <id>2431279</id>

                    <name>

                        <![CDATA[127.0.0.1]]>

                    </name>

                    <url>

                        <![CDATA[http://127.0.0.1/]]>

                    </url>

                </webApp>

                <scannerAppliance>

                    <type>EXTERNAL</type>

                </scannerAppliance>

                <cancelOption>SPECIFIC</cancelOption>

            </target>

            <profile>

                <id>28147</id>

                <name>

                    <![CDATA[My Option Profile]]>

                </name>

            </profile>

            <options>

                <count>15</count>

                <list>

                    <WasScanOption>

                        <name>My Authentication Record</name>

                        <value>

                            <![CDATA[None]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Unexpected Error Threshold</name>

                        <value>

                            <![CDATA[48]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Sensitive Content: Credit Card Numbers</name>

                        <value>

                            <![CDATA[false]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Performance Settings</name>

                        <value>

                            <![CDATA[MEDIUM]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Scanner Appliance</name>

                        <value>

                            <![CDATA[External]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Detection Scope</name>

                        <value>

                            <![CDATA[COMPLETE]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Crawling Form Submissions</name>

                        <value>

                            <![CDATA[NONE]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Bruteforce Settings</name>

                        <value>

                            <![CDATA[MINIMAL]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Option Profile Name</name>

                        <value>

                            <![CDATA[My Option Profile]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Maximum Crawling Links</name>

                        <value>

                            <![CDATA[300]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Timeout Error Threshold</name>

                        <value>

                            <![CDATA[20]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Web Application Name</name>

                        <value>

                            <![CDATA[127.0.0.1]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Request Parameter Set</name>

                        <value>

                            <![CDATA[Initial Parameters]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Sensitive Content: Social Security Numbers (US)</name>

                        <value>

                            <![CDATA[false]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Target URL</name>

                        <value>

                            <![CDATA[http://127.0.0.1/]]>

                        </value>

                    </WasScanOption>

                </list>

            </options>

            <launchedDate>2015-11-01T20:12:23Z</launchedDate>

            <launchedBy>

                <id>2226741</id>

                <username>acme_ak1</username>

                <firstName>

                    <![CDATA[Amy]]>

                </firstName>

                <lastName>

                    <![CDATA[Kim]]>

                </lastName>

            </launchedBy>

            <status>CANCELLED</status>

            <cancelMode>USER</cancelMode>

            <canceledBy>

                <id>9872437571</id>

                <username>acme_bb5</username>

            </canceledBy>

            <sendMail>true</sendMail>

        </WasScan>

    </data>

</ServiceResponse>
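The new canceledBy element makes it possible to build an audit trail of scan cancellations from Scan SEARCH output. This is an added example, not Qualys code: the function name is hypothetical, the first sample scan is trimmed from the search response above, and the second scan is constructed to show a user canceling their own scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample: scan 1447989 is trimmed from the response above;
# scan 1000001 is made up for this example.
SAMPLE = """<ServiceResponse>
  <responseCode>SUCCESS</responseCode>
  <count>2</count>
  <hasMoreRecords>false</hasMoreRecords>
  <data>
    <WasScan>
      <id>1447989</id>
      <name><![CDATA[My Vulnerability Scan]]></name>
      <launchedBy><id>2226741</id><username>acme_ak1</username></launchedBy>
      <status>CANCELLED</status>
      <cancelMode>USER</cancelMode>
      <canceledBy><id>9872437571</id><username>acme_bb5</username></canceledBy>
    </WasScan>
    <WasScan>
      <id>1000001</id>
      <name><![CDATA[Constructed scan]]></name>
      <launchedBy><id>2226741</id><username>acme_ak1</username></launchedBy>
      <status>CANCELLED</status>
      <cancelMode>USER</cancelMode>
      <canceledBy><id>2226741</id><username>acme_ak1</username></canceledBy>
    </WasScan>
  </data>
</ServiceResponse>"""


def canceled_scans(xml_text):
    """Extract cancellation events from a Scan SEARCH or GET response."""
    root = ET.fromstring(xml_text)
    code = root.findtext("responseCode")
    if code != "SUCCESS":
        raise ValueError(f"API call failed: {code}")
    events = []
    for scan in root.iter("WasScan"):
        if scan.findtext("status") != "CANCELLED":
            continue
        launcher = scan.findtext("launchedBy/username")
        # canceledBy may be missing; None is reported as "unknown".
        canceler = scan.findtext("canceledBy/username")
        events.append({
            "scan_id": scan.findtext("id"),
            "name": (scan.findtext("name") or "").strip(),
            "cancel_mode": scan.findtext("cancelMode"),
            "launched_by": launcher,
            "canceled_by": canceler,
            # Worth a second look: someone else stopped the scan.
            "canceled_by_other": canceler is not None and canceler != launcher,
        })
    # hasMoreRecords tells the caller whether another page must be fetched
    # before the audit is complete (the GET response has no such element).
    has_more = root.findtext("hasMoreRecords") == "true"
    return {"has_more": has_more, "events": events}


if __name__ == "__main__":
    result = canceled_scans(SAMPLE)
    for event in result["events"]:
        print(event)
    print("more records:", result["has_more"])
```
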
