
API Notifications

20 Posts authored by: WillB

A new release of Qualys WAS, Version 4.1, which includes an API update, is targeted for release in late April/early May depending on the platform. See the platform release dates at the end of this post for more information. The updated APIs for WAS 4.1 enhance the ability to fully automate and integrate the Qualys WAS solution with other customer applications. WAS APIs enable customers to perform all the major functions within WAS, including creating web applications to scan, launching and scheduling scans, and running and retrieving reports. The APIs enable custom integrations with GRC tools, bug tracking systems and web application firewalls (WAFs), to name just a few.

 

This API notification provides an early preview into the coming API changes in Qualys WAS 4.1, allowing you to proactively identify any changes that might be required for your automated scripts or programs that utilize the API methods. For more information on the new user interface (UI) features in WAS 4.1 see Qualys WAS 4.1 New Features.

 

Contents

This notification now describes all changes and additions to the WAS API based on features in WAS 4.1. It has been updated from the previously published notification, which described only the changes to XML and CSV output that could impact existing API implementations.

 

Below is a summary of the enhancements to the WAS API - this post also has an attached document with more details including example API calls for developers.

 

Full release notes will be available to customers on the day of the release.

 

 

Virtual Patch Support

WAS 4.1 lets you install virtual patches for selected vulnerabilities (detections) when your account has both WAS and WAF enabled. Once a patch is installed, we'll automatically add firewall rules to block exploitation of the selected vulnerabilities. We've added new capabilities to the Finding API and Report API to help you manage virtual patches.

 

Finding API

  • Get Finding - now returns a patch reference element if a virtual patch is present
  • Search/Count Findings - new patch filter to identify findings with virtual patches

 

Report API

  • Create/Update Report - When creating or updating a report, you can choose to include/not include findings with virtual patches.

 

 

Proxy Support

WAS 4.1 lets you define a proxy in the user interface and then apply it to web application settings and/or scan settings for internal appliance-based scans. You can reference the proxy ID in WAS service calls as shown below. Note that proxy support is a limited release feature; contact your technical account manager (TAM) if you would like to be included in this limited release.

 

Web App API

  • Create/Update Web Application - set a default proxy ID (already defined in the UI)

 

Scan API

  • Launch Scan - specify the proxy to use for the scan

 

Scan Schedule API

  • Create/update Schedule - specify the proxy to use for the scan

 

 

New Search Parameters

New search parameters are available for Search and Count requests in the Option Profile API.

 

Option Profile API

New Parameters

  • UsedByWebApps - filter profiles used/not used by web applications
  • usedBySchedule - filter profiles used/not used by scan schedules
  • owner.id - filter profiles by the owner's user ID
  • owner.name - filter profiles by the owner's full name (first and last name)
  • owner.username - filter profiles by the owner's username (e.g. acme_ab3)

 

 

Platform Release Dates

Qualys WAS 4.1 Release Notification - Available May 4th, 2015 on US Platform 1

Qualys WAS 4.1 Release Notification - Available April 28th, 2015 on US Platform 2

Qualys WAS 4.1 Release Notification - Available April 30th, 2015 on EU Platform

Original WAS 4.1 API Notification

Below is the original blog post published February 27, 2015 describing only the changes to XML and CSV output in the WAS API which could impact existing API implementations. All information below is included above - it is provided for reference.

 

A new release of Qualys WAS, Version 4.1 which includes an API update, is targeted for release in late March/early April 2015.  The updated APIs for WAS 4.1 enhance the ability to fully automate and integrate the Qualys WAS solution with their existing applications.  WAS APIs enable customers to perform all the major functions within WAS including creating web applications to scan, launching and scheduling scans, and running and retrieving reports.  The APIs enable custom integrations with GRC tools, bug tracking systems and web application firewalls (WAFs) just to name a few.

 

This API notification provides an early preview into the coming API changes in Qualys WAS 4.1, allowing you to proactively identify any changes that might be required for your automated scripts or programs that utilize the API methods.  One API modification in this release may impact existing API implementations and requires a 30-day notification.  The API changes have been made to enable proxy support for internal WAS scanning.  Proxy support will be a limited release feature.

 

Full release notes will be available to customers on the day of the release.

 

Proxy Support

Note: A proxy is defined within the WAS user interface and can then be referenced by proxy ID in the web service calls, as shown below.

 

 

Web App API

  • Schema: webapp.xsd
  • Create/Update Web Application
  • GET web application

 

Sample API Request to update the web application default proxy:

<ServiceRequest>
  <data>
    <WebApp>
      <proxy><id>355538</id></proxy>
    </WebApp>
  </data>
</ServiceRequest>

Scan API

  • Schema: scan.xsd / wasscan.xsd
  • Launch Scan

 

Sample API Request to launch a scan with a proxy set:

<ServiceRequest>
    <data>
        <WasScan>
            <name>New scan launched from API By Snehal</name>
            <type>DISCOVERY</type>
            <target>
                <webApp>
                    <id>353737</id>
                </webApp>
                <!-- <webAppAuthRecord>
                    <id>0</id>
                </webAppAuthRecord> -->
                <proxy>
                    <id>354736</id>
                </proxy>
            </target>
            <profile>
                <id>1072</id>
            </profile>

        </WasScan>
    </data>
</ServiceRequest>

Schedule API

  • Schema: schedule.xsd / wasscanschedule.xsd
  • Create/update Schedule
  • Get Schedule

 

Sample API Request to schedule a scan with a proxy set:

<ServiceRequest>
  <data>
    <WasScanSchedule>
      <name><![CDATA[scheduling Notification - from API- devtest1 ]]></name>
      <type>DISCOVERY</type>
      <active>true</active>
      <scheduling>
        <cancelAfterNHours>4</cancelAfterNHours>
        <startDate>2014-08-20T09:50:14Z</startDate>
        <timeZone>
          <code>US/Arizona</code>
          <offset>-07:00</offset>
        </timeZone>
        <occurrenceType>ONCE</occurrenceType>
      </scheduling>
      <notification>
        <active>true</active>
        <delay>
          <nb>555</nb>
          <scale>HOUR</scale>
        </delay>
        <message><![CDATA[This is from API...]]></message>
      </notification>
      <target>
        <webApp>
          <id>324538</id>
        </webApp>
        <scannerAppliance>
          <type>INTERNAL</type>
        </scannerAppliance>
        <proxy>
          <id>355538</id>
        </proxy>
      </target>
      <profile>
        <id>1963</id>
      </profile>
    </WasScanSchedule>
  </data>
</ServiceRequest>

A new release of Qualys WAS, Version 4.0 which includes an API update, is targeted for release in mid-December.  The updated APIs for WAS 4.0 enable customers to fully automate and integrate the Qualys WAS solution with their existing applications.  WAS APIs enable customers to perform all the major functions within WAS including creating web applications to scan, launching and scheduling scans, and running and retrieving reports.  The APIs enable custom integrations with GRC tools, bug tracking systems and web application firewalls (WAFs) just to name a few. 

 

The exact dates for the release depend on the platform your subscription is on.  The release dates by platform are as follows:

 

Qualys WAS 4.0 Release Notification - Available December 15, 2014 on US Platform 1

Qualys WAS 4.0 Release Notification - Available December 10, 2014 on US Platform 2

Qualys WAS 4.0 Release Notification - Available December 11, 2014 on EU Platform

 

A review of the many new UI features and enhancements can be found at Qualys WAS 4.0 New Features.

 

This API notification provides an early preview into the coming API changes in Qualys WAS 4.0, allowing you to proactively identify any changes that might be required for your automated scripts or programs that utilize the API methods.  Two API modifications in this release may impact existing API implementations and required a 30-day notification which can be found at Qualys WAS 4.0 API Release Notification.  The changes below are based on a limited release feature Progressive Scanning and therefore should not impact any subscription without the feature enabled.

 

Full release notes will be available to customers on the day of the release.

 

Details are in the attached document; a high-level summary of the updated APIs follows:

 

Progressive Scanning

 

Web App API

  • Schema: webapp.xsd
  • Create/Update Web Application
  • GET web application

 

Scan API

  • Schema: scan.xsd / wasscan.xsd
  • Launch Scan
  • GET scan

 

Schedule API

  • Schema: schedule.xsd / wasscanschedule.xsd
  • Create/update Schedule
  • Get Schedule

 

Scan Report (XML)

 

Findings API

  • Schema: finding.xsd
  • Get Finding

 

See attached PDF for details of changes and examples.

What is the <baseurl>?

This is the API server URL where your Qualys account is located. For an account on US Platform 1, this is <qualysapi.qualys.com>; on US Platform 2, this is <qualysapi.qg2.apps.qualys.com>; on EU Platform, this is <qualysapi.qualys.eu>.

A new release of Qualys WAS, Version 4.0 which includes an API update, is targeted for release in mid-December.

 

This API notification provides an early preview into the coming API changes in Qualys WAS 4.0, allowing you to proactively identify any changes that might be required for your automated scripts or programs that utilize the API methods. Two API modifications in this release may impact existing API implementations and require a 30-day notification. Additional new API features will be described at a later date, along with further details and examples.

 

Full release notes will be available to customers on the day of the release.

 

API Enhancements: Updates to Web App API

We updated the XSD of the Web App API to provide the screenshot of the initial page for those web applications that have already been scanned.

 

Base64 Encoding

To encode the screenshots we use URL-safe base64, as for other elements in our APIs (see http://search.cpan.org/~kazuho/MIME-Base64-URLSafe-0.01/lib/MIME/Base64/URLSafe.pm for a good explanation):

 

The following characters are therefore replaced in the base64 content:

  • / with _
  • + with -

 

Sample Response:

 

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
evaluation: false
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Tue, 09 Sep 2014 06:33:49 GMT
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://demoxx.qualys.com/portal-api/xsd/3.0/was/webapp.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <WebApp>
      <id>324836</id>
      <name><![CDATA[Web App with SA 'is_quays_demo']]></name>
      <url><![CDATA[http://10.1.1.238]]></url>
      <os>Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP</os>
      <owner>
        <id>123056</id>
        <username>quays_at3</username>
        <firstName><![CDATA[John]]></firstName>
        <lastName><![CDATA[Doe]]></lastName>
      </owner>
      <scope>ALL</scope>
      <attributes>
        <count>0</count>
      </attributes>
      <defaultProfile>
        <id>1072</id>
        <name><![CDATA[Initial WAS Optionss]]></name>
      </defaultProfile>
      <defaultScanner>
        <type>INTERNAL</type>
        <friendlyName><![CDATA[DEV.FR.01]]></friendlyName>
      </defaultScanner>
      <scannerLocked>true</scannerLocked>
      <urlBlacklist>
        <count>1</count>
        <list>
          <UrlEntry regex="true"><![CDATA[http://www.demoxx.com/*]]></UrlEntry>
        </list>
      </urlBlacklist>
      <urlWhitelist>
        <count>0</count>
      </urlWhitelist>
      <postDataBlacklist>
        <count>0</count>
      </postDataBlacklist>
      <authRecords>
        <count>2</count>
        <list>
          <WebAppAuthRecord>
            <id>1910</id>
            <name><![CDATA[test 2]]></name>
          </WebAppAuthRecord>
          <WebAppAuthRecord>
            <id>1909</id>
            <name><![CDATA[test (ID=1909,Web App with SA 'is_quays_demo')]]></name>
          </WebAppAuthRecord>
        </list>
      </authRecords>
      <useRobots>IGNORE</useRobots>
      <useSitemap>false</useSitemap>
      <malwareMonitoring>false</malwareMonitoring>
      <tags>
        <count>0</count>
      </tags>
      <comments>
        <count>0</count>
      </comments>
      <isScheduled>true</isScheduled>
      <lastScan>
        <id>31193</id>
        <name><![CDATA[Was Scan Test 1 - 2014-05-23]]></name>
      </lastScan>
      <createdBy>
        <id>123056</id>
        <username>quays_demo</username>
        <firstName><![CDATA[Axels]]></firstName>
        <lastName><![CDATA[Tex]]></lastName>
      </createdBy>
      <createdDate>2012-02-16T15:35:49Z</createdDate>
      <updatedBy>
        <id>123056</id>
        <username>quays_demo</username>
        <firstName><![CDATA[John]]></firstName>
        <lastName><![CDATA[Doe]]></lastName>
      </updatedBy>
      <updatedDate>2014-08-28T12:39:51Z</updatedDate>
      <screenshot><![CDATA[_9j_4AAQSkZJRgABAQEAegBrAAD_2wBDAAYEBQYFBAYGBQYHBwYIChAKCgkJChQODwwQFxQYGBcUFhYaHSUfGhsjHBYW......  SHORTENED FOR BREVITY.......KKKKACiiigD__2Q]]></screenshot>
    </WebApp>
  </data>
</ServiceResponse>
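Added example (not Qualys code): a Python routine that pulls the screenshot element out of a Web App GET response and reverses the URL-safe substitutions listed above before decoding it. The ServiceResponse it parses is constructed from a prefix of the screenshot value shown above; the function names are mine.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample: the first 92 characters of the screenshot value from the
# response above, wrapped in a minimal ServiceResponse.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse>
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <WebApp>
      <id>324836</id>
      <screenshot><![CDATA[_9j_4AAQSkZJRgABAQEAegBrAAD_2wBDAAYEBQYFBAYGBQYHBwYIChAKCgkJChQODwwQFxQYGBcUFhYaHSUfGhsjHBYW]]></screenshot>
    </WebApp>
  </data>
</ServiceResponse>
"""


def decode_urlsafe_b64(value: str) -> bytes:
    """Reverse the URL-safe alphabet ('_' -> '/', '-' -> '+'), restore the '='
    padding the response omits, and decode with the standard alphabet.
    validate=True turns stray characters into an error instead of skipping them."""
    std = value.strip().replace("_", "/").replace("-", "+")
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def is_jpeg(data: bytes) -> bool:
    """JPEG data starts with the SOI marker FF D8 FF."""
    return data[:3] == b"\xff\xd8\xff"


def extract_screenshot(xml_text: str) -> Optional[bytes]:
    """Decoded screenshot bytes from a Web App GET response, or None when the
    element is absent (the web application has not been scanned yet)."""
    root = ET.fromstring(xml_text)  # use defusedxml.ElementTree for untrusted input
    node = root.find("./data/WebApp/screenshot")
    if node is None or not node.text:
        return None
    return decode_urlsafe_b64(node.text)


def save_screenshot(xml_text: str, path: str) -> int:
    """Write the screenshot to disk only if it really is a JPEG; returns the
    number of bytes written (0 if nothing was saved). The image is rendered
    from the scanned site, so check the magic bytes before handing the file
    to other tooling."""
    data = extract_screenshot(xml_text)
    if data is None or not is_jpeg(data):
        return 0
    with open(path, "wb") as fh:
        return fh.write(data)


if __name__ == "__main__":
    img = extract_screenshot(SAMPLE_RESPONSE)
    print(len(img), "bytes decoded, JPEG header:", is_jpeg(img))
```

Once the padding is restored, base64.urlsafe_b64decode gives the same result; the manual substitution above just mirrors the two replacements the notice lists.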

API Enhancements: New Severity Levels Appendix added to XML Reports

The update below does not directly impact API calls, but does impact XML and other formats of reports that may be processed via API scripts and is therefore included in this notice.

 

We’ll include the new Severity Levels appendix in Scan and Web Application Reports by default. This helps you understand what the severity levels mean. When the Severity Levels appendix is included, the section /APPENDIX/SEVERITY_CATEGORY_LIST appears in the XML reports with a description for each finding category (vulnerabilities, sensitive contents, information gathered) and severity level.

 

Example XML Web App Report

<?xml version="1.0" encoding="UTF-8"?>
<WAS_WEBAPP_REPORT>
    <HEADER>
        <NAME><![CDATA[Web Application Report]]></NAME>
        <DESCRIPTION><![CDATA[Each targeted web application is listed with the total number of detected vulnerabilities and sensitive content.]]></DESCRIPTION>
        <GENERATION_DATETIME>2014-11-03T21:44:17Z</GENERATION_DATETIME>
        <COMPANY_INFO>
            <NAME><![CDATA[Qualys Demo]]></NAME>
            <ADDRESS><![CDATA[324242 34535]]></ADDRESS>
            <CITY><![CDATA[any]]></CITY>
            <STATE><![CDATA[None]]></STATE>
            <COUNTRY>Togo</COUNTRY>
            <ZIP_CODE><![CDATA[23123123]]></ZIP_CODE>
        </COMPANY_INFO>
        <USER_INFO>
            <NAME><![CDATA[Demo Demolast]]></NAME>
            <USERNAME>quays_demo</USERNAME>
        </USER_INFO>
    </HEADER>
    <FILTERS>
        <FILTER>
            <NAME><![CDATA[FINDING_STATUS]]></NAME>
            <VALUE>New,Active,Re-Opened</VALUE>
        </FILTER>
    </FILTERS>
    <TARGET>
        <WEB_APPLICATIONS>
            <WEB_APPLICATION><![CDATA[test bamboo]]></WEB_APPLICATION>
        </WEB_APPLICATIONS>
    </TARGET>
    <RESULTS>
        <WEB_APPLICATION>
            <ID>1576755669</ID>
            <NAME><![CDATA[test bamboo]]></NAME>
            <VULNERABILITY_LIST>
                <!-- ...(removed for brevity) -->
            </VULNERABILITY_LIST>
        </WEB_APPLICATION>
    </RESULTS>
    <APPENDIX>
        <WEB_APPLICATION>
            <ID>1576755669</ID>
            <NAME><![CDATA[test bamboo]]></NAME>
            <URL><![CDATA[http://www.demoapp.com]]></URL>
            <OWNER>Demo DemoLast (quays_demo)</OWNER>
            <OPERATING_SYSTEM><![CDATA[Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP]]></OPERATING_SYSTEM>
            <SCOPE>Limit to URL hostname</SCOPE>
        </WEB_APPLICATION>
        <SEVERITY_CATEGORY_LIST>
            <SEVERITY_CATEGORY>
                <NAME><![CDATA[VULNERABILITY]]></NAME>
                <DESCRIPTION><![CDATA[Vulnerabilities (QIDs) are design flaws, programming errors, or mis-configurations that make your web application and web application platform susceptible to malicious attacks. Depending on the level of the security risk, the successful exploitation of a vulnerability can vary from the disclosure of information to a complete compromise of the web application and/or the web application platform. Even if the web application isn't fully compromised, an exploited vulnerability could still lead to the web application being used to launch attacks against users of the site.]]></DESCRIPTION>
                <SEVERITY_LEVEL_LIST>
                    <SEVERITY_LEVEL>
                        <SEVERITY>1</SEVERITY>
                        <LEVEL>Minimal</LEVEL>
                        <DESCRIPTION><![CDATA[Basic information disclosure (e.g. web server type, programming language) might enable intruders to discover other vulnerabilities, but lack of this information does not make the vulnerability harder to find.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>2</SEVERITY>
                        <LEVEL>Medium</LEVEL>
                        <DESCRIPTION><![CDATA[Intruders may be able to collect sensitive information about the application platform, such as the precise version of software used. With this information, intruders can easily exploit known vulnerabilities specific to software versions. Other types of sensitive information might disclose a few lines of source code or hidden directories.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>3</SEVERITY>
                        <LEVEL>Serious</LEVEL>
                        <DESCRIPTION><![CDATA[Vulnerabilities at this level typically disclose security-related information that could result in misuse or an exploit. Examples include source code disclosure or transmitting authentication credentials over non-encrypted channels.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>4</SEVERITY>
                        <LEVEL>Critical</LEVEL>
                        <DESCRIPTION><![CDATA[Intruders can exploit the vulnerability to gain highly sensitive content or affect other users of the web application. Examples include certain types of cross-site scripting and SQL injection attacks.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>5</SEVERITY>
                        <LEVEL>Urgent</LEVEL>
                        <DESCRIPTION><![CDATA[Intruders can exploit the vulnerability to compromise the web application's data store, obtain information from other users' accounts, or obtain command execution on a host in the web application's architecture.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                </SEVERITY_LEVEL_LIST>
            </SEVERITY_CATEGORY>
            <SEVERITY_CATEGORY>
                <NAME><![CDATA[SENSITIVE_CONTENT]]></NAME>
                <DESCRIPTION><![CDATA[Sensitive content may be detected based on known patterns (credit card numbers, social security numbers) or custom patterns (strings, regular expressions), depending on the option profile used. Intruders may gain access to sensitive content that could result in misuse or other exploits.]]></DESCRIPTION>
                <SEVERITY_LEVEL_LIST>
                    <SEVERITY_LEVEL>
                        <SEVERITY>1</SEVERITY>
                        <LEVEL>Minimal</LEVEL>
                        <DESCRIPTION><![CDATA[Sensitive content was found in the web server response. During our scan of the site form(s) were found with field(s) for credit card number or social security number. This information disclosure could result in a confidentiality breach and could be a target for intruders. For this reason we recommend caution.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>2</SEVERITY>
                        <LEVEL>Medium</LEVEL>
                        <DESCRIPTION><![CDATA[Sensitive content was found in the web server response. Specifically our service found a certain sensitive content pattern (defined in the option profile). This information disclosure could result in a confidentiality breach and could be a target for intruders. For this reason we recommend caution.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>3</SEVERITY>
                        <LEVEL>Serious</LEVEL>
                        <DESCRIPTION><![CDATA[Sensitive content was found in the web server response - a valid social security number or credit card information. This infomation disclosure could result in a confidentiality breach, and it gives intruders access to valid sensitive content that could be misused.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                </SEVERITY_LEVEL_LIST>
            </SEVERITY_CATEGORY>
            <SEVERITY_CATEGORY>
                <NAME><![CDATA[INFORMATION_GATHERED]]></NAME>
                <DESCRIPTION><![CDATA[Information Gathered issues (QIDs) include visible information about the web application's platform, code, or architecture. It may also include information about users of the web application.]]></DESCRIPTION>
                <SEVERITY_LEVEL_LIST>
                    <SEVERITY_LEVEL>
                        <SEVERITY>1</SEVERITY>
                        <LEVEL>Minimal</LEVEL>
                        <DESCRIPTION><![CDATA[Intruders may be able to retrieve sensitive information related to the web application platform.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>2</SEVERITY>
                        <LEVEL>Medium</LEVEL>
                        <DESCRIPTION><![CDATA[Intruders may be able to retrieve sensitive information related to internal functionality or business logic of the web application.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                    <SEVERITY_LEVEL>
                        <SEVERITY>3</SEVERITY>
                        <LEVEL>Serious</LEVEL>
                        <DESCRIPTION><![CDATA[Intruders may be able to detect highly sensitive data, such as personally identifiable information (PII) about other users of the web application.]]></DESCRIPTION>
                    </SEVERITY_LEVEL>
                </SEVERITY_LEVEL_LIST>
            </SEVERITY_CATEGORY>
        </SEVERITY_CATEGORY_LIST>
    </APPENDIX>
</WAS_WEBAPP_REPORT>
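Added example (not from the notice or from Qualys): Python that reads /APPENDIX/SEVERITY_CATEGORY_LIST into a lookup table and tolerates reports produced without the appendix, so report-processing scripts keep working either way. The sample report is a constructed, abbreviated version of the one above; the function names are mine.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SeverityKey = Tuple[str, int]     # (category NAME, SEVERITY number)
SeverityInfo = Tuple[str, str]    # (LEVEL label, DESCRIPTION)

# Constructed sample: the report above trimmed to two categories, with the
# descriptions abbreviated; a second constructed report omits the appendix.
REPORT_WITH_APPENDIX = """<?xml version="1.0" encoding="UTF-8"?>
<WAS_WEBAPP_REPORT>
  <RESULTS>
    <WEB_APPLICATION><ID>1576755669</ID><NAME><![CDATA[test bamboo]]></NAME></WEB_APPLICATION>
  </RESULTS>
  <APPENDIX>
    <SEVERITY_CATEGORY_LIST>
      <SEVERITY_CATEGORY>
        <NAME><![CDATA[VULNERABILITY]]></NAME>
        <SEVERITY_LEVEL_LIST>
          <SEVERITY_LEVEL><SEVERITY>1</SEVERITY><LEVEL>Minimal</LEVEL><DESCRIPTION><![CDATA[Basic information disclosure...]]></DESCRIPTION></SEVERITY_LEVEL>
          <SEVERITY_LEVEL><SEVERITY>2</SEVERITY><LEVEL>Medium</LEVEL><DESCRIPTION><![CDATA[Precise software versions disclosed...]]></DESCRIPTION></SEVERITY_LEVEL>
          <SEVERITY_LEVEL><SEVERITY>3</SEVERITY><LEVEL>Serious</LEVEL><DESCRIPTION><![CDATA[Security-related information disclosed...]]></DESCRIPTION></SEVERITY_LEVEL>
          <SEVERITY_LEVEL><SEVERITY>4</SEVERITY><LEVEL>Critical</LEVEL><DESCRIPTION><![CDATA[Highly sensitive content or other users affected...]]></DESCRIPTION></SEVERITY_LEVEL>
          <SEVERITY_LEVEL><SEVERITY>5</SEVERITY><LEVEL>Urgent</LEVEL><DESCRIPTION><![CDATA[Data store compromise or command execution...]]></DESCRIPTION></SEVERITY_LEVEL>
        </SEVERITY_LEVEL_LIST>
      </SEVERITY_CATEGORY>
      <SEVERITY_CATEGORY>
        <NAME><![CDATA[SENSITIVE_CONTENT]]></NAME>
        <SEVERITY_LEVEL_LIST>
          <SEVERITY_LEVEL><SEVERITY>1</SEVERITY><LEVEL>Minimal</LEVEL><DESCRIPTION><![CDATA[Form fields for card or SSN data...]]></DESCRIPTION></SEVERITY_LEVEL>
          <SEVERITY_LEVEL><SEVERITY>2</SEVERITY><LEVEL>Medium</LEVEL><DESCRIPTION><![CDATA[Custom sensitive pattern matched...]]></DESCRIPTION></SEVERITY_LEVEL>
          <SEVERITY_LEVEL><SEVERITY>3</SEVERITY><LEVEL>Serious</LEVEL><DESCRIPTION><![CDATA[Valid SSN or card data found...]]></DESCRIPTION></SEVERITY_LEVEL>
        </SEVERITY_LEVEL_LIST>
      </SEVERITY_CATEGORY>
    </SEVERITY_CATEGORY_LIST>
  </APPENDIX>
</WAS_WEBAPP_REPORT>
"""

REPORT_WITHOUT_APPENDIX = """<?xml version="1.0" encoding="UTF-8"?>
<WAS_WEBAPP_REPORT>
  <RESULTS>
    <WEB_APPLICATION><ID>1576755669</ID><NAME><![CDATA[test bamboo]]></NAME></WEB_APPLICATION>
  </RESULTS>
</WAS_WEBAPP_REPORT>
"""


def load_severity_table(report_xml: str) -> Dict[SeverityKey, SeverityInfo]:
    """Map (category, severity) -> (level, description) from the appendix.
    Returns an empty table when the report was generated without it."""
    root = ET.fromstring(report_xml)  # use defusedxml for reports from untrusted sources
    table: Dict[SeverityKey, SeverityInfo] = {}
    for cat in root.iterfind("./APPENDIX/SEVERITY_CATEGORY_LIST/SEVERITY_CATEGORY"):
        name = (cat.findtext("NAME") or "").strip()
        for lvl in cat.iterfind("./SEVERITY_LEVEL_LIST/SEVERITY_LEVEL"):
            sev_text = (lvl.findtext("SEVERITY") or "").strip()
            if not name or not sev_text.isdigit():
                continue  # skip a malformed entry rather than abort the whole report
            table[(name, int(sev_text))] = (
                (lvl.findtext("LEVEL") or "").strip(),
                (lvl.findtext("DESCRIPTION") or "").strip(),
            )
    return table


def describe(table: Dict[SeverityKey, SeverityInfo], category: str, severity: int) -> str:
    """Human-readable label for a finding; falls back to the bare number when
    the report carries no appendix entry for that category/severity."""
    info = table.get((category, severity))
    if info is None:
        return f"{category} severity {severity}"
    return f"{category} severity {severity} ({info[0]})"


def levels_per_category(table: Dict[SeverityKey, SeverityInfo]) -> Dict[str, List[int]]:
    """Severity numbers defined per category, sorted; useful for a sanity check
    such as 'VULNERABILITY covers 1..5' before trusting the table."""
    out: Dict[str, List[int]] = {}
    for category, severity in table:
        out.setdefault(category, []).append(severity)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    table = load_severity_table(REPORT_WITH_APPENDIX)
    print(levels_per_category(table))
    print(describe(table, "VULNERABILITY", 4))
    print(describe(load_severity_table(REPORT_WITHOUT_APPENDIX), "VULNERABILITY", 4))
```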

What is the <baseurl>?

This is the API server URL where your Qualys account is located. For an account on US Platform 1, this is <qualysapi.qualys.com>; on US Platform 2, this is <qualysapi.qg2.apps.qualys.com>; on EU Platform, this is <qualysapi.qualys.eu>.

A new release of Qualys WAS, Version 3.6 which includes new APIs, is targeted for release in late September.

 

This API notification provides an early preview into the coming API additions in Qualys WAS 3.6, allowing you to identify new opportunities to automate your Qualys service or to integrate with other applications. Qualys WAS 3.6 also includes some modifications to existing APIs that required a 30-day notification; that notification can be viewed at QualysGuard WAS 3.6 API Release Notification.

Full release notes will be available to customers on the day of the release. 

 

API Enhancements

New Findings API

The new Findings API (<baseURL>/qps/rest/3.0/<operation>/was/finding) lets you manage the findings (detections) returned from your web application scans. This gives organizations an easy way to integrate with a trouble-ticketing system that tracks the status of vulnerabilities. It also provides a way to automate ignoring or activating vulnerabilities based on events from external systems such as risk management or bug tracking applications.

The API developer guide that includes examples and detailed instructions will be available on the date of the release.  These operations are available:

  • Count
  • Search
  • Get
  • Ignore
  • Activate

 

New Option Profile API

The new Option Profile API (<baseURL>/qps/rest/3.0/<operation>/was/optionprofile) lets you manage option profiles and customize the various scanning options.  The Option Profile API enables automation and integration with the Qualys WAS Option Profile used for scanning.  Option profiles can be created dynamically via API scripts or via integration with external systems.  The API developer guide that includes examples and detailed instructions will be available on the date of the release. 

These operations are available:

  • Count
  • Search
  • Get
  • Create
  • Update
  • Delete

 

What is the <baseurl>?

 

This is the API server URL where your QualysGuard account is located. For an account on US Platform 1, this is <qualysapi.qualys.com>; on US Platform 2, this is <qualysapi.qg2.apps.qualys.com>; on EU Platform, this is <qualysapi.qualys.eu>.

A new release of QualysGuard WAS, Version 3.6 which includes an API update, is targeted for release in late September.

 

This API notification provides an early preview into the coming API changes in QualysGuard WAS 3.6, allowing you to proactively identify any changes that might be required for your automated scripts or programs that utilize the API methods.  One API modification in this release may impact existing API implementations and requires a 30-day notification.  Additional API features that are new will be included at a later date, along with additional details and examples.

 

Full release notes will be available to customers on the day of the release. 

 

API Enhancements

 

Updates to Schedules API

 

We updated the XSD of the schedule API to provide new information about each schedule’s last scan date.  The lastScan element was added to the WasScanSchedule object to represent the last scan.

 

Update to WasScanSchedule.xsd:

 

<complexType name="WasScanSchedule">
  <sequence>
    <element name="id" type="long" />
    <element name="name" type="qcommon:Cdata" />
    <element name="owner" type="Q1:User" />
    <element name="active" type="boolean" />
    <element name="type" type="Q1:WasScanType" />
    <element name="target" type="Q1:WasScanTarget" />
    <element name="profile" type="Q1:WasScanOptionProfile" />
    <element name="scheduling" type="Q1:SchedulePlanification" />
    <element name="notification" type="Q1:ScheduleNotification" />
    <element name="nextLaunchDate" type="dateTime" />
    <element name="launchedCount" type="long" />
    <element name="lastScan" type="Q1:WasScan" />
    <element name="createdDate" type="dateTime" />
    <element name="createdBy" type="Q1:User" />
    <element name="updatedDate" type="dateTime" />
    <element name="updatedBy" type="Q1:User" />
  </sequence>
</complexType>

Schedule API – GET

We’ve updated the Schedule GET API (<baseURL>/qps/rest/3.0/get/was/wasscanschedule).

 

Example API call:

curl -s -k -H 'Content-type: text/xml' -H 'user: quays_xx2' -H 'password: demoxx' 'http://demoapi.qa.qualys.com/qps/rest/3.0/get/was/schedule/93264000'

 

Response:

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://platd-papi01.qa.qualys.com:50012/qps/xsd/3.0/was/schedule.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <WasScanSchedule>
      <id>93264000</id>
      <name><![CDATA[Web Application Vulnerability Scan - Test with Sched - 2014-May-02]]></name>
      <owner>
        <id>334527</id>
        <username>quays_xx2</username>
        <firstName><![CDATA[demoFirstName]]></firstName>
        <lastName><![CDATA[demoLastName]]></lastName>
      </owner>
      <active>false</active>
      <type>VULNERABILITY</type>
      <target>
        <webApp>
          <id>1065774000</id>
          <name><![CDATA[Test with Sched]]></name>
          <url><![CDATA[http://10.10.1.100]]></url>
        </webApp>
        <scannerAppliance>
          <type>EXTERNAL</type>
        </scannerAppliance>
      </target>
      <profile>
        <id>59426</id>
        <name><![CDATA[30 links]]></name>
      </profile>
      <scheduling>
        <startDate>2014-05-02T11:59:00Z</startDate>
        <timeZone>
          <code>America/Dawson</code>
          <offset>-07:00</offset>
        </timeZone>
        <occurrenceType>DAILY</occurrenceType>
        <occurrence>
          <dailyOccurrence>
            <everyNDays>1</everyNDays>
          </dailyOccurrence>
        </occurrence>
      </scheduling>
      <notification>
        <active>false</active>
        <reschedule>false</reschedule>
        <delay>
          <nb>1</nb>
          <scale>DAY</scale>
        </delay>
        <message><![CDATA[A QualysGuard scan is scheduled to start soon.]]></message>
      </notification>
      <launchedCount>2</launchedCount>
      <lastScan>
        <id>14930848885</id>
        <name><![CDATA[Web Application Vulnerability Scan - Test with Sched - 2014-May-02]]></name>
        <reference>was/1399921142279.127704</reference>
        <launchedDate>2014-05-12T18:59:01Z</launchedDate>
        <status>FINISHED</status>
        <scanDuration>129</scanDuration>
      </lastScan>
      <createdDate>2014-05-02T18:55:49Z</createdDate>
      <createdBy>
        <id>334527</id>
        <username>quays_xx2</username>
        <firstName><![CDATA[demoFirstName]]></firstName>
        <lastName><![CDATA[demoLastName]]></lastName>
      </createdBy>
      <updatedDate>2014-05-13T18:59:01Z</updatedDate>
      <updatedBy>
        <id>334527</id>
        <username>quays_hv2</username>
        <firstName><![CDATA[demoFirstName]]></firstName>
        <lastName><![CDATA[demoLastName]]></lastName>
      </updatedBy>
    </WasScanSchedule>
  </data>
</ServiceResponse>

Schedule API – SEARCH

We’ve updated the Schedule Search API (<baseURL>/qps/rest/3.0/search/was/wasscanschedule).

 

API request:

New filters are available as input parameters.

  • lastScan - list schedules that have no last scan (use operator=NONE)
  • lastScan.launchedDate - Search schedules based on their last scan date
  • lastScan.status - Search schedules based on their last scan status

 

Example API Call:

cat search_schedule.xml | curl -s -k -X POST -H 'Content-type: text/xml' -H 'user: quays_xx2' -H 'password: demo' -d @- 'http://demoapi.qa.qualys.com/qps/rest/3.0/search/was/schedule/'

 

Contents of search_schedule.xml:

<ServiceRequest>
  <filters>
    <Criteria field="lastScan" operator="NONE"></Criteria>
  </filters>
</ServiceRequest>



Response:

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://demoapi.qa.qualys.com/qps/xsd/3.0/was/schedule.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <hasMoreRecords>false</hasMoreRecords>
  <data>
    <WasScanSchedule>
      <id>171425669</id>
      <name><![CDATA[Web Application Vulnerability Scan - 2014-Aug-19]]></name>
      <owner>
        <id>8792415669</id>
      </owner>
      <active>false</active>
      <type>VULNERABILITY</type>
      <target>
        <webApp>
          <id>1296335669</id>
          <name><![CDATA[Copy of New WA 1]]></name>
          <url><![CDATA[http://10.10.1.100]]></url>
        </webApp>
        <webAppAuthRecord>
          <id>175535669</id>
          <name><![CDATA[AR1]]></name>
        </webAppAuthRecord>
        <scannerAppliance>
          <type>EXTERNAL</type>
        </scannerAppliance>
      </target>
      <profile>
        <id>716315669</id>
        <name><![CDATA[Copy of Initial WAS Options]]></name>
      </profile>
      <scheduling>
        <startDate>2014-08-19T12:30:00Z</startDate>
        <timeZone>
          <code>America/Dawson</code>
          <offset>-07:00</offset>
        </timeZone>
        <occurrenceType>ONCE</occurrenceType>
      </scheduling>
      <createdDate>2014-08-19T19:30:49Z</createdDate>
      <updatedDate>2014-08-19T19:30:50Z</updatedDate>
    </WasScanSchedule>
  </data>
</ServiceResponse>


 

Example API Call:

cat search_schedule.xml | curl -s -k -X POST -H 'Content-type: text/xml' -H 'user: quays_xx2' -H 'password: demo' -d @- 'http://demoapi.qa.qualys.com/qps/rest/3.0/search/was/schedule/'

 

Contents of search_schedule.xml:

<ServiceRequest>
        <filters>
        <Criteria field="lastScan.status" operator="IN">FINISHED,ERROR</Criteria>
        <Criteria field="lastScan.launchedDate" operator="LESSER">2014-08-19</Criteria>
        </filters>
</ServiceRequest>



Response:

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://demoapi.qa.qualys.com/qps/xsd/3.0/was/schedule.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>6</count>
  <hasMoreRecords>false</hasMoreRecords>
  <data>
    <WasScanSchedule>
      <id>6527</id>
      <name><![CDATA[Sched Scan - New Webapp in 2.2.1]]></name>
      <owner>
        <id>334527</id>
      </owner>
      <active>false</active>
      <type>VULNERABILITY</type>
      <target>
        <webApp>
          <id>95933</id>
          <name><![CDATA[New Webapp in 2.2.1]]></name>
          <url><![CDATA[http://10.10.1.100]]></url>
        </webApp>
        <webAppAuthRecord>
          <id>8753</id>
          <name><![CDATA[AR1]]></name>
        </webAppAuthRecord>
        <scannerAppliance>
          <type>EXTERNAL</type>
        </scannerAppliance>
      </target>
      <profile>
        <id>59426</id>
        <name><![CDATA[30 links]]></name>
      </profile>
      <scheduling>
        <startDate>2014-02-06T12:42:00Z</startDate>
        <timeZone>
          <code>America/Dawson</code>
          <offset>-07:00</offset>
        </timeZone>
        <occurrenceType>DAILY</occurrenceType>
        <occurrence>
          <dailyOccurrence>
            <everyNDays>1</everyNDays>
          </dailyOccurrence>
        </occurrence>
      </scheduling>
      <lastScan>
        <id>1485287</id>
        <launchedDate>2014-02-19T20:42:01Z</launchedDate>
        <status>FINISHED</status>
      </lastScan>
      <createdDate>2014-02-06T20:39:07Z</createdDate>
      <updatedDate>2014-02-20T20:42:01Z</updatedDate>
    </WasScanSchedule>
    <WasScanSchedule>
      <id>93264000</id>
      <name><![CDATA[Web Application Vulnerability Scan - Test with Sched - 2014-May-02]]></name>
      <owner>
        <id>334527</id>
      </owner>
      <active>false</active>
      <type>VULNERABILITY</type>
      <target>
        <webApp>
          <id>1065774000</id>
          <name><![CDATA[Test with Sched]]></name>
          <url><![CDATA[http://10.10.10.10]]></url>
        </webApp>
        <scannerAppliance>
          <type>EXTERNAL</type>
        </scannerAppliance>
      </target>
      <profile>
        <id>59426</id>
        <name><![CDATA[30 links]]></name>
      </profile>
      <scheduling>
        <startDate>2014-05-02T11:59:00Z</startDate>
        <timeZone>
          <code>America/Dawson</code>
          <offset>-07:00</offset>
        </timeZone>
        <occurrenceType>DAILY</occurrenceType>
        <occurrence>
          <dailyOccurrence>
            <everyNDays>1</everyNDays>
          </dailyOccurrence>
        </occurrence>
      </scheduling>
      <lastScan>
        <id>14930848885</id>
        <launchedDate>2014-05-12T18:59:01Z</launchedDate>
        <status>FINISHED</status>
      </lastScan>
      <createdDate>2014-05-02T18:55:49Z</createdDate>
      <updatedDate>2014-05-13T18:59:01Z</updatedDate>
    </WasScanSchedule>
    <WasScanSchedule>
      <id>95274000</id>
      <name><![CDATA[Sched Notification Test 2]]></name>
      <owner>
        <id>334527</id>
      </owner>
      <active>false</active>
      <type>VULNERABILITY</type>
      <target>
        <webApp>
          <id>95738</id>
          <name><![CDATA[NWS Test]]></name>
          <url><![CDATA[http://demoapp.vuln.qa.qualys.com:8081]]></url>
        </webApp>
        <scannerAppliance>
          <type>EXTERNAL</type>
        </scannerAppliance>
      </target>
      <profile>
        <id>59426</id>
        <name><![CDATA[30 links]]></name>
      </profile>
      <scheduling>
        <startDate>2014-05-02T16:14:00Z</startDate>
        <timeZone>
          <code>America/Dawson</code>
          <offset>-07:00</offset>
        </timeZone>
        <occurrenceType>DAILY</occurrenceType>
        <occurrence>
          <dailyOccurrence>
            <everyNDays>1</everyNDays>
          </dailyOccurrence>
        </occurrence>
      </scheduling>
      <lastScan>
        <id>14932848885</id>
        <launchedDate>2014-05-12T23:14:02Z</launchedDate>
        <status>FINISHED</status>
      </lastScan>
      <createdDate>2014-05-02T23:07:48Z</createdDate>
      <updatedDate>2014-05-13T23:14:05Z</updatedDate>
    </WasScanSchedule>
    <WasScanSchedule>
      <id>97354000</id>
      <name><![CDATA[Test Sched Notification (May 7 GMT)]]></name>
      <owner>
        <id>334527</id>
      </owner>
      <active>false</active>
      <type>VULNERABILITY</type>
      <target>
        <webApp>
          <id>1061764000</id>
          <name><![CDATA[Blacklist New Scan Settings check]]></name>
          <url><![CDATA[http://10.10.1.100]]></url>
        </webApp>
        <webAppAuthRecord>
          <id>8753</id>
          <name><![CDATA[AR1]]></name>
        </webAppAuthRecord>
        <scannerAppliance>
          <type>EXTERNAL</type>
        </scannerAppliance>
      </target>
      <profile>
        <id>55784</id>
        <name><![CDATA[Initial WAS Options]]></name>
      </profile>
      <scheduling>
        <startDate>2014-05-06T18:22:00Z</startDate>
        <timeZone>
          <code>America/Dawson</code>
          <offset>-07:00</offset>
        </timeZone>
        <occurrenceType>DAILY</occurrenceType>
        <occurrence>
          <dailyOccurrence>
            <everyNDays>1</everyNDays>
          </dailyOccurrence>
        </occurrence>
      </scheduling>
      <lastScan>
        <id>14929668885</id>
        <launchedDate>2014-05-12T01:22:02Z</launchedDate>
        <status>FINISHED</status>
      </lastScan>
      <createdDate>2014-05-06T23:17:23Z</createdDate>
      <updatedDate>2014-05-13T01:22:02Z</updatedDate>
    </WasScanSchedule>
    <WasScanSchedule>
      <id>99314000</id>
      <name><![CDATA[Sched Sanity Test (May 7)]]></name>
      <owner>
        <id>334528</id>
      </owner>
      <active>false</active>
      <type>VULNERABILITY</type>
      <target>
        <webApp>
          <id>1083684000</id>
          <name><![CDATA[BlackList Test (as-is)]]></name>
          <url><![CDATA[http://10.10.1.100]]></url>
        </webApp>
        <scannerAppliance>
          <type>EXTERNAL</type>
        </scannerAppliance>
      </target>
      <profile>
        <id>55784</id>
        <name><![CDATA[Initial WAS Options]]></name>
      </profile>
      <scheduling>
        <startDate>2014-05-07T15:52:00Z</startDate>
        <timeZone>
          <code>America/Dawson</code>
          <offset>-07:00</offset>
        </timeZone>
        <occurrenceType>DAILY</occurrenceType>
        <occurrence>
          <dailyOccurrence>
            <everyNDays>1</everyNDays>
          </dailyOccurrence>
        </occurrence>
      </scheduling>
      <nextLaunchDate>2014-08-13T22:52:00Z</nextLaunchDate>
      <lastScan>
        <id>14930878885</id>
        <launchedDate>2014-05-12T22:52:02Z</launchedDate>
        <status>FINISHED</status>
      </lastScan>
      <createdDate>2014-05-07T22:49:51Z</createdDate>
      <updatedDate>2014-08-13T20:15:05Z</updatedDate>
    </WasScanSchedule>
    <WasScanSchedule>
      <id>99324000</id>
      <name><![CDATA[Sched Sanity Test - w/ notification (May 7)]]></name>
      <owner>
        <id>334527</id>
      </owner>
      <active>false</active>
      <type>VULNERABILITY</type>
      <target>
        <webApp>
          <id>1083684000</id>
          <name><![CDATA[BlackList Test (as-is)]]></name>
          <url><![CDATA[http://10.10.1.100]]></url>
        </webApp>
        <webAppAuthRecord>
          <id>8753</id>
          <name><![CDATA[AR1]]></name>
        </webAppAuthRecord>
        <scannerAppliance>
          <type>EXTERNAL</type>
        </scannerAppliance>
      </target>
      <profile>
        <id>55784</id>
        <name><![CDATA[Initial WAS Options]]></name>
      </profile>
      <scheduling>
        <startDate>2014-05-07T16:15:00Z</startDate>
        <timeZone>
          <code>America/Dawson</code>
          <offset>-07:00</offset>
        </timeZone>
        <occurrenceType>DAILY</occurrenceType>
        <occurrence>
          <dailyOccurrence>
            <everyNDays>1</everyNDays>
          </dailyOccurrence>
        </occurrence>
      </scheduling>
      <nextLaunchDate>2014-08-15T23:15:00Z</nextLaunchDate>
      <lastScan>
        <id>14932858885</id>
        <launchedDate>2014-05-12T23:15:00Z</launchedDate>
        <status>FINISHED</status>
      </lastScan>
      <createdDate>2014-05-07T23:04:37Z</createdDate>
      <updatedDate>2014-08-15T01:02:18Z</updatedDate>
    </WasScanSchedule>
  </data>
</ServiceResponse>
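The lastScan filters above are most useful for finding schedules that exist but are not actually producing recent, successful scans. The script below is an added example (not code from the notification): it builds the ServiceRequest filter XML, parses a ServiceResponse of WasScanSchedule records, and flags schedules that never launched, whose last scan did not finish, or whose last scan is older than a chosen age. SAMPLE_RESPONSE and ERROR_RESPONSE are constructed (ids and dates borrowed from the page's samples), and the HTTP transport that POSTs to the search URL is left to the caller.

```python
"""Build a Schedule Search request and triage the schedules it returns.

Added example, not code from the notification. SAMPLE_RESPONSE and
ERROR_RESPONSE are constructed (ids and dates borrowed from the page); the
transport that POSTs to <baseURL>/qps/rest/3.0/search/was/wasscanschedule
is left to the caller.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone


class ApiError(RuntimeError):
    """Raised when responseCode is anything other than SUCCESS."""


def build_search_request(criteria):
    """Serialise [(field, operator, value), ...] into the <filters> XML.
    A value of None emits an empty Criteria element, as for lastScan/NONE."""
    root = ET.Element("ServiceRequest")
    filters = ET.SubElement(root, "filters")
    for field, operator, value in criteria:
        crit = ET.SubElement(filters, "Criteria", field=field, operator=operator)
        if value is not None:
            crit.text = value
    return ET.tostring(root, encoding="unicode")


def _timestamp(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_schedules(xml_text):
    """Return (schedules, has_more); raise ApiError on an error response."""
    root = ET.fromstring(xml_text)
    code = root.findtext("responseCode")
    if code != "SUCCESS":
        message = root.findtext("responseErrorDetails/errorMessage") or "no details"
        raise ApiError(f"{code}: {message}")
    schedules = []
    for sched in root.iter("WasScanSchedule"):
        last = sched.find("lastScan")  # absent when the schedule has never launched
        schedules.append({
            "id": int(sched.findtext("id")),
            "name": sched.findtext("name"),
            "active": sched.findtext("active") == "true",
            "last_status": None if last is None else last.findtext("status"),
            "last_launched": None if last is None else _timestamp(last.findtext("launchedDate")),
        })
    # hasMoreRecords=true means another page exists: fetch it before concluding
    # that nothing is stale.
    return schedules, root.findtext("hasMoreRecords") == "true"


def stale_schedules(schedules, now, max_age):
    """Schedules with no recent successful scan: apps that look monitored but are not."""
    flagged = []
    for s in schedules:
        if s["last_status"] is None:
            reason = "never launched"
        elif s["last_status"] != "FINISHED":
            reason = f"last scan {s['last_status']}"
        elif now - s["last_launched"] > max_age:
            reason = f"last scan {(now - s['last_launched']).days} days old"
        else:
            continue
        flagged.append((s["id"], reason))
    return flagged


def _schedule(sid, name, last=None):
    """Constructed WasScanSchedule fragment carrying only the fields read above."""
    last_xml = "" if last is None else (
        f"<lastScan><id>1</id><launchedDate>{last[0]}</launchedDate>"
        f"<status>{last[1]}</status></lastScan>")
    return (f"<WasScanSchedule><id>{sid}</id><name><![CDATA[{name}]]></name>"
            f"<active>true</active>{last_xml}</WasScanSchedule>")


SAMPLE_RESPONSE = (
    "<ServiceResponse><responseCode>SUCCESS</responseCode><count>4</count>"
    "<hasMoreRecords>false</hasMoreRecords><data>"
    + _schedule(6527, "Sched Scan - New Webapp in 2.2.1", ("2014-02-19T20:42:01Z", "FINISHED"))
    + _schedule(93264000, "Test with Sched", ("2014-08-15T18:59:01Z", "ERROR"))
    + _schedule(95274000, "Sched Notification Test 2")
    + _schedule(97354000, "Test Sched Notification", ("2014-08-12T01:22:02Z", "FINISHED"))
    + "</data></ServiceResponse>"
)
ERROR_RESPONSE = (
    "<ServiceResponse><responseCode>OTHER_ERROR</responseCode><responseErrorDetails>"
    "<errorMessage>constructed sample error</errorMessage></responseErrorDetails></ServiceResponse>"
)


def demo():
    """Run the samples end to end and return what a caller would act on."""
    schedules, has_more = parse_schedules(SAMPLE_RESPONSE)
    now = datetime(2014, 8, 19, 12, tzinfo=timezone.utc)
    flagged = dict(stale_schedules(schedules, now, timedelta(days=30)))
    try:
        parse_schedules(ERROR_RESPONSE)
        error = None
    except ApiError as exc:
        error = str(exc)
    return {"count": len(schedules), "has_more": has_more, "flagged": flagged, "error": error}
```

`build_search_request([("lastScan", "NONE", None)])` reproduces the first search_schedule.xml above; passing the IN and LESSER criteria reproduces the second.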


 

 

What is the <baseurl>?

 

This is the API server URL where your QualysGuard account is located. For an account on US Platform 1, this is <qualysapi.qualys.com>; on US Platform 2, this is <qualysapi.qg2.apps.qualys.com>; on EU Platform, this is <qualysapi.qualys.eu>.

A new release of QualysGuard WAS, Version 3.5, which includes an API update, is targeted for release in late July and early August 2014.

 

More information on specific release dates that correspond to the QualysGuard platforms can be found on the platform release blog pages.

 

 

This API notification provides an early preview into the coming API changes in QualysGuard WAS 3.5, allowing you to proactively identify any changes that might be required for your automated scripts or programs that utilize the API methods described below.  There is one API modification in this release:

 

  • Scan Get API – Updated to support the new custom form parameter set feature

 

Full release notes will be available to customers on the day of the release. 

 

API Enhancements

    

Scan Get API – Custom Form Parameters - Sample Request


curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" "http://qualysapi.qualys.com/qps/rest/3.0/get/was/scan/801678"

 

 

XML output (parameter set is Initial Parameters):

 

 

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://qualysapi.qualys.com/qps/xsd/3.0/was/scan.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <WasScan>
      <id>801678</id>
      <name><![CDATA[My Scan]]></name>
      <reference>was/1405370728457.1775165</reference>
      <type>VULNERABILITY</type>
      <mode>ONDEMAND</mode>
      <multi>false</multi>
      <target>
        <webApp>
          <id>2112993</id>
          <name><![CDATA[My Scan]]></name>
          <url><![CDATA[http://10.10.31.55/merchant/2.2/themerchant]]></url>
        </webApp>
        <webAppAuthRecord>
          <id>128557</id>
          <name><![CDATA[Myy Authentication Record]]></name>
        </webAppAuthRecord>
        <scannerAppliance>
          <type>EXTERNAL</type>
        </scannerAppliance>
      </target>
      <profile>
        <id>160333</id>
        <name><![CDATA[300 links]]></name>
      </profile>
      <options>
        <count>14</count>
        <list>
          <WasScanOption>
            <name>Web Application Authentication Record Name</name>
            <value><![CDATA[My Authentication Record]]></value>
          </WasScanOption>
          <WasScanOption>
            <name>Detection Scope</name>
            <value><![CDATA[COMPLETE]]></value>
          </WasScanOption>
          <WasScanOption>
            <name>Sensitive Content: Custom Contents</name>
            <value><![CDATA[zip code social security password]]></value>
          </WasScanOption>
          <WasScanOption>
            <name>Scanner Appliance</name>
            <value><![CDATA[External (IP: 10.10.21.148, Scanner: 7.8.37-1, WAS: 3.6.35-1, Signatures: 2.2.752-1)]]></value>
          </WasScanOption>
          <WasScanOption>
            <name>Target URL</name>
            <value><![CDATA[http://10.10.31.55/merchant/2.2/themerchant]]></value>
          </WasScanOption>
          <WasScanOption>
            <name>Performance Settings</name>
            <value><![CDATA[LOW]]></value>
          </WasScanOption>
          <WasScanOption>
            <name>Sensitive Content: Social Security Numbers (US)</name>
            <value><![CDATA[true]]></value>
          </WasScanOption>
          <WasScanOption>
            <name>Sensitive Content: Credit Card Numbers</name>
            <value><![CDATA[true]]></value>
          </WasScanOption>
          <WasScanOption>
            <name>Maximum Crawling Links</name>
            <value><![CDATA[300]]></value>
          </WasScanOption>
          <WasScanOption>
            <name>Bruteforce Settings</name>
            <value><![CDATA[MINIMAL]]></value>
          </WasScanOption>
          <WasScanOption>
            <name>Option Profile Name</name>
            <value><![CDATA[300 links]]></value>
          </WasScanOption>
          <WasScanOption>
            <name>Crawling Form Submissions</name>
            <value><![CDATA[BOTH]]></value>
          </WasScanOption>
          <WasScanOption>
            <name>Request Parameter Set</name>
            <value><![CDATA[Initial Parameters]]></value>
          </WasScanOption>
          <WasScanOption>
            <name>Web Application Name</name>
            <value><![CDATA[My Web Application]]></value>
          </WasScanOption>
        </list>
      </options>
      <launchedDate>2014-07-14T20:45:28Z</launchedDate>
      <launchedBy>
        <id>45941</id>
        <username>acme_ss</username>
        <firstName><![CDATA[Sarah]]></firstName>
        <lastName><![CDATA[Smith]]></lastName>
      </launchedBy>
      <status>FINISHED</status>
      <scanDuration>385</scanDuration>
    </WasScan>
  </data>
</ServiceResponse>

 

Scan Get API – Custom Form Parameters - Sample Partial Response


<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://qualysapi.qualys.com/qps/xsd/3.0/was/scan.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <WasScan>
      <id>34593</id>
      ...
      <options>
        <count>14</count>
        <list>
          ...
          <WasScanOption>
            <name>Request Parameter Set</name>
            <value><![CDATA[My custom parameter set]]></value>
          </WasScanOption>
          ...
        </list>
      </options>
      ...
    </WasScan>
  </data>
</ServiceResponse>

 

 

 

What is the <baseurl>?

 

This is the API server URL where your QualysGuard account is located. For an account on US Platform 1, this is <qualysapi.qualys.com>; on US Platform 2, this is <qualysapi.qg2.apps.qualys.com>; on EU Platform, this is <qualysapi.qualys.eu>.

A new release of QualysGuard WAS, Version 3.3, is targeted for release in late March and early April 2014.

 

More information on specific release dates that correspond to the QualysGuard platforms can be found on the platform release blog pages which will be updated no less than 15 days prior to the release of WAS 3.3.

 

 

This API notification provides an early preview into the coming API changes in QualysGuard WAS 3.3, allowing you to proactively identify any changes that might be required for your automated scripts or programs that utilize the API methods described below.  There are 3 primary API changes in this release:

 

  • Web Application Report XML – Ignored Sensitive Content
  • Report Create API – Storage Limit Response
  • Scan Cancel API – Update

 

Full release notes will be available to customers on the day of the release. 

 

API Enhancements

 

Web Application Report XML – Ignored Sensitive Content

The “Ignored” tag appears for a sensitive content detection when the detection has been marked as ignored. 

 

...
<SENSITIVE_CONTENT_LIST>
  <SENSITIVE_CONTENT>
    ...
    <IGNORED>true</IGNORED>
    <IGNORE_INFORMATION>
      <REASON>RISK_ACCEPTED</REASON>
      <DATE>2014-02-21T20:42:48Z</DATE>
      <USER><![CDATA[John Smith (acme_js)]]></USER>
      <COMMENT><![CDATA[Not an issue]]></COMMENT>
    </IGNORE_INFORMATION>
...

 

 

Report Create API – Storage Limit Response

A new error message appears in the response XML if the report storage limit has been reached when you make an API request using the report creation API (https://<baseurl>/3.0/create/was/report).

 

 

...
<ServiceResponse>
  <responseCode>OTHER_ERROR</responseCode>
  <responseErrorDetails>
    <errorMessage>Your [subscription|user] storage limit of 200.0 Mb has been reached.</errorMessage>
    <errorResolution>Delete existing reports and try again.</errorResolution>
  </responseErrorDetails>
</ServiceResponse>
...
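Two things a report-handling script should do with the XML shown in this post: recognise the storage-limit error as a "stop and clean up" condition rather than a transient failure, and keep ignored sensitive-content detections in the audit trail (who accepted the risk, when, and why) instead of silently dropping them. The script below is an added example, not code from the notification; STORAGE_LIMIT_RESPONSE mirrors the fragment above, while REPORT_XML is constructed and its WAS_WEBAPP_REPORT wrapper and ID elements are assumed names (only the SENSITIVE_CONTENT tags are from the page).

```python
"""Classify the Report Create storage-limit error and partition sensitive-content
detections by their Ignored flag.

Added example, not code from the notification. REPORT_XML is constructed: the
WAS_WEBAPP_REPORT wrapper and <ID> elements are assumed names; only the
SENSITIVE_CONTENT / IGNORED / IGNORE_INFORMATION tags come from the page.
"""
import re
import xml.etree.ElementTree as ET

STORAGE_LIMIT_RESPONSE = """<ServiceResponse>
  <responseCode>OTHER_ERROR</responseCode>
  <responseErrorDetails>
    <errorMessage>Your subscription storage limit of 200.0 Mb has been reached.</errorMessage>
    <errorResolution>Delete existing reports and try again.</errorResolution>
  </responseErrorDetails>
</ServiceResponse>"""

REPORT_XML = """<WAS_WEBAPP_REPORT>
  <SENSITIVE_CONTENT_LIST>
    <SENSITIVE_CONTENT>
      <ID>1</ID>
      <IGNORED>true</IGNORED>
      <IGNORE_INFORMATION>
        <REASON>RISK_ACCEPTED</REASON>
        <DATE>2014-02-21T20:42:48Z</DATE>
        <USER><![CDATA[John Smith (acme_js)]]></USER>
        <COMMENT><![CDATA[Not an issue]]></COMMENT>
      </IGNORE_INFORMATION>
    </SENSITIVE_CONTENT>
    <SENSITIVE_CONTENT>
      <ID>2</ID>
    </SENSITIVE_CONTENT>
  </SENSITIVE_CONTENT_LIST>
</WAS_WEBAPP_REPORT>"""

# Matches the message shape shown on the page; the [subscription|user] token is
# whichever limit was hit.
_LIMIT_RE = re.compile(r"Your (subscription|user) storage limit of ([\d.]+) Mb has been reached")


class StorageLimitError(RuntimeError):
    """Not retryable until reports are deleted; carries the resolution text for the operator."""

    def __init__(self, scope, limit_mb, resolution):
        super().__init__(f"{scope} storage limit of {limit_mb} MB reached; {resolution}")
        self.scope, self.limit_mb, self.resolution = scope, limit_mb, resolution


def storage_limit_details(xml_text):
    """Return (scope, limit_mb, resolution) for the storage-limit error, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("responseCode") != "OTHER_ERROR":
        return None
    match = _LIMIT_RE.search(root.findtext("responseErrorDetails/errorMessage") or "")
    if not match:
        return None
    return match.group(1), float(match.group(2)), root.findtext("responseErrorDetails/errorResolution")


def check_create_response(xml_text):
    """Raise StorageLimitError (or a generic error) so callers do not loop on retries."""
    details = storage_limit_details(xml_text)
    if details:
        raise StorageLimitError(*details)
    root = ET.fromstring(xml_text)
    if root.findtext("responseCode") != "SUCCESS":
        raise RuntimeError(root.findtext("responseCode"))


def partition_sensitive_content(report_xml):
    """Split detections into (open, ignored); ignored entries keep who/when/why."""
    root = ET.fromstring(report_xml)
    open_, ignored = [], []
    for det in root.iter("SENSITIVE_CONTENT"):
        entry = {"id": det.findtext("ID")}
        info = det.find("IGNORE_INFORMATION")
        if det.findtext("IGNORED") == "true" and info is not None:
            entry.update(reason=info.findtext("REASON"), date=info.findtext("DATE"),
                         user=info.findtext("USER"), comment=info.findtext("COMMENT"))
            ignored.append(entry)
        else:
            open_.append(entry)
    return open_, ignored
```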

 

 

Scan Cancel API – Update

Using the Scan Cancel API (https://<baseurl>/3.0/cancel/was/scan/<id>) you can now cancel any unfinished scan regardless of its status.

 

What is the <baseurl>?

 

This is the API server URL where your QualysGuard account is located. For an account on US Platform 1, this is <qualysapi.qualys.com>; on US Platform 2, this is <qualysapi.qg2.apps.qualys.com>; on EU Platform, this is <qualysapi.qualys.eu>.

A new release of QualysGuard WAS, Version 3.2, is targeted for release in US production in February 2014. The exact release date has not yet been set. This release contains changes to the APIs that require a 30-day notification. Only the API changes that impact existing APIs are included in the 30-day notification. The notification will be updated to include any new API functionality at least 15 days prior to release.

 

More information on specific release dates that correspond to the platforms can be found on the platform release blog pages which will be updated no less than 15 days prior to the release of WAS 3.2.

 

 

This API notification provides an early preview into the coming API changes in QualysGuard WAS 3.2, allowing you to proactively identify any changes that might be required for your automated scripts or programs that utilize the API methods described below.  There are 3 primary API changes in this release:

 

  • Ignore Binary Files Tag Added to XML Reports
  • New cancelScanTime Element
  • Scan Status Data Reported

 

Full release notes will be available to customers on the day of the release. 

 

WAS WebApp and Schedule API now available to Express Lite Customers

Are you a QualysGuard Express Lite User? Now you can use the capabilities of the WAS Scan and Schedule APIs as described in the QualysGuard WAS API User Guide if you have the WAS API option enabled.

 

Ignore Binary Files Tag Added to XML Reports

A new XML tag appears in XML reports to tell you whether the new Ignore Binary Files option profile setting was turned on for the scan being reported on. If yes, the scan ignored files with these extensions: .pdf, .zip and .doc.

 

Scan Results XML

“Ignore Binary Files” is included in the XML output when a user downloads scan results in XML format.

 

Scan Results v3 XML - “Ignore Binary Files” appears in the scan results v3 XML format under the new WasScanOption tag. The v3 XML format is returned when you make an API request using the download scan API (…/3.0/download/was/wasscan/<id>).

 

...
<WasScanOption>
  <name>Ignore Binary Files</name>
  <value>true</value>
</WasScanOption>
...

 

 

Scan Results v2 XML - “Ignore Binary Files” appears in the scan results v2 XML format (for version 2 and earlier) under the new SCAN_INFO tag. The v2 XML format is returned:

- when you make an API request using the download scan API (…/2.0/download/was/wasscan/<id>)

- when you select the Download action for a scan using the user interface

 

 

 

 

...
<SUMMARY>
  <SCAN_SUMMARY>
    <SCAN_INFO>
      <KEY>Title</KEY>
      <VALUE><![CDATA[Vulnerability Scan - Ignore Binary On]]></VALUE>
    </SCAN_INFO>
...

 

 

Scan Details v3 XML - “Ignore Binary Files” appears in the scan details v3 XML format under the new WasScanOption tag. The v3 XML format is returned when you make an API request using the get scan API (…/3.0/get/was/wasscan/<id>).

 

<WasScanOption>
  <name>Ignore Binary Files</name>
  <value><![CDATA[true]]></value>
</WasScanOption>

 

 

Report XML

“Ignore Binary Files” appears in the report XML in the appendix section when you make an API request using the download report API (…/3.0/download/was/report/<id>).

 

...
<APPENDIX_LIST>
  <APPENDIX>
    <VALUE_LIST>
      <VALUE name="Ignore Binary Types">true</VALUE>

 

 

New cancelScanTime Element

The new cancelScanTime element defines the precise hour to cancel a scan.

 

Launch Scan API

Using the launch scan API (…/3.0/launch/was/wasscan) you can include cancelScanTime as a name/value pair in your request POST data.

 

...
<options>
  <WasScanOption>
    <name>cancelScanTime</name>
    <value><![CDATA[1]]></value>
  </WasScanOption>
</options>
...

 

 

Create a Scan Schedule API

Using the create a scan schedule API (…/3.0/create/was/wasscanschedule) you can include cancelScanTime in your request POST data using the cancelTime element.

 

 

<scheduling>
  <occurrenceType>WEEKLY</occurrenceType>
  <occurrence>
    <weeklyOccurrence>
      <everyNWeeks>5</everyNWeeks>
      <onDays>
        <WeekDay>MONDAY</WeekDay>
        <WeekDay>SATURDAY</WeekDay>
        <WeekDay>SUNDAY</WeekDay>
      </onDays>
    </weeklyOccurrence>
  </occurrence>
  <timeZone>
    <code>Africa/Ceuta</code>
  </timeZone>
  <startDate>2012-08-01T10:00:00Z</startDate>
  <cancelTime>11:00</cancelTime>
</scheduling>

 

 

 

 

Get Scan Schedule XML

Using the get a scan schedule API (…/3.0/get/was/wasscanschedule/<id>) the XML output includes the cancelScanTime element if the scan cancel time setting is defined for the schedule.

 

 

<scheduling>
  <startDate>2014-01-13T17:00:00Z</startDate>
  <timeZone>
    <code>Etc/GMT-3</code>
    <offset>+03:00</offset>
  </timeZone>
  <occurrenceType>ONCE</occurrenceType>
  <cancelTime>11:00</cancelTime>
</scheduling>

 

 

 

New Scan Status Data Reported

Scan Results XML

Using the retrieve scan results API (.../3.0/download/was/wasscan/<id>) the XML output will show the number of links collected, and the average response time.

 

<summary>
  <crawlDuration>16</crawlDuration>
  <testDuration>138</testDuration>
  <linksCollected>10</linksCollected>
  <linksCrawled>1</linksCrawled>
  <nbRequests>503</nbRequests>
  <averageResponseTime>0.001554</averageResponseTime>
  <resultsStatus>SUCCESSFUL</resultsStatus>
  <authStatus>NONE</authStatus>
  <os>Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP</os>
</summary>

 

 

 

Get Scan Status XML

Using the get a scan schedule API (…/3.0/get/was/wasscanschedule/<id>) the XML output includes the cancelScanTime element if the scan cancel time setting is defined for the schedule.

<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/wasscan.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <WasScan>
      <id>21993</id>
      <status>FINISHED</status>
      <summary>
        <linksCollected>12</linksCollected>
        <linksCrawled>5</linksCrawled>
        <nbRequests>89</nbRequests>
        <averageResponseTime>0.01234</averageResponseTime>
      </summary>
    </WasScan>
  </data>
</ServiceResponse>

 

 

 

Scan Details XML

Using the get scan details API (…/3.0/get/was/wasscan/<id>) the XML output will show links collected, links crawled, the number of requests performed and the average response time.

<summary>
  <crawlDuration>16</crawlDuration>
  <testDuration>138</testDuration>
  <linksCollected>10</linksCollected>
  <linksCrawled>1</linksCrawled>
  <nbRequests>503</nbRequests>
  <averageResponseTime>0.001554</averageResponseTime>
  <resultsStatus>SUCCESSFUL</resultsStatus>
  <authStatus>NONE</authStatus>
  <os>Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP</os>
</summary>
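The scan-details response carries both the option set a scan ran with (the Scan Get API custom form parameters post above shows the Request Parameter Set and Ignore Binary Files options) and the summary counters described here. Read together they say whether a FINISHED scan actually covered the application. The script below is an added example, not code from the notification: it maps the WasScanOption list, types the summary fields, and flags results that should not be read as full coverage. SCAN_DETAILS is constructed from the option names and summary elements on this page, and the warning thresholds are the example's own choices.

```python
"""Read a WasScan GET response: option set plus summary counters, then flag
results that should not be taken as full coverage.

Added example, not code from the notification. SCAN_DETAILS is constructed from
the option names and summary elements shown on this page; the thresholds are
the example's own.
"""
import xml.etree.ElementTree as ET

SCAN_DETAILS = """<ServiceResponse>
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <WasScan>
      <id>801678</id>
      <status>FINISHED</status>
      <options>
        <count>4</count>
        <list>
          <WasScanOption>
            <name>Web Application Authentication Record Name</name>
            <value><![CDATA[My Authentication Record]]></value>
          </WasScanOption>
          <WasScanOption>
            <name>Request Parameter Set</name>
            <value><![CDATA[My custom parameter set]]></value>
          </WasScanOption>
          <WasScanOption>
            <name>Ignore Binary Files</name>
            <value><![CDATA[true]]></value>
          </WasScanOption>
          <WasScanOption>
            <name>Maximum Crawling Links</name>
            <value><![CDATA[300]]></value>
          </WasScanOption>
        </list>
      </options>
      <summary>
        <crawlDuration>16</crawlDuration>
        <testDuration>138</testDuration>
        <linksCollected>10</linksCollected>
        <linksCrawled>1</linksCrawled>
        <nbRequests>503</nbRequests>
        <averageResponseTime>0.001554</averageResponseTime>
        <resultsStatus>SUCCESSFUL</resultsStatus>
        <authStatus>NONE</authStatus>
      </summary>
    </WasScan>
  </data>
</ServiceResponse>"""

_INT_FIELDS = ("crawlDuration", "testDuration", "linksCollected", "linksCrawled", "nbRequests")


def scan_options(scan):
    """Map option name -> value from the <options><list> of a WasScan element."""
    return {opt.findtext("name"): opt.findtext("value") for opt in scan.iter("WasScanOption")}


def scan_summary(scan):
    """Typed copy of <summary>: integers for counters, float for the response time."""
    summary = {child.tag: child.text for child in scan.find("summary")}
    for key in _INT_FIELDS:
        if key in summary:
            summary[key] = int(summary[key])
    if "averageResponseTime" in summary:
        summary["averageResponseTime"] = float(summary["averageResponseTime"])
    return summary


def assess_scan(xml_text, min_crawl_ratio=0.5):
    """Return (details, warnings); each warning explains why coverage may be partial."""
    root = ET.fromstring(xml_text)
    if root.findtext("responseCode") != "SUCCESS":
        raise RuntimeError(f"API error: {root.findtext('responseCode')}")
    scan = root.find("data/WasScan")
    opts, summ = scan_options(scan), scan_summary(scan)
    warnings = []
    collected, crawled = summ.get("linksCollected", 0), summ.get("linksCrawled", 0)
    if collected and crawled / collected < min_crawl_ratio:
        warnings.append(f"crawled only {crawled} of {collected} collected links")
    max_links = int(opts.get("Maximum Crawling Links", "0"))
    if max_links and collected >= max_links:
        warnings.append("link collection hit the Maximum Crawling Links cap")
    # An auth record was configured, yet the scan reports no authentication:
    # the authenticated surface was not tested.
    if "Web Application Authentication Record Name" in opts and summ.get("authStatus") == "NONE":
        warnings.append("authentication record configured but authStatus is NONE")
    if opts.get("Ignore Binary Files") == "true":
        warnings.append("binary files (.pdf, .zip, .doc) were skipped")
    details = {
        "id": int(scan.findtext("id")),
        "status": scan.findtext("status"),
        "parameter_set": opts.get("Request Parameter Set"),
        "summary": summ,
    }
    return details, warnings
```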

 

 

 

A new release of QualysGuard WAS, Version 3.1, will be available in production in mid-November 2013. The exact date depends on the platform, and this release contains changes to the APIs that require a 30-day notification. APIs will be updated for each platform on the same day version 3.1 is released.

 

 

More information on specific release dates that correspond to the platforms can be found here:

 

 

 

This API notification provides an early preview into the coming API changes in QualysGuard WAS 3.1, allowing you to proactively identify any changes that might be required for your automated scripts or programs that utilize the API methods described below.  There are 2 primary API changes in this release:

 

  • New API for Managing Authentication Records
  • WAS Reports in XML – Findings are now Base64 Encoded

 

Full release notes will be available to customers on the day of the release.

 

New API for Managing Authentication Records

With WAS 3.1 we’re introducing a new API for managing authentication records called WebAppAuthRecord. This new API allows you to:

  • Manage authentication records independently from web application settings
  • Easily create an authentication record once and associate it with multiple web applications
  • Perform all authentication record operations – create, update, delete, get details, search and count

 

The new WebAppAuthRecord resource is located at this URL:

  • https://qualysapi.qualys.com/qps/rest/3.0/<operation>/was/webappauthrecord
    (where “qualysapi.qualys.com” is the QualysGuard API server URL for your QualysGuard platform, in this case US Platform 1.)

Supported Operations

 

  • Count authentication records
    <base URL for platform>/qps/3.0/count/was/webappauthrecord
  • Search authentication records
    <base URL for platform>/qps/3.0/search/was/webappauthrecord
  • Get authentication record details
    <base URL for platform>/qps/3.0/get/was/webappauthrecord
  • Create a new authentication record
    <base URL for platform>/qps/3.0/create/was/webappauthrecord
  • Update an authentication record
    <base URL for platform>/qps/3.0/update/was/webappauthrecord
  • Delete an authentication record
    <base URL for platform>/qps/3.0/delete/was/webappauthrecord

 

New XSD - The WebAppAuthRecord object is independent from the WebApp object. There’s a new webappauthrecord.xsd (…/qps/xsd/3.0/was/webappauthrecord.xsd). The WebAppAuthRecord object has these new attributes:

 

<xs:complexType name="WebAppAuthRecord">
 <xs:all>
  <xs:element name="id" type="xs:long" minOccurs="0"/>
  <xs:element name="name" type="Cdata" minOccurs="0"/>
  <xs:element name="owner" type="User" minOccurs="0"/>
  <xs:element name="formRecord" type="WebAppAuthFormRecord" minOccurs="0"/>
  <xs:element name="serverRecord" type="WebAppAuthServerRecord" minOccurs="0"/>
  <xs:element name="tags" type="TagList" minOccurs="0"/>
  <xs:element name="comments" type="CommentList" minOccurs="0"/>
  <xs:element name="createdDate" type="xs:dateTime" />
  <xs:element name="createdBy" type="User" />
  <xs:element name="updatedDate" type="xs:dateTime" />
  <xs:element name="updatedBy" type="User" />
 </xs:all>
</xs:complexType>

 

Changes to the Web Application API

The WebApp API has been updated for this release.  Supported Operations – Please note these 2 changes:

  1. You will associate an authentication record with the web application using the CREATE and UPDATE operations (you can’t create the record within the web application settings as before). Just provide the id element as input with your API request.
  2. An API request to view web applications and get details (SEARCH and GET operations) returns only the ID and name for the web application.

 

 

XSD updates - The webapp.xsd has been updated (…/qps/xsd/3.0/was/webapp.xsd). Please note these changes:

1) The WebApp object still contains a list of WebAppAuthRecord elements (no changes):

 

<xs:complexType name="WebApp"> 
  <xs:all> 
     ... 
     <xs:element name="authRecords" type="WebAppAuthRecordList" minOccurs="0"/> 
     ... 
  </xs:all> 
</xs:complexType>

 

2) The WebAppAuthRecord elements allow only the id and name attributes (other attributes are no longer supported).

 

<xs:complexType name="WebAppAuthRecord">
  <xs:all>
    <xs:element name="id" type="xs:long" minOccurs="0"/>
    <xs:element name="name" type="Cdata" minOccurs="0"/>
  </xs:all>
</xs:complexType>

 

 

Creating Authentication Records and Applying Them to Web Applications

Using the WAS API Version 3.1 you’ll first create independent authentication record(s) and link them to your web application. Then you’re ready to launch authenticated scans against your web application.

 

Step 1: Create Authentication Record(s)

Create new authentication record(s) and tell us how to authenticate to your web application. The sample request below indicates form authentication will be used. You can create multiple authentication records as needed for your various web applications. (You must have the new Create authentication record permission enabled under Web Application authentication record permissions.)

 

Request:

curl -u "USERNAME:PASSWORD" -H "Content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/create/was/webappauthrecord/" < file.xml

Note: “file.xml” contains the request POST data.

 

Request POST Data:

<?xml version="1.0" encoding="UTF-8"?>
<ServiceRequest>
 <data>
  <WebAppAuthRecord>
   <name><![CDATA[From API - Form]]></name>
   <formRecord>
    <type>STANDARD</type>
    <sslOnly>true</sslOnly>
    <fields>
     <set>
      <WebAppAuthFormRecordField>
       <name><![CDATA[password]]></name>
       <value><![CDATA[12345]]></value>
      </WebAppAuthFormRecordField>
      <WebAppAuthFormRecordField>
       <name><![CDATA[username]]></name>
       <value><![CDATA[user]]></value>
      </WebAppAuthFormRecordField>
     </set>
    </fields>
   </formRecord>
   <comments>
    <set>
     <Comment>
      <contents><![CDATA[This is a comment]]></contents>
     </Comment>
    </set>
   </comments>
   <tags>
    <set>
     <Tag>
      <id>102609</id>
     </Tag>
    </set>
   </tags>
  </WebAppAuthRecord>
 </data>
</ServiceRequest>

 

Step 2: Add Authentication Record(s) to web application settings

Add authentication record(s) to web application settings by creating or updating each web application you want to authenticate to. You just need to add the authentication record ID. Note the same authentication record can be linked to multiple web applications. (As long as you have permission to create/update web applications under WAS Asset Permissions, you can add authentication records to web app settings.)

 

Request:

curl -u "USERNAME:PASSWORD" -H "Content-type: text/xml" -X "POST" --data-binary @-
"https://qualysapi.qualys.com/qps/rest/3.0/update/was/webapp/324539" < file.xml

Note: “file.xml” contains the request POST data.

 

Request POST Data:

<ServiceRequest>
 <data>
  <WebApp>
   <authRecords>
    <add>
      <WebAppAuthRecord><id>1688</id></WebAppAuthRecord>
      <WebAppAuthRecord><id>1689</id></WebAppAuthRecord>
      <WebAppAuthRecord><id>1690</id></WebAppAuthRecord>
      <WebAppAuthRecord><id>1691</id></WebAppAuthRecord>
    </add>
   </authRecords>
  </WebApp>
 </data>
</ServiceRequest>

 

Step 3: Check web application details

The web application details will include all web application settings and the authentication record(s) you’ve added. At scan time we’ll attempt authentication using all of the web application’s records.

 

Request:

curl -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/qps/rest/3.0/get/was/webapp/324539"

 

Step 4: Start your scan

Launch a scan using the WasScan API at this URL:  https://qualysapi.qualys.com/qps/rest/3.0/launch/was/wascan
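The four steps above as one script. This is an added example, not Qualys code: the endpoint paths are the ones given in this post, the HTTP transport is a pluggable callable (the fake_transport here answers with constructed sample responses shaped like the ones in this post, so the example runs offline), and the error-detail path responseErrorDetails/errorMessage is an assumption. Request bodies are built with ElementTree rather than hand-written CDATA sections, so a credential that happens to contain "]]>" cannot break out of the XML and inject elements into the request.

```python
# Added example, not Qualys code: the create -> link -> verify flow from the
# post, run offline through a pluggable transport. Endpoint paths are from the
# post; fake_transport returns constructed sample responses.
import xml.etree.ElementTree as ET
from typing import Callable, Sequence

BASE = "https://qualysapi.qualys.com/qps/rest/3.0"
Transport = Callable[[str, bytes], bytes]  # (url, request body) -> response body


def service_request(obj: ET.Element) -> bytes:
    """Wrap one object element in <ServiceRequest><data>...</data></ServiceRequest>."""
    req = ET.Element("ServiceRequest")
    ET.SubElement(req, "data").append(obj)
    # ElementTree escapes &, < and > in text. On the wire that is equivalent to
    # the CDATA sections in the post, but it cannot be broken out of: a value
    # containing "]]>" would terminate a hand-built CDATA section.
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)


def build_form_auth_record(name: str, fields: dict, ssl_only: bool = True) -> bytes:
    """Step 1 body: a STANDARD form record whose fields are the login form inputs."""
    rec = ET.Element("WebAppAuthRecord")
    ET.SubElement(rec, "name").text = name
    form = ET.SubElement(rec, "formRecord")
    ET.SubElement(form, "type").text = "STANDARD"
    # sslOnly=true keeps the scanner from submitting the credentials over plain HTTP.
    ET.SubElement(form, "sslOnly").text = "true" if ssl_only else "false"
    field_set = ET.SubElement(ET.SubElement(form, "fields"), "set")
    for field_name, field_value in fields.items():
        field = ET.SubElement(field_set, "WebAppAuthFormRecordField")
        ET.SubElement(field, "name").text = field_name
        ET.SubElement(field, "value").text = field_value
    return service_request(rec)


def build_add_auth_records(record_ids: Sequence[int]) -> bytes:
    """Step 2 body: link existing records to a web app; only <id> is needed."""
    app = ET.Element("WebApp")
    add = ET.SubElement(ET.SubElement(app, "authRecords"), "add")
    for rid in record_ids:
        ET.SubElement(ET.SubElement(add, "WebAppAuthRecord"), "id").text = str(int(rid))
    return service_request(app)


def parse_response(body: bytes, object_tag: str) -> list:
    """Return the <object_tag> elements under <data>; fail loudly on any other responseCode."""
    root = ET.fromstring(body)
    code = root.findtext("responseCode")
    if code != "SUCCESS":
        # Assumed location of the QPS error explanation.
        detail = root.findtext("responseErrorDetails/errorMessage") or "no details"
        raise RuntimeError(f"WAS API returned {code}: {detail}")
    return root.findall(f"data/{object_tag}")


def attach_form_auth(post: Transport, webapp_id: int, name: str, fields: dict) -> dict:
    """Steps 1-3: create the record, link it, then read the web app back to confirm."""
    created = parse_response(
        post(f"{BASE}/create/was/webappauthrecord/", build_form_auth_record(name, fields)),
        "WebAppAuthRecord")
    record_id = int(created[0].findtext("id"))
    parse_response(post(f"{BASE}/update/was/webapp/{webapp_id}",
                        build_add_auth_records([record_id])), "WebApp")
    app = parse_response(post(f"{BASE}/get/was/webapp/{webapp_id}", b""), "WebApp")[0]
    linked = [int(e.text) for e in app.findall("authRecords/list/WebAppAuthRecord/id")]
    if record_id not in linked:
        raise RuntimeError(f"record {record_id} is not linked to web app {webapp_id}")
    return {"record_id": record_id, "linked_ids": linked}


def fake_transport(state: dict) -> Transport:
    """Constructed stand-in for the API (sample data, not a real service): it hands
    out record id 1688 and remembers which ids were linked to web app 324539."""
    def post(url: str, body: bytes) -> bytes:
        ok = (b"<ServiceResponse><responseCode>SUCCESS</responseCode><count>1</count>"
              b"<data>%s</data></ServiceResponse>")
        if url.endswith("/create/was/webappauthrecord/"):
            return ok % b"<WebAppAuthRecord><id>1688</id></WebAppAuthRecord>"
        if "/update/was/webapp/" in url:
            ids = ET.fromstring(body).findall("data/WebApp/authRecords/add/WebAppAuthRecord/id")
            state.setdefault("linked", []).extend(int(i.text) for i in ids)
            return ok % b"<WebApp><id>324539</id></WebApp>"
        if "/get/was/webapp/" in url:
            linked = state.get("linked", [])
            items = b"".join(b"<WebAppAuthRecord><id>%d</id></WebAppAuthRecord>" % i for i in linked)
            return ok % (b"<WebApp><id>324539</id><authRecords><count>%d</count>"
                         b"<list>%s</list></authRecords></WebApp>" % (len(linked), items))
        return b"<ServiceResponse><responseCode>INVALID_REQUEST</responseCode></ServiceResponse>"
    return post


if __name__ == "__main__":
    print(attach_form_auth(fake_transport({}), 324539, "From API - Form",
                           {"username": "user", "password": "12345"}))
```

To run this against the real service, replace fake_transport with a function that POSTs the body with basic auth and a text/xml content type, and keep the account credentials and the form password out of the script (environment variables or a secrets store); the form password travels to Qualys in the request body, so do not repeat it in the record's name or comment fields.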

A major release of QualysGuard WAS, Version 3.0, will be available as follows:

  • US Production 2 - May 7, 2013
  • US Production 1 - May 14, 2013
  • EU Production - May 21, 2013

 

This update includes enhancements to the web application API to add the new Malware Monitoring capability introduced in WAS 3.0. This release is completely transparent to users and will require no scheduled downtime. The release will occur between 12 PM PDT (19:00 GMT) and 8 PM PDT (03:00 AM GMT next day).

 

This API notification provides an early preview of the coming API changes, allowing you to proactively identify any changes that might be required for your automated scripts or programs that use the following functions or XML outputs. The WAS 3.0 changes are additive and should not impact existing API implementations.

 

 

Platform           API Location
US Production 1    qualysapi.qualys.com
US Production 2    qualysapi.qg2.apps.qualys.com
EU Production 1    qualysapi.qualys.eu

 

Introducing Malware Monitoring for Web Applications

We're pleased to announce that we've integrated malware detection capability into WAS to make it easy for you to perform scans that detect not only web application vulnerabilities, but also malware that may infect the same web properties. Now there's an easy way to combine web application scanning and malware detection to ensure that your Internet-facing web sites are free from web application vulnerabilities and malware. Web site malware is typically found only on Internet-facing web applications. To learn more about these scan types, refer to the WAS 3.0 feature announcement on Qualys Community.

 

 

WebApp Create and Update API

The new “malwareMonitoring” element enables Malware Monitoring when creating or updating a web application with the WebApp API. You can defer the start of monitoring with the “malwareScheduleTime” and “malwareScheduleTimeZone” elements. When “malwareNotification” is true, the site owner receives an email notification if any malware is detected.

 

Example - Create a web application and enable Malware Monitoring

 

Request:
 
curl -u "USERNAME:PASSWORD" -H "Content-type: text/xml" -X "POST" --data-binary @-
"https://qualysapi.qualys.com/qps/rest/3.0/create/was/webapp/" < file.xml

Note: “file.xml” contains the request POST data.

Request POST Data:

<ServiceRequest>
  <data>
    <WebApp>
      <name>My Web Application</name>
      <url>http://mywebapp.com</url>
      <malwareMonitoring>true</malwareMonitoring>
      <malwareNotification>true</malwareNotification>
      <malwareScheduleTime>23:59</malwareScheduleTime>
      <malwareScheduleTimeZone>
        <code>America/Vancouver</code>
      </malwareScheduleTimeZone>
    </WebApp>
  </data>
</ServiceRequest>

 


Response:

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/webapp.xsd">
 <responseCode>SUCCESS</responseCode>
 <count>1</count>
 <data>
   <WebApp>
     <id>119</id>
     <name><![CDATA[My Web Application]]></name>
     <url><![CDATA[http://mywebapp.com]]></url>
     <owner>
       <id>123</id>
       <username>username</username>
       <firstName><![CDATA[John]]></firstName>
       <lastName><![CDATA[Smith]]></lastName>
     </owner>
     <scope>ALL</scope>
     <attributes>
       <count>0</count>
       <list/>
     </attributes>
     <defaultScanner>
       <type>EXTERNAL</type>
     </defaultScanner>
      <urlBlacklist>
       <count>0</count>
       <list/>
     </urlBlacklist>
     <urlWhitelist>
       <count>0</count>
       <list/>
     </urlWhitelist>
     <postDataBlacklist>
       <count>0</count>
       <list/>
     </postDataBlacklist>
     <authRecords>
       <count>0</count>
     </authRecords>
     <useRobots>IGNORE</useRobots>
     <useSitemap>false</useSitemap>
     <malwareMonitoring>true</malwareMonitoring>
     <malwareNotification>true</malwareNotification>
     <malwareScheduleTime>23:59</malwareScheduleTime>
     <malwareScheduleTimeZone>
       <code>America/Vancouver</code>
       <offset>-07:00</offset>
     </malwareScheduleTimeZone>
     <tags>
       <count>0</count>
     </tags>
     <comments>
        <count>0</count>
     </comments>
     <isScheduled>false</isScheduled>
     <createdBy>
       <id>123</id>
       <username>username</username>
       <firstName><![CDATA[John]]></firstName>
       <lastName><![CDATA[Smith]]></lastName>
      </createdBy>
     <createdDate>2013-03-21T20:16:06Z</createdDate>
     <updatedBy>
       <id>123</id>
       <username>username</username>
       <firstName><![CDATA[John]]></firstName>
       <lastName><![CDATA[Smith]]></lastName>
     </updatedBy>
      <updatedDate>2013-03-21T20:16:07Z</updatedDate>
   </WebApp>
 </data>
</ServiceResponse>

 

WebApp Get API

A new “malwareMonitoring” XML element is added to the WebApp element to indicate whether malware monitoring is enabled. Its value is a boolean, true or false. If true, the response also includes the “malwareScheduleTime”, “malwareScheduleTimeZone” and “malwareNotification” elements.

 

Example - Get Web Application Details

Get web application details for web application ID 16833.

 

Request:

curl -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/qps/rest/3.0/get/was/webapp/16833"
 
Response:

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/webapp.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <WebApp>
      <id>16833</id>
      …
      <malwareMonitoring>true</malwareMonitoring>
      <malwareNotification>true</malwareNotification>
      <malwareScheduleTime>23:59</malwareScheduleTime>
      <malwareScheduleTimeZone>
        <code>America/Vancouver</code>
      </malwareScheduleTimeZone>
      …
    </WebApp>
  </data>
</ServiceResponse>

 

WebApp Delete API

When a web application monitored for malware is deleted, the corresponding domain for malware scanning (in the MDS module) is deleted as well.

 

Release Notes

Full release notes will be available to customers from within the Resources section of your QualysGuard account with the WAS 3.0 release.

A new release of QualysGuard WAS, Version 2.4.2, will be available in production in the US datacenter March 5th, 2013 and in the EU datacenter March 14th 2013.  This update includes enhancements to many reporting capabilities available via the API, making it easier to integrate WAS with other security solutions.   This release is completely transparent to users and will require no scheduled downtime. The release will occur between 12 PM PST (20:00 GMT) and 8 PM PST (04:00 AM GMT next day).

 

This API notification provides an early preview into the coming API changes, allowing you to proactively identify any changes that might be required for your automated scripts or programs that use the following functions or XML outputs.  All changes to existing APIs were included in the notification posted on January 24th, 2013.  This updated notification includes all changes for WAS 2.4.2 including new API methods that will not impact existing API implementations.

 

Create Report 

With QualysGuard WAS 2.4.2, in both the WebAppReport and ScanReport elements, the searchlists XML element used to define the search lists to include is renamed includedSearchLists. It still contains a list of SearchList elements.

 

Web Application and Scan Reports — Show Vulnerabilities by Status

We’ve added a new VULNERABILITIES_BY_STATUS option to allow you to show vulnerabilities by status in reports. For a Web Application Report this option can be added to the WebAppReportGraph element. For a Scan Report this option can be added to the ScanReportGraph element.

 

Example - Create a web application report

 

Create a web application report in encrypted PDF format, requesting the vulnerabilities by status graph.

 

Request:

curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" -d @-
"https://qualysapi.qualys.com/qps/rest/3.0/create/was/webapp_report" < file.xml

Note: “file.xml” contains the request POST data.
  
Request POST Data:
<ServiceRequest>
  <data>
    <Report>
      <name><![CDATA[My Web Application Report]]></name>
      <description><![CDATA[A simple WebApp report]]></description>
      <format>PDF_ENCRYPTED</format>
      <password>PASSWORD</password>
      <distributionList>
        <set>
          <EmailAddress>EMAIL ADDRESS</EmailAddress>
          <EmailAddress>EMAIL ADDRESS</EmailAddress>
        </set>
      </distributionList>
      <type>WAS_WEBAPP_REPORT</type>
      <config>
        <webAppReport>
          <target>
            <tags>
              <Tag>
                <id>243130</id>
              </Tag>
              <Tag>
                <id>243132</id>
              </Tag>
            </tags>
            <webapps>
              <WebApp>
                <id>532510</id>
              </WebApp>
              <WebApp>
                <id>532601</id>
              </WebApp>
            </webapps>
          </target>
          <display>
            <contents>
              <WebAppReportContent>DESCRIPTION</WebAppReportContent>
              <WebAppReportContent>SUMMARY</WebAppReportContent>
              <WebAppReportContent>GRAPHS</WebAppReportContent>
              <WebAppReportContent>RESULTS</WebAppReportContent>
            </contents>
            <graphs>
              <WebAppReportGraph>VULNERABILITIES_BY_GROUP</WebAppReportGraph>
              <WebAppReportGraph>VULNERABILITIES_BY_STATUS</WebAppReportGraph>
            </graphs>
            <groups>
              <WebAppReportGroup>GROUP</WebAppReportGroup>
              <WebAppReportGroup>OWASP</WebAppReportGroup>
              <WebAppReportGroup>WASC</WebAppReportGroup>
            </groups>
            <options>
              <rawLevels>true</rawLevels>
            </options>
          </display>
          <filters>
            <includedSearchLists>
              <SearchList>
                <id>43147</id>
              </SearchList>
            </includedSearchLists>
            <url>http://www.mysite.com/help.html</url>
            <status>
              <WebAppFindingStatus>ACTIVE</WebAppFindingStatus>
              <WebAppFindingStatus>REOPENED</WebAppFindingStatus>
            </status>
          </filters>
        </webAppReport>
      </config>
    </Report>
  </data>
</ServiceRequest>

Response:

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/report.xsd">
<responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Report>
      <id>2629</id>
    </Report>
  </data>
</ServiceResponse>


 

The following changes will be reflected in the schema:

<xs:simpleType name="WebAppReportGraph">
        <xs:restriction base="xs:string">
            <xs:enumeration value="VULNERABILITIES_BY_SEVERITY" />
            <xs:enumeration value="VULNERABILITIES_BY_STATUS" />
            <xs:enumeration value="VULNERABILITIES_BY_GROUP" />
            <xs:enumeration value="VULNERABILITIES_BY_OWASP" />
            <xs:enumeration value="VULNERABILITIES_BY_WASC" />
            <xs:enumeration value="SENSITIVE_CONTENTS_BY_GROUP" />
            <xs:enumeration value="MOST_VULNERABLE_WEB_APPLICATIONS" />
            <xs:enumeration value="MOST_VULNERABLE_URLS" />
            <xs:enumeration value="OPERATING_SYSTEMS_DETECTED" />
        </xs:restriction>
    </xs:simpleType>


    <xs:simpleType name="ScanReportGraph">
        <xs:restriction base="xs:string">
            <xs:enumeration value="VULNERABILITIES_BY_SEVERITY" />
            <xs:enumeration value="VULNERABILITIES_BY_STATUS" />
            <xs:enumeration value="VULNERABILITIES_BY_GROUP" />
            <xs:enumeration value="VULNERABILITIES_BY_OWASP" />
            <xs:enumeration value="VULNERABILITIES_BY_WASC" />
            <xs:enumeration value="SENSITIVE_CONTENTS_BY_GROUP" />
            <xs:enumeration value="MOST_VULNERABLE_URLS" />
        </xs:restriction>
    </xs:simpleType>



 

Web Application and Scan Reports — Use Search Lists to Exclude Vulnerabilities

 

We’ve added the ability to use search lists to identify vulnerabilities to be excluded from a Web Application Report or a Scan Report. The searchLists element used to identify vulnerabilities to include in the report has been renamed includedSearchLists, and we have added the new element excludedSearchLists for identifying vulnerabilities to be excluded from the report.

 

Example - Create a scan report

Create a scan report in PDF format, using search lists to both include and exclude vulnerabilities. The request POST XML below carries both includedSearchLists and excludedSearchLists.

 

Request:

curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" -d @-
"https://qualysapi.qualys.com/qps/rest/3.0/create/was/scan_report" < file.xml

Note: “file.xml” contains the request POST data.


Request POST Data:
<ServiceRequest>
  <data>
    <Report>
      <name><![CDATA[with all parameters HTML_ZIPPED]]></name>
      <description><![CDATA[A simple scan report]]></description>
      <format>PDF</format>
      <type>WAS_SCAN_REPORT</type>
      <config>
        <scanReport>
          <target>
            <scans>
              <WasScan>
                <id>104268</id>
              </WasScan>
            </scans>
          </target>
          <display>
            <contents>
              <ScanReportContent>DESCRIPTION</ScanReportContent>
              <ScanReportContent>SUMMARY</ScanReportContent>
              <ScanReportContent>GRAPHS</ScanReportContent>
              <ScanReportContent>RESULTS</ScanReportContent>
              <ScanReportContent>INDIVIDUAL_RECORDS</ScanReportContent>
              <ScanReportContent>RECORD_DETAILS</ScanReportContent>
              <ScanReportContent>ALL_RESULTS</ScanReportContent>
              <ScanReportContent>APPENDIX</ScanReportContent>
            </contents>
            <graphs>
              <ScanReportGraph>VULNERABILITIES_BY_SEVERITY</ScanReportGraph>
              <ScanReportGraph>VULNERABILITIES_BY_GROUP</ScanReportGraph>
              <ScanReportGraph>VULNERABILITIES_BY_OWASP</ScanReportGraph>
              <ScanReportGraph>VULNERABILITIES_BY_WASC</ScanReportGraph>
              <ScanReportGraph>SENSITIVE_CONTENTS_BY_GROUP</ScanReportGraph>
            </graphs>
            <groups>
              <ScanReportGroup>URL</ScanReportGroup>
              <ScanReportGroup>GROUP</ScanReportGroup>
              <ScanReportGroup>OWASP</ScanReportGroup>
              <ScanReportGroup>WASC</ScanReportGroup>
              <ScanReportGroup>STATUS</ScanReportGroup>
              <ScanReportGroup>CATEGORY</ScanReportGroup>
              <ScanReportGroup>QID</ScanReportGroup>
            </groups>
            <options>
              <rawLevels>true</rawLevels>
            </options>
          </display>
          <filters>
            <includedSearchLists>
              <SearchList>
                <id>35</id>
              </SearchList>
              <SearchList>
                <id>125</id>
              </SearchList>
            </includedSearchLists>
            <excludedSearchLists>
              <SearchList>
                <id>128</id>
              </SearchList>
              <SearchList>
                <id>125</id>
              </SearchList>
            </excludedSearchLists>
            <url>http://www.mysite.com/help.html</url>
            <status>
              <ScanFindingStatus>NEW</ScanFindingStatus>
              <ScanFindingStatus>ACTIVE</ScanFindingStatus>
              <ScanFindingStatus>REOPENED</ScanFindingStatus>
            </status>
          </filters>
        </scanReport>
      </config>
    </Report>
  </data>
</ServiceRequest>

Response:

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/report.xsd">
<responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Report>
      <id>3629</id>
    </Report>
  </data>
</ServiceResponse>

 

 

To support the exclusion search lists the following changes will be reflected in the report.xsd schema:

 

<xs:complexType name="WebAppReport">
        ...
            <xs:element name="filters" minOccurs="0" maxOccurs="1">
                <xs:complexType>
                    <xs:sequence>
                        <xs:element name="includedSearchlists" minOccurs="0">
                            <xs:complexType>
                                <xs:sequence>
                                    <xs:element name="SearchList" type="SearchList" minOccurs="0" maxOccurs="unbounded"></xs:element>
                                </xs:sequence>
                            </xs:complexType>
                        </xs:element>
                        <xs:element name="excludedSearchlists" minOccurs="0">
                            <xs:complexType>
                                <xs:sequence>
                                    <xs:element name="SearchList" type="SearchList" minOccurs="0" maxOccurs="unbounded"></xs:element>
                                </xs:sequence>
                            </xs:complexType>
                        </xs:element>
...



 

Rename "Do Not Apply" Reason

 

The 2.4.2 release will rename the "Do Not Apply" reason to "Not Applicable".

 

A schema change in report.xsd will be required, as the IgnoredReason element will be updated to support this change:

<xs:simpleType name="IgnoredReason">
    <xs:restriction base="xs:string">
        <xs:enumeration value="FALSE_POSITIVE"/>
        <xs:enumeration value="RISK_ACCEPTED"/>
        <xs:enumeration value="NOT_APPLICABLE"/>
    </xs:restriction>
</xs:simpleType>




 

 

Web Application Report — Show Ignored Vulnerabilities by Type

 

We’ve added two new filter elements to the Web Application Report API to allow you to show ignored vulnerabilities in the report. The element showIgnored can be used with one of these values: ONLY to show only ignored vulnerabilities or BOTH to show both ignored and non-ignored vulnerabilities.

 

If you use the showIgnored element, you have the option to use the IgnoredReasonList element to specify the types of ignored vulnerabilities to show (FALSE_POSITIVE, RISK_ACCEPTED, NOT_APPLICABLE).

 

Example - Create a web application report

Create a web application report in encrypted PDF format, requesting both ignored and non-ignored vulnerabilities and all three ignored vulnerability types.

 

Request:

curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" -d @-
"https://qualysapi.qualys.com/qps/rest/3.0/create/was/webapp_report" < file.xml

Note: “file.xml” contains the request POST data.

Request POST Data:
<ServiceRequest>
  <data>
    <Report>
      <name><![CDATA[My Web Application Report]]></name>
      <description><![CDATA[A simple WebApp report]]></description>
      <format>PDF_ENCRYPTED</format>
      <password>PASSWORD</password>
      <distributionList>
        <set>
          <EmailAddress>EMAIL ADDRESS</EmailAddress>
          <EmailAddress>EMAIL ADDRESS</EmailAddress>
        </set>
      </distributionList>
      <type>WAS_WEBAPP_REPORT</type>
      <config>
        <webAppReport>
          <target>
            <tags>
              <Tag>
                <id>243130</id>
              </Tag>
              <Tag>
                <id>243132</id>
              </Tag>
            </tags>
            <webapps>
              <WebApp>
                <id>532510</id>
              </WebApp>
              <WebApp>
                <id>532601</id>
              </WebApp>
            </webapps>
          </target>
          <display>
            <contents>
              <WebAppReportContent>DESCRIPTION</WebAppReportContent>
              <WebAppReportContent>SUMMARY</WebAppReportContent>
              <WebAppReportContent>GRAPHS</WebAppReportContent>
              <WebAppReportContent>RESULTS</WebAppReportContent>
            </contents>
            <graphs>
              <WebAppReportGraph>VULNERABILITIES_BY_GROUP</WebAppReportGraph>
              <WebAppReportGraph>VULNERABILITIES_BY_OWASP</WebAppReportGraph>
              <WebAppReportGraph>VULNERABILITIES_BY_WASC</WebAppReportGraph>
              <WebAppReportGraph>VULNERABILITIES_BY_STATUS</WebAppReportGraph>
            </graphs>
            <groups>
              <WebAppReportGroup>GROUP</WebAppReportGroup>
              <WebAppReportGroup>OWASP</WebAppReportGroup>
              <WebAppReportGroup>WASC</WebAppReportGroup>
            </groups>
            <options>
              <rawLevels>true</rawLevels>
            </options>
          </display>
          <filters>
            <includedSearchLists>
              <SearchList>
                <id>43147</id>
              </SearchList>
            </includedSearchLists>
            <url>http://www.mysite.com/help.html</url>
            <status>
              <WebAppFindingStatus>ACTIVE</WebAppFindingStatus>
              <WebAppFindingStatus>REOPENED</WebAppFindingStatus>
              <remediation>
                <showIgnored>BOTH</showIgnored>
                <IgnoredReasonList>
                  <status>FALSE_POSITIVE</status>
                  <status>RISK_ACCEPTED</status>
                  <status>NOT_APPLICABLE</status>
                </IgnoredReasonList>
              </remediation>
            </status>
          </filters>
        </webAppReport>
      </config>
    </Report>
  </data>
</ServiceRequest>

Response:

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/report.xsd">
<responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Report>
      <id>2629</id>
    </Report>
  </data>
</ServiceResponse>

 

A new WebAppReport/filters/status/remediation/showIgnored element will be added, accepting the following values:

  • ONLY - Show only ignored vulnerabilities in the report
  • BOTH - Show both non-ignored and ignored vulnerabilities in the report

Include this element only if you want ignored vulnerabilities in the report. If it is not specified, the report will not include ignored vulnerabilities at all.

If you specify the showIgnored element, you may also specify an optional WebAppReport/filters/status/remediation/IgnoredReasonList element to select which types of ignored vulnerabilities to include. The following updates will be reflected in the schema:


<xs:element name="WebAppReport">   
   ...
   <xs:element name="filters" minOccurs="0" maxOccurs="1">
       ...
       <xs:element name="remediation" minOccurs="0">
           <xs:element name="showIgnored" type="ShowIgnoredOption"/>
           <xs:element name="IgnoredReasonList" minOccurs="0">
             <xs:complexType>
                <xs:sequence>
                    <xs:element name="status" type="IgnoredReason" minOccurs="1"/>
                </xs:sequence>
             </xs:complexType>
           </xs:element>
       </xs:element>

 
<xs:simpleType name="ShowIgnoredOption">
    <xs:restriction base="xs:string">
        <xs:enumeration value="ONLY"/>
        <xs:enumeration value="BOTH"/>
    </xs:restriction>
</xs:simpleType>
    
<xs:simpleType name="IgnoredReason">
    <xs:restriction base="xs:string">
        <xs:enumeration value="FALSE_POSITIVE"/>
        <xs:enumeration value="RISK_ACCEPTED"/>
        <xs:enumeration value="NOT_APPLICABLE"/>
    </xs:restriction>
</xs:simpleType>
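The 2.4.2 filter changes described above (searchlists renamed includedSearchLists, the new excludedSearchLists, and showIgnored with IgnoredReasonList for Web Application Reports) are exactly the kind of change this notification asks you to check your scripts for. The following added example, which is not Qualys code, rewrites a pre-2.4.2 report request body in place using only Python's standard library. Element names are taken from this post; the placement of remediation under filters/status follows the path the post states and is treated as an assumption; the legacy request body (LEGACY_REQUEST) is a constructed sample.

```python
# Added example, not Qualys code: migrate a pre-2.4.2 WAS report request to
# the 2.4.2 filter elements described in this post. LEGACY_REQUEST is a
# constructed sample; the filters/status/remediation path for showIgnored is
# the one the post states and is an assumption here.
import xml.etree.ElementTree as ET
from typing import Iterable, Optional

SHOW_IGNORED_OPTIONS = {"ONLY", "BOTH"}
IGNORED_REASONS = {"FALSE_POSITIVE", "RISK_ACCEPTED", "NOT_APPLICABLE"}
REPORT_CONFIGS = ("webAppReport", "scanReport")  # the two configs whose filters change in 2.4.2

LEGACY_REQUEST = b"""<ServiceRequest><data><Report>
  <name><![CDATA[My Web Application Report]]></name>
  <format>PDF</format>
  <type>WAS_WEBAPP_REPORT</type>
  <config><webAppReport>
    <target><webapps><WebApp><id>532510</id></WebApp></webapps></target>
    <filters>
      <searchlists><SearchList><id>43147</id></SearchList></searchlists>
      <status><WebAppFindingStatus>ACTIVE</WebAppFindingStatus></status>
    </filters>
  </webAppReport></config>
</Report></data></ServiceRequest>"""


def add_search_lists(filters: ET.Element, tag: str, ids: Iterable[int]) -> None:
    """Append <tag><SearchList><id>N</id></SearchList>...</tag> under filters."""
    holder = ET.SubElement(filters, tag)
    for sid in ids:
        ET.SubElement(ET.SubElement(holder, "SearchList"), "id").text = str(int(sid))


def migrate_report_request(body: bytes, excluded: Iterable[int] = (),
                           show_ignored: Optional[str] = None,
                           ignored_reasons: Iterable[str] = ()) -> bytes:
    """Rewrite a report request body for WAS 2.4.2 and return the new XML."""
    reasons = list(ignored_reasons)
    if show_ignored is not None and show_ignored not in SHOW_IGNORED_OPTIONS:
        raise ValueError(f"showIgnored must be one of {sorted(SHOW_IGNORED_OPTIONS)}")
    if set(reasons) - IGNORED_REASONS:
        raise ValueError(f"unknown IgnoredReason in {reasons}")
    if reasons and show_ignored is None:
        raise ValueError("IgnoredReasonList is only valid together with showIgnored")
    root = ET.fromstring(body)
    excluded_ids = list(excluded)
    configs = [cfg for tag in REPORT_CONFIGS for cfg in root.iter(tag)]
    if not configs:
        raise ValueError("request has no webAppReport or scanReport config")
    for cfg in configs:
        filters = cfg.find("filters")
        if filters is None:
            filters = ET.SubElement(cfg, "filters")
        # 1) rename: the pre-2.4.2 element (any casing) becomes includedSearchLists
        for child in filters:
            if child.tag.lower() == "searchlists":
                child.tag = "includedSearchLists"
        # 2) the new exclusion list
        if excluded_ids:
            add_search_lists(filters, "excludedSearchLists", excluded_ids)
        # 3) showIgnored is added to the Web Application Report API only
        if show_ignored is not None and cfg.tag == "webAppReport":
            status = filters.find("status")
            if status is None:
                status = ET.SubElement(filters, "status")
            remediation = ET.SubElement(status, "remediation")
            ET.SubElement(remediation, "showIgnored").text = show_ignored
            if reasons:
                reason_list = ET.SubElement(remediation, "IgnoredReasonList")
                for reason in reasons:
                    ET.SubElement(reason_list, "status").text = reason
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def describe_filters(body: bytes) -> dict:
    """Summarise the first filters block so a migration can be checked."""
    filters = ET.fromstring(body).find(".//filters")
    if filters is None:
        return {}
    return {
        "legacy_searchlists": any(c.tag.lower() == "searchlists" for c in filters),
        "included": [int(e.text) for e in filters.findall("includedSearchLists/SearchList/id")],
        "excluded": [int(e.text) for e in filters.findall("excludedSearchLists/SearchList/id")],
        "show_ignored": filters.findtext("status/remediation/showIgnored"),
        "ignored_reasons": [e.text for e in
                            filters.findall("status/remediation/IgnoredReasonList/status")],
    }


if __name__ == "__main__":
    migrated = migrate_report_request(LEGACY_REQUEST, excluded=[128], show_ignored="BOTH",
                                      ignored_reasons=["FALSE_POSITIVE", "NOT_APPLICABLE"])
    print(migrated.decode())
    print(describe_filters(migrated))
```

Feed the migrated body to your existing POST to create/was/webapp_report or create/was/scan_report. For scanReport configs the rename and the exclusion list are applied but showIgnored is skipped, since the post adds it to the Web Application Report only; passing an IgnoredReasonList without showIgnored is rejected up front rather than producing a request the service would refuse.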

 

Report Find and Get Methods

 

The Report Find and Get methods will return each report's size in a new size XML element (XPath Report/size). The value is numeric and represents the size in bytes.

Note: this requires a change in the report.xsd schema to add the new element to the Report object.

Example Response from FIND method:


<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/report.xsd">

  <responseCode>SUCCESS</responseCode>
  <count>11</count>
  <hasMoreRecords>false</hasMoreRecords>
  <data>
    ...
    <Report>
      <id>2787</id>
      <name><![CDATA[Catalog Report]]></name>
      <owner>
        <id>123056</id>
        <username>quays_at3</username>
        <firstName><![CDATA[John]]></firstName>
        <lastName><![CDATA[Doe]]></lastName>
      </owner>
      <type>WAS_CATALOG_REPORT</type>
      <format>HTML_BASE64</format>
      <status>COMPLETE</status>
      <size>1245872</size>
      <creationDate>2012-12-18T15:53:02Z</creationDate>
      <tags>
        <count>0</count>
      </tags>
    </Report>
  </data>
</ServiceResponse>


 

 

Example of Response from GET method:


<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/report.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Report>
      <id>2787</id>
      <name><![CDATA[Catalog Report]]></name>
      <owner>
        <id>123056</id>
        <username>quays_at3</username>
        <firstName><![CDATA[John]]></firstName>
        <lastName><![CDATA[Doe]]></lastName>
      </owner>
      <type>WAS_CATALOG_REPORT</type>
      <format>HTML_BASE64</format>
      <status>COMPLETE</status>
      <size>1245872</size>
      <creationDate>2012-12-18T15:53:02Z</creationDate>
      <lastDownloadDate>2012-12-18T15:53:11Z</lastDownloadDate>
      <downloadCount>1</downloadCount>
      <tags>
        <count>0</count>
      </tags>
    </Report>
  </data>
</ServiceResponse>

 

 

Scorecard and Catalog Reports — Date Format Change

 

For the Scorecard Report and the Catalog Report, we've simplified the scanDate filter element. You no longer need to include hours, minutes and seconds: the startDate and endDate elements now take a value in yyyy-mm-dd format.

 

Example - Create a scorecard report

 

Create a scorecard report in PDF format, filtered by scan date range.

Request:
 
curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" -d @-
"https://qualysapi.qualys.com/qps/rest/3.0/create/was/???" < file.xml

Note: “file.xml” contains the request POST data.

Request POST Data: 
<ServiceRequest>
  <data>
    <Report>
      <name><![CDATA[with all parameters PDF with rawLevel false]]></name>
      <description><![CDATA[A simple scorecard report]]></description>
      <format>PDF</format>
      <type>WAS_SCORECARD_REPORT</type>
      <config>
        <scorecardReport>
          <target>
            <tags>
              <Tag>
                <id>243130</id>
              </Tag>
            </tags>
          </target>
          <display>
            <contents>
              <ScorecardReportContent>DESCRIPTION</ScorecardReportContent>
              <ScorecardReportContent>SUMMARY</ScorecardReportContent>
              <ScorecardReportContent>GRAPHS</ScorecardReportContent>
              <ScorecardReportContent>RESULTS</ScorecardReportContent>
            </contents>
            <graphs>
              <ScorecardReportGraph>VULNERABILITIES_BY_GROUP</ScorecardReportGraph>
              <ScorecardReportGraph>VULNERABILITIES_BY_OWASP</ScorecardReportGraph>
              <ScorecardReportGraph>VULNERABILITIES_BY_WASC</ScorecardReportGraph>
            </graphs>
            <groups>
              <ScorecardReportGroup>GROUP</ScorecardReportGroup>
              <ScorecardReportGroup>OWASP</ScorecardReportGroup>
              <ScorecardReportGroup>WASC</ScorecardReportGroup>
            </groups>
            <options>
              <rawLevels>false</rawLevels>
            </options>
          </display>
          <filters>
            <searchlists>
              <SearchList>
                <id>43147</id>
              </SearchList>
            </searchlists>
            <scanDate>
              <startDate>2012-08-28</startDate>
              <endDate>2012-10-28</endDate>
            </scanDate>
            <scanStatus>NO_HOST_ALIVE</scanStatus>
            <scanAuthStatus>NONE</scanAuthStatus>
          </filters>
        </scorecardReport>
      </config>
    </Report>
  </data>
</ServiceRequest>

Response:
 
<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/report.xsd">
<responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Report>
      <id>4629</id>
    </Report>
  </data>
</ServiceResponse>

 

 

 

WAS Reports — Add Report Size Information

Report size in bytes is now provided in the response for FIND and GET requests for all WAS reports.  This is new and will not impact existing API calls.

 

 

Example - Create a catalog report in HTML_BASE64 format.    

 

Request:

 

curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" -d @- "https://qualysapi.qualys.com/qps/rest/3.0/create/was/scan_report" < file.xml


Response:

 

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/report.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Report>
      <id>2787</id>
      <name><![CDATA[Catalog Report]]></name>
      <owner>
        <id>123056</id>
        <username>quays_at3</username>
        <firstName><![CDATA[John]]></firstName>
        <lastName><![CDATA[Doe]]></lastName>
      </owner>
      <type>WAS_CATALOG_REPORT</type>
      <format>HTML_BASE64</format>
      <status>COMPLETE</status>
      <size>1245872</size>
      <creationDate>2012-12-18T15:53:02Z</creationDate>
      <lastDownloadDate>2012-12-18T15:53:11Z</lastDownloadDate>
      <downloadCount>1</downloadCount>
      <tags>
        <count>0</count>
      </tags>
    </Report>
  </data>
</ServiceResponse>
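As an added example (not part of the original notification or of Qualys' own tooling), the following Python reads the report metadata that a FIND or GET request returns, including the new size element, and uses status and size to decide whether a report should be downloaded at all. The response text is a constructed copy of the catalog report sample above; the helper names (parse_reports, download_decision, ApiError) and the byte cap are my own, and the responseErrorDetails/errorMessage path used for failed requests is the QPS error element, which this page does not show.

```python
import xml.etree.ElementTree as ET

# Constructed sample (shape of the GET/FIND response shown above, size in bytes);
# not a live API response.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Report>
      <id>2787</id>
      <name><![CDATA[Catalog Report]]></name>
      <type>WAS_CATALOG_REPORT</type>
      <format>HTML_BASE64</format>
      <status>COMPLETE</status>
      <size>1245872</size>
      <creationDate>2012-12-18T15:53:02Z</creationDate>
      <downloadCount>1</downloadCount>
    </Report>
  </data>
</ServiceResponse>
"""


class ApiError(Exception):
    """Raised when responseCode is anything other than SUCCESS."""


def parse_reports(xml_text):
    """Return one dict of metadata per <Report> element in a ServiceResponse."""
    root = ET.fromstring(xml_text)
    code = root.findtext("responseCode")
    if code != "SUCCESS":
        # QPS error responses carry the detail under responseErrorDetails
        detail = root.findtext("responseErrorDetails/errorMessage")
        raise ApiError(f"API returned {code}: {detail}")
    reports = []
    for rep in root.iter("Report"):
        size_text = rep.findtext("size")
        reports.append({
            "id": int(rep.findtext("id")),
            "name": rep.findtext("name"),
            "type": rep.findtext("type"),
            "format": rep.findtext("format"),
            "status": rep.findtext("status"),
            # <size> is new; responses from earlier releases omit it
            "size": int(size_text) if size_text is not None else None,
        })
    return reports


def download_decision(report, max_bytes):
    """Return (ok, reason): whether to fetch the report body.

    Checking status and size before the download call lets an integration
    skip incomplete or oversized reports instead of reading an unbounded
    response body into memory.
    """
    if report["status"] != "COMPLETE":
        return False, f"status is {report['status']}"
    if report["size"] is None:
        return True, "size not reported; stream the body with a byte cap"
    if report["size"] > max_bytes:
        return False, f"{report['size']} bytes exceeds cap of {max_bytes}"
    return True, f"{report['size']} bytes within cap of {max_bytes}"


if __name__ == "__main__":
    for rep in parse_reports(SAMPLE_RESPONSE):
        ok, why = download_decision(rep, max_bytes=2_000_000)
        print(rep["id"], rep["type"], rep["format"], "download" if ok else "skip", "-", why)
```

The size check is the practical payoff of the new element: an integration that polls for reports and feeds them to a ticketing or GRC system can budget disk and memory per report before it calls the download URL, rather than discovering a multi-hundred-megabyte HTML_BASE64 body halfway through a read.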

 

 


 

 

Simplified API URL

We’ve simplified the URL for WAS scan and schedule requests. The object alias “wasscan” has been renamed to “scan” and the alias “wasschedule” has been renamed to “schedule”. For example, the URL for requesting the current scan count has been changed as follows:

 

from:

https://qualysapi.qualys.com/qps/rest/3.0/count/was/wasscan

 

to:

https://qualysapi.qualys.com/qps/rest/3.0/count/was/scan

 

If you are developing new functions you should use the new URLs. No changes are necessary to your existing API requests; you can continue to use the object aliases “wasscan” and “wasschedule” if you wish, but they may be deprecated at a later time.

Full release notes will be available to customers from within the Resources section of your QualysGuard account with the WAS 2.4.2 release.

A release of QualysGuard® Web Application Scanning 2.4.1 with a new scan option will be available in production in the EU on February 7, 2013. This release is completely transparent to users and will require no scheduled downtime. The release will occur between 20:00 GMT and 04:00 AM GMT next day.

 

Cancel Scan After (n) Hours

We’ve added a new optional element to the API for launching an on-demand scan, using the Launch New Scan API (/qps/rest/3.0/launch/was/wasscan). The new optional element, cancelAfterNHours, lets you specify the number of hours after which the scan is canceled. When specified, the scan stops after the selected running time and has the status Canceled. Partial scan results may be available if security tests were performed before the scan was canceled.

 

When used, this element is included in the XML output returned using the View Scan Details API (/qps/rest/3.0/get/was/wasscan/<id>) and Retrieve Results of a Scan API (/qps/rest/3.0/download/was/wasscan/<id>).

 

Full details regarding these updates will be available in the WAS API User Guide on the day of the release.

 

Example: Launch a new discovery scan on the web application with the ID 323126 using the option profile with the ID 1021. Set the scan to cancel after 1 hour.

Request:


curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" -d @- "https://qualysapi.qualys.com/qps/rest/3.0/launch/was/wasscan" < file.xml

 

Note: “file.xml” contains the request POST data below:

 

Request POST Data:

 

<ServiceRequest>
  <data>
    <WasScan>
      <name>New scan launched from API</name>
      <type>DISCOVERY</type>
      <target>
        <webApp>
          <id>323126</id>
        </webApp>
      </target>
      <profile>
        <id>1021</id>
      </profile>
      <options>
        <WasScanOption>
          <name>Cancel After 1 hour</name>
          <value>1</value>
        </WasScanOption>
      </options>
    </WasScan>
  </data>
</ServiceRequest>

 

 

Response:

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/wasscan.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <WasScan>
      <id>16954</id>
    </WasScan>
  </data>
</ServiceResponse>

To receive more information on QualysGuard WAS 2.4.1, please visit the QualysGuard WAS community or contact your Technical Account Manager or Qualys' Technical Support Department at support@qualys.com.

A release of QualysGuard® Web Application Scanning 2.4.1 with a new scan option will be available in production in the US on January 31, 2013. This release is completely transparent to users and will require no scheduled downtime. The release will occur between 12 PM PST (20:00 GMT) and 8 PM PST (04:00 AM GMT next day).

 

Cancel Scan After (n) Hours

We’ve added a new optional element to the API for launching an on-demand scan, using the Launch New Scan API (/qps/rest/3.0/launch/was/wasscan). The new optional element, cancelAfterNHours, lets you specify the number of hours after which the scan is canceled. When specified, the scan stops after the selected running time and has the status Canceled. Partial scan results may be available if security tests were performed before the scan was canceled.

 

When used, this element is included in the XML output returned using the View Scan Details API (/qps/rest/3.0/get/was/wasscan/<id>) and Retrieve Results of a Scan API (/qps/rest/3.0/download/was/wasscan/<id>).

 

Full details regarding these updates will be available in the WAS API User Guide on the day of the release.

 

Example: Launch a new discovery scan on the web application with the ID 323126 using the option profile with the ID 1021. Set the scan to cancel after 1 hour.

Request:


curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" -d @- "https://qualysapi.qualys.com/qps/rest/3.0/launch/was/wasscan" < file.xml

 

Note: “file.xml” contains the request POST data below:

 

Request POST Data:

 

<ServiceRequest>
  <data>
    <WasScan>
      <name>New scan launched from API</name>
      <type>DISCOVERY</type>
      <target>
        <webApp>
          <id>323126</id>
        </webApp>
      </target>
      <profile>
        <id>1021</id>
      </profile>
      <options>
        <WasScanOption>
          <name>Cancel After 1 hour</name>
          <value>1</value>
        </WasScanOption>
      </options>
    </WasScan>
  </data>
</ServiceRequest>

 

 

Response:

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/wasscan.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <WasScan>
      <id>16954</id>
    </WasScan>
  </data>
</ServiceResponse>
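The following Python is an added example, not code from the original notifications or from Qualys: it builds the Launch New Scan request body with the cancelAfterNHours element described in this post (and in the EU notification above), validates the hour count before anything is sent, parses the launch response for the scan id, and builds endpoint URLs that translate the legacy “wasscan” and “wasschedule” aliases to the simplified “scan” and “schedule” names from the Simplified API URL note earlier on this page. Assumptions: the helper names (endpoint, build_launch_request, parse_launch_response, ALIAS_RENAMES, SCAN_TYPES) are mine; cancelAfterNHours is emitted directly under <WasScan>, which follows the prose (“new optional element”) rather than the WasScanOption form in the sample POST data; and the VULNERABILITY scan type is assumed here, since this page only shows DISCOVERY. The launch response is a constructed copy of the sample above.

```python
import xml.etree.ElementTree as ET

BASE_URL = "https://qualysapi.qualys.com/qps/rest/3.0"

# Legacy object aliases and their simplified replacements (from the
# "Simplified API URL" note above); the old aliases still work for now.
ALIAS_RENAMES = {"wasscan": "scan", "wasschedule": "schedule"}

# DISCOVERY is shown on this page; VULNERABILITY is assumed (the other WAS scan type).
SCAN_TYPES = ("DISCOVERY", "VULNERABILITY")

# Constructed copy of the launch response shown above; not a live response.
SAMPLE_LAUNCH_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/wasscan.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <WasScan>
      <id>16954</id>
    </WasScan>
  </data>
</ServiceResponse>
"""


def endpoint(action, obj, obj_id=None, use_simplified=True):
    """Build a WAS API URL such as .../launch/was/scan, translating legacy aliases.

    With use_simplified=False the URL keeps whatever alias the caller passed,
    which is what existing scripts written against /was/wasscan do.
    """
    if use_simplified:
        obj = ALIAS_RENAMES.get(obj, obj)
    url = f"{BASE_URL}/{action}/was/{obj}"
    return f"{url}/{int(obj_id)}" if obj_id is not None else url


def build_launch_request(name, web_app_id, profile_id, scan_type="DISCOVERY",
                         cancel_after_hours=None):
    """Serialize the POST body for the Launch New Scan API.

    cancel_after_hours maps to the optional cancelAfterNHours element; placing
    it directly under <WasScan> is an assumption of this example.
    """
    if scan_type not in SCAN_TYPES:
        raise ValueError(f"scan type must be one of {SCAN_TYPES}, got {scan_type!r}")
    if cancel_after_hours is not None and (
            isinstance(cancel_after_hours, bool)
            or not isinstance(cancel_after_hours, int)
            or cancel_after_hours < 1):
        raise ValueError("cancelAfterNHours must be a positive whole number of hours")

    req = ET.Element("ServiceRequest")
    scan = ET.SubElement(ET.SubElement(req, "data"), "WasScan")
    ET.SubElement(scan, "name").text = name
    ET.SubElement(scan, "type").text = scan_type
    web_app = ET.SubElement(ET.SubElement(scan, "target"), "webApp")
    ET.SubElement(web_app, "id").text = str(int(web_app_id))
    ET.SubElement(ET.SubElement(scan, "profile"), "id").text = str(int(profile_id))
    if cancel_after_hours is not None:
        # Hard wall-clock limit: the scan ends with status Canceled after N hours
        # and keeps any partial results, a useful safety net for scheduled automation.
        ET.SubElement(scan, "cancelAfterNHours").text = str(cancel_after_hours)
    # ElementTree escapes special characters in text, so CDATA wrappers are not needed.
    return ET.tostring(req, encoding="unicode")


def parse_launch_response(xml_text):
    """Return the new scan id, or raise if the service did not report SUCCESS."""
    root = ET.fromstring(xml_text)
    code = root.findtext("responseCode")
    if code != "SUCCESS":
        raise RuntimeError(f"launch failed with responseCode {code}")
    return int(root.findtext("data/WasScan/id"))


if __name__ == "__main__":
    body = build_launch_request("New scan launched from API", 323126, 1021,
                                cancel_after_hours=1)
    print("POST", endpoint("launch", "wasscan"))
    print(body)
    print("scan id:", parse_launch_response(SAMPLE_LAUNCH_RESPONSE))
```

Rejecting a zero, negative or fractional hour count on the client side matters because the element is the only thing that bounds an unattended scan's runtime; a malformed value that the service ignores would silently remove that bound.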

 

 

To receive more information on QualysGuard WAS 2.4.1, please visit the QualysGuard WAS community or contact your Technical Account Manager or Qualys' Technical Support Department at support@qualys.com.

A release of QualysGuard® Web Application Scanning 2.4 with a new report creation API method will be available in production in the EU on December 18, 2012. This release is completely transparent to users and will require no scheduled downtime. The release will occur between 20:00 GMT and 08:00 AM GMT next day.

 

QualysGuard WAS 2.4 adds one new report creation method to the API services, which were first made available in the 2.2 release. This notification provides an early preview of this new method.

 

Report Creation API

The Report Creation API has been added to the WAS Report API so you can create WAS reports based on the security information collected by the most recent scans of your web applications. Using the Report Creation API you can create these reports: Web Application Report, Scan Report, Scorecard Report and Catalog Report. For each report you can choose one of these formats: HTML (ZIP), Web Archive (HTML), PDF, PDF Encrypted, XML, CSV, Microsoft Word (DOC) and PowerPoint (PPT).

 

Full details regarding these updates will be available in the WAS API User Guide on the day of the release.

 

Example: Create a web application report in encrypted PDF format, setting both tags and web applications for the target.

 

Request:

 

curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" -d @- "https://qualysapi.qualys.com/qps/rest/3.0/create/was/webapp_report" < file.xml

Note: “file.xml” contains the request POST data below:

 

Request POST Data:

 

<ServiceRequest>
  <data>
    <Report>
      <name><![CDATA[My Web Application Report]]></name>
      <description><![CDATA[A simple WebApp report]]></description>
      <format>PDF_ENCRYPTED</format>
      <password>PASSWORD</password>
      <distributionList>
        <set>
          <EmailAddress>EMAIL ADDRESS</EmailAddress>
          <EmailAddress>EMAIL ADDRESS</EmailAddress>
        </set>
      </distributionList>
      <type>WAS_WEBAPP_REPORT</type>
      <config>
        <webAppReport>
          <target>
            <tags>
              <Tag>
                <id>243130</id>
              </Tag>
              <Tag>
                <id>243132</id>
              </Tag>
            </tags>
            <webapps>
              <WebApp>
                <id>532510</id>
              </WebApp>
              <WebApp>
                <id>532601</id>
              </WebApp>
            </webapps>
          </target>
          <display>
            <contents>
              <WebAppReportContent>DESCRIPTION</WebAppReportContent>
              <WebAppReportContent>SUMMARY</WebAppReportContent>
              <WebAppReportContent>GRAPHS</WebAppReportContent>
              <WebAppReportContent>RESULTS</WebAppReportContent>
            </contents>
            <graphs>
              <WebAppReportGraph>VULNERABILITIES_BY_GROUP</WebAppReportGraph>
              <WebAppReportGraph>VULNERABILITIES_BY_OWASP</WebAppReportGraph>
              <WebAppReportGraph>VULNERABILITIES_BY_WASC</WebAppReportGraph>
            </graphs>
            <groups>
              <WebAppReportGroup>GROUP</WebAppReportGroup>
              <WebAppReportGroup>OWASP</WebAppReportGroup>
              <WebAppReportGroup>WASC</WebAppReportGroup>
            </groups>
            <options>
              <rawLevels>true</rawLevels>
            </options>
          </display>
          <filters>
            <searchlists>
              <SearchList>
                <id>43147</id>
              </SearchList>
            </searchlists>
            <url>http://www.mysite.com/help.html</url>
            <status>
              <WebAppFindingStatus>ACTIVE</WebAppFindingStatus>
              <WebAppFindingStatus>REOPENED</WebAppFindingStatus>
            </status>
          </filters>
        </webAppReport>
      </config>
    </Report>
  </data>
</ServiceRequest>

 

 

Response:

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/report.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Report>
      <id>2629</id>
    </Report>
  </data>
</ServiceResponse>

To receive more information on QualysGuard WAS 2.4, please visit the Qualys Community at https://community.qualys.com or contact your Technical Account Manager or Qualys' Technical Support Department at support@qualys.com.

A release of QualysGuard® Web Application Scanning 2.4 with a new report creation API method will be available in production in the US on December 13*, 2012. This release is completely transparent to users and will require no scheduled downtime. The release will occur between 12 PM PST (20:00 GMT) and 12 AM PST (08:00 AM GMT next day).

 

*Update: Due to the recent identification of additional platform dependencies, the release date has been moved to December 13th to accommodate additional quality assurance testing and ensure a high quality release. We regret any inconvenience related to this change in schedule.

 

QualysGuard WAS 2.4 adds one new report creation method to the API services, which were first made available in the 2.2 release. This notification provides an early preview of this new method.

 

Report Creation API

The Report Creation API has been added to the WAS Report API so you can create WAS reports based on the security information collected by the most recent scans of your web applications. Using the Report Creation API you can create these reports: Web Application Report, Scan Report, Scorecard Report and Catalog Report. For each report you can choose one of these formats: HTML (ZIP), Web Archive (HTML), PDF, PDF Encrypted, XML, CSV, Microsoft Word (DOC) and PowerPoint (PPT).

 

Full details regarding these updates will be available in the WAS API User Guide on the day of the release.

 

Example: Create a web application report in encrypted PDF format, setting both tags and web applications for the target.

 

Request:

 

curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" -d @- "https://qualysapi.qualys.com/qps/rest/3.0/create/was/webapp_report" < file.xml

Note: “file.xml” contains the request POST data below:

 

Request POST Data:

 

<ServiceRequest>
  <data>
    <Report>
      <name><![CDATA[My Web Application Report]]></name>
      <description><![CDATA[A simple WebApp report]]></description>
      <format>PDF_ENCRYPTED</format>
      <password>PASSWORD</password>
      <distributionList>
        <set>
          <EmailAddress>EMAIL ADDRESS</EmailAddress>
          <EmailAddress>EMAIL ADDRESS</EmailAddress>
        </set>
      </distributionList>
      <type>WAS_WEBAPP_REPORT</type>
      <config>
        <webAppReport>
          <target>
            <tags>
              <Tag>
                <id>243130</id>
              </Tag>
              <Tag>
                <id>243132</id>
              </Tag>
            </tags>
            <webapps>
              <WebApp>
                <id>532510</id>
              </WebApp>
              <WebApp>
                <id>532601</id>
              </WebApp>
            </webapps>
          </target>
          <display>
            <contents>
              <WebAppReportContent>DESCRIPTION</WebAppReportContent>
              <WebAppReportContent>SUMMARY</WebAppReportContent>
              <WebAppReportContent>GRAPHS</WebAppReportContent>
              <WebAppReportContent>RESULTS</WebAppReportContent>
            </contents>
            <graphs>
              <WebAppReportGraph>VULNERABILITIES_BY_GROUP</WebAppReportGraph>
              <WebAppReportGraph>VULNERABILITIES_BY_OWASP</WebAppReportGraph>
              <WebAppReportGraph>VULNERABILITIES_BY_WASC</WebAppReportGraph>
            </graphs>
            <groups>
              <WebAppReportGroup>GROUP</WebAppReportGroup>
              <WebAppReportGroup>OWASP</WebAppReportGroup>
              <WebAppReportGroup>WASC</WebAppReportGroup>
            </groups>
            <options>
              <rawLevels>true</rawLevels>
            </options>
          </display>
          <filters>
            <searchlists>
              <SearchList>
                <id>43147</id>
              </SearchList>
            </searchlists>
            <url>http://www.mysite.com/help.html</url>
            <status>
              <WebAppFindingStatus>ACTIVE</WebAppFindingStatus>
              <WebAppFindingStatus>REOPENED</WebAppFindingStatus>
            </status>
          </filters>
        </webAppReport>
      </config>
    </Report>
  </data>
</ServiceRequest>

 

 

Response:

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/report.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Report>
      <id>2629</id>
    </Report>
  </data>
</ServiceResponse>
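As an added example serving the Report Creation API description in this post and in the EU notification above (it is not code from the original notifications or from Qualys), the following Python assembles the webapp_report request body programmatically instead of hand-editing file.xml: target tags and web applications, the optional distribution list and search-list filter, the finding-status filter, and the password that an encrypted PDF needs. Assumptions: the helper names (build_webapp_report_request, created_report_id) are mine; only the two format identifiers shown on this page (PDF_ENCRYPTED, HTML_BASE64) and the plain PDF value from the prose are used; the password value and e-mail address in the usage are placeholders; and the creation response is a constructed copy of the sample above.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the creation response shown above; not a live response.
SAMPLE_CREATE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/report.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Report>
      <id>2629</id>
    </Report>
  </data>
</ServiceResponse>
"""


def _id_list(parent, wrapper, item, ids):
    """Append <wrapper><item><id>..</id></item>...</wrapper> under parent."""
    wrap = ET.SubElement(parent, wrapper)
    for value in ids:
        ET.SubElement(ET.SubElement(wrap, item), "id").text = str(int(value))


def build_webapp_report_request(name, fmt, tag_ids=(), webapp_ids=(), password=None,
                                recipients=(), description=None,
                                search_list_ids=(), statuses=("ACTIVE", "REOPENED")):
    """Serialize the POST body for /create/was/webapp_report.

    Two client-side checks run before anything leaves the host: an encrypted
    PDF without a password, and a report with no target at all.
    """
    if fmt == "PDF_ENCRYPTED" and not password:
        raise ValueError("PDF_ENCRYPTED requires a <password> element")
    if not tag_ids and not webapp_ids:
        raise ValueError("target needs at least one tag id or web application id")

    req = ET.Element("ServiceRequest")
    rep = ET.SubElement(ET.SubElement(req, "data"), "Report")
    ET.SubElement(rep, "name").text = name  # ElementTree escapes text; no CDATA needed
    if description:
        ET.SubElement(rep, "description").text = description
    ET.SubElement(rep, "format").text = fmt
    if password:
        ET.SubElement(rep, "password").text = password
    if recipients:
        dist = ET.SubElement(ET.SubElement(rep, "distributionList"), "set")
        for addr in recipients:
            ET.SubElement(dist, "EmailAddress").text = addr
    ET.SubElement(rep, "type").text = "WAS_WEBAPP_REPORT"

    war = ET.SubElement(ET.SubElement(rep, "config"), "webAppReport")
    target = ET.SubElement(war, "target")
    if tag_ids:
        _id_list(target, "tags", "Tag", tag_ids)
    if webapp_ids:
        _id_list(target, "webapps", "WebApp", webapp_ids)

    filters = ET.SubElement(war, "filters")
    if search_list_ids:
        _id_list(filters, "searchlists", "SearchList", search_list_ids)
    status = ET.SubElement(filters, "status")
    for st in statuses:
        ET.SubElement(status, "WebAppFindingStatus").text = st
    return ET.tostring(req, encoding="unicode")


def created_report_id(xml_text):
    """Return the id of the report the service created, or raise on failure."""
    root = ET.fromstring(xml_text)
    code = root.findtext("responseCode")
    if code != "SUCCESS":
        raise RuntimeError(f"report creation failed with responseCode {code}")
    return int(root.findtext("data/Report/id"))


if __name__ == "__main__":
    body = build_webapp_report_request(
        "My Web Application Report", "PDF_ENCRYPTED",
        tag_ids=[243130, 243132], webapp_ids=[532510, 532601],
        password="REPORT-PASSWORD-PLACEHOLDER",       # placeholder, not a real value
        recipients=["recipient@example.com"],         # placeholder address
        description="A simple WebApp report", search_list_ids=[43147])
    print(body)
    print("created report id:", created_report_id(SAMPLE_CREATE_RESPONSE))
```

The generated body carries the report password, and the curl invocation above carries the account credentials in -u on the command line; both end up in shell history and in the process list if they are typed interactively. When the script is automated, write the body to a file with restrictive permissions and let curl read the credentials from a netrc file (curl --netrc) rather than from the argument list.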

 

 

 

To receive more information on QualysGuard WAS 2.4, please visit the Qualys Community at https://community.qualys.com or contact your Technical Account Manager or Qualys' Technical Support Department at support@qualys.com.