132 posts tagged with the was tag
fmc

Qualys WAS 4.5 New Features

Posted by fmc in Qualys Technology on Jan 11, 2016

As a follow-up to our recent major release, Qualys Web Application Scanning (WAS) 4.3, and our last release, WAS 4.4, we have added a few new features, tweaks and clarifications in WAS 4.5 that allow further optimization of scans, with some optimizations to Progressive Scanning in particular. Customers can also now receive more comprehensive CSV reporting on their scans. This allows customers to continue to deliver targeted web application security metrics to all stakeholders while ensuring a successful web application security program meets all organizational protection demands.

 

Feature Highlights

  • Display WAS Engine Version in the WAS UI
  • Condense and clarify CSV reporting
  • Additional Progressive Scanning option for a single scan when in multi-scan mode
  • Increased default scan error threshold values while still allowing customization

 

* Please review attached release notes for all details.

 

Releases are announced 15 days before the deployment date on the Platform Status page.

A new release of Qualys WAS, Version 4.5, which includes API updates and updated report formats, is targeted for release in January. The specific day will differ depending on the platform. Platform release dates will be published on the Qualys Status page when available. The updated APIs for WAS 4.5 give you more ways to integrate your programs and API calls with Web Application Scanning (WAS).

 

The Qualys WAS API 4.5 gives you more ways to integrate your programs and API calls with Web Application Scanning (WAS). Looking for our API user guides? Just log in to your account and go to Help > Resources.

 

What’s New

  • Scan API - default authentication for scans
  • Search Scan API - new CANCELED keyword
  • Finding API - payloads element removed from XSD
  • JSON Support
  • Condensed CSV output for Web App and Scan Reports

 

Please see the attached PDF for all API details and changes including examples and API base URLs.

A new release of Qualys WAS, Version 4.5, which includes API updates and updated report formats, is targeted for release in January. The specific day will differ depending on the platform. See platform release dates for more information. The updated APIs for WAS 4.5 give you more ways to integrate your programs and API calls with Web Application Scanning (WAS).

 

What’s New

  1. Search Scan API - new CANCELED keyword
  2. Condensed CSV output for Web App and Scan Reports

 

Search Scan API - new CANCELED keyword

The Search Scan API allows you to search for scans that have been canceled. We updated the Criteria “status” keyword to CANCELED to make it consistent with the WAS application (in previous releases it was CANCELLED).

 

Affected API: /qps/rest/3.0/search/was/scan/

Updated XSD: scan.xsd, wasscan.xsd

 

Condensed CSV output for Web App and Scan Reports

Now you’ll get more condensed versions of your Web Application Reports and Scan Reports in CSV format. The reports display each vulnerability and sensitive content using a single line.

 

 

Looking for our API user guides? Just log in to your account and go to Help > Resources.

 

Please see the attached PDF for all API details and changes including examples and API base URLs.

A new release of Qualys Cloud Agent Platform v1.3.1 and Qualys Web Application Scanning v4.4 is scheduled to be released in production on the Qualys US Platform 1 on December 7, 2015 between 10:30 AM PST (18:30 UTC) and 5:00 PM PST (01:00 UTC next day).

 

The deployment is completely transparent to users and will require no downtime.

 

To receive notifications by email, please subscribe at US Platform 1.


For details on the new features, see:

  • Qualys Cloud Agent Platform 1.3.1: This is a patch release to the platform UI and data processing for Agent-related capabilities. It includes several improvements to the display of existing data for Agent data sources, along with many usability and performance improvements for Agent Management and AssetView.
  • Qualys WAS 4.4 API Release Notification
  • Qualys WAS 4.4 New Features

A new release of Qualys Cloud Agent Platform v1.3.1 and Qualys Web Application Scanning v4.4 is scheduled to be released in production on the Qualys US Platform 2 on December 1, 2015 between 10:30 AM PST (18:30 UTC) and 5:00 PM PST (01:00 UTC next day).

 

The deployment is completely transparent to users and will require no downtime.

 

To receive notifications by email, please subscribe at US Platform 2.


For details on the new features, see:

  • Qualys Cloud Agent Platform 1.3.1: This is a patch release to the platform UI and data processing for Agent-related capabilities. It includes several improvements to the display of existing data for Agent data sources, along with many usability and performance improvements for Agent Management and AssetView.
  • Qualys WAS 4.4 API Release Notification
  • Qualys WAS 4.4 New Features

A new release of Qualys Cloud Agent Platform v1.3.1 and Qualys Web Application Scanning v4.4 is scheduled to be released in production on the Qualys EU Platform on 2 December, 2015 between 18:30 UTC and 01:00 UTC next day.

 

The deployment is completely transparent to users and will require no downtime.

 

To receive notifications by email, please subscribe at EU Platform.


For details on the new features, see:

  • Qualys Cloud Agent Platform 1.3.1: This is a patch release to the platform UI and data processing for Agent-related capabilities. It includes several improvements to the display of existing data for Agent data sources, along with many usability and performance improvements for Agent Management and AssetView.
  • Qualys WAS 4.4 API Release Notification
  • Qualys WAS 4.4 New Features
fmc

Qualys WAS 4.4 New Features

Posted by fmc in Qualys Technology on Nov 16, 2015

As a follow-up to our recent major release, WAS 4.3, we have added a few new features, tweaks and clarifications in WAS 4.4 that allow further customization of scans. Customers can also now receive clearer and enhanced feedback on the behavior and coverage of their scans. This will also allow customers to continue to deliver targeted web application security metrics to all stakeholders while ensuring a successful web application security program meets all organizational protection demands.

 

Feature highlights include:

 

  • Report Templates - We have added a run action in preview button
  • We have removed non-expiring reports for the WAS purge feature
  • We now publish information on the user who canceled a scan
  • Clarification and support for server error thresholds before stopping a scan
  • WAS Scan Emails - Include Qualys username in the recipients email

 

 

Report Templates - We have added a run action in preview button

 

The report template datalist provides a quick run action that lets users run a report using the selected template. This is the most logical action for this object, but it was somewhat hidden, since you needed to open the Actions menu to find it. We have therefore made the report template run action more visible, so that users can launch reports more easily.


We have removed non-expiring reports for the WAS purge feature

 

With a previous reporting feature released with WAS 3.0 we allowed users to create reports of their web applications before they deleted or purged them.

These reports were unique: all other reports generated in the application expired after a specific number of days, but these did not. The intent was to let users keep a history of all their web applications, but it led to unwanted and excessive data storage.

 

Web Application Purge Confirmation Dialog

 

The purge confirmation dialog has been updated to add a note that the report to be generated will expire in a specific number of days; the number being defined by the customer’s WAS module setting Report Life Time. Please note, by default this is set to 7 days.


Report Generation

 

The generation of the report remains the same. The only change is that reports are no longer marked as non-expiring. A look at the preview panel confirms that the report will indeed expire.



Web Application Delete Confirmation Dialog

 

The same changes apply for this dialog, where the layout has been updated to better distinguish the sections. Also a note has been added to notify users that the report to be generated will expire.


Existing Non-Expiring Reports

 

This feature will impact existing reports that do not expire, by updating their status to make them expire 30 days after the release of this feature in production.

 

Notification

 

To make sure that all users may see this information, a notification will be added for 30 days after the release to explain that the reports that did not have an expiration date will now expire in 30 days, and that users should make sure to download them if they wish to keep them.



We now publish information on the user who canceled a scan

 

When a scan was canceled, we previously displayed the status as canceled and recorded who canceled the scan only in the action log; this information was not shown when viewing the scan details in the main scan dialog panel. The scan details now show the user who canceled the scan.


 

Clarification and support for server error thresholds before stopping a scan

 

Web applications can return different kinds of server side error or error indicators during a WAS scan. Some of these are a sign of the server possibly getting overloaded (or unresponsive) due to the scan behavior or an alternate condition.

 

Customers have had different expectations about how the WAS engine should react to these server errors, and have asked us for better controls over whether to stop a scan on such errors and for a customizable threshold for such conditions. Two new options are now provided to the end user:

  • Stop on timeout errors more than 20 (customizable)
  • Stop on unexpected errors more than 48 (customizable)


 

WAS Scan Emails - Include Qualys username in the recipients email

 

When sending WAS scan emails, we now show each recipient's name and username from their Qualys account, where this data can be extracted.

 

When sending a scan completion email, the list of recipients now displays the account name along with the email address, using the format

 

email address <account name>

 

The account name value will depend on if one or more accounts are found for the same email address:

 

If only one account is found, the account name will be "user first name, user last name, username".

 

Ex: John Doe (quays_jd01)

 

If more than one account is found for an email address, the account name value consists of just the usernames of the accounts, separated by commas.

 

Ex: quays_ty5,quays_tq58,quays_ty4
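The recipient display rule described above, as an added example (not Qualys code): a small Python helper that produces the "email address <account name>" string for the single-account and multi-account cases from the release notes. The sample accounts are constructed, and the fallback for an address with no matching account (the bare email) is an assumption, not something the notes specify.

```python
# Added example, not Qualys code. The "email address <account name>" layout, the
# single-account form "First Last (username)" and the comma-joined usernames for
# shared addresses come from the release notes; the no-match fallback is assumed.

def format_account_name(accounts):
    """Return the <account name> part for one email address.

    accounts: list of dicts with keys first_name, last_name, username, in the
    order the service found them. Returns None when no account matched.
    """
    if not accounts:
        return None
    if len(accounts) == 1:
        a = accounts[0]
        return f"{a['first_name']} {a['last_name']} ({a['username']})"
    # More than one account shares the address: only usernames, comma-separated.
    return ",".join(a["username"] for a in accounts)


def format_recipient(email, accounts):
    """Full recipient entry; assumed fallback: bare email when nothing matched."""
    name = format_account_name(accounts)
    return email if name is None else f"{email} <{name}>"


def format_recipient_list(recipients):
    """recipients: dict email -> list of matching accounts.
    Sorted by email so the list in the notification is stable across runs."""
    return [format_recipient(e, recipients[e]) for e in sorted(recipients)]


# Constructed sample input modelled on the two examples in the release notes.
SAMPLE_RECIPIENTS = {
    "jdoe@example.com": [
        {"first_name": "John", "last_name": "Doe", "username": "quays_jd01"},
    ],
    "team@example.com": [
        {"first_name": "Tom", "last_name": "Young", "username": "quays_ty5"},
        {"first_name": "Tina", "last_name": "Quinn", "username": "quays_tq58"},
        {"first_name": "Ted", "last_name": "Yang", "username": "quays_ty4"},
    ],
    "nobody@example.com": [],
}

if __name__ == "__main__":
    for line in format_recipient_list(SAMPLE_RECIPIENTS):
        print(line)
```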

WAS API 4.4 includes improvements, giving you more ways to integrate your programs and API calls with Web Application Scanning (WAS). Looking for our API user guides? Just log in to your account and go to Help > Resources.

 

What’s New

  • Option Profile API - Support for server error thresholds before stopping a scan
  • Scan API - Scan information now includes user who canceled a scan

 

Tell me about the base URL 

Our documentation and sample code use the API server URL for US Platform 1. Do you have another base URL? If yes, please use it instead.


Account Login      Base URL
US Platform 1      https://qualysapi.qualys.com/
US Platform 2      https://qualysapi.qg2.apps.qualys.com/
EU Platform        https://qualysapi.qualys.eu

 

Option Profile API - Support for server error thresholds before stopping a scan


Web applications can return different kinds of server side errors or error indicators during a WAS scan. Some of these are a sign that the server is possibly getting overloaded (or unresponsive) due to the scan behavior or another condition.


With this release we’ve added new controls to stop a scan on such errors and customize a threshold for conditions in the option profile: Timeout Error Threshold (default is 20) and Unexpected Error Threshold (default is 48). You can customize the threshold values and disable them by setting to 0.


Updated XSD: optionprofile.xsd


Option Profile CREATE API


1) Create Option Profile - with no error threshold specified (default values applied)


API Request:


curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/create/was/optionprofile/" < file.xml

 

Note: “file.xml” contains the request POST data.


Request POST Data:


<ServiceRequest>
   <data>
      <OptionProfile>
         <name><![CDATA[My OP - with no error threshold specified]]></name>
      </OptionProfile>
   </data>
</ServiceRequest>

 

XML response:


<?xml version="1.0" encoding="UTF-8"?>

<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/optionprofile.xsd">

    <responseCode>SUCCESS</responseCode>

    <count>1</count>

    <data>

        <OptionProfile>

            <id>451935</id>

            <name>

                <![CDATA[My OP - with no error threshold specified]]>

            </name>

            <owner>

                <id>4354</id>

                <username>acme_ak1</username>

                <firstName>

                    <![CDATA[Amy]]>

                </firstName>

                <lastName>

                    <![CDATA[Kim]]>

                </lastName>

            </owner>

            <isDefault>false</isDefault>

            <tags>

                <count>0</count>

            </tags>

            <formSubmission>BOTH</formSubmission>

            <maxCrawlRequests>300</maxCrawlRequests>

            <timeoutErrorThreshold>20</timeoutErrorThreshold>

            <unexpectedErrorThreshold>48</unexpectedErrorThreshold>

            <parameterSet>

                <id>0</id>

                <name>

                    <![CDATA[Initial Parameters]]>

                </name>

            </parameterSet>

            <ignoreBinaryFiles>false</ignoreBinaryFiles>

            <performance>LOW</performance>

            <bruteforceOption>MINIMAL</bruteforceOption>

            <comments>

                <count>0</count>

            </comments>

            <sensitiveContent>

                <creditCardNumber>false</creditCardNumber>

                <socialSecurityNumber>false</socialSecurityNumber>

            </sensitiveContent>

            <createdDate>2015-11-05T00:49:11Z</createdDate>

            <createdBy>

                <id>4354</id>

                <username>acme_ak1</username>

                <firstName>

                    <![CDATA[Amy]]>

                </firstName>

                <lastName>

                    <![CDATA[Kim]]>

                </lastName>

            </createdBy>

            <updatedDate>2015-11-05T00:49:11Z</updatedDate>

            <updatedBy>

                <id>4354</id>

                <username>acme_ak1</username>

                <firstName>

                    <![CDATA[Amy]]>

                </firstName>

                <lastName>

                    <![CDATA[Kim]]>

                </lastName>

            </updatedBy>

        </OptionProfile>

    </data>

</ServiceResponse>

 

2) Create Option Profile - with custom error threshold values


API Request:


curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/create/was/optionprofile/" < file.xml

 

Note: “file.xml” contains the request POST data.


Request POST Data:


<ServiceRequest>
   <data>
      <OptionProfile>
         <name><![CDATA[My OP - with custom error threshold]]></name>
         <timeoutErrorThreshold>22</timeoutErrorThreshold>
         <unexpectedErrorThreshold>50</unexpectedErrorThreshold>
      </OptionProfile>
   </data>
</ServiceRequest>

 

XML response:


<?xml version="1.0" encoding="UTF-8"?>

<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/optionprofile.xsd">

    <responseCode>SUCCESS</responseCode>

    <count>1</count>

    <data>

        <OptionProfile>

            <id>454733</id>

            <name>

                <![CDATA[My OP - with custom error threshold]]>

            </name>

            <owner>

                <id>4354</id>

                <username>acme_ak1</username>

                <firstName>

                    <![CDATA[Amy]]>

                </firstName>

                <lastName>

                    <![CDATA[Kim]]>

                </lastName>

            </owner>

            <isDefault>false</isDefault>

            <tags>

                <count>0</count>

            </tags>

            <formSubmission>BOTH</formSubmission>

            <maxCrawlRequests>300</maxCrawlRequests>

            <timeoutErrorThreshold>22</timeoutErrorThreshold>

            <unexpectedErrorThreshold>50</unexpectedErrorThreshold>

            <parameterSet>

                <id>0</id>

                <name>

                    <![CDATA[Initial Parameters]]>

                </name>

            </parameterSet>

            <ignoreBinaryFiles>false</ignoreBinaryFiles>

            <performance>LOW</performance>

            <bruteforceOption>MINIMAL</bruteforceOption>

            <comments>

                <count>0</count>

            </comments>

            <sensitiveContent>

                <creditCardNumber>false</creditCardNumber>

                <socialSecurityNumber>false</socialSecurityNumber>

            </sensitiveContent>

            <createdDate>2015-11-12T00:00:23Z</createdDate>

            <createdBy>

...

 

3) Create Option Profile - with custom error threshold values as 0, to disable settings


API Request:


curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/create/was/optionprofile/" < file.xml

 

Note: “file.xml” contains the request POST data.


Request POST Data:


<ServiceRequest>
   <data>
      <OptionProfile>
         <name><![CDATA[My OP - with no threshold specified]]></name>
         <timeoutErrorThreshold>0</timeoutErrorThreshold>
         <unexpectedErrorThreshold>0</unexpectedErrorThreshold>
      </OptionProfile>
   </data>
</ServiceRequest>

 

XML response:

<?xml version="1.0" encoding="UTF-8"?>

<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/optionprofile.xsd">

    <responseCode>SUCCESS</responseCode>

    <count>1</count>

    <data>

        <OptionProfile>

            <id>453133</id>

            <name>

                <![CDATA[My OP - with no threshold specified]]>

            </name>

            <owner>

                <id>4354</id>

                <username>acme_ak1</username>

                <firstName>

                    <![CDATA[Amy]]>

                </firstName>

                <lastName>

                    <![CDATA[Kim]]>

                </lastName>

            </owner>

            <isDefault>false</isDefault>

            <tags>

                <count>0</count>

            </tags>

            <formSubmission>BOTH</formSubmission>

            <maxCrawlRequests>300</maxCrawlRequests>

            <parameterSet>

                <id>0</id>

                <name>

                    <![CDATA[Initial Parameters]]>

                </name>

            </parameterSet>

            <ignoreBinaryFiles>false</ignoreBinaryFiles>

            <performance>LOW</performance>

            <bruteforceOption>MINIMAL</bruteforceOption>

            <comments>

                <count>0</count>

            </comments>

            <sensitiveContent>

                <creditCardNumber>false</creditCardNumber>

                <socialSecurityNumber>false</socialSecurityNumber>

            </sensitiveContent>

            <createdDate>2015-11-07T01:29:24Z</createdDate>

            <createdBy>

...

 

Option Profile UPDATE API


Update Option Profile - with custom threshold values


API Request:


curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/update/was/optionprofile/452933" < file.xml

 

Note: “file.xml” contains the request POST data.


Request POST Data:


<ServiceRequest>
   <data>
      <OptionProfile>
         <name><![CDATA[My OP - with custom threshold values]]></name>
         <timeoutErrorThreshold>200</timeoutErrorThreshold>
         <unexpectedErrorThreshold>20</unexpectedErrorThreshold>
      </OptionProfile>
   </data>
</ServiceRequest>

 

XML response:

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/optionprofile.xsd">
    <responseCode>SUCCESS</responseCode>
    <count>1</count>
    <data>
        <OptionProfile>
            <id>452933</id>
        </OptionProfile>
    </data>
</ServiceResponse>

 

Option Profile GET API


GET Option Profile - with custom threshold values


API Request:


curl -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/qps/rest/3.0/get/was/optionprofile/452933"

 



XML response:


<?xml version="1.0" encoding="UTF-8"?>

<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/optionprofile.xsd">

    <responseCode>SUCCESS</responseCode>

    <count>1</count>

    <data>

        <OptionProfile>

            <id>452933</id>

            <name>

                <![CDATA[My OP - with custom threshold values]]>

            </name>

            <owner>

                <id>4354</id>

                <username>acme_ak1</username>

                <firstName>

                    <![CDATA[Amy]]>

                </firstName>

                <lastName>

                    <![CDATA[Kim]]>

                </lastName>

            </owner>

            <isDefault>false</isDefault>

            <tags>

                <count>0</count>

            </tags>

            <formSubmission>BOTH</formSubmission>

            <maxCrawlRequests>300</maxCrawlRequests>

            <timeoutErrorThreshold>200</timeoutErrorThreshold>

            <unexpectedErrorThreshold>20</unexpectedErrorThreshold>

            <parameterSet>

                <id>0</id>

                <name>

                    <![CDATA[Initial Parameters]]>

                </name>

            </parameterSet>

            <ignoreBinaryFiles>false</ignoreBinaryFiles>

            <performance>LOW</performance>

            <bruteforceOption>MINIMAL</bruteforceOption>

            <comments>

                <count>0</count>

            </comments>

            <sensitiveContent>

                <creditCardNumber>false</creditCardNumber>

                <socialSecurityNumber>false</socialSecurityNumber>

            </sensitiveContent>

            <createdDate>2015-11-05T21:54:17Z</createdDate>

            <createdBy>

                <id>4354</id>

                <username>acme_ak1</username>

                <firstName>

                    <![CDATA[Amy]]>

                </firstName>

                <lastName>

                    <![CDATA[Kim]]>

                </lastName>

            </createdBy>

            <updatedDate>2015-11-12T00:04:15Z</updatedDate>

            <updatedBy>

                <id>4354</id>

                <username>acme_ak1</username>

                <firstName>

                    <![CDATA[Amy]]>

                </firstName>

                <lastName>

                    <![CDATA[Kim]]>

                </lastName>

            </updatedBy>

        </OptionProfile>

    </data>

</ServiceResponse>
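The CREATE, UPDATE and GET calls above all exchange the same OptionProfile element, so one client-side helper covers them. The following Python is an added example, not Qualys code or documentation: it serializes the ServiceRequest body with optional timeoutErrorThreshold / unexpectedErrorThreshold values (0 disables, None leaves the element out so the service applies its default) and parses the thresholds back out of a ServiceResponse. The element names, the 20 / 48 defaults and the "0 disables" rule come from the release notes; the sample responses are constructed, modelled on the CREATE examples above. One caveat the page's own output shows: a threshold created as 0 is omitted from the response (example 3), and the UPDATE response carries only the id, so the parser reports an absent element as None rather than substituting the default.

```python
# Added example, not Qualys code or documentation. Element names, the defaults
# (timeout 20, unexpected 48) and "0 disables" are from the release notes above;
# the sample responses are constructed, modelled on the page's CREATE examples.
import xml.etree.ElementTree as ET
from typing import Optional, Union

DEFAULT_TIMEOUT_ERROR_THRESHOLD = 20
DEFAULT_UNEXPECTED_ERROR_THRESHOLD = 48


def _check_threshold(value: Optional[int]) -> None:
    # bool is an int subclass; reject it explicitly so True/False are never sent as 1/0.
    if value is not None and (isinstance(value, bool) or not isinstance(value, int) or value < 0):
        raise ValueError("thresholds must be non-negative integers (0 disables the check)")


def build_option_profile_request(name: str,
                                 timeout_error_threshold: Optional[int] = None,
                                 unexpected_error_threshold: Optional[int] = None) -> bytes:
    """Serialize the ServiceRequest body for the option profile CREATE/UPDATE calls.

    None omits the element so the service applies its default; 0 disables that check.
    ElementTree escapes the name rather than wrapping it in CDATA, which is equivalent XML.
    """
    _check_threshold(timeout_error_threshold)
    _check_threshold(unexpected_error_threshold)
    root = ET.Element("ServiceRequest")
    profile = ET.SubElement(ET.SubElement(root, "data"), "OptionProfile")
    ET.SubElement(profile, "name").text = name
    if timeout_error_threshold is not None:
        ET.SubElement(profile, "timeoutErrorThreshold").text = str(timeout_error_threshold)
    if unexpected_error_threshold is not None:
        ET.SubElement(profile, "unexpectedErrorThreshold").text = str(unexpected_error_threshold)
    return ET.tostring(root, encoding="utf-8")


def expected_thresholds(timeout_error_threshold: Optional[int] = None,
                        unexpected_error_threshold: Optional[int] = None) -> dict:
    """What a CREATE should echo back: an omitted threshold gets the default (page example 1)."""
    return {
        "timeoutErrorThreshold": DEFAULT_TIMEOUT_ERROR_THRESHOLD
        if timeout_error_threshold is None else timeout_error_threshold,
        "unexpectedErrorThreshold": DEFAULT_UNEXPECTED_ERROR_THRESHOLD
        if unexpected_error_threshold is None else unexpected_error_threshold,
    }


def parse_option_profile_response(doc: Union[str, bytes]) -> dict:
    """Extract id, name and both thresholds from a ServiceResponse.

    An absent threshold element is reported as None, not as the default: in the page's
    third CREATE example a threshold set to 0 is simply left out of the response, and
    the UPDATE response carries only the id.
    """
    if isinstance(doc, str):
        doc = doc.encode("utf-8")
    root = ET.fromstring(doc)
    code = root.findtext("responseCode")
    if code != "SUCCESS":
        raise RuntimeError(f"API call failed: responseCode={code}")
    profile = root.find("data/OptionProfile")
    if profile is None:
        raise RuntimeError("response has no OptionProfile element")

    def threshold(tag: str) -> Optional[int]:
        text = profile.findtext(tag)
        return int(text.strip()) if text is not None else None

    return {
        "id": int(profile.findtext("id").strip()),
        "name": (profile.findtext("name") or "").strip(),
        "timeoutErrorThreshold": threshold("timeoutErrorThreshold"),
        "unexpectedErrorThreshold": threshold("unexpectedErrorThreshold"),
    }


def describe_threshold(value: Optional[int]) -> str:
    """Human-readable meaning of a parsed threshold value."""
    if value is None:
        return "not reported in response"
    return "disabled" if value == 0 else f"stop scan after {value} errors"


# Constructed responses modelled on CREATE examples 2 and 3 above (ids/names are the page's).
SAMPLE_CUSTOM = b"""<ServiceResponse>
  <responseCode>SUCCESS</responseCode><count>1</count>
  <data><OptionProfile>
    <id>454733</id>
    <name><![CDATA[My OP - with custom error threshold]]></name>
    <timeoutErrorThreshold>22</timeoutErrorThreshold>
    <unexpectedErrorThreshold>50</unexpectedErrorThreshold>
  </OptionProfile></data>
</ServiceResponse>"""

SAMPLE_DISABLED = b"""<ServiceResponse>
  <responseCode>SUCCESS</responseCode><count>1</count>
  <data><OptionProfile>
    <id>453133</id>
    <name><![CDATA[My OP - with no threshold specified]]></name>
  </OptionProfile></data>
</ServiceResponse>"""

if __name__ == "__main__":
    print(build_option_profile_request("My OP - with custom error threshold", 22, 50).decode())
    for sample in (SAMPLE_CUSTOM, SAMPLE_DISABLED):
        p = parse_option_profile_response(sample)
        print(p["id"], p["name"], "| timeout:", describe_threshold(p["timeoutErrorThreshold"]),
              "| unexpected:", describe_threshold(p["unexpectedErrorThreshold"]))
```

Pipe the bytes returned by build_option_profile_request into the curl --data-binary @- call shown above, and compare the parsed CREATE response against expected_thresholds() to confirm the profile was stored as intended before launching scans with it.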

 

 

Scan API - Scan information now includes user who canceled a scan


Previously we did not provide information on the user who canceled a scan. We’ve updated the XML output for the Scan SEARCH API and Scan GET API.


Updated XSD: scan.xsd, wasscan.xsd


Scan SEARCH API


Search response shows user who canceled a scan


API request:


curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/search/wasscan/" < file.xml

 

Note: “file.xml” contains the request POST data.


Request POST Data:


<ServiceRequest>
   <filters>
      <Criteria field="id" operator="IN">1447989</Criteria>
   </filters>
</ServiceRequest>

 

XML output:

<?xml version="1.0" encoding="UTF-8"?>

<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/scan.xsd">

    <responseCode>SUCCESS</responseCode>

    <count>1</count>

    <hasMoreRecords>false</hasMoreRecords>

    <data>

        <WasScan>

            <id>1447989</id>

            <name>

                <![CDATA[My Vulnerability Scan]]>

            </name>

            <reference>was/1446408743390.1856849</reference>

            <type>VULNERABILITY</type>

            <mode>ONDEMAND</mode>

            <multi>false</multi>

            <target>

                <webApp>

                    <id>2431279</id>

                    <name>

                        <![CDATA[127.0.0.1]]>

                    </name>

                    <url>

                        <![CDATA[http://127.0.0.1/]]>

                    </url>

                </webApp>

                <scannerAppliance>

                    <type>EXTERNAL</type>

                </scannerAppliance>

                <cancelOption>SPECIFIC</cancelOption>

            </target>

            <profile>

                <id>28147</id>

                <name>

                    <![CDATA[My Option Profile]]>

                </name>

            </profile>

            <launchedDate>2015-11-01T20:12:23Z</launchedDate>

            <launchedBy>

                <id>2226741</id>

                <username>acme_ak1</username>

                <firstName>

                    <![CDATA[Amy]]>

                </firstName>

                <lastName>

                    <![CDATA[Kim]]>

                </lastName>

            </launchedBy>

            <status>CANCELLED</status>

            <cancelMode>USER</cancelMode>

            <canceledBy>

                <id>9872437571</id>

                <username>acme_bb5</username>

            </canceledBy>

        </WasScan>

    </data>

</ServiceResponse>

 

Scan GET API


Get scan details shows user who canceled a scan


API request:


curl -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/qps/rest/3.0/get/was/wasscan/1447989"

 

XML output:


<?xml version="1.0" encoding="UTF-8"?>

<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/wasscan.xsd">

    <responseCode>SUCCESS</responseCode>

    <count>1</count>

    <data>

        <WasScan>

            <id>1447989</id>

            <name>

                <![CDATA[My Vulnerability Scan]]>

            </name>

            <reference>was/1446408743390.1856849</reference>

            <type>VULNERABILITY</type>

            <mode>ONDEMAND</mode>

            <progressiveScanning>false</progressiveScanning>

            <multi>false</multi>

            <target>

                <webApp>

                    <id>2431279</id>

                    <name>

                        <![CDATA[127.0.0.1]]>

                    </name>

                    <url>

                        <![CDATA[http://127.0.0.1/]]>

                    </url>

                </webApp>

                <scannerAppliance>

                    <type>EXTERNAL</type>

                </scannerAppliance>

                <cancelOption>SPECIFIC</cancelOption>

            </target>

            <profile>

                <id>28147</id>

                <name>

                    <![CDATA[My Option Profile]]>

                </name>

            </profile>

            <options>

                <count>15</count>

                <list>

                    <WasScanOption>

                        <name>My Authentication Record</name>

                        <value>

                            <![CDATA[None]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Unexpected Error Threshold</name>

                        <value>

                            <![CDATA[48]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Sensitive Content: Credit Card Numbers</name>

                        <value>

                            <![CDATA[false]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Performance Settings</name>

                        <value>

                            <![CDATA[MEDIUM]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Scanner Appliance</name>

                        <value>

                            <![CDATA[External]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Detection Scope</name>

                        <value>

                            <![CDATA[COMPLETE]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Crawling Form Submissions</name>

                        <value>

                            <![CDATA[NONE]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Bruteforce Settings</name>

                        <value>

                            <![CDATA[MINIMAL]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Option Profile Name</name>

                        <value>

                            <![CDATA[My Option Profile]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Maximum Crawling Links</name>

                        <value>

                            <![CDATA[300]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Timeout Error Threshold</name>

                        <value>

                            <![CDATA[20]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Web Application Name</name>

                        <value>

                            <![CDATA[127.0.0.1]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Request Parameter Set</name>

                        <value>

                            <![CDATA[Initial Parameters]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Sensitive Content: Social Security Numbers (US)</name>

                        <value>

                            <![CDATA[false]]>

                        </value>

                    </WasScanOption>

                    <WasScanOption>

                        <name>Target URL</name>

                        <value>

                            <![CDATA[http://127.0.0.1/]]>

                        </value>

                    </WasScanOption>

                </list>

            </options>

            <launchedDate>2015-11-01T20:12:23Z</launchedDate>

            <launchedBy>

                <id>2226741</id>

                <username>acme_ak1</username>

                <firstName>

                    <![CDATA[Amy]]>

                </firstName>

                <lastName>

                    <![CDATA[Kim]]>

                </lastName>

            </launchedBy>

            <status>CANCELLED</status>

            <cancelMode>USER</cancelMode>

            <canceledBy>

                <id>9872437571</id>

                <username>acme_bb5</username>

            </canceledBy>

            <sendMail>true</sendMail>

        </WasScan>

    </data>

</ServiceResponse>

fmc

Qualys WAS 4.3 New Features

Posted by fmc in Qualys Technology on Oct 19, 2015

It’s important to customize your web application scans just as much as your web applications. We get that. With Qualys WAS 4.3, organizations can now easily customize their scans further based on their web apps and the specific properties of each. Customers also now receive clearer and enhanced feedback on the behavior and coverage of their scans. This allows customers to continue to deliver targeted web application security metrics to all stakeholders while ensuring a successful web application security program meets the protection needs of the whole organization.

 

Feature Highlights

  • Override DNS for WAS Scans
  • Enhanced Support for Sitemap for Scans
  • Enhanced Patchable Detections Logic
  • Clarify Time Limit Exceeded and Time Limit Reached and Scan Timeout
  • Enhanced WAS Scan Reports
  • Implement Web Application Custom Attributes
  • User Customizable Mail Settings for When Scan is Launched
  • Enhance Tag Selection Component in WAS Module
  • WAS Search Lists - Deprecate Compliance Type options

 

Override DNS for WAS Scans

Our customers wanted to be able to override DNS for the FQDN included in the web application target specification. This allows customers to scan web apps that are still in development and have no DNS entry yet, or that have a different IP address in the development or QA environment than the one DNS returns (typically the production IP). Previously, customers would have had to stand up a special DNS server for the appliance to use in order to manipulate the target IP in these situations, and many of our customers are not able to do this. Most customers can just update the 'hosts' file on their local system to accomplish the DNS override for that system, but there was no way to do this for the Qualys appliance. Now, you can!

 

WAS UI > DNS Overrides Section

 

A new sub-tab under Configuration has been added to display the list of available DNS override records:


The DNS override list has the following actions available:

 

If the user has permission to create a new DNS override record, this button will be enabled.


 

This allows the user to edit an existing DNS override record.

 

The Preview Panel has the name of the DNS override, last updated by, last updated date, tags, and number of web applications associated with the record.

 

Clicking the number of web applications opens a new dialog listing the web applications associated with the record.

 

A new step has been added to the web application create/edit/view dialog to bind DNS override records to the web application. Only the selected records will be available when launching a scan or schedule for this web application.

 

The scan report will show the DNS override record name.

 

Enhanced Support for Sitemap for Scans

With this feature you can now display the sitemap results for a specific scan, exactly as is already done for web apps. Web application blacklists and whitelists can now be created from the directory tree!

 

From the Scan List, a new "View Sitemap" action can be launched when a scan is selected.

 

This Sitemap action is also accessible from the context menu.


Or from the Preview panel.

 

This action opens a Sitemap window in the same way as in the WebApp section, except that the data is taken from a scan result.

 

Enhanced Patchable Detections Logic

 

  1) Enable Add Patch action even when patch cannot be added

 

The WAS > Web Applications > Detections section allows users to add a virtual patch to a vulnerability. The contextual action "Install Patch" was, however, only enabled when the WAF module is enabled in the subscription and the web application has the WAF module provisioned. For most users this left the action disabled, with no way to understand why the feature was disabled.

We now enable the Install Patch action in the Detections datalist in all cases and explain to the user why the action cannot be performed. This lets users understand that they need to activate the WAF module to enhance their security.

 

When clicking the action, we display a dialog explaining that the user cannot add a patch because <the correct reason>, along with the steps needed to enable the feature.

 

When the WAF module is not enabled at all in the subscription, we display a dialog explaining that the WAF module first needs to be added to the subscription before virtual patches can be installed.

 

A description of the WAF module helps the user understand its goal, and a list of steps makes it clear what needs to be done to have the virtual patch feature available.


When the WAF module is enabled in the subscription but the web application on which the vulnerability was found is not yet provisioned on the WAF side, we explain to the user that the application now needs to be added to this module in order to apply the patch.

 

  2) Add Patchable Filter for WAS Detections

 

This feature provides customers a detection filter that shows only patchable or only non-patchable detections. This makes it much easier to apply virtual patches, instead of customers trying each detection and being confused as to why the option is not available for many entries in the list.

 

The datalist provides a new Patchable Status filter with the following options:

 

  1. Patchable - Show all detections for which the WAF module would be able to create a patch.
  2. Not Patchable - Show all detections that cannot be patched by Qualys WAF.



Clarify Time Limit Exceeded and Time Limit Reached and Scan Timeout

The "Time Limit Exceeded" status suggested that the scan went beyond the time limit, when in fact the scan was stopped at the time limit. This change clarifies that the scan did not go beyond the time limit set by the user.

 

We now display Time Limit Reached instead of Time Limit Exceeded in the following components:

  1. Status column
  2. Last Scan Status filter
  3. Preview Panel

 

The view dialog will also display the new Time Limit Reached value in its Overview panel.


We also display Time Limit Reached instead of Time Limit Exceeded in the following components:

    a. Last Scan Status

    b. Filter Preview Panel

 

Another issue that was raised is scans stopping before the end of the scan because they reached an internal threshold of target connection/timeout errors.

 

However, the UI reported the scan status as Finished, leading the user to think that the scan had thoroughly assessed the web application, which can cause confusion and frustration. This has been fixed. To support this, the WAS scan engine team has settled the critical error conditions for WAS scans, listing the different error cases that we have to support when monitoring a scan or processing scan results.



Enhanced WAS Scan Reports

Current scan reports display a status beside each detection, which corresponds to the status obtained when comparing the vulnerability detection among all the scans selected.

This means that when only one scan is selected, the status always displays NEW, which users misinterpret as a vulnerability newly discovered for the web application in that scan. This is now corrected!

 

The main changes are:

  1. For scan reports, we add a note to the Status filter explaining when this filter is effectively used
  2. Whenever possible, we do not show the Status filter options when only one scan is selected
  3. For any scan report generated with only one scan, we no longer add the finding status

 

The Scan Report view dialog adds, in the Filter step under Vulnerability Filters > State Filter, a notification block explaining its application context to users.

 

If only one scan is selected, the status options in the Filter step are replaced by a notification block explaining that the status filter has no meaning in this context.

 

When more than one scan is selected, we display the usual notification block explaining how the status is computed in scan reports.

 


Implement Web Application Custom Attributes

Users requested the ability to associate different information with each asset, such as their internal host ID. This feature changes the details of a web application to support custom attributes.

 

We removed the Information data section from the "Application details" of the web application dialog.

 

Asset details additions.


When you edit a web application that has previous business information data, these old field values are still displayed. To remove them, click the remove link. Saving deletes this old information, and it is no longer displayed the next time you edit.

 

Custom attributes filter results.

For this, we added a combobox to the left-hand filter results panel for "Custom Name Attribute". Below it is a search field used to find the associated "Custom Value Attribute". Both fields accept values that are not present in the datalist.




User Customizable Mail Settings for When Scan is Launched

After successful completion or cancellation of a scan, an email notification is sent to an email address or set of email addresses. You now have the ability to disable this, for example for automated testing purposes.

 

Scan settings editing step in the scan dialog:



Enhance Tag Selection Component in WAS Module

This feature enhances the current tag selection component used in the WAS Webapp/Scorecard reports so that it looks and works the same as the one implemented in VM and other modules, for consistency.

 

Example as follows:



WAS Search Lists - Deprecate Compliance Type Options

Compliance Type - PCI has been removed from Create/Edit Dynamic Search List dialog.

 

To open the advanced search panel:

  1. Launch Create Dynamic Search List > Go to Criteria tab > Set Criteria
  2. Click the Test button > Click the Advanced Search button

 

Please see attached screenshot:


Release Schedule

For details about the release dates for specific platforms and to subscribe to release notifications by email, please see the following:

A new release of Qualys WAS, Version 4.3 which includes API updates, is targeted for release in October. The specific day will differ depending on the platform.  See platform release dates for more information.  The updated APIs for WAS 4.3 enhance the ability to fully automate and integrate the Qualys WAS solution with other customer applications.  WAS APIs enable customers to perform all the major functions within WAS including creating web applications to scan, launching and scheduling scans, and running and retrieving reports.  The APIs enable custom integrations with GRC tools, bug tracking systems and web application firewalls (WAFs) just to name a few.

 

This API notification provides an early preview into the coming API changes in Qualys WAS 4.3, allowing you to proactively identify any changes that might be required for your automated scripts or programs that utilize the API methods.

 

Please refer to attached document ( WAS 4.3 API Release Notification.pdf ) for full details and examples with full XML output.

 

API Enhancements

 

  • Option Profile API - Update Owner
  • DNS Override Settings
  • Disable Scan Complete Notification
  • Custom Attributes for Web Apps

 

Option Profile API - Update Owner

 

The Option Profile API has been updated to allow users to update the option profile owner. A new owner / id element has been added.

 

API Request:

 

curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/update/was/optionprofile/123456" < file.xml

 

Note: “file.xml” contains the request POST data.

 

Request POST Data:

 

<ServiceRequest>

   <data>

      <OptionProfile>

         <owner><id>123456</id></owner>

      </OptionProfile>

   </data>

</ServiceRequest>

 

DNS Override Settings

 

For this release users can define DNS override settings and apply them to scans. We’ve made updates to multiple WAS APIs to support this capability. DNS override settings are defined using the WAS user interface. The mappings you define will override the DNS associated with the target web application URL.

 

WebApp API

 

Updated XSD: webapp.xsd

 

New section for WebApp CREATE and UPDATE

 

Assign DNS override settings, one or more records, to a web application when making requests to create and update web applications. Records are specified in the dnsOverrides section.

 

API request (CREATE):

 

curl -u "USERNAME:PASSWORD" -H "Content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/create/was/webapp/" < file.xml

 

Note: “file.xml” contains the request POST data.

 

Request POST data:

 

<ServiceRequest>
   <data>
      <WebApp>
         <name><![CDATA[My Web App]]></name>
         <url><![CDATA[http://test.com]]></url>
         <scope>ALL</scope>
         <defaultScanner>
            <type>EXTERNAL</type>
         </defaultScanner>
         <scannerLocked>false</scannerLocked>
         <dnsOverrides>
            <set>
               <DnsOverride>
                  <id>2022</id>
               </DnsOverride>
            </set>
         </dnsOverrides>
         <useRobots>IGNORE</useRobots>
         <useSitemap>false</useSitemap>
         <malwareMonitoring>false</malwareMonitoring>
      </WebApp>
   </data>
</ServiceRequest>

 

Updated response from WebApp GET


When a web application has default DNS override settings defined, the new dnsOverrides element lists the record(s) containing the DNS override settings.


API request:

 

curl -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/qps/rest/3.0/get/was/webapp/2508873"

 

Scan API

 

Updated XSD: scan.xsd, wasscan.xsd

 

New attribute for Scan LAUNCH

 

Use the new dnsOverride element to specify DNS override settings, one or more records.

 

API request:

 

curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @-  "https://qualysapi.qualys.com/qps/rest/3.0/launch/was/wasscan" < file.xml

Note: “file.xml” contains the request POST data.

 

Request POST data:

 

<ServiceRequest>

   <data>

      <WasScan>

         <name><![CDATA[Launch Scan from API with DNS Override)]]></name>

         <type>VULNERABILITY</type>

         <target>

            <webApp>

               <id>2461682</id>

            </webApp>

            <scannerAppliance>

               <type>EXTERNAL</type>

            </scannerAppliance>

            <dnsOverride><id>3220</id></dnsOverride>

         </target>

         <profile><id>395933</id></profile>

      </WasScan>

   </data>

</ServiceRequest>

 

Updated response from Scan GET

 

When a scan has DNS override settings defined, the dnsOverride element lists DNS override settings (record) to be used for scanning.

 

API request:

 

curl -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/qps/rest/3.0/get/was/wasscan/1381602"

 

Scan Schedule API

 

Updated XSD: schedule.xsd, wasscanschedule.xsd

 

New attribute for Schedule CREATE and UPDATE


Use the new dnsOverride element to specify DNS override settings.

 

API request (CREATE):

 

curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @-  "https://qualysapi.qualys.com/qps/rest/3.0/create/was/wasscanschedule" < file.xml

 

Request POST data:

 

<ServiceRequest>
   <data>
      <WasScanSchedule>
         <name><![CDATA[My Scan Schedule]]></name>
         <type>VULNERABILITY</type>
         <active>false</active>
         <scheduling>
            <!--<cancelTime>15:00</cancelTime> -->
            <cancelAfterNHours>7</cancelAfterNHours>
            <startDate>2013-09-30T13:11:00Z</startDate>
            <timeZone>
               <code>America/Dawson</code>
            </timeZone>
            <occurrenceType>ONCE</occurrenceType>
         </scheduling>
         <target>
            <webApp>
               <id>2461682</id>
            </webApp>
            <scannerAppliance>
               <type>EXTERNAL</type>
            </scannerAppliance>
            <cancelOption>DEFAULT</cancelOption>
            <dnsOverride><id>3220</id></dnsOverride>
         </target>
         <profile>
            <id>395933</id>
         </profile>
      </WasScanSchedule>
   </data>
</ServiceRequest>

 

API request (UPDATE):

 

curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @-  "https://qualysapi.qualys.com/qps/rest/3.0/update/was/wasscanschedule/340194" < file.xml

 

Request POST data:

 

<ServiceRequest>
   <data>
      <WasScanSchedule>
         <target>
            <dnsOverride><id>3220</id></dnsOverride>
         </target>
      </WasScanSchedule>
   </data>
</ServiceRequest>

 

Updated response from Schedule GET


When a scan schedule has DNS override settings defined, the dnsOverride element lists the DNS override settings to be used for scanning.

 

API request:

 

curl -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/qps/rest/3.0/get/was/wasscanschedule/340194" < file.xml

 

Request POST data:

 

<ServiceRequest>
   <data>
      <WasScanSchedule>
         <target>
            <dnsOverride><id>3220</id></dnsOverride>
         </target>
      </WasScanSchedule>
   </data>
</ServiceRequest>

 

Disable Scan Complete Notification

 

By default we’ll send email notifications to users when a scan completes. Now you can disable this notification when making a request to launch a scan or schedule a scan. Using the WAS API, just specify <sendMail>false</sendMail> in your scan or schedule request, as shown below.

 

Scan API Update

 

Updated XSD: scan.xsd, wasscan.xsd

 

New attribute for Scan LAUNCH

 

Use the new sendMail attribute to disable scan complete email notifications.

 

API request:

 

curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @-  "https://qualysapi.qualys.com/qps/rest/3.0/launch/was/wasscan" < file.xml

 

Note: “file.xml” contains the request POST data.

 

Request POST data:

 

<ServiceRequest>

  <data>

    <WasScan>

      <name><![CDATA[My Vulnerability Scan]]></name>

      <type>VULNERABILITY</type>

      <target>

        <webApp>

          <id>2376280</id>

        </webApp>

        <scannerAppliance>

          <type>EXTERNAL</type>

        </scannerAppliance>

        <cancelOption>DEFAULT</cancelOption>

      </target>

       <sendMail>false</sendMail>

    </WasScan>

  </data>

</ServiceRequest>

 

Update to Scan GET

 

New sendMail element in the XML output.

 

API request:

 

curl -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/qps/rest/3.0/get/was/wasscan/1382978"

 

Scan Schedule API

 

Updated XSD: schedule.xsd, wasscanschedule.xsd

 

New attribute for Schedule CREATE and UPDATE


Use the new sendMail attribute to disable scan complete email notifications.

 

API request (UPDATE):

 

curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @-  "https://qualysapi.qualys.com/qps/rest/3.0/update/was/wasscanschedule" < file.xml

 

Request POST data:

 

<ServiceRequest>
  <data>
    <WasScanSchedule>
      <notification>
        <active>true</active>
        <delay>
          <nb>4</nb>
          <scale>DAY</scale>
        </delay>
        <recipients>
          <set>
            <EmailAddress><![CDATA[name1@company.com]]></EmailAddress>
            <EmailAddress><![CDATA[name2@company.com]]></EmailAddress>
            <EmailAddress><![CDATA[name3@company.com]]></EmailAddress>
          </set>
        </recipients>
        <message><![CDATA[The schedule notification message]]></message>
      </notification>
      <sendMail>false</sendMail>
    </WasScanSchedule>
  </data>
</ServiceRequest>

 

Update to Schedule GET

 

New sendMail element in the XML output.

 

API request:

 

curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/get/was/wasscanschedule/1688" < file.xml

 

Custom Attributes for Web Apps


WAS 4.3 gives you the ability to assign custom attributes to your web applications. Using the WebApp API you can add, update and search custom attributes.

 

Web App API

 

Updated XSD: webapp.xsd

 

Web App SEARCH supports searching custom attributes

 

Search custom attributes using the new field attribute for the Criteria element.

 

API request:

 

curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/search/was/webapp" < file.xml

 

Note: “file.xml” contains the request POST data.

 

Request POST data (CONTAINS):

 

Find web applications that have a custom attribute named “Function” whose value contains “web” (case-insensitive search).

 

<ServiceRequest>

       <filters>

         <Criteria field="attributes" name="Function"  operator="CONTAINS">web</Criteria>

       </filters>

</ServiceRequest>

 

Request POST data (EQUALS):

 

Find web applications that have a custom attribute named “Function” whose value is equal to “web”.

 

<ServiceRequest>

       <filters>

         <Criteria field="attributes" name="Function" operator="EQUALS">web</Criteria>

       </filters>

</ServiceRequest>

 

Request POST data (NOT EQUALS):

 

Find web applications that have a custom attribute named “Function” whose value is not equal to “web”.

 

<ServiceRequest>

       <filters>

         <Criteria field="attributes" name="Function" operator="NOT EQUALS">web</Criteria>

       </filters>

</ServiceRequest>

 

New section for WebApp CREATE

 

When custom attributes are defined they appear in the XML output in the new attributes element.

 

API request (CREATE):

 

Create a new web app with custom attributes.

 

curl -u "USERNAME:PASSWORD" -H "Content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/create/was/webapp/" < file.xml

 

Note: “file.xml” contains the request POST data.

 

Request POST data:

 

<ServiceRequest>
  <data>
    <WebApp>
      <name><![CDATA[Custom Attribute via API]]></name>
      <url><![CDATA[http://funkytown.vuln.qa.qualys.com:80/updated_web_app_name/]]></url>
      <attributes>
        <set>
          <Attribute>
            <name>Custom key 1</name>
            <value><![CDATA[Custom value 1]]></value>
          </Attribute>
        </set>
      </attributes>
    </WebApp>
  </data>
</ServiceRequest>


New section for WebApp UPDATE

 

Add, update and remove attribute names and values using the new input attribute “attributes”.

 

API request (UPDATE sample 1):

 

Modify existing custom attribute value.

 

curl -u "USERNAME:PASSWORD" -H "Content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/update/was/webapp/2514679" < file.xml

 

Note: “file.xml” contains the request POST data.

 

Request POST data:

 

<ServiceRequest>
  <data>
    <WebApp>
      <attributes>
        <update>
          <Attribute>
            <name>Custom key 1</name>
            <value><![CDATA[Custom value 2]]></value>
          </Attribute>
        </update>
      </attributes>
    </WebApp>
  </data>
</ServiceRequest>

 

API request (UPDATE sample 2):

 

Add new custom attribute value.

 

curl -u "USERNAME:PASSWORD" -H "Content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/update/was/webapp/2514679" < file.xml

 

Note: “file.xml” contains the request POST data.

 

Request POST data:

 

<ServiceRequest>

  <data>

        <WebApp>

            <attributes>

                <add>

                    <Attribute>

                     <name>Custom key 3</name>

                     <value><![CDATA[Custom value 3]]></value>

                    </Attribute>

                </add>

            </attributes>

        </WebApp>

  </data>

</ServiceRequest>

 

API request (UPDATE sample 3):


Remove existing custom attribute value.

 

curl -u "USERNAME:PASSWORD" -H "Content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/3.0/update/was/webapp/2514679" < file.xml

 

Note: “file.xml” contains the request POST data.

 

Request POST data:

 

<ServiceRequest>

  <data>

        <WebApp>

            <attributes>

                <remove>

                    <Attribute>

                     <name>Custom key 3</name>

                    </Attribute>

                </remove>

            </attributes>

        </WebApp>

  </data>

</ServiceRequest>
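As an added example (not Qualys code), the following Python builds the custom-attribute SEARCH and UPDATE bodies shown above with the standard library and rejects operators the attributes field does not support before anything is sent. It emits escaped text rather than CDATA sections; an XML parser decodes both to the same value.

```python
import xml.etree.ElementTree as ET

# Operators documented above for the attributes Criteria field
ATTRIBUTE_OPERATORS = ("CONTAINS", "EQUALS", "NOT EQUALS")


def attribute_search_request(name, operator, value):
    """Build the Web App SEARCH body that filters on one custom attribute.

    Produces <Criteria field="attributes" name=... operator=...>value</Criteria>
    inside <ServiceRequest><filters>, the shape shown in the samples above.
    """
    if operator not in ATTRIBUTE_OPERATORS:
        raise ValueError(f"unsupported operator for attributes: {operator!r}")
    if not name:
        raise ValueError("attribute name must not be empty")
    root = ET.Element("ServiceRequest")
    filters = ET.SubElement(root, "filters")
    crit = ET.SubElement(filters, "Criteria",
                         field="attributes", name=name, operator=operator)
    crit.text = value
    return ET.tostring(root, encoding="unicode")


def attribute_update_request(add=None, update=None, remove=None):
    """Build the Web App UPDATE body for the attributes element.

    add / update are dicts {name: value}; remove is a list of names, since a
    removal carries only <name> (UPDATE sample 3 above).
    """
    if not (add or update or remove):
        raise ValueError("nothing to change")
    root = ET.Element("ServiceRequest")
    webapp = ET.SubElement(ET.SubElement(root, "data"), "WebApp")
    attrs = ET.SubElement(webapp, "attributes")
    for action, items in (("add", add), ("update", update)):
        if not items:
            continue
        block = ET.SubElement(attrs, action)
        for attr_name, attr_value in items.items():
            attribute = ET.SubElement(block, "Attribute")
            ET.SubElement(attribute, "name").text = attr_name
            ET.SubElement(attribute, "value").text = attr_value
    if remove:
        block = ET.SubElement(attrs, "remove")
        for attr_name in remove:
            attribute = ET.SubElement(block, "Attribute")
            ET.SubElement(attribute, "name").text = attr_name
    return ET.tostring(root, encoding="unicode")


def parse_attribute_criteria(request_xml):
    """Read back (name, operator, value) tuples from a SEARCH body, so a
    payload produced elsewhere can be checked before it is sent."""
    root = ET.fromstring(request_xml)
    found = []
    for crit in root.findall("filters/Criteria"):
        if crit.get("field") == "attributes":
            found.append((crit.get("name"), crit.get("operator"), crit.text))
    return found


if __name__ == "__main__":
    print(attribute_search_request("Function", "CONTAINS", "web"))
    print(attribute_update_request(update={"Custom key 1": "Custom value 2"},
                                   add={"Custom key 3": "Custom value 3"}))
    print(attribute_update_request(remove=["Custom key 3"]))
```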




 

API Enhancements

 

Scan Status Enhancements


We’ve improved the reporting of scan status to help users better understand scan status. Enhancements include:

 

“Time Limit Exceeded” has been changed to "Time Limit Reached"

The status “Time Limit Exceeded” is no longer used.


Updated Status “No Web Service Detected”

We will now report this status when QID 150111 is reported in the scan results (element WEB_SITE/IGS/IG/QID).


New Status “Service Errors Detected”

This new status tells you the scan stopped before completion due to service errors related to timeouts during the scan, for example exceeding the connection timeout/error threshold.


New Status “Scan Internal Error”

This new status tells you the scan encountered an unexpected and unrecoverable error, which forced it to stop assessment.

 

 

Scan API

 

Updated XSD: scan.xsd/wasscan.xsd

 

New filters for Scan COUNT, Scan SEARCH

 

Include scans with the new statuses using the resultsStatus filter.

 

New values for resultsStatus:

TIME_LIMIT_REACHED: Include scans with scan status “Time Limit Reached”. The previous filter value TIME_LIMIT_EXCEEDED is no longer valid.
SERVICE_ERROR: Include scans with scan status “Service Errors Detected”.
SCAN_INTERNAL_ERROR: Include scans with scan status “Scan Internal Error”.

 


Sample for Scan COUNT

API request:

 

curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @-  "https://qualysapi.qualys.com/qps/rest/3.0/count/was/wasscan" < file.xml

 

Note: “file.xml” contains the request POST data.

 

Request POST data:

 

<ServiceRequest>

  <filters>

      <Criteria field="resultsStatus" operator="IN">SERVICE_ERROR, SCAN_INTERNAL_ERROR</Criteria>

  </filters>

</ServiceRequest>

 

Response:

 

<?xml version="1.0" encoding="UTF-8"?>

<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/wasscan.xsd">

    <responseCode>SUCCESS</responseCode>

    <count>38</count>

</ServiceResponse>

 

Updated response from Scan SEARCH, Scan GET

 

The resultsStatus element in the XML output now reports one of the new scan status values as appropriate: TIME_LIMIT_REACHED, SERVICE_ERROR, SCAN_INTERNAL_ERROR.

 

Sample for Scan SEARCH

 

Request POST data:

 

<ServiceRequest>

  <filters>

      <Criteria field="resultsStatus" operator="IN">SERVICE_ERROR, SCAN_INTERNAL_ERROR, TIME_LIMIT_REACHED</Criteria>

      <Criteria field="id" operator="IN">1352324,1327378,1353021</Criteria>

  </filters>

</ServiceRequest>

 

Response:

 

<?xml version="1.0" encoding="UTF-8"?>

<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/wasscan.xsd">

  <responseCode>SUCCESS</responseCode>

  <count>3</count>

  <hasMoreRecords>false</hasMoreRecords>

  <data>

    <WasScan>

      <id>1327378</id>

      <name><![CDATA[TLE Test]]></name>

      <reference>was/1438303380031.1842885</reference>

      <type>VULNERABILITY</type>

      <mode>ONDEMAND</mode>

      <multi>false</multi>

      <target>

        <webApp>

          <id>1901948</id>

          <name><![CDATA[My Web App WAF]]></name>

          <url><![CDATA[http://10.10.26.238/waf]]></url>

        </webApp>

        <scannerAppliance>

          <type>EXTERNAL</type>

        </scannerAppliance>

        <cancelOption>SPECIFIC</cancelOption>

      </target>

      <profile>

        <id>69923</id>

        <name><![CDATA[My Profile 23]]></name>

      </profile>

      <launchedDate>2015-07-31T00:43:00Z</launchedDate>

      <launchedBy>

        <id>4354</id>

        <username>acme_ab1</username>

        <firstName><![CDATA[John]]></firstName>

        <lastName><![CDATA[Smith]]></lastName>

      </launchedBy>

      <status>FINISHED</status>

      <summary>

        <crawlDuration>141</crawlDuration>

        <testDuration>47</testDuration>

        <linksCrawled>30</linksCrawled>

        <nbRequests>3466</nbRequests>

        <resultsStatus>TIME_LIMIT_REACHED</resultsStatus>

        <authStatus>NONE</authStatus>

        <os>Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP</os>

      </summary>

    </WasScan>

    <WasScan>

      <id>1352324</id>

      <name><![CDATA[Schedule proxy Internal - Proxy out of scope to subuser]]></name>

      <reference>was/1441617604130.1847313</reference>

      <type>VULNERABILITY</type>

      <mode>SCHEDULED</mode>

      <multi>false</multi>

      <target>

        <webApp>

          <id>2309688</id>

          <name><![CDATA[My Web App BOQ]]></name>

          <url><![CDATA[http://10.10.26.238/boq/]]></url>

        </webApp>

        <scannerAppliance>

          <type>INTERNAL</type>

          <friendlyName><![CDATA[acme_sa1]]></friendlyName>

        </scannerAppliance>

        <proxy>

          <id>1425</id>

          <name><![CDATA[My Proxy]]></name>

          <url><![CDATA[http://10.10.10.11]]></url>

        </proxy>

      </target>

      <profile>

        <id>270541</id>

        <name><![CDATA[My Profile 41]]></name>

      </profile>

      <launchedDate>2015-09-07T09:20:04Z</launchedDate>

      <launchedBy>

        <id>4355</id>

        <username>qualys_ag2</username>

        <firstName><![CDATA[Alan]]></firstName>

        <lastName><![CDATA[Green]]></lastName>

      </launchedBy>

      <status>FINISHED</status>

      <summary>

        <crawlDuration>774</crawlDuration>

        <testDuration>4</testDuration>

        <linksCrawled>300</linksCrawled>

        <nbRequests>2785</nbRequests>

        <resultsStatus>SERVICE_ERROR</resultsStatus>

        <authStatus>NONE</authStatus>

        <os>Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP</os>

      </summary>

    </WasScan>

    <WasScan>

      <id>1353021</id>

      <name><![CDATA[Sched Vulnerability Scan - 2.7.0.10 WA - 2015-Mar-09]]></name>

      <reference>was/1441488303443.1847104</reference>

      <type>VULNERABILITY</type>

      <mode>SCHEDULED</mode>

      <multi>false</multi>

      <target>

        <webApp>

          <id>2284474</id>

          <name><![CDATA[My Web App 238]]></name>

          <url><![CDATA[http://10.10.26.238]]></url>

        </webApp>

        <scannerAppliance>

          <type>EXTERNAL</type>

        </scannerAppliance>

      </target>

      <profile>

        <id>139359</id>

        <name><![CDATA[My Profile 59]]></name>

      </profile>

      <launchedDate>2015-09-05T21:25:03Z</launchedDate>

      <launchedBy>

        <id>4354</id>

        <username>acme_ag2</username>

        <firstName><![CDATA[Alan]]></firstName>

        <lastName><![CDATA[Green]]></lastName>

      </launchedBy>

      <status>FINISHED</status>

      <summary>

        <resultsStatus>SCAN_INTERNAL_ERROR</resultsStatus>

        <authStatus>NONE</authStatus>

      </summary>

    </WasScan>

  </data>

</ServiceResponse>

 

Sample for Scan GET Output (for SCAN_INTERNAL_ERROR)

 

Response:

 

<?xml version="1.0" encoding="UTF-8"?>

<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/3.0/was/scan.xsd">

  <responseCode>SUCCESS</responseCode>

  <count>1</count>

  <data>

    <WasScan>

      <id>1353021</id>

      <name><![CDATA[Sched Vulnerability Scan - 2.7.0.10 WA - 2015-Mar-09]]></name>

      <reference>was/1441488303443.1847104</reference>

      <type>VULNERABILITY</type>

      <mode>SCHEDULED</mode>

      <progressiveScanning>true</progressiveScanning>

      <multi>false</multi>

      <target>

        <webApp>

          <id>2284474</id>

          <name><![CDATA[My Web App 238]]></name>

          <url><![CDATA[http://10.10.26.238]]></url>

        </webApp>

        <scannerAppliance>

          <type>EXTERNAL</type>

        </scannerAppliance>

      </target>

      <profile>

        <id>139359</id>

        <name><![CDATA[My Profile 59]]></name>

      </profile>

      <options>

        <count>14</count>

        <list>

          <WasScanOption>

            <name>Web Application Authentication Record Name</name>

            <value><![CDATA[None]]></value>

          </WasScanOption>

          <WasScanOption>

            <name>Sensitive Content: Credit Card Numbers</name>

            <value><![CDATA[false]]></value>

          </WasScanOption>

          <WasScanOption>

            <name>Performance Settings</name>

            <value><![CDATA[LOW]]></value>

          </WasScanOption>

          <WasScanOption>

            <name>Scanner Appliance</name>

            <value><![CDATA[External (IP: 10.10.21.160, Scanner: 7.14.37-1, WAS: 3.9.50-1, Signatures: 2.3.30-1)]]></value>

          </WasScanOption>

          <WasScanOption>

            <name>Detection Scope</name>

            <value><![CDATA[COMPLETE]]></value>

          </WasScanOption>

          <WasScanOption>

            <name>Crawling Form Submissions</name>

            <value><![CDATA[BOTH]]></value>

          </WasScanOption>

          <WasScanOption>

            <name>Bruteforce Settings</name>

            <value><![CDATA[EXHAUSTIVE]]></value>

          </WasScanOption>

          <WasScanOption>

            <name>Option Profile Name</name>

            <value><![CDATA[10 Links edit]]></value>

          </WasScanOption>

          <WasScanOption>

            <name>Maximum Crawling Links</name>

            <value><![CDATA[10]]></value>

          </WasScanOption>

          <WasScanOption>

            <name>Web Application Name</name>

            <value><![CDATA[My Web App]]></value>

          </WasScanOption>

          <WasScanOption>

            <name>Request Parameter Set</name>

            <value><![CDATA[My Parameter Set]]></value>

          </WasScanOption>

          <WasScanOption>

            <name>Sensitive Content: Social Security Numbers (US)</name>

            <value><![CDATA[false]]></value>

          </WasScanOption>

          <WasScanOption>

            <name>Cancel At</name>

            <value><![CDATA[1441557900000]]></value>

          </WasScanOption>

          <WasScanOption>

            <name>Target URL</name>

            <value><![CDATA[http://10.10.26.238]]></value>

          </WasScanOption>

        </list>

      </options>

      <launchedDate>2015-09-05T21:25:03Z</launchedDate>

      <launchedBy>

        <id>4354</id>

        <username>acme_ag2</username>

        <firstName><![CDATA[Alan]]></firstName>

        <lastName><![CDATA[Green]]></lastName>

      </launchedBy>

      <status>FINISHED</status>

      <scanDuration>171606</scanDuration>

      <summary>

        <resultsStatus>SCAN_INTERNAL_ERROR</resultsStatus>

        <authStatus>NONE</authStatus>

      </summary>

      <sendMail>true</sendMail>

    </WasScan>

  </data>

</ServiceResponse>
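To act on these statuses in an automated pipeline, the responses above have to be parsed and every scan whose `status` is FINISHED but whose `summary/resultsStatus` is one of the error values shown (TIME_LIMIT_REACHED, SERVICE_ERROR, SCAN_INTERNAL_ERROR) has to be treated as missing coverage rather than as a clean result. The following is an added example, not Qualys code; the embedded response is constructed to mirror the search and GET output above (ids, names and option values are made up), and the status set is the one visible on this page.

```python
import xml.etree.ElementTree as ET

# resultsStatus values from the responses above that mean the scan produced
# no usable coverage; extend the set with other error values your account returns.
INCOMPLETE_STATUSES = {"TIME_LIMIT_REACHED", "SERVICE_ERROR", "SCAN_INTERNAL_ERROR"}

# Constructed sample modelled on the search and GET responses above; the ids,
# names and option values are made up for this example.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse>
  <responseCode>SUCCESS</responseCode>
  <count>3</count>
  <data>
    <WasScan><id>1351001</id><name><![CDATA[My Web App WAF]]></name>
      <status>FINISHED</status>
      <summary><linksCrawled>30</linksCrawled>
        <resultsStatus>TIME_LIMIT_REACHED</resultsStatus><authStatus>NONE</authStatus>
      </summary></WasScan>
    <WasScan><id>1352324</id><name><![CDATA[Schedule proxy Internal]]></name>
      <status>FINISHED</status>
      <summary><linksCrawled>300</linksCrawled>
        <resultsStatus>SERVICE_ERROR</resultsStatus><authStatus>NONE</authStatus>
      </summary></WasScan>
    <WasScan><id>1353021</id><name><![CDATA[Sched Vulnerability Scan]]></name>
      <status>FINISHED</status>
      <options><count>2</count><list>
        <WasScanOption><name>Maximum Crawling Links</name><value><![CDATA[10]]></value></WasScanOption>
        <WasScanOption><name>Performance Settings</name><value><![CDATA[LOW]]></value></WasScanOption>
      </list></options>
      <summary><resultsStatus>SCAN_INTERNAL_ERROR</resultsStatus><authStatus>NONE</authStatus></summary>
    </WasScan>
  </data>
</ServiceResponse>
"""


def parse_scans(xml_text):
    """Return one dict per WasScan element; fail loudly on a non-SUCCESS reply."""
    root = ET.fromstring(xml_text)
    code = root.findtext("responseCode")
    if code != "SUCCESS":
        raise ValueError("WAS API call failed: responseCode=%s" % code)
    scans = []
    for ws in root.iterfind("data/WasScan"):
        scans.append({
            "id": int(ws.findtext("id")),
            "name": ws.findtext("name"),
            "status": ws.findtext("status"),
            "resultsStatus": ws.findtext("summary/resultsStatus"),
            "authStatus": ws.findtext("summary/authStatus"),
            # the search output omits linksCrawled for scans that never crawled
            "linksCrawled": int(ws.findtext("summary/linksCrawled") or 0),
            # the GET output also carries the effective option profile settings
            "options": {o.findtext("name"): o.findtext("value")
                        for o in ws.iterfind("options/list/WasScanOption")},
        })
    return scans


def scans_needing_rerun(scans):
    """Ids of scans that are FINISHED but whose results are not usable coverage."""
    return [s["id"] for s in scans if s["resultsStatus"] in INCOMPLETE_STATUSES]
```

Feeding a real search response into `parse_scans` and then `scans_needing_rerun` gives the list of web applications whose last scan should not be counted in a coverage metric.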

 

Report API

 

Updated XSD: report.xsd

 

For a Scorecard Report creation request, you can include scans with the status “Service Errors Detected” by specifying the filters/scanStatus element with the value SERVICE_ERROR.

 

API request:

 

curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- \
  "https://qualysapi.qualys.com/qps/rest/3.0/create/was/report" < file.xml

 

Note: “file.xml” contains the request POST data.

 

Request POST data:

 

<ServiceRequest>

  <data>

    <Report>

      <name><![CDATA[My Scorecard Report]]></name>

      <description><![CDATA[A simple scorecard report]]></description>

      <format>PDF</format>

      <type>WAS_SCORECARD_REPORT</type>

      <config>

        <scorecardReport>

          <target>

            <tags>

              <Tag>

                <id>243130</id>

              </Tag>

            </tags>

          </target>

          <display>

            <contents>

              <ScorecardReportContent>DESCRIPTION</ScorecardReportContent>

              <ScorecardReportContent>SUMMARY</ScorecardReportContent>

              <ScorecardReportContent>GRAPHS</ScorecardReportContent>

              <ScorecardReportContent>RESULTS</ScorecardReportContent>

            </contents>

            <graphs>

              <ScorecardReportGraph>VULNERABILITIES_BY_GROUP</ScorecardReportGraph>

              <ScorecardReportGraph>VULNERABILITIES_BY_OWASP</ScorecardReportGraph>

              <ScorecardReportGraph>VULNERABILITIES_BY_WASC</ScorecardReportGraph>

            </graphs>

            <groups>

              <ScorecardReportGroup>GROUP</ScorecardReportGroup>

              <ScorecardReportGroup>OWASP</ScorecardReportGroup>

              <ScorecardReportGroup>WASC</ScorecardReportGroup>

            </groups>

            <options>

              <rawLevels>false</rawLevels>

            </options>

          </display>

          <filters>

            <scanDate>

              <startDate>2014-06-28</startDate>

              <endDate>2014-07-28</endDate>

            </scanDate>

            <scanStatus>SERVICE_ERROR</scanStatus>

            <scanAuthStatus>NONE</scanAuthStatus>

          </filters>

          </scorecardReport>

        </config>

      </Report>

  </data>

</ServiceRequest>

A new release of Qualys WAS, Version 4.1, is scheduled to be released in production on the Qualys EU Platform on April 30th, 2015 between 17:30 UTC and 00:00 UTC the next day.

 

The deployment is completely transparent to users and will require no downtime.

 

Release Details: Qualys WAS 4.1 includes integrated virtual patching for web applications protected by Qualys WAF to ensure attacks against identified vulnerabilities are blocked, proxy support to provide enhanced logging and visibility, as well as many other usability improvements that will save users time and effort during everyday web application scanning tasks. For more information on new features, see Qualys WAS 4.1 New Features.

 

To continue to receive notifications by email, please subscribe at EU Platform.

A new release of Qualys WAS, Version 4.1, is scheduled to be released in production on the Qualys US Platform 1 on May 4th, 2015 between 10:30 AM PDT (17:30 UTC) and 5:00 PM PDT (00:00 UTC the next day).

 

The deployment is completely transparent to users and will require no downtime.

 

Release Details: Qualys WAS 4.1 includes integrated virtual patching for web applications protected by Qualys WAF to ensure attacks against identified vulnerabilities are blocked, proxy support to provide enhanced logging and visibility, as well as many other usability improvements that will save users time and effort during everyday web application scanning tasks. For more information on new features, see Qualys WAS 4.1 New Features.

 

To continue to receive notifications by email, please subscribe at US Platform 1.

A new release of Qualys WAS, Version 4.1, which includes an API update, is targeted for release in late April/early May depending on the platform. See the platform release dates at the end of this post for more information. The updated APIs for WAS 4.1 enhance the ability to fully automate and integrate the Qualys WAS solution with other customer applications. WAS APIs enable customers to perform all the major functions within WAS, including creating web applications to scan, launching and scheduling scans, and running and retrieving reports. The APIs enable custom integrations with GRC tools, bug tracking systems and web application firewalls (WAFs), to name a few.

 

This API notification provides an early preview into the coming API changes in Qualys WAS 4.1, allowing you to proactively identify any changes that might be required for your automated scripts or programs that utilize the API methods. For more information on the new user interface (UI) features in WAS 4.1 see Qualys WAS 4.1 New Features.

 

Contents

This notification now describes all changes and additions to the WAS API based on features in WAS 4.1. It has been updated from the previously published notification that describes only the changes to XML and CSV output which could impact existing API implementations.

 

Below is a summary of the enhancements to the WAS API - this post also has an attached document with more details including example API calls for developers.

 

Full release notes will be available to customers on the day of the release.

 

 

Virtual Patch Support

WAS 4.1 lets you install virtual patches for selected vulnerabilities (detections) when your account has both WAS and WAF enabled. Once a patch is installed, we’ll automatically add firewall rules to block exploitation of the selected vulnerabilities. We’ve added new capabilities to the Finding API and Report API to help you manage virtual patches.

 

Finding API

  • Get Finding - now returns a patch reference element if a virtual patch is present
  • Search/Count Findings - new patch filter to identify findings with virtual patches

 

Report API

  • Create/Update Report - When creating or updating a report, you can choose to include/not include findings with virtual patches.

 

 

Proxy Support

WAS 4.1 lets you define a proxy in the user interface and then apply it to web application settings and/or scan settings for internal appliance-based scans. You can reference the proxy ID in WAS service calls as shown below. Note that Proxy Support is a limited release feature; contact your technical account manager (TAM) if you would like to be included in this limited release.

 

Web App API

  • Create/Update Web Application - set a default proxy ID (for a proxy already defined in the UI)

 

Scan API

  • Launch Scan - specify the proxy to use for the scan

 

Scan Schedule API

  • Create/update Schedule - specify the proxy to use for the scan

 

 

New Search Parameters

New search parameters are available for Search and Count requests in the Option Profile API.

 

Option Profile API

New Parameters

  • UsedByWebApps - filter profiles used/not used by web applications
  • usedBySchedule - filter profiles used/not used by scan schedules
  • owner.id - filter profiles by the owner's user ID
  • owner.name - filter profiles by the owner's full name (first and last name)
  • owner.username - filter profiles by the owner's username (for example acme_ab3)

 

 

Platform Release Dates

Qualys WAS 4.1 Release Notification - Available May 4th, 2015 on US Platform 1

Qualys WAS 4.1 Release Notification - Available April 28th, 2015 on US Platform 2

Qualys WAS 4.1 Release Notification - Available April 30th, 2015 on EU Platform

 

Original WAS 4.1 API Notification

Below is the original blog post published February 27, 2015 describing only the changes to XML and CSV output in the WAS API which could impact existing API implementations. All information below is included above - it is provided for reference.

 

A new release of Qualys WAS, Version 4.1, which includes an API update, is targeted for release in late March/early April 2015. The updated APIs for WAS 4.1 enhance the ability to fully automate and integrate the Qualys WAS solution with customers' existing applications. WAS APIs enable customers to perform all the major functions within WAS, including creating web applications to scan, launching and scheduling scans, and running and retrieving reports. The APIs enable custom integrations with GRC tools, bug tracking systems and web application firewalls (WAFs), to name a few.

 

This API notification provides an early preview of the coming API changes in Qualys WAS 4.1, allowing you to proactively identify any changes that might be required for your automated scripts or programs that use the API methods. One API modification in this release may impact existing API implementations and therefore requires a 30-day notification. The API changes have been made to enable proxy support for internal WAS scanning. Proxy support will be a limited release feature.

 

Full release notes will be available to customers on the day of the release.

 

Proxy Support

Note: A proxy is defined in the WAS user interface and can then be referenced by proxy ID in the web service calls shown below.

 

 

Web App API

  • Schema: webapp.xsd
  • Create/Update Web Application
  • GET web application

 

Sample API Request to update the web application default proxy:

<ServiceRequest>
  <data>
    <WebApp>
      <proxy><id>355538</id></proxy>
    </WebApp>
  </data>
</ServiceRequest>
 

Scan API

  • Schema: scan.xsd / wasscan.xsd
  • Launch Scan

 

Sample API Request to launch a scan with a proxy set:

<ServiceRequest>
  <data>
    <WasScan>
      <name>New scan launched from API By Snehal</name>
      <type>DISCOVERY</type>
      <target>
        <webApp>
          <id>353737</id>
        </webApp>
        <!-- <webAppAuthRecord>
          <id>0</id>
        </webAppAuthRecord> -->
        <proxy>
          <id>354736</id>
        </proxy>
      </target>
      <profile>
        <id>1072</id>
      </profile>
    </WasScan>
  </data>
</ServiceRequest>
 

Schedule API

  • Schema: schedule.xsd / wasscanschedule.xsd
  • Create/update Schedule
  • Get Schedule

 

Sample API Request to schedule a scan with a proxy set:

<ServiceRequest>
  <data>
    <WasScanSchedule>
      <name><![CDATA[scheduling Notification - from API- devtest1 ]]></name>
      <type>DISCOVERY</type>
      <active>true</active>
      <scheduling>
        <cancelAfterNHours>4</cancelAfterNHours>
        <startDate>2014-08-20T09:50:14Z</startDate>
        <timeZone>
          <code>US/Arizona</code>
          <offset>-07:00</offset>
        </timeZone>
        <occurrenceType>ONCE</occurrenceType>
      </scheduling>
      <notification>
        <active>true</active>
        <delay>
          <nb>555</nb>
          <scale>HOUR</scale>
        </delay>
        <message><![CDATA[This is from API...]]></message>
      </notification>
      <target>
        <webApp>
          <id>324538</id>
        </webApp>
        <scannerAppliance>
          <type>INTERNAL</type>
        </scannerAppliance>
        <proxy>
          <id>355538</id>
        </proxy>
      </target>
      <profile>
        <id>1963</id>
      </profile>
    </WasScanSchedule>
  </data>
</ServiceRequest>
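The three proxy samples above differ in where the proxy element lives: directly under WebApp for the web application default, but inside target (next to webApp and scannerAppliance) for a launched or scheduled scan. The following added example, not Qualys code, builds the Web App and Launch Scan forms from one proxy ID, rejects a proxy on a non-INTERNAL appliance (the notification describes proxy support for internal appliance-based scans only), and reads the proxy back from the generated request; the ids used are the ones from the samples.

```python
import xml.etree.ElementTree as ET


def _sub(parent, tag, text=None):
    """Append a child element and set its text (ElementTree escapes text, so no CDATA is needed)."""
    el = ET.SubElement(parent, tag)
    if text is not None:
        el.text = str(text)
    return el


def webapp_proxy_request(proxy_id):
    """Update request that sets a web application's default proxy (proxy sits directly under WebApp)."""
    req = ET.Element("ServiceRequest")
    webapp = _sub(_sub(req, "data"), "WebApp")
    _sub(_sub(webapp, "proxy"), "id", proxy_id)
    return ET.tostring(req, encoding="unicode")


def launch_scan_request(name, webapp_id, profile_id, proxy_id=None, appliance="INTERNAL"):
    """Launch request; the proxy element belongs inside target, beside webApp and scannerAppliance."""
    if proxy_id is not None and appliance != "INTERNAL":
        # proxies are described for internal appliance based scans only
        raise ValueError("a proxy can only be combined with an INTERNAL scanner appliance")
    req = ET.Element("ServiceRequest")
    scan = _sub(_sub(req, "data"), "WasScan")
    _sub(scan, "name", name)
    _sub(scan, "type", "DISCOVERY")
    target = _sub(scan, "target")
    _sub(_sub(target, "webApp"), "id", webapp_id)
    _sub(_sub(target, "scannerAppliance"), "type", appliance)
    if proxy_id is not None:
        _sub(_sub(target, "proxy"), "id", proxy_id)
    _sub(_sub(scan, "profile"), "id", profile_id)
    return ET.tostring(req, encoding="unicode")


def proxy_id_in_target(xml_text):
    """Read the proxy id back from a scan or schedule request; None when no proxy is set."""
    return ET.fromstring(xml_text).findtext(".//target/proxy/id")
```

The schedule request has the same target shape, so `proxy_id_in_target` also works on the WasScanSchedule sample above.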

A new release of Qualys WAS, Version 4.0, is scheduled to be released in production on the Qualys US Platform 1 on December 15, 2014 between 11 AM PST (19:00 UTC) and 5:00 PM PST (01:00 UTC the next day).

(Note: updated for switch to PST - updated conversions for UTC)

 

The deployment is completely transparent to users and will require no downtime.

 

Release Details: Qualys WAS 4.0 includes Progressive Scanning to enhance vulnerability testing coverage and provide automated test continuation from scan to scan, improving scan results and providing flexible scheduling options that will ease the burden on understaffed IT Security teams. The new Reporting Templates will enable organizations to deliver targeted application security metrics to each stakeholder in the program, whether it is the CISO who wants a high-level summary with graphs, or the developer who just wants the details of the vulnerabilities that need to be fixed. For more information on new features, see Qualys WAS 4.0 New Features.

 

To continue to receive notifications by email, please subscribe at US Platform 1.