WAS Engine 6.1 has been released to all Qualys platforms including private cloud platforms. This new release is part of our ongoing effort to continuously improve the WAS scanning engine. This update includes the following enhancements.
- New detection for Edge Side Include (ESI) injection. QID 150232 will be reported if this vulnerability is detected by the WAS scanning engine.
- New detection for CVE-2017-1000486, a remote code execution vulnerability in PrimeFaces. QID 150231 will be reported if this vulnerability is detected.
- Improved vulnerability detection on login pages when Selenium authentication is used.
- Changes to better identify when a web application is using WebSockets. QID 150167 is reported when WebSocket links are found.
- Changes to prevent the scanner from running out of memory under certain circumstances.
- Changes to address false negatives for QID 150051 (open redirect) with relative URLs.
If you encounter any problems in your WAS scans, please open a support ticket by selecting Help > Contact Support while logged into the platform. Feel free to post a question here on the Qualys Community site as well.