
How to exclude request parameter

Question asked by Reddy Gujja on Sep 26, 2014

During my web application scan, ATG adds a "_requestid=" param at the end of the URL. When I generate the report based on two scans, Qualys reports the same vulnerability as New because the URL is different in each scan due to the _requestid param added to the URL. I want to be able to generate the report saying "exclude _requestid param from the url" so I do not get a duplicate vulnerability reported as New. Here is an example:

 

scan 1: XSS Vulnerability on URL: http://testmysite.com/myvalidParam=user_id&_requestid=1020

scan 2: XSS Vulnerability on URL: http://testmysite.com/myvalidParam=user_id&_requestid=5245

 

When generating the report, Qualys says 1 new vulnerability found and lists http://testmysite.com/myvalidParam=user_id&_requestid=1020 as a new XSS vulnerability. How can I avoid it?

 

Thank you

Reddy Gujja
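
One way to get the same effect outside the scanner, as an added example that is not part of the original post and is not a Qualys feature: normalize the URLs from two exported finding lists before comparing them. The finding dictionaries, the function names and the second sample URL are assumptions made for illustration.

```python
import re

# Parameters whose values change on every request (ATG's _requestid, per the post).
VOLATILE_PARAMS = ("_requestid",)

def normalize_url(url, volatile=VOLATILE_PARAMS):
    """Drop volatile name=value pairs so the same page compares equal across scans."""
    for name in volatile:
        # Match the pair after ?, &, ; or / so URLs written without a '?'
        # (as in the post's examples) are handled too.
        url = re.sub(r"(?<=[?&;/])" + re.escape(name) + r"=[^&#;]*[&;]?", "", url)
    # Remove a separator left dangling at the end or before a fragment.
    return re.sub(r"[?&;]+(?=#|$)", "", url)

def finding_key(finding):
    """Identity of a finding: vulnerability name plus normalized URL."""
    return (finding["vuln"], normalize_url(finding["url"]))

def new_findings(previous, current):
    """Findings in `current` whose key was not present in `previous`."""
    seen = {finding_key(f) for f in previous}
    return [f for f in current if finding_key(f) not in seen]

# Constructed sample data modelled on the two scans in the post.
SCAN_1 = [{"vuln": "XSS", "url": "http://testmysite.com/myvalidParam=user_id&_requestid=1020"}]
SCAN_2 = [
    {"vuln": "XSS", "url": "http://testmysite.com/myvalidParam=user_id&_requestid=5245"},
    {"vuln": "XSS", "url": "http://testmysite.com/search?_requestid=77&q=shoes"},  # assumed extra finding
]

if __name__ == "__main__":
    for f in new_findings(SCAN_1, SCAN_2):
        print(f["vuln"], normalize_url(f["url"]))
```

Only the second scan's `/search` finding is reported as new; the two `_requestid` variants of the first URL collapse to one key.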
