Michael Scheidell

A little frustrated

Discussion created by Michael Scheidell on May 10, 2017
Latest reply on May 12, 2017 by Sheela Sarva

Spent 15 minutes manually finding XSS problems and 16 hours trying to get WAS to find and report on them.

Tried different Selenium scripts to find the form (in this case, it was a 'Search:...' box). I don't think Qualys put anything into the form except for a simple alert('XSS') (if even that).

Finally decided to dummy up a burp.xml file with the input I used in the manual tests and import it, but... you can't produce a report with the Burp results.

Not only isn't it included in the scan report, but there appears to be no way to actually print the Burp issues except for a print screen.

This means I can't even show the client the printed report (the overall says 'low'), and it doesn't show any OWASP references, and the High, Medium, Low only shows low even though the Burp XML says high.
