Does Qualys try to make code injection? In case the site is not strong enough, can Qualys damage the site or make it unavailable? Or is it just a harmless simulation?
The Qualys Web Application Scanning (WAS) module does indeed check for OWASP-type flaws such as Code Injection, Cross-Site Scripting, Broken Authentication, etc. WAS tests are against the actual web application rather than a simulation; however, the tool does not contain any malicious payloads or exploits to damage the site. The WAS scanner intelligently throttles the test to prevent a denial of service condition from occurring.
First and foremost, can a scan cause an issue with a site? YES. What damage can occur often depends more on the specific functions and implementation of the site.
For instance, if a site is, say, listing a bunch of records to the screen and clicking the right link on a record would delete the record, then a simple discovery/spider would delete the data. It could be destructive, depending on your view.
It is always a good idea to try and do the scan on a site that has already been backed up and restore tested; good security as well.
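The delete-link case described in the answer above can be looked for before a scan is run. The following is an added example, not part of the original thread and not Qualys code: it parses a page's HTML and lists links whose URL contains a destructive verb, so they can be excluded from the crawl or moved behind a POST. The verb list, function names, sample page and the `app.example.test` host are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qsl

# Assumed verb list; extend it to match the application's own routes.
DESTRUCTIVE = {"delete", "remove", "destroy", "purge", "drop", "cancel"}

class LinkCollector(HTMLParser):
    """Collects every <a href> target, resolved against the page URL."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(urljoin(self.base_url, href))

def tokens(url):
    """Lower-case words from the path plus query keys and values."""
    parts = urlsplit(url)
    words = re.split(r"[^a-z]+", parts.path.lower())
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        words += re.split(r"[^a-z]+", f"{key} {value}".lower())
    return {w for w in words if w}

def risky_get_links(html, base_url):
    """Return links that a plain GET (what a spider sends) might act on."""
    collector = LinkCollector(base_url)
    collector.feed(html)
    return sorted({u for u in collector.links if tokens(u) & DESTRUCTIVE})

# Constructed sample page: a record list with per-row action links.
SAMPLE_HTML = """
<table>
  <tr><td>Invoice 17</td>
      <td><a href="/records/17">view</a></td>
      <td><a href="/records/17/delete">x</a></td></tr>
  <tr><td>Invoice 18</td>
      <td><a href="/records/18">view</a></td>
      <td><a href="records.php?action=remove&amp;id=18">x</a></td></tr>
</table>
<a href="/help/deleted-items">About the recycle bin</a>
"""

if __name__ == "__main__":
    for url in risky_get_links(SAMPLE_HTML, "https://app.example.test/list"):
        print("exclude from crawl or convert to POST:", url)
```

Matching is on whole words, so `/help/deleted-items` is not flagged; a route that deletes without a telltale verb in its URL will also be missed, so the backup advice above still applies.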