I've been having some difficulties running Qualys over an Ajax-based web application:
1 - For the most part, the app seems unreachable for Qualys. It does not navigate through the app. It just identifies clickable elements but apparently doesn't perform the click action.
2 - I've written a Selenium script to help Qualys to follow to a specific app section, to no avail. There's no log entry for the script execution.
3 - I tried to limit the scan to a specific attack (XSS) to facilitate the analysis and found out that on a form that is on the landing page of the app, Qualys only tries to inject letters ('a', 'b', 'c'), not code. Also, it doesn't actually submit the form, as the form does not have a classic 'submit' action, but it has an Ajax function attached to a button.
4 - I used the 'progressive scan' feature to force Qualys to ignore the area that was already scanned, but it detects the same vulnerabilities.
I'm surely doing something wrong here...