Back to qualys.com
4 posts

Qualys WAS Introduces Swagger Support for REST API Security Testing

In the world of application security, testing REST APIs for security flaws is important because APIs can have many of the same application-layer vulnerabilities as browser-based web applications. Examples are SQL injection, command injection, and remote code execution. With the recent release of Qualys Web Application Scanning (WAS) 6.0, testing your REST APIs is easier than ever thanks to support for Swagger.

About Swagger

Swagger is a widely-adopted specification that allows for programmatically describing REST APIs. This is accomplished via a Swagger file, which may be in either JSON or YAML format. The Swagger file provides all the details about the APIs and how to invoke them. This includes information like the HTTP verbs to use (GET, POST, PUT, etc.), the URL paths, allowable parameters and types, authentication mechanisms, and so on.

Continue reading …

Qualys WAS: New Detections for XML External Entities (XXE)

In the new 2017 edition of the OWASP Top 10, XML External Entities (XXE) make their first appearance at #A4 on the list. Qualys is pleased to announce that Qualys Web Application Scanning (WAS) engine 4.4 includes new detection capabilities for XXE vulnerabilities.

Continue reading …

Bugcrowd Integration Now Available in Qualys Web Application Scanning

The new version of Qualys Web Application Scanning, WAS 5.7, adds an integration with Bugcrowd for centralized viewing and triaging of both WAS automated vulnerability detections and vulnerabilities submitted by Bugcrowd’s approved security researchers.

Continue reading …

Cross-Site Request Forgery: What Happened to the Sleeping Giant?

A decade ago, cross-site request forgery (CSRF, often pronounced “c-surf”) was consideredCSRF to be a sleeping giant, preparing to wake and inflict havoc on the Worldwide Web.  But the doomsday scenario never materialized and you don’t even seem to hear much about it anymore.  In this blog post, part 1 of 2, I will explore this idea and try to understand why the CSRF giant never awoke.  First we’ll cover the overall threat landscape, trends, and some notable CSRF exploits throughout the years, including one from personal experience.

Continue reading …