All Posts

63 posts

New & Improved Qualys WAS Burp Extension Now Available

Last year we released the initial version of the Qualys WAS Burp extension to positive reviews.  Customers welcomed the ability to send Burp-identified issues into Qualys Web Application Scanning (WAS) for centralized viewing and reporting of automated scanner findings plus manual pen-test issues from Burp.

Now we are pleased to announce the release of version 2 of the Qualys WAS Burp extension.  In addition to the previous functionality, this version allows you to import a WAS finding directly into Burp Repeater to manually validate the vulnerability.  Even better is that this new capability works with both Burp Suite Professional and Burp Suite Community Edition.

Continue reading …

Enhanced API Scanning with Postman Support in Qualys WAS

Due to the fast-growing usage of REST APIs, having a way to test them for vulnerabilities in an automated, reliable way is more important than ever.  Automated testing of APIs is a little trickier than for web applications.  You can’t simply enter a starting URL for the scanner and click “Go”.  Additional setup is required to describe the API endpoints for the scanner.  The good news is that Qualys Web Application Scanning (WAS) offers multiple ways to set up a scan for your APIs.

Up to now Qualys WAS has provided two methods to set up scanning of your APIs:

  1. Proxy capture method
  2. Swagger/OpenAPI file method

Now, WAS supports a 3rd method – Postman Collections. As we’ll explain, this method can provide better vulnerability testing compared to the others.

Continue reading …

Qualys Cloud Platform 2.41 New Features

This release of the Qualys Cloud Platform version 2.41 includes updates and new features for new Gov clouds in AssetView / CloudView and Web Application Scanning, highlights as follows.

Continue reading …

Qualys Cloud Platform 2.40 New Features

This release of the Qualys Cloud Platform version 2.40 includes updates and new features for Web Application Scanning, highlights as follows.

Continue reading …

Qualys Cloud Platform 2.39 New Features

This release of the Qualys Cloud Platform version 2.39 includes updates and new features for Out-of-Band Configuration Assessment (OCA), Vulnerability Management, and Web Application Scanning, highlights as follows.

Continue reading …

Qualys Cloud Platform 2.38 New Features

This release of the Qualys Cloud Platform version 2.38 includes updates and new features for AssetView, Web Application Firewall, and Web Application Scanning, highlights as follows.

Continue reading …

Jenkins Plugin v2 for Qualys WAS Now Available

We are pleased to announce that the Qualys WAS Jenkins plugin v2 is now available.  This version of the plugin introduces new features to facilitate automation, and a more user-friendly design.

Continue reading …

Qualys Cloud Platform 2.37 New Features

This release of the Qualys Cloud Platform version 2.37 includes updates and new features for Security Assessment Questionnaire and Web Application Scanning, highlights as follows.

Continue reading …

Qualys Cloud Platform 2.36 New Features

This release of the Qualys Cloud Platform version 2.36 includes updates and new features for AssetView (Cloud Assets and Cloud Agents) and Web Application Scanning, highlights as follows.

Continue reading …

Detecting Insecure Cookies with Qualys Web Application Scanning

Cookies are ubiquitous in today’s modern web applications. If an attacker can acquire a user’s session cookie by exploiting a cross-site scripting (XSS) vulnerability, by sniffing an unencrypted HTTP connection, or by some other means, then they can potentially hijack a user’s valid session. Obviously, this can have negative implications for an organization and its users, including theft of sensitive application data or unauthorized/harmful actions.

Qualys Web Application Scanning reports when it discovers a cookie delivered over an HTTPS channel without the “secure” attribute set. This detection is useful for verifying correct coding practices for individual web applications & developers, and across your entire organization. Cookies marked with the secure attribute will never be sent over an unencrypted (non-HTTPS) connection, which keeps them safe from prying eyes that may be sniffing network traffic.

Continue reading …