Qualys Blog

www.qualys.com

QualysGuard WAS 3.2 New Features

QualysGuard WAS 3.2 provides improved control over how and when scans are performed and boosts the efficiency of developers in diagnosing issues with their web applications.

Feature highlights include: A granular scan progress display, specific scan cancel time, binary file exclusions and many usability enhancements.

QualysGuard WAS 3.2 will be released in production in mid-February. Details about the release schedule are at the end of this blog post.

Scanning Enhancements

Track Scan Progress:  Track the current status of a scan in progress in the scan view window. The new Scan Progress section shows you the current progress of your scan and the scan start time. This provides users with positive confirmation that the scan is progressing and the web application is continuing to respond during testing.  The Stats section tells you the number of links collected, crawled and the number of requests performed.

scan_progress

Define a Default Option Profile for Your Subscription: Now you can make any option profile the default for your subscription. This option profile will be selected automatically each time you launch a scan, unless a different option profile is defined for the target web application. This makes it easy to make sure by default users will use an appropriate option profile that is best for your organization.  Setting the default is available only to users with full scope and permissions.

default_op

Ignore Common Binary Files Based on File Extension:  We’ve added an option profile setting called “Ignore common binary files based on file extensions.” This can dramatically reduce the amount of time needed to scan a web application that contains many of these types of files.  When enabled, scans will ignore files with these extensions: .pdf, .zip and .doc.   This setting will be turnedon by default when you create new option profiles.

op_ignore_binary

Cancel a Scan at a Precise Time:   Previously, when launching or scheduling a scan you could only choose to cancel the scan after a certain number of hours. With this release, you can choose to cancel the scan at a precise time in scan settings under Cancel scan. This enables you to be sure you stop a scan before the end of a defined scan window without worrying about when the scan starts.

scan_cancel_time

Reporting Enhancements

Export Vulnerability Payload Response in HTML:   Now you can provide more details to developers for vulnerabilties identified in scanning.  You can view vulnerability detections in a few spots –in web application reports, in scan reports, and under Web Applications > Detections.In the vulnerability details, you’ll notice a new Export icon in the payload responsesection. Click this icon to export the payload response.

detection_export

This export option is also available for the Information Gathered results in your scan reports and web application reports.

detection_export_2

When results exceed 5000 characters they will be truncated to ensure good browser performance. You have the option to export the full contents ofthe report.

truncated_results

Move a Report to a New Browser Window:   This makes it easy to do side-by-side comparisons, saving time. It also increases the number of reports you can have open at one time. Go to Reports and create a report. Click New window to move the report to a new browser window.

report_new_window

You can edit and download your report in the new window just as you would within the UI.

report_new_window_2

Select Timezone Used for Dates in Report:    Dates in reports default to the timeszone set in the user’s account settings. When you download a report, you now have the option to select a timezone we’ll use to display all dates in your saved report. In the previous release, all dates in saved reports appeared in GMT.

rpt_timezone

Web Application Enhancements

Use Save As to Create a New Web Application:   Save time by creating a new web application based on an existing one, then edit the settings as needed. Go to Web Applications > Web Applications,  hover over a web application and choose Save As from the menu.

web_ap_save_as

Move a Sitemap to a New Browser Window: You can keep your sitemap open in a separate browser window while working in the WAS UI. All the functionality of the sitemap remains available in the new window. Go to Web Applications > Web Applications, hover over a web application and choose View Sitemap from the menu. Click the red outlined icon in the upper right corner to move the sitemap to a new window.

sitemap_breakout

Server Authentication Record – Realm not required:  The Realm field is no longer required when configuring a basic server authentication record.

Usability Enhancements

Improved Usability of Datalists

Improved Navigation

When the total number of records exceeds the number of records per page, click to select the range of records you want to display. You’ll notice that the currently displayed range is highlighted.

improved_nav

Improved Actions Menu

You’ll notice the Actions menu now displays the number of items you’ve selected for the action.

New Sort By Options

The settings menu now provides several options under Sort By.

Online Help Improvements:

When you select Help > Online help, we’ll display help specific to your current location in the UI. For example, if you’re working with scans, the help will appear as shown.

online_help

You’ll also notice a new Launch Help link in the title bar of each wizard. Click this link to view help related to your current workflow. For example when launching a scan click this link to view scan related help.

report_new_window_2

CVSS Scoring Updates for Cross-Site Scripting (XSS) QIDs

Enhanced Scoring Consistency

To bring additional consistency in CVSS base scoring for similar Cross-Site Scripting Vulnerabilities which will enable better risk calculation by users, QualysGuard WAS will adjust the current CVSS scoring for the QIDs below.  The new CVSS score of 4.3 is based on a median score calculation identifed by analysis of existing vulnerability scores.

QIDs updated to CVSS base score of 4.3

  • 150000
  • 150001
  • 150002
  • 150013
  • 150046
  • 150048
  • 150062
  • 150076
  • 150090
  • 150092

API Enhancements

Tip: What’s my platform

Release Schedule

For details about the release dates for specific platforms and to subscribe to release notifications by email, please see the following:

Leave a Reply