Manage your reports

How do I create a report?

Can I open the report in a new window?

Who can create reports?

How can I reproduce QID 150022 Verbose Error Message?

How do I edit report content?

Why should I add tags to a report?

How do I see the detection results?

OWASP Top 10

Want to remove certain detections from reports?

Export Detection Results

Want to include ignored detections in reports?

Tell me about the preview pane

Want to include customized footer in reports?

Tell me about security risk

View, Filter and Repeat

Tell me about vulnerability status

How do I save and download reports?

Setting a default report format

How many web applications can I include in a report?

Get visibility on WAF-blocked vulnerabilities

How many reports can I save in the reports list?

Tell me about Vulnerability Details in Reports

Can we compare the results of findings between scan reports?

 


How do I create a report?

Go to Reports and select New Report. Tell us which report you want to create and then identify the target of the report. We recommend you schedule reports (daily, weekly or monthly) to get fresh reports showing your current security status. It just takes a minute - go to Reports > Schedules and select New Schedule.

Who can create reports?

User roles and permissions determine whether users have WAS Reporting Permissions; these permissions include Create Report, Edit Report and Delete Report. To see a user's assigned user roles and scope, go to the Administration utility. You’ll see this option on the application picker. Learn more

How do I edit report settings?

Click the Edit Report button in the top right corner of the report. Use the wizard to change settings like the name, the report target, set filters and choose content. Once you click Save we'll create the report again with the new settings. (Tip - Turn on help tips in the title bar of the Report Edit window to view online help for each filter setting.)

How do I see the detection results?

Want to remove certain detections from reports?

It's easy to remove certain detections from web application or scan reports using the ignore option. You'll select detections and mark them as false positive, not applicable or risk accepted. You can do this within a web application report/scan report or from the detections list.  Learn more

Want to include ignored detections in reports?

It's easy to include ignored detections from web application or scan reports using the remediation filters. You can configure the filter in the report template or edit the web application report/scan report. Once you opt to include ignored findings in the report, you can further choose types of ignored findings:false positive, not applicable or risk accepted to be included in the report.

Can I schedule reactivation of a detection?

Want to include customized footer in your report?

It's easy to include customized footer. Define the customized footer text  in the report template and it will be displayed in the WAS reports: Web application report and scan report (HTML and PDF formats). You can use the report template when you generate the report to view the custom footer. Show me

View, filter and repeat

Your web application report is interactive. You can edit the settings and filter the content to focus on the information that's currently most important.

- Click Edit Report in the header section and use the wizard to rename the report and apply content filters.

- Click Save and we'll re-run the report with your changes.

- Click the "New window" link in the report header to move the report to a new browser window. This makes side-by-side comparisons easy. It also increases the number of reports you can have open at one time.

How do I save and download reports?

Each report you create opens on its own tab in the Report Management window. You can download your open reports in multiple formats, and those reports are also saved to the reports list to be viewed and downloaded by authorized users.

Save and download an interactive report

Download a report from the Report List

Easy way to download datalists as reports

Your report will be saved in 2 places: 1) your report list, and 2) your local file system. Your report will be removed from the report list in 7 days (when it expires).

How many reports can I save in the reports list?

The user storage limit setting determines the maximum amount of WAS report data each user can save on our Cloud Platform. Did you see an error message when saving a report? We recommend you delete some existing reports and try again. Learn more

How many web applications can I include in a report?

Number of Web Applications

Online Report

Download Report

Less than or equal to 100

Yes

Yes

101 to 500

No

Yes

More than 500

No

No

Can I open the report in a new window?

Yes, just click this icon Separate window icon. in the report header to move the report to a new window of your browser. Moving reports to separate browser windows enables you to do side-by-side comparisons. It also increases the number of reports you can have open at one time. All the interactive features of your report are available in the new browser window.

How can I reproduce QID 150022 Verbose Error Message?

There are multiple way to reproduce QID 150022. You could either use WAS Burp extension or use information provided in web application scan report.

In general, one of the easiest ways to reproduce a finding (including QID 150022) is by using the Qualys WAS Burp extension. With this you can import the exact request sent by WAS into Burp Repeater. Then you can manually test in real time (assuming you have access to the target web application or API) by sending the request and seeing the response.

Alternatively, you can try to reproduce to QID 150022 ("Verbose Error Message") using the information provided in the report details. We'll focus on two injection points: the Query-String and Form Inputs. Click here to learn more.

Why should I add tags to a report?

Tagging is a way of organizing reports, web applications and other configurations. When you download a report involving a tagged web application, you'll notice we suggest adding the web application's tags to the report. Tags are one of the many options we provide for filtering the report list. Tags also enable other users to access to your reports. Users whose scopes have tags in common with your reports can access those reports.

OWASP Top 10

The OWASP Top 10 is one of the most common ways to categorize web application risks and vulnerabilities. The vulnerability detection in Qualys Web Application Scanning (WAS) are mapped to the 2017 edition of the OWASP Top 10.

The reports (web application, scan and scorecard) provide a graph listing the OWASP top 10 vulnerabilities. The Vulnerability Details in the report also provides a clickable link with OWASP details. You can click the link and view the further details about the vulnerability.

Can I export detection details?

Yes, you can export the payload response to your local file system in HTML. Just click the Export icon in the Payloads section.

Export option in the payload response window.

Tell me about the preview pane

The preview pane appears under the reports list when you click anywhere in a report row. The report preview shows the title and type, the user who generated the report, the report status and report size in megabytes. Hover over the size to see the actual size in bytes. Click the Actions menu to take actions on the report. To download the report, click Download. You'll notice the Downloads field tells you the number of times the report has been downloaded by users in the subscription.

Preview pane displaying details of the web applicaton report you select from the list.

Tell me about security risk

The security risk rating (high, medium, low) reflects the maximum severity level of all vulnerabilities included in the report. Ignored vulnerabilities are not included.

Icon for high security risk rating.

At least one non-fixed vulnerability with severity level 4 or 5 is included in the report.

Icon for medium security risk rating.

At least one non-fixed vulnerability with severity level 3 is included in the report, and no vulnerabilities with severity level 4 or 5 are included in the report.

Icon for low security risk rating.

At least one non-fixed vulnerability with severity level 1 or 2 is included in the report, and no vulnerabilities with severity level 3, 4 or 5 are included in the report.

Tell me about vulnerability status

You'll see the status of detected vulnerabilities in the Results section of Web Application Reports and Scan Reports. We continuously update the status of detected vulnerabilities in your account, based on the most recent scan results.

Each vulnerability instance is assigned a status - New, Active, Fixed or  Reopened.

Diagram displaying the various states of a vulnerability and the flow among them.

What does the status mean?

Can we compare the results of findings between scan reports?

A comparative analysis of changes in scan results between incremental scan reports are also displayed in the Information Gathered details. When you expand the Results section you can see the changes from previous scans highlighted in multiple colors. Disable the Highlight changes from the previous scan option to hide the comparative analysis. By default this option is enabled.

Results section in Information Gathered Details of a scan report.

Setting a default report format

It's easy to set a default format for downloading reports. Just edit your profile settings - select My Profile under your user name (in the top right corner).

Get visibility on WAF-blocked vulnerabilities

In your scan settings enable the ScanTrust option to allow Qualys scanners to scan through the WAF and enhance assessment and reporting. Learn more

Tell me about Vulnerability Details in Reports

We provide you with complete and raw HTTP request for detections. The reports downloaded in PDF and HTML format also display complete and raw HTTP request for detections (except for Information Gathered (IG) vulnerabilities).

The WAS reports in PDF or HTML format displayed link, method, POST data, headers and snippets of the response body. The downloaded reports (PDF and HTML) also display full request headers and full request body for vulnerabilities. The complete requests and responses will help you to reproduce or validate the issue. Show me