At times, Qualys WAS reports findings/detections against URLs that are, in fact, not vulnerable; such detections fall under the category of false positives. If these false positives are not filtered or ignored at the root, i.e. in the Qualys WAS portal, they keep reappearing in every subsequent report.
The purpose of this article is to list the steps that help filter false positives out of Qualys WAS reports, which in turn frees the application and security teams from the unproductive job of removing the FPs at their end.
There are two approaches to dealing with FPs in Qualys WAS. The appropriate approach can be chosen based on the application's requirements.
Qualys Identifiers (QID)
In Qualys, each vulnerability is tracked by a Qualys Identifier (QID). Hence, excluding a vulnerability means excluding the specific QID. The screenshot below depicts a Qualys WAS scan with its listed vulnerabilities.
Let’s consider a vulnerability with QID-150084 as false positive (highlighted in Screenshot 2) for the scanned application. We would like this vulnerability not to show up in future reports/scans.
Solution 1: Removing FP from subsequent scans (Using Option Profile)
To suppress this vulnerability in subsequent scans, launch a new scan (Screenshot 3).
In the scan settings, follow the steps below:
- Create an Option profile.
- After creating the option profile, in Detection Scope of Option Profile, create a Custom search list (as shown in Screenshot 4).
- Add the QID that was identified as a false positive after the first scan to the search list (150084) and give the search list a name. In this case, IVD exclude is the search list name.
Once the setting is done, launch the scan with the created option profile included (as shown in Screenshot 5).
Review the scan settings to check whether the Option profile is included before the scan starts (as shown in Screenshot 6).
Verifying whether the QID-150084 is ignored in subsequent scans
Check the vulnerability results after the new scan is completed and verify that QID-150084, which was considered a false positive, is not present in the vulnerability list of the next scan's results (as shown in Screenshot 7).
This can be confirmed in the scan report also (as shown in Screenshot 8).
Solution 2: Ignore FP from Detection List
After the scan has finished, go to the Web Application, click on the Quick Actions menu and select Find Detections (as shown in Screenshot 9).
Search for the QID that is regarded as a false positive, click on the Quick Actions menu and then Ignore (as shown in Screenshot 10).
A popup window appears asking you to confirm that the vulnerability is a false positive (as shown in Screenshot 11).
After clicking on OK, the vulnerability is marked as false positive (as shown in Screenshot 12).
What happens next?
The ignored detection's status label is grayed out in the current report and in the detection list. By default, the detection will not appear in future reports on the same web application or scan.
Who has permission to ignore detections?
WAS user roles and permissions determine whether a user may ignore detections. To ignore detections, the WAS remediation permission "Ignore findings" must be granted to the user's role.
How to display ignored detections in reports?
Create a web application report or scan report, click Edit in the report header, go to Filters, scroll to Remediation Filters and select one of the "include" options.
How to reactivate an ignored detection?
Navigate to the details of the vulnerability or sensitive content and click the "Reactivate" link. The detection will no longer be ignored in reports on that web application, and the status will no longer be grayed out in the Detections list.
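The two solutions differ in scope: the option-profile search list (Solution 1) removes the QID from the scan entirely, while Ignore (Solution 2) marks one detection instance on one URL. The following added example, which is not part of the original article and not Qualys code, checks a detection export for both outcomes; the CSV layout and the rows in it are constructed for illustration and do not represent the real Qualys export format.

```python
import csv
import io

# Constructed sample of a WAS detection export (not real Qualys output):
# one row per detection with the QID, the URL it was found on and its status.
SAMPLE_EXPORT = """QID,Title,URL,Status
150084,Example finding,https://app.example.com/search,Ignored
150084,Example finding,https://app.example.com/login,Active
150022,Other finding,https://app.example.com/,Active
"""


def load_detections(text):
    """Parse the export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def check_excluded_qids(rows, excluded_qids):
    """Solution 1 check: a QID on the option-profile search list must not
    appear at all in a scan run with that profile. Returns offending rows,
    so a non-empty result means the profile was not applied to the scan."""
    return [r for r in rows if r["QID"] in excluded_qids]


def check_ignored_instances(rows, qid, ignored_urls):
    """Solution 2 check: only the detection instances that were ignored
    should carry the Ignored status; the same QID on any other URL must
    stay Active, otherwise a true positive may have been suppressed.
    Returns (url, actual_status, expected_status) for each mismatch."""
    problems = []
    for r in rows:
        if r["QID"] != qid:
            continue
        expected = "Ignored" if r["URL"] in ignored_urls else "Active"
        if r["Status"] != expected:
            problems.append((r["URL"], r["Status"], expected))
    return problems


if __name__ == "__main__":
    rows = load_detections(SAMPLE_EXPORT)
    print("still present:", check_excluded_qids(rows, {"150084"}))
    print("status mismatches:",
          check_ignored_instances(rows, "150084",
                                  {"https://app.example.com/search"}))
```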
Authored By - Vikash Anand Patnaik
TCS Cyber Security Practice