Frequently asked questions
We have listed the most common questions about our security scans for you below. If you cannot find the answer to your question, please let us know by filling in our contact form.
For our penetration test (also called a pentest) we perform advanced automated Web Application and Network scans, as well as thorough manual checks. It simulates a cyber-attack to show where a hacker might be able to exploit your systems. Our ethical hackers use the same advanced automated and thorough manual tests as malicious hackers to find dangerous vulnerabilities in web applications.
The Penetration Testing Execution Standard (PTES) is a comprehensive framework of guidelines, procedures and techniques for conducting and managing penetration testing activities. This standard methodology was created to address the need for a consistent and structured approach to penetration testing, with the goal of producing consistent and reliable results.
The PTES standard consists of seven phases: planning and scoping, information gathering, threat modelling, vulnerability identification, exploitation, post-exploitation and reporting, all explained below.
- Planning – The preparation phase for the pentest.
- Information gathering – In this phase information about the target system is gathered.
- Threat modelling – This is a procedure for optimising application, system or business process security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent or mitigate the effects of threats to the system.
- Vulnerability analysis – This phase discovers and validates vulnerabilities.
- Exploitation – In this phase the testers try to exploit the previously identified and validated vulnerabilities.
- Post-exploitation – In this phase the testers maintain control over the compromised system and collect data.
- Reporting – A detailed analysis of an organisation’s technical security risks that covers many facets of an organisation’s security posture, such as vulnerabilities, high-low priority concerns, and suggested remediations.
We can perform a Vulnerability Pentest (according to PTES), Infrastructure Pentest (internal and external), WIFI and LAN access test, API test, App endpoint test, Phishing test, and Code review/App analysis. Together we determine your goals up front to maximise the information you gain from our tests.
For more information and pricing: https://forus-p.com/en/pentests/
Forus-P considers Magento v1.* a high risk because Magento version 1.* has no longer been supported since June 2020. This can leave dangerous vulnerabilities in the website.
You may have upgraded your website to Magento v2. Or maybe your website is now running on another platform. When this has been done well before next year’s scan, feel free to request a rescan from us. For this, you can send an email to email@example.com.
For Thuiswinkel and BeCommerce members ‘risk temporarily accepted’ means that a website that runs on Magento v1.* is listed as unsafe in our system, but temporarily approved for the certification. This only applies until the next scan. We are aware that switching to Magento v2 or another platform takes time. This gives you the opportunity to arrange this. We do, of course, recommend that you do this as soon as possible. And in any case, install all available patches in the meantime.
Having a subscription to MageOne and installing all patches available for Magento v1.* is an absolute must. This can prevent many issues. Unfortunately, we cannot automatically check whether all patches have been installed correctly. In addition, it is possible that there are still vulnerabilities for which no patch is available. That is why it is important to switch to Magento v2 or another platform as soon as possible.
However, we are aware that this can be a long process. To avoid many manual checks, for the Thuiswinkel and BeCommerce certification, it has been decided to mark all Magento version 1 installations as unsafe, but to approve the scan until next year.
It is important to change to Magento v2 or another platform as soon as possible. In the meantime make sure to install all patches of MageOne. This is to prevent issues that may otherwise occur.
After the scan
Is a rescan necessary after solving vulnerabilities or can we check it ourselves?
Yes, the website must be scanned again. New vulnerabilities may have emerged in the meantime. Without a new scan we cannot report the website as safe.
If the previous scan was a while ago, it could happen that a new scan reports new issues. This may be because changes have been made in the meantime, for example by updating a plugin. Hackers are also continuously developing new ways to attack websites. These new vulnerabilities are regularly added to our scanner.
For security reasons, the reports can only be downloaded for 7 days. You can request a new report by sending an email to firstname.lastname@example.org.
With a secure website you can place our ForusP Secure logo on your website, but only if your website is scanned by us at least once a month and identified vulnerabilities are resolved within 30 days. Our secure logo can inspire more trust among your (potential) customers and achieve a higher conversion rate. Detailed information can be found on: https://forus-p.com/en/veiligheid-seal/.
You will receive an email from email@example.com with a download link to your secured report. For security reasons we will send the personal password in a separate email. If you haven’t received our email, please first check your spam. No password? Email us at firstname.lastname@example.org for help.
During the scan our scanner will try to fill out all forms (including order forms). This test can generate an extreme amount of email traffic. If it does, that means your website allows this without limitation, and if we can cause this much traffic, so can someone else!
To prevent these so-called “mail bombs” you can take the following precautions before the scan takes place:
- Any emails/orders from the email address “email@example.com” can be deleted or blocked on your mail server, for instance by blacklisting this email address.
- We recommend placing additional security on all available forms. Google reCaptcha is the most commonly used solution for this.
High risk vulnerabilities need to be fixed as soon as possible. This is mandatory for Thuiswinkel and BeCommerce certification. To increase the security of your website, we also recommend solving any medium and low risks.
We will ask you to resolve all high risk vulnerabilities as soon as possible. Please keep in mind that hackers will not ignore the rest. After resolving the issues you can request a rescan. If you are a member of Thuiswinkel and/or BeCommerce this is required to pass the certification. You can send your rescan request to firstname.lastname@example.org.
During the scan
We will place orders, but not if we need to pay for them directly. Afterpay orders can be placed automatically, for example, but orders that need to be paid for outside the domain or that need manual actions (such as iDEAL or PayPal) will not be completed. You can recognise the scanner’s orders (usually large and strange orders) by the account veiligheidsscan using the email address “email@example.com”.
Yes, it can. The scanner will cause higher traffic than normal, but this is only noticeable if you are using a low capacity (shared) server.
The scan can run up to 25 hours, depending on the size and complexity of your website.
You can submit your own security report (for example a pentest report) which must include the scan date, who performed the scan and a short summary that shows no high risk issues were found. We would like to point out that we have been known to find high risk issues even though a pentest did not identify them.
A firewall will most likely categorise our scanner as a bot and block it. A hacker can often find and abuse vulnerabilities manually. A firewall can help prevent some attacks (automated and manual), but certainly not all. There are plenty of vulnerabilities that can be exploited despite the intervention of a firewall.
Whitelisting our IP-range can be done temporarily for the duration of the scan. You can always contact us to agree on a specific date/start time by sending an email to firstname.lastname@example.org.
Our scanner needs to be able to log in automatically. This will allow us to scan everything behind the login. It is important, especially since this is usually where personal data is stored. Any reCaptchas on forms can remain in place, just not the reCaptcha used for the login. You can either disable this specific reCaptcha for the duration of the scan (max. 25 hours) or you can whitelist the IP range of our scanner for that specific reCaptcha (184.108.40.206/24 (220.127.116.11-18.104.22.168) 2001:1478:1100:4000::/64).
Sites are often truly identical when using a language module. If there are multiple copies of a site (even just for language), small differences can occur, for example by using different plugins. A difference can also occur because an update was not performed on all sites. Any vulnerabilities will always need to be fixed on all sites.
We will perform the security scan on the entire website. It is important to include subdomains, especially if there is a direct link from the main website. Vulnerabilities can be found just as easily on subdomains.
We will perform the security scan on the entire website. The login is important as vulnerabilities are often found behind the login and can be abused by hackers.
Because test environments often cause issues and slight differences, we prefer to scan on live websites.
For Thuiswinkel members we will only scan live environments. If this is not possible, please contact Thuiswinkel.
No, you cannot. Our scanner needs up to 25 hours to complete a scan. With a time limit there is a high probability that the scan will not be performed in full and will miss possible vulnerabilities. Basically, we cannot guarantee the quality of the scan when a time limit is in place.
Yes, you can. We can start scans 24/7.
To make sure the scan will run without issues, the following needs to have been arranged:
- To prevent our scanner from getting blocked during the scan, our entire IP range 22.214.171.124/24 (126.96.36.199-188.8.131.52) 2001:1478:1100:4000::/64 needs to be whitelisted. Our scanner will use a random IP-address from this range for the scan. Our user agent can be recognised by the word “ForusP”.
- If you have pages behind a login that is protected by a reCaptcha, you will need to disable this reCaptcha during the scan (max. 25 hours) or you can whitelist the IP-addresses for our scanner. Any other reCaptchas do not need to be disabled. It is extremely important for us to be able to scan behind the login, especially when personal data is stored.
- Lots of emails and/or orders from our email account email@example.com means your website will allow this without restriction. And if we can cause this, anyone else can as well! A reCaptcha on all forms and/or a redirect/blacklisting on your mail server can help prevent this.
- Please check the backup procedure of your site before we execute the scan.
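To tell the scanner’s traffic apart from everything else in your access log (for the firewall whitelist and the login reCaptcha exception above), here is an added example that is not Forus-P’s own code: it takes the IP ranges and the “ForusP” user-agent word as listed above and classifies a few constructed log lines; the log layout and sample lines are assumptions, and a user agent that claims to be the scanner from an address outside the ranges is deliberately not exempted.

```python
import ipaddress
import re

# Scanner source ranges as listed in the FAQ; check them against your scan announcement.
SCANNER_NETWORKS = [
    ipaddress.ip_network("22.214.171.124/24", strict=False),
    ipaddress.ip_network("2001:1478:1100:4000::/64"),
]
SCANNER_UA_MARKER = "ForusP"  # the word the FAQ says identifies the scanner's user agent
# Assumed combined access-log layout: <ip> - - [<time>] "<request>" <status> <bytes> "<referer>" "<ua>"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def is_scanner_ip(ip: str) -> bool:
    """True if the address falls inside one of the whitelisted scanner ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in SCANNER_NETWORKS)

def classify_request(ip: str, user_agent: str) -> str:
    """'scanner' needs both the source range and the UA marker; a UA claiming to be
    the scanner from any other address is 'spoofed-ua' and gets no exemption."""
    from_range = is_scanner_ip(ip)
    claims_scanner = SCANNER_UA_MARKER in user_agent
    if from_range and claims_scanner:
        return "scanner"
    if claims_scanner:
        return "spoofed-ua"
    return "other"

def classify_log(lines):
    """Count requests per class over raw access-log lines; unparsable lines are counted too."""
    counts = {"scanner": 0, "spoofed-ua": 0, "other": 0, "unparsed": 0}
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            counts["unparsed"] += 1
        else:
            counts[classify_request(m.group("ip"), m.group("ua"))] += 1
    return counts

# Constructed sample lines (not real traffic); the non-scanner addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '22.214.171.77 - - [10/Mar/2024:02:14:05 +0100] "GET /checkout HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; ForusP scanner)"',
    '2001:1478:1100:4000::1a - - [10/Mar/2024:02:14:06 +0100] "POST /contact HTTP/1.1" 302 0 "-" "ForusP/1.0"',
    '203.0.113.9 - - [10/Mar/2024:02:15:40 +0100] "GET /admin HTTP/1.1" 403 120 "-" "ForusP"',
    '198.51.100.23 - - [10/Mar/2024:02:16:01 +0100] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    "not a log line",
]
```

Only the "scanner" class should receive the temporary firewall and reCaptcha exemptions; the "spoofed-ua" count is worth watching after the scan window closes.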
To perform an effective scan and to limit problems during the scan, extensive preparation is necessary. After sending you the scan announcement, we start mapping out the website and testing the automatic login with the scanner (if there is a customer account on your website). Preparations can cause a small increase in traffic on your website. The actual scan will be performed in the announced week (or on the agreed date).
The estimated peak bandwidth value is not known exactly. Our supplier Qualys says: ‘The scan performance is optimised for medium bandwidth use’.
Our scanner sends a maximum of 4 requests at a time with 400 milliseconds artificial sleep time before issuing the next request. If you are using a low capacity shared server we can decrease the scan intensity.
Our user agent can be recognised by the word “ForusP”.
The scanner uses a random IP address from the following range: 184.108.40.206/24 (220.127.116.11-18.104.22.168) 2001:1478:1100:4000::/64.
How does the scan work?
Our security scan can cause more network traffic than normal, but it is usually only noticeable when using a shared server. The scan can run up to 25 hours and the increased traffic can be noticed mostly in the beginning of the scan when our scanner is indexing the pages.
If you would like to monitor the scan you can request a specific date/start time with us. We can start a scan 24/7. If there are any performance problems, please contact us directly so that we can stop the scan. You can also block our IP address in that case, but please inform us if you choose to do this.
Our scanner searches for known vulnerabilities (including the OWASP Top10) by trying out different pieces of code on forms and pages. These codes can result in actions that can be abused by hackers to steal or manipulate data. Our scanner does not execute any malicious actions, but will report these as a vulnerability. We will only test the software of the web application on the submitted domain, including subdomains.
We perform our Web Application Scan (WAS) with QualysGuard. Our scans are prepared manually and after the scan we perform a manual check before sending the report. This is not a pentest. A pentest is partly performed manually and is many times more extensive.