Frequently Asked Questions

Security scans

Penetration tests

How does the scan work?

Is your scan a pentest?

We perform our Web Application Scan (WAS) with QualysGuard. Our scans are prepared manually and after the scan we perform a manual check before sending the report. This is not a pentest. A pentest is partly performed manually and is many times more extensive.

How does the security scan work?

Our scanner searches for known vulnerabilities (including the OWASP Top 10) by submitting different test inputs to forms and pages. These inputs can trigger behaviour that hackers could abuse to steal or manipulate data. Our scanner does not execute any malicious actions, but will report such behaviour as a vulnerability. We only test the software of the web application on the submitted domain, including its subdomains.

Will your scan result in high traffic on my site?

Our security scan can cause more network traffic than normal, but it is usually only noticeable when using a shared server. The scan can run up to 25 hours and the increased traffic can be noticed mostly in the beginning of the scan when our scanner is indexing the pages.

If you would like to monitor the scan you can request a specific date/start time with us. We can start a scan 24/7. If there are any performance problems, please contact us directly so that we can stop the scan. You can also block our IP address in that case, but please inform us if you choose to do this.

Preparations

How do you prepare for a scan?

To perform an effective scan and to limit problems during the scan, extensive preparation is necessary. After sending you the scan announcement, we start mapping out the website and, if there is a customer account on your website, testing the automatic login with the scanner. Preparations can cause a small increase in traffic on your website. The actual scan will be performed in the announced week (or on the agreed date).

Which preparations should I be taking?

To make sure the scan will run without issues, the following needs to have been arranged:

  • To prevent our scanner from getting blocked during the scan, our IP addresses need to be whitelisted: 144.24.249.196, 132.226.222.205 and 154.16.73.227. Our scanner will use one of these addresses, chosen at random, for the scan. Our user agent can be recognised by the word “ForusP”.
  • If you have pages behind a login that is protected by a reCaptcha, you will need to disable this reCaptcha during the scan (max. 25 hours) or you can whitelist the IP-addresses for our scanner. Any other reCaptchas do not need to be disabled. It is extremely important for us to be able to scan behind the login, especially when personal data is stored.
  • A large number of emails and/or orders from our email account veiligheidsscan@forus-p.nl means your website allows this without restriction. And if we can cause this, anyone else can as well! A reCaptcha on all forms and/or a redirect/blacklisting on your mail server can help prevent this.
  • Please check the backup procedure of your site before we execute the scan.

Can I ask for a specific scan date and/or start time?

Yes, you can. We can start scans 24/7.

Can I ask for a time limit?

No, you cannot. Our scanner needs up to 25 hours to complete a scan. With a time limit in place there is a high probability that the scan will not be performed in full and will miss possible vulnerabilities. In short, we cannot guarantee the quality of the scan when a time limit is in place.

Can the scan be performed on a test environment?

Because test environments often cause issues and slight differences, we prefer to scan on live websites.

For Thuiswinkel members we will only scan live environments. If this is not possible, please contact Thuiswinkel.

Can you scan without the login?

We will perform the security scan on the entire website. The login is important as vulnerabilities are often found behind the login and can be abused by hackers.

Can you exclude a subdomain?

We will perform the security scan on the entire website. It is important to include subdomains, especially if there is a direct link from the main website. Vulnerabilities can be found just as easily on subdomains.

I have multiple identical sites on the same server; do they all need to be scanned?

Sites are often truly identical when using a language module. If there are multiple copies of a site (even just for language), small differences can occur, for example by using different plugins. A difference can also occur because an update was not performed on all sites. Any vulnerabilities will always need to be fixed on all sites.

Why do I have to disable the Captcha on the login page?

Our scanner needs to be able to log in automatically. This will allow us to scan everything behind the login. It is important, especially since this is usually where personal data is stored. Any Captchas on forms can remain in place, just not the Captcha used for the login. You can either disable this specific reCaptcha for the duration of the scan (max. 25 hours) or you can whitelist the IP addresses of our scanner for that specific Captcha (144.24.249.196 and 132.226.222.205 and 154.16.73.227).

Why is our firewall (an important part of our security) being bypassed?

A firewall will most likely categorise our scanner as a bot and block us. A hacker can often find and abuse vulnerabilities manually. A firewall can help prevent some attacks (automated and manual), but certainly not all. There are plenty of vulnerabilities that can be exploited despite the intervention of a firewall.

Whitelisting our IP-range can be done temporarily for the duration of the scan. You can always contact us to agree on a specific date/start time by sending an email to support@forus-p.com.

We check the security of our website on a regular basis: is your scan necessary?

You can submit your own security report (for example a pentest report) which must include the scan date, who performed the scan and a short summary that shows no high risk issues were found. We would like to point out that we have been known to find high risk issues even though a pentest did not identify them.

During the scan

How long will the scan take?

The scan can run up to 25 hours, depending on the size and complexity of your website.

Can the website remain operational during the scan?

Yes, it can. The scanner will cause higher traffic than normal, but this is only noticeable if you are using a low-capacity (shared) server.

Will the scanner place any orders?

We will place orders, but not if we need to pay for them directly. Afterpay orders can be placed automatically, for example, but orders that need to be paid for outside the domain or that need manual actions (such as iDEAL or PayPal) will not be completed. You can recognise the scanner’s orders (usually large and strange orders) by the account veiligheidsscan using the email address “veiligheidsscan@forus-p.nl”.

Will the scan collect, store or ask for personal data?

No, it does not, but further information can be found in our privacy policy: https://forus-p.com/en/privacypolicy/.

Technical

Which IP-addresses does the scanner use?

The scanner uses one of the following IP addresses:

  • 144.24.249.196
  • 132.226.222.205
  • 154.16.73.227

Which user-agents does the scanner use?

Our user agent can be recognised by the word “ForusP”.

What is the estimated Peak Traffic value (in RPS) during the scan?

Our scanner sends a maximum of 4 requests at a time, with an artificial sleep of 400 milliseconds before issuing the next request. If you are using a low-capacity shared server, we can decrease the scan intensity.

What is the Peak Bandwidth value (in Gbps) during the scan?

The estimated Peak Bandwidth value is not known exactly. Our supplier Qualys says: ‘The scan performance is optimised for medium bandwidth use’.
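The three IP addresses, the “ForusP” user-agent marker and the request rate above are what a site operator needs in order to recognise the scan in their own access logs. The following Python script is an added example, not Forus-P’s code: it classifies constructed combined-format log lines by scanner IP or user agent, flags a “ForusP” user agent coming from an unlisted IP (the user-agent string is spoofable, so whitelisting should be done by IP and such lines reviewed), and reports the scanner’s peak requests per second so the observed load can be compared with the stated 4 parallel requests and 400 ms pause. It assumes the Apache/nginx “combined” log format.

```python
import re
from collections import Counter
from datetime import datetime

# Scanner identifiers as stated in this FAQ.
SCANNER_IPS = {"144.24.249.196", "132.226.222.205", "154.16.73.227"}
SCANNER_UA_MARKER = "ForusP"

# Assumes the common Apache/nginx "combined" access-log format; adapt if yours differs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    # Return {'ip', 'ts', 'ua'} for one log line, or None if the line does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry

def classify(entry):
    """'scanner': listed scanner IP. 'ua_only': ForusP user agent from an unlisted IP
    (user agents are trivially spoofable: whitelist by IP, review these). 'other': rest."""
    if entry["ip"] in SCANNER_IPS:
        return "scanner"
    if SCANNER_UA_MARKER in entry["ua"]:
        return "ua_only"
    return "other"

def scanner_stats(lines):
    """Count requests per class and the scanner's peak requests per second."""
    counts, per_second = Counter(), Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparsable line, ignored
        kind = classify(entry)
        counts[kind] += 1
        if kind == "scanner":
            per_second[entry["ts"]] += 1  # timestamps have one-second resolution
    return {"scanner": counts["scanner"], "ua_only": counts["ua_only"],
            "other": counts["other"], "peak_rps": max(per_second.values(), default=0)}

# Constructed sample lines (not real traffic) in combined-log format.
SAMPLE_LOG = """\
144.24.249.196 - - [10/Mar/2024:02:15:01 +0100] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; ForusP)"
144.24.249.196 - - [10/Mar/2024:02:15:01 +0100] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; ForusP)"
154.16.73.227 - - [10/Mar/2024:02:15:02 +0100] "GET /account HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; ForusP)"
203.0.113.7 - - [10/Mar/2024:02:15:02 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:02:15:03 +0100] "GET /search?q=x HTTP/1.1" 200 900 "-" "curl/8.0 ForusP"
""".splitlines()
```

Run `scanner_stats(open("/var/log/nginx/access.log").read().splitlines())` on a real log to see the same figures for an actual scan window.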

After the scan

What should I do when the scan result is unsafe?

We will ask you to resolve all high risk vulnerabilities as soon as possible. Please keep in mind that hackers will not ignore the rest. After resolving the issues you can request a rescan. If you are a member of Thuiswinkel and/or BeCommerce this is required to pass the certification. You can send your rescan request to support@forus-p.com.

Do I have to resolve all vulnerabilities?

High risk vulnerabilities need to be fixed as soon as possible. This is mandatory for Thuiswinkel and BeCommerce certification. To increase the security of your website, we also recommend solving any medium and low risks.

Why did I receive so many emails (or orders) and what can I do to prevent this?

During the scan our scanner will try to fill out all forms (including order forms). This test can cause an extreme amount of email traffic. If it does, your website allows this without limitation. And if we can cause this much traffic, so can someone else!

To prevent these so-called “mail bombs” you can take the following precautions before the scan takes place:

  • Any emails/orders from the email address “veiligheidsscan@forus-p.nl” can be deleted or blocked on your mail server, for instance by blacklisting this email address.
  • We recommend placing additional security on all available forms. Google reCaptcha is the most commonly used solution for this.

I received the report, but can I get a password?

You will receive an email from qualys@qualys.net with a download link to your secured report. For security reasons we will send the personal password in a separate email. If you haven’t received our email, please first check your spam. No password? Email us at support@forus-p.com for help.

My password isn’t working. Why can’t I open the report?

For security reasons, the reports can only be downloaded for 7 days. You can request a new report by sending an email to support@forus-p.com.

Can I use the ForusP Secure logo on my website?

With a secure website you can place our ForusP Secure logo on your website, but only if your website is scanned by us at least once a month and identified vulnerabilities are resolved within 30 days. Our secure logo can inspire more trust among your (potential) customers and achieve a higher conversion rate. Detailed information can be found at: https://forus-p.com/en/secure-logo

Why are vulnerabilities found in this scan and not in the previous one?

If the previous scan was a while ago, it could happen that a new scan reports new issues. This may be because changes have been made in the meantime, for example by updating a plugin. Hackers are also continuously developing new ways to attack websites. These new vulnerabilities are regularly added to our scanner.

Is a rescan necessary after solving vulnerabilities or can we check it ourselves?

Yes, the website must be scanned again. New vulnerabilities may have emerged in the meantime. If we do not run the scan again, we will never be able to give a safe result.

Magento

Why is Magento v1.* considered a high risk?

Forus-P considers Magento v1.* a high risk because, since June 2020, Magento version 1.* is no longer supported. Unsupported software no longer receives security fixes, so dangerous vulnerabilities can remain in the website.

What should I do when my website uses Magento v2?

You may have upgraded your website to Magento v2. Or maybe your website is now running on another platform. When this has been done well before next year’s scan, feel free to request a rescan from us. For this, you can send an email to support@forus-p.com.

Will my website be safe when all patches are installed?

Having a subscription to MageOne and installing all patches available for Magento v1.* is an absolute must. This can prevent many issues. Unfortunately, we cannot automatically check whether all patches have been installed correctly. In addition, it is possible that there are still vulnerabilities for which no patch is available. That is why it is important to switch to Magento v2 or another platform as soon as possible.

However, we are aware that this can be a long process. To avoid many manual checks, for the Thuiswinkel and BeCommerce certification, it has been decided to mark all Magento version 1 installations as unsafe, but to approve the scan until next year.

What does ‘risk temporarily accepted’ mean for the Thuiswinkel and/or BeCommerce certification?

For Thuiswinkel and BeCommerce members ‘risk temporarily accepted’ means that a website that runs on Magento v1.* is listed as unsafe in our system, but temporarily approved for the certification. This only applies until the next scan. We are aware that switching to Magento v2 or another platform takes time. This gives you the opportunity to arrange this. We do, of course, recommend that you do this as soon as possible. And in any case, install all available patches in the meantime.

What should I do when my website uses Magento v1.*?

It is important to change to Magento v2 or another platform as soon as possible. In the meantime, make sure to install all MageOne patches. This is to prevent issues that may otherwise occur.

All Questions

What is a penetration test?

For our penetration test (also called a pentest) we perform advanced automated Web Application and Network scans, as well as thorough manual checks. It simulates a cyber-attack to prove where a hacker might be able to exploit systems. Our ethical hackers use advanced automated and thorough manual tests as malicious hackers do to find dangerous vulnerabilities in web applications.

What is The Penetration Testing Execution Standard (PTES)?

The Penetration Testing Execution Standard (PTES) is a comprehensive framework of guidelines, procedures and techniques for conducting and managing penetration testing activities. This standard methodology was created to address the need for a consistent and structured approach to penetration testing, with the goal of producing consistent and reliable results.

The PTES standard consists of seven phases, namely planning and scoping, information gathering, threat modelling, vulnerability analysis, exploitation, post-exploitation and reporting, all explained below.

  1. Planning – The preparation phase for the pentest.
  2. Information gathering – In this phase information about the target system is gathered.
  3. Threat modelling – This is a procedure for optimising application, system or business process security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent or mitigate the effects of threats to the system.
  4. Vulnerability analysis – This phase discovers and validates vulnerabilities.
  5. Exploitation – In this phase the testers try to exploit the previously identified and validated vulnerabilities.
  6. Post-exploitation – This phase maintains control over the target system and collects data.
  7. Reporting – A detailed analysis of an organisation’s technical security risks that covers many facets of an organisation’s security posture, such as vulnerabilities, high-low priority concerns, and suggested remediations.

What types of pentests do you do?

We can perform a Vulnerability Pentest (according to PTES), Infrastructure Pentest (internal and external), WIFI and LAN access test, API test, App endpoint test, Phishing test, and Code review/App analysis. Together we determine your goals up front to maximise the information you gain from our tests.

For more information and pricing: https://forus-p.com/en/pentests/

INTERESTED OR NEED ADVICE?

Are you interested in one of our services? Fill out your contact details and we will contact you within 24 hours on business days. For security reasons we store the minimum amount of personal information. We prefer to contact you for more information.

We will only use your personal information for the intended purpose. Please read our privacy policy for more information.