How does the scan work?
Our security scan can cause more network traffic than normal, but it is usually only noticeable when using a shared server. The scan can run up to 25 hours and the increased traffic can be noticed mostly in the beginning of the scan when our scanner is indexing the pages.
If you would like to monitor the scan you can request a specific date/start time with us. We can start a scan 24/7. If there are any performance problems, please contact us directly so that we can stop the scan. You can also block our IP address in that case, but please inform us if you choose to do this.
We perform our Web Application Scan (WAS) with QualysGuard. This is not a pentest. A pentest is partly performed manually and is many times more extensive. Our scans are prepared manually and after the scan we perform a manual check before sending the report.
Our scanner searches for known vulnerabilities (including the OWASP Top10) by trying out different pieces of code on forms and pages. These codes can result in actions that can be abused by hackers to steal or manipulate data. Our scanner does not execute any malicious actions, but will report these as a vulnerability. We will only test the software of the web application on the submitted domain, including subdomains.
Our user agent can be recognised by the word “ForusP”.
The scanner uses a random IP address from the following range: 188.8.131.52/24 (184.108.40.206-220.127.116.11) 2001:1478:1100:4000::/64.
The estimated Peak Bandwidth value is not known exactly. Our supplier Qualys says: The scan performance is optimised for medium bandwidth use’.
Our scanner sends a maximum of 4 requests at a time with 400 milliseconds artificial sleep time before issuing the next request. If you are using a low capacity shared server we can decrease the scan intensity.
A firewall will most likely categorise our scanner as a bot and will block us. A hacker can often find and abuse vulnerabilities manually. A firewall can help prevent some attacks (automatic and manual) but certainly not all. There are plenty of vulnerabilities that can be exploited within the intervention of a firewall.
Whitelisting our IP-range can be done temporarily for the duration of the scan. You can always contact us to agree on a specific date/start time by sending an email to firstname.lastname@example.org.
Our scanner needs to be able to log in automatically. This will allow us to scan everything behind the login. It is important, especially since this is usually where personal data is stored. Any reCaptchas on forms can remain in place, just not the reCaptcha used for the login. You can either disable this specific reCaptcha for the duration of the scan (max. 25 hours) or you can whitelist the IP range of our scanner for that specific reCaptcha (18.104.22.168/24 (22.214.171.124-126.96.36.199) 2001:1478:1100:4000::/64).
To make sure the scan will run without issues, the following needs to have been arranged:
- To prevent our scanner from getting blocked during the scan, our entire IP range 188.8.131.52/24 (184.108.40.206-220.127.116.11) 2001:1478:1100:4000::/64 needs to be whitelisted. Our scanner will use a random IP-address from this range for the scan. Our user agent can be recognised by the word “ForusP”.
- If you have pages behind a login that is protected by a reCaptcha, you will need to disable this reCaptcha during the scan (max. 25 hours) or you can whitelist the IP-addresses for our scanner. Any other reCaptchas do not need to be disabled. It is extremely important for us to be able to scan behind the login, especially when personal data is stored.
- Lots of emails and/or orders from our email account email@example.com means your website will allow this without restriction. And if we can cause this, anyone else can as well! A reCaptcha on all forms and/or a redirect/blacklisting on your mail server can help prevent this.
- Please check the backup procedure of your site before we execute the scan.
You can submit your own security report (for example a pentest report) which must include the scan date, who performed the scan and a short summary that shows no high risk issues were found. We would like to point out that we have been known to find high risk issues even though a pentest did not identify them.
Sites are often truly identical when using a language module. If there are multiple copies of a site (even just for language), small differences can occur, for example by using different plugins. A difference can also occur because an update was not performed on all sites. Any vulnerabilities will always need to be fixed on all sites.
To perform an effective scan and to limit problems during the scan, extensive preparation is necessary. After sending you the scan announcement, we start mapping out the website and testing to log in automatically using the scanner (if there is a customer account on your website). Preparations can cause a small increase in traffic on your website. The actual scan will be performed in the announced week (or agreed upon date).
We will perform the security scan on the entire website. Including the login is very important since vulnerabilities are often found behind the login and can be abused by hackers.
We will perform the security scan on the entire website. It is important to include subdomains, especially if there is a direct link from the main website. Vulnerabilities can be found just as easily on subdomains.
Because test environments often cause issues and slight differences, we prefer to scan on live websites.
For Thuiswinkel members we will only scan live environments. If this is not possible, please contact Thuiswinkel.
No you cannot. Our scanner needs up to 25 hours to complete a scan. By using a time limit there is a high probability the scan will not be performed in full and will miss possible vulnerabilities. Basically we cannot guarantee the quality of the scan when a time limit is in place.
Yes you can. We can start scans 24/7.
During the scan
We will place orders, but not if we need to pay for them directly. Afterpay orders can be placed automatically for example, but orders that need to be paid for outside the domain or need manual actions (such as Ideal or Paypal) will not be completed. You can recognise the scanner’s orders (usually large and strange orders) by the account veiligheidsscan using the email address “firstname.lastname@example.org”.
No, extensive information can be found here: https://forus-p.com/en/privacy-policy/.
The scan can run up to 25 hours, depending on the size and complexity of your website.
Yes it can. The scanner will cause higher traffic than normal, but this is only noticeable if you are using a low capacity (shared) server.
After the scan
During the scan our scanner will try to fill out all forms (including order forms). This test can cause an extreme amount of email traffic. This means your website allows this without limitation. And if we can cause this much traffic, so can anyone else!
To prevent these so called “mail bombs” you can take the following precautions before the scan takes place:
- Any emails/orders from the email adres “email@example.com” can be deleted or blocked on your mail server, for instance by blacklisting this email address.
- We recommend placing additional security on all available forms. Google reCaptcha is the most commonly used solution for this.
We will ask you to resolve all high risk vulnerabilities as soon as possible. Please keep in mind that hackers will not ignore the rest. After resolving the issues you can request a rescan. If you are a member of Thuiswinkel and/or BeCommerce this is required to pass the certification. You can send your rescan request to firstname.lastname@example.org.
For security reasons, the reports can only be downloaded for 7 days. You can request a new report by sending an email to email@example.com.
The website must be scanned again. It is not so simple that a specific section can be easily checked by you. New vulnerabilities may also have emerged in the meantime. If we do not run the scan again, we will never be able to give a safe result.
You will receive an email from firstname.lastname@example.org with a download link to your secured report. For security reasons we will send the personal password in a separate email. If you haven’t received our email, please first check your spam. No password? Email us at email@example.com for help.
If the previous scan was a while ago, it could happen that a new scan reports new issues. This may be because changes have been made in the meantime, for example by updating a plugin. Hackers are also continuously developing new ways to attack websites. These new vulnerabilities are regularly added to our scanner.
High risk vulnerabilities need to be fixed as soon as possible. This is mandatory for Thuiswinkel and BeCommerce certification. To increase the security of your website, we also recommend solving any medium and low risks.
With a secure website you can place our ForusP Secure logo on your website, but only if your website is scanned by us at least once a month and identified vulnerabilities are resolved within 30 days. Our secure logo can inspire more trust among your (potential) customers and achieve a higher conversion rate. Detailed information can be found on: https://forus-p.com/en/veiligheid-seal/.