Frequently asked questions
We have listed the most common questions about our security scans for you below. If you cannot find the answer to your question, please let us know by filling in our contact form.
How does the scan work?
We perform our Web Application Scan (WAS) with QualysGuard. This is not a pentest. A pentest is partly performed manually and is many times more extensive. Our scans are prepared manually and after the scan we perform a manual check before sending the report.
Our scanner searches for known vulnerabilities (including the OWASP Top10) by trying out different pieces of code on forms and pages. These codes can result in actions that can be abused by hackers to steal or manipulate data. Our scanner does not execute any malicious actions, but will report these as a vulnerability. We will only test the software of the web application on the submitted domain, including subdomains.
Our security scan can cause more network traffic than normal, but it is usually only noticeable when using a shared server. The scan can run up to 25 hours and the increased traffic can be noticed mostly in the beginning of the scan when our scanner is indexing the pages.
If you would like to monitor the scan you can request a specific date/start time with us. We can start a scan 24/7. If there are any performance problems, please contact us directly so that we can stop the scan. You can also block our IP address in that case, but please inform us if you choose to do this.
The scanner uses a random IP address from the following range: 220.127.116.11/24 (18.104.22.168-22.214.171.124) 2001:1478:1100:4000::/64.
Our user agent can be recognised by the word “ForusP”.
Our scanner sends a maximum of 4 requests at a time with 400 milliseconds artificial sleep time before issuing the next request. If you are using a low capacity shared server we can decrease the scan intensity.
The estimated Peak Bandwidth value is not known exactly. Our supplier Qualys says: The scan performance is optimised for medium bandwidth use’.
To perform an effective scan and to limit problems during the scan, extensive preparation is necessary. After sending you the scan announcement, we start mapping out the website and testing to log in automatically using the scanner (if there is a customer account on your website). Preparations can cause a small increase in traffic on your website. The actual scan will be performed in the announced week (or agreed upon date).
To make sure the scan will run without issues, the following needs to have been arranged:
- To prevent our scanner from getting blocked during the scan, our entire IP range 126.96.36.199/24 (188.8.131.52-184.108.40.206) 2001:1478:1100:4000::/64 needs to be whitelisted. Our scanner will use a random IP-address from this range for the scan. Our user agent can be recognised by the word “ForusP”.
- If you have pages behind a login that is protected by a reCaptcha, you will need to disable this reCaptcha during the scan (max. 25 hours) or you can whitelist the IP-addresses for our scanner. Any other reCaptchas do not need to be disabled. It is extremely important for us to be able to scan behind the login, especially when personal data is stored.
- Lots of emails and/or orders from our email account email@example.com means your website will allow this without restriction. And if we can cause this, anyone else can as well! A reCaptcha on all forms and/or a redirect/blacklisting on your mail server can help prevent this.
- Please check the backup procedure of your site before we execute the scan.
Yes you can. We can start scans 24/7.
No you cannot. Our scanner needs up to 25 hours to complete a scan. By using a time limit there is a high probability the scan will not be performed in full and will miss possible vulnerabilities. Basically we cannot guarantee the quality of the scan when a time limit is in place.
Because test environments often cause issues and slight differences, we prefer to scan on live websites.
For Thuiswinkel members we will only scan live environments. If this is not possible, please contact Thuiswinkel.
We will perform the security scan on the entire website. Including the login is very important since vulnerabilities are often found behind the login and can be abused by hackers.
We will perform the security scan on the entire website. It is important to include subdomains, especially if there is a direct link from the main website. Vulnerabilities can be found just as easily on subdomains.
Sites are often truly identical when using a language module. If there are multiple copies of a site (even just for language), small differences can occur, for example by using different plugins. A difference can also occur because an update was not performed on all sites. Any vulnerabilities will always need to be fixed on all sites.
Our scanner needs to be able to log in automatically. This will allow us to scan everything behind the login. It is important, especially since this is usually where personal data is stored. Any reCaptchas on forms can remain in place, just not the reCaptcha used for the login. You can either disable this specific reCaptcha for the duration of the scan (max. 25 hours) or you can whitelist the IP range of our scanner for that specific reCaptcha (220.127.116.11/24 (18.104.22.168-22.214.171.124) 2001:1478:1100:4000::/64).
A firewall will most likely categorise our scanner as a bot and will block us. A hacker can often find and abuse vulnerabilities manually. A firewall can help prevent some attacks (automatic and manual) but certainly not all. There are plenty of vulnerabilities that can be exploited within the intervention of a firewall.
Whitelisting our IP-range can be done temporarily for the duration of the scan. You can always contact us to agree on a specific date/start time by sending an email to firstname.lastname@example.org.
You can submit your own security report (for example a pentest report) which must include the scan date, who performed the scan and a short summary that shows no high risk issues were found. We would like to point out that we have been known to find high risk issues even though a pentest did not identify them.
During the scan
The scan can run up to 25 hours, depending on the size and complexity of your website.
Yes it can. The scanner will cause higher traffic than normal, but this is only noticeable if you are using a low capacity (shared) server.
We will place orders, but not if we need to pay for them directly. Afterpay orders can be placed automatically for example, but orders that need to be paid for outside the domain or need manual actions (such as Ideal or Paypal) will not be completed. You can recognise the scanner’s orders (usually large and strange orders) by the account veiligheidsscan using the email address “email@example.com”.
No, extensive information can be found here: https://forus-p.com/en/privacy-policy/.
After the scan
We will ask you to resolve all high risk vulnerabilities as soon as possible. Please keep in mind that hackers will not ignore the rest. After resolving the issues you can request a rescan. If you are a member of Thuiswinkel and/or BeCommerce this is required to pass the certification. You can send your rescan request to firstname.lastname@example.org.
High risk vulnerabilities need to be fixed as soon as possible. This is mandatory for Thuiswinkel and BeCommerce certification. To increase the security of your website, we also recommend solving any medium and low risks.
During the scan our scanner will try to fill out all forms (including order forms). This test can cause an extreme amount of email traffic. This means your website allows this without limitation. And if we can cause this much traffic, so can anyone else!
To prevent these so called “mail bombs” you can take the following precautions before the scan takes place:
- Any emails/orders from the email adres “email@example.com” can be deleted or blocked on your mail server, for instance by blacklisting this email address.
- We recommend placing additional security on all available forms. Google reCaptcha is the most commonly used solution for this.
You will receive an email from firstname.lastname@example.org with a download link to your secured report. For security reasons we will send the personal password in a separate email. If you haven’t received our email, please first check your spam. No password? Email us at email@example.com for help.
With a secure website you can place our ForusP Secure logo on your website, but only if your website is scanned by us at least once a month and identified vulnerabilities are resolved within 30 days. Our secure logo can inspire more trust among your (potential) customers and achieve a higher conversion rate. Detailed information can be found on: https://forus-p.com/en/veiligheid-seal/.
For security reasons, the reports can only be downloaded for 7 days. You can request a new report by sending an email to firstname.lastname@example.org.
If the previous scan was a while ago, it could happen that a new scan reports new issues. This may be because changes have been made in the meantime, for example by updating a plugin. Hackers are also continuously developing new ways to attack websites. These new vulnerabilities are regularly added to our scanner.
The website must be scanned again. It is not so simple that a specific section can be easily checked by you. New vulnerabilities may also have emerged in the meantime. If we do not run the scan again, we will never be able to give a safe result.
Forus-P considers Magento v1.* a high risk, because, since June 2020, Magento version 1.* is no longer supported. This can cause dangerous vulnerabilities in the website.
It is important to change to Magento v2 or another platform as soon as possible. In the meantime make sure to install all patches of MageOne. This is to prevent issues that may otherwise occur.
Having a subscription to MageOne and installing all patches available for Magento v1.* is an absolute must. This can prevent many issues. Unfortunately, we cannot automatically check whether all patches have been installed correctly. In addition, it is possible that there are still vulnerabilities for which no patch is available. That is why it is important to switch to Magento v2 or another platform as soon as possible.
However, we are aware that this can be a long process. To avoid many manual checks, for the Thuiswinkel and BeCommerce certification, it has been decided to mark all Magento version 1 installations as unsafe, but to approve the scan until next year.
For Thuiswinkel and BeCommerce members ‘risk temporarily accepted’ means that a website that runs on Magento v1.* is listed as unsafe in our system, but temporarily approved for the certification. This only applies until the next scan. We are aware that switching to Magento v2 or another platform takes time. This gives you the opportunity to arrange this. We do, of course, recommend that you do this as soon as possible. And in any case, install all available patches in the meantime.
You may have upgraded your website to Magento v2. Or maybe your website is now running on another platform. When this has been done well before next year’s scan, feel free to request a rescan from us. For this, you can send an email to email@example.com.