Security testing
Scanit offers penetration tests, vulnerability assessments and web application audits.
Learn ethical hacking.
Scanit offers 5-day training on ethical hacking.
  1. What is a browser?

    A browser is a program that lets you surf the web. Currently the most popular browsers are Microsoft Internet Explorer and Mozilla Firefox.

    A browser runs on your computer. When you type in a URL or click a link, your browser sends a request to the remote server specified in URL. For example, if you surf to www.scanit.be your browser will send a request to Scanit's web server. The web server will send back a reply - usually a web page. Your browser will receive it and show it to you. Sometimes the browser will call other programs to display types of data it doesn't know how to deal with. For example if you click on a link to PDF document your browser will start a program that displays PDF files, for example Adobe Acrobat Reader.

  2. What is a browser bug?

    In programmers slang "bug" is a mistake in a program. Just like everybody else programmers tend to make mistakes. A bug can be a result of a typo (a programmer typed "+" where he should have put "-") or logical mistakes.

    Browsers, just like any other programs have bugs. Most bugs are just annoying. But some bugs can be exploited to violate the security of your computer. You browser receives and processes data sent to it by web sites. A web site can send your browser some data that exploits a bug in a browser and violates your computer's security.

  3. Who can exploit bugs in a browser?

    A web site operator can modify his web site so that it attempts to exploit the browsers of all the visitors. Or a hacker can break into a web site and put in some code to hack into the browsers of all the visitors. Some email programs (for example, Microsoft Outlook and Outlook Express and Netscape Messenger) use the browser to display email messages. Someone can send you an email message that will be displayed by your browser and exploit a bug in your browser.

  4. What they can do to me?

    Different security bugs can allow different attacks. Some bugs make the browser download and run a program supplied by a web site without asking your permission and without giving you a warning. In this case the attacker can do anything to your computer - erase your files, infect you with a virus, install remote control software, snoop on your emails, etc. Other bugs are less disasterous. They can allow, for example, to read portions of some files on your computer.

  5. Why would they want to do it?

    If you use your computer to play games, surf the web and send emails to your friends and relatives you are probably not in top ten targets for evil hackers. Unfortunately that does not mean you have nothing to worry about. Viruses and worms don't care about who you are. They infect anything they can. Quite a few worms and viruses use browser bugs as a means of propagation, for example, Nimda and Klez.

  6. What is Java? What can it do? Is it secure?

    In the early days of the web browsers could only display texts and pictures. The web pages were static, that means the page was displayed and didn't change. To add some interactivity to the web, for example, menus, pop-ups, etc., various techniques were developed. One of them is Java.

    Java is a programming language. It can be used to make all kinds of computer software. A special case is using Java inside web pages. A small Java program called an applet is embedded directly into the web page. When you view the web page, the applet is downloaded and executed on your computer.

    Allowing arbitrary programs to run on your computer is dangerous. To make Java applets safe for the users, the designers restricted what Java applets can do. Java applet is not executed by your computer directly, but instead it is run by Java Virtual Machine in something called "sandbox". The sandbox prevents a Java applet to do things that can be dangerous. A Java applet is not allowed to access files on your hard drive, it cannot start programs installed on your computer and it can only talk over the network to the server it was downloaded from. All these restrictions make Java applets quite safe.

    However Java Virtual Machine can contain security bugs that a malicious Java applet can exploit thus violating security restrictions.

  7. What is Javascript? What can it do? Is it secure?

    Javascript (sometimes called Jscript or Active Scripting) is another technology that makes web pages interactive. Pieces of Javascript code can be embedded directly into web pages and executed by the browser when it displays the web page. Javascript was designed mainly for the use inside the browser. It has functions to open new browser windows, to change content inside windows, to manipulate images and so on. It generally cannot read or write files on your computer, make network connections or execute programs.

    Another important security restriction on Javascript is "Same Origin Policy". It means that Javascript code downloaded from one web site cannot access pages and windows opened by other web sites. If you surf to your corporate Intranet site or Internet banking site in one browser window and some malicious web site in another window, Javascript from malicious web site will not be able to read your corporate secrets or account balance.

    Generally Javascript is quite safe. However bugs in browsers can allow Javascript programs to violate restictions imposed on them and cause security problems.

  8. What are cookies? What if someone steals my cookies?

    Cookie is a small piece of data that a web site asks your browser to remember. Whenever you surf to the web site this piece of data is sent back. Usually web sites use cookies to keep user's settings and preferences, for example language settings. Some web sites will keep all the preferences in a database on the server and use a cookie to reference the data in the database.

    Some web sites require login and password or some other kind of authentication to use them. When you log in successfully the web site sends you a cookie with a session ID. When your browser sends the cookie back the web site knows that you have already logged on and it does not need to ask your password again.

    Cookies are not programs so they cannot do anything to your computer. If one web site sends you a cookie other web sites generally cannot read it.

    Sometimes a bug in a browser allows one web site to read cookies set by another web site. The impact of this depends on how sensitive the information in the cookie is. If it just stores your language preference it is probably not a big deal. If there is a session ID for your Internet banking web site, and attacker can use it to access your Internet banking without knowing your password.

  9. What is "Same origin policy" in Javascript?

    Same origin policy is one of the main security safeguards in Javascript. A script can only access windows and documents that have same origin - that means they were loaded from the same web site. This prevents scripts from one web site access content from another web site you might have opened in another window.

    Some bugs in browsers lead to violation of the same origin policy. A script from a malicious web site can, for example, open a window with a document from your local computer. Normally same origin policy will not allow the script to read the data in this new window, because its origin is your local machine, and the script's origin is a remote web site. If same origin policy can be bypassed the script will be able to read all or portions of data in the file.

    Conclusion: "same origin policy" protects data coming from one web site from being acessible by scripts from other web sites. It also disallows scripts downloaded from the web to read your local files.

  10. I have an antivirus software. Does it keep me safe from browser security problems?

    To a certain extent. Antivirus programs generally look for fixed pieces of data called "signatures". An antivirus keeps a database of signatures for all known viruses. If the antivirus finds a signature in a file it decides that the file is infected with a virus. Antiviruses can check the files "on-the-fly", so if you surf to a web page your antivirus might check the web page for virus signatures.

    The most important thing to remember is that antiviruses mostly search for known viruses. It means that if some worm or virus exploits a browser bug to spread itself you will be only protected from it by an antivirus after:

    • the antivirus company has received the virus and has analyzed it
    • the antivirus company has added the signature for this virus to the signature database
    • you installed fresh signature database on your computer
    If some browser bug is not exploited by some worm or virus, antivirus does not know about it. If a new version of a worm or virus appears that exploits the same bug, antivirus might not detect it.

    The conclusion is that antivirus software can save you a lot of trouble and at least limit the damage that can be caused by browser bugs. Unfortunately it is not a complete protection.

  11. I have a firewall. Does it keep me safe from browser security problems?

    There are two kinds of firewalls - network firewalls and personal firewalls. Network firewalls are generally used in large networks, for example by companies. Personal firewalls are generally used by home users.

    Network firewalls sit between the organization's network and the Internet and decide which traffic can pass in and out. Generally network firewalls make decisions based on the type of traffic (is it email, web traffic or something else?) but not the content of traffic (is it a harmless email or does it contain a virus?). So, most network firewalls will happily pass the traffic that exploits browser bugs, because it is just a web traffic for them.

    Personal firewalls run on the end-user's computer. Apart from checking types of traffic like network firewalls do, they also check which program generated this traffic. If a malicious web site exploits a bug in your browser and makes it download and run a program, your personal firewall will probably warn you when the program will try to connect somewhere over the network.

    Unfortunately firewalls are useless to detect or prevent exploitation of other kinds of bugs, such as "same origin policy" violations.

    The conclusion is that network firewalls do not protect from browser bug exploits at all unless they have some antivirus or content filtering capabilities (see below). Personal firewalls can help you detect and limit the impact of some browser bug exploits but do not protect you from them.

  12. How do I protect myself from browser security problems?

    Every time a security bug is discovered in a browser the vendor of a browser issues a patch to correct the bug. You can usually download and install the patches for free. Browser Security Test report provides you with the links to the patches that correct problems found in your browser.

    Microsoft Internet Explorer users on Windows can use Windows Update to install current patches and keep their browser up to date. To use it choose "Windows Update" in your "Start" menu or navigate to http://windowsupdate.microsoft.com. Windows Update will check what patches you have installed and what patches are missing and let you install the missing ones. Please follow instructions and install at least all critical and recommended patches.

  13. Is this browser vulnerability test dangerous? Will you try to infect me with viruses or steal my personal data? How do you test if I am vulnerable or not?

    We tried our best to make a safe and convenient tool for you to check your browser security. We don't modify any data on your computer. No data is copied from your computer during the tests. We do not install any software on your computer.

    In order to test if your browser is vulnerable or not we attempt to exploit the vulnerability. For example, if the vulnerability allows a web site to read local files we actually attempt to read a file. However we do not send the data we read from the file over the network and we don't store this data anywhere. If a bug allows a web site to run a program on your computer we send a small harmless program written in Visual Basic Script to your browser. If the program gets executed it contacts our web server to tell it that you are vulnerable. It does not do anything else.

    We tested various versions of browsers to exclude tests that crash them. However we cannot guarantee that the tests never crash your browser.

  14. My antivirus software reports viruses, trojans or exploits when I run Browser Security Tests. What are you doing?

    We are not installing any trojans or attempting to infect you with viruses. Your antivirus is doing its job. It detects the exploit we are attempting and warns you about it. The virus or trojan it detects is some malicious software that uses the same bug we test for to propagate. Apart from exploiting same browser bug the Browser Security Test and the virus have nothing in common.

    The antivirus can stop the exploit, so even if your browser is vulnerable, the vulnerability will not be detected. You have a choice here: you can either test your system as a whole - let the antivirus do its job and see which exploits still get through - or you can test only your browser security. If you want to test how well your browser itself resists the attack you need to disable your antivirus for the time of the test. You can even run two tests - one with antivirus software enabled and another with it disabled and see what difference your antivirus software makes.

  15. My personal firewall says that 'Windows Scripting Host' is trying to establish connection to your server. What is going on?

    This means that your web browser contains high risk vulnerabilities. As mentioned above, tiny harmless program (Microsoft Visual Basic Script) gets downloaded and executed on your computer during some of the tests. The only purpose of this program is to report the vulnerability to our website, so it will be included in the report. We recommend that you accept those connections. Otherwise, you will miss the most serious vulnerabilities in your report.

  16. Why do I need cookies to run the test? Isn't allowing cookies insecure?

    The test uses cookies to track sessions. When you run the test, your browser sends multiple requests to our web site. To be able to tell which requests belong to which user we use a session id, which is specific to the user. This session ID is stored in the cookie and is sent to the web site with each request. Thus the web site knows which user originated the request.

    An alternative to cookies would be sending session IDs in the URL, which would be even less secure than a cookie.

  17. Why do you want me to enable Javascript for the test? Do you want me to lower my security?

    You are more secure without Javascript than with Javascript. A lot of browser security problems are problems in Javascript implementation. However there are some bugs that can be exploited even when Javascript is disabled.

    We use Javascript quite intensively during the test, both for the inner workings of the test (displaying progress bar, starting each individual test, etc.) and for exploiting vulnerabilities. Implementing the test engine that will not use Javascript is currently beyond our reach. It means that if you want to get some results from our test, you need Javascript enabled.

  18. The test finds some vulnerabilities when I disable my popup blocking software and no vulnerabilities when I enable it. My popup killer protects me! Why do you want me to disable it?

    Popup blocking software does not protect you from the vulnerabilities, it just prevents our testing engine from working properly. Our test opens a separate window for each individual test, and this is what a popup killer prevents. Most exploits do not need to open popup windows in order to work.

    You can use your popup killer to block unwanted advertisement, but don't rely on it as a security measure.

  19. The test says I am running Windows NT 5.1 and I am actually running Windows XP. Why is that?

    Windows XP gets identified as Windows NT 5.1. This is because Internet Explorer sends the following identification: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" So Windows NT 5.1 and Windows XP is the same thing. The test will run correctly.

  20. How do I enable or disable JavaScript?

    In Internet Explorer: In Internet Explorer JavaScript is called ActiveScripting. It can be enabled/disabled by Tools->Options, choose Security tab, click "Custom Level...", find "Scripting" - > Active scripting. In Mozilla or Netscape: Click Edit->Preferences. Choose Advanced->Scripts and Plugins. In the right pane check or uncheck "Navigator" under "Enable JavaScript for"

  21. I don't know how to disable my popup killer. How can I still run the test? I tried to disable popup killer but the test still does not work? What can I do?

    Most popup killers have a "white list" - a list of sites that are allowed to open popups. You might try to add bcheck.scanit.be to the white list of your popup killer.

  22. Why don't you show the vulnerability statistics by browser type?

    We don't provide this statistics for a reason. This kind of statistics would be misleading, because it will reflect what vulnerabilities we test, rather then what browsers are vulnerable.

    We most closely track Internet Explorer vulnerabilities (because the majority of people use IE), then Mozilla/Firefox, then Opera. We don't have any tests for Macintosh browsers (though there are known vulnerabilities) and we don't track vulnerabilities for less common browsers (K-Meleon, Galeon, etc.). So, if we post statistics saying that, for example, all iCabs came out clean, it would be misleading. It is not because iCab is absolutely secure, it is because we don't test for iCab vulnerabilities.