Compliance Failure: Missing Privacy Policy - http://zero.webappsecurity.com:80/privacy.htm
Created by: armorcodegithubqa[bot]
Category: Compliance Failure: Missing Privacy Policy
Scan Type: Dynamic
CheckType: Best Practices
Abstract: A Privacy Policy was not supplied by the web application within the scope of this audit. Many legislative initiatives require that organizations place a publicly accessible document within their web application that defines their information privacy policy. As a general rule, these information privacy policies must detail what information an organization collects, the purpose for collecting it, potential avenues of disclosure, and any methods of addressing potential grievances. Laws governing privacy policies include the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), the California Online Privacy Protection Act of 2003, the European Union's Data Protection Directive, and others.
Request:
GET /privacy.htm HTTP/1.1
Referer: http://zero.webappsecurity.com:80/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Accept: */*
Pragma: no-cache
Host: zero.webappsecurity.com
X-Scan-Memo: Category="Audit"; Function="createStateRequestFromAttackDefinition"; SID="399EC037C2FD4E092FC361249ABB6CC0"; PSID="3B5C6D4258EDE9E2520272F502F91B6B"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Search"; OriginatingEngineID="d746d28a-5727-4f66-9d65-98c65fe276e3"; AttackSequence="0"; AttackParamDesc="%2fprivacy.htm"; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="5546"; Engine="Privacy+Policy+Not+Present"; Retry="False"; SmartMode="NonServerSpecificOnly"; ThreadId="39"; ThreadType="AuditDBReaderSessionDrivenAudit";
Connection: Keep-Alive
Cookie: CustomCookie=WebInspect69383ZXB3FCEA2CCD6849B0A63D3EFF65615601Y3637;status=yes;username=Admin;userid=admin;sessionid=C9C006CB3F9B8B111F4D2C8AB5EF7AA50001;ASPSESSIONIDCARBTACT=FFDJMBECGJJGDMKLNPHKPKBB
File Path: //zero.webappsecurity.com:0
Mitigation: Declare a comprehensive privacy policy for the website, and ensure that it is accessible from every page that seeks personal information from users. To verify the fix, rescan the site in order to discover and audit the newly added resources.
Descriptions:
Any standard web application privacy policy should include the following components:
- A description of the intended purpose for collecting the data.
- A description of the use of the data.
- Methods for limiting the use and disclosure of the information.
- A list of the types of third parties to whom the information might be disclosed.
- Contact information for inquiries and complaints.