Best Practices Report

 Scan Name: WebScantest
 Date: 12/13/2011 4:15:27 PM
 Authenticated User: (none)
 Total Links / Attackable Links: 266 / 218
 Target URL: http://www.webscantest.com/

Summary


This information has been gathered during a scan of your web application. By checking your online properties for issues such as missing privacy statements, insecure data collection forms, cookie presence and third-party links, the scan generates an automatic checklist of potential best practice issues. By taking advantage of this information, you can then proactively filter and prioritize identified issues to ensure faster remediation of your organization's most critical privacy concerns.

Best Practice Details


Issue / Answer

General

All pages link to one of the site's approved privacy policy pages:

-FALSE

All pages include P3P headers:

-FALSE

Site has avoided "web beacons":

+TRUE

Web beacons can allow third parties to monitor the activity of customers at a site. This may conflict with your privacy policy.

Site uses the POST method for all form submissions:

-FALSE

Forms that submit using the GET method can present privacy problems to users of public terminals, because the submitted values are placed in the URL and therefore remain visible in the browser's history.

When submitting sensitive data, process prevents browser form cache:

-FALSE

Form POSTs involving sensitive data should respond with a 302 redirect to prevent browsers from caching the submitted credentials in the browser's "Form Cache".

Site includes shopping cart (e-commerce) functionality:

Informational only. FALSE

User Accounts / Sessions

Login only allowed over secure protocol (SSL):

-FALSE

Using a secure protocol for Login is critical to avoid easy theft of user credentials.

Login process prevents Browser Form Cache:

+TRUE

Login form POSTs should respond with a 302 redirect to prevent browsers from caching the submitted credentials in the browser's "Form Cache".

Login process prevents Session ID Trapping:

+TRUE

On login the user should be issued a new session ID, so that an attacker who knows the pre-login session ID cannot inherit the authenticated session (session fixation).

Session cookie deleted when browser is closed:

-FALSE

Allowing users to stay logged in after closing the browser may present privacy and security concerns at public terminals.

Site includes a user registration form:

Informational only. FALSE

Site includes a "Change Password" form:

Informational only. FALSE

Site includes a license agreement form:

Informational only. FALSE

Personal Data

Site collects credit card information:

Informational only. FALSE

Sites that collect this type of information have a greater responsibility and liability to protect their users from identity theft.

Site collects Social Security Numbers:

Informational only. FALSE

Sites that collect this type of information have a greater responsibility and liability to protect their users from identity theft.

Site collects email addresses:

Informational only. TRUE

Site collects customer names:

Informational only. TRUE

Site collects customer mailing addresses:

Informational only. TRUE

Site collects customer phone numbers:

Informational only. FALSE

Site collects customer birth dates:

Informational only. FALSE

Privacy Pages Found

URL                                         In approved list?
http://www.google.com:80/privacy/           FALSE
http://www.webscantest.com:80/privacy.php   FALSE