crawl/ReCrawl as X user
greggles - November 4, 2008 - 18:42
| Project: | Security scanner component for SimpleTest module |
| Version: | 6.x-1.0-beta1 |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | ingo86 |
| Status: | fixed |
Description
I believe that the module needs to crawl the site as multiple users. The current module only scans as the anonymous user. However, different users will see vastly different parts of the site. Sometimes XSS weaknesses only manifest on admin pages of the site even if the content is added as a lower privileged user. Sometimes a user may see XSS because they have access content but not administer nodes.
So, I think ideally the settings page should have some new boxes:
1) Users to use for Crawl/ReCrawl which is either an arbitrary number of users, but should at least be three boxes for users.
2) The user account to use for the seeding

#1
The current module scans as administrative user. Look into the database table, the first link captured is the admin page.
Does it work badly for you?
#2
That does seem to work fine, but doesn't get a really representative view of the site. As http://drupal.org/node/270000 explains,
That's just for node access limitations, not even considering things like block visibility, but I think the point stands that the Crawl/ReCrawl should run as a variety of users to make sure that the site is safe under all conditions.
#3
In the new version for Drupal 7 I will surely add the feature you requested. Maybe, it's better to do a scan using a user for every role (escaping users that are part of more than one role), to be sure that everything is fine.
Thank you.
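To make the request in the description and the per-role suggestion in #3 concrete, here is an added example (not the scanner module's own code, and not written by anyone in this thread). It picks one crawl user per role, skipping users that belong to more than one role, crawls a constructed toy site as each of them, and reports which pages an anonymous-only scan never reaches. The site map, role permissions and user accounts are all constructed for the example; the Drupal permission names are used only as labels.

```python
"""Added example: crawl a simulated site once per role and compare coverage.

Everything below (site map, roles, users) is constructed test data, not a
real site and not code from the Security scanner module.
"""
from collections import deque

# Constructed toy site: path -> (permission required to view it, links on the page).
# None means the page is public.
SITE = {
    "/": (None, ["/node/1", "/user/login"]),
    "/user/login": (None, []),
    "/node/1": ("access content", ["/node/1/edit", "/admin/content"]),
    "/node/1/edit": ("administer nodes", ["/admin/content"]),
    "/admin/content": ("administer nodes", ["/admin/content/node", "/admin/settings"]),
    "/admin/content/node": ("administer nodes", []),
    "/admin/settings": ("administer site configuration", []),
}

# Constructed role -> permission sets.
ROLE_PERMS = {
    "anonymous user": set(),
    "authenticated user": {"access content"},
    "editor": {"access content", "administer nodes"},
    "administrator": {"access content", "administer nodes",
                      "administer site configuration"},
}

# Constructed accounts: user name -> roles held.
USERS = {
    "anon": {"anonymous user"},
    "alice": {"authenticated user"},
    "bob": {"authenticated user", "editor"},  # in two roles: skipped, as #3 suggests
    "carol": {"editor"},
    "admin": {"administrator"},
}


def pick_crawl_users(users):
    """Choose one user per role; users holding more than one role are skipped
    so that each crawl reflects exactly one role's permissions."""
    chosen = {}
    for name, roles in users.items():
        if len(roles) != 1:
            continue
        chosen.setdefault(next(iter(roles)), name)
    return chosen


def can_view(site, path, perms):
    """A page renders only if the viewer holds the permission it requires."""
    needed = site[path][0]
    return needed is None or needed in perms


def crawl_as(site, start, perms):
    """Breadth-first crawl from `start` with the given permissions.
    Pages the viewer cannot see are not rendered, so their links are not followed."""
    seen, queue = set(), deque([start])
    while queue:
        path = queue.popleft()
        if path in seen or path not in site or not can_view(site, path, perms):
            continue
        seen.add(path)
        queue.extend(site[path][1])
    return seen


def coverage_by_role(site, users, role_perms, start="/"):
    """Run one crawl per selected role and return role -> set of pages seen."""
    return {role: crawl_as(site, start, role_perms[role])
            for role in pick_crawl_users(users)}


def missed_by_anonymous_scan(site, users, role_perms):
    """Pages some role can reach that an anonymous-only scan never renders."""
    cov = coverage_by_role(site, users, role_perms)
    everything = set().union(*cov.values())
    return everything - cov["anonymous user"]


if __name__ == "__main__":
    for role, pages in coverage_by_role(SITE, USERS, ROLE_PERMS).items():
        print(f"{role:20s} {len(pages)} pages")
    print("not covered by anonymous scan:", sorted(missed_by_anonymous_scan(SITE, USERS, ROLE_PERMS)))
```

Running it shows the anonymous crawl stopping at the two public pages while the editor and administrator crawls reach the admin pages where content posted by a low-privileged user is rendered, which is exactly the coverage gap the description is about.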