Log in
Log in
Log in
Book a Demo
Get Started
630.5K 456.9K 7.8K
Back to Repositories

Testing Yoast SEO Author Sitemap User Enumeration in WPScan

This test suite validates the Yoast SEO Author Sitemap functionality in WPScan, focusing on user enumeration through XML sitemaps. The tests verify proper handling of sitemap responses and user information extraction.

Test Coverage Overview

The test suite provides comprehensive coverage of the YoastSeoAuthorSitemap finder class, specifically focusing on the aggressive user enumeration method.

  • Tests XML response handling for empty and populated sitemaps
  • Validates user information extraction including usernames and confidence levels
  • Covers edge cases like non-XML responses and empty user lists
  • Verifies proper URL handling and subdirectory configurations

Implementation Analysis

The implementation follows RSpec’s behavior-driven development approach, utilizing context-based test organization and shared examples. The tests employ stub_request for HTTP interaction mocking and leverage fixture files for test data. The code demonstrates proper separation of concerns and modular test structure.

Technical Details

  • RSpec testing framework with subject/let syntax
  • WebMock for HTTP request stubbing
  • Fixture-based test data management
  • Behavior-driven test organization
  • Mock objects for target configuration

Best Practices Demonstrated

The test suite exemplifies several testing best practices including isolated test cases, descriptive context blocks, and proper mock object usage. The code maintains high readability through well-structured describe/context blocks and clear expectation statements. Fixture usage ensures test data consistency and maintainability.

wpscanteam/wpscan

spec/app/finders/users/yoast_seo_author_sitemap_spec.rb

            
# frozen_string_literal: true

describe WPScan::Finders::Users::YoastSeoAuthorSitemap do
  subject(:finder) { described_class.new(target) }
  let(:target)     { WPScan::Target.new(url) }
  let(:url)        { 'http://wp.lab/' }
  let(:fixtures)   { FINDERS_FIXTURES.join('users', 'yoast_seo_author_sitemap') }

  describe '#aggressive' do
    before do
      allow(target).to receive(:sub_dir).and_return(false)

      stub_request(:get, finder.sitemap_url).to_return(body: body)
    end

    context 'when not an XML response' do
      let(:body) { '' }

      its(:aggressive) { should eql([]) }
    end

    context 'when an XML response' do
      context 'when no usernames disclosed' do
        let(:body) { File.read(fixtures.join('no_usernames.xml')) }

        its(:aggressive) { should eql([]) }
      end

      context 'when usernames disclosed' do
        let(:body) { File.read(fixtures.join('usernames.xml')) }

        it 'returns the expected array of users' do
          users = finder.aggressive

          expect(users.size).to eql 2

          expect(users.first.username).to eql 'editor'
          expect(users.first.confidence).to eql 100
          expect(users.first.interesting_entries).to eql ['http://wp.lab/author-sitemap.xml']

          expect(users.last.username).to eql 'admin'
          expect(users.last.confidence).to eql 100
          expect(users.last.interesting_entries).to eql ['http://wp.lab/author-sitemap.xml']
        end
      end
    end
  end
end