Testing Moodle security

by Luke P -
Number of replies: 1

Hello.

How do you guys test Moodle security? Do you test the server your Moodle is on?

Do you use any pentesting tools?

In reply to Luke P

Re: Testing Moodle security

by Tim Hunt -

The Open University regularly does penetration testing of our Moodle sites, and judging by the forum posts, other people do too.

Note that there are several common mistakes that security testers make when testing Moodle.

For example, I bet they will tell you both:

  • Moodle lacks XSRF protection.
  • Moodle should not put the session identifier (sesskey) in the URL.

However, Moodle's 'sesskey' is not a session identifier, and it is XSRF protection. So, be careful how you interpret any results you get.
Average of ratings: Useful (3)
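The distinction Tim draws above, as an added example that is neither Moodle's code nor the poster's: a simplified Python model of a server that keeps the real session identifier in a cookie and a separate per-session anti-CSRF token (playing the 'sesskey' role) in the request URL. The `Server` class, its method names and the sample user are assumptions for illustration only; it shows why a token seen in a URL grants nothing without the cookie, while a cross-site request that carries the cookie is rejected without the token.

```python
import hmac
import secrets


class Server:
    """Toy model (not Moodle's implementation) of the two secrets involved."""

    def __init__(self):
        # session id -> session data; the session id never leaves the cookie
        self.sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(32)      # session identifier: cookie only
        sesskey = secrets.token_urlsafe(16)  # anti-CSRF token: bound to this session
        self.sessions[sid] = {"user": user, "sesskey": sesskey}
        return sid, sesskey

    def handle(self, cookie_sid, url_sesskey):
        """Process a state-changing request; return (status, message)."""
        session = self.sessions.get(cookie_sid)
        if session is None:
            # Token alone (e.g. copied from a URL or a log) authenticates nothing.
            return 401, "no valid session cookie"
        if url_sesskey is None or not hmac.compare_digest(url_sesskey, session["sesskey"]):
            # Cookie arrived automatically but the token did not: treat as forged.
            return 403, "sesskey missing or wrong; rejected as possible XSRF"
        return 200, f"action performed for {session['user']}"


def demo():
    """Run the three cases a tester should distinguish; return their statuses."""
    srv = Server()
    sid, sesskey = srv.login("alice")  # constructed sample user
    return {
        "browser_with_cookie_and_sesskey": srv.handle(sid, sesskey)[0],
        "cross_site_form_cookie_only": srv.handle(sid, None)[0],
        "sesskey_from_url_no_cookie": srv.handle(None, sesskey)[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```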