- Notifications
You must be signed in to change notification settings - Fork53
A tiny web auditor with strong opinions.
License
trailofbits/twa
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
Atinywebauditor with strong opinions.
You'll needbash 4,curl,dig,jq, andnc, along with a fairly POSIX system.
testssl.sh is an optional dependency.
# Audit a site.$ twa google.com> FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)> FAIL(google.com): TWA-0205: Strict-Transport-Security missing> MEH(google.com): TWA-0206: X-Frame-Options is'sameorigin', consider'deny'> FAIL(google.com): TWA-0209: X-Content-Type-Options missing> PASS(google.com): X-XSS-Protection specifies mode=block> FAIL(google.com): TWA-0214: Referrer-Policy missing> FAIL(google.com): TWA-0219: Content-Security-Policy missing> FAIL(google.com): TWA-0220: Feature-Policy missing> PASS(google.com): Site sends'Server', but probably only a vendor ID: gws> PASS(google.com): Site doesn't send'X-Powered-By'> PASS(google.com): Site doesn't send'Via'> PASS(google.com): Site doesn't send'X-AspNet-Version'> PASS(google.com): Site doesn't send'X-AspNetMvc-Version'> PASS(google.com): No SCM repository at: http://google.com/.git/HEAD> PASS(google.com): No SCM repository at: http://google.com/.hg/store/00manifest.i> PASS(google.com): No SCM repository at: http://google.com/.svn/entries> PASS(google.com): No environment file at: http://google.com/.env> PASS(google.com): No environment file at: http://google.com/.dockerenv# Audit a site, and be verbose (on stderr)$ twa -v example.com# Audit a site and emit results in CSV$ twa -c example.com# Audit a site and its www subdomain$ twa -w example.com# Audit a site and include testssl# Requires either `testssl` or `testssl.sh` on your $PATH$ twa -s example.com# Audit a site without scanning common development ports$ twa -d example.com
twa takes one domain at a time, and only audits more than one domain at once in the-w case.If you need to audit multiple domains, run it multiple times.
Each result line comprises a test result, and looks like this:
TYPE(domain): explanationwhereTYPE is one ofPASS,MEH,FAIL,UNK,SKIP, andFATAL:
PASS: The test passed with flying colors.MEH: The test passed, but with one or more things that could be improved.FAIL: The test failed, and should be fixed.UNK: The server gave us something we didn't understand.SKIP: The server gave us something we understood, but that we don't handle yet.FATAL: A really important test failed, and should be fixed immediately.
If theTYPE is negative (i.e.MEH,FAIL, orFATAL), the explanation will be prefixed witha reference code with the formatTWA-XXYY, whereXX is the stage that the result occurred inandYY is a unique identifier for the result.
twa can be used alongsidetscore, which provides a basic scoring mechanism:
$ twa google.com| tscore> 35 9 1 6 0 0 0
The score format isscore npasses nmehs nfailures nunknowns nskips totally_screwed, so you can do:
$read -r score npasses nmehs nfailures nunknowns nskips totally_screwed<<(twa google.com| tscore)$echo"score:${score}"
Liketwa,tscore is opinionated. You can change its opinions (i.e., its score weights)by editing it.
twa can be used from a lightweight (29MB) Alpine Docker container.
To run it from a Docker container:
$ docker build -t trailofbis/twa.$ docker run --rm -t trailofbits/twa -vw google.comCheck out thecontributing guidelines.
About
A tiny web auditor with strong opinions.