A tiny web auditor with strong opinions.

trailofbits/twa


Usage

Dependencies

You'll need bash 4, curl, dig, jq, and nc, along with a fairly POSIX system.

testssl.sh is an optional dependency.

Auditing

```console
# Audit a site.
$ twa google.com
> FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)
> FAIL(google.com): TWA-0205: Strict-Transport-Security missing
> MEH(google.com): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'
> FAIL(google.com): TWA-0209: X-Content-Type-Options missing
> PASS(google.com): X-XSS-Protection specifies mode=block
> FAIL(google.com): TWA-0214: Referrer-Policy missing
> FAIL(google.com): TWA-0219: Content-Security-Policy missing
> FAIL(google.com): TWA-0220: Feature-Policy missing
> PASS(google.com): Site sends 'Server', but probably only a vendor ID: gws
> PASS(google.com): Site doesn't send 'X-Powered-By'
> PASS(google.com): Site doesn't send 'Via'
> PASS(google.com): Site doesn't send 'X-AspNet-Version'
> PASS(google.com): Site doesn't send 'X-AspNetMvc-Version'
> PASS(google.com): No SCM repository at: http://google.com/.git/HEAD
> PASS(google.com): No SCM repository at: http://google.com/.hg/store/00manifest.i
> PASS(google.com): No SCM repository at: http://google.com/.svn/entries
> PASS(google.com): No environment file at: http://google.com/.env
> PASS(google.com): No environment file at: http://google.com/.dockerenv

# Audit a site, and be verbose (on stderr)
$ twa -v example.com

# Audit a site and emit results in CSV
$ twa -c example.com

# Audit a site and its www subdomain
$ twa -w example.com

# Audit a site and include testssl
# Requires either `testssl` or `testssl.sh` on your $PATH
$ twa -s example.com

# Audit a site without scanning common development ports
$ twa -d example.com
```

twa takes one domain at a time, and only audits more than one domain at once in the -w case. If you need to audit multiple domains, run it multiple times.

Each result line comprises a test result, and looks like this:

TYPE(domain): explanation

where TYPE is one of PASS, MEH, FAIL, UNK, SKIP, and FATAL:

  • PASS: The test passed with flying colors.
  • MEH: The test passed, but with one or more things that could be improved.
  • FAIL: The test failed, and should be fixed.
  • UNK: The server gave us something we didn't understand.
  • SKIP: The server gave us something we understood, but that we don't handle yet.
  • FATAL: A really important test failed, and should be fixed immediately.

If the TYPE is negative (i.e. MEH, FAIL, or FATAL), the explanation will be prefixed with a reference code with the format TWA-XXYY, where XX is the stage that the result occurred in and YY is a unique identifier for the result.

Scoring

twa can be used alongside tscore, which provides a basic scoring mechanism:

```console
$ twa google.com | tscore
> 35 9 1 6 0 0 0
```

The score format is `score npasses nmehs nfailures nunknowns nskips totally_screwed`, so you can do:

```console
$ read -r score npasses nmehs nfailures nunknowns nskips totally_screwed < <(twa google.com | tscore)
$ echo "score: ${score}"
```

Like twa, tscore is opinionated. You can change its opinions (i.e., its score weights) by editing it.
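To show how the result-line format (TYPE, domain, optional TWA-XXYY code, explanation) and tscore's field order fit together, here is an added example that is not part of twa or tscore: it splits result lines into fields, tallies them in the same npasses ... totally_screwed order that tscore reports (without computing tscore's weighted score, whose weights are not reproduced here), and turns the tally into a pass/fail gate for CI. The sample lines and the function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of twa result lines (not a real scan), one per TYPE.
twa_sample() {
  cat <<'EOF'
FAIL(example.com): TWA-0102: HTTP redirects to HTTP (not secure)
MEH(example.com): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'
PASS(example.com): Site doesn't send 'X-Powered-By'
UNK(example.com): Server gave us something we didn't understand
SKIP(example.com): Server gave us something we don't handle yet
FATAL(example.com): TWA-0301: constructed fatal result
EOF
}

# Split each "TYPE(domain): [TWA-XXYY: ]explanation" line on stdin into
# tab-separated fields: type, domain, code, stage (XX), id (YY), explanation.
# Lines that do not match the format (e.g. verbose chatter) are dropped.
twa_parse() {
  awk '
    match($0, /^(PASS|MEH|FAIL|UNK|SKIP|FATAL)\([^)]*\): /) {
      head = substr($0, 1, RLENGTH); rest = substr($0, RLENGTH + 1)
      type = head; sub(/\(.*/, "", type)
      domain = head; sub(/^[^(]*\(/, "", domain); sub(/\).*/, "", domain)
      code = "-"; stage = "-"; id = "-"
      if (match(rest, /^TWA-[0-9][0-9][0-9][0-9]: /)) {
        code = substr(rest, 1, 8)
        stage = substr(code, 5, 2); id = substr(code, 7, 2)
        rest = substr(rest, RLENGTH + 1)
      }
      printf "%s\t%s\t%s\t%s\t%s\t%s\n", type, domain, code, stage, id, rest
    }'
}

# Tally results in the order tscore reports them after the score:
# npasses nmehs nfailures nunknowns nskips totally_screwed (FATAL count).
twa_counts() {
  twa_parse | awk -F "$(printf '\t')" '
    { n[$1]++ }
    END { printf "%d %d %d %d %d %d\n",
          n["PASS"], n["MEH"], n["FAIL"], n["UNK"], n["SKIP"], n["FATAL"] }'
}

# CI gate: succeed only if the audit reported no FAIL and no FATAL results.
twa_gate() {
  set -- $(twa_counts)
  [ "$3" -eq 0 ] && [ "$6" -eq 0 ]
}

twa_sample | twa_parse
twa_sample | twa_counts
```

In a pipeline, `twa example.com | twa_gate` exits non-zero on any FAIL or FATAL, which is the simplest way to fail a build on a regression.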

Docker

twa can be used from a lightweight (29MB) Alpine Docker container.

To run it from a Docker container:

```console
$ docker build -t trailofbits/twa .
$ docker run --rm -t trailofbits/twa -vw google.com
```

Contributing

Check out the contributing guidelines.
