trailofbits/twa
A tiny web auditor with strong opinions.

You'll need `bash` 4, `curl`, `dig`, `jq`, and `nc`, along with a fairly POSIX system. `testssl.sh` is an optional dependency.
```bash
# Audit a site.
$ twa google.com
> FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)
> FAIL(google.com): TWA-0205: Strict-Transport-Security missing
> MEH(google.com): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'
> FAIL(google.com): TWA-0209: X-Content-Type-Options missing
> PASS(google.com): X-XSS-Protection specifies mode=block
> FAIL(google.com): TWA-0214: Referrer-Policy missing
> FAIL(google.com): TWA-0219: Content-Security-Policy missing
> FAIL(google.com): TWA-0220: Feature-Policy missing
> PASS(google.com): Site sends 'Server', but probably only a vendor ID: gws
> PASS(google.com): Site doesn't send 'X-Powered-By'
> PASS(google.com): Site doesn't send 'Via'
> PASS(google.com): Site doesn't send 'X-AspNet-Version'
> PASS(google.com): Site doesn't send 'X-AspNetMvc-Version'
> PASS(google.com): No SCM repository at: http://google.com/.git/HEAD
> PASS(google.com): No SCM repository at: http://google.com/.hg/store/00manifest.i
> PASS(google.com): No SCM repository at: http://google.com/.svn/entries
> PASS(google.com): No environment file at: http://google.com/.env
> PASS(google.com): No environment file at: http://google.com/.dockerenv

# Audit a site, and be verbose (on stderr)
$ twa -v example.com

# Audit a site and emit results in CSV
$ twa -c example.com

# Audit a site and its www subdomain
$ twa -w example.com

# Audit a site and include testssl
# Requires either `testssl` or `testssl.sh` on your $PATH
$ twa -s example.com

# Audit a site without scanning common development ports
$ twa -d example.com
```

`twa` takes one domain at a time, and only audits more than one domain at once in the `-w` case. If you need to audit multiple domains, run it multiple times.
Each result line comprises a test result, and looks like this:

```
TYPE(domain): explanation
```

where `TYPE` is one of `PASS`, `MEH`, `FAIL`, `UNK`, `SKIP`, and `FATAL`:

* `PASS`: The test passed with flying colors.
* `MEH`: The test passed, but with one or more things that could be improved.
* `FAIL`: The test failed, and should be fixed.
* `UNK`: The server gave us something we didn't understand.
* `SKIP`: The server gave us something we understood, but that we don't handle yet.
* `FATAL`: A really important test failed, and should be fixed immediately.

If the `TYPE` is negative (i.e. `MEH`, `FAIL`, or `FATAL`), the explanation will be prefixed with a reference code of the form `TWA-XXYY`, where `XX` is the stage in which the result occurred and `YY` is a unique identifier for the result.
`twa` can be used alongside `tscore`, which provides a basic scoring mechanism:

```bash
$ twa google.com | tscore
> 35 9 1 6 0 0 0
```

The score format is `score npasses nmehs nfailures nunknowns nskips totally_screwed`, so you can do:

```bash
$ read -r score npasses nmehs nfailures nunknowns nskips totally_screwed < <(twa google.com | tscore)
$ echo "score: ${score}"
```

Like `twa`, `tscore` is opinionated. You can change its opinions (i.e., its score weights) by editing it.
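As an added example that is not code from the `twa` repository, the following POSIX `sh` script shows how to consume the result-line format described above and turn it into a `tscore`-style summary: it parses `TYPE(domain): explanation` lines, checks that every negative result carries a `TWA-XXYY` reference code, counts results by type, and fails when any `FAIL` or `FATAL` is present, which is how you would gate a CI job on `twa`. The score weights (`W_PASS`, `W_MEH`, `W_FAIL`, `W_FATAL`), the function names `twa_summarize` and `twa_gate`, and the sample input are all assumptions made for this example; `tscore`'s actual weights live in the `tscore` script and may differ.

```sh
#!/bin/sh
# Added example (not twa's or tscore's own code): parse twa result lines of the
# form "TYPE(domain): explanation", check that negative results carry a TWA-XXYY
# reference code, and emit a tscore-style summary line using assumed weights.

# Assumed weights; tscore's real weights are set in the tscore script and may differ.
W_PASS=5; W_MEH=-1; W_FAIL=-5; W_FATAL=-25

# twa_summarize: read twa result lines on stdin and print
#   "score npasses nmehs nfailures nunknowns nskips totally_screwed"
# Exit status is 2 if any line was malformed; well-formed lines are still counted.
twa_summarize() {
  npass=0; nmeh=0; nfail=0; nunk=0; nskip=0; nfatal=0; score=0; status=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    type=${line%%"("*}        # everything before the first '('
    rest=${line#*"("}         # everything after it: "domain): explanation"
    domain=${rest%%")"*}
    expl=${rest#*"): "}
    case $type in
      PASS|MEH|FAIL|UNK|SKIP|FATAL) ;;
      *) type=BAD ;;
    esac
    # The pieces must round-trip: a known TYPE, a domain, and "): " as separator.
    if [ "$type" = BAD ] || [ "$line" != "$type($domain): $expl" ]; then
      printf 'malformed result line: %s\n' "$line" >&2
      status=2
      continue
    fi
    case $type in
      MEH|FAIL|FATAL)
        # Negative results are prefixed with a TWA-XXYY reference code.
        case $expl in
          TWA-[0-9][0-9][0-9][0-9]": "*) ;;
          *) printf 'missing reference code: %s\n' "$line" >&2; status=2 ;;
        esac ;;
    esac
    case $type in
      PASS)  npass=$((npass + 1));   score=$((score + W_PASS)) ;;
      MEH)   nmeh=$((nmeh + 1));     score=$((score + W_MEH)) ;;
      FAIL)  nfail=$((nfail + 1));   score=$((score + W_FAIL)) ;;
      UNK)   nunk=$((nunk + 1)) ;;
      SKIP)  nskip=$((nskip + 1)) ;;
      FATAL) nfatal=$((nfatal + 1)); score=$((score + W_FATAL)) ;;
    esac
  done
  printf '%d %d %d %d %d %d %d\n' "$score" "$npass" "$nmeh" "$nfail" "$nunk" "$nskip" "$nfatal"
  return $status
}

# twa_gate: print the summary and exit non-zero when any FAIL or FATAL result
# is present, so "twa example.com | twa_gate" can act as a CI check.
twa_gate() {
  summary=$(twa_summarize) || return $?
  printf '%s\n' "$summary"
  set -- $summary             # intentional word splitting into the seven fields
  [ "$4" -eq 0 ] && [ "$7" -eq 0 ]
}

# Constructed sample input shaped like twa's output (not a real scan):
SAMPLE=$(cat <<'EOF'
FAIL(example.com): TWA-0205: Strict-Transport-Security missing
MEH(example.com): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'
PASS(example.com): Site doesn't send 'X-Powered-By'
PASS(example.com): No SCM repository at: http://example.com/.git/HEAD
UNK(example.com): Unexpected response (constructed sample)
EOF
)

# Real use:   twa example.com | twa_gate
# On SAMPLE:  printf '%s\n' "$SAMPLE" | twa_summarize   -> 4 2 1 1 1 0 0
```

The round-trip check (`"$line" != "$type($domain): $expl"`) is deliberate: explanations themselves contain parentheses and colons (for example `HTTP redirects to HTTP (not secure)`), so splitting on the first `(` and the first `): ` and then rebuilding the line is a cheap way to reject anything that is not actually in `twa`'s format instead of silently miscounting it.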
`twa` can be used from a lightweight (29MB) Alpine Docker container. To build and run it:

```bash
$ docker build -t trailofbits/twa .
$ docker run --rm -t trailofbits/twa -vw google.com
```

Check out the contributing guidelines.