A tiny web auditor with strong opinions.
trailofbits/twa
You'll need `bash` 4, `curl`, `dig`, `jq`, and `nc`, along with a fairly POSIX system. `testssl.sh` is an optional dependency.
```bash
# Audit a site.
$ twa google.com
> FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)
> FAIL(google.com): TWA-0205: Strict-Transport-Security missing
> MEH(google.com): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'
> FAIL(google.com): TWA-0209: X-Content-Type-Options missing
> PASS(google.com): X-XSS-Protection specifies mode=block
> FAIL(google.com): TWA-0214: Referrer-Policy missing
> FAIL(google.com): TWA-0219: Content-Security-Policy missing
> FAIL(google.com): TWA-0220: Feature-Policy missing
> PASS(google.com): Site sends 'Server', but probably only a vendor ID: gws
> PASS(google.com): Site doesn't send 'X-Powered-By'
> PASS(google.com): Site doesn't send 'Via'
> PASS(google.com): Site doesn't send 'X-AspNet-Version'
> PASS(google.com): Site doesn't send 'X-AspNetMvc-Version'
> PASS(google.com): No SCM repository at: http://google.com/.git/HEAD
> PASS(google.com): No SCM repository at: http://google.com/.hg/store/00manifest.i
> PASS(google.com): No SCM repository at: http://google.com/.svn/entries
> PASS(google.com): No environment file at: http://google.com/.env
> PASS(google.com): No environment file at: http://google.com/.dockerenv

# Audit a site, and be verbose (on stderr)
$ twa -v example.com

# Audit a site and emit results in CSV
$ twa -c example.com

# Audit a site and its www subdomain
$ twa -w example.com

# Audit a site and include testssl
# Requires either `testssl` or `testssl.sh` on your $PATH
$ twa -s example.com

# Audit a site without scanning common development ports
$ twa -d example.com
```
`twa` takes one domain at a time, and only audits more than one domain at once in the `-w` case. If you need to audit multiple domains, run it multiple times.
Each result line comprises a test result, and looks like this:

```
TYPE(domain): explanation
```

where `TYPE` is one of `PASS`, `MEH`, `FAIL`, `UNK`, `SKIP`, and `FATAL`:

- `PASS`: The test passed with flying colors.
- `MEH`: The test passed, but with one or more things that could be improved.
- `FAIL`: The test failed, and should be fixed.
- `UNK`: The server gave us something we didn't understand.
- `SKIP`: The server gave us something we understood, but that we don't handle yet.
- `FATAL`: A really important test failed, and should be fixed immediately.
If the `TYPE` is negative (i.e. `MEH`, `FAIL`, or `FATAL`), the explanation will be prefixed with a reference code with the format `TWA-XXYY`, where `XX` is the stage that the result occurred in and `YY` is a unique identifier for the result.
`twa` can be used alongside `tscore`, which provides a basic scoring mechanism:

```bash
$ twa google.com | tscore
> 35 9 1 6 0 0 0
```

The score format is `score npasses nmehs nfailures nunknowns nskips totally_screwed`, so you can do:

```bash
$ read -r score npasses nmehs nfailures nunknowns nskips totally_screwed < <(twa google.com | tscore)
$ echo "score: ${score}"
```
Like `twa`, `tscore` is opinionated. You can change its opinions (i.e., its score weights) by editing it.
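As an added example (not part of `twa` or `tscore`, and using hypothetical function names), the helpers below consume result lines in the `TYPE(domain): explanation` format described above: they count results in the same order `tscore` reports them, pull the `TWA-XXYY` stage and id out of every negative result, and exit non-zero when any `FAIL` or `FATAL` is present, which makes a simple CI gate. The sample lines are constructed from the `google.com` run shown earlier.

```shell
#!/usr/bin/env bash
# Added helpers for consuming twa output (hypothetical; not part of twa/tscore).

# Constructed sample, copied from the google.com run in the README and trimmed.
sample_results() {
  cat <<'EOF'
FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)
FAIL(google.com): TWA-0205: Strict-Transport-Security missing
MEH(google.com): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'
FAIL(google.com): TWA-0209: X-Content-Type-Options missing
PASS(google.com): X-XSS-Protection specifies mode=block
FAIL(google.com): TWA-0214: Referrer-Policy missing
PASS(google.com): Site doesn't send 'X-Powered-By'
EOF
}

# Count each TYPE on stdin and print
# "npasses nmehs nfailures nunknowns nskips totally_screwed",
# i.e. tscore's fields after its leading score.
twa_counts() {
  awk -F'[(]' '
    /^(PASS|MEH|FAIL|UNK|SKIP|FATAL)\(/ { n[$1]++ }
    END { printf "%d %d %d %d %d %d\n",
          n["PASS"], n["MEH"], n["FAIL"], n["UNK"], n["SKIP"], n["FATAL"] }'
}

# Extract the TWA-XXYY code of every negative result as "XX YY TYPE":
# XX is the stage, YY the per-result id, so `sort` groups findings by stage.
twa_codes() {
  sed -n -E 's/^(MEH|FAIL|FATAL)\([^)]*\): TWA-([0-9]{2})([0-9]{2}): .*/\2 \3 \1/p'
}

# Exit 0 only when no FAIL or FATAL line is present; MEH is tolerated.
twa_gate() {
  ! grep -qE '^(FAIL|FATAL)\('
}

# Demo on the constructed sample; for a live site use: twa example.com | twa_counts
sample_results | twa_counts
sample_results | twa_codes | sort
```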
`twa` can be used from a lightweight (29MB) Alpine Docker container.

To run it from a Docker container:

```bash
$ docker build -t trailofbits/twa .
$ docker run --rm -t trailofbits/twa -vw google.com
```
Check out the contributing guidelines.