A tiny web auditor with strong opinions.
You'll need bash
4, curl
, dig
, jq
, and nc
, along with a fairly POSIX system.
testssl.sh
is an optional dependency.
# Audit a site.
$ twa google.com
> FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)
> FAIL(google.com): TWA-0205: Strict-Transport-Security missing
> MEH(google.com): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'
> FAIL(google.com): TWA-0209: X-Content-Type-Options missing
> PASS(google.com): X-XSS-Protection specifies mode=block
> FAIL(google.com): TWA-0214: Referrer-Policy missing
> FAIL(google.com): TWA-0219: Content-Security-Policy missing
> FAIL(google.com): TWA-0220: Feature-Policy missing
> PASS(google.com): Site sends 'Server', but probably only a vendor ID: gws
> PASS(google.com): Site doesn't send 'X-Powered-By'
> PASS(google.com): Site doesn't send 'Via'
> PASS(google.com): Site doesn't send 'X-AspNet-Version'
> PASS(google.com): Site doesn't send 'X-AspNetMvc-Version'
> PASS(google.com): No SCM repository at: http://google.com/.git/HEAD
> PASS(google.com): No SCM repository at: http://google.com/.hg/store/00manifest.i
> PASS(google.com): No SCM repository at: http://google.com/.svn/entries
> PASS(google.com): No environment file at: http://google.com/.env
> PASS(google.com): No environment file at: http://google.com/.dockerenv
# Audit a site, and be verbose (on stderr)
$ twa -v example.com
# Audit a site and emit results in CSV
$ twa -c example.com
# Audit a site and its www subdomain
$ twa -w example.com
# Audit a site and include testssl
# Requires either `testssl` or `testssl.sh` on your $PATH
$ twa -s example.com
# Audit a site without scanning common development ports
$ twa -d example.com
twa
takes one domain at a time, and only audits more than one domain at once in the -w
case.
If you need to audit multiple domains, run it multiple times.
Each result line comprises a test result, and looks like this:
TYPE(domain): explanation
where TYPE
is one of PASS
, MEH
, FAIL
, UNK
, SKIP
, and FATAL
:
PASS
: The test passed with flying colors.MEH
: The test passed, but with one or more things that could be improved.FAIL
: The test failed, and should be fixed.UNK
: The server gave us something we didn't understand.SKIP
: The server gave us something we understood, but that we don't handle yet.FATAL
: A really important test failed, and should be fixed immediately.
If the TYPE
is negative (i.e. MEH
, FAIL
, or FATAL
), the explanation will be prefixed with
a reference code with the format TWA-XXYY
, where XX
is the stage that the result occurred in
and YY
is a unique identifier for the result.
twa
can be used alongside tscore
, which provides a basic scoring mechanism:
$ twa google.com | tscore
> 35 9 1 6 0 0 0
The score format is score npasses nmehs nfailures nunknowns nskips totally_screwed
, so you can do:
$ read -r score npasses nmehs nfailures nunknowns nskips totally_screwed < <(twa google.com | tscore)
$ echo "score: ${score}"
Like twa
, tscore
is opinionated. You can change its opinions (i.e., its score weights)
by editing it.
twa
can be used from a lightweight (29MB) Alpine Docker container.
To run it from a Docker container:
$ docker build -t trailofbis/twa .
$ docker run --rm -t trailofbits/twa -vw google.com
Check out the contributing guidelines.