A tiny web auditor with strong opinions.
Clone or download
woodruffw twa: CAA checks (#29)
* twa: CAA checks

* twa: Tweak UNK on unknown CAA flags

* README: Note `dig` dependency
Latest commit 697d025 Sep 25, 2018

README.md

twa

Build Status Docker Build Status

A tiny web auditor with strong opinions.

Usage

Dependencies

You'll need bash 4, curl, dig, and nc, along with a fairly POSIX system.

Auditing

# Audit a site.
$ twa google.com
> FAIL(google.com): HTTP redirects to HTTP (not secure)
> FAIL(google.com): Strict-Transport-Security missing
> MEH(google.com): X-Frame-Options is 'sameorigin', consider 'deny'?
> FAIL(google.com): X-Content-Type-Options missing
> PASS(google.com): X-XSS-Protection specifies mode=block
> FAIL(google.com): Referrer-Policy missing
> FAIL(google.com): Content-Security-Policy missing
> FAIL(google.com): Feature-Policy missing
> PASS(google.com): Site sends 'Server', but probably only a vendor ID: gws
> PASS(google.com): Site doesn't send 'X-Powered-By'
> PASS(google.com): Site doesn't send 'Via'
> PASS(google.com): Site doesn't send 'X-AspNet-Version'
> PASS(google.com): Site doesn't send 'X-AspNetMvc-Version'
> PASS(google.com): No SCM repository at: http://google.com/.git/HEAD
> PASS(google.com): No SCM repository at: http://google.com/.hg/store/00manifest.i
> PASS(google.com): No SCM repository at: http://google.com/.svn/entries

# Audit a site, and be verbose.
$ twa -v google.com

# Audit a site and its www subdomain.
$ twa -w google.com

twa takes one domain at a time, and only audits more than one domain at once in the -w case. If you need to audit multiple domains, run it multiple times.

Each result line comprises a test result, and looks like this:

TYPE(domain): explanation

where TYPE is one of PASS, MEH, FAIL, UNK, SKIP, and FATAL:

  • PASS: The test passed with flying colors.
  • MEH: The test passed, but with one or more things that could be improved.
  • FAIL: The test failed, and should be fixed.
  • UNK: The server gave us something we didn't understand.
  • SKIP: The server gave us something we understood, but that we don't handle yet.
  • FATAL: A really important test failed, and should be fixed immediately.

Scoring

twa can be used alongside tscore, which provides a basic scoring mechanism:

$ twa google.com | tscore
> 35 9 1 6 0 0 0

The score format is score npasses nmehs nfailures nunknowns nskips totally_screwed, so you can do:

$ read -r score npasses nmehs nfailures nunknowns nskips totally_screwed < <(twa google.com | tscore)
$ echo "score: ${score}"

Like twa, tscore is opinionated. You can change its opinions (i.e., its score weights) by editing it.

Docker

twa can be used from a lightweight (29MB) Alpine Docker container.

To install it from Docker Hub:

$ docker pull trailofbits/twa

or, to build it manually:

$ git clone https://github.com/trailofbits/twa.git
$ cd twa
$ docker build -t twa .
$ docker run -it twa:latest -vw google.com

Contributing

Check out the contributing guidelines.