
trailofbits / Twa

Licence: mit
A tiny web auditor with strong opinions.



twa


A tiny web auditor with strong opinions.

Usage

Dependencies

You'll need bash 4, curl, dig, jq, and nc, along with a fairly POSIX system.

testssl.sh is an optional dependency.

Auditing

# Audit a site.
$ twa google.com
> FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)
> FAIL(google.com): TWA-0205: Strict-Transport-Security missing
> MEH(google.com): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'
> FAIL(google.com): TWA-0209: X-Content-Type-Options missing
> PASS(google.com): X-XSS-Protection specifies mode=block
> FAIL(google.com): TWA-0214: Referrer-Policy missing
> FAIL(google.com): TWA-0219: Content-Security-Policy missing
> FAIL(google.com): TWA-0220: Feature-Policy missing
> PASS(google.com): Site sends 'Server', but probably only a vendor ID: gws
> PASS(google.com): Site doesn't send 'X-Powered-By'
> PASS(google.com): Site doesn't send 'Via'
> PASS(google.com): Site doesn't send 'X-AspNet-Version'
> PASS(google.com): Site doesn't send 'X-AspNetMvc-Version'
> PASS(google.com): No SCM repository at: http://google.com/.git/HEAD
> PASS(google.com): No SCM repository at: http://google.com/.hg/store/00manifest.i
> PASS(google.com): No SCM repository at: http://google.com/.svn/entries
> PASS(google.com): No environment file at: http://google.com/.env
> PASS(google.com): No environment file at: http://google.com/.dockerenv

# Audit a site, and be verbose (on stderr)
$ twa -v example.com

# Audit a site and emit results in CSV
$ twa -c example.com

# Audit a site and its www subdomain
$ twa -w example.com

# Audit a site and include testssl
# Requires either `testssl` or `testssl.sh` on your $PATH
$ twa -s example.com

# Audit a site without scanning common development ports
$ twa -d example.com

twa takes one domain at a time, and only audits more than one domain at once in the -w case. If you need to audit multiple domains, run it multiple times.

Each line of output is a single test result and looks like this:

TYPE(domain): explanation

where TYPE is one of PASS, MEH, FAIL, UNK, SKIP, and FATAL:

  • PASS: The test passed with flying colors.
  • MEH: The test passed, but with one or more things that could be improved.
  • FAIL: The test failed, and should be fixed.
  • UNK: The server gave us something we didn't understand.
  • SKIP: The server gave us something we understood, but that we don't handle yet.
  • FATAL: A really important test failed, and should be fixed immediately.

If the TYPE is negative (i.e. MEH, FAIL, or FATAL), the explanation will be prefixed with a reference code with the format TWA-XXYY, where XX is the stage that the result occurred in and YY is a unique identifier for the result.

Scoring

twa can be used alongside tscore, which provides a basic scoring mechanism:

$ twa google.com | tscore
> 35 9 1 6 0 0 0

The score format is score npasses nmehs nfailures nunknowns nskips totally_screwed, so you can do:

$ read -r score npasses nmehs nfailures nunknowns nskips totally_screwed < <(twa google.com | tscore)
$ echo "score: ${score}"

Like twa, tscore is opinionated. You can change its opinions (i.e., its score weights) by editing it.
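The result-line format described above and the per-type counts that tscore reports can both be handled in a few lines of POSIX sh. This is an added example, not twa's or tscore's own code: it counts results by TYPE, pulls the TWA-XXYY reference codes out of negative results, and gates on FAIL/FATAL; the sample twa output is constructed, and TWA-9999 on its FATAL line is a placeholder code, not a real twa check.

```shell
# Added example, not part of twa or tscore: summarise twa result lines and gate a CI job on them.
# Constructed sample in twa's "TYPE(domain): explanation" format (not a real audit run);
# TWA-9999 on the FATAL line is a placeholder, not a real twa reference code.
SAMPLE_TWA_OUTPUT=$(cat <<'EOF'
FAIL(example.com): TWA-0102: HTTP redirects to HTTP (not secure)
FAIL(example.com): TWA-0205: Strict-Transport-Security missing
MEH(example.com): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'
PASS(example.com): X-XSS-Protection specifies mode=block
UNK(example.com): constructed line standing in for a reply twa did not understand
FATAL(example.com): TWA-9999: placeholder for a really important failed test
EOF
)
# Count results read from stdin; prints "npasses nmehs nfailures nunknowns nskips nfatals".
twa_counts() {
    pass=0; meh=0; fail=0; unk=0; skip=0; fatal=0
    while IFS= read -r line; do
        case "$line" in                # TYPE is everything before "(domain)"
            "PASS("*)  pass=$((pass + 1)) ;;
            "MEH("*)   meh=$((meh + 1)) ;;
            "FAIL("*)  fail=$((fail + 1)) ;;
            "UNK("*)   unk=$((unk + 1)) ;;
            "SKIP("*)  skip=$((skip + 1)) ;;
            "FATAL("*) fatal=$((fatal + 1)) ;;
        esac
    done
    printf '%s %s %s %s %s %s\n' "$pass" "$meh" "$fail" "$unk" "$skip" "$fatal"
}

# Print the TWA-XXYY reference code of every negative result (MEH, FAIL, FATAL), one per line.
twa_ref_codes() {
    while IFS= read -r line; do
        case "$line" in
            "MEH("*|"FAIL("*|"FATAL("*)
                rest=${line#*: }       # drop "TYPE(domain): "
                code=${rest%%:*}       # keep "TWA-XXYY"
                case "$code" in TWA-[0-9][0-9][0-9][0-9]) printf '%s\n' "$code" ;; esac ;;
        esac
    done
}

# CI gate: succeed only when stdin contains no FAIL and no FATAL result (MEH alone passes).
twa_gate() {
    set -- $(twa_counts)               # $1..$6 = pass meh fail unk skip fatal
    [ "$3" -eq 0 ] && [ "$6" -eq 0 ]
}
printf '%s\n' "$SAMPLE_TWA_OUTPUT" | twa_counts          # 1 1 2 1 0 1
if ! printf '%s\n' "$SAMPLE_TWA_OUTPUT" | twa_gate; then
    echo "blocked, fix these:"; printf '%s\n' "$SAMPLE_TWA_OUTPUT" | twa_ref_codes
fi
```

In a pipeline you would replace the constructed sample with `twa example.com | twa_gate`; the gate deliberately lets MEH through, since the README defines MEH as a pass with room for improvement.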

Docker

twa can be used from a lightweight (29MB) Alpine Docker container.

To run it from a Docker container:

$ docker run --rm -t trailofbits/twa -vw google.com

or, to build it manually:

$ git clone https://github.com/trailofbits/twa.git
$ cd twa
$ docker build -t trailofbits/twa .
$ docker run --rm -t trailofbits/twa -vw google.com

Contributing

Check out the contributing guidelines.
