48

A tiny web auditor with strong opinions

 6 years ago
source link: https://www.tuicool.com/articles/hit/jeQN3yq
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

twa

A t iny w eb a uditor with strong opinions.

Usage

Dependencies

You'll need bash , awk , curl , and nc , along with a fairly POSIX system.

Auditing

# Audit a site.
$ twa google.com
> FAIL(google.com): HTTP redirects to HTTP (not secure)
> FAIL(google.com): Strict-Transport-Security missing
> MEH(google.com): X-Frame-Options is 'sameorigin', consider 'deny'?
> FAIL(google.com): X-Content-Type-Options missing
> PASS(google.com): X-XSS-Protection specifies mode=block
> FAIL(google.com): Referrer-Policy missing
> FAIL(google.com): Content-Security-Policy missing
> FAIL(google.com): Feature-Policy missing
> PASS(google.com): Site sends 'Server', but probably only a vendor ID: gws
> PASS(google.com): Site doesn't send 'X-Powered-By'
> PASS(google.com): Site doesn't send 'Via'
> PASS(google.com): Site doesn't send 'X-AspNet-Version'
> PASS(google.com): Site doesn't send 'X-AspNetMvc-Version'
> PASS(google.com): No SCM repository at: http://google.com/.git/HEAD
> PASS(google.com): No SCM repository at: http://google.com/.hg/store/00manifest.i
> PASS(google.com): No SCM repository at: http://google.com/.svn/entries

# Audit a site, and be verbose.
$ twa -v google.com

# Audit a site and its www subdomain.
$ twa -w google.com

twa takes one domain at a time, and only audits more than one domain at once in the -w case. If you need to audit multiple domains, run it multiple times.

Each result line comprises a test result, and looks like this:

TYPE(domain): explanation

where TYPE is one of PASS , MEH , FAIL , UNK , SKIP , and FATAL : 

PASS
MEH
FAIL
UNK
SKIP
FATAL

Scoring

twa can be used alongside tscore , which provides a basic scoring mechanism: 

$ twa google.com | tscore
> 35 9 1 6 0 0 0

The score format is score npasses nmehs nfailures nunknowns nskips totally_screwed , so you can do: 

$ read -r score npasses nmehs nfailures nunknowns nskips totally_screwed < <(twa google.com | tscore)
$ echo "score: ${score}"

Like twa , tscore is opinionated. You can change its opinions (i.e., its score weights) by editing it.

Contributing

Check out the contributing guidelines .


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK