twa v1.10 releases: tiny web auditor with strong opinions
twa
A tiny web auditor with strong opinions.
Install
Docker
twa can be used from a lightweight (29MB) Alpine Docker container.
To install it from Docker Hub:
$ docker pull trailofbits/twa
or, to build it manually:
$ git clone https://github.com/trailofbits/twa.git
$ cd twa
$ docker build -t twa .
$ docker run -it twa:latest -vw google.com
Usage
Auditing
twa takes one domain at a time; it only audits more than one domain at once in the -w case. If you need to audit multiple domains, run it once per domain.
Each result line comprises a test result, and looks like this:
TYPE(domain): explanation
where TYPE is one of PASS, MEH, FAIL, UNK, SKIP, and FATAL:
- PASS: The test passed with flying colors.
- MEH: The test passed, but with one or more things that could be improved.
- FAIL: The test failed and should be fixed.
- UNK: The server gave us something we didn’t understand.
- SKIP: The server gave us something we understood, but that we don’t handle yet.
- FATAL: A really important test failed, and should be fixed immediately.
Scoring
twa can be used alongside tscore, which provides a basic scoring mechanism:
$ twa google.com | tscore
> 35 9 1 6 0 0 0
The score format is score npasses nmehs nfailures nunknowns nskips totally_screwed, so you can do:
$ read -r score npasses nmehs nfailures nunknowns nskips totally_screwed < <(twa google.com | tscore)
$ echo "score: ${score}"
Like twa, tscore is opinionated. You can change its opinions (i.e., its score weights) by editing it.
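The result-line format above (TYPE(domain): explanation) and the tscore summary format (score npasses nmehs nfailures nunknowns nskips totally_screwed) are easy to consume from a shell pipeline. The following is an added example, not code from twa or tscore: a small awk-based tally that reads twa-style lines on stdin, counts each TYPE, ignores lines that do not match the format, and prints a summary line in tscore's field order. The sample input and the per-type weights (w[...]) are constructed assumptions for illustration; tscore's real weights live in the tscore script itself, so adjust them there or here as you see fit.

```shell
#!/bin/sh
# Added example (not part of twa/tscore): tally twa result lines by TYPE
# and emit a tscore-style summary line.

# Constructed sample output in twa's "TYPE(domain): explanation" format,
# plus one malformed line to show that unparsed input is ignored.
SAMPLE_TWA_OUTPUT='PASS(example.com): HTTPS is enabled
MEH(example.com): HSTS max-age is shorter than a year
FAIL(example.com): X-Frame-Options is not set
UNK(example.com): Unexpected response from server
SKIP(example.com): Response understood but not handled yet
FATAL(example.com): Plaintext HTTP is served without a redirect
this line is not a twa result and should be ignored'

# twa_tally: read twa output on stdin, print
#   "score npasses nmehs nfailures nunknowns nskips totally_screwed"
# Weights are assumed values, not tscore's; edit them to change the opinion.
twa_tally() {
    awk '
        BEGIN {
            w["PASS"]  =   5   # assumed weight
            w["MEH"]   =   1   # assumed weight
            w["FAIL"]  =  -5   # assumed weight
            w["UNK"]   =   0   # assumed weight
            w["SKIP"]  =   0   # assumed weight
            w["FATAL"] = -20   # assumed weight
        }
        # Only lines shaped like TYPE(domain): explanation count as results.
        match($0, /^(PASS|MEH|FAIL|UNK|SKIP|FATAL)\([^)]*\): /) {
            type = substr($0, 1, index($0, "(") - 1)
            n[type]++
            score += w[type]
            next
        }
        { unparsed++ }
        END {
            if (unparsed)
                printf "note: ignored %d unparsed line(s)\n", unparsed > "/dev/stderr"
            printf "%d %d %d %d %d %d %d\n", score,
                n["PASS"], n["MEH"], n["FAIL"], n["UNK"], n["SKIP"], n["FATAL"]
        }
    '
}

# twa_gate: read a summary line on stdin and succeed only when there are
# no FAIL and no FATAL results, which makes the tally usable as a CI check.
twa_gate() {
    read -r score npasses nmehs nfailures nunknowns nskips totally_screwed
    [ "$nfailures" -eq 0 ] && [ "$totally_screwed" -eq 0 ]
}

# Stand-alone run on the constructed sample (in practice: twa example.com | twa_tally).
printf '%s\n' "$SAMPLE_TWA_OUTPUT" | twa_tally
```

The regular expression anchors on the six TYPE keywords and the "(domain): " suffix, so explanation text that happens to contain a keyword is not miscounted. Piping the summary into twa_gate gives a non-zero exit status whenever a FAIL or FATAL was seen, which is the typical way to make an audit block a deployment pipeline.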
Copyright (c) 2018 William Woodruff <william @ yossarian.net>
Source: https://github.com/trailofbits/