Friday, January 24, 2020

Fedora 31 : The twa web auditor tool.

This tool comes with a good intro: A tiny web auditor with strong opinions.
The tool named twa takes one domain at a time and use these dependencies: bash 4, curl, dig, jq, and nc, along with the POSIX system.
The project can be found at GitHub repository but I can be install easy on Fedora 31 distro:
[root@desk mythcat]# dnf install twa.noarch 
Last metadata expiration check: 0:06:08 ago on Fri 24 Jan 2020 01:57:53 PM EET.
Dependencies resolved.
================================================================================
 Package       Architecture     Version                  Repository        Size
================================================================================
Installing:
 twa           noarch           1.8.0-3.fc31             fedora            18 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 18 k
Installed size: 30 k
Is this ok [y/N]: y
Downloading Packages:
twa-1.8.0-3.fc31.noarch.rpm                      10 kB/s |  18 kB     00:01    
--------------------------------------------------------------------------------
Total                                           6.7 kB/s |  18 kB     00:02     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : twa-1.8.0-3.fc31.noarch                                1/1 
  Running scriptlet: twa-1.8.0-3.fc31.noarch                                1/1 
  Verifying        : twa-1.8.0-3.fc31.noarch                                1/1 

Installed:
  twa-1.8.0-3.fc31.noarch                                                       

Complete!
Let's see some examples with google website responses and this tool:
[mythcat@desk ~]$ twa google.com
FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)
FAIL(google.com): TWA-0205: Strict-Transport-Security missing
MEH(google.com): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'
FAIL(google.com): TWA-0209: X-Content-Type-Options missing
FAIL(google.com): TWA-0210: X-XSS-Protection is '0'; XSS filtering disabled
FAIL(google.com): TWA-0214: Referrer-Policy missing
FAIL(google.com): TWA-0219: Content-Security-Policy missing
FAIL(google.com): TWA-0220: Feature-Policy missing
PASS(google.com): Site sends 'Server', but probably only a vendor ID: gws
PASS(google.com): Site doesn't send 'X-Powered-By'
PASS(google.com): Site doesn't send 'Via'
PASS(google.com): Site doesn't send 'X-AspNet-Version'
PASS(google.com): Site doesn't send 'X-AspNetMvc-Version'
PASS(google.com): No SCM repository at: http://google.com/.git/HEAD
PASS(google.com): No SCM repository at: http://google.com/.hg/store/00manifest.i
PASS(google.com): No SCM repository at: http://google.com/.svn/entries
PASS(google.com): No environment file at: http://google.com/.env
PASS(google.com): No environment file at: http://google.com/.dockerenv
PASS(google.com): No config file at: http://google.com/config.xml
PASS(google.com): No config file at: http://google.com/config.json
PASS(google.com): No config file at: http://google.com/config.yaml
PASS(google.com): No config file at: http://google.com/config.yml
PASS(google.com): No config file at: http://google.com/config.ini
^C
The output result line looks like this:
TYPE(domain): explanation where TYPE is one of PASS, MEH, FAIL, UNK, SKIP, and FATAL., see the output example:
PASS: The test passed with flying color.
MEH: The test passed, but with one or more things that could be improved.
FAIL: The test failed and should be fixed.
UNK: The server gave us something we didn't understand.
SKIP: The server gave us something we understood, but that we don't handle yet.
FATAL: A really important test failed, and should be fixed immediately.
Another feature is scoring.
The score format is this: npasses nmehs nfailures nunknowns nskips totally_screwed.
Let's see one example:
[mythcat@desk ~]$ twa google.com | tscore
20 37 2 7 0 0 0
The tool can be used with Alpine Docker container.