{"id":13537693,"url":"https://github.com/trailofbits/twa","last_synced_at":"2025-05-15T10:07:17.373Z","repository":{"id":33030327,"uuid":"148557771","full_name":"trailofbits/twa","owner":"trailofbits","description":"A tiny web auditor with strong opinions.","archived":false,"fork":false,"pushed_at":"2025-01-22T15:40:42.000Z","size":185,"stargazers_count":589,"open_issues_count":4,"forks_count":52,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-05-12T05:54:17.674Z","etag":null,"topics":["auditing","hacktoberfest","security","web-security"],"latest_commit_sha":null,"homepage":"https://trailofbits.github.io/twa","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trailofbits.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-09-13T00:15:42.000Z","updated_at":"2025-05-11T01:25:52.000Z","dependencies_parsed_at":"2022-07-16T05:00:38.246Z","dependency_job_id":"7bbf2445-8cbb-453e-bac0-b6e6ffcbe917","html_url":"https://github.com/trailofbits/twa","commit_stats":null,"previous_names":[],"tags_count":20,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Ftwa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Ftwa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Ftwa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Ftwa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/
hosts/GitHub/owners/trailofbits","download_url":"https://codeload.github.com/trailofbits/twa/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254319720,"owners_count":22051073,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auditing","hacktoberfest","security","web-security"],"created_at":"2024-08-01T09:01:02.218Z","updated_at":"2025-05-15T10:07:12.355Z","avatar_url":"https://github.com/trailofbits.png","language":"Shell","readme":"twa\n===\n\n[![CI](https://github.com/trailofbits/twa/actions/workflows/ci.yml/badge.svg)](https://github.com/trailofbits/twa/actions/workflows/ci.yml)\n[![Repology - Repositories](https://img.shields.io/repology/repositories/twa)](https://repology.org/project/twa/versions)\n\n\nA **t**iny **w**eb **a**uditor with strong opinions.\n\n## Usage\n\n### Dependencies\n\nYou'll need `bash` 4, `curl`, `dig`, `jq`, and `nc`, along with a fairly POSIX system.\n\n[`testssl.sh`](https://github.com/drwetter/testssl.sh) is an optional dependency.\n\n### Auditing\n\n```bash\n# Audit a site.\n$ twa google.com\n\u003e FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)\n\u003e FAIL(google.com): TWA-0205: Strict-Transport-Security missing\n\u003e MEH(google.com): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'\n\u003e FAIL(google.com): TWA-0209: X-Content-Type-Options missing\n\u003e PASS(google.com): X-XSS-Protection specifies mode=block\n\u003e FAIL(google.com): TWA-0214: Referrer-Policy missing\n\u003e FAIL(google.com): TWA-0219: Content-Security-Policy missing\n\u003e 
FAIL(google.com): TWA-0220: Feature-Policy missing\n\u003e PASS(google.com): Site sends 'Server', but probably only a vendor ID: gws\n\u003e PASS(google.com): Site doesn't send 'X-Powered-By'\n\u003e PASS(google.com): Site doesn't send 'Via'\n\u003e PASS(google.com): Site doesn't send 'X-AspNet-Version'\n\u003e PASS(google.com): Site doesn't send 'X-AspNetMvc-Version'\n\u003e PASS(google.com): No SCM repository at: http://google.com/.git/HEAD\n\u003e PASS(google.com): No SCM repository at: http://google.com/.hg/store/00manifest.i\n\u003e PASS(google.com): No SCM repository at: http://google.com/.svn/entries\n\u003e PASS(google.com): No environment file at: http://google.com/.env\n\u003e PASS(google.com): No environment file at: http://google.com/.dockerenv\n\n# Audit a site, and be verbose (on stderr)\n$ twa -v example.com\n\n# Audit a site and emit results in CSV\n$ twa -c example.com\n\n# Audit a site and its www subdomain\n$ twa -w example.com\n\n# Audit a site and include testssl\n# Requires either `testssl` or `testssl.sh` on your $PATH\n$ twa -s example.com\n\n# Audit a site without scanning common development ports\n$ twa -d example.com\n```\n\n`twa` takes one domain at a time, and only audits more than one domain at once in the `-w` case.\nIf you need to audit multiple domains, run it multiple times.\n\nEach result line comprises a test result, and looks like this:\n\n```\nTYPE(domain): explanation\n```\n\nwhere `TYPE` is one of `PASS`, `MEH`, `FAIL`, `UNK`, `SKIP`, and `FATAL`:\n\n* `PASS`: The test passed with flying colors.\n* `MEH`: The test passed, but with one or more things that could be improved.\n* `FAIL`: The test failed, and should be fixed.\n* `UNK`: The server gave us something we didn't understand.\n* `SKIP`: The server gave us something we understood, but that we don't handle yet.\n* `FATAL`: A really important test failed, and should be fixed immediately.\n\nIf the `TYPE` is negative (i.e. 
`MEH`, `FAIL`, or `FATAL`), the explanation will be prefixed with\na reference code with the format `TWA-XXYY`, where `XX` is the stage that the result occurred in\nand `YY` is a unique identifier for the result.\n\n### Scoring\n\n`twa` can be used alongside `tscore`, which provides a basic scoring mechanism:\n\n```bash\n$ twa google.com | tscore\n\u003e 35 9 1 6 0 0 0\n```\n\nThe score format is `score npasses nmehs nfailures nunknowns nskips totally_screwed`, so you can do:\n\n```bash\n$ read -r score npasses nmehs nfailures nunknowns nskips totally_screwed \u003c \u003c(twa google.com | tscore)\n$ echo \"score: ${score}\"\n```\n\nLike `twa`, `tscore` is opinionated. You can change its opinions (i.e., its score weights)\nby editing it.\n\n### Docker\n\n`twa` can be used from a lightweight (29MB) Alpine Docker container.\n\nTo run it from a Docker container:\n\n```bash\n# Build the image with the same tag that the run command below uses.\n$ docker build -t trailofbits/twa .\n$ docker run --rm -t trailofbits/twa -vw google.com\n```\n\n## Contributing\n\nCheck out the [contributing guidelines](CONTRIBUTING.md).\n","funding_links":[],"categories":["\u003ca id=\"9eee96404f868f372a6cbc6769ccb7f8\"\u003e\u003c/a\u003e新添加的","Shell","\u003ca id=\"9eee96404f868f372a6cbc6769ccb7f8\"\u003e\u003c/a\u003e工具","security"],"sub_categories":["\u003ca id=\"31185b925d5152c7469b963809ceb22d\"\u003e\u003c/a\u003e新添加的"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrailofbits%2Ftwa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrailofbits%2Ftwa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrailofbits%2Ftwa/lists"}