
Add a flag to only show certain audit conditions.

Open GatewayBit opened this issue 5 years ago • 2 comments

An idea to have a new flag to display certain audit conditions. Normal example run.

$ twa google.com

FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)
FAIL(google.com): TWA-0205: Strict-Transport-Security missing
MEH(google.com): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'
FAIL(google.com): TWA-0209: X-Content-Type-Options missing
FAIL(google.com): TWA-0210: X-XSS-Protection is '0'; XSS filtering disabled
FAIL(google.com): TWA-0214: Referrer-Policy missing
FAIL(google.com): TWA-0219: Content-Security-Policy missing
FAIL(google.com): TWA-0220: Feature-Policy missing
PASS(google.com): Site sends 'Server', but probably only a vendor ID: gws
PASS(google.com): Site doesn't send 'X-Powered-By'
PASS(google.com): Site doesn't send 'Via'
(OMITTED)

Example to show only FAIL conditions. Note that both MEH and PASS types have been removed from this request.

$ twa -t FAIL google.com

FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)
FAIL(google.com): TWA-0205: Strict-Transport-Security missing
FAIL(google.com): TWA-0209: X-Content-Type-Options missing
FAIL(google.com): TWA-0210: X-XSS-Protection is '0'; XSS filtering disabled
FAIL(google.com): TWA-0214: Referrer-Policy missing
FAIL(google.com): TWA-0219: Content-Security-Policy missing
FAIL(google.com): TWA-0220: Feature-Policy missing
(OMITTED)

Example to show only PASS conditions.

$ twa -t PASS google.com

PASS(google.com): Site sends 'Server', but probably only a vendor ID: gws
PASS(google.com): Site doesn't send 'X-Powered-By'
PASS(google.com): Site doesn't send 'Via'
(OMITTED)

Maybe this idea is a bit overkill since you can simply use grep to achieve the same result.

Example to show only FAIL conditions using grep.

$ twa google.com | grep -e FAIL

FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)
FAIL(google.com): TWA-0205: Strict-Transport-Security missing
FAIL(google.com): TWA-0209: X-Content-Type-Options missing
FAIL(google.com): TWA-0210: X-XSS-Protection is '0'; XSS filtering disabled
FAIL(google.com): TWA-0214: Referrer-Policy missing
FAIL(google.com): TWA-0219: Content-Security-Policy missing
FAIL(google.com): TWA-0220: Feature-Policy missing
(OMITTED)

I'm open to discussion for constructive criticism or alternative suggestions to the idea.

GatewayBit, Oct 05 '20 18:10

Thanks for opening the discussion!

I'm personally so-so on this feature: I think I'd prefer people to use grep (for one-off, interactive filtering) or the CSV mode + programmatic filtering for more structured usage. However, I'll leave this open to solicit feedback from others.

Some open questions that should be resolved:

  • What about showing multiple audit conditions? Would that be -t MEH -t FAIL or -t MEH,FAIL? Both?
  • What if I want to show all audits above a particular level? A new user might be surprised that -t FAIL hides FATAL audits.

woodruffw, Oct 05 '20 18:10

Some open questions that should be resolved:

  • What about showing multiple audit conditions? Would that be -t MEH -t FAIL or -t MEH,FAIL? Both?

Good point. The easiest solution is to just use grep. Example filtering for both MEH and FAIL.

$ twa google.com | grep -E 'MEH|FAIL'

FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)
FAIL(google.com): TWA-0205: Strict-Transport-Security missing
MEH(google.com): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'
FAIL(google.com): TWA-0209: X-Content-Type-Options missing
FAIL(google.com): TWA-0210: X-XSS-Protection is '0'; XSS filtering disabled
FAIL(google.com): TWA-0214: Referrer-Policy missing
FAIL(google.com): TWA-0219: Content-Security-Policy missing
FAIL(google.com): TWA-0220: Feature-Policy missing
(OMITTED)

No need to re-invent the wheel in this scenario.

  • What if I want to show all audits above a particular level? A new user might be surprised that -t FAIL hides FATAL audits.

Interesting. I would assume some sort of hierarchy value would be required to determine the importance of each condition type, with FATAL being the highest and PASS being the lowest.

GatewayBit, Oct 05 '20 18:10
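As an added example (not twa's own code), a POSIX shell filter over twa's text output that covers both questions raised above: an explicit comma-separated list such as MEH,FAIL, and a minimum-level mode in which asking for FAIL still keeps FATAL. The PASS < MEH < FAIL < FATAL ranking, the sample lines and the TWA-0000 id are assumptions constructed for this example.

```shell
# Added example, not part of twa: filter twa's text output by audit level.
# Assumed ranking (the thread says one is needed): PASS < MEH < FAIL < FATAL.

# level_rank LEVEL: print the level's numeric rank, 0 if unknown.
level_rank() {
  case "$1" in
    PASS)  echo 1 ;;
    MEH)   echo 2 ;;
    FAIL)  echo 3 ;;
    FATAL) echo 4 ;;
    *)     echo 0 ;;
  esac
}
# line_level LINE: the tag before the first '(' of a twa line ("FAIL(host): ...").
line_level() { printf '%s' "${1%%\(*}"; }

# twa_filter_min MIN: keep lines at or above MIN, so "FAIL" still shows FATAL.
# Lines without a known tag ("(OMITTED)", blanks) are dropped; unknown MIN fails.
twa_filter_min() {
  min=$(level_rank "$1")
  if [ "$min" -eq 0 ]; then echo "unknown level: $1" >&2; return 1; fi
  while IFS= read -r line; do
    if [ "$(level_rank "$(line_level "$line")")" -ge "$min" ]; then
      printf '%s\n' "$line"
    fi
  done
}
# twa_filter_any LIST: keep lines whose tag is in the comma-separated LIST.
twa_filter_any() {
  wanted=",$1,"
  while IFS= read -r line; do
    lvl=$(line_level "$line")
    case "$wanted" in
      *",$lvl,"*) printf '%s\n' "$line" ;;
    esac
  done
}

# Constructed sample modelled on the issue's output; the FATAL line and its
# TWA-0000 id are placeholders, not real twa checks.
SAMPLE=$(cat <<'EOF'
FATAL(example.com): TWA-0000: placeholder fatal finding
FAIL(example.com): TWA-0205: Strict-Transport-Security missing
MEH(example.com): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'
PASS(example.com): Site doesn't send 'Via'
(OMITTED)
EOF
)
printf '%s\n' "$SAMPLE" | twa_filter_min FAIL      # FATAL and FAIL lines only
printf '%s\n' "$SAMPLE" | twa_filter_any MEH,FAIL  # FAIL and MEH lines only
```

In practice the functions would read `twa host | twa_filter_min FAIL` instead of the constructed sample.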