trailofbits/twa

Add a flag to only show certain audit conditions.

GatewayBit opened this issue · 2 comments

An idea to have a new flag to display certain audit conditions.
Normal example run.

$ twa google.com

FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)
FAIL(google.com): TWA-0205: Strict-Transport-Security missing
MEH(google.com): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'
FAIL(google.com): TWA-0209: X-Content-Type-Options missing
FAIL(google.com): TWA-0210: X-XSS-Protection is '0'; XSS filtering disabled
FAIL(google.com): TWA-0214: Referrer-Policy missing
FAIL(google.com): TWA-0219: Content-Security-Policy missing
FAIL(google.com): TWA-0220: Feature-Policy missing
PASS(google.com): Site sends 'Server', but probably only a vendor ID: gws
PASS(google.com): Site doesn't send 'X-Powered-By'
PASS(google.com): Site doesn't send 'Via'
(OMITTED)

Example to show only FAIL conditions. Note that both MEH and PASS types have been removed from this request.

$ twa -t FAIL google.com

FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)
FAIL(google.com): TWA-0205: Strict-Transport-Security missing
FAIL(google.com): TWA-0209: X-Content-Type-Options missing
FAIL(google.com): TWA-0210: X-XSS-Protection is '0'; XSS filtering disabled
FAIL(google.com): TWA-0214: Referrer-Policy missing
FAIL(google.com): TWA-0219: Content-Security-Policy missing
FAIL(google.com): TWA-0220: Feature-Policy missing
(OMITTED)

Example to show only PASS conditions.

$ twa -t PASS google.com

PASS(google.com): Site sends 'Server', but probably only a vendor ID: gws
PASS(google.com): Site doesn't send 'X-Powered-By'
PASS(google.com): Site doesn't send 'Via'
(OMITTED)

Maybe this idea is a bit overkill since you can simply use grep to achieve the same result.

Example to show only FAIL conditions using grep.

$ twa google.com | grep -e FAIL

FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)
FAIL(google.com): TWA-0205: Strict-Transport-Security missing
FAIL(google.com): TWA-0209: X-Content-Type-Options missing
FAIL(google.com): TWA-0210: X-XSS-Protection is '0'; XSS filtering disabled
FAIL(google.com): TWA-0214: Referrer-Policy missing
FAIL(google.com): TWA-0219: Content-Security-Policy missing
FAIL(google.com): TWA-0220: Feature-Policy missing
(OMITTED)

I'm open to discussion for constructive criticism or alternative suggestions to the idea.

Thanks for opening the discussion!

I'm personally so-so on this feature: I think I'd prefer people to use grep (for one-off, interactive filtering) or the CSV mode + programmatic filtering for more structured usage. However, I'll leave this open to solicit feedback from others.

Some open questions that should be resolved:

  • What about showing multiple audit conditions? Would that be -t MEH -t FAIL or -t MEH,FAIL? Both?
  • What if I want to show all audits above a particular level? A new user might be surprised that -t FAIL hides FATAL audits.

Some open questions that should be resolved:

  • What about showing multiple audit conditions? Would that be -t MEH -t FAIL or -t MEH,FAIL? Both?

Good point. The easiest solution is to just use grep.
Example filtering for both MEH and FAIL.

$ twa google.com | grep -E 'MEH|FAIL'

FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)
FAIL(google.com): TWA-0205: Strict-Transport-Security missing
MEH(google.com): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'
FAIL(google.com): TWA-0209: X-Content-Type-Options missing
FAIL(google.com): TWA-0210: X-XSS-Protection is '0'; XSS filtering disabled
FAIL(google.com): TWA-0214: Referrer-Policy missing
FAIL(google.com): TWA-0219: Content-Security-Policy missing
FAIL(google.com): TWA-0220: Feature-Policy missing
(OMITTED)

No need to re-invent the wheel in this scenario.

  • What if I want to show all audits above a particular level? A new user might be surprised that -t FAIL hides FATAL audits.

Interesting. I would assume some sort of hierarchy value would be required to determine the importance of each condition type, with FATAL being the highest and PASS being the lowest.
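As an added example (not twa's own code and not from anyone in this thread), the two open questions above can be worked through in a few lines of POSIX shell and awk over twa-style "LEVEL(host): message" lines: one filter keeps an exact comma-separated set of conditions (the -t MEH,FAIL spelling), the other keeps everything at or above a minimum level using the FATAL > FAIL > MEH > PASS ordering suggested in the last comment. The sample lines, the function names twa_only_levels and twa_min_level, and that ordering are assumptions; twa's real set of condition names may include others.

```shell
#!/bin/sh
# Added example (not twa's own code). Filters twa-style "LEVEL(host): message" lines.
# Assumed ordering, highest first: FATAL > FAIL > MEH > PASS.

# Constructed sample output in the same shape as the issue's examples.
SAMPLE="FATAL(example.com): TWA-0000: constructed fatal finding
FAIL(example.com): TWA-0205: Strict-Transport-Security missing
MEH(example.com): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'
PASS(example.com): Site doesn't send 'Via'"

# twa_only_levels "MEH,FAIL": keep only lines whose condition is in the comma-separated list.
# Matches on the leading token only, so a message that merely mentions "FAIL" is not kept.
twa_only_levels() {
  awk -v names="$1" '
    BEGIN {
      n = split(names, want, ",")
      for (i = 1; i <= n; i++) keep[want[i]] = 1
    }
    {
      lvl = $0; sub(/\(.*/, "", lvl)    # condition name is the text before the first "("
      if (lvl in keep) print
    }'
}

# twa_min_level FAIL: keep lines at or above the given level, so FAIL also shows FATAL.
# Lines whose leading token is not a known level (for example "(OMITTED)") are dropped.
twa_min_level() {
  awk -v minname="$1" '
    BEGIN {
      rank["PASS"] = 0; rank["MEH"] = 1; rank["FAIL"] = 2; rank["FATAL"] = 3
      if (!(minname in rank)) { print "unknown level: " minname > "/dev/stderr"; exit 2 }
      min = rank[minname]
    }
    {
      lvl = $0; sub(/\(.*/, "", lvl)
      if ((lvl in rank) && rank[lvl] >= min) print
    }'
}

# Demo: the same idea as "twa google.com | grep -E 'MEH|FAIL'", run over the sample above.
printf '%s\n' "$SAMPLE" | twa_only_levels "MEH,FAIL"
printf '%s\n' "$SAMPLE" | twa_min_level FAIL
```

Usage is `twa example.com | twa_min_level FAIL`. The difference from the grep approach in the thread is that these filters key on the condition token at the start of the line rather than on any occurrence of the word, so a PASS line whose message happens to contain "FAIL" is not misreported, and the minimum-level form avoids the surprise of -t FAIL hiding FATAL findings.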