mosawalhi7/webarmor-audit

GitHub: mosawalhi7/webarmor-audit

WebArmor-Audit: a professional website security audit tool that quickly checks HTTP security headers, SSL/TLS vulnerabilities and sensitive files.

Stars: 0 | Forks: 0

# WebArmor-Audit

### Production-Grade HTTP Security Headers Auditor & SSL/TLS Inspector

[![Python](https://img.shields.io/badge/Python-3.9%2B-3776AB?style=for-the-badge&logo=python&logoColor=white)](https://python.org) [![License](https://img.shields.io/badge/License-MIT-green?style=for-the-badge)](LICENSE) [![Security](https://img.shields.io/badge/AppSec-Tool-critical?style=for-the-badge&logo=owasp&logoColor=white)](https://owasp.org)

**A professional, zero-dependency core CLI security scanner designed for modern DevSecOps. It audits websites for HTTP security headers, CORS compliance, security.txt configuration, SSL/TLS certificate validity, active protocol and cipher-suite vulnerabilities, CSP bypass risks, redirect downgrades, cookie safety, and technology information leakage. Supports beautiful dark-mode HTML, JSON, SARIF, and Markdown reports with concurrent bulk scanning and thread-safe caching.**

---

### 🖥️ Dashboard & Report Preview

#### 🌐 Interactive HTML Dashboard Report

![Premium Dark-Neon HTML Dashboard](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/4d16b30f3f050542.png)

#### 💻 Rich CLI Terminal Interface

*Screenshots: Rich CLI Terminal Output, Part 1 and Part 2*

---

[Key Features](#-key-features) • [Compare](#-how-webarmor-audit-compares) • [Installation](#-installation) • [Usage Recipes](#-usage-recipes) • [Advanced Audits](#-advanced-audits--checks) • [Configuration Profiles](#-configuration-profiles-toml) • [CI/CD & DevSecOps](#-cicd-integration--devsecops) • [Output Formats](#-output-formats) • [Project Structure](#-project-structure)
---

## 🎯 Key Features

| Feature | Capabilities |
| :--- | :--- |
| **🔍 Security Header Audit** | Inspects 6 critical headers (`CSP`, `HSTS`, `X-Frame-Options`, `X-Content-Type-Options`, `Referrer-Policy`, `Permissions-Policy`) with a smart grading system (A+ → F). |
| **🔒 CORS Compliance** | Scans for origin misconfigurations, wildcard bindings with credentials, insecure protocols, and origin reflections. |
| **🛡️ CSP Bypass Evaluator** | Parses complex Content Security Policies, checking for wildcards, insecure CDNs (like `unpkg.com` or `cdnjs.cloudflare.com`), lack of standard fallback directives (`default-src`, `object-src`), and unsafe evaluators (`unsafe-inline`, `unsafe-eval`). |
| **📂 security.txt Validation** | Validates RFC 9116 compliance for `.well-known/security.txt`, checking expiration timestamps, mandatory fields, contacts, and signature verification. |
| **🌐 Protocol Auditing** | Identifies advanced server capabilities through socket-level ALPN verification for **HTTP/2** and response header parsing for **HTTP/3 (Alt-Svc)**. |
| **🔒 SSL/TLS Active Scan** | Inspects certificate metadata and actively probes for supported protocol versions (TLS 1.0 - 1.3, SSLv3) and legacy weak ciphers (RC4, 3DES, NULL/anonymous, EXPORT) that expose the server to BEAST/SWEET32 attacks. |
| **💥 Smart Path Fuzzer** | Active concurrent fuzzing of 20+ high-value paths (e.g. `.env`, `.git/HEAD`, backups) with body keyword verification to avoid false positives. |
| **🎯 CWE / OWASP Mapping** | Maps all discovered vulnerabilities and recommendations to CWE IDs and OWASP Top 10 classifications. |
| **🛡️ WAF Fingerprinting** | Fingerprints Web Application Firewalls (Cloudflare, AWS WAF, Akamai, Imperva, etc.) via cookie and header signatures. |
| **🔗 Redirect Chain Tracker** | Traces multi-hop redirects, alerts on security protocol downgrades (HTTPS to HTTP), and detects credential leaks in the referral path. |
| **🍪 Cookie & Leakage Scan** | Inspects cookies for `Secure`, `HttpOnly`, and `SameSite` flags. Detects framework/webserver information leaks (e.g. `Server`, `X-Powered-By`, `X-AspNet-Version`). |
| **⚡ Thread-Safe Caching** | Locally caches audit reports in `.webarmor_cache.json` with a custom TTL. Fully thread-safe using locking primitives for parallel execution. |
| **🚀 Concurrent Bulk Scan** | Scans multiple target URLs concurrently using a Python `ThreadPoolExecutor` and generates a consolidated interactive HTML dashboard. |
| **🎨 Multi-Format Reports** | Exports to console-friendly **Markdown**, programmatic **JSON**, premium interactive **Dark-Neon HTML**, and **SARIF** (fully compatible with GitHub Security Alerts). |
| **⚙️ Config Profiles** | Customize grade thresholds and grading weights, or track custom proprietary headers via simple **TOML** configurations. |
| **🤖 CI/CD Fail-Safe** | Returns non-zero exit codes using `--fail-under` or `--fail-score` to break CI pipelines when targets fall short of compliance thresholds. |

---

## ⚖️ How WebArmor-Audit Compares

| Feature / Capability | WebArmor-Audit | Mozilla Observatory | OWASP ZAP | Nikto |
| :--- | :---: | :---: | :---: | :---: |
| **Zero-Dependency (Pure Python)** | ✅ **Yes** | ❌ No | ❌ No (Java) | ❌ No (Perl) |
| **Active SSL/TLS Cipher Probing** | ✅ **Yes** | ❌ No (Passive Only) | ⚠️ Partial | ⚠️ Limited |
| **Smart Fuzzer (No False 404s)** | ✅ **Yes** | ❌ No | ⚠️ Generic | ⚠️ High Noise |
| **Automated WAF Fingerprinting** | ✅ **Yes** | ❌ No | ❌ No | ⚠️ Limited |
| **SARIF Native Export (CI/CD)** | ✅ **Yes** | ❌ No | ✅ Yes | ❌ No |
| **Execution Speed** | ⚡ **Ultra Fast** | ⚠️ Network Dependent | 🐢 Heavy/Slow | 🐢 Very Slow |
| **Premium Dark-Neon HTML UI** | ✅ **Yes** | ✅ Yes (Web Only) | ❌ No | ❌ No |

---

## 📋 Security Checks Overview

### 1. HTTP Security Headers

* **Content-Security-Policy (CSP):** Mitigates XSS, frame injection, and clickjacking. Evaluates directive strength.
* **Strict-Transport-Security (HSTS):** Enforces HTTPS; validates `max-age` and `includeSubDomains`.
* **X-Frame-Options (XFO):** Prevents clickjacking by restricting frame embedding (`DENY` or `SAMEORIGIN`).
* **X-Content-Type-Options (XCTO):** Blocks MIME-type sniffing by enforcing `nosniff`.
* **Referrer-Policy:** Controls information leakage in cross-origin HTTP requests.
* **Permissions-Policy:** Limits the hardware APIs and features accessible in the browser context.

### 2. CORS (Cross-Origin Resource Sharing)

* Verifies that `Access-Control-Allow-Origin` is configured safely.
* Alerts on dangerous configurations such as wildcard origins combined with `Access-Control-Allow-Credentials: true`.
* Detects insecure HTTP protocols in allowed origins.

### 3. security.txt (RFC 9116)

* Checks for file availability under `.well-known/security.txt`.
* Parses required fields: `Contact`, `Expires`, `Preferred-Languages`.
* Validates the expiration timestamp to warn on outdated configurations.

### 4. SSL/TLS Active Scanner & Certificate Analysis

* Extracts the SSL issuer name, valid-from, valid-to, and remaining lifespan.
* **Active Protocol Probing:** Discovers supported and rejected protocol versions (TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3, SSLv3).
* **Weak Cipher Scan:** Detects whether the server accepts dangerous/legacy cipher suites (RC4, 3DES, NULL/anonymous, EXPORT).
* Generates security alerts if the certificate is invalid or expiring, or if the server supports legacy SSL/TLS versions or weak ciphers.

### 5. Smart Path Fuzzer (Sensitive File Scanning)

* **Concurrent Probing:** Evaluates exposure of 20+ sensitive target directories and configuration backups in parallel.
* **Keyword Response Matching:** Checks downloaded file buffers for specific markers (e.g. `DB_PASSWORD`, `ref:`, …)

> **This tool is provided for educational and authorized security assessment purposes only.**
>
> WebArmor-Audit is designed to help developers, security engineers, and system administrators evaluate the security posture of web applications they own or have explicit authorization to test.
>
> * Do **NOT** run this tool against third-party endpoints without prior written authorization.
> * The author assumes **no liability** for misuse, data leaks, or damage caused by execution of this code.

---
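As an added example (not WebArmor-Audit's own code), the script below grades a captured header set the way Section 1 describes and adds the CSP weakness and cookie/leak checks from the feature table. The weights, the one-year HSTS threshold, the grade cut-offs and both sample responses are constructed assumptions, not values taken from the tool.

```python
"""Added example, not WebArmor-Audit's own code: grade a captured HTTP response
header set (Section 1), with CSP weakness and cookie/leak checks. Weights, the
one-year HSTS threshold, grade cut-offs and both samples are constructed."""
import re

# Constructed sample responses (header names lower-cased as a client would store them).
SAMPLE_GOOD = {
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
    "content-security-policy": "default-src 'self'; object-src 'none'; script-src 'self'",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=()",
    "set-cookie": "session=abc; Secure; HttpOnly; SameSite=Lax",
}
SAMPLE_WEAK = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "default-src *; script-src 'unsafe-inline' 'unsafe-eval' https://unpkg.com",
    "x-frame-options": "ALLOWALL",
    "server": "Apache/2.4.41 (Ubuntu)",
    "x-powered-by": "PHP/7.4",
    "set-cookie": "session=abc",
}

# Assumed scoring model: full weight for a strong value, half for a weak one, zero if absent.
WEIGHTS = {"csp": 25, "hsts": 25, "xfo": 15, "xcto": 15, "referrer": 10, "permissions": 10}
GRADES = [(95, "A+"), (85, "A"), (75, "B"), (60, "C"), (45, "D"), (0, "F")]
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
PUBLIC_CDNS = ("unpkg.com", "cdnjs.cloudflare.com")  # the CDNs the README names
LEAK_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split 'dir src src; dir src' into {directive: [sources]}."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_findings(value: str) -> list[str]:
    """Wildcards, unsafe keywords, public CDNs and missing fallback directives."""
    d = parse_csp(value)
    out = []
    if "default-src" not in d:
        out.append("CSP has no default-src fallback")
    if "object-src" not in d:
        out.append("CSP has no object-src directive")
    for name, sources in d.items():
        for src in sources:
            low = src.lower()
            if low in ("*", "'unsafe-inline'", "'unsafe-eval'") or low.startswith("data:"):
                out.append(f"{name} allows {src}")
            elif any(cdn in low for cdn in PUBLIC_CDNS):
                out.append(f"{name} trusts public CDN {src}")
    return out


def hsts_ok(value: str) -> bool:
    """Strong when max-age is at least one year (assumed) and includeSubDomains is set."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= 31536000 and "includesubdomains" in value.lower()


# scoring key -> (header name, predicate that says whether the value is strong)
CHECKS = {
    "csp": ("content-security-policy", lambda v: not csp_findings(v)),
    "hsts": ("strict-transport-security", hsts_ok),
    "xfo": ("x-frame-options", lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN")),
    "xcto": ("x-content-type-options", lambda v: v.strip().lower() == "nosniff"),
    "referrer": ("referrer-policy", lambda v: v.strip().lower() in SAFE_REFERRER),
    "permissions": ("permissions-policy", lambda v: bool(v.strip())),
}


def audit(headers: dict) -> dict:
    """Return {'score', 'grade', 'findings'} for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    score, findings = 0.0, []
    for key, (name, strong) in CHECKS.items():
        value = h.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif strong(value):
            score += WEIGHTS[key]
        else:
            score += WEIGHTS[key] / 2
            findings.append(f"weak {name}: {value}")
    if "content-security-policy" in h:
        findings.extend(csp_findings(h["content-security-policy"]))
    cookies = h.get("set-cookie", [])
    for cookie in [cookies] if isinstance(cookies, str) else cookies:  # clients may give a list
        for flag in ("Secure", "HttpOnly", "SameSite"):
            if flag.lower() not in cookie.lower():
                findings.append(f"cookie '{cookie.split('=')[0]}' lacks {flag}")
    for leak in LEAK_HEADERS:
        if leak in h:
            findings.append(f"information leak via {leak}: {h[leak]}")
    grade = next(g for threshold, g in GRADES if score >= threshold)
    return {"score": score, "grade": grade, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        result = audit(sample)
        print(f"{label}: {result['grade']} ({result['score']})")
        for finding in result["findings"]:
            print("  -", finding)
```

A real client returns `Set-Cookie` as a list when several cookies are set, which is why `audit` accepts either a string or a list for that header; the half-credit rule for a present-but-weak header is what makes the weak sample land on an F rather than a D.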
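A second added example (again not the project's code) covers Sections 2 and 3 together: an RFC 9116 `security.txt` parser with the required-field, contact-URI and `Expires` checks, and a classifier for the CORS response headers the tool flags (wildcard with credentials, origin reflection, plain-`http://` origins). The file bodies, header sets, the fixed clock and the probe origin `https://other.example` are constructed for the example.

```python
"""Added example, not WebArmor-Audit's own code: RFC 9116 security.txt checks
(Section 3) and CORS response classification (Section 2). All inputs below,
the fixed clock and the probe origin are constructed."""
from __future__ import annotations

from datetime import datetime, timezone

# Constructed sample security.txt bodies.
SECURITY_TXT_OK = """\
# Constructed: a well-formed file
Contact: mailto:security@example.com
Expires: 2030-06-01T00:00:00Z
Preferred-Languages: en, de
"""
SECURITY_TXT_STALE = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
"""
# Fixed "now" so the checks are reproducible; pass None to use the real clock.
NOW_FIXED = datetime(2030, 1, 1, tzinfo=timezone.utc)

REQUIRED_FIELDS = ("contact", "expires")          # mandatory per RFC 9116
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")  # Contact must be a URI


def parse_security_txt(body: str) -> dict[str, list[str]]:
    """Field names are case-insensitive and may repeat, so values are lists."""
    fields: dict[str, list[str]] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(body: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(body)
    problems = []
    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for contact in fields.get("contact", []):
        if not contact.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"contact is not a URI: {contact}")
    if "expires" in fields:
        # RFC 9116 uses ISO 8601 with a Z suffix; make it parseable on Python 3.9.
        expires = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
        if expires <= now:
            problems.append("security.txt has expired")
        elif (expires - now).days > 365:
            problems.append("Expires is more than a year out (RFC 9116 recommends under a year)")
    return problems


PROBE_ORIGIN = "https://other.example"  # constructed cross-site Origin sent with the request
CORS_SAMPLES = {
    "safe": {"Access-Control-Allow-Origin": "https://app.example.com"},
    "wildcard_creds": {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true"},
    "reflected": {"Access-Control-Allow-Origin": PROBE_ORIGIN, "Access-Control-Allow-Credentials": "true"},
    "plain_http": {"Access-Control-Allow-Origin": "http://app.example.com"},
}


def check_cors(headers: dict[str, str], probe_origin: str) -> list[str]:
    """Classify the CORS response to a request that carried Origin: probe_origin."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao is None:
        return findings  # no CORS policy: the browser's same-origin rules apply
    if acao == "*" and creds:
        findings.append("wildcard origin combined with Allow-Credentials: true")
    elif acao == "*":
        findings.append("wildcard origin: any site may read this response")
    if acao == probe_origin:
        findings.append("origin reflected" + (" with credentials" if creds else ""))
    if acao.lower().startswith("http://"):
        findings.append(f"insecure http:// origin allowed: {acao}")
    return findings


if __name__ == "__main__":
    print("security.txt ok:", check_security_txt(SECURITY_TXT_OK, NOW_FIXED))
    print("security.txt stale:", check_security_txt(SECURITY_TXT_STALE, NOW_FIXED))
    for label, sample in CORS_SAMPLES.items():
        print(f"cors {label}:", check_cors(sample, PROBE_ORIGIN))
```

The `Expires` window check follows RFC 9116's recommendation that the value be less than a year in the future, which is why a file with a very distant expiry is reported alongside an expired one; the CORS classifier only sees a reflection when the allowed origin equals the origin the scanner itself sent, so it needs that probe origin as input rather than inferring it.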
**Built with ❤️ for the AppSec & DevSecOps community**

🛡️ *Protecting the web, one header at a time.* 🛡️
Tags: DevSecOps, HTTP security headers, SSL/TLS vulnerabilities, upstream proxy, sensitive file detection, document structure analysis, no false positives, log auditing, server monitoring, network security, privacy protection, zero dependency