Active testing only with written authorisation
Open tool · v2.1 · maintained

Surface Audit — eighteen checks across six surfaces, in twenty-five seconds.

A passive web reconnaissance tool we built for our own engagements and now maintain in the open. Drop a domain, get back a signed report assembled from the reference implementations the public security community already trusts. One HTTPS GET to your origin; everything else queried from public services.

Free · email required for delivery · 25-90 sec depending on Wayback / nuclei latency

Checks: 18 · Reference tools: 10 · Median runtime: 25 sec · Origin requests: 1 GET · Cache TTL: 24 h
§00 · Topology

Apex domain, every reachable subdomain, one aggregated report.

Schematic of how the audit fans out. Each subdomain is graded independently — green where posture passes, amber on weak ciphers or missing headers, red where exposure is exploitable, dashed where reachability is unverified. Findings flow into a single signed report with per-host evidence.

[Schematic: Attack surface · what we map. APEX → SUBDOMAINS → AGGREGATED REPORT. Example hosts: www (ok), api.v1 (info), staging (warn), old.cdn (fail), vpn-eu (reachability unverified). Report card: F · 0/100 · TLS 1.0 · no DMARC · 5 subdomains · 0 JS CVEs · signed ✓]
§01 · Coverage

Every line maps to a reference implementation.

You can verify any finding directly against the upstream tool listed beside it. We do not invent scoring layers. If Mozilla says F, we say F. If sslyze flags TLS 1.0, we flag TLS 1.0.

§01·01
HTTP & headers
  • Mozilla Observatory v2 API
    developer.mozilla.org/observatory

    Letter grade A+ → F across HSTS, CSP, X-Frame-Options, Referrer-Policy, X-Content-Type-Options, Cookies, SRI, CORS, Redirection. Same scoring algorithm Mozilla uses on developer.mozilla.org/observatory.

  • hstspreload.org status check
    hstspreload.org/api/v2/status

    Authoritative lookup against the Chrome HSTS preload list maintained by Chromium. The same list shipped in every Chromium-based browser release.

§01·02
TLS posture
  • sslyze + nassl
    github.com/nabla-c0d3/sslyze

    Per-protocol cipher enumeration (TLS 1.0 / 1.1 / 1.2 / 1.3), certificate chain inspection, Heartbleed (CVE-2014-0160), ROBOT (CVE-2017-13099), insecure renegotiation. Mozilla TLS profile compliance check.

  • Native JA4S server fingerprint
    github.com/FoxIO-LLC/ja4

    FoxIO 2024 spec implementation in pure Python — parses raw ServerHello bytes, no scapy, no privileged sockets. Annotates known CDN / hosting fingerprints. Both TLS 1.3 and TLS 1.2 forced handshakes for high-entropy fingerprinting.
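The JA4S fingerprint described above, as an added illustration that is not the Surface Audit code: a minimal pure-Python parser that walks a raw ServerHello record and assembles the JA4S string (transport, negotiated version, extension count, chosen ALPN, chosen cipher, truncated SHA-256 of the extension types in wire order). It follows the FoxIO spec as the author of this example reads it; where this reading and the upstream ja4 reference disagree, the reference wins. The two ServerHello messages it builds are constructed by hand, not captures, and the key-share bytes are dummies.

```python
# Added example (not the tholim surface-audit code): JA4S from raw ServerHello bytes.
import hashlib
import struct

# TLS version code -> two-character JA4S version field (per the FoxIO spec).
TLS_VERSION_CODES = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3"}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello handshake message.

    Returns the negotiated version (supported_versions wins over the legacy
    field), the chosen cipher suite, the extension type codes in wire order,
    and the ALPN protocol the server selected, if any.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 38:
        raise ValueError("truncated ServerHello")

    pos = 0
    (legacy_version,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    pos += 32                      # server random
    pos += 1 + body[pos]           # legacy session id (length-prefixed)
    (cipher,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    pos += 1                       # compression method (always null)

    version, alpn, ext_types = legacy_version, None, []
    if pos < len(body):            # the extensions block is optional
        (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            ext_types.append(ext_type)
            if ext_type == 0x002B and len(data) == 2:      # supported_versions: selected version
                (version,) = struct.unpack("!H", data)
            elif ext_type == 0x0010 and len(data) >= 3:     # ALPN: exactly one selected name
                alpn = data[3:3 + data[2]].decode("ascii", "replace")
    return {"version": version, "cipher": cipher, "extensions": ext_types, "alpn": alpn}


def extension_hash(ext_types: list) -> str:
    """Truncated SHA-256 of the comma-joined extension codes, unsorted (JA4S keeps wire order)."""
    if not ext_types:
        return "000000000000"
    joined = ",".join(f"{t:04x}" for t in ext_types)
    return hashlib.sha256(joined.encode()).hexdigest()[:12]


def ja4s(parsed: dict, transport: str = "t") -> str:
    """Assemble the JA4S string: t<ver><ext count><alpn>_<cipher>_<ext hash>."""
    version = TLS_VERSION_CODES.get(parsed["version"], "00")
    ext_count = f"{min(len(parsed['extensions']), 99):02d}"
    alpn = parsed["alpn"]
    alpn_code = (alpn[0] + alpn[-1]) if alpn else "00"   # first and last char of the ALPN name
    return f"{transport}{version}{ext_count}{alpn_code}_{parsed['cipher']:04x}_{extension_hash(parsed['extensions'])}"


def build_sample_server_hello(tls13: bool = True) -> bytes:
    """Constructed ServerHello (not a capture): TLS 1.3 with ALPN h2, or a bare TLS 1.2 one."""
    if tls13:
        exts = struct.pack("!HH", 0x002B, 2) + b"\x03\x04"                   # supported_versions -> 1.3
        key = b"\x11" * 32                                                     # dummy x25519 share
        exts += struct.pack("!HH", 0x0033, 4 + len(key)) + struct.pack("!HH", 0x001D, len(key)) + key
        exts += struct.pack("!HH", 0x0010, 5) + struct.pack("!H", 3) + b"\x02h2"   # ALPN: h2
        cipher = 0x1301                                                        # TLS_AES_128_GCM_SHA256
    else:
        exts = struct.pack("!HH", 0xFF01, 1) + b"\x00"                         # renegotiation_info
        exts += struct.pack("!HH", 0x000B, 2) + b"\x01\x00"                     # ec_point_formats
        cipher = 0xC02F                                                        # ECDHE-RSA-AES128-GCM-SHA256
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", cipher) + b"\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for flag in (True, False):
        print(ja4s(parse_server_hello(build_sample_server_hello(tls13=flag))))
```

The TLS 1.3 sample yields a fingerprint beginning `t1303h2_1301_`; the TLS 1.2 sample, with no ALPN, begins `t120200_c02f_`. The parser deliberately reads only the ServerHello, which is why no privileged sockets or scapy are needed: a plain TCP connect and one recv of the first record is enough input.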

§01·03
Application surface
  • RetireJS official CLI
    github.com/RetireJS/retire.js

    Every <script src=> on the homepage is fetched and matched against the upstream RetireJS CVE database. Includes 15 popular libraries (Vue, Angular, Ember, etc.) that need a JS runtime to detect — supported through native func-handler implementations.

  • ProjectDiscovery nuclei
    github.com/projectdiscovery/nuclei

    9 000+ community templates: known CVEs, exposures (.env, .git, debug panels), takeover candidates, framework misconfigurations. Configurable severity filter, defaults to critical + high + medium.

§01·04
Reconnaissance
  • subfinder (10+ passive sources)
    github.com/projectdiscovery/subfinder

    Passive subdomain enumeration via free providers — chaos, securitytrails, virustotal, alienvault, hackertarget, threatcrowd, et al. No DNS bruteforce.

  • crt.sh certificate transparency
    crt.sh

    Queries the Sectigo-operated public CT log aggregator. Often the most surprising part of the report — historical certificates reveal subdomains your team forgot existed.

  • Wayback Machine CDX API
    archive.org/help/wayback-cdx

    Historical URL extraction with retry on Internet Archive 503s. Flags interesting paths (/admin, /backup, .env, .git, swagger, graphql, /jenkins, /kibana, /grafana).
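To show what the Wayback step above actually does with CDX output, here is an added example (not the tholim code): it parses lines in the CDX API's default text format, collapses the many snapshots of one path into a single entry with its first-seen timestamp, and flags the path patterns this page lists. The five CDX lines are constructed for the example, not a real archive response, and the retry-on-503 logic is out of scope here.

```python
# Added example (not the tholim surface-audit code): flag interesting paths in Wayback CDX output.
from urllib.parse import urlsplit

# Path fragments the page lists as worth a defender's attention.
FLAGGED = ("/admin", "/backup", ".env", ".git", "swagger", "graphql", "/jenkins", "/kibana", "/grafana")

# Constructed sample in the CDX default format:
#   urlkey timestamp original mimetype statuscode digest length
SAMPLE_CDX = """
com,example)/ 20190101000000 https://example.com/ text/html 200 AAAA 1234
com,example)/.env 20200315120000 https://example.com/.env text/plain 200 BBBB 88
com,example)/admin/login 20210601000000 https://example.com/admin/login text/html 302 CCCC 0
com,example)/admin/login 20220601000000 https://example.com/admin/login text/html 200 DDDD 4096
com,example)/api/graphql 20230101000000 https://example.com/api/graphql application/json 405 EEEE 12
"""


def parse_cdx(text: str) -> list:
    """Turn CDX text lines into dicts; blank or short lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        rows.append({"timestamp": fields[1], "url": fields[2], "status": fields[4]})
    return rows


def flag_paths(rows: list) -> list:
    """Return one entry per distinct flagged path, keeping the earliest snapshot seen."""
    seen_paths = set()
    flagged = []
    for row in rows:
        path = urlsplit(row["url"]).path.lower() or "/"
        if path in seen_paths:
            continue                      # later snapshots of the same path add nothing new
        seen_paths.add(path)
        hits = [pattern for pattern in FLAGGED if pattern in path]
        if hits:
            flagged.append({"path": path, "matches": hits,
                            "first_seen": row["timestamp"], "status": row["status"]})
    return flagged


if __name__ == "__main__":
    rows = parse_cdx(SAMPLE_CDX)
    for entry in flag_paths(rows):
        print(f"{entry['first_seen']}  {entry['status']}  {entry['path']}  <- {', '.join(entry['matches'])}")
```

On the sample this reports three flagged paths out of five archived URLs. The archived status code is kept because a path that answered 200 years ago is a different remediation conversation from one that only ever redirected.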

§01·05
Threat intelligence
  • AlienVault OTX (free)
    otx.alienvault.com

    Pulse memberships and reputation score for the resolved domain. No key required.

  • Shodan InternetDB (free)
    internetdb.shodan.io

    Open ports, CVEs, and CPEs on the resolved IP. No key, no rate limit; the 24-hour cache layer in front of it means repeat runs do not hit the service anyway.

  • VirusTotal · urlscan.io · AbuseIPDB
    virustotal.com · urlscan.io · abuseipdb.com

    Optional API-keyed feeds. Domain reputation, prior public submissions, IP abuse-confidence score. Activated automatically when keys are configured in the environment.

§01·06
Email & domain posture
  • WHOIS RDAP (3-endpoint fallback)
    RFCs 7480-7484

    Domain registration, registrar identity, expiry date, name-server set. Falls back through Verisign, rdap.net, rdap.org until one returns parseable JSON.

  • SPF · DMARC · 70 DKIM selectors
    RFC 7208 · 7489 · 6376

    Email authentication posture. SPF and DMARC record presence and content. 70 common DKIM selector names are looked up. Without DMARC, nothing instructs Gmail or Outlook to reject mail that spoofs your domain.
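The SPF and DMARC evaluation above, as an added example that is not the Surface Audit code: two small parsers and an assessment function that emits the same FAIL/WARN/PASS/INFO lines the sample report uses. The TXT records are passed in as constructed strings so it runs offline; the real tool resolves them over DNS, and the DKIM selector lookups are not covered here.

```python
# Added example (not the tholim surface-audit code): SPF / DMARC posture from TXT record text.

def parse_spf(txt: str):
    """Return the SPF terms and the qualifier on the `all` mechanism, or None if not SPF.

    Qualifiers: '-' fail, '~' softfail, '?' neutral, '+' pass (no protection at all).
    """
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    all_qualifier = None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # RFC 7208: default qualifier is '+'
        mechanism = term.lstrip("+-~?")
        if mechanism.lower() == "all":
            all_qualifier = qualifier
    return {"terms": terms[1:], "all": all_qualifier}


def parse_dmarc(txt: str):
    """Return DMARC tags as a dict, or None if the record is not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)    # split once: rua=mailto:... keeps its own '='
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess(spf_txt, dmarc_txt) -> list:
    """Grade the two records into (level, check, detail) tuples in report order."""
    findings = []

    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append(("FAIL", "SPF record", "missing or malformed"))
    elif spf["all"] in (None, "+", "?"):
        findings.append(("WARN", "SPF record", "all mechanism absent, +all or ?all"))
    else:
        findings.append(("PASS", "SPF record", "configured"))

    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append(("FAIL", "DMARC record", "missing"))
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append(("WARN", "DMARC record", "p=none (monitor only)"))
        elif policy in ("quarantine", "reject"):
            findings.append(("PASS", "DMARC record", f"p={policy}"))
        else:
            findings.append(("FAIL", "DMARC record", "invalid or missing p= tag"))
        if "rua" not in dmarc:
            findings.append(("INFO", "DMARC record", "no rua= aggregate reporting address"))
    return findings


if __name__ == "__main__":
    # Constructed sample records, not looked up from any real domain.
    for level, check, detail in assess("v=spf1 include:_spf.example.net ~all",
                                       "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        print(f"{level:4} {check:13} {detail}")
```

A `~all` softfail is graded PASS here because it still lets DMARC alignment do its work; `+all` and a missing `all` are the cases where SPF adds nothing, which is why they are downgraded to WARN rather than FAIL.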

§02 · Sample output

What the report actually looks like.

Real run against a known-vulnerable test domain. Trimmed to the most informative lines — the full delivered report includes evidence captures, raw tool output, and remediation notes for every red and yellow item.

tholim audit example.com · v2.1 · 22.6 s · cached

FAIL  Mozilla Observatory       F · 0/100
FAIL  TLS deep · sslyze         TLS 1.0 enabled
FAIL  DMARC record              missing
WARN  HSTS preload list         not preloaded
WARN  Cookies posture           SameSite missing
PASS  retire.js · 5 scripts     no CVE
PASS  SPF record                configured
PASS  Mixed content             none
INFO  WHOIS / RDAP              NameCheap, exp 2026-12
INFO  Subdomains · CT           2 hostnames
INFO  Subdomains · subfinder    8 hostnames
INFO  JA4S TLS fingerprint      Cloudflare
INFO  Favicon mmh3              -1907152279
INFO  Shodan InternetDB         12 ports open
INFO  AlienVault OTX            0 pulses
INFO  Wayback historical        147 URLs · 6 flagged

3 critical · 2 warnings · 11 informational
signed · valid 24h · share token deferred
§03 · What it touches, what it does not

Strict separation between passive and active.

The surface scan is passive by construction. It uses public sources to assemble the same picture an attacker would gather from a coffee shop. No exploits, no brute force, and no traffic to your origin beyond one HTTPS GET to fetch the homepage HTML.

What it does — passive
  • One HTTPS GET to your apex domain to fetch the home page HTML and headers
  • Pulls each <script src> URL once for retire.js inspection
  • One TLS handshake to your :443 for sslyze and JA4S analysis
  • DNS lookups via Cloudflare DoH
  • Queries to public services: Mozilla, hstspreload.org, crt.sh, Wayback, OTX, Shodan InternetDB
What it does not do
  • No login or session interaction
  • No exploit payloads, no SQL injection probes, no XSS reflection tests
  • No subdomain bruteforce — only passive sources for enumeration
  • No directory or file fuzzing, no port scanning
  • No active vulnerability scan against your origin (nuclei runs only with explicit verified-owner authorisation)
§04 · Source & license

Public source, defender-aligned licence.

The Surface Audit code is released under a permissive licence. It is built on existing open-source security tools — Mozilla Observatory, sslyze, RetireJS, ProjectDiscovery's nuclei and subfinder — and stitches them into a single uniform output. Patches and issue reports welcome.

Repository
github.com/tholim/surface-audit
v2.1 · MIT-style licence · public release pending

Want the deep version run for your domain?

The verified deep audit adds nuclei templates, subdomain takeover scanning, manual triage, and per-finding remediation notes — free, after ownership is proved.