truestack 0.2.0

Security-aware technology fingerprinting — detects what is really running, not what the version string claims
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73

> Part of the [Santh](https://santh.dev) security research ecosystem.

# truestack — Security-aware technology fingerprinting

[![CI](https://github.com/santhsecurity/truestack/actions/workflows/ci.yml/badge.svg)](https://github.com/santhsecurity/truestack/actions/workflows/ci.yml) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) [![Crates.io](https://img.shields.io/crates/v/truestack)](https://crates.io/crates/truestack)

Security-aware technology fingerprinting for web servers.

Unlike traditional fingerprinting tools that report what the version string claims, `truestack` is designed to determine the **true** security posture of a target — including detection of backported patches, behavioural differential probing, and CVE correlation.

## Features

- **TOML-driven rule engine** — signal-based detection from HTTP headers, response bodies, and cookies. Rules are easily extensible.
- **Standalone CLI** — Run fingerprinting directly from the command line.
- **Security header auditing** — checks for HSTS, CSP, X-Frame-Options, and more. Includes deep CSP bypass analysis.
- **Favicon hashing** — Shodan-compatible MurmurHash3 for cross-service pivot (`http.favicon.hash:{value}`).
- **Zero-config core** — fingerprinting runs on raw data `&[(K, V)]` and `&str` without requiring a specific HTTP client. Optional `fetch` feature provides async fetching helpers.

## CLI Usage

Install the `truestack` binary:

```bash
cargo install --path .
```

Scan a URL:

```bash
truestack https://example.com --favicon --format json
```

Load custom rules:

```bash
truestack https://example.com --rules-dir ./my-rules/
```

## Library Usage

```rust
use truestack::fingerprints;
use truestack::security_headers;

fn main() {
    // 1. Detect technologies from headers and body
    let headers = vec![
        ("Server".to_string(), "nginx/1.21.0".to_string()),
        ("X-Powered-By".to_string(), "Express".to_string()),
    ];
    let body = "<html><body>__NEXT_DATA__</body></html>";
    
    let techs = fingerprints::detect(&headers, body);
    for tech in techs {
        println!("Found: {} (version: {:?})", tech.name, tech.version);
    }
    
    // 2. Audit security headers
    let findings = security_headers::audit(&headers);
    for finding in findings {
        println!("Security Finding [{}]: {}", finding.severity.as_str(), finding.title);
        println!("  {}", finding.detail);
    }
}
```

### Optional Features

- **`fetch`**: Enables `truestack::favicon::fetch_hash` which uses `reqwest` to download a favicon and compute its Shodan hash.

## License

MIT