gitex2026/aasd/docs/STATE_OF_DEVELOPMENT.md
administrator 42e2fb6ef2 feat: port 8000 + GITEX 2026 Nairobi hub page, improved scan messaging
- Change server port from 8080 to 8000
- Redesign index.html as GITEX 2026 Nairobi hub (app launcher)
- Add /aasd route serving AASD-specific landing page
- Add '← GITEX 2026 Hub' links to simulation, admin, and AASD pages
- Show 'Could Not Scan Target' message when GoTestWAF fails
- Increase GoTestWAF timeout from 120s to 300s
- Update install.sh, docs, and gitignore for bin/ as local-only
2026-05-14 11:46:10 +00:00

# State of Development
**Version**: 2026-04.1 | **Last Updated**: 2026-04-28
## Booth Flow
```
Visitor enters: example.com
POST /start → ProbeSubdomains() checks 5000 names via HTTPS/TLS
Live progress: "Checking 142 / 5000 subdomains…"
Discovered subdomains shown — visitor picks one
GoTestWAF scans selected subdomain against Wallarm endpoint
AI generates resilience narrative (or fallback)
Visitor sees report with QR code; consultant accesses full GoTestWAF output
```
## Key Features
| Feature | Status | Details |
|---------|--------|---------|
| **Domain Input** | ✅ Complete | Replaced the e-mail field, so the booth does not appear to collect personal data |
| **Subdomain Discovery** | ✅ Complete | 5000-name SecLists wordlist, HTTPS/TLS probe |
| **Wildcard DNS Detection** | ✅ Complete | Filters catch-all via TLS cert validation |
| **Live Probe Progress** | ✅ Complete | Frontend shows "checked N / total" with pulse |
| **Interactive Selection** | ✅ Complete | User picks which subdomain to scan |
| **IP Fast-Path** | ✅ Complete | Skips discovery, scans IP directly |
| **GoTestWAF Integration** | ✅ Complete | 120s timeout, consultant_{token}.html output |
| **AI Narrative** | ✅ Complete | DeepSeek API (fallback HTML when unavailable) |
| **Admin Dashboard** | ✅ Complete | Basic auth, per-scan consultant report links |
| **Report Serving** | ✅ Complete | visitor_{token}.html + consultant_{token}.html |
| **QR Code** | ✅ Complete | Booth scanning workflow |
| **Graceful Shutdown** | ✅ Complete | SIGINT/SIGTERM handling |
| **Booth Network** | ✅ Complete | Binds to 0.0.0.0:8000 |
## Technical Specifications
| Aspect | Value |
|--------|-------|
| **Language** | Go 1.25.0 |
| **Framework** | Gin web framework |
| **Subdomain Wordlist** | 5000 names (SecLists) |
| **Probe Concurrency** | 10 workers, 3s timeout |
| **Probe Duration** | ~2 minutes for 5000 names |
| **WAF Scanner** | GoTestWAF (120s timeout) |
| **AI Provider** | DeepSeek API (optional, graceful fallback) |
| **Reports** | Static HTML at /opt/aasd/reports/ |
| **Storage** | Scan metadata: in-memory; Reports: files on disk |
| **Deployment** | systemd service at /opt/aasd/ |
| **Credentials** | sechpoint / Git3x2o26 |
## Deployment
```
/opt/aasd/
├── aasd 31M — Compiled binary
├── config.yaml — Server URL, admin creds, AI key
├── prompt.txt — DeepSeek system prompt
├── subdomains.txt — 5000-name wordlist
├── gotestwaf 27M — WAF scanner binary
├── gotestwaf-config.yaml — HTTP headers for scans
├── testcases/ — GoTestWAF attack payloads
├── static/ — Frontend HTML/JS
├── templates/ — Admin dashboard template
├── reports/ — Generated scan reports
└── logs/ — Server logs
```
## API Endpoints
| Endpoint | Method | Description |
|----------|--------|-------------|
| `/` | GET | Landing page (domain input) |
| `/start` | POST | Submit domain, start discovery pipeline |
| `/select-subdomain` | GET | Subdomain selection page |
| `/select-subdomain` | POST | Select target, start GoTestWAF scan |
| `/analysing` | GET | Scan progress page |
| `/scan-status/:token` | GET | Poll scan status (JSON) |
| `/admin-dashboard` | GET | Consultant dashboard (basic auth) |
| `/api/scans` | GET | Scan list (JSON) |
| `/report-data/:token` | GET | Raw scan result (JSON) |
| `/reports/*` | GET | Static report files |
| `/qrcode` | GET | QR code generator |
| `/email-report` | POST | Send report via email |
| `/simulation` | GET | Legacy alias for /analysing |
## Known Limitations
- **Scan results are in-memory** — restarting the service clears all scan metadata (reports on disk survive)
- **GoTestWAF requires HTTPS** — targets without HTTPS will fail to scan (fallback report generated)
- **Probe takes ~2 minutes** for 5000 names at 10 concurrent workers with 3s timeout
- **Wildcard DNS + Zoraxy defaults** — a real subdomain that returns exactly the Zoraxy default page is indistinguishable from the catch-all response and may be filtered out even though it exists (rare edge case)
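The catch-all filtering behind the wildcard-DNS limitation above, as an added example in Go that is not AASD's own code: `ProbeResult`, `ProbeFunc`, the nonce label and the `example.com` hosts are assumptions, and the `CertCN` field stands in for the TLS certificate check the real probe performs. It shows why a live host that serves the identical default page under the wildcard certificate is dropped along with the catch-all.

```go
package main

import "fmt"

// ProbeResult is what one HTTPS/TLS probe yields (assumed shape, not the real AASD type).
type ProbeResult struct {
	Alive  bool   // TLS handshake and HTTP response succeeded
	CertCN string // subject CN of the certificate that was served
	Body   string // response body (hash it in real code)
}

// ProbeFunc abstracts the network so the filter can run offline.
type ProbeFunc func(host string) ProbeResult
// fp is the per-host fingerprint compared against the catch-all baseline.
func fp(r ProbeResult) string { return r.CertCN + "|" + r.Body }
// FilterWildcard probes a label that should not exist. If it answers, the zone has
// a catch-all and every candidate whose fingerprint equals that baseline is dropped,
// including a real host serving the identical default page (the documented edge case).
func FilterWildcard(domain string, candidates []string, probe ProbeFunc) ([]string, bool) {
	base := probe("aasd-wc-7f3a1c." + domain) // constructed nonce label; randomize per run
	baseFP := ""                               // never matches fp() when there is no catch-all
	if base.Alive {
		baseFP = fp(base)
	}
	var kept []string
	for _, h := range candidates {
		if r := probe(h); r.Alive && fp(r) != baseFP {
			kept = append(kept, h)
		}
	}
	return kept, base.Alive
}

// constructedProbe simulates a zone behind a Zoraxy-style catch-all (constructed data).
func constructedProbe(host string) ProbeResult {
	switch host {
	case "mail.example.com":
		return ProbeResult{true, "mail.example.com", "<h1>Webmail</h1>"}
	case "dev.example.com": // real host, but indistinguishable from the catch-all: dropped
		return ProbeResult{true, "*.example.com", "<h1>Zoraxy default</h1>"}
	default:
		return ProbeResult{true, "*.example.com", "<h1>Zoraxy default</h1>"}
	}
}

func main() {
	hosts := []string{"mail.example.com", "dev.example.com", "www.example.com"}
	kept, wildcard := FilterWildcard("example.com", hosts, constructedProbe)
	fmt.Println(wildcard, kept) // true [mail.example.com]
}
```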
## Next Steps
- Production deployment with proper SSL termination via Zoraxy
- DeepSeek API key configuration for AI-powered reports
- Fine-tune wordlist for booth-relevant domains