customer-engineering/gitex2026
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
gitex2026/aasd/docs/CHANGELOG.md
administrator 4f533c6c8f feat: complete AASD booth application rewrite 
- Replace email input with domain input (no data collection)
- Interactive subdomain selection flow with live progress
- IP fast-path (skip discovery for IP addresses)
- HTTPS/TLS-based subdomain probing (5000-name SecLists wordlist)
- Wildcard DNS detection with TLS cert validation filter
- Rename reports: visitor_{token}.html and consultant_{token}.html
- Remove domain-scan dependency (ineffective without API keys)
- Fix race condition in discovery vs scan phase
- Rearrange repo structure: AttackSurface/ -> aasd/src/
- Add live probe progress counter in frontend
- Admin dashboard shows consultant report only when file exists
2026-04-28 12:45:45 +00:00

108 lines
6.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [2026-04.1] - 2026-04-28
### Added
- **Domain input replaces email input** — no more data-collection appearance, direct domain entry
- **Interactive subdomain selection** — discovery pauses to show a list of probed subdomains, visitor picks one to scan
- **IP fast-path** — when an IP address is entered, subdomain discovery is skipped entirely and GoTestWAF scans directly
- **DNS probe with wildcard detection** — detects wildcard DNS (`*.domain.com`) and relies on TLS validation to filter real services from catch-all noise
- **TLS certificate validation** as the definitive subdomain filter — Go's HTTPS client validates cert + hostname, distinguishing real services from wildcard defaults
- **Wordlist-based subdomain probing** — loads 5000 common names from SecLists (`/opt/aasd/subdomains.txt`), replaces hardcoded 40-name list
- **Live probe progress** — frontend shows "Checking 142/5000 subdomains…" with animated pulse during discovery
- **Report naming** — `visitor_{token}.html` for user-facing reports, `consultant_{token}.html` for GoTestWAF output
- **Admin dashboard enhanced** — consultant report link only shown when file exists on disk; shows "No WAF report (target unreachable)" when GoTestWAF didn't produce output
- **Race condition guard** — `discoverSubdomains` now uses mutex-guarded status check to prevent overwriting `scanning` status back to `awaiting_selection`
### Changed
- **Pipeline restructured** — discovery phase now pauses (status `awaiting_selection`) for user to pick a target, then scan phase runs
- **Removed domain-scan binary** (43MB) — was ineffective without API keys, always timed out at 15s; replaced by direct HTTPS/TLS wordlist probe
- **ProbeSubdomains** now accepts `projectRoot` for wordlist path and `onProgress` callback for live progress
- **GoTestWAF report naming** — changed from `report_{token}_{domain}.html` to `consultant_{token}.html`
- **QR code URL** corrected to point to `visitor_{token}.html` instead of `report_{token}.html`
- **Config** — `base_url` set to `https://aasd.sechpoint.app`, admin password set to `Git3x2o26`
- **Directory structure reorganized** — `AttackSurface/` flattened to `aasd/src/`; removed stale `dist/` and `reports/` from source
- **Frontend** — step sequencer simplified to 3 steps (Domain Discovery, WAF Scan, AI Report); added subdomain selection panel
- **Frontend status** — adds `animate-pulse` CSS class to status dot during discovery
- **Admin dashboard** — back-end now checks `HasConsultantReport` by testing file existence, template conditionally shows link or "no report" text
### Fixed
- **Crash on IP submission** — `GenerateFallbackHTML` panicked on empty subdomains slice; now sets `Subdomains` to `[IP]` for IP fast-path
- **Race condition** — `discoverSubdomains` goroutine could overwrite `scanning` status set by `SelectAndScan`; now guarded by mutex check
- **Consultant report 404** — admin dashboard no longer shows broken link when GoTestWAF didn't produce output
- **GoTestWAF report naming mismatch** — GoTestWAF output file name now matches QR code and dashboard links
- **Early selection rejected with proper error** — `SelectAndScan` returns 400 Bad Request with explanation instead of 500 Internal Error
### Removed
- **Email capture** — entire email validation, extraction, and storage removed; domain is now the primary input
- **domain-scan binary** — removed from `/opt/aasd/` (43MB) and from build pipeline
- **`discover.go`** — entire file removed (dead code after domain-scan removal)
- **`FindMostCriticalSubdomain`** — heuristic scoring function removed (all subdomains now presented to user)
- **`CriticalDomain`** field — removed from `ScanResult` struct
- **Old report naming** — `{token}.html``visitor_{token}.html`, `report_{token}.html``consultant_{token}.html`
- **AttackSurface/** directory — reorganized into `aasd/src/`
## [0.3.0] - 2026-04-22
### Added
- Comprehensive email validation with regex pattern
- Domain security validation (path traversal prevention, length limits)
- Graceful shutdown with OS signal handling (SIGINT, SIGTERM)
- Context propagation for GoTestWAF scan cancellation
- Reports static file serving endpoint (`/reports/*`)
- Go 1.25.0 compiler support
- Scan status polling endpoint (`/scan-status/:domain`) for real-time updates
### Changed
- GoTestWAF command flags updated for compatibility:
- Removed invalid `--testCase "all"` flag
- Added `--reportFormat html` flag for HTML report generation
- Fixed report file naming consistency
- Improved error handling throughout application
- Enhanced code quality with Go idiomatic patterns
- Updated main.go with proper context management
### Fixed
- **Critical**: GoTestWAF integration bugs causing scan failures
- **Critical**: Missing `--reportFormat` flag preventing HTML report generation
- **Critical**: Report file mismatch between stored results and generated files
- **Security**: Weak email validation allowing malformed input
- **Security**: Path traversal vulnerability in domain handling
- **Code Quality**: Monolithic function structure violating 50-line limit
- **Concurrency**: Potential race conditions in map access
- **Resource Leaks**: Goroutines not properly cancelled on shutdown
- **Missing Feature**: Reports not served via web endpoint
### Removed
- Invalid GoTestWAF flag `--testCase "all"` (not supported in current version)
## [0.2.0] - 2026-04-21
### Added
- Gin web framework dependency installed
- POST `/start` endpoint with email domain extraction and validation
- Static file serving (`/static`, `/`, `/simulation`)
- Inmemory storage for scan results with threadsafe mutex
- Basic HTML frontend: capture page (`index.html`) with QR placeholder
- Simulation page (`simulation.html`) with JavaScript step sequencer
- Consultant dashboard (`/admindashboard`) with results table
- GoTestWAF binary integration (background execution with flags)
- Reports directory autocreation
- Server listens on `0.0.0.0:8080` for booth WiFi access
### Changed
- Project structure refined: `AttackSurface/{bin,src,docs}`
- Git repository initialized with `main` branch
- Go 1.24.4 installed via official binary
## [0.1.0] - 2026-04-21
### Added
- Project initialization based on PROJECT_PLAN.md
- Basic directory structure for Go web application
- GoTestWAF binary integration (planned)
Reference in a new issue View git blame Copy permalink