gitex2026/aasd/docs/CHANGELOG.md
administrator 4f533c6c8f feat: complete AASD booth application rewrite
- Replace email input with domain input (no data collection)
- Interactive subdomain selection flow with live progress
- IP fast-path (skip discovery for IP addresses)
- HTTPS/TLS-based subdomain probing (5000-name SecLists wordlist)
- Wildcard DNS detection with TLS cert validation filter
- Rename reports: visitor_{token}.html and consultant_{token}.html
- Remove domain-scan dependency (ineffective without API keys)
- Fix race condition in discovery vs scan phase
- Rearrange repo structure: AttackSurface/ -> aasd/src/
- Add live probe progress counter in frontend
- Admin dashboard shows consultant report only when file exists
2026-04-28 12:45:45 +00:00

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[2026-04.1] - 2026-04-28

Added

  • Domain input replaces email input — no more data-collection appearance, direct domain entry
  • Interactive subdomain selection — discovery pauses to show a list of probed subdomains, visitor picks one to scan
  • IP fast-path — when an IP address is entered, subdomain discovery is skipped entirely and GoTestWAF scans directly
  • DNS probe with wildcard detection — detects wildcard DNS (*.domain.com) and relies on TLS validation to filter real services from catch-all noise
  • TLS certificate validation as the definitive subdomain filter — Go's HTTPS client validates cert + hostname, distinguishing real services from wildcard defaults
  • Wordlist-based subdomain probing — loads 5000 common names from SecLists (/opt/aasd/subdomains.txt), replaces hardcoded 40-name list
  • Live probe progress — frontend shows "Checking 142/5000 subdomains…" with animated pulse during discovery
  • Report naming — visitor_{token}.html for user-facing reports, consultant_{token}.html for GoTestWAF output
  • Admin dashboard enhanced — consultant report link only shown when file exists on disk; shows "No WAF report (target unreachable)" when GoTestWAF didn't produce output
  • Race condition guard — discoverSubdomains now uses a mutex-guarded status check to prevent overwriting the scanning status back to awaiting_selection
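The wildcard-DNS and TLS-filter entries above describe the new probe in one sentence each; the following Go program is an added example of that logic and is not the project's own code. It assumes the combination the changelog implies (a name must resolve, and when the zone is a wildcard it must also pass Go's default certificate and hostname verification), and it swaps the real resolver and HTTPS client for constructed fakes (WildcardLookup, StrictLookup, OnlyRealServices, all hypothetical) so it runs offline; NetLookup and HTTPSCheck show the production wiring.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"net/http"
	"sort"
	"time"
)

// Lookup resolves a hostname to addresses. Production wraps net.DefaultResolver;
// the constructed fakes below stand in for it so the example runs offline.
type Lookup func(ctx context.Context, host string) ([]string, error)

// TLSCheck reports whether an HTTPS request to host completes with Go's default
// certificate chain and hostname verification.
type TLSCheck func(ctx context.Context, host string) bool

// NetLookup is the production resolver.
func NetLookup(ctx context.Context, host string) ([]string, error) {
	return net.DefaultResolver.LookupHost(ctx, host)
}

// HTTPSCheck is the production filter. http.Client verifies the chain and the
// hostname by default, so a catch-all vhost serving a default or mismatched
// certificate fails here, while a real service passes.
func HTTPSCheck(ctx context.Context, host string) bool {
	req, err := http.NewRequestWithContext(ctx, http.MethodHead, "https://"+host+"/", nil)
	if err != nil {
		return false
	}
	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		return false // includes x509 verification failures
	}
	resp.Body.Close()
	return true
}

// DetectWildcard resolves a random label that cannot exist in the zone. An
// answer means a wildcard record, so every probe will "hit". A not-found
// answer means no wildcard; any other error is returned so a resolver outage
// is not mistaken for a clean zone.
func DetectWildcard(ctx context.Context, lookup Lookup, domain string) (bool, error) {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		return false, err
	}
	_, err := lookup(ctx, "wc-"+hex.EncodeToString(b)+"."+domain)
	if err == nil {
		return true, nil
	}
	var dnsErr *net.DNSError
	if errors.As(err, &dnsErr) && dnsErr.IsNotFound {
		return false, nil
	}
	return false, err
}

// ProbeSubdomains walks the wordlist. A name must resolve to count at all; in
// a wildcard zone it must additionally pass TLS verification. onProgress feeds
// the live "Checking n/total" counter.
func ProbeSubdomains(ctx context.Context, lookup Lookup, check TLSCheck, domain string,
	words []string, onProgress func(done, total int)) ([]string, error) {
	wildcard, err := DetectWildcard(ctx, lookup, domain)
	if err != nil {
		return nil, err
	}
	found := []string{}
	for i, w := range words {
		host := w + "." + domain
		if addrs, err := lookup(ctx, host); err == nil && len(addrs) > 0 {
			if !wildcard || check(ctx, host) {
				found = append(found, host)
			}
		}
		if onProgress != nil {
			onProgress(i+1, len(words))
		}
	}
	sort.Strings(found)
	return found, nil
}

// Constructed fakes: a wildcard zone where every name resolves to one address,
// and a strict zone where only two names exist.
func WildcardLookup(_ context.Context, _ string) ([]string, error) {
	return []string{"192.0.2.10"}, nil
}

func StrictLookup(_ context.Context, host string) ([]string, error) {
	if host == "www.example.com" || host == "dev.example.com" {
		return []string{"192.0.2.20"}, nil
	}
	return nil, &net.DNSError{Err: "no such host", Name: host, IsNotFound: true}
}

// OnlyRealServices is a constructed TLS check: only www and api present a
// certificate that actually matches their name.
func OnlyRealServices(_ context.Context, host string) bool {
	return host == "www.example.com" || host == "api.example.com"
}

func main() {
	words := []string{"www", "mail", "api", "dev"}
	progress := func(done, total int) { fmt.Printf("Checking %d/%d subdomains\n", done, total) }
	found, _ := ProbeSubdomains(context.Background(), WildcardLookup, OnlyRealServices, "example.com", words, progress)
	fmt.Println("wildcard zone, TLS-filtered:", found) // [api.example.com www.example.com]
	found, _ = ProbeSubdomains(context.Background(), StrictLookup, OnlyRealServices, "example.com", words, nil)
	fmt.Println("strict zone:", found) // [dev.example.com www.example.com]
}
```

In the wildcard zone all four names resolve, so only the TLS check separates api and www from the catch-all noise; in the strict zone the resolver already answers not-found for mail and api, and dev is kept even though it would fail the TLS check, because no wildcard was detected.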

Changed

  • Pipeline restructured — discovery phase now pauses (status awaiting_selection) for user to pick a target, then scan phase runs
  • Removed domain-scan binary (43MB) — was ineffective without API keys, always timed out at 15s; replaced by direct HTTPS/TLS wordlist probe
  • ProbeSubdomains now accepts projectRoot for wordlist path and onProgress callback for live progress
  • GoTestWAF report naming — changed from report_{token}_{domain}.html to consultant_{token}.html
  • QR code URL corrected to point to visitor_{token}.html instead of report_{token}.html
  • Config — base_url set to https://aasd.sechpoint.app, admin password set to Git3x2o26
  • Directory structure reorganized — AttackSurface/ flattened to aasd/src/; removed stale dist/ and reports/ from source
  • Frontend — step sequencer simplified to 3 steps (Domain Discovery, WAF Scan, AI Report); added subdomain selection panel
  • Frontend status — adds animate-pulse CSS class to status dot during discovery
  • Admin dashboard — back-end now checks HasConsultantReport by testing file existence, template conditionally shows link or "no report" text

Fixed

  • Crash on IP submission — GenerateFallbackHTML panicked on an empty subdomains slice; now sets Subdomains to [IP] for the IP fast-path
  • Race condition — discoverSubdomains goroutine could overwrite the scanning status set by SelectAndScan; now guarded by a mutex check
  • Consultant report 404 — admin dashboard no longer shows broken link when GoTestWAF didn't produce output
  • GoTestWAF report naming mismatch — GoTestWAF output file name now matches QR code and dashboard links
  • Early selection rejected with proper error — SelectAndScan returns 400 Bad Request with an explanation instead of 500 Internal Error
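The race-condition guard and the early-selection fix are both about one rule: the status check and the status write must happen under the same lock. The Go program below is an added example of that compare-and-set, not the project's code. Store, Scan, transition, FinishDiscovery and HTTPStatus are hypothetical names; it also assumes (as an addition) that SelectAndScan only accepts a target that discovery actually produced, so a hand-crafted request cannot point the scan elsewhere.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"sync"
)

// Status values of one booth scan, in pipeline order.
type Status string

const (
	StatusDiscovering       Status = "discovering"
	StatusAwaitingSelection Status = "awaiting_selection"
	StatusScanning          Status = "scanning"
)

var (
	// ErrNotReady: discovery has not paused yet, or a scan has already started.
	ErrNotReady = errors.New("no subdomain selection possible in the current state")
	// ErrInvalidTarget: the pick is not one of the discovered names (assumption).
	ErrInvalidTarget = errors.New("selected target was not discovered for this token")
	ErrUnknownToken  = errors.New("unknown scan token")
)

type Scan struct {
	Status     Status
	Subdomains []string
	Target     string
}

// Store keeps scans keyed by token behind one mutex.
type Store struct {
	mu    sync.Mutex
	scans map[string]*Scan
}

func NewStore() *Store { return &Store{scans: make(map[string]*Scan)} }

func (s *Store) Start(token string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.scans[token] = &Scan{Status: StatusDiscovering}
}

func (s *Store) Status(token string) Status {
	s.mu.Lock()
	defer s.mu.Unlock()
	if sc, ok := s.scans[token]; ok {
		return sc.Status
	}
	return ""
}

// transition is the guarded compare-and-set. The status check and the write
// happen under the same lock, so a late discovery goroutine that finds the
// scan already "scanning" cannot move it back to "awaiting_selection".
func (s *Store) transition(token string, from, to Status, apply func(*Scan) error) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	sc, ok := s.scans[token]
	if !ok {
		return ErrUnknownToken
	}
	if sc.Status != from {
		return ErrNotReady
	}
	if apply != nil {
		if err := apply(sc); err != nil {
			return err
		}
	}
	sc.Status = to
	return nil
}

// FinishDiscovery is what the discovery goroutine calls when probing ends.
func (s *Store) FinishDiscovery(token string, subs []string) error {
	return s.transition(token, StatusDiscovering, StatusAwaitingSelection, func(sc *Scan) error {
		sc.Subdomains = subs
		return nil
	})
}

// SelectAndScan is the handler behind the visitor's pick.
func (s *Store) SelectAndScan(token, target string) error {
	return s.transition(token, StatusAwaitingSelection, StatusScanning, func(sc *Scan) error {
		for _, sub := range sc.Subdomains {
			if sub == target {
				sc.Target = target
				return nil
			}
		}
		return ErrInvalidTarget
	})
}

// HTTPStatus maps store errors to response codes: client mistakes are 400
// (unknown token 404), anything unexpected stays 500.
func HTTPStatus(err error) int {
	switch {
	case err == nil:
		return http.StatusOK
	case errors.Is(err, ErrUnknownToken):
		return http.StatusNotFound
	case errors.Is(err, ErrNotReady), errors.Is(err, ErrInvalidTarget):
		return http.StatusBadRequest
	default:
		return http.StatusInternalServerError
	}
}

func main() {
	s := NewStore()
	s.Start("tok1")
	fmt.Println(HTTPStatus(s.SelectAndScan("tok1", "www.example.com"))) // 400: selected too early
	_ = s.FinishDiscovery("tok1", []string{"www.example.com", "api.example.com"})
	fmt.Println(HTTPStatus(s.SelectAndScan("tok1", "www.example.com"))) // 200
	// A late discovery write now fails instead of clobbering "scanning".
	fmt.Println(s.FinishDiscovery("tok1", nil), s.Status("tok1")) // no subdomain selection ... scanning
}
```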

Removed

  • Email capture — entire email validation, extraction, and storage removed; domain is now the primary input
  • domain-scan binary — removed from /opt/aasd/ (43MB) and from build pipeline
  • discover.go — entire file removed (dead code after domain-scan removal)
  • FindMostCriticalSubdomain — heuristic scoring function removed (all subdomains now presented to user)
  • CriticalDomain field — removed from ScanResult struct
  • Old report naming — {token}.html -> visitor_{token}.html, report_{token}.html -> consultant_{token}.html
  • AttackSurface/ directory — reorganized into aasd/src/

[0.3.0] - 2026-04-22

Added

  • Comprehensive email validation with regex pattern
  • Domain security validation (path traversal prevention, length limits)
  • Graceful shutdown with OS signal handling (SIGINT, SIGTERM)
  • Context propagation for GoTestWAF scan cancellation
  • Reports static file serving endpoint (/reports/*)
  • Go 1.25.0 compiler support
  • Scan status polling endpoint (/scan-status/:domain) for real-time updates
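The "domain security validation (path traversal prevention, length limits)" entry is the input gate for everything that follows, since the domain ends up in report file names, /reports/* URLs and the GoTestWAF command line. The Go program below is an added example of such a gate, not the project's validator, and it also covers the later IP fast-path by classifying the input first. ClassifyTarget, Target and the error values are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// TargetKind tells the pipeline which path to take: IP addresses skip
// subdomain discovery entirely, domains go through the wordlist probe.
type TargetKind int

const (
	KindIP TargetKind = iota
	KindDomain
)

type Target struct {
	Kind  TargetKind
	Value string // normalized: lowercase, no surrounding whitespace
}

var (
	ErrEmpty    = errors.New("target is empty")
	ErrTooLong  = errors.New("domain exceeds 253 characters")
	ErrBadChars = errors.New("domain contains characters outside [a-z0-9.-]")
	ErrBadLabel = errors.New("domain label is empty, longer than 63 characters, or starts/ends with '-'")
	ErrNoTLD    = errors.New("domain must have at least two labels")
)

// labelRe accepts one DNS label: alphanumerics with internal hyphens, 1-63 chars.
var labelRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// ClassifyTarget validates visitor input before it is used in file names,
// report URLs and command lines. Anything that is not a bare IP or a bare
// hostname (paths, "..", schemes, ports, spaces) is rejected.
func ClassifyTarget(input string) (Target, error) {
	v := strings.ToLower(strings.TrimSpace(input))
	if v == "" {
		return Target{}, ErrEmpty
	}
	// IP fast-path: a literal address needs no discovery.
	if ip := net.ParseIP(v); ip != nil {
		return Target{Kind: KindIP, Value: ip.String()}, nil
	}
	if len(v) > 253 {
		return Target{}, ErrTooLong
	}
	// A single allow-list pass rules out "/", "\", ":", "%", whitespace and
	// NUL, so traversal sequences and URL fragments cannot get through.
	for _, r := range v {
		if !(r >= 'a' && r <= 'z' || r >= '0' && r <= '9' || r == '.' || r == '-') {
			return Target{}, ErrBadChars
		}
	}
	labels := strings.Split(v, ".")
	if len(labels) < 2 {
		return Target{}, ErrNoTLD
	}
	for _, l := range labels {
		if !labelRe.MatchString(l) { // catches "a..b" (empty label) and 64+ char labels
			return Target{}, ErrBadLabel
		}
	}
	return Target{Kind: KindDomain, Value: v}, nil
}

func main() {
	// Constructed sample inputs, including the shapes the validator must refuse.
	for _, in := range []string{"203.0.113.7", "Example.COM", "../../etc/passwd", "example.com/reports", "a..example.com", "localhost"} {
		t, err := ClassifyTarget(in)
		fmt.Printf("%-22q -> kind=%d value=%q err=%v\n", in, t.Kind, t.Value, err)
	}
}
```

Rejecting by allow-list rather than by searching for ".." is the important design choice: the validator does not need to know every encoding a path separator can take, because only the characters a hostname can contain are ever accepted.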

Changed

  • GoTestWAF command flags updated for compatibility:
    • Removed invalid --testCase "all" flag
    • Added --reportFormat html flag for HTML report generation
    • Fixed report file naming consistency
  • Improved error handling throughout application
  • Enhanced code quality with Go idiomatic patterns
  • Updated main.go with proper context management

Fixed

  • Critical: GoTestWAF integration bugs causing scan failures
  • Critical: Missing --reportFormat flag preventing HTML report generation
  • Critical: Report file mismatch between stored results and generated files
  • Security: Weak email validation allowing malformed input
  • Security: Path traversal vulnerability in domain handling
  • Code Quality: Monolithic function structure violating 50-line limit
  • Concurrency: Potential race conditions in map access
  • Resource Leaks: Goroutines not properly cancelled on shutdown
  • Missing Feature: Reports not served via web endpoint

Removed

  • Invalid GoTestWAF flag --testCase "all" (not supported in current version)

[0.2.0] - 2026-04-21

Added

  • Gin web framework dependency installed
  • POST /start endpoint with email domain extraction and validation
  • Static file serving (/static, /, /simulation)
  • In-memory storage for scan results with thread-safe mutex
  • Basic HTML frontend: capture page (index.html) with QR placeholder
  • Simulation page (simulation.html) with JavaScript step sequencer
  • Consultant dashboard (/admindashboard) with results table
  • GoTestWAF binary integration (background execution with flags)
  • Reports directory auto-creation
  • Server listens on 0.0.0.0:8080 for booth WiFi access

Changed

  • Project structure refined: AttackSurface/{bin,src,docs}
  • Git repository initialized with main branch
  • Go 1.24.4 installed via official binary

[0.1.0] - 2026-04-21

Added

  • Project initialization based on PROJECT_PLAN.md
  • Basic directory structure for Go web application
  • GoTestWAF binary integration (planned)