gitex2026/AttackSurface/README.md
2026-04-24 20:11:23 +00:00


AASD — API Attack Surface Discovery

Interactive booth application for GITEX 2026. Visitors enter a corporate email, and AASD runs a full attack surface discovery pipeline:

Email → Domain Discovery → GoTestWAF Scan → AI Resilience Report

Architecture

Visitor Email
     │
     ▼
┌─────────────────┐
│  /start (POST)  │  Email validation + domain extraction
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│  domain-scan    │  Passive subdomain enumeration (15s timeout)
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│  GoTestWAF      │  WAF penetration test against Wallarm endpoint (120s)
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│  DeepSeek AI    │  Generate resilience narrative from scan results
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│  HTML Report    │  Static report served at /reports/<token>.html
└─────────────────┘
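The first stage above, "email validation + domain extraction", is where a booth app like this decides what its scanners will be pointed at. The snippet below is an added illustration, not AASD's own /start handler: it assumes a hypothetical helper `scanTarget` that parses the visitor's address and only hands back a plain public hostname, refusing IP literals, single-label names and reserved TLDs so a crafted input cannot steer the domain-scan or GoTestWAF stages at an internal target.

```go
package main

import (
	"errors"
	"net"
	"net/mail"
	"strings"
)

var (
	ErrInvalidEmail      = errors.New("invalid email address")
	ErrUnscannableDomain = errors.New("domain is not a public hostname")
)

// scanTarget (hypothetical helper) returns the lower-cased domain of a
// visitor-supplied email, or an error when the address is malformed or the
// domain is not a plain, routable host.tld name.
func scanTarget(email string) (string, error) {
	addr, err := mail.ParseAddress(strings.TrimSpace(email))
	if err != nil || addr.Name != "" { // reject junk and display-name forms
		return "", ErrInvalidEmail
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return "", ErrInvalidEmail
	}
	domain := strings.ToLower(addr.Address[at+1:])
	if net.ParseIP(domain) != nil { // bare IP literal, e.g. user@10.0.0.1
		return "", ErrUnscannableDomain
	}
	labels := strings.Split(domain, ".")
	if len(labels) < 2 { // single-label names such as "localhost"
		return "", ErrUnscannableDomain
	}
	for _, l := range labels { // letters-digits-hyphen rules per label
		if l == "" || len(l) > 63 || strings.HasPrefix(l, "-") || strings.HasSuffix(l, "-") {
			return "", ErrUnscannableDomain
		}
		for _, r := range l {
			if !(r >= 'a' && r <= 'z' || r >= '0' && r <= '9' || r == '-') {
				return "", ErrUnscannableDomain
			}
		}
	}
	switch labels[len(labels)-1] { // reserved or non-routable TLDs
	case "local", "localhost", "internal", "test", "example", "invalid":
		return "", ErrUnscannableDomain
	}
	return domain, nil
}
```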

Tech Stack

| Component | Technology |
| --- | --- |
| Backend | Go 1.25 — Gin web framework |
| Frontend | HTML, JavaScript, Tailwind CSS (CDN) |
| WAF Scanner | GoTestWAF |
| Domain Discovery | domain-scan |
| AI Narrative | DeepSeek API |
| Email | SMTP (OpenXchange) |

Quick Start (Development)

# Option 1: Deploy via install script
cd AttackSurface
sudo bash install.sh

# Option 2: Run from dist/ directly
cd AttackSurface/dist
./aasd

# Option 3: Build from source
cd AttackSurface/src
go build -o ../dist/aasd ./cmd/aasd/
cd ../dist
./aasd

Endpoints

| Path | Description | Auth |
| --- | --- | --- |
| / | Frontend landing page (email entry) | Public |
| /start (POST) | Submit email, trigger scan pipeline | Public |
| /analysing | Scan progress visualization | Public |
| /simulation | Legacy alias for /analysing | Public |
| /scan-status/:token | Poll scan status (JSON) | Public |
| /qrcode?text=... | QR code generator | Public |
| /admin-dashboard | Consultant dashboard | Basic Auth |
| /email-report (POST) | Send report via email | Public |
| /reports/* | Generated static reports | Public |
| /report-data/:token | Raw scan result JSON | Public |
| /api/scans | Scan summaries (JSON) | Public |

Configuration

Edit dist/config.yaml (or /opt/aasd/config.yaml after install) with your values:

ai:
  api_key: "sk-..."           # DeepSeek API key for AI narratives
server:
  base_url: "https://..."     # Public URL for QR codes & email links
admin:
  password: "..."             # Admin dashboard password

Alternatively, set these via environment variables:

  • AASD_BASE_URL — public-facing URL
  • AASD_AI_API_KEY — DeepSeek API key
  • AASD_ADMIN_PASSWORD — admin dashboard password
  • SMTP_HOST, SMTP_PORT, SMTP_USERNAME, SMTP_PASSWORD, SMTP_FROM — SMTP config

Deployment (Production)

See install.sh for automated deployment. The script:

  1. Creates an app system user if it doesn't exist
  2. Downloads the pre-built release archive from GitHub
  3. Extracts to /opt/aasd
  4. Creates a systemd service (aasd.service) for auto-start on boot
  5. Prompts for required configuration values

Systemd Service Management

sudo systemctl start   aasd       # Start the server
sudo systemctl stop    aasd       # Stop the server
sudo systemctl restart aasd       # Restart
sudo systemctl status  aasd       # Check status
sudo journalctl -u aasd -f        # Follow logs

Version

2026-04.1 — See CHANGELOG.md for full history.

Project Structure

AttackSurface/
├── dist/               # Deployment directory (self-contained)
│   ├── aasd            # Compiled Go binary
│   ├── config.yaml     # Application configuration
│   ├── prompt.txt      # DeepSeek AI system prompt
│   ├── gotestwaf       # GoTestWAF binary
│   ├── domain-scan     # Domain discovery tool
│   ├── testcases/      # GoTestWAF test cases
│   ├── static/         # Frontend HTML/JS
│   ├── templates/      # Go HTML templates
│   ├── reports/        # Generated scan reports
│   └── logs/           # Server logs
├── src/                # Go source code
│   ├── cmd/aasd/       # Main entry point
│   ├── internal/       # Core packages (scanner, ai, mailer, report)
│   ├── static/         # Frontend source files
│   ├── templates/      # Template source files
│   └── gotestwaf/      # Vendored GoTestWAF
├── docs/               # Documentation
│   ├── CHANGELOG.md
│   └── DEVELOPMENT_STATUS.md
├── install.sh          # Automated deployment script
├── VERSION
└── README.md           # This file

License

Proprietary — For internal event use at GITEX 2026.