or3stis / apparatus
A graphical security analysis tool for IoT networks
Home Page: https://or3stis.github.io/apparatus/
License: MIT License
Current security suggestions are hardcoded in the app. They can only be changed when the app updates.
Security suggestions should be moved to a plug-in system, where the user can dynamically edit them.
See title
The logic for the settings file runs after the browser window is created. In certain cases, when the application is installed on a new machine, it cannot detect the file before creating the window. The main issue is that the tool cannot detect the default settings file, which is used to restore the settings to their original configuration.
The color theme in the setting window does not mirror the color theme of the main window.
ASTo doesn't prompt the user for a save (while there are unsaved changes) on:
- [ ] app quit
Please provide the AppImage for download on https://github.com/Or3stis/apparatus/releases, thanks.
The app shows the same window reload notifications in dev and in normal mode.
Dev should not have any notifications.
When a function creates a notification bubble, it is shown in the notification area. When the bubble has no content, it is rendered as a small empty bubble.
The correct functionality would be to not render empty bubbles at all.
The JavaScript event listener is added to the button after a graph is loaded. That only happens when a user selects a graph to load or starts a new graph. If the user cancels the action, the logic that adds the event listener to the button is not run.
When pressing the `No` option during the phase transition function, all the bubbles in the message area are cleared.
Only the transition bubble should be removed when pressing `No`.
There is no indication on the UI that no vulnerabilities are found based on the current keywords.
We should include a bubble saying `no vulnerabilities were found` or something similar.
On certain loaded graphs, when adding a new node you get an error in the console: `node ID already exists`.
The user needs to add several nodes in order to reach the correct numbering.
Possible solution: Find the ID of the last node and use that as the starting point. If there are no nodes (empty graph), start on ID 1.
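The proposed fix, as an added example rather than ASTo's own code: derive the next ID from the highest numeric ID already present in the loaded graph, and start at 1 for an empty graph. The node shape `{ id: "<number>", ... }` and the `graph.nodes` array are assumptions for illustration.

```javascript
// Added example (not ASTo's own code): compute the next node ID from the
// nodes already in a loaded graph instead of from a counter that starts at 0.
// Node objects are assumed to look like { id: "<number>", ... }.

function nextNodeId(nodes) {
  let maxId = 0;
  for (const node of nodes) {
    const id = Number.parseInt(String(node.id), 10);
    // Ignore IDs that are not plain integers rather than letting NaN win.
    if (Number.isInteger(id) && id > maxId) {
      maxId = id;
    }
  }
  // Empty graph (or only non-numeric IDs): start at 1, as the issue suggests.
  return maxId + 1;
}

// Add a node with a fresh ID; the duplicate check mirrors the console error
// the issue describes, but with this ID scheme it should never trigger.
function addNode(graph, attributes) {
  const id = String(nextNodeId(graph.nodes));
  if (graph.nodes.some((n) => String(n.id) === id)) {
    throw new Error(`node ID ${id} already exists`);
  }
  const node = { id, ...attributes };
  graph.nodes.push(node);
  return node;
}

// Constructed sample graph whose IDs are not contiguous (1, 4, 2).
const sampleGraph = { nodes: [{ id: "1" }, { id: "4" }, { id: "2" }] };
```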
In Electron 5.0.0, node integration will be disabled by default.
The settings windows need to be set with `{nodeIntegration: true}` in the `webPreferences`.
Hello folks,
After installing the program on Kali 2.0 (kernel 4.9.0), see the error below:
```
root@kali:~/Programs/apparatus# npm start
[email protected] start /root/Programs/apparatus
electron main.js
sh: 1: electron: not found
npm ERR! [email protected] start: electron main.js
npm ERR! Exit status 127
npm ERR!
npm ERR! Failed at the [email protected] start script.
npm ERR! This is most likely a problem with the apparatus package,
npm ERR! not with npm itself.
npm ERR! Tell the author that this fails on your system:
npm ERR! electron main.js
npm ERR! You can get their info via:
npm ERR! npm owner ls apparatus
npm ERR! There is likely additional logging output above.
npm ERR! System Linux 4.9.0-kali4-amd64
npm ERR! command "/usr/bin/nodejs" "/usr/bin/npm" "start"
npm ERR! cwd /root/Programs/apparatus
npm ERR! node -v v4.8.3
npm ERR! npm -v 1.4.21
npm ERR! code ELIFECYCLE
npm WARN This failure might be due to the use of legacy binary "node"
npm WARN For further explanations, please read
/usr/share/doc/nodejs/README.Debian
npm ERR!
npm ERR! Additional logging details can be found in:
npm ERR! /root/Programs/apparatus/npm-debug.log
npm ERR! not ok code 0
root@kali:~/Programs/apparatus# node --version
v4.8.3
```
Any idea to fix the problem?
Thanks in advance
Need to check whether a metamodel window is open before creating a new one. Otherwise, a new window is created each time `metamodel` is typed.
If a metamodel window exists, focus that window instead.
Check whether the correct metamodel is shown. If the user has opened the design phase metamodel and then navigated to the implementation phase, ASTo should display the correct one.
When a user generates a model from a pcapng file, ASTo pairs the application's ports with their running services. For example, if an application is running on port 443, ASTo will display `HTTP (encrypted)` alongside the port number.
ASTo uses the `app/src/imp/commonPorts.js` module to compare the port numbers of the generated model with the `commonPorts` object.
The `commonPorts.js` module isn't as extensive as it could be, and there are a lot of common ports missing from the list.
Certain services require a tag besides the service name. Encrypted services, such as SSH and HTTPS, have the `encrypted` tag.
The current tags are `encrypted`, `p2p`, `malicious`, `chat`, `gaming` and `streaming`, but additional ones can be used.
This is a very easy issue for first-time contributors and may lead to further enhancement of the pcapng import feature.
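The port-to-service pairing described above, as an added example that is not ASTo's `commonPorts.js`: a small table of ports with service names and tags, a lookup that renders the label shown next to a port (443 becomes `HTTP (encrypted)`), and an unknown-port fallback. The table entries, object shape and function names are assumptions for illustration.

```javascript
// Added example (not ASTo's own commonPorts.js): map port numbers to a
// service name plus tags, and render the "NAME (tag1, tag2)" label that a
// generated model shows beside each port. Entries are illustrative.

const commonPorts = {
  22:   { name: "SSH",        tags: ["encrypted"] },
  25:   { name: "SMTP",       tags: [] },
  53:   { name: "DNS",        tags: [] },
  80:   { name: "HTTP",       tags: [] },
  443:  { name: "HTTP",       tags: ["encrypted"] },
  1883: { name: "MQTT",       tags: [] },
  6881: { name: "BitTorrent", tags: ["p2p"] },
  8883: { name: "MQTT",       tags: ["encrypted"] },
};

// Return the label for a known port, or null when the port is not in the
// table so the caller can decide how to show an unrecognised port.
function serviceLabel(port) {
  const entry = commonPorts[Number(port)];
  if (!entry) {
    return null;
  }
  return entry.tags.length > 0
    ? `${entry.name} (${entry.tags.join(", ")})`
    : entry.name;
}

// Annotate every port of one generated-model node in place and return it.
// Unknown ports are kept (they are still worth seeing) but labelled "unknown".
function annotatePorts(node) {
  node.services = node.ports.map((port) => ({
    port,
    service: serviceLabel(port) || "unknown",
  }));
  return node;
}

// Constructed sample node, shaped as a pcapng import might produce it.
const sampleNode = { id: "1", ports: [22, 443, 1883, 31337] };
```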
Explicitly state that ASTo does not use analytics of any kind or sends any type of telemetry information.
For the vulnerability identification, the application uses a third-party API endpoint. That API endpoint can be configured by the user in the app's settings window to point to any vulnerability database (it can even be hosted locally).
The current codebase is written in JavaScript with a minimum set of dependencies.
The compelling benefit of TypeScript and webpack, in the case of ASTo, is better development tooling (especially the autocompletion offered by the typings files). This will allow other developers to improve the functionality of the tool or develop their own.
The transition of the current codebase will be made on a different fork. The fork will be merged into the main branch after all the code has been converted to TypeScript.
The vulnerability identification function doesn't empty the keyword list when a user clicks it. Instead, it concatenates the previous keywords with the present keywords and repeats the search.
If a console command is the same word as a node attribute inside the model, the command will be executed but the node will not be highlighted. For example, if a node attribute is `validate`, when I type `validate` in the console, ASTo will validate the model instead of highlighting the node.
So far there are very few console keywords and the chances of clashing with the model values are slim. But that might change in the future.
A simple solution could be to prefix console commands with something like `:`, similar to vim. That will make it easier to add command autocompletion and command shortcuts, such as allowing a user to quickly type `:v` instead of `:validate`.
The console commands are in `app/src/keybinding.js`. The logic is the `commands()` function in the middle of the module. The various `case`s in the `switch` statement specify the allowed commands.
This is an excellent first issue for anyone looking to contribute.
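The `:` prefix idea above, as an added example that is not ASTo's `keybinding.js`: input starting with `:` is resolved against the command list (with `:v` expanding to `validate` when the prefix is unambiguous), and anything else is treated as a node-attribute search, so the clash between the `validate` command and a `validate` attribute disappears. The command list, shortcut rule and node shape are assumptions for illustration.

```javascript
// Added example (not ASTo's own code): a console dispatcher that separates
// ":"-prefixed commands from attribute searches. Command names other than
// "validate" and "metamodel" are made up for the example.

const COMMANDS = ["validate", "metamodel", "save", "search"];

// Resolve ":v"-style shortcuts: return the single command that starts with
// the typed prefix, or null when the prefix is unknown or ambiguous
// (":s" matches both "save" and "search", so it is rejected).
function resolveCommand(prefix) {
  const matches = COMMANDS.filter((c) => c.startsWith(prefix));
  return matches.length === 1 ? matches[0] : null;
}

// Classify one line of console input. Returns what the UI should do;
// it does not execute anything itself.
function parseConsoleInput(line) {
  const text = line.trim();
  if (text.startsWith(":")) {
    const typed = text.slice(1).toLowerCase();
    const command = resolveCommand(typed);
    return command
      ? { action: "command", command }
      : { action: "error", message: `unknown or ambiguous command :${typed}` };
  }
  // No prefix: treat the word as a node attribute value to highlight.
  return { action: "highlight", keyword: text };
}

// IDs of nodes that have an attribute value equal to the keyword (case-insensitive).
function findNodesByAttribute(nodes, keyword) {
  const wanted = keyword.toLowerCase();
  return nodes
    .filter((n) => Object.values(n).some((v) => String(v).toLowerCase() === wanted))
    .map((n) => n.id);
}

// Constructed sample model with an attribute value that clashes with a command.
const sampleNodes = [
  { id: "1", label: "sensor", role: "validate" },
  { id: "2", label: "gateway", role: "forward" },
];
```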
Currently ASTo sends the requests to the vulnerability database without asking for confirmation.
That request is over HTTPS and sends the keywords to an external database by default. Some users may not be comfortable with that behavior.
It is best to add a confirmation button that could be disabled by an option.
Typing `:metamodel` on the console opens a window with the metamodel of the current phase. If that window is minimized, typing `:metamodel` again doesn't restore the already open window.