or3stis / apparatus

A graphical security analysis tool for IoT networks

Home Page: https://or3stis.github.io/apparatus/

License: MIT License

CSS 5.09% HTML 2.80% JavaScript 92.11%
apparatus asto cytoscape iot security-analysis security-iot

apparatus's Issues

Develop a plug-in system for security suggestions

Current security suggestions are hardcoded in the app. They can only be changed when the app updates.

Security suggestions should be moved to a plug-in system, where the user can dynamically edit them.

Issues with the settings file when the application is installed on new machines

The logic for the settings file runs after the browser window is created. In certain cases, when the application is installed on a new machine, it cannot detect the file before creating the window. The main issue is that the tool cannot detect the default settings file that is used to restore the settings to their original configuration.

Do not display empty notification bubbles

When a function creates a notification bubble, it is shown in the notification area. When the bubble has no content, it is rendered as a small empty bubble.

The correct functionality would be to not render empty bubbles at all.

The `home` button does not work when a user clicks cancel when loading a graph

The javascript event listener is added to the button after a graph is loaded. That only happens when a user selects a graph to load or starts a new graph. If the user cancels the action, the logic that adds the event listener to the button is not run.

  1. Move the logic for the home button to a separate module that runs once the button UI is rendered.
  2. Detect the cancel event and then highlight the home button, to show the user that they need to revert to the home screen.

Error run apparatus

Hello folks,

After installing the program on Kali 2.0, kernel 4.9.0, see the error below:

```
root@kali:~/Programs/apparatus# npm start

[email protected] start /root/Programs/apparatus
electron main.js

sh: 1: electron: not found

npm ERR! [email protected] start: electron main.js
npm ERR! Exit status 127
npm ERR!
npm ERR! Failed at the [email protected] start script.
npm ERR! This is most likely a problem with the apparatus package,
npm ERR! not with npm itself.
npm ERR! Tell the author that this fails on your system:
npm ERR! electron main.js
npm ERR! You can get their info via:
npm ERR! npm owner ls apparatus
npm ERR! There is likely additional logging output above.
npm ERR! System Linux 4.9.0-kali4-amd64
npm ERR! command "/usr/bin/nodejs" "/usr/bin/npm" "start"
npm ERR! cwd /root/Programs/apparatus
npm ERR! node -v v4.8.3
npm ERR! npm -v 1.4.21
npm ERR! code ELIFECYCLE
npm WARN This failure might be due to the use of legacy binary "node"
npm WARN For further explanations, please read
/usr/share/doc/nodejs/README.Debian

npm ERR!
npm ERR! Additional logging details can be found in:
npm ERR! /root/Programs/apparatus/npm-debug.log
npm ERR! not ok code 0

root@kali:~/Programs/apparatus# node --version
v4.8.3
```

Any idea how to fix the problem?

Thanks in advance

check whether a metamodel window is open before creating a new one

Need to check whether a metamodel window is open before creating a new one. Otherwise, a new window is created when the metamodel is typed.

If a metamodel window exists, enable focus on that window.

Check whether the correct metamodel is shown. If the user has opened the design phase metamodel and then navigated to the implementation phase, ASTo should display the correct one.

enhancing the identification of common ports when importing pcapng files

When a user generates a model from a pcapng file, ASTo pairs the application's ports with their running services. For example, if an application is running on port 443, ASTo will display `HTTP (encrypted)` along with the port number.

ASTo uses the app/src/imp/commonPorts.js to compare the port numbers of the generated model with the commonPorts object.

The commonPorts.js module isn't as extensive as it could be, and there are a lot of common ports missing from the list.

Certain services require a tag, besides the service name. Encrypted services, such as SSH and HTTPS, have the encrypted tag.

The current tags are encrypted, p2p, malicious, chat, gaming, streaming, but additional ones can be used.

This is a very easy issue for first time contributors and may lead to further enhancement of the pcapng import feature.

Add privacy disclaimer to the Readme

Explicitly state that ASTo does not use analytics of any kind or send any type of telemetry information.

For the vulnerability identification, the application uses a third-party API endpoint. That API point can be configured by the user, in the app's settings window, to point to any vulnerability database (it can even be hosted locally).

Convert application to typescript and bundle with webpack

The current codebase is written in javascript with a minimum set of dependencies.

The compelling benefit of typescript and webpack, in the case of ASTo, is better development tooling (especially the autocompletion offered from the typings files). This will allow other developers to improve the functionality of the tool or develop their own.

The transition of the current codebase will be made on a different fork. The fork will be merged into the main branch after all the code has been converted to typescript.

console commands may clash with node attributes in the model

If a console command is the same word as a node attribute inside the model, the command will be executed but the node will not be highlighted. For example, if a node attribute is validate, when I type validate in the console, ASTo will validate the model instead of highlighting the node.

So far there are very few console keywords and the chances of clashing with the model values are slim. But that might change in the future.

A simple solution could be to prefix console commands with something like :, similar to vim. That will make it easier to add command autocompletion and command shortcuts, such as allowing a user to quickly type :v instead of :validate.

The console commands are in the app/src/keybinding.js. The logic is in the commands() function in the middle of the module. The various cases in the switch statement specify the allowed commands.

This is an excellent first issue for anyone looking to contribute 😄
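An added sketch of the `:` prefix idea from the issue above, not code from ASTo or from the issue author: prefixed input is resolved as a command (with unique-prefix shortcuts such as `:v`), everything else is treated as a node-attribute search. The function name and the command list are hypothetical; only `validate` is named in the issue.

```javascript
// Hypothetical command table; only `validate` appears in the issue text.
const COMMANDS = ['validate', 'clear', 'close', 'help'];

// Classify one line of console input.
// ':name' runs a command; anything else is a search term for node attributes,
// so a node attribute called "validate" can no longer trigger the command.
function parseConsoleInput(input, commands = COMMANDS) {
  const text = input.trim();
  if (text === '') return { type: 'empty' };
  if (!text.startsWith(':')) return { type: 'search', term: text };

  const [name, ...args] = text.slice(1).split(/\s+/);
  if (name === '') return { type: 'error', reason: 'missing command name' };

  // An exact match wins, so a full command name is never ambiguous.
  if (commands.includes(name)) return { type: 'command', name, args };

  // Otherwise accept a shortcut only when it identifies exactly one command.
  const matches = commands.filter((c) => c.startsWith(name));
  if (matches.length === 1) return { type: 'command', name: matches[0], args };
  if (matches.length === 0) {
    return { type: 'error', reason: `unknown command: ${name}` };
  }
  return { type: 'error', reason: `ambiguous command: ${name}`, candidates: matches };
}

console.log(parseConsoleInput('validate'));   // search for the node attribute
console.log(parseConsoleInput(':v'));         // shortcut for the validate command
console.log(parseConsoleInput(':cl'));        // rejected: clear or close?
```

Rejecting ambiguous shortcuts instead of picking the first match keeps a short prefix from silently running a different command once new commands are added.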

Ask for confirmation before sending the request to the vulnerability database

Currently ASTo sends the requests to the vulnerability database without asking for confirmation.

That request is over HTTPS and sends the keywords to an external database by default. Some users may not be comfortable with that behavior.

It is best to add a confirmation button that could be disabled by an option.
