Skip to content
b3c9923
Compare
Choose a tag to compare

This release includes all changes from the v2.2.2-rc2 with minor bug fixes and adjustments following feedback and testing. The full changelog is here:

https://www.ghostwriter.wiki/change-logs/22-october-2021-v2.2.2

3c56960
Compare
Choose a tag to compare
Pre-release

This is a release candidate (RC) for v2.2.2. Read more here:

https://www.ghostwriter.wiki/change-logs/27-september-2021-v2.2.2-rc2

21a915e
Compare
Choose a tag to compare
Pre-release

This is a release candidate (RC) for v2.2.2. Read more here:

https://www.ghostwriter.wiki/change-logs/15-september-2021-v2.2.2-rc1

69bf304
Compare
Choose a tag to compare

This is a minor release with several small adjustments and a bug fix. See the changelog here: https://ghostwriter.wiki/change-logs/28-may-2021-v2.2.1

ee24eb2
Compare
Choose a tag to compare

This release includes all changes from the v2.2-rc1 with minor bug fixes and adjustments following feedback and testing. The full changelog is here:

https://ghostwriter.wiki/change-logs/10-may-2021-v2.2.0

b7f5ac5
Compare
Choose a tag to compare

Addressed several small issues discovered in the v2.1 release:

  • Fixed server error when trying to create a new project with an assignment or objective
  • Fixed edge case that could cause a new task below an objective to be duplicated
  • Fixed edge case that would flag a project target form as invalid if it had a note and did not also have both an IP address and hostname
  • Fixed toggle arrow working in reverse when a user marks an objective complete while tasks are expanded
  • Made it so objective completion percentage updates when a new task is added or deleted
  • Made it possible to use @ targets for Slack channels instead of only # channels
  • Will now uploaded_by values on report templates on the server-side
b7f5ac5
Compare
Choose a tag to compare

This is a release candidate (RC) for v2.2.0. This code is final unless anyone reports a bug or issue. We have bumped the minor version to 2.2 in recognition of several impactful changes:

https://ghostwriter.wiki/change-logs/13-april-2021-v2.2.0-rc1

4f601b3
Compare
Choose a tag to compare

This is a large release that contains many changes. Going forward, expect to see smaller releases and alpha/beta releases as we try new features.

The release is completely compatible with v2.0 (and earlier). You will need to perform database migrations, and new features require reloading the seed_data file to pre-load some new models–e.g., docker-compose -f local.yml run --rm django /seed_data

List of resolved issues, enhancements, and new features:

  • Implemented project scope tracking
    • Enabled tracking of one or more scope lists flagged as allowed/disallowed or requiring caution
    • Closes #59
  • Implemented project target tracking
    • Enabled tracking of specific hosts with notes
  • Committed redesigned project dashboards
    • Notable changes and adjustments:
      • Added a project calendar to track assignments, objectives, tasks, and project dates
      • Added new objective tracker with task management, prioritization, and sorting
  • Implemented a new server search in the side bar (under Servers) that searches all static servers, cloud servers in projects, and alternate addresses tied to servers
  • Added template linting checks for additional styles that may not be present in a report
  • Fixed downloads of document names that included periods and commas
  • Fixed evidence filenames with all uppercase extensions not appearing in reports
  • Fixed a recursive HTML/JavaScript escape in log entries
  • Fixed incorrect link in the menu for a point of contact under a client
    • Closes $141
    • Closes #142
      • Bug was inadvertently resolved with the new menus
      • Closing PR because it is no longer compatible
  • Fixed docker-compose errors related to latest verison of the crytpography library
  • Fixed possible issue with assigning a name to an AWS asset in the cloud monitor task
  • Closed loophole that could allow a non-unique domain name
    • Could lead to conflicting check-outs
  • Updated TinyMCE WYSIWYG editor and related JavaScript to v5.7.0
    • Resolved potential Cross-Site Scripting vulnerability discovered in previous version
  • Added Clipboard.js to support better, more flexible "click to copy to clipboard" in the UI
  • Added several new Jinja2 expressions, statements, and filters for Word DOCX reports
    • Added project_codename and client_codename (Closes #138)
    • Added expressions and filters for new objectives, targets, and scope lists
    • See wiki documentation
  • Improved page loading with certain large forms
    • WYSIWYG editor is now loaded much more selectively
    • Extra forms are no longer created by default when editing a project or client
      • Extra forms can still be added as needed
      • Extra forms still load automatically when creating a new project or client
  • Improved performance of operation log entry views with pagination
    • Very large logs could push browsers to their limits
  • Implemented initial support for WebSocket channels for reports
    • Groundwork for futurue enhancement – e.g., syncing updates between users editing the same report
  • Numerous minor bug fixes and style updates throughout
  • Fixed notifications going to the global Slack channel when project channels were available
  • Fixed uppercase file extensions blocking evidence files from appearing on pages
  • Fixed rare style exception with specific nested HTML elements
  • Added error handling for cases where an image file has a corrupted file header and can't be recognized for inserting into Word
  • Moved 99% of icons and style elements to the styles.css file
  • Updated styles and forms to make it clear what is placeholder text
  • Reverted the new finding form to a one-page form–i.e., no tabbed sections–to make it easier to use
  • Broke-up stylesheets for easier management of global variables
  • Fixed error in cloud monitor notification messages that caused messages to contain the same external IP addresses for all VPS instances
  • Fixed bug that caused delete actions on cloud server entries to not be committed
  • Fixed ref tags in findings that were ingored if they followed a ref tag with a different target
  • Fixed PowerPoint "Conclusion" slide's title
  • Fixed filtering for report template selection dropdowns that caused both document types to appear in all dropdown menus
  • Added project objectives to the report template variables
    • New template keywords: objectives (List), objectives_total (Int), objectives_complete (Int)
  • Modified project "complete" toggle and instructions for clarity
  • Set all domain names to lowercase and strip any spaces before creating or updating
    • Addressed cases where a user error could create a duplicate entry
  • Clicking prepended text (e.g., filter icon) on filter form fields will now submit the filter
  • Fixed error that could cause Oplog entries to not display
  • Oplog entries list now shows loading messages and properly displays "no entries" messages
  • Fixed incorrect filenames for CSV exports of Oplogs
124a9f7
Compare
Choose a tag to compare

Release Details

Read this post for full details and examples: https://posts.specterops.io/ghostwriter-v2-0-release-638cef16deb7

Also, this release included an overhaul of the documentation. The latest version is live at: https://ghostwriter.wiki/

Highlights

  • Upgraded to Django 3 and updated all dependencies
  • Initial commit of CommandCenter application and related configuration options
    • VirusTotal Configuration
    • Global Report Configuration
    • Slack Configuration
    • Company information
    • Namecheap Configuration
  • Initial support for adding users to groups for Role-Based Access Controls
  • Automated Activity Logging (Oplog application) moved out of beta
  • Implemented initial "overwatch" notifications
    • Domain check-out: alert if domain will expire soon and is not set to auto-renew
    • Domain check-out: alert if domain is marked as burned
    • Domain check-out: alert if domain has been previously used with selected client
  • Updated user interface elements
    • New tabbed dashboards for clients, projects, and domains
    • New inline forms for creating and managing clients and projects and related items
    • New sidebar menu to improve legibility
    • Migrated buttons and background tasks to WebSockets and AJAX for a more seamless experience
  • Initial release of refactored reporting engine
    • New drag-and-drop report management interface
    • Added many more options to the WYSIWYG editor's formatting menus
    • Initial support for rich text objects for Word documents
    • Added new filter_severity filter for Word templates
  • Initial support for report template and management
    • Upload report template files for Word and PowerPoint
    • New template linter to check and verify templates
  • Security updates and fixes
    • Resolved potential stored cross-site scripting in operational logs
    • Resolved unvalidated evidence file uploads and new note creation
      • Associated user account is now set server-side
    • Resolved issues with WebSocket authentication
    • Locked-down evidence uploads to close potential loopholes
      • Evidence form now only allows specific filetypes: md, txt, log, jpg, jpeg, png
      • Requesting an evidence file requires an active user session
  • Removed web scraping from domain health checks
  • Numerous bug fixes and enhancements to address reported issues