GhostManager Ghostwriter Versions

The SpecterOps project management and reporting engine

v4.1.0

1 month ago

Summary

This release includes significant changes to Ghostwriter and several new features.

CHANGELOG

[4.1] - 3 April 2024

Added

  • Added support for creating custom fields for findings, domains, servers, projects, clients, and activity log entries
    • Custom field types include text, integer, float, boolean, and formatted text
    • Custom fields can be added, edited, and deleted via the admin panel
    • Formatted text fields use the WYSIWYG editor for formatting
    • Formatting carries over to report templates like formatted text in findings
    • Custom fields are available in the report template context
    • Learn more: https://ghostwriter.wiki/
  • Added support for using Jinja2 and report context data inside formatted text fields
    • You can reference {{ client.name }} to insert the client's name into a formatted text field
    • You can also use Jinja2 filters and functions to manipulate the data (e.g., {{ client.name|upper }} to make the client's name uppercase)
  • Added the ability to preview formatted text fields in the interface
    • Formatted text fields can be previewed with the new "Preview" button that appears next to them in the interface
    • Any evidence referenced in the formatted text field will also be displayed in the preview (rather than just the reference text)
    • Jinja2 statements and expressions will appear as text in the preview as these must be evaluated in the report template
  • Added support for tables in the WYSIWYG editor (Closes #355)
    • Tables use the Table Grid style in the Microsoft Word templates
    • Thank you for the contribution, @domwhewell!
  • Added support for inserting page breaks in the WYSIWYG editor
    • Page breaks carry over to the Microsoft Word templates
  • Added an option to "sanitize" activity logs as an alternative to deleting them to remove sensitive information
    • Sanitizing an activity log will remove selected data from all log entries in the log
  • Added a new library for "observations"
    • These observations are similar to findings but much simpler
    • The base model includes a title, description, and tags and can be used to track positive observations for a project
    • The model is also highly customizable with support for custom fields (see the first item)
  • Added user permissions to control who can create, edit, and delete observations in the library
  • Added support for footer information (e.g., date, footer text, and slide numbers) in the PowerPoint report templates
    • The footer information is set in your slide deck templates
  • Added a configuration option for the target report delivery date
    • The target date is configured as a number of business days from the project's end date
  • Added a report configuration option to enforce title case for captions
    • If enabled, this option will enforce title case for all evidence captions in a report
    • An accompanying exclusion list allows you to specify words (e.g., articles) that should not be title cased
  • Added a getExtraFieldSpec query to the GraphQL API that returns the extra field specification for a model
    • This query is useful for extensions that need to know the extra fields available for a model
  • Added a note to the WYSIWYG editor to call out that the browser's context menu can be accessed with CTRL+right-click
  • Added a new hostname configuration option to the General Settings in the admin panel
    • This option allows you to set the hostname for the Ghostwriter server
    • The hostname is used to generate links in Slack notifications and other places where a link to the server is needed

Changed

  • The WYSIWYG editor's toolbar and context menu have been updated to support the new table and page break features and make it easier to apply styles
  • Project and report dashboards were redesigned to improve the layout and support the new custom fields
  • Report dashboards now display the global report configuration for easier reference
  • Added tags to the lists of findings, domains, and servers
  • Uploaded evidence files can now be linked to a report rather than a finding
    • This change allows evidence files to be used in multiple findings and in the new custom formatted text fields
  • When viewing an evidence file, the file contents are now displayed in the interface as they will appear in the report
    • This change allows you to preview the evidence file's contents with your border and caption before adding it to a report
    • Border width + color and figure label come from the global report configuration in the admin panel
  • PowerPoint slide decks now include "Assessment Timeline" and "Observations" slides
    • The "Assessment Timeline" slide includes a table pre-populated with the project's start date, end date, and target report delivery date
    • The "Observations" slide(s) are similar to the findings slides but for the new observations
  • Reworked the reporting engine to reduce complexity and pave the way for future enhancements
    • This is mentioned here primarily for developers and integrators who may be working with the reporting engine
  • Clicking the toast notification after adding a finding to a report will now take you to the report's findings tab
  • Default values for extra fields are now set when creating a new entry with empty extra fields
    • Default values now appear in the edit forms for the entries
    • The default value must be set before creating the entry for it to appear in the form or be set as the default value
  • Updated the pre-built Ghostwriter CLI binaries to v0.2.19

Deprecated

  • The old "dot" variables used in findings (e.g., {{.project_start}} or {{.client}}) are no longer necessary and will be removed in a future release
    • The "dot" variables inserted some data previously unavailable while writing a finding inside Ghostwriter
    • The new support for Jinja2 composition inside the WYSIWYG editor makes these old "dot" variables redundant
    • The "dot" variables will still work in this release but are no longer referenced in the documentation
    • This deprecation does not include {{.ref }} or {{.caption }}, which will continue to be used for captioning and creating cross-references

v4.1.0-rc2

2 months ago

Summary

This release includes some enhancements and bug fixes from v4.1.0-rc1.

CHANGELOG

[4.1-rc2] - 15 March 2024

Added

  • Added a getExtraFieldSpec query to the GraphQL API that returns the extra field specification for a model
    • This query is useful for extensions that need to know the extra fields available for a model
  • Added a note to the WYSIWYG editor to call out that the browser's context menu can be accessed with CTRL+right-click
  • Added a new hostname configuration option to the General Settings in the admin panel
    • This option allows you to set the hostname for the Ghostwriter server
    • The hostname is used to generate links in Slack notifications and other places where a link to the server is needed

Changed

  • Default values for extra fields are now set when creating a new entry with empty extra fields
    • Default values now appear in the edit forms for the entries
    • The default value must be set before creating the entry for it to appear in the form or be set as the default value

v4.1.0-rc1

3 months ago

Summary

This is a release candidate for Ghostwriter v4.1.0. This version introduces numerous significant changes to Ghostwriter. Deploying this for production use is not recommended at this time. We are providing this release for testing and feedback. Please read about the changes below and provide feedback to help us make this a great release!

We will update the Ghostwriter Wiki with documentation for these new features soon. We will publish the documentation when we are close to a final release to avoid any confusion. For now, please direct questions to the team in the #ghostwriter channel in our Slack Workspace (linked on the main README).

CHANGELOG

[4.1.0-rc1] - 22 February 2024

Added

  • Added support for creating custom fields for findings, domains, servers, projects, clients, and activity log entries
    • Custom field types include text, integer, float, boolean, and formatted text
    • Custom fields can be added, edited, and deleted via the admin panel
    • Formatted text fields use the WYSIWYG editor for formatting
    • Formatting carries over to report templates like formatted text in findings
    • Custom fields are available in the report template context
  • Added support for using Jinja2 and report context data inside formatted text fields
    • You can reference {{ client.name }} to insert the client's name into a formatted text field
    • You can also use Jinja2 filters and functions to manipulate the data (e.g., {{ client.name|upper }} to make the client's name uppercase)
  • Added the ability to preview formatted text fields in the interface
    • Formatted text fields can be previewed with the new "Preview" button that appears next to them in the interface
    • Any evidence referenced in the formatted text field will also be displayed in the preview (rather than just the reference text)
    • Jinja2 statements and expressions will appear as text in the preview as these must be evaluated in the report template
  • Added support for tables in the WYSIWYG editor (Closes #355)
    • Tables use the Table Grid style in the Microsoft Word templates
    • Thank you for the contribution, @domwhewell!
  • Added support for inserting page breaks in the WYSIWYG editor
    • Page breaks carry over to the Microsoft Word templates
  • Added an option to "sanitize" activity logs as an alternative to deleting them to remove sensitive information
    • Sanitizing an activity log will remove selected data from all log entries in the log
  • Added a new library for "observations"
    • These observations are similar to findings but much simpler
    • The base model includes a title, description, and tags and can be used to track positive observations for a project
    • The model is also highly customizable with support for custom fields (see the first item)
  • Added user permissions to control who can create, edit, and delete observations in the library
  • Added support for footer information (e.g., date, footer text, and slide numbers) in the PowerPoint report templates
    • The footer information is set in your slide deck templates
  • Added a configuration option for the target report delivery date
    • The target date is configured as a number of business days from the project's end date
  • Added a report configuration option to enforce title case for captions
    • If enabled, this option will enforce title case for all evidence captions in a report
    • An accompanying exclusion list allows you to specify words (e.g., articles) that should not be title cased

Changed

  • The WYSIWYG editor's toolbar and context menu have been updated to support the new table and page break features and make it easier to apply styles
  • Project and report dashboards were redesigned to improve the layout and support the new custom fields
  • Report dashboards now display the global report configuration for easier reference
  • Added tags to the lists of findings, domains, and servers
  • Uploaded evidence files can now be linked to a report rather than a finding
    • This change allows evidence files to be used in multiple findings and in the new custom formatted text fields
  • When viewing an evidence file, the file contents are now displayed in the interface as they will appear in the report
    • This change allows you to preview the evidence file's contents with your border and caption before adding it to a report
    • Border width + color and figure label come from the global report configuration in the admin panel
  • PowerPoint slide decks now include "Assessment Timeline" and "Observations" slides
    • The "Assessment Timeline" slide includes a table pre-populated with the project's start date, end date, and target report delivery date
    • The "Observations" slide(s) are similar to the findings slides but for the new observations
  • Reworked the reporting engine to reduce complexity and pave the way for future enhancements
    • This is mentioned here primarily for developers and integrators who may be working with the reporting engine

Deprecated

  • The old "dot" variables used in findings (e.g., {{.project_start}} or {{.client}}) are no longer necessary and will be removed in a future release
    • The "dot" variables inserted some data previously unavailable while writing a finding inside Ghostwriter
    • The new support for Jinja2 composition inside the WYSIWYG editor makes these old "dot" variables redundant
    • The "dot" variables will still work in this release but are no longer referenced in the documentation
    • This deprecation does not include {{.ref }} or {{.caption }}, which will continue to be used for captioning and creating cross-references

v4.0.8

3 months ago

Summary

This release includes some minor bug fixes with enhancements to the GraphQL API to make it easier to automate interactions with project objectives.

CHANGELOG

[4.0.8] - 13 February 2024

Added

  • Added GraphQL events to update deadline and markedComplete fields for project objectives and tasks when these objects are updated via the GraphQL API
  • Added a filter_tags filter to the reporting engine to allow for filtering findings and other models by their tags

Fixed

  • Fixed an issue with the template linter that could cause an error when retrieving undeclared variables under certain conditions

Changed

  • Changed the user relationship for objective to assignedTo in the GraphQL schema to better reflect the relationship between objectives and users

v4.0.7

4 months ago

Summary

This release resolves an issue introduced in v4.0.6 that affected accounts with periods in their usernames.

CHANGELOG

[4.0.7] - 31 January 2024

Fixed

  • Fixed an issue with usernames with periods causing an error after login (Fixes #385)
  • Fixed error that prevented using the "Clear" checkbox for the user avatar field in the admin panel (Fixes #385)

v4.0.6

4 months ago

Summary

This release includes substantial enhancements to the activity log import feature and security fixes.

CHANGELOG

[4.0.6] - 25 January 2024

Fixed

  • Fixed an issue with timestamps in the activity log that could cause an error when importing a CSV file

Changed

  • Activity log imports and exports now include the entry_identifier field
  • Activity log imports now check for duplicate entries based on the entry_identifier field and update the existing entry instead of creating a new entry

Security

v4.0.5

4 months ago

Summary

This includes some API enhancements and small bug fixes. The API changes should make it easier to automate tasks like project creation via the GraphQL API.

CHANGELOG

[4.0.5] - 12 January 2024

Added

  • Added project contacts to the GraphQL schema
  • Added user accounts to the GraphQL schema to allow more automation options for project management
    • Authenticated accounts can query name, username, email, phone number, and timezone
  • Added timezone validation into PostgreSQL to prevent invalid timezones from being saved via the GraphQL API
  • Added a new generateCodename mutation to the GraphQL API that generates a unique codename for new projects (or whatever else you want to use it for)

Fixed

  • Fixed client contacts not loading properly in the drop-down on the project dashboard

Changed

  • The contacts table is now clientContact in the GraphQL API schema for better consistency with other table names
  • Updated the GraphQL schema data in DOCS to reflect the latest changes

v4.0.4

4 months ago

Summary

This is a minor release with some bug fixes and small changes.

CHANGELOG

[4.0.4] - 8 January 2024

Added

  • Added a new regex_search filter for report templates that allows you to search for a regular expression in a string

Fixed

  • Fixed an edge case where a manually edited domain could remain marked as expired on the back end and prevent checkout

Security

  • Resolved a potential XSS vulnerability with autocomplete for finding titles (Closes #374)

v4.0.3

5 months ago

Summary

This release includes some quality-of-life improvements and minor adjustments. Happy holidays!

CHANGELOG

[4.0.3] - 15 December 2023

Added

  • Added tracking for which VirusTotal scanners have flagged a domain as malicious to the health check task
  • Added a new entry_identifier field to activity log entries to make it easier to identify entries when using the GraphQL API
    • The field is an open-ended text field that you can use to track a job ID, UUID, or other identifier for the entry
    • The field has no unique constraints at this time, so you can use it to track multiple entries with the same identifier
    • Logging extensions like the cobalt_sync project use this field to avoid duplicate entries when re-syncing
    • The field is hidden by default in the Ghostwriter web UI when viewing log entries

Fixed

  • Fixed client contacts missing from the dropdown menu after assigning a contact (Fixed #175)

Changed

  • Adjusted the wording of the reminder message sent for upcoming domain releases in Slack to make it clear the domain would remain checked out until the end of the project
  • Improved the Slack message sent when domain names go from "healthy" to "burned"
  • Expanded PowerPoint report generation to include new content with information about team members and objectives
  • Removed character limits on log entry fields to allow for longer entries
    • This change is most useful for fields that track IP addresses
    • This resolves an issue that could arise when using the mythic_sync extension to sync logs with Mythic from a server host with multiple NICs and IPv6 addresses
  • Updated the pre-built Ghostwriter CLI binaries to v0.2.17

v4.0.2

6 months ago

Summary

This release includes some small changes to v4.0.0.

CHANGELOG

[4.0.2] - 14 November 2023

Fixed

  • Fixed a report rendering error when a report had no findings
  • Fixed an issue with search autocomplete and finding titles with single quotes
  • Fixed links for editing scope lists and targets accessed from the project dashboard's dropdown menus

Changed

  • The WYSIWYG editor will now automatically expand the height of the editor to fit the content as you type (up to the height of the browser window) (Closes #344)

Security

  • Updated the TinyMCE WYSIWYG editor to v5.10.8 to incorporate security fixes into Ghostwriter's self-hosted files