To avoid possible licensing issues in the case of a "pro" or "hosted" version in the future.

Currently, templates are rendered on the Golang side, with no AngularJS routing/templating. It might be cleaner to further separate the architecture into a strict AngularJS frontend and a Golang backend (API). This would minimize the Golang handlers needed for basic frontend work.

Will need to work around authentication!

Currently, the code architecture for $resource handling and validation is pretty messy and scattered around, with some logic in modals, and some login in the root scope.

I'd like to clean this up to have all the logic in the modals (since that's where changes are staged and validated), with the returned result being the already validated object.

Example (as it is now)

// In main controller
$scope.saveTemplate = function(template) {
        var newTemplate = new TemplateService(template);
        if ($scope.newTemplate) {
            newTemplate.$save({}, function() {
                $scope.templates.push(newTemplate);
                $scope.mainTableParams.reload()
                return ""
            }, function(error){
              console.log(error.data)
              return error.data.message
            });
        } else {
            newTemplate.$update({
                id: newTemplate.id
            })
        }
        $scope.template = {
            name: '',
            html: '',
            text: '',
        };
    }

// In modal controller
$scope.ok = function(template) {
        message = $scope.saveTemplate(template)
        if (message == "") {
          $modalInstance.close();
        } else {
          $scope.errorFlash(message)
        }
    };

This is messy, unreadable, and unreliable.

The ability to use a target's employment position would be pretty standard practice in phishing campaigns.

This should be added as a standard attribute for the Target model.

To make the UX consistent, the app should have meaningful error flashes (in the modal!) when invalid input is submitted, as well as success flashes (on the main page) when input is valid.

Missing flashes for:

• templates
• users & groups
• etc.

For each IP that opens the email or clicks the link, we should add a bubble on a geomap.

Knowing when a user opens a phishing email would be a huge addition to test metrics. This can be done a couple of ways:

• Adding an image in the email with a source of phishing_server/track.png?id={{.Id}}
• Adding an image in the email with a source of {{.Url}}/full/url/event/track?id={{.Id}}

As it stands, since we are inserting the <base> tag immediately before the </head> closing tag, we lose the base on any previous relative resource links.

By placing this right after the opening <head> tag, we can fix this.

The API docs suck. That's not ok.

I have some ideas to update the docs to be cleaner and more comprehensive. It'll involve getting rid of Swagger, which has positives and downsides. I'll keep this issue open to keep track of progress.

When a user clicks a phishing link, it would be ideal to have the IP address stored in models.Result record for geoip lookups later.

Currently, controllers.js is approx. 1k lines long. I'd like to break this up into manageable chunks, perhaps making a controllers/ directory with a file for each resource type/page.

Would be nice to add automatic SSL cert generation (self-signed) and make a config option to run the webserver via HTTPS.

The API returns a 400 when hitting POST /api/campaigns

It would be nice to have a "Add Tracker" button on the email template modal that adds the {{.Tracker}} to the template.

Currently, we can use template values in the HTML and email Text fields, but are not able to put template values in the subject.

Currently, editing a page doesn't work with the following message:

Uncaught TypeError: Cannot read property 'id' of undefined

I believe this is due to not setting the save(idx) onclick event correctly.

If a template is created without files, a NullPointerException error is thrown in JS when trying to edit the template and add new files to it.

CKEditor has plugins that allow us to make custom buttons that insert templates into the HTML. It would be handy to have buttons that easily insert integration into things like beef, metasploit, etc. as well as automatically inserting login forms, or links to the phishing url.

It would be a neat feature to be able to connect to a users email (given credentials) to automatically import a template from their mailbox.

That would make it easier then "View Source" from the email.

Currently, we fire an event when an email is opened (using a {{.Tracker}}), but we don't actually set the status of the campaign.Result object to Email Opened.

This might not be possible due to the lack of visibility from TLS, but it would be a nice addition if the client could view the full SMTP transaction performed to send the mail to the target.

The ability to copy/paste original email "source" into a modal which is then parsed into a template would make creating templates much easier.

Additional features, such as tracking removal, automatically changing links, etc. could be added in the future.

There are conditions that cause attachments to be repeated when opening/closing the template edit modal. Need to track down and fix.

When creating a landing page, I'd like the ability to clone a site automatically. This would be an endpoint that takes in a URL and returns the HTML for the page. This would be put in the scope.page model to be easily saved.

Maybe also consider resolving external CSS, JS, etc.?

With a test use case of approx. 15,000 targets, the frontend is a bit sluggish.

I believe this can be fixed by implementing API pagination, making all requests asynchronous, etc.

The timeline is currently just a bunch of blue dots. I recommend having the following colors:

Grey - Error
Yellow/Orange - Email Opened
Red - Email Clicked

Currently, it looks like CKEditor will strip inline css styles on an <a> tag when the link is edited.

I have opened a ticket with the CKEditor team to get this resolved.

To mimic the functionality had in Highcharts, it would be nice to implement zooming in timelines (line charts) in Chartist.js.

This will likely be an upstream patch to the original project.

Would be nice to add gzip support as a middleware HTTP handler.

Some companies (specifically pentesting companies) would like to group gophish users by teams.

This might be a "pro" or paid feature. We'll see 😄

Right now, the golang dependencies aren't maintained. This may cause issues if users go get the package and the dependencies have been updated.

Recommended to use the 1.5 vendor experiment or godeps.

The ability to setup and schedule campaign in advance would add some pretty solid benefits automated campaign generation.

This might require a db schema update, so I'll probably put this at 0.2.

It would be beneficial to have some default payloads for phishing emails. Things like basic word docs with macros enabled, etc.

I tried go run gophish.go, and it's always closing immediately.

I found it might because the 80 port need root, however root may have different GOPATH.

It would be nice to have a nice set of default (non-copyright infringing!) templates and landing pages.

When filling out a template, we shouldn't assume the user knows all the template variables that are possible.

It would be user friendly to have an "autocomplete" feature that can show what variables are available.

The /api/import/group endpoint allows for importing a CSV containing First Name, Last Name, etc.

Unfortunately, when the targets are sent back by the API endpoint after parsing the CSV, the names are ignored.

Need to fix the issue where when the user pressed "tab" to autocomplete a typeahead selection, the input is filled with the JSON representation of the entire object.

Looks like the root cause is that we need to bind our autocomplete function to the typeahead:autocomplete event for each typeahead object.

I'm starting to lean towards the idea that I don't need AngularJS. I'm not using the data-binding as much as I thought I would, and the entire thing is a fairly hacky implementation right now.

Angular is nice, but I think it might be cleaner if I migrate everything to vanilla JQuery.

This is related to #37, but involves the front-end work of actually setting the Landing page on the campaign modal.

Right now, only a few template values are supported. This issue is to implement the ability for users to create their own template values on the fly.

This value should be the "Name" part of the SMTP From line, with a fallback to the email if the name is blank.

Right now, editing groups (PUT /api/groups/:id) is implemented by iterating through the given targets to see if they exist in the group. If not, they are created. If there are targets in the group that are not given, they are created.

This does not allow us to actually edit the target details, which is a bug.

There are two implementations I can see happening:

• Using jinzhu/gorm to handle the many-2-many relationship (new feature added recently)
• Do a naive delete all / insert all operation. Might be a bit more IO, but would make it simple.

Need the ability to filter API results using params.

I've been originally just using an IP address as the URL template variable in campaigns, but this should be configurable per-campaign.

It will be up to the user to ensure that the URL is reachable and points to the phish admin listener (the ability to send a test email will help with this!)

It shouldn't take an API expert to grab the results into a usable CSV format.

Specifically, the "Export" option should allow for CSV exporting of campaign results.

Currently, we support the creation of landing pages, but they aren't actually used for anything (fail!).

Need to setup the Phish Handler to read the landing page and serve that as HTML when a target clicks the link.

Before launching a campaign, it would help if the admin could send a test email to himself/herself to ensure all looks good.

Need to use the moment.js plugin for datatables to make sorting work again.

This will be tricky, and I might have to implement a Go ldap library, but it would be a great feature to have.