PwnDoc - Pentest Report Generator


PwnDoc is a pentest reporting application that makes it simple to write up your findings and generate a customizable Docx report. The main goal is to have more time to Pwn and less time to Doc by sharing data such as vulnerabilities between users.

https://github.com/pwndoc/pwndoc

Features

  • Multiple Language support
  • Multiple Data support
  • Great Customization
    • Manage reusable Audit and Vulnerability Data
    • Create Custom Sections
    • Add custom fields to Vulnerabilities
  • Vulnerabilities Management
  • Multi-User reporting
  • Docx Report Generation
  • Docx Template customization

Installation

PwnDoc uses 3 containers: the backend, the frontend and the database.

Production

All 3 containers can be run at once using the docker-compose file in the root directory.

For production usage, make sure to change the JWT secret in «src/lib/auth.js» and the certificates in the «ssl» folder.

Build and run Docker containers

docker-compose up -d --build

Display backend container logs

docker-compose logs -f pwndoc-backend

Stop/Start containers

docker-compose stop
docker-compose start

Remove containers

docker-compose down

Update

docker-compose down
git pull
docker-compose up -d --build

Application is accessible through https://localhost:8443
API is accessible through https://localhost:4242/api

Development

For development purposes, a specific docker-compose file can be used in each folder (backend/frontend).

Source code can be modified live and the application will automatically reload on changes.

Build and run backend and database containers

docker-compose -f backend/docker-compose.dev.yml up -d --build

Display backend container logs

docker-compose -f backend/docker-compose.dev.yml logs -f pwndoc-backend

Stop/Start container

docker-compose -f backend/docker-compose.dev.yml stop
docker-compose -f backend/docker-compose.dev.yml start

Remove containers

docker-compose -f backend/docker-compose.dev.yml down

Application is accessible through http://localhost:8081
API is accessible through https://localhost:5252/api

Tests

For now, only backend tests have been written (it's a continuous work in progress).

Test files are located in backend/tests and use the Jest testing framework.

The run_tests.sh script in the root folder can be used to launch the tests:

Usage:        ./run_tests.sh -q|-f [-h, --help]

Options:
  -h, --help  Display help
  -q          Run quick tests (No build)
  -f          Run full tests (Build with no cache)

Don't use it in production, as it will delete the production database.

Backup

It's possible, and even recommended, to regularly back up the backend/mongo-data folder. It contains the entire database.

To restore:

  • Stop containers
  • Replace the current backend/mongo-data folder with the backed up one
  • Start containers
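
The backup and restore steps above as a script, added here as an example and not taken from the PwnDoc project. The function names, the COMPOSE and BACKUP_DIR variables, the archive naming and the choice to stop the containers during the copy are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not PwnDoc code): cold backup/restore of backend/mongo-data.
# Assumed names: pwndoc_backup, pwndoc_restore, COMPOSE, BACKUP_DIR, archive naming.
COMPOSE="${COMPOSE:-docker-compose}"    # command that stops/starts the stack
BACKUP_DIR="${BACKUP_DIR:-./backups}"   # assumed destination; use protected storage

pwndoc_backup() {   # usage: pwndoc_backup <pwndoc-root>; prints the archive path
  local root="$1" out rc=0
  [ -d "$root/backend/mongo-data" ] || { echo "no mongo-data under $root" >&2; return 1; }
  mkdir -p "$BACKUP_DIR" || return 1
  out="$(cd "$BACKUP_DIR" && pwd)/mongo-data-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
  (
    umask 077                           # the archive holds client findings: owner-only
    cd "$root" || exit 1
    $COMPOSE stop >&2 || exit 1         # copy the files only while the database is down
    tar -czf "$out" -C backend mongo-data || rc=1
    $COMPOSE start >&2                  # restart even when tar failed
    [ "$rc" -eq 0 ] || exit 1
    cd "$(dirname "$out")" && sha256sum "$(basename "$out")" > "$out.sha256"
  ) || return 1
  echo "$out"
}

pwndoc_restore() {  # usage: pwndoc_restore <pwndoc-root> <archive>
  local root="$1" archive="$2" dir name
  dir="$(cd "$(dirname "$archive")" && pwd)" || return 1
  name="$(basename "$archive")"
  # Refuse a corrupted or truncated archive before touching the live data.
  (cd "$dir" && sha256sum -c "$name.sha256" >/dev/null) || return 1
  (
    cd "$root" || exit 1
    $COMPOSE stop >&2 || exit 1
    # Keep the current data aside until the restored copy is confirmed working.
    [ ! -d backend/mongo-data ] || mv backend/mongo-data "backend/mongo-data.old.$$" || exit 1
    tar -xzf "$dir/$name" -C backend || exit 1
    $COMPOSE start >&2
  )
}
```

A checksum stored next to the archive detects corruption, not tampering by someone who can write to the backup location; keep a copy of the checksum elsewhere if that matters.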

Documentation

Multi-User reporting

Finding edition

Vulnerability management workflow

March 16, 2022

Author

Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023