
PwnDoc is a pentest reporting application that makes it simple and easy to write up your findings and generate a customizable Docx report. The main goal is to have more time to Pwn and less time to Doc by sharing data such as vulnerabilities between users.
https://github.com/pwndoc/pwndoc
Features
- Multiple Language support
- Multiple Data support
- Great Customization
- Manage reusable Audit and Vulnerability Data
- Create Custom Sections
- Add custom fields to Vulnerabilities
- Vulnerabilities Management
- Multi-User reporting
- Docx Report Generation
- Docx Template customization
Installation
PwnDoc uses 3 containers: the backend, the frontend and the database.
Production
All 3 containers can be run at once using the docker-compose file in the root directory.
For production usage, make sure to change the JWT secret in «src/lib/auth.js» and the certificates in the «ssl» folder.
Build and run Docker containers
docker-compose up -d --build
Display backend container logs
docker-compose logs -f pwndoc-backend
Stop/Start containers
docker-compose stop
docker-compose start
Remove containers
docker-compose down
Update
docker-compose down
git pull
docker-compose up -d --build
Application is accessible through https://localhost:8443
API is accessible through https://localhost:4242/api
Development
For development purposes, a specific docker-compose file can be used in each folder (backend/frontend).
Source code can be modified live, and the application will automatically reload on changes.
Build and run backend and database containers
docker-compose -f backend/docker-compose.dev.yml up -d --build
Display backend container logs
docker-compose -f backend/docker-compose.dev.yml logs -f pwndoc-backend
Stop/Start container
docker-compose -f backend/docker-compose.dev.yml stop
docker-compose -f backend/docker-compose.dev.yml start
Remove containers
docker-compose -f backend/docker-compose.dev.yml down
Application is accessible through http://localhost:8081
API is accessible through https://localhost:5252/api
Tests
For now, only backend tests have been written (it's a continuous work in progress).
Test files are located in backend/tests and use the Jest testing framework.
The script run_tests.sh at the root folder can be used to launch tests:
Usage: ./run_tests.sh -q|-f [-h, --help]
Options:
-h, --help Display help
-q Run quick tests (No build)
-f Run full tests (Build with no cache)
Don't use it in production, as it will delete the production database.
Backup
It's possible, even recommended, to regularly back up the backend/mongo-data folder. It contains the entire database.
To restore:
- Stop containers
- Replace the current backend/mongo-data folder with the backed up one
- Start containers
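The backup and restore steps above, scripted as an added example (not part of PwnDoc or of the original page): it stops the containers before archiving, writes a SHA-256 file next to the archive, and refuses to restore when the checksum fails. The backups directory, the function names and the DATA_DIR, BACKUP_DIR and COMPOSE variables are assumptions.

```shell
#!/bin/sh
# Added example: cold backup and verified restore of PwnDoc's database folder.
# Assumptions: run from the repository root; ./backups is a hypothetical target.
set -eu
DATA_DIR="${DATA_DIR:-backend/mongo-data}"
BACKUP_DIR="${BACKUP_DIR:-backups}"
COMPOSE="${COMPOSE:-docker-compose}"

# Create a timestamped archive plus a SHA-256 file; prints the archive path.
pwndoc_backup() {
    mkdir -p "$BACKUP_DIR"
    out_dir=$(cd "$BACKUP_DIR" && pwd)
    name="mongo-data-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    $COMPOSE stop >&2            # stop containers so the files are consistent
    rc=0
    # Findings are sensitive: umask 077 keeps the archive owner-readable only.
    ( umask 077 &&
      tar -czf "$out_dir/$name" -C "$(dirname "$DATA_DIR")" "$(basename "$DATA_DIR")" &&
      cd "$out_dir" && sha256sum "$name" > "$name.sha256" ) || rc=$?
    $COMPOSE start >&2           # restart even if the archive step failed
    [ "$rc" -eq 0 ] || return "$rc"
    echo "$out_dir/$name"
}

# Restore an archive made by pwndoc_backup, following the three steps above.
pwndoc_restore() {
    archive=$1
    # Refuse an archive whose checksum no longer matches its .sha256 file.
    ( cd "$(dirname "$archive")" &&
      sha256sum -c "$(basename "$archive").sha256" >&2 ) || {
        echo "checksum mismatch, not restoring: $archive" >&2
        return 1
    }
    $COMPOSE stop >&2 || return 1
    # Move the current folder aside rather than deleting it.
    if [ -e "$DATA_DIR" ]; then
        mv "$DATA_DIR" "$DATA_DIR.replaced-$(date -u +%Y%m%dT%H%M%SZ)" || return 1
    fi
    tar -xzf "$archive" -C "$(dirname "$DATA_DIR")" || return 1
    $COMPOSE start >&2
}

case "${1:-}" in
    backup)  pwndoc_backup ;;
    restore) pwndoc_restore "${2:?usage: $0 restore ARCHIVE}" ;;
esac
```

Run it as a user that can read backend/mongo-data. The archives contain every finding in the database, so they need the same access restrictions as the reports themselves.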
Documentation
Multi-User reporting
Finding edition
Vulnerability management workflow