PwnDoc - Pentest Report Generator


PwnDoc is a pentest reporting application making it simple and easy to write your findings and generate a customizable Docx report. The main goal is to have more time to Pwn and less time to Doc by mutualizing data like vulnerabilities between users.


  • Multiple Language support
  • Multiple Data support
  • Great Customization
    • Manage reusable Audit and Vulnerability Data
    • Create Custom Sections
    • Add custom fields to Vulnerabilities
  • Vulnerabilities Management
  • Multi-User reporting
  • Docx Report Generation
  • Docx Template customization


PwnDoc uses 3 containers: the backend, the frontend and the database.


All 3 containers can be run at once using the docker-compose file in the root directory.

For production usage, make sure to change the JWT secret in «src/lib/auth.js» and the certificates in the «ssl» folder.

Build and run Docker containers

docker-compose up -d --build

Display backend container logs

docker-compose logs -f pwndoc-backend

Stop/Start containers

docker-compose stop
docker-compose start

Remove containers

docker-compose down


Update containers

docker-compose down
git pull
docker-compose up -d --build

Application is accessible through https://localhost:8443
API is accessible through https://localhost:4242/api


For development purposes, a specific docker-compose file can be used in each folder (backend/frontend).

Source code can be modified live and application will automatically reload on changes.

Build and run backend and database containers

docker-compose -f backend/ up -d --build

Display backend container logs

docker-compose -f backend/ logs -f pwndoc-backend

Stop/Start container

docker-compose -f backend/ stop
docker-compose -f backend/ start

Remove containers

docker-compose -f backend/ down

Application is accessible through http://localhost:8081
API is accessible through https://localhost:5252/api


For now, only backend tests have been written (it's a continuous work in progress)

Test files are located in backend/tests and use the Jest testing framework.

A script in the root folder can be used to launch the tests:

Usage:        ./ -q|-f [-h, --help]

  -h, --help  Display help
  -q          Run quick tests (No build)
  -f          Run full tests (Build with no cache)

Don't use it in production, as it will delete the production database.


It's possible, even recommended, to regularly back up the backend/mongo-data folder. It contains the entire database.

To restore:

  • Stop containers
  • Replace the current backend/mongo-data folder with the backed up one
  • Start containers
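
The backup and restore steps above, as an added shell example (not part of PwnDoc or the original page), meant to be run from the repository root. The backups/ directory, the archive naming, the SHA-256 sidecar file and the variable and function names are assumptions.

```shell
#!/bin/sh
# Added example: cold backup/restore of PwnDoc's backend/mongo-data folder.
# Assumed (not from the page): backups/ directory, archive names, and the
# COMPOSE / DATA_DIR / BACKUP_DIR variables.
COMPOSE="${COMPOSE:-docker-compose}"   # left unquoted below so "docker compose" also works
DATA_DIR="${DATA_DIR:-backend/mongo-data}"
BACKUP_DIR="${BACKUP_DIR:-backups}"

# Stop containers, archive the data folder, restart, record a SHA-256.
# Prints the archive path on success.
pwndoc_backup() {
    archive="$BACKUP_DIR/mongo-data-$(date +%Y%m%d-%H%M%S).tar.gz"
    mkdir -p "$BACKUP_DIR" || return 1
    $COMPOSE stop >/dev/null || return 1
    rc=0
    tar -czf "$archive" -C "$(dirname "$DATA_DIR")" "$(basename "$DATA_DIR")" || rc=1
    $COMPOSE start >/dev/null || rc=1    # always try to bring the app back up
    [ "$rc" -eq 0 ] || return 1
    (cd "$BACKUP_DIR" && sha256sum "$(basename "$archive")" \
        > "$(basename "$archive").sha256") || return 1
    chmod 600 "$archive"                 # archive holds findings and client data
    echo "$archive"
}

# Verify the checksum, stop containers, swap the folder, restart.
# The previous folder is kept as <DATA_DIR>.old until the next restore.
pwndoc_restore() {
    archive="$1"
    (cd "$(dirname "$archive")" && \
        sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1) \
        || { echo "checksum mismatch: $archive" >&2; return 1; }
    $COMPOSE stop >/dev/null || return 1
    rm -rf "$DATA_DIR.old"
    [ ! -e "$DATA_DIR" ] || mv "$DATA_DIR" "$DATA_DIR.old"
    rc=0
    tar -xzf "$archive" -C "$(dirname "$DATA_DIR")" || rc=1
    $COMPOSE start >/dev/null || rc=1
    return "$rc"
}
```

Files under backend/mongo-data may be owned by the database container's user, in which case both functions need to run with enough privileges to read and replace them.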


Multi-User reporting

Finding edition

Vulnerability management workflow

March 16, 2022


Hakin9 TEAM