PwnDoc – Pentest Report Generator

Stella Sebastian
Posted by Stella Sebastian December 26, 2020

superior_hosting_service

PwnDoc is a pentest reporting application making it simple and easy to write your findings and generate a customizable Docx report. The main goal is to have more time to Pwn and less time to Doc by mutualizing data like vulnerabilities between users.

Features

  • Multiple Language support
  • Multiple Data support
  • Great Customization
    • Manage reusable Audit and Vulnerability Data
    • Create Custom Sections
    • Add custom fields to Vulnerabilities
  • Vulnerabilities Management
  • Multi-User reporting
  • Docx Report Generation
  • Docx Template customization

Installation

PwnDoc uses 3 containers: the backend, the frontend and the database.

Production

All 3 containers can be run at once using the docker-compose file in the root directory.

For production usage make sure to change the JWT secret in «src/lib/auth.js» and certificates in «ssl» folder

Build and run Docker containers

docker-compose up -d --build

Display backend container logs

docker-compose logs -f pwndoc-backend

Stop/Start containers

docker-compose stop
docker-compose start

Remove containers

docker-compose down

Update

docker-compose down
git pull
docker-compose up -d --build

Application is accessible through https:// localhost: 8443
API is accessible through https:// localhost: 4242 /api

When using Firefox, a certificate exception must be added for the backend. For that go to 
https:// localhost: 4242/api/users/init

Developpment

For development purposes, a specific docker-compose file can be used in each folder (backend/frontend).

Source code can be modified live and application will automatically reload on changes.

Build and run backend and database containers

docker-compose -f backend/docker-compose.dev.yml up -d --build

Display backend container logs

docker-compose -f backend/docker-compose.dev.yml logs -f pwndoc-backendPentest Report Generator

Stop/Start container

docker-compose -f backend/docker-compose.dev.yml stop
docker-compose -f backend/docker-compose.dev.yml start

Remove containers

docker-compose -f backend/docker-compose.dev.yml down

Application is accessible through http:// localhost :8081
API is accessible through https:// localhost :5252/api

Tests

For now, only backend tests have been written (it’s a continuous work in progress)

Test files are located in backend/tests using Jest testing framework

Script run_tests.sh at the root folder can be used to launch tests :

Usage:        ./run_tests.sh -q|-f [-h, --help]

Options:
  -h, --help  Display help
  -q          Run quick tests (No build)
  -f          Run full tests (Build with no cache)

Don’t use it in production as it will delete the production Database

Backup

It’s possible, even recommended, to regularly backup the backend/mongo-data folder. It contains all the database.

To restore:

  • Stop containers
  • Replace the current backend/mongo-data folder with the backed up one
  • Start containers

Documentation

https://github.com/pwndoc/pwndoc

Multi-User reporting

audit_finding_demo.gif
create_and_update_finding.gif
Vulnerability Scanning

Tags: