0xBugatti/PentestOPS

GitHub: 0xBugatti/PentestOPS

Stars: 312 | Forks: 54

# PentesterOPS Dashboard

A comprehensive penetration testing operations dashboard for managing projects, tasks, findings, clients, and assets. Built with Next.js, Express, and MongoDB.

![PentesterOPS](https://img.shields.io/badge/PentesterOPS-Dashboard-blue) ![License](https://img.shields.io/badge/license-MIT-green)

![](https://static.pigsec.cn/wp-content/uploads/repos/2026/05/74f7d73c4d221901.png)

## 🚀 Features

- **Project Management**: Organize penetration testing projects with tasks, pages, and team collaboration
- **Task Management**: Kanban board, table, and card views with filtering, search, and subtasks
- **Finding Management**: Track security findings with CWE database integration
- **Client Management**: Manage clients with photos, links, and metadata
- **Asset Management**: Track and manage assets linked to projects and tasks
- **Rich Text Editor**: Notion-like pages with Editor.js (headings, paragraphs, code, tables, callouts, toggles)
- **Checklists**: Create reusable checklists and link them to tasks
- **Comments**: Threaded comments on tasks and findings
- **File Attachments**: Upload PDFs, DOCX, XLSX, CSV, ZIP, and images
- **Version History**: Track changes with diff viewing and restore
- **Global Search**: Full-text search across all entities
- **Dark Mode**: Optimized dark theme for technical workflows
- **Single Container Deployment**: Easy deployment with Docker

## 📋 Table of Contents

- [Tech Stack](#tech-stack)
- [Prerequisites](#prerequisites)
- [Quick Start](#quick-start)
- [Development](#development)
- [Docker Deployment](#docker-deployment)
- [VPS Deployment](#vps-deployment)
- [Configuration](#configuration)
- [API Documentation](#api-documentation)
- [Project Structure](#project-structure)
- [Troubleshooting](#troubleshooting)

## 🛠 Tech Stack

- **Frontend**: Next.js 14 (App Router), React, TypeScript, TailwindCSS
- **Backend**: Node.js, Express, TypeScript
- **Database**: MongoDB with Mongoose
- **Authentication**: JWT with refresh tokens
- **Rich Text Editor**: Editor.js with multiple plugins
- **File Storage**: Local filesystem with multer
- **Containerization**: Docker (single container)

## 📦 Prerequisites

- **Node.js**: 18+
- **Docker**: Latest version (for containerized deployment)
- **MongoDB**: 5.0+ (or use MongoDB Atlas)
- **Git**: For cloning the repository

## 🚀 Quick Start

### Local Development

1. **Clone the repository**

   ```bash
   git clone https://github.com/yourusername/MyPentest-Dashboard.git
   cd MyPentest-Dashboard
   ```

2. **Install dependencies**

   ```bash
   # Install root dependencies
   npm install

   # Install frontend dependencies
   cd frontend && npm install && cd ..

   # Install backend dependencies
   cd backend && npm install && cd ..
   ```

3. **Configure environment variables**

   Create a `.env` file in the root directory:

   ```env
   # Backend
   NODE_ENV=development
   BACKEND_PORT=4000
   MONGODB_URI=mongodb://localhost:27017/pentest-dashboard
   JWT_SECRET=your-jwt-secret-key
   JWT_REFRESH_SECRET=your-refresh-secret-key
   CORS_ORIGIN=http://localhost:3000
   ALLOW_REGISTRATION=true
   MAX_FILE_SIZE=10485760
   UPLOAD_DIR=./backend/uploads

   # Frontend
   NEXT_PUBLIC_API_URL=http://localhost:4000
   ```

   Generate secure secrets and replace the two placeholder values above (use a different value for each, and never commit `.env`):

   ```bash
   openssl rand -base64 32   # For JWT_SECRET
   openssl rand -base64 32   # For JWT_REFRESH_SECRET
   ```

4. **Start MongoDB**

   ```bash
   # Using Docker. The official image ships without authentication, so bind the
   # published port to loopback rather than to every interface of the machine.
   docker run -d --name mongodb -p 127.0.0.1:27017:27017 mongo:latest

   # Or use MongoDB Atlas (update MONGODB_URI in .env)
   ```

5. **Run development servers**

   ```bash
   # From root directory
   npm run dev
   ```

6. **Access the application**

   - Frontend: http://localhost:3000
   - Backend API: http://localhost:4000

7. **Create admin user**

   ```bash
   # Register via the UI at /login, or use the seed script:
   node scripts/seed-admin.js
   ```

## 🐳 Docker Deployment

### Single Container (Recommended)

The application uses a single Docker container that includes MongoDB, backend, and frontend.

#### Build and Run

```bash
# Build the image
docker build -t pentestops-dashboard:latest .
```
```bash
# Run the container
docker run -d \
  --name pentestops \
  --restart unless-stopped \
  -p 3000:3000 \
  -p 4000:4000 \
  -p 27017:27017 \
  -v pentestops-data:/data/db \
  -v pentestops-uploads:/app/uploads \
  -e JWT_SECRET=$(openssl rand -base64 32) \
  -e JWT_REFRESH_SECRET=$(openssl rand -base64 32) \
  -e NODE_ENV=production \
  -e CORS_ORIGIN=https://yourdomain.com \
  -e ALLOW_REGISTRATION=false \
  pentestops-dashboard:latest
```

Two things to watch in this command. `-p 27017:27017` publishes the container's MongoDB, which runs without authentication, on every interface of the host; drop that line unless you need external database access, or bind it to loopback (`-p 127.0.0.1:27017:27017`). And because the secrets are generated inline, every `docker run` mints new ones, which invalidates all existing sessions, and the values are visible in `docker inspect` output; the environment-file approach below keeps them stable and out of the command line.

#### Using Environment File

Create `.env` file:

```env
NODE_ENV=production
BACKEND_PORT=4000
FRONTEND_PORT=3000
MONGODB_URI=mongodb://localhost:27017/pentest-dashboard
JWT_SECRET=your-super-secret-jwt-key
JWT_REFRESH_SECRET=your-super-secret-refresh-key
CORS_ORIGIN=https://yourdomain.com
ALLOW_REGISTRATION=false
MAX_FILE_SIZE=10485760
UPLOAD_DIR=/app/uploads
NEXT_PUBLIC_API_URL=https://yourdomain.com
```

Replace the two placeholder secrets with `openssl rand -base64 32` output, restrict the file to the deploying user (`chmod 600 .env`), then run with the environment file:

```bash
docker run -d \
  --name pentestops \
  --restart unless-stopped \
  -p 3000:3000 \
  -p 4000:4000 \
  -v pentestops-data:/data/db \
  -v pentestops-uploads:/app/uploads \
  --env-file .env \
  pentestops-dashboard:latest
```

#### Container Management

```bash
# View logs
docker logs -f pentestops

# Stop container
docker stop pentestops

# Start container
docker start pentestops

# Restart container
docker restart pentestops

# Remove container
docker stop pentestops && docker rm pentestops
```

## 🌐 VPS Deployment

1. **Install Docker**

   ```bash
   curl -fsSL https://get.docker.com -o get-docker.sh
   sudo sh get-docker.sh
   sudo systemctl start docker
   sudo systemctl enable docker
   ```

2. **Clone and deploy**

   ```bash
   cd /opt
   sudo git clone https://github.com/yourusername/MyPentest-Dashboard.git pentestops
   cd pentestops
   sudo chmod +x deploy.sh
   sudo ./deploy.sh
   ```

   The `deploy.sh` script will:

   - Create application directory
   - Generate secure JWT secrets
   - Build Docker image
   - Start container with all services

3. **Access application**

   - Frontend: `http://your-vps-ip:3000`
   - Backend API: `http://your-vps-ip:4000`

   At this point everything is plain HTTP, so logins and findings cross the network unencrypted. Complete the Domain & SSL Setup below before putting real engagement data into the dashboard.

### Domain & SSL Setup

1. **Install Nginx and Certbot**

   ```bash
   sudo apt update
   sudo apt install -y nginx certbot python3-certbot-nginx
   ```

2. **Configure Nginx**

   Create `/etc/nginx/sites-available/pentestops`:

   ```nginx
   server {
       listen 80;
       server_name yourdomain.com www.yourdomain.com;

       location / {
           proxy_pass http://localhost:3000;
           proxy_set_header Host $host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Proto $scheme;
       }
   }

   server {
       listen 80;
       server_name api.yourdomain.com;

       location / {
           proxy_pass http://localhost:4000;
           proxy_set_header Host $host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Proto $scheme;
           client_max_body_size 10M;   # matches the default MAX_FILE_SIZE of 10485760 bytes
       }
   }
   ```

   Enable site:

   ```bash
   sudo ln -s /etc/nginx/sites-available/pentestops /etc/nginx/sites-enabled/
   sudo rm /etc/nginx/sites-enabled/default
   sudo nginx -t
   sudo systemctl reload nginx
   ```

3. **Get SSL Certificate**

   ```bash
   sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com -d api.yourdomain.com
   ```

4. **Update environment variables**

   Edit `/opt/pentestops/.env`:

   ```env
   CORS_ORIGIN=https://yourdomain.com
   NEXT_PUBLIC_API_URL=https://api.yourdomain.com
   ```

   Restart container:

   ```bash
   sudo docker restart pentestops
   ```

   Next.js inlines `NEXT_PUBLIC_*` values into the frontend bundle at build time, so if the image was built before this change a restart alone may not pick up the new API URL; rebuild the image in that case.

### Security Hardening

1. **Configure firewall**

   ```bash
   sudo apt install -y ufw
   sudo ufw allow 22/tcp
   sudo ufw allow 80/tcp
   sudo ufw allow 443/tcp
   sudo ufw enable
   ```

   Docker publishes container ports through its own iptables rules, which ufw does not filter, so a port published as `-p 3000:3000` stays reachable from the internet despite the rules above. Bind the published ports to loopback instead (`-p 127.0.0.1:3000:3000`, `-p 127.0.0.1:4000:4000`, and the same for 27017 if you publish it at all) so that only the local Nginx can reach the application.

2. **Disable root SSH login**

   ```bash
   sudo nano /etc/ssh/sshd_config
   # Set: PermitRootLogin no
   sudo systemctl restart sshd
   ```

3. **Set up automatic backups**

   Create the backup script with `sudo nano /opt/pentestops/backup.sh`:

   ```bash
   #!/bin/bash
   set -euo pipefail

   BACKUP_DIR="/opt/backups/pentestops"
   DATE=$(date +%Y%m%d_%H%M%S)

   # Backups contain client findings: keep the directory readable by root only
   mkdir -p "$BACKUP_DIR"
   chmod 700 "$BACKUP_DIR"

   # Dump the database inside the container, copy it out, then remove the temporary file
   docker exec pentestops mongodump --archive=/tmp/backup.archive --db=pentest-dashboard
   docker cp pentestops:/tmp/backup.archive "$BACKUP_DIR/mongodb_$DATE.archive"
   docker exec pentestops rm -f /tmp/backup.archive

   # Archive uploaded attachments (adjust the path if uploads live in a named
   # volume such as pentestops-uploads rather than under /opt/pentestops)
   tar -czf "$BACKUP_DIR/uploads_$DATE.tar.gz" /opt/pentestops/uploads

   # Keep seven days of backups
   find "$BACKUP_DIR" -type f -mtime +7 -delete
   ```

   Make it executable and schedule it from root's crontab, so the job can run `docker` and write to `/opt/backups`:

   ```bash
   sudo chmod +x /opt/pentestops/backup.sh
   sudo crontab -e
   # Add: 0 2 * * * /opt/pentestops/backup.sh
   ```

## ⚙️ Configuration

### Environment Variables

#### Backend

| Variable | Description | Default | Required |
|----------|-------------|---------|----------|
| `NODE_ENV` | Environment mode | `development` | No |
| `BACKEND_PORT` | Backend API port | `4000` | No |
| `MONGODB_URI` | MongoDB connection string | `mongodb://localhost:27017/pentest-dashboard` | Yes |
| `JWT_SECRET` | JWT token secret | - | Yes |
| `JWT_REFRESH_SECRET` | Refresh token secret | - | Yes |
| `CORS_ORIGIN` | Allowed CORS origins | `*` | No |
| `ALLOW_REGISTRATION` | Allow public registration | `true` | No |
| `MAX_FILE_SIZE` | Max file upload size (bytes) | `10485760` (10MB) | No |
| `UPLOAD_DIR` | Upload directory path | `./uploads` | No |

#### Frontend

| Variable | Description | Default | Required |
|----------|-------------|---------|----------|
| `NEXT_PUBLIC_API_URL` | Backend API URL | `http://localhost:4000` | Yes |
| `NODE_ENV` | Environment mode | `development` | No |

Two of the backend defaults are development conveniences and must be set explicitly on any reachable deployment: with `ALLOW_REGISTRATION` left at `true`, anyone who can reach the API can create an account, and `CORS_ORIGIN` should name the frontend origin rather than `*`.

### File Upload Types

The application supports the following file types:

- **Images**: JPG, JPEG, PNG, GIF, WebP
- **Documents**: PDF, DOC, DOCX
- **Spreadsheets**: XLS, XLSX, CSV
- **Text**: TXT
- **Archives**: ZIP

Maximum file size: 10MB (configurable via `MAX_FILE_SIZE`)

## 📚 API Documentation

### Authentication

- `POST /api/auth/register` - Register new user
- `POST /api/auth/login` - Login
- `POST /api/auth/refresh` - Refresh access token
- `GET /api/auth/profile` - Get user profile
- `PUT /api/auth/profile` - Update user profile

### Projects

- `GET /api/projects` - List all projects
- `POST /api/projects` - Create project
- `GET /api/projects/:id` - Get project details
- `PUT /api/projects/:id` - Update project
- `DELETE /api/projects/:id` - Delete project

### Tasks

- `GET /api/tasks` - List all tasks
- `POST /api/tasks` - Create task
- `GET /api/tasks/:id` - Get task details
- `PUT /api/tasks/:id` - Update task
- `DELETE /api/tasks/:id` - Delete task

### Findings

- `GET /api/findings` - List all findings
- `POST /api/findings` - Create finding
- `GET /api/findings/:id` - Get finding details
- `PUT /api/findings/:id` - Update finding
- `DELETE /api/findings/:id` - Delete finding

### Clients

- `GET /api/clients` - List all clients
- `POST /api/clients` - Create client
- `GET /api/clients/:id` - Get client details
- `PUT /api/clients/:id` - Update client
- `DELETE /api/clients/:id` - Delete client

### Pages (Checklists)

- `GET /api/pages` - List all pages
- `POST /api/pages` - Create page
- `GET /api/pages/:slug` - Get page details
- `PUT /api/pages/:slug` - Update page
- `DELETE /api/pages/:slug` - Delete page

### CWE Database

- `GET /api/cwes` - List all CWEs
- `GET /api/cwes/:id` - Get CWE details
- `POST /api/cwes/import` - Import CWE database from CSV

### Attachments

- `POST /api/attachments` - Upload file
- `GET /api/attachments/:id/download` - Download file
- `GET /api/attachments/:id/view` - View file (images)

### Search

- `GET /api/search?q=query` - Global search

All API endpoints require authentication except:

- `/api/auth/register` (if `ALLOW_REGISTRATION=true`)
- `/api/auth/login`
- `/api/attachments/:id/view` (public images)

Because the view endpoint is unauthenticated, anyone who learns an attachment ID can retrieve that image without logging in. On an internet-facing instance, treat uploaded screenshots accordingly, or put the API behind an additional access control (VPN, client certificates, or an Nginx allow list).

## 📁 Project Structure

```
MyPentest-Dashboard/
├── frontend/                # Next.js frontend application
│   ├── app/                 # Next.js app router pages
│   ├── components/          # React components
│   ├── lib/                 # Utilities and API client
│   ├── public/              # Static assets
│   └── types/               # TypeScript types
├── backend/                 # Express backend API
│   ├── src/
│   │   ├── routes/          # API routes
│   │   ├── models/          # Mongoose models
│   │   ├── middleware/      # Express middleware
│   │   ├── config/          # Configuration files
│   │   └── utils/           # Utility functions
│   └── uploads/             # File uploads directory
├── scripts/                 # Utility scripts
│   ├── seed-admin.js        # Create admin user
│   └── test-crud.js         # Test CRUD operations
├── Dockerfile               # Single container Dockerfile
├── docker-entrypoint.sh     # Container entrypoint script
├── deploy.sh                # VPS deployment script
└── README.md                # This file
```

## 📝 License

MIT License - see LICENSE file for details
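The Configuration tables above document which variables are required and which ship with permissive defaults. The following is an added example, not part of the PentestOPS project, of a pre-deployment check that parses a `.env` file and flags the problems those tables imply: missing or placeholder secrets, identical secrets, `CORS_ORIGIN` left at `*` or `ALLOW_REGISTRATION` left at `true` while `NODE_ENV=production`. The placeholder values it recognises are the ones used in this README's sample files; the `check-env.js` file name and the sample `.env` embedded in the block are constructed for the example.

```javascript
// check-env.js: added example, not part of the PentestOPS project.
// Usage: node check-env.js /opt/pentestops/.env   (exit code 1 if problems are found)
// Without an argument it checks the constructed sample below.
const fs = require("fs");

// Placeholder secrets that appear verbatim in this README's sample .env files.
const PLACEHOLDER_SECRETS = new Set([
  "your-jwt-secret-key",
  "your-refresh-secret-key",
  "your-super-secret-jwt-key",
  "your-super-secret-refresh-key",
]);

// Minimal .env parser: KEY=VALUE lines, '#' comments, optional surrounding quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if (/^(["']).*\1$/.test(value)) value = value.slice(1, -1);
    env[key] = value;
  }
  return env;
}

// Returns a list of human-readable problems; an empty list means the file is safe to deploy.
function checkEnv(env) {
  const problems = [];
  const production = env.NODE_ENV === "production";

  for (const name of ["JWT_SECRET", "JWT_REFRESH_SECRET"]) {
    const value = env[name];
    if (!value) {
      problems.push(`${name} is required but not set`);
    } else if (PLACEHOLDER_SECRETS.has(value)) {
      problems.push(`${name} still has the README placeholder value`);
    } else if (value.length < 32) {
      // 'openssl rand -base64 32' yields 44 characters; anything shorter is suspect.
      problems.push(`${name} is shorter than 32 characters; generate it with 'openssl rand -base64 32'`);
    }
  }
  if (env.JWT_SECRET && env.JWT_SECRET === env.JWT_REFRESH_SECRET) {
    problems.push("JWT_SECRET and JWT_REFRESH_SECRET must differ");
  }
  if (!env.MONGODB_URI) {
    problems.push("MONGODB_URI is required but not set");
  }
  if (production) {
    // Documented defaults are '*' and 'true'; neither is acceptable on a reachable host.
    const origin = env.CORS_ORIGIN || "*";
    if (origin === "*") problems.push("CORS_ORIGIN defaults to '*'; set it to the frontend origin");
    else if (!origin.startsWith("https://")) problems.push("CORS_ORIGIN should be an https:// origin in production");
    if ((env.ALLOW_REGISTRATION || "true") !== "false") {
      problems.push("ALLOW_REGISTRATION defaults to true; set it to false once the admin user exists");
    }
    if (env.NEXT_PUBLIC_API_URL && !env.NEXT_PUBLIC_API_URL.startsWith("https://")) {
      problems.push("NEXT_PUBLIC_API_URL should use https:// in production");
    }
  }
  const maxSize = Number(env.MAX_FILE_SIZE || 10485760);
  if (!Number.isInteger(maxSize) || maxSize <= 0) problems.push("MAX_FILE_SIZE must be a positive integer (bytes)");
  return problems;
}

function checkEnvFile(filePath) {
  return checkEnv(parseEnv(fs.readFileSync(filePath, "utf8")));
}

// Constructed sample: the README's production .env example before secrets were generated.
const SAMPLE_ENV = `
NODE_ENV=production
BACKEND_PORT=4000
MONGODB_URI=mongodb://localhost:27017/pentest-dashboard
JWT_SECRET=your-super-secret-jwt-key
JWT_REFRESH_SECRET=your-super-secret-refresh-key
CORS_ORIGIN=https://yourdomain.com
ALLOW_REGISTRATION=false
MAX_FILE_SIZE=10485760
`;

if (typeof require !== "undefined" && require.main === module) {
  const target = process.argv[2];
  const problems = target ? checkEnvFile(target) : checkEnv(parseEnv(SAMPLE_ENV));
  for (const p of problems) console.log("PROBLEM:", p);
  if (target) process.exitCode = problems.length ? 1 : 0;
}

module.exports = { parseEnv, checkEnv, checkEnvFile, SAMPLE_ENV };
```

Run it against the sample and it reports the two placeholder secrets; run it in `deploy.sh` before `docker build` and a misconfigured file stops the deployment instead of going live.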
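The API Documentation above lists `/api/auth/login`, `/api/auth/refresh` and the endpoints that require authentication, but not how a client should sequence them. The following is an added example, not code from the project, of a small client that logs in, sends the access token on every request, and on a 401 refreshes exactly once and retries, so a revoked session fails rather than loops. The request and response field names (`email`, `password`, `accessToken`, `refreshToken`) and the `Authorization: Bearer` scheme are assumptions; check `backend/src/routes` for the real contract. The fake server in the block is constructed so the flow runs offline.

```javascript
// Added example, not the project's own client: login / bearer / refresh-once-and-retry flow.

class PentestOpsClient {
  // fetchImpl is injectable so the flow can be exercised against a fake server.
  constructor(baseUrl, fetchImpl = globalThis.fetch) {
    this.baseUrl = baseUrl.replace(/\/$/, "");
    this.doFetch = (...args) => fetchImpl(...args);
    this.accessToken = null;
    this.refreshToken = null;
  }

  async login(email, password) {
    // Assumed body and response shape: { email, password } -> { accessToken, refreshToken }
    const res = await this.doFetch(`${this.baseUrl}/api/auth/login`, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ email, password }),
    });
    if (res.status !== 200) throw new Error(`login failed: HTTP ${res.status}`);
    const body = await res.json();
    this.accessToken = body.accessToken;
    this.refreshToken = body.refreshToken;
  }

  async refresh() {
    // Assumed body and response shape: { refreshToken } -> { accessToken[, refreshToken] }
    const res = await this.doFetch(`${this.baseUrl}/api/auth/refresh`, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ refreshToken: this.refreshToken }),
    });
    if (res.status !== 200) throw new Error(`refresh failed: HTTP ${res.status}`);
    const body = await res.json();
    this.accessToken = body.accessToken;
    if (body.refreshToken) this.refreshToken = body.refreshToken; // rotated token, if the server issues one
  }

  // Authenticated request. Refreshes at most once per call, so a revoked session
  // surfaces as an error instead of an endless refresh loop.
  async request(method, apiPath, body, retried = false) {
    const res = await this.doFetch(`${this.baseUrl}${apiPath}`, {
      method,
      headers: {
        Authorization: `Bearer ${this.accessToken}`,
        ...(body ? { "Content-Type": "application/json" } : {}),
      },
      body: body ? JSON.stringify(body) : undefined,
    });
    if (res.status === 401 && !retried && this.refreshToken) {
      await this.refresh();
      return this.request(method, apiPath, body, true);
    }
    if (res.status >= 400) throw new Error(`${method} ${apiPath}: HTTP ${res.status}`);
    return res.json();
  }
}

// Constructed fake server emulating the documented endpoints. Each access token is
// good for a fixed number of requests, which stands in for JWT expiry.
function makeFakeServer({ accessTtlRequests = 2 } = {}) {
  let counter = 0;
  const live = new Map(); // access token -> remaining uses
  const issue = () => { const t = `access-${++counter}`; live.set(t, accessTtlRequests); return t; };
  const reply = (status, json) => ({ status, json: async () => json });
  const calls = [];
  const fetchImpl = async (url, init = {}) => {
    const apiPath = new URL(url).pathname;
    calls.push(apiPath);
    const body = init.body ? JSON.parse(init.body) : {};
    if (apiPath === "/api/auth/login") {
      if (body.email !== "admin@example.com" || body.password !== "correct horse") return reply(401, {});
      return reply(200, { accessToken: issue(), refreshToken: "refresh-1" });
    }
    if (apiPath === "/api/auth/refresh") {
      return body.refreshToken === "refresh-1" ? reply(200, { accessToken: issue() }) : reply(401, {});
    }
    const token = ((init.headers && init.headers.Authorization) || "").replace("Bearer ", "");
    const left = live.get(token);
    if (!left) return reply(401, {});
    live.set(token, left - 1);
    return reply(200, { path: apiPath, user: "admin" });
  };
  return { fetchImpl, calls };
}

// Login, two authenticated calls, token exhausted, transparent refresh, retried call.
async function demo() {
  const server = makeFakeServer({ accessTtlRequests: 2 });
  const client = new PentestOpsClient("https://api.yourdomain.com", server.fetchImpl);
  await client.login("admin@example.com", "correct horse");
  await client.request("GET", "/api/auth/profile");
  await client.request("GET", "/api/projects");
  const third = await client.request("GET", "/api/findings");
  return { calls: server.calls, third, accessToken: client.accessToken };
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((r) => console.log(r));
}

module.exports = { PentestOpsClient, makeFakeServer, demo };
```

The call log from `demo()` shows the shape to look for in real traffic: login, two successful calls, a 401 on the third, one `/api/auth/refresh`, and the retried call succeeding with the new access token.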
Tags: Automated attacks