Releases: inflictx/Arsenal

v1.2.1 - HIGH + MEDIUM content backlog

@inflictx inflictx released this 01 Jul 15:49

v1.2.1 - HIGH + MEDIUM bug-bounty content backlog

New payload cards and ready-to-run scripts, both locales (RU + EN).

CVE payload cards + PoC scripts

Payloads

  • Swagger UI ?configUrl= DOM-XSS via a remote spec
  • PasteJacking / clipboard blind XSS
  • Google / Gemini API-key abuse (validate, billable call, referrer/app bypass)

Recon / discovery scripts

  • Swagger configUrl probe + WordPress XML-RPC abuse (API scripts)
  • IIS 8.3 short-name enumeration (discovery)
  • S3-URL-from-JS harvester (origin & buckets)
  • waymore pipeline (wayback / archive)

Seed: 5294 entries. All gates green (tsc 0, vitest 18/18, server + static builds). The live demo auto-redeploys to GitHub Pages.

v1.2.0: Recon Tools

@inflictx inflictx released this 01 Jul 14:44

🛰️ Recon Tools: a new offline recon crafters tab

A new Recon Tools module (#/recon) with three offline crafters that only ASSEMBLE what you run yourself (the app never touches the network):

  • Wayback CDX query builder: match types, extension filters and presets, plus copy-paste post-processing recipes (gau/waybackurls harvest, uro dedup, gf classification, id_ deleted-file recovery, PDF secret scan).
  • IDN homograph generator: 0-click account takeover via punycode email. Crafts domain-part and username-part look-alikes with the on-the-wire form and the full attack workflow, plus a defensive analyzer that decodes xn-- and flags confusable characters.
  • Dork builder: 20 Google dork categories + GitHub code-search + Shodan pivots, with a multi-engine Open and a custom builder.

Bilingual RU/EN, standard Copy buttons, wrapped in the shared lab container. Content researched and verified (CDX semantics against the wayback CDX source; confusable code points and xn-- examples against Python unicodedata/punycode; dork operators against each engine's current docs).
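A minimal sketch of the defensive side described above (decode xn-- labels and flag suspicious characters), added here as an example and not taken from Arsenal's code. It uses only the Python standard library (unicodedata and the punycode codec); the script heuristic (first word of the Unicode character name) is an assumption and does not catch whole-script look-alikes, which need the Unicode UTS #39 confusables data.

```python
import unicodedata

def script_of(ch):
    """Coarse script label: the first word of the character's Unicode name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits and hyphen
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def decode_label(label):
    """Return the Unicode form of one DNS label, decoding xn-- if present."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def analyze_domain(domain):
    """Decode each label; flag punycode, non-ASCII and mixed-script labels."""
    report = []
    for label in domain.rstrip(".").split("."):
        entry = {"label": label, "decoded": None, "flags": [], "chars": []}
        report.append(entry)
        try:
            decoded = decode_label(label)
        except UnicodeError:
            entry["flags"].append("invalid-punycode")
            continue
        entry["decoded"] = decoded
        # Every non-ASCII character with its code point and Unicode name.
        entry["chars"] = [(c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
                          for c in decoded if not c.isascii()]
        scripts = {script_of(c) for c in decoded} - {"COMMON"}
        if decoded != label:
            entry["flags"].append("punycode")
        if entry["chars"]:
            entry["flags"].append("non-ascii")
        if len(scripts) > 1:
            entry["flags"].append("mixed-script")
    return report

if __name__ == "__main__":
    # Constructed sample: Cyrillic U+0430 in place of Latin "a".
    sample = "xn--" + "\u0430pple".encode("punycode").decode("ascii") + ".example"
    for e in analyze_domain(sample):
        print(e["label"], "->", e["decoded"], e["flags"], e["chars"])
```

A label such as "café" is reported as non-ascii but not mixed-script, since all of its letters are Latin; mixed-script is the stronger signal for mail and signup validation.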

Also since v1.1.0

  • Localized the Copy / Copied confirmation (RU/EN).
  • Large deep-audit and content-correctness pass: ranker overhaul, ~60 payload / checklist / chain fixes, reverse-shell byte-encoding, DNS-rebinding guard, payload-shaped CVE additions.

All gates green: tsc, vitest 18/18, server and static builds. The live demo auto-redeploys to GitHub Pages.

ARS3NAL v1.1.0 — Attack Chains, offline labs, EN content

@inflictx inflictx released this 29 Jun 05:46

Offline arsenal for pentesters and bug bounty hunters. Fully offline, RU/EN.

New: Attack Chains

92 leveled kill-chains across 11 domains (injection, access control, recon, OAuth/SSO, SSRF, client-side, auth/2FA logic, file upload, API/GraphQL, modern web, AI/LLM). Each step expands the matching payload / script / command / checklist inline and deep-links into the right module. Difficulty levels (Newbie / Intermediate / Advanced), target-context tokens, step progress, collapsible domain tree, search highlight, keyboard nav, and alternative/branch step markers.

New: offline labs and templates

  • OAuth / SSO Lab — assemble an /authorize URL and apply attack vectors that actually mutate it.
  • JWT Workshop — client-side WebCrypto crafter: alg:none, RS256->HS256 confusion, kid/jku tricks, HS256 sign, with a stale-token indicator.
  • Report Templates — per-class skeletons with CWE + CVSS, severity filter, copy / export .md, and unfilled-token highlighting.

Bilingual

Attack Chains and Report Templates now ship full English content (RU/EN toggle).

Correctness and fixes

  • Inline matches are now exact-or-note: no more irrelevant payload/checklist/script surfacing in a step.
  • Cmd-K opens chains and report templates directly.
  • Fixed broken Python RCE payloads (__include__ -> __import__) and a non-executing /etc/passwd privesc payload.

Live demo: https://inflictx.github.io/Arsenal/

ARS3NAL v1.0.0

@inflictx inflictx released this 26 Jun 14:17

First stable release. ARS3NAL is an offline arsenal for pentesters and bug bounty hunters: payloads, click-to-build commands, GTFOBins, scripts, checklists, and one search across everything. Fully offline, RU/EN.

What's new in 1.0

📜 Scripts module

110 full, copy-paste-and-run pentest scripts (Python / Bash / JS / HTML PoC) across 27 categories: boolean / time / error / UNION blind SQLi extractors, JWT forging, SSRF & XXE OOB listeners, IDOR matrices, recon pipelines, cloud / k8s probes, CVE PoCs and more. Filterable by group and language, each with its dependencies, parameters and safety badges. RU and EN.

⭐ Favorites everywhere

Star any payload, command, GTFOBin, script or Burp page from its reader and find it all under Favorites.

🎯 Consistent target substitution

Set your target / LHOST once; {TARGET}/{LHOST}, the *_IP placeholders and example hosts now resolve the same way across Payloads and Commands.

💾 Safer backups

A backup now contains only your personal layer (custom entries, favorites, notes, checklist progress, engagements). Restoring no longer wipes the bundled reference content.

Plus a pass of UX and audit fixes

  • Copy buttons fixed on long, horizontally-scrolling code blocks.
  • Checklist payload suggestions reworked for better coverage and fewer duplicates.
  • Recon command builders, command-builder mode fixes, the command palette opens Scripts and Notes, and many smaller fixes throughout.

Live demo: https://inflictx.github.io/Arsenal/

v0.3.0 — editable cards, target substitution, merge import, new content

@inflictx inflictx released this 24 Jun 18:07

Editable personal layer, smarter target substitution, merge-import backups, and new content.

  • Create / edit / delete reference cards (payloads), "only mine" filter, mine badge. Edits survive re-seed (is_custom).
  • Backup: new Merge mode (add a backup's personal data without wiping current), with dedup, alongside Replace.
  • Target substitution: set TARGET/LHOST once, example hosts in payloads are rewritten to them (with a target badge), in sync with Commands / RevShell / Engagements.
  • New content (RU + EN): Subdomain Takeover, Web Cache Poisoning, hashcat cracking-rules reference.
  • Hardening: input validation (no 500s on junk ids/bodies), findings->targets FK cascade, safe JSON parsing.
  • Quality: cleared all strict TypeScript errors; added typecheck + unit-test gates to CI.

Audited (logic/UI + architecture): no critical or high-severity bugs; httpApi/localApi parity verified; bilingual i18n complete.

v0.2.0 - Bilingual (RU / EN)

@inflictx inflictx released this 24 Jun 10:44

ARS3NAL is now bilingual: a one-click RU / EN toggle switches the whole interface and most reference content.

What's new

  • Language toggle (RU / EN) in the top bar; choice is remembered.
  • English added for: the UI, payloads (~1500), GTFOBins (all 458), the command builder, Burp docs, wordlists, and all 70 operational checklists.
  • Checklist progress (your ticked items) is shared across both languages.
  • Russian README (README.ru.md) with a language switcher.
  • Per-locale data layer: works both in the local server build and the static GitHub Pages demo (data/ru + data/en).

Notes

  • The embedded CyberChef tool keeps its Russian-localized UI for now.
  • Payloads, commands and code stay technical / verbatim in both languages.

Live demo: https://inflictx.github.io/Arsenal/