Releases: inflictx/Arsenal
v1.2.1 - HIGH + MEDIUM content backlog
v1.2.1 - HIGH + MEDIUM bug-bounty content backlog
New payload cards and ready-to-run scripts, both locales (RU + EN).
CVE payload cards + PoC scripts
- React2Shell - unauth RSC Flight RCE (CVE-2025-55182)
- PDF.js FontMatrix JS execution on PDF render (CVE-2024-4367)
- Grafana "Ghost" - client-side traversal -> plugin XSS -> ATO (CVE-2025-4123)
Payloads
- Swagger UI ?configUrl= DOM-XSS via a remote spec
- PasteJacking / clipboard blind XSS
- Google / Gemini API-key abuse (validate, billable call, referrer/app bypass)
Recon / discovery scripts
- Swagger configUrl probe + WordPress XML-RPC abuse (API scripts)
- IIS 8.3 short-name enumeration (discovery)
- S3-URL-from-JS harvester (origin & buckets)
- waymore pipeline (wayback / archive)
Seed: 5294 entries. All gates green (tsc 0 errors, vitest 18/18, server + static builds). The live demo auto-redeploys to GitHub Pages.
v1.2.0: Recon Tools
🛰️ Recon Tools: a new offline recon crafters tab
A new Recon Tools module (#/recon) with three offline crafters that only ASSEMBLE what you run yourself (the app never touches the network):
- Wayback CDX query builder: match types, extension filters and presets, plus copy-paste post-processing recipes (gau/waybackurls harvest, uro dedup, gf classification, id_ deleted-file recovery, PDF secret scan).
- IDN homograph generator: 0-click account takeover via punycode email. Crafts domain-part and username-part look-alikes with the on-the-wire form and the full attack workflow, plus a defensive analyzer that decodes xn-- and flags confusable characters.
- Dork builder: 20 Google dork categories + GitHub code-search + Shodan pivots, with a multi-engine Open and a custom builder.
Bilingual RU/EN, standard Copy buttons, wrapped in the shared lab container. Content researched and verified (CDX semantics against the wayback CDX source; confusable code points and xn-- examples against Python unicodedata/punycode; dork operators against each engine's current docs).
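The defensive half of the IDN homograph crafter (decode the xn-- form, flag confusables) is the part a defender can reproduce with nothing but the Python standard library. The block below is an added example written for this page, not Arsenal's own analyzer: it uses the stdlib idna codec for the on-the-wire form and unicodedata for character names. The script detection (first word of the Unicode character name) and the CONFUSABLES map (a small constructed subset of the Unicode confusables table) are simplifications assumed for the example; the sample domain is constructed.

```python
# Added example (not the project's code): defensive IDN homograph analyzer.
# Decodes punycode labels and flags look-alike / mixed-script characters.
import unicodedata

# Constructed subset of look-alike pairs. The real Unicode confusables table
# (confusables.txt) is far larger; this is enough to demonstrate the check.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def to_wire(domain: str) -> str:
    """Unicode domain -> on-the-wire ASCII form (xn-- labels) via the stdlib idna codec."""
    return domain.encode("idna").decode("ascii")


def from_wire(domain: str) -> str:
    """ASCII domain (with or without xn-- labels) -> Unicode form.

    Raises UnicodeError on malformed punycode, which is itself worth logging.
    """
    return domain.encode("ascii").decode("idna")


def script_of(ch: str) -> str:
    """Crude script name: first word of the Unicode name (LATIN, CYRILLIC, GREEK, ...).

    Assumption for this example; a production check would use the Unicode
    Scripts property instead of parsing character names.
    """
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def analyze(domain: str) -> dict:
    """Decode a domain and report why it might be a homograph of an ASCII brand."""
    unicode_form = from_wire(domain) if domain.isascii() else domain
    findings = []
    for label in unicode_form.split("."):
        # 1. Mixed scripts inside one label (e.g. Latin + Cyrillic) is the classic tell.
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            findings.append(f"{label}: mixed scripts {sorted(scripts)}")
        for c in label:
            # 2. Known look-alike code points.
            if c in CONFUSABLES:
                findings.append(
                    f"{label}: U+{ord(c):04X} ({unicodedata.name(c)}) looks like '{CONFUSABLES[c]}'"
                )
            # 3. Characters that change under NFKC (fullwidth forms, ligatures, ...).
            elif unicodedata.normalize("NFKC", c) != c:
                findings.append(f"{label}: U+{ord(c):04X} changes under NFKC")
    # "Skeleton": fold known confusables to ASCII so it can be compared with a brand list.
    skeleton = "".join(CONFUSABLES.get(c, c) for c in unicode_form)
    return {
        "wire": to_wire(unicode_form),
        "unicode": unicode_form,
        "skeleton": skeleton,
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample: "paypal" with the first "a" replaced by Cyrillic а (U+0430).
    for d in (to_wire("p\u0430ypal.example"), "paypal.example"):
        r = analyze(d)
        print(f"{r['wire']} -> {r['unicode']} | suspicious: {r['suspicious']} | skeleton: {r['skeleton']}")
        for f in r["findings"]:
            print("   ", f)
```

Run it against whatever you have on the wire (mail sender domains, Host headers, certificate SANs): an xn-- label whose skeleton matches one of your own brand names is the case worth alerting on.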
Also since v1.1.0
- Localized the Copy / Copied confirmation (RU/EN).
- Large deep-audit and content-correctness pass: ranker overhaul, ~60 payload / checklist / chain fixes, reverse-shell byte-encoding, DNS-rebinding guard, payload-shaped CVE additions.
All gates green: tsc, vitest 18/18, server and static builds. The live demo auto-redeploys to GitHub Pages.
ARS3NAL v1.1.0 — Attack Chains, offline labs, EN content
Offline arsenal for pentesters and bug bounty hunters. Fully offline, RU/EN.
New: Attack Chains
92 leveled kill-chains across 11 domains (injection, access control, recon, OAuth/SSO, SSRF, client-side, auth/2FA logic, file upload, API/GraphQL, modern web, AI/LLM). Each step expands the matching payload / script / command / checklist inline and deep-links into the right module. Difficulty levels (Newbie / Intermediate / Advanced), target-context tokens, step progress, collapsible domain tree, search highlight, keyboard nav, and alternative/branch step markers.
New: offline labs and templates
- OAuth / SSO Lab — assemble an /authorize URL and apply attack vectors that actually mutate it.
- JWT Workshop — client-side WebCrypto crafter: alg:none, RS256->HS256 confusion, kid/jku tricks, HS256 sign, with a stale-token indicator.
- Report Templates — per-class skeletons with CWE + CVSS, severity filter, copy / export .md, and unfilled-token highlighting.
Bilingual
Attack Chains and Report Templates now ship full English content (RU/EN toggle).
Correctness and fixes
- Inline matches are now exact-or-none: no more irrelevant payload/checklist/script surfacing in a step.
- Cmd-K opens chains and report templates directly.
- Fixed broken Python RCE payloads (__include__ -> __import__) and a non-executing /etc/passwd privesc payload.
Live demo: https://inflictx.github.io/Arsenal/
ARS3NAL v1.0.0
First stable release. ARS3NAL is an offline arsenal for pentesters and bug bounty hunters: payloads, click-to-build commands, GTFOBins, scripts, checklists, and one search across everything. Fully offline, RU/EN.
What's new in 1.0
📜 Scripts module
110 full, copy-paste-and-run pentest scripts (Python / Bash / JS / HTML PoC) across 27 categories: boolean / time / error / UNION blind SQLi extractors, JWT forging, SSRF & XXE OOB listeners, IDOR matrices, recon pipelines, cloud / k8s probes, CVE PoCs and more. Filterable by group and language, each with its dependencies, parameters and safety badges. RU and EN.
⭐ Favorites everywhere
Star any payload, command, GTFOBin, script or Burp page from its reader and find it all under Favorites.
🎯 Consistent target substitution
Set your target / LHOST once; {TARGET}/{LHOST}, the *_IP placeholders and example hosts now resolve the same way across Payloads and Commands.
💾 Safer backups
A backup now contains only your personal layer (custom entries, favorites, notes, checklist progress, engagements). Restoring no longer wipes the bundled reference content.
Plus a pass of UX and audit fixes
- Copy buttons fixed on long, horizontally-scrolling code blocks.
- Checklist payload suggestions reworked for better coverage and fewer duplicates.
- Recon command builders, command-builder mode fixes, the command palette opens Scripts and Notes, and many smaller fixes throughout.
Live demo: https://inflictx.github.io/Arsenal/
v0.3.0 — editable cards, target substitution, merge import, new content
Editable personal layer, smarter target substitution, merge-import backups, and new content.
- Create / edit / delete reference cards (payloads), "only mine" filter, mine badge. Edits survive re-seed (is_custom).
- Backup: new Merge mode (add a backup's personal data without wiping current), with dedup, alongside Replace.
- Target substitution: set TARGET/LHOST once, example hosts in payloads are rewritten to them (with a target badge), in sync with Commands / RevShell / Engagements.
- New content (RU + EN): Subdomain Takeover, Web Cache Poisoning, hashcat cracking-rules reference.
- Hardening: input validation (no 500s on junk ids/bodies), findings->targets FK cascade, safe JSON parsing.
- Quality: cleared all strict TypeScript errors; added typecheck + unit-test gates to CI.
Audited (logic/UI + architecture): no critical or high-severity bugs; httpApi/localApi parity verified; bilingual i18n complete.
v0.2.0 - Bilingual (RU / EN)
ARS3NAL is now bilingual: a one-click RU / EN toggle switches the whole interface and most reference content.
What's new
- Language toggle (RU / EN) in the top bar; choice is remembered.
- English added for: the UI, payloads (~1500), GTFOBins (all 458), the command builder, Burp docs, wordlists, and all 70 operational checklists.
- Checklist progress (your ticked items) is shared across both languages.
- Russian README (README.ru.md) with a language switcher.
- Per-locale data layer: works both in the local server build and the static GitHub Pages demo (data/ru + data/en).
Notes
- The embedded CyberChef tool keeps its Russian-localized UI for now.
- Payloads, commands and code stay technical / verbatim in both languages.
Live demo: https://inflictx.github.io/Arsenal/