Skip to content

ARS3NAL v1.1.0 — Attack Chains, offline labs, EN content

Choose a tag to compare

@inflictx inflictx released this 29 Jun 05:46

Offline arsenal for pentesters and bug bounty hunters. Fully offline, RU/EN.

New: Attack Chains

92 leveled kill-chains across 11 domains (injection, access control, recon, OAuth/SSO, SSRF, client-side, auth/2FA logic, file upload, API/GraphQL, modern web, AI/LLM). Each step expands the matching payload / script / command / checklist inline and deep-links into the right module. Difficulty levels (Newbie / Intermediate / Advanced), target-context tokens, step progress, collapsible domain tree, search highlight, keyboard nav, and alternative/branch step markers.

New: offline labs and templates

  • OAuth / SSO Lab — assemble an /authorize URL and apply attack vectors that actually mutate it.
  • JWT Workshop — client-side WebCrypto crafter: alg:none, RS256->HS256 confusion, kid/jku tricks, HS256 sign, with a stale-token indicator.
  • Report Templates — per-class skeletons with CWE + CVSS, severity filter, copy / export .md, and unfilled-token highlighting.

Bilingual

Attack Chains and Report Templates now ship full English content (RU/EN toggle).

Correctness and fixes

  • Inline matches are now exact-or-note: no more irrelevant payload/checklist/script surfacing in a step.
  • Cmd-K opens chains and report templates directly.
  • Fixed broken Python RCE payloads (__include__ -> __import__) and a non-executing /etc/passwd privesc payload.

Live demo: https://inflictx.github.io/Arsenal/