ARS3NAL v1.1.0 — Attack Chains, offline labs, EN content
Offline arsenal for pentesters and bug bounty hunters. Fully offline, RU/EN.
New: Attack Chains
92 leveled kill-chains across 11 domains (injection, access control, recon, OAuth/SSO, SSRF, client-side, auth/2FA logic, file upload, API/GraphQL, modern web, AI/LLM). Each step expands the matching payload / script / command / checklist inline and deep-links into the right module. Difficulty levels (Newbie / Intermediate / Advanced), target-context tokens, step progress, collapsible domain tree, search highlight, keyboard nav, and alternative/branch step markers.
New: offline labs and templates
- OAuth / SSO Lab — assemble an
/authorizeURL and apply attack vectors that actually mutate it. - JWT Workshop — client-side WebCrypto crafter: alg:none, RS256->HS256 confusion, kid/jku tricks, HS256 sign, with a stale-token indicator.
- Report Templates — per-class skeletons with CWE + CVSS, severity filter, copy / export .md, and unfilled-token highlighting.
Bilingual
Attack Chains and Report Templates now ship full English content (RU/EN toggle).
Correctness and fixes
- Inline matches are now exact-or-note: no more irrelevant payload/checklist/script surfacing in a step.
- Cmd-K opens chains and report templates directly.
- Fixed broken Python RCE payloads (
__include__->__import__) and a non-executing/etc/passwdprivesc payload.
Live demo: https://inflictx.github.io/Arsenal/