{"id":51355866,"url":"https://github.com/inflictx/Arsenal","last_synced_at":"2026-07-07T19:00:31.678Z","repository":{"id":367032486,"uuid":"1278099295","full_name":"inflictx/Arsenal","owner":"inflictx","description":"Offline-first, searchable arsenal for pentesting \u0026 bug bounty: payloads, a click-to-build command generator, GTFOBins, wordlists, embedded CyberChef, reverse shells, checklists \u0026 an engagement tracker.","archived":false,"fork":false,"pushed_at":"2026-07-01T15:49:05.000Z","size":72218,"stargazers_count":142,"open_issues_count":3,"forks_count":22,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-07-01T17:27:54.571Z","etag":null,"topics":["appsec","bug-bounty","ctf","cyberchef","gtfobins","infosec","offensive-security","payloads","pentesting","red-team","reverse-shell","security-tools"],"latest_commit_sha":null,"homepage":"https://inflictx.github.io/Arsenal/","language":"CSS","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/inflictx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-23T13:12:21.000Z","updated_at":"2026-07-01T15:49:07.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/inflictx/Arsenal","commit_stats":null,"previous_names":["inflictx/arsenal"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/inflictx/Arsenal","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inflictx%2FArsenal","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inflictx%2FArsenal/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inflictx%2FArsenal/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inflictx%2FArsenal/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/inflictx","download_url":"https://codeload.github.com/inflictx/Arsenal/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inflictx%2FArsenal/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35239467,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-07T02:00:07.222Z","response_time":90,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appsec","bug-bounty","ctf","cyberchef","gtfobins","infosec","offensive-security","payloads","pentesting","red-team","reverse-shell","security-tools"],"created_at":"2026-07-02T20:00:27.776Z","updated_at":"2026-07-07T19:00:31.672Z","avatar_url":"https://github.com/inflictx.png","language":"CSS","funding_links":[],"categories":["Lists of cyber security resources","Tools"],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003eARS3NAL\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\u003cb\u003eEnglish\u003c/b\u003e · \u003ca href=\"README.ru.md\"\u003eРусский\u003c/a\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cb\u003eA local, offline-first arsenal for pentesting \u0026amp; bug bounty.\u003c/b\u003e\u003cbr\u003e\n  Clickable attack chains, payloads, a click-to-build command generator, GTFOBins, ready-to-run\n  scripts, wordlists, an embedded CyberChef, reverse shells, a Burp reference, operational\n  checklists and an engagement tracker. One fast, searchable, editable app that runs on your machine.\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg alt=\"license\" src=\"https://img.shields.io/badge/license-GPL--3.0-496dff\"\u003e\n  \u003cimg alt=\"stack\" src=\"https://img.shields.io/badge/stack-Fastify%20%2B%20SQLite%20%2B%20Vite%20TS-8250df\"\u003e\n  \u003cimg alt=\"offline\" src=\"https://img.shields.io/badge/offline-first-22c55e\"\u003e\n  \u003cimg alt=\"ui\" src=\"https://img.shields.io/badge/UI-RU%20%2B%20EN-496dff\"\u003e\n  \u003cimg alt=\"docker\" src=\"https://img.shields.io/badge/self--host-docker%20compose-2496ed?logo=docker\u0026logoColor=white\"\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\u003cb\u003e▶ \u003ca href=\"https://inflictx.github.io/Arsenal/\"\u003eLive demo\u003c/a\u003e\u003c/b\u003e — runs entirely in your browser, nothing to install (your data stays in your browser).\u003c/p\u003e\n\n![ARS3NAL command builder — click flags, the command assembles itself](screenshots/commands.gif)\n\n\u003e No telemetry. No cloud. No account. Your data lives in a local SQLite file and never\n\u003e leaves the box. Stop juggling 30 browser tabs and a folder of `.md` cheatsheets.\n\n\u003e ⚠️ **For authorized security testing and education only.** See [Disclaimer](#-disclaimer).\n\n\u003e 🌐 **Bilingual (Russian / English)** — a one-click toggle switches the interface and most\n\u003e reference content (payloads, GTFOBins, commands, Burp docs, wordlists) between RU and EN.\n\u003e Payloads, commands and code themselves stay technical.\n\n---\n\n## ✨ Highlights\n\n### 🔗 Attack Chains: from a finding to impact, step by step *(new)*\n92 curated, clickable kill-chains across 11 categories (IDOR / access control, recon, injection,\nOAuth / SSO, SSRF, client-side XSS / CSRF, auth / 2FA / logic, file upload / LFI, API / GraphQL,\nmodern web, AI / LLM). Each chain is tagged by level (Newbie / Intermediate / Advanced) so a\nnewcomer can start easy and climb. Every step is a goal plus a concrete payload or command, with a\none-click jump straight into the matching Payloads / Scripts / Commands entry, and they are grounded\nin real CVEs and disclosed reports. Paste your two accounts, client_id or redirect_uri into the\ncontext tokens and the steps fill themselves in.\n\n### 🛰️ Recon Tools: Wayback CDX, IDN homograph email-ATO, dorks *(new)*\nThree offline recon crafters that only assemble what *you* run. A **Wayback CDX query builder**\n(match types, extension filters, presets) with copy-paste post-processing recipes (gau/waybackurls\nharvest, `uro` dedup, `gf` classification, `id_` deleted-file recovery, PDF secret scan). An **IDN\nhomograph generator** for 0-click account takeover via punycode email: it crafts the domain-part and\nusername-part look-alikes plus their on-the-wire form and the full attack workflow, with a defensive\nanalyzer that decodes `xn--` and flags confusables. And a **dork builder** with 20 Google categories\nplus GitHub code-search and Shodan pivots.\n\n\u003cp\u003e\n  \u003cimg src=\"screenshots/recon.png\" width=\"49%\" alt=\"Wayback CDX query builder\"\u003e\n  \u003cimg src=\"screenshots/recon-homograph.png\" width=\"49%\" alt=\"IDN homograph email-ATO generator\"\u003e\n\u003c/p\u003e\n\n### 🧰 Offline attack labs: OAuth/SSO + JWT *(new)*\nInteractive crafters that assemble, never fire. The OAuth / SSO Lab builds a malicious `/authorize`\nURL (redirect_uri bypass, PKCE downgrade, state/CSRF, token leak, nOAuth) you paste into Burp. The\nJWT Workshop decodes a token and forges it in the browser: alg:none, RS256 to HS256 key confusion,\nkid path-traversal / SQLi, re-sign with a weak secret.\n\n### 📝 Report Templates *(new)*\nPer-class report skeletons (IDOR, OAuth ATO, SSRF, XSS, SQLi, RCE, auth, LLM and more) with a CWE\nand a pre-filled CVSS:3.1 vector. The active engagement target and your context tokens substitute\ninto the text; copy the whole report or export it to `.md`.\n\n### 🛠️ Command builder — assemble commands by clicking flags\nThe headline feature. Pick a tool, toggle the flags you want, and the command assembles\nitself with **verified, documented flags** (each flag is explained, RU/EN). Set your\n**Target / LHOST once** in the top bar and it's substituted into *every* tool's examples\nlive — no more find-and-replace on `10.10.x.x`. Save assembled commands to your own\n**“Готовые команды”** library (persists in the DB, drag-to-reorder). 59 tools have the\nbuilder (nmap, ffuf, sqlmap, gobuster, hashcat, …); the rest are rich Markdown references.\n\n![Command builder with nmap](screenshots/commands.png)\n\n### ⌨️ One search across everything\nA ⌘K palette that searches **every** payload, command, GTFOBin, wordlist and doc at once\n(SQLite FTS5), so you find the thing without remembering which module it lives in.\n\n![Global search — type once, jump straight to the result](screenshots/search.gif)\n\n### ⚡ Curated payloads — 63 categories\nHand-curated from PayloadsAllTheThings (~1500 entries): detection-first ordering, real\ncopy-ready payloads, diagrams and tables, with tips (RU/EN). Not a noisy auto-dump.\n\n![Payloads](screenshots/payloads.gif)\n\n### 📜 Scripts — 110 ready-to-run scripts *(new in 1.0)*\nFull copy-paste-and-run scripts (Python / Bash / JS / HTML PoC) across 27 categories, not\none-liners: boolean / time / error / UNION blind SQLi extractors, JWT forging, SSRF \u0026amp; XXE\nout-of-band listeners, IDOR matrices, recon pipelines, cloud / k8s probes, CVE PoCs and more.\nFilter by group and language; each script lists its dependencies, parameters and safety\nbadges (destructive / paid / root). All original code, RU / EN.\n\n### 🧪 CyberChef — embedded \u0026amp; offline\nThe full official CyberChef build, embedded right in the app, re-themed to match and with\nits UI localized to Russian. Encode, decode and crypto right inside ARS3NAL, offline.\n\n![Embedded CyberChef](screenshots/cyberchef.png)\n\n### 🐧 GTFOBins — all 458, RU / EN\nEvery GTFOBins binary with function/context filter chips (shell, file-read, sudo, SUID…)\nand technique notes in Russian and English.\n\n![GTFOBins](screenshots/gtfobins.png)\n\n### 🐚 Reverse-shell generator\nrevshells.com-grade: reverse / bind / msfvenom / listeners, with shell and encoding\nselectors (base64 / URL / PowerShell). Your LHOST is shared with the rest of the app.\n\n![Reverse shell generator](screenshots/revshell.png)\n\n### ☑️ Operational checklists\n70 per-vulnerability checklists (web + AD / cloud / priv-esc / pivoting) you tick off —\nprogress persists — with a research panel and inline ⚡ payload cross-links per item.\n\n![Checklists](screenshots/checklists.gif)\n\n### 🎯 Engagements \u0026amp; findings\nA per-target workspace: host / LHOST / scope / notes + a findings tracker (severity,\nstatus, repro) + **Markdown report export**. The active target feeds `{TARGET}` / `{LHOST}`\ninto the command builder and reverse-shell generator.\n\n![Engagements](screenshots/engagements.png)\n\n### 📚 Wordlists reference \u0026amp; 🟠 Burp reference\nA curated guide to the top wordlists (canonical paths + GitHub links + “what each is for”),\nand a reference for the Burp Suite desktop workflow (RU/EN).\n\n\u003cp\u003e\n  \u003cimg src=\"screenshots/wordlists.png\" width=\"49%\" alt=\"Wordlists\"\u003e\n  \u003cimg src=\"screenshots/burp.png\" width=\"49%\" alt=\"Burp reference\"\u003e\n\u003c/p\u003e\n\nPlus **Notes** (personal Markdown), **Favorites** (★ across every module) and **Backup**\n(export/import your personal layer as one JSON; restoring never touches the bundled reference content).\n\n---\n\n## 🚀 Run\n\n**Two ways:** the [**live demo**](https://inflictx.github.io/Arsenal/) runs client-only in your\nbrowser (reference content is bundled; your notes/targets/progress live in the browser's\nIndexedDB). For the full local app with your own SQLite database and editable content, run it\nyourself:\n\nDouble-click **`start.bat`** (first run installs deps, seeds the DB and builds the UI),\nthen open \u003chttp://localhost:7331\u003e.\n\nOr manually (Node.js 18+):\n\n```bash\nnpm install\nnpm run seed     # one-time: build data/arsenal.db from the bundled sources\nnpm run build\nnpm run start    # http://localhost:7331\n```\n\nOr with **Docker** (only Docker itself required):\n\n```bash\ndocker compose up -d        # build + run in the background\n# open http://localhost:7331\ndocker compose down         # stop; your data stays in the named volume\n```\n\nThe image seeds the content DB on first run; your custom entries, notes and favorites persist in the `arsenal-data` volume across restarts. To use a different port, edit `docker-compose.yml` and add the new `host:port` to `ALLOWED_HOSTS` so the built-in local-only guard allows it.\n\nDev mode: `npm run dev` (Vite + Fastify with live reload). Tests: `npm test`.\n\n## 🗂️ Layout\n\n- `server/` — Fastify API + SQLite (better-sqlite3, FTS5)\n- `seed/` — parsers that build the DB (curated payloads, checklists, commands, Burp docs, GTFOBins, wordlist refs)\n- `web/` — Vite + vanilla-TypeScript SPA (no framework)\n- `data/arsenal.db` — **your** data; custom entries, notes, engagements and checklist progress are never overwritten by re-seeding, and the DB is git-ignored so nothing personal is ever published.\n\n## 🔒 Privacy\n\nEverything is local. Notes, targets, findings and saved commands live only in\n`data/arsenal.db` (git-ignored). The seed pipeline rebuilds all *reference* content from\nsource, so ignoring the DB loses nothing.\n\n## ⚖️ Disclaimer\n\nARS3NAL is a reference and productivity tool for **authorized** security testing,\n**CTF/learning**, and defensive research. Use it **only** against systems you own or have\nexplicit written permission to test. You are solely responsible for your actions and for\ncomplying with all applicable laws. The authors accept no liability for misuse or damage.\nFull text: [`DISCLAIMER.md`](DISCLAIMER.md).\n\n## 🙏 Acknowledgements\n\nARS3NAL is mostly a fast, offline, searchable front-end over other people's excellent work.\nHuge thanks to:\n\n- **[GTFOBins](https://github.com/GTFOBins/GTFOBins.github.io)** — Unix binary abuse techniques *(GPL-3.0)*\n- **[PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)** by swisskyrepo \u0026amp; contributors — payloads, methodology, diagrams *(MIT)*\n- **[reverse-shell-generator](https://github.com/0dayCTF/reverse-shell-generator)** by Ryan Montgomery / 0dayCTF — reverse/bind/msfvenom/listener data *(MIT)*\n- **[CyberChef](https://github.com/gchq/CyberChef)** by GCHQ — embedded offline build *(Apache-2.0)*\n- **[SecLists](https://github.com/danielmiessler/SecLists)** by Daniel Miessler — wordlist references *(MIT)*\n- **[Burp Suite documentation](https://portswigger.net/burp/documentation)** by PortSwigger — basis for the Burp reference module\n- **[Open Sans](https://fonts.google.com/specimen/Open+Sans)** *(Apache-2.0)* and **[Source Code Pro](https://github.com/adobe-fonts/source-code-pro)** by Adobe *(SIL OFL-1.1)* — fonts\n\nFull per-source license details: [`THIRD_PARTY.md`](THIRD_PARTY.md).\n\n## 📄 License\n\n**GPL-3.0** (see [`LICENSE`](LICENSE)) — required because ARS3NAL bundles GPL-3.0 GTFOBins data.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finflictx%2FArsenal","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finflictx%2FArsenal","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finflictx%2FArsenal/lists"}