Security & Red Team
ilusm ships offensive modules. Here is why, what they do, and the rules for using them.
Authorized use only. These modules are for security professionals, researchers, and students working on systems they own or have explicit written permission to test. Unauthorized use is illegal and unethical. ilusm and its contributors bear no responsibility for misuse.
Why ilusm ships offensive modules
ilusm is a general-purpose language with a bias toward backend, network, and security tooling. Security professionals need the same quality of tooling as web developers. Hiding these capabilities behind a separate install or pretending they do not exist does not make anyone safer - it just makes the tools worse.
Every offensive module in ilusm is:
- Documented with the same care as `txt` or `json`
- Flagged with a `# dual-use` comment in the source
- Covered by the responsible use policy below
- Taught in context - general-purpose lessons first
Responsible use policy
- Get written permission before testing any system you do not own.
- Scope your work. Only test what is explicitly in scope.
- Report findings. Disclose vulnerabilities to the affected party.
- Do not weaponize. Do not use these tools to cause harm, disrupt services, or steal data.
- Understand the law. Computer fraud laws vary by jurisdiction. Know yours.
Module index
Web AppSec
| Module | Ships | Description |
|---|---|---|
| xss | shipped | XSS payload generation and detection |
| sqli | shipped | SQL injection payload helpers |
| csrf | shipped | CSRF token analysis |
| cors | shipped | CORS misconfiguration detection |
| hdr | shipped | HTTP header analysis |
| auth | shipped | Authentication helpers |
Recon & OSINT
| Module | Ships | Description |
|---|---|---|
| osint | shipped | OSINT / open source intelligence |
| dns | shipped | DNS lookup, zone transfer, subdomain enum |
| whois | shipped | WHOIS lookup |
| scan | shipped | Port scanning helpers |
| geo | shipped | IP geolocation |
Binary & memory
| Module | Ships | Description |
|---|---|---|
| bin | shipped | Binary data manipulation |
| asm | shipped | Assembly helpers |
| ffi | shipped | Foreign function interface |
| mal | shipped | Malware analysis helpers |
| det | shipped | Detection / AV evasion analysis |
Cryptography
| Module | Ships | Description |
|---|---|---|
| cry | shipped | Hashing, HMAC, symmetric encryption |
| cryx | shipped | Extended crypto: RSA, ECC, DH |
| crya | shipped | Asymmetric crypto helpers |
| jwt | shipped | JWT encode/decode/verify |
| kylg | shipped | Key logging (authorized testing) |
Network & protocol
| Module | Ships | Description |
|---|---|---|
| net | shipped | HTTP client |
| icmp | shipped | ICMP / ping |
| dos | shipped | DoS testing helpers (authorized only) |
| c2 | shipped | C2 framework helpers (authorized only) |
Fuzzing
| Module | Ships | Description |
|---|---|---|
| fuzz | shipped | Fuzzing harness and mutation engine |
| fuz | shipped | Fuzzy string matching |
Teaching guidelines
When teaching security with ilusm:
- Start with the general-purpose lesson (e.g., "how HTTP works") before the offensive application
- Always include the authorization requirement in the lesson
- Use lab environments (VMs, CTF platforms, intentionally vulnerable apps)
- Pair every attack technique with its defensive countermeasure
Reporting vulnerabilities in ilusm
If you find a security issue in ilusm itself (the runtime, compiler, or stdlib), do not open a public issue. Contact the maintainers directly. See Legal for the disclosure process.