RACON (The Stealthy Bandit Recon) is a Chrome extension designed for lightweight web reconnaissance and quick detection of potential security issues directly from the browser.
RACON follows a defensive-first approach:
- No active exploitation
- No sending of harmful payloads
- No modification of target systems
- No brute-force or automated attacks
All operations are performed using:
- public information
- browser responses
- client-side configuration
- and artifacts intentionally exposed to users
RACON is a practical, read-only reconnaissance tool; it is not a simulation and does not fabricate findings.
RACON is intended for education, self-audit, and raising web security awareness. Any use without explicit authorization from the system owner, or for illegal purposes, is strictly the user's responsibility.
Use only on systems that you own, manage, or have written permission to audit.
Many web security incidents are caused by misconfiguration, exposed information, or basic oversights — not advanced exploits.
RACON aims to provide fast visibility into an application's attack surface without heavy tools, leaving the browser, or moving into active exploitation.
Primary goals:
- Support safe, early-stage reconnaissance
- Increase awareness for developers & security teams
- Ease light audits before deeper testing
- Provide an educational, transparent tool
RACON is not an exploit framework — it is an observation tool.
RACON provides 12 main modules:
- Tech Stack Detection — Identify frameworks, libraries, and technologies.
- CMS Detection — Detect common CMS (e.g., WordPress).
- Subdomain Enumeration — Collect publicly-known subdomains.
- Endpoint Discovery — Find API endpoints and internal URLs.
- External Assets Listing — List third-party domains and services.
- Email Extraction — Extract exposed public email addresses.
- SQL Injection Indicator — Flag patterns that suggest SQL injection risk, without sending any payloads.
- XSS Indicator — Find potential XSS sinks and inputs reflected into the page.
- Sensitive Files Check — Check for the presence of sensitive files (.env, .git, .bak, etc.).
- API Key Detection — Detect possible client-side API key leaks in scripts and page content.
- Security Headers Audit — Audit response headers (CSP, HSTS, X-Frame-Options, etc.).
- Cookie Security Audit — Analyze cookie attributes (HttpOnly, Secure, SameSite).
All modules are read-only and non-intrusive: they change nothing on the target. Note that a presence check such as the Sensitive Files Check still issues ordinary requests, so it will appear in the target's access logs like any other browser traffic.
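To make the last two modules concrete, the following is an added example (not RACON's own code) of a read-only audit of the kind the Security Headers Audit and Cookie Security Audit describe. It takes response headers the browser has already received as a plain object of lower-cased names to values, plus the raw Set-Cookie values; how RACON itself obtains them (e.g. via fetch() or chrome.webRequest) is not shown on this page and is not assumed here. The sample response at the bottom is constructed for offline use, not captured from any real site.

```javascript
// Added example, not part of the RACON extension. Read-only audit of
// response headers and Set-Cookie attributes: it inspects a response the
// browser already has and never sends anything to the target.

// Headers whose absence is reported. Names are lower-cased, as Headers
// objects and chrome.webRequest both normalise them.
const REQUIRED_HEADERS = [
  "content-security-policy",
  "strict-transport-security",
  "x-frame-options",
  "x-content-type-options",
  "referrer-policy",
];

const ONE_YEAR_SECONDS = 31536000;

// Return the CSP directive that governs scripts: script-src if present,
// otherwise the default-src fallback, otherwise an empty string.
function scriptDirective(csp) {
  const directives = csp.split(";").map((d) => d.trim());
  return (
    directives.find((d) => d.startsWith("script-src")) ||
    directives.find((d) => d.startsWith("default-src")) ||
    ""
  );
}

// Audit security headers. `headers` maps lower-cased header name -> value.
// Returns a list of { header, issue } findings (empty means nothing flagged).
function auditSecurityHeaders(headers) {
  const findings = [];
  for (const name of REQUIRED_HEADERS) {
    if (!(name in headers)) findings.push({ header: name, issue: "missing" });
  }

  const csp = headers["content-security-policy"];
  if (csp) {
    const scripts = scriptDirective(csp);
    // 'unsafe-inline' or a bare wildcard in the script directive removes
    // most of the XSS protection CSP is supposed to provide.
    if (/'unsafe-inline'/.test(scripts)) {
      findings.push({ header: "content-security-policy", issue: "script sources allow 'unsafe-inline'" });
    }
    if (/(^|\s)\*(\s|$)/.test(scripts)) {
      findings.push({ header: "content-security-policy", issue: "script sources allow *" });
    }
  }

  const hsts = headers["strict-transport-security"];
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < ONE_YEAR_SECONDS) {
      findings.push({ header: "strict-transport-security", issue: `max-age ${maxAge} is below one year` });
    }
    if (!/includeSubDomains/i.test(hsts)) {
      findings.push({ header: "strict-transport-security", issue: "includeSubDomains not set" });
    }
  }
  return findings;
}

// Parse one Set-Cookie value into its name and a map of lower-cased
// attribute names to values (flag attributes such as HttpOnly map to true).
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(";").map((s) => s.trim());
  const eqIdx = pair.indexOf("=");
  const name = eqIdx === -1 ? pair : pair.slice(0, eqIdx).trim();
  const attributes = {};
  for (const a of attrs) {
    const eq = a.indexOf("=");
    const key = (eq === -1 ? a : a.slice(0, eq)).trim().toLowerCase();
    attributes[key] = eq === -1 ? true : a.slice(eq + 1).trim();
  }
  return { name, attributes };
}

// Audit a list of Set-Cookie values for missing HttpOnly / Secure / SameSite.
// Returns [{ cookie, issues: [...] }] for every cookie with at least one issue.
function auditCookies(setCookieValues) {
  const findings = [];
  for (const v of setCookieValues) {
    const { name, attributes } = parseSetCookie(v);
    const issues = [];
    if (!attributes.httponly) issues.push("missing HttpOnly");
    if (!attributes.secure) issues.push("missing Secure");
    const sameSite = typeof attributes.samesite === "string" ? attributes.samesite.toLowerCase() : null;
    if (!sameSite) issues.push("missing SameSite");
    // Browsers reject SameSite=None cookies that are not also Secure.
    else if (sameSite === "none" && !attributes.secure) issues.push("SameSite=None without Secure");
    if (issues.length) findings.push({ cookie: name, issues });
  }
  return findings;
}

// Constructed sample response (not from any real site) to run offline.
const SAMPLE_HEADERS = {
  "content-type": "text/html",
  "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "strict-transport-security": "max-age=86400",
  "x-content-type-options": "nosniff",
};
const SAMPLE_SET_COOKIE = [
  "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "tracker=xyz; Path=/; SameSite=None",
];

console.log(auditSecurityHeaders(SAMPLE_HEADERS));
console.log(auditCookies(SAMPLE_SET_COOKIE));
```

On the constructed sample this reports two missing headers (X-Frame-Options, Referrer-Policy), a CSP that allows inline scripts, an HSTS max-age well below a year without includeSubDomains, and a `tracker` cookie that lacks HttpOnly and Secure while setting SameSite=None; the `session` cookie passes. The audit is purely a function of the response text, which is what keeps it in the read-only category the page describes.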
- Clone or download the repository.
- Open Chrome and go to chrome://extensions/
- Enable Developer Mode.
- Click Load unpacked.
- Select the RACON folder.
- The extension is ready to use.
- Visit a target website.
- Click the RACON icon in the Chrome toolbar.
- Run the desired module(s).
- Review the displayed results.
- Use results for audits, documentation, or learning.
If you find RACON useful, consider supporting its development via donation.
Your support helps keep the project maintained and improved.
This project is released under the MIT License.
🦝 Recon smart. Stay stealthy.
Built by Muh. Agus Tri Ananda
