TERRA ReconOS · Security Workspace Platform · Bug Bounty

Recon. Analyze. Own the surface.

31 passive scan modules across 6 categories. LLM-powered attack chain correlation. BuggyOS browser workspace with Terra Vault encrypted storage. All scan requests originate from your browser — your IP, your accountability.

31
Scan Modules
6
Module Categories
0
Server HTTP to target*
E2E
Encrypted Vault
TERRA ReconOS
terra reconos — security workspace v7.0 · 31 modules · buggyos + terra vault
How It Works

Four phases. One workspace.

From URL to actionable intelligence — all inside your browser.

01
🔍
Passive Recon
31 modules across 6 categories run in parallel from your browser. Headers, JS secrets, GraphQL, certificate transparency, Wayback, DOM security — all from your IP.
02
🧠
AI Analysis
Claude Haiku correlates findings into attack chains. Not just a list — a structured playbook with exploitability scores, false-positive flags, and next steps per finding.
03
BuggyOS Workspace
Browser-based OS environment. Manage findings, take notes, run recon tools, and store sensitive data — all inside a desktop-like workspace that runs in any browser.
04
🔐
Terra Vault
End-to-end encrypted local storage. API keys, credentials, and tokens stored with PBKDF2 + AES-256-GCM. Master password never leaves your device.
31 Passive Modules · 6 Categories

Everything runs
from your browser.

No server proxying. No shared IP. Scan data stays yours.

🛡️
Security Headers
CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy — weak value detection, not just presence.
core
🔍
JS Analysis
Extracts API endpoints, scans for 15 secret patterns — AWS keys, Stripe, JWT, Firebase, Slack. Low-FP tuning.
core
🔌
API Surface
GraphQL introspection, Swagger/OpenAPI discovery, JWT decode + algorithm audit, WebSocket detection.
core
🧬
Tech Fingerprint
30+ technology signals. EOL PHP detection, CMS identification, third-party tracker enumeration.
core
🧱
WAF Detection
12 WAF/CDN vendor signatures. Context-aware risk: no WAF + no headers = High. WAF detected = downgraded.
core
📂
Path Discovery
60+ paths in parallel batches. Critical findings GET-verified to eliminate HEAD false positives.
core
🔐
Auth Surface
Maps login, OAuth, SAML, 2FA endpoints. Detects missing CSRF. HTTP method audit (TRACE, DEBUG).
core
🔓
Info Leakage
14 DB error patterns, stack traces, path disclosure. SQLi via explicit error strings — no size comparison.
core
📜
Wayback History
5000 historical URLs via CDX API. Discovers old endpoints, parameter names, sensitive file extensions.
core
🔎
CT Subdomains
Certificate Transparency via crt.sh. Auto-categorizes dev, admin, CI/CD, database, VPN. Probes high-value subs.
core
📄
Security.txt & OIDC
RFC 9116 parser, bug bounty platform detection, .well-known/ exploration: OpenID config, JWKS, mobile associations.
core
🤖
AI Code Patterns
9 signature vulns in LLM-generated code: JWT algo confusion, placeholder creds, SQL concat, CORS reflection, path traversal.
AI-specific
🔒
SSL / TLS + DNS
Server-side TLS probes, cert expiry, weak keys. SPF, DMARC, CAA records. Dangling CNAME takeover detection.
server-side
Verification Pass
Post-scan accuracy layer: re-evaluates CORS, cookies, rate limit, path findings. Removes false positives, upgrades confirmed.
accuracy
🕵️
JS Secrets Deep
Extended secret scanning across all loaded JS bundles. Entropy analysis for high-confidence key detection.
extended
🗺️
Source Maps
Detects exposed .map files. Reconstructs original source structure, finds internal paths and comments.
extended
🔷
GraphQL Recon
Schema introspection, mutation enumeration, batching attack surface, subscription endpoint discovery.
extended
🌐
DOM Security
Client-side DOM XSS sinks, postMessage listeners, dangerous innerHTML usage, eval patterns.
extended
📡
HTTP Methods
Probes for TRACE, CONNECT, PUT, DELETE. Detects method override headers. DAV extension discovery.
extended
🎯
Subdomain Takeover
CNAME chain analysis against 30+ SaaS fingerprints. Detects dangling DNS pointing to unclaimed services.
extended
🪙
OAuth / JWT Audit
Token algorithm confusion detection, implicit flow risks, state parameter validation, PKCE enforcement check.
extended
🔌
WebSocket Recon
ws:// vs wss:// detection, origin policy audit, subprotocol enumeration, message format fingerprinting.
extended
🧩
SRI Integrity
Detects third-party scripts and stylesheets loaded without Subresource Integrity hashes.
extended
🚪
Exposed Panels
Admin, monitoring, CI/CD, and debug panel discovery. Grafana, Jenkins, Kibana, phpMyAdmin, Adminer.
extended
📁
File Exposure
Sensitive file discovery: backups, configs, logs, database dumps, compiled artifacts. 80+ path patterns.
extended
↔️
CORS Deep
Origin reflection testing, null origin bypass, credentials-allowed wildcard detection across all endpoints.
deep
📝
SSTI Indicators
Template injection surface detection via error fingerprinting. Identifies Jinja2, Twig, Freemarker, Velocity patterns.
deep
🎭
Favicon Hash
MMH3 favicon hashing for technology fingerprinting. Cross-references Shodan hash database.
deep
📦
XXE Surface
XML upload endpoint detection, Content-Type flexibility probing, entity processing indicator checks.
deep
↩️
CRLF Injection
Header injection surface via URL parameters, path segments, and redirect destinations.
deep
☠️
Cache Poisoning
Unkeyed header detection, cache key normalization issues, poisoning via Host header and X-Forwarded-Host.
deep
* SSL/TLS and DNS run server-side (require socket access). All other 29 modules run from your browser.
Expert AI Analysis

Findings are data.
Context is intelligence.

🧠 Claude Haiku

Attack chain correlation — not a checklist

Most scanners list findings independently. TERRA ReconOS correlates: .git exposed → source code → hardcoded credentials → admin panel. That's a critical attack chain, not three Medium findings.

The expert system also flags false positives — CORS wildcards on public CDN endpoints, or rate limit headers absent because Cloudflare handles it silently. Context matters.

6
Analysis layers
$0.002
Avg cost/scan
~8s
Analysis time
⛓ Attack Chain Example — Auto-Generated
C
.git/config accessible — full source code downloadable via git clone
H
Source analysis reveals hardcoded DB credentials in config/database.php
H
/phpmyadmin found accessible — DB management panel exposed
C
Full database compromise via credential reuse — CRITICAL chain
🎯 Next step: git clone https://target.com/.git, grep for DB_ variables, attempt phpmyadmin login.
BuggyOS · Browser Workspace

Your security workspace.
Runs in any browser.

A full desktop environment built into TERRA ReconOS. Manage findings, store secrets, run tools — no install, no setup.

🖥️
Full Desktop Environment
Window manager, taskbar, system tray, desktop icons, drag-and-drop file management. Runs entirely in your browser.
📁
Virtual File System
Persistent file manager backed by PHP. Create, edit, move, and organize your recon notes and findings as files.
💻
Built-in Terminal
Full terminal emulator with virtual filesystem commands. ls, cd, cat, mkdir, grep — for power users.
🧪
Bug Engine + Sandbox
Intentionally unstable OS simulator. Bugs are features. Perfect for learning how OS-level chaos affects security posture.
📦
App Launcher
Text editor, image viewer, PDF reader, music player, process manager, snapshot manager — all built-in apps.
⬡ Launch BuggyOS →
BUGGY/OS — Unstable Edition · v1.0
📁
Files
💻
Terminal
📝
Editor
🔐
Vault
📊
Monitor
📸
Snapshots
🎵
Player
⚙️
Settings
💻 Terminal
> ls /home
notes/ findings/ tools/
> cat findings/xss.txt
[CONFIRMED] XSS on /search
>
FilesTerminal
CPU 12%HP 94%09:41
Terra Vault · Encrypted Storage

Your secrets stay
on your device.

End-to-end encrypted local storage layer for API keys, tokens, and credentials. Server never sees your master password or plaintext data.

🔑
Master Password Auth
Create a master password on registration. Never stored anywhere. Used only to derive an encryption key on your device.
PBKDF2 (600,000 iterations)
SHA-256 hash function
Key derivation client-side only
🛡️
AES-256-GCM Encryption
Every secret encrypted with AES-256-GCM before it touches storage. Random 12-byte IV per secret. Authenticated encryption.
Encrypt: vault.setSecret("openai", key)
Decrypt: vault.getSecret("openai")
Apps never access crypto directly
🔷
Shape-Based Recovery
Forgot your master password? Recover using your email + the 4 geometric shapes you selected at registration. 10 shapes, pick 4.
10 shapes: Circle, Triangle, Square,
Rectangle, Rhombus, Trapezoid,
Pentagon, Hexagon, Star + more
15-minute recovery token
Comparison

Where TERRA fits.

Not a replacement for Burp. A smarter starting point — with a workspace built in.

Feature TERRA ReconOS Nikto Nuclei Burp Suite Pro Manual
Scan modules31 across 6 categories~40 checks1000+ templatesActive + passiveManual
Setup requiredBrowser onlyInstall + CLIInstall + templatesInstall + licenseNone
Scan origin IP✓ Your IPServer/VPSServer/VPSYour IPYour IP
LLM attack chain analysis✓ Claude Haiku
Browser workspace (OS)✓ BuggyOS
Encrypted secret storage✓ Terra Vault E2EPartialDIY
CT subdomain discovery✓ + categorizedTemplateManual
Wayback URL history✓ 5000 URLsPluginManual
False positive context✓ WAF/CORS awareHigh FPTemplate-dep.Manual reviewHuman
Active vulnerability testing✕ Passive only
CostAPI key onlyFreeFree$449/yrFree
Architecture

Hybrid by design.

Scan from your browser, store locally encrypted, correlate on server. Built for accountability.

🌐 Browser Scan Layer (your IP)
29 modules make direct HTTP requests from your browser. The target sees your IP — same as manual testing.
👤Your browser → target.com
📡Headers, JS, paths, certs, DOM
🌍archive.org (Wayback CDX)
🔎crt.sh (Certificate Transparency)
🧠api.anthropic.com (AI analysis)
✓ Your IP is logged per scan for full accountability
⚙️ Server + Local Storage Layer
2 modules require server-side execution. Vault secrets stored locally encrypted — server never sees plaintext.
🔒TLS socket → target:443 (cert, protocols)
🌍dns_get_record (SPF, DMARC, CAA)
💾Scan fingerprints → MariaDB
🔐Terra Vault → IndexedDB (AES-256-GCM)
BuggyOS → PHP virtual filesystem
Master key never stored — derived from password each session
TERRA RECONOS · v7.0

Start hunting smarter.

31 passive modules. AI attack chains. BuggyOS workspace.
Terra Vault encrypted storage. Everything in one platform.

Internal use only · Legal bug bounty targets only · Your IP is logged per scan