soraf@kali:~$

$ whoami

$ cat role.txt

Security Researcher & Bug Bounty Hunter

$ cat status.txt

Breaking things responsibly since 2022

// About Me

Security Researcher with strong expertise in web application security and real-world vulnerability discovery. Demonstrated impact through responsible disclosure of security vulnerabilities for international organizations including UNESCO, World Health Organization, UNICEF, Adyen, the U.S. Department of Education, University of York, University of Sheffield, and Utrecht University.

Actively involved in penetration testing, security research, and vulnerability assessment with a strong focus on web-based attack vectors. Possesses solid reporting skills with the ability to clearly communicate technical findings and provide actionable remediation guidance.

Penetration Testing · Bug Bounty · CTF Player · Security Research · Responsible Disclosure

// Skills

Security Tools

Burp Suite · Metasploit · Nuclei · Nmap · Wireshark · OWASP ZAP · ffuf · Gobuster

Web Security

Cross-Site Scripting (XSS) · SQL Injection (SQLi) · Server-Side Request Forgery · Auth Bypass · Broken Access Control · Business Logic Testing · API Hacking

Active / Passive Recon

Subfinder · Amass · Httpx · Shodan · Assetfinder · Censys · GitHub Recon · Wayback Machine

Core concepts

Web Fundamentals · Linux Operations · JavaScript · Python Basics · OSI Model · Bash Scripting

// Hall of Fame & Recognition

Recognized for responsible vulnerability disclosure by international organizations

WHO Hall of Fame
World Health Organization

Received Hall of Fame recognition from WHO for responsibly reporting security vulnerabilities.

UNESCO Hall of Fame
UNESCO

Received Hall of Fame recognition from UNESCO for responsibly reporting security vulnerabilities.

UNICEF Hall of Fame
UNICEF

Received Hall of Fame recognition from UNICEF for responsibly reporting security vulnerabilities.

U.S. Dept. of Education Certificate of Recognition

U.S. Department of Education

Received Certificate of Recognition from the U.S. Dept. of Education for responsible disclosure.

University of Sheffield Hall of Fame

University of Sheffield

Received Hall of Fame recognition from the University of Sheffield for responsibly reporting security vulnerabilities.

University of York Hall of Fame

University of York

Received Hall of Fame recognition from the University of York for responsibly reporting security vulnerabilities.

// Projects & Tools

Real-world security research and tools

  ____ _               _          _ ____  
 / ___| |__   ___  ___| |_       | / ___| 
| |  _| '_ \ / _ \/ __| __|   _  | \___ \ 
| |_| | | | | (_) \__ \ |_   | |_| |___) |
 \____|_| |_|\___/|___/\__|   \___/|____/ 

GhostJS

A powerful Python-based security scanner that crawls domains to find JavaScript files and detects sensitive information like API keys, secrets, and hardcoded URLs using pattern matching and entropy analysis.

Problem Solved: Modern web applications often leak critical infrastructure data inside complex JavaScript bundles. GhostJS automates the deep extraction and analysis of these files across large attack surfaces into intuitive reports.
Python · Regex · Entropy Analysis · Automation
⚡ Fully automated detection & reporting
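An added example, not GhostJS's own code, showing the two detection approaches the project description names (fixed-format key patterns plus Shannon entropy over long string literals) run against a constructed JavaScript config snippet; the rule set, the 4.0-bit threshold and the sample values are assumptions chosen for illustration, and the scan is the kind of check a team can run on its own bundles before they ship.

```python
import math
import re
from collections import Counter

# Illustrative rules, not GhostJS's own: two well-known key formats plus a
# hardcoded-URL rule. Real scanners carry many more.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "hardcoded_url": re.compile(r"""https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'"`]*)?"""),
}
# Quoted JS string literals of 20+ token-like chars are entropy candidates.
STRING_LITERAL = re.compile(r"""["'`]([A-Za-z0-9+/=_\-]{20,})["'`]""")
ENTROPY_THRESHOLD = 4.0  # bits per char; assumed tuning value

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())

def scan_js(source: str) -> list[tuple[str, str]]:
    """Return (rule, value) findings for one JavaScript source text."""
    findings = []
    for rule, rx in PATTERNS.items():
        for m in rx.finditer(source):
            findings.append((rule, m.group(0)))
    flagged = {value for _, value in findings}
    for m in STRING_LITERAL.finditer(source):
        token = m.group(1)
        # Skip values a pattern rule already reported; keep only high-entropy
        # literals so low-entropy filler such as "aaaa..." is not flagged.
        if token in flagged or shannon_entropy(token) < ENTROPY_THRESHOLD:
            continue
        findings.append(("high_entropy_string", token))
    return findings

# Constructed sample bundle; the AWS key is AWS's documented example value.
SAMPLE_JS = """
const cfg = {
  endpoint: "https://api.example.internal:8443/v1",
  awsKey: "AKIAIOSFODNN7EXAMPLE",
  token: "hLk3zQ9vPb2xY7nR4tW8uJ1mA6cE0gD5fS",
  label: "aaaaaaaaaaaaaaaaaaaaaaaa",
};
"""
if __name__ == "__main__":
    for rule, value in scan_js(SAMPLE_JS):
        print(f"{rule:22} {value}")
```

The pattern rules catch keys with a known shape, while the entropy pass is what surfaces the opaque bearer token that no fixed pattern matches, at the cost of needing a threshold tuned against the bundle's own noise.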

React2Shell

A proof-of-concept automated vulnerability scanner and exploit tool designed to safely test environments for CVE-2025-55182 (React Server Components RCE). Includes multi-target scanning support.

Problem Solved: Verifying the true impact of supply-chain RCEs across massive deployments is highly complex manually. React2Shell automates secure, localized command testing (like `whoami`) across hundreds of assets quickly and silently.
Python · Exploit Dev · CVE-2025-55182
⚡ Multi-threaded RCE Validation
  ___                  ____                      _           
 / _ \  ___  _ __  ___/ ___|_ __ __ ___      _| | ___ _ __ 
| | | |/ _ \| '_ \/ __| |   | '__/ _` \ \ /\ / / |/ _ \ '__|
| |_| | (_) | |_) \__ \ |___| | | (_| |\ V  V /| |  __/ |   
 \___/ \___/| .__/|___/\____|_|  \__,_| \_/\_/ |_|\___|_|   
            |_|                                            

OopsCrawler

A Python-based recursive web crawler that scans websites for broken links, blocked paths, and HTTP errors. Generates detailed CSV reports for site maintenance.

Problem Solved: Manually checking every link on a large website for dead ends is impossible. OopsCrawler automates the entire process, recursively crawling domains and reporting only problematic links to ensure high availability.
Python · Requests · BeautifulSoup · Automation
⚡ High-speed recursive link validation

// Project Under Development

Currently architecting an impactful security solution designed to make a significant contribution to Bangladesh's cybersecurity ecosystem.

// CTF & Competitions

2026

HackerOne Bug Hunt

  • Finalist

2025

Technonext Cyber Invasion

  • Finalist

2025

DIU CyberCon National CTF

  • Finalist

2023

Bugcrowd Hacker Cup 3

  • Top 20 Team Position - Worldwide

// Certifications

Certified Web App Penetration Testing Apprentice (kWAPTA)

Knight Squad Academy

Web Application Security Fundamentals · Manual Web Penetration Testing · Access Control Flaws (IDOR) · Session Handling · Reconnaissance Techniques · Threat Modeling · Exploitation of XSS · Injection Attacks


Google Cybersecurity Professional Certificate

Coursera / Google

Ethical Hacking · Information Security · Information Security Management · Security Research · Vulnerability Assessment


CAPIJ — Certified API Hacking Junior

The XSS Rat

API Security · API Penetration Testing · API Testing · OWASP API Top 10 · Broken Object Level Authorization (BOLA) · Web API Vulnerabilities


Certified Cybersecurity Educator Professional (CCEP)

Red Team Leaders

Fundamentals & Network Security · Information Security Architecture · Identity & Access Management (IAM) · Offensive Security & Threat Modeling · Cloud Security · Cryptography · Leading Security Teams


Certified AppSec Practitioner v2 (CAP)

The SecOps Group

OWASP Top 10 · Manual Testing · API Testing · Secure Coding Principles · Ethical Hacking · Threat Assessment · Threat & Vulnerability Management · Cyber Threat Hunting (CTH)


Certified Network Security Practitioner (CNSP)

The SecOps Group

Information Security · Information Security Management · Network Security · Security Research · Web Application Firewalls

// Experience & Education

2022 — Present

Security Researcher & Bug Bounty Hunter

  • Reported vulnerabilities to UNESCO, WHO, UNICEF, Adyen, and the U.S. Dept. of Education with public recognition
  • Specialized in auth issues, access control flaws, misconfigurations, and insecure implementations
  • Performed reconnaissance, vulnerability analysis, exploitation, and validation
  • Produced detailed reports with PoC demonstrations and remediation guidance

2023 — Present

CTF Player (lazysharaf)

  • Competed in CTF challenges: web exploitation, reverse engineering, cryptography, OSINT
  • Developed custom Python & Bash scripts for exploitation and recon automation

2026

CTF Organizer — CSAD CSC CyberWar 2026

  • Organized university-wide CTF to promote cybersecurity awareness
  • Authored challenges in web security, cryptography, and real-world attack scenarios
  • Managed challenge deployment and infrastructure

// Get In Touch

Open to collaboration, bug bounty partnerships, and security consulting