
Profile

  • Seokchan Yoon (known as @ch4n3.yoon or @scyoon)
  • Web Security Offensive Researcher
  • ch4n3.yoon@gmail.com
  • A CTF player of Demon, Aleph Infinite
  • Alternative & Indie Rock Lover 🎸🎧
  • I'm not perfectly fluent in Japanese, but I can speak it reasonably well. 🙆‍♂️

Military Progress

86.53675% done
74 days left until my official discharge from the military
36 days left until my final leave before discharge (말출/찍턴)!

Education

Bachelor's degree expected, Department of Computer Engineering, Kyung Hee University
2020.03 ~ Present
Graduated, Department of Hacking Defense, Korea Digital Media High School
2017.03 ~ 2020.02

Work Experiences

Stealien - Senior Researcher, at Proactive Response Team
Jul 2020 - Present
Web service penetration testing, development of the penetration testing training service CDS (Cyber Drill System), and other infrastructure development

Achievements

2024

Finalist (1st), Warrior Division of the WhiteHat Contest 2024
hosted by Ministry of National Defense of the Republic of Korea
Team: 키보드워리어플랫폼
Award from the Minister of National Defense of the Republic of Korea

2023

Finalist, University Division of the CODEGATE 2023
hosted by Ministry of Science and ICT of the Republic of Korea
Team: 경희대미남해커들

2022

Finalist, University Division of the CODEGATE 2022
hosted by Ministry of Science and ICT of the Republic of Korea
Team: 경희대미남해커들
Finalist (2nd), Public Sector of the Cyber Attack and Defense Competition 2022
hosted by National Intelligence Service of the Republic of Korea
Team: resilience
Award from the Director of the National Security Research Institute of the Republic of Korea
6th, HackTheon Sejong International University Students Cyber Security Competition 2022
hosted by Sejong Special Self-Governing City
Team: 라임도둑
Award from the Director of the National Security Research Institute of the Republic of Korea

2021

Finalist (2nd), Public Sector of the Cyber Attack and Defense Competition 2021
hosted by National Intelligence Service of the Republic of Korea
Team: resilience
Award from the Director of the National Security Research Institute of the Republic of Korea

2019

Finalist (2nd), Student Division of the Cyber Operations Competition 2019
hosted by Ministry of National Defense of the Republic of Korea
Team: 윤석찬TV구독과좋아요알림설정까지
Award from the Commander of the Cyber Operations Command of the Republic of Korea

2018

1st, Individual Preliminary of the Information Security Competition 2018
hosted by Ministry of Education of the Republic of Korea
Award from the President of Seoul Women's University
1st, Team Finals of the Information Security Competition 2018
hosted by Ministry of Education of the Republic of Korea
Team: 문시우1인팀
Award from the Minister of Education of the Republic of Korea
3rd, National Youth Hacking Competition 2018
hosted by Korea Digital Media High School

2017

1st, Team Finals of the Information Security Competition 2017
hosted by Korea Education and Research Information Service
Team: 4-day exploit
Award from the Director of Korea Education and Research Information Service
3rd, KMU X UBUNTU 1st CTF 2017
hosted by Ubuntu Korea Foundation

Disclosed Vulnerabilities

NAVER

NBB-1126 : Stored XSS in NAVER
NBB-1143 : SQL Injection in NAVER
NBB-1260 : Stored XSS in NAVER
NBB-2315 : Reflected XSS in NAVER
NBB-2316 : Reflected XSS in NAVER
NBB-2314 : Reflected XSS in NAVER

Python

CVE-2024-7592 : Quadratic complexity parsing cookies with backslashes

Django

CVE-2023-36053 : Potential regular expression denial of service vulnerability in EmailValidator/URLValidator
CVE-2024-24680 : Potential denial-of-service in intcomma template filter
CVE-2024-27351 : Potential regular expression denial-of-service in django.utils.text.Truncator.words()
CVE-2024-21520 : Cross-Site Scripting (XSS) in browserable API of django-rest-framework
CVE-2024-41991 : Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget

Apache Airflow

CVE-2024-39877 : Apache Airflow - DAG Author Code Execution possibility in airflow-scheduler
CVE-2024-39863 : Apache Airflow - Potential XSS Vulnerability
CVE-2024-45034 : Apache Airflow - Authenticated DAG authors could execute code on scheduler nodes

Ruby

CVE-2024-41123 : DoS vulnerabilities in REXML

Ruby on Rails

CVE-2024-47887 : Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
CVE-2024-41128 : Possible ReDoS vulnerability in query parameter filtering in Action Dispatch

Java Spring

CVE-2024-38809 : Spring Framework DoS via conditional HTTP request

Media / Presentations

2020

Appeared as the youngest in-house researcher on KBS <Youth Job Project: The Boss is Crazy>

2021

Featured in Saramin Company Story <STEALIEN> episode
Appeared in YouTube 'Inssa Damdangja' channel <STEALIEN> episode

2022

<Bug Cases and Secure Coding Techniques in Modern Web Services> (@STEALIEN Security Seminar; 3S)

2023

<Django 1-day Vulnerability Analysis> (@HackingCamp 26th 🇰🇷)
I analyzed and shared disclosed vulnerabilities with high severity to the Django Project in 2022. hackingcamp.org
<Django Framework N-day Vulnerability Analysis & Secure Coding Guide> (@CODEGATE 2023 🇰🇷)
Identified insecure usages in Django by analyzing 1-day vulnerabilities and provided secure coding guidance. codegate.org

2024

<Django Framework from a Hacker's Perspective> (@PyCon KR 10th)