
윤석찬

Offensive Web Security Researcher

Security Contributor of GitHub, Python, Django, Airflow, Ruby, Ruby-on-Rails, Java Spring

Education

March 2020 - Present

Undergraduate student, Department of Computer Engineering

Kyung Hee University

July 2017 - May 2018

Completed the Vulnerability Analysis Track

Best of the Best (BoB), 6th cohort, Next-Generation Security Leader Training Program

March 2017 - February 2020

Graduated, Department of Hacking Defense

Korea Digital Media High School

Work Experience

September 2023 - March 2025

OO Unit, OO soldier (enlisted service)

Research institute under the Ministry of National Defense

  • OO research and development

July 2020 - June 2023

R&D / Proactive Response Team, Security Engineer

STEALIEN

  • Web penetration testing
  • Developed a training platform (Cyber Drill System, Django + React) and operated CTFs
  • Built and maintained internal infrastructure: technical management tools, the engineering blog, and the deployment system

CTF Awards

2024 Whitehat Contest, Soldier Division

1st Place

Hosted by the Ministry of National Defense

Minister of National Defense Award

2023 CODEGATE, University Division

Finalist

Hosted by the Ministry of Science and ICT

2022 CODEGATE, University Division

Finalist

Hosted by the Ministry of Science and ICT

2022 Cyber Conflict Exercise (CCE), Public Sector Division

2nd Place

Hosted by the National Intelligence Service

National Security Research Institute Director's Award

2022 HACKTHEON SEJONG National Collegiate Cybersecurity Competition

6th Place

Hosted by Sejong Special Self-Governing City

National Security Research Institute Director's Award

2021 Cyber Conflict Exercise (CCE), Public Sector Division

2nd Place

Hosted by the National Intelligence Service

National Security Research Institute Director's Award

2019 Cyber Operations Competition, Student Division

2nd Place

Hosted by the Ministry of National Defense

Cyber Operations Commander's Award

2018 Information Security Competition, Individual Preliminary Round

1st Place

Hosted by the Ministry of Education

Seoul Women's University President's Award

2018 Information Security Competition, Team Finals

1st Place

Hosted by the Ministry of Education

Minister of Education Award

2018 National Youth Mock Hacking Competition

3rd Place

Hosted by Korea Digital Media High School

2017 Information Security Competition, Team Finals

1st Place

Hosted by the Korea Education and Research Information Service (KERIS)

KERIS President's Award

2017 KMU X UBUNTU 1st CTF

3rd Place

Hosted by the Korea Ubuntu Foundation

Disclosed Vulnerabilities

Python

CVE-2024-7592

Denial of Service
Internals

A vulnerability in Python's `http.cookies` module allows quadratic-complexity parsing when handling cookie values containing backslashes, so a single crafted `Cookie` header can cause significant CPU consumption on the server.

Django

CVE-2023-36053

Regular Expression Denial of Service
Internals

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, `EmailValidator` and `URLValidator` are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels in emails and URLs.

Django

CVE-2024-24680

Denial of Service
Templates

A vulnerability in the Django `intcomma` template filter could lead to a potential denial of service when very long crafted strings are processed.

Django

CVE-2024-27351

Regular Expression Denial of Service
Utilities

A vulnerability in Django's `Truncator.words()` method may allow a ReDoS attack when it is called with `html=True` on crafted input.

Django

CVE-2024-21520

Cross-Site Scripting
REST Framework

The browsable API of Django REST Framework is vulnerable to cross-site scripting due to improper sanitization of user-supplied input rendered into the browsable API pages.

Django

CVE-2024-41991

Denial of Service
Utilities

A vulnerability in Django's `urlize` / `urlizetrunc` template filters and the `AdminURLFieldWidget` could allow a denial of service under specific crafted input conditions.

Django

CVE-2024-53908

SQL Injection
Database

A vulnerability in the `HasKey` lookup in Django when using Oracle databases may allow a potential SQL injection through untrusted input in the lookup's key.

Apache Airflow

CVE-2024-39877

Code Execution
Scheduler

A vulnerability in Apache Airflow's scheduler allows authenticated DAG authors to execute arbitrary code in the scheduler context via a crafted DAG `doc_md` parameter, potentially compromising the scheduler node.

Apache Airflow

CVE-2024-39863

Cross-Site Scripting
Web Interface

Improper sanitization in Apache Airflow's web interface could lead to a cross-site scripting vulnerability.

Apache Airflow

CVE-2024-45034

Code Execution
Scheduler

Authenticated DAG authors in Apache Airflow can place local settings in the DAG folder that the scheduler executes, allowing arbitrary code execution on scheduler nodes and potential system compromise.

Ruby

CVE-2024-41123

Denial of Service
REXML

Vulnerabilities in Ruby's REXML library allow attackers to cause a denial of service by crafting malicious XML input that triggers excessive parsing time.

Ruby on Rails

CVE-2024-47887

Regular Expression Denial of Service
Action Controller

Ruby on Rails' Action Controller is vulnerable to a potential regular expression denial of service when handling HTTP Token authentication headers.

Ruby on Rails

CVE-2024-41128

Regular Expression Denial of Service
Action Dispatch

A vulnerability in Rails' Action Dispatch may allow a regular expression denial of service when filtering query parameters.

Java Spring

CVE-2024-38809

Denial of Service
Framework

Spring Framework is vulnerable to a potential denial of service caused by a crafted conditional HTTP request (ETag handling in `If-Match` / `If-None-Match` headers).

GitHub

HackerOne #2646500

Denial of Service
GitHub & GitHub Enterprise

GitHub is vulnerable to a potential denial of service caused by a maliciously crafted HTTP request.

NAVER

NBB-1126

Stored XSS
NAVER service

NAVER is vulnerable to a stored XSS caused by a crafted payload.

NAVER

NBB-1143

SQL Injection
NAVER service

NAVER is vulnerable to a SQL injection caused by a crafted payload.

NAVER

NBB-1260

Stored XSS
NAVER service

NAVER is vulnerable to a stored XSS caused by a crafted payload.

Talks

2024

"The Django Framework from a Hacker's Perspective" (Korean)

PyCon KR 2024

2023

"Django Framework N-day Vulnerability Analysis and Secure Coding Guide" (Korean)

CODEGATE 2023

2023

"Django Framework 1-day Analysis" (Korean)

26th Hacking Camp

2022

"Bug Cases and Secure Coding in Modern Web Services" (Korean)

STEALIEN Security Seminar

Blogs