
윤석찬
Offensive Web Security Researcher
Security Contributor of GitHub, Python, Django, Airflow, Ruby, Ruby-on-Rails, Java Spring
Education
B.S. in Computer Engineering (currently enrolled)
Kyung Hee University
Completed the Vulnerability Analysis track
Best of the Best (Next-Generation Security Leader Training Program), 6th cohort
Graduated, Department of Hacking Defense
Korea Digital Media High School
Work Experience
OO Unit, OO Soldier
Research institute under the Ministry of National Defense
- OO research and development
R&D / Proactive Response Team, Security Engineer
STEALIEN
- Web penetration testing
- Developed a training platform (Cyber Drill System, Django + React) and operated CTFs
- Developed and maintained internal infrastructure, including the in-house technical management tool, the tech blog, and the deployment system
CTF Awards
2024 WhiteHat Contest, Soldier Division
1st Place, hosted by the Ministry of National Defense
Minister of National Defense Award
2023 CODEGATE, University Division
Finalist, hosted by the Ministry of Science and ICT
2022 CODEGATE, University Division
Finalist, hosted by the Ministry of Science and ICT
2022 Cyber Conflict Exercise (CCE), Public Sector Division
2nd Place, hosted by the National Intelligence Service
National Security Research Institute Director's Award
2022 HACKTHEON SEJONG National Collegiate Cybersecurity Competition
6th Place, hosted by Sejong Special Self-Governing City
National Security Research Institute Director's Award
2021 Cyber Conflict Exercise (CCE), Public Sector Division
2nd Place, hosted by the National Intelligence Service
National Security Research Institute Director's Award
2019 Cyber Operations Competition, Student Division
2nd Place, hosted by the Ministry of National Defense
Cyber Operations Commander's Award
2018 Information Security Competition, Individual Preliminary
1st Place, hosted by the Ministry of Education
Seoul Women's University President's Award
2018 Information Security Competition, Team Final
1st Place, hosted by the Ministry of Education
Minister of Education Award
2018 National Youth Mock Hacking Competition
3rd Place, hosted by Korea Digital Media High School
2017 Information Security Competition, Team Final
1st Place, hosted by the Korea Education and Research Information Service (KERIS)
KERIS President's Award
2017 KMU X UBUNTU 1st CTF
3rd Place, hosted by the Korea Ubuntu Foundation
Disclosed Vulnerabilities
CVE-2024-7592
Denial of Service: A vulnerability in Python allows quadratic-complexity parsing when handling cookies containing backslashes, potentially leading to performance degradation.
CVE-2023-36053
Regular Expression Denial of Service: In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, `EmailValidator` and `URLValidator` are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels in emails and URLs.
CVE-2024-24680
Denial of Service: A vulnerability in the Django `intcomma` template filter could lead to a potential denial of service if certain crafted inputs are processed.
CVE-2024-27351
Regular Expression Denial of Service: A vulnerability in Django's `Truncator.words()` function may allow a ReDoS attack under certain circumstances.
CVE-2024-21520
Cross-Site Scripting: The browsable API of the Django REST Framework is vulnerable to cross-site scripting due to improper sanitization of user-supplied input.
CVE-2024-41991
Denial of Service: A vulnerability in Django's `urlize` function and `AdminURLFieldWidget` could allow a denial of service under specific crafted input conditions.
CVE-2024-53908
SQL Injection: A vulnerability in the `HasKey` lookup in Django when using Oracle databases may allow a potential SQL injection.
CVE-2024-39877
Code Execution: A vulnerability in Apache Airflow's scheduler allows DAG authors to execute arbitrary code, potentially compromising the scheduler node.
CVE-2024-39863
Cross-Site Scripting: Improper sanitization in Apache Airflow's web interface could lead to a cross-site scripting vulnerability.
CVE-2024-45034
Code Execution: Authenticated DAG authors in Apache Airflow can execute arbitrary code on scheduler nodes, leading to potential system compromise.
CVE-2024-41123
Denial of Service: Vulnerabilities in Ruby's REXML library allow attackers to cause a denial of service by crafting malicious XML inputs.
CVE-2024-47887
Regular Expression Denial of Service: Ruby on Rails' Action Controller is vulnerable to a potential regular expression denial of service when handling HTTP token authentication.
CVE-2024-41128
Regular Expression Denial of Service: A vulnerability in Rails' Action Dispatch may allow a regular expression denial of service when filtering query parameters.
CVE-2024-38809
Denial of Service: Spring Framework is vulnerable to a potential denial of service caused by a crafted conditional HTTP request.
HackerOne #2646500
Denial of Service: GitHub is vulnerable to a potential denial of service caused by a maliciously crafted HTTP request.
NBB-1126
Stored XSS: NAVER is vulnerable to a stored XSS caused by a crafted payload.
NBB-1143
SQL Injection: NAVER is vulnerable to a SQL injection caused by a crafted payload.
NBB-1260
Stored XSS: NAVER is vulnerable to a stored XSS caused by a crafted payload.
Talks
"Django Framework from a Hacker's Perspective" (Korean)
PyCon KR 2024
"Django Framework N-day Vulnerability Analysis and Secure Coding Guide" (Korean)
CODEGATE 2023
"Django Framework 1-day Analysis" (Korean)
26th Hacking Camp
"Bug Cases and Secure Coding in Modern Web Services" (Korean)
STEALIEN Security Seminar