Profile Picture

Seokchan Yoon

Offensive Web Security Researcher

Security Contributor of GitHub, Python, Django, Airflow, Ruby, Ruby-on-Rails, Java Spring

Education

March 2020 - Present

Bachelor's Degree in Computer Science & Engineering (In Progress)

KyungHee University

July 2017 - May 2020

Completed Vulnerability Analysis Track

Best of the Best, Korean Next-Generation Security Leader Training Program

March 2017 - February 2020

Graduated from Dept. of Hacking Defense

Korea Digital Media Highschool

Work Experience

September 2023 - March 2025

Unit [REDACTED], Private [REDACTED]

Research Institute under the Ministry of National Defense, Korea

  • • Research and development of [REDACTED]
July 2020 - June 2023

R&D / Proactive Response Team, Security Engineer

STEALIEN

  • • Web penetration testing
  • • Development and operation of educational systems (Cyber Drill System, Django + React) and CTF
  • • Development and maintenance of internal tools, technical blogs, deployment systems, and other infrastructure

CTF Awards

2024 White Hat Contest Soldier Division

1st Place

hosted by Ministry of National Defense, Korea

Minister of National Defense Award

2023 CODEGATE University Division

Finalist

hosted by Ministry of Science and ICT, Korea

2022 CODEGATE University Division

Finalist

hosted by Ministry of Science and ICT, Korea

2022 CCE (Cyber Conflict Exercise) Public Institution Sector Division

2nd Place

hosted by National Intelligence Service, Korea

Director of National Security Research Institute Award

2022 HACKTHEON SEJONG National University Cybersecurity Competition

6st Place

hosted by Sejong Special Self-Governing City, Korea

Director of National Security Research Institute Award

2021 CCE (Cyber Conflict Exercise) Public Institution Sector Division

2nd Place

hosted by National Intelligence Service, Korea

Director of National Security Research Institute Award

2019 Cyber Operations Challenge Student Division

2nd Place

hosted by Ministry of National Defense, Korea

Cyber Operations Commander Award

2018 Cybersecurity Competition Individual Preliminary Round

1st Place

hosted by Ministry of Education, Korea

President of Seoul Women's University Award

2018 Cybersecurity Competition Team Finals

1st Place

hosted by Ministry of Education, Korea

Minister of Education Award

2017 Cybersecurity Competition Team Finals

1st Place

hosted by Korea Education and Research Information Service

Director of Korea Education and Research Information Service Award

Disclosed Vulnerabilities

Python Python

CVE-2024-7592

Denial of Service
Internals

A vulnerability in Python allows quadratic complexity parsing when handling cookies containing backslashes, potentially leading to performance degradation.

Django Django

CVE-2023-36053

Regular Expression Denial of Service
Internals

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, `EmailValidator` and `URLValidator` are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.

Django Django

CVE-2024-24680

Denial of Service
Templates

A vulnerability in the Django `intcomma` template filter could lead to a potential denial of service if certain crafted inputs are processed.

Django Django

CVE-2024-27351

Regular Expression Denial of Service
Utilities

A vulnerability in Django's `Truncator.words()` function may allow a ReDoS attack under certain circumstances.

Django Django

CVE-2024-21520

Cross-Site Scripting
Rest Framework

The browserable API of the Django Rest Framework is vulnerable to cross-site scripting due to improper sanitization of user-supplied inputs.

Django Django

CVE-2024-41991

Denial of Service
Utilities

A vulnerability in Django's `urlize` function and `AdminURLFieldWidget` could allow for a denial of service under specific crafted input conditions.

Django Django

CVE-2024-53908

SQL Injection
Database

A vulnerability in the `HasKey` function in Django when using Oracle databases may allow a potential SQL injection.

Apache Apache Airflow

CVE-2024-39877

Code Execution
Scheduler

A vulnerability in Apache Airflow's scheduler allows DAG authors to execute arbitrary code, potentially compromising the scheduler node.

Apache Apache Airflow

CVE-2024-39863

Cross-Site Scripting
Web Interface

Improper sanitization in Apache Airflow's web interface could lead to a cross-site scripting vulnerability.

Apache Apache Airflow

CVE-2024-45034

Code Execution
Scheduler

Authenticated DAG authors in Apache Airflow can execute arbitrary code on scheduler nodes, leading to potential system compromise.

Ruby Ruby

CVE-2024-41123

Denial of Service
REXML

Vulnerabilities in Ruby's REXML library allow attackers to cause a denial of service by crafting malicious XML inputs.

Ruby Ruby on Rails

CVE-2024-47887

Regular Expression Denial of Service
Action Controller

Ruby on Rails' Action Controller is vulnerable to a potential regular expression denial of service when handling HTTP token authentication.

Ruby Ruby on Rails

CVE-2024-41128

Regular Expression Denial of Service
Action Dispatch

A vulnerability in Rails' Action Dispatch may allow a regular expression denial of service when filtering query parameters.

Java Java Spring

CVE-2024-38809

Denial of Service
Framework

Spring Framework is vulnerable to a potential denial of service caused by a crafted conditional HTTP request.

GitHub GitHub

HackerOne #2646500

Denial of Service
GitHub & GitHub Enterprise

GitHub is vulnerable to a potential denial of service caused by a malicously crafted HTTP request.

NAVER NAVER

NBB-1126

Stored XSS
NAVER service

NAVER is vulnerable to a stored-xss caused by a crafted payload.

NAVER NAVER

NBB-1143

SQL Injection
NAVER service

NAVER is vulnerable to a SQL injection caused by a crafted payload.

NAVER NAVER

NBB-1260

Stored XSS
NAVER service

NAVER is vulnerable to a stored XSS caused by a crafted payload.

Talks

2024

" Django Framework from a Hacker's Perspective " (in Korean)

PyCon KR 2024

2023

" Analysis of Django Framework N-day Vulnerabilities and Secure Coding Guide " (in Korean)

CODEGATE 2023

2023

" Django Framework 1-day Analysis " (in Korean)

26th Hacking Camp

2022

" Bug Cases and Secure Coding in Modern Web Services " (in Korean)

STEALIEN Security Seminar

Blogs