
Seokchan Yoon
Offensive Web Security Researcher
Security contributor to GitHub, Python, Django, Apache Airflow, Ruby, Ruby on Rails, and Spring Framework
Education
Bachelor's Degree in Computer Science & Engineering (In Progress)
KyungHee University
Completed Vulnerability Analysis Track
Best of the Best, Korean Next-Generation Security Leader Training Program
Graduated from Dept. of Hacking Defense
Korea Digital Media High School
Work Experience
Unit [REDACTED], Private [REDACTED]
Research Institute under the Ministry of National Defense, Korea
- Research and development of [REDACTED]
R&D / Proactive Response Team, Security Engineer
STEALIEN
- Web penetration testing
- Development and operation of educational systems (Cyber Drill System, Django + React) and CTFs
- Development and maintenance of internal tools, technical blogs, deployment systems, and other infrastructure
CTF Awards
2024 White Hat Contest, Soldier Division
1st Place, hosted by the Ministry of National Defense, Korea
Minister of National Defense Award
2023 CODEGATE, University Division
Finalist, hosted by the Ministry of Science and ICT, Korea
2022 CODEGATE, University Division
Finalist, hosted by the Ministry of Science and ICT, Korea
2022 CCE (Cyber Conflict Exercise), Public Institution Sector Division
2nd Place, hosted by the National Intelligence Service, Korea
Director of National Security Research Institute Award
2022 HACKTHEON SEJONG National University Cybersecurity Competition
6th Place, hosted by Sejong Special Self-Governing City, Korea
Director of National Security Research Institute Award
2021 CCE (Cyber Conflict Exercise), Public Institution Sector Division
2nd Place, hosted by the National Intelligence Service, Korea
Director of National Security Research Institute Award
2019 Cyber Operations Challenge, Student Division
2nd Place, hosted by the Ministry of National Defense, Korea
Cyber Operations Commander Award
2018 Cybersecurity Competition, Individual Preliminary Round
1st Place, hosted by the Ministry of Education, Korea
President of Seoul Women's University Award
2018 Cybersecurity Competition, Team Finals
1st Place, hosted by the Ministry of Education, Korea
Minister of Education Award
2017 Cybersecurity Competition, Team Finals
1st Place, hosted by the Korea Education and Research Information Service
Director of Korea Education and Research Information Service Award
Disclosed Vulnerabilities
CVE-2024-7592
Denial of Service: A vulnerability in Python's cookie parsing allows quadratic-complexity parsing when handling cookies containing backslashes, potentially leading to performance degradation.
CVE-2023-36053
Regular Expression Denial of Service: In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, `EmailValidator` and `URLValidator` are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels in emails and URLs.
CVE-2024-24680
Denial of Service: A vulnerability in the Django `intcomma` template filter could lead to a potential denial of service if certain crafted inputs are processed.
CVE-2024-27351
Regular Expression Denial of Service: A vulnerability in Django's `Truncator.words()` method may allow a ReDoS attack under certain circumstances.
CVE-2024-21520
Cross-Site Scripting: The browsable API of Django REST framework is vulnerable to cross-site scripting due to improper sanitization of user-supplied input.
CVE-2024-41991
Denial of Service: A vulnerability in Django's `urlize` function and `AdminURLFieldWidget` could allow a denial of service under specific crafted input conditions.
CVE-2024-53908
SQL Injection: A vulnerability in Django's `HasKey` lookup when using Oracle databases may allow a potential SQL injection.
CVE-2024-39877
Code Execution: A vulnerability in Apache Airflow's scheduler allows DAG authors to execute arbitrary code, potentially compromising the scheduler node.
CVE-2024-39863
Cross-Site Scripting: Improper sanitization in Apache Airflow's web interface could lead to a cross-site scripting vulnerability.
CVE-2024-45034
Code Execution: Authenticated DAG authors in Apache Airflow can execute arbitrary code on scheduler nodes, leading to potential system compromise.
CVE-2024-41123
Denial of Service: Vulnerabilities in Ruby's REXML library allow attackers to cause a denial of service by crafting malicious XML inputs.
CVE-2024-47887
Regular Expression Denial of Service: Ruby on Rails' Action Controller is vulnerable to a potential regular expression denial of service when handling HTTP token authentication.
CVE-2024-41128
Regular Expression Denial of Service: A vulnerability in Rails' Action Dispatch may allow a regular expression denial of service when filtering query parameters.
CVE-2024-38809
Denial of Service: Spring Framework is vulnerable to a potential denial of service caused by a crafted conditional HTTP request.
HackerOne #2646500
Denial of Service: GitHub is vulnerable to a potential denial of service caused by a maliciously crafted HTTP request.
NBB-1126
Stored XSS: NAVER is vulnerable to a stored XSS caused by a crafted payload.
NBB-1143
SQL Injection: NAVER is vulnerable to a SQL injection caused by a crafted payload.
NBB-1260
Stored XSS: NAVER is vulnerable to a stored XSS caused by a crafted payload.
Talks
"Django Framework from a Hacker's Perspective" (in Korean)
PyCon KR 2024
"Analysis of Django Framework N-day Vulnerabilities and Secure Coding Guide" (in Korean)
CODEGATE 2023
"Django Framework 1-day Analysis" (in Korean)
26th Hacking Camp
"Bug Cases and Secure Coding in Modern Web Services" (in Korean)
STEALIEN Security Seminar