
Seokchan Yoon
Offensive Web Security Researcher
Security Contributor of GitHub, Python, Django, Airflow, Ruby, Ruby-on-Rails, Java Spring
Education
Bachelor's Degree in Computer Science & Engineering (In Progress)
KyungHee University
Completed Vulnerability Analysis Track
Best of the Best, Korean Next-Generation Security Leader Training Program
Graduated from Dept. of Hacking Defense
Korea Digital Media Highschool
Work Experience
Security Team Member (Volunteer)
Airflow Security Team, Apache Software Foundation USA
- Reviewing and addressing security vulnerabilities in Apache Airflow
- Collaborating with the open-source community
- Maintaining the security posture of the project in accordance with ASF guidelines
Security Researcher
Zellic.io USA
- Security audit of Web2 components within the Web3 ecosystem
Unit [REDACTED], Private [REDACTED]
Research Institute under the Ministry of National Defense, Korea
- Research and development of [REDACTED]
R&D / Proactive Response Team, Security Engineer
STEALIEN
- Web penetration testing
- Development and operation of educational systems (Cyber Drill System, Django + React) and CTF
- Development and maintenance of internal tools, technical blogs, deployment systems, and other infrastructure
CTF Awards
2025 CCE (Cyber Conflict Exercise)
Finalist - hosted by National Intelligence Service, Korea
- Team: 경희대미남해커들 (KHU's handsome hackers)
2025 DEF CON CTF 33
Finalist - hosted by Nautilus Institute
- Team: Cold Fusion
🏆 2024 White Hat Contest
- hosted by Ministry of National Defense, Korea
- Team: 키보드워리어플랫폼 (Keyboard Warrior Platform)
1st, Korea Defense Minister Award
2023 CODEGATE
Finalist - hosted by Ministry of Science and ICT, Korea
- Team: 경희대미남해커들 (KHU's handsome hackers)
2022 CODEGATE
Finalist - hosted by Ministry of Science and ICT, Korea
- Team: 경희대미남해커들 (KHU's handsome hackers)
🏆 2022 CCE (Cyber Conflict Exercise)
- hosted by National Intelligence Service, Korea
- Team: resilience
2nd, Korea Security Research Institute Director Award
🏆 2022 HACKTHEON SEJONG National University Cybersecurity Competition
- hosted by Sejong Special Self-Governing City, Korea
- Team: 라임도둑 (Lime Thief)
6th, Korea Security Research Institute Director Award
🏆 2021 CCE (Cyber Conflict Exercise)
- hosted by National Intelligence Service, Korea
- Team: resilience
2nd, Korea Security Research Institute Director Award
🏆 2019 Cyber Operations Challenge
- hosted by Ministry of National Defense, Korea
- Team: 윤석찬TV구독과좋아요알림설정까지
2nd, Korea Cyber Command Award
🏆 2018 Cybersecurity Competition
- hosted by Ministry of Education, Korea
1st, SWU President Award
🏆 2018 Cybersecurity Competition
- hosted by Ministry of Education, Korea
- Team: 문시우1인팀 (munsiwoo 1-person team)
1st, Education Minister Award
🏆 2017 Cybersecurity Competition
- hosted by Korea Education and Research Information Service
- Team: 4-day exploit
1st, KERIS Director Award
Disclosed Vulnerabilities
CVE-2024-7592
Denial of Service: A vulnerability in Python allows quadratic-complexity parsing when handling cookies containing backslashes, potentially leading to performance degradation.
CVE-2023-36053
Regular Expression Denial of Service: In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, `EmailValidator` and `URLValidator` are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels in emails and URLs.
CVE-2024-24680
Denial of Service: A vulnerability in the Django `intcomma` template filter could lead to a potential denial of service if certain crafted inputs are processed.
CVE-2024-27351
Regular Expression Denial of Service: A vulnerability in Django's `Truncator.words()` function may allow a ReDoS attack under certain circumstances.
CVE-2024-21520
Cross-Site Scripting: The browsable API of the Django REST Framework is vulnerable to cross-site scripting due to improper sanitization of user-supplied inputs.
CVE-2024-41991
Denial of Service: A vulnerability in Django's `urlize` function and `AdminURLFieldWidget` could allow a denial of service under specific crafted input conditions.
CVE-2024-53908
SQL Injection: A vulnerability in the `HasKey` function in Django when using Oracle databases may allow a potential SQL injection.
CVE-2025-48432
Log Injection: Internal HTTP response logging used `request.path` directly, allowing control characters (e.g. newlines or ANSI escape sequences) to be written unescaped into logs.
CVE-2024-39877
Code Execution: A vulnerability in Apache Airflow's scheduler allows DAG authors to execute arbitrary code, potentially compromising the scheduler node.
CVE-2024-39863
Cross-Site Scripting: Improper sanitization in Apache Airflow's web interface could lead to a cross-site scripting vulnerability.
CVE-2024-45034
Code Execution: Authenticated DAG authors in Apache Airflow can execute arbitrary code on scheduler nodes, leading to potential system compromise.
CVE-2024-41123
Denial of Service: Vulnerabilities in Ruby's REXML library allow attackers to cause a denial of service by crafting malicious XML inputs.
CVE-2024-47887
Regular Expression Denial of Service: Ruby on Rails' Action Controller is vulnerable to a potential regular expression denial of service when handling HTTP token authentication.
CVE-2024-41128
Regular Expression Denial of Service: A vulnerability in Rails' Action Dispatch may allow a regular expression denial of service when filtering query parameters.
CVE-2024-38809
Denial of Service: Spring Framework is vulnerable to a potential denial of service caused by a crafted conditional HTTP request.
HackerOne #2646500
Denial of Service: GitHub is vulnerable to a potential denial of service caused by a maliciously crafted HTTP request.
NBB-1126
Stored XSS: NAVER is vulnerable to a stored XSS caused by a crafted payload.
NBB-1143
SQL Injection: NAVER is vulnerable to a SQL injection caused by a crafted payload.
NBB-1260
Stored XSS: NAVER is vulnerable to a stored XSS caused by a crafted payload.
Talks
"Django Framework from a Hacker's Perspective" (in Korean)
PyCon KR 2024
"Analysis of Django Framework N-day Vulnerabilities and Secure Coding Guide" (in Korean)
CODEGATE 2023
"Django Framework 1-day Analysis" (in Korean)
26th Hacking Camp
"Bug Cases and Secure Coding in Modern Web Services" (in Korean)
STEALIEN Security Seminar