Skip to content
View ch4n3-yoon's full-sized avatar
:octocat:
:octocat:

Highlights

  • Pro

Organizations

@sullivanproject @stealien @TG-WinG

Block or report ch4n3-yoon

Block user

Prevent this user from interacting with your repositories and sending you notifications. Learn more about blocking users.

You must be logged in to block users.

Please don't include any personal information such as legal names or email addresses. Maximum 100 characters, markdown supported. This note will be visible to only you.
Report abuse

Contact GitHub support about this userโ€™s behavior. Learn more about reporting abuse.

Report abuse
ch4n3-yoon/README.md

Profile

  • Seokchan Yoon (@ch4n3.yoon)
  • [email protected]
  • A CTF player ๐Ÿ‡ฐ๐Ÿ‡ท
  • Web Security Researcher @ STEALIEN (2020.07. ~ 2023.06.)

Achievements/Awards

  • Finalist, CODEGATE 2023 UNIVERSITY (team: ๊ฒฝํฌ๋Œ€๋ฏธ๋‚จํ•ด์ปค๋“ค)
  • Finalist, CODEGATE 2022 UNIVERSITY (team: ๊ฒฝํฌ๋Œ€๋ฏธ๋‚จํ•ด์ปค๋“ค)
  • Finalist (2nd, ๊ตญ๊ฐ€๋ณด์•ˆ์—ฐ๊ตฌ์†Œ์žฅ์ƒ), 2022 ์‚ฌ์ด๋ฒ„๊ณต๊ฒฉ๋ฐฉ์–ด๋Œ€ํšŒ(CCE) ๊ณต๊ณต๋ถ€๋ฌธ Quals (team: resilience)
  • Finalist (2nd, ๊ตญ๊ฐ€๋ณด์•ˆ์—ฐ๊ตฌ์†Œ์žฅ์ƒ), 2021 ์‚ฌ์ด๋ฒ„๊ณต๊ฒฉ๋ฐฉ์–ด๋Œ€ํšŒ(CCE) ๊ณต๊ณต๋ถ€๋ฌธ Quals (team: resilience)
  • 3rd, 2020 Kyunghee University Hackathon (team 1๋“ฑ๋ชปํ•˜๋ฉด๋™๋ฐ˜์ž…๋Œ€)
  • Finalist (2nd, ์‚ฌ์ด๋ฒ„์ž‘์ „์‚ฌ๋ น๊ด€์ƒ), 2019 ์‚ฌ์ด๋ฒ„์ž‘์ „๊ฒฝ์—ฐ๋Œ€ํšŒ ํ•™์ƒ๋ถ€ (team ์œค์„์ฐฌTV๊ตฌ๋…๊ณผ์ข‹์•„์š”์•Œ๋ฆผ์„ค์ •๊นŒ์ง€)
  • ๊ฐœ์ธ์ „ ์ตœ์šฐ์ˆ˜์ƒ (1st, ์„œ์šธ์—ฌ๋Œ€ ์ด์žฅ์ƒ), 2018 ์ œ 4ํšŒ ์ •๋ณด๋ณด์•ˆ๊ฒฝ์ง„๋Œ€ํšŒ ๊ฐœ์ธ์˜ˆ์„ 
  • ๋‹จ์ฒด์ „ ์ตœ์šฐ์ˆ˜์ƒ (1st, ๊ต์œก๋ถ€ ์žฅ๊ด€์ƒ), 2018 ์ œ 4ํšŒ ์ •๋ณด๋ณด์•ˆ๊ฒฝ์ง„๋Œ€ํšŒ ๋‹จ์ฒด๋ณธ์„  (team ๋ฌธ์‹œ์šฐ1์ธํŒ€)
  • Finalist (18th), CODEGATE 2018 JUNIOR
  • 2nd, 2018 ์ œ 3ํšŒ ์ „๊ตญ์ฒญ์†Œ๋…„๋ชจ์˜ํ•ดํ‚น๋Œ€ํšŒ
  • 3rd, 2018 ์ œ 16ํšŒ SMARTEEN APP CLUB AppJam Hackathon
  • ๋‹จ์ฒด์ „ ์ตœ์šฐ์ˆ˜์ƒ (1st, ํ•œ๊ตญ๊ต์œกํ•™์ˆ ์ •๋ณด์›์žฅ์ƒ), 2017 ์ œ 3ํšŒ ์ •๋ณด๋ณด์•ˆ๊ฒฝ์ง„๋Œ€ํšŒ ๋‹จ์ฒด๋ณธ์„  (team 4-day exploit)
  • ์šฐ์ˆ˜์ƒ(2nd), 2017 KMU(๊ตญ๋ฏผ๋Œ€ํ•™๊ต) X UBUNTU 1st CTF

Disclosed Vulnerabilities

NAVER

  • NBB-1126, Stored XSS
  • NBB-1143, SQL Injection
  • NBB-1260, Stored XSS
  • NBB-2315, Reflected XSS
  • NBB-2316, Reflected XSS
  • NBB-2314, Reflected XSS

Python

  • CVE-2024-7592: Quadratic complexity parsing cookies with backslashes

Django

  • CVE-2023-36053: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator
  • CVE-2024-24680: Potential denial-of-service in intcomma template filter
  • CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()
  • CVE-2024-21520: Cross-Site Scripting (XSS) in browserable API of django-rest-framework
  • CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget

Apache Airflow

  • CVE-2024-39877: Apache Airflow: DAG Author Code Execution possibility in airflow-scheduler
  • CVE-2024-39863: Apache Airflow: Potential XSS Vulnerability
  • CVE-2024-45034: Apache Airflow: Authenticated DAG authors could execute code on scheduler nodes

Ruby

  • CVE-2024-41123: DoS vulnerabilities in REXML

Ruby on Rails

  • CVE-2024-47887: Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
  • CVE-2024-41128: Possible ReDoS vulnerability in query parameter filtering in Action Dispatch

Java Spring

  • CVE-2024-38809: Spring Framework DoS via conditional HTTP request

Media / Presentations

2020

2021

2022

2023

  • <Django 1-day Vulnerability Analysis> (@HackingCamp 26th ๐Ÿ‡ฐ๐Ÿ‡ท)
    • I analyzed and shared disclosed vulnerabilities with high severity to Django Project, 2022
    • Reference: http://hackingcamp.org/
  • <Django Framework N-day Vulnerability Analysis & Secure Coding Guide> (@CODEGATE 2023 ๐Ÿ‡ฐ๐Ÿ‡ท)

2024

  • <ํ•ด์ปค์˜ ๊ด€์ ์—์„œ ๋ฐ”๋ผ๋ณธ Django Framework> (@PyCon KR 10th)

Pinned Loading

  1. encode/django-rest-framework encode/django-rest-framework Public

    Web APIs for Django. ๐ŸŽธ

    Python 28.5k 6.8k

  2. rails/rails-html-sanitizer rails/rails-html-sanitizer Public

    Ruby 309 83

  3. ruby/rexml ruby/rexml Public

    REXML is an XML toolkit for Ruby

    Ruby 141 67

  4. dimigo-Couple-Searching dimigo-Couple-Searching Public

    ๋””๋ฏธ๊ณ  ์ปคํ”Œ ํƒ์ง€ ํ”„๋กœ๊ทธ๋žจ

    Python 42 4

  5. write-ups write-ups Public

    ํ•ดํ‚น๋Œ€ํšŒ ๋ฐ ์›Œ๊ฒŒ์ž„ ๋ฌธ์ œ ํ’€์ด

    Python 5 1

  6. Chrome-Dino-with-Body-Language Chrome-Dino-with-Body-Language Public

    2020-1H ๊ฒฝํฌ๋Œ€ํ•™๊ต ์›นํŒŒ์ด์„ ํ”„๋กœ๊ทธ๋ž˜๋ฐ ํ…€ํ”„๋กœ์ ํŠธ

    HTML 4