Security Researcher at Zellic.io
## Profile
- Seokchan Yoon (@ch4n3.yoon, @scyoon)
- Security Researcher / CTF Player of BlueWater (WaterPaddler) / [Bug Bounty Hunter](https://hackerone.com/scyoon)
- ch4n3.yoon@gmail.com
## Work Experiences
- **Security Team Member @ Airflow of Apache Software Foundation** (2025.07. - now)
- **Security Researcher @ Zellic.io** (2025.04. - now)
- `[REDACTED]` Researcher @ `[REDACTED]` Research Institute under Ministry of National Defense, Korea (2023.09. - 2025.03.)
- Web Security Researcher @ STEALIEN (2020.07. - 2023.06.)
## Achievements/Awards
### 2025
- **2025 DEF CON 33 CTF**
Finalist (team: Cold Fusion)
- **2025 Cyber Conflict Exercise (CCE) General Division**
(사이버공격방어대회) Finalist, hosted by the National Intelligence Service, Korea
### 2024
- **2024 White Hat Contest Soldier Division**
(화이트햇 콘테스트) **1st Place**, hosted by the Ministry of National Defense, Korea
Awarded the Minister of National Defense Award (___국방부 장관상___)
### 2023
- **2023 CODEGATE University Division**
Finalist, hosted by the Ministry of Science and ICT, Korea
### 2022
- **2022 CODEGATE University Division**
Finalist, hosted by the Ministry of Science and ICT, Korea
- **2022 Cyber Conflict Exercise (CCE) Public Institution Sector Division**
(사이버공격방어대회) **2nd Place**, hosted by the National Intelligence Service, Korea
Awarded the Director of National Security Research Institute Award (___국가보안연구소장상___)
- **2022 HACKTHEON SEJONG National University Cybersecurity Competition**
6th Place, hosted by Sejong Special Self-Governing City, Korea
Awarded the Director of National Security Research Institute Award (___국가보안연구소장상___)
### 2021
- **2021 Cyber Conflict Exercise (CCE) Public Institution Sector Division**
(사이버공격방어대회) **2nd Place**, hosted by the National Intelligence Service, Korea
Awarded the Director of National Security Research Institute Award (___국가보안연구소장상___)
### 2019
- **2019 Cyber Operations Challenge Student Division**
(사이버작전경연대회) **2nd Place**, hosted by the Ministry of National Defense, Korea
Awarded the Cyber Operations Commander Award (___사이버작전사령관상___)
### 2018
- **2018 Cybersecurity Competition Individual Preliminary Round**
(정보보안경진대회) **1st Place**, hosted by the Ministry of Education, Korea
Awarded the President of Seoul Women's University Award (___서울여자대학교 총장상___)
- **2018 Cybersecurity Competition Team Finals**
(정보보안경진대회) **1st Place**, hosted by the Ministry of Education, Korea
Awarded the Minister of Education Award (___교육부 장관상___)
### 2017
- **2017 Cybersecurity Competition Team Finals**
(정보보안경진대회) **1st Place**, hosted by the Korea Education and Research Information Service
Awarded the Director of Korea Education and Research Information Service Award (___한국교육학술정보원장상___)
## Disclosed Vulnerabilities
### NAVER
- NBB-1126, Stored XSS
- NBB-1143, SQL Injection
- NBB-1260, Stored XSS
- NBB-2315, Reflected XSS
- NBB-2316, Reflected XSS
- NBB-2314, Reflected XSS
### Python
- CVE-2024-7592: Quadratic complexity parsing cookies with backslashes
### Django
- CVE-2023-36053: Potential regular expression denial of service vulnerability in `EmailValidator`/`URLValidator`
- CVE-2024-24680: Potential denial-of-service in intcomma template filter
- CVE-2024-27351: Potential regular expression denial-of-service in `django.utils.text.Truncator.words()`
- CVE-2024-21520: Cross-Site Scripting (XSS) in the browsable API of [django-rest-framework](https://github.com/encode/django-rest-framework)
- CVE-2024-41991: Potential denial-of-service vulnerability in `django.utils.html.urlize()` and `AdminURLFieldWidget`
- CVE-2024-53908: Potential SQL injection in `HasKey(lhs, rhs)` on Oracle
- CVE-2025-48432: Potential log injection via unescaped request path
### Apache Airflow
- CVE-2024-39877: Apache Airflow: DAG Author Code Execution possibility in `airflow-scheduler`
- CVE-2024-39863: Apache Airflow: Potential XSS Vulnerability
- CVE-2024-45034: Apache Airflow: Authenticated DAG authors could execute code on scheduler nodes
### Ruby
- CVE-2024-41123: DoS vulnerabilities in REXML
### Ruby on Rails
- CVE-2024-47887: Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
- CVE-2024-41128: Possible ReDoS vulnerability in query parameter filtering in Action Dispatch
### Java Spring
- CVE-2024-38809: Spring Framework DoS via conditional HTTP request
## Media / Presentations
### 2020
- Appeared on the KBS program <청년일자리프로젝트 사장님이 美쳤어요> as the company's youngest researcher
- [https://vod.kbs.co.kr/index.html?source=episode&sname=vod&stype=vod&program_code=T2016-0639&program_id=PS-2020170106-01-000&section_code=05&broadcast_complete_yn=&local_station_code=00](https://vod.kbs.co.kr/index.html?source=episode&sname=vod&stype=vod&program_code=T2016-0639&program_id=PS-2020170106-01-000&section_code=05&broadcast_complete_yn=&local_station_code=00)
### 2021
- Appeared in the Saramin (사람인) "Company Story" episode on STEALIEN (<스틸리언>)
- [https://www.saramin.co.kr/zf_user/guide/movie/fun-view?page=7&keyword=&category=&sort=&seq=433&count=10](https://www.saramin.co.kr/zf_user/guide/movie/fun-view?page=7&keyword=&category=&sort=&seq=433&count=10)
- Appeared in the STEALIEN (<스틸리언>) episode of the YouTube channel ‘인싸담당자’
- [https://www.youtube.com/watch?v=ueslFj2Dbgc](https://www.youtube.com/watch?v=ueslFj2Dbgc)
### 2022
- <Bug Cases and Secure Coding Techniques in Modern Web Services> (@STEALIEN Security Seminar; 3S)
- Original Korean title: <모던 웹 서비스에서의 버그케이스와 시큐어코딩>
- Related Press Releases (Kor): [https://www.boannews.com/media/view.asp?idx=107983&kind=](https://www.boannews.com/media/view.asp?idx=107983&kind=)
- Replay: [https://www.youtube.com/watch?v=6YgSTZ9i7Vk](https://www.youtube.com/watch?v=6YgSTZ9i7Vk)
### 2023
- <Django 1-day Vulnerability Analysis> (@HackingCamp 26th 🇰🇷)
- I analyzed and shared high-severity vulnerabilities disclosed to the Django Project in 2022
- Reference: [http://hackingcamp.org/](http://hackingcamp.org/)
- <Django Framework N-day Vulnerability Analysis & Secure Coding Guide> (@CODEGATE 2023 🇰🇷)
- I pointed out some insecure usages in Django by analyzing 1-day vulnerabilities and gave a secure coding guide
- Reference: [https://codegate.org/sub/conference](https://codegate.org/sub/conference)
### 2024
- <Django Framework from a Hacker's Perspective> (@PyCon KR 10th)
- Original Korean title: <해커의 관점에서 바라본 Django Framework>
- [https://2024.pycon.kr/](https://2024.pycon.kr/)