Seokchan Yoon

Seokchan Yoon

Hi guys! I'm Seokchan Yoon (Channy), a security researcher working at Seoul, Korea.

Bypassing DOMPurify for Successful XSS Execution: namespace confusion

Bypassing DOMPurify for Successful XSS Execution: namespace confusion

Introduce In the past, I often recommended the DOMPurify library as a robust solution for preventing XSS vulnerabilities, particularly when a web service needs to render HTML code input by users. Its effectiveness was such that I believed bypassing it to execute an XSS attack was virtually impossible, especially when

Do not use `maildev` anyway 💣

Do not use `maildev` anyway 💣

Introduce Do you guys know maildev application to run temporary mail server? maildev is open-sourced SMTP Server + Web Interface for viewing and testing emails during development. To say conclusionally, DO NOT USE THIS SOFTWARE. Hackers can force-write existing source codes and completely takeover the server. This program has not been

XSS Exception Bypass using Hoisting 🧙‍♂️

XSS Exception Bypass using Hoisting 🧙‍♂️

Recently, I stumbled upon some intriguing XSS tricks on Twitter and couldn't resist sharing my solutions. Let's dive into a fascinating XSS challenge and explore how we can outsmart it with JavaScript's hoisting mechanism. Somebody asked me recently if you can exploit an XSS scenario like this: x.y(1,

CVE-2023-36053: Potential ReDoS in EmailValidator/URLValidator

CVE-2023-36053: Potential ReDoS in EmailValidator/URLValidator

Hi! This is Seokchan Yoon studying Offensive Security in Korea. 🇰🇷 __ 1. Introduction On July 3rd, 2023, my first CVE was published! * https://www.djangoproject.com/weblog/2023/jul/03/security-releases/ * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36053 You can briefly check the details of the vulnerability that I

Scanning ReDoS in Python Automatically

Scanning ReDoS in Python Automatically

Hi, this is Seokchan Yoon. I'm currently taking a compiler course at KyungHee University this semester. Despite the short duration, I've had the pleasure of delving into intriguing topics, ranging from Lexing and Parsing algorithms to Abstract Syntax Trees (AST), Intermediate Representations (IR), and basic compiler optimization techniques. It has

팀플은 좀 더 공격적일 필요가 있다.

팀플은 좀 더 공격적일 필요가 있다.

재학하는 4년 동안, 그리고 실무를 맡으면서 경험했었던 수많은 팀플들에서 굉장히 공통적인 특성을 발견했는데 바로 "사린다는 것". 상대방이 공격당한다고 느낄 것만 같아서, 그리고 그와 동시에 나에게도 그 공격이 돌아올까봐 겁나서 자신의 의견을 못 내고 쭈뼛쭈뼛 굴고야 마는것이다. 이게 뭐가 문제인지는 다들 한 번 쯤 경험해 봤을 것이다.회의 딱 시작해놓고 무슨

Kyung Hee University's SW Security Competition: From Concept to Reality

Kyung Hee University's SW Security Competition: From Concept to Reality

Introduction Hi, I'm Seokchan Yoon. It's been a long time that I'm posting an article on my new blog 😅 Last year, in 2022, I had the honor of organizing a security competition for the students at my university, Kyung Hee University in Korea. It was a unique experience that I