Name

  • Lee Wonpyeong
  • Safflower

Experience

  • Security Researcher, UnityLab
    2018.11. - Present

Education

  • Undergraduate Student, Kwangwoon University
    Now I’m taking a leave of absence from school.
    2018.03. - Present

Project

Participation

  • Cybersecurity Big Data Challenge 2019, Finalist (Track 6)
    Participated as team 'or'1'='1
    2019.10.04. - 2019.11.08.

  • Cyber Conflict Exercise 2019, Finalist (Blue team)
    Participated as team Re: 오타쿠모임
    2019.10.29. - 2019.10.30.

  • DEFCON 27 CTF, Finalist
    Participated as team SeoulPlusBadAss
    2019.08.08. - 2019.08.10.

  • Harekaze CTF 2019, 1st place
    Participated as team Yokosuka Hackers
    2019.05.18. - 2019.05.19.

  • TSG CTF 2019, 4th place
    Participated as team $wag
    2019.05.04. - 2019.05.05.

  • NEWSECU WINTER CTF 2019, 2nd place
    Participated as team $wag
    2019.01.28. - 2019.01.29.

  • InterKosen CTF 2019, 3rd place
    Participated as team KimchiPower
    2019.01.18. - 2019.01.20.

  • Cyber Conflict Exercise 2018, Finalist (Red team)
    Participated as team 오타쿠모임
    2018.10.29. - 2018.10.30.

  • CTFZone 2018, Finalist
    Participated as team GoGiSaJo
    2018.07.21. - 2018.07.22.

  • DIMI CTF 2018 Online, 2nd place
    Participated as team st4rburst
    2018.06.17. - 2018.06.17.

  • Harekaze CTF 2018, 3rd place
    Participated as team SeoulWesterns
    2018.02.10. - 2018.02.11.

  • Christmas CTF 2017, 1st place
    Participated as team 박광호 1인팀
    2017.12.25. - 2017.12.26.

  • Layer7 CTF 2017, 1st place (Adult)
    Participated as team 뉴올리언스 치킨버거 + 올엑스트라
    2017.09.22. - 2017.09.24.

  • 1st Seoul IT High School Hacking Defense Competition, 2nd place (Adult)
    Participated as team Safflower
    2017.09.22. - 2017.09.23.

Provision

Exploitation

  • SuNiNaTaS, SuNiNaTaS

    • Arbitrary Private Post Read
    • Post Deletion CSRF
    • Comment Deletion CSRF
    • Post Deletion CSRF
    • Logout CSRF
    • Reflected XSS
    • Arbitrary Notice Post Write

    Reported to SuNiNaTaS (Hall Of Fame)
    2019.

  • Chromium, Google

    • XSS Auditor Bypass

    Reported to Google (Report)
    2019.04.18.

  • Naver Search, NAVER

    • Reflected XSS

    Reported to KISA (KVE-2019-0677)
    2019.

  • Naver Search, NAVER

    • Reflected XSS

    Reported to KISA (KVE-2019-0676)
    2019.

  • Asked Website, Asked

    • Stored XSS

    Reported to Asked
    2018.

  • HackerSchool Website, HackerSchool

    • SQL Injection

    Reported to HackerSchool
    2018.

  • Dothome Web Hosting, DOTHOME

    • Local Privilege Escalation
    • Remote Code Execution

    Reported to DOTHOME
    2018.

  • Gnuboard5, SIR

    • User Account Leak
    • Remote Code Execution

    Reported to KISA (KVE-2018-0510)
    2018.

  • Youngcart5, SIR

    • SQL Injection

    Reported to KISA (KVE-2018-0405)
    2018.

  • Gnuboard5, SIR

    • Reflected XSS
    • Remote Code Execution

    Reported to KISA (KVE-2018-0379)
    2018.

  • Gnuboard5, SIR

    • Reflected XSS
    • Remote Code Execution

    Reported to KISA (KVE-2018-0366)
    2018.

  • Gnuboard5, SIR

    • Reflected XSS
    • Remote Code Execution

    Reported to KISA (KVE-2018-0358)
    2018.

  • Gnuboard5, SIR

    • Reflected XSS
    • Remote Code Execution

    Reported to KISA (KVE-2018-0356)
    2018.

  • Youngcart5, SIR

    • Reflected XSS
    • Remote Code Execution

    Reported to KISA (KVE-2018-0346)
    2018.

  • Gnuboard5, SIR

    • User Account Leak

    Reported to KISA (KVE-2018-0109)
    2018.

  • Youngcart5, SIR

    • SQL Injection

    Reported to KISA (KVE-2018-0102)
    2018.

  • Youngcart5, SIR

    • SQL Injection

    Reported to KISA (KVE-2018-0101)
    2018.

  • Gnuboard5, SIR

    • Session ID Hijacking

    Reported to KISA (KVE-2018-0013)
    2018.

  • Gnuboard5, SIR

    • Reflected XSS
    • File Inclusion

    Reported to KISA (KVE-2017-1047)
    2017.

  • Naver Whale, NAVER

    • XSS Auditor Bypass

    Reported to KISA (KVE-2017-1040)
    2017.

  • Naver Whale, NAVER

    • XSS Auditor Bypass

    Reported to KISA (KVE-2017-1034)
    2017.

  • Gnuboard5, SIR

    • Board Admin Privilege Escalation

    Reported to KISA (KVE-2017-1029)
    2017.

  • Maps Marker Pro WordPress Plugin, Maps Marker

    • Arbitrary File Deletion

    Reported to HackerOne (Report)
    2017.11.14.

  • Maps Marker Pro WordPress Plugin, Maps Marker

    • SQL Injection

    Reported to HackerOne (Report)
    2017.10.08.

  • Maps Marker Pro WordPress Plugin, Maps Marker

    • SQL Injection

    Reported to HackerOne (Report)
    2017.09.27.

  • Maps Marker Pro WordPress Plugin, Maps Marker

    • SQL Injection

    Reported to HackerOne (Report)
    2017.09.26.

  • Maps Marker Pro WordPress Plugin, Maps Marker

    • SQL Injection

    Reported to HackerOne (Report)
    2017.09.26.

  • Maps Marker Pro WordPress Plugin, Maps Marker

    • SQL Injection

    Reported to HackerOne (Report)
    2017.09.26.

  • Maps Marker Pro WordPress Plugin, Maps Marker

    • SQL Injection

    Reported to HackerOne (Report)
    2017.09.26.

  • Naver Blog, NAVER

    • Clickjacking

    Reported to NAVER
    2016.

  • Naver Cafe, NAVER

    • Spoofing Grade

    Reported to NAVER
    2015.

  • XpressEngine, XEHub

    • Stored XSS

    Reported to KISA (KVE-2014-0083)
    2014.

Presentation

  • SQL Injection Attack & Defense, TeamLog of Sunrin Internet High School
    2018.09.03.

  • Web Application Exploitation, Nefus of Sunrin Internet High School
    2018.08.18.

Contact

Last updated at 2019-11-15.