profile

Name

  • 이원평 (Lee Wonpyeong)
  • Safflower

Experience

  • Security Researcher, UnityLab

    2018.11. - 2021.02.

Education

  • Undergraduate Student, Kwangwoon University

    2018.03. - Present

Project

Participation

  • Cyber Conflict Exercise 2020, Finalist

    Participated as team 이천쌀콘팬클럽

    2020.10.29. - 2020.10.29.

  • 사이버보안 빅데이터 챌린지 2019, Finalist (Track 6)

    Participated as team 'or'1'='1

    2019.10.04. - 2019.11.08.

  • Cyber Conflict Exercise 2019, Finalist (Blue team)

    Participated as team Re: 오타쿠모임

    2019.10.29. - 2019.10.30.

  • DEFCON 27 CTF, Finalist

    Participated as team SeoulPlusBadAss

    2019.08.08. - 2019.08.10.

  • Harekaze CTF 2019, 1st place

    Participated as team Yokosuka Hackers

    2019.05.18. - 2019.05.19.

  • TSG CTF 2019, 4th place

    Participated as team $wag

    2019.05.04. - 2019.05.05.

  • NEWSECU WINTER CTF 2019, 2nd place

    Participated as team $wag

    2019.01.28. - 2019.01.29.

  • InterKosen CTF 2019, 3rd place

    Participated as team KimchiPower

    2019.01.18. - 2019.01.20.

  • Cyber Conflict Exercise 2018, Finalist (Red team)

    Participated as team 오타쿠모임

    2018.10.29. - 2018.10.30.

  • CTFZone 2018, Finalist

    Participated as team GoGiSaJo

    2018.07.21. - 2018.07.22.

  • DIMI CTF 2018 Online, 2nd place

    Participated as team st4rburst

    2018.06.17. - 2018.06.17.

  • Harekaze CTF 2018, 3rd place

    Participated as team SeoulWesterns

    2018.02.10. - 2018.02.11.

  • Christmas CTF 2017, 1st place

    Participated as team 박광호 1인팀

    2017.12.25. - 2017.12.26.

  • Layer7 CTF 2017, 1st place (Adult)

    Participated as team 뉴올리언스 치킨버거 + 올엑스트라

    2017.09.22. - 2017.09.24.

  • 제1회 서울아이티고등학교 해킹방어대회, 2nd place (Adult)

    Participated as team Safflower

    2017.09.22. - 2017.09.23.

Provision

Exploitation

  • SuNiNaTaS, SuNiNaTaS

    • Arbitrary Private Post Read
    • Post Deletion CSRF
    • Comment Deletion CSRF
    • Post Deletion CSRF
    • Logout CSRF
    • Reflected XSS
    • Arbitrary Notice Post Write

    Reported to SuNiNaTaS (Hall Of Fame)

    2019.

  • Chromium, Google

    • XSS Auditor Bypass

    Reported to Google (Report)

    2019.04.18.

  • Naver Search, NAVER

    • Reflected XSS

    Reported to KISA (KVE-2019-0677)

    2019.

  • Naver Search, NAVER

    • Reflected XSS

    Reported to KISA (KVE-2019-0676)

    2019.

  • Asked Website, Asked

    • Stored XSS

    Reported to Asked

    2018.

  • HackerSchool Website, HackerSchool

    • SQL Injection

    Reported to HackerSchool

    2018.

  • Dothome Web Hosting, DOTHOME

    • Local Privilege Escalation
    • Remote Code Execution

    Reported to DOTHOME

    2018.

  • Gnuboard5, SIR

    • User Account Leak
    • Remote Code Execution

    Reported to KISA (KVE-2018-0510)

    2018.

  • Youngcart5, SIR

    • SQL Injection

    Reported to KISA (KVE-2018-0405)

    2018.

  • Gnuboard5, SIR

    • Reflected XSS
    • Remote Code Execution

    Reported to KISA (KVE-2018-0379)

    2018.

  • Gnuboard5, SIR

    • Reflected XSS
    • Remote Code Execution

    Reported to KISA (KVE-2018-0366)

    2018.

  • Gnuboard5, SIR

    • Reflected XSS
    • Remote Code Execution

    Reported to KISA (KVE-2018-0358)

    2018.

  • Gnuboard5, SIR

    • Reflected XSS
    • Remote Code Execution

    Reported to KISA (KVE-2018-0356)

    2018.

  • Youngcart5, SIR

    • Reflected XSS
    • Remote Code Execution

    Reported to KISA (KVE-2018-0346)

    2018.

  • Gnuboard5, SIR

    • User Account Leak

    Reported to KISA (KVE-2018-0109)

    2018.

  • Youngcart5, SIR

    • SQL Injection

    Reported to KISA (KVE-2018-0102)

    2018.

  • Youngcart5, SIR

    • SQL Injection

    Reported to KISA (KVE-2018-0101)

    2018.

  • Gnuboard5, SIR

    • Session ID Hijacking

    Reported to KISA (KVE-2018-0013)

    2018.

  • Gnuboard5, SIR

    • Reflected XSS
    • File Inclusion

    Reported to KISA (KVE-2017-1047)

    2017.

  • Naver Whale, NAVER

    • XSS Auditor Bypass

    Reported to KISA (KVE-2017-1040)

    2017.

  • Naver Whale, NAVER

    • XSS Auditor Bypass

    Reported to KISA (KVE-2017-1034)

    2017.

  • Gnuboard5, SIR

    • Board Admin Privilege Escalation

    Reported to KISA (KVE-2017-1029)

    2017.

  • Maps Marker Pro WordPress Plugin, Maps Marker

    • Arbitrary File Deletion

    Reported to HackerOne (Report)

    2017.11.14.

  • Maps Marker Pro WordPress Plugin, Maps Marker

    • SQL Injection

    Reported to HackerOne (Report)

    2017.10.08.

  • Maps Marker Pro WordPress Plugin, Maps Marker

    • SQL Injection

    Reported to HackerOne (Report)

    2017.09.27.

  • Maps Marker Pro WordPress Plugin, Maps Marker

    • SQL Injection

    Reported to HackerOne (Report)

    2017.09.26.

  • Maps Marker Pro WordPress Plugin, Maps Marker

    • SQL Injection

    Reported to HackerOne (Report)

    2017.09.26.

  • Maps Marker Pro WordPress Plugin, Maps Marker

    • SQL Injection

    Reported to HackerOne (Report)

    2017.09.26.

  • Maps Marker Pro WordPress Plugin, Maps Marker

    • SQL Injection

    Reported to HackerOne (Report)

    2017.09.26.

  • Naver Blog, NAVER

    • Clickjacking

    Reported to NAVER

    2016.

  • Naver Cafe, NAVER

    • Spoofing Grade

    Reported to NAVER

    2015.

  • XpressEngine, XEHub

    • Stored XSS

    Reported to KISA (KVE-2014-0083)

    2014.

Presentation

  • SQL Injection Attack & Defense, TeamLog of Sunrin Internet High School

    2018.09.03.

  • Web Application Exploitation, Nefus of Sunrin Internet High School

    2018.08.18.

Contact

Last updated at 2021-04-01.