Hello, My Korean name is Siwoo Mun.
I'm security researcher at RAON Whitehat, mainly focus on web app exploitation.
I'm playing CTF as member of CodeRed, Aleph Infinite

Awards

• ~ Present
  • 4th, DEFCON CTF 31 Final, Las Vegas (team HypeBoy)
  • 3rd, 2022 Whitehat Contest Final (team 오리고기파티)
  • 2nd, Hayyim CTF 2022 (team Yamong Clinic)
  • 3rd, DEFCON CTF 30 Final, Las Vegas (team StarBugs)
  • 4th, WACON CTF 2022 Quals(team 팀 평균연령42세)
  • 4th, DEFCON CTF 29 Final (team StarBugs)
  • 5th, SECCON CTF 2022 Final, Tokyo (team Cha shu)
  • Finalist, Cyber Conflict Exercise 2022


• 2020
  • 1st, m0leCon 2020 (team AlPray)
  • Finalist, 화이트햇 콘테스트 (team Uneducated People)
  • Finalist, 사이버 공격방어대회(CCE) Quals (team 흥부부대찌개)
  • Finalist, CONFidence CTF 2020 Teaser (team CodeRed)
  • Finalist, Midnight Sun CTF 2020 Quals (team CodeRed)
  • Finalist, 0CTF/TCTF 2020 Quals (team Heart Breaker)
  • Finalist, DEFCON CTF 28 (team StarBugs)


• 2019
  • 1st , HolyShield CTF 2019 Junior (team HeungbuBudaeJjigae) - rewarded $1,000 USD
  • 1st , WhiteHat Contest 2019 Junior Final (team Uneducated people) - rewarded $5,000 USD
  • 1st , SUA CTF 3th (team BOB8TH_VULN_ANALYSIS)
  • 2nd , The Hacking Championship Junior 2019 (team HeungbuBudaeJjigae)
  • 3rd , Belluminar CTF 2019 (team Aleph Infinite)
  • 5th , ISITDTU CTF Final (team Aleph Infinite)
  • 5th , Timisoara CTF (team Munahnhae)
  • 9th , DEFCON CTF 27 Quals (team CGC)
  • 14th , PlaidCTF 2019 (team CGC)
  • Finalist, DEFCON CTF 27 (team CGC)
  • Finalist (5th), ISITDTU CTF Final (team Aleph Infinite)
  • Finalist (4th), Codegate CTF 2019 Junior (team munsiwoooooo)
  • Finalist (4th), 2019 DVP Global Blockchain CTF (team HeungbuBudaeJjigae) - rewarded $3,000 USD


• 2018
  • 1st , 2018 CyberGuardians (team Layer7) - rewarded $5,000 USD
  • 2nd , Timisoara CTF, Romania (team NextLine) - rewarded $300 USD
  • 3rd , Harekaze CTF (team SeoulWesterns)
  • 3rd , 제 1회 KO-WORLD 해킹방어대회 (team phpandrust) - rewarded $1,000 USD
  • Finalist (13th), DEFCON CTF 26, Las Vegas (team C.G.K.S)
  • Finalist (8th), Cyber Conflict Exercise, Jeju (team 야몽클리닉/Red Team)
  • 은상, 2018 대한민국 육군해킹방어대회 (The Republic of Korea Army Attack and Defense Contest)


• 2017
  • 1st , Christmas CTF 2017 (team 박광호 1인팀) - rewarded $800 USD
  • 3rd , Kookmin Univ & Ubuntu CTF 2017 (team 새싹보끔밥)
  • 4th , Neverland CTF 2017 (team gazoku - solo)
  • 8th , SECUINSIDE CTF Quals 2017 (team FHF)

• 2021
  • HackerOne
    • Starbucks: rewarded $6,000 USD
    • Starbucks: rewarded $1,440 USD
    • Starbucks: rewarded $4,770 USD
  • Bugcamp
    • CISSP: rewarded $120 USD
  • GNUBOARD5
    • XSS (<=5.4.13.1) - 2021.06.24 (commit log, write up)


• 2020
  • Bugcrowd
    • Atlassian: Jira Service Desk: rewarded $600 USD
    • Bitdefender: rewarded $300 USD
  • HackerOne
    • Starbucks: rewarded $1,500 USD
    • Steam(store.steampowered.com): rewarded $400 USD
    • Ford
  • Naver Bug Bounty Program
    • found 15+ vulns - rewarded $2,000 USD
  • Node.js NPM modules
    (NodeJS Module Vulnerability Automation Analysis, Best of the Best 8th)
    
    • CVE-2020-7719, CVE-2020-7700, CVE-2020-7702
    • CVE-2020-7717, CVE-2020-7715, CVE-2020-7716
    • CVE-2020-7707, CVE-2020-7721, CVE-2020-7701
    • CVE-2020-7724, CVE-2020-7727, CVE-2020-7718
    • CVE-2020-7725, CVE-2020-7722, CVE-2020-7703
    • CVE-2020-7704, CVE-2020-7714, CVE-2020-7706
    • CVE-2020-7723


• 2019
  • HackerOne
    • μtorrent: Reflected XSS
    • afreecaTV: found 13+ vulns including SQL Injection
  • Naver Bug Bounty Program
    • found 8+ vulns: rewarded $1,200 USD
  • GNUBOARD5
    • SQL Injection (<=5.4.0.1) - 2019.09.08
    • XSS (<=5.4.0.1) - 2019.09.08
    • Authentication bypass (<=5.4.0.1) - 2019.09.08
  • DVP Bug Bounty
    • Gate.io: SQL Injection (DVP-2019-30029) - rewarded 4.5 ETH
    • Gate.io: DOM Based XSS (DVP-2019-30165, DVP-2019-30149) - rewarded 0.250 ETH


• 2018
  • KISA Bug Bounty Program
    • NAVER: SQL Injection(KVE-2018-1301) - rewarded $1,000 USD


• 2017
  • NAVER PER(Privacy Enhancement Reward)
    • found 25+ vulns (XSS, Open Redirect)

Education/Work Experience

• K-Shield Junior, 멘토(Mentor)
  • Position: 멘토(Mentor)
  • Date: 2022.10 ~ 2022.12


• RAON Whitehat, 핵심연구팀  
  • Position: Security Researcher
  • Date: 2021.09 ~ present
  • Task: 모의해킹, R&D


• Best of the Best 8th, KITRI  
  • Position: Mentee (취약점분석트랙)
  • Date: 2019.07 ~ 2020.04
  • Detail: KITRI, BoB


• CSSA IoTcube, Korea.Univ    
  • Task: Security vulnerability analysis in open source Blockchain project
  • Position: Internship
  • Date: 2018.07 ~ 2018.09
  • Detail: CSSA,  IoTcube


• Sunrin Internet High School  
  • Position: Student (정보통신과)
  • Date: 2017.03 ~ 2020.02
  • Detail: sunrint.hs.kr

Speaker

• CodeGate 2019 (First prize was awarded)    
  • Title: PHP Trick Trip
  • Content: PHP의 여러 보안 이슈와 취약점을 통해 웹 해킹 공격으로 이어질 수 있는 버그에 대해 다루며,
     Zend 엔진을 분석해본 경험을 토대로 버그가 발생하는 논리적 이유와 이를 분석했던 과정을 소개하는 발표
  • Date: 2019.03.27
  • Detail: 후기, 코드게이트 홈페이지, 발표자료(pdf)
  • Award: 발표 최우수상, 한국인터넷진흥원장상

• 빗썸 청소년 사이버 보안 캠프, Bithumb    
  • Title: 쉽고 간단하게 배워보는 정보보안 Tip
  • Content: 개인정보가 유출될 수 있는 여러 상황을 예를들며 이를 사전에 예방하는 방법을 소개하는 발표
  • Date: 2018.11.23
  • Detail: 인터넷 기사, 빗썸 홈페이지

• HackingCamp 18, PoC Security    
  • Title: Security option bypass 101
  • Content: PHP의 open_basedir, disable_functions 옵션을 우회하는 여러 방법에 대해 소개하는 발표
  • Date: 2018.09.02
  • Detail: 해킹캠프 홈페이지

Organizer

• 2019
  • 2019 Belluminar CTF 문제 출제
  • 2019 Christmas CTF (사이트 개발, 문제 출제, 운영) - @munsiwoo/christmas-ctf-platform
  • 2019 Layer7 CTF (사이트 개발, 운영)
  • 2019 선린인터넷고등학교 고등해커 (예선/본선 운영, 사이트 개발, 문제 출제)
  • 2019 선린인터넷고등학교 교내해킹방어대회 (문제 출제- Github)


• 2018
  • 2018 선린인터넷고등학교 고등해커 (예선/본선 운영, 사이트 구현, 문제 출제)
  • 2018 선린인터넷고등학교 교내해킹방어대회 (운영, 문제 출제)
  • PoC Security HackingCamp18 CTF (문제 출제 - Github)
  • 2018 Layer7 CTF (대회 운영, 문제 출제, Github)
  • 2018 H3X0R CTF (문제 출제 - Github)


• 2017
  • 2017 PoC Security Belluminar CTF (대회 참가, 문제 출제, Github)
  • 2017 PoC Security Power of XX (문제 출제, Github)
  • 2017 Layer7 CTF (대회 운영, 문제 출제, Github)
  • 2017 H3X0R CTF (대회 운영, 문제 출제)

Projects

• 2019
  • PHP CTF Platform, GitHub
  • Automatic Analysis for Node.js Modules, (Best of the best 8th / NerdJS)
    • DAPP: automatic detection and analysis of prototype pollution vulnerability in Node.js modules
      Springer, International Journal of Information Security (IJIS) (SCIE)에 게재
      https://link.springer.com/article/10.1007/s10207-020-00537-0
  • PHP Trick Trip, (Presented at the codegate 2019, GitHub)
  • Munfoozer, Dynamic XSS fuzzer


• 2018
  • Simple MVC Framework in PHP, GitHub