Orange Tsai

Cheng-Da Tsai, aka Orange Tsai, is the principal security researcher of DEVCORE and the core member of CHROOT security group in Taiwan. He is also the champion and got the "Master of Pwn" title in Pwn2Own 2021. In addition, Orange has spoken at several top conferences such as Black Hat USA/ASIA, DEF CON, HITCON, HITB GSEC/AMS, CODE BLUE, POC, and WooYun! Currently, Orange is a 0day researcher focusing on web/application security. His research got not only the Pwnie Awards winner for "Best Server-Side Bug" of 2019/2021 but also 1st place in "Top 10 Web Hacking Techniques" of 2017/2018. Orange also enjoys bug bounties in his free time. He is enthusiastic about the RCE bugs and uncovered RCEs in numerous vendors such as Twitter, Facebook, Uber, Apple, GitHub, Amazon, etc. You can find him on Twitter @orange_8361 and blog http://blog.orange.tw/

• @orange_8361
• Dynamic Presentation Playlist

Presentations:

• 2022-08-12 17:00 - DEF CON 30 (2022) - Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS
• 2022-08-10 13:30 - Black Hat USA 2022 - Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS
• 2021-08-06 15:00 - DEF CON 29 (2021) - ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Microsoft Exchange Server!
• 2021-08-05 15:20 - Black Hat USA 2021 - ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server!
• 2019-09-28 11:30 - RomHack 2019 - Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs
• 2019-08-09 12:00 - DEF CON 27 (2019) - Infiltrating Corporate Intranet Like NSA ̶Pre-auth RCE on Leading SSL VPNs
• 2019-08-07 14:40 - Black Hat USA 2019 - Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs
• 2018-08-10 12:00 - DEF CON 26 (2018) - Breaking Paser Logic: Take Your Path Normalization Off and Pop 0days Out!
• 2018-08-08 16:00 - Black Hat USA 2018 - Breaking Parser Logic: Take Your Path Normalization off and Pop 0days Out!
• 2018-03-22 14:15 - Black Hat Asia 2018 - A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!
• 2017-07-28 12:00 - DEF CON 25 (2017) - A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!
• 2017-07-27 17:00 - Black Hat USA 2017 - A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!

Copresenters:

• Meh Chang
  • 2019-09-28 11:30 - RomHack 2019 - Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs
  • 2019-08-09 12:00 - DEF CON 27 (2019) - Infiltrating Corporate Intranet Like NSA ̶Pre-auth RCE on Leading SSL VPNs
  • 2019-08-07 14:40 - Black Hat USA 2019 - Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs