Zhengyu Liu
I am currently a second-year Ph.D. student in Computer Science at Johns Hopkins University, advised by Prof. Yinzhi Cao. Before joining JHU, I received my bachelor's degree in Cybersecurity from Sichuan University. During my undergrad, I was very fortunate to be advised by Prof. Cheng Huang.
My research interest lies in Web Security and AI Software Security, especially leveraging program analysis approaches to detect/exploit/patch vulnerabilities in real-world complex applications and systems.
Besides, I am a CTF pwn & web player. I lead the team Z0D1AC (JHU academic team) and am a member of thehackerscrew (international team, Top 10 on CTFTime.org).
[New!!] My talk about DOM Clobbering just got accepted to the DEFCON 33 main stage! See you in Las Vegas this August!
Email / GitHub / Blog / CV / Google Scholar / LinkedIn

The First Large-Scale Systematic Study of Python Class Pollution Vulnerability
Zhengyu Liu, Jiacheng Zhong, Jianjia Yu, Muxi Lyu, Zifeng Kang, and Yinzhi Cao
paper / poster / code / slides
To appear in the proceedings of IEEE Symposium on Security and Privacy (S&P Oakland), 2026

The DOMino Effect: Detecting and Exploiting DOM Clobbering Gadgets via Concolic Execution with Symbolic DOM
Zhengyu Liu, Theo Lee, Jianjia Yu, Zifeng Kang, and Yinzhi Cao
paper / poster / code / slides
USENIX Security Symposium, 2025
■ Artifact Badges: Artifacts Available, Artifacts Functional, Results Reproduced
■ Honorable Mentions (Top 6% among accepted papers)

Follow My Flow: Unveiling Client-Side Prototype Pollution Gadgets from One Million Real-World Websites
Zifeng Kang, Muxi Lyu, Zhengyu Liu, Jianjia Yu, Runqi Fan, Song Li, and Yinzhi Cao
paper / poster / code / slides
IEEE Symposium on Security and Privacy (S&P Oakland), 2025
■ Distinguished Paper Award

Undefined-oriented Programming: Detecting and Chaining Prototype Pollution Gadgets in Node.js Template Engines for Malicious Consequences
Zhengyu Liu, Kecheng An, and Yinzhi Cao
paper / poster / code / slides
IEEE Symposium on Security and Privacy (S&P Oakland), 2024
■ Nominee of Top 10 Web Hacking Techniques of 2024 by PortSwigger

A Framework for Threat Intelligence Extraction and Fusion
Yongyan Guo, Zhengyu Liu, Cheng Huang, Nannan Wang
paper / poster / code / slides
Computers & Security

Coreference Resolution for Cybersecurity Entity: Towards Explicit, Comprehensive Cybersecurity Knowledge Graph with Low Redundancy
Zhengyu Liu, Haochen Su, Nannan Wang, Cheng Huang
paper / poster / code / slides
EAI International Conference on Security and Privacy in Communication Networks (SecureComm), 2022

CyberRel: Joint Entity and Relation Extraction for Cybersecurity Concepts
Yongyan Guo, Zhengyu Liu, Cheng Huang, Jiayong Liu, Wangyuan Jing, Ziwang Wang, Yanghao Wang
paper / poster / code / slides
International Conference on Information and Communications Security (ICICS), 2022
■ Best Student Paper Award

A Sybil Detection Method in OSN based on DistilBERT and Double-SN-LSTM for text analysis
Xiaojie Xu, Jian Dong, Zhengyu Liu, Jin Yang, et al.
paper / poster / code / slides
EAI International Conference on Security and Privacy in Communication Networks (SecureComm), 2021

From Static to Smart: LLM-enhanced Static Analysis on Web Application Vulnerability Detection
Ant Group SRC Annual Celebration, June 2025
slides / video

The DOMino Effect: Automated Detection and Exploitation of DOM Clobbering Vulnerability at Scale
DEFCON 33, Las Vegas, Aug 2025
slides / video

Capture The Flags
Team member @ TheHackersCrew | 2023 Jan. - Now
Won 17 medals for the year of 2024, 7 Gold + 5 Silver + 5 Bronze
Co-lead @ The Group Z0D1AC | 2022 Oct. - Now
Achieved 2nd place RaymondJamesCTF 2024 ($5000 cash prize), 3rd place RaymondJamesCTF 2023 ($2500 cash prize), etc.

Selected Honors & Awards
Notable Artifact Reviewer, USENIX Security 2025 | 2025 Aug
Cybersecurity Elite Honor, School of Cyber Science and Engineering, Sichuan University | 2022 May
The 404 Scholarship, School of Cyber Science and Engineering, Sichuan University | 2022 Dec.
First Class Scholarship, School of Cyber Science and Engineering, Sichuan University | 2021 Sep.
Outstanding Student Honor, Sichuan University | 2020 & 2021
Finalist (with Team 42-b3yond-6ug), DARPA AI Cyber Challenge (AIxCC) | 2024 Aug.
The 9th Place, 2021 ByteDance Security AI Competition, ByteDance (TikTok) | 2021 Nov.
The 2nd Place, School of Computing Summer Workshop, National University of Singapore | 2021 July
Excellent Thesis, Innovation and Entrepreneurship Training Program for College Students | 2020 Sep.
Third Prize (¥30,000), The 4th “Qiangwang Cup” National Cybersecurity Challenge | 2020 Sep.

Professional Services
External Reviewer
- Annual Computer Security Applications Conference (ACSAC '25)
- Symposium on Research in Attacks, Intrusions, and Defenses (RAID '25)
- Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb '25)
- IEEE Symposium on Security and Privacy (S&P '25, '26)
- USENIX Security Symposium (Usenix '24, '25, '26)
- IEEE Computer Security Foundations Symposium (CSF '24)
- Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA '24)
Artifact Evaluation Committee
- Network and Distributed System Security Symposium (NDSS '26)
- The ACM Conference on Computer and Communications Security (CCS '25)
- USENIX Security Symposium (Usenix '25)
Experiences
Security Research Intern, Siemens | 2025 June - 2025 Aug.
Course Assistant, EN.445/645 Practical Cryptographic Systems (25 Spring), JHU | 2025 Feb. - 2025 May
Course Assistant, EN.601.340/440/640 Web Security (23 Fall), JHU | 2023 Sep. - 2023 Dec.
Research Assistant, JHU, Advisor: Dr. Yinzhi Cao | 2023 June - 2023 Aug.
Research Assistant, Sichuan University, Advisor: Dr. Cheng Huang | 2020 Aug. - 2022 June

StarBugs
I have discovered some vulnerabilities in popular OSS (over 40 CVEs in repos with >1K stars on GitHub), as well as in products maintained by companies including Google, Microsoft, Meta, and Ant Group (Alipay).
A selected list of them is shown below.