Zhengyu Liu

I am currently a first-year Ph.D. student in Computer Science at Johns Hopkins University, advised by Prof. Yinzhi Cao. Before joining JHU, I received my bachelor's degree in Cybersecurity from Sichuan University. During my undergrad, I was very fortunate to be advised by Prof. Cheng Huang.

My research interests lie in Web Security, Software Security and AI for Security, especially leveraging program analysis approaches to automatically detect/exploit/patch vulnerabilities in real-world complex applications, software and systems.

Besides, I am a CTF player specializing in pwn and web challenges. I lead the team Z0D1AC (JHU academic team) and am a member of thehackerscrew (international team, Top 10 in CTFTime.org).

I played with team 42-b3yond-6ug in the AIxCC competition, where we were awarded $2 million and advanced to the final competition (Top 7) in August 2025.


Publications

Follow My Flow: Unveiling Client-Side Prototype Pollution Gadgets from One Million Real-World Websites


Zifeng Kang, Muxi Lyu, Zhengyu Liu, Jianjia Yu, Runqi Fan, Song Li, and Yinzhi Cao
To appear at IEEE Symposium on Security and Privacy (S&P Oakland), 2025

Undefined-oriented Programming: Detecting and Chaining Prototype Pollution Gadgets in Node.js Template Engines for Malicious Consequences


Zhengyu Liu, Kecheng An, and Yinzhi Cao
IEEE Symposium on Security and Privacy (S&P Oakland), 2024

A Framework for Threat Intelligence Extraction and Fusion


Yongyan Guo, Zhengyu Liu, Cheng Huang, Nannan Wang
Computers & Security

Coreference Resolution for Cybersecurity Entity: Towards Explicit, Comprehensive Cybersecurity Knowledge Graph with Low Redundancy


Zhengyu Liu, Haochen Su, Nannan Wang, Cheng Huang
EAI International Conference on Security and Privacy in Communication Networks (SecureComm), 2022

CyberRel: Joint Entity and Relation Extraction for Cybersecurity Concepts


Yongyan Guo, Zhengyu Liu, Cheng Huang, Jiayong Liu, Wangyuan Jing, Ziwang Wang, Yanghao Wang
International Conference on Information and Communications Security (ICICS), 2022
Best Student Paper Award

A Sybil Detection Method in OSN based on DistilBERT and Double-SN-LSTM for text analysis


Xiaojie Xu, Jian Dong, Zhengyu Liu, Jin Yang, et al.
EAI International Conference on Security and Privacy in Communication Networks (SecureComm), 2021

Capture The Flags

Team member @ TheHackersCrew
Won 17 medals for the year of 2023, 8 Gold + 4 Silver + 3 Bronze
2023 Jan. - Now
Co-lead @ The Group Z0D1AC
Achieved 2nd place RaymondJamesCTF 2024 ($5000 cash prize),
3rd place RaymondJamesCTF 2023 ($2500 cash prize), etc.
2022 Oct. - Now

Selected Honors & Awards

Cybersecurity Elite Honor, School of Cyber Science and Engineering, Sichuan University 2022 May
The 404 Scholarship, School of Cyber Science and Engineering, Sichuan University 2022 Dec.
First Class Scholarship, School of Cyber Science and Engineering, Sichuan University 2021 Sep.
Outstanding Student Honor, Sichuan University 2020 & 2021

The 9th Place, 2021 ByteDance Security AI Competition, ByteDance (TikTok) 2021 Nov.
The 2nd Place, School of Computing Summer Workshop, National University of Singapore 2021 July
Excellent Thesis, Innovation and Entrepreneurship Training Program for College Students 2020 Sep.
Third Prize, The 4th “Qiangwang Cup” National Cybersecurity Challenge 2020 Sep.

Professional Services

External Reviewer

(Usenix '25) 34th USENIX Security Symposium
(Usenix '24) 33rd USENIX Security Symposium
(CSF '24) 37th IEEE Computer Security Foundations Symposium
(DIMVA '24) 21st Conference on Detection of Intrusions and Malware & Vulnerability Assessment

Experiences

Course Assistant, EN.601.340/440/640 Web Security (23 Fall), JHU 2023 Sep. - 2023 Dec.
Research Assistant, JHU, Advisor: Dr. Yinzhi Cao 2023 June - 2023 Aug.
Research Assistant, Sichuan University, Advisor: Dr. Cheng Huang 2020 Aug. - 2022 June

StarBugs

A selective list of zero-day vulnerabilities I have discovered in the past.
CVE-2024-43805 Jupyter Notebook/JupyterLab Stored XSS
CVE-2024-38354 Hackmd.io Stored XSS
CVE-2024-49362 joplin (Electron App) RCE
CVE-2024-43788 Webpack DOM Clobbering
CVE-2024-47885 Astro DOM Clobbering
