Zhengyu Liu

I am currently a second-year Ph.D. student in Computer Science at Johns Hopkins University, advised by Prof. Yinzhi Cao. Before joining JHU, I received my bachelor's degree in Cybersecurity from Sichuan University. During my undergrad, I was very fortunate to be advised by Prof. Cheng Huang.

My research interest lies in Web Security, Software Security and AI for Security, especially leveraging program analysis approaches to detect/exploit/patch vulnerabilities in real-world complex applications and systems.

Besides, I am a CTF pwn & web player. I lead the team Z0D1AC (JHU academic team) and am a member of thehackerscrew (international team, Top 10 on CTFTime.org).

I played with team 42-b3yond-6ug in the AIxCC competition, where we were awarded $2 million and advanced to the final competition (Top 7) in August 2025.


Publications

Follow My Flow: Unveiling Client-Side Prototype Pollution Gadgets from One Million Real-World Websites


Zifeng Kang, Muxi Lyu, Zhengyu Liu, Jianjia Yu, Runqi Fan, Song Li, and Yinzhi Cao
To appear at IEEE Symposium on Security and Privacy (S&P Oakland), 2025

Undefined-oriented Programming: Detecting and Chaining Prototype Pollution Gadgets in Node.js Template Engines for Malicious Consequences


Zhengyu Liu, Kecheng An, and Yinzhi Cao
IEEE Symposium on Security and Privacy (S&P Oakland), 2024
Nominee of Top 10 Web Hacking Techniques of 2024 by PortSwigger

A Framework for Threat Intelligence Extraction and Fusion


Yongyan Guo, Zhengyu Liu, Cheng Huang, Nannan Wang
Computers & Security

Coreference Resolution for Cybersecurity Entity: Towards Explicit, Comprehensive Cybersecurity Knowledge Graph with Low Redundancy


Zhengyu Liu, Haochen Su, Nannan Wang, Cheng Huang
EAI International Conference on Security and Privacy in Communication Networks (SecureComm), 2022

CyberRel: Joint Entity and Relation Extraction for Cybersecurity Concepts


Yongyan Guo, Zhengyu Liu, Cheng Huang, Jiayong Liu, Wangyuan Jing, Ziwang Wang, Yanghao Wang
International Conference on Information and Communications Security (ICICS), 2022
Best Student Paper Award

A Sybil Detection Method in OSN based on DistilBERT and Double-SN-LSTM for text analysis


Xiaojie Xu, Jian Dong, Zhengyu Liu, Jin Yang, et al.
EAI International Conference on Security and Privacy in Communication Networks (SecureComm), 2021

Capture The Flags

Team member @ TheHackersCrew
Won 17 medals for the year of 2024, 7 Gold + 5 Silver + 5 Bronze
2023 Jan. - Now
Co-lead @ The Group Z0D1AC
Achieved 2nd place RaymondJamesCTF 2024 ($5000 cash prize),
3rd place RaymondJamesCTF 2023 ($2500 cash prize), etc.
2022 Oct. - Now

Selected Honors & Awards

Cybersecurity Elite Honor, School of Cyber Science and Engineering, Sichuan University 2022 May
The 404 Scholarship, School of Cyber Science and Engineering, Sichuan University 2022 Dec.
First Class Scholarship, School of Cyber Science and Engineering, Sichuan University 2021 Sep.
Outstanding Student Honor, Sichuan University 2020 & 2021

Finalist (with Team 42-b3yond-6ug), DARPA AI Cyber Challenge (AIxCC) 2024 Aug.
The 9th Place, 2021 ByteDance Security AI Competition, ByteDance(TikTok) 2021 Nov.
The 2nd Place, School of Computing Summer Workshop, National University of Singapore 2021 July
Excellent Thesis, Innovation and Entrepreneurship Training Program for College Students 2020 Sep.
Third Prize (¥30,000), The 4th “Qiangwang Cup” National Cybersecurity Challenge 2020 Sep.

Professional Services

External Reviewer

IEEE Symposium on Security and Privacy (S&P '25)
USENIX Security Symposium (Usenix '24, '25)
IEEE Computer Security Foundations Symposium (CSF '24)
Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA '24)

Artifact Evaluation Committee

USENIX Security Symposium (Usenix '25)

Experiences

Course Assistant, EN.601.340/440/640 Web Security (23 Fall), JHU 2023 Sep. - 2023 Dec.
Research Assistant, JHU, Advisor: Dr. Yinzhi Cao 2023 June - 2023 Aug.
Research Assistant, Sichuan University, Advisor: Dr. Cheng Huang 2020 Aug. - 2022 June

StarBugs

I have discovered many vulnerabilities in popular OSS (20+ CVEs in repos with >1K stars on GitHub), as well as in products maintained by companies including Google and Meta. A selected list of them is shown below.

CVE-2024-43805 Jupyter Notebook/JupyterLab Stored XSS
CVE-2024-38354 Hackmd.io Stored XSS
CVE-2024-49362 joplin (Electron App) RCE
CVE-2024-43788 Webpack DOM Clobbering
CVE-2024-47885 Astro DOM Clobbering

Design and source code from Jon Barron's website