Hello, I’m Fengyu Liu, a Ph.D. student in the System and Software Security Laboratory at Fudan University, advised by Prof. Yuan Zhang and Prof. Min Yang. I am also the captain of Whitzard, a great CTF team at Fudan University.
My research interests includes web security and LLM-based agent security. To date, I have published 8 papers at top-tier international security conferences, including IEEE S&P, ACM CCS, and USENIX Security, with one receiving the Distinguished Paper Award at S&P’25. Moreover, my research has been adopted by leading companies such as Alibaba, ByteDance, and Huawei, and acknowledged in security advisories by major tech companies including Apple, Microsoft, and Intel.
🔥 News
- [2025.08] 🎉 One paper accepted by CCS 2025!
- [2025.08] 🎉 One paper received Honerable Mention Award at USENIX Security 2025!
- [2025.06] 🎉 Three papers accepted by USENIX Security 2025!
- [2025.05] 🎉 One talk accepted by BlackHat USA 2025!
- [2025.05] 🎉 Our paper received Distinguished Paper Award at IEEE S&P 2025!
- [2025.03] 🎉 One paper accepted by CCS 2025!
- [2025.03] 🎉 One paper accepted by S&P 2025!
- [2024.12] 🎉 One paper accepted by USENIX Security 2025!
- [2024.09] 🎉 One paper accepted by S&P 2025!
📝 Publications
-
CCS'25Be Aware of What You Let Pass: Demystifying URL-based Authentication Bypass Vulnerability in Java Web Applications [PDF]
Qiyi Zhang*, Fengyu Liu*, Zihan Lin, Yuan Zhang.
In Proceedings of the 32nd ACM Conference on Computer and Communications Security (CCS), October 2025. (CCF-A) -
USENIX Security'25Make Agent Defeat Agent: Automatic Detection of Taint-Style Vulnerabilities in LLM-based Agents [PDF]
Fengyu Liu, Yuan Zhang, Jiaqi Luo, Jiarun Dai, Tian Chen, Letian Yuan, Zhengmin Yu, Youkun Shi, Ke Li, Hao Chen, Min Yang.
In Proceedings of the 34th USENIX Security Symposium (USENIX Security), August 2025. (CCF-A) -
USENIX Security'25Pig in a Poke: Automatically Detecting and Exploiting Link Following Vulnerabilities in Windows File Operations [PDF]
Bocheng Xiang, Yuan Zhang, Fengyu Liu, Hao Huang, Zihan Lin, Min Yang.
In Proceedings of the 34th USENIX Security Symposium (USENIX Security), August 2025. (CCF-A)
★ Honerable Mention Award (6.1%=25/407) -
USENIX Security'25XSSky: Detecting XSS Vulnerabilities through Local Path-Persistent Fuzzing [PDF]
Youkun Shi, Yuan Zhang, Tianhao Bai, Feng Xue, Jiarun Dai, Fengyu Liu, Lei Zhang, Xiapu Luo, Min Yang.
In Proceedings of the 34th USENIX Security Symposium (USENIX Security), August 2025. (CCF-A) -
CCS'25BACScan: Automatic Black-Box Detection of Broken-Access-Control Vulnerabilities in Web Applications [PDF]
Fengyu Liu, Yuan Zhang, Enhao Li, Wei Meng, Youkun Shi, Qianheng Wang, Chenlin Wang, Zihan Lin, Min Yang.
In Proceedings of the 32nd ACM Conference on Computer and Communications Security (CCS), October 2025. (CCF-A) -
S&P'25Detecting Taint-Style Vulnerabilities in Microservice-Structured Web Applications [PDF]
Fengyu Liu, Yuan Zhang, Tian Chen, Youkun Shi, Guangliang Yang, Zihan Lin Min Yang, Junyao He, Qi Li.
In Proceedings of the 46th IEEE Symposium on Security and Privacy (S&P), May 2025. (CCF-A)
★ Distinguished Paper Award (<1% submission), Presented at BlackHat USA 2025 [Talk Abstract] -
USENIX Security'25Effective Directed Fuzzing with Hierarchical Scheduling for Web Vulnerability Detection [PDF]
Zihan Lin, Yuan Zhang, Jiarun Dai, Xinyou Huang, Bocheng Xiang, Guangliang Yang, Letian Yuan, Lei Zhang, Fengyu Liu, Tian Chen, Min Yang.
In Proceedings of the 34th USENIX Security Symposium (USENIX Security), August 2025. (CCF-A) -
S&P'25MOCGuard: Automatically Detecting Missing-Owner-Check Vulnerabilities in Java Web Applications [PDF]
Fengyu Liu, Youkun Shi, Yuan Zhang, Guangliang Yang, Enhao Li, Min Yang.
In Proceedings of the 46th IEEE Symposium on Security and Privacy (S&P), May 2025. (CCF-A)
📖 Educations
- 2021.09 - now, Ph.D, Fudan University, School of Computer Science.
- 2017.09 - 2021.06, B.Eng, Northwestern Polytechnical University, School of Computer Science.
💻 Internships
- 2020.04 - 2025.04, Keen Lab, Tencent, China.
- 2019.07 - 2019.09, Lark, ByteDance, China.