Recent Publications

. We Still Don’t Have Secure Cross-Domain Requests: an Empirical Study of CORS. In USENIX Security 2018.

PDF Code Slides Video

. Host of Troubles: Multiple Host Ambiguities in HTTP Implementations. In CCS 2016. (Best Paper Nominee)

PDF Slides Video

. Seeking Nonsense, Looking for Trouble: Efficient Promotional-Infection Detection through Semantic Inconsistency Search. In IEEE S&P 2016.


. Forwarding Loop Attacks in Content Delivery Networks. In NDSS 2016. (Distinguished Paper Award)

PDF Slides



  • “Hacking Intranet from outside: security problems of Cross Origin Resource Sharing (CORS)“, DEF CON China, 2018, Beijing.
  • “Host of Troubles attack”, The 2th China Cyber Security summit(CSS) 2016, Beijing.
  • “Improving IPv6 Attack Detector”, Free and Open Source Software conference (FOSSAISA) 2014, Cambodia.

Selected vulnerabilities:

  • CVE-2016-4553, Squid team evaluated it as a highest level(blocker) security vulnerability, which allowed an attacker to remotely poison the cache of any HTTP website with arbitrary content.
  • CVE-2016-4554, A critical security vulnerability in Squid, which was introduced to version 1.0 in 1996.
  • VU#938151, A new type of DoS attacks affecting all 16 CDNs we tested.

I am serving as an reviewer for IEEE/ACM Transactions on Networking(ToN).

Awards & Scholarships

  • Network Security Scholarship, China Internet Development Foundation, 2017
  • Distinguished Paper Award, Network and Distributed System Symposium (NDSS), 2016
  • National Scholarship, Ministry of Education, China, 2012
  • National Endeavor Scholarship, Ministry of Education, China, 2011


  • jianjun[AT]icsi[DOT]berkeley[DOT]edu
  • Suite 600, 1947 Center Street, Berkeley, CA, USA