About Me
Hi, there! I'm Jingcheng Yang. You can also call me Jesse. I'm a first-year PhD student from Tsinghua University's Network and Information Security Lab (NISL), advised by Prof. Jianjun Chen.
My research interests include Web Security, Protocol Security, and AI Security. I focus on systematically discovering protocol vulnerabilities and building automated vulnerability mining systems, as well as constructing agents to more efficiently uncover security flaws. Additionally, I am committed to building a more secure Internet infrastructure. I have submitted contributions to the IETF to supplement the JWT Best Current Practice (BCP), which were incorporated into the latest version of draft-ietf-oauth-rfc8725bis.
Beyond research, I am also a CTF player in Tsinghua University's CTF team Redbud, specializing in Web Security.
News
- [Feb. 2026] I'm so honoured to have been selected into the IETF Elite Talent Program. See you at IETF 125 Shenzhen!
Publications

Token Time Bomb: Evaluating JWT Implementations for Vulnerability Discovery
Jingcheng Yang, Enze Wang, Jianjun Chen, Qi Wang, Yuheng Zhang, Haixin Duan, Wei Xie, Baosheng Wang
2026 Network and Distributed System Security (NDSS) Symposium
@inproceedings{yang2025token,
title = {Token Time Bomb: Evaluating JWT Implementations for Vulnerability Discovery},
author = {Yang, Jingcheng and Wang, Enze and Chen, Jianjun and Wang, Qi and Zhang, Yuheng and Duan, Haixin and Xie, Wei and Wang, Baosheng},
booktitle = {Proceedings of the 32nd Network and Distributed System Security Symposium (NDSS)},
year = {2025},
publisher = {Internet Society},
doi = {10.14722/ndss.2025.24116},
url = {https://www.ndss-symposium.org/ndss-paper/token-time-bomb-evaluating-jwt-implementations-for-vulnerability-discovery/}
}

SIPConfusion: Exploiting SIP Semantic Ambiguities for Caller ID and SMS Spoofing
Qi Wang, Jianjun Chen, Jingcheng Yang, Jiahe Zhang, Yaru Yang, Haixin Duan
2026 Network and Distributed System Security (NDSS) Symposium
@inproceedings{wang2026sipconfusion,
title = {SIPconfusion: Exploiting SIP Semantic Ambiguities for Caller ID and SMS Spoofing},
author = {Wang, Qi and Chen, Jianjun and Yang, Jingcheng and Zhang, Jiahe and Yang, Yaru and Duan, Haixin},
booktitle = {Proceedings of the 33rd Network and Distributed System Security Symposium (NDSS)},
year = {2026},
publisher = {Internet Society},
url = {https://www.ndss-symposium.org/ndss-paper/sipconfusion-exploiting-sip-semantic-ambiguities-for-caller-id-and-sms-spoofing/}
}
Honors and Awards
| 2025 | Outstanding Undergraduate Award, Sichuan Province (Top 3% in the Province). |
| 2023 | National Scholarship, Ministry of Education of China (Top 0.2% in China). |
Education
| 2025 – | Ph.D., Network and Information Security Lab, Institute for Network Sciences and Cyberspace, Tsinghua University. |
| 2021 – 2025 | B.Eng. in Cyber Science and Engineering, Sichuan University. |
Services
External Reviewer
| 2026 | Network and Distributed System Security Symposium (NDSS); ACM Asia Conference on Computer and Communications Security (AsiaCCS) |
| 2025 | ACM Conference on Computer and Communications Security (CCS); IEEE European Symposium on Security and Privacy (EuroS&P); Network and Distributed System Security Symposium (NDSS) |
Selected Competition Awards
| 2025 | 6th Place, at the 1st Tencent Intelligent Penetration Testing Challenge. 5th, at Black Hat MEA CTF Final with Redbud. 1st Prize, at QiangWang Cup CTF with Redbud. 4th, at XCTF Final with Redbud. |
| 2022 | Silver Medal, at ACM-ICPC Asia Nanjing Regional Contest. |
StarBugs
I have discovered some vulnerabilities in popular OSS. A selected list of them is shown below.
| Project | Vulnerability | Advisory |
|---|---|---|
| Anonymous GitHub | XSS | GHSA-g485-8j3v-p6x8 |
| Anything LLM | RCE | CVE-2026-32626 |
| Shiro | ACL Bypass | CVE-2026-23903 |
| Asterisk | Identity forgery | CVE-2025-47779 |
| Jetty | Parsing Difference | CVE-2025-11143 |
| GoLang/NET/URL | Parsing Difference | CVE-2025-47912 |
| CXF | DoS | CVE-2024-32007 |
| telemeter | Authentication Bypass | CVE-2024-5037 |
| wildfly-elytron | Authentication Bypass | CVE-2024-1233 |
| nimbus-jose-jwt | DoS | CVE-2023-52428 |