Biography

Chuhan Wang is a tenure-track Associate Professor in the School of Cyber Science and Engineering at Southeast University. He received the Ph.D. degree from the Network and Information Security Lab (NISL) at Tsinghua University, under the supervision of Prof. Haixin Duan and Prof. Jianjun Chen. He was a visiting scholar at the University of Illinois at Urbana-Champaign, working with Prof. Gang Wang. His research interests include network security, protocol security, web security, email security and Internet measurement. He has published many papers at top-tier academic conferences on network security, including Oakland S&P [2], USENIX Security [3], CCS [2], and NDSS [2]. His research findings have assisted companies such as Google, Apple, Yandex, Tencent, and Shopee in fixing security vulnerabilities. As a member of Redbud, a CTF team from Tsinghua University, he has won the ByteCTF 2020 championship along with several other CTF awards.

About Prospective Students: I am actively seeking self-motivated master’s students and undergraduate interns. If you are passionate about network security, web security, protocol security and related fields, and are eager to engage in cutting-edge security research, please feel free to reach out to me with your CV and research interests.

Recent News

  • [08/2025] Our paper about SMTP Smuggling was invited for presentation at the Microsoft Research Pre-USENIX Security Mini-Conference. Thanks to Prof. Gang Wang for presenting our work.
  • [08/2025] Our paper about SMTP Smuggling got accepted by USENIX Security 2025.
  • [07/2025] I have been qualified as a master’s advisor.
  • [06/2025] I have joined Southeast University as a tenure-track Associate Professor!
Interests
  • Network Security
  • Protocol Security
  • Web Security
  • Email Security
Education
  • Ph.D. in Cyberspace Security

    2019 - 2024, Tsinghua University

  • Visiting Scholar

    01/2024 - 07/2024, University of Illinois at Urbana-Champaign

  • B.E. in Computer Science

    2015 - 2019, Beijing Jiaotong University

Publications

(2025). Email Spoofing with SMTP Smuggling: How the Shared Email Infrastructures Magnify this Vulnerability. In USENIX Security ‘25. Seattle, WA, August 13–15, 2025. (Acceptance rate: 407/2385=17.1%).

(2024). Inbox Invasion: Exploiting MIME Ambiguities to Evade Email Attachment Detectors. In CCS ‘24. Salt Lake City, USA. October 14-18, 2024 (Acceptance rate: 331/1964=16.9%).

(2024). Where URLs Become Weapons: Automated Discovery of SSRF Vulnerabilities in Web Applications. In Oakland S&P ‘24. San Francisco, California, May 20–23, 2024. (Acceptance rate: 261/1,466=17.8%).

(2024). TuDoor Attack: Systematically Exploring and Exploiting Logic Vulnerabilities in DNS Response Pre-processing with Malformed Packets. In Oakland S&P ‘24. San Francisco, California, May 20–23, 2024. (Acceptance rate: 261/1,466=17.8%).

(2024). Uncovering Security Vulnerabilities in Real-world Implementation and Deployment of 5G Messaging Services. In WiSec ‘24. Seoul, Korea. May 27 - May 30, 2024. (Acceptance rate: 23/109=21.1%).

(2024). ReqsMiner: Automated Discovery of CDN Forwarding Request Inconsistencies and DoS Attacks with Grammar-based Fuzzing. In NDSS ‘24. San Diego, California, 26 February – 1 March, 2024. (Acceptance rate: 140/694=20.2%, Acceptance rate in summer: 41/211=19.4%, Acceptance rate in fall: 99/483=20.5%).

(2024). BreakSPF: How Shared Infrastructures Magnify SPF Vulnerabilities Across the Internet. In NDSS ‘24. San Diego, California, 26 February – 1 March, 2024. (Acceptance rate: 140/694=20.2%, Acceptance rate in summer: 41/211=19.4%, Acceptance rate in fall: 99/483=20.5%).

(2023). Under the Dark: A Systematical Study of Stealthy Mining Pools (Ab)use in the Wild. In CCS ‘23. Copenhagen, Denmark. November 26-30, 2023 (Acceptance rate: 234/1222=19.1%, Acceptance rate in first round: 76/427=17.8%, Acceptance rate in second round: 158/795=19.8%).

(2022). A Large-scale and Longitudinal Measurement Study of DKIM Deployment. In USENIX Security ‘22. Boston, MA, USA. August 10–12, 2022. (Acceptance rate: 256/1492=17.2%).

(2021). Weak Links in Authentication Chains: A Large-scale Analysis of Email Sender Spoofing Attacks. In USENIX Security ‘21. Vancouver, BC, Canada. August 11-13, 2021 (Acceptance rate: 246/1316=18.7%).
ⓘ Both are first authors.

Projects

Projects and Codes

NoSpoofing
NoSpoofing is a Chrome extension. It is a UI notification scheme that alerts users when the emails they receive may be spoofed.

Misc

🏅 Awards

Scholarship

  • Short-term Visiting Scholarship, Tsinghua University, 2023
  • The 1st Class Outstanding Scholarship, Tsinghua University (2022, 2023)
  • Excellent Undergraduate Award, Beijing Municipal Commission of Education, 2019
  • The 1st Class Scholarship, Beijing Jiaotong University (2016, 2017, 2018)
  • China National Scholarship, 2016

CTF

  • The 3rd prize, Hongminggu CTF, 2023
  • The 3rd place, Aliyun CTF, 2023
  • The 2nd place, *CTF, 2021
  • The 2nd place, L3HCTF, 2021
  • 🏆 Champion, The 3rd ByteDance ByteCTF Finals (2020)

🔖 Patents

📝 Services

  • Session Chair of Securecomm, Hong Kong, 2023
  • TA for Class “Network Security Engineering and Practice”, Tsinghua University, 2022
  • TA for Class “Network Security Attack and Defense Practice”, Tsinghua University, 2023
  • TA for Class “Network Protocol Security Design and Analysis”, Tsinghua University, 2023
  • Lecturer for Datacon Summer Camp, 2022, 2023

🙋‍♂️ Reviewers

  • Securecomm ‘23

🙋‍♂️ External Reviewers

  • EuroS&P ‘23

Contact