Sergei Ovchinnikov
Security researcher
Melbourne, Florida, United States
Sergei Ovchinnikov is a Principal Security Engineer at SoftwareONE, architecting security frameworks for cloud-native SaaS platforms and building coverage-guided API fuzzing tools. With over a decade of experience spanning penetration testing, vulnerability research, and application security engineering, I specialize in breaking and securing distributed microservices. I have a US patent (submitted) in differential coverage-guided feedback fuzzing for REST APIs and have previously spoken at security conferences including DefCamp and OFFZone. I hold OSCP, OSWE, and CRTE certifications and a Master's in Cryptology.
UpsideFuzzer: Zero-Harness Coverage-Guided API Fuzzing for .NET Microservices
Fuzzing REST APIs is a nightmare. To find deep business-logic bugs, your payload must survive three brutal layers of validation: it must be valid HTTP, it must be valid JSON, and it must pass the application's strict internal rules (like specific string lengths, regex patterns, or enums).
Black-box tools like RESTler are great at generating valid JSON from OpenAPI specs, but they are completely blind to code coverage and fail hard at business logic. Coverage-guided fuzzers like AFL can see the code, but their byte-level mutations instantly break the HTTP/JSON structure, making their feedback useless.
In this talk, I will introduce UpsideFuzzer, a new open-source framework that combines the best of both worlds for .NET applications.
I will demonstrate how UpsideFuzzer found 127%-169% more code paths than Microsoft's RESTler and uncovered multiple hidden 500 crashes (including Null Reference Exception) in popular .NET platforms like `nopCommerce` and `eShopOnWeb`.
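The validation layers described in this abstract can be made concrete with a small added example (not UpsideFuzzer's code and not taken from the talk): it pushes blind byte-level mutations and field-aware mutations of one JSON body through three checks and counts how deep each gets. The endpoint rules, field names and seed body are constructed assumptions, UTF-8 decoding stands in for the HTTP layer, and no coverage feedback is modelled.

```python
import json
import random
import re

# Constructed seed body and rules for a hypothetical order endpoint.
SEED = {"sku": "AB-1234", "quantity": 3, "currency": "USD"}
SKU_RE = re.compile(r"[A-Z]{2}-\d{4}")
CURRENCIES = ("USD", "EUR", "GBP")

def deepest_layer(body: bytes) -> int:
    """Count the validation layers a body survives (0 to 3)."""
    try:
        text = body.decode("utf-8")   # layer 1: stand-in for a well-formed HTTP body
    except UnicodeDecodeError:
        return 0
    try:
        doc = json.loads(text)        # layer 2: valid JSON
    except ValueError:
        return 1
    ok = (isinstance(doc, dict)       # layer 3: the application's own rules
          and isinstance(doc.get("sku"), str)
          and SKU_RE.fullmatch(doc["sku"]) is not None
          and type(doc.get("quantity")) is int   # rejects JSON true/false
          and 1 <= doc["quantity"] <= 100
          and doc.get("currency") in CURRENCIES)
    return 3 if ok else 2

def mutate_bytes(raw: bytes, rng: random.Random) -> bytes:
    """Blind byte-level mutation: overwrite one random byte."""
    buf = bytearray(raw)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def mutate_structure(seed: dict, rng: random.Random) -> bytes:
    """Structure-aware mutation: change one field's value, then re-serialize."""
    pools = {"sku": ["ZZ-0000", "ab-1234", "AB-12345", ""],
             "quantity": [1, 100, 0, -1, 101],
             "currency": ["EUR", "GBP", "XXX", None]}
    doc = dict(seed)
    field = rng.choice(sorted(pools))
    doc[field] = rng.choice(pools[field])
    return json.dumps(doc).encode()

def survey(structured: bool, runs: int = 2000, rng_seed: int = 1) -> list:
    """Histogram of deepest layer reached: index = layer, value = count."""
    rng, raw, hist = random.Random(rng_seed), json.dumps(SEED).encode(), [0, 0, 0, 0]
    for _ in range(runs):
        body = mutate_structure(SEED, rng) if structured else mutate_bytes(raw, rng)
        hist[deepest_layer(body)] += 1
    return hist

if __name__ == "__main__":
    print("byte-level:     ", survey(False))
    print("structure-aware:", survey(True))
```

Every structure-aware body reaches at least layer 2, so each request exercises the application's rules, while most byte-level mutants are rejected before any application code runs.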