Hi, my name is

Amr Waseif.

I build tools and secure systems.

I'm a cybersecurity student and developer focused on Python toolmaking, network privacy, and exploring embedded hardware. I enjoy creating native applications from scratch and understanding how technologies interact under the hood.


Background & Qualifications

Technical Focus

My expertise lies at the intersection of offensive security and robust software development. I actively research vulnerabilities through CTFs and responsible bug bounty disclosures while engineering offline-first applications and privacy-focused tools.

  • Offensive Security: Web Exploitation, DFIR, Bug Bounty, Capture The Flag (CTF)
  • Development: Native Python Tooling (CustomTkinter, Eel), Streamlit
  • Network Privacy: Obfuscation Protocols, Traffic Encryption
  • Hardware: ESP32 Embedded Systems, Real-time Telemetry

Achievements & Certifications

Certificate of Appreciation

Nov 2025

Panasonic CSIRT

Acknowledged for discovering and reporting a vulnerability on connect.na.panasonic.com

Certificate of Appreciation

Nov 2025

Panasonic CSIRT

Acknowledged for discovering and reporting a vulnerability on panasonic.aero

Top 15% Placement

Feb 2025

N0PS CTF

Focus: Web Exploitation, Pwn

Systems Scanning Course | NMAP Course

Apr 2025

s7ee7 platform

Skills: Network Scanning, Reconnaissance

Learn Programming with Python - From Scratch

Apr 2025

s7ee7 platform

Skills: Python Programming, Scripting

Featured Projects

Offline Retail POS System

An enterprise-grade, offline-first supermarket management and inventory system. Built using a Python backend with an Eel and Tailwind CSS frontend to ensure speed and local data security.

  • Python
  • Eel
  • Tailwind
  • SQLite

Localify Music Player

A strictly local audio player designed with CustomTkinter. Features a sleek UI with custom parsing of `.lrc` files for synchronized lyrics, completely independent of external APIs or trackers.

  • Python
  • CustomTkinter
  • Audio Parsing

ESP32 Hardware Monitor

A real-time performance telemetry dashboard utilizing a LilyGO T-Display ESP32 board. It receives JSON data over the network to display precise GPU/CPU temperatures and consumption metrics.

  • C++
  • ESP32
  • Hardware
  • JSON

SecurePass Manager

A simple, offline password manager built with Python and CustomTkinter. It features secure encryption (Fernet), master password protection, auto-lock, and a built-in password generator. Perfect for managing credentials locally without cloud storage.

  • Python
  • CustomTkinter
  • Cryptography

Vulnerability Disclosures

Reflected XSS on Panasonic Connect

Nov 07, 2025

Executive Summary:

A security vulnerability was found on the connect.na.panasonic.com search page. The search function echoes the search term back into the page without encoding it, allowing an attacker's code to run in a victim's browser. An attacker can craft a special link, and anyone who clicks it could have their account or data stolen.

Vulnerability Details:

  • Host: connect.na.panasonic.com
  • Endpoint: /search
  • Parameter: q (the search box)
  • Severity: High

How to See the Bug (Proof of Concept):

  1. Navigate to the search page on connect.na.panasonic.com.
  2. In the search bar, type or paste the following text: <img src=x onerror=prompt(1)>
  3. Submit the search.
  4. Result: a pop-up dialog appears on your screen. This proves that the page ran the code instead of just searching for the text.

What an Attacker Can Do (Impact):

  • Steal Sessions: If a user is logged in, an attacker can steal their session cookie and take over their account.
  • Steal Passwords: The attacker can show a fake login box and trick the user into typing their password.
  • Redirect Users: An attacker can automatically send visitors to a different, malicious website.

Appendix A: Other Tested Payloads

<image src=1 href=1 onerror="javascript:alert(1)"></image>

</scrip</script>t><img src =q onerror=prompt(8)>

<img src=xss onerror=alert(1)>

<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe

<iframe %00 src="&Tab;javascript:prompt(1)&Tab;"%00>

/iframe/src/<iframe/src="<iframe/src=@"/onload=prompt(1) /iframe/src/>

&#00;</form><input type&#61;"date" onfocus="alert(1)">

<marquee onstart='javascript:alert&#x28;1&#x29;'>^__^

</BODY></HTML><style>body{background:red;}</style>

Reflected XSS on Panasonic.aero

Nov 05, 2025

Summary:

A reflected Cross-Site Scripting (XSS) vulnerability exists on the Panasonic.aero website. Unsanitized user input in the search feature is reflected back into the page, allowing arbitrary JavaScript execution in the visitor’s browser.

Affected URL:

https://www.panasonic.aero/search?q=%3Cimage%20src%20%3Dq%20onerror%3Dprompt%288%29%3E

Steps to Reproduce (PoC):

  1. Navigate to https://www.panasonic.aero/
  2. In the search bar, input the following payload: <image src =q onerror=prompt(8)>
  3. Submit the search query.
  4. The payload executes and a dialog showing the number 8 appears, confirming JavaScript injection.

Impact & Severity:

Severity: High — reflected XSS affecting end users.
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim’s browser, which may lead to session hijacking, data theft, phishing, or webpage manipulation.

Recommendations:

  • Sanitize and HTML-encode user input before rendering on the page.
  • Properly escape output in templates.
  • Implement a strict Content Security Policy (CSP).
  • Validate and reject HTML tags or event attributes in user-supplied input.
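The following is an added example, not code from this site or from Panasonic, showing what the first two recommendations look like in practice for a search page of this kind: the query value rendered straight into the response (the pattern both reports describe) next to a version that HTML-encodes every interpolation, plus a CSP header and a logging tripwire as the defence-in-depth layers the list mentions. All function names, the page template and the CSP value are assumptions; the only page-derived values are the parameter name q and the sample search string from the reproduction steps.

```javascript
// Added example (not from the site or the vendor). Names are hypothetical.

// Encode the characters that can change HTML structure. This set covers
// text content and double- or single-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the q parameter is concatenated into the response
// body, so a search term that contains markup is parsed as markup.
function renderSearchVulnerable(q) {
  return `<h1>Results for: ${q}</h1>\n<input name="q" value="${q}">`;
}

// Hardened pattern: the same template, with every interpolation encoded
// for its context (text node and quoted attribute).
function renderSearchSafe(q) {
  const safe = escapeHtml(q);
  return `<h1>Results for: ${safe}</h1>\n<input name="q" value="${safe}">`;
}

// Defence in depth (assumed policy): a strict CSP refuses inline event
// handlers and inline scripts even if an encoding bug slips through elsewhere.
const CONTENT_SECURITY_POLICY =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Server-side tripwire for logging and alerting: flags input that carries a
// tag or an on* event attribute. It supports detection of probing; output
// encoding above is what actually prevents execution.
function looksLikeMarkupInjection(q) {
  return /<\s*\/?\s*[a-z!]/i.test(q) || /\bon[a-z]+\s*=/i.test(q);
}

// Constructed sample: the search string from the report's reproduction steps.
const SAMPLE_QUERY = "<image src =q onerror=prompt(8)>";

console.log("vulnerable:\n" + renderSearchVulnerable(SAMPLE_QUERY));
console.log("hardened:\n" + renderSearchSafe(SAMPLE_QUERY));
console.log("flagged for logging:", looksLikeMarkupInjection(SAMPLE_QUERY));
console.log("Content-Security-Policy:", CONTENT_SECURITY_POLICY);
```

In the hardened output the sample appears literally as search text (`&lt;image src =q onerror=prompt(8)&gt;`), so the browser never creates an element or an event handler from it. Encoding at output time is the fix that holds regardless of which characters a request filter happens to catch; the tripwire and the CSP are there to surface attempts and to limit damage from any encoding gap, not to replace encoding.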
