Waris Damkham
Offensive Security Engineer & AI Security Researcher
Explore my skills, research, and hands-on security projects below.
About Me
I am an Offensive Security Engineer, Penetration Tester, and AI Security Researcher with a strong passion for Linux 🐧, Cybersecurity 🔒, AI 🤖, and DevOps ⚙️. My expertise spans Offensive Security, AI-driven threat research, Web security, and Mobile security, with hands-on experience in penetration testing and security assessments. I have led significant research projects, including the development of an Automated COVID-19 Screening Framework Using Deep CNN With Chest X-Ray Medical Images, research on Detecting Vulnerable OAuth 2.0 Implementations in Android Applications, and the creation of Practical Mobile-Based Services for Identification of Chicken Diseases From Fecal Images. These projects have been presented at conferences and featured in publications. I am actively seeking full-time opportunities where I can continue to grow, gain valuable industry insights, and contribute innovatively to a collaborative security research environment.
Skills & Tools
Experience
Key Responsibilities:
- Performed penetration testing across Web, Mobile, API, and Network environments for over 80 projects annually, covering KBTG and its subsidiaries.
- Acted as project owner for 4 major security assessment projects in 2025, leading end-to-end execution and reporting.
- Served as a core member in Red Team operations (Red Team Campaign), leading and executing advanced threat simulation and detection exercises.
- Created comprehensive summary reports of security findings in both Thai and English, ensuring clear communication with stakeholders
- Led the development of an automated reporting system and collaborated with the team to design reporting formats and styles.
- Significantly reduced response time for critical vulnerability alerts by building automation solutions using Power Apps, Power Automate, and Python.
- Conducted AI security research focused on both Offensive (Red Team) and Defensive (Blue Team).
- Collaborated closely with the Threat Intelligence team to support real-time alerting.
- Presented findings and shared AI threat insights during TBCert sessions and internal security briefings.
- Delivered knowledge-sharing sessions on AI security to regional KBTG teams.
Skills: Penetration test · Kali linux · Burp Suite · AI Security · Reporting · Power Automate · Power Apps
Key Responsibilities:
- Conducted in-depth penetration testing of IT infrastructure, identifying vulnerabilities in operating systems, applications, configurations, and user behavior.
- Specialized in web, mobile, and software vulnerability assessments following OWASP Top 10 and industry best practices.
- Delivered detailed security reports with actionable remediation steps to strengthen clients’ overall security posture.
- Worked cross-functionally with development and infrastructure teams to ensure timely remediation of security risks.
- Successfully completed 16 security assessment projects during the engagement.
Skills: Penetration test · Kali linux · Burp Suite · OWSAP · Vulnerability Assessment
Key Responsibilities:
- Assisted in conducting penetration tests on software, mobile, and web applications using tools such as Kali Linux and Burp Suite.
- Followed OWASP best practices to identify and document security vulnerabilities and simulate real-world cyberattacks.
- Performed vulnerability assessments on KPMG’s internal network using Nessus and other scanning tools.
- Contributed to the development of a secure internal website, incorporating security-by-design principles.
- Completed 2 penetration testing projects and 1 vulnerability assessment project, improving communication of complex findings to stakeholders.
- Gained practical expertise in offensive security while actively pursuing continuous learning in a dynamic threat landscape.
Skills: Penetration test · Kali linux · Burp Suite · OWSAP · Cybersecurity · Vulnerability Assessment
Key Responsibilities:
- Conducted research on OAuth 2.0 implementations in Android applications and browser extensions, focusing on vulnerabilities related to Cross-Site Request Forgery (CSRF).
- Evaluated critical security parameters such as the state value and authorization code to determine resilience against CSRF attacks.
- Developed a custom Android application and analyzed real-world apps and extensions to assess OAuth integration practices.
- Identified insecure implementations that exposed users to potential token hijacking and session fixation risks
- Contributed to the development of a benchmark for future security audits of Android apps and browser extensions using OAuth 2.0, promoting safer authentication design.
- Presented research findings at the Workshop on Cyber Forensics, Security, and E-discovery, part of the 23rd IEEE International Conference on Software Quality, Reliability, and Security (QRS 2023).
Skills: Android Development · OAuth2.0 · Application Security · Security · Cybersecurity · Java
Key Responsibilities:
- Contributed to a research project focused on automated COVID-19 diagnosis using deep learning and chest X-ray images.
- Developed and evaluated a convolutional neural network (CNN) model enhanced by transfer learning for accurate COVID-19 screening.
- Utilized Grad-CAM visualizations to interpret model predictions and enhance explainability for medical practitioners.
- Conducted experiments on publicly available datasets to assess model performance in terms of accuracy, precision, recall, and F-measure.
- Demonstrated expertise in artificial intelligence, deep learning, and medical image analysis applied to real-world health challenges.
- Published research findings at the 2022 6th International Conference on Information Technology (InCIT).
Skills: Public Speaking · Jupyter · Convolutional Neural Networks (CNN) · Deep Learning · Artificial Intelligence (AI) · Communication · Python
News Conference Paper Show Credential Conference Certifications
Education
Activities and societies:
Activities and societies:
Activities and societies:
Projects
Publications
CVE-2025-14366 - Eyewear prescription form <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Product Creation
Published in Wordfence
The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing authorization checks on the SubmitCatProductRequest AJAX action. This makes it possible for unauthenticated attackers to create arbitrary WooCommerce products with custom names, prices, and category assignments via the 'Name', 'Price', and 'Parent' parameters.
CVE-2025-14068 - WPNakama <= 0.6.3 - Unauthenticated SQL Injection via "order_by" Parameter
Published in Wordfence
The WPNakama plugin for WordPress is vulnerable to time-based SQL Injection via the "order_by" parameter in all versions up to, and including, 0.6.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2025-14166 - WPMasterToolKit (WPMTK) <= 2.13.0 - Authenticated (Contributor+) Code Injection
Published in Wordfence
The WPMasterToolKit plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.13.0. This is due to the plugin allowing Author-level users to create and execute arbitrary PHP code through the Code Snippets feature without proper capability checks. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server, leading to remote code execution, privilege escalation, and complete site compromise.
CVE-2025-12782 - Beaver Builder – WordPress Page Builder <= 2.9.4 - Missing Authorization to Authenticated (Contributor+) Builder Status Tampering
Published in Wordfence
The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.9.4. This is due to the plugin not properly verifying a user's authorization in the disable() function. This makes it possible for authenticated attackers, with contributor level access and above, to disable the Beaver Builder layout on arbitrary posts and pages, causing content integrity issues and layout disruption on those pages.
Practical Mobile Based Services for Identification of Chicken Diseases From Fecal Images
Presented at IEEE Region 10 Conference 2024 (TENCON 2024)
Poultry farming is crucial to the food chain, and chicken health directly impacts product quality and safety. Diagnosing poultry diseases using polymerase chain reaction is costly, particularly for small farms. To address this, we developed a mobile-based service for farmers, enabling the identification of common chicken diseases from fecal images via a Line account. Our system achieved 86.49% segmentation precision and 95.93% classification accuracy on a large dataset, offering a practical and accessible tool for local farmers.
Detecting Vulnerable OAuth 2.0 Implementations in Android Applications
Presented at the Workshop on Cyber Forensics, Security, and E-discovery, as part of the 23rd IEEE International Conference on Software Quality, Reliability, and Security, 2023.
OAuth 2.0, commonly used for authorization, can be susceptible to CSRF attacks in Android applications. To address this, we developed an Android app to assess other apps' use of the OAuth 2.0 state parameter—a key defense against CSRF. Our analysis, conducted on both Chrome and the default browser, evaluates whether Android apps using OAuth 2.0 are adequately protected against CSRF attacks. Our research aims to protect users by highlighting apps with potentially vulnerable OAuth 2.0 implementations.
Automated COVID-19 Screening Framework Using Deep CNN With Chest X-Ray Medical Images
Presented at The 6th International Conference on Information Technology (InCIT2022)
An automated COVID-19 screening framework using chest X-ray images is proposed in this study. It leverages artificial intelligence techniques and transfer learning for accurate diagnosis. The framework extracts features using transfer learning and applies modified deep neural networks. Grad-CAM visualization supports the predicted diagnosis. Experimental results demonstrate superior performance compared to other deep learning techniques. This framework has the potential to aid in early COVID-19 diagnosis and alleviate the burden on radiologists.
Certifications
.png)
.png)
.png)
.png)
Competitions
UMass CTF is back and better than ever this year! Get ready to dive into a thrilling array of challenges that will test your skills and push your limits. Participants can look forward to tackling intricate puzzles in Reverse Engineering, unlocking the mysteries of Cryptography, uncovering clues in Forensics, navigating the complex world of Binary Exploitation, and outsmarting defenses in Web Exploitation. Plus, we've got a host of miscellaneous challenges that are sure to surprise and engage. Don't miss out on the action-packed excitement at UMass CTF!
Skills: Cybersecurity, Web Exploitation, Forensics, Cryptography, Radio Steganography , Misc, Reverse Engineering, Pwn
Blog
Hello everyone! My name is Waris Damkham, and I'm currently a fourth-year student in Information and Communication Technology at Mahidol University. I was fortunate to secure an internship at the Cybersecurity Laboratory in the Faculty of Information Science and Engineering at Ritsumeikan University.[...]
My Resume
warris-m~$cat Contact & FollowI'm always open to discussions, collaborations, or just a chat. Feel free to reach out through any of the platforms below or drop me an email.