Daniel Púa

3K posts

@devploit

Security Researcher · Head of Security @Freepik · CTF Player 🇪🇸 · @hackandbeers Málaga · Real-world infosec, no hype.

Málaga, Spain · Joined April 2016
875 Following · 2.9K Followers
Daniel Púa retweeted
Yunus Emre Öztaş @ynsmroztas ·
On non-rooted devices, critical data should never be left openly in the `/shared_prefs` file; it should either be moved to a secure area or kept encrypted in a sandbox. Failure to do so can pose serious risks (especially for financial applications). For Android applications, I strongly recommend learning about Frida or hooking techniques. @intigriti #bugbountytip #bugbountytips #infosec #recon #android
Daniel Púa retweeted
Nate @nnwakelam ·
geohot.github.io//blog/jekyll/u… This is a really good read. I like how this guy brings a lot of what he speaks on back to this idea of “creating more value than you consume”.
Daniel Púa retweeted
slonser @slonser_ ·
I didn't really want to get involved in the discussion about the "death of CTF" because of AI. But the conversations on Twitter keep going, so I'll express my thoughts in this thread. For those too lazy to read — CTF will live on. For the rest, I suggest reading the thread below.
Daniel Púa retweeted
Hackviser @hackviserr ·
Top FFUF Commands 🚀 Ready to fuzz faster? ffuf is the go-to tool for modern web reconnaissance, and this cheat sheet has the top commands you need. Uncover hidden directories, fuzz parameters, and discover subdomains with incredible speed. ⭐️ Save this post! It's a must-have for any web pentest or bug bounty hunt. 👇 What's your favorite wordlist for fuzzing? Share it below!
Daniel Púa retweeted
LiveOverflow 🔴 @LiveOverflow ·
CTF for the post LLM era: deploy real up-to-date open source projects and put flag in /flag.txt
Daniel Púa retweeted
Intigriti @intigriti ·
Hitting 403/401 errors during testing? 🧐 Nomore403 by @devploit is an advanced bypass tool that automates several different techniques to get past access restrictions, from header manipulation to HTTP method tampering! The tool also features auto-calibration, concurrent scanning, and customizable payloads! 😎 Check it out! 👇 🔗 github.com/devploit/nomor…
Daniel Púa retweeted
André Baptista @0xacb ·
Tired of hitting 403 errors during your security testing? NoMore403 by @devploit automates bypass techniques to get past those pesky restrictions. Try it at 👇 github.com/devploit/nomor…
Daniel Púa retweeted
Behi @Behi_Sec ·
This is one of the most informative writeups I've come across on Prompt Injection: aikido.dev/blog/promptpwn…
Daniel Púa retweeted
Shakquraa | Cybersecurity @shakquraa ·
🐞If you hunt modern web apps, this guide is worth your time. A deep dive into Next.js security testing covering real attack surfaces — SSRF, XSS, CSTI/SSTI, cache issues, data leaks, and more — with a mindset tailored for bug hunters and pentesters. Frameworks evolve fast, and so do their flaws. Understanding how Next.js handles rendering, routing, APIs, and caching can open doors to impactful findings. Great work by @daoud_youssef — definitely adding this to my testing workflow. 🔥deepstrike.io/blog/nextjs-se… #BugBounty #AppSec #WebSecurity #Pentesting #NextJS #CyberSecurity #SecurityResearch
Daniel Púa retweeted
Melvyn • Builder @melvynx ·
PRO Tips with Claude Code: The "deny" list overrides `bypassPermissions`. So you can basically enable `bypassPermissions` and then deny every command you're afraid AI can do. Simple and safe.
Daniel Púa retweeted
mrinank @MrinankSharma ·
Today is my last day at Anthropic. I resigned. Here is the letter I shared with my colleagues, explaining my decision.
Daniel Púa retweeted
Zack Korman @ZackKorman ·
New OpenClaw vulnerability: If you talk to your bot via iMessage, the allowlist might not protect you at all. Allowlist matches phone numbers, but many telecoms don’t enforce number ownership. On those networks, anyone can spoof an allowed number and message your bot.
Daniel Púa retweeted
max @maxbittker ·
racing Opus 4.6 against 4.5 to max out a Runescape account