Caido, a web security toolkit, is built by hackers for hackers and has established itself as a leading choice for penetration testers, bug bounty hunters, and other security professionals alike. Caido provides a robust, yet intuitive, set of features that enables you to identify vulnerabilities in web applications in an efficient and organized manner.
Developed by a team of three, with an advisory board including Ben Sadeghipour (@NahamSec) and Justin Gardner (@Rhynorater), Caido helps others succeed in their security testing endeavors.
“We started Caido to give hackers a tool that feels modern, reliable, and thoughtfully designed—something we’d want to use every day and one that’s approachable even if you’re a beginner.” – Ian Bouchard, Caido Cofounder
In addition to the default toolkit, web hackers can automate processes with Caido by creating custom extensions using the languages they are most familiar with: HTML, CSS, and JavaScript. This flexibility allows users to do the following:
Using Caido is almost like collaborating with another hacker, without the obligation to split the bounty payment.
Don’t have any development experience? Don’t worry. Members of the Caido community publish extensions they have built that you can download for free from the in-app store or official repositories.
Caido is extremely budget-friendly, and subscription holders gain access to additional features such as the Assistant, Caido’s artificial intelligence (AI) large language model (LLM) that is specifically tailored for security research.
Even with only the free tier of Caido, you can expect the following:
By the end of this guide, you will be able to try your hand at web application hacking using Caido as your toolkit solution.
Let’s begin with a little background information…
The Hypertext Transfer Protocol (HTTP), the protocol that facilitates web traffic, uses a client/server model. To most people, the client in this relationship is their browser (Chrome, Safari, Firefox, etc.). On the other side of this relationship, the server is the entity providing the resources that the browser needs to display a web page/web application.
In this context, “resources” refer to items such as the following:
To communicate with the server, a client will send HTTP requests. There are different types of request methods:
When a server receives these requests, it will parse them and determine the appropriate HTTP responses.
Think of this exchange as two people sending mail to each other:
If the HTML document contains references to additional resources, additional requests will be made.
Some modern web applications also exchange data over WebSockets. A WebSocket connection is opened with an HTTP Upgrade handshake and then carries messages in both directions until it is closed. We will only briefly discuss this communication method in this article because the majority of web traffic consists of requests and responses.
By sitting in between your browser and web servers, Caido acts as an intercepting proxy, giving you the ability to view, intercept, and modify HTTP requests and responses to conduct web application security testing.
Using our example from earlier, you can think of Caido as a tool that lets you open the letters your browser and server send to each other. You can read and change what is written, before it reaches its intended recipient.
Normally, users interact with web applications in the manner intended by their developers. Predictable traffic is easy to handle: web applications expect certain requests and reply with programmatically predetermined responses.
Developers often assume that the average user cannot tamper with requests and responses. With Caido, you can. It is through this subversion of expectations that you can find weaknesses in systems and get paid for reporting them.
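The letter-opening analogy, as an added example that is not part of the original article or Caido's code: a miniature HTTP exchange written in JavaScript (Node), with a proxy step between the "browser" and a constructed toy server. The server, the header name X-Role and the /admin path are this example's own constructions; the server deliberately trusts a client-supplied header so that the effect of editing a request in transit is visible.

```javascript
// Added example for this article, not Caido's own code: a miniature HTTP
// exchange with a proxy step in the middle. The server is a constructed
// stand-in that trusts a client-supplied header, so the effect of editing a
// request on its way through the proxy is visible. No network is used.

const CRLF = '\r\n';

// Wire format of a request: start line, header lines, blank line, body.
function serializeRequest(req) {
  const head = [`${req.method} ${req.path} HTTP/1.1`];
  for (const [name, value] of Object.entries(req.headers)) head.push(`${name}: ${value}`);
  return head.join(CRLF) + CRLF + CRLF + (req.body || '');
}

// Requests and responses share one shape: start line, headers, blank line, body.
function parseMessage(raw) {
  const sep = raw.indexOf(CRLF + CRLF);
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? '' : raw.slice(sep + 4);
  const [startLine, ...headerLines] = head.split(CRLF);
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim()] = line.slice(i + 1).trim();
  }
  return { startLine, headers, body };
}

function parseRequest(raw) {
  const { startLine, headers, body } = parseMessage(raw);
  const [method, path, version] = startLine.split(' ');
  return { method, path, version, headers, body };
}

function parseResponse(raw) {
  const { startLine, headers, body } = parseMessage(raw);
  const [version, status, ...reason] = startLine.split(' ');
  return { version, status: Number(status), reason: reason.join(' '), headers, body };
}

// Constructed server: deliberately naive, it authorises /admin from a header
// the client controls. A real server must derive roles from state it owns.
function toyServer(rawRequest) {
  const req = parseRequest(rawRequest);
  const role = req.headers['X-Role'] || 'guest';
  const allowed = req.path !== '/admin' || role === 'admin';
  const body = allowed ? `welcome, ${role}` : 'forbidden';
  return [
    `HTTP/1.1 ${allowed ? '200 OK' : '403 Forbidden'}`,
    'Content-Type: text/plain',
    `Content-Length: ${Buffer.byteLength(body)}`,
    '',
    body,
  ].join(CRLF);
}

// The proxy step: parse the client's bytes, let the tester edit the parsed
// request, re-serialise it (fixing Content-Length if the body changed), and
// forward it. Without an edit callback the message passes through untouched.
function proxyExchange(rawRequest, edit, server = toyServer) {
  const req = parseRequest(rawRequest);
  if (edit) edit(req);
  if (req.body) req.headers['Content-Length'] = String(Buffer.byteLength(req.body));
  const forwarded = serializeRequest(req);
  return { forwarded, response: parseResponse(server(forwarded)) };
}

// Constructed sample: what the browser would send for /admin as a normal user.
const browserRequest = serializeRequest({
  method: 'GET',
  path: '/admin',
  headers: { Host: 'app.example', 'X-Role': 'user' },
});

console.log(proxyExchange(browserRequest).response.status);                                         // 403
console.log(proxyExchange(browserRequest, r => { r.headers['X-Role'] = 'admin'; }).response.status); // 200
```

The two calls at the end are the whole point: the first forwards the letter unopened and the server says 403; the second rewrites one header in transit and the same server says 200. Note the Content-Length fix-up in proxyExchange, which is the detail most often forgotten when a body is edited by hand.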
To download and install Caido, view the guide for your operating system:
On initial launch, you will be guided through the basic configuration steps. This includes the following:
On the left-hand side of Caido is a navigation menu that contains the different feature interfaces. Clicking on a listed feature will present its own page.
Throughout Caido, you will see a number of tables. Each table row represents an HTTP request.
The requests can be sorted in ascending or descending order based on column category. To determine which columns you can sort by, hover your mouse cursor over the column names. If your cursor turns into a hand icon, you can toggle the listing order by clicking.
In certain tables, you can also include/exclude columns by clicking on the gear icon button in the lower-right corner.
By clicking on a traffic table row, the selected HTTP request/response pair will be displayed in their own panes.
Some panes allow you to edit the requests and responses directly.
The image icon button in the top-right corner of the response pane will render the web page as it would be displayed in your browser window. To enable this feature, click on the account icon button in the top-right corner of Caido, select Settings, and click the Install now button in the Rendering interface.
In the bottom-left corner of each pane are Pretty buttons that you can use to toggle between the raw representation of a request and a formatted representation for easier readability.
In the bottom-left corner of the response pane is the response’s size in bytes and a millisecond value that lets you know how long it took to receive the response.
Clicking the caret buttons will expand the tree representation of the domain to reveal its directories, files, and the associated request-and-response pairs.
The Intercept, Replay, and Automate feature interfaces give you the ability to view, modify, and control web traffic.
With Caido running and the proxy settings enabled, clicking the >> Forwarding button will switch Caido to || Queuing mode. In this mode, you can intercept requests before they are sent to the server or intercept responses before they are sent to your browser.
From the Intercept interface, you can choose to intercept requests, responses, or both by clicking on their buttons. The pause icon will be displayed when intercept is enabled and two right-facing carets will be displayed when intercept is disabled.
In this configuration, both requests and responses will be held.
As web traffic accumulates, you can view all the intercepted requests and responses in the Intercept traffic tables.
Once you are done inspecting or modifying a request or response, you can send it on its way by clicking the Forward button. Alternatively, you can choose to not pass on a request or response by clicking the Drop button.
Intercepting traffic is powerful, but with Intercept alone you would have to repeat your browsing to see or modify a particular request or response again.
With the Replay feature, you can resubmit individual requests as many times as you wish, allowing you to quickly test how various modifications alter a returned response.
By clicking within a request, you can send it to Replay via the keyboard shortcut CTRL + R or by right-clicking and selecting Send to Replay from the context menu.
The request in the Replay interface.
As you send a request over and over with the Send button, Caido records its history in what is referred to as a “session.” The number of times the request has been sent is displayed at the bottom of the request pane.
This feature allows you to keep track of the modifications made. To navigate through a request’s history, use the back and forward arrow buttons.
When requests are sent to Replay, they can be selected by their numerical tab. However, requests can easily become lost when you have sent multiple to Replay. To quickly identify a specific request, you can change the tab name by right-clicking on the tab and selecting the Rename option.
To create a request from scratch, click on the + New Session button.
You can remove a request from the Replay interface by clicking the X icon in its tab. If you accidentally do this, don’t worry—the request will still be accessible by expanding the Default Collection.
Collections help you stay organized by giving you the ability to group requests. To create a new collection, click on the down arrow to the right of the + New Session button and click the revealed New Collection button.
This will add a New collection entry to the list. Right-clicking on a collection entry will present various options, including + Add session, Rename, and Delete. To move a request from one collection to another, simply click + hold + drag the request into the desired collection.
With Caido’s Automate feature, you can submit requests programmatically. You can accomplish this by adding one or more placeholders to a request and then defining payload values that will be inserted.
Using Automate, you can iterate through a vast number of payload values in a fraction of the time it would take to manually modify requests and send them with Intercept or Replay.
By clicking within a request, you can send it to Automate via the keyboard shortcut CTRL + M or by right-clicking and selecting Send to Automate from the context menu.
Like Replay, Automate request tabs can also be renamed and requests can be created from scratch by clicking on the + New Session button.
To select a value to be replaced, click + hold + drag across it so that it is highlighted, then click the + button to mark it as a placeholder.
Next, from the Payload tab, select a payload Type:
In the Preprocessors tab is a variety of different options for modifying the payload value before a request is sent:
Any preprocessors applied will be included in the Active preprocessors list.
The Settings tab gives you further control over the Automate session:
Once you are done configuring your Automate session, click the Run button to execute it. In the tab that opens, the payload requests will be included within the traffic table.
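The placeholder-and-payload mechanics of an Automate session, as an added JavaScript (Node) example that is not part of the original article or Caido's code. The §n§ placeholder syntax, the payload type names (list, range), the preprocessor names (prefix, suffix, urlencode, base64) and the sample login request are this example's own conventions, chosen to mirror the steps above; nothing is sent, the generated requests are simply returned.

```javascript
// Added example for this article, not Caido's own code: the mechanics behind
// an Automate-style session in plain JavaScript. The §n§ placeholder syntax,
// the payload types and the preprocessor names are this example's own labels,
// not Caido's internal ones. Nothing is sent; the generated requests are returned.

const CRLF = '\r\n';

// Payload types: each produces the list of values to substitute.
const payloadTypes = {
  list: (items) => [...items],
  // Inclusive numeric range; `width` zero-pads so 1 becomes "01" when width is 2.
  range: ({ from, to, step = 1, width = 0 }) => {
    const out = [];
    for (let n = from; n <= to; n += step) out.push(String(n).padStart(width, '0'));
    return out;
  },
};

// Preprocessors transform a payload before it is inserted; they run in order.
const preprocessors = {
  prefix: (v, arg) => arg + v,
  suffix: (v, arg) => v + arg,
  urlencode: (v) => encodeURIComponent(v),
  base64: (v) => Buffer.from(v, 'utf8').toString('base64'),
};

function applyPreprocessors(value, chain) {
  return chain.reduce((acc, [name, arg]) => {
    if (!preprocessors[name]) throw new Error(`unknown preprocessor ${name}`);
    return preprocessors[name](acc, arg);
  }, value);
}

// Cartesian product of the per-placeholder value lists, so that every
// combination of values is generated when a request has several placeholders.
function combinations(lists) {
  return lists.reduce((acc, list) => acc.flatMap(prefix => list.map(v => [...prefix, v])), [[]]);
}

// After substitution the body length changes; a stale Content-Length makes the
// server truncate or hang on the request, so recompute it when present.
function fixContentLength(raw) {
  const sep = raw.indexOf(CRLF + CRLF);
  if (sep === -1) return raw;
  const body = raw.slice(sep + 4);
  const head = raw.slice(0, sep).replace(/^content-length:.*$/im, `Content-Length: ${Buffer.byteLength(body)}`);
  return head + CRLF + CRLF + body;
}

// Build every request the session would send. session.placeholders[i] configures §i§.
function buildRequests(session) {
  const valueLists = session.placeholders.map(p =>
    payloadTypes[p.type](p.config).map(v => applyPreprocessors(v, p.preprocessors || [])));
  return combinations(valueLists).map(values => {
    let raw = session.template;
    values.forEach((v, i) => { raw = raw.split(`§${i}§`).join(v); });
    return { values, raw: fixContentLength(raw) };
  });
}

// Constructed sample session: two placeholders in a login form body.
const session = {
  template: [
    'POST /login HTTP/1.1',
    'Host: app.example',
    'Content-Type: application/x-www-form-urlencoded',
    'Content-Length: 0',
    '',
    'user=§0§&pass=§1§',
  ].join(CRLF),
  placeholders: [
    { type: 'list', config: ['admin', 'a&b'], preprocessors: [['urlencode']] },
    { type: 'range', config: { from: 1, to: 3, width: 2 }, preprocessors: [['prefix', 'pw'], ['base64']] },
  ],
};

const generated = buildRequests(session);
console.log(generated.length, generated[0].values); // 6 [ 'admin', 'cHcwMQ==' ]
```

Two placeholders with two and three values give six requests. The preprocessor chain runs left to right, so the range value 1 becomes "01", then "pw01", then its base64 form "cHcwMQ==" before it is inserted; and because the body length differs per payload, the Content-Length header is recomputed for every generated request rather than copied from the template.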
The Sitemap, HTTP History, and Search feature interfaces give you the ability to view all of the web traffic that has been proxied through or generated by Caido.
As you proxy web traffic, the Sitemap interface lists the structure of your target web application as a hierarchical tree. Clicking on the caret icons of a domain will expand the tree, revealing the proxied directories, the files they contain, and the associated request/response pairs.
The HTTP History interface displays a table that contains all of the traffic that has been proxied through Caido.
In addition to all of the traffic that has been proxied through Caido, the Search interface traffic table also includes all of the traffic that has been generated by Caido itself.
The Source column identifies which Caido feature the request originated from.
The WS History interface contains a table that lists all of the WebSocket Streams and their associated messages. Click on a row from the Stream Messages table to view a message.
HTTPQL lets you search for the exact requests or responses you are looking for, while the Filters and Scope feature interfaces give you the ability to dictate which requests are listed in the traffic tables.
HTTPQL is a query language in which each clause names an object (such as req or resp), accesses one of its fields, applies an operator, and supplies a comparison value, for example req.ext.cont:"js".
By entering queries in the input field above a traffic table, you can search for specific requests and responses.
With the query req.ext.cont:"js", only requests whose file extension contains the string “js” are listed, which in practice shows all requests for JavaScript files.
As you type your queries, Caido will display autocomplete suggestions.
View the official documentation for detailed information on HTTPQL in Caido.
Since traffic tables can quickly become overwhelming, you can also define exactly what requests should be excluded from display by creating filter presets within the Filter interface.
Two filter presets are included by default: No Images and No Styling.
With the No Images filter preset applied, requests for images will not be included in the traffic tables.
With the No Styling filter preset applied, requests for style resources will not be included in the traffic tables.
As you can see, these filters are created using HTTPQL syntax. To create a new filter, click on the + New Preset button, name the preset, supply an alias (aliases can be used to reference the filter preset programmatically), define the HTTPQL expression, and click the Save button.
To enable or disable the application of filter presets, click on the Advanced button located to the right of the HTTPQL query input field above a traffic table.
Clicking this button will reveal a selection pane on the right-hand side of Caido. Here, you can enable a filter preset by filling its checkbox or disable it by clearing its checkbox.
By defining either the In Scope or Out of Scope domains, you can create filters that will determine which requests are displayed in the traffic tables.
To create a scope preset, click on the + New Preset button.
Next, within the editor, provide a name for the preset and define the target domains to include/exclude. To account for varying subdomains and top-level domains, use the * character as a wildcard. The listed domains will be compared to the value of a request’s Host header.
With this scope preset active, any requests with a Host header value that includes example (such as www.example.com) will be displayed in the traffic table and any requests that include google or bing will not be displayed.
Once you are done, click the Save button. Your scope preset will be added to the container that is located to the left of the editor.
Now, you can switch between these display filters by selecting a scope preset from the dropdown menu that is included in all the feature interfaces that have a traffic table.
You can also manage scope targets through the Add in Scope and Add out of Scope options available in a request’s right-click context menu.
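The HTTPQL queries, filter presets and scope presets above, as an added JavaScript (Node) example that is not part of the original article or Caido's code: a small evaluator for the subset of HTTPQL syntax used on this page (namespace.field.operator:value clauses joined with AND, OR and parentheses) and a Host-header scope check with * wildcards. The traffic records, the operator semantics, the AND-before-OR precedence, the case handling and the rule that an empty In Scope list means "everything" are this example's own choices; the official HTTPQL reference is authoritative for the real grammar.

```javascript
// Added example for this article, not Caido's own code: an evaluator for the
// subset of HTTPQL syntax used above (namespace.field.operator:value with
// AND, OR and parentheses) and a host-based scope check with * wildcards.
// Operator semantics, AND-before-OR precedence and the case handling are this
// example's choices; the official HTTPQL reference is authoritative.

// Constructed traffic records, shaped like the req and resp namespaces.
function sampleTraffic() {
  return [
    { id: 1, req: { host: 'www.example.com', method: 'GET', path: '/app.js', ext: '.js' }, resp: { code: 200 } },
    { id: 2, req: { host: 'www.example.com', method: 'GET', path: '/logo.png', ext: '.png' }, resp: { code: 200 } },
    { id: 3, req: { host: 'api.example.com', method: 'POST', path: '/login', ext: '' }, resp: { code: 401 } },
    { id: 4, req: { host: 'www.google.com', method: 'GET', path: '/main.css', ext: '.css' }, resp: { code: 200 } },
  ];
}

// Tokens: ( ) AND OR, or a clause such as req.ext.cont:"js" / resp.code.eq:401.
const TOKEN = /\s*(?:(\()|(\))|(AND)\b|(OR)\b|([a-z]+)\.([a-z_]+)\.([a-z]+):(?:"([^"]*)"|(\d+)))/y;

function tokenize(query) {
  const tokens = [];
  const text = query.trim();
  TOKEN.lastIndex = 0;
  while (TOKEN.lastIndex < text.length) {
    const at = TOKEN.lastIndex;
    const m = TOKEN.exec(text);
    if (!m) throw new SyntaxError(`cannot parse query at: ${text.slice(at)}`);
    if (m[5]) tokens.push({ type: 'term', ns: m[5], field: m[6], op: m[7], value: m[8] !== undefined ? m[8] : Number(m[9]) });
    else tokens.push({ type: m[0].trim() });
  }
  return tokens;
}

// Recursive descent: OR is lowest, AND binds tighter, parentheses override.
function parse(tokens) {
  let pos = 0;
  const at = (type) => tokens[pos] && tokens[pos].type === type;
  function primary() {
    const t = tokens[pos++];
    if (!t) throw new SyntaxError('unexpected end of query');
    if (t.type === 'term') return t;
    if (t.type === '(') { const e = orExpr(); if (!at(')')) throw new SyntaxError('missing )'); pos++; return e; }
    throw new SyntaxError(`unexpected ${t.type}`);
  }
  function andExpr() { let l = primary(); while (at('AND')) { pos++; l = { type: 'and', left: l, right: primary() }; } return l; }
  function orExpr() { let l = andExpr(); while (at('OR')) { pos++; l = { type: 'or', left: l, right: andExpr() }; } return l; }
  const ast = orExpr();
  if (pos !== tokens.length) throw new SyntaxError('unexpected trailing input');
  return ast;
}

const OPERATORS = {
  eq: (a, b) => a === b,
  ne: (a, b) => a !== b,
  cont: (a, b) => String(a).toLowerCase().includes(String(b).toLowerCase()),
  ncont: (a, b) => !OPERATORS.cont(a, b),
  regex: (a, b) => new RegExp(String(b)).test(String(a)),
  gt: (a, b) => a > b,
  lt: (a, b) => a < b,
};

function evaluate(ast, record) {
  if (ast.type === 'and') return evaluate(ast.left, record) && evaluate(ast.right, record);
  if (ast.type === 'or') return evaluate(ast.left, record) || evaluate(ast.right, record);
  const actual = record[ast.ns] && record[ast.ns][ast.field];
  if (actual === undefined) throw new Error(`unknown field ${ast.ns}.${ast.field}`);
  if (!OPERATORS[ast.op]) throw new Error(`unknown operator ${ast.op}`);
  return OPERATORS[ast.op](actual, ast.value);
}

// What a traffic table does with a query or a filter preset: keep matching rows.
function runQuery(records, query) {
  const ast = parse(tokenize(query));
  return records.filter(r => evaluate(ast, r));
}

// Scope preset: * wildcards matched against the Host header (port stripped,
// case-insensitive). A row is shown when it matches some In Scope pattern
// (an empty In Scope list means everything) and no Out of Scope pattern.
function globToRegExp(glob) {
  const parts = glob.split('*').map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp(`^${parts.join('.*')}$`, 'i');
}

function inScope(hostHeader, preset) {
  const host = hostHeader.replace(/:\d+$/, '');
  const hits = (patterns) => patterns.some(p => globToRegExp(p).test(host));
  const included = preset.inScope.length === 0 || hits(preset.inScope);
  return included && !hits(preset.outOfScope);
}

const examplePreset = { inScope: ['*example*'], outOfScope: ['*google*', '*bing*'] };
console.log(runQuery(sampleTraffic(), 'req.ext.cont:"js"').map(r => r.id));                  // [ 1 ]
console.log(sampleTraffic().filter(r => inScope(r.req.host, examplePreset)).map(r => r.id)); // [ 1, 2, 3 ]
```

A filter preset such as the built-in No Images is, in this model, just a saved query string handed to runQuery, and applying several presets is the same as joining their expressions with AND. One caveat the scope check makes visible: a loose pattern like *example* also matches hosts such as notexample.net, so for a real engagement prefer the tighter pair example.com and *.example.com, and put any third-party hosts you must not touch in the Out of Scope list, which always wins.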
The Assistant, Environment, and Match & Replace feature interfaces assist in increasing efficiency and give you the ability to perform more advanced testing techniques.
The Assistant is Caido’s security-focused AI LLM integration. The available models have been fine-tuned to help provide answers to any questions you may have about topics such as traffic content and possible attack vectors. The Assistant is also able to generate proofs of concept for Cross-Site Request Forgery attacks.
Currently, the models available are GPT-4o Mini, GPT-3.5 Turbo, and GPT-4o.
You can interact with the Assistant by either manually submitting prompts through its interface or right-clicking on a request/response and selecting from the available options in the context menu.
View the official documentation for detailed information on the Assistant.
With the Environment feature, you can define sets of variables to easily switch between different configurations.
To create an environment variable, click on the + Add button, name the variable, provide a value, select either the Plaintext or Secret display option, and click Save.
View the official documentation to learn how to use environment variables in Replay requests.
By creating Match & Replace rules, you can automate the modification of requests and responses as they pass through the proxy. These rules consist of the following components:
The Section of a rule refers to the portion of the request/response that the rule will apply to.
Certain sections include additional Section Action options.
The actions available to the Request Query section are as follows:
The actions available to the Request Header and Response Header sections are as follows:
The Matcher specifies which value will be replaced. The available matching strategies are as follows:
The Replacer specifies the replacement value. The available options are as follows:
View the official documentation for guides on creating Match & Replace rules for three different use cases.
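The rule components described above (section, section action, matcher, replacer), as an added JavaScript (Node) example that is not part of the original article or Caido's code: a small rule engine with the same shape, applied in order to a constructed request. The section names (request.header, request.query, request.path, request.body), the action names (add, update, remove), the matcher names (full, string, regex), the function form of the replacer standing in for a workflow-backed replacer, and the sample request and rules are this example's own labels. It works on an already-parsed request object; turning raw bytes into that object is out of scope here.

```javascript
// Added example for this article, not Caido's own code: a rule engine with the
// shape of a Match & Replace rule (section, section action, matcher,
// replacer). The section names, matcher names and replacer forms are this
// example's labels, not Caido's. It works on an already-parsed request object;
// turning raw bytes into that object is out of scope here.

// Matcher strategies decide which part of a value is replaced. The replacer
// is either a literal term (regex matchers honour $1-style references) or a
// function of the matched text, standing in for a workflow-backed replacer.
function replaceIn(value, matcher, pattern, replacer) {
  const term = (m) => (typeof replacer === 'function' ? replacer(m) : replacer);
  switch (matcher) {
    case 'full':   return term(value);                                    // replace the whole value
    case 'string': return value.includes(pattern) ? value.split(pattern).join(term(pattern)) : value;
    case 'regex': {
      const re = new RegExp(pattern, 'g');
      return typeof replacer === 'function' ? value.replace(re, (m) => replacer(m)) : value.replace(re, replacer);
    }
    default: throw new Error(`unknown matcher ${matcher}`);
  }
}

// Find an existing key case-insensitively (header names are case-insensitive;
// treating query parameter names the same way is this example's simplification).
function findKey(table, name) {
  return Object.keys(table).find(k => k.toLowerCase() === name.toLowerCase());
}

// Apply one rule and return a new request; the input is never mutated.
function applyRule(req, rule) {
  const out = { ...req, headers: { ...req.headers }, query: { ...req.query } };
  const { section, action = 'update', name, matcher = 'full', pattern = '', replacer } = rule;
  if (section === 'request.header' || section === 'request.query') {
    const table = section === 'request.header' ? out.headers : out.query;
    const key = findKey(table, name);
    if (action === 'add') table[key || name] = replaceIn('', 'full', '', replacer);
    else if (action === 'remove') { if (key) delete table[key]; }
    else if (action === 'update') { if (key) table[key] = replaceIn(table[key], matcher, pattern, replacer); }
    else throw new Error(`unknown action ${action}`);
  } else if (section === 'request.body') {
    out.body = replaceIn(req.body, matcher, pattern, replacer);
  } else if (section === 'request.path') {
    out.path = replaceIn(req.path, matcher, pattern, replacer);
  } else {
    throw new Error(`unknown section ${section}`);
  }
  return out;
}

// Rules run in order, each seeing the previous rule's output.
function applyRules(req, rules) {
  return rules.reduce(applyRule, req);
}

// Constructed sample request and rule set.
const sampleRequest = {
  method: 'POST',
  path: '/api/v1/profile',
  query: { debug: '0', q: 'caido' },
  headers: { 'User-Agent': 'Mozilla/5.0', Cookie: 'session=abc123' },
  body: 'name=alice&role=user',
};

const rules = [
  { section: 'request.header', action: 'update', name: 'user-agent', matcher: 'full', replacer: 'Caido-Test/1.0' },
  { section: 'request.header', action: 'add', name: 'X-Test-Id', replacer: 'mr-demo' },
  { section: 'request.query', action: 'update', name: 'debug', matcher: 'full', replacer: '1' },
  { section: 'request.query', action: 'remove', name: 'q' },
  { section: 'request.path', matcher: 'regex', pattern: '/v(\\d+)/', replacer: '/v$1-beta/' },
  { section: 'request.body', matcher: 'string', pattern: 'role=user', replacer: (m) => m.replace('user', 'tester') },
];

console.log(applyRules(sampleRequest, rules));
```

Two details worth copying into any rule set: an update on a header that is absent is a no-op rather than an insert (use an add action for that), and header names are matched case-insensitively, so a rule written as user-agent still hits User-Agent. When a body rule changes the body length, the proxy must also rewrite Content-Length before the request goes out; this engine leaves that to the serialisation step.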
The Files and Exports feature interfaces give you the ability to upload and produce files.
As briefly discussed earlier, the Files interface is used to upload files that can be selected from when using the Hosted File payload type in an Automate session. Once a file has been processed, it will be listed in the table.
You can rename an uploaded file by clicking the pencil icon, providing a new name, and then clicking the floppy disk icon to save the changes. You can delete a file by clicking on the trash can icon.
The Exports interface will list HTTP History and Search traffic table requests that you have exported using the Export dropdown menu. You can choose to export all request rows or just the ones currently listed in either JSON or CSV format.
Once added to the list, you can download, rename, and delete the file using the respective row buttons.
The Plugins and Workflows interfaces give you the ability to create and install custom extensions to further the functionality of Caido. Both extension types make use of the Findings interface to alert you when a condition has been satisfied. This ensures you are notified when a discovery is made.
Through the Plugins interface, you can install and manage plugin packages.
If you are lacking in development experience, a variety of plugins are already available for download. Many were created by Caido team members and members of the Caido community.
To gain access to the Community Store, you will need to agree to the disclaimer located at the bottom of the interface by checking the checkbox, stating that you understand the risks associated with third-party code. Plugins run inside your Caido instance with access to the traffic it holds, so review a plugin’s source before installing it.
With access, you can view the details of each plugin by clicking on the caret button to the left of a plugin’s name.
To add a plugin to your Caido instance, click the + Install button of the desired plugin’s row. Once installation is complete, the plugin will be added to the navigation menu under a new Plugins section.
To remove a plugin, select the Installed tab and click the Uninstall button in the Actions column of the plugin’s row.
To get started with developing your own plugins, view the Getting Started guide. The official developer.caido.io website also includes numerous guides to assist you in plugin development, accessible via the content menu navigation bar on the left.
Refer to the SDK references to view the various services and functionalities available to both the frontend and backend plugin components.
Workflows allow you to create, save, and reuse custom actions or sequences of actions. This enables you to automate multistep processes, improving the efficiency of your testing.
There are three types of workflows:
Workflows can be scoped to be project-specific or globally available across all projects. To toggle between the two settings, click on the Switch to project-specific and Switch to global text in the Type column of a workflow’s row.
Caido comes preinstalled with a number of Convert workflows. To access them, select the Convert tab in the interface.
To access a specific workflow, click on the pencil icon in the Actions column of the workflow’s row.
Convert workflows feature Input and Output fields. Data conversions can be performed by supplying input and clicking on the Run button.
You can also click + hold + drag to highlight a value in either a request/response, right-click to open the context menu, and use a Convert workflow to change its format. This can be done in either Preview or Replace mode.
A variety of workflows are also available for immediate installation. The repository of community-created workflows is available via the Workflows Store plugin.
To get started with creating your own workflows, view the following guides:
Refer to the workflow SDK for JavaScript Nodes to view the various services and functionalities available.
The Findings interface displays all the alerts produced by workflows and plugins that generate Finding objects.
The source of a Finding is listed in the Reporters pane. You can view the Findings of a specific source by clicking on its name.
Click on a table row to view the Finding’s details and associated request/response pair. Be aware that Findings are project-specific.
With Caido in your arsenal, you are armed with everything you need to hack web applications. Its design has been meticulously crafted to streamline the bug-hunting process.
Stop just browsing the web and start owning it.
As usual, to read more about Caido, check out the official website and documentation. Are you a student? Caido supports those in pursuit of higher education. If you are currently enrolled in an accredited university, college, or recognized academic institution, you can get a full year of premium access for free!
Until next time,
Ninjeeter