Caido: audit web applications with efficiency and ease
Caido aims to help security professionals and enthusiasts audit web applications with efficiency and ease.
Features
Sitemap
The Sitemap feature allows you to visualize the structure of any website that is proxied through Caido.
It keeps track of domains, folders, and requests, as well as any variations in query parameters and post bodies. The Sitemap page provides a clear, hierarchical view of the website’s structure, making it easy to identify and explore different parts of the site.
Navigating the Sitemap
The Sitemap page displays a tree-like structure, with the root node representing the root domain of the website. Each branch of the tree represents a subdomain or subfolder, and the leaves of the tree represent individual requests. You can click on any node to expand or collapse it, revealing or hiding its child nodes.
Listing requests
You can also list all the requests that belong to a specific branch of the Sitemap tree by clicking on a tree node. The request table will be updated to display all the associated requests with details like the request method, path, status code, and response length.
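To make the Sitemap model concrete, here is an added example (not Caido's own code) that builds the same kind of tree from a constructed list of proxied requests: the host is the first level, each path folder becomes a branch, requests are stored at the node they hit, and the distinct sets of query and body parameter names seen at a node are tracked as variations. The sample URLs, the `Node` class and the helper names are all assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of proxied requests (not real traffic):
# (method, url, status code, request body)
SAMPLE_REQUESTS = [
    ("GET",  "https://shop.example.test/", 200, ""),
    ("GET",  "https://shop.example.test/catalog/items?page=1", 200, ""),
    ("GET",  "https://shop.example.test/catalog/items?page=2&sort=price", 200, ""),
    ("POST", "https://shop.example.test/api/login", 401, "user=a&pass=b"),
    ("POST", "https://shop.example.test/api/login", 200, "user=a&pass=b&otp=1"),
    ("GET",  "https://cdn.example.test/static/app.js", 200, ""),
]


class Node:
    """One tree node: a host, a folder, or the endpoint a request hit."""

    def __init__(self, name):
        self.name = name
        self.children = {}           # child name -> Node
        self.requests = []           # (method, path, status, body length)
        self.param_variants = set()  # distinct tuples of query/body parameter names

    def child(self, name):
        return self.children.setdefault(name, Node(name))


def param_names(query, body):
    """Parameter names from the query string and a form-encoded body, as a sorted tuple."""
    names = {k for k, _ in parse_qsl(query, keep_blank_values=True)}
    names |= {k for k, _ in parse_qsl(body, keep_blank_values=True)}
    return tuple(sorted(names))


def build_sitemap(requests):
    """Group requests into host -> folder -> ... -> endpoint nodes."""
    root = Node("")
    for method, url, status, body in requests:
        parts = urlsplit(url)
        node = root.child(parts.netloc)      # the host is the first level
        for segment in parts.path.split("/"):
            if segment:
                node = node.child(segment)   # each folder becomes a branch
        node.requests.append((method, parts.path or "/", status, len(body)))
        node.param_variants.add(param_names(parts.query, body))
    return root


def list_requests(node):
    """Every request under a branch, like clicking that node in the Sitemap."""
    found = list(node.requests)
    for child in node.children.values():
        found.extend(list_requests(child))
    return found


def render(node, depth=0):
    """Indented text view of the tree with request and parameter-variant counts."""
    lines = []
    for name, child in sorted(node.children.items()):
        label = name
        if child.requests:
            label += "  [%d req, %d param variant(s)]" % (
                len(child.requests), len(child.param_variants))
        lines.append("  " * depth + label)
        lines.extend(render(child, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_sitemap(SAMPLE_REQUESTS))))
```

Running the block prints the two hosts as top-level nodes; `catalog/items` shows two parameter variants (`page` alone, and `page` with `sort`), and `api/login` shows two body variants, which is exactly the kind of difference worth noticing when deciding which endpoints to examine more closely.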
Intercept
The Intercept feature allows you to view requests and responses as they pass through the proxy. The Intercept page shows a table of all requests that have been proxied through Caido, along with details such as the request method, host, path, status code, and length.
Filtering
The Intercept page provides several ways to filter and scope the requests displayed. These filters and scoping options can be useful to focus on specific requests or to exclude certain requests from the list.
You can filter requests by:
- File Extension
- Method
- Port
- Path
- Status Code
- …
History
The History feature provides a comprehensive view of all the requests that have been generated by tools, such as the automate and replay features, in addition to requests that are proxied through Caido. The History page is similar to the Intercept page, with the same layout, filtering, and scoping options.
Filtering
In addition to all the filter options available in Intercept, you can also filter by source tool (Replay, Intercept, Automate).
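The Intercept filters listed above and the History page's extra source-tool filter share the same shape: each criterion narrows the table, and an empty criterion means "no constraint". The following added example (not Caido's own code) models that over a constructed request table, including the common defensive use of excluding static-asset extensions so that application endpoints stand out. The `ProxiedRequest` and `RequestFilter` names, the `4xx` status-class shorthand and the sample rows are assumptions made for the example.

```python
import os
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class ProxiedRequest:
    method: str
    url: str
    status: int
    length: int                # response length
    source: str = "Intercept"  # History also records Replay and Automate traffic

    @property
    def _parts(self):
        return urlsplit(self.url)

    @property
    def host(self):
        return self._parts.hostname or ""

    @property
    def port(self):
        return self._parts.port or (443 if self._parts.scheme == "https" else 80)

    @property
    def path(self):
        return self._parts.path or "/"

    @property
    def extension(self):
        return os.path.splitext(self.path)[1].lstrip(".").lower()


def status_matches(status, wanted):
    """An exact code (401) or a class pattern such as '4xx' (assumed shorthand)."""
    if isinstance(wanted, int):
        return status == wanted
    return wanted.endswith("xx") and str(status)[0] == wanted[0]


@dataclass
class RequestFilter:
    methods: set = field(default_factory=set)             # keep only these methods
    ports: set = field(default_factory=set)               # keep only these ports
    path_prefix: str = ""                                 # keep paths starting with this
    status_codes: set = field(default_factory=set)        # ints or '4xx'-style classes
    sources: set = field(default_factory=set)             # Intercept / Replay / Automate
    exclude_extensions: set = field(default_factory=set)  # drop e.g. static assets

    def matches(self, r):
        if self.methods and r.method.upper() not in self.methods:
            return False
        if self.ports and r.port not in self.ports:
            return False
        if self.path_prefix and not r.path.startswith(self.path_prefix):
            return False
        if self.status_codes and not any(status_matches(r.status, s) for s in self.status_codes):
            return False
        if self.sources and r.source not in self.sources:
            return False
        if self.exclude_extensions and r.extension in self.exclude_extensions:
            return False
        return True


def apply_filter(requests, flt):
    """Return the rows of the table that survive every active criterion."""
    return [r for r in requests if flt.matches(r)]


# Constructed sample table (not real traffic).
SAMPLE = [
    ProxiedRequest("GET", "https://shop.example.test/", 200, 5120),
    ProxiedRequest("GET", "https://shop.example.test/static/app.js", 200, 88000),
    ProxiedRequest("GET", "https://shop.example.test/static/logo.png", 200, 12000),
    ProxiedRequest("POST", "https://shop.example.test/api/login", 401, 64),
    ProxiedRequest("POST", "https://shop.example.test/api/login", 200, 128, source="Replay"),
    ProxiedRequest("GET", "http://admin.example.test:8080/api/users", 403, 41, source="Automate"),
    ProxiedRequest("GET", "https://shop.example.test/api/users/2", 404, 30),
]

if __name__ == "__main__":
    noisy_assets = RequestFilter(exclude_extensions={"js", "png", "css"})
    for r in apply_filter(SAMPLE, noisy_assets):
        print(r.source, r.method, r.host, r.port, r.path, r.status, r.length)
```

Criteria combine with AND, so a filter such as `RequestFilter(path_prefix="/api/", status_codes={"4xx"})` isolates the API calls that were rejected, which is a quick way to spot authorization boundaries during an audit.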
Scope
The Scope feature allows you to filter requests throughout the app by creating presets of in-scope and out-of-scope hosts. Currently, scoping is only available for the history and intercept pages.
Creating a scope preset
The Scope feature is split into two panes: the left pane contains the list of scope presets, and the right pane contains the details of the selected preset. To create a new scope preset, follow these steps:
- In the left pane, click on the “New Preset” button.
- In the right pane, enter a name for the new preset in the “Preset Name” field.
- Write the name of the host you want to add to the scope preset. You can use the wildcard characters ‘%’ and ‘_’ to create your presets.
- Choose the type of the entry (in-scope or out-of-scope) and click “Add”.
- Click the “Save” button to create the preset.
Using scope presets
Once you have created a scope preset, you can apply it to the intercept and history pages by selecting it from the “Scope Preset” dropdown located in the top left corner of each page.
When you select a scope preset from the dropdown, the table in the page will be filtered based on the hosts defined in the selected scope preset.
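The following added example (not Caido's own code) shows how a scope preset built from the ‘%’ and ‘_’ wildcards can be applied to a request table. It assumes LIKE-style semantics (‘%’ matches any run of characters, ‘_’ exactly one) and assumes that an out-of-scope entry takes precedence over an in-scope one; neither assumption is stated on the page. It also illustrates a caveat worth checking when writing presets: `%shop.example.test` without the dot also matches hosts like `evil-shop.example.test`, so anchoring the pattern as `%.shop.example.test` keeps unrelated hosts out of scope.

```python
import re
from dataclasses import dataclass, field


def wildcard_to_regex(pattern):
    """Assumed LIKE-style semantics: '%' matches any run of characters, '_' exactly one."""
    pieces = []
    for ch in pattern:
        if ch == "%":
            pieces.append(".*")
        elif ch == "_":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))  # everything else is literal, including dots
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)


@dataclass
class ScopePreset:
    name: str
    in_scope: list = field(default_factory=list)
    out_of_scope: list = field(default_factory=list)

    def __post_init__(self):
        self._allow = [wildcard_to_regex(p) for p in self.in_scope]
        self._deny = [wildcard_to_regex(p) for p in self.out_of_scope]

    def allows(self, host):
        # Assumed precedence: an out-of-scope match always wins; with no in-scope
        # entries at all, anything not denied is treated as in scope.
        if any(rx.match(host) for rx in self._deny):
            return False
        if not self._allow:
            return True
        return any(rx.match(host) for rx in self._allow)


def apply_scope(requests, preset):
    """Filter a request table of (method, host, path) rows to the preset's hosts."""
    return [r for r in requests if preset.allows(r[1])]


# Constructed sample table (not real traffic).
SAMPLE_TABLE = [
    ("GET", "shop.example.test", "/"),
    ("GET", "api.shop.example.test", "/v1/items"),
    ("GET", "static.shop.example.test", "/app.js"),
    ("GET", "dev1.shop.example.test", "/health"),
    ("GET", "dev10.shop.example.test", "/health"),
    ("GET", "evil-shop.example.test", "/"),
]

SHOP_PRESET = ScopePreset(
    "Shop",
    in_scope=["shop.example.test", "%.shop.example.test"],
    out_of_scope=["static.shop.example.test", "dev_.shop.example.test"],
)

if __name__ == "__main__":
    for method, host, path in apply_scope(SAMPLE_TABLE, SHOP_PRESET):
        print(method, host, path)
```

With `SHOP_PRESET`, `dev1.shop.example.test` is excluded but `dev10.shop.example.test` is not, because ‘_’ matches exactly one character; if the intent is to exclude every dev host, `dev%.shop.example.test` is the entry to use.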