Caido v0.30 releases: audit web applications with efficiency and ease

Caido

Caido aims to help security professionals and enthusiasts audit web applications with efficiency and ease.

Features

Sitemap

The Sitemap feature allows you to visualize the structure of any website that is proxied through Caido.

It keeps track of domains, folders, and requests, as well as any variations in query parameters and post bodies. The Sitemap page provides a clear, hierarchical view of the website’s structure, making it easy to identify and explore different parts of the site.

The Sitemap page displays a tree-like structure, with the root node representing the root domain of the website. Each branch of the tree represents a subdomain or subfolder, and the leaves of the tree represent individual requests. You can click on any node to expand or collapse it, revealing or hiding its child nodes.

Listing requests

You can also list all the requests that belong to a specific branch of the Sitemap tree by clicking on a tree node. The request table will be updated to display all the associated requests with details like the request method, path, status code, and response length.

Intercept

The Intercept feature allows you to view requests and responses as they pass through the proxy. The Intercept page shows a table of all requests that have been proxied through Caido, along with details such as the request method, host, path, status code, and length.


Filtering

The Intercept page provides several ways to filter and scope the requests displayed. These filters and scoping options can be useful to focus on specific requests or to exclude certain requests from the list.

You can filter requests by:

  • File Extension
  • Method
  • Port
  • Path
  • Status Code


History

The History feature provides a comprehensive view of all the requests generated by tools such as Automate and Replay, in addition to the requests proxied through Caido. The History page is similar to the Intercept page, with the same layout, filtering, and scoping options.

Filtering

In addition to all the filter options available in Intercept, you can also filter by source tool (Replay, Intercept, Automate).

Scope

The Scope feature allows you to filter requests throughout the app by creating presets of in-scope and out-of-scope hosts. Currently, scoping is only available on the History and Intercept pages.

Creating a scope preset

The Scope feature is split into two panes: the left pane contains the list of scope presets, and the right pane contains the details of the selected preset. To create a new scope preset, follow these steps:

  1. In the left pane, click on the “New Preset” button.
  2. In the right pane, enter a name for the new preset in the “Preset Name” field.
  3. Enter the name of the host you want to add to the scope preset. You can use the wildcard characters ‘%’ and ‘_’ when writing host entries.
  4. Choose the type of the entry (in-scope or out-of-scope) and click “Add”.
  5. Click the “Save” button to create the preset.


Using scope presets

Once you have created a scope preset, you can apply it to the intercept and history pages by selecting it from the “Scope Preset” dropdown located in the top left corner of each page.

When you select a scope preset from the dropdown, the table on the page is filtered according to the in-scope and out-of-scope hosts defined in that preset.
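To make the scope behaviour described above concrete, here is an added Python example (not Caido's own code) that evaluates a preset of in-scope and out-of-scope host entries against a constructed request table. It assumes the ‘%’ and ‘_’ wildcards follow SQL LIKE semantics (any run of characters / exactly one character) and that an out-of-scope entry takes precedence over an in-scope one; both are assumptions, not statements from the page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample rows shaped like the Intercept/History table columns.
REQUESTS = [
    {"method": "GET", "host": "app.example.com", "path": "/login", "status": 200, "length": 1532},
    {"method": "POST", "host": "api.example.com", "path": "/v1/users", "status": 201, "length": 88},
    {"method": "GET", "host": "static.example.com", "path": "/app.js", "status": 200, "length": 90412},
    {"method": "GET", "host": "cdn.example.net", "path": "/lib.js", "status": 304, "length": 0},
    {"method": "GET", "host": "appXexample.com", "path": "/", "status": 200, "length": 10},
]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a host entry using '%' (any run of characters) and '_'
    (exactly one character) into an anchored, case-insensitive regex.
    Assumption: SQL LIKE semantics. Every other character is escaped, so a
    '.' in the entry matches only a literal '.' in the host, and
    '%.example.com' does NOT match the apex host 'example.com' itself."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


@dataclass
class ScopePreset:
    name: str
    in_scope: list = field(default_factory=list)
    out_of_scope: list = field(default_factory=list)

    def allows(self, host: str) -> bool:
        # Assumed precedence: any out-of-scope hit excludes the host, so a broad
        # '%.example.com' entry can still carve out e.g. 'static.example.com'.
        if any(wildcard_to_regex(p).match(host) for p in self.out_of_scope):
            return False
        return any(wildcard_to_regex(p).match(host) for p in self.in_scope)


def apply_scope(preset: ScopePreset, requests: list) -> list:
    """Return only the rows whose host the preset keeps, like the filtered table."""
    return [r for r in requests if preset.allows(r["host"])]


# Hypothetical preset: every subdomain of example.com except static.* hosts.
PRESET = ScopePreset("example-target", in_scope=["%.example.com"], out_of_scope=["static.%"])
```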


Changelog v0.30

Features
#197: Default filters
#229: Custom filters
#562: Disable match&replace rule directly from the active rules section
#566: Wireshark-like filters
#570: Steps to duplicate a replay entry are unclear
#613: Load .bashrc for workflow shell nodes
#634: Search Tab Re-work
#646: Make Convert output popups an option for Replay as well
#663: Improve match and replace UX
#666: Move Intercept Requests / Intercept Responses options outside of Options menu
#672: Keep “+ Add workflow” in workflow context menu even if user already has a workflow
#674: Base64 decode node should work regardless of padding

Bugs
#595: Prettify JSON regardless of Content Type
#649: Remote instance in desktop doesn’t display the same as local instance
#659: Revisiting shell node workflow shows incorrect timeout number on the UI
#668: Selected workflow doesn’t persist after leaving page

Install & Use