Introduction
Web application proxy tools are ubiquitous in a penetration tester’s toolkit, whether for testing a web, mobile, or desktop application. If the application sends network traffic over HTTP(S), a web application proxy will be used as part of the penetration test.
They come in multiple forms, from the widely popular Burp Suite and ZAP to the lesser-known mitmproxy, Fiddler, or Charles proxies. All proxy tools share some core functionality, such as the ability to intercept and manipulate traffic as it is sent, or to replay requests with altered values. Some proxies, like Burp Suite and ZAP, include the ability to perform automated testing against the application's requests to help the tester identify vulnerabilities.
Recently a new tool has come onto the market. While it is still in beta, the tool, called Caido, is gaining popularity. It is developed by a team of three, who state that it has over 10,00 users at the time of writing and over 40 paid customers. They have also recently announced that Justin Gardner (@Rhynorater) and Ben Sadeghipour (@NahamSec), two well-known personalities in the bug bounty world, have joined the Caido development team as advisors.
Like other proxies, there are different pricing plans for using Caido. There are currently three plans available:
- The free plan, which restricts the amount of functionality you can access.
- The paid plan, which costs $200 a year and provides access to all functionality in the application.
- The team plan, which costs $30 per month per user, allows centralised management of Caido across a team and includes custom features.
While it is more of a traditional proxy, without the automated testing capabilities of Burp Suite or ZAP, a few features of Caido are making it popular.
Installation
Caido can be installed straight from the website at https://caido.io; it can be installed and run on Windows, Linux, and macOS systems. There are two options for installation: a desktop application or a command-line interface (CLI). The desktop application is fully functional for Windows and macOS users but is currently experimental for Linux users, while the CLI version is available for all systems. These installation options allow Caido to be run locally on a tester's system or hosted remotely on a server specified by the tester.
Features
Projects
Similar to other web application proxies, Caido allows users to create projects. However, unlike other proxies, these projects can be switched between at any time without restarting the proxy. They can be accessed from either the Workspace option at the bottom of the menu or at the top of the screen.
Figure 1
Built-in Browser
A recent addition to Caido, which other proxy tools such as Burp Suite or ZAP have long contained, is the ability to spawn a browser from within Caido. Currently, this only works for Chrome-based browsers.
By selecting the Chrome symbol at the top of the screen, we are prompted to select the browser we want to open.
Figure 2
This spawns an instance of the browser that is already proxied through Caido, with all the relevant certificates trusted.
Figure 3
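The built-in browser hides a few moving parts that matter when you set a proxied browser up by hand, so here is an added Python example (not Caido's own code) of what it does for you: a Chromium-based browser started in a throwaway profile, forced through the proxy listener, with loopback traffic proxied as well. The listener address 127.0.0.1:8080 is an assumption; check the address Caido actually shows.

```python
"""Start a Chromium-based browser that is forced through an intercepting proxy.

Added illustration of what a proxy's "built-in browser" button does; it is not
Caido's code. The proxy address 127.0.0.1:8080 is an assumed default.
"""
import os
import shutil
import subprocess
import tempfile
from typing import List, Optional

# Binary names tried, in order, when looking for a Chromium-based browser.
CHROME_CANDIDATES = ["google-chrome", "chromium", "chromium-browser", "chrome"]


def chrome_proxy_args(proxy_host: str = "127.0.0.1",
                      proxy_port: int = 8080,
                      profile_dir: Optional[str] = None,
                      proxy_loopback: bool = True) -> List[str]:
    """Build the command-line switches for a proxied, isolated browser profile."""
    if profile_dir is None:
        # A separate profile keeps the tester's normal cookies and history
        # away from the proxy and lets the proxy CA be trusted just for testing.
        profile_dir = os.path.join(tempfile.gettempdir(), "proxied-chrome-profile")
    args = [
        f"--proxy-server=http://{proxy_host}:{proxy_port}",
        f"--user-data-dir={profile_dir}",
        "--no-first-run",
        "--no-default-browser-check",
    ]
    if proxy_loopback:
        # Chrome bypasses the proxy for localhost by default; the "<-loopback>"
        # bypass rule removes that exception, so a locally hosted target is
        # captured too.
        args.append("--proxy-bypass-list=<-loopback>")
    return args


def find_chrome() -> Optional[str]:
    """Return the path of the first Chromium-based browser found on PATH."""
    for name in CHROME_CANDIDATES:
        path = shutil.which(name)
        if path:
            return path
    return None


def launch_proxied_chrome(url: str, **kwargs) -> subprocess.Popen:
    """Spawn the browser with the proxied profile and open `url`."""
    binary = find_chrome()
    if binary is None:
        raise FileNotFoundError("no Chromium-based browser found on PATH")
    return subprocess.Popen([binary, *chrome_proxy_args(**kwargs), url])


if __name__ == "__main__":
    launch_proxied_chrome("http://example.test/")
```

The one thing this script does not do is the certificate step: until the proxy's CA certificate is trusted by the browser, every HTTPS site will raise a TLS error. On Linux, Chrome reads the NSS database in `~/.pki/nssdb`, so after exporting the CA from the proxy it can be added with `certutil -d sql:$HOME/.pki/nssdb -A -n proxy-ca -t "C,," -i <exported-ca.pem>` (the file name is a placeholder). Caido's built-in browser takes care of exactly this, which is why the spawned instance works out of the box.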
Replay Collections
The Replay functionality in Caido works similarly to that found in other proxy tools; a request can be selected from the history and sent to Replay. However, in Caido there is the ability to create collections of requests.
Figure 4
This allows testers to group multiple requests together by application functionality or by the tests they are performing at the time, such as cross-site scripting or SQL injection.
Workflows
Workflows in Caido allow a tester to easily create an automated system that performs actions depending on various states Caido may encounter. For example, a tester could create a workflow that runs a locally installed tool whenever a certain hostname or URL is encountered in a website.
Depending on the plan used, this functionality is limited: the free version can only create one passive workflow and five convert workflows (to decode or encode base64, for example).
Figure 5
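To make the two workflow kinds concrete, here is an added Python model of them (illustration only, not Caido's workflow API): passive rules that match proxied requests on hostname and path and run an action, and a convert step that decodes base64 leniently, since tokens seen in traffic often use the URL-safe alphabet or have their padding stripped. The requests, hostnames and header names are constructed for the example.

```python
"""Toy model of proxy workflows: passive rules fired by matching traffic and a
base64 convert step. Added illustration; it does not use Caido's workflow API.
"""
import base64
import binascii
import fnmatch
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ProxiedRequest:
    """Minimal view of a request as a proxy would hand it to a workflow."""
    method: str
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class PassiveRule:
    """A passive workflow: when a request matches, run `action` on it."""
    name: str
    host_glob: str       # e.g. "*.example.test"
    path_prefix: str     # e.g. "/api/"
    action: Callable[[ProxiedRequest], Optional[str]]

    def matches(self, req: ProxiedRequest) -> bool:
        return (fnmatch.fnmatch(req.host.lower(), self.host_glob)
                and req.path.startswith(self.path_prefix))


def run_passive(rules: List[PassiveRule],
                requests: List[ProxiedRequest]) -> List[Tuple[str, str, Optional[str]]]:
    """Evaluate every rule against every request; return (rule, target, result)."""
    fired = []
    for req in requests:
        for rule in rules:
            if rule.matches(req):
                fired.append((rule.name, f"{req.host}{req.path}", rule.action(req)))
    return fired


def b64_decode_lenient(value: str) -> Optional[str]:
    """Convert step: decode standard or URL-safe base64, tolerating missing padding.

    Returns None instead of raising when the input is not base64 at all, so a
    workflow does not abort on the first odd header value.
    """
    s = value.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def b64_encode(value: str) -> str:
    """Convert step: the encode direction."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def decode_session_header(req: ProxiedRequest) -> Optional[str]:
    """Action: decode the constructed X-Session header so its contents are readable."""
    raw = req.headers.get("X-Session")
    return None if raw is None else b64_decode_lenient(raw)


def note_request(req: ProxiedRequest) -> str:
    """Action standing in for 'run a local tool'; a real one might call subprocess."""
    return f"{req.method} {req.host}{req.path}"


def demo() -> List[Tuple[str, str, Optional[str]]]:
    rules = [
        PassiveRule("decode-session", "*.example.test", "/api/", decode_session_header),
        PassiveRule("flag-login", "*", "/api/login", note_request),
    ]
    # Constructed sample traffic; the X-Session value is base64("user=alice") without padding.
    requests = [
        ProxiedRequest("GET", "api.example.test", "/api/users", {"X-Session": "dXNlcj1hbGljZQ"}),
        ProxiedRequest("GET", "www.other.test", "/index.html"),
        ProxiedRequest("POST", "app.example.test", "/api/login"),
    ]
    return run_passive(rules, requests)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The free plan's limit of one passive workflow and five convert workflows maps directly onto these two shapes: `PassiveRule` is the passive kind, and `b64_decode_lenient` / `b64_encode` are convert steps that transform a single value.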
Assistant
Another useful feature for a tester is the Assistant, which is only available in paid plans. It allows us to ask questions about what we are testing to help with the penetration test, such as why a cross-site scripting payload may not be working in a browser.
Figure 6
Conclusion
Caido is a new, up-and-coming web application proxy tool. It is regularly updated by the development team and has some useful functionality for a penetration tester.
However, it has not reached its full potential yet. This will be a tool to watch, which could potentially join Burp Suite and ZAP as one of the go-to proxies for web application testing.