Sept. 4, 2025

Episode 138: Caido Tools and Workflows


Episode 138: In this episode of Critical Thinking - Bug Bounty Podcast We’re talking Caido tools and workflows. Justin gives us a list of some of the Caido tools that have caught his interest, as well as how he’s using them.

Follow us on twitter at: https://x.com/ctbbpodcast

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== This Week in Bug Bounty ======

Meet YesWeHack at ROOTCON 2025

https://www.yeswehack.com/page/meet-yeswehack-at-rootcon-2025

New Dojo challenge featuring a Local File Inclusion in a Ruby application

https://dojo-yeswehack.com/challenge-of-the-month/dojo-44?utm_source=sponsor&utm_medium=challenge&utm_campaign=dojo-44

AI Red Teaming CTF

https://ctf.hackthebox.com/event/details/ai-red-teaming-ctf-ai-gon3-rogu3-2604

====== Resources ======

Web Security Labs

http://caido.rhynorater.com

====== Timestamps ======

(00:00:00) Introduction

(00:02:32) Common filters & command palette in EvenBetter

(00:06:49) Notes++

(00:09:28) Shift Agents and Drop

(00:15:34) Workflows

Title: Transcript - Thu, 04 Sep 2025 16:45:31 GMT
Date: Thu, 04 Sep 2025 16:45:31 GMT, Duration: [00:22:42.39]
[00:00:01.12] - Justin Gardner
This helped me understand the app so much better and saved me so much time of having to like investigate all of these RPC IDs. It took about 15 minutes to set up and that investment paid massive dividends and I got a 20k bounty because of this. Best part of hacking when you can just, you know, critical things. Alrighty hackers, we got the this week in Bug bounty segment. Three entries this time. First one up is from a collaboration between Hackthebox and HackerOne. There's a AI red teaming CTF going on from September 9th to September 19th and it gives you an opportunity to try 10 different challenges. What do they say here? Over nine escalating challenges and one final boss. You'll work through AI powered apps where the goal is to override filters, bypass logic and extract data you shouldn't have access to. So if you are trying to kind of cut your teeth a little bit into AI red teaming, this is a cool opportunity to work with Hack the box and HackerOne. So check it out if you're interested. Link will be in the description. Next up is yes, We Hack. One of the. One of the amazing sponsors that we have the podcast just wanted to let us have us let you know that they are going to be at rootcon this year in the Philippines. They've got a team out there from September 25th to 26th. Definitely go say hi, interact with them. If you see them around, they'd love to meet you and hang out. And then also in line with yes We Hack, they recently released their hardware monitor Dojo challenge of the month. This time we got an LFI and it's looking pretty juicy you guys. Um, so definitely go check that out if you're wanting to refine some of those Ruby LFI related skills. All right, that's all we've got for this week in Bug Bounty segment. Let's head back to the show. All right hackers, here's the deal. This week we've had a bunch of cancellations and sickness and stuff like that. So this episode's gonna be a little bit on the fly and essentially it is. 
I was thinking to myself, what am I excited about? What do I want to go yap about for 15 minutes to give them an episode to listen to this week? And what I'm excited about is Caido. And so what I'm going to cover today is a couple new features and plugins that have been released in Caido over the past couple months that I think you should know about and that I use on a regular basis. All right, so let's jump right into it. Whether you use Caido or Burp, I think these are really important features to be aware of because they push the community forward in general. Right. So even if you're not using Caido, maybe you should think about these features and how you can do them in Burp or, you know, sort of bring parity to the ecosystem there so that we can all enjoy better HTTP proxies. All right, so let's jump right into it. First one, sort of. And also I will add, this is sort of extracted from the presentation that I gave at DEF CON in part. I'm definitely not going to be able to go into as much detail as I did there, but this is a little bit of the content of what I talked about at DEF CON. So if you were there, sorry for the repeat, but for most of you, this will be newish content. Okay. For those of you familiar with Caido, there's this concept of HTTPQL. And HTTPQL is something we use inside of Caido to query different sets of data throughout the Caido ecosystem. You know, sometimes we use it for search, sometimes we use it for filtering conditional things like match and replace or conditional intercept, that sort of thing. And one of the things I found myself doing pretty often was like, oh, I saw a request five minutes ago and I need that request and I'm scrolling and I can't find it, so I'm just going to search for it really quick. One of the things that Caido does allow you to do is search for the time that a request was created in.
So I was sort of trying to get some workflows in place to figure out how to search quickly within Caido within a certain timeframe. And I built into this plugin called EvenBetter this feature called Common Filters. And essentially what it does is it gives you a list of filters. I'm going to go ahead and pull it up here because I can't remember which ones I have, but it's recent, which is within the last 5 minutes, 1 hour, 6 hours, 12 hours, 24 hours. And so you can just kind of attach timestamps really quickly to your HTTPQL queries and it will limit the amount of, you know, results that you get, which makes the search instantaneous and also allows you to sort of narrow in on the exact time frame that you want. So that's called Common Filters. They automatically update every minute so that you can get the latest, you know, updated version of that filter. And they're very convenient to use. So check that out if you're using HTTPQL and Caido. Also, another feature that I recently integrated into the EvenBetter plugin is convert workflow command palette entries. So a lot of people don't know this, but Caido has a command palette that is pretty awesome in my opinion. And you can activate it by pressing Control K. And what the integration with convert workflows will do is it will allow you to run. Um, hold on, my dog is barking. All right, dog has been dealt with. I'm back. Um, anyway, command palette entries have the various convert workflows that you define within Caido, which is super great. So you just type C and then the name of the convert workflow that you want to do, and it takes your currently selected text inside of Caido and runs the convert workflow on that. Uh, so if you're actively in Replay, you know, where you're modifying stuff, it makes it super easy to be like, okay, you know, URL encode this, Base64 encode this super quickly with the command palette without having to take your hands off the keyboard.
If you're not inside of Replay or, like, an editable editor, it just copies it right to your clipboard, which is super nice for getting stuff into the right format so that you can use it later from your clipboard. So I've been using this really often. This is like probably the feature that I've integrated into my workflow the quickest with Caido, you know, when a new feature comes out, because it just makes sense to have these right at the tip of your fingers. And using the command palette is just really nice because it's consistent with the way that I think about it: oh, I need to Base64 encode. So, you know, Control K, Base64 encode, boom, done. So definitely check those two features out. Those are in the EvenBetter plugin in the Caido store. Okay, next thing I'm excited about, which I've talked about a couple times already, so, you know, just bear with me, guys, is the Notes plugin. It is amazing, and it really has changed the way that I make notes in Caido. Okay? And there's a couple reasons for that, but the feature that I use the most is the Windows Shift N feature in Notes. You can be in Replay, you're doing your thing, you find a gadget, you find something you need to take a note on, and you just press Windows Shift N and it pops up in a little box that's attached to your current open note in Notes, and you can write whatever you want in there. And there's a little box that's automatically checked that says attach current context. And what it will do is insert your note into the note that you have in your Plugins Notes tab, but it will also attach the current Replay tab, like a beautiful graphical representation of the current note. So let me go ahead. And for those of you that are on YouTube, I'm going to go ahead and share my screen really quickly here so you can see what I'm talking about, because it is quite nice. Here we are, here it is right here.
So you can see, you know, the beautiful graphical representation of this specific request. And then you can click on it and jump right over into this, you know, HTTP request in Replay. Super clean, very useful for making sure that you know where all of your requests are. And I use it constantly, really. I kind of struggled with taking notes before, but this makes it so easy that I actually do it now. One of the improvements that I would like to kind of see in this area, which is something we're thinking about implementing, is the ability to do voice notes. And I know Monke did a plugin a while back, sort of, that had a feature like this, but it'd be really awesome if we could just press a key binding and then just say, bloody, bloody, bloody, bloody. Bah, you know, enter, and that would be automatically converted into text and stored in the note for us. I think that would be the maximum amount of friction reduction. Like, that would just make it super easy. But I guess you do have to have, like, your microphone and stuff like that. I don't normally hack like this with my microphone right next to my face and stuff. So, yeah, I guess there's some workshopping to do there, but I think it would still be really helpful. Yeah, I think that's good for notes. Definitely check it out if you're taking notes inside of your kind of environment. Next up is Shift Agents. And I've talked about Shift Agents, I believe once or twice before on the podcast, but I have recently started using them and it's super helpful. Okay, so what I've done is I've created a couple micro agents. And the one that actually has found me a vulnerability, or I guess this one's more of a gadget that I've chained into a vulnerability, is my domain restriction bypass micro agent. Okay, so for those of you that haven't heard of Shift Agents, let me explain what it is. Essentially, Shift Agents is the ability for you to define little micro agents within Caido. Okay.
And so you can give it, like, you know, a system prompt or whatever. It's got all the tools to, like, modify your current Replay tab and that sort of thing. And then you give it tasks and it creates a to-do list. Goes through the to-do list. If it finds something interesting, it creates a finding for you to alert you of what it found. Okay. So it allows you to sort of build your own hackbot workflows within Caido. And the one that I built, like I said, was a domain restriction bypass micro agent. And I had a scenario where I was looking at an open redirect, looking for an open redirect, and I handed it off to this agent and it was able to go through my whole workflow successfully. You know, that I would have done manually. Okay, let's check the dots for regex. Let's, you know, check an ends-with. Let's check an invalid, you know, parsing of, you know, the URL. Let's check Unicode normalization. And it was actually able to find a vulnerability via the, you know, AT sign at the front of the URL. And that was something that I had documented in the various, you know, system prompt sections that I passed into it. And then it was able to correctly identify that and create a finding with open redirect. So that saves me time and effort, right. First I give it a stab at it, right? So for those of you that haven't played around with it, essentially how it works is you open up a Replay tab, you pop open the little agent side window, you give it the system prompt you want and then some just-in-time instructions, and then you essentially delegate that Replay tab to the AI. Then you continue doing your thing, you come back, either it creates a finding and you see it on the side, or you come back and you can review what it did by tabbing back and forth between your Replay session and seeing what exactly it did. So for me that's been working quite well. I was pleased that it was able to implement that. It saved me time.
I think I've used less than $7 total right now as far as money goes, you know, to fund the AI on OpenRouter. Yeah, and I've had decent success with Gemini, that's the one I've been using currently. But I've heard from the Xbox write-ups and stuff like that that GPT-5 is like a big level up as far as hacking performance goes. So I'm excited to play around with that a little bit as well. So I think now is the time, you know, I guess without, you know, fighting it too much. This industry is going to change for sure within the next year and has changed already. You know, if you're not using AI at all in your workflow, you know, if you're not, like, at least having a Gemini tab open and being like, hey, you know, tell me about this, tell me about that, or using it to parse docs or, you know, attack vector ID 8 or do source code review, then you're behind, to be perfectly frank with you. But I think it's going to continue to progress in such a way that if you are not integrating AI directly into your workflow to save you time, then you're going to get even further behind. So I think now is a good time to start developing these micro agents. You don't have to use them constantly, but just realize that developing these micro agents is not a sunk cost because eventually they're gonna work. Eventually they're gonna work amazing, right? And as you start refining your prompt over time, that prompt, you know, can be ported. Okay, maybe Shift Agents is the thing you use, maybe you use something else, right? But those prompts can be ported into, you know, other AI assisted hacking systems. Okay, so go ahead and get started writing some system prompts. And I think Shift AI is a great, great place to do it. Okay, you can grab that in the Caido store. By the time this episode is out, the new version of Shift Agents should be integrated into Shift in the Caido plugin store. So go grab it, play around with it, write yourself a system prompt.
These episodes are typically longer, right? They're not these little short episodes. So the time that you would have spent listening to CTBB today, okay, go ahead and take that and build yourself at least one system prompt in Shift Agents and throw it at something this week. Okay, I think that'll be a good step for most of you to start integrating AI into your actual hacking workflow. All right, next up is Drop, which is just super awesome. Okay, this is a plugin that I wrote in Architect and actually this is probably my crown jewel as far as engineering goes because it's a pretty sick plugin and it is end-to-end encrypted and it allows you to send, like, various objects in Caido. Match and replace rules, Replay tabs, HTTP requests from HTTP history, scopes, filters, whatever, send it to your friend instantly within Caido. So all you do is you grab your friend's, you know, PGP public key. You drop it into Drop. You drop it into Drop. See what I did there? You drop it into Drop and then now you just literally, on any object in Caido, top right corner, typically there's like a little Drop button. You click that, click their name and then boom, it's in their Caido instance. Super seamless, extremely easy to set up. Publicly hosted instance with full end-to-end encryption using PGP. You can read the spec and all the code is public so you can see exactly what we're running. Definitely use it. If you collaborate at all with people, it is extremely useful. All right, that's as far as it goes for plugins. Let me tell you guys about a couple more things and then we'll call it a wrap for today. Um, lately I have been having a lot of fun with workflows in Caido. Workflows are the way for you to do sort of quick and dirty automation within Caido and they are gaining a lot of capability and they're going to continue to gain a lot of capability over the next quarter or two.
One of the things that I've been doing recently is using the auto session refresher functionality that I built in the workflow. And if you guys are interested in figuring out how to do this, you can go to caido.rhynorater.com and I've got a lab there that I set up for the Becoming a Caido Power User workshop at DEF CON. And there's a little lab where you can download the workflow and that sort of thing. But the TL;DR of the situation is you can create a passive workflow in Caido that automatically looks, for, you know, a specific host, grabs a specific set of cookies or whatever and then creates an environment variable, which is like sort of a way to store data within Caido, with those actual values. And it just does that constantly, anytime a request comes through HTTP history. Then whenever you are looking to, like, send a request in Replay and you press send and it's like, oh, 403, your session expired, you're like, shit, now I gotta go create another Replay tab. And then no, everything gets so messy. So the right way to do it is have the session refresher automatically extract the session and then you just create a Replay placeholder with that specific environment variable that's always updated, and then you never have to worry about updating your session ever again and your session will always be live. So very, very useful piece of functionality there. The template workflow for that is at caido.rhynorater.com under the Session Monitoring lab. So go ahead and check that out if you want to get your hands on it. Also, the latest version of Caido comes with, finally, I convinced them to ship it, my top level navigation highlighter plugin. Now, this is literally one of the most transformational things that I've ever seen in HTTP proxies, okay? And essentially what it does is it just uses Sec-Fetch headers to highlight top level navigations in Caido, and that is finally shipped native with Caido, which is great.
So just go to passive workflow, turn it on, and then when you do a top level navigation in your browser or an iframe level navigation, you'll see that highlighted inside of HTTP history, which makes it super easy to orient yourself within Caido. If you're not using this, your life will change when you use this, okay? So please just give it a shot, I'm begging you, because it is super helpful for orienting yourself in HTTP history. And I have literally no idea how I lived without it. Like, it takes forever to find any request now without this. I loaded up a raw version of Caido the other day and I was like, how does anybody do this in Burp or in raw Caido without this on? So definitely life changing. All right, last but not least, I wanted to share a little case study of how I used Caido workflows recently to really, really enhance my hacking experience. Okay, there's a target that I was hacking on that, instead of sending requests to a specific path, they would just send it all to the same path and include an RPC ID. Okay? That RPC ID was just a six digit alphanumeric string and it was super annoying because you could never tell what was happening in the app. However, in the JS files there was sort of a mapping. It wasn't a direct mapping. It was like, you know, a couple hundred characters separated, but they were always, you know, the same couple hundred characters separated between the RPC ID and the actual, like, human friendly name of whatever that RPC correlated to. So I was able to create a workflow plus match and replace rule system here that allowed me to sub in the human readable value for that ID directly into the HTTP request at send time, which allowed me to understand this app so much better without having to constantly cross correlate these RPC IDs. Okay? So here's how I did it. I created a passive workflow, and passive workflows run automatically anytime a request comes through HTTP history.
That passive workflow would look for a specific, you know, regex in the JavaScript files, and it would extract the RPC ID to human readable path correlation, okay? And it would store that in a Caido environment variable. So now you've got a map of RPC ID to path, boom. Extracted with passive workflows. Then I created a match and replace rule in Caido, which adds a query parameter, which first, you know, checks the regex to make sure that this request is, you know, one of the requests that has the RPC ID. And then it adds a query parameter to the request. So, and then, so let me be clear. The replacer for the match and replace was a workflow, right? So this is one of those sort of advanced workflows that you can do, or advanced match and replace rules that you can do with Caido, where you match on a regex and then your replacer is actually generated by a convert workflow, okay? So you match on the regex, you extract the RPC ID from that regex, and inside of the convert workflow, you cross correlate that RPC ID with all of your environment variables, right? And you say, okay, oh, I found the RPC ID. Now I've got the corresponding path. Now let me go ahead and add a query parameter to that specific request that says human readable path equals, and then whatever you cross correlated it to. Then I was able to look at the modified request in search and just use that as my HTTP history for now, where I could see the flow of the actual human readable versions of the HTTP requests as they were coming through. This helped me understand the app so much better and saved me so much time of having to investigate all of these RPC IDs. It took about 15 minutes to set up, and that investment paid massive dividends. And I got a 20k bounty because of this. And the 20k bounty was literally, like, an IDOR in the front of this app, but nobody found it because everything was so obfuscated and hard to work on.
So take some time, invest deeply in these sort of ways to improve your automation, and you'll find some really crazy stuff. All right, guys, that's a wrap for today. I gotta call it. Yeah, I know this isn't the typical episode, but I hope you guys enjoyed it and got something out of it. Anyway, all right, we'll see you next week. Peace. And that's a wrap on this episode of Critical Thinking. Thanks so much for watching to the end, y'all. If you want more Critical Thinking content, or if you want to support the show, head over to the CTBB Show Discord. You can hop in the community. There's lots of great high level hacking discussion happening there. On top of the master classes, hack alongs, exclusive content and a full time hunters guild. If you're a full time hunter, it's a great time. Trust me. All right, I'll see you there.
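The RPC-ID annotation workflow Justin describes near the end of the transcript, as an added illustration that is not Caido's workflow code or his plugin: plain JavaScript models the passive workflow that scrapes the ID-to-name correlation out of a JS bundle into an environment map, and the match-and-replace convert workflow that appends the human-readable path as a query parameter at send time. The bundle snippet, the regex, the `/api/rpc` path and the `rpc` query parameter are all constructed assumptions; the real pattern has to be read out of the target's own JavaScript.

```javascript
// Constructed sample bundle: the id and the human-readable name are not adjacent,
// but the same shape repeats for every RPC, which is what makes a regex workable.
const SAMPLE_JS = `
  r.register({id:"a1b2c3",handler:h1,meta:{retries:3},name:"account.getProfile"});
  r.register({id:"z9y8x7",handler:h2,meta:{retries:1},name:"billing.listInvoices"});
`;

// Assumed pattern: six alphanumerics as the id, then a non-greedy skip to the name.
const MAPPING_RE = /id:"([A-Za-z0-9]{6})"[\s\S]*?name:"([^"]+)"/g;

// Stage 1 (passive workflow over JS responses): fill a flat key/value map,
// mirroring one environment variable per RPC id.
function extractRpcMap(jsSource, env = {}) {
  for (const m of jsSource.matchAll(MAPPING_RE)) {
    env[`rpc_${m[1]}`] = m[2];
  }
  return env;
}

// Constructed request to the single RPC endpoint; the id travels in the query string.
const SAMPLE_REQUEST = [
  "POST /api/rpc?rpc=a1b2c3&v=2 HTTP/1.1",
  "Host: app.example",
  "Content-Type: application/json",
  "",
  '{"args":{}}',
].join("\r\n");

// Match-and-replace condition: only the request line of the RPC endpoint.
// No trailing $ because the line ends in \r\n and $ would not match before \r.
const REQUEST_LINE_RE = /^(POST|GET) (\/api\/rpc)\?(\S*) HTTP\/1\.1/m;

// Stage 2 (convert workflow used as the replacer): look the id up in the map and
// add human_readable_path=<name>. Requests with no match or an unknown id pass
// through untouched, so the rule never corrupts traffic it does not understand.
function annotateRequest(rawRequest, env) {
  const m = rawRequest.match(REQUEST_LINE_RE);
  if (!m) return rawRequest;
  const params = new URLSearchParams(m[3]);
  const id = params.get("rpc");
  const name = id ? env[`rpc_${id}`] : undefined;
  if (!name) return rawRequest;
  params.set("human_readable_path", name);
  return rawRequest.replace(m[0], `${m[1]} ${m[2]}?${params.toString()} HTTP/1.1`);
}

// End-to-end: scrape the bundle once, then rewrite the request at send time.
function demo() {
  const env = extractRpcMap(SAMPLE_JS);
  return annotateRequest(SAMPLE_REQUEST, env);
}

console.log(demo());
```

Searching HTTP history for the added parameter then gives the human-readable view of the traffic that the transcript describes.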