Caido Mode Skill：基于官方SDK的Caido API全覆盖CLI工具，提升安全测试效率

caido-mode by caido/skills

433 周安装量

88 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/caido/skills --skill caido-mode

自动化测试安全

🇨🇳中文介绍

Caido Mode Skill

概述

基于官方 @caido/sdk-client 包构建的 Caido API 全覆盖 CLI。涵盖：

HTTP 历史记录 - 使用 HTTPQL 搜索、检索、重放、编辑请求
重放与会话 - 会话、集合、条目、模糊测试
范围 - 创建和管理测试范围（允许列表/拒绝列表模式）
过滤器预设 - 保存和重用 HTTPQL 过滤器预设
环境变量 - 存储测试变量（受害者 ID、令牌等）
发现项 - 创建、列出、更新安全发现项
任务 - 监控和取消后台任务
项目 - 在测试项目之间切换
托管文件 - 管理由 Caido 提供的文件
拦截 - 以编程方式启用/禁用请求拦截
插件 - 列出已安装的插件
导出 - 将请求转换为 curl 命令以用于 PoC
健康状态 - 检查 Caido 实例状态

所有流量都通过 Caido，因此会显示在 UI 中以供进一步分析。

为什么选择此模式？

Cookie 和身份验证令牌可能非常大 - 会话 Cookie、JWT、CSRF 令牌很容易达到 1-2KB。与其手动复制粘贴：

在 Caido 的 HTTP 历史记录中找到一个已经具有有效身份验证的原始请求
使用仅修改您需要的内容（路径、方法、正文），同时保持所有身份验证标头完好无损

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

设置（一次性）

打开仪表板 → 开发者 → 个人访问令牌
创建一个新令牌
运行：

node ~/.claude/skills/caido-mode/caido-client.ts setup <your-pat>

# 非默认 Caido 实例
node ~/.claude/skills/caido-mode/caido-client.ts setup <pat> http://192.168.1.100:8080

# 或者设置环境变量
export CAIDO_PAT=caido_xxxxx

setup 命令通过 SDK 验证 PAT（将其交换为访问令牌），然后将 PAT 和缓存的访问令牌都保存到 ~/.claude/config/secrets.json。后续运行直接加载缓存的令牌，跳过 PAT 交换。

node ~/.claude/skills/caido-mode/caido-client.ts auth-status

身份验证工作原理

SDK 内部使用设备代码流程 - PAT 自动批准它并接收访问令牌 + 刷新令牌。自定义的 SecretsTokenCache（实现 SDK 的 TokenCache 接口）将这些令牌持久化到 secrets.json，以便它们在 CLI 调用之间保持有效。

身份验证解析顺序：CAIDO_PAT 环境变量 → secrets.json PAT → 显示设置说明的错误

位于 ~/.claude/skills/caido-mode/caido-client.ts。所有命令输出 JSON。

HTTP 历史记录和测试命令

search - 使用 HTTPQL 搜索 HTTP 历史记录

node caido-client.ts search 'req.method.eq:"POST" AND resp.code.eq:200'
node caido-client.ts search 'req.host.cont:"api"' --limit 50
node caido-client.ts search 'req.path.cont:"/admin"' --ids-only
node caido-client.ts search 'resp.raw.cont:"password"' --after <cursor>

recent - 获取最近的请求

node caido-client.ts recent
node caido-client.ts recent --limit 50

get / get-response - 检索完整详细信息

node caido-client.ts get <request-id>
node caido-client.ts get <request-id> --headers-only
node caido-client.ts get-response <request-id>
node caido-client.ts get-response <request-id> --compact

edit - 编辑和重放（关键功能）

修改现有请求，同时保留所有 Cookie/身份验证标头：

# 更改路径（IDOR 测试）
node caido-client.ts edit <id> --path /api/user/999

# 更改方法并添加正文
node caido-client.ts edit <id> --method POST --body '{"admin":true}'

# 添加/移除标头
node caido-client.ts edit <id> --set-header "X-Forwarded-For: 127.0.0.1"
node caido-client.ts edit <id> --remove-header "X-CSRF-Token"

# 在请求中的任何位置查找/替换文本
node caido-client.ts edit <id> --replace "user123:::user456"

# 组合多个编辑
node caido-client.ts edit <id> --method PUT --path /api/admin --body '{"role":"admin"}' --compact

选项	描述
`--method <METHOD>`	更改 HTTP 方法
`--path <path>`	更改请求路径
`--set-header <Name: Value>`	添加或替换标头（可重复）
`--remove-header <Name>`	移除标头（可重复）
`--body <content>`	设置请求正文（自动更新 Content-Length）
`--replace <from>:::<to>`	在请求中的任何位置查找/替换文本（可重复）

replay / send-raw - 发送请求

# 原样重放
node caido-client.ts replay <request-id>

# 使用自定义原始数据重放
node caido-client.ts replay <id> --raw "GET /modified HTTP/1.1\r\nHost: example.com\r\n\r\n"

# 发送完全自定义的请求
node caido-client.ts send-raw --host example.com --port 443 --tls --raw "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

export-curl - 转换为 curl 以用于 PoC

node caido-client.ts export-curl <request-id>

输出一个包含所有标头和正文的即用型 curl 命令。

重放会话和集合

# 从现有请求创建重放会话
node caido-client.ts create-session <request-id>

# 始终重命名会话以便在 Caido UI 中轻松识别
node caido-client.ts rename-session <session-id> "idor-user-profile"

# 列出所有重放会话
node caido-client.ts replay-sessions
node caido-client.ts replay-sessions --limit 50

# 删除重放会话
node caido-client.ts delete-sessions <session-id-1>,<session-id-2>

将重放会话组织到集合中：

# 列出重放集合
node caido-client.ts replay-collections
node caido-client.ts replay-collections --limit 50

# 创建集合
node caido-client.ts create-collection "IDOR Testing"

# 重命名集合
node caido-client.ts rename-collection <collection-id> "Auth Bypass Tests"

# 删除集合
node caido-client.ts delete-collection <collection-id>

# 为模糊测试创建自动化会话
node caido-client.ts create-automate-session <request-id>

# 开始模糊测试（首先在 Caido UI 中配置有效负载和标记）
node caido-client.ts fuzz <session-id>

定义测试范围。使用 glob 模式。

# 列出所有范围
node caido-client.ts scopes

# 创建带有允许列表和拒绝列表的范围
node caido-client.ts create-scope "Target Corp" --allow "*.target.com,*.target.io" --deny "*.cdn.target.com"

# 更新范围
node caido-client.ts update-scope <scope-id> --allow "*.target.com,*.api.target.com"

# 删除范围
node caido-client.ts delete-scope <scope-id>

Glob 模式： *.example.com 匹配 example.com 的任何子域。

将常用的 HTTPQL 查询保存为命名预设。

# 列出保存的过滤器
node caido-client.ts filters

# 创建过滤器预设
node caido-client.ts create-filter "API Errors" --query 'req.path.cont:"/api/" AND resp.code.gte:400'
node caido-client.ts create-filter "Auth Endpoints" --query 'req.path.regex:"/(login|auth|oauth)/"' --alias "auth"

# 更新过滤器
node caido-client.ts update-filter <filter-id> --query 'req.path.cont:"/api/" AND resp.code.gte:500'

# 删除过滤器
node caido-client.ts delete-filter <filter-id>

存储跨会话持久化的测试变量。非常适合用于多用户 ID 的 IDOR 测试。

# 列出环境
node caido-client.ts envs

# 创建环境
node caido-client.ts create-env "IDOR-Test"

# 设置变量
node caido-client.ts env-set <env-id> victim_user_id "user_456"
node caido-client.ts env-set <env-id> attacker_token "eyJhbG..."

# 选择活动环境
node caido-client.ts select-env <env-id>

# 取消选择环境
node caido-client.ts select-env

# 删除环境
node caido-client.ts delete-env <env-id>

创建、列出和更新安全发现项。显示在 Caido 的“发现项”选项卡中。

# 列出所有发现项
node caido-client.ts findings
node caido-client.ts findings --limit 50

# 获取特定发现项
node caido-client.ts get-finding <finding-id>

# 创建与请求关联的发现项
node caido-client.ts create-finding <request-id> \
  --title "IDOR in user profile endpoint" \
  --description "Can access other users' profiles by changing ID parameter" \
  --reporter "rez0"

# 使用去重键（防止重复）
node caido-client.ts create-finding <request-id> \
  --title "Auth bypass on /admin" \
  --dedupe-key "admin-auth-bypass"

# 更新发现项
node caido-client.ts update-finding <finding-id> \
  --title "Updated title" \
  --description "Updated description"

监控和取消后台任务（导入、导出等）。

# 列出所有任务
node caido-client.ts tasks

# 取消正在运行的任务
node caido-client.ts cancel-task <task-id>

# 列出所有项目
node caido-client.ts projects

# 切换活动项目
node caido-client.ts select-project <project-id>

# 列出托管文件
node caido-client.ts hosted-files

# 删除托管文件
node caido-client.ts delete-hosted-file <file-id>

# 检查拦截状态
node caido-client.ts intercept-status

# 启用/禁用拦截
node caido-client.ts intercept-enable
node caido-client.ts intercept-disable

信息、健康状态和插件

# 当前用户信息
node caido-client.ts viewer

# 列出已安装的插件
node caido-client.ts plugins

# 检查 Caido 实例健康状态（版本、就绪状态）
node caido-client.ts health

适用于 get、get-response、replay、edit、send-raw：

标志	描述
`--max-body <n>`	最大响应正文行数（默认值：200，0=无限制）
`--max-body-chars <n>`	最大正文字符数（默认值：5000，0=无限制）
`--no-request`	输出中跳过请求原始数据
`--headers-only`	仅 HTTP 标头，无正文
`--compact`	简写：`--no-request --max-body 50 --max-body-chars 5000`

Caido 用于搜索 HTTP 历史记录的查询语言。

关键：字符串值必须用引号括起来。整数值不用引号。

命名空间和字段

命名空间	字段	类型	描述
`req`	`ext`	string	文件扩展名（包含 `.`）
`req`	`host`	string	主机名
`req`	`method`	string	HTTP 方法（大写）
`req`	`path`	string	URL 路径
`req`	`query`	string	查询字符串
`req`	`raw`	string	完整原始请求
`req`	`port`	int	端口号
`req`	`len`	int	请求正文长度
`req`	`created_at`	date	创建时间戳
`req`	`tls`	bool	是否为 HTTPS
`resp`	`raw`	string	完整原始响应
`resp`	`code`	int	状态码
`resp`	`len`	int	响应正文长度
`resp`	`roundtrip`	int	往返时间（毫秒）
`row`	`id`	int	请求 ID
`source`	-	special	`"intercept"`、`"replay"`、`"automate"`、`"workflow"`
`preset`	-	special	过滤器预设引用

字符串： eq、ne、cont、ncont、like、nlike、regex、nregex 整数： eq、ne、gt、gte、lt、lte 布尔值： eq、ne 逻辑： AND、OR、括号用于分组

# POST 请求且响应为 200
req.method.eq:"POST" AND resp.code.eq:200

# API 请求
req.host.cont:"api" OR req.path.cont:"/api/"

# 独立字符串搜索请求和响应
"password" OR "secret" OR "api_key"

# 错误响应
resp.code.gte:400 AND resp.code.lt:500

# 大响应（潜在数据暴露）
resp.len.gt:100000

# 慢端点
resp.roundtrip.gt:5000

# 通过正则表达式匹配身份验证端点
req.path.regex:"/(login|auth|signin|oauth)/"

# 仅重放/自动化流量
source:"replay" OR source:"automate"

# 日期过滤
req.created_at.gt:"2024-01-01T00:00:00Z"

此 CLI 基于 @caido/sdk-client v0.1.4+ 构建，采用清晰的多文件架构：

caido-client.ts          # CLI 入口点 - 参数解析 + 命令分发
lib/
  client.ts              # SDK 客户端单例，SecretsTokenCache，身份验证配置
  graphql.ts             # 用于尚未集成到 SDK 中的功能的 gql 文档
  output.ts              # 输出格式化（截断、仅标头、原始数据→curl）
  types.ts               # 共享类型（OutputOpts）
  commands/
    requests.ts          # search, recent, get, get-response, export-curl
    replay.ts            # replay, send-raw, edit, sessions, collections, automate, fuzz
    findings.ts          # findings, get-finding, create-finding, update-finding
    management.ts        # scopes, filters, environments, projects, hosted-files, tasks
    intercept.ts         # intercept-status, intercept-enable, intercept-disable
    info.ts              # viewer, plugins, health, setup, auth-status

大多数功能直接使用高级 SDK：

SDK 方法	命令
`client.request.list()`、`.get()`	search, recent, get, get-response, export-curl
`client.replay.sessions.*`	create-session, replay-sessions, rename-session, delete-sessions
`client.replay.collections.*`	replay-collections, create-collection, rename-collection, delete-collection
`client.replay.send()`	replay, send-raw, edit
`client.finding.*`	findings, get-finding, create-finding, update-finding
`client.scope.*`	scopes, create-scope, update-scope, delete-scope
`client.filter.*`	filters, create-filter, update-filter, delete-filter
`client.environment.*`	envs, create-env, select-env, env-set, delete-env
`client.project.*`	projects, select-project
`client.hostedFile.*`	hosted-files, delete-hosted-file
`client.task.*`	tasks, cancel-task
`client.user.viewer()`	viewer
`client.health()`	health

尚未集成到高级 SDK 中的功能使用 client.graphql.query()/client.graphql.mutation() 和来自 graphql-tag 的 gql 标记模板。这是正确的 SDK 方法（通过 urql 的类型化文档）- 没有任何地方使用原始 fetch。

GraphQL 文档	命令
`INTERCEPT_OPTIONS_QUERY`	intercept-status
`PAUSE_INTERCEPT` / `RESUME_INTERCEPT`	intercept-enable, intercept-disable
`PLUGIN_PACKAGES_QUERY`	plugins
`CREATE_AUTOMATE_SESSION`	create-automate-session
`GET_AUTOMATE_SESSION`	fuzz（验证会话）
`START_AUTOMATE_TASK`	fuzz（启动任务）

1. IDOR 测试（主要模式）

# 查找经过身份验证的请求
node caido-client.ts search 'req.path.cont:"/api/user"' --limit 10

# 创建范围
node caido-client.ts create-scope "IDOR-Test" --allow "*.target.com"

# 为测试数据创建环境
node caido-client.ts create-env "IDOR-Test"
node caido-client.ts env-set <env-id> victim_id "user_999"

# 通过更改用户 ID 测试 IDOR
node caido-client.ts edit <request-id> --path /api/user/999

# 如果成功，标记为发现项
node caido-client.ts create-finding <request-id> --title "IDOR on /api/user/:id"

# 导出 curl 以用于 PoC
node caido-client.ts export-curl <request-id>

2. 权限提升测试

node caido-client.ts search 'req.path.cont:"/admin"' --limit 10
node caido-client.ts edit <id> --path /api/admin/users --method GET
node caido-client.ts edit <id> --method POST --body '{"role":"admin"}'

3. 标头绕过测试

node caido-client.ts edit <id> --set-header "X-Forwarded-For: 127.0.0.1"
node caido-client.ts edit <id> --set-header "X-Original-URL: /admin"
node caido-client.ts edit <id> --remove-header "X-CSRF-Token"

4. 使用 Automate 进行模糊测试

node caido-client.ts create-automate-session <request-id>
# 在 Caido UI 中配置有效负载标记和单词列表
node caido-client.ts fuzz <session-id>

5. 过滤 + 分析模式

# 保存有用的过滤器
node caido-client.ts create-filter "API 4xx" --query 'req.path.cont:"/api/" AND resp.code.gte:400 AND resp.code.lt:500'
node caido-client.ts create-filter "Large Responses" --query 'resp.len.gt:100000'
node caido-client.ts create-filter "Sensitive Data" --query '"password" OR "secret" OR "api_key" OR "token"'

# 使用预设别名快速搜索
node caido-client.ts search 'preset:"API 4xx"' --limit 20

优先使用 edit 而非 replay --raw - 自动保留 Cookie/身份验证
工作流：搜索 → 找到具有有效身份验证的请求 → 使用该 ID 通过 edit 进行所有测试
不要将原始请求转储到上下文中 - 探索时使用 --compact 或 --headers-only
始终首先检查身份验证：health 验证连接，然后 recent --limit 1
始终命名重放标签页：rename-session <id> "idor-user-profile"
为任何有趣的内容创建发现项 - 它们会显示在 Caido 的“发现项”选项卡中
构建报告 PoC 时使用 export-curl
创建过滤器预设以保存常用搜索，避免重复输入
使用环境变量存储测试数据（受害者 ID、令牌等）
输出为 JSON - 根据需要解析响应字段

性能和上下文优化

search/recent 省略 raw 字段（每个请求约 200 字节，100+ 个请求是安全的）
get 获取 raw（每个请求约 5-20KB，仅获取所需内容）
积极使用 --limit（从 5-10 开始）
快速探索时使用 --compact 标志
使用 HTTPQL 在服务器端过滤，而非在客户端

身份验证错误：运行 node caido-client.ts auth-status 检查，使用 node caido-client.ts setup <pat> 重新设置
连接被拒绝：Caido 未运行 → node caido-client.ts health
InstanceNotReadyError：Caido 正在启动，请等待并重试

caido-plugin-dev - 用于构建 Caido 插件（后端 + 前端）
spider - 使用 Katana 进行爬取（使用 Caido 作为代理）
website-fuzzing - 在 hunt6 上进行远程 ffuf 模糊测试
JsAnalyzer - 用于流量发现文件的 JS 分析

🇺🇸English

Caido Mode Skill

Overview

Full-coverage CLI for Caido's API, built on the official @caido/sdk-client package. Covers:

HTTP History - Search, retrieve, replay, edit requests with HTTPQL
Replay & Sessions - Sessions, collections, entries, fuzzing
Scopes - Create and manage testing scopes (allowlist/denylist patterns)
Filter Presets - Save and reuse HTTPQL filter presets
Environments - Store test variables (victim IDs, tokens, etc.)
Findings - Create, list, update security findings
Tasks - Monitor and cancel background tasks
Projects - Switch between testing projects
Hosted Files - Manage files served by Caido
Intercept - Enable/disable request interception programmatically
Plugins - List installed plugins
Export - Convert requests to curl commands for PoCs
Health - Check Caido instance status

All traffic goes through Caido, so it appears in the UI for further analysis.

Why This Model?

Cookies and auth tokens can be huge - session cookies, JWTs, CSRF tokens can easily be 1-2KB. Rather than manually copy-pasting:

Find an organic request in Caido's HTTP history that already has valid auth
Useedit to modify just what you need (path, method, body) while keeping all auth headers intact
Send it - response comes back with full context preserved

Authentication Setup

Setup (One-Time)

Open Dashboard → Developer → Personal Access Tokens
Create a new token
Run:

node ~/.claude/skills/caido-mode/caido-client.ts setup <your-pat>

# Non-default Caido instance
node ~/.claude/skills/caido-mode/caido-client.ts setup <pat> http://192.168.1.100:8080

# Or set env var instead
export CAIDO_PAT=caido_xxxxx

The setup command validates the PAT via the SDK (which exchanges it for an access token), then saves both the PAT and the cached access token to ~/.claude/config/secrets.json. Subsequent runs load the cached token directly, skipping the PAT exchange.

Check Status

node ~/.claude/skills/caido-mode/caido-client.ts auth-status

How Auth Works

The SDK uses a device code flow internally — the PAT auto-approves it and receives an access token + refresh token. A custom SecretsTokenCache (implementing the SDK's TokenCache interface) persists these tokens to secrets.json so they survive across CLI invocations.

Auth resolution: CAIDO_PAT env var → secrets.json PAT → error with setup instructions

CLI Tool

Located at ~/.claude/skills/caido-mode/caido-client.ts. All commands output JSON.

HTTP History & Testing Commands

search - Search HTTP history with HTTPQL

node caido-client.ts search 'req.method.eq:"POST" AND resp.code.eq:200'
node caido-client.ts search 'req.host.cont:"api"' --limit 50
node caido-client.ts search 'req.path.cont:"/admin"' --ids-only
node caido-client.ts search 'resp.raw.cont:"password"' --after <cursor>

recent - Get recent requests

node caido-client.ts recent
node caido-client.ts recent --limit 50

get / get-response - Retrieve full details

node caido-client.ts get <request-id>
node caido-client.ts get <request-id> --headers-only
node caido-client.ts get-response <request-id>
node caido-client.ts get-response <request-id> --compact

edit - Edit and replay (KEY FEATURE)

Modifies an existing request while preserving all cookies/auth headers:

# Change path (IDOR testing)
node caido-client.ts edit <id> --path /api/user/999

# Change method and add body
node caido-client.ts edit <id> --method POST --body '{"admin":true}'

# Add/remove headers
node caido-client.ts edit <id> --set-header "X-Forwarded-For: 127.0.0.1"
node caido-client.ts edit <id> --remove-header "X-CSRF-Token"

# Find/replace text anywhere in request
node caido-client.ts edit <id> --replace "user123:::user456"

# Combine multiple edits
node caido-client.ts edit <id> --method PUT --path /api/admin --body '{"role":"admin"}' --compact

Option	Description
`--method <METHOD>`	Change HTTP method
`--path <path>`	Change request path
`--set-header <Name: Value>`	Add or replace a header (repeatable)
`--remove-header <Name>`	Remove a header (repeatable)
`--body <content>`	Set request body (auto-updates Content-Length)
`--replace <from>:::<to>`

replay / send-raw - Send requests

# Replay as-is
node caido-client.ts replay <request-id>

# Replay with custom raw
node caido-client.ts replay <id> --raw "GET /modified HTTP/1.1\r\nHost: example.com\r\n\r\n"

# Send completely custom request
node caido-client.ts send-raw --host example.com --port 443 --tls --raw "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

export-curl - Convert to curl for PoCs

node caido-client.ts export-curl <request-id>

Outputs a ready-to-use curl command with all headers and body.

Replay Sessions & Collections

Sessions

# Create replay session from an existing request
node caido-client.ts create-session <request-id>

# ALWAYS rename sessions for easy identification in Caido UI
node caido-client.ts rename-session <session-id> "idor-user-profile"

# List all replay sessions
node caido-client.ts replay-sessions
node caido-client.ts replay-sessions --limit 50

# Delete replay sessions
node caido-client.ts delete-sessions <session-id-1>,<session-id-2>

Collections

Organize replay sessions into collections:

# List replay collections
node caido-client.ts replay-collections
node caido-client.ts replay-collections --limit 50

# Create a collection
node caido-client.ts create-collection "IDOR Testing"

# Rename a collection
node caido-client.ts rename-collection <collection-id> "Auth Bypass Tests"

# Delete a collection
node caido-client.ts delete-collection <collection-id>

Fuzzing

# Create automate session for fuzzing
node caido-client.ts create-automate-session <request-id>

# Start fuzzing (configure payloads and markers in Caido UI first)
node caido-client.ts fuzz <session-id>

Scope Management

Define what's in scope for your testing. Uses glob patterns.

# List all scopes
node caido-client.ts scopes

# Create scope with allowlist and denylist
node caido-client.ts create-scope "Target Corp" --allow "*.target.com,*.target.io" --deny "*.cdn.target.com"

# Update scope
node caido-client.ts update-scope <scope-id> --allow "*.target.com,*.api.target.com"

# Delete scope
node caido-client.ts delete-scope <scope-id>

Glob patterns: *.example.com matches any subdomain of example.com.

Filter Presets

Save frequently used HTTPQL queries as named presets.

# List saved filters
node caido-client.ts filters

# Create filter preset
node caido-client.ts create-filter "API Errors" --query 'req.path.cont:"/api/" AND resp.code.gte:400'
node caido-client.ts create-filter "Auth Endpoints" --query 'req.path.regex:"/(login|auth|oauth)/"' --alias "auth"

# Update filter
node caido-client.ts update-filter <filter-id> --query 'req.path.cont:"/api/" AND resp.code.gte:500'

# Delete filter
node caido-client.ts delete-filter <filter-id>

Environment Variables

Store testing variables that persist across sessions. Great for IDOR testing with multiple user IDs.

# List environments
node caido-client.ts envs

# Create environment
node caido-client.ts create-env "IDOR-Test"

# Set variables
node caido-client.ts env-set <env-id> victim_user_id "user_456"
node caido-client.ts env-set <env-id> attacker_token "eyJhbG..."

# Select active environment
node caido-client.ts select-env <env-id>

# Deselect environment
node caido-client.ts select-env

# Delete environment
node caido-client.ts delete-env <env-id>

Findings

Create, list, and update security findings. Shows up in Caido's Findings tab.

# List all findings
node caido-client.ts findings
node caido-client.ts findings --limit 50

# Get a specific finding
node caido-client.ts get-finding <finding-id>

# Create finding linked to a request
node caido-client.ts create-finding <request-id> \
  --title "IDOR in user profile endpoint" \
  --description "Can access other users' profiles by changing ID parameter" \
  --reporter "rez0"

# With deduplication key (prevents duplicates)
node caido-client.ts create-finding <request-id> \
  --title "Auth bypass on /admin" \
  --dedupe-key "admin-auth-bypass"

# Update finding
node caido-client.ts update-finding <finding-id> \
  --title "Updated title" \
  --description "Updated description"

Tasks

Monitor and cancel background tasks (imports, exports, etc.).

# List all tasks
node caido-client.ts tasks

# Cancel a running task
node caido-client.ts cancel-task <task-id>

Project Management

# List all projects
node caido-client.ts projects

# Switch active project
node caido-client.ts select-project <project-id>

Hosted Files

# List hosted files
node caido-client.ts hosted-files

# Delete hosted file
node caido-client.ts delete-hosted-file <file-id>

Intercept Control

# Check intercept status
node caido-client.ts intercept-status

# Enable/disable interception
node caido-client.ts intercept-enable
node caido-client.ts intercept-disable

Info, Health & Plugins

# Current user info
node caido-client.ts viewer

# List installed plugins
node caido-client.ts plugins

# Check Caido instance health (version, ready state)
node caido-client.ts health

Output Control

Works with get, get-response, replay, edit, send-raw:

Flag	Description
`--max-body <n>`	Max response body lines (default: 200, 0=unlimited)
`--max-body-chars <n>`	Max body chars (default: 5000, 0=unlimited)
`--no-request`	Skip request raw in output
`--headers-only`	Only HTTP headers, no body
`--compact`	Shorthand: `--no-request --max-body 50 --max-body-chars 5000`

HTTPQL Reference

Caido's query language for searching HTTP history.

CRITICAL : String values MUST be quoted. Integer values are NOT quoted.

Namespaces and Fields

Namespace	Field	Type	Description
`req`	`ext`	string	File extension (includes `.`)
`req`	`host`	string	Hostname
`req`	`method`

Operators

String: eq, ne, cont, ncont, like, nlike, regex, nregex Integer: eq, ne, gt, gte, , , , , parentheses for grouping

Example Queries

# POST requests with 200 responses
req.method.eq:"POST" AND resp.code.eq:200

# API requests
req.host.cont:"api" OR req.path.cont:"/api/"

# Standalone string searches both req and resp
"password" OR "secret" OR "api_key"

# Error responses
resp.code.gte:400 AND resp.code.lt:500

# Large responses (potential data exposure)
resp.len.gt:100000

# Slow endpoints
resp.roundtrip.gt:5000

# Auth endpoints by regex
req.path.regex:"/(login|auth|signin|oauth)/"

# Replay/automate traffic only
source:"replay" OR source:"automate"

# Date filtering
req.created_at.gt:"2024-01-01T00:00:00Z"

SDK Architecture

This CLI is built on @caido/sdk-client v0.1.4+, using a clean multi-file architecture:

caido-client.ts          # CLI entry point — arg parsing + command dispatch
lib/
  client.ts              # SDK Client singleton, SecretsTokenCache, auth config
  graphql.ts             # gql documents for features not yet in SDK
  output.ts              # Output formatting (truncation, headers-only, raw→curl)
  types.ts               # Shared types (OutputOpts)
  commands/
    requests.ts          # search, recent, get, get-response, export-curl
    replay.ts            # replay, send-raw, edit, sessions, collections, automate, fuzz
    findings.ts          # findings, get-finding, create-finding, update-finding
    management.ts        # scopes, filters, environments, projects, hosted-files, tasks
    intercept.ts         # intercept-status, intercept-enable, intercept-disable
    info.ts              # viewer, plugins, health, setup, auth-status

SDK Coverage

Most features use the high-level SDK directly:

SDK Method	Commands
`client.request.list()`, `.get()`	search, recent, get, get-response, export-curl
`client.replay.sessions.*`	create-session, replay-sessions, rename-session, delete-sessions
`client.replay.collections.*`	replay-collections, create-collection, rename-collection, delete-collection
`client.replay.send()`	replay, send-raw, edit
`client.finding.*`	findings, get-finding, create-finding, update-finding

Features not yet in the high-level SDK use client.graphql.query()/client.graphql.mutation() with gql tagged templates from graphql-tag. This is the proper SDK approach (typed documents through urql) — no raw fetch anywhere.

GraphQL Document	Commands
`INTERCEPT_OPTIONS_QUERY`	intercept-status
`PAUSE_INTERCEPT` / `RESUME_INTERCEPT`	intercept-enable, intercept-disable
`PLUGIN_PACKAGES_QUERY`	plugins
`CREATE_AUTOMATE_SESSION`	create-automate-session
`GET_AUTOMATE_SESSION`	fuzz (verify session)

Workflow Examples

1. IDOR Testing (Primary Pattern)

# Find authenticated request
node caido-client.ts search 'req.path.cont:"/api/user"' --limit 10

# Create scope
node caido-client.ts create-scope "IDOR-Test" --allow "*.target.com"

# Create environment for test data
node caido-client.ts create-env "IDOR-Test"
node caido-client.ts env-set <env-id> victim_id "user_999"

# Test IDOR by changing user ID
node caido-client.ts edit <request-id> --path /api/user/999

# Mark as finding if it works
node caido-client.ts create-finding <request-id> --title "IDOR on /api/user/:id"

# Export curl for PoC
node caido-client.ts export-curl <request-id>

2. Privilege Escalation Testing

node caido-client.ts search 'req.path.cont:"/admin"' --limit 10
node caido-client.ts edit <id> --path /api/admin/users --method GET
node caido-client.ts edit <id> --method POST --body '{"role":"admin"}'

3. Header Bypass Testing

node caido-client.ts edit <id> --set-header "X-Forwarded-For: 127.0.0.1"
node caido-client.ts edit <id> --set-header "X-Original-URL: /admin"
node caido-client.ts edit <id> --remove-header "X-CSRF-Token"

4. Fuzzing with Automate

node caido-client.ts create-automate-session <request-id>
# Configure payload markers and wordlists in Caido UI
node caido-client.ts fuzz <session-id>

5. Filter + Analyze Pattern

# Save useful filters
node caido-client.ts create-filter "API 4xx" --query 'req.path.cont:"/api/" AND resp.code.gte:400 AND resp.code.lt:500'
node caido-client.ts create-filter "Large Responses" --query 'resp.len.gt:100000'
node caido-client.ts create-filter "Sensitive Data" --query '"password" OR "secret" OR "api_key" OR "token"'

# Quick search using preset alias
node caido-client.ts search 'preset:"API 4xx"' --limit 20

Instructions for Claude

PREFERedit OVER replay --raw - preserves cookies/auth automatically
Workflow : Search → find request with valid auth → use that ID for all tests via edit
Don't dump raw requests into context - use --compact or --headers-only when exploring
Always check auth first : health to verify connection, then recent --limit 1
ALWAYS NAME REPLAY TABS : rename-session <id> "idor-user-profile"
Create findings for anything interesting - they show up in Caido's Findings tab

Performance & Context Optimization

search/recent omit raw field (~200 bytes per request, safe for 100+)
get fetches raw (~5-20KB per request, fetch only what you need)
Use --limit aggressively (start with 5-10)
Use --compact flag for quick exploration
Filter server-side with HTTPQL, not client-side

Error Handling

Auth errors : Run node caido-client.ts auth-status to check, re-setup with node caido-client.ts setup <pat>
Connection refused : Caido not running → node caido-client.ts health
InstanceNotReadyError : Caido is starting up, wait and retry

Related Skills

caido-plugin-dev - For building Caido plugins (backend + frontend)
spider - Crawling with Katana (uses Caido as proxy)
website-fuzzing - Remote ffuf fuzzing on hunt6
JsAnalyzer - JS analysis for traffic-discovered files

Weekly Installs

Repository

caido/skills

GitHub Stars

First Seen

5 days ago

Security Audits

Gen Agent Trust HubPass SocketPass SnykFail

Installed on

opencode84

amp84

codex84

gemini-cli83

github-copilot83

cline83

代码审查最佳实践指南：完整流程、安全与性能审查清单

12,400 周安装

START_AUTOMATE_TASK

Useexport-curl when building PoCs for reports

Create filter presets for recurring searches to save typing

Use environments to store test data (victim IDs, tokens, etc.)

Output is JSON - parse response fields as needed

Caido Mode Skill：基于官方SDK的Caido API全覆盖CLI工具，提升安全测试效率

🇨🇳中文介绍

Caido Mode Skill

概述

为什么选择此模式？

相关 Skills

身份验证设置

设置（一次性）

检查状态

身份验证工作原理

CLI 工具

HTTP 历史记录和测试命令

search - 使用 HTTPQL 搜索 HTTP 历史记录

recent - 获取最近的请求

get / get-response - 检索完整详细信息

edit - 编辑和重放（关键功能）

replay / send-raw - 发送请求

export-curl - 转换为 curl 以用于 PoC

重放会话和集合

会话

集合

模糊测试

范围管理

过滤器预设

环境变量

发现项

任务

项目管理

托管文件

拦截控制

信息、健康状态和插件

输出控制

HTTPQL 参考

命名空间和字段

运算符

查询示例

SDK 架构

SDK 覆盖范围

工作流示例

1. IDOR 测试（主要模式）

2. 权限提升测试

3. 标头绕过测试

4. 使用 Automate 进行模糊测试

5. 过滤 + 分析模式

Claude 使用说明

性能和上下文优化

错误处理

相关技能

🇺🇸English

Caido Mode Skill

Overview

Why This Model?

Authentication Setup

Setup (One-Time)

Check Status

How Auth Works

CLI Tool

HTTP History & Testing Commands

search - Search HTTP history with HTTPQL

recent - Get recent requests

get / get-response - Retrieve full details

edit - Edit and replay (KEY FEATURE)

replay / send-raw - Send requests

export-curl - Convert to curl for PoCs

Replay Sessions & Collections

Sessions

Collections

Fuzzing

Scope Management

Filter Presets

Environment Variables

Findings

Tasks

Project Management

Hosted Files

Intercept Control

Info, Health & Plugins

Output Control

HTTPQL Reference

Namespaces and Fields