The proxy tool provides comprehensive HTTP traffic analysis and manipulation capabilities for web application security testing. It captures, filters, and allows modification of HTTP requests and responses.

Key Features

  • Request Capture: Automatic capture of all proxied traffic
  • Request Replay: Repeat requests with modifications
  • Scope Management: Filter traffic by domain patterns
  • Sitemap Discovery: Hierarchical view of discovered endpoints
  • HTTPQL Filtering: Powerful query language for request filtering
  • Request Search: Regex search within request/response data

Tools

list_requests

List and filter proxy requests using HTTPQL with pagination.
  • httpql_filter (string): HTTPQL filter using Caido's syntax.
    Integer fields (port, code, roundtrip, id) - eq, gt, gte, lt, lte, ne:
      resp.code.eq:200, resp.code.gte:400, req.port.eq:443
    Text/byte fields (ext, host, method, path, query, raw) - regex:
      req.method.regex:"POST", req.path.regex:"/api/.*", req.host.regex:".*.com"
    Date fields (created_at) - gt, lt with ISO formats:
      req.created_at.gt:"2024-01-01T00:00:00Z"
    Special: source:intercept, preset:"name"
  • start_page (integer, default 1): Starting page (1-based)
  • end_page (integer, default 1): Ending page (1-based, inclusive)
  • page_size (integer, default 50): Requests per page
  • sort_by (string, default "timestamp"): Sort field: "timestamp", "host", "status_code", "response_time", "response_size"
  • sort_order (string, default "desc"): Sort direction: "asc" or "desc"
  • scope_id (string): Scope ID to filter requests (use scope_rules to manage scopes)
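The helper below is an added illustration, not part of the proxy tool or of Caido: it composes httpql_filter strings from the field classes and operators listed above, so that a wrong operator for a field, an unquoted string, or a malformed date is rejected locally before the query reaches list_requests. The names clause, and_, or_, preset and is_valid are my own; the cont and eq operators on text fields are included because the page's own filtering example uses them.

```python
import re
from datetime import datetime, timezone

# Field classes and the operators each accepts, as given in the httpql_filter
# description (cont/eq on text fields are taken from the page's own example).
INT_FIELDS = {"port", "code", "roundtrip", "id"}
INT_OPS = {"eq", "gt", "gte", "lt", "lte", "ne"}
TEXT_FIELDS = {"ext", "host", "method", "path", "query", "raw"}
TEXT_OPS = {"regex", "cont", "eq"}
DATE_FIELDS = {"created_at"}
DATE_OPS = {"gt", "lt"}
ISO_Z = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
SOURCE_INTERCEPT = "source:intercept"


def _quote(value: str) -> str:
    """Double-quote an HTTPQL string literal, escaping backslashes and quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def clause(namespace: str, field: str, op: str, value) -> str:
    """Build one 'namespace.field.op:value' clause, rejecting invalid combinations."""
    if namespace not in ("req", "resp"):
        raise ValueError(f"unknown namespace {namespace!r}")
    if field in INT_FIELDS:
        if op not in INT_OPS:
            raise ValueError(f"{field} accepts {sorted(INT_OPS)}, not {op!r}")
        if isinstance(value, bool) or not isinstance(value, int):
            raise TypeError(f"{field} needs an integer value")
        return f"{namespace}.{field}.{op}:{value}"
    if field in TEXT_FIELDS:
        if op not in TEXT_OPS:
            raise ValueError(f"{field} accepts {sorted(TEXT_OPS)}, not {op!r}")
        if not isinstance(value, str):
            raise TypeError(f"{field} needs a string value")
        return f"{namespace}.{field}.{op}:{_quote(value)}"
    if field in DATE_FIELDS:
        if op not in DATE_OPS:
            raise ValueError(f"{field} accepts {sorted(DATE_OPS)}, not {op!r}")
        if isinstance(value, datetime):
            if value.tzinfo is None:
                raise ValueError("datetime must be timezone-aware")
            value = value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        if not isinstance(value, str) or not ISO_Z.match(value):
            raise ValueError("dates must be ISO 8601 UTC, e.g. 2024-01-01T00:00:00Z")
        return f"{namespace}.{field}.{op}:{_quote(value)}"
    raise ValueError(f"unknown field {field!r}")


def is_valid(namespace: str, field: str, op: str, value) -> bool:
    """True if clause() would accept this combination."""
    try:
        clause(namespace, field, op, value)
        return True
    except (ValueError, TypeError):
        return False


def and_(*clauses: str) -> str:
    """Join clauses with AND (no parentheses needed at the top level)."""
    return " AND ".join(clauses)


def or_(*clauses: str) -> str:
    """Join clauses with OR, parenthesised so it nests safely inside an AND."""
    return "(" + " OR ".join(clauses) + ")"


def preset(name: str) -> str:
    """The special preset:"name" form."""
    return f"preset:{_quote(name)}"


if __name__ == "__main__":
    # Server errors on POSTs under /api/, or any request on port 8443
    print(and_(clause("req", "method", "eq", "POST"),
               clause("req", "path", "cont", "/api/"),
               or_(clause("resp", "code", "gte", 500),
                   clause("req", "port", "eq", 8443))))
```

The result string goes straight into list_requests(httpql_filter=...). Escaping inside _quote matters whenever a filter is built from untrusted input such as a pasted path, since an unescaped quote would otherwise break the query.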

view_request

View request/response data with search and pagination.
  • request_id (string, required): Request ID
  • part (string, default "request"): Which part to return: "request" or "response"
  • search_pattern (string): Regex pattern to search content. Common patterns:
      API endpoints: r"/api/[a-zA-Z0-9._/-]+"
      URLs: r"https?://[^\s<>\"']+"
      Parameters: r"[?&][a-zA-Z0-9_]+=([^&\s<>\"']+)"
  • page (integer, default 1): Page number for pagination
  • page_size (integer, default 50): Lines per page

send_request

Send a simple HTTP request through proxy.
  • method (string, required): HTTP method (GET, POST, etc.)
  • url (string, required): Target URL
  • headers (dict): Headers as key-value pairs (e.g., {"key": "value"})
  • body (string): Request body
  • timeout (integer, default 30): Request timeout in seconds

repeat_request

Repeat an existing proxy request with modifications for pentesting.
  • request_id (string, required): ID of the original request to repeat (from list_requests)
  • modifications (dict): Changes to apply to the original request:
      url: New URL or modify existing one
      params: Dict to update query parameters
      headers: Dict to add/update headers
      body: New request body (replaces original)
      cookies: Dict to add/update cookies
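As an added illustration of how the five modification keys combine with a captured request (this is my model of the descriptions above, not the proxy tool's implementation), the code below applies a modifications dict to a request object. The Request class and apply_modifications function are assumptions; the behaviour they model is that params are merged into the existing query string, headers and cookies are updated case-insensitively (adding when absent), and body replaces the original wholesale.

```python
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass
class Request:
    """Minimal captured-request model (assumed shape, not the tool's own)."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def _find_header(headers: dict, name: str):
    """Return the stored key that matches name case-insensitively, or None."""
    for key in headers:
        if key.lower() == name.lower():
            return key
    return None


def _set_header(headers: dict, name: str, value: str) -> None:
    """Update an existing header under its stored spelling, otherwise add it."""
    key = _find_header(headers, name)
    headers[key if key is not None else name] = value


def apply_modifications(req: Request, mods: dict) -> Request:
    """Return a new Request with the modifications applied; req is untouched."""
    new = Request(req.method, req.url, dict(req.headers), req.body)

    if "url" in mods:                      # url: replace the target outright
        new.url = mods["url"]

    if "params" in mods:                   # params: merge into the query string
        parts = urlsplit(new.url)
        # dict() keeps first-seen order but collapses repeated names to the last value
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        params.update({k: str(v) for k, v in mods["params"].items()})
        new.url = urlunsplit(parts._replace(query=urlencode(params)))

    if "headers" in mods:                  # headers: add or update, case-insensitive
        for name, value in mods["headers"].items():
            _set_header(new.headers, name, value)

    if "body" in mods:                     # body: full replacement
        new.body = mods["body"]

    if "cookies" in mods:                  # cookies: merge into the Cookie header
        jar = SimpleCookie()
        key = _find_header(new.headers, "Cookie")
        if key is not None:
            jar.load(new.headers[key])
        for name, value in mods["cookies"].items():
            jar[name] = value
        _set_header(new.headers, "Cookie",
                    "; ".join(f"{n}={m.value}" for n, m in jar.items()))

    return new


if __name__ == "__main__":
    # Constructed sample request, not captured traffic
    captured = Request("GET", "https://api.example.com/v1/users?page=1&debug=false",
                       {"Host": "api.example.com", "cookie": "session=old; theme=dark"})
    print(apply_modifications(captured, {"params": {"debug": "true"},
                                         "headers": {"X-Custom-Header": "value"},
                                         "cookies": {"session": "new_token"}}))
```

Keeping the original object untouched is deliberate: a replay tool that mutated the captured request in place would silently change what list_requests and view_request show for that ID.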

scope_rules

Manage proxy scope patterns for domain/file filtering using Caido’s scope system.
  • action (string, required): Scope action:
      get: Get specific scope by ID, or list all if no ID
      update: Update existing scope (requires scope_id and scope_name)
      list: List all available scopes
      create: Create new scope (requires scope_name)
      delete: Delete scope (requires scope_id)
  • allowlist (list): Domain patterns to include. Examples: ["*.example.com", "api.test.com"]
  • denylist (list): Patterns to exclude. Common extensions: [".gif", ".jpg", ".png", ".css", ".js", ".ico", ".svg", "woff", ".ttf"]
  • scope_id (string): Specific scope ID to operate on (required for get, update, delete)
  • scope_name (string): Name for scope (required for create, update)

list_sitemap

View hierarchical sitemap of discovered attack surface from proxied traffic.
  • scope_id (string): Scope ID to filter sitemap entries
  • parent_id (string): ID of parent entry to expand. If None, returns root domains.
  • depth (string, default "DIRECT"): "DIRECT": only immediate children. "ALL": all descendants recursively.
  • page (integer, default 1): Page number for pagination (30 entries per page)

view_sitemap_entry

Get detailed information about a specific sitemap entry and related requests.
  • entry_id (string, required): ID of the sitemap entry to examine

Examples

Filtering Requests

# POST requests under /api/ within a scope, sorted by response time
list_requests(
    httpql_filter='req.method.eq:"POST" AND req.path.cont:"/api/"',
    sort_by="response_time",
    scope_id="scope123"
)

# Find API endpoints in response
view_request(
    request_id="123",
    part="response",
    search_pattern=r"/api/[a-zA-Z0-9._/-]+"
)

Request Replay

# Modify POST body payload
repeat_request(
    request_id="req_789",
    modifications={
        "body": '{"username":"admin","password":"admin"}'
    }
)

# Modify headers and parameters
repeat_request(
    request_id="req_456",
    modifications={
        "headers": {"X-Custom-Header": "value"},
        "params": {"debug": "true"},
        "cookies": {"session": "new_token"}
    }
)

Scope Management

# Create API-only scope
scope_rules(
    action="create",
    scope_name="API Testing",
    allowlist=["api.example.com", "*.api.com"],
    denylist=["*.gif", "*.jpg", "*.png", "*.css", "*.js"]
)

# List all scopes
scope_rules(action="list")

# Get specific scope
scope_rules(
    action="get",
    scope_id="scope123"
)

Sitemap Discovery

# List root domains
list_sitemap()

# Expand specific directory
list_sitemap(
    parent_id="entry_456",
    depth="DIRECT"
)

# View entry details
view_sitemap_entry(
    entry_id="entry_789"
)

Proper Workflow

1. Browse Target: Use browser_action to browse the target application and generate traffic
2. Capture Traffic: Use list_requests() to see captured proxy traffic
3. Analyze Requests: Use view_request() to examine specific requests and responses
4. Test Modifications: Use repeat_request() to modify and test specific requests

This mirrors real pentesting: browse → capture → analyze → test

Sitemap Entry Kinds

  • DOMAIN: Root domains (example.com)
  • DIRECTORY: Path directories (/api/, /admin/)
  • REQUEST: Individual endpoints
  • REQUEST_BODY: POST/PUT body variations
  • REQUEST_QUERY: GET parameter variations
Check hasDescendants=true to identify entries worth expanding. Use parent_id from any entry to drill down into subdirectories.

Scope Pattern Syntax

  • Empty allowlist = allow all domains
  • Denylist overrides allowlist
  • Glob patterns:
    • * (any characters)
    • ? (single character)
    • [abc] (one of)
    • [a-z] (range)
    • [^abc] (none of)
Each scope has a unique ID and can be used with list_requests(scope_id=...)
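An added example, not Caido's or the proxy tool's own matcher, that implements the glob syntax and the two precedence rules above (empty allowlist allows all, denylist overrides allowlist). The names glob_to_regex, in_scope and in_scope_url are mine, and which string a pattern is tested against is an assumption: the allowlist is matched against the host and the denylist against both host and path, so extension patterns such as "*.png" behave as they do in the scope_rules example. Note that Python's own fnmatch writes negation as [!abc], so the page's [^abc] form needs this custom translation.

```python
import re
from urllib.parse import urlsplit


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a scope glob into an anchored, case-insensitive regex.

    Supported forms, as listed above: * (any characters), ? (single character),
    [abc] (one of), [a-z] (range), [^abc] (none of). Everything else is literal.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "[":
            j = pattern.find("]", i + 1)
            body = pattern[i + 1:j] if j != -1 else ""
            if body and body != "^":
                negate = body.startswith("^")
                chars = body[1:] if negate else body
                # neutralise characters that could alter the class meaning;
                # a reversed range such as [z-a] is left to re.compile to reject
                chars = chars.replace("\\", "\\\\").replace("[", "\\[")
                out.append("[" + ("^" if negate else "") + chars + "]")
                i = j
            else:
                out.append(re.escape(c))   # unmatched or empty bracket is a literal '['
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), re.IGNORECASE)


def matches_any(candidate: str, patterns) -> bool:
    """True if any glob fully matches the candidate string."""
    return any(glob_to_regex(p).fullmatch(candidate) for p in patterns)


def in_scope(host: str, path: str, allowlist, denylist) -> bool:
    """Apply the documented rules: a denylist hit on host or path always wins,
    and an empty allowlist admits every host."""
    if matches_any(host, denylist) or matches_any(path, denylist):
        return False
    return not allowlist or matches_any(host, allowlist)


def in_scope_url(url: str, allowlist, denylist) -> bool:
    """Convenience wrapper that splits a URL into host and path first."""
    parts = urlsplit(url)
    return in_scope(parts.hostname or "", parts.path, allowlist, denylist)


if __name__ == "__main__":
    # Constructed sample, mirroring the "API Testing" scope in the examples above
    allow = ["api.example.com", "*.api.com"]
    deny = ["*.gif", "*.jpg", "*.png", "*.css", "*.js"]
    for url in ["https://api.example.com/v1/users",
                "https://api.example.com/static/app.js",
                "https://www.other.com/v1/users"]:
        print(url, in_scope_url(url, allow, deny))
```

Because * is "any characters" and the match is anchored, "*.example.com" covers every subdomain but not the bare apex "example.com"; list both if the apex is in scope.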
