Hacking using Web Proxies

About This Chapter

This is a 2+ hour hands-on masterclass featuring Justin Gardner and Gal Nagli. Justin is one of the world's top bug bounty hunters and host of the Critical Thinking podcast; he walks you through Caido from installation to real-world hacking.

Hacking with Web Proxies

Every HTTP request your browser makes can be intercepted, inspected, and modified. This is the foundation of web application hacking, and a web proxy such as Caido is the tool that makes it possible.

In this chapter, you'll learn how to use a web proxy to see exactly what's happening between your browser and a website, and how to manipulate that traffic to find vulnerabilities.

What You'll Learn:

- Setup: Installing Caido, certificates, browser configuration

- Core Features: HTTP History, Filters, Scope, Intercept, Replay, Automate

- Advanced: Match & Replace, Workflows, Wordlists

- Plugins: Shift, EvenBetter, Notes++, Param Finder

- Hack The Planet: Real vulnerability labs

The written content below is your reference guide - use it alongside the video.

What is a Web Proxy?

Normally, when you click a link or submit a form, your browser sends an HTTP request directly to the website's server. You see the pretty rendered page, but you never see the raw data being exchanged.

A web proxy sits between your browser and the internet:

Browser → Caido (Proxy) → Internet → Website

This allows you to:

- See every HTTP request and response in raw form

- Intercept requests before they're sent

- Modify parameters, headers, cookies—anything

- Replay requests with different values

- Automate brute-force attacks on parameters

This is how hackers find vulnerabilities like IDOR, authentication bypasses, and broken access controls.

Setting Up Caido

Step 1: Download and Install

Download Caido from caido.io and install the desktop app for your operating system.

Step 2: Create an Instance

1. Open Caido and click New Instance

2. Give it a name (e.g., "Bug Bounty")

3. Set the port to `8080` (standard proxy port)

4. Click Create

Step 3: Create an Account

Caido requires a free account for full features. Click Create Account, verify your email, then log in.

Step 4: Configure Your Browser

Option A: Use Caido's Built-in Browser (Easiest)

Click the browser icon in Caido to launch a pre-configured browser. No setup needed.

Option B: Use Your Normal Browser

1. Install a proxy extension like FoxyProxy

2. Configure it to route traffic through 127.0.0.1:8080

3. Download Caido's CA certificate (click the person icon → CA Certificate)

4. Install the certificate as a trusted root authority. Once that CA is trusted, Caido can decrypt every TLS connection the browser makes, so trust it only in the browser or profile you use for testing, never in the one you use for everyday browsing.

Step 5: Create a Project

Projects keep your work organized by target:

- Click Create Project

- Name it after your target (e.g., "Wiz", "Google", "Capital One")

- Switch between projects instantly from the top-left dropdown

Core Features

HTTP History

Where you'll spend most of your time.

HTTP History shows every request your browser makes while proxying through Caido:

- Request table - Lists all requests with method, host, path, status code

- Request/Response pane - Shows the raw HTTP data

- Pretty print / Raw / Preview - Different ways to view responses

Pro tip: Look for requests highlighted in red - these are top-level page navigations. Everything else is sub-resources (JavaScript, images, API calls).

HTTPQL (Filtering)

Modern websites generate hundreds of requests. HTTPQL lets you filter to what matters:

```text
# Only show requests to a specific host
req.host.cont:"api.example.com"

# Hide responses containing "try again"
resp.raw.ncont:"try again"

# Only show requests with specific status codes
resp.code.eq:200

# Filter by response length (useful for finding outliers)
resp.length.neq:4495
```

Save frequently-used filters as presets for quick access.

Scope

Scope defines which hosts you want to see. Set your target's domains as "in scope" to filter out noise from analytics, CDNs, and third-party services.

```text
# Example scope: anything with "wiz" in the hostname
wiz
```

Intercept

Intercept pauses requests before they're sent, allowing you to modify them in real-time:

1. Enable Intercept from the sidebar

2. Perform an action in your browser

3. The request appears in Caido - modify it

4. Click Forward to send, or Drop to cancel

Use cases:

- Change a `user_id` parameter to access another user's data

- Modify a `role` field from "user" to "admin"

- Test how the server handles unexpected input

Replay

Replay lets you resend requests with modifications without using the browser:

1. Right-click any request → Send to Replay

2. Modify parameters, headers, or body

3. Click Send to see the response

4. Use the back/forward buttons to compare responses

Pro tip: Rename your Replay tabs (e.g., "IDOR - user_id", "Auth Bypass Test") to stay organized.

Replay Collections

As you test, you'll accumulate many Replay tabs. Organize them:

- Collections - Group related requests (e.g., "Vulnerabilities", "Gadgets")

- Right-click → Move - Move tabs between collections

- Search - Find tabs by name, host, or path

Automate

Automate is Caido's brute-forcing tool. Use it to test many values against a parameter:

1. Right-click a request → Send to Automate

2. Highlight the value you want to fuzz

3. Click Mark (or press the hotkey)

4. Choose your payload source:

- Simple List - Enter values manually

- Numbers - Range of integers (e.g., 1-1000)

- Hosted File - Use an uploaded wordlist

5. Click Run

Example: Finding IDOR

```text
GET /api/users/§1§/profile
```

Mark the user ID, set Numbers from 1-100, and sort the results by status code and response length. Most responses will share one shape (for example a 403 or 404 of identical length); the ones that break from that pattern are the candidates. Open each candidate and confirm the body actually contains another user's data before calling it IDOR, and on a live target only use accounts you own or test identities the program has given you.
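The Automate loop above, as an added example in Python that is not part of the guide or Caido: payloads are substituted at the §...§ marker, each request goes through a pluggable `send` function, and responses are clustered by (status, length) so the ones that break from the dominant cluster surface. The target API (`api.example.com`, the user table, the session cookie) is a constructed stand-in so the script runs offline; `confirm_idor` shows the verification step the length comparison alone does not give you.

```python
"""A minimal Automate: substitute payloads into a marked request, send each
through a pluggable transport, and flag the responses that break from the
baseline. Added example for this guide, not Caido code. The target API is a
constructed stand-in so the script runs offline."""
from collections import Counter

MARK = "§"  # marker around the value to fuzz, as in the guide's example

# Constructed template: we are logged in as user 7 on a made-up API.
TEMPLATE = ("GET /api/users/§1§/profile HTTP/1.1\r\n"
            "Host: api.example.com\r\n"
            "Cookie: session=user7\r\n\r\n")

FAKE_USERS = {7: "jg", 12: "nagli", 31: "alice"}   # constructed user table
OWN_USER = "jg"


def expand(template, payload):
    """Replace the single §...§ marked value with the payload."""
    start = template.index(MARK)
    end = template.index(MARK, start + 1)
    return template[:start] + str(payload) + template[end + 1:]


def fake_send(raw):
    """Stand-in for the network: a broken API that never checks that the
    requested profile belongs to the session user (that is the IDOR)."""
    path = raw.split("\r\n", 1)[0].split(" ")[1]
    try:
        uid = int(path.split("/")[3])
    except (IndexError, ValueError):
        return 400, '{"error": "bad id"}'
    if uid not in FAKE_USERS:
        return 404, '{"error": "not found"}'
    name = FAKE_USERS[uid]
    return 200, f'{{"id": {uid}, "username": "{name}", "email": "{name}@example.com"}}'


def fuzz(template, payloads, send):
    """Run every payload; return {payload: (status, length, body)}."""
    results = {}
    for payload in payloads:
        status, body = send(expand(template, payload))
        results[payload] = (status, len(body), body)
    return results


def outliers(results):
    """Payloads whose (status, length) differs from the dominant cluster.
    The cluster is what 'not found' / 'forbidden' looks like for this
    endpoint; anything else is a candidate to open in Replay."""
    shapes = Counter((status, length) for status, length, _ in results.values())
    baseline = shapes.most_common(1)[0][0]
    return sorted(p for p, (status, length, _) in results.items()
                  if (status, length) != baseline)


def confirm_idor(results, own_username):
    """A different length is only a lead. IDOR is confirmed when a 200 body
    holds someone else's data, so check the content, not just the size."""
    return sorted(p for p, (status, _, body) in results.items()
                  if status == 200 and f'"username": "{own_username}"' not in body)


if __name__ == "__main__":
    res = fuzz(TEMPLATE, range(1, 41), fake_send)
    print("outliers:", outliers(res))          # 7, 12, 31 (7 is our own profile)
    print("confirmed:", confirm_idor(res, OWN_USER))
```

Swap `fake_send` for a function that opens a socket or uses an HTTP client (through the proxy, so the traffic still lands in HTTP History) and the rest is unchanged. The (status, length) clustering is exactly what sorting Automate's result table by length does by hand; `confirm_idor` is the step that keeps you from reporting your own profile as a finding.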

Files (Wordlists)

Upload wordlists for use in Automate:

1. Go to Files in the sidebar

2. Click Upload

3. Select your wordlist file

Recommended wordlists:

- Assetnote Wordlists - HTTP Archive directories and parameters

- SecLists - General-purpose fuzzing lists

Match & Replace

Automatically modify requests or responses as they flow through Caido:

Use cases:

- Change your `role` from "user" to "admin" on every request

- Remove security headers to test client-side behavior

- Add custom headers for testing

Important: Modifying your browser's view doesn't mean you found a vulnerability. The vulnerability exists only when the server returns data it shouldn't.
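The edits described under Intercept (swap a user ID in the path, flip a `role` field, change a cookie, add a header) and the rule-based rewriting that Match & Replace automates both come down to editing a raw HTTP request and re-serializing it correctly. As an added example in Python, not the guide's or Caido's code, here is that mechanism, including the Content-Length recalculation the proxy does for you silently. The sample request, host and session cookie are constructed.

```python
"""Edit a captured HTTP/1.1 request the way an Intercept edit or a
Match & Replace rule does, then re-serialize it with a correct Content-Length.
Added example for this guide, not Caido code."""
import json
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample request as it would appear in the Intercept pane.
# api.example.com, the path, the cookie and the JSON body are all made up.
SAMPLE_REQUEST = (
    "POST /api/users/123/profile?verbose=0 HTTP/1.1\r\n"
    "Host: api.example.com\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 33\r\n"
    "\r\n"
    '{"role": "user", "display": "jg"}'
)


def parse_request(raw):
    """Split a raw request into method/target/version, header pairs and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def serialize(req):
    """Rebuild the raw request. Content-Length is always recomputed: a stale
    value after a body edit makes the server truncate the body or hang
    waiting for bytes that never arrive."""
    body = req["body"].encode()
    headers = [(n, v) for n, v in req["headers"] if n.lower() != "content-length"]
    if body or req["method"] in ("POST", "PUT", "PATCH"):
        headers.append(("Content-Length", str(len(body))))
    head = f'{req["method"]} {req["target"]} {req["version"]}\r\n'
    head += "".join(f"{n}: {v}\r\n" for n, v in headers)
    return head + "\r\n" + body.decode()


def set_path_segment(req, old, new):
    """/api/users/123/profile -> /api/users/456/profile (IDOR test)."""
    parts = urlsplit(req["target"])
    path = "/".join(new if seg == old else seg for seg in parts.path.split("/"))
    req["target"] = urlunsplit(parts._replace(path=path))


def set_header(req, name, value):
    """Replace (or add) a header, matching the name case-insensitively."""
    req["headers"] = [(n, v) for n, v in req["headers"] if n.lower() != name.lower()]
    req["headers"].append((name, value))


def set_cookie(req, name, value):
    """Edit one cookie without disturbing the others in the Cookie header."""
    jar = {}
    for n, v in req["headers"]:
        if n.lower() == "cookie":
            for part in v.split(";"):
                key, _, val = part.strip().partition("=")
                jar[key] = val
    jar[name] = value
    set_header(req, "Cookie", "; ".join(f"{k}={v}" for k, v in jar.items()))


def set_json_field(req, field, value):
    """Change one field of a JSON body, e.g. "role": "user" -> "admin"."""
    data = json.loads(req["body"])
    data[field] = value
    req["body"] = json.dumps(data)


def edited_request():
    """The manual Intercept edits from the guide applied to the sample."""
    req = parse_request(SAMPLE_REQUEST)
    set_path_segment(req, "123", "456")          # another user's ID
    set_json_field(req, "role", "admin")         # privilege escalation probe
    set_cookie(req, "theme", "light")
    set_header(req, "X-Forwarded-For", "127.0.0.1")
    return serialize(req)


def apply_rules(raw, rules):
    """Match & Replace: apply (regex, replacement) rules to every request
    passing through, then fix Content-Length. Rules match the raw text, so
    anchor them tightly or they will rewrite the wrong field."""
    for pattern, replacement in rules:
        raw = re.sub(pattern, replacement, raw)
    return serialize(parse_request(raw))
```

`edited_request()` returns the request with the ID, role, cookie and extra header changed and `Content-Length: 34` in place of the original 33; `apply_rules(SAMPLE_REQUEST, [(r'"role": "user"', '"role": "admin"')])` does the role change the way a Match & Replace rule would on every request. In both cases the server's response, not the edited request, is what tells you whether anything is actually broken.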

Workflows

Workflows automate actions based on conditions:

- Passive Workflows - Run automatically on matching requests (e.g., highlight all requests to `/api/admin`)

- Convert Workflows - Transform requests (e.g., decode base64 parameters)

Essential Plugins

EvenBetter

UI improvements and quality-of-life features.

Notes++

Take notes with full context:

- Press `Shift+Cmd+N` (Mac) or `Shift+Win+N` (Windows) from Replay

- Your note automatically links to the current request

- Click the note later to jump back to that exact request

Param Finder

Discover hidden HTTP parameters:

1. Right-click a request → Plugins → Param Finder

2. Choose: Query params, Body params, or Headers

3. It brute-forces thousands of parameter names

4. Review findings for parameters that change the response
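The discovery loop Param Finder runs, as an added example in Python that is not the plugin's code: candidate names are sent in chunks, a chunk whose response differs from the baseline is split in half until the responsible names are isolated, and values that change on every response (CSRF tokens, timestamps) are masked before comparing. The target, its three undocumented parameters and the twelve-word list are constructed; a real run uses the wordlists named above. Passing an identity mask shows the failure mode: every name looks "live".

```python
"""Hidden-parameter discovery by response diffing, the technique behind tools
like Param Finder. Added example for this guide, not the plugin's code. The
target is a constructed stand-in and the wordlist is a tiny sample."""
import json
import re
from urllib.parse import parse_qsl, urlencode

# Constructed wordlist; a real run uses thousands of names (Assetnote, SecLists).
WORDLIST = ["id", "debug", "admin", "page", "sort", "lang",
            "preview", "token", "callback", "redirect", "format", "limit"]

# Values that change on every response (CSRF tokens, timestamps) must be
# masked before comparing, or every probe looks "different".
DYNAMIC = re.compile(r'"(csrf|ts)": "[^"]*"')


def normalize(body):
    return DYNAMIC.sub(r'"\1": "X"', body)


_calls = {"n": 0}


def fake_fetch(query):
    """Stand-in for GET /items?<query> on a made-up app. It honours three
    undocumented parameters and embeds a fresh CSRF token in every response."""
    params = dict(parse_qsl(query))
    _calls["n"] += 1
    page = {"items": ["a", "b", "c"], "csrf": f"tok{_calls['n']}"}
    if "debug" in params:
        page["sql"] = "SELECT * FROM items"          # verbose/debug leak
    if params.get("admin") == "1":
        page["items"].append("secret")               # hidden privilege switch
    if "limit" in params:
        page["items"] = page["items"][: int(params["limit"])]
    return json.dumps(page)


def discover(fetch, names, chunk=4, mask=normalize, value="1"):
    """Send names in chunks; a chunk whose masked response differs from the
    baseline is split in half until the responsible names are isolated.
    For k live parameters this costs about k*log(chunk) extra requests
    rather than one request per name."""
    baseline = mask(fetch(""))
    found = []

    def probe(group):
        if mask(fetch(urlencode({n: value for n in group}))) == baseline:
            return
        if len(group) == 1:
            found.append(group[0])
            return
        mid = len(group) // 2
        probe(group[:mid])
        probe(group[mid:])

    for i in range(0, len(names), chunk):
        probe(names[i:i + chunk])
    return sorted(found)


if __name__ == "__main__":
    print("masked:", discover(fake_fetch, WORDLIST))
    print("unmasked:", discover(fake_fetch, WORDLIST, mask=lambda b: b))
```

With the mask in place the run reports `admin`, `debug` and `limit`; with `mask=lambda b: b` the changing CSRF token makes every chunk differ and all twelve names come back as false positives, which is why step 4 above (reviewing what actually changed in the response) matters. Real targets also need the chunk size kept below the server's query-length and parameter-count limits, and a value other than `1` for parameters that only react to specific input.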

Labs to Practice

Complete these labs at labs.caido.io

1. HTTP Hunt Lottery - Use HTTP History to find hidden data

2. Too Many Requests - Use Filters to find the needle in the haystack

3. IDOR Lab - Use Replay and Automate to access other users' data

Key Takeaways

- See everything - HTTP History shows what's really happening

- Filter the noise - Use HTTPQL and Scope to focus on what matters

- Test with Replay - Modify and resend requests without the browser

- Automate at scale - Brute-force parameters with Automate

- Stay organized - Use Projects, Collections, and Notes

Fun Quiz

1. What is the primary purpose of a web proxy like Caido?

2. You intercept a request and change `user_id=123` to `user_id=456`. The page now shows user 456's data. Is this a vulnerability?

3. What Caido feature would you use to test 1,000 different user IDs for IDOR?

4. You're testing a website and HTTP History is flooded with analytics requests. What should you do?

5. What does the Param Finder plugin help you discover?