Thursday, July 4, 2024
Latest:
Linux serverlinux web serverNETWORK ADMINISTRATIONS

How to Hack Web Apps with Caido

https://jh.live/pwyc || Jump into Pay What You Can training at whatever cost makes sense for you! https://jh.live/pwyc

Learn Cybersecurity – Name Your Price Training with John Hammond: https://nameyourpricetraining.com

WATCH MORE:
Dark Web & Cybercrime Investigations: https://www.youtube.com/watch?v=_GD5mPN_URM&list=PL1H1sBF1VAKVmjZZr162aUNCt2Uy5ozAG&index=4
Malware & Hacker Tradecraft: https://www.youtube.com/watch?v=LKR8cdfKeGw&list=PL1H1sBF1VAKWMn_3QPddayIypbbITTGZv&index=5

📧JOIN MY NEWSLETTER ➡ https://jh.live/email
🙏SUPPORT THE CHANNEL ➡ https://jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ https://jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ https://jh.live/twitter ↔ https://jh.live/linkedin ↔ https://jh.live/discord ↔ https://jh.live/instagram ↔ https://jh.live/tiktok
💥 SEND ME MALWARE ➡ https://jh.live/malware
🔥YOUTUBE ALGORITHM ➡ Like, Comment, & Subscribe!

source

by John Hammond

linux web server

You May Also Like

10 AÇÕES QUE PAGARAM MAIS DIVIDENDOS NOS ULTIMOS 10 ANOS

Openstack APIs

My New Favorite Tool For Linux Privilege Escalation

45 thoughts on “How to Hack Web Apps with Caido

  • 4:39 These days, if you're not using Firefox, you are using Chrome, even if your browser isn't called Chrome

  • Just using their root ca certs eh? How does that not give you the heebie jeebies?

  • I thought I was ahead of the game with an idea like this… and it exist.. am sad now D:

    10/10 video as always

  • 🎯 Key Takeaways for quick navigation:

    00:00 Caido is a new web application security testing tool designed to help security professionals and enthusiasts audit web applications efficiently and easily.

    00:15 Similar to Burp Suite and ZAP, Caido is written in Rust, making it fast and easy to extend with new capabilities and features.

    00:43 Caido allows you to search through and filter web requests and provides a structured workspace for managing different projects.

    00:58 Caido can be run on a desktop app or hosted remotely using the command-line interface, supporting cross-platform use on Mac, Linux, and Windows.

    01:39 To use Caido, you need to log in, create an account, and then access the Caido dashboard to manage settings and documentation.

    02:46 After setting up a project in Caido, it helps organize your workspace and allows you to switch between different projects easily.

    03:28 Caido provides a tour to set up a CA certificate for HTTPS, which is easier than in similar tools like Burp Suite.

    05:33 Caido's site map and navigation tools allow you to explore and test applications, starting with a lab setup using a vulnerable web app like DVWA.

    07:09 The setup of DVWA for testing includes spinning up the app using Docker and logging in with simple credentials to create a sandbox environment for testing.

    08:04 Caido's proxy intercept functionality is similar to Burp Suite's, allowing manipulation of HTTP requests and responses.

    10:22 Caido's filters and HTTPQL search query language provide advanced options for filtering and searching through HTTP requests.

    11:18 Caido's intercept mode allows you to manipulate and forward HTTP requests, similar to Burp Suite's proxy functionality.

    13:27 Caido's replay functionality lets you send requests repeatedly, similar to Burp Suite's repeater, but with better organization and cloud-based saving.

    16:52 Caido's automate feature parallels Burp Suite's Intruder, allowing for automated testing and fuzzing of web application inputs.

    18:29 Caido's documentation is detailed and continuously updated, providing resources for using and extending the tool's capabilities.

    20:24 The workspace section allows adding custom files like dictionary word lists for brute forcing and recon.

    21:06 By uploading a word list, you can automate brute force attacks and see the status of each attempt, including response codes and lengths.

    21:34 Caido's automate section shows ongoing tasks, and you can pause, filter, and examine individual requests and responses.

    22:14 Filtering options help identify successful attempts by response length or status, and responses can be previewed in HTML format.

    23:24 Caido supports quick access to commands and keyboard shortcuts, enhancing efficiency in navigating and using the tool.

    24:21 Export functionality logs activities and integrates with chatbots like ChatGPT for additional insights.

    24:35 Workflows in Caido allow custom logic execution when specific events occur, with passive and active workflow options.

    25:17 Workflow creation is intuitive with a drag-and-drop interface, enabling complex automation like shell commands and data processing.

    26:57 Testing a workflow can automate repetitive tasks, such as creating custom word lists or injecting payloads for testing vulnerabilities.

    27:38 Caido tracks actions in real-time, and you can validate automation results by checking created files or logs.

    28:59 Community workflows are available for sharing and reusing automation scripts, enhancing collaborative security testing efforts.

    29:14 Caido's development roadmap and town halls keep users informed about upcoming features and improvements, fostering community engagement.

    29:56 Caido, though in beta, offers substantial functionality and continues to evolve, aiming to compete with established tools like Burp Suite and ZAP.

    30:38 Caido's integration with educational resources like Antisyphon Training and Black Hills Information Security provides valuable learning opportunities.

    Made with HARPA AI

  • I miss the days when John Hammond taught people stuff, instead of just shilling for the highest bidder.

  • I still can’t get over the time I yelled “omg is that John Hammond” at the flamingo court yard at defcon 31 😂 the dude looked exhausted from all the fan meets, saw him getting bombed at the red team village, I low key ran away after yelling that.

    Heard about Caido from the critical thinking pod, been using it daily and even took the cbbh using only caido. Lil sad the team recently limited the projects to two on the free version tho.

  • Ok, so it’s burpsuit but modern…

  • Dear John from 2 years ago, please write John from today a letter on sponsors.

  • With burpsuite being so well established, tried and tested and trusted by many cybersecurity experts; I really don’t see why anyone would opt for another closed source project. I believe that if Caido was FOSS, it could place itself as a community driven streamlined and expansible alternative to burpsuite. Competing directly against it? I’m not exactly sure where its place lies. People love re writing everything in Rust, and I’m sure there would be plentiful of donors for an open project that could rival PortSwiggers tool. Pretty neat and streamlined interface, nonetheless

  • The program is impressive, and it's clear that the developers have invested significant effort in making it user-friendly. Some of its small features surpass those of Burp Suite. However, it lacks the "wow" factor and doesn't quite convince me to switch from Burp to Caido. As John mentioned, it’s still in an early phase, so this may improve over time. I will definitely keep an eye on its development!

  • Wow another one of these within a week. I think at this point it's best if I unsub and randomly check the channel for good content. Still wishing the best for you John.

  • class Memory:
    def __init__(self):
    self.msg_count = 0
    self.snippet_count = 0
    self.history = []
    self.predicting_snippets = []

    def add_msg(self, msg):
    self.msg_count += 1
    self.history.append(msg)

    def add_snippet(self, snippet):
    self.snippet_count += 1
    self.predicting_snippets.append(snippet)

    def get_history(self):
    return self.history

    def get_predicting_snippets(self):
    return self.predicting_snippets

    def predict_next(memory, user_input):
    predicting_snippets = memory.get_predicting_snippets()
    for snippet in predicting_snippets:
    print(snippet)

    memory = Memory()
    user_input = "" # Initialize user_input with an empty string
    task_complete = False
    while not task_complete:
    predict_next(memory, user_input)
    user_input = input("User's response: ")
    memory.add_msg(user_input)
    if user_input == "end conversation":
    task_complete = True

    print("Total Messages:", memory.msg_count)
    print("Total Snippets:", memory.snippet_count)

  • Interesting seeing the devs in the comments section. Hope they don't get too much flak thrown at them for making a thing.

    People can get very testy for some reason, forgetting that the devs they speak of are also humans.

  • Damn it, never heard of this tool… I'm developing a similar tool in Rust also, probably using the same platform as Caido (Tauri?)… now I feel a bit discouraged to keep working on it. My idea was to do something similar, mixing Insomnia, Postman and Burp, all in one. Kinda same features, fuzzers, in-browser proxy like info gathering while exploring a target… I don't know, I use this project to learn Rust but seeing this I'm not so sure anymore

  • Rn burp is still way better then caido in my opinion maybe in the future I will change but for now burp has more functionality then caido and I find it better

  • I did see Tyler ramsbey using caido few weeks ago it's a amazing tools i had forgotten about it , thanks John for making video on cadio

  • Wow, this video was awful. hope this shit isn't a trend.

  • These video have become so corporate and shit, where is the real hacking.

  • Pricing model is very attracting for a freelancer like myself compared to Burp $450/year, I'll give it a try, but I'm still good with Burp.

  • GOD NO. I thought this looked cool at first but all your projects are saved to their cloud. which puts a lot of trust in caido always acting in good faith and never being compromised. I would advise everyone strongly against using this at least until their is an option to use it locally.

  • I miss the days when cyber security "content creators" actually made content that wasn't paid advertising.

  • Not digging the tool, but thanks for the video. Very informative

  • 22:12 Honestly, the fact that Caido still can't properly auto-encode URL payloads (the spaces in the password create an invalid HTTP request, resulting in the 400 error) should be more embarrassing to the devs. They are aware of this, and the fact it's not fixed after 3 years of development is kinda ridiculous.

  • "It's just an .msi file Super easy, just click next next next"

    The skeleton of Bob Thomas has entered the chat.

  • Keep in mind… any projects that you have will be viewable to the Caido team. It will be on their servers. I am not going to use a tool that lets other people see my project. Who knows what kind of data that they will be able to see. I will stick to my local version of Burp.

  • idk i cant see anything wich makes it better then Burb accept its looks, i guess its made with rust but if the GUI is slow it does not give me anymore then the other one (gonna stick with burp for now o / )

    its not all bad like i said rust is nice and its still in public beta but i dont like either that its cloud bound you cant use it without account i dont like that

    tho i like the GUI but it is quite slow on Linux

Comments are closed.