caido-mode

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Caido Mode Skill

Caido模式Skill

Overview

概述

Full-coverage CLI for Caido's API, built on the official

@caido/sdk-client

package. Covers:

HTTP History - Search, retrieve, replay, edit requests with HTTPQL
Replay & Sessions - Sessions, collections, entries, fuzzing
Scopes - Create and manage testing scopes (allowlist/denylist patterns)
Filter Presets - Save and reuse HTTPQL filter presets
Environments - Store test variables (victim IDs, tokens, etc.)
Findings - Create, list, update security findings
Tasks - Monitor and cancel background tasks
Projects - Switch between testing projects
Hosted Files - Manage files served by Caido
Intercept - Enable/disable request interception programmatically
Plugins - List installed plugins
Export - Convert requests to curl commands for PoCs
Health - Check Caido instance status

All traffic goes through Caido, so it appears in the UI for further analysis.

基于官方

@caido/sdk-client

包构建的全功能Caido API CLI，覆盖以下能力：

HTTP历史记录 - 使用HTTPQL搜索、查询、重放、编辑请求
重放与会话 - 会话、集合、条目、模糊测试
作用域 - 创建和管理测试作用域（允许/拒绝列表规则）
过滤器预设 - 保存和复用HTTPQL过滤器预设
环境 - 存储测试变量（受害者ID、令牌等）
漏洞发现结果 - 创建、列出、更新安全漏洞发现结果
任务 - 监控和取消后台任务
项目 - 在多个测试项目之间切换
托管文件 - 管理Caido提供的托管文件
拦截 - 程序化开启/关闭请求拦截
插件 - 列出已安装的插件
导出 - 将请求转换为curl命令用于PoC验证
健康检查 - 检查Caido实例运行状态

所有流量都会经过Caido，因此会在UI中展示便于进一步分析。

Why This Model?

为什么选择这个模式？

Cookies and auth tokens can be huge - session cookies, JWTs, CSRF tokens can easily be 1-2KB. Rather than manually copy-pasting:

Find an organic request in Caido's HTTP history that already has valid auth
Use
edit
to modify just what you need (path, method, body) while keeping all auth headers intact
Send it - response comes back with full context preserved

Cookie和身份验证令牌的体积通常很大——会话Cookie、JWT、CSRF令牌很容易达到1-2KB。无需手动复制粘贴：

在Caido的HTTP历史记录中找到已经带有有效身份验证信息的原生请求
使用
edit
命令仅修改你需要调整的部分（路径、方法、请求体），同时保留所有身份验证头不变
发送请求 - 返回的响应会保留完整上下文

Authentication Setup

身份验证设置

Setup (One-Time)

首次配置

Open Dashboard → Developer → Personal Access Tokens
Create a new token
Run:

bash

node ~/.claude/skills/caido-mode/caido-client.ts setup <your-pat>

打开控制面板 → 开发者 → 个人访问令牌
创建新令牌
运行：

bash

node ~/.claude/skills/caido-mode/caido-client.ts setup <your-pat>

Non-default Caido instance

非默认Caido实例配置

node ~/.claude/skills/caido-mode/caido-client.ts setup <pat> http://192.168.1.100:8080

Or set env var instead

也可以直接设置环境变量

export CAIDO_PAT=caido_xxxxx


The `setup` command validates the PAT via the SDK (which exchanges it for an access token), then saves both the PAT and the cached access token to `~/.claude/config/secrets.json`. Subsequent runs load the cached token directly, skipping the PAT exchange.

export CAIDO_PAT=caido_xxxxx


`setup`命令会通过SDK验证PAT（交换为访问令牌），然后将PAT和缓存的访问令牌都保存到`~/.claude/config/secrets.json`。后续运行会直接加载缓存的令牌，跳过PAT交换步骤。

Check Status

检查状态

bash

node ~/.claude/skills/caido-mode/caido-client.ts auth-status

bash

node ~/.claude/skills/caido-mode/caido-client.ts auth-status

How Auth Works

身份验证工作原理

The SDK uses a device code flow internally — the PAT auto-approves it and receives an access token + refresh token. A custom

SecretsTokenCache

(implementing the SDK's

TokenCache

interface) persists these tokens to secrets.json so they survive across CLI invocations.

Auth resolution:

CAIDO_PAT

env var →

secrets.json

PAT → error with setup instructions

SDK内部使用设备码流程——PAT会自动审批该流程并获取访问令牌+刷新令牌。自定义的

SecretsTokenCache

（实现了SDK的

TokenCache

接口）会将这些令牌持久化到secrets.json，因此在多次CLI调用之间令牌仍然有效。

身份验证优先级：

CAIDO_PAT

环境变量 →

secrets.json

中的PAT → 返回错误并提示配置指引

CLI Tool

CLI工具

Located at

~/.claude/skills/caido-mode/caido-client.ts

. All commands output JSON.

位于

~/.claude/skills/caido-mode/caido-client.ts

，所有命令输出为JSON格式。

HTTP History & Testing Commands

HTTP历史与测试命令

search - Search HTTP history with HTTPQL

search - 使用HTTPQL搜索HTTP历史记录

bash

node caido-client.ts search 'req.method.eq:"POST" AND resp.code.eq:200'
node caido-client.ts search 'req.host.cont:"api"' --limit 50
node caido-client.ts search 'req.path.cont:"/admin"' --ids-only
node caido-client.ts search 'resp.raw.cont:"password"' --after <cursor>

bash

node caido-client.ts search 'req.method.eq:"POST" AND resp.code.eq:200'
node caido-client.ts search 'req.host.cont:"api"' --limit 50
node caido-client.ts search 'req.path.cont:"/admin"' --ids-only
node caido-client.ts search 'resp.raw.cont:"password"' --after <cursor>

recent - Get recent requests

recent - 获取最近的请求

bash

node caido-client.ts recent
node caido-client.ts recent --limit 50

bash

node caido-client.ts recent
node caido-client.ts recent --limit 50

get / get-response - Retrieve full details

get / get-response - 查询完整详情

bash

node caido-client.ts get <request-id>
node caido-client.ts get <request-id> --headers-only
node caido-client.ts get-response <request-id>
node caido-client.ts get-response <request-id> --compact

bash

node caido-client.ts get <request-id>
node caido-client.ts get <request-id> --headers-only
node caido-client.ts get-response <request-id>
node caido-client.ts get-response <request-id> --compact

edit - Edit and replay (KEY FEATURE)

edit - 编辑并重放（核心功能）

Modifies an existing request while preserving all cookies/auth headers:

bash

undefined

修改现有请求，同时保留所有Cookie/身份验证头：

bash

undefined

Change path (IDOR testing)

修改路径（IDOR测试）

node caido-client.ts edit <id> --path /api/user/999

Change method and add body

修改方法并添加请求体

node caido-client.ts edit <id> --method POST --body '{"admin":true}'

Add/remove headers

添加/移除请求头

node caido-client.ts edit <id> --set-header "X-Forwarded-For: 127.0.0.1" node caido-client.ts edit <id> --remove-header "X-CSRF-Token"

Find/replace text anywhere in request

全局查找替换请求中的文本

node caido-client.ts edit <id> --replace "user123:::user456"

Combine multiple edits

组合多个编辑操作

node caido-client.ts edit <id> --method PUT --path /api/admin --body '{"role":"admin"}' --compact


| Option | Description |
|--------|-------------|
| `--method <METHOD>` | Change HTTP method |
| `--path <path>` | Change request path |
| `--set-header <Name: Value>` | Add or replace a header (repeatable) |
| `--remove-header <Name>` | Remove a header (repeatable) |
| `--body <content>` | Set request body (auto-updates Content-Length) |
| `--replace <from>:::<to>` | Find/replace text anywhere in request (repeatable) |

node caido-client.ts edit <id> --method PUT --path /api/admin --body '{"role":"admin"}' --compact


| 选项 | 描述 |
|--------|-------------|
| `--method <METHOD>` | 修改HTTP方法 |
| `--path <path>` | 修改请求路径 |
| `--set-header <Name: Value>` | 添加或替换请求头（可重复使用） |
| `--remove-header <Name>` | 移除请求头（可重复使用） |
| `--body <content>` | 设置请求体（自动更新Content-Length） |
| `--replace <from>:::<to>` | 全局查找替换请求中的文本（可重复使用） |

replay / send-raw - Send requests

replay / send-raw - 发送请求

bash

undefined

bash

undefined

Replay as-is

原样重放

node caido-client.ts replay <request-id>

Replay with custom raw

使用自定义原始请求重放

node caido-client.ts replay <id> --raw "GET /modified HTTP/1.1\r\nHost: example.com\r\n\r\n"

Send completely custom request

发送完全自定义的请求

node caido-client.ts send-raw --host example.com --port 443 --tls --raw "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

undefined

node caido-client.ts send-raw --host example.com --port 443 --tls --raw "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

undefined

export-curl - Convert to curl for PoCs

export-curl - 转换为curl命令用于PoC验证

bash

node caido-client.ts export-curl <request-id>

Outputs a ready-to-use curl command with all headers and body.

bash

node caido-client.ts export-curl <request-id>

输出开箱可用的curl命令，包含所有请求头和请求体。

Replay Sessions & Collections

重放会话与集合

Sessions

会话

bash

undefined

bash

undefined

Create replay session from an existing request

从现有请求创建重放会话

node caido-client.ts create-session <request-id>

ALWAYS rename sessions for easy identification in Caido UI

务必重命名会话，便于在Caido UI中识别

node caido-client.ts rename-session <session-id> "idor-user-profile"

List all replay sessions

列出所有重放会话

node caido-client.ts replay-sessions node caido-client.ts replay-sessions --limit 50

Delete replay sessions

删除重放会话

node caido-client.ts delete-sessions <session-id-1>,<session-id-2>

undefined

node caido-client.ts delete-sessions <session-id-1>,<session-id-2>

undefined

Collections

集合

Organize replay sessions into collections:

bash

undefined

将重放会话整理到集合中：

bash

undefined

List replay collections

列出重放集合

node caido-client.ts replay-collections node caido-client.ts replay-collections --limit 50

Create a collection

创建集合

node caido-client.ts create-collection "IDOR Testing"

Rename a collection

重命名集合

node caido-client.ts rename-collection <collection-id> "Auth Bypass Tests"

Delete a collection

删除集合

node caido-client.ts delete-collection <collection-id>

undefined

node caido-client.ts delete-collection <collection-id>

undefined

Fuzzing

模糊测试

bash

undefined

bash

undefined

Create automate session for fuzzing

创建用于模糊测试的自动化会话

node caido-client.ts create-automate-session <request-id>

Start fuzzing (configure payloads and markers in Caido UI first)

启动模糊测试（需先在Caido UI中配置payload和标记位）

node caido-client.ts fuzz <session-id>

---

node caido-client.ts fuzz <session-id>

---

Scope Management

作用域管理

Define what's in scope for your testing. Uses glob patterns.

bash

undefined

定义测试的覆盖范围，使用glob规则匹配。

bash

undefined

List all scopes

列出所有作用域

node caido-client.ts scopes

Create scope with allowlist and denylist

创建包含允许列表和拒绝列表的作用域

node caido-client.ts create-scope "Target Corp" --allow ".target.com,.target.io" --deny "*.cdn.target.com"

Update scope

更新作用域

node caido-client.ts update-scope <scope-id> --allow ".target.com,.api.target.com"

Delete scope

删除作用域

node caido-client.ts delete-scope <scope-id>


**Glob patterns:** `*.example.com` matches any subdomain of example.com.

---

node caido-client.ts delete-scope <scope-id>


**Glob规则说明：** `*.example.com`匹配example.com的所有子域名。

---

Filter Presets

过滤器预设

Save frequently used HTTPQL queries as named presets.

bash

undefined

将常用的HTTPQL查询保存为命名预设。

bash

undefined

List saved filters

列出已保存的过滤器

node caido-client.ts filters

Create filter preset

创建过滤器预设

node caido-client.ts create-filter "API Errors" --query 'req.path.cont:"/api/" AND resp.code.gte:400' node caido-client.ts create-filter "Auth Endpoints" --query 'req.path.regex:"/(login|auth|oauth)/"' --alias "auth"

Update filter

更新过滤器

node caido-client.ts update-filter <filter-id> --query 'req.path.cont:"/api/" AND resp.code.gte:500'

Delete filter

删除过滤器

node caido-client.ts delete-filter <filter-id>

---

node caido-client.ts delete-filter <filter-id>

---

Environment Variables

环境变量

Store testing variables that persist across sessions. Great for IDOR testing with multiple user IDs.

bash

undefined

存储跨会话持久化的测试变量，非常适合多用户ID的IDOR测试场景。

bash

undefined

List environments

列出所有环境

node caido-client.ts envs

Create environment

创建环境

node caido-client.ts create-env "IDOR-Test"

Set variables

设置变量

node caido-client.ts env-set <env-id> victim_user_id "user_456" node caido-client.ts env-set <env-id> attacker_token "eyJhbG..."

Select active environment

选择活跃环境

node caido-client.ts select-env <env-id>

Deselect environment

取消选择环境

node caido-client.ts select-env

Delete environment

删除环境

node caido-client.ts delete-env <env-id>

---

node caido-client.ts delete-env <env-id>

---

Findings

漏洞发现结果

Create, list, and update security findings. Shows up in Caido's Findings tab.

bash

undefined

创建、列出、更新安全漏洞发现结果，会在Caido的Findings标签页展示。

bash

undefined

List all findings

列出所有漏洞发现结果

node caido-client.ts findings node caido-client.ts findings --limit 50

Get a specific finding

获取指定漏洞详情

node caido-client.ts get-finding <finding-id>

Create finding linked to a request

创建关联到请求的漏洞发现结果

node caido-client.ts create-finding <request-id>
--title "IDOR in user profile endpoint"
--description "Can access other users' profiles by changing ID parameter"
--reporter "rez0"

With deduplication key (prevents duplicates)

配置去重键（避免重复上报）

node caido-client.ts create-finding <request-id>
--title "Auth bypass on /admin"
--dedupe-key "admin-auth-bypass"

Update finding

更新漏洞发现结果

node caido-client.ts update-finding <finding-id>
--title "Updated title"
--description "Updated description"

---

node caido-client.ts update-finding <finding-id>
--title "Updated title"
--description "Updated description"

---

Tasks

任务

Monitor and cancel background tasks (imports, exports, etc.).

bash

undefined

监控和取消后台任务（导入、导出等）。

bash

undefined

List all tasks

列出所有任务

node caido-client.ts tasks

Cancel a running task

取消运行中的任务

node caido-client.ts cancel-task <task-id>

---

node caido-client.ts cancel-task <task-id>

---

Project Management

项目管理

bash

undefined

bash

undefined

List all projects

列出所有项目

node caido-client.ts projects

Switch active project

切换活跃项目

node caido-client.ts select-project <project-id>

---

node caido-client.ts select-project <project-id>

---

Hosted Files

托管文件

bash

undefined

bash

undefined

List hosted files

列出托管文件

node caido-client.ts hosted-files

Delete hosted file

删除托管文件

node caido-client.ts delete-hosted-file <file-id>

---

node caido-client.ts delete-hosted-file <file-id>

---

Intercept Control

拦截控制

bash

undefined

bash

undefined

Check intercept status

检查拦截状态

node caido-client.ts intercept-status

Enable/disable interception

开启/关闭拦截

node caido-client.ts intercept-enable node caido-client.ts intercept-disable

---

node caido-client.ts intercept-enable node caido-client.ts intercept-disable

---

Info, Health & Plugins

信息、健康检查与插件

bash

undefined

bash

undefined

Current user info

当前用户信息

node caido-client.ts viewer

List installed plugins

列出已安装插件

node caido-client.ts plugins

Check Caido instance health (version, ready state)

检查Caido实例健康状态（版本、就绪状态）

node caido-client.ts health

---

node caido-client.ts health

---

Output Control

输出控制

Works with

get

get-response

replay

edit

send-raw

Flag	Description
`--max-body <n>`	Max response body lines (default: 200, 0=unlimited)
`--max-body-chars <n>`	Max body chars (default: 5000, 0=unlimited)
`--no-request`	Skip request raw in output
`--headers-only`	Only HTTP headers, no body
`--compact`	Shorthand: `--no-request --max-body 50 --max-body-chars 5000`

适用于

get

、

get-response

、

replay

、

edit

、

send-raw

命令：

标志	描述
`--max-body <n>`	响应体最大展示行数（默认：200，0=无限制）
`--max-body-chars <n>`	响应体最大展示字符数（默认：5000，0=无限制）
`--no-request`	输出中省略原始请求内容
`--headers-only`	仅展示HTTP头，不展示请求/响应体
`--compact`	简写标志：等价于 `--no-request --max-body 50 --max-body-chars 5000`

HTTPQL Reference

HTTPQL参考

Caido's query language for searching HTTP history.

CRITICAL: String values MUST be quoted. Integer values are NOT quoted.

Caido用于搜索HTTP历史记录的查询语言。

重要注意事项： 字符串值必须加引号，整数值不需要加引号。

Namespaces and Fields

命名空间与字段

Namespace	Field	Type	Description
`req`	`ext`	string	File extension (includes `.` )
`req`	`host`	string	Hostname
`req`	`method`	string	HTTP method (uppercase)
`req`	`path`	string	URL path
`req`	`query`	string	Query string
`req`	`raw`	string	Full raw request
`req`	`port`	int	Port number
`req`	`len`	int	Request body length
`req`	`created_at`	date	Creation timestamp
`req`	`tls`	bool	Is HTTPS
`resp`	`raw`	string	Full raw response
`resp`	`code`	int	Status code
`resp`	`len`	int	Response body length
`resp`	`roundtrip`	int	Roundtrip time (ms)
`row`	`id`	int	Request ID
`source`	-	special	`"intercept"` , `"replay"` , `"automate"` , `"workflow"`
`preset`	-	special	Filter preset reference

命名空间	字段	类型	描述
`req`	`ext`	string	文件扩展名（包含 `.` ）
`req`	`host`	string	主机名
`req`	`method`	string	HTTP方法（大写）
`req`	`path`	string	URL路径
`req`	`query`	string	查询字符串
`req`	`raw`	string	完整原始请求
`req`	`port`	int	端口号
`req`	`len`	int	请求体长度
`req`	`created_at`	date	创建时间戳
`req`	`tls`	bool	是否为HTTPS请求
`resp`	`raw`	string	完整原始响应
`resp`	`code`	int	响应状态码
`resp`	`len`	int	响应体长度
`resp`	`roundtrip`	int	往返耗时（毫秒）
`row`	`id`	int	请求ID
`source`	-	特殊字段	可选值 `"intercept"` 、 `"replay"` 、 `"automate"` 、 `"workflow"`
`preset`	-	特殊字段	过滤器预设引用

Operators

操作符

String:

eq

ne

cont

ncont

like

nlike

regex

nregex

Integer:

eq

ne

gt

gte

lt

lte

Boolean:

eq

ne

Logical:

AND

OR

, parentheses for grouping

字符串操作符：

eq

、

ne

、

cont

、

ncont

、

like

、

nlike

、

regex

、

nregex

整数操作符：

eq

、

ne

、

gt

、

gte

、

lt

、

lte

布尔操作符：

eq

、

ne

逻辑操作符：

AND

、

OR

，可使用括号分组

Example Queries

查询示例

httpql

undefined

httpql

undefined

POST requests with 200 responses

返回200状态的POST请求

req.method.eq:"POST" AND resp.code.eq:200

API requests

API相关请求

req.host.cont:"api" OR req.path.cont:"/api/"

Standalone string searches both req and resp

同时搜索请求和响应中的敏感字符串

"password" OR "secret" OR "api_key"

Error responses

错误响应

resp.code.gte:400 AND resp.code.lt:500

Large responses (potential data exposure)

大体积响应（潜在数据泄露）

resp.len.gt:100000

Slow endpoints

慢响应接口

resp.roundtrip.gt:5000

Auth endpoints by regex

正则匹配身份认证相关接口

req.path.regex:"/(login|auth|signin|oauth)/"

Replay/automate traffic only

仅展示重放/自动化测试产生的流量

source:"replay" OR source:"automate"

Date filtering

日期过滤

req.created_at.gt:"2024-01-01T00:00:00Z"

---

req.created_at.gt:"2024-01-01T00:00:00Z"

---

SDK Architecture

SDK架构

This CLI is built on

@caido/sdk-client

v0.1.4+, using a clean multi-file architecture:

caido-client.ts          # CLI entry point — arg parsing + command dispatch
lib/
  client.ts              # SDK Client singleton, SecretsTokenCache, auth config
  graphql.ts             # gql documents for features not yet in SDK
  output.ts              # Output formatting (truncation, headers-only, raw→curl)
  types.ts               # Shared types (OutputOpts)
  commands/
    requests.ts          # search, recent, get, get-response, export-curl
    replay.ts            # replay, send-raw, edit, sessions, collections, automate, fuzz
    findings.ts          # findings, get-finding, create-finding, update-finding
    management.ts        # scopes, filters, environments, projects, hosted-files, tasks
    intercept.ts         # intercept-status, intercept-enable, intercept-disable
    info.ts              # viewer, plugins, health, setup, auth-status

本CLI基于

@caido/sdk-client

v0.1.4+版本构建，采用清晰的多文件架构：

caido-client.ts          # CLI入口 — 参数解析 + 命令分发
lib/
  client.ts              # SDK Client单例、SecretsTokenCache、身份验证配置
  graphql.ts             # 尚未接入SDK的功能对应的gql语句
  output.ts              # 输出格式化（截断、仅展示头、原始请求转curl）
  types.ts               # 共享类型定义（OutputOpts）
  commands/
    requests.ts          # search、recent、get、get-response、export-curl
    replay.ts            # replay、send-raw、edit、sessions、collections、automate、fuzz
    findings.ts          # findings、get-finding、create-finding、update-finding
    management.ts        # scopes、filters、environments、projects、hosted-files、tasks
    intercept.ts         # intercept-status、intercept-enable、intercept-disable
    info.ts              # viewer、plugins、health、setup、auth-status

SDK Coverage

SDK覆盖范围

Most features use the high-level SDK directly:

SDK Method	Commands
`client.request.list()` , `.get()`	search, recent, get, get-response, export-curl
`client.replay.sessions.*`	create-session, replay-sessions, rename-session, delete-sessions
`client.replay.collections.*`	replay-collections, create-collection, rename-collection, delete-collection
`client.replay.send()`	replay, send-raw, edit
`client.finding.*`	findings, get-finding, create-finding, update-finding
`client.scope.*`	scopes, create-scope, update-scope, delete-scope
`client.filter.*`	filters, create-filter, update-filter, delete-filter
`client.environment.*`	envs, create-env, select-env, env-set, delete-env
`client.project.*`	projects, select-project
`client.hostedFile.*`	hosted-files, delete-hosted-file
`client.task.*`	tasks, cancel-task
`client.user.viewer()`	viewer
`client.health()`	health

Features not yet in the high-level SDK use

client.graphql.query()

client.graphql.mutation()

with

gql

tagged templates from

graphql-tag

. This is the proper SDK approach (typed documents through urql) — no raw fetch anywhere.

GraphQL Document	Commands
`INTERCEPT_OPTIONS_QUERY`	intercept-status
`PAUSE_INTERCEPT` / `RESUME_INTERCEPT`	intercept-enable, intercept-disable
`PLUGIN_PACKAGES_QUERY`	plugins
`CREATE_AUTOMATE_SESSION`	create-automate-session
`GET_AUTOMATE_SESSION`	fuzz (verify session)
`START_AUTOMATE_TASK`	fuzz (start task)

大多数功能直接使用高阶SDK实现：

SDK方法	对应命令
`client.request.list()` , `.get()`	search、recent、get、get-response、export-curl
`client.replay.sessions.*`	create-session、replay-sessions、rename-session、delete-sessions
`client.replay.collections.*`	replay-collections、create-collection、rename-collection、delete-collection
`client.replay.send()`	replay、send-raw、edit
`client.finding.*`	findings、get-finding、create-finding、update-finding
`client.scope.*`	scopes、create-scope、update-scope、delete-scope
`client.filter.*`	filters、create-filter、update-filter、delete-filter
`client.environment.*`	envs、create-env、select-env、env-set、delete-env
`client.project.*`	projects、select-project
`client.hostedFile.*`	hosted-files、delete-hosted-file
`client.task.*`	tasks、cancel-task
`client.user.viewer()`	viewer
`client.health()`	health

尚未接入高阶SDK的功能使用

client.graphql.query()

client.graphql.mutation()

配合

graphql-tag

提供的

gql

标签模板实现，这是官方推荐的SDK使用方式（通过urql实现类型化请求）——全程未使用原始fetch请求。

GraphQL语句	对应命令
`INTERCEPT_OPTIONS_QUERY`	intercept-status
`PAUSE_INTERCEPT` / `RESUME_INTERCEPT`	intercept-enable、intercept-disable
`PLUGIN_PACKAGES_QUERY`	plugins
`CREATE_AUTOMATE_SESSION`	create-automate-session
`GET_AUTOMATE_SESSION`	fuzz（验证会话）
`START_AUTOMATE_TASK`	fuzz（启动任务）

Workflow Examples

工作流示例

1. IDOR Testing (Primary Pattern)

1. IDOR测试（核心使用场景）

bash

undefined

bash

undefined

Find authenticated request

查找带身份验证的请求

node caido-client.ts search 'req.path.cont:"/api/user"' --limit 10

Create scope

创建作用域

node caido-client.ts create-scope "IDOR-Test" --allow "*.target.com"

Create environment for test data

创建测试数据环境

node caido-client.ts create-env "IDOR-Test" node caido-client.ts env-set <env-id> victim_id "user_999"

Test IDOR by changing user ID

修改用户ID测试IDOR漏洞

node caido-client.ts edit <request-id> --path /api/user/999

Mark as finding if it works

如果漏洞存在则创建漏洞记录

node caido-client.ts create-finding <request-id> --title "IDOR on /api/user/:id"

Export curl for PoC

导出curl命令用于PoC验证

node caido-client.ts export-curl <request-id>

undefined

node caido-client.ts export-curl <request-id>

undefined

2. Privilege Escalation Testing

2. 权限提升测试

bash

node caido-client.ts search 'req.path.cont:"/admin"' --limit 10
node caido-client.ts edit <id> --path /api/admin/users --method GET
node caido-client.ts edit <id> --method POST --body '{"role":"admin"}'

bash

node caido-client.ts search 'req.path.cont:"/admin"' --limit 10
node caido-client.ts edit <id> --path /api/admin/users --method GET
node caido-client.ts edit <id> --method POST --body '{"role":"admin"}'

3. Header Bypass Testing

3. 请求头绕过测试

bash

node caido-client.ts edit <id> --set-header "X-Forwarded-For: 127.0.0.1"
node caido-client.ts edit <id> --set-header "X-Original-URL: /admin"
node caido-client.ts edit <id> --remove-header "X-CSRF-Token"

bash

node caido-client.ts edit <id> --set-header "X-Forwarded-For: 127.0.0.1"
node caido-client.ts edit <id> --set-header "X-Original-URL: /admin"
node caido-client.ts edit <id> --remove-header "X-CSRF-Token"

4. Fuzzing with Automate

4. 自动化模糊测试

bash

node caido-client.ts create-automate-session <request-id>

bash

node caido-client.ts create-automate-session <request-id>

Configure payload markers and wordlists in Caido UI

在Caido UI中配置payload标记位和字典

node caido-client.ts fuzz <session-id>

undefined

node caido-client.ts fuzz <session-id>

undefined

5. Filter + Analyze Pattern

5. 过滤+分析模式

bash

undefined

bash

undefined

Save useful filters

保存常用过滤器

node caido-client.ts create-filter "API 4xx" --query 'req.path.cont:"/api/" AND resp.code.gte:400 AND resp.code.lt:500' node caido-client.ts create-filter "Large Responses" --query 'resp.len.gt:100000' node caido-client.ts create-filter "Sensitive Data" --query '"password" OR "secret" OR "api_key" OR "token"'

Quick search using preset alias

使用预设别名快速搜索

node caido-client.ts search 'preset:"API 4xx"' --limit 20

---

node caido-client.ts search 'preset:"API 4xx"' --limit 20

---

Instructions for Claude

给Claude的使用指引

PREFER
edit
OVER
replay --raw
- preserves cookies/auth automatically
Workflow: Search → find request with valid auth → use that ID for all tests via
```
edit
```
Don't dump raw requests into context - use
```
--compact
```
or
```
--headers-only
```
when exploring
Always check auth first:
```
health
```
to verify connection, then
```
recent --limit 1
```
ALWAYS NAME REPLAY TABS:
```
rename-session <id> "idor-user-profile"
```
Create findings for anything interesting - they show up in Caido's Findings tab
Use
export-curl
when building PoCs for reports
Create filter presets for recurring searches to save typing
Use environments to store test data (victim IDs, tokens, etc.)
Output is JSON - parse response fields as needed

优先使用
edit
而非
replay --raw
- 可自动保留Cookie/身份验证信息
标准工作流：搜索 → 找到带有效身份验证的请求 → 使用该请求ID通过
```
edit
```
命令执行所有测试
不要将原始请求直接存入上下文 - 探索阶段使用
```
--compact
```
或
```
--headers-only
```
参数
始终优先检查身份验证状态：先执行
```
health
```
验证连接，再执行
```
recent --limit 1
```
务必命名重放标签页：执行
```
rename-session <id> "idor-user-profile"
```
所有有价值的发现都要创建漏洞记录 - 会同步到Caido的Findings标签页
编写报告PoC时使用
export-curl
为高频搜索创建过滤器预设，减少重复输入
使用环境变量存储测试数据（受害者ID、令牌等）
输出为JSON格式 - 可按需解析响应字段

Performance & Context Optimization

性能与上下文优化

```
search
```
/
```
recent
```
omit
```
raw
```
field (~200 bytes per request, safe for 100+)
```
get
```
fetches
```
raw
```
(~5-20KB per request, fetch only what you need)
Use
```
--limit
```
aggressively (start with 5-10)
Use
```
--compact
```
flag for quick exploration
Filter server-side with HTTPQL, not client-side

```
search
```
/
```
recent
```
命令默认省略
```
raw
```
字段（每个请求约节省200字节，可安全返回100+条结果）
```
get
```
命令会拉取
```
raw
```
字段（每个请求约5-20KB，仅按需拉取）
尽量使用
```
--limit
```
限制返回数量（初始查询建议设为5-10）
快速探索时使用
```
--compact
```
标志
优先使用HTTPQL在服务端过滤，而非客户端过滤

Error Handling

错误处理

Auth errors: Run

node caido-client.ts auth-status

to check, re-setup with

node caido-client.ts setup <pat>

Connection refused: Caido not running →
```
node caido-client.ts health
```
InstanceNotReadyError: Caido is starting up, wait and retry

身份验证错误：运行

node caido-client.ts auth-status

检查状态，重新执行

node caido-client.ts setup <pat>

配置

连接被拒绝：Caido未运行 → 执行
```
node caido-client.ts health
```
检查
InstanceNotReadyError：Caido正在启动，请等待后重试