[HackerNotes Ep. 138] Caido Tools and Workflows

In this episode: Rhyno talks about Caido tools, workflows and gives us a list of some of the Caido tools that have caught his interest + how he’s using them to find bugs.

Author

Yujilik
September 18, 2025

Hacker TL;DR

  • Integrating AI microagents into your workflow with Shift Agents: create domain-specific agents that can run autonomous tests while you work on other things. The better you are at creating those microagents the easier your life become as tools like Gemini, Claude and GPT get better and better.

  • Automate session management with the Auto Session Refresher: workflow that passively monitors authentication cookies/tokens, extracts and stores them as environment variables, then dynamically updates your replay requests, eliminating manual session refreshing during long testing sessions

  • Enhance collaboration with Drop: plugin for sharing objects (requests, rules, replay tabs, scopes) directly between Caido instances, maintaining security (your messages are PGP encrypted) while simplifying collaboration between your hacking mates.

Hackernotes;

This episode covers some productivity enhancing features and plugins for Caido that can improve your hacking workflow. While the content is Caido focused, many concepts could inspire similar implementations in other proxying tools like Burp or ZAP. This week’s episode was quick and so will be this HackerNotes, enjoy!

EvenBetter - Command Palette and Common Filters

The EvenBetter plugin introduces quite a lot of cool features and improvements to Caido, so Justin decided to improve it by adding a time filter there so you can quickly filter for requests made in a certain period of time, so you get more relevant results when you search for stuff.

The second feature he added integrates convert workflows into Caido's command palette (accessible via Ctrl+K). You can quickly apply them to selected text from any context, for example, if you need to base64 encode a string, you can highlight the text, press Ctrl+K, type "C" followed by the name of your encode workflow, and it will transform the text immediately. If you're in an editable context like the Replay tab, it modifies the text in place. If you’re not in an editable environment it copies the result directly to your clipboard, which is quite handy.

You can toggle both of these EvenBetter features on the EvenBetter menu:

Notes++ - Quick Notes

The Notes++ plugin improves the note-taking experience in Caido a lot. Win+Shift+N opens a note input dialog from anywhere in Caido. When you find something interesting you can trigger this shortcut, write down your observation and that’s it. Checking the “attach current context” button logs exactly what you were looking at when you made the note and adds a clickable context to it, allowing you to jump back to whatever you were looking at later.

Shift Agents - AI Automationn

A TLDR for what Shift Agents is: AI micro agent framework in Caido that has all it needs to perform any actions on your behalf, all you have to do is tell it to test X Y Z and it will do it. Just be specific with what you want and you won’t have any problems with it. Rez0 did a quick demo in Ep 136, and here’s a clip of Shift (unintentionally) finding an XSS in Caido itself:

The workflow for using Shift Agents is straightforward:

  • Open a Replay tab with the request you want to analyse

  • Open the agent side window and provide your system prompt

  • Add just-in-time instructions

  • Delegate the Replay tab to the AI

  • Continue your work while the agent runs tests

  • Review findings or examine what the agent did in your replay session

Rhyno shared a cool story with a domain restriction bypass microagent he created. When testing for open redirects he delegated the task to Shift, which automatically ran through a set of tests including regex bypasses, "ends with" checks, URL parsing issues, and Unicode normalisation tests. Shift discovered a vulnerability using the @ sign prefix in URLs and then created a finding with the details.

Justin said that he spends less than $7 on AI costs using OpenRouter with Gemini while getting meaningful results, GPT5 is getting better at hacking so Shift is probably going to get even better as a natural consequence.

AI microagents are not perfect as of now, but the prompts you develop can be ported to future AI systems, so the investment in creating good system prompts now will pay dividends as AI capabilities improve. It doesn’t matter what you’re using to build your microagents, we’re recommending Shift because we built it and we use it on a daily basis. The important thing is: if you’re not actively trying to integrate AI into your workflow, you’re definitely behind.

Drop - Secure Collaboration for Hackers

Drop is a collaboration plugin designed to simplify sharing objects between Caido users. It's end-to-end encrypted using PGP, allowing hackers to securely share various Caido objects including match and replace rules, replay tabs, HTTP requests, scopes, and filters.

The setup process is simple: import your friend's PGP public key into Drop, and then you can share objects directly from within Caido. Most Caido objects have a Drop button somewhere; clicking it and selecting a recipient immediately sends the object to their Caido instance.

Justin did a quick demo when he released it a few months ago:

Auto Session Refresher

This workflow solves the common issue of session expiration during testing. It works by:

  • Creating a passive workflow that monitors HTTP history for specific authentication cookies or tokens

  • Automatically extracting these values and storing them in Caido environment variables

  • Using these environment variables as placeholders in replay requests

With this setup, your replay requests always use the most recent session values, eliminating the need to manually refresh sessions or create new replay tabs when sessions expire. The template for this workflow is available at caido.rhynorater.com under the “Session Monitor” lab.

Top-Level Navigation Highlighter

Now shipped natively with Caido, this passive workflow uses Sec-Fetch headers to highlight top-level navigations in the HTTP history. This makes it a lot easier to identify page loads versus background requests in your traffic history, making it much faster to orient yourself in the traffic history. To activate it, simply enable the passive workflow in Caido workflows settings.

RPC IDs Case Study with Caido Workflows

Rhyno was dealing with an application that used obfuscated RPC IDs instead of human friendly endpoint paths. These six-digit alphanumeric strings made the application difficult to understand since all requests went to the same path with different RPC IDs. However, he discovered that JavaScript files contained mappings between these IDs and human-readable names, though not in a straightforward format.

He created an advanced workflow solution that:

  • Used a passive workflow to automatically scan JavaScript files for the RPC ID mappings using regex

  • Extracted these mappings and stored them in Caido environment variables

  • Created a match and replace rule that identified requests containing RPC IDs

  • Used a convert workflow as the replacer, which extracted the RPC ID from the request, cross-referenced it with the stored mappings, and added a query parameter with the human-readable path

This allowed him to view modified requests in search with the human-readable paths added as parameters, making the application flow much more understandable. This 15 minute investment in automation with helping him discover an IDOR that earned a $20,000 bounty. The vulnerability was in plain sight but had been missed by others due to the obfuscation.

That’s it for the week,

and as always, keep hacking!