Caido is a modern web security proxy built for speed and day-to-day usability. If you’re coming from tools like Burp or ZAP, the core workflow will feel familiar—intercept traffic, inspect requests/responses, replay and mutate calls—but Caido’s UI and plugin ecosystem make it feel more like a streamlined “security workbench” than a collection of panels.

Everything in this post assumes authorized testing only (bug bounty scope, your own systems, or explicit permission).

What Caido does (the short version)

At its core, Caido sits between your client (browser/app) and the target:

  • Proxy + Intercept: capture and modify traffic live
  • HTTP History: browse and filter everything you’ve touched
  • Replay: resend requests quickly while changing parameters/headers/body
  • Match & Replace: automate edits (tokens, headers, test payloads)
  • Scope + Sitemap: keep your focus on what actually matters
  • Findings: document issues with reproducible steps

Where Caido really starts to shine is when you add plugins to match your workflow.

Plugins: the “toolbox” approach

Plugins are add-ons that appear as first-class tools in the sidebar. They’re designed to reduce friction for common tasks—parameter discovery, token analysis, authorization testing, SSRF proof, and more.

Below are the plugins I use most often and what they’re good for.

QuickSSRF

QuickSSRF is for SSRF testing where you want clean out-of-band (OOB) proof. It generates unique callback URLs and tracks interactions like DNS/HTTP hits, which is perfect for confirming “the server actually made a request.”

Typical use cases:

  • webhook “test URL” fields
  • link preview / unfurl features
  • PDF rendering services that fetch remote assets
  • integrations that fetch data from a user-supplied URL
# Example idea: generate a unique SSRF callback URL (conceptually)
echo "Use the generated OOB URL in the target parameter and watch for DNS/HTTP hits."

Param Finder

Param Finder helps discover hidden or unexpected parameters—query, body, and sometimes headers—that can change application behavior. This is great when you’re mapping an app and want to find “extra knobs” without guessing manually.

What it’s good for:

  • alternate parameter names (legacy or mobile vs web)
  • feature flags and toggles
  • debug parameters
  • endpoints that behave differently with one extra field
# Manual workflow example: take a request, then systematically try candidate parameters
echo "Replay request -> add candidate params -> compare responses"

EventBetter

Some applications are event-heavy (streams, event endpoints, lots of small calls). EventBetter aims to make that traffic easier to work with—better visibility, filtering, or ergonomics depending on the plugin version.

Why it helps:

  • reduces noise when an app “chatters”
  • makes it easier to follow the flow during dynamic UIs

403 Bypasser (access control validation)

This plugin is useful for quickly validating whether a 403 is truly enforced or only blocked by a superficial check. In practice, this supports access control assessment (still within scope and responsibly).

Good for:

  • confirming whether a path is protected consistently
  • quickly trying common request variations (headers/path patterns) to test enforcement
# Responsible framing: you’re validating enforcement, not “teaching bypass”
echo "Test variations -> confirm consistent 403 enforcement -> document behavior"

RetireJS Scanner

RetireJS Scanner flags potentially outdated/vulnerable JavaScript libraries. It’s a fast signal, not a guaranteed vulnerability—but it’s useful for triage and prioritization.

How I use it:

  • treat findings as “leads”
  • verify exploitability in context (version alone isn’t enough)
  • check where the library is actually used (reachable code paths matter)

JWT Analyzer

JWT Analyzer makes JWTs painless: decode, view claims, check expiry, inspect header/algorithm, and understand how the token changes across flows.

Great for:

  • debugging auth flows
  • spotting overly-trusting claims
  • validating token rotation behavior
  • quickly comparing tokens between users/sessions
# Common practical step: inspect token expiry and claims before/after an action
echo "Capture JWT -> decode -> compare -> replay with controlled changes (if allowed)"

Autorize

Autorize supports systematic authorization testing: “Does user A see something user B should not?” It encourages clean comparisons across identities/sessions, which is exactly what you want for IDOR/Broken Access Control checks.

Best used with:

  • a stable baseline request
  • clearly separated sessions (different cookies/tokens)
  • consistent response comparison

Scanner

Caido scanners (plugin-based) typically provide rule/signature-style checks. I treat this as a “radar”: useful to surface suspicious patterns early, but never a substitute for manual verification.

Workflows Store

Workflows Store is all about repeatability—saving and reusing sequences of actions. If you do bug bounty work regularly, this is one of those “compounding returns” plugins: less click-work, more consistency.

YesWeCaido and Shift

These are the productivity/QoL category: small improvements that make day-to-day testing smoother. Once you adapt your muscle memory to a few shortcuts and better navigation, you spend more time thinking and less time fighting the UI.

A simple day-to-day workflow

Here’s a realistic loop that works well in Caido:

  1. Set Scope early to avoid noise
  2. Use HTTP History to tag and group key flows
  3. Run Param Finder to widen the input surface
  4. Use QuickSSRF when any feature fetches URLs remotely
  5. For auth: JWT Analyzer + Autorize
  6. Use RetireJS Scanner as a quick frontend triage signal
  7. Write up verified issues as Findings with clear reproduction steps

Closing thoughts

Caido’s core proxy features are solid—but the real advantage is how quickly you can move from “I saw a request” to “I tested it systematically and documented proof.” Plugins are what turn Caido into a tailored toolkit for your exact workflow.