diff --git a/.agents/skills/grill-me/SKILL.md b/.agents/skills/grill-me/SKILL.md new file mode 100644 index 00000000..bd04394c --- /dev/null +++ b/.agents/skills/grill-me/SKILL.md @@ -0,0 +1,10 @@ +--- +name: grill-me +description: Interview the user relentlessly about a plan or design until reaching shared understanding, resolving each branch of the decision tree. Use when user wants to stress-test a plan, get grilled on their design, or mentions "grill me". +--- + +Interview me relentlessly about every aspect of this plan until we reach a shared understanding. Walk down each branch of the design tree, resolving dependencies between decisions one-by-one. For each question, provide your recommended answer. + +Ask the questions one at a time. + +If a question can be answered by exploring the codebase, explore the codebase instead. diff --git a/.vitepress/components/Navbar.vue b/.vitepress/components/Navbar.vue index 6def1572..dd1e75c3 100644 --- a/.vitepress/components/Navbar.vue +++ b/.vitepress/components/Navbar.vue @@ -3,7 +3,7 @@ import { useRoute } from "vitepress"; import type { DefaultTheme } from "vitepress"; import { computed } from "vue"; -import { appNavbar, dashboardNavbar } from "../navbars"; +import { appNavbar, burpSuiteNavbar, dashboardNavbar } from "../navbars"; const route = useRoute(); @@ -17,6 +17,10 @@ const navItemsWithLinks = computed(() => { return dashboardNavbar.filter( (item): item is DefaultTheme.NavItemWithLink => "link" in item, ); + } else if (route.path.startsWith("/burp-suite/")) { + return burpSuiteNavbar.filter( + (item): item is DefaultTheme.NavItemWithLink => "link" in item, + ); } return []; }); diff --git a/.vitepress/config.mts b/.vitepress/config.mts index 8052ffc3..bc7515f6 100644 --- a/.vitepress/config.mts +++ b/.vitepress/config.mts @@ -4,8 +4,8 @@ import llmstxt from "vitepress-plugin-llms"; import type { DefaultTheme } from "vitepress"; import MermaidExample from "./mermaid"; -import { appNavbar, dashboardNavbar } from "./navbars"; -import { appSidebars, dashboardSidebars } from "./sidebars"; +import { appNavbar, burpSuiteNavbar, dashboardNavbar } from "./navbars"; +import { appSidebars, burpSuiteSidebars, dashboardSidebars } from "./sidebars"; // https://vitepress.dev/reference/site-config export default defineConfig({ @@ -78,6 +78,15 @@ export default defineConfig({ items: dashboardNavbar, }, }, + { + component: "NavItem", + props: { + text: "Migrating from Burp Suite", + link: "/burp-suite/core/overview", + activeMatch: "^/burp-suite(/|$)", + items: burpSuiteNavbar, + }, + }, { component: "NavItem", props: { @@ -98,6 +107,8 @@ export default defineConfig({ "/dashboard/quickstart/": dashboardSidebars.quickstartSidebar, "/dashboard/guides/": dashboardSidebars.guidesSidebar, "/dashboard/concepts/": dashboardSidebars.conceptsSidebar, + "/burp-suite/core/": burpSuiteSidebars.coreSidebar, + "/burp-suite/extensibility/": burpSuiteSidebars.extensibilitySidebar, }, outline: { diff --git a/.vitepress/navbars/burp-suite.ts b/.vitepress/navbars/burp-suite.ts new file mode 100644 index 00000000..13c17408 --- /dev/null +++ b/.vitepress/navbars/burp-suite.ts @@ -0,0 +1,6 @@ +import type { DefaultTheme } from "vitepress"; + +export const burpSuiteNavbar: DefaultTheme.NavItemWithLink[] = [ + { text: "Core", link: "/burp-suite/core/overview" }, + { text: "Extensibility", link: "/burp-suite/extensibility/overview" }, +]; diff --git a/.vitepress/navbars/index.ts b/.vitepress/navbars/index.ts index 4fdfc4dd..b828c772 100644 --- a/.vitepress/navbars/index.ts +++ b/.vitepress/navbars/index.ts @@ -1,2 +1,3 @@ export * from "./app"; +export * from "./burp-suite"; export * from "./dashboard"; diff --git a/.vitepress/sidebars/app/reference.ts b/.vitepress/sidebars/app/reference.ts index 14d43140..67a8ca21 100644 --- a/.vitepress/sidebars/app/reference.ts +++ b/.vitepress/sidebars/app/reference.ts @@ -9,8 +9,8 @@ export const referenceSidebar: DefaultTheme.SidebarItem[] = [ link: "/app/reference/", }, { - text: "Burp Suite vs Caido", - link: "/app/reference/burp_vs_caido", + text: "Migrating from Burp Suite", + link: "/burp-suite/core/overview", }, { text: "CLI Options", diff --git a/.vitepress/sidebars/burp-suite/core.ts b/.vitepress/sidebars/burp-suite/core.ts new file mode 100644 index 00000000..11277e63 --- /dev/null +++ b/.vitepress/sidebars/burp-suite/core.ts @@ -0,0 +1,20 @@ +import type { DefaultTheme } from "vitepress"; + +export const coreSidebar: DefaultTheme.SidebarItem[] = [ + { + text: "Core", + items: [ + { text: "Overview", link: "/burp-suite/core/overview" }, + { text: "Browser & Setup", link: "/burp-suite/core/browser-and-setup" }, + { + text: "Project & Configuration", + link: "/burp-suite/core/project-and-configuration", + }, + { text: "Target & Scope", link: "/burp-suite/core/target-and-scope" }, + { text: "Tools", link: "/burp-suite/core/tools" }, + { text: "AI", link: "/burp-suite/core/ai" }, + { text: "Scans", link: "/burp-suite/core/scans" }, + { text: "Reporting", link: "/burp-suite/core/reporting" }, + ], + }, +]; diff --git a/.vitepress/sidebars/burp-suite/extensibility.ts b/.vitepress/sidebars/burp-suite/extensibility.ts new file mode 100644 index 00000000..17336fcc --- /dev/null +++ b/.vitepress/sidebars/burp-suite/extensibility.ts @@ -0,0 +1,16 @@ +import type { DefaultTheme } from "vitepress"; + +export const extensibilitySidebar: DefaultTheme.SidebarItem[] = [ + { + text: "Extensibility", + items: [ + { text: "Overview", link: "/burp-suite/extensibility/overview" }, + { text: "Extensions", link: "/burp-suite/extensibility/extensions" }, + { text: "Bambdas", link: "/burp-suite/extensibility/bambdas" }, + { + text: "Custom Scan Checks", + link: "/burp-suite/extensibility/custom-scan-checks", + }, + ], + }, +]; diff --git a/.vitepress/sidebars/burp-suite/index.ts b/.vitepress/sidebars/burp-suite/index.ts new file mode 100644 index 00000000..f300f00f --- /dev/null +++ b/.vitepress/sidebars/burp-suite/index.ts @@ -0,0 +1,2 @@ +export * from "./core"; +export * from "./extensibility"; diff --git a/.vitepress/sidebars/index.ts b/.vitepress/sidebars/index.ts index bdd913a9..c061c214 100644 --- a/.vitepress/sidebars/index.ts +++ b/.vitepress/sidebars/index.ts @@ -1,2 +1,3 @@ export * as appSidebars from "./app"; +export * as burpSuiteSidebars from "./burp-suite"; export * as dashboardSidebars from "./dashboard"; diff --git a/render.yaml b/render.yaml index e20ece89..f8b98be0 100644 --- a/render.yaml +++ b/render.yaml @@ -50,6 +50,12 @@ services: - type: redirect source: /troubleshooting/* destination: /app/troubleshooting/* + - type: redirect + source: /app/reference/burp_vs_caido + destination: /burp-suite/core/overview + - type: redirect + source: /app/reference/burp_vs_caido.html + destination: /burp-suite/core/overview domains: - docs.caido.io envVars: diff --git a/src/app/reference/burp_vs_caido.md b/src/app/reference/burp_vs_caido.md index 08d8f871..5f200851 100644 --- a/src/app/reference/burp_vs_caido.md +++ b/src/app/reference/burp_vs_caido.md @@ -1,73 +1,3 @@ --- -description: "A side-by-side reference of common Burp Suite features and where to find their counterparts in Caido." +redirect: /burp-suite/core/overview --- - -# Burp Suite vs Caido - -This page provides a mapping of Burp Suite features to their counterparts in Caido. - -## Tools - -| Burp Suite | Caido | -|------------|-------| -| Dashboard | [Plugins](/app/quickstart/plugins.md) | -| Target | [Sitemap](/app/quickstart/sitemap.md)/[Scopes](/app/quickstart/scopes.md)/[Findings](/app/quickstart/findings.md) | -| Burp's browser | [Using a Preconfigured Browser](/app/guides/preconfigured_browser.md) | -| Proxy | [Intercept](/app/quickstart/intercept.md)/[HTTP History](/app/quickstart/http_history.md)/[WS History](/app/quickstart/ws_history.md)/[Match & Replace](/app/quickstart/match_replace.md) | -| Scanner | [Scanner](https://github.com/caido-community/scanner) | -| Intruder | [Automate](/app/quickstart/automate.md) | -| Repeater | [Replay](/app/quickstart/replay.md) | -| Decoder | [Convert Workflows](/app/concepts/workflows_intro.md#convert-workflows) | -| Comparer | [Compare](https://github.com/amrelsagaei/Compare) | -| Logger | [Search](/app/quickstart/search.md)/[Cerebrum](https://github.com/DewSecOff/Caido-Plugin-Cerebrum) | -| Collaborator | [QuickSSRF](https://github.com/caido-community/quickssrf)/[OmniOAST](https://github.com/hahwul/OmniOAST) | -| Search | [HTTPQL](/app/reference/httpql.md) | -| Organizer | [Findings](/app/quickstart/findings.md) | -| Filter settings | [Filters](/app/quickstart/filters.md) | - -## Extensions - -::: info -The functionality of many Burp Suite Bambdas, custom scan checks, and extensions can be implemented using [workflows](http://localhost:5173/app/concepts/workflows_intro.html) in Caido or by [defining checks for the Scanner plugin](https://github.com/caido-community/scanner#check-definition). -::: - -| Burp Suite | Caido | -|------------|-------| -| Param Miner | [ParamFinder](https://github.com/bebiksior/ParamFinder) | -| JWT Editor | [JWT Analyzer](https://github.com/amrelsagaei/JWT-Analyzer) | -| JS Miner | [Data Grep](https://github.com/caido-community/data-grep) | -| Active Scan++ | [Scanner: Custom Checks](https://github.com/caido-community/scanner#check-definition) | -| Content Type Converter | [Convert Tools](https://github.com/caido-community/convert-tools) | -| Logger++ | [Search](/app/guides/search_filtering.md) | -| Hackvertor | [Convert Workflows](/app/concepts/workflows_intro.html#convert-workflows) | -| 403 Bypasser | [403Bypasser](https://github.com/bebiksior/Caido403Bypasser) | -| InQL | [GraphQL Analyzer](https://github.com/amrelsagaei/GraphQL-Analyzer) | -| Autorize/Auth Analyzer | [Autorize](https://github.com/caido-community/autorize) | -| Auth Analyzer | [Authify](https://github.com/saltify7/Authify) | -| Bypass WAF| [Passive Workflows](/app/concepts/workflows_intro.html#passive-workflows) | -| Reflected Parameters | [Passive Workflows](/app/concepts/workflows_intro.html#passive-workflows) | -| Sensitive Discoverer | [Passive Workflows](/app/concepts/workflows_intro.html#passive-workflows) | -| Additional Scanner Checks | [Scanner: Custom Checks](https://github.com/caido-community/scanner#check-definition)/[Passive Workflows](/app/concepts/workflows_intro.html#passive-workflows) | -| CORS*, Additional CORS Checks | [Scanner: Custom Checks](https://github.com/caido-community/scanner#check-definition)/[Passive Workflows](/app/concepts/workflows_intro.html#passive-workflows) | -| Request Minimizer | [Squash](https://github.com/evanconnelly/squash) | -| Add Custom Header | [Add a Header Workflow](/app/tutorials/add_header.md) | -| CSP Auditor | [CSP Auditor](https://github.com/GangGreenTemperTatum/csp-auditor) | -| AuthMatrix | [AuthMatrix](https://github.com/caido-community/authmatrix) | -| AWS Signer | [Resign AWS Requests Workflow](/app/tutorials/aws_signature.md) | -| Notes | [Notes++](https://github.com/caido-community/NotesPlusPlus) | -| YesWeBurp | [YesWeCaido](https://github.com/yeswehack/yeswecaido) | -| Burp Share Requests | [Drop](https://github.com/caido-community/drop) | - -## AI - -| Burp Suite | Caido | -|------------|-------| -| Using Burp AI in Repeater | [Shift](https://github.com/caido-community/shift) | -| Generating AI-powered explanations | [Prompting the Assistant to Explain Requests](/app/guides/assistant_explain.md) | -| Automating tasks with custom actions | [Shift](https://github.com/caido-community/shift) | - -::: tip Additional Caido AI Plugins - -- [Chatio](https://github.com/amrelsagaei/Chatio) -- [Ebka AI Assistant](https://github.com/Slonser/Ebka-Caido-AI) -::: diff --git a/src/burp-suite/core/ai.md b/src/burp-suite/core/ai.md new file mode 100644 index 00000000..ca16513c --- /dev/null +++ b/src/burp-suite/core/ai.md @@ -0,0 +1,74 @@ +--- +description: "Map Burp Suite Pro AI features to Caido AI plugins." +--- + +# Burp AI + +Burp Suite Pro AI features and their Caido equivalents. + +## Available + +### Generating AI-powered explanations + +Burp can generate natural-language explanations of HTTP requests and responses from Repeater. + +Caido offers the **Chatio** and **Shift** community plugins to explain and analyze HTTP traffic in natural language. **Chatio** provides a dedicated chat interface for security-focused Q&A; **Shift** adds in-context explanations and analysis on requests in **Replay**. + +#### Resources + +- [Chatio](https://github.com/caido-community/Chatio) (GitHub) +- [Shift](https://github.com/caido-community/shift) (GitHub) +- [Shift Tutorial](/app/tutorials/shift.md) + +### Using Burp AI in Repeater + +In Burp, AI actions run directly inside Repeater tabs to modify or analyze the current request. + +Caido offers the **Shift** plugin for AI-assisted request editing alongside native **Replay**. Shift provides in-context AI actions on requests, similar to Burp AI in Repeater. + +#### Resources + +- [Shift](https://github.com/caido-community/shift) (GitHub) +- [Shift Tutorial](/app/tutorials/shift.md) +- [Replay](/app/quickstart/replay.md) + +## Indirectly Available + +### Burp AI + +Burp AI is PortSwigger's built-in assistant for explaining requests, suggesting payloads, and running custom actions inside Repeater. + +Caido does not ship a single bundled AI product like Burp AI. Use **Shift** (including **Shift Agents** for autonomous background tasks) and **Chatio** for explanations, payload suggestions, and request editing. Each plugin manages its own API keys rather than a central credits system. + +#### Resources + +- [Shift](https://github.com/caido-community/shift) (GitHub) +- [Shift Tutorial](/app/tutorials/shift.md) +- [Chatio](https://github.com/caido-community/Chatio) (GitHub) + +### Automating tasks with custom actions + +Burp AI custom actions automate repetitive Repeater tasks with prompts and predefined workflows. + +Caido offers **Shift Agents** to assign autonomous background tasks to a model, and **Shift** custom prompts for repeatable AI actions on requests. Caido also covers non-AI repetitive task automation through native **Workflows** and **Automate**. + +#### Resources + +- [Shift Tutorial](/app/tutorials/shift.md) +- [Shift](https://github.com/caido-community/shift) (GitHub) +- [Workflows](/app/quickstart/workflows.md) +- [Automate](/app/quickstart/automate.md) + +## Not Available + +### AI credits + +Burp tracks AI usage through a credits system tied to your PortSwigger subscription. + +Caido has no central AI credits system. AI plugins such as **Shift** and **Chatio** use your own API keys (OpenAI, Anthropic, etc.) or plugin-specific billing configured in each plugin's settings. + +#### Resources + +- [Shift Tutorial](/app/tutorials/shift.md) +- [Shift](https://github.com/caido-community/shift) (GitHub) +- [Chatio](https://github.com/caido-community/Chatio) (GitHub) diff --git a/src/burp-suite/core/browser-and-setup.md b/src/burp-suite/core/browser-and-setup.md new file mode 100644 index 00000000..ac588adc --- /dev/null +++ b/src/burp-suite/core/browser-and-setup.md @@ -0,0 +1,85 @@ +--- +description: "Map Burp Suite Pro browser, mobile, and setup features to Caido." +--- + +# Browser & Setup + +Burp Suite Pro browser integration, transport, and setup features and their Caido equivalents. + +## Available + +### Testing mobile applications + +Burp proxies traffic from iOS and Android devices through the intercepting proxy. + +Caido supports proxying mobile device traffic the same way as Burp: install Caido's CA certificate on the device and point the proxy settings to your Caido instance. Caido supports mobile proxying natively through its listening proxy. + +#### Resources + +- [Setup](/app/quickstart/setup.md) +- [Managing CA Certificates](/app/guides/ca_certificate_managing.md) +- [Importing CA Certificates](/app/guides/ca_certificate_importing.md) +- [Android Introduction Tutorial](/app/tutorials/android_introduction.md) + +### External browser configuration + +Burp lets you use a system browser other than its embedded browser with the proxy. + +Caido supports using a **preconfigured browser** or manually set any browser's proxy to point at Caido. Caido does not require its own embedded browser for proxy testing. + +#### Resources + +- [Using a Preconfigured Browser](/app/guides/preconfigured_browser.md) +- [FoxyProxy Guide](/app/guides/foxyproxy.md) +- [ZeroOmega Guide](/app/guides/zeroomega.md) + +### Invisible proxying + +Burp forwards non-proxy-aware clients through the proxy without explicit proxy configuration. + +Caido offers an **Invisible Proxy** setup to intercept traffic from clients that cannot be configured to use an explicit proxy. This requires network-level forwarding similar to Burp's invisible proxying mode. + +#### Resources + +- [Invisible Proxy Tutorial](/app/tutorials/invisible_proxy.md) +- [Invisible Proxying Guide](/app/guides/invisible_proxying.md) + +### Managing CA certificates + +Burp lets you install and manage its CA certificate for intercepting HTTPS traffic. + +Caido lets you export and install its CA certificate from **Settings → Network → TLS**. Certificate management is built into Caido's network settings rather than a separate Burp-style CA tool tab. + +#### Resources + +- [Setup](/app/quickstart/setup.md) +- [Managing CA Certificates](/app/guides/ca_certificate_managing.md) +- [Importing CA Certificates](/app/guides/ca_certificate_importing.md) + +## Indirectly Available + +### Burp's browser + +Burp ships a Chromium-based browser preconfigured to proxy through Burp with DOM Invader integration. + +Caido supports configuring a **preconfigured browser** to proxy through Caido automatically. The **PwnFox** plugin integrates multi-profile Firefox containers for parallel sessions. Caido does not ship an embedded browser with DOM testing integration like Burp's browser; pair a system browser with **DOMLogger++** for partial DOM sink monitoring. + +#### Resources + +- [Using a Preconfigured Browser](/app/guides/preconfigured_browser.md) +- [Setup](/app/quickstart/setup.md) +- [PwnFox](https://github.com/caido-community/pwnfox) (GitHub) +- [DOMLogger++](https://github.com/kevin-mizu/domloggerpp-caido) (GitHub) + +## Not Available + +### Testing with HTTP/2 + +Burp lets you send and manipulate HTTP/2 requests, including exclusive attacks. + +Caido does not support HTTP/2 in the intercepting proxy or in **Replay**. Traffic is handled over HTTP/1.1; HTTP/2-specific testing and attacks are not available in Caido today. + +#### Resources + +- [Replay](/app/quickstart/replay.md) +- [Intercept](/app/quickstart/intercept.md) diff --git a/src/burp-suite/core/overview.md b/src/burp-suite/core/overview.md new file mode 100644 index 00000000..05ece5fd --- /dev/null +++ b/src/burp-suite/core/overview.md @@ -0,0 +1,29 @@ +--- +description: "Map Burp Suite Pro built-in features to Caido." +--- + +# Core + +This section maps **Burp Suite Pro** built-in tools and product features to Caido. + +## How to use this section + +1. **Search by Burp name** — Use the site search or your browser's find-in-page for the Burp feature you used (for example, `Intruder`, `HTTP history`, or `Collaborator`). +2. **Open the matching page** — Pick the page that best fits what you used in Burp. New to Caido? Start with [Browser & Setup](/burp-suite/core/browser-and-setup), then [Tools](/burp-suite/core/tools). +3. **Read the mapping** — Entries are grouped under **Available**, **Indirectly Available**, and **Not Available**. Each entry explains the Caido equivalent, how it differs from Burp, and links under **Resources**. + +::: tip New to Caido? +After finding your equivalents, continue with the [Application quickstart](/app/quickstart/). +::: + +## Pages + +- **[Browser & Setup](/burp-suite/core/browser-and-setup)** — Browser, mobile, proxy, and TLS setup. +- **[Project & Configuration](/burp-suite/core/project-and-configuration)** — Project files, sessions, macros, and saved configuration. +- **[Target & Scope](/burp-suite/core/target-and-scope)** — Site map, scope, and target management. +- **[Tools](/burp-suite/core/tools)** — Proxy, Repeater, Intruder, Decoder, Collaborator, Logger, and other Burp tools. +- **[AI](/burp-suite/core/ai)** — Burp AI features and Caido AI plugins (Shift, Chatio). +- **[Scans](/burp-suite/core/scans)** — Scanner, live tasks, and scan operations. +- **[Reporting](/burp-suite/core/reporting)** — Exporting findings and reports. + +Looking for BApps, Bambdas, or custom scan checks? See [Extensibility](/burp-suite/extensibility/overview). diff --git a/src/burp-suite/core/project-and-configuration.md b/src/burp-suite/core/project-and-configuration.md new file mode 100644 index 00000000..07823ab1 --- /dev/null +++ b/src/burp-suite/core/project-and-configuration.md @@ -0,0 +1,66 @@ +--- +description: "Map Burp Suite Pro project files and configuration to Caido." +--- + +# Project & Configuration + +Burp Suite Pro project files, session handling, and configuration features and their Caido equivalents. + +## Available + +### Project files + +Burp saves and restores project state including traffic, site map, and configuration. + +Caido offers native **Workspaces** to manage projects and persist traffic, scope, and configuration within an instance. Caido also exports traffic separately through **Exports** when you need portable data outside the workspace. + +#### Resources + +- [Workspace](/app/quickstart/workspace.md) +- [Exports](/app/quickstart/exports.md) +- [Recovering Projects](/app/guides/projects_recovering.md) +- [Project Backups](/app/guides/projects_backups.md) + +## Indirectly Available + +### Session handling rules + +Burp automatically modifies requests based on session state using macros and rules. + +Caido has no native session handling rule engine like Burp. Caido supports session and identity switching through **Environment Variables** (store tokens and credentials per context), **Workflows** (inject or refresh values on traffic), and **Match & Replace** rules (swap headers or cookies when rules are enabled). The **Authswap** community plugin adds quick switching between authentication contexts during manual testing. This covers many Burp session workflows but requires explicit setup rather than Burp's integrated macros and rules. + +#### Resources + +- [Environment Variables](/app/quickstart/environment.md) +- [Workflows](/app/quickstart/workflows.md) +- [Match & Replace](/app/quickstart/match_replace.md) +- [Refresh Authentication Tutorial](/app/tutorials/refresh_authentication.md) +- [Authswap](https://github.com/caido-community/authswap) (GitHub) + +### Macros + +Burp records sequences of requests and replays them to maintain session state. + +Caido offers **Workflows** as the equivalent for defining sequences of actions—such as sending requests, transforming traffic, or chaining steps based on responses. You build workflows in the editor rather than recording a macro, but they cover the same multi-step automation use cases as Burp macros. + +#### Resources + +- [Workflows](/app/quickstart/workflows.md) +- [Creating Workflows](/app/guides/workflows_creating.md) +- [Refresh Authentication Tutorial](/app/tutorials/refresh_authentication.md) + +### Configuration library + +Burp exports specific settings as shareable configuration files and saves configuration profiles for reuse across projects. + +Caido has no unified configuration library like Burp. Instead, many feature pages offer their own export so you can save settings to disk, version-control them, and import them into new projects—workflows, filters, scopes, match-and-replace rules, and environment variables, each from its own interface. Some objects, such as **global workflows**, are available across all projects in an instance by default; switch a workflow to project-specific scope when you want it limited to one workspace. + +#### Resources + +- [Workflows](/app/quickstart/workflows.md) +- [Creating Workflows](/app/guides/workflows_creating.md) +- [Filters](/app/quickstart/filters.md) +- [Scopes](/app/quickstart/scopes.md) +- [Match & Replace](/app/quickstart/match_replace.md) +- [Environment Variables](/app/quickstart/environment.md) +- [Workspace](/app/quickstart/workspace.md) diff --git a/src/burp-suite/core/reporting.md b/src/burp-suite/core/reporting.md new file mode 100644 index 00000000..1da4c73d --- /dev/null +++ b/src/burp-suite/core/reporting.md @@ -0,0 +1,22 @@ +--- +description: "Map Burp Suite Pro reporting features to Caido." +--- + +# Reporting + +Burp Suite Pro reporting and export features and their Caido equivalents. + +## Indirectly Available + +### Generating a report + +Burp exports scan results and findings as formatted HTML or XML reports. + +Caido tracks issues in native **Findings** and exports raw traffic data through **Exports**. Caido does not ship formatted HTML or XML report generation like Burp; use **Findings** for issue tracking, **Exports** for external reporting tools, or the **Notify** plugin to push findings to notification platforms. + +#### Resources + +- [Findings](/app/quickstart/findings.md) +- [Exports](/app/quickstart/exports.md) +- [Exporting Requests](/app/guides/exports_requests.md) +- [Notify](https://github.com/MDGDSS/caido-notify) (GitHub) diff --git a/src/burp-suite/core/scans.md b/src/burp-suite/core/scans.md new file mode 100644 index 00000000..e7615346 --- /dev/null +++ b/src/burp-suite/core/scans.md @@ -0,0 +1,107 @@ +--- +description: "Map Burp Suite Pro Scanner and scan operations to Caido." +--- + +# Scans + +Burp Suite Pro Scanner, live tasks, and scan operations and their Caido equivalents. + +## Available + +### Scanner + +Burp includes an automated vulnerability scanner for passive and active testing. + +Caido offers the community **Scanner** plugin for automated vulnerability scanning in Caido. Active and passive scanning is provided by this plugin and can be extended with custom checks. + +#### Resources + +- [Scanner](https://github.com/caido-community/scanner) (GitHub) +- [Scanner Tutorial](/app/tutorials/scanner.md) + +### Configuring scans + +Burp lets you adjust scan speed, insertion points, and audit checks for Scanner. + +Caido lets you configure scan behavior through the **Scanner** plugin's custom check definitions and native **Workflows**. Check selection is plugin- and workflow-specific rather than a unified scan configuration UI. + +#### Resources + +- [Scanner: Custom Checks](https://github.com/caido-community/scanner#check-definition) (GitHub) +- [Workflows](/app/quickstart/workflows.md) + +### Running scans + +Burp launches full crawl-and-audit or targeted scans against web applications. + +Caido supports running active scans with the **Scanner** plugin and targeted fuzzing with native **Automate**. Combine both for coverage similar to Burp's integrated scanner. + +#### Resources + +- [Scanner](https://github.com/caido-community/scanner) (GitHub) +- [Automate](/app/quickstart/automate.md) +- [Scanner Tutorial](/app/tutorials/scanner.md) + +### Scanning specific HTTP messages + +Burp runs an audit against selected requests rather than an entire site. + +Caido lets you send selected requests from **HTTP History** to the **Scanner** plugin or **Automate**. This matches Burp's "scan selected items" workflow using Caido's context menu and traffic views. + +#### Resources + +- [HTTP History](/app/quickstart/http_history.md) +- [Scanner](https://github.com/caido-community/scanner) (GitHub) +- [Automate](/app/quickstart/automate.md) + +### Viewing scan results + +Burp lets you review discovered issues, audit items, and event logs from scans. + +Caido lets you review results in native **Findings** and the **Scanner** plugin's results view. Caido centralizes tracked issues in Findings rather than Burp's separate scan issue tabs. + +#### Resources + +- [Findings](/app/quickstart/findings.md) +- [Scanner](https://github.com/caido-community/scanner) (GitHub) + +## Indirectly Available + +### Live tasks + +Burp runs continuous background crawling and auditing of in-scope traffic as you browse. + +Caido offers native **Passive Workflows** for real-time traffic analysis as you browse. For active auditing, Caido supports running the **Scanner** plugin against selected requests. Caido does not have a single "live tasks" panel like Burp; background analysis is workflow-driven. + +#### Resources + +- [Passive Workflows](/app/concepts/workflows_intro.md#passive-workflows) +- [Workflows](/app/quickstart/workflows.md) +- [Scanner](https://github.com/caido-community/scanner) (GitHub) + +### Application logins + +Burp lets you provide credentials or recorded login sequences so Scanner can test authenticated areas. + +Caido lets you store credentials in native **Environment Variables**, record login flows manually in **Replay**, and use the **NTLM Authentication** plugin for NTLM-protected applications. Caido does not support Burp-style recorded login sequences or a login configuration library. + +#### Resources + +- [Environment Variables](/app/quickstart/environment.md) +- [Replay](/app/quickstart/replay.md) +- [Automate](/app/quickstart/automate.md) +- [Refresh Authentication Tutorial](/app/tutorials/refresh_authentication.md) +- [NTLM Authentication](https://github.com/caido-community/ntlm) (GitHub) + +## Not Available + +### Resource pools + +Burp limits concurrent scan threads to control resource usage during scans. + +Caido has no resource pool for throttling scan concurrency. Throttle **Automate** campaigns manually or add delays in workflows to control request rate. + +#### Resources + +- [Avoiding Rate-Limiting Protections](/app/guides/automate_rate_limiting.md) +- [Workflows](/app/quickstart/workflows.md) diff --git a/src/burp-suite/core/target-and-scope.md b/src/burp-suite/core/target-and-scope.md new file mode 100644 index 00000000..788b8021 --- /dev/null +++ b/src/burp-suite/core/target-and-scope.md @@ -0,0 +1,69 @@ +--- +description: "Map Burp Suite Pro Target and Scope features to Caido." +--- + +# Target & Scope + +Burp Suite Pro target management, site map, and scope features and their Caido equivalents. + +## Available + +### Target + +Burp provides a view of in-scope hosts, site structure, and discovered content. + +Caido splits target management across native **Sitemap**, **Scopes**, and **Findings** rather than a single Target tab. Sitemap shows discovered structure, Scopes define what is in bounds, and Findings tracks notable items — together covering Burp Target's role. + +#### Resources + +- [Sitemap](/app/quickstart/sitemap.md) +- [Scopes](/app/quickstart/scopes.md) +- [Findings](/app/quickstart/findings.md) + +### Site map + +Burp displays a tree view of discovered hosts, directories, and endpoints. + +Caido offers native **Sitemap** that displays discovered hosts and endpoints in a tree view. It is populated from proxied traffic; the **Crawler** community plugin can automate discovery to extend the sitemap beyond manual browsing. + +#### Resources + +- [Sitemap](/app/quickstart/sitemap.md) +- [Viewing the Sitemap](/app/guides/sitemap_viewing.md) +- [Crawler](https://github.com/caido-community/crawler) (GitHub) + +### Scope + +Burp lets you define which hosts and URLs are in scope for testing. + +Caido offers native **Scopes** to define in-scope hosts and URL patterns. Scoped traffic can be highlighted and filtered across views, similar to Burp's scope configuration. + +#### Resources + +- [Scopes](/app/quickstart/scopes.md) +- [Defining Scopes](/app/guides/scopes_defining.md) +- [Applying Scopes](/app/guides/scopes_applying.md) + +### Issue definitions + +Burp lets you customize how Scanner reports and categorizes issue types. + +Caido lets you define custom finding types through the **Scanner** plugin's custom check definitions. Custom issue types are plugin-driven rather than a built-in editor. + +#### Resources + +- [Scanner: Custom Checks](https://github.com/caido-community/scanner#check-definition) (GitHub) + +## Indirectly Available + +### Crawl paths + +Burp visualizes how its crawler reached specific endpoints. + +Caido has no crawl-path visualization like Burp's crawler tree. Caido lets you review discovered endpoints in **Sitemap**, run the **Crawler** plugin for automated discovery, or use **Workflows** for custom crawling logic. + +#### Resources + +- [Sitemap](/app/quickstart/sitemap.md) +- [Workflows](/app/quickstart/workflows.md) +- [Crawler](https://github.com/caido-community/crawler) (GitHub) diff --git a/src/burp-suite/core/tools.md b/src/burp-suite/core/tools.md new file mode 100644 index 00000000..64fa409f --- /dev/null +++ b/src/burp-suite/core/tools.md @@ -0,0 +1,344 @@ +--- +description: "Map Burp Suite Pro tools to Caido equivalents." +--- + +# Tools + +Burp Suite Pro tools — Proxy, Repeater, Intruder, utilities, and related features — and their Caido equivalents. + +## Available + +### Command palette + +Burp provides a quick-access launcher for tools, settings, and actions via the keyboard. + +Caido includes a native command palette opened with `Ctrl/Cmd+K`. It exposes navigation, plugin commands, and shortcuts rather than Burp's tool-centric launcher, but serves the same quick-access purpose. + +#### Resources + +- [Command Shortcuts](/app/reference/command_shortcuts.md) + +### Search + +Burp provides global search across its tools for requests, issues, and configuration. + +Caido offers native **Search** with **HTTPQL** to query captured traffic across your project. Search replaces Burp's cross-tool search with a traffic-focused query language rather than a unified issue-and-config index. + +#### Resources + +- [Search](/app/quickstart/search.md) +- [HTTPQL](/app/reference/httpql.md) +- [Search Filtering](/app/guides/search_filtering.md) + +### Context menu + +Burp offers right-click actions on requests, responses, and site map entries. + +Caido provides native context menu actions on requests and responses in HTTP History, Replay, and related views. Available actions depend on the current view and installed plugins. + +#### Resources + +- [Context Menu Options](/app/reference/context_menu.md) + +### Filter settings + +Burp applies shared filter configuration across its tables and views. + +Caido offers native **Filters** that apply across traffic tables and can be combined with HTTPQL. Filters are view-scoped rather than a single global filter profile shared by every Burp tool. + +#### Resources + +- [Filters](/app/quickstart/filters.md) +- [Applying Filters](/app/guides/filters_applying.md) +- [Defining Filters](/app/guides/filters_defining.md) + +### Proxy + +Burp captures HTTP/S traffic through an intercepting proxy between your browser and target applications. + +Caido offers native **Intercept** and **HTTP History** to handle proxied traffic capture. Intercept pauses traffic for review; HTTP History stores the full log. Together they cover Burp Proxy's core workflow without a separate Proxy tool tab. + +#### Resources + +- [Intercept](/app/quickstart/intercept.md) +- [HTTP History](/app/quickstart/http_history.md) +- [Intercepting Traffic](/app/guides/intercept_traffic.md) + +### Proxy intercept + +Burp lets you pause, inspect, and modify individual requests and responses in flight. + +Caido offers native **Intercept** to pause, inspect, and forward or drop individual requests and responses. Behavior matches Burp's intercept queue, integrated into Caido's main traffic workflow. + +#### Resources + +- [Intercept](/app/quickstart/intercept.md) +- [Intercepting Traffic](/app/guides/intercept_traffic.md) + +### HTTP history + +Burp maintains a persistent log of all proxied HTTP traffic with filtering and search. + +Caido offers native **HTTP History** as the persistent traffic log. It supports filtering, search, and sending entries to Replay or Automate. It is the primary workspace for reviewing proxied HTTP traffic. + +#### Resources + +- [HTTP History](/app/quickstart/http_history.md) +- [Filtering HTTP History](/app/guides/http_history_filtering.md) + +### WebSockets history + +Burp captures and inspects WebSocket messages proxied through the proxy. + +Caido offers native **WS History** to capture WebSocket frames proxied through the instance. It provides a dedicated view for WebSocket traffic separate from HTTP History. + +#### Resources + +- [WS History](/app/quickstart/ws_history.md) + +### Match and replace + +Burp automatically modifies requests or responses matching defined rules as they pass through the proxy. + +Caido offers native **Match & Replace** to apply rules to traffic in transit, similar to Burp's match-and-replace rules. Rules can target requests, responses, and specific scopes. + +#### Resources + +- [Match & Replace](/app/quickstart/match_replace.md) +- [Match & Replace Reference](/app/reference/match_replace.md) +- [Testing Match & Replace Rules](/app/guides/match_replace_testing.md) + +### Repeater + +Burp lets you manually modify and resend individual HTTP requests to observe response changes. + +Caido offers native **Replay** to edit and resend individual requests. Replay is accessed from HTTP History and the context menu rather than a dedicated Repeater tab, but supports the same manual request manipulation workflow. + +#### Resources + +- [Replay](/app/quickstart/replay.md) +- [Resending Requests](/app/guides/replay_resending.md) +- [Sending Requests to Replay](/app/guides/replay_requests.md) + +### Intruder + +Burp performs automated payload injection for fuzzing, brute-forcing, and enumeration attacks. + +Caido offers native **Automate** for payload-based attacks. Automate supports wordlists, numeric ranges, multiple payload sets, and preprocessors — covering Burp Intruder's core fuzzing and brute-force workflows with a different UI model. + +#### Resources + +- [Automate](/app/quickstart/automate.md) +- [Sending Requests to Automate](/app/guides/automate_requests.md) +- [Sending Payloads from a Wordlist](/app/guides/automate_wordlists.md) + +### Inspector + +Burp provides a structured view of request and response components (headers, parameters, cookies). + +Caido does not have a separate Inspector panel. Request and response components are edited inline in **Replay**, **HTTP History**, and **Automate** using built-in structured editors. Headers, parameters, and cookies are accessible without switching to a dedicated tool. + +#### Resources + +- [Replay](/app/quickstart/replay.md) +- [HTTP History](/app/quickstart/http_history.md) + +### Message editor + +Burp lets you edit HTTP messages in raw and parsed form across its tools. + +Caido builds native message editors into **Replay**, **Intercept**, and **Automate**. You can switch between structured and raw editing within each view rather than using a shared editor component across separate Burp tabs. The **Hex** community plugin adds hex view and edit modes in HTTP History and Replay. + +#### Resources + +- [Replay](/app/quickstart/replay.md) +- [Intercept](/app/quickstart/intercept.md) +- [Automate](/app/quickstart/automate.md) +- [Request and Response Modes](/app/guides/request_response_modes.md) +- [Hex](https://github.com/hahwul/Hex) (GitHub) + +### Decoder + +Burp encodes, decodes, and hashes data in common formats. + +Caido offers native **Convert Workflows** to transform data between formats. The **Convert Tools** community plugin adds a Decoder-like toolbox for on-demand encoding, decoding, and format conversion. Unlike Burp's standalone Decoder tab, Caido combines workflow-driven conversion with optional plugin utilities. + +#### Resources + +- [Convert Workflows](/app/concepts/workflows_intro.md#convert-workflows) +- [Workflows](/app/quickstart/workflows.md) +- [Convert Tools](https://github.com/caido-community/convert-tools) (GitHub) + +### Comparer + +Burp compares requests, responses, and arbitrary data with word-level and byte-level diffing. + +Caido offers the community **Compare** plugin to diff requests and responses. Caido does not ship a native Comparer tab; diffing is handled by a dedicated plugin. + +#### Resources + +- [Compare](https://github.com/caido-community/Compare) (GitHub) + +### Sequencer + +Sequencer analyzes the randomness of session tokens and CSRF tokens. + +Caido offers the **Sequencer** community plugin to collect tokens from traffic and run statistical randomness tests, similar to Burp Sequencer. Install it from the Community Store in **Plugins**. + +#### Resources + +- [Sequencer](https://github.com/caido-community/sequencer) (GitHub) +- [Installing Plugins](/app/guides/plugins_installing.md) + +### Collaborator + +Burp includes an out-of-band interaction server for detecting blind SSRF, XXE, and similar vulnerabilities. + +Caido supports out-of-band interaction testing through community plugins such as **QuickSSRF**, **OmniOAST**, or **SLCyber Tools** (Surf for SSRF). Caido does not ship a built-in Collaborator server; dedicated plugins provide the same capability. + +#### Resources + +- [QuickSSRF](https://github.com/caido-community/quickssrf) (GitHub) +- [OmniOAST](https://github.com/hahwul/OmniOAST) (GitHub) +- [SLCyber Tools](https://github.com/caido-community/slcyber-tools) (GitHub) + +### Logger + +Burp captures and reviews traffic from all tools in a unified log. + +Caido offers native **Search** that queries all captured traffic across the project, covering much of Burp Logger's review workflow. Caido also supports enhanced logging with custom fields through the **Cerebrum** plugin. + +#### Resources + +- [Search](/app/quickstart/search.md) +- [Search Filtering](/app/guides/search_filtering.md) +- [Cerebrum](https://github.com/DewSecOff/Caido-Plugin-Cerebrum) (GitHub) + +### Organizer + +Organizer stores and annotates interesting requests for later review. + +Caido offers native **Findings** to track notable requests and issues. Findings serves a similar annotation and review purpose to Burp Organizer, tied to Caido's findings model rather than a separate request collection. + +#### Resources + +- [Findings](/app/quickstart/findings.md) + +### Content discovery + +Burp brute-forces hidden directories and files on a web server. + +Caido offers native **Automate** with wordlists to brute-force paths and files, and the **Crawler** community plugin for automated sitemap and endpoint discovery. Together they cover Burp's content discovery and crawl-driven enumeration workflows. + +#### Resources + +- [Automate](/app/quickstart/automate.md) +- [Sending Payloads from a Wordlist](/app/guides/automate_wordlists.md) +- [Crawler](https://github.com/caido-community/crawler) (GitHub) + +### Generate CSRF PoC + +Burp builds cross-site request forgery proof-of-concept HTML from captured requests. + +Caido offers the **CSRF PoC Generator** community plugin to build CSRF proof-of-concept HTML from captured requests. Install it from the Community Store and generate PoCs from HTTP History or Replay. + +#### Resources + +- [CSRF PoC Generator](https://github.com/BugBountyzip/CaidoCSRF) (GitHub) + +## Indirectly Available + +### Dashboard + +Burp provides a central hub that shows scan progress, issue summaries, and task status. + +Caido does not have a single dashboard tab. Instead, traffic-centric views like HTTP History and Search are the default workspace, and some community plugins ship their own dashboard pages for scanning or authorization testing. + +#### Resources + +- [Plugins](/app/quickstart/plugins.md) +- [Scanner](https://github.com/caido-community/scanner) (GitHub) +- [Autorize](https://github.com/caido-community/autorize) (GitHub) + +### Customizing Burp's layout + +Burp lets you rearrange tabs, split panes, and customize the UI layout. + +Caido has a fixed application layout and does not support Burp-style tab rearrangement. For custom views, community plugins can add dedicated pages through the plugin SDK. + +#### Resources + +- [Creating a Page](https://developer.caido.io/guides/page.html) (developer docs) + +### Engagement tools + +Burp bundles a suite of utilities for target analysis, content discovery, and PoC generation. + +Caido does not bundle engagement utilities into a single tool suite. Equivalent workflows are spread across native features like **Sitemap** and **Automate**, plus purpose-built plugins such as **Exploit Generator**, **CSRF PoC Generator**, and **Crawler**. + +#### Resources + +- [Sitemap](/app/quickstart/sitemap.md) +- [Automate](/app/quickstart/automate.md) +- [Exploit Generator](https://github.com/stealthcopter/CaidoExploitGenerator) (GitHub) +- [CSRF PoC Generator](https://github.com/BugBountyzip/CaidoCSRF) (GitHub) +- [Crawler](https://github.com/caido-community/crawler) (GitHub) + +### Target analyzer + +Target analyzer summarizes a target's technology stack, content types, and dynamic URLs. + +Caido has no dedicated target analyzer. Caido lets you review technology hints in **HTTP History** responses, use passive workflows to flag stack indicators, and install plugins such as **JS Analyzer** or **RetireJS Scanner** for JavaScript and library analysis on captured traffic. + +#### Resources + +- [HTTP History](/app/quickstart/http_history.md) +- [Passive Workflows](/app/concepts/workflows_intro.md#passive-workflows) +- [JS Analyzer](https://github.com/caido-community/JS-Analyzer) (GitHub) +- [RetireJS Scanner](https://github.com/bensh/caido-retirejs) (GitHub) + +### Manual testing simulator + +The manual testing simulator simulates user interactions for manual testing scenarios. + +Caido offers native **Replay** for manual request-level testing, or a **preconfigured browser** for browser-based interaction. The **PwnFox** plugin integrates multi-container browser profiles for parallel sessions. Caido does not ship a dedicated interaction simulator like Burp's manual testing simulator. + +#### Resources + +- [Replay](/app/quickstart/replay.md) +- [Using a Preconfigured Browser](/app/guides/preconfigured_browser.md) +- [PwnFox](https://github.com/caido-community/pwnfox) (GitHub) + +### DOM Invader + +Burp supports browser-based testing for DOM XSS, prototype pollution, and web message vulnerabilities. + +Caido has no built-in DOM Invader equivalent. The **DOMLogger++** plugin pairs with a browser extension to monitor and debug JavaScript sinks using customizable rules — partial coverage for DOM-focused testing, not Burp's full in-browser attack surface. + +#### Resources + +- [Replay](/app/quickstart/replay.md) +- [Passive Workflows](/app/concepts/workflows_intro.md#passive-workflows) +- [DOMLogger++](https://github.com/kevin-mizu/domloggerpp-caido) (GitHub) + +## Not Available + +### Clickbandit + +Clickbandit generates clickjacking proof-of-concept overlays against a target page. + +Caido has no clickjacking PoC generator. Build PoCs manually with HTML iframes and verify framing protections by replaying requests and inspecting response headers. + +#### Resources + +- [Replay](/app/quickstart/replay.md) + +### Infiltrator + +Infiltrator modifies compiled class files to test deserialization and injection in Java applications. + +Caido has no equivalent to Infiltrator's bytecode manipulation. Use external Java instrumentation tools for class-level testing and Caido's Replay for HTTP-level request manipulation. + +#### Resources + +- [Replay](/app/quickstart/replay.md) diff --git a/src/burp-suite/extensibility/bambdas.md b/src/burp-suite/extensibility/bambdas.md new file mode 100644 index 00000000..a45ff7cb --- /dev/null +++ b/src/burp-suite/extensibility/bambdas.md @@ -0,0 +1,24 @@ +--- +description: "Map Burp Suite Pro Bambdas to Caido workflows and plugins." +--- + +# Bambdas + +Burp Suite Pro Bambdas — in-app JavaScript snippets — and their Caido equivalents. + +## Indirectly Available + +### Bambdas + +Bambdas are lightweight JavaScript snippets that run inside Burp for filtering, custom actions, and UI automation. + +Caido offers native **Workflows** for traffic filtering, transformation, and passive or active analysis — the closest equivalent to Bambdas that operate on requests and responses. The **Workflows Store** plugin distributes community workflow packages similar to sharing Bambda snippets. Caido also supports UI-level automation through plugins with custom pages and commands via the plugin SDK. Workflows replace Bambdas' traffic logic; plugins replace Bambdas' UI automation. + +#### Resources + +- [Workflows](/app/concepts/workflows_intro.md) +- [Workflows Quickstart](/app/quickstart/workflows.md) +- [Creating Workflows](/app/guides/workflows_creating.md) +- [Workflow JavaScript](/app/guides/workflows_javascript.md) +- [Workflows Store](https://github.com/caido-community/workflows) (GitHub) +- [Creating a Page](https://developer.caido.io/guides/page.html) (developer docs) diff --git a/src/burp-suite/extensibility/custom-scan-checks.md b/src/burp-suite/extensibility/custom-scan-checks.md new file mode 100644 index 00000000..108dca64 --- /dev/null +++ b/src/burp-suite/extensibility/custom-scan-checks.md @@ -0,0 +1,26 @@ +--- +description: "Map Burp Suite Pro custom scan checks to Caido Scanner and workflows." +--- + +# Custom Scan Checks + +Burp Suite Pro custom scan checks and their Caido equivalents. + +::: info Related BApps +Several BApp Store extensions also add scan checks — for example, Active Scan++ and Additional Scanner Checks. See [Extensions](/burp-suite/extensibility/extensions) for those mappings. +::: + +## Available + +### Custom scan checks + +Burp lets you define passive and active scan rules in BCheck format or via the custom scan checks API. + +Caido lets you define custom checks through the **Scanner** plugin's check definition API for active and passive vulnerability detection. Caido also supplements this with **Passive Workflows** for traffic-level rules that run on every request. Caido splits scanning between the Scanner plugin (issue detection) and workflows (traffic analysis) rather than a single BCheck format. + +#### Resources + +- [Scanner: Custom Checks](https://github.com/caido-community/scanner#check-definition) (GitHub) +- [Passive Workflows](/app/concepts/workflows_intro.md#passive-workflows) +- [Workflows](/app/quickstart/workflows.md) +- [Scanner Tutorial](/app/tutorials/scanner.md) diff --git a/src/burp-suite/extensibility/extensions.md b/src/burp-suite/extensibility/extensions.md new file mode 100644 index 00000000..e1836c8f --- /dev/null +++ b/src/burp-suite/extensibility/extensions.md @@ -0,0 +1,293 @@ +--- +description: "Map Burp Suite Pro BApp Store extensions to Caido plugins." +--- + +# Extensions (BApp Store) + +Burp Suite Pro BApp Store extensions and popular community plugin equivalents in Caido. + +## Available + +### Extensions (BApp Store) + +Burp provides an extension marketplace for installing third-party and official BApps. + +Caido uses a native **Community Store** for extensions listed in the [caido/store](https://github.com/caido/store) catalog, plus manual installation from GitHub. Plugins are the primary extensibility model in Caido, equivalent to Burp's BApp Store but with a different distribution and API. + +#### Resources + +- [Plugins](/app/quickstart/plugins.md) +- [Installing Plugins](/app/guides/plugins_installing.md) +- [Managing Plugins](/app/guides/plugins_managing.md) +- [Caido plugin store catalog](https://github.com/caido/store) (GitHub) + +### Param Miner + +Param Miner discovers hidden parameters, headers, and cache-busting inputs. + +Caido offers the **ParamFinder** community plugin. Caido does not include hidden-parameter discovery natively; this capability comes from a plugin modeled after Burp's Param Miner. + +#### Resources + +- [ParamFinder](https://github.com/caido-community/ParamFinder) (GitHub) + +### JWT Editor + +JWT Editor decodes, edits, and resigns JSON Web Tokens inside Burp. + +Caido offers the **JWT Analyzer** community plugin for JWT decoding, editing, and analysis within Caido. JWT handling is plugin-based rather than a built-in editor. + +#### Resources + +- [JWT Analyzer](https://github.com/caido-community/JWT-Analyzer) (GitHub) +- [Decode JWT Tutorial](/app/tutorials/decode_jwt.md) + +### JS Miner + +JS Miner mines JavaScript files for endpoints, secrets, and interesting strings. + +Caido offers the **Data Grep** and **JS Analyzer** community plugins to extract patterns and analyze JavaScript in captured traffic. Together they cover much of JS Miner's endpoint and secret discovery through passive analysis. + +#### Resources + +- [Data Grep](https://github.com/caido-community/data-grep) (GitHub) +- [JS Analyzer](https://github.com/caido-community/JS-Analyzer) (GitHub) + +### Content Type Converter + +Content Type Converter converts request and response bodies between content types. + +Caido offers the **Convert Tools** community plugin for content-type conversion. Caido's native **Convert Workflows** also handle many encoding transformations. + +#### Resources + +- [Convert Tools](https://github.com/caido-community/convert-tools) (GitHub) +- [Convert Workflows](/app/concepts/workflows_intro.md#convert-workflows) + +### 403 Bypasser + +403 Bypasser attempts path and header mutations to bypass 403 Forbidden responses. + +Caido offers the **403Bypasser** community plugin for automated 403 bypass attempts. This is a dedicated plugin rather than a native feature. + +#### Resources + +- [403Bypasser](https://github.com/caido-community/Caido403Bypasser) (GitHub) + +### InQL + +InQL provides GraphQL introspection, query building, and analysis inside Burp. + +Caido offers the **GraphQL Analyzer** community plugin for GraphQL testing in Caido. GraphQL-specific analysis is plugin-provided rather than built in. + +#### Resources + +- [GraphQL Analyzer](https://github.com/caido-community/GraphQL-Analyzer) (GitHub) + +### Autorize + +Autorize tests access controls by replaying requests with different session tokens. + +Caido offers the **Autorize** community plugin for automated authorization testing. **Authswap** can complement it by switching between authentication contexts during manual testing. + +#### Resources + +- [Autorize](https://github.com/caido-community/autorize) (GitHub) +- [Autorize Tutorial](/app/tutorials/autorize.md) +- [Authswap](https://github.com/caido-community/authswap) (GitHub) + +### Auth Analyzer + +Auth Analyzer compares responses across multiple authorization contexts to find access control flaws. + +Caido offers the **Authify** community plugin for multi-context authorization comparison and analysis. + +#### Resources + +- [Authify](https://github.com/saltify7/Authify) (GitHub) + +### Request Minimizer + +Request Minimizer strips unnecessary headers and parameters to find minimal viable requests. + +Caido offers the **Squash** community plugin to minimize requests. Request minimization is plugin-based rather than a native Burp-style tool. + +#### Resources + +- [Squash](https://github.com/evanconnelly/squash) (GitHub) + +### CSP Auditor + +CSP Auditor analyzes Content-Security-Policy headers for weaknesses. + +Caido offers the **CSP Auditor** community plugin for CSP analysis. CSP-specific auditing is provided by a plugin rather than a native tool. + +#### Resources + +- [CSP Auditor](https://github.com/caido-community/csp-auditor) (GitHub) + +### AuthMatrix + +AuthMatrix tests authorization across roles with a matrix of requests and sessions. + +Caido offers the **AuthMatrix** community plugin for role-based authorization matrix testing. It provides a dedicated UI for cross-role comparison similar to Burp's AuthMatrix extension. + +#### Resources + +- [AuthMatrix](https://github.com/caido-community/authmatrix) (GitHub) + +### Notes + +Notes lets you attach notes and annotations to requests inside Burp. + +Caido offers the **Notes++** community plugin for request annotations. Caido's native **Findings** can track issues, but rich per-request notes are plugin-provided. + +#### Resources + +- [Notes++](https://github.com/caido-community/NotesPlusPlus) (GitHub) +- [Findings](/app/quickstart/findings.md) + +### YesWeBurp + +YesWeBurp shares Burp requests with teammates through YesWeHack tooling. + +Caido offers the **YesWeCaido** community plugin for YesWeHack-compatible request sharing. This is a direct port of the collaboration workflow for Caido. + +#### Resources + +- [YesWeCaido](https://github.com/yeswehack/yeswecaido) (GitHub) + +### Burp Share Requests + +Burp Share Requests enables collaborative request sharing between Burp users. + +Caido offers the **Drop** community plugin to share requests with teammates. Collaborative sharing is plugin-based rather than a native Caido feature. + +#### Resources + +- [Drop](https://github.com/caido-community/drop) (GitHub) +- [Drop Tutorial](/app/tutorials/drop.md) + +## Indirectly Available + +### Active Scan++ + +Active Scan++ adds active scan checks beyond Burp Scanner's defaults. + +Caido lets you implement additional checks through the **Scanner** plugin's custom check definitions, and install scan-focused plugins such as **Mass Assignment Radar** or **RetireJS Scanner** for extra coverage. Active Scan++'s extra checks map to custom scanner rules and community plugins rather than a single BApp. + +#### Resources + +- [Scanner: Custom Checks](https://github.com/caido-community/scanner#check-definition) (GitHub) +- [Mass Assignment Radar](https://github.com/sp1r1tt/Mass-Assignment-Radar) (GitHub) +- [RetireJS Scanner](https://github.com/bensh/caido-retirejs) (GitHub) + +### Logger++ + +Logger++ provides enhanced logging with custom fields and filtering beyond Burp Logger. + +Caido offers native **Search** for traffic querying, the **Data Grep** plugin to extract fields from traffic, or the **Cerebrum** plugin for enhanced logging with custom fields. Logger++'s advanced logging maps to Search plus optional plugins. + +#### Resources + +- [Search](/app/quickstart/search.md) +- [Search Filtering](/app/guides/search_filtering.md) +- [Data Grep](https://github.com/caido-community/data-grep) (GitHub) +- [Cerebrum](https://github.com/DewSecOff/Caido-Plugin-Cerebrum) (GitHub) + +### Hackvertor + +Hackvertor transforms data with tag-based encoding, decoding, and encryption pipelines. + +Caido offers native **Convert Workflows** for tag-based transformations, plus the **Convert Tools** and **HackerUtils** community plugins for encoding pipelines and manual-test utilities. Hackvertor's pipeline model is similar to Caido's workflow-driven conversion, though with different syntax. + +#### Resources + +- [Convert Workflows](/app/concepts/workflows_intro.md#convert-workflows) +- [Workflows](/app/quickstart/workflows.md) +- [Convert Tools](https://github.com/caido-community/convert-tools) (GitHub) +- [HackerUtils](https://github.com/caido-community/hackerutils) (GitHub) + +### Bypass WAF + +Bypass WAF applies passive and active techniques to evade web application firewalls during testing. + +Caido offers **Passive Workflows** to transform traffic, native **Automate** for payload tuning, and WAF-focused plugins such as **403Bypasser**, **Host Header Injector**, **Nomad-ip**, and **SLCyber Tools** (Surf). Caido has no single WAF-bypass BApp; the workflow is distributed across native features and plugins. + +#### Resources + +- [Passive Workflows](/app/concepts/workflows_intro.md#passive-workflows) +- [Automate](/app/quickstart/automate.md) +- [403Bypasser](https://github.com/caido-community/Caido403Bypasser) (GitHub) +- [Host Header Injector](https://github.com/oksuzkayra/host-header-injector) (GitHub) +- [Nomad-ip](https://github.com/caido-community/nomad-ip) (GitHub) +- [SLCyber Tools](https://github.com/caido-community/slcyber-tools) (GitHub) + +### Reflected Parameters + +Reflected Parameters highlights parameters reflected in responses for XSS and injection testing. + +Caido offers **Passive Workflows** to flag reflected parameters in proxied traffic. Reflection detection is workflow-driven rather than a dedicated extension tab. + +#### Resources + +- [Passive Workflows](/app/concepts/workflows_intro.md#passive-workflows) +- [Workflows](/app/quickstart/workflows.md) + +### Sensitive Discoverer + +Sensitive Discoverer finds sensitive data patterns in HTTP traffic. + +Caido offers **Passive Workflows** to match sensitive data patterns in traffic automatically, and the **Data Grep** plugin to extract and surface patterns from requests and responses. Custom workflow rules and grep rules replace Burp's Sensitive Discoverer checks. + +#### Resources + +- [Passive Workflows](/app/concepts/workflows_intro.md#passive-workflows) +- [Workflows](/app/quickstart/workflows.md) +- [Data Grep](https://github.com/caido-community/data-grep) (GitHub) + +### Additional Scanner Checks + +Additional Scanner Checks provides community passive checks that extend Burp Scanner coverage. + +Caido lets you add checks through the **Scanner** plugin's custom check API and **Passive Workflows**. Extended scanner coverage in Caido is defined by you rather than installed as a BApp. + +#### Resources + +- [Scanner: Custom Checks](https://github.com/caido-community/scanner#check-definition) (GitHub) +- [Passive Workflows](/app/concepts/workflows_intro.md#passive-workflows) + +### CORS / Additional CORS Checks + +CORS checks detect cross-origin misconfigurations and related issues. + +Caido lets you implement CORS checks through the **Scanner** plugin's custom checks or **Passive Workflows**. Caido does not ship built-in CORS scanning; Caido lets you define checks to match your methodology. + +#### Resources + +- [Scanner: Custom Checks](https://github.com/caido-community/scanner#check-definition) (GitHub) +- [Passive Workflows](/app/concepts/workflows_intro.md#passive-workflows) + +### Add Custom Header + +Add Custom Header adds or modifies headers on requests passing through the proxy. + +Caido lets you build a native **workflow** to add headers to proxied traffic, use **Match & Replace** for simpler header injection, or install the **Template** plugin for reusable match-and-replace rule templates. The **Host Header Injector** plugin automates Host-header payload variations. + +#### Resources + +- [Add a Header Tutorial](/app/tutorials/add_header.md) +- [Match & Replace](/app/quickstart/match_replace.md) +- [Template](https://github.com/MDGDSS/caido-template) (GitHub) +- [Host Header Injector](https://github.com/oksuzkayra/host-header-injector) (GitHub) + +### AWS Signer + +AWS Signer signs AWS API requests with SigV4 credentials inside Burp. + +Caido supports AWS signing through the **Resign AWS Requests** workflow tutorial pattern to sign AWS requests in Caido. AWS signing is implemented as a workflow rather than a standalone BApp. + +#### Resources + +- [Resign AWS Requests Tutorial](/app/tutorials/aws_signature.md) +- [Workflows](/app/quickstart/workflows.md) diff --git a/src/burp-suite/extensibility/overview.md b/src/burp-suite/extensibility/overview.md new file mode 100644 index 00000000..8dc10fa6 --- /dev/null +++ b/src/burp-suite/extensibility/overview.md @@ -0,0 +1,25 @@ +--- +description: "Map Burp Suite Pro extensibility features to Caido plugins and workflows." +--- + +# Extensibility + +This section maps **Burp Suite Pro** extensibility features — extensions, Bambdas, and custom scan checks — to Caido. + +## How to use this section + +1. **Search by Burp name** — Look for the extension or pattern you used in Burp (for example, `Param Miner`, `Bambdas`, or `custom scan checks`). +2. **Pick the right page** — Use **Extensions** for named BApps, **Bambdas** for Burp scripts, or **Custom Scan Checks** for BChecks and custom scanner rules. +3. **Read the mapping** — Entries are grouped under **Available**, **Indirectly Available**, and **Not Available**. Each entry explains the Caido equivalent, how it differs from Burp, and links under **Resources**. + +::: info Workflows and custom checks +Many Burp Bambdas, custom scan checks, and extensions can be rebuilt with [Workflows](/app/concepts/workflows_intro.md) or [Scanner custom checks](https://github.com/caido-community/scanner#check-definition). +::: + +## Pages + +- **[Extensions](/burp-suite/extensibility/extensions)** — BApp Store extensions and popular community plugin equivalents. +- **[Bambdas](/burp-suite/extensibility/bambdas)** — Burp's in-app JavaScript snippets. +- **[Custom Scan Checks](/burp-suite/extensibility/custom-scan-checks)** — User-defined passive and active scan rules. + +For built-in Burp tools like Proxy and Repeater, see [Core](/burp-suite/core/overview). diff --git a/src/burp-suite/index.md b/src/burp-suite/index.md new file mode 100644 index 00000000..5f200851 --- /dev/null +++ b/src/burp-suite/index.md @@ -0,0 +1,3 @@ +--- +redirect: /burp-suite/core/overview +--- diff --git a/src/index.md b/src/index.md index 5c61e2c5..1e611feb 100644 --- a/src/index.md +++ b/src/index.md @@ -18,7 +18,10 @@ hero: text: Dashboard link: /dashboard/ - theme: alt - text: Build Plugins + text: Migrating from Burp Suite + link: /burp-suite/core/overview + - theme: alt + text: Build Plugins link: https://developer.caido.io features: