As a part-time bug bounty hunter, I’ve found reducing friction in my testing to be especially important. Being able to quickly look at the behavior of an application to take advantage of downtime is very important to me.

With that I’ve come up with a bit of an uncommon workflow where I not only proxy traffic from iOS devices, but will also look through the request history and even modify and replay requests, all from my iPhone or iPad.

My setup: I use the Surge app anytime I’m proxying traffic from an iOS device. Depending on my testing, I do this in either of the ways below.

Standalone: Surge can do a lot on its own. It can intercept, display, and even replay HTTP traffic.

Upstream to Caido: This is my most frequent flow. I use the Termius app to open an SSH tunnel to reach my Caido instance on my VPS. I configure Surge to proxy upstream to Caido.

Sometimes, I’m doing this with my Caido instance open on my laptop in front of me, and using Surge + Termius simply as an easy way to proxy traffic to Caido. Other times, I’m looking at or working with the traffic directly within Surge, but it’s also being saved in Caido for later review or testing if needed.

How to build a similar setup:

VPS

I use an AWS EC2 t3.medium instance for multiple purposes, including running Caido. You can use any VPS, though. In fact, this may be overkill for Caido alone.

For Caido alone, you likely only need 500 MB to 1 GB of RAM (per the Caido devs, Caido itself requires around 200 MB of RAM under load).

Storage depends on how much traffic you anticipate storing. Currently, I have a 120 GB EBS volume. My largest Caido project is over 8 GB, but most are around 1 GB or less.

Caido

  • On your VPS, download the Linux CLI version - https://caido.io/download
• e.g., for version 0.38.0: wget https://storage.googleapis.com/caido-releases/v0.38.0/caido-cli-v0.38.0-linux-x86_64.tar.gz
    • Extract the Caido executable from the archive
      • tar -xvf caido-cli-v0.38.0-linux-x86_64.tar.gz
    • Set Caido to run when your VPS boots up
      • open your crontab file:
      • crontab -e
      • add the below line to your crontab file:
      • @reboot ./caido-cli
      • save your crontab file and exit
  • Reboot your VPS and confirm that Caido is running
    • ps aux | grep caido
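The same install steps as a script, added here as an example and not the post's own commands: it builds the download URL from a version number using the URL scheme above, extracts the CLI into a directory, and adds the @reboot entry with absolute paths. Cron starts @reboot jobs in the home directory with a minimal PATH, so ./caido-cli only works if the binary sits there; absolute paths remove that dependency. The install directory ($HOME/caido), the log file name and the helper names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): install the Caido CLI on a Linux
# VPS and register it to start at boot. Assumes wget, tar and a per-user
# crontab are available; install dir and log file are my choices.
set -eu

CAIDO_BASE_URL="https://storage.googleapis.com/caido-releases"

# Download URL for a given version, matching the release URL scheme in the post.
caido_release_url() {
  version="$1"
  printf '%s/v%s/caido-cli-v%s-linux-x86_64.tar.gz\n' "$CAIDO_BASE_URL" "$version" "$version"
}

# Append a line to a file only if it is not already there, so re-running the
# installer never duplicates the crontab entry. Takes a file path so it can be
# exercised on a crontab dump without touching the live crontab.
ensure_line_in_file() {
  line="$1"; file="$2"
  touch "$file"
  if ! grep -Fxq -- "$line" "$file"; then
    printf '%s\n' "$line" >> "$file"
  fi
}

# The @reboot entry: cd into the install dir, run the binary by absolute path,
# and keep its output in a log file instead of losing it to cron's mailer.
reboot_entry() {
  bin_dir="$1"
  printf '@reboot cd %s && %s/caido-cli >> %s/caido.log 2>&1\n' "$bin_dir" "$bin_dir" "$bin_dir"
}

install_caido() {
  version="$1"; bin_dir="${2:-$HOME/caido}"
  url="$(caido_release_url "$version")"
  archive="$(basename "$url")"
  mkdir -p "$bin_dir"
  wget -q -O "$bin_dir/$archive" "$url"
  tar -xf "$bin_dir/$archive" -C "$bin_dir"   # archive holds caido-cli at top level
  chmod +x "$bin_dir/caido-cli"
  tmp="$(mktemp)"
  crontab -l 2>/dev/null > "$tmp" || true   # empty crontab is fine
  ensure_line_in_file "$(reboot_entry "$bin_dir")" "$tmp"
  crontab "$tmp"
  rm -f "$tmp"
}

# Post-reboot check, same purpose as "ps aux | grep caido" above.
caido_running() {
  pgrep -x caido-cli >/dev/null
}

# Usage: ./install-caido.sh 0.38.0 [install_dir]
if [ "$#" -ge 1 ]; then
  install_caido "$@"
fi
```

After a reboot, `caido_running` returning 0 confirms the @reboot entry fired; if it did not, the log file in the install directory is the first place to look.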

Follow the Caido VPS instructions to access Caido from your laptop: https://docs.caido.io/guides/user_guide/vps.html

Termius

  • Download Termius - https://apps.apple.com/us/app/termius-terminal-ssh-client/id549039908
  • Under the Keychain tab, import the SSH key for your VPS
  • Under the Hosts tab, add the IP/hostname of your VPS, the username, and select the key you’ve already added
  • Under the Port Forwarding tab, create a new port forwarding
    • Select Local forwarding
    • Enter port 1337 as the local port (it can be any number, but you’re a hacker, so you use 1337 anywhere you can)
    • Select your VPS as the host
    • Enter 127.0.0.1 as the destination host
    • Enter 8080 as the destination port
    • Create a label, such as Caido Forwarding
    • Save
  • Tap the name of the port forwarding rule to connect
  • On your iOS device, open 127.0.0.1:1337 to confirm you can reach Caido
  • While you don’t need to log into Caido from the iOS device, be sure an active project is open in Caido before attempting to proxy traffic to the server
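For the laptop side, here is the equivalent of the Termius port-forwarding rule as an OpenSSH config stanza plus the same reachability check, added as an example and not part of the original post. The host alias (caido-vps), the VPS address, username and key path are placeholders I chose. The stanza binds the local port to 127.0.0.1 only, and ExitOnForwardFailure makes ssh refuse to connect at all if the local port is already taken, rather than silently connecting without the tunnel.

```shell
#!/bin/sh
# Added example (not from the original post): OpenSSH equivalent of the Termius
# local-forwarding rule (local 1337 -> VPS 127.0.0.1:8080). Alias, address,
# user and key path are placeholders.
set -eu

# Print an ssh_config stanza for the tunnel. IdentitiesOnly stops ssh from
# offering every key in the agent; ServerAliveInterval keeps an idle tunnel up.
ssh_config_stanza() {
  alias_="$1"; vps="$2"; user="$3"; key="$4"; lport="${5:-1337}"; rport="${6:-8080}"
  printf 'Host %s\n' "$alias_"
  printf '  HostName %s\n' "$vps"
  printf '  User %s\n' "$user"
  printf '  IdentityFile %s\n' "$key"
  printf '  IdentitiesOnly yes\n'
  printf '  LocalForward 127.0.0.1:%s 127.0.0.1:%s\n' "$lport" "$rport"
  printf '  ExitOnForwardFailure yes\n'
  printf '  ServerAliveInterval 30\n'
}

# Append the stanza to ~/.ssh/config once, with the permissions ssh expects.
install_stanza() {
  cfg="${HOME}/.ssh/config"
  mkdir -p "${HOME}/.ssh" && chmod 700 "${HOME}/.ssh"
  touch "$cfg" && chmod 600 "$cfg"
  if ! grep -q "^Host $1\$" "$cfg"; then
    ssh_config_stanza "$@" >> "$cfg"
  fi
}

# Same check as opening 127.0.0.1:1337 on the device: does an HTTP server
# answer on the forwarded port? Returns 0 on any HTTP status, 1 when the
# connection fails (tunnel down, port wrong) or curl is missing.
caido_reachable() {
  lport="${1:-1337}"
  code="$(curl -s -o /dev/null --connect-timeout 2 -w '%{http_code}' "http://127.0.0.1:${lport}/" || true)"
  [ -n "$code" ] && [ "$code" != "000" ]
}

# Usage: ./caido-tunnel.sh <vps-ip-or-hostname> <user> <path-to-key>
if [ "$#" -eq 3 ]; then
  install_stanza caido-vps "$1" "$2" "$3"
  ssh -N -f caido-vps      # -N: forwarding only, no remote shell; -f: background
  caido_reachable 1337 && echo "Caido reachable on 127.0.0.1:1337"
fi
```

Once the stanza is in place, `ssh -N caido-vps` alone opens the tunnel, and the Surge proxy entry described below (127.0.0.1:1337) needs no change whether the tunnel comes from Termius on the device or from ssh on the laptop.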

Surge

  • Download Surge - https://apps.apple.com/us/app/surge-5/id1442620678
  • Under the Capture tab, open MitM -> Configure
  • Tap Generate a new CA Certificate
  • Enable the option to Skip Server Certificate Verification
  • Enable MitM over HTTP/2
  • Tap Install CA Certificate to System
  • Open iOS Settings -> Profile Downloaded
    • Tap Install
  • Open iOS Settings -> General -> About -> Certificate Trust Settings
    • Enable Full Trust for the Surge Generated CA
  • Back in Surge, under the General tab -> Outbound Mode
    • Tap Global Proxy
    • Add New Proxy
      • Name: Caido
      • Type: HTTP
      • Server: 127.0.0.1
      • Port: 1337
      • Skip Certificate Verification: Enabled
      • Tap Done
      • Switch the Outbound Mode from Direct Outbound to Global Proxy
  • Under the Capture Tab, enable HTTP Capture and MitM
  • Under HTTP Capture -> Settings -> MITM Hostnames
    • set the only rule to a value of * to capture all traffic
  • In the top right of the app, tap Setup and allow the VPN profile install
  • If everything has worked correctly, the app should show as connected
  • Under Capture -> HTTP Capture -> Request List, you can view captured traffic
  • When viewing a given request, you can tap the horizontal ellipsis menu -> Replay to replay the request, including with modifications

For more in-depth review, replay attempts, or automation, you can switch to a laptop to view and interact with the traffic you’ve captured via Caido.