Skip to content

HTTPQL

HTTPQL is the query language used in Caido that gives you the ability to filter traffic. The constructing primitives of an HTTPQL filter clause, in order of position, are the:

  1. Namespace
  2. Field
  3. Operator
  4. Value
Parts of a filter clause

TIP

The development of fields is ongoing. To request a field, submit a templated issue.

Namespaces

INFO

Namespaces are project-specific.

NamespaceDescription
reqAll proxied HTTP requests.
respAll proxied HTTP responses.
presetFilter presets.
rowA request's numerical identifier in the traffic tables.
sourceThe Caido feature source (only available in the Search interface).

NOTE

The preset and source namespaces do not have any fields available and instead take direct values.

Fields

req

Available FieldsDescriptionValue Type
created_atThe date and time the request was sent.Date/Time: RFC3339 (2024-06-24T17:03:48+00:00) / ISO 8601 (2024-06-24T17:03:48+0000) / RFC2822 (Mon, 24 Jun 2024 17:03:48 +0000) / RFC7231 (Mon, 24 Jun 2024 17:03:48 GMT) / ISO9075 (2024-06-24T17:03:48Z)
extThe extension of the requested file.String/Byte
hostThe value of the request's Host header.String/Byte
lenThe request size in bytes (includes request line, headers, and body data).Integer
methodThe HTTP method used for the request.String/Byte
pathThe URL path (includes files).String/Byte
portThe port of the target server.Integer
queryThe URL query string (excludes the leading ?).String/Byte
rawThe full raw data of the request (includes request line, headers, and body data).String/Byte
tlsIf the connection used TLS/SSL encryption.Boolean (true/false)

resp

Available FieldsDescriptionValue Type
codeThe status code of the reponse.Integer
lenThe response size in bytes (includes response line, headers, and body data).Integer
rawThe full raw data of the response (includes response line, headers, and body data).String/Byte
roundtripThe total request/response cycle time (in milliseconds).Integer

row

Available FieldDescriptionValue Type
idThe numerical identifier of a request's traffic table row.Integer

Operators

OperatorDescriptionValue TypeAdditional Details
eqEqual to the supplied value.String/Byte, IntegerCase sensitive. Requires leading . character for ext field.
gtGreater than the supplied value.Date/Time, Integer
gteGreater than or equal to the supplied value.Integer
ltLess than the supplied value.Date/Time, Integer
lteLess than or equal to the supplied value.Integer
neNot equal to the supplied value.String/Byte, IntegerCase sensitive. Requires leading . character for ext field.
contContains the supplied value.String/ByteCase insensitive.
likeThe SQLite LIKE Operator.String/ByteCase sensitive for Unicode characters beyond the ASCII range.
ncontDoes not contain the supplied value.String/ByteCase insensitive.
nlikeThe SQLite NOT LIKE Operator.String/ByteCase sensitive for Unicode characters beyond the ASCII range.
regexMatches to the regular expression.String/ByteRust-flavored syntax.
nregexDoes not match to the regular expression.String/ByteRust-flavored syntax.

TIP

In SQLite - the % character matches zero or more characters (%.js matches .map.js) and the _ character matches one character (v_lue matches vAlue). Visit https://regex101.com/ and select Rust syntax to test regular expressions.

NOTE

Not all regex features are currently supported by Caido (such as look-ahead expressions) as they are not included in the regex library of Rust.

Values

preset

Available ValuesExample
A filter preset's alias.preset:"no-images"
A filter preset's name.preset:"No Images"

source

Available ValuesAdditional DetailsExample
automate, intercept, plugin, replay, workflowRequires lowercase. Autocomplete is not supported.source:"plugin"

NOTE

The source namespace is only available in the Search interface. If no results are returned, ensure the inclusion of the source is enabled in the Advanced options menu.

TIP

Entering a string (such as "my value") into the HTTPQL input field will search across both requests and responses. The supplied string is replaced at runtime by:

sql
(req.raw.cont:"my value" OR resp.raw.cont:"my value")

Queries

Queries are composed of multiple filter clauses that are combined together using logical operators and logical grouping.

A full HTTPQL Query

Logical Operators

OperatorDescription
ANDBoth the left and right clauses must be true.
OREither the left or right clause must be true.

INFO

Operators are case insensitive. Both have the same priority.

Logical Grouping

Caido supports the priority of operations: AND has a higher priority than OR.

  • <Clause1> AND <Clause2> OR <Clause3> is equivalent to ((<Clause1> AND <Clause2>) OR <Clause3>).
  • <Clause1> OR <Clause2> AND <Clause3> is equivalent to (<Clause1> OR (<Clause2> AND <Clause3>)).
  • <Clause1> AND <Clause2> AND <Clause3> is equivalent to ((<Clause1> AND <Clause2>) AND <Clause3>).

TIP

While parentheses are optional, we recommend using them to make your logical grouping clear.