cariddi Review
A fast Go web crawler that plugs cleanly into recon pipelines to uncover endpoints, JavaScript URLs, and exposed secrets at scale.
Quick Verdict
Bug bounty hunters and pentesters who want a fast crawler for bulk endpoint discovery and secrets hunting in automated web recon pipelines.
Pros
- Fast stdin/stdout design makes it easy to drop into bulk recon pipelines after subdomain discovery and live-host checking
- Built-in secrets and file-extension detection adds immediate value beyond basic endpoint crawling
Cons
- Does not render JavaScript, so coverage is incomplete on modern SPA-heavy targets
- Pattern-based secrets detection produces noise and requires manual validation before reporting findings
cariddi occupies a useful niche. It is neither a full browser crawler nor a replacement for your whole pipeline. It takes URLs or hosts, crawls them quickly, and extracts web artifacts, surfacing the obvious high-value items: endpoints, JavaScript references, and exposed secrets.
You probably already run httpx, Katana, Photon, ffuf, arjun, or nuclei; cariddi fits alongside them. It is rarely the first or the last tool in the chain. It serves as an efficient extraction layer, turning live hosts into actionable intelligence for testing.
cariddi gets the job done, delivering endpoints, JavaScript references, and exposed secrets.
What cariddi Does
cariddi is a Go-based web crawler. It takes domains or URLs from stdin, crawls each target, and extracts endpoints, file paths, JavaScript URLs, and external links.
cariddi is designed for pipeline thinkers. Feed it targets from subfinder, assetfinder, or httpx, and let it crawl.
The tool pulls out internal paths, linked APIs, referenced JS files, and embedded URLs, requiring no babysitting.
As it crawls, cariddi scans content for secrets, tokens, API keys, and sensitive file extensions. Many crawlers simply provide URLs, but cariddi extracts security value from HTML and JavaScript.
The stdin/stdout design makes cariddi scalable. You can pipe targets in and pipe output out, chaining it with your workflow. No format conversions or intermediate files are needed. Disk space usage is reduced.
What cariddi Extracts
Endpoint and Path Discovery
cariddi starts by recursively crawling internal links. It extracts URL paths, parameterized URLs, and API-like endpoints from HTML and JavaScript. On a typical target, this quickly expands your view from a homepage and obvious routes to a larger map of the application's surface.
Page source and linked JS reveal more than the UI shows. Internal APIs, hidden routes, admin panels, and versioned endpoints often appear there before fuzzing. cariddi harvests these references without manual page inspection.
Endpoints pile up fast; expect a sprawling list rather than a curated one.
Secrets Detection
cariddi scans discovered content for sensitive strings such as API keys, auth tokens, AWS credentials, and private keys. It does this by matching regex patterns, not by semantic analysis, but that is often enough to catch obvious mistakes.
File Extension Hunting
Want to surface specific files, such as PDFs, configs, or backups? cariddi filters for those during the crawl, saving time compared to manual review or post-processing with grep and scripts.
That's it.
Pipeline Integration and Core Flags
cariddi fits right into your existing pipeline, reading from stdin and writing to stdout. You can drop it in after live host discovery.
Feed it httpx output, use a domains.txt file, or pass in filtered subdomains or in-scope URLs. It acts like a Unix-style recon tool, not a standalone app.
The essential flags to use are:
- -s enables secrets detection, which you should use by default on authorized targets.
- -e hunts for file extensions, and -ef lets you specify which extensions.
- -c controls concurrency, allowing you to balance speed against target sensitivity.
- -d sets crawl depth, controlling how aggressively cariddi explores targets.
The output options include:
- -plain gives you cleaner output for piping into other tools.
- -json preserves structured output, which is useful for databases, log enrichment, or custom processing. Structured output helps correlate sources and deduplicate in mature setups.
You run cariddi against your targets, take the output, and pipe it further. The tool does one job and does it well, so it slots into a daily process: JSON output can feed enrichment pipelines or write results to a database, while flat text leaves you free to decide what comes next, and the flags let you tune it to your workflow.
cariddi vs Photon and Katana
Photon is the obvious comparison: similar goals, different methods. It pulls out emails, links, files, and secrets, but it is written in Python, and on big target lists it is slow.
cariddi handles bulk better. You can push a lot of hosts through and get results faster, with no waiting.
Katana is the modern rival. It is also Go-based, and it is better at handling JavaScript-heavy apps: single-page applications are no problem, because headless browsing gives it an edge.
A key difference is how each handles different types of sites. Standard HTML sites and mixed estates are a good fit for cariddi, which offers fast and broad extraction. Modern single-page applications and sites requiring deeper coverage are better suited to Katana.
cariddi is faster and has a simpler pipeline. Photon still works, but it is slow. Katana owns JavaScript rendering. Cariddi extracts data from sites such as
Bug Bounty Workflow Applications
Cariddi Use Cases
Post-subdomain enumeration is where cariddi shines. httpx tells you what's live. cariddi shows what those live assets expose, and that's when your scope becomes attack surface.
Running cariddi with -s early on makes sense, as it finds high-value secrets such as JavaScript keys, leaked tokens, and credentials.
You then check the likely matches and skip the rest.
cariddi's output feeds other tools: ffuf, arjun, and nuclei all take endpoint lists. The stdin/stdout design makes integration seamless, with no manual reformatting needed. You crawl, then you test.
Limitations
The biggest limitation is simple: cariddi doesn't render JavaScript. Heavily client-side apps get incomplete coverage, and routes that only appear after browser execution are missed.
It's an active crawler. It generates HTTP requests, follows links, and shows up in logs. It's not for passive collection phases. Run it where active testing is allowed.
Secrets detection uses patterns, so false positives are common. Some findings are real credentials, while others are placeholders, public tokens, or random strings that happen to match a regex. Treat output as triage material.
For bug bounty hunters and pentesters, this trade-off is worth it. cariddi isn't perfect, but it's fast, composable, and useful. It earns a spot in the pipeline, and it works.
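As an added example, not code from the review or from cariddi itself, the script below covers two points made above: the JSON/deduplication use of -json output, and the caveat that secrets hits are triage material. It reads `cariddi -s -json` lines from stdin, emits one de-duplicated endpoint list for ffuf, arjun or nuclei, and collapses repeated secret hits into a short verification list with obvious placeholders dropped. The JSON field names, the placeholder heuristics and the sample lines are assumptions and constructed data, not cariddi's documented format.

```python
import json
# Constructed sample of `cariddi -s -json` output (one object per line, values made up). The field
# layout (url, matches.secrets[].name/.match) is an assumption about cariddi's JSON writer; verify it.
SAMPLE_LINES = [
    '{"url":"https://app.example.com/","matches":{"secrets":[]}}',
    '{"url":"https://app.example.com/static/app.js","matches":{"secrets":[{"name":"AWS Access Key","match":"AKIAQ7M2ZT9LP4XC8VWB"}]}}',
    '{"url":"https://app.example.com/static/app.js","matches":{"secrets":[{"name":"AWS Access Key","match":"AKIAQ7M2ZT9LP4XC8VWB"}]}}',
    '{"url":"https://app.example.com/api/v2/users?id=1","matches":{"secrets":[{"name":"Generic API Key","match":"YOUR_API_KEY_HERE"}]}}',
    '{"url":"https://app.example.com/docs/sdk.js#readme","matches":{"secrets":[{"name":"Generic API Key","match":"xxxxxxxxxxxxxxxxxxxx"}]}}',
]
PLACEHOLDER_HINTS = ("example", "your_", "xxxx", "changeme", "dummy", "placeholder", "sample")

def parse_records(lines):
    """Parse JSON lines; blank lines and non-JSON noise (banners, warnings) are skipped, not fatal."""
    records = []
    for line in filter(None, (ln.strip() for ln in lines)):
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            pass
    return records

def unique_endpoints(records):
    """Ordered, de-duplicated URLs (fragments dropped), ready to pipe into ffuf, arjun or nuclei."""
    urls = [(rec.get("url") or "").split("#", 1)[0] for rec in records]
    return list(dict.fromkeys(u for u in urls if u))

def is_placeholder(match):
    """Cheap filter for the usual regex false positives: documentation placeholders and low-entropy strings."""
    low = match.lower()
    return any(h in low for h in PLACEHOLDER_HINTS) or len(set(low)) <= 3

def triage_secrets(records):
    """One entry per (name, match) with a hit count and first URL; obvious placeholders are dropped."""
    found = {}
    for rec in records:
        for sec in (rec.get("matches") or {}).get("secrets") or []:
            name, match = sec.get("name", ""), sec.get("match", "")
            if not match or is_placeholder(match):
                continue
            entry = found.setdefault((name, match), {"name": name, "match": match, "first_url": rec.get("url", ""), "seen": 0})
            entry["seen"] += 1
    return list(found.values())

if __name__ == "__main__":
    import sys
    recs = parse_records(sys.stdin)
    sys.stdout.write("".join(u + "\n" for u in unique_endpoints(recs)))  # stdout: clean list for the next tool
    for s in triage_secrets(recs):  # stderr: the short list a human should actually verify
        print(f"[secret] {s['name']}: {s['match']} (seen {s['seen']}x, first at {s['first_url']})", file=sys.stderr)
```

Run it as `cariddi -s -json < live_hosts.txt | python3 triage.py > endpoints.txt`; the secrets summary goes to stderr so it never pollutes the endpoint list consumed downstream.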
This review reflects testing as of 2026-04-05. OSINT tools change frequently — check the vendor's current documentation for pricing and feature updates.