{"id":13840805,"url":"https://github.com/dsopas/rfd-checker","last_synced_at":"2025-07-11T09:33:13.914Z","repository":{"id":57541126,"uuid":"128742116","full_name":"dsopas/rfd-checker","owner":"dsopas","description":"RFD Checker - security CLI tool to test Reflected File Download issues","archived":false,"fork":false,"pushed_at":"2019-02-26T16:48:28.000Z","size":26,"stargazers_count":61,"open_issues_count":0,"forks_count":19,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-08-05T17:25:54.252Z","etag":null,"topics":["bugbounty","golang","infosec","pentest","rfd","security"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dsopas.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-04-09T08:49:05.000Z","updated_at":"2024-03-26T20:17:24.000Z","dependencies_parsed_at":"2022-09-18T00:00:46.463Z","dependency_job_id":null,"html_url":"https://github.com/dsopas/rfd-checker","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dsopas%2Frfd-checker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dsopas%2Frfd-checker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dsopas%2Frfd-checker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dsopas%2Frfd-checker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dsopas","download_url":"https://codeload.github.com/dsopas/rfd-checker/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225712721,"owners_count":17512466,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbounty","golang","infosec","pentest","rfd","security"],"created_at":"2024-08-04T17:00:56.256Z","updated_at":"2024-11-21T10:30:46.767Z","avatar_url":"https://github.com/dsopas.png","language":"Go","funding_links":[],"categories":["Go","Go (531)"],"sub_categories":[],"readme":"RFD Checker\n===========\n[![GPL3](https://camo.githubusercontent.com/268d96c6dd81f1fff98b19675ef5867412a2a223/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6c6963656e73652d47504c332d627269676874677265656e2e7376673f7374796c653d666c61742d737175617265)](https://github.com/dsopas/rfd-checker/blob/master/LICENSE.md) [![Go Report Card](https://goreportcard.com/badge/github.com/dsopas/rfd-checker)](https://goreportcard.com/report/github.com/dsopas/rfd-checker)\n\nCommand line security tool to check whether a given URL is vulnerable to RFD -\nReflected File Download. This tool was developed by David Sopas [@dsopas][1]\nand Paulo Silva [@pauloasilva_com][2] with the main purpose of validating and\nautomating the search for the RFD web attack vector.\n\n## Usage\n\n```\n$ rfd-checker -h\nRFD Checker (by @dsopas and @pauloasilva_com)\n\nUsage: rfd-checker -target=URL\nOptions:\n  -header value\n        Request header e.g. \"Cookie: SESSID=a16fb\"\n  -target string\n        Target URL\n  -h --help\n        Prints this help\n```\n\n### Examples\n\n```shell\n$ go run rfd-checker.go -target=\"https://0xhack.com/webminar_rfd/json.php?callback=jQuery\" -header=\"User-Agent: RFD-Checker\" -header=\"Cookie: PHPSESSID=123\"\nTarget URL: https://0xhack.com/webminar_rfd/json.php?callback=jQuery\nPermissive query parameters: callback\nPermissive URL: https://0xhack.com/webminar_rfd/json.php.bat?callback=jQuery\n```\n\n* Permissive query parameteres: a comma separated list of permissive query\n  string parameters\n* Permissive URL: \"no\" if the URL is not permissive, otherwise computed URL\n  (e.g. https://0xhack.com/webminar_rfd/json.php.bat?callback=jQuery)\n\nIf you want to test a batch of URLs, exported from Burp, for example, you can\nplace them, one per line, on a text file and run\n\n```shell\n$ cat inputs.txt | xargs -I url go run ./rfd-checker.go -target=url\n``` \n\nOr\n\n```shell\n$ cat inputs.txt | xargs -I url ./rfd-checker -target=url\n```\n\n![RFD checker diagram](https://0xhack.com/rfd_checker.png)\n\n## Build\n\n```\n$ go build rfd-checker.go\n```\n\n## Resources\n\n* [Reflected File Download - A New Web Attack Vector][3]\n* [Reflected File Download Cheat Sheet][4]\n* [Practical Reflected File Download and JSONP][5]\n* [RFD: Still Threatening the Biggest Names on the Web][6]\n\n[1]: https://www.twitter.com/dsopas\n[2]: https://www.twitter.com/pauloasilva_com\n[3]: https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf\n[4]: https://www.davidsopas.com/reflected-file-download-cheat-sheet/\n[5]: http://blog.davidvassallo.me/2014/11/02/practical-reflected-file-download-and-jsonp/\n[6]: https://info.checkmarx.com/resources/webinars/rfd-still-threatening-the-biggest-names-web-on-demand?hsCtaTracking=70be984d-c6b2-4eb6-a280-32ac7aa6a520%7C17df43d5-14db-4b83-ad12-09f16270754f\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdsopas%2Frfd-checker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdsopas%2Frfd-checker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdsopas%2Frfd-checker/lists"}