Vulnerability scanner for OFX servers.
ofxpostern is a CLI tool which fingerprints an OFX service, describes its capabilities, and assesses its security.
ofxpostern is written in Python 3 with few external dependencies. It has only been tested on Linux.
git clone [email protected]:sdann/ofxpostern.gitcd ofxposternpip install -r requirements.txt
./ofxpostern.py [-f FID] [-o ORG] url
Example:
./ofxpostern.py -o Cavion -f 11135 https://ofx.lanxtra.com/ofx/servlet/Teller
The Financial Identifer (FID) and Organization (ORG) are sometimes optional, sometimes required depending on the Financial Institution.
A current list of public OFX servers is available at https://ofxhome.com/.
A small number of security tests are implemented. All are done with anonymous credentials.
- Check that TLS is required
- Check for correct application/x-ofx content-type
- Check for web server / framework version disclosure
- Check for MFA support within the protocol
- Check password policy
- Check for username disclosure
- Check for NULL return values
- Check for Internal Server Error 500
- Check for internal IP address disclosure
Within the ofxpostern.py script the cache global variable can be enabled to store text copies of all OFX protocol responses to $HOME/.ofxpostern/.