RFD Checker

Command line security tool to check whether a given URL is vulnerable to RFD - Reflected File Download. This tool was developed by David Sopas @dsopas and Paulo Silva @pauloasilva_com with the main purpose of validating and automating the search for the RFD web attack vector.

Usage

$ rfd-checker -h
RFD Checker (by @dsopas and @pauloasilva_com)

Usage: rfd-checker -target=URL
Options:
  -header value
        Request header e.g. "Cookie: SESSID=a16fb"
  -target string
        Target URL
  -h --help
        Prints this help

Examples

$ go run rfd-checker.go -target="https://0xhack.com/webminar_rfd/json.php?callback=jQuery" -header="User-Agent: RFD-Checker" -header="Cookie: PHPSESSID=123"
Target URL: https://0xhack.com/webminar_rfd/json.php?callback=jQuery
Permissive query parameters: callback
Permissive URL: https://0xhack.com/webminar_rfd/json.php.bat?callback=jQuery

• Permissive query parameteres: a comma separated list of permissive query string parameters
• Permissive URL: "no" if the URL is not permissive, otherwise computed URL (e.g. https://0xhack.com/webminar_rfd/json.php.bat?callback=jQuery)

If you want to test a batch of URLs, exported from Burp, for example, you can place them, one per line, on a text file and run

$ cat inputs.txt | xargs -I url go run ./rfd-checker.go -target=url

Or

$ cat inputs.txt | xargs -I url ./rfd-checker -target=url

Build

$ go build rfd-checker.go

Resources

• Reflected File Download - A New Web Attack Vector
• Reflected File Download Cheat Sheet
• Practical Reflected File Download and JSONP
• RFD: Still Threatening the Biggest Names on the Web