A comprehensive penetration testing toolkit for OFX (Open Financial Exchange) servers
OFXpwn is a modular penetration testing framework designed specifically for security assessments of OFX (Open Financial Exchange) servers. Born from real-world pentesting needs, this tool addresses the gap in publicly available security testing tools for financial protocols.
OFX is a unified specification for the electronic exchange of financial data between financial institutions, businesses, and consumers via the Internet. It's used by applications like Quicken, QuickBooks, Microsoft Money, and GnuCash to download transactions and account information.
- Specialized: Purpose-built for OFX security testing
- Modular: Run individual tests or comprehensive scans
- Flexible: Config-driven with runtime overrides
- Comprehensive: Covers authentication, protocol fuzzing, info disclosure, and more
- Professional: Built by pentesters, for pentesters
### Authentication Testing
- Default credential bruteforce
- SQL/LDAP injection testing
- Username enumeration
- Parameter fuzzing (CLIENTUID, FID, ORG, APPID/APPVER)
- Rate limiting and account lockout detection
- Custom credential lists

### Protocol Security
- XXE (XML External Entity) attacks
- SGML/XML parser fuzzing
- Field overflow testing
- Encoding attacks

### Reconnaissance
- Version fingerprinting
- Capability discovery (PROFRQ)
- Account enumeration (ACCTINFORQ)
- Server enumeration
- Technology detection

### Exploitation
- IDOR (Insecure Direct Object Reference) testing
- SQL injection
- XSS testing
- Command injection
- Path traversal

### Infrastructure
- SSL/TLS assessment
- HTTP header analysis
- Directory enumeration
- Security misconfiguration detection
- Python 3.8 or higher
- pip package manager
- (Optional) Burp Suite or similar proxy for traffic analysis
```bash
# Clone the repository
git clone https://github.com/pect0ral/ofxpwn.git
cd ofxpwn

# Create virtual environment
python3 -m venv venv
source venv/bin/activate  # On Windows: venv\Scripts\activate

# Install dependencies
pip install -r requirements.txt

# Install ofxpwn
pip install -e .
```

```bash
# Verify the installation
ofxpwn --version
ofxpwn --help
```

```bash
# Copy example config
cp config.example.yaml myconfig.yaml

# Edit with your target details
nano myconfig.yaml
```

```bash
# List available modules
ofxpwn list

# Run reconnaissance
ofxpwn run recon/fingerprint --config myconfig.yaml

# Run authentication testing
ofxpwn run auth/default_creds --config myconfig.yaml

# Run everything (YOLO mode)
ofxpwn all --config myconfig.yaml
```

Results are saved to the output/ directory:

- output/logs/ - Detailed logs
- output/reports/ - Test results
- output/evidence/ - Request/response samples
OFXpwn is organized into five categories of security tests:
| Module | Description |
|---|---|
| auth/login | Test authentication with user-supplied credentials |
| auth/default_creds | Test common default credentials |
| auth/injection | SQL/LDAP injection in authentication fields |
| auth/bruteforce | Credential brute-force with wordlists |
| auth/param_fuzzer | Systematically fuzz auth parameters (CLIENTUID, FID, ORG, APPID/APPVER) |
| auth/rate_limiting | NEW: Test for rate limiting, account lockout, and brute force protection |

| Module | Description |
|---|---|
| recon/fingerprint | Server version detection and OFX version enumeration |
| recon/profile | Unauthenticated profile information disclosure (PROFRQ) |
| recon/accounts | NEW: Enumerate accessible accounts (ACCTINFORQ) |

| Module | Description |
|---|---|
| exploit/xxe | XML External Entity (XXE) vulnerability testing |
| exploit/idor | NEW: IDOR testing via account ID manipulation and access control bypass |

| Module | Description |
|---|---|
| fuzz/protocol | OFX protocol fuzzing with malformed requests |
| fuzz/fields | Field overflow and edge case testing |

| Module | Description |
|---|---|
| infra/ssl | SSL/TLS configuration and certificate assessment |
| infra/headers | HTTP security header analysis |
| infra/directories | Common directory and file enumeration |
```bash
# Test for default credentials
ofxpwn run auth/default_creds --config myconfig.yaml

# With runtime overrides
ofxpwn run auth/default_creds \
  --config myconfig.yaml \
  --target https://ofx.example.com/ofx \
  --proxy http://127.0.0.1:8080 \
  --org "MYORG" \
  --fid "12345"

# Test for XXE vulnerabilities
ofxpwn run exploit/xxe --config myconfig.yaml --output /tmp/xxe-test

# Fingerprint the server
ofxpwn run recon/fingerprint --config myconfig.yaml --verbose
```

```bash
# Run all authentication tests
ofxpwn scan --category auth --config myconfig.yaml

# Run all reconnaissance tests
ofxpwn scan --category recon --config myconfig.yaml

# Run all exploitation modules
ofxpwn scan --category exploit --config myconfig.yaml
```

```bash
# Run comprehensive security assessment
ofxpwn all --config myconfig.yaml

# With custom output directory
ofxpwn all --config myconfig.yaml --output /path/to/results

# Aggressive mode (faster, noisier)
ofxpwn all --config myconfig.yaml --aggressive
```

```bash
# Get help for specific commands
ofxpwn run --help
ofxpwn scan --help
ofxpwn all --help

# List available modules
ofxpwn list
ofxpwn list --category auth
```

OFXpwn uses YAML configuration files. See config.example.yaml for all options.
```yaml
# Target OFX server
target:
  url: "https://ofx.example.com/OFXServer/ofxsrvr.dll"
  org: "ORGNAME"
  fid: "12345"

# HTTP proxy (optional)
proxy:
  enabled: true
  url: "http://127.0.0.1:8080"
  verify_ssl: false

# Output settings
output:
  directory: "./output"
  save_requests: true
  save_responses: true

# Testing configuration
testing:
  max_threads: 50
  timeout: 30
  rate_limit: 0  # requests per second, 0 = unlimited
```

All config values can be overridden at runtime:
```bash
# The module is invoked through the run subcommand, as in the other examples
ofxpwn run auth/bruteforce \
  --target https://different.server.com/ofx \
  --proxy http://localhost:8080 \
  --threads 10 \
  --timeout 60
```

- Usage Guide - Detailed usage instructions
- Module Reference - Complete module documentation
- CLI Quick Reference - Command reference and examples
This tool was developed during a real-world penetration test of a financial system using the OFX protocol. I found a lack of comprehensive, modern security testing tools for OFX implementations and decided to create one to fill this gap.
- Security Innovation's 2018 OFX Direct Connect research
- OWASP Web Security Testing Guide
- Real-world penetration testing experience
- Community feedback and contributions
Research has shown that many OFX implementations suffer from:
- Lack of multi-factor authentication (especially OFX 1.x)
- Information disclosure through verbose errors
- XML-based attacks (XXE in OFX 2.x)
- Weak input validation
- Missing security headers
OFXpwn helps identify these and other security issues.
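Server-side hardening for the OFX 2.x XXE finding listed above, added here as an example and not part of OFXpwn or any OFX server: an expat pre-scan rejects any DOCTYPE or entity declaration before ElementTree builds the tree, since a legitimate OFX 2.x client never sends either. The sign-on request and its DOCTYPE variant are constructed samples (ORG/FID taken from the sample config).

```python
"""Defender-side parser for an OFX 2.x (XML) request body. OFX never needs a
DOCTYPE or entity declarations, which is where XXE and entity-expansion payloads
live, so they are rejected before the tree is built. Samples are constructed."""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeOfxRequest(ValueError):
    """Request carries XML constructs an OFX 2.x client never legitimately sends."""

def _reject_dtd(kind):
    # expat handler factory: any DOCTYPE or ENTITY declaration aborts the scan
    def handler(*_):
        raise UnsafeOfxRequest(f"{kind} declaration not permitted in OFX 2.x request")
    return handler

def parse_ofx2_request(body: bytes) -> ET.Element:
    """Return the <OFX> root element, or raise UnsafeOfxRequest / ExpatError."""
    # Pass 1: lexical scan with expat that aborts on the first DTD construct.
    scanner = xml.parsers.expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject_dtd("DOCTYPE")
    scanner.EntityDeclHandler = _reject_dtd("ENTITY")
    scanner.Parse(body, True)  # also raises ExpatError on malformed XML
    # Pass 2: the body is DTD-free, so ElementTree has nothing to expand.
    root = ET.fromstring(body)
    if root.tag != "OFX":
        raise UnsafeOfxRequest(f"unexpected root element {root.tag!r}")
    return root

def check_request(body: bytes) -> str:
    """Classify a request body as 'accepted' or 'rejected: <reason>'."""
    try:
        parse_ofx2_request(body)
    except UnsafeOfxRequest as exc:
        return f"rejected: {exc}"
    except (xml.parsers.expat.ExpatError, ET.ParseError) as exc:
        return f"rejected: malformed XML ({exc})"
    return "accepted"

# Constructed OFX 2.x sign-on request (ORG/FID taken from the sample config).
SAFE_REQUEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<?OFX OFXHEADER="200" VERSION="211" SECURITY="NONE" OLDFILEUID="NONE" NEWFILEUID="NONE"?>
<OFX><SIGNONMSGSRQV1><SONRQ><DTCLIENT>20240101120000</DTCLIENT>
<USERID>alice</USERID><USERPASS>hunter2</USERPASS><LANGUAGE>ENG</LANGUAGE>
<FI><ORG>ORGNAME</ORG><FID>12345</FID></FI><APPID>QWIN</APPID><APPVER>2700</APPVER>
</SONRQ></SIGNONMSGSRQV1></OFX>"""

# Same request with a harmless internal DTD prepended to the root element.
DOCTYPE_REQUEST = SAFE_REQUEST.replace(b"<OFX>", b'<!DOCTYPE OFX [ <!ENTITY d "x"> ]>\n<OFX>', 1)
```

The same pre-scan is worth logging as a detection signal: a DOCTYPE arriving at an OFX endpoint is never client traffic.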
- OFX Specification - Official OFX protocol documentation
- OFX Developer's Guide - Technical implementation guide
- Intuit FI Directory - Comprehensive list of financial institutions with their FID, ORG, and OFX endpoints. Extremely useful for identifying correct FID values during testing.
- Security Innovation: Your Bank's Digital Side Door - 2018 research on OFX Direct Connect vulnerabilities
- ofxpostern - Original OFX security scanner (inspiration for this tool)
IMPORTANT: This tool is designed for authorized security testing only.

Permitted:
- Authorized penetration tests with written permission
- Security research in controlled environments
- Educational purposes with proper lab setup
- Bug bounty programs that explicitly allow testing

Not permitted:
- Unauthorized access to systems
- Testing without explicit permission
- Any illegal or malicious activity
- Violating terms of service

You are responsible for obtaining proper authorization before testing any system.
We welcome contributions!
- Report bugs and issues via GitHub Issues
- Suggest new modules or features
- Improve documentation
- Submit pull requests
- Share your OFX testing experiences
```bash
# Fork and clone the repository
git clone https://github.com/yourusername/ofxpwn.git
cd ofxpwn

# Create virtual environment
python3 -m venv venv
source venv/bin/activate

# Install in development mode
pip install -e .
pip install pytest

# Run tests
pytest tests/
```

This project is licensed under the MIT License - see LICENSE file for details.
Mike Piekarski - pect0ral
Security Consultant at Breach Craft
- Security Innovation for their OFX research and ofxpostern tool
- The OFX specification authors
- Intuit for maintaining the financial institution directory
- The security research community
- All contributors to this project
This tool is provided "as-is" for educational and authorized testing purposes. The author is not responsible for any misuse or damage caused by this tool. Always obtain proper authorization before testing any system.
Created by Mike Piekarski | Breach Craft