Vulnerability scanner for OFX servers.

ofxpostern is a CLI tool which fingerprints an OFX service, describes its capabilities, and assesses its security.


ofxpostern is written in Python 3 with few external dependencies. It has only been tested on Linux.

  1. git clone
  2. cd ofxpostern
  3. pip install -r requirements.txt


./ [-f FID] [-o ORG] url


./ -o Cavion -f 11135

The Financial Identifier (FID) and Organization (ORG) are sometimes optional and sometimes required, depending on the Financial Institution.

A current list of public OFX servers is available at

Security Scan

A small number of security tests are implemented. All are done with anonymous credentials.

  • Check that TLS is required
  • Check for correct application/x-ofx content-type
  • Check for web server / framework version disclosure
  • Check for MFA support within the protocol
  • Check password policy
  • Check for username disclosure
  • Check for NULL return values
  • Check for Internal Server Error 500
  • Check for internal IP address disclosure
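
As an added example, not ofxpostern's own code, the following implements the passive subset of these checks over a single captured HTTP/OFX response: TLS use, content-type, version-disclosing headers, HTTP 500 and internal IP addresses in the body. The function names (parse_http_response, scan_response), the header list and the sample response are hypothetical and constructed for the example.

```python
import re
from dataclasses import dataclass

# Added example with hypothetical names, not ofxpostern's own code.
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")
# Response headers that commonly leak web server / framework versions
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

@dataclass
class OfxResponse:
    url: str
    status: int
    headers: dict  # header names lower-cased
    body: str

def parse_http_response(url, raw):
    """Split a raw HTTP response (status line, headers, blank line, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return OfxResponse(url, int(status_line.split()[1]), headers, body)

def scan_response(resp):
    """Passive checks over one OFX response; returns a list of findings."""
    findings = []
    if not resp.url.lower().startswith("https://"):
        findings.append("TLS not used for the OFX endpoint")
    ctype = resp.headers.get("content-type", "")
    if not ctype.lower().startswith("application/x-ofx"):
        findings.append(f"unexpected content-type: {ctype or '<missing>'}")
    for name in VERSION_HEADERS:
        value = resp.headers.get(name)
        if value and re.search(r"\d", value):  # a version number is present
            findings.append(f"version disclosure in {name}: {value}")
    if resp.status == 500:
        findings.append("HTTP 500 Internal Server Error")
    for ip in sorted(set(PRIVATE_IP.findall(resp.body))):
        findings.append(f"internal IP address disclosed: {ip}")
    return findings

# Constructed sample response (not captured from a real OFX server)
SAMPLE_RAW = ("HTTP/1.1 500 Internal Server Error\r\n"
              "Server: Apache/2.4.41 (Ubuntu)\r\n"
              "Content-Type: text/html\r\n\r\n"
              "<html>Connection to 10.0.0.5:8080 refused</html>")
```

Calling scan_response(parse_http_response("http://ofx.example.test/ofx", SAMPLE_RAW)) reports all five findings for the constructed sample; a well-behaved HTTPS endpoint returning application/x-ofx yields an empty list.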


Within the script, the cache global variable can be enabled to store text copies of all OFX protocol responses in $HOME/.ofxpostern/.
