RFD Checker - security CLI tool to test Reflected File Download issues

RFD Checker

GPL3 Go Report Card

Command-line security tool to check whether a given URL is vulnerable to RFD (Reflected File Download). This tool was developed by David Sopas @dsopas and Paulo Silva @pauloasilva_com with the main purpose of validating and automating the search for the RFD web attack vector.


$ rfd-checker -h
RFD Checker (by @dsopas and @pauloasilva_com)

Usage: rfd-checker -target=URL
  -header value
        Request header e.g. "Cookie: SESSID=a16fb"
  -target string
        Target URL
  -h --help
        Prints this help


$ go run rfd-checker.go -target="" -header="User-Agent: RFD-Checker" -header="Cookie: PHPSESSID=123"
Target URL:
Permissive query parameters: callback
Permissive URL:

To test a batch of URLs (exported from Burp, for example), place them one per line in a text file and run:

$ cat inputs.txt | xargs -I url go run ./rfd-checker.go -target=url


$ cat inputs.txt | xargs -I url ./rfd-checker -target=url
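A read-loop variant of the batch run with a triage filter over its output, as an added example that is not part of the RFD Checker project. It assumes each result starts with a `Target URL:` line and that findings appear on a `Permissive query parameters:` line, as in the sample run above; `rfd_batch`, `rfd_triage`, `RFD_CHECKER` and the example.test URLs are names constructed for illustration.

```sh
#!/bin/sh
# rfd_batch FILE: run the checker once per unique, non-blank, non-comment line.
# A read loop passes each URL through verbatim; xargs -I would treat quotes and
# backslashes in the input as its own quoting.
# RFD_CHECKER (assumed name) selects the command; default is the built binary.
rfd_batch() {
    grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$1" | sort -u |
    while IFS= read -r target; do
        "${RFD_CHECKER:-./rfd-checker}" -target="$target" </dev/null 2>&1
    done
}

# rfd_triage: read checker output on stdin and print "URL<TAB>parameters"
# only for targets that reported at least one permissive parameter.
rfd_triage() {
    awk '
        /^Target URL:/ {
            url = $0
            sub(/^Target URL:[ \t]*/, "", url)
            next
        }
        /^Permissive query parameters:/ {
            params = $0
            sub(/^Permissive query parameters:[ \t]*/, "", params)
            if (url != "" && params != "") printf "%s\t%s\n", url, params
        }
    '
}

# Constructed sample output (placeholder hosts, not real scan results).
sample_output() {
    cat <<'EOF'
Target URL: https://example.test/api/search?q=a&callback=cb
Permissive query parameters: callback
Permissive URL: https://example.test/placeholder
Target URL: https://example.test/static/logo.png
Target URL: https://example.test/api/user?id=1&jsonp=x
Permissive query parameters: jsonp
EOF
}

# Usage: rfd_batch inputs.txt | rfd_triage > findings.tsv
```

The resulting TSV lists only the endpoints that need a fix or a retest, which keeps a large Burp export reviewable.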

[Figure: RFD checker diagram]


$ go build rfd-checker.go

