ofxpostern is a CLI tool which fingerprints an OFX service, describes its capabilities, and assesses its security.


ofxpostern is written in Python 3 with few external dependencies. It has only been tested on Linux.

  1. git clone
  2. cd ofxpostern
  3. pip install -r requirements.txt


./ [-f FID] [-o ORG] url


./ -o Cavion -f 11135

Whether the Financial Identifier (FID) and Organization (ORG) are optional or required depends on the Financial Institution.

A current list of public OFX servers is available at

Security Scan

A small number of security tests are implemented. All of them run with anonymous credentials.

  • Check that TLS is required
  • Check for correct application/x-ofx content-type
  • Check for web server / framework version disclosure
  • Check for MFA support within the protocol
  • Check password policy
  • Check for username disclosure
  • Check for NULL return values
  • Check for HTTP 500 Internal Server Error responses
  • Check for internal IP address disclosure
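To make these checks concrete, here is an added Python example (not ofxpostern's own code) that applies several of them to a single captured exchange: the response status, headers and body are passed in as plain values so it runs offline against the constructed sample at the bottom. The SIGNONINFO tag names are those of the OFX profile response; the sample headers, body and private address are invented, and the TLS check assumes the caller records the scheme the server actually answered on.

```python
import re
# RFC 1918 ranges; any match in a response body is an internal IP disclosure finding.
PRIVATE_IP_RE = re.compile(r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
                           r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# SIGNONINFO fields of the OFX profile response that describe password policy and MFA support.
POLICY_TAGS = ("MIN", "MAX", "CHARTYPE", "CASESEN", "SPECIAL", "SPACES", "MFACHALLENGESUPT")

def assess_response(url, status, headers, body):
    """Passive transport/server checks over one captured OFX exchange; returns finding strings."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings = []
    if not url.lower().startswith("https://"):
        findings.append("TLS not required: server answered over plain HTTP")
    ctype = hdrs.get("content-type", "")
    if ctype.split(";")[0].strip().lower() != "application/x-ofx":
        findings.append(f"wrong content-type: {ctype or '<missing>'}")
    for h in VERSION_HEADERS:  # a bare product name is tolerated; a version number is a disclosure
        if h in hdrs and re.search(r"\d+\.\d+", hdrs[h]):
            findings.append(f"version disclosure in {h}: {hdrs[h]}")
    if status == 500:
        findings.append("HTTP 500 Internal Server Error")
    for ip in sorted(set(PRIVATE_IP_RE.findall(body))):
        findings.append(f"internal IP address disclosed: {ip}")
    return findings

def signon_policy(body):
    """Extract policy fields from SIGNONINFO; OFX 1.x SGML value tags carry no closing tag."""
    m = re.search(r"<SIGNONINFO>(.*?)</SIGNONINFO>", body, re.S)
    if not m:
        return {}
    found = {tag: re.search(rf"<{tag}>([^<\r\n]+)", m.group(1)) for tag in POLICY_TAGS}
    return {tag: t.group(1).strip() for tag, t in found.items() if t}

def policy_findings(policy):
    """Turn SIGNONINFO fields into password-policy and MFA findings."""
    out = []
    if policy.get("MIN", "").isdigit() and int(policy["MIN"]) < 8:
        out.append(f"short minimum password length: {policy['MIN']}")
    if policy.get("CASESEN") == "N":
        out.append("passwords are case-insensitive")
    if policy.get("MFACHALLENGESUPT") != "Y":
        out.append("no MFA challenge support advertised")
    return out

# Constructed sample exchange (not captured from any real institution).
SAMPLE_HEADERS = {"Content-Type": "text/html", "Server": "Apache/2.4.41", "X-Powered-By": "PHP/7.4.3"}
SAMPLE_BODY = ("<OFX><PROFMSGSRSV1><PROFTRNRS><PROFRS><SIGNONINFOLIST><SIGNONINFO><MIN>4<MAX>12"
               "<CHARTYPE>ALPHAORNUMERIC<CASESEN>N<SPECIAL>N<SPACES>N<MFACHALLENGESUPT>N</SIGNONINFO>"
               "</SIGNONINFOLIST><FINAME>Example FI (host 10.20.30.40)</FINAME></PROFRS></PROFTRNRS></PROFMSGSRSV1></OFX>")
```

Running assess_response on the sample with an http:// URL and status 200 yields five findings (plain HTTP, wrong content-type, two version headers, one private address), and policy_findings reports the short minimum length, case-insensitive passwords and absent MFA support.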


Within the script, the cache global variable can be enabled to store text copies of all OFX protocol responses under $HOME/.ofxpostern/.