whatisgithub

What is doifans-dl?

sophomoresty/doifans-dl — explained in plain English

Analysis updated 2026-05-18

44PythonAudience · researcherComplexity · 2/5Setup · moderate

In one sentence

A command line tool that exploits security flaws in a paid video site to download any creator's videos without paying for a subscription.

Mindmap

mindmap
  root((doifans-dl))
    What it does
      Downloads paid videos
      Bypasses paywall
      Targets doifans.vip
    Method
      Forges Stripe webhook
      Bypasses login WAF
      Scrapes video URLs
    Tech stack
      Python CLI
      HTTP or SOCKS5 proxy
    Use cases
      Security research
      Vulnerability disclosure
    Audience
      Security researchers
      Python developers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Download all videos from a specific creator's page on doifans.vip without paying.

USE CASE 2

List video URLs in JSON format to feed into a separate download manager like aria2.

USE CASE 3

Check connectivity to the target site through an HTTP or SOCKS5 proxy before downloading.

What is it built with?

Python

How does it compare?

sophomoresty/doifans-dlajay150313/agentsre-langchaininfiniumtek/terraform-review-agent
Stars444444
LanguagePythonPythonPython
Setup difficultymoderateeasymoderate
Complexity2/52/53/5
Audienceresearcherdeveloperops devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Needs a stable HTTP or SOCKS5 proxy since the target site is behind Cloudflare.

So what is it?

doifans-dl is a command line tool written in Python that downloads videos from doifans.vip, a paid subscription video site built on OnlyFans style software. Instead of paying for a subscription, this tool uses several security weaknesses in the site to unlock a creator's full video catalog for free. The README explains the method step by step. First the tool sends a fake payment confirmation to the site's Stripe webhook endpoint, which has no signature check, so it credits money to a wallet without any real transaction taking place. It then logs in by sending the login request with a JSON content type, which gets around the site's web application firewall. With wallet funds in place, it buys a monthly subscription to any creator's page. Once subscribed, it reads the creator's page and its pagination endpoint to collect every video link, then downloads each file directly, since the server does not check permissions on the video files themselves. To use it, a person installs the package with pip, then runs a single command with the creator's username, optionally through an HTTP or SOCKS5 proxy since the site sits behind Cloudflare. Videos already downloaded are skipped automatically, and a list only mode can print the video links as JSON without downloading, for use with other download tools. The README also lists several additional weaknesses in the site that the tool does not use, including a debug mode that exposes source code, an open log file with password hashes and emails, and a way to modify account fields directly. The project requires Python 3.10 or newer and no personal account, since the credentials it uses are built in. The README states the tool is meant for education and authorized security research and that the site may patch these issues or go offline at any time, which would break the tool. There is no information about a formal license for this project.

Copy-paste prompts

Prompt 1
Explain the Stripe webhook forgery technique used in doifans-dl and why signature verification would prevent it.
Prompt 2
Walk me through the WAF bypass technique in doifans-dl and how a JSON content type evades the filter.
Prompt 3
Summarize the security vulnerabilities described in this README that a site owner should patch first.
Prompt 4
Show me how doifans-dl's video URL scraping method works, for understanding site security.

Frequently asked questions

What is doifans-dl?

A command line tool that exploits security flaws in a paid video site to download any creator's videos without paying for a subscription.

What language is doifans-dl written in?

Mainly Python. The stack also includes Python.

How hard is doifans-dl to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is doifans-dl for?

Mainly researcher.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.