CSV Injection

CSV/Formula Injection occurs when websites embed untrusted input inside CSV files. This often occurs when a user has write access over a data entry that can be exported by a manager or administrator of the application. An attacker can craft a malicious formula to redirect the user to a phishing site or execute a reverse shell on the system.

Testing

Input one of the following formulas into an exported field and download the document to see if it executes successfully.

# Simple payload to confirm the existence of CSV Injection
=1336+1

# Insert an arbitrary link into the document.
=HYPERLINK("https://parzival.sh")

# Spawn calc.exe, this will require security settings disabled in Excel.
=cmd|' /C calc'!xxx

Mitigations

One of the most basic recommendations to remediate CSV Injection, ensure that no cells begin with any of the following characters:

• Equals to (=)

• Plus (+)

• Minus (-)

• At (@)

• Tab (0x09)

• Carriage return (0x0D)

It is recommended to reference the article provided by OWASP on mitigating CSV Injection to completely remediate this vulnerability. It should also be noted that this attack can often times be difficult to mitigate.

Considerations

Often times CSV Injection is not seen as a major issue as many bug bounty programs define this vulnerability as being out of scope for reward. Often times this is due to the fact that there is minimal impact with modern day protections, and also many vendors see this as an issue with Microsoft rather than their application:

In consequence, this issue should be mitigated by applications which import/interpret data from external sources such as CSV files, as e.g. Microsoft Excel does by displaying a warning. In other words, the proper fix should be applied when opening CSV files, not when when creating them.

CSV formula injection | Google Bug HuntersGoogleVRP

References

CSV Injection | OWASP Foundationowasp.org

Web Application Security, Testing, & Scanning - PortSwiggerportswigger.net