What is CSV Injection Vulnerability?

CSV Injection, also known as Formula Injection, occurs when a website embeds untrusted input in a CSV file it generates.

When a spreadsheet program such as Microsoft Excel or LibreOffice Calc opens a CSV file, any cell beginning with = is interpreted as a formula. Maliciously crafted formulae can be used for three different kinds of attack:

  • Exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524, to gain access to the user's computer.
  • Hijacking the user's machine by exploiting the user's tendency to dismiss security warnings in spreadsheets downloaded from their own website.
  • Exfiltrating data from the spreadsheet, or from other spreadsheets that are open at the same time.

This attack is difficult to prevent and is explicitly excluded from scope by a number of bug bounty programs. To mitigate it, make sure that no cell starts with any of the following characters:

  • Equals to (=)
  • Plus (+)
  • Minus (-)
  • At (@)
  • Tab (0x09)
  • Carriage return (0x0D)

Keep in mind that simply ensuring that untrusted user input does not begin with these characters is insufficient. You must also be mindful of the field separator (e.g., ',' or ';') and the quote characters (e.g., ' or "), since an attacker can use these to terminate the current cell and start a new one, placing the harmful character in the middle of the user input but at the beginning of a cell.

Alternatively, apply the following sanitization to each field of the CSV so that the spreadsheet program reads its content as text:

  • Wrap each cell field in double quotes.
  • Prefix each cell field with a single quote (').
  • Escape every double quote inside the field by doubling it ("").

Two examples:

  Input             Escaped Output
  =1+2";=1+2        "'=1+2"";=1+2"
  =1+2'" ;,=1+2     "'=1+2'"" ;,=1+2"
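The following Python is an added worked example, not code from the article or from ZOFixer. It implements the three sanitization rules above as escape_csv_field(), reproduces the two rows of the table, and uses a constructed sample value (alice",=1+2) to show why the leading-character check alone is not enough: in a naively joined row the embedded quote and separator open a new cell that begins with =, whereas after escaping the same value stays in a single text cell. The csv module is used to read the rows back the way a spreadsheet importer would.

```python
import csv
import io

# Leading characters that make Excel / LibreOffice Calc treat a cell as a
# formula (the list from the article: =, +, -, @, tab, carriage return).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def starts_with_formula_trigger(value: str) -> bool:
    """True if this raw value, placed at the start of a cell, is parsed as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def escape_csv_field(value: str) -> str:
    """Apply the article's three rules to one field:
    1. prefix with a single quote, so the spreadsheet reads the cell as text,
    2. double every embedded double quote,
    3. wrap the whole field in double quotes."""
    body = "'" + value.replace('"', '""')
    return '"' + body + '"'


def to_safe_csv_row(fields, separator=",") -> str:
    """Join escaped fields into one CSV record."""
    return separator.join(escape_csv_field(f) for f in fields)


def naive_csv_row(fields, separator=",") -> str:
    """The unsafe pattern: raw values joined with the separator, no quoting."""
    return separator.join(fields)


def parse_row(line: str, separator=",") -> list:
    """Read one record back as a spreadsheet importer would
    (quoted fields, doubled quotes inside quoted fields)."""
    return next(csv.reader(io.StringIO(line), delimiter=separator))


def formula_cells(line: str, separator=",") -> list:
    """Return the parsed cells of a record that a spreadsheet would treat as formulas."""
    return [cell for cell in parse_row(line, separator)
            if starts_with_formula_trigger(cell)]


if __name__ == "__main__":
    # Constructed sample value: passes the leading-character check, but carries
    # a quote and a separator that can split the cell when written naively.
    hostile = 'alice",=1+2'
    print("prefix check passes:", not starts_with_formula_trigger(hostile))

    unsafe = naive_csv_row([hostile, "ok"])
    print("naive row :", unsafe, "->", parse_row(unsafe))
    print("  formula cells:", formula_cells(unsafe))

    safe = to_safe_csv_row([hostile, "ok"])
    print("escaped row:", safe, "->", parse_row(safe))
    print("  formula cells:", formula_cells(safe))

    # The two rows of the article's table
    for raw in ('=1+2";=1+2', "=1+2'\" ;,=1+2"):
        print(repr(raw), "->", escape_csv_field(raw))
```

Note that the escaping is applied per field and is independent of the separator, so the same function is correct whether the file uses ',' or ';'; only parse_row() needs to know the delimiter.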

The ZOFixer.com security scan helps you find this vulnerability in your web application; you can use it by registering on our website and activating the 30-day trial.
