CSV Injection, also known as Formula Injection, happens when a website embeds untrusted input in CSV files it generates.
When a spreadsheet program, such as Microsoft Excel or LibreOffice Calc, is used to open a CSV file, any cells beginning with = are interpreted as a formula by the software. Maliciously designed formulae can be used for three different types of attacks:
- Exploiting vulnerabilities in spreadsheet software, such as CVE-2014-3524, to get access to the user’s computer.
- Hijacking the user’s machine by taking advantage of the user’s proclivity to disregard security warnings in spreadsheets downloaded from their own website.
- Extraction of data from a spreadsheet or other open spreadsheets.
This attack is difficult to mitigate and is explicitly excluded from scope by a number of bug bounty programs. To mitigate it, make sure that no cell starts with any of the following characters:
- Equals to (`=`)
- Plus (`+`)
- Minus (`-`)
- At (`@`)
- Tab (`0x09`)
- Carriage return (`0x0D`)
Keep in mind that simply ensuring that untrusted user input does not begin with these characters is insufficient. You must also be mindful of the field separator (e.g., `,` or `;`) and quotes (e.g., `'` or `"`), since attackers may use these to terminate the current cell and start a new one, so that the harmful character sits in the middle of the user input but at the beginning of a cell.
Alternatively, apply the following sanitization to each field of the CSV so that the spreadsheet editor reads the content as text:
- Wrap each cell field in double quotes.
- Prefix each cell field with a single quote.
- Escape each double quote inside the field with an additional double quote.
Two examples:
| Input | Escaped Output |
|---|---|
| `=1+2";=1+2` | `"'=1+2"";=1+2"` |
| `=1+2'" ;,=1+2` | `"'=1+2'"" ;,=1+2"` |
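The three-step sanitization above, together with the separator-and-quote caveat, as an added Python example that is not part of the original article. `naive_quote`, `build_row`, `parse_row` and `row_is_safe` are illustrative names, and Python's `csv` module stands in for the spreadsheet's CSV parser.

```python
import csv
import io

# Leading characters that spreadsheet software treats as the start of a
# formula (the list given in the text).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def starts_formula(cell: str) -> bool:
    """True if a parsed cell would be evaluated as a formula."""
    return cell.startswith(FORMULA_TRIGGERS)


def naive_quote(field: str) -> str:
    """Insecure 'before' version: wraps the field in double quotes but does
    not escape embedded quotes, so a quote in the input can end the cell."""
    return '"' + field + '"'


def sanitize_csv_field(field: str) -> str:
    """The three steps from the text: double every embedded double quote,
    prefix a single quote so the cell is read as text, and wrap the result
    in double quotes. Returns the raw text to write to the CSV file, so do
    not pass it through a writer that quotes a second time."""
    escaped = field.replace('"', '""')
    return '"\'' + escaped + '"'


def build_row(fields, quote=sanitize_csv_field, sep=",") -> str:
    """Join untrusted fields into one CSV line using the given quoting."""
    return sep.join(quote(f) for f in fields)


def parse_row(line: str, sep=",") -> list:
    """Parse one CSV line the way a spreadsheet would (RFC 4180 quoting),
    using Python's csv module as the reference parser."""
    return next(csv.reader(io.StringIO(line), delimiter=sep))


def row_is_safe(line: str, sep=",") -> bool:
    """Defender's invariant: no parsed cell may start with a trigger."""
    return not any(starts_formula(c) for c in parse_row(line, sep))


if __name__ == "__main__":
    # Constructed input: the payload does not begin with '=', but the
    # embedded quote and comma close the cell and open a new one that does.
    untrusted = ["alice", 'x",=1+2']
    for quoter in (naive_quote, sanitize_csv_field):
        line = build_row(untrusted, quoter)
        print(quoter.__name__, line, parse_row(line), row_is_safe(line))
```

With the naive quoting the third parsed cell is `=1+2"`, which a spreadsheet would evaluate; with the sanitized form every cell begins with the literal single quote and is read as text.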
The ZOFixer.com security scan helps find this vulnerability in your web application; you can use it by registering on the website and activating the 30-day trial.