CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files.
Details
The web application embeds untrusted user input inside the "Account ID" and "Account Name" fields; there are likely more fields that are vulnerable to this, however this is just an example. In this case a simple formula was used, but an attacker can use a malicious formula that might download a file from the internet and have it executed to gain access.
The following shows the CSV injection point:
Download the CSV:
Open the CSV file and observe the output:
Impact
When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells starting with '=' will be interpreted by the software as a formula. Maliciously crafted formulas can be used for three key attacks:
Hijacking the user's computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524
Hijacking the user's computer by exploiting the user's tendency to ignore security warnings in spreadsheets that they downloaded from their own website
Exfiltrating contents from the spreadsheet, or other open spreadsheets.
Recommendation
This attack is difficult to mitigate, and explicitly disallowed from quite a few bug bounty programs. To remediate it, ensure that no cells begin with any of the following characters:
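As an added illustration of the remediation described above (example code written for this page, not code from the reporter or the project), the exporter below neutralizes any cell whose first character would make a spreadsheet evaluate it as a formula. The trigger characters are assumed to be the ones in the OWASP CSV Injection guidance (=, +, -, @, tab, carriage return), since the list in the report itself did not survive on the page; plain signed numbers are left alone so numeric columns stay numeric.

```python
import csv
import io
import re

# Leading characters that Excel and LibreOffice Calc treat as the start of a
# formula. Assumption: this is the OWASP CSV Injection list; the report's own
# list is not present on the page.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# A plain signed decimal such as "-5" or "+3.25" is data, not a formula.
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")


def neutralize_cell(value):
    """Return the cell text made safe for a CSV that may be opened in a spreadsheet.

    A cell starting with a formula trigger gets a leading single quote, which
    spreadsheets display as literal text instead of evaluating. Values that
    are only a signed number are passed through unchanged.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS) and not PLAIN_NUMBER.fullmatch(text):
        text = "'" + text
    return text


def write_safe_csv(rows, header):
    """Serialize rows (list of dicts) to CSV text with every cell neutralized.

    csv.writer handles the RFC 4180 layer (quoting commas, quotes and newlines);
    the single-quote prefix handles the spreadsheet interpretation layer that
    the CSV format itself knows nothing about.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(row.get(col)) for col in header])
    return buf.getvalue()


# Constructed sample export: the "Account Name" cell is user-controlled and
# starts with '=' like the simple formula in the report; the "-5" balance shows
# that a legitimate negative number is not altered.
SAMPLE_ROWS = [
    {"Account ID": "1001", "Account Name": "=2+2", "Balance": "42"},
    {"Account ID": "1002", "Account Name": "Plain Name", "Balance": "-5"},
]

if __name__ == "__main__":
    print(write_safe_csv(SAMPLE_ROWS, ["Account ID", "Account Name", "Balance"]))
```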
Thanks for reporting this. After research and evaluation, the conclusion is that this is not a platform security issue.
CSV is a plain text format (the format is defined in RFC 4180) that has no active content, and may be imported and used by various other systems, not just spreadsheets. It is the client spreadsheet software (e.g. Excel, OpenOffice) that interprets the text values. For example, Excel will warn about executing commands. This is similar to the interpretation of the Google security team. If the export is meant specifically for spreadsheets, then the Excel format should be chosen instead of CSV.