CSV Injection
CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells starting with = will be interpreted by the software as a formula.
Such vulnerabilities can lead to the following issues:
- Hijacking the user’s computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524.
- Hijacking the user’s computer by exploiting the user’s tendency to ignore security warnings in spreadsheets that they downloaded from their own website.
- Exfiltrating contents from the spreadsheet, or other open spreadsheets.
One such example is where the application captures data and stores it directly without sanitizing inputs.
In this application, the protection mechanism is reading the first letter and if it has any of the following such as
There by phishing a victim into giving a shell if popped a CMD.
In this application, the protection mechanism is reading the first letter and if it has any of the following such as
- Equals to (=)
- Plus (+)
- Minus (-)
- At (@)
- Tab (0x09)
- Carriage return (0x0D)
There by phishing a victim into giving a shell if popped a CMD.
