
Difference between revisions of "CSV Injection"

(Created page with "CSV Excel Macro Injection also known as CEMI. Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many use...")
 
(rewrite and add relevant links)
Line 1: Line 1:
CSV Excel Macro Injection also known as CEMI.
+
CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files.
  
Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many users choose to open the CSV file in either Excel,Libre Office or Open Office.
+
When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells starting with '=' will be interpreted by the software as a formula. Maliciously crafted formulas can be used for three key attacks:
When a web application does not properly validate the contents of the CSV file, it could lead to contents of a cell or many cells being executed.
+
* Hijacking the user's computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524
 +
* Hijacking the user's computer by exploiting the user's tendency to ignore security warnings in spreadsheets that they downloaded from their own website
 +
* Exfiltrating contents from the spreadsheet, or other open spreadsheets.
  
More info, probably first report of its kind:
+
This attack is difficult to mitigate, and explicitly disallowed from quite a few bug bounty programs. To remediate it, ensure that no cells begin with any of the following characters:
*[https://hackerone.com/reports/72785 CSV Injection Hackerone]
+
* Equals  to ("=")
*[http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/ CSV Vulnerabilities]
+
* Plus ("+")
 +
* Minus ("-")
 +
* At ("@")
  
This attack exploits the trust of the user in two ways:
+
For further information, please refer to the following articles:
1. The user trusts the site that the content is coming from.
+
 
2. The user assumes that it is only a csv file and that it won't contain functions or macro's and won't care about any warnings from Excel about potential malicious
+
*[https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/ Comma Separated Vulnerabilities]
functionality in the file.
+
*[https://www.youtube.com/watch?v=SC7AkclnG2g Video showing CSV Injection against Piwik]
 +
*[http://georgemauer.net/2017/10/07/csv-injection.html Stealing Google Docs via CSV Injection]
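Review bot: the rewrite silently drops the HackerOne report link ([https://hackerone.com/reports/72785 CSV Injection Hackerone]) that the previous revision introduced as "probably first report of its kind"; consider keeping it in the new "For further information" list alongside the contextis, YouTube and georgemauer.net links. The same applies to the old alias "CSV Excel Macro Injection (CEMI)", which readers may still search for and which could sit next to "Formula Injection" in the opening sentence. In the remediation paragraph, "ensure that no cells begin with any of the following characters" names the dangerous prefixes but not what the application should do with such input (reject it, or neutralise it on export); one sentence on that would make the list actionable.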

Revision as of 16:03, 26 October 2017

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files.

When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells starting with '=' will be interpreted by the software as a formula. Maliciously crafted formulas can be used for three key attacks:

  • Hijacking the user's computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524
  • Hijacking the user's computer by exploiting the user's tendency to ignore security warnings in spreadsheets that they downloaded from their own website
  • Exfiltrating contents from the spreadsheet, or other open spreadsheets.

This attack is difficult to mitigate, and many bug bounty programs explicitly exclude it from scope. To remediate it, ensure that no cells begin with any of the following characters:

  • Equals ("=")
  • Plus ("+")
  • Minus ("-")
  • At ("@")
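One way to apply the rule above on the export path, as an added example that is not part of the OWASP page: string cells whose first character is one of the four listed prefixes are neutralised with a leading single quote (a force-text marker spreadsheets honour; that quote prefix is this example's choice, not a step the page states), numeric values pass through untouched, and an audit helper reports any cell in an existing CSV that still starts with a formula prefix. Function names and the sample rows are constructed for this example.

```python
import csv
import io
from typing import Iterable, List, Sequence, Tuple

# Cell prefixes this page lists as turning a cell into a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@")

def sanitize_cell(value):
    """Numbers pass through (a genuine -3 is not untrusted text); strings that
    start with a formula prefix get a leading single quote, a force-text marker
    spreadsheets honour (this example's chosen mitigation, not stated on the page)."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    text = str(value)
    return "'" + text if text.startswith(FORMULA_PREFIXES) else text

def write_safe_csv(rows: Iterable[Sequence]) -> str:
    """Serialise rows to CSV text, sanitising every cell on the way out."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()

def _looks_numeric(cell: str) -> bool:
    try:
        float(cell)
        return True
    except ValueError:
        return False

def find_formula_cells(csv_text: str) -> List[Tuple[int, int, str]]:
    """Audit an existing CSV: (row, col, cell) for each cell that starts with
    a formula prefix, ignoring plain numbers such as -3 or +1.5."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_PREFIXES) and not _looks_numeric(cell):
                hits.append((r, c, cell))
    return hits

# Constructed sample export; "name" and "phone" hold user-supplied text.
SAMPLE_ROWS = [
    ["id", "name", "phone", "balance"],
    [1, "=1+1", "+44 20 7946 0000", -3],
    [2, "@alice", "01234", 12.5],
]
```

Note that a legitimate phone number stored as text ("+44 ...") is quoted too; if that is unacceptable, validate such fields against their expected format before export rather than weakening the prefix check.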

For further information, please refer to the following articles: