What is CSV Injection?
By Vedant Jain
The Full form of CSV is Comma Separated Values which basically used for storing data in form Tables (Columns & Rows) in the plain text format.
An overview of CSV Injection commonly known as formula Injection comes when websites embedded untrusted input inside CSV files a lot times these formulas are caused because of certain characters are allowed with in outputting of CSV files these characters are +, -, =, @
A lot of times when applications open CSV files containing formulas upon opening the formula does get executed so an attacker at times could utilize this to execute malicious code or even launch or perform various applications.
As an example, here is an online payment website in which we already have a transaction that has been made here but just for kind of demonstration purposes we can see the we have the option here in the upper right-hand corner to edit the customers details.
Now we are able to insert a malicious formula into the first name field of this customer. So, in this malicious code we are inserting the Equal Sign (=) CMD with pipe (|) is basically stating where we are going to executing a command here and this command specifically is going to execute the calc.exe which is basically the Calculator Application. That’s really in Windows essence that’s a calculator application.
We are able to save the data successfully that is malicious formula as the customers first name here.
In this Demo application it does allow for a user to export the transactions to a CSV file so obviously if we are able to save the customers first name with that malicious formula successfully and we export there transactions it the customers first name does get exported into the CSV we potentially could have an opportunity here were once the CSV file downloaded and open in like Microsoft excel this formula could get executed and allowing us to execute applications on the windows.
So now we did open the downloaded CSV file in the Microsoft excel does prompt the user to that there is some formulas within this file that it did not know what it might do but does prompt the user to say that there is potentially could be something malicious here. It only click yes to execute if we know exactly what is going on within the CSV file. Microsoft Excel here is trying to help the end-user prevent from the malicious code form actually being executed.
We go ahead and Click yes we can see here my calculator has executed Successfully and run due to the formula that was exported in the First Name of the online payment application.
How to Mitigate CSV Injection?
There are some ways that end-user/companies can actually mitigate this issue now.
We need to determine that our application produce import and export any sort of CSV files and essentially looking at the content that is going to be exported into those CSV files and there are some way to prevent any sort of CSV injection or formula Injection.
- Whitelisting Various Input Validation: Restrict the Characters like ‘+’, ’-‘, ’@’, ’=’
- Encoding the output: Prepending the cells with a specific character adding a space single tick to the beginning of the cell as well as are moving any sort of tab characters within that cell