hunting/CSV-Injection

CSV Injection (Formula Injection)

Description

CSV Injection (also known as Formula Injection) is a vulnerability that occurs when a website embeds untrusted input inside CSV files it generates. The web application itself is not what executes anything: when a spreadsheet application (such as Microsoft Excel, LibreOffice Calc, or Google Sheets) opens the file, any cell that begins with a formula character is interpreted as a formula rather than as text, which can lead to command execution (for example via DDE), information disclosure, or other attacks against the user who opens the export.

Common Attack Vectors

  • Export functionality (user data, reports, analytics)
  • Contact forms that export to CSV
  • User profile data exports
  • Order history exports
  • Any feature that generates downloadable CSV files
  • Import/Export features in CRM systems
  • Billing and invoice downloads
  • Survey results exports

Testing Approach

Submit formula characters (=, +, -, @, \t, \r) followed by commands or formulas in:

  • Name fields
  • Address fields
  • Comment/description fields
  • Any user-controllable data that might be exported to CSV

Risk Impact

  • Remote code execution via DDE (Dynamic Data Exchange)
  • Information disclosure (reading local files)
  • SSRF (Server-Side Request Forgery)
  • Credential theft
  • Malware distribution

Common Vulnerable Patterns

  • Direct export of user input to CSV without sanitization
  • Missing CSV encoding/escaping
  • Lack of formula character stripping
  • Client-side only validation
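The vulnerable patterns above (exporting raw input, skipping CSV quoting, never neutralising formula characters) are all fixed on the server at the point where the CSV is written. The following is an added example written for this page, not code from the hunting repository: a small Python exporter that neutralises every cell, plus an audit helper that scans an existing export for the trigger characters listed under Testing Approach. Function names and the sample records are my own constructions; the mitigation it implements (prefix a trigger-leading cell with an apostrophe and quote every field) is the one OWASP documents for this class of bug.

```python
import csv
import io
from typing import Iterable, Sequence

# Leading characters that make Excel, LibreOffice Calc or Google Sheets treat a
# cell as a formula: the trigger set listed on this page.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True when a spreadsheet would parse this text cell as a formula."""
    stripped = value.lstrip(" ")
    return bool(stripped) and stripped[0] in FORMULA_TRIGGERS


def neutralize_cell(value) -> str:
    """Render one cell so it is always stored as text, never as a formula.

    Typed numbers pass through unchanged (a balance of -12.5 is legitimate
    data); strings that start with a trigger get a leading apostrophe, which
    spreadsheets read as "keep the rest as literal text".
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return repr(value)
    text = "" if value is None else str(value)
    if is_formula_like(text):
        return "'" + text
    return text


def export_csv(header: Sequence[str], rows: Iterable[Sequence]) -> str:
    """Serialise rows to CSV with every cell neutralised and fully quoted.

    csv.QUOTE_ALL wraps each field in double quotes and doubles any embedded
    quote, so user text cannot break out of its cell into a neighbouring one.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([neutralize_cell(h) for h in header])
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text: str) -> list:
    """Audit an existing export: list (row, column, value) of formula-like cells."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample (made-up records): a profile export where the "name" and
# "comment" columns hold user-controlled text.
SAMPLE_HEADER = ["id", "name", "balance", "comment"]
SAMPLE_ROWS = [
    [1, "Alice", -12.5, "regular customer"],
    [2, "=1+1", 0, "@SUM(1+1)"],
    [3, "Bob", 3, "\tstarts with a tab"],
]


def unsafe_sample_csv() -> str:
    """What a naive exporter produces: str() of every cell, no quoting."""
    lines = [",".join(str(c) for c in row) for row in [SAMPLE_HEADER] + SAMPLE_ROWS]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("cells a naive export hands to the spreadsheet as formulas:")
    for finding in find_formula_cells(unsafe_sample_csv()):
        print("  ", finding)
    print()
    print(export_csv(SAMPLE_HEADER, SAMPLE_ROWS))
```

Running the audit over the naive export flags four cells: the `=` and `@` payloads, the tab-prefixed comment, and the typed balance `-12.5`. Running it over the hardened export leaves only that balance, because the exporter deliberately passes typed numbers through rather than turning them into text; if a column is user-entered free text that merely looks numeric (phone numbers starting with `+`, for example), it must go through `neutralize_cell` as a string and will be prefixed. One caveat on the apostrophe itself: Excel hides it and keeps the cell as text, but some applications display it when importing CSV, so check the product's rendering before shipping the export.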

Payloads

See csv-injection-payloads.txt for a comprehensive list of CSV injection payloads covering:

  • Formula injection techniques
  • DDE (Dynamic Data Exchange) attacks
  • Command execution payloads
  • Data exfiltration methods
  • Multi-application compatibility