mirror of
https://github.com/0x5t4l1n/hunting.git
synced 2026-05-26 19:36:33 +00:00
0a48c19312
Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
43 lines
1.6 KiB
Markdown
# CSV Injection (Formula Injection)

## Description

CSV Injection (also known as Formula Injection) is a vulnerability that occurs when websites embed untrusted input inside CSV files. When a spreadsheet application (like Microsoft Excel, LibreOffice Calc, or Google Sheets) opens a CSV file containing malicious formulas, it may execute the formulas, leading to arbitrary command execution, information disclosure, or other attacks.

## Common Attack Vectors

- Export functionality (user data, reports, analytics)
- Contact forms that export to CSV
- User profile data exports
- Order history exports
- Any feature that generates downloadable CSV files
- Import/Export features in CRM systems
- Billing and invoice downloads
- Survey results exports

## Testing Approach

Submit formula characters (`=`, `+`, `-`, `@`, `\t`, `\r`) followed by commands or formulas in:

- Name fields
- Address fields
- Comment/description fields
- Any user-controllable data that might be exported to CSV

## Risk Impact

- Remote code execution via DDE (Dynamic Data Exchange)
- Information disclosure (reading local files)
- SSRF (Server-Side Request Forgery)
- Credential theft
- Malware distribution

## Common Vulnerable Patterns

- Direct export of user input to CSV without sanitization
- Missing CSV encoding/escaping
- Lack of formula character stripping
- Client-side only validation

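A server-side mitigation for the patterns above, added here as an example and not taken from the hunting repository: every exported cell that starts with one of the formula-triggering characters listed under Testing Approach is prefixed with an apostrophe (which forces text interpretation in Excel, LibreOffice Calc and Google Sheets), and every field is quoted so that separators and embedded quotes cannot break out of the cell. `neutralize_cell`, `export_rows` and the sample rows are assumptions made for this example.

```python
import csv
import io

# Characters that make a spreadsheet treat the cell as a formula when they
# appear first. Tab and carriage return are included because some
# applications discard leading whitespace before deciding.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the cell as text safe for CSV export.

    Typed numbers (int/float, but not bool) are left alone so a negative
    amount such as -5 still exports as a number. Any other value that
    begins with a formula prefix gets a leading apostrophe, which the
    spreadsheet shows as a text marker rather than evaluating the cell.
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def export_rows(rows):
    """Serialise rows to CSV text with every field neutralized and quoted.

    QUOTE_ALL wraps each field in double quotes and doubles embedded quotes,
    so a value like a"b cannot terminate the field early.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(v) for v in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample export: a user-supplied "note" column carrying
    # formula-style text (hypothetical data, not from any real system).
    sample = [["name", "note", "balance"],
              ["Bob", "@SUM(1,2)", -5],
              ["Eve", 'a"b', 10]]
    print(export_rows(sample), end="")
```

Apply this at the point where the CSV is generated on the server; client-side validation alone (the last pattern above) does not protect the exported file.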
## Payloads

See `csv-injection-payloads.txt` for a comprehensive list of CSV injection payloads covering:

- Formula injection techniques
- DDE (Dynamic Data Exchange) attacks
- Command execution payloads
- Data exfiltration methods
- Multi-application compatibility