Stopping CSV & Formula Injection Attacks
By Tom Seest
At BestCybersecurityNews, we help entrepreneurs, solopreneurs, young learners, and seniors learn more about cybersecurity.
Modern web applications often provide the functionality to export data into spreadsheets for safe storage. Such information often entails sensitive material that must be handled with care.
An attacker can place a malicious formula into any parameter that is exported to a CSV file; when the victim opens that file, the formula is activated automatically and carries out the attacker’s plan.
Many web applications provide functionality for exporting data onto spreadsheet files like CSV for easy viewing. While these features are convenient, they often contain sensitive data that must be handled securely. Unfortunately, exporting spreadsheets may expose users to serious risks if an application does not adequately validate input – this vulnerability is known as CSV Injection or Formula Injection attacks.
These attacks take many forms, and all rely on social engineering techniques to entice victims into opening a CSV file. This may involve simply encouraging victims to click a malicious link within an email, social media post, or elsewhere online; alternatively, an attacker could create a script that generates CSV files with commands set for execution on victim machines.
The most prevalent attack technique involves injecting malicious formulae that begin with the character “=”, as most spreadsheet programs, such as Microsoft Excel, interpret any value beginning with this character as a formula. Execution of such a formula may perform any number of malicious tasks, including stealing usernames and passwords, launching commands or applications on victims’ systems, or even taking control of machines through what are known as DDE (Dynamic Data Exchange) attacks.
Developers can implement a defense similar to the way XSS sanitizers neutralize script injection. Instead of simply removing or escaping characters, developers can prepend a character to each string so that it is no longer treated as a formula when loaded into Excel. One popular solution is adding a single quote character at the start. However, this won’t always work, because some special characters, such as the percent sign or the equal sign, are legitimately required at the start of a value in some instances.
Although this approach provides effective protection, it will only prevent an attacker from using formulae to inject payloads directly into a CSV file. They could still create hyperlinks, which would trigger different forms of exploits.
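The single-quote prefix described above, applied at export time, can be written as a small sanitizer around Python’s standard csv module. This is an added example and not code from the post; the trigger list, the decision to leave real numbers untouched, and the sample attendee rows (which use the reserved, non-resolving domain example.invalid) are assumptions made here.

```python
import csv
import io

# Leading characters that Excel, LibreOffice Calc and Google Sheets may treat
# as the start of a formula: the "=" described above plus the other common
# triggers. Tab and carriage return are included because some importers
# strip leading whitespace before deciding whether a cell is a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the cell text, prefixed with a single quote if a spreadsheet
    would otherwise evaluate it as a formula.

    Real numbers (bool/int/float) are passed through untouched so that a
    balance of -42.5 stays a number rather than becoming the text '-42.5;
    only strings are candidates for the prefix.
    """
    if isinstance(value, (bool, int, float)):
        return str(value)
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(rows):
    """Serialize rows of cells to CSV text with every cell neutralized.

    QUOTE_ALL wraps each field in double quotes and doubles any embedded
    double quote, so a value cannot break out of its field and smuggle a
    new, unprefixed cell into the file.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample (not real data): an attendee list in which one "name"
# is a HYPERLINK formula of the kind discussed in the post and another
# starts with "@".
SAMPLE_ROWS = [
    ["Name", "Balance", "Note"],
    ["Alice Example", -42.5, "paid in full"],
    ['=HYPERLINK("http://example.invalid/","report")', 10, "see link"],
    ["@SUM(1,2)", 0, 'say "hi"'],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS))
```

The trade-off the post mentions is visible in the output: a user who opens the file sees the leading quote in the neutralized cells, and a column that legitimately begins with “=” or “%” is turned into text. Apply the prefix only to free-text columns and keep numeric columns typed, as the sample shows with the Balance column.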
CSV Injection, also known as DDE Formulas, is a form of malware attack that uses spreadsheet software to access host systems and either execute malicious code or collect information from them. While most people associate such attacks with email spam campaigns that spread ransomware infections on machines, CSV Injection attacks can also occur via websites.
Exploitable vulnerabilities involve web applications that fail to properly sanitize user input that is exported or read as a CSV file, such as Microsoft Teams or LibreOffice Calc document management platforms. For instance, when meeting reports are downloaded via Microsoft Teams, all attendees and their names are exported as a CSV file; a name that contains the characters used in DDE formulae will execute as a formula when the file is opened in either Excel or LibreOffice and can cause irreparable harm.
DDE formulas are an indirect means of code injection that bypasses normal validation in Excel. An attacker could use these formulas to bypass validation by forging the dialog boxes that request user approval to execute code, and launch programs directly instead. Here is an example showing a SUM formula with an appended command that opens a calculator program locally.
Attacks against CSV files can be reduced by raising awareness among users about the risks associated with clicking links in untrustworthy files and by ensuring web applications that create or import CSV files have proper security measures in place – for instance, disabling user interface for editing these types of files so as to prevent accidental activation of features that could execute code or pull data from host systems. Furthermore, adding special characters like an apostrophe ensures these parameters will not be treated as formulae when viewing in MS Excel.
If an end user downloads a CSV file that was dynamically created from poorly validated input data, an application could embed malicious code that allows an attacker to use this spreadsheet program for illicit activities like OS command execution or remote exfiltration of confidential data.
The attack exploits the fact that spreadsheet programs evaluate cell content beginning with “=” as formulae, enabling an attacker to insert formulae that may lead to unexpected actions by targeting spreadsheet programs. An attacker could, for instance, insert the “HYPERLINK” function, which creates a link leading back to an item stored on a network server when someone clicks it – Microsoft Excel would then open and funnel any data contained therein back toward its attacker’s server.
An attacker could utilize the “EQUALS” function of Excel to produce calculations in their target spreadsheet that yield values equal to any number they specify; this allows them to obtain sensitive data such as passwords or bank account details from victims’ machines.
Microsoft Windows computers present another threat via Dynamic Data Exchange (DDE), a feature that enables Excel to communicate directly with other applications on the victim’s computer. An attacker could leverage DDE by inserting an equal sign (=) in a CSV file field; Excel could then read the field as a command line argument and pass it directly to the terminal, for instance, to launch DDoS attacks against remote servers.
As with other web attacks, CSV injection attacks require some form of social engineering in order to induce victims to download and click the file, thus opening them up to malicious links that lead to the download and execution of malware. This could happen via email, social media posts, or simply asking a victim directly to click a link in front of them.
At present, these threats can be mitigated through proper web application security controls, such as whitelist validation of untrusted input. Simply put, only characters from an approved list may appear in input, while any others are rejected; all websites should adopt this approach as their standard.
CSV injection is an advanced attack technique that involves placing malicious content into software like spreadsheets to exploit web application vulnerabilities. It takes advantage of how spreadsheet software interprets entries beginning with “=” as formulas and exploits this fact to achieve success. An attacker can inject code into any cell of software and have it execute automatically by itself, potentially performing any number of malicious activities ranging from breaching system security by accessing data or trying to exfiltrate information to harming computer architecture by running remote commands, running programs or opening connections with remote endpoints – making this attack so dangerous it usually falls outside the scope of bug bounty programs.
To prevent CSV injection attacks, all untrusted input must first be filtered and escaped before it is passed to the database. This can be accomplished by conducting whitelist validation on all input and excluding values that start with equals (=), plus (+), minus (-), or at (@). Likewise, users should not be permitted to enter characters that do not conform to the allowed value set.
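Two defender-side checks follow from this paragraph: whitelist validation of a free-text field at input time, and an audit of an already exported CSV file for cells a spreadsheet would evaluate. The code below is an added example, not the post’s or any vendor’s code; the allowlist pattern for a name field, the rule that skips plain signed numbers, and the constructed sample export are assumptions made here.

```python
import csv
import io
import re

# Leading characters a spreadsheet may interpret as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Allowlist for a free-text field such as an attendee name: letters and
# digits in any script, space, and a few punctuation marks. "=", "+" and "@"
# are simply not in the set; "-" is allowed inside a name (double-barrelled
# surnames) but is rejected in leading position by validate_name.
NAME_ALLOWED = re.compile(r"[\w ,.()'-]{1,100}")


def validate_name(value):
    """Return True only if value passes the allowlist and cannot start a formula."""
    if not isinstance(value, str) or NAME_ALLOWED.fullmatch(value) is None:
        return False
    return not value.startswith(FORMULA_TRIGGERS)


def _is_number(cell):
    """True for cells such as "-42.50" or "+7" that are plain numbers, not formulas."""
    try:
        float(cell)
        return True
    except ValueError:
        return False


def audit_csv(text):
    """Scan CSV text and return (row, column, cell) for every cell a
    spreadsheet would evaluate as a formula.

    Signed numeric cells are skipped so a negative balance is not reported;
    a leading "+" on something like a phone number is still flagged and
    needs a human look, which is the right default for an audit.
    """
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            if cell.startswith(FORMULA_TRIGGERS) and not _is_number(cell):
                findings.append((row_no, col_no, cell))
    return findings


# Constructed sample export (not real data) with a HYPERLINK payload of the
# kind described in the post and one "@"-prefixed cell; example.invalid is
# a reserved, non-resolving domain.
SAMPLE_EXPORT = (
    '"Name","Balance","Note"\n'
    '"Alice Example","-42.50","paid in full"\n'
    '"=HYPERLINK(""http://example.invalid/"",""report"")","10","see link"\n'
    '"@SUM(1,2)","0",""\n'
)

if __name__ == "__main__":
    for row_no, col_no, cell in audit_csv(SAMPLE_EXPORT):
        print(f"row {row_no} col {col_no}: {cell!r}")
```

Running the audit over the sample reports the two injected cells and stays quiet about the negative balance. The allowlist is deliberately narrow for a name field; a field that legitimately needs “=” or “+” should be validated against its own pattern and then neutralized on export rather than rejected outright.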
Also, it would be prudent for all users to be informed that CSV files contain embedded hyperlinks, which could lead to malware infections or ransomware attacks. Finally, having an effective security infrastructure in place that can detect and prevent such attacks before they take place would also be valuable.
CSV injection attacks can also leverage the same vulnerability that allows DDE and embedded links to interact. This technique uses malicious hyperlinks inserted within spreadsheet files; when clicked by unsuspecting users, these hyperlinks connect back to hackers’ servers, where hackers have full access to compromise victim systems and steal information.
All of these attacks share a similar flaw: they exploit vulnerable spreadsheet software to launch malicious commands and scripts, often to gain access to private or sensitive information, steal credentials, or hijack systems by opening remote connections. It is vitally important that organizations implement strong security infrastructures to guard against these types of attacks.
Please share this post with your friends, family, or business associates who may encounter cybersecurity attacks.