CSV Injection

How to find and exploit CSV injection.

Many web applications offer spreadsheet export functionality which allows users to download data in a .csv or .xls file suitable for handling in spreadsheet applications like Microsoft Excel.

The resulting spreadsheet cells often contain input from untrusted sources, e.g. user input. This functionality can be exploited by inserting arbitrary characters into forms whose contents are exportable, which lets an attacker craft a payload that is executed when the downloaded file is opened in a spreadsheet application.

For example, imagine a website that allows you to enter events and then export the whole list. You may find that you can input a CSV payload into the event title field, like so:

=cmd|' /C calc'!A0

When downloaded, this payload may then execute within the spreadsheet, like so:

That is CSV injection in a nutshell. Obviously, the payload could be malware rather than calc.exe.

Recommendations

User input should always be treated as an untrusted source, and any input or output derived from it should be encoded accordingly. In this case, ensure that forms whose contents can be exported accept only alphanumeric characters and cannot be modified to add arbitrary characters.
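A defensive export filter for the recommendation above, added here as an example that is not part of the original article. It assumes a Python backend using the standard-library csv module, and it goes slightly beyond the alphanumeric-only rule: instead of rejecting input, it neutralises the leading characters that make a spreadsheet treat a cell as a formula (=, +, -, @, tab, carriage return) by prefixing a single quote, and quotes every field on output.

```python
import csv
import io

# Leading characters that make a spreadsheet application treat the cell as a
# formula (or a continuation of one) rather than as literal text.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if the cell would be interpreted as a formula when the CSV is opened."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Prefix formula-like cells with a single quote so they render as text.

    Non-string values (numbers, None) are stringified first; a negative number
    such as -5 is prefixed too, which is the safe choice for an untrusted export.
    """
    text = "" if value is None else str(value)
    if is_formula_like(text):
        return "'" + text
    return text


def export_csv(rows) -> str:
    """Write rows to CSV text with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: an event list where one title field carries the payload
# from the article. Plain-text cells pass through unchanged.
SAMPLE_EVENTS = [
    ["title", "date"],
    ["Team meeting", "2024-01-10"],
    ["=cmd|' /C calc'!A0", "2024-01-11"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_EVENTS))
```

Applying the filter at export time keeps the stored data intact while ensuring the spreadsheet shows the payload as literal text.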
