TurvSec Wiki
CSV Injection

How to find and exploit CSV injection.

Last updated 2 years ago

Many web applications offer a spreadsheet export that lets users download data as a .csv or .xls file for use in applications such as Microsoft Excel.

The exported cells often contain data from untrusted sources, e.g. user input. If the export does not neutralise that data, an attacker can enter a cell value that the spreadsheet application interprets as a formula rather than as text. The payload is not executed by the web application or at download time; it runs when a victim opens the exported file in Excel (or another spreadsheet program) and, in the case of DDE payloads, clicks through the warnings Excel shows before it launches an external application.

For example, imagine a website that lets you enter events and then export the whole list. You may find that you can put a payload into the event title field, such as the following Dynamic Data Exchange (DDE) formula, which asks Excel to have cmd.exe run calc:

=cmd|' /C calc'!A0

When the victim opens the exported file in Excel, the payload executes and cmd.exe launches calc.exe (the original page illustrates this with a screenshot).

That is CSV injection in a nutshell. The argument after cmd /C can be any command line, so a real attack would download and run malware rather than pop calc.exe.

Recommendations

User input should always be treated as untrusted, and the export is the place to defuse it. Restricting exportable fields to alphanumeric characters breaks legitimate data (titles such as "-1 day retro" or "@home") and leaves other data sources that feed the export unprotected. Instead, when writing each cell, check whether it begins with a character that spreadsheets treat as the start of a formula (=, +, -, @, and also tab and carriage return) and, if so, prefix the cell with a single quote so it is stored as literal text; then wrap the field in double quotes and escape any embedded double quotes so a value cannot break out of its field. Quoting alone is not a fix: Excel strips the surrounding double quotes and still evaluates a cell whose content starts with =. Where an allowlist of characters is acceptable for a field, apply it on input as defence in depth.
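As an added example (not code from the TurvSec page), the following Python script reproduces both halves of the write-up above: an export function that, with sanitise=False, writes cells verbatim the way a vulnerable application does and, with the default hardening, prefixes formula triggers with a single quote; plus a small checker that a tester can run over a downloaded CSV to list the cells a spreadsheet would evaluate. The event list, column names and function names are constructed for illustration.

```python
import csv
import io

# Characters that make Excel/LibreOffice treat a cell as a formula when the
# cell begins with them. Tab and carriage return are included because they
# can break a value out of its field in some CSV importers.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value):
    """Return value with any leading formula trigger defused.

    A leading single quote makes spreadsheets store the cell as literal text.
    Embedded double quotes are left alone here: csv.writer escapes them.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(rows, header, sanitise=True):
    """Serialise rows to CSV text.

    sanitise=False reproduces the vulnerable export: every cell is written as
    the user supplied it. Fields are always double-quoted, which shows that
    quoting by itself does not stop a leading '=' from being evaluated.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        if sanitise:
            cells = [neutralise_cell(c) for c in row]
        else:
            cells = ["" if c is None else str(c) for c in row]
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Parse CSV text and return (row, col, cell) for every cell a spreadsheet
    would interpret as a formula. Useful for checking an export you downloaded."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c, cell))
    return hits


# Constructed sample data: the first title is the DDE payload from the write-up,
# the others are legitimate values that an alphanumeric-only filter would reject.
HEADER = ("title", "date")
EVENTS = [
    ("=cmd|' /C calc'!A0", "2024-01-01"),
    ("Team meeting", "2024-01-02"),
    ("-1 day retro", "2024-01-03"),
    ("@home planning", "2024-01-04"),
]

if __name__ == "__main__":
    unsafe = export_csv(EVENTS, HEADER, sanitise=False)
    print("Vulnerable export:\n" + unsafe)
    print("Cells that would be evaluated:", find_formula_cells(unsafe))
    safe = export_csv(EVENTS, HEADER)
    print("Hardened export:\n" + safe)
    print("Cells that would be evaluated:", find_formula_cells(safe))
```

The single-quote prefix is the classic fix but it is visible in the cell in some viewers; a leading tab is sometimes used instead for that reason. Either way, the point is that the defence lives in the exporter, so every data source that reaches the spreadsheet is covered, not just the one form field where the tester happened to find the issue.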

[Screenshots from the original page: "Inputting payload into event title." and "Payload executed to open calc.exe"]