CSV Injection
Comma Separated Values (CSV) Injection
Overview of the Vulnerability
Applications often embed unsafe user input in exported spreadsheets that target desktop applications such as Excel or LibreOffice, or their cloud equivalents. An attacker can leverage this unsafe input to exfiltrate data from users, or to deliver a malicious binary to users who download a file whose contents the attacker controls. Cells that a spreadsheet editor interprets as formulas rather than text allow an attacker to deliver payloads or exfiltrate data using specifically crafted input.
Business Impact
CSV injection can lead to reputational damage for the business due to a loss of confidence and trust by users. It can also result in indirect financial loss to the business if an attacker is able to exfiltrate data.
Steps to Reproduce
Navigate to the following endpoint: {{value}}
{{action}} to export a CSV file
Observe that the CSV file is using unsafe input:
{{screenshot}}
Craft a malicious CSV file to exfiltrate data by using the following payload:
{{payload}}
Upload the file to a publicly accessible endpoint
Proof of Concept (PoC)
The screenshot(s) below demonstrate the CSV injection:
{{screenshot}}
Recommendation(s)
It is recommended to sanitize every field written to an exported CSV so that the spreadsheet editor reads the content as text only, rather than as a formula.
For more information, please see: