XLS/CSV Injection
XLS/CSV Injection, also known as Formula Injection or CSV Injection, occurs when untrusted user input is stored by an application and later exported to an XLS or CSV file, where a spreadsheet program may interpret the stored value as a formula rather than as plain text.
Example Tests for XLS/CSV Injection
When performing a penetration test, you can use various payloads to test for XLS/CSV injection vulnerabilities. Below are some example payload categories that can be used to test whether an application is vulnerable to XLS/CSV injection.
Example Payloads for CSV Injection
Basic Hyperlink Injection
Potentially Dangerous Formula
External Data Fetch
Testing Methodology
Injecting Payloads:
Identify fields in the application where you can input data that will be exported to XLS or CSV files.
Input the example payloads into these fields.
Export and Analysis:
Export the data to an XLS or CSV file from the application.
Open the exported file with a text editor to verify that the payloads are correctly injected.
Open the file with a spreadsheet program (e.g., Microsoft Excel) to see if the payloads execute as formulas.
Observation and Mitigation:
Observe the behaviour of the application and the spreadsheet program to detect any execution of malicious payloads.
Recommend encoding or sanitising the input data to prevent such injections.
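The following is an added example (not part of the original page) of the sanitising step recommended above, written as a small CSV export routine in Python. It prefixes any cell that begins with a formula-triggering character (=, +, -, @, tab, carriage return) with a single quote so spreadsheet programs read it as text, quotes every field so embedded quotes cannot break out of the cell, and includes an audit helper that scans an exported CSV for cells that still look like formulas. The row data and the function names `export_csv`, `neutralise_cell` and `find_formula_cells` are constructed for this example.

```python
import csv
import io

# Leading characters that cause Excel/LibreOffice to treat a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(value: str) -> bool:
    """True if a spreadsheet would interpret this cell as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralise_cell(value):
    """Force a suspicious cell to be read as text by prefixing a single quote.

    Non-string values (numbers, None) are returned unchanged. Note the side
    effect: a string such as "-5" is also prefixed, so numeric data should be
    exported as numbers rather than as strings if that matters to consumers.
    """
    if isinstance(value, str) and looks_like_formula(value):
        return "'" + value
    return value


def export_csv(rows, sanitise=True) -> str:
    """Serialise rows to CSV text.

    sanitise=True is the hardened export; sanitise=False shows the vulnerable
    'write user input straight to the file' behaviour for comparison.
    """
    buf = io.StringIO()
    # QUOTE_ALL wraps every field in double quotes and doubles any embedded
    # quotes, so a value cannot terminate its own cell early.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise_cell(c) if sanitise else c for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Audit an exported CSV: list (row, column, value) of formula-like cells.

    Useful as a check on the exported file before it is handed to users.
    """
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if looks_like_formula(cell):
                findings.append((r, c, cell))
    return findings


if __name__ == "__main__":
    # Constructed sample rows: one ordinary value, one harmless formula-shaped
    # value, and one negative number stored as a string.
    sample_rows = [["Alice", "=1+1"], ["Bob", "-5"]]
    unsafe = export_csv(sample_rows, sanitise=False)
    safe = export_csv(sample_rows)
    print("unsafe export flags:", find_formula_cells(unsafe))
    print("safe export flags:  ", find_formula_cells(safe))
```

Run the module directly to see the audit flag two cells in the unsanitised export and none in the hardened one. The single-quote prefix is the approach most spreadsheet programs honour, but it is visible to users who open the file in a text editor, so some teams prefer to reject or strip leading trigger characters at input time instead; either way the audit function gives a cheap regression check on the exported file.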