
CSV Injection

Author: Internet (reposted)


Author: Timo Goosen, Albinowax
Contributor(s): kingthorin

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files.

When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cell whose content starts with = is interpreted by the software as a formula and evaluated on the victim's machine rather than displayed as text. Maliciously crafted formulas can be used for three key attacks:

This attack is difficult to mitigate, and it is explicitly excluded from the scope of quite a few bug bounty programs. To remediate it, ensure that no cell begins with = or with any other character that the spreadsheet treats as the start of a formula (+, -, and @ also trigger evaluation in Excel and LibreOffice Calc, as do a leading tab or carriage return):

Keep in mind that it is not sufficient to make sure that the untrusted user input does not start with these characters. You also need to take care of the field separator (e.g. ',' or ';') and of quotes (e.g. ' or "): an attacker can place a separator in the middle of the input so that the parser starts a new cell there, and the dangerous character, although it sits in the middle of the user input, ends up at the beginning of a cell.

Alternatively, apply the following sanitization to each field of the CSV, so that its content is read as text by the spreadsheet editor: prepend a single quote to the field, escape every double quote inside it with a second double quote, and wrap the whole field in double quotes.

Two examples (input on the left, escaped output on the right):

Input           | Escaped Output
=1+2";=1+2      | "'=1+2"";=1+2"
=1+2'" ;,=1+2   | "'=1+2'"" ;,=1+2"
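The following Python script is an added example (not part of the original article) that demonstrates both points above: the separator-based bypass of a check that only looks at the first character of the user input, and the quote-and-prefix sanitization from the table. The trigger-character list, the helper names, and the sample row are assumptions made for this example; the row is constructed, and Python's csv module stands in for the spreadsheet importer.

```python
import csv
import io

# Characters a spreadsheet treats as the start of a formula. '=' comes from
# the text above; '+', '-', '@', tab and carriage return are assumed here
# because Excel and LibreOffice Calc honour them as well.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def naive_strip(value):
    """Insufficient mitigation: only neutralizes a *leading* trigger
    character and ignores separators and quotes inside the value."""
    if value and value[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def escape_cell(value):
    """Apply the sanitization from the table above to one field:
    prepend a single quote, double every embedded double quote, and wrap
    the whole field in double quotes so the parser keeps it as one cell."""
    return '"' + "'" + value.replace('"', '""') + '"'


def build_row_naive(cells):
    """Row writer that joins fields with ',' and only uses naive_strip."""
    return ",".join(naive_strip(c) for c in cells)


def build_row_safe(cells):
    """Row writer that applies escape_cell to every field."""
    return ",".join(escape_cell(c) for c in cells)


def parse_row(line):
    """Parse one CSV line the way a spreadsheet importer would
    (RFC 4180 quoting rules, comma separator)."""
    return next(csv.reader(io.StringIO(line)))


def formula_cells(line):
    """Return the cells of a CSV line that a spreadsheet would evaluate."""
    return [c for c in parse_row(line) if c and c[0] in FORMULA_TRIGGERS]


if __name__ == "__main__":
    # Constructed attacker input: starts harmlessly, but the embedded comma
    # opens a new cell whose first character is '='.
    row = ["alice", "hello,=1+2"]
    naive = build_row_naive(row)
    safe = build_row_safe(row)
    print("naive:", naive, "->", formula_cells(naive))  # ['=1+2']
    print("safe: ", safe, "->", formula_cells(safe))    # []
    # The two examples from the table above.
    print(escape_cell('=1+2";=1+2'))
    print(escape_cell("=1+2'\" ;,=1+2"))
```

Two practical caveats: Excel shows the leading apostrophe as literal text when it opens a CSV file (the apostrophe only acts as an invisible text prefix when typed into a cell), and applying the prefix to every field turns numeric columns into text, so many implementations prefix only fields that start with a trigger character while still quoting and escaping every field. Python's csv.writer with quoting=csv.QUOTE_ALL performs the quoting and quote-doubling steps for you, but not the prefix.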


Tags: spreadsheet, cell, field, user, Injection, CSV
Source: https://www.cnblogs.com/chucklu/p/15232798.html