Banking, ecommerce, and a number of other websites increasingly offer spreadsheet export functionality within their applications to help users download .XLS and .CSV files to be used with Microsoft Excel and OpenOffice Calc.
These spreadsheets often contain inputs from untrusted sources. Did you know that transactional details, survey responses and other user-supplied fields in these files can be used to attack your website?
“Download as a CSV” feature sometime does not properly “escape” fields. This allows an adversary to turn a field into active content so when a response team download the csv and open it, the active content gets executed. Vulnerability also known as “Formula Injection”.
Here is the scenario to reproduce this issue:
Suppose there is a web application where one can add the company’s branches and locations. End user can view the list and can also download the entire list as a CSV file. See the screenshot below:
Insert calc payload in “Branch name”.
Payload: -2+3+cmd|’ /C calc’!A0
Payload code executed successfully:
Protection with the Indusface AppTrana:
Given that the ‘comma separated values’ are widely used and are an important part of the business process, you need to secure the server against malicious intents hidden in the file fields. Our security experts can create a custom rule to ensure that all fields are properly “escaped” before returning the CSV file to the user.
If you are an existing Indusface customer, request for the custom rule through our TAS Portal. And if you aren’t, find out how Indusface AppTrana can help you detect, protect, and monitor for this issue and many others at our Guided Product Tour. We also continuously gather reputation data based on IPs, machines, and other parameters to identify people violating the rule and use the observations to correlate the data with other possible attacks on your website.
Ashish Tandon, CEO & Founder, Indusface
Ashish Tandon is a successful first-generation entrepreneur with a rare combination of strong technology understanding and business expertise. Under his leadership as founder & CEO, Indusface has been recognised as an award-winning Application Security as a Service company with a multi-million $ ARR, fast growing, bootstrapped and profitable. Ashish has also successfully lead and exited several ventures in the areas of Security, Internet services and cloud based mobile and video communication solutions in the past. He is closely associated with the Government and Industry bodies of India in drafting of various Software Products & Security related acts, regulations & policies.