formula injection by chirag savla
Post on 22-Feb-2017
• Formula Injection (or Spreadsheet Formula Injection) is a vulnerability
that affects applications which export spreadsheet files dynamically
constructed from inadequately validated input data.
• Many modern web applications and frameworks offer spreadsheet
export functionality, allowing users to download data in a .csv or .xls file
suitable for handling in spreadsheet applications like Microsoft Excel
and OpenOffice Calc.
• The resulting spreadsheet's cells therefore often contain input from untrusted
sources such as survey responses, transaction details and user-supplied
addresses. Once a formula is injected, it affects the application's end users
who open the exported spreadsheet files.
• Successful exploitation can lead to impacts such as client-side
command injection, code execution or remote exfiltration of the
confidential data contained in the file.
• When can someone exploit Formula / CSV Injection?
Formula Injection can be exploited when the application has export-to-Excel
functionality and the spreadsheet files are dynamically constructed from
inadequately validated input data.
• What can be done using Formula / CSV Injection?
Successful execution can help an attacker carry out client-side
command injection or remote code execution, or download
malware onto the system.
• What payloads are used to test / exploit Formula / CSV
Injection?
Any Excel formula can be used to test for formula injection.
Eg:- =sum(10+10)
• What else can be used to exploit Formula / CSV Injection ?
1) Macros
2) PowerShell
• Different ways of writing a formula in Excel
A formula in Excel can start with any of the following characters:
1) =
2) +
3) -
4) @
• Making the Payload a Success on Different Platforms (Advanced
Payload)
The command-execution variant of the formula injection flaw relies on Dynamic Data
Exchange (DDE). DDE is a protocol for interprocess communication
under Windows supported by Microsoft Excel, LibreOffice and
Apache OpenOffice.
In LibreOffice and Apache OpenOffice, it can be invoked using the following formula:
=DDE(server; file; item; mode)
Example: this one launches calc.exe
=DDE("cmd";"/C calc";"__DdeLink_60_870516294")
In Microsoft Excel it can be invoked using:
=cmd|'/C calc.exe'!Z0
• Preventing formula injection is a concern for every application
that generates spreadsheets containing user-supplied content.
• At present, the best defence strategy is prefixing cells that start
with '=' or '+' with an apostrophe or a space. This ensures
that the cell isn't interpreted as a formula.
• As an added advantage, in Microsoft Excel the apostrophe itself will
not be displayed.
• HTML-encoding special characters can be used as a prevention.
• Input validation for the = or + characters can be put in place on both the client
and the server side.
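The apostrophe-prefix defence above, as an added example that is not part of the original slides: a small export sanitizer that covers all four formula prefixes the slides list (=, +, -, @), leaves genuine negative numbers alone, and an audit helper for checking an existing CSV export. The sample rows are constructed for this example.

```python
import csv
import io

# The four characters the slides list as valid formula starts in Excel.
FORMULA_PREFIXES = ("=", "+", "-", "@")


def _is_plain_number(value: str) -> bool:
    """Negative numbers such as "-12.50" start with '-' but are legitimate
    data; leaving them untouched keeps them numeric in the spreadsheet."""
    try:
        float(value)
        return True
    except ValueError:
        return False


def neutralize_cell(value) -> str:
    """Prefix formula-looking text with an apostrophe so the spreadsheet
    application stores it as text (Excel hides the apostrophe itself)."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES) and not _is_plain_number(text):
        return "'" + text
    return text


def export_csv(rows, neutralize=True) -> str:
    """Serialise rows to CSV. Note that csv quoting alone does NOT stop
    formula evaluation: Excel strips the quotes and still evaluates "=1+1"."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) if neutralize else c for c in row])
    return buf.getvalue()


def audit_csv(csv_text: str):
    """Return (row, column, value) for every cell an existing export would
    hand to the spreadsheet as a formula; useful for reviewing exports you
    did not generate yourself."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_PREFIXES) and not _is_plain_number(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample: a survey export with a hostile name and comment field.
SAMPLE_ROWS = [
    ["name", "balance", "comment"],
    ["alice", "-12.50", "fine"],
    ["=sum(10+10)", "3", "@here"],
]
```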
• https://pentestmag.com/formula-injection/
• http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
• https://appsec-labs.com/portal/formula-injection/