formula injection by chirag savla

Upload: nullowaspmumbai

Post on 22-Feb-2017


TRANSCRIPT

• A Formula Injection (or Spreadsheet Formula Injection) vulnerability affects applications that export spreadsheet files which are dynamically constructed from inadequately validated input data.

• Many modern web applications and frameworks offer spreadsheet export functionality, allowing users to download data in a .csv or .xls file suitable for handling in spreadsheet applications like Microsoft Excel and OpenOffice Calc.

• Thus the resulting spreadsheet's cells often contain input from untrusted sources such as survey responses, transaction details and user-supplied addresses. Once a formula is injected, it affects the application's end users who open the exported spreadsheet files.

• Successful exploitation can lead to impacts such as client-side command injection, code execution or remote exfiltration of the confidential data contained in the spreadsheet.

• When can someone exploit Formula / CSV Injection?

Formula Injection can be exploited when the application has export-to-Excel functionality. It happens on spreadsheet files which are dynamically constructed from inadequately validated input data.

• What can be done using Formula / CSV Injection?

Successful execution can help an attacker carry out client-side command injection or remote code execution, or download malware onto the system.

• What are the payloads used to test / exploit Formula / CSV Injection?

Any Excel formula can be used to test for formula injection.

Eg:- =sum(10+10)

• What else can be used to exploit Formula / CSV Injection?

1) Macros
2) PowerShell

• Different ways of writing a formula in Excel

We can write a formula in Excel starting with

1) =
2) +
3) -
4) @

• Making the Payload a Success on different platforms (Advanced Payload)

The formula injection flaw occurs due to the concept of Dynamic Data Exchange (DDE). DDE is a protocol for interprocess communication under Windows supported by Microsoft Excel, LibreOffice and Apache OpenOffice.

In LibreOffice and Apache OpenOffice, it can be invoked using the following formula:

=DDE(server; file; item; mode)

Example: this one launches calc.exe

=DDE("cmd";"/C calc";"__DdeLink_60_870516294")

In Microsoft Excel it can be invoked using:

=cmd|'/C calc.exe'!Z0

• Preventing formula injection is a concern for every application that generates spreadsheets comprising user-supplied content.

• At present, the best defence strategy is prefixing cells that start with ‘=’ and ‘+’ with an apostrophe or a space. This will ensure that the cell isn't interpreted as a formula.

• As an added advantage, in Microsoft Excel the apostrophe itself will not be displayed.

• HTML encoding of special characters can be used as a prevention.

• Input validation for the = or + characters can be put in place on the client and server side.

• https://pentestmag.com/formula-injection/
• http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
• https://appsec-labs.com/portal/formula-injection/