OWASP Toronto Chapter - July Meetup
OWASP Toronto Chapter hosted an event sponsored by a couple of employees at Security Compass. Adam Greenhill’s presentation, “Export to RCE”, gives a basic introduction to the risks of untrusted data within CSV files.
Who is OWASP?
Before we dive into the write-up, for those who don’t know what OWASP is: OWASP (The Open Web Application Security Project) is a community-based, not-for-profit charitable organization focused on improving the security of web applications. One of OWASP’s core principles is that all material be freely available and accessible to the public, making it possible for anyone to enhance their own web application security. OWASP is best known for the OWASP Top 10 list of the most critical web application security risks.
Adam is a Senior Security Consultant at Security Compass. His talk focuses on CSV injection and touches on all aspects of the vulnerability: how it works, how to mitigate it, and a quick demo.
What is CSV?
CSV (Comma Separated Values) is a file format used to store tabular data, such as a spreadsheet or a database table. CSV files can be imported into and exported from many programs; the most commonly known and used one is Microsoft Excel.
So, what is CSV Injection?
According to OWASP, CSV Injection, also known as formula injection, occurs when a website embeds untrusted input inside CSV files.
Basically, when a spreadsheet program like Microsoft Excel opens a CSV file, any cell starting with ‘=’ is interpreted by the software as a formula.
Crafted formulas can be used for three key attacks:
- Hijacking a user’s computer by exploiting vulnerabilities in the spreadsheet software
- Hijacking a user’s computer by exploiting the user’s tendency to ignore security warnings in spreadsheets they download
- Exfiltrating contents from the spreadsheet, or other open spreadsheets
Common web apps that utilize CSV files
There are three common kinds of web application that make heavy use of CSV files:
- Financial websites
- CMS backup functionality
- Geographic data
To stay safe, make sure that any CSV file you download from these kinds of websites comes from a verified source and is safe to open.
Mitigating CSV Injection
To remediate the attack, ensure that no cell in the CSV file begins with any of the following characters:
- Equals to (“=”)
- Plus (“+”)
- Minus (“-”)
- At (“@”)
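The two defensive tasks described above, checking a downloaded CSV for cells that a spreadsheet would evaluate and sanitizing cells before export so none begins with a trigger character, can be shown in a few lines of Python. The following is an added example written for this write-up, not code from the talk or from OWASP. It assumes the usual neutralisation technique of prefixing a triggering cell with a single quote (which Excel treats as a “display as text” marker; the talk itself only says such cells must not begin with the listed characters), and it goes slightly beyond the page by also treating tab and carriage return as triggers, as OWASP’s CSV injection guidance does. The sample rows are constructed for the example.

```python
import csv
import io
import re

# Leading characters the write-up lists as formula triggers, plus tab and
# carriage return, which OWASP's CSV injection guidance also lists
# (an addition beyond this page).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# A plain signed decimal number ("-12.50", "+7") is not a formula, so it is
# left alone; this keeps numeric columns numeric in Excel. This is a design
# choice of the example, not something the talk prescribes.
_PLAIN_NUMBER = re.compile(r"^[+-]?\d+(\.\d+)?$")


def is_formula_cell(cell: str) -> bool:
    """True if a spreadsheet program would treat this cell as a formula."""
    if _PLAIN_NUMBER.match(cell):
        return False
    return cell.startswith(FORMULA_TRIGGERS)


def sanitize_cell(cell) -> str:
    """Neutralize a cell so it is displayed as text rather than evaluated."""
    text = "" if cell is None else str(cell)
    if is_formula_cell(text):
        # Leading apostrophe: Excel shows the content literally (assumption of
        # this example, see lead-in). csv.writer quoting handles embedded
        # commas and double quotes.
        text = "'" + text
    return text


def export_csv(rows) -> str:
    """Serialize rows to CSV text with every cell sanitized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_cell(c) for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Scan CSV text (e.g. a downloaded export) and report (row, col, cell)
    for every cell a spreadsheet would evaluate as a formula."""
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            if is_formula_cell(cell):
                findings.append((row_no, col_no, cell))
    return findings


# Constructed sample: a "financial export" in which two description fields
# hold user-supplied text that starts with trigger characters.
SAMPLE_ROWS = [
    ["account", "description", "amount"],
    ["1001", "Monthly fee", "-12.50"],
    ["1002", "=1+1", "+7"],
    ["1003", "@Payee Ltd", "100"],
]

if __name__ == "__main__":
    unsafe = "\n".join(",".join(r) for r in SAMPLE_ROWS) + "\n"
    print("Risky cells in unsanitized export:", find_formula_cells(unsafe))
    safe = export_csv(SAMPLE_ROWS)
    print(safe)
    print("Risky cells after sanitizing:", find_formula_cells(safe))
```

Run as a script, it first reports the two risky cells in the naive export (row 3 column 2 and row 4 column 2), then prints the sanitized CSV and confirms the scanner finds nothing in it. Note the caveat the numeric check addresses: a blanket rule of “never start a cell with -” would turn every negative amount in a financial export into text, so decide explicitly which columns are numeric and validate them as numbers rather than escaping them.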
Increase Excel security
To further increase the security of Excel, disable Dynamic Data Exchange (DDE); this is intended to help protect users from attacks that use DDE to spread malware. The relevant options are:
- Dynamic Data Exchange Server Lookup: if this option is checked, DDE servers that are already running will be visible and usable.
- Dynamic Data Exchange Server Launch (not recommended): if this option is checked, Excel will start DDE servers that are not already running, and allows data to be sent out of Excel.
- Understand the technologies that you’re working with
- Sanitize your inputs
- Sanitize your outputs
- If you’re not using it, disable it