Excel: CSV Injection – Digitalmunition





Published on March 27th, 2019 📆 | 3389 Views ⚑


Excel: CSV Injection



Today’s episode is about functionality that can be used for phishing attacks.

It can be found on every website that allows exporting data to CSV format.
But how can a text format be used for an attack?
Excel is a spreadsheet created by Microsoft.
It provides a large number of built-in functions that simplify accounting.
If we want to use a formula in a given cell instead of a number or text, we must start it with the equals sign.
The program then knows that the cell contains code to be executed.
For example, we can calculate the average of numbers from given cells.
In this way, you can also create a link to the external website.
Or you can execute an external program.
This functionality is called DDE (Dynamic Data Exchange). Its syntax is very simple.
Microsoft realizes that this functionality can be used to execute dangerous code, so before launching it, Excel displays a message informing the user about the potential consequences.
In reality, however, many users allow the code to execute anyway, out of habit or ignorance.

Twitter: https://twitter.com/kacperszurek
Website: https://security.szurek.pl/
Github: https://github.com/kacperszurek/

Icon made by Freepik, mynamepong from www.flaticon.com




3 Responses to Excel: CSV Injection

  1. vintprox says:

    How to really stay confident in business when ages come: throw away proprietary software and replace it with OSS 😁
