Published on March 27th, 2019
Excel: CSV Injection
Today’s episode is about functionality that can be used for phishing attacks.
It can be found on any website that allows exporting data to CSV format.
But how can a text format be used for an attack?
Excel is a spreadsheet created by Microsoft.
It provides a large number of built-in functions that simplify accounting.
If we want to use a formula in a given cell instead of a number or text, we must start it with the equals sign.
The program then knows that the cell contains code that should be executed.
For example, we can calculate the average of numbers from given cells.
In the same way, you can also create a link to an external website.
Or you can execute an external program.
This functionality is called DDE. Its syntax is very simple.
Microsoft realizes that this functionality can be used to execute dangerous code, so before launching it, Excel displays a message informing the user about the potential consequences.
However, in reality many users keep allowing the code to execute, out of habit or ignorance.