{
	"id": "cc2abb4f-5a41-4718-881b-5633a25c9fa9",
	"created_at": "2026-04-06T00:07:02.553679Z",
	"updated_at": "2026-04-10T03:20:39.424859Z",
	"deleted_at": null,
	"sha1_hash": "93c5acae6e5d294ae3433e7e2d5959ac1177cc2d",
	"title": "All You Need to Know About CSV Injection and Excel Macro Injection Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 204738,
	"plain_text": "All You Need to Know About CSV Injection and Excel Macro Injection Attacks\r\nBy Sandeep Kamble\r\nPublished: 2021-01-10 · Archived: 2026-04-05 19:48:52 UTC\r\nWhat is CSV Injection?\r\nDemonstration of CSV excel macro injection:\r\nTechnical Analysis of the Vulnerability:\r\nTechnical Details of the above CSV Injection payload:\r\nRecommendations\r\nWhat is CSV Injection?\r\nCSV Excel Macro Injection, also known as Formula Injection or CSV Injection, is an attack technique that we use in the day-to-day penetration testing of applications.\r\nCSV injection is a vulnerability that affects applications that offer export-to-spreadsheet functionality. These spreadsheets are generated dynamically from unvalidated or unfiltered user input. Modern web applications commonly offer spreadsheet export functions, which let the user download data in .csv or .xls format for use in spreadsheet applications such as MS-Excel and OpenOffice Calc. As a result, the cells in the exported spreadsheet can contain input from untrusted sources, and the end user who opens the exported spreadsheet can be affected.\r\nThis vulnerability can be used by an attacker to execute attacks such as client-side command injection or code injection. The attack scenario purely targets the user(s) who download the Excel file. We usually disregard this attack as a non-issue. However, websites should still be aware that the information they are exporting can potentially affect their users.\r\nDemonstration of CSV excel macro injection:\r\nCSV excel macro injection can be exploited when the application supports export-to-Excel functionality. It occurs in spreadsheet files that are generated dynamically from unvalidated input data.\r\nCSV Injection Payloads used to test and exploit:\r\nWe can use the formulas that Excel itself uses for carrying out operations to test for formula injection on websites.\r\nE.g.: =sum(10+10)\r\nhttps://blog.securelayer7.net/how-to-perform-csv-excel-macro-injection/\r\nPage 1 of 4\r\nExample of CSV Injection:\r\nAs you can see, once we click on the export-to-Excel option, the records are automatically exported to an Excel file in .xls format, which we can then download.\r\nTechnical Analysis of the Vulnerability:\r\nThis vulnerability occurs due to the concept of Dynamic Data Exchange (DDE). DDE is a protocol for interprocess communication under Windows that is supported by MS-Excel, LibreOffice, and Apache OpenOffice.\r\nDDE Function Format:\r\nThe DDE function has the following format:\r\n=DDE(server; file; item; mode)\r\nSo by supplying malicious arguments, it is possible to remotely execute applications or commands on the computer of whoever opens the document.\r\nCommon CSV Injection Payload\r\nThe most common CSV Injection payload used is:\r\n=cmd|' /C calc'!A0\r\nTechnical Details of the above CSV Injection payload:\r\ncmd: The name the server responds to whenever a client tries to access the server.\r\n/C calc: The specific file or command name, in this case 'calc' (i.e., calc.exe).\r\n!A0: The item name that specifies the unit of data the server can respond with when the client requests data.\r\nSo our final DDE call becomes:\r\nDDE(\"cmd\";\"/C calc\";\"!A0\")\r\nAs you can see in the above screenshots, our payload is added to the input fields. Now, once we export this record to an Excel file, our payload instructs the program to run an application called cmd.exe with the command /C calc, which executes calc.exe from the command line.\r\nOnce the Excel file is opened, calc.exe is executed as shown in the screenshot below.\r\nAlternative Payloads:\r\nMostly, these payloads work fine. But sometimes the = character is filtered out. In that case we can use different starting characters such as @, + or -. So, the current payload of choice for exploiting this as a proof of concept is:\r\n@SUM(1+1)*cmd|' /C calc'!A0\r\nWe can use any formula starting with:\r\n=\r\n+\r\n-\r\n@\r\nRecommendations\r\nIn conclusion, I recommend that it is always good practice not to trust user input and to always encode the output. Also, for the formula to execute successfully, an attacker has to use '-' or '=', and the pipe (|) is what is used to execute the binary in the Excel software. Hence, it is strongly recommended to filter '-', '|', '+', and '=' to mitigate this vulnerability.\r\nSource: https://blog.securelayer7.net/how-to-perform-csv-excel-macro-injection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.securelayer7.net/how-to-perform-csv-excel-macro-injection/"
	],
	"report_names": [
		"how-to-perform-csv-excel-macro-injection"
	],
	"threat_actors": [],
	"ts_created_at": 1775434022,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/93c5acae6e5d294ae3433e7e2d5959ac1177cc2d.pdf",
		"text": "https://archive.orkl.eu/93c5acae6e5d294ae3433e7e2d5959ac1177cc2d.txt",
		"img": "https://archive.orkl.eu/93c5acae6e5d294ae3433e7e2d5959ac1177cc2d.jpg"
	}
}