How To Test For CSV Injection

Testing For CSV Injection

If you are not familiar with the concept of CSV Injection, we suggest that you review the article entitled “What is CSV Injection ?“.

For testing to be relevant, we assume you have a requirement to process an untrusted CSV file; that is, one that was produced in a manner that you cannot be sure does not contain CSV Injection strings.  Detecting CSV payloads is as simple as recognizing which, if any, formulas are considered “legal” by your application/process.

Once again, we will use Microsoft Excel as our target application, but similar technique would be used for Google Sheets

CSV Injection Sentinel Strings

The meta-characters for Microsoft Excel that signal the start of a formula are: =, +, -. or @, and their appearance at the start of a CSV cell value can be used to detect the injection of malicious content.

The following Regular Expression (RE) can be used to find the rows of a CSV file containing cells representing formulas:  “^[=+-@],|,[=+-@]“.  (Note that this is an “Extended” RE in Unix/Linux.)

If your CSV files should not contain any formulas, then any match will be indicative of CSV Injection.  If formulas are allowed, you will need to define a more specific RE to catch offending cell values.

For additional information about preventing and/or fixing this vulnerability within a web-application, please see the article entitled “How to Prevent CSV Injection“.

About Affinity IT Security

We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and  train your developers and testers.  In fact, we train developers and IT staff how to hack applications and networks.

Perhaps it was a network scan or website vulnerability test that brought you here.  If so, you are likely researching how to find, fix, or avoid a particular vulnerability.  We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.

Contact us to learn how to better protect your enterprise.



Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.