Abstract

Formula Injection (or Spreadsheet Formula Injection) is a vulnerability that affects applications which export spreadsheet files dynamically constructed from inadequately validated input data. Many modern web applications and frameworks offer spreadsheet export functionality, allowing users to download data in a .csv or .xls file suitable for handling in spreadsheet applications such as Microsoft Excel and OpenOffice Calc. The resulting spreadsheet's cells often contain input from untrusted sources such as survey responses, transaction details, and user-supplied addresses. Once a formula is injected, it affects the application's end-users who open the exported spreadsheet files. Successful exploitation can lead to impacts such as client-side command injection, code execution, or remote exfiltration of the confidential data contained in the file.
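The defensive side of the abstract, as an added example that is not part of the talk or of the speaker's tools: a small Python CSV exporter that neutralises cells which a spreadsheet application would otherwise parse as formulas. It follows the common OWASP CSV Injection guidance (prefix cells that begin with `=`, `+`, `-`, `@`, tab or carriage return with an apostrophe, and quote every field). The function names, the sample survey rows and the column names are constructed for this example.

```python
import csv
import io

# Leading characters that Excel / Calc treat as the start of a formula
# (OWASP CSV Injection guidance: =, +, -, @, tab, carriage return).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that the spreadsheet will show as literal text.

    Numbers produced by the application itself (int/float) are not
    attacker-controlled text, so they pass through unchanged; otherwise a
    negative amount such as -5 would be turned into the text "'-5".
    Strings are untrusted and get an apostrophe prefix when they look like
    a formula; the apostrophe tells the spreadsheet to treat the cell as text.
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(rows, header):
    """Serialise rows to CSV text with every cell neutralised and quoted.

    csv.QUOTE_ALL also doubles any embedded double quotes, so a crafted
    value cannot break out of its field into a neighbouring cell.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: survey responses, one of which is formula-shaped.
SAMPLE_HEADER = ("user", "score", "comment")
SAMPLE_ROWS = [
    ("alice", 5, "Great service"),
    ("bob", 1, "=1+1"),                # constructed: looks like a formula
    ("carol", -5, "-5 degrees outside"),  # numeric -5 is kept, text is neutralised
    ("dave", 3, 'said "fine"'),        # embedded quotes are doubled by the writer
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS, SAMPLE_HEADER))
```

Run it as a script to see the exported text; the `=1+1` cell leaves the exporter as `"'=1+1"`, which Excel and Calc display as the literal string rather than evaluating it. Neutralising at export time is the right layer because the same user input may be rendered safely elsewhere (HTML, JSON) where the apostrophe would be wrong.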

Speaker

Chirag Savla

Chirag Savla is a cyber security professional with 9+ years of experience. His areas of interest include penetration testing, red teaming, Azure and Active Directory security, and post-exploitation research. He prefers to create open-source tools and explore new attack methodologies in his leisure time. He has worked extensively on Azure and Active Directory attacks, defense, and bypassing detection mechanisms. He is the author of multiple open-source tools such as Process Injection, Callidus, etc. He has presented at multiple conferences and local meetups and has trained people at international conferences such as Black Hat, BSides Milano, and Wild West Hackin' Fest.
He blogs at https://3xpl01tc0d3r.blogspot.com
Twitter: @chiragsavla94
Github: https://github.com/3xpl01tc0d3r

Timing

Starts on Saturday, August 13 2016, 12:30 PM. The session runs for about 1 hour.

Resources