CSV Macro Injection

CSV Macro Injection: It’s rather a trick to abuse the functionality…

Application security is quite a tricky domain. Imagine that for years you have treated something as a feature of your application, and it suddenly turns out to be a vulnerability that can be exploited to take down your system completely. CSV Macro Injection, also called Formula Injection, is one of those cases. We will look in detail at how such a simple and useful feature can become a vulnerability and be abused against the complete CIA triad.

We can’t deny the usefulness of spreadsheets in our daily IT and non-IT life. If you have bulk data that you want to edit, sort, represent, or compute on repeatedly (and we really can do much more than this), Excel and CSV are the right file formats for you. In computing, a comma-separated values (CSV) file stores tabular data (numbers and text) in plain text. Each line of the file is a data record.

Each record consists of one or more fields, separated by commas. The use of the comma as a field separator is the source of the name for this file format. The CSV file format is not standardized. The basic idea of separating fields with a comma is clear, but it gets complicated when the field data may itself contain commas or even line breaks. CSV implementations may not handle such field data, or they may use quotation marks to surround the field. Quotation does not solve everything: some fields may need embedded quotation marks, so a CSV implementation may include escape characters or escape sequences.
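The quoting problem described above, as an added example that is not part of the original article: a constructed record is written and read back once with a naive comma join/split and once with Python's standard `csv` module. The function names and the sample record are assumptions made for illustration.

```python
import csv
import io

# Constructed sample record: one field contains a comma, one a line break,
# and one embedded quotation marks.
RECORD = ["42", "Doe, Jane", "line one\nline two", 'said "hi"']


def naive_write(fields):
    """Join with commas and no quoting, as a minimal implementation might."""
    return ",".join(fields) + "\n"


def naive_read(text):
    """Split on line breaks, then on commas, ignoring quotation marks."""
    return [line.split(",") for line in text.splitlines()]


def quoted_write(fields):
    """Quote only the fields that need it; embedded quotes are doubled."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(fields)
    return buf.getvalue()


def quoted_read(text):
    """Parse with a quote-aware reader so commas and line breaks survive."""
    return list(csv.reader(io.StringIO(text, newline="")))


if __name__ == "__main__":
    # Naive round trip: the single record is split into two broken rows.
    print(naive_read(naive_write(RECORD)))
    # Quote-aware round trip: the record comes back unchanged.
    print(repr(quoted_write(RECORD)))
    print(quoted_read(quoted_write(RECORD)))
```

The naive round trip turns one record into two rows with shifted fields, which is the data corruption the paragraph warns about; the quote-aware round trip returns the original four fields.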

Is your CAPTCHA Strong enough!!

We have seen a lot of DoS (Denial of Service) attacks in recent times. An old but promising defence against DoS attacks on web applications is to implement a CAPTCHA on publicly available forms and pages. However, not all CAPTCHA implementations are safe, and some implementations give the user a headache.

There have been recent developments in simplifying CAPTCHA, but while simplifying, some developers forget the purpose of CAPTCHA.
Well, what is the purpose of using CAPTCHA?

In simple words, CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a program to ‘ensure’ that the user is a human.

Almost 80% of custom CAPTCHA implementations are found to be unsafe during our evaluations. So what measures make sure an application has a safe and simple CAPTCHA?