Knockpy CSV Injection Vulnerability
Vulnerability
A CSV injection vulnerability exists in Knockpy version 4.1.1, allowing attackers to inject harmful formulas into CSV reports via unfiltered server headers. The vulnerability arises because Knockpy, during its subdomain brute-forcing process, sends a HEAD request to each discovered host and records the server response headers in the report. If a header value contains a spreadsheet formula, it is written into the CSV unescaped and is evaluated automatically when the file is opened in a spreadsheet application. The vulnerability can be exploited by manipulating server response headers to include malicious formulas, which are then reflected in the CSV report.
Impact
Exploitation of this vulnerability allows for CSV injection, where injected formulas are executed when the CSV file is opened in spreadsheet applications.
Reproduction
To reproduce this vulnerability, manipulate the server response headers to include a formula, such as '=1336+1'. Then, use Knockpy to scan the domain with the '-c' flag to save the report as a CSV file. The injected formula will execute when the CSV is opened in a spreadsheet application.
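The root cause described above is that a header value is copied into a CSV cell verbatim. The following added example (not Knockpy's own code; hostnames, IPs and the row layout are constructed for illustration) shows the unsafe report writer beside a hardened one that neutralises formula-triggering cells with the conventional single-quote prefix, plus a small checker a defender can run over an existing report before opening it in a spreadsheet. The `=1336+1` value is the one named in the advisory; `SAMPLE_ROWS` and `build_report` are hypothetical.

```python
import csv
import io

# Leading characters that common spreadsheet applications treat as the start of a
# formula (tab and carriage return are included because some importers honour them).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def sanitize_csv_field(value: str) -> str:
    """Return a cell value that a spreadsheet will display as text, not evaluate.

    Prefixing with a single quote is the widely recommended mitigation for CSV
    injection; csv.writer handles quoting of commas and double quotes separately.
    """
    if value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


# Constructed scan results: the last row carries a hostile Server header value.
SAMPLE_ROWS = [
    ("www.example.test", "192.0.2.10", "nginx"),
    ("dev.example.test", "192.0.2.11", "=1336+1"),
]


def build_report(rows, safe: bool = True) -> str:
    """Serialise rows to CSV text. safe=False reproduces the unescaped write."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["subdomain", "ip", "server"])
    for row in rows:
        writer.writerow([sanitize_csv_field(c) if safe else c for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Detection helper: list (row, column, value) of cells that would be evaluated."""
    reader = csv.reader(io.StringIO(csv_text))
    return [
        (i, j, cell)
        for i, row in enumerate(reader)
        for j, cell in enumerate(row)
        if cell.startswith(FORMULA_PREFIXES)
    ]


if __name__ == "__main__":
    unsafe = build_report(SAMPLE_ROWS, safe=False)
    print("unsafe report flags:", find_formula_cells(unsafe))
    print("hardened report flags:", find_formula_cells(build_report(SAMPLE_ROWS)))
```

Running the block flags the `=1336+1` cell in the unsafe report and nothing in the hardened one. The checker is deliberately conservative: it flags any cell starting with a formula prefix, so legitimate values such as negative numbers will also be reported and should be reviewed rather than silently accepted.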
