

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells starting with ‘=’ will be interpreted by the software as a formula. Maliciously crafted formulas can be used for three key attacks:

  • Hijacking the user’s computer by exploiting vulnerabilities in the spreadsheet software, such as CVE-2014-3524.
  • Hijacking the user’s computer by exploiting the user’s tendency to ignore security warnings in spreadsheets that they downloaded from their own website.
  • Exfiltrating contents from the spreadsheet, or other open spreadsheets. …


A short time ago, I had to set up a private Burp Collaborator server to avoid possible leaks of my client's sensitive information. I want to clarify that this guide is based on the one written by Fabio Pires; all the credit is his.

If you work with Burp and do not know what Collaborator is, please check this documentation first.

Table of contents

  1. Azure machine and port forwarding
  2. Get a free custom domain
  3. Make a collaborator configuration file
  4. Create files needed to generate and move certificates
  5. Get certificates from Let's Encrypt
  6. Run Collaborator
  7. Configure Burp Suite to use private Collaborator
  8. Acknowledgement

1. Azure machine and port forwarding

Deploy a Linux machine on Azure and open the following ports. I have used Ubuntu Server 18.04. …


👋 Hi again, guys

Lately, I have been dedicating what little free time I have to auditing open source software, mainly software that is web-based.

This time, I want to share with you some Cross-Site Request Forgery (CSRF) vulnerabilities that I found in the open source software PHP Server Monitor 3.3.1. I hope to share more with you in the future.

What is a CSRF?

Cross-Site Request Forgery is a type of malicious technique where unauthorized commands are transmitted from a user that the web application trusts.

Therefore, if we get a user of the application to execute a payload previously prepared by us, we will successfully exploit this vulnerability. …


Javier Olmedo

Security Researcher & Ethical Hacker - Author blog
