Plugin Spotlight: Office Files List

Attackers have access to a great deal of public information about your organization. Public web sites, domain records, routing information and several other sources can provide an attacker with useful information to launch attacks. Public documents posted on your web site contain metadata that can be very useful to an attacker. Metadata, in the context of the documents created within your organization, is information about the document itself. This can include who created it, their email address, the creation date, the software used to create and publish it and the software version and platform. This information can then be used to create client-side attacks that specifically target individuals and the software they are using.

Nessus plugin 11419, Office files list, attempts to discover the documents that are located on the target web site. Currently this plugin checks for the following document types:

Running this plugin against web sites produces a report that lists each document and type found:

When performing vulnerability scans and assessments against your web servers, make sure you also examine the documents being distributed on the web server. Manual inspection is required to ensure that no sensitive information is contained within the document. A further step is required to ensure that document metadata has been removed. Periodic audits using Nessus, especially of your public facing web servers, will aid in the discovery of documents that may leak too much information to attackers. Plugin 11419 helps you find this information before the attackers do.You may also consider implementing a “Metadata Scrubber”, such as the Office add-in made freely available by Microsoft called “Remove hidden data”.

Resources

• "Document Metadata, The Silent Killer" Research Paper by Larry Pesce
• Office 2007 Metadata - Video tutorial on how to extract metadata from Office 2007 documents
• FOCA - An online or downloadable tool for extracting document metadata