Web applications attacks/HTML comments
Description
HTML comments let developers leave notes in the code of an HTML page so that future developers can understand it better. Unlike PHP comments, these comments are visible in the page that is sent to the browser. Hackers make heavy use of them because they can reveal useful information (passwords, hidden pages or directories, etc.).
Example
- WebGoat, Discover Clues in The HTML lesson shows that comments in the HTML source code must be checked before an application is published.
- HackThisSite.org, Basic, Level 1 shows how to discover a password that has been placed into comments in the HTML source code.
Protection
Avoid putting critical information in HTML comments.
Tools
Web Application Attack and Audit Framework (W3AF) is an automated tool for detecting web application vulnerabilities. Its "findComment" plugin, included in the "grep" module, automates the detection of comments in the source code of HTML pages.
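The check that the Protection and Tools sections describe, as an added example (not code from this page, WebGoat or W3AF): a small pre-publication script that uses Python's standard HTML parser to collect every `<!-- -->` comment the browser would receive and flags the ones that look like they leak credentials, developer notes or hidden paths. The sample page and the keyword list are assumptions constructed for the example; a real keyword list would be tuned to the application.

```python
"""Pre-publication check for sensitive HTML comments (added example).

Parses HTML with the standard library, collects every comment that
would be delivered to the browser, and reports those that match a
list of sensitive-looking patterns. The sample page and pattern list
are constructed for this example, not taken from any project.
"""
import re
from html.parser import HTMLParser

# Constructed sample page: what a template author might leave behind.
# Note that the PHP comment on the last lines is not an HTML comment and
# would not reach the browser, so the parser does not report it.
SAMPLE_HTML = """<html><head><title>Login</title></head>
<body>
<!-- main login form -->
<form action="/login" method="post">
  <!-- TODO remove before release: test login admin / password Sup3rSecret -->
  <input name="user"><input name="pass" type="password">
</form>
<!-- old admin console still at /oldadmin/ until migration finishes -->
<?php // this PHP comment is never sent to the browser ?>
</body></html>"""

# Patterns that usually mark a comment worth a human review (assumed list).
SENSITIVE_PATTERNS = [
    r"\bpassw(or)?d\b", r"\bpwd\b", r"\bsecret\b", r"\btoken\b", r"\bapi[_ -]?key\b",
    r"\badmin\b", r"\btodo\b", r"\bfixme\b", r"\bremove\b", r"\bdebug\b",
    r"\bhidden\b", r"\bbackup\b",
    r"/[\w./-]+/",  # a path-like fragment such as /oldadmin/
]


class CommentCollector(HTMLParser):
    """Collects every HTML comment together with the line it starts on."""

    def __init__(self):
        super().__init__()
        self.comments = []  # list of (line_number, comment_text)

    def handle_comment(self, data):
        # getpos() still points at the start of the comment while the
        # handler runs, so the line number is where the comment begins.
        line, _col = self.getpos()
        self.comments.append((line, data.strip()))


def extract_comments(html):
    """Return [(line, text), ...] for every <!-- --> comment in the document."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def classify_comment(text):
    """Return the sensitive patterns that match this comment (empty if none)."""
    return [pat for pat in SENSITIVE_PATTERNS if re.search(pat, text, re.IGNORECASE)]


def audit_html(html):
    """Return [(line, text, matched_patterns), ...] for suspicious comments only."""
    findings = []
    for line, text in extract_comments(html):
        hits = classify_comment(text)
        if hits:
            findings.append((line, text, hits))
    return findings


if __name__ == "__main__":
    for line, text, hits in audit_html(SAMPLE_HTML):
        print(f"line {line}: {text!r}  matched {hits}")
```

Run against the sample page, the script reports the two comments that contain a test password and a reference to an old admin path, and stays silent on the harmless "main login form" comment and on the PHP comment, which is never part of the delivered HTML. Running such a check over rendered templates before release (or feeding it the output of a crawl) gives the same signal that W3AF's findComment plugin produces, from the defender's side of the deployment.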