Client-side Comments

Overview Applications may contain comments within the client-side source code. Common locations include HTML and JavaScript comments. Video Tutorials Discovery Methodology While these comments are not visible in the browser, they can be seen by using the browsers "View Source"/"View Page Source" feature. Also, tools and techniques are availble to automatically parse comments from an entire site. Exploitation Comments can be seen in clear-text. Tools are available to help automate examination of entire sites. Print comments of default pages for list of servers while read HOST; do echo -n $HOST:; curl -v --silent --connect-timeout 2 --max-time 3 $HOST 2>&1 | grep -A 100 "<\!--"; echo; done < hosts.txt Print comments from a copy of a site (i.e. from spidering with wget) wget -r http://localhost/mutillidae grep -r -A 10 "<\!--" * NMAP: Sweeping for comments nmap -p 80,443 -v -Pn --script=http-comments-displayer --open -iL hosts.txt Example There is a sensitive comment on the Mutillidae Home page. Visit the Home page. View the page source to see comments. Videos How to use WGET to clone a Web Site How to Sweep a Web Site for HTML Comments Finding Comments and File Metadata using Multiple Techniques