Client-side Comments


Overview

Applications may contain comments within the client-side source code. Common locations include HTML and JavaScript comments.

Discovery Methodology

While these comments are not visible in the rendered page, they can be seen by using the browser's "View Source"/"View Page Source" feature. Also, tools and techniques are available to automatically parse comments from an entire site.

Exploitation

Comments can be seen in clear-text. Tools are available to help automate examination of entire sites.

Print comments of default pages for a list of servers:
while read -r HOST; do echo -n "$HOST:"; curl -v --silent --connect-timeout 2 --max-time 3 "$HOST" 2>&1 | grep -A 100 '<!--'; echo; done < hosts.txt

Print comments from a copy of a site (i.e. from spidering with wget):
wget -r http://localhost/mutillidae
grep -r -A 10 '<!--' *

NMAP: Sweeping for comments:
nmap -p 80,443 -v -Pn --script=http-comments-displayer --open -iL hosts.txt

Example

There is a sensitive comment on the Mutillidae Home page. Visit the Home page. View the page source to see comments.
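
The same review can be run by the site owner before release. The following Python sketch is an added example, not part of Mutillidae or the original page: it extracts HTML comments and comments inside script blocks from a page and flags those matching a keyword list. The keyword list, the names used and the sample page are constructed for illustration, and the JavaScript comment match is a regex heuristic, not a full parser.

```python
import re
from html.parser import HTMLParser

# Assumed keyword list: tune it to what your own pages must never ship.
SENSITIVE = re.compile(r"passw(or)?d|secret|api[_-]?key|token|todo|fixme|debug", re.I)
# Heuristic: /* ... */ blocks and // lines ("://" in URLs is skipped).
JS_COMMENT = re.compile(r"/\*.*?\*/|(?<!:)//[^\n]*", re.S)

# Constructed sample page, not taken from any real site.
SAMPLE = """<body>
<!-- constructed: staging db password is changeme -->
<!-- layout: two-column -->
<script>
// TODO remove debug endpoint before release
var u = "http://example.test/a"; /* harmless note */
</script>
</body>"""

class CommentAudit(HTMLParser):
    """Collects HTML comments and comments found inside <script> blocks."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.found = []  # (kind, line number, comment text)

    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_comment(self, data):
        self.found.append(("html", self.getpos()[0], data.strip()))

    def handle_data(self, data):
        if not self.in_script:
            return
        base = self.getpos()[0]  # line where this script text starts
        for m in JS_COMMENT.finditer(data):
            line = base + data.count("\n", 0, m.start())
            self.found.append(("js", line, m.group().strip()))

def audit(html):
    """Return (every comment, the comments matching SENSITIVE)."""
    parser = CommentAudit()
    parser.feed(html)
    parser.close()
    return parser.found, [c for c in parser.found if SENSITIVE.search(c[2])]
```

Calling audit(SAMPLE) returns all four comments and flags the two that mention a password and a debug endpoint; run over build output, a non-empty flagged list is a reason to stop the release.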

Videos


Click here to watch How to use WGET to clone a Web Site
Click here to watch How to Sweep a Web Site for HTML Comments
Click here to watch Finding Comments and File Metadata using Multiple Techniques