Client-side Comments
Overview

Applications may contain comments within the client-side source code. Common locations include HTML and JavaScript comments.

Discovery Methodology

While these comments are not visible in the browser, they can be seen by using the browser's "View Source"/"View Page Source" feature. Also, tools and techniques are available to automatically parse comments from an entire site.

Exploitation

Comments can be seen in clear-text. Tools are available to help automate examination of entire sites.

Print comments of default pages for a list of servers
while read -r HOST; do echo -n "$HOST:"; curl -v --silent --connect-timeout 2 --max-time 3 "$HOST" 2>&1 | grep -A 100 '<!--'; echo; done < hosts.txt
Print comments from a copy of a site (i.e. from spidering with wget)
wget -r http://localhost/mutillidae
grep -r -A 10 '<!--' *
NMAP: Sweeping for comments
nmap -p 80,443 -v -Pn --script=http-comments-displayer --open -iL hosts.txt
Example

There is a sensitive comment on the Mutillidae Home page. Visit the Home page. View the page source to see comments.
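A pre-release audit for the comments described above, as an added example that is not part of the original page: it extracts HTML comments and JavaScript comments inside script blocks from a page you own and flags the ones that look sensitive. The keyword list, the function names and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed triage keywords (not from the page); tune for your own code base.
SENSITIVE = re.compile(r"passw|secret|api[_-]?key|token|todo|fixme|debug|admin", re.I)
# Heuristic JS comment matcher: /* block */ or // line. The (?<!:) guard skips
# the "//" in URLs such as http://; it does not understand string literals.
JS_COMMENT = re.compile(r"/\*.*?\*/|(?<!:)//[^\n]*", re.S)

class CommentAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.findings = []  # (line, kind, text)

    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_comment(self, data):
        # getpos() is the position where the comment starts
        self.findings.append((self.getpos()[0], "html", data.strip()))

    def handle_data(self, data):
        if not self.in_script:
            return
        base = self.getpos()[0]  # line where this chunk of script text starts
        for m in JS_COMMENT.finditer(data):
            line = base + data.count("\n", 0, m.start())
            self.findings.append((line, "js", m.group().strip()))

def audit(html):
    """Return (line, kind, text, flagged) for every comment in the page source."""
    parser = CommentAuditor()
    parser.feed(html)
    parser.close()
    return [(ln, kind, text, bool(SENSITIVE.search(text)))
            for ln, kind, text in parser.findings]

# Constructed sample page, not taken from Mutillidae.
SAMPLE = ('<html>\n<!-- build 2024-01 -->\n<body>\n'
          '<!-- TODO: remove test account\n     admin / changeme -->\n<script>\n'
          'var api = "http://example.test/api"; // debug endpoint, disable before release\n'
          '/* layout helper */\n</script>\n</body></html>\n')

if __name__ == "__main__":
    for ln, kind, text, flagged in audit(SAMPLE):
        print(f"{'REVIEW' if flagged else 'ok':6} line {ln} [{kind}] {text!r}")
```

Unlike `grep -A`, the parser reports each comment exactly from its opening to its closing delimiter, so a check like this can fail a build when a flagged comment reaches a deployable artifact.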