HTML Comments

An HTML comment is defined as a block of text enclosed within <!-- and --> tags. The browser ignores everything enclosed within these tags when it renders the page for display. However, comments remain a part of the HTML source code and are displayed when the user chooses the View Source option in the browser.

Developers and Web content authors use comments to insert placeholders and annotations in the HTML code. Every programmer is taught the importance of putting appropriate comments in the source code.

In legacy software applications, comments are removed by the compiler when executable binaries are generated. Hence comments never end up being a security issue as far as information disclosure is concerned. In the case of HTML, comments end up being transmitted to the Web browser.

What can an attacker gather from HTML comments? Generally, the comments include:

- Revision history
- Developer or author details
- Cross-references with other areas of the Web application
- Reminders and placeholders
- Comments inserted automatically by Web applications
- Old commented-out code

Many times we are asked: "How much of this stuff do you really find on actual sites?" See for yourself. The examples presented are only slightly modified to conceal the identities of the Web sites and servers that carry these pages.

Revision History

As a Web application undergoes changes, developers tend to maintain a change log within the source code of the application. In the case of static HTML files, especially those that comprise the main Web page and other points of entry into the application, developers tend to embed the revision history in these files. The part opener Case Study shows how the hacker learned critical information by looking at the revision history embedded in comments in the news section of www.acme-art.com.

Developer or Author Details

Many times, developers or Web content authors leave details in the comments in the HTML code. This is a common practice if many developers are working on the same resources and files.

A typical example of a developer comment found in the HTML comments is:

<!-- Changed by: John Smith, Mon Mar  6 13:13:25 2000-->
<BASE HREF="http://www.blueballoon.com/store/">
<LINK REV="made" HREF="mailto:jsmith@blueballoon.com">

Cross-References to Other Areas of the Web Application

Most Web applications consist of many distinct files and scripts linked to one another. In many cases, HTML comments contain information about how files are cross-referenced to one another and also give details on application functionality, as in:

<!-- Called by /login/login.php -->

Reminders and Placeholders

In many cases, HTML comments act as a string around the finger, to remind the application or content writer about some important aspects of that particular resource. Such information within HTML comments is valuable when gathering information about application functionality.

Some reminders can be fairly harmless. An example of such a reminder is:

<!-- MAIN DOCUMENT TABLE: TOP-->
<table border="0" width="770" cellspacing="0" cellpadding="0">
<!-- this row establishes the spacing of the internal cells -->
<tr><td width="165"><!-- navigation block -->
<img src="/global/resources/blank.gif" width="165" height="16" border="0"></td>
<td width="605"><!-- content block --><img src="/global/resources/blank.gif"
width="605" height="16" border="0"></td></tr>
<!-- HEADER-LOGO -->

However, other reminders or placeholders can reveal sensitive information, such as:

<!-- Make sure that /var/www/html/conf/shopping_cart.conf is updated -->
<!-- before making changes to this file -->
<!-- PUT NEW PRODUCTS HERE -->
<!-- BEGINNING OF LEFT SIDE MENU -->
  <TABLE BORDER="0" CELLPADDING="2" CELLSPACING="2">
  <TR><TD ALIGN="LEFT" WIDTH="380" VALIGN="TOP">

The comment says it all. A hacker reading this code would immediately jump to the browser window and send off a request for http://server/conf/shopping_cart.conf to see if the shopping cart configuration file could be recovered.

Another example of careless information leakage in placeholder comments is:

<!--start header code-->
  <table cellspacing=0 cellpadding=0 border=0>
  <tr>
  <td width=225>&nbsp;</td>
  <!-- ad goes here! -->
  <nobr><a href="/promos/default.asp">
  <B><FONT STYLE="font-size: 11px" COLOR=#333399>
  Save 25% on Apartments.</FONT></B></a></nobr>
  <!-- end ad -->
  </td>
  </tr>
   </table>
<!-- strPath c:\webroot\daily\home\Default.asp-->
<!-- apt_tab hom-->

Comments Inserted by Web Application Servers

Some Web application servers and Web content authoring tools insert their own comments in the generated HTML code. These comments may not directly give away any sensitive information, but if analyzed carefully, they do reveal which technologies are at work on the Web server or which tools were used to compose the Web page. Examples of such comments include:

<!-- ImageReady Preload Script (splash.psd) -->
<!-- Vignette StoryServer 4 Sun Jan 13 00:04:01 -->
<!-- NCompass Resolution Template File -->
<!-- Lotus-Domino (Release 5.0.9 - November 16, 2001 on AIX) -->

These comments are inserted by Adobe ImageReady, Vignette StoryServer, NCompass (now Microsoft Content Management Server), and Lotus Domino Server, respectively.

Old "Commented-Out" Code

As Web pages undergo changes, content authors tend to create a copy of the content, comment out the old copy, and edit the new copy to preserve formatting. Some important information often ends up being leaked in the commented-out content. Such an instance is:

<!--
<P> <A HREF="http://some-server.com/~xyzzy/picons.zip">Host icons database</A>
This isn't needed to run Application X, but it makes traceroute a little
prettier. It's a repackaged version of the
<A HREF="http://www.faqs.org/faqs/picons-faq/">Picons</A> domain database.
If you'd like to see your domain added, send it to the picons maintainers
and I'll import it for the next release of Application X.
-->

Note that the Web content author gave away the fact that a user account called "xyzzy" is present on the server.

In the acme-art.com credit card theft case, the hacker accessed user homepage directories http://www.acme-art.com/~kmp/ and http://www.acme-art.com/~ajq/ to get the source code of the CGI scripts used on www.acme-art.com. Information leakage, as illustrated in the preceding comments, can lead to such a situation.
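A site owner can check for these comment categories before a page is published. The following Python script is an added example, not code from the book: the rule names, the patterns and the audit_html helper are assumptions made for illustration, and the sample page is constructed from the comments quoted in this section.

```python
import re
from html.parser import HTMLParser

# Heuristic rules for the leak categories listed in the text (assumed, not exhaustive).
RULES = [
    ("author/revision", re.compile(r"\b(changed|modified|updated|revised|edited)\s+by\b", re.I)),
    ("path or cross-reference", re.compile(
        r"[A-Za-z]:\\[\w.\\-]+|/(?:var|etc|usr|home|opt|srv)/[\w./-]+"
        r"|/[\w/-]+\.(?:php|asp|aspx|jsp|cgi|conf|inc)\b", re.I)),
    ("server/tool banner", re.compile(r"Lotus-Domino|Vignette|NCompass|ImageReady", re.I)),
    ("commented-out markup", re.compile(r"<\s*(?:a|p|form|input|script|img)\b", re.I)),
    ("user home directory", re.compile(r"/~\w+")),
]

class CommentAuditor(HTMLParser):
    """Collects (line, category, comment) for every HTML comment that matches a rule."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        line = self.getpos()[0]          # line where the comment starts
        text = " ".join(data.split())    # collapse whitespace for reporting
        for category, pattern in RULES:
            if pattern.search(text):
                self.findings.append((line, category, text[:60]))

def audit_html(source):
    auditor = CommentAuditor()
    auditor.feed(source)
    auditor.close()
    return auditor.findings

# Constructed sample page built from the comment styles quoted in the text.
SAMPLE = """<!-- Changed by: John Smith, Mon Mar  6 13:13:25 2000-->
<!-- Called by /login/login.php -->
<!-- MAIN DOCUMENT TABLE: TOP-->
<table><tr><td>content</td></tr></table>
<!-- Make sure that /var/www/html/conf/shopping_cart.conf is updated -->
<!-- strPath c:\\webroot\\daily\\home\\Default.asp-->
<!-- Lotus-Domino (Release 5.0.9 - November 16, 2001 on AIX) -->
<!--
<P> <A HREF="http://some-server.com/~xyzzy/picons.zip">Host icons database</A>
-->
"""

if __name__ == "__main__":
    for line, category, text in audit_html(SAMPLE):
        print(f"line {line}: [{category}] {text}")
```

Run over the generated HTML in a build or review step, the findings show which comments to strip or move into server-side comments that never reach the browser. The harmless layout reminder on line 3 of the sample is not flagged.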

 



Web Hacking: Attacks and Defense
ISBN: 0201761769
Year: 2005
Pages: 156
