Comments in Code







Risk Rating:


From the very start of your programming life, you are told over and over again to use comments within your code to ensure that other people reading it can understand the flow of the program. This is good practice for development systems; however, before this code is transferred onto production systems, all revealing information, including comments, should be removed to ensure that information leakage is minimized.

These comments provide attackers with an insight into the development of the web application, allowing them to see exactly what the code is doing. This saves the attackers time and may provide them with enough insight to understand how any security mechanisms may be bypassed. This is often the case when security has been implemented within JavaScript or Java Applets, which are ultimately controlled by the attacker. JavaScript is able to be modified directly, or simply turned off, and Java Applets are able to be decompiled to reveal the source code, allowing client-side security mechanisms to be enumerated and bypassed.

Comments within HTML source code may reveal software types and versions, developer names and contact information, old source-code that is no longer used, and even usernames and passwords. Hidden fields are similar to comments in that they quite often leak sensitive information including full filesystem paths, internal IP addresses or system names, and confidential information, such as banking details and account numbers.

Was this article helpful?

0 0
The Ultimate Computer Repair Guide

The Ultimate Computer Repair Guide

Read how to maintain and repair any desktop and laptop computer. This Ebook has articles with photos and videos that show detailed step by step pc repair and maintenance procedures. There are many links to online videos that explain how you can build, maintain, speed up, clean, and repair your computer yourself. Put the money that you were going to pay the PC Tech in your own pocket.

Get My Free Ebook

Post a comment