This is nothing new, just something I wanted to blog for a long time but always forgot.
Part of a web application penetration test/audit is to inspect the HTML for all kinds of interesting information, e.g. comments. You would not believe what you can find there sometimes, e.g.
<!-- use sa/blank in production -->
ASP.NET has server-side comments, which are not rendered to the client. If you want to annotate your markup, use them instead of normal HTML comments, e.g.
<%-- server side comment, does not appear on the client --%>
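
A build-time check for the point above, as an added example that is not part of the original post: it lists the HTML comments in a piece of .aspx markup that would reach the browser, ignoring anything wrapped in server-side comments. The function name, the keyword list and the sample markup are assumptions made for illustration.

```python
import re

# ASP.NET server-side comments: removed by the server before rendering.
SERVER_COMMENT = re.compile(r"<%--.*?--%>", re.DOTALL)
# Plain HTML comments: sent to every client that requests the page.
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Assumed keyword list; tune it to what matters in your own code base.
SENSITIVE = re.compile(
    r"\b(password|passwd|pwd|sa|admin|todo|fixme|production|key|secret)\b", re.I)


def _blank(match):
    # Keep newlines so reported line numbers still match the source file.
    return re.sub(r"[^\n]", " ", match.group(0))


def client_visible_comments(markup):
    """Return (line, text, sensitive) for each HTML comment the client would see."""
    # An HTML comment nested inside <%-- --%> never leaves the server, so
    # blank out server-side comments before searching.
    visible = SERVER_COMMENT.sub(_blank, markup)
    findings = []
    for m in HTML_COMMENT.finditer(visible):
        text = " ".join(m.group(1).split())
        if text.startswith("[if "):  # IE conditional comment: functional markup
            continue
        line = visible.count("\n", 0, m.start()) + 1
        findings.append((line, text, bool(SENSITIVE.search(text))))
    return findings


# Constructed sample markup, not taken from a real application.
SAMPLE = """<%@ Page Language="C#" %>
<html>
<body>
<!-- use sa/blank in production -->
<%-- server side comment, does not appear on the client --%>
<%-- disabled block:
<!-- old login form -->
--%>
<!-- layout: two columns -->
</body>
</html>
"""

if __name__ == "__main__":
    for line, text, sensitive in client_visible_comments(SAMPLE):
        print(f"line {line}: {'REVIEW' if sensitive else 'info'}: {text}")
```

Run over the .aspx, .ascx and .master files of a project before release, every reported line is a candidate for conversion to a server-side comment.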