ASP.NET Server Side Comments

This is nothing new, just something I wanted to blog for a long time but always forgot.

Part of a web application penetration test/audit is to inspect the HTML for all kinds of interesting information, e.g. comments. You would not believe what you can find there sometimes, e.g.

<!– use sa/blank in production –>

ASP.NET has server side comments, they will not get rendered to the client. If you want to annotate your markup, better use them instead of normal HTML comments, e.g.

<%— server side comment, does not appear on the client —%>

 

 

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s