ASP.NET Server Side Comments

This is nothing new, just something I wanted to blog about for a long time but always forgot.

Part of a web application penetration test/audit is to inspect the HTML for all kinds of interesting information, e.g. comments. You would not believe what you can find there sometimes, e.g.

<!-- use sa/blank in production -->

ASP.NET has server-side comments, which are not rendered to the client. If you want to annotate your markup, it is better to use them instead of normal HTML comments, e.g.

<%-- server side comment, does not appear on the client --%>
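
As an added example (not from the original post), here is a small Python check that lists the HTML comments in ASP.NET markup that would reach the client, while ignoring anything wrapped in a server-side comment. The function name and the sample page are constructed for illustration, and the regex matching is an approximation of what the ASP.NET parser does.

```python
import re

# Server-side comment: dropped by ASP.NET, never sent to the client.
SERVER_COMMENT = re.compile(r"<%--.*?--%>", re.DOTALL)
# HTML comment: ordinary markup, delivered to the browser as written.
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)

# Constructed sample page, not taken from a real application.
SAMPLE = """\
<%@ Page Language="C#" %>
<html>
<body>
  <!-- use sa/blank in production -->
  <%-- server side comment, does not appear on the client --%>
  <%--
    <!-- old markup disabled on the server -->
  --%>
  <form runat="server">
    <!-- TODO:
         remove debug panel -->
  </form>
</body>
</html>
"""

def client_visible_comments(markup):
    """Return (line_number, text) for each HTML comment the client would see."""
    # Blank out server-side comments but keep their newlines, so the
    # reported line numbers still match the source file.
    stripped = SERVER_COMMENT.sub(
        lambda m: re.sub(r"[^\n]", " ", m.group(0)), markup)
    findings = []
    for m in HTML_COMMENT.finditer(stripped):
        line = stripped.count("\n", 0, m.start()) + 1
        findings.append((line, " ".join(m.group(1).split())))
    return findings

if __name__ == "__main__":
    for line, text in client_visible_comments(SAMPLE):
        print(f"line {line}: client-visible comment: {text}")
```

Run over the .aspx, .ascx and .master files of a project before release, this shows which annotations should be converted to `<%-- --%>` or removed.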

