Threat Class: Information Leakage
Reason: AppScan discovered HTML comments that appear to contain sensitive information.
Technical Description: Many web application programmers use HTML comments to help debug the application. General comments are harmless, but programmers sometimes leave important data in them: filenames and paths belonging to the web application, old links or links that were never meant to be browsed by users, old code fragments, and so on. Unlike server-side comments, HTML comments are delivered to every client in the response body, so anyone who views the page source or crawls the site can read them. An attacker who finds such comments can map the application's structure and files, expose hidden parts of the site, and study the code fragments to reverse engineer the application, which may help develop further attacks against the site.
Risk: An attacker can gather sensitive information about the web application, such as usernames, passwords, machine names and/or sensitive file locations.
Mitigation: [1] Do not leave vital information such as filenames or file paths in HTML comments.
[2] Remove traces of previous (or future) site links from comments on the production site.
[3] Do not place credentials, machine names or other sensitive information in HTML comments; keep such notes in server-side comments or in the issue tracker, where they are not sent to the client.
[4] Make sure that HTML comments do not include source code fragments.
[5] Review the rendered pages before deployment to make sure that no vital information was left behind by programmers, preferably by stripping HTML comments automatically in the build or template pipeline.
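The following is an added example, not part of the AppScan finding or its remediation text, showing the check a practitioner would run before deployment: extract every HTML comment from a page, flag comments that match the categories the description lists (credentials, file paths, links, code fragments, machine names), and strip all comments from the output as a build-time safeguard. The sample page, the pattern set and the category names are constructed for illustration; the patterns are a starting point and should be tuned to the application, and a clean scan does not prove that no sensitive comment remains.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not taken from any real site or from the finding).
SAMPLE_HTML = r"""<html><head>
<!-- Site layout last touched 2019 -->
</head><body>
<!-- TODO: remove before release. Old admin login at /admin_old/login.php, user: admin password: Summer2019! -->
<!-- Config loaded from C:\inetpub\wwwroot\include\db.inc -->
<!-- <?php $db = mysql_connect("db01.internal", "root", "toor"); ?> -->
<!-- staging copy: http://staging.example.com/beta/ -->
<!-- Built on machine: build-web03 -->
<p>Hello</p>
</body></html>"""

# Illustrative indicators for the categories named in the finding. Category
# names are our own; tune the patterns to the application being reviewed.
PATTERNS = {
    "credential": re.compile(
        r"(?i)\b(?:user(?:name)?|password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]"),
    "file_path": re.compile(
        r'(?:[A-Za-z]:\\[^\s"<>]+|(?:/[\w.-]+){2,}\.\w{1,5})'),
    "link": re.compile(r'(?i)\bhttps?://[^\s"<>]+'),
    "hostname": re.compile(r"(?i)\b(?:host(?:name)?|server|machine)\s*[:=]\s*\S+"),
    "code_fragment": re.compile(
        r"(?i)<\?php|<%|<script|\bfunction\s+\w+\s*\(|\bSELECT\b.+\bFROM\b"),
}


class CommentCollector(HTMLParser):
    """Collects the body of every <!-- ... --> comment in document order."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data)


def extract_comments(html):
    """Return the text of all HTML comments in the page (without delimiters)."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def classify_comment(comment):
    """Return the sorted list of sensitive categories a comment matches."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(comment))


def find_leaky_comments(html):
    """Return (comment_text, categories) for each comment that matches at least one pattern."""
    findings = []
    for comment in extract_comments(html):
        categories = classify_comment(comment)
        if categories:
            findings.append((comment.strip(), categories))
    return findings


def strip_comments(html):
    """Remove every HTML comment, including multi-line ones, from the markup.

    This is the build-time safeguard for mitigation [5]: the developer notes
    never reach the client. It is a whole-document text pass, so it also removes
    legacy IE conditional comments, which is the intended behaviour here.
    """
    return re.sub(r"<!--.*?-->", "", html, flags=re.DOTALL)


if __name__ == "__main__":
    for text, categories in find_leaky_comments(SAMPLE_HTML):
        print(f"[{', '.join(categories)}] {text}")
    print("comments left after stripping:", len(extract_comments(strip_comments(SAMPLE_HTML))))
```

Run this against the rendered output of each page (or against the HTML produced by the template engine in CI) rather than against the templates alone, since includes and layouts can introduce comments the page author never sees. A hit on `credential` or `file_path` is the one to treat as blocking; `link` and `hostname` hits need a human to decide whether the target is public.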
https://qa.armorcode.ai/#/findings/5858747