Comments in a web application's source code may contain sensitive keywords or data that help attackers craft more targeted attacks against it. Developers add these comments to make the code easier for people to understand, and compilers and interpreters ignore them; comments in client-side HTML, JavaScript and CSS, however, are delivered to every visitor along with the page.
This is one of the most overlooked security issues. Because comments have no effect on how the code runs, some developers leave important data in them, such as connection strings or credentials for administrative or test accounts, which gives attackers critical information for tailoring attacks against the website. Attackers can also use comments to learn more about the web application's structure, its files, and the hidden parts of the site.
You can add items to or remove them from the Sensitive Keyword Patterns list in the Knowledge Base tab of the New Scan Policy window in Acunetix 360. Acunetix 360 matches these patterns against the comments it finds to identify sensitive keywords, so the comments reported by your scan vary depending on this list.
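As an added example (not Acunetix 360's own code or pattern list), the following Python script applies the same idea to a page you control before it ships: it collects HTML comments and the comments inside inline scripts, then reports those that match a constructed, hypothetical keyword pattern list.

```python
import re
from html.parser import HTMLParser

# Constructed stand-in for a Sensitive Keyword Patterns list (hypothetical,
# not Acunetix 360's own list); extend it with whatever you treat as sensitive.
SENSITIVE_PATTERNS = [
    r"\bpassword\b", r"\bpasswd\b", r"\bconnection\s*string\b", r"\bapi[_-]?key\b",
    r"\btodo\b.*\bremove\b", r"\btest\s+account\b", r"\badmin(istrator)?\b", r"\bsecret\b",
]
# JS comment forms: "//" not preceded by ":" (so https:// is skipped) and /* ... */
_JS_COMMENT = re.compile(r"(?<!:)//([^\n]*)|/\*([\s\S]*?)\*/")

class CommentCollector(HTMLParser):
    """Collects <!-- --> comments and // or /* */ comments inside inline <script>."""
    def __init__(self):
        super().__init__()
        self.comments = []
        self._script = None  # text buffer while inside a <script> element
    def handle_comment(self, data):
        self.comments.append(data.strip())
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script = []
    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            for m in _JS_COMMENT.finditer("".join(self._script)):
                self.comments.append((m.group(1) or m.group(2) or "").strip())
            self._script = None

def find_sensitive_comments(html, patterns=SENSITIVE_PATTERNS):
    """Return (comment, [patterns it matched]) for every comment hitting a pattern."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    compiled = [(p, re.compile(p, re.IGNORECASE)) for p in patterns]
    hits = []
    for comment in parser.comments:
        matched = [p for p, rx in compiled if rx.search(comment)]
        if matched:
            hits.append((comment, matched))
    return hits

# Constructed sample page (not from any real site) with two leaky comments
SAMPLE_HTML = """<html><head><!-- Deployed from build 42 --><script>
// TODO remove before release: test account qa_user / Passw0rd!
var endpoint = "https://example.test/api"; /* api_key lives in config.js */
</script></head><body><!-- layout v2 --><p>Hello</p></body></html>"""
```

It uses regular expressions rather than a JavaScript parser, so a string literal containing // or /* can be over-reported. Tune the pattern list the same way you would tune the Sensitive Keyword Patterns list in the scan policy.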
Once the scan is complete, all comments are listed under the Comments node in the Knowledge Base, highlighted in red and bold. You can access the same information in the Knowledge Base Report and the Knowledge Base tab.
Acunetix 360 creates Knowledge Base nodes based on its findings. If the Comments node is not listed, Acunetix 360 did not find any comments.
For further information, see Knowledge Base Nodes.
How to View the Comments Node in Acunetix 360
- Log in to Acunetix 360.
- From the main menu, click Scans, then Recent Scans. The Recent Scans window is displayed.
- Next to the relevant website, click Report.
- From the Technical Report section, click the Knowledge Base tab.
- Click the Comments node. The information is displayed in a Comments tab.