Inclusion of Sensitive Information in Source Code Comments

Status: Incomplete
Abstraction: Variant
Structure: Simple
Description

This vulnerability occurs when developers leave sensitive details within source code comments. These can include internal file paths, hidden URLs, inactive code snippets, credentials, or other information meant for internal use only.

Extended Description

Comments containing sensitive data act as a roadmap for attackers. By scanning these comments, an attacker can uncover the application's internal structure, discover hidden files or administrative endpoints, and piece together how the software works, significantly reducing the effort needed to plan an attack. To prevent this, treat comments as part of your public-facing code. Establish a review process to scrub comments before deployment, and use environment variables or secure configuration files for any operational details like paths or links. Remember, if it shouldn't be seen by users, it shouldn't be in the comments.

Common Consequences
Scope: Confidentiality

Impact: Read Application Data

Detection Methods

Automated Static Analysis (Effectiveness: High)

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Potential Mitigations

Phase: Distribution

Remove comments that contain sensitive information about the design or implementation of the application. Some of these comments may be exposed to the user and weaken the security posture of the application.
Demonstrative Examples

The following comment, embedded in a JSP, will be displayed in the resulting HTML output.

Code Example (Bad, JSP): the example code was not preserved in this copy.
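To illustrate the point of the demonstrative example, here is an added Python script that is not part of the CWE entry: it models the one behaviour that matters (a JSP container strips `<%-- --%>` comments but passes `<!-- -->` HTML comments through to the browser) and then scans the emitted HTML comments for the kinds of leaks listed under Observed Examples (paths, internal hostnames, version numbers, credentials, developer notes). The JSP fragment and the indicator patterns are constructed for this example; `render()` is a deliberately simplified stand-in for a JSP engine.

```python
import re

# Constructed sample JSP fragment (not from the CWE page). The first comment
# is a JSP comment (server-side only); the rest are HTML comments that a JSP
# container emits verbatim to every client.
SAMPLE_JSP = """<%-- TODO: server-side note, never sent to the client --%>
<html>
<!-- FIXME: admin panel lives at /internal/admin, db on db01.corp.example -->
<!-- Build 2.3.1, deployed from /var/www/app/releases/2.3.1 -->
<!-- old db login: user=reportviewer password=changeme -->
<!-- simple layout comment -->
<body>Hello</body>
</html>
"""

JSP_COMMENT = re.compile(r"<%--.*?--%>", re.S)
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)

# Heuristic indicators for the leak types in the Observed Examples above.
# These are constructed patterns for the demo, not an exhaustive rule set.
INDICATORS = {
    "path": re.compile(r"(?<![\w.])/[\w.-]+(?:/[\w.-]+)+"),
    "hostname": re.compile(r"\b[a-z][\w-]*(?:\.[a-z][\w-]*){2,}\b", re.I),
    "version": re.compile(r"\b(?:build|version|v)\s*\d+(?:\.\d+){1,3}\b", re.I),
    "credential": re.compile(
        r"\b(?:password|passwd|pwd|secret|api[_-]?key|token|user(?:name)?)\b", re.I),
    "dev_note": re.compile(r"\b(?:TODO|FIXME|HACK|XXX)\b"),
}


def render(jsp_source):
    """Simplified model of JSP output: JSP comments are dropped,
    HTML comments pass through untouched to the client."""
    return JSP_COMMENT.sub("", jsp_source)


def find_sensitive_comments(html):
    """Return (comment_text, [indicator names]) for every HTML comment that
    matches at least one indicator; harmless layout comments are not reported."""
    findings = []
    for m in HTML_COMMENT.finditer(html):
        text = m.group(1).strip()
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if hits:
            findings.append((text, hits))
    return findings


if __name__ == "__main__":
    for text, hits in find_sensitive_comments(render(SAMPLE_JSP)):
        print(f"{hits}: {text}")
```

Run against real output, the same scan can be pointed at the HTML a deployed application actually serves, which is the view an outside reader gets.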
Observed Examples

CVE-2007-6197: Version numbers and internal hostnames leaked in HTML comments.
CVE-2007-4072: CMS places full pathname of server in HTML comment.
CVE-2009-2431: Blog software leaks real username in HTML comment.
Modes of Introduction

Phase: Implementation