A web application's source code comments may include sensitive keywords or data that could pave the way for malicious hackers to craft better attacks against a web application. Developers add these comments to make the code easier for people to understand, but they are generally ignored by compilers.
This is one of the most overlooked security issues. Despite this benefit, some developers may leave important data – connection strings, administrative or test accounts credentials – providing critical information for attackers to tailor attacks against a website. Attackers could use it to find out more about the web application's structure, files, and the hidden parts of a website.
You can add or remove item(s) from the Sensitive Keyword Patterns list in the Knowledge Base tab of the New Scan Policy window in Netsparker Enterprise, or in the Comments tab of the Knowledge Base tab in the Scan Policy Editor in Netsparker Standard. Netsparker uses these items from the keyword patterns to identify the sensitive keywords in the comments. The comment result in your scan can vary depending on this list.
Once the scan is completed, all comments are listed under the Comments node in the Knowledge Base, highlighted in red and bold. You can access the same information in the Knowledge Base Report and Knowledge Base Tab.
Netsparker produces Knowledge Base nodes based on its findings. If the Comments node is not listed, it means that Netsparker did not find any.
For further information, see Knowledge Base Nodes.
How to View the Comments Node in Netsparker Enterprise
- Log in to Netsparker Enterprise.
- From the main menu, click Scans, then Recent Scans. The Recent Scans window is displayed.
- Next to the relevant website, click Report.
- From the Technical Report section, click the Knowledge Base tab.
- Click the Comments node. The information is displayed in a Comments tab.
How to View the Comments Node in Netsparker Standard
- Open Netsparker Standard.
- Start a Scan or open a previously saved scan.
- The Knowledge Base is displayed on the right of the Scan Summary Dashboard. (If it is hidden, display it again using the Knowledge Base icon on the View tab on the ribbon. Alternatively, click the Reset Layout icon on the View tab, then close the Activity/Progress/Logs panes to give maximum viewing space.)
- Ensure that the Knowledge Base Viewer is also displayed. (If it is hidden, you can display it again using the Knowledge Base Viewer button on the View tab. You may also want to close the Activity/Progress/Logs panes.)
- Click the Comments node in the Knowledge Base. All detected Comments are displayed in the Knowledge Base Viewer.