Guide to information leakage

What exactly is information leakage? Information leakage is the process by which potentially valuable information reaches the wrong person. In our use case, it is the situation where developers have accidentally left sensitive information in HTML comments while building a website. This information can range from credentials to database details. You can see an example below.

<form action="" method="post">
  <label>Password: </label>
  <input type="password" name="password" />
  <button>Login</button>
  <!-- password = kjXTsR87t75fTDXX! -->
</form>

As you can see from the example above, the developer has placed the password in the source code so they don't forget it while testing the website. Unfortunately, they have forgotten to remove the password from the comments, so any unauthorized person would be able to log in.

How does arctil look for information leakage?

Arctil comes with a number of predefined keywords that it looks for within HTML comments. Should it find any of these keywords, it reports the comment as "potential information leakage", so you can take a second look to see whether this is the case.

Currently the keyword list cannot be edited with custom checks, although this is something that may be implemented in future versions.
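To show what such a keyword check looks like in code, here is an added example (not arctil's own code): it extracts HTML comments with Python's html.parser and flags any comment containing a word from an assumed keyword list. The sample HTML is the form from this page plus one constructed harmless comment.

```python
"""Flag HTML comments that mention sensitive-looking keywords.

Added example, not arctil's code. The keyword list is an assumption;
arctil's real list is not published on this page.
"""
from html.parser import HTMLParser

# Assumed keyword list (lower-case, matched as substrings of the comment).
KEYWORDS = ("password", "passwd", "secret", "api_key", "apikey",
            "token", "connectionstring", "db_user", "db_pass")

# Constructed sample: the form from this page plus a harmless TODO comment.
SAMPLE_HTML = """<form action="" method="post">
  <label>Password: </label>
  <input type="password" name="password" />
  <button>Login</button>
  <!-- password = kjXTsR87t75fTDXX! -->
  <!-- TODO: tidy up layout -->
</form>
"""


class CommentCollector(HTMLParser):
    """Collect every HTML comment together with the line it starts on."""

    def __init__(self):
        super().__init__()
        self.comments = []  # list of (line_number, comment_text)

    def handle_comment(self, data):
        line, _offset = self.getpos()  # position of the "<!--" that opened it
        self.comments.append((line, data.strip()))


def find_leaks(html, keywords=KEYWORDS):
    """Return [(line, keyword, comment)] for comments that mention a keyword.

    Only comments are inspected: attributes such as type="password" in the
    markup itself are not comments and are therefore not reported.
    """
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for line, text in parser.comments:
        lowered = text.lower()
        for kw in keywords:
            if kw in lowered:
                findings.append((line, kw, text))
                break  # one report per comment is enough
    return findings


if __name__ == "__main__":
    for line, kw, text in find_leaks(SAMPLE_HTML):
        print(f"line {line}: potential information leakage ({kw!r}): {text}")
```

Every hit is only a candidate for review, exactly as the text above describes; a comment such as "password field must not be empty" would be flagged too.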

Still need help?

Are you having trouble using arctil? Why not try reaching out to our Community Forum.

Alternatively, you can try contacting us through the Contact page.