Information Disclosure – Sensitive HTML Comment Exposure | Vellichor Press
Lab Link
Lab: Vellichor Press
Overview
Vellichor Press is a literary magazine that recently launched a redesigned website. While the public-facing homepage appears polished and complete, development artifacts were accidentally left behind during deployment.
The challenge revolves around reviewing the HTML source code rather than interacting with visible application functionality.
A developer note embedded within an HTML comment discloses sensitive internal information, including an administrative shortcut and the challenge flag.
This is a classic example of information disclosure caused by exposing development notes in production content.
Objective
Inspect the website source code and identify sensitive information exposed through HTML comments.
Vulnerability Identification
This challenge is primarily an Information Disclosure vulnerability.
Classification Hierarchy
A02 - Security Misconfiguration
└── Sensitive Information Exposure
    └── Source Code Disclosure
        └── Sensitive Data in HTML Comments
Reconnaissance
Navigate to the homepage:
https://05de337b-4065-marginalia-4212d.challenges.webverselabs-pro.com/
The visible page appears normal.
The challenge description provides two important clues:
"draft admin note sits where nobody scrolls"
and
"Some notes are louder in the source than they are on the page"
These hints suggest examining the underlying HTML source.
Exploitation
Step 1 - View Page Source
Open the page source using:
Ctrl + U
or
Right Click → View Page Source
Review the HTML document.
Step 2 - Inspect HTML Comments
Within the source code, a developer comment is discovered:
<!--
TODO(elias): remove before final launch. Tracking note while the
reconciliation script runs against the Stripe export — do NOT push
this to production after Tuesday's deploy.
admin shortcut (drafts pane): /staff/admin?token=stripe-recon-2026
reconcile internal-ref: WEBVERSE{......}
— e.l, 2026-03-12, 11:48 ET. Removed by: .
-->
The comment contains multiple pieces of sensitive information.
Step 3 - Analyze the Disclosure
The exposed comment reveals:
- Administrative endpoint
- Internal reconciliation details
- Development notes
- Challenge flag
Most importantly:
WEBVERSE{......}
The flag is directly disclosed through the page source.
No additional interaction is required.
Proof of Exploitation
Location
HTML Source Code
Exposed Comment
<!--
Developer note
Administrative shortcut
Internal reference
-->
Flag
WEBVERSE{......}
Impact
An attacker can discover:
- Internal endpoints
- Administrative URLs
- API references
- Credentials
- Tokens
- Debug information
- Sensitive operational notes
Although comments are invisible in the rendered page, they remain accessible to anyone who views the source.
In real-world environments, HTML comments have exposed:
- API keys
- Cloud credentials
- Internal IP addresses
- Administrative interfaces
- Temporary passwords
- Source code references
Mitigation
Remove Development Comments
Development notes should never be deployed to production.
Review Source Before Release
Perform deployment reviews to identify TODO, FIXME, DEBUG, TEMP and INTERNAL artifacts.
Use Automated Scanning
Static analysis and CI/CD checks can detect sensitive content before deployment.
Separate Documentation from Production Code
Internal notes should be stored in issue trackers, project management systems or documentation repositories rather than in application source code.
Conduct Security Reviews
Review HTML, JavaScript, CSS, source maps and comments for exposed information.
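The pre-release review, automated scanning and security review steps above can be turned into a single CI gate. The following script is an added example written for this writeup, not code from the lab or from Vellichor Press: it parses HTML with the standard library, collects every comment, and flags any that carries one of the development markers named above (TODO, FIXME, DEBUG, TEMP, INTERNAL) or that looks like it leaks an admin path, a tokenised URL, a credential keyword or a WEBVERSE{...}-shaped value. The sample page, the placeholder token and the heuristic patterns are constructed for the demonstration.

```python
"""Pre-release check for sensitive HTML comments.

Added example for this writeup, not the lab's or Vellichor Press's code.
Usage in CI: python check_comments.py  (exits 1 when a leaky comment is found)
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Markers the Mitigation section says a deployment review should look for.
MARKERS = ("TODO", "FIXME", "DEBUG", "TEMP", "INTERNAL")

# Heuristic patterns for data that should never ride along in a comment.
# The flag format and the "token=" query parameter mirror the writeup;
# the others are generic indicators of credentials or internal routes.
PATTERNS = {
    "url_with_token": re.compile(r"/\S*\?\S*token=\S+", re.I),
    "flag_format": re.compile(r"WEBVERSE\{[^}]*\}"),
    "credential_word": re.compile(r"\b(password|passwd|secret|api[_-]?key)\b", re.I),
    "admin_path": re.compile(r"/(admin|staff)\b", re.I),
}


class CommentCollector(HTMLParser):
    """Collects (line, text) for every <!-- --> comment in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.comments: List[Tuple[int, str]] = []

    def handle_comment(self, data: str) -> None:
        # getpos() points at the start of the comment being handled.
        line, _col = self.getpos()
        self.comments.append((line, data.strip()))


def extract_comments(html: str) -> List[Tuple[int, str]]:
    """Return every HTML comment with the line on which it starts."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def classify(comment: str) -> List[str]:
    """Return the reasons a comment should block a release (empty if clean)."""
    reasons = []
    upper = comment.upper()
    for marker in MARKERS:
        if re.search(r"\b" + marker + r"\b", upper):
            reasons.append("marker:" + marker)
    for name, pattern in PATTERNS.items():
        if pattern.search(comment):
            reasons.append("pattern:" + name)
    return reasons


def find_sensitive_comments(html: str) -> List[dict]:
    """Scan a document and report only the comments that fail the check."""
    findings = []
    for line, text in extract_comments(html):
        reasons = classify(text)
        if reasons:
            findings.append({"line": line, "reasons": reasons, "excerpt": text[:80]})
    return findings


# Constructed sample page: one harmless layout comment and one leaky
# developer note modelled on the kind of note the writeup describes.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head><title>Sample</title></head>
<body>
<!-- layout: hero section -->
<h1>Issue 12</h1>
<!--
TODO(dev): remove before launch.
admin shortcut: /staff/admin?token=EXAMPLE-TOKEN-PLACEHOLDER
internal-ref: WEBVERSE{placeholder}
-->
</body>
</html>
"""

if __name__ == "__main__":
    results = find_sensitive_comments(SAMPLE_HTML)
    for f in results:
        print(f"line {f['line']}: {', '.join(f['reasons'])} -- {f['excerpt']!r}")
    # Non-zero exit makes the CI job fail while a leaky comment is present.
    raise SystemExit(1 if results else 0)
```

Run it over the built site's HTML output rather than the templates, since a templating step or a bundler can inject comments that never appear in the source tree. The marker list is deliberately a word-boundary match so that "TEMP" flags a temporary note but not the word "template".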
Real-World Insight
Information disclosure vulnerabilities frequently originate from development shortcuts that survive into production deployments.
Developers often leave:
<!-- TODO: Remove before launch -->
comments containing information that was never intended for public consumption.
Attackers routinely inspect page source, JavaScript files, source maps, and comments during reconnaissance because these locations frequently reveal sensitive information.
The Vellichor Press challenge demonstrates a fundamental lesson:
If the browser receives the data, the user can read the data. Hidden is not the same as protected.
