Create With AI – Detecting Secrets Hidden in HTML Comments

SecurityForEveryone

S4E.io

10/Dec/25

Enterprise-grade Automation with Pentester-level Flexibility

This library showcases real examples of how security teams use Create with AI to save time, reduce manual effort, and strengthen their defenses.

Unlike traditional scanners that limit users to predefined checks, Create with AI gives complete flexibility. You describe what you need, and the AI builds and runs it instantly. This allows teams to automate the exact tests they want instead of being restricted to what the product designer imagined.

Detecting Secrets Hidden in HTML Comments

Problem

Developers sometimes leave sensitive information inside HTML comments like <!-- HTML comments -->. These comments are invisible on the page but visible in the source code. Attackers often crawl them to find API keys, tokens, or database connection strings, which can lead to unauthorized access or data exposure. Manually reviewing thousands of pages for these mistakes takes time and cannot be done consistently.

Instant Solution (Create with AI)

Prompt: Create a scan that inspects HTTP responses across all assets. The scan should perform a GET request to the target asset and detect HTML comments, then search those comments for sensitive information such as API keys, access tokens, secrets, and database connection strings (PostgreSQL, MySQL, MongoDB, MSSQL, Oracle). If any such information is found, it should raise an alert and report which types of sensitive data were detected.

With one short instruction, the AI-generated scan fetches each page, extracts HTML comments, and analyzes them against known secret patterns. Using entropy checks to reduce noise, it flags any API keys, access tokens, or connection strings, automatically redacts sensitive parts, and ranks findings by severity. The full process runs in seconds.

🎥 Watch the Scan in Action

This short video shows Create with AI writing the prompt, generating the scan, running it across assets, and identifying sensitive data within HTML comments.

Value

  • Prevents credential leaks before attackers can exploit them
  • Automates repetitive review work in a 10-second scan
  • Improves accuracy by reducing false positives through entropy checks
  • Protects confidentiality by redacting sensitive data in reports
  • Gives complete flexibility to adapt the scan for any environment or custom secret format

Closing Takeaway

This scenario highlights the flexibility that makes Create with AI different. Instead of relying on a fixed rule set, security teams can instantly generate and adjust scans to match their unique applications, frameworks, or compliance needs. Whether it is detecting credentials, checking headers, or verifying policies, the same approach applies: describe what you need and let the AI do the rest.

🧰 Check It Yourself

Copy the sample scan code below or watch the video for a live walkthrough.

import re

# Task and http_or_https are supplied by the scan framework that runs this job;
# they are not defined in this snippet.
class Job(Task):
    def run(self):
        asset = http_or_https(asset=self.asset, _headers=self.headers, session=self.session)
        response = self.session.get(asset, headers=self.headers, timeout=5, verify=False)

        # Find HTML comments (DOTALL so multi-line comments are captured)
        comments = re.findall(r'<!--(.*?)-->', response.text, re.DOTALL)

        # Groups are non-capturing so re.findall returns the whole match,
        # not just the keyword ("token", "secret") that triggered it.
        patterns = {
            "API Key": r"\bapi[_-]?key\s*[:=]\s*[A-Za-z0-9]{16,}\b",
            "Access Token": r"\b(?:token|access[_-]?token)\s*[:=]\s*[A-Za-z0-9\.\-_]{20,}\b",
            "Secret": r"\b(?:secret|client[_-]?secret)\s*[:=]\s*[A-Za-z0-9\-_]{12,}\b",
            "PostgreSQL Connection": r"postgres(?:ql)?://[^:\s]+:[^@\s]+@[^:\s]+:\d+/\S+",
            "MySQL Connection": r"mysql://[^:\s]+:[^@\s]+@[^:\s]+(?::\d+)?/\S+",
            "MongoDB Connection": r"mongodb(?:\+srv)?://[^:\s]+:[^@\s]+@[^:\s]+(?::\d+)?/\S+",
            "MSSQL Connection": r"mssql://[^:\s]+:[^@\s]+@[^:\s]+(?::\d+)?/\S+",
            "Oracle Connection": r"oracle://[^:\s]+:[^@\s]+@[^:\s]+(?::\d+)?/\S+",
        }

        sensitive_info = []

        # Check every comment against every pattern
        for comment in comments:
            for category, regex in patterns.items():
                matches = re.findall(regex, comment, re.I)
                if matches:
                    sensitive_info.append({
                        "type": category,
                        "match": matches
                    })

        self.output['detail'] = sensitive_info
        self.output['compact'] = [
            f"Found sensitive information in HTML comments on {asset}"
        ] if sensitive_info else ["No sensitive information found in HTML comments."]
        self.output['video'] = [
            f"python3 html_comments_scan.py {self.asset}",
            "Searching for HTML comments...",
            "Analyzing comments for sensitive data..."
        ] \
        + (["Not found"] if not sensitive_info else []) \
        + [f"Sensitive {item['type']} found: {', '.join(map(str, item['match']))}" for item in sensitive_info]

    def calculate_score(self):
        self.score = self.param['max_score'] if self.output['detail'] else 1
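As an added example (not the page's own scan code), a standalone Python version of the full pipeline the post describes: extract comments, match secret patterns, drop low-entropy matches, redact what is reported, and rank by severity. The sample HTML, the severity labels and the entropy threshold are this example's assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample page (not from the original post): two real-looking leaks
# and one low-entropy placeholder that the entropy filter should drop.
SAMPLE_HTML = """<html><body>
<!-- TODO remove before release: api_key = AK7f93kdj2LmQ8xZt4vB -->
<!-- staging db: postgres://app:Tr0ub4dor_3@db.internal:5432/orders -->
<!-- api_key = aaaaaaaaaaaaaaaaaaaa  (placeholder) -->
<p>Hello</p></body></html>"""

# One capturing group per pattern so re.findall returns the secret value itself.
# Severity labels are this example's assumption; the post does not define a scale.
PATTERNS = {
    "API Key": (r"\bapi[_-]?key\s*[:=]\s*([A-Za-z0-9]{16,})\b", "high"),
    "Access Token": (r"\b(?:token|access[_-]?token)\s*[:=]\s*([A-Za-z0-9._-]{20,})\b", "high"),
    "PostgreSQL Connection": (r"(postgres(?:ql)?://[^:\s]+:[^@\s]+@[^:\s]+:\d+/\S+)", "critical"),
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

def shannon_entropy(value):
    """Bits per character; random-looking secrets score well above repeated text."""
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values()) if n else 0.0

def redact(value):
    """Mask the password of a connection URL, or all but a short prefix of a key."""
    if "://" in value:
        return re.sub(r"://([^:/\s]+):[^@\s]+@", r"://\1:***@", value)
    keep = min(4, len(value) // 4)
    return value[:keep] + "*" * (len(value) - keep)

def scan_html_comments(html, min_entropy=3.0):
    """Extract comments, match secret patterns, filter by entropy, redact, rank."""
    findings = []
    for comment in re.findall(r"<!--(.*?)-->", html, re.DOTALL):
        for category, (regex, severity) in PATTERNS.items():
            for value in re.findall(regex, comment, re.I):
                entropy = shannon_entropy(value)
                if entropy < min_entropy:
                    continue  # repeated or placeholder text, not a real secret
                findings.append({"type": category, "severity": severity,
                                 "entropy": round(entropy, 2), "redacted": redact(value)})
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return findings

if __name__ == "__main__":
    for f in scan_html_comments(SAMPLE_HTML):
        print(f"[{f['severity']}] {f['type']}: {f['redacted']} (entropy {f['entropy']})")
```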
