Network Communication / Out-Of-Band Resource Load (HTTP)
Out-of-band resource load (HTTP) is a Network Communication vulnerability classified in the CWE (Common Weakness Enumeration) directory under CWE-917. It occurs when a web or API application, or its infrastructure, allows a third party to access resources without first authenticating them. This vulnerability can be exploited when the resource is loaded from the same origin as the page requesting it. The OWASP Testing Guide recommends using a secure transport layer to prevent this vulnerability.
The risk of Out-of-band resource load (HTTP) can be assessed as high. It can allow a malicious actor to access sensitive information without authentication, effectively bypassing security controls. This can result in data leakage and further vulnerabilities that harm the organization.
The best way to fix an Out-of-band resource load (HTTP) vulnerability is to use a secure transport layer such as HTTPS. This ensures that the resource is loaded securely and that malicious actors are blocked from accessing it. Additionally, a web application firewall can be used to monitor traffic and block malicious requests.
This code snippet shows how to make an HTTP request to a sensitive resource. Without proper security measures in place, a malicious actor can make the same request and view the response.
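As an added example, not part of the original page, the following Python function gates an outbound HTTP fetch of a user-supplied URL: it enforces the HTTPS transport requirement discussed above and, in addition, allowlists the destination host and rejects IP literals in non-public ranges. The host names in `ALLOWED_HOSTS` are constructed placeholders.

```python
"""Gate outbound resource loads behind a scheme and host allowlist."""
import ipaddress
from urllib.parse import urlsplit

# Hosts this service may load resources from (constructed example values).
ALLOWED_HOSTS = {"cdn.example.com", "api.example.com"}


def is_public_address(host: str) -> bool:
    """Return False when host is an IP literal in a private, loopback, link-local,
    reserved, multicast or unspecified range. Plain hostnames return True; they
    are checked against the allowlist instead."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # not an IP literal
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return the URL if it is safe to fetch, otherwise raise ValueError.

    Checks, in order: scheme must be https, no embedded credentials, a host
    must be present, IP literals must be public, the host must be on the
    allowlist, and only the default HTTPS port is accepted.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("embedded credentials are not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError("missing host")
    if not is_public_address(host):
        raise ValueError(f"non-public address: {host}")
    if host not in allowed_hosts:
        raise ValueError(f"host not on allowlist: {host}")
    if parts.port not in (None, 443):
        raise ValueError(f"port not allowed: {parts.port}")
    return parts.geturl()


def safe_to_load(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept/reject wrapper for callers that do not need the reason."""
    try:
        validate_outbound_url(url, allowed_hosts)
        return True
    except ValueError:
        return False
```

Hostnames are not resolved here, so an allowlisted name that resolves to an internal address is not caught; resolve and re-check the address at connect time where that matters.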