Availability / Unreachable Resources Included
Description
Unreachable Resources Included is an Availability vulnerability class affecting web and API applications, as catalogued in the CWE directory. It occurs when an application includes resources, such as files, directories or other system components, that the application itself cannot access, whether because of incorrect configuration or incorrect authorization. As the OWASP Testing Guide describes, attackers can exploit such resources to gain unauthorized access to parts of the application or system.
Risk
This vulnerability can lead to several security issues, including unauthorized access to sensitive data, unauthorized modification of the application, or even full system compromise. A risk assessment should be performed and the security controls updated to mitigate the risk of this vulnerability.
Solution
The solution is to ensure that the application does not include any unreachable resources: review the application configuration and confirm that every resource it includes is correctly configured and correctly authorized.
Example
The following example shows how an attacker could exploit an unreachable resource vulnerability in a web application. The client sends the request:
GET /api/users HTTP/1.1
Host: example.com

and the server answers:

HTTP/1.1 200 OK
Content-Type: application/json

[
  {
    "username": "admin",
    "password": "/private/passwords.txt"
  }
]
In this example the application returns the path of a private file, which an attacker could use to gain access to that file.
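The two defender-side checks below are an added example, not code from the original page or from any referenced project. check_includes implements the Solution section's configuration review under the assumption that every included resource must resolve inside a single allowed root, exist and be readable by the application process; leaked_paths scans a JSON response body, such as the one above, for string values that look like filesystem paths, using a constructed regex heuristic.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Constructed sample: the response body shown on this page.
SAMPLE_RESPONSE = '[{"username": "admin", "password": "/private/passwords.txt"}]'
# Heuristic (an assumption): string values that look like absolute POSIX or Windows paths.
_PATH_RE = re.compile(r'^(?:/|[A-Za-z]:\\)[^\s"\']+$')

def check_includes(includes, allowed_root):
    """Return (resource, reason) for every include the application cannot safely reach."""
    root = Path(allowed_root).resolve()
    problems = []
    for res in includes:
        target = (root / res).resolve()  # an absolute res replaces root entirely
        if target != root and root not in target.parents:
            problems.append((res, "outside allowed root"))
        elif not target.exists():
            problems.append((res, "does not exist"))
        elif not os.access(target, os.R_OK):
            problems.append((res, "not readable by the application"))
    return problems

def leaked_paths(body):
    """Return every JSON string value in a response body that is a filesystem path."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
        elif isinstance(node, str) and _PATH_RE.match(node):
            found.append(node)

    walk(json.loads(body))
    return found

def demo_check_includes():
    """Validate a constructed include list against a throwaway resource root."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "public").mkdir()
        Path(tmp, "public", "logo.png").write_bytes(b"\x89PNG")
        return check_includes(["public/logo.png", "../etc/shadow", "public/missing.txt"], tmp)
```

URL-style values such as "/api/users" also match the path heuristic, so in a real response filter pair leaked_paths with an allow-list of expected route prefixes.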