Out of Band (Command Injection)
- PCI 3.2-6.5.1
- CWE 918
- OWASP 2017-A10
Out-of-Band (OOB) vulnerabilities occur when an attacker can trigger actions in the application that result in network or server interactions outside the normal request/response flow. Unlike in-band attacks (where the attacker sees immediate results), out-of-band vulnerabilities rely on the application making secondary requests to attacker-controlled infrastructure or external systems. This technique is commonly used to exploit blind injection scenarios such as Blind SQL Injection, Blind Command Injection, or Blind Server-Side Request Forgery (SSRF), where feedback is not immediately returned to the attacker via the application's response.
Examples and vectors:
- Blind SQL Injection OOB: Injected payloads cause the database server to initiate a DNS or HTTP request to an attacker-controlled server, revealing information indirectly.
- Blind Command Injection OOB: Application executes system commands that reach external servers or trigger outbound network connections.
- SSRF: Attacker submits URLs or parameters that make the server fetch remote resources, potentially exfiltrating internal data or contacting internal network services.
- Blind XXE OOB: Malformed XML triggers the server to send a request (e.g., DNS, HTTP) to an external endpoint controlled by the attacker.
Why it happens:
- Applications process untrusted input without proper sanitization or validation.
- Servers or back-end systems have the capability to initiate network connections or execute commands.
- Lack of monitoring and outbound request controls allows OOB payloads to go undetected.
Impacts:
- Data Exfiltration: Sensitive information can be sent to attacker-controlled servers.
- Network Reconnaissance: Attackers can map internal networks or cloud services indirectly.
- Remote Code Execution: When OOB interactions allow commands to be executed on the server.
- Blind Exploitation: Attackers can exploit vulnerabilities even without immediate feedback from the application.
Detection indicators:
- Outbound network traffic to unusual or unexpected external hosts.
- DNS, HTTP, or SMTP requests triggered by application behavior.
- Security scans identifying parameters that generate out-of-band interactions.
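As an added illustration of the indicators above (example code, not part of the original page), the following analyser flags two of them in outbound traffic logs: a destination the application is not expected to contact, and a long, high-entropy leftmost DNS label, the shape exfiltrated data takes when it leaves as a subdomain lookup. The log format, the host names and the allowlist EXPECTED_HOSTS are all constructed for the example.

```python
"""Added example, not part of the original page: flag out-of-band (OOB)
indicators in outbound traffic logs from an application server.

Assumptions (constructed for this example): each log line is
"<timestamp> <proto> <destination-host>", recorded at the egress point, and
the application legitimately contacts only the hosts in EXPECTED_HOSTS."""
import math
from collections import Counter

# Assumed egress allowlist: every legitimate destination for this application.
EXPECTED_HOSTS = {
    "api.payments.example",
    "db.internal.example",
    "smtp.internal.example",
}

# Constructed sample log lines (all host names are placeholders).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z HTTP api.payments.example
2024-05-01T10:00:02Z DNS db.internal.example
2024-05-01T10:00:03Z DNS 7f2a9c1e4b6d.callback.example
2024-05-01T10:00:04Z HTTP updates.vendor.example
2024-05-01T10:00:05Z SMTP smtp.internal.example
"""

# Thresholds for the "encoded data in a DNS label" heuristic (tunable).
MIN_SUSPECT_LABEL_LEN = 12
MIN_SUSPECT_ENTROPY = 3.0   # bits per character


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; 0.0 for an empty label."""
    if not label:
        return 0.0
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in Counter(label).values())


def parse_line(line: str) -> dict:
    """Split one constructed log line into its three fields."""
    ts, proto, host = line.split()
    return {"ts": ts, "proto": proto.upper(), "host": host.lower().rstrip(".")}


def analyse(log_text: str) -> list:
    """Return one alert per log line that shows an OOB indicator."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        reasons = []
        # Indicator 1: traffic to a host the application is not expected to contact.
        if ev["host"] not in EXPECTED_HOSTS:
            reasons.append("destination not on allowlist")
        # Indicator 2: a long, high-entropy leftmost DNS label, the shape that
        # exfiltrated data takes when it is smuggled out as a subdomain lookup.
        leftmost = ev["host"].split(".")[0]
        if (len(leftmost) >= MIN_SUSPECT_LABEL_LEN
                and label_entropy(leftmost) >= MIN_SUSPECT_ENTROPY):
            reasons.append("high-entropy leftmost label")
        if reasons:
            alerts.append({**ev, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f'{a["ts"]} {a["proto"]:<4} {a["host"]}: {"; ".join(a["reasons"])}')
```

On the constructed sample, the callback lookup trips both checks and the unexpected HTTP destination trips the allowlist check only; the entropy thresholds are a starting point and should be tuned against the application's real traffic so that legitimate CDN or cloud host names do not alert.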
Remediation
Mitigation focuses on input validation, network segmentation, and monitoring:
- Validate and Sanitize Input: Block or properly encode input that may trigger OOB interactions.
- Limit Outbound Requests: Restrict server capabilities to initiate external network connections unless required. Use network allowlists where possible.
- Use Parameterized Queries and Safe APIs: Prevent SQL, command, or XML injection that can result in OOB behavior.
- Monitor Outbound Traffic: Detect unusual DNS, HTTP, or SMTP requests from the application to identify attempted OOB attacks.
- Harden Server Configuration: Disable unnecessary services and limit system commands that can be invoked by the application.
- Implement Logging and Alerting: Log attempts to reach external servers and configure alerts for anomalous behavior.
- Security Testing: Include blind and out-of-band injection testing in penetration tests and automated scanning.
- Network Segmentation: Isolate sensitive internal resources to reduce the impact of potential OOB attacks.
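The three application-level items above (validate input, use safe APIs, limit outbound requests) are shown together in the following added example, which is not code from the original page. It contrasts a string-built shell command with an argv-list invocation behind a strict hostname check, and adds an egress allowlist for server-side URL fetches. The diagnostics-ping scenario, the host names and the allowlist ALLOWED_FETCH_HOSTS are assumptions made for the example.

```python
"""Added example, not part of the original page: hardened replacements for the
command-building and URL-fetching patterns behind blind command injection and
SSRF.

Assumed scenario (constructed): a diagnostics endpoint pings an operator-
supplied hostname, and a report feature fetches a URL on the server's behalf.
Hostnames and URLs below are placeholders."""
import re
import subprocess
from typing import List
from urllib.parse import urlparse


# Unsafe pattern, shown for contrast only: untrusted input is interpolated into
# a string that a shell will parse, so shell metacharacters alter the command.
def build_ping_unsafe(host: str) -> str:
    return f"ping -c 1 {host}"          # later run with shell=True: injectable


# Hardened: a strict hostname syntax check (RFC 1123 shape, no leading "-",
# so the value can never be read as an option), then an argv list, no shell.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def validate_hostname(host: str) -> str:
    """Return the hostname if it is syntactically valid, else raise ValueError."""
    host = host.strip().rstrip(".")
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname")
    return host


def build_ping_argv(host: str) -> List[str]:
    # Each element is exactly one argument; nothing is parsed by a shell.
    return ["ping", "-c", "1", validate_hostname(host)]


def run_ping(host: str) -> subprocess.CompletedProcess:
    # shell=False (the default) plus a fixed argv: no command injection path.
    return subprocess.run(build_ping_argv(host), capture_output=True,
                          text=True, timeout=5, check=False)


# Egress control for server-side fetches: scheme check plus destination allowlist.
ALLOWED_FETCH_HOSTS = {"reports.partner.example"}   # assumed allowlist


def check_fetch_url(url: str) -> str:
    """Return the destination host if the URL may be fetched, else raise ValueError."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_FETCH_HOSTS:
        raise ValueError("destination not on egress allowlist")
    return host


def is_rejected(validator, value: str) -> bool:
    """True if the validator refuses the value with ValueError."""
    try:
        validator(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_ping_argv("example.com"))
    print(is_rejected(build_ping_argv, "example.com; ls"))
    print(check_fetch_url("https://reports.partner.example/q1"))
```

The hostname allowlist for fetches is checked on the URL as submitted; a complete implementation re-checks the resolved address at connection time (DNS answers can change between validation and use) and keeps the network-level egress filter from the list above as the backstop for anything the application layer misses.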