Cache Deception Without Path Confusion

We discussed this vulnerability during Episode 245 on 26 February 2024

Just another caching issue, this time we’ve got a GraphQL API that is being used to serve some static files/content. The requests that are meant to be cached include a reqIdentifier parameter in the URL, and that parameter alone acts as the cache key. So an attacker can craft a GraphQL query that returns user information for whoever is authenticated, include their chosen reqIdentifier parameter, and get the victim to visit that URL; the victim’s authenticated response is then cached under that key, and the attacker can request the same reqIdentifier to read it back.
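The mechanics above, as an added example that is not code from the podcast or from the affected application: a toy cache sitting in front of a GraphQL origin, first with the weak policy (cache key is just the reqIdentifier parameter, nothing about the session is considered) and then with a safer one (the origin marks session-dependent responses private/no-store and the cache refuses to store anything for a request that carries a session cookie). The session table, cookie values, user record and the reqIdentifier value are all constructed for the demo.

```python
"""Toy edge cache in front of a GraphQL endpoint (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit, parse_qs

# Constructed session table: cookie value -> user record the API returns for "me".
SESSIONS = {"sess-victim": {"name": "victim", "email": "victim@example.invalid"}}


@dataclass
class Request:
    url: str                      # path + query as seen by the cache
    cookie: Optional[str] = None  # session cookie, None for an anonymous client


@dataclass
class Response:
    status: int
    body: dict
    headers: Dict[str, str] = field(default_factory=dict)


def graphql_origin(req: Request) -> Response:
    """Origin behaviour: same query and same reqIdentifier, but the answer
    depends entirely on who is logged in. A careful origin also labels such
    responses so intermediaries know not to store them."""
    user = SESSIONS.get(req.cookie)
    if user is None:
        return Response(401, {"errors": ["unauthenticated"]})
    return Response(200, {"data": {"me": user}},
                    headers={"Cache-Control": "private, no-store"})


def naive_key(req: Request, resp: Optional[Response]) -> Optional[str]:
    """Weak policy: the cache key is only the reqIdentifier query parameter.
    Session state and origin cache headers are ignored."""
    qs = parse_qs(urlsplit(req.url).query)
    return qs.get("reqIdentifier", [""])[0]


def hardened_key(req: Request, resp: Optional[Response]) -> Optional[str]:
    """Safer policy (returns None = do not cache / do not look up):
    - never touch the cache for a request that carries a session cookie;
    - honour the origin's private/no-store directive;
    - key anonymous, cacheable responses on the full path and query string,
      not on one attacker-controlled parameter."""
    if req.cookie is not None:
        return None
    if resp is not None:
        cc = resp.headers.get("Cache-Control", "").lower()
        if "no-store" in cc or "private" in cc:
            return None
    parts = urlsplit(req.url)
    return parts.path + "?" + parts.query


class Cache:
    """Minimal store: key_fn decides the key before lookup and again after the
    origin responds (so it can see the response headers)."""

    def __init__(self, key_fn: Callable[[Request, Optional[Response]], Optional[str]]):
        self.key_fn = key_fn
        self.store: Dict[str, Response] = {}

    def fetch(self, req: Request) -> Response:
        key = self.key_fn(req, None)
        if key is not None and key in self.store:
            return self.store[key]           # served from cache, origin not consulted
        resp = graphql_origin(req)
        key = self.key_fn(req, resp)
        if key is not None and resp.status == 200:
            self.store[key] = resp
        return resp


def run_scenario(key_fn) -> dict:
    """The sequence from the episode: the victim's browser loads the URL while
    logged in, then an anonymous client asks for the same reqIdentifier.
    Returns the body the anonymous client receives."""
    cache = Cache(key_fn)
    url = "/graphql?query=%7Bme%7Bname%20email%7D%7D&reqIdentifier=abc123"
    cache.fetch(Request(url, cookie="sess-victim"))  # victim's authenticated visit
    return cache.fetch(Request(url)).body             # anonymous client, no cookie


if __name__ == "__main__":
    print("naive    :", run_scenario(naive_key))     # victim's data comes back
    print("hardened :", run_scenario(hardened_key))  # 401 body, nothing leaked
```

The detection angle follows from the same model: any cache hit whose stored response was produced for a request that carried credentials is a finding, so logging the presence of a session cookie alongside each cache store decision makes this class of bug visible in traffic review.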