[https://www.glassdoor.com] - Web Cache Deception Leads to gdtoken Disclosure
High
Glassdoor
Team Summary
Official summary from Glassdoor
A web cache deception issue was reported by @bombon. For the exploit to trigger, the victim must be logged in to Glassdoor and must also visit an attacker-controlled page that makes the victim hit the caching page, programmatically fetch the cached CSRF token (gdToken), and forge and send a request on the victim's behalf, leading to CSRF attacks. We have resolved this by eliminating the caching of the CSRF token. Thanks, @bombon, for the great find; we look forward to more findings from you.
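The root cause in the summary is a response that carries a per-user CSRF token yet is storable by a shared cache. The following audit, an added example that is not Glassdoor's code, classifies a response's Cache-Control headers by the shared-cache storability rules of RFC 9111 and flags any token-bearing response a CDN or proxy would be allowed to keep; the two sample responses are constructed, and only the field name gdToken comes from the report.

```python
# Added example (not Glassdoor's code): flag responses that carry a CSRF token
# but are still storable by a shared cache. Header rules follow RFC 9111 s.3;
# the sample responses below are constructed, not captured from Glassdoor.
import json
import re

def shared_cache_may_store(headers: dict) -> bool:
    """Return True if a shared (CDN/proxy) cache is allowed to store this response."""
    cc = headers.get("Cache-Control", "").lower()
    directives = {d.strip().split("=")[0] for d in cc.split(",") if d.strip()}
    if "no-store" in directives or "private" in directives:
        return False
    # Explicit freshness or a public marking makes the response storable.
    if directives & {"public", "s-maxage", "max-age"} or "Expires" in headers:
        return True
    # No explicit directives: shared caches may store a 200 response heuristically.
    return True

def finds_token(body: str, token_names=("gdtoken", "csrf_token", "_csrf")) -> bool:
    """Detect a CSRF token field in a JSON object or an HTML form body."""
    try:
        doc = json.loads(body)
        if isinstance(doc, dict):
            return any(k.lower() in token_names for k in doc)
    except ValueError:
        pass
    return bool(re.search(r'name="(%s)"' % "|".join(token_names), body, re.I))

def audit_response(headers: dict, body: str) -> str:
    """'VULNERABLE' if a token-bearing response is shared-cacheable, else 'OK'."""
    if finds_token(body) and shared_cache_may_store(headers):
        return "VULNERABLE"
    return "OK"

# Constructed samples: the first models the reported issue, the second the fix
# (no caching of the token response).
VULNERABLE_RESPONSE = (
    {"Content-Type": "application/json", "Cache-Control": "public, max-age=3600"},
    '{"gdToken": "EXAMPLE_TOKEN_PLACEHOLDER", "userId": 42}',
)
FIXED_RESPONSE = (
    {"Content-Type": "application/json", "Cache-Control": "private, no-store"},
    '{"gdToken": "EXAMPLE_TOKEN_PLACEHOLDER", "userId": 42}',
)

if __name__ == "__main__":
    for name, (h, b) in [("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)]:
        print(name, audit_response(h, b))
```

Run the audit over real responses from a staging crawl to confirm that every endpoint returning a session-bound token answers with `Cache-Control: private, no-store`.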
Reported by
bombon
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Information Disclosure