Web Cache Poisoning leads to XSS and DoS
Team Summary
Official summary from Glassdoor
@nokline and @bombon were able to utilize URL parser confusion in combination with reflected XSS under https://glassdoor.com/Job/ and https://glassdoor.com/mz-survey/interview/collectQuestions_input.htm/, caching XSS payloads supplied via cookie and header parameters into a stored XSS on the /Award/* and /List/* endpoints. The above combination allowed the self-reflected XSS to be converted into a stored XSS that was cached at a local CDN for approximately 10 minutes. To affect all users, the researchers noted that they could theoretically target all CDNs and loop every 10 minutes to keep the cache loaded with the stored XSS. We resolved the above by: 1. Fixing the XSS by handling the output encoding appropriately. 2. Tightening the caching rules to be stricter on the /Awards/ and /List/ endpoints. Given the tricky nature of this finding, we are grateful that the researchers were cooperative and helped us all the way through the investigation. Thanks once again; we look forward to more findings from you.
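The mechanism the summary describes, modelled as an added example that is not part of the report and not Glassdoor's code: a CDN keys its cache on method, host and path only, while the origin reflects an input the cache does not key on (here a hypothetical `lang` cookie; the real report does not name the cookie or header). One attacker request with a payload in that cookie is stored for the TTL and served to every later visitor of the same URL, which is how a self-only reflected XSS turns into a stored one. The hardened origin shows both fixes from the summary: HTML output encoding and a stricter cache rule (`no-store` on the affected path). The host, path, cookie name, payload and 600-second TTL are all assumptions.

```javascript
// Added example (not from the report): toy CDN + origin showing how an unkeyed
// input turns reflected XSS into cache-poisoned "stored" XSS, and the two fixes.

const TEN_MINUTES_MS = 10 * 60 * 1000; // matches the ~10 min cache window in the summary

// Hypothetical vulnerable origin: reflects a cookie value into HTML without encoding
// and lets shared caches store the page for 600 seconds.
function vulnerableOrigin(req) {
  const lang = req.cookies.lang || 'en';
  return {
    status: 200,
    headers: { 'content-type': 'text/html', 'cache-control': 'public, max-age=600' },
    body: `<html lang="${lang}"><body>Awards</body></html>`,
  };
}

// Minimal HTML output encoding for an attribute/text context.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened origin: fix 1 (output encoding) plus fix 2 (do not let caches store
// a response that depends on per-request, unkeyed input).
function hardenedOrigin(req) {
  const lang = htmlEncode(req.cookies.lang || 'en');
  return {
    status: 200,
    headers: { 'content-type': 'text/html', 'cache-control': 'no-store' },
    body: `<html lang="${lang}"><body>Awards</body></html>`,
  };
}

// Cache-Control parsing: no-store wins; otherwise max-age in seconds, else 0.
function parseMaxAge(cc) {
  if (!cc || /no-store/i.test(cc)) return 0;
  const m = /max-age=(\d+)/i.exec(cc);
  return m ? Number(m[1]) : 0;
}

// Toy CDN: the cache key deliberately ignores cookies and headers (the unkeyed inputs).
class Cdn {
  constructor(origin, now = () => Date.now()) {
    this.origin = origin;
    this.now = now;
    this.store = new Map();
  }
  cacheKey(req) {
    return `${req.method} ${req.host}${req.path}`;
  }
  fetch(req) {
    const key = this.cacheKey(req);
    const hit = this.store.get(key);
    if (hit && hit.expires > this.now()) return { ...hit.res, cached: true };
    const res = this.origin(req);
    const ttl = parseMaxAge(res.headers['cache-control']);
    if (ttl > 0) this.store.set(key, { res, expires: this.now() + ttl * 1000 });
    return { ...res, cached: false };
  }
}

// Constructed request for a hypothetical /Award/ page behind the CDN.
function makeReq(cookies = {}) {
  return { method: 'GET', host: 'example.invalid', path: '/Award/2020', cookies };
}

// Attacker poisons once, a victim with no cookie is served next, then the TTL lapses.
function demonstrate(origin) {
  let clock = 0;
  const cdn = new Cdn(origin, () => clock);
  const payload = '"><script>alert(document.domain)</script>';
  const attacker = cdn.fetch(makeReq({ lang: payload }));
  const victim = cdn.fetch(makeReq());
  clock += TEN_MINUTES_MS + 1;
  const later = cdn.fetch(makeReq());
  return {
    attackerReflected: attacker.body.includes('<script>'),
    victimPoisoned: victim.cached && victim.body.includes('<script>'),
    expiredAfterTtl: later.cached === false,
  };
}

console.log('vulnerable:', demonstrate(vulnerableOrigin));
console.log('hardened:  ', demonstrate(hardenedOrigin));
```

With `vulnerableOrigin` the victim receives the payload from cache and the entry only drops out after the TTL, which is exactly why the researchers could keep the cache loaded by re-sending the request every 10 minutes. With `hardenedOrigin` the payload is encoded and nothing is stored. An equivalent cache-side fix, when a response legitimately depends on a cookie or header, is to add that input to the cache key (for example via `Vary`) so one user's request can never populate another user's entry.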
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Cross-site Scripting (XSS) - Stored