Microsoft

How can we improve Content Moderator?

Security Issue - SSL Cookie Without Secure Flag Set & Cross Site Scripting (XSS)

There are a few concerns for which we need a justification or, if applicable, a fix to resolve the issue. We contacted the support team and they suggested mentioning the issue in this form as well for PG tracking. Here is the response I got from the support team:

"Issue 1:
The cookie we see below is an affinity cookie being dropped by Azure Websites infra for more efficient routing. Having said that, the Review API itself is stateless and does not have any user sessions. We will plan to get this rectified in our next release.

Issue 2:
We will create a backlog item to address this; this will require us to stop returning user-submitted URLs in the response."

Can you have a look at the issues below and provide a justification/resolution for each:

1. SSL Cookie Without Secure Flag Set
a. Cognitive services:
i. Content Moderator - https://westus.api.cognitive.microsoft.com/contentmoderator/review/v1.0
ii. Bing Image Search - https://imagesearch-v7-east-staging.cosmos.ai/bing/v7.0/images

b. Test Data
The application is not setting the Secure attribute on the session cookie it sends.
POST /contentmoderator/review/v1.0/teams/staginggroup/jobs?ContentType=Image&ContentId=&WorkflowName=stagingworkflow HTTP/1.1
Content-Length: 94
User-Agent: Apache-HttpClient/4.5.2 (Java/1.8.0_162)
Host: apim-staging-api.cosmos.ai
Connection: close
Content-Type: application/json
Ocp-Apim-Subscription-Key: 1731c62b50904712a6257524553258b4

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 50
Content-Type: application/json; charset=utf-8
Expires: -1
apim-request-id: ec53d50a-ce2b-469e-b8ce-67bb1046699c
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
Set-Cookie: ARRAffinity=dc25d04f2a8abc60d2bb1be44906a7c85a9b1295a853f48934ce009dbb34616d;Path=/;HttpOnly;Domain=reviewservice.azurewebsites.net
X-AspNet-Version: 4.0.30319

2. Cross Site Scripting (XSS)
a. Cognitive services:
i. Content Moderator -
https://westus.api.cognitive.microsoft.com/contentmoderator/lists/v1.0
https://westus.api.cognitive.microsoft.com/contentmoderator/moderate/v1.0
https://westus.api.cognitive.microsoft.com/contentmoderator/review/v1.0
ii. Bing Image Search -
https://api.cognitive.microsoft.com/bing/v7.0/images
b. Test Data:
The application is not sanitizing special characters and reflects them back to the client browser. This vulnerability might get executed if the response is utilized by an HTML page.
POST /contentmoderator/lists/v1.0/imagelists/294954/images HTTP/1.1
Content-Length: 117
User-Agent: Apache-HttpClient/4.5.2 (Java/1.8.0_162)
Host: apim-staging-api.cosmos.ai
Connection: close
Content-Type: application/json
Ocp-Apim-Subscription-Key: c5f45503bf7c4f09bc4a4fba91f69930

{
"DataRepresentation":"URL",
"Value":"https:\/\/moderatorsampleimages.blob.core.windows.net\/samples\/img_300.jpgpmmag<script>alert(1)<\/script>qg94v"
}

HTTP/1.1 400 Bad Request
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 260
Content-Type: application/json; charset=utf-8
Expires: -1
apim-request-id: 1bd336aa-02d3-4845-94b5-2dd22716f0bc
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 27 Jun 2018 18:51:17 GMT
Connection: close

{"Message":"Error","TrackingId":null,"Errors":[{"Title":"ImageDownloadError.","Message":"Could not download image from url: https://moderatorsampleimages.blob.core.windows.net/samples/img_300.jpgpmmag<script>alert(1)</script>qg94v: Response Code: NotFound "}]}

JATIN SHARMA shared this idea

    0 comments
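The two findings in the post, re-checked with a small audit script. This is an added example, not code from the reporter or from Microsoft; the sample responses are constructed from the captures above (cookie value shortened, headers trimmed), and the HTML response and the host `example.invalid` are hypothetical. It shows the two checks a reviewer would want before triaging: whether the HSTS header in the capture actually covers the cookie's domain (it does not, because HSTS binds to the responding host and `Domain=reviewservice.azurewebsites.net` is not that host or one of its subdomains), and whether a browser would render the reflected `<script>` (not from an `application/json` body sent with `nosniff`; only if some HTML page embeds the error message without encoding it).

```python
"""Audit helper added as an example (not code from the post or from Microsoft).
Re-checks the two findings above against raw HTTP response captures: Set-Cookie
without Secure/HttpOnly (and whether the responder's HSTS policy covers the
cookie's domain), and request input echoed unencoded into the body, classified
by whether a browser would render that body as HTML. Sample responses are
constructed from the post's captures (cookie value shortened, headers trimmed);
the HTML response is hypothetical.
"""
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, List[str]]

def parse_response(raw: str) -> Tuple[int, Headers, str]:
    """Split a raw HTTP/1.1 response into status code, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, *header_lines = head.split("\n")
    headers: Headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(status_line.split()[1]), headers, body

def hsts_covers(headers: Headers, host: str, cookie_domain: Optional[str]) -> bool:
    """HSTS binds to the host that sent it (plus subdomains if includeSubDomains),
    so a cookie scoped to an unrelated domain gets no protection from it."""
    policy = headers.get("strict-transport-security")
    if not policy:
        return False
    include_sub = "includesubdomains" in policy[0].lower()
    target = (cookie_domain or host).lstrip(".").lower()
    host = host.lower()
    return target == host or (include_sub and target.endswith("." + host))

def check_cookies(headers: Headers, host: str) -> List[dict]:
    """Report every Set-Cookie that lacks the Secure or HttpOnly attribute."""
    findings = []
    for cookie in headers.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {}
        for part in parts[1:]:
            key, _, value = part.partition("=")
            attrs[key.lower()] = value
        findings.append({
            "cookie": name,
            "missing": [f for f in ("secure", "httponly") if f not in attrs],
            "hsts_covers_cookie": hsts_covers(headers, host, attrs.get("domain")),
        })
    return findings

def check_reflection(payload: str, headers: Headers, body: str) -> Optional[dict]:
    """If `payload` comes back unencoded, say whether a browser would render it."""
    if payload not in body:
        return None
    ctype = headers.get("content-type", [""])[0].split(";")[0].strip().lower()
    nosniff = any(v.lower() == "nosniff"
                  for v in headers.get("x-content-type-options", []))
    # A JSON body served with nosniff is never interpreted as HTML; the
    # reflection only becomes XSS if some page inserts the text into HTML
    # without encoding it.
    renderable = (ctype in ("text/html", "application/xhtml+xml")
                  or (ctype == "" and not nosniff))
    return {"content_type": ctype, "nosniff": nosniff,
            "browser_renderable": renderable}

def audit(raw: str, host: str, payload: str) -> dict:
    _, headers, body = parse_response(raw)
    return {"cookies": check_cookies(headers, host),
            "reflection": check_reflection(payload, headers, body)}

# Constructed from the post's first capture (cookie value shortened).
COOKIE_RESPONSE = (
    "HTTP/1.1 200 OK\n"
    "Content-Type: application/json; charset=utf-8\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\n"
    "x-content-type-options: nosniff\n"
    "Set-Cookie: ARRAffinity=dc25d04f2a8abc60;Path=/;HttpOnly;"
    "Domain=reviewservice.azurewebsites.net\n"
    "\n{}\n"
)
PAYLOAD = "pmmag<script>alert(1)</script>qg94v"
# Constructed from the post's second capture.
XSS_RESPONSE = (
    "HTTP/1.1 400 Bad Request\n"
    "Content-Type: application/json; charset=utf-8\n"
    "x-content-type-options: nosniff\n\n"
    '{"Message":"Error","Errors":[{"Title":"ImageDownloadError.","Message":'
    '"Could not download image from url: https://moderatorsampleimages.blob.'
    'core.windows.net/samples/img_300.jpg' + PAYLOAD + ': Response Code: NotFound "}]}'
)
# Hypothetical HTML page that embeds the same error text without encoding it.
HTML_RESPONSE = ("HTTP/1.1 200 OK\nContent-Type: text/html\n\n"
                 "<p>Could not download image: img_300.jpg" + PAYLOAD + "</p>")

if __name__ == "__main__":
    print(audit(COOKIE_RESPONSE, "apim-staging-api.cosmos.ai", PAYLOAD))
    print(audit(XSS_RESPONSE, "apim-staging-api.cosmos.ai", PAYLOAD))
    print(audit(HTML_RESPONSE, "example.invalid", PAYLOAD))
```

Run it against a real capture by pasting the raw response into `audit()` with the `Host` you sent the request to. The `hsts_covers_cookie` field is the part most scanners omit: a Secure-less cookie on a host with a preloaded HSTS policy is largely moot, but here the cookie is scoped to a different domain, so the HSTS header on the API response says nothing about it.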

    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      Signed in as (Sign out)
      Submitting...

      Feedback and Knowledge Base