Hacking Tutorials Web Applications Hacking

Hacking Photopea : SSRF is the new XSS

You know what’s more complex than X-Men timeline? This write up series. The previous article that I wrote about hacking Fotor happened at last, events discussed in this article happened after I pwned Pixlr which I will be going to post at last as a grand finale.

So I opened Photopea and clicked on the import from URL option, started monitoring the requests and entered URL of an image

ssrf to xss

I found out that the following endpoint is being used to load the image:


So the first thing I did was to check if it can load any other stuff then images.
I entered https://teamultimate.in in the url parameter and it got loaded.

rfi vs ssrf
Rule #69 If the web app includes and evaluates some arbitrary external resource provided by the user its RFI, otherwise its not.

So just for the sake of a quick test, I tried including http://somdev.me/rfi.txt but it didn’t get evaluated i.e. web app treated it like a text file.
Alright, what’s next? SSRF!
I tried to read the local files, cloud metadata and stuff but none of them worked. The only thing I had in hand was the ability to load pages being served over HTTP(S).

So I tried including my xss.html and it worked!


get location with xss

That’s all for now. Keep Learning! Keep Hacking!

Also Read: Salting And Salted Hashes Explained

About the author


I am Somdev Sangwan also known as D3V. I am n00b and I love computers and hacking. I am a python freak and your friendly neighborhood hacker.

Add Comment

Click here to post a comment

Subscribe Now

Subscribe for free and get latest articles delivered right into your inbox.

Thank you for subscribing.

Something went wrong.