Lab: Exploiting XXE via image file upload


This lab lets users attach avatars to comments and uses the Apache Batik library to process avatar image files.

To solve the lab, upload an image that displays the contents of the /etc/hostname file after processing. Then use the "Submit solution" button to submit the value of the server hostname.
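A server-side gate for this kind of upload path, as an added example that is not the lab's or Batik's own code: it assumes avatars arrive as SVG (the XML-based format Batik renders) and rejects any file carrying a DTD before it reaches the renderer. The names `check_svg_upload`, `is_safe` and `UnsafeImageError` are hypothetical, and the sample files are constructed.

```python
import xml.parsers.expat


class UnsafeImageError(ValueError):
    """The upload must not be handed to the image renderer."""


def check_svg_upload(data: bytes, max_bytes: int = 256 * 1024) -> None:
    """Raise UnsafeImageError unless data is well-formed XML with no DTD."""
    if len(data) > max_bytes:
        raise UnsafeImageError("upload too large")

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeImageError("DOCTYPE declarations are not allowed")

    def reject_entity(*_args):
        raise UnsafeImageError("entity declarations are not allowed")

    parser = xml.parsers.expat.ParserCreate()
    # Fires as soon as "<!DOCTYPE" is parsed, before any entity is defined.
    parser.StartDoctypeDeclHandler = reject_doctype
    # Second line of defence in case a declaration is reached another way.
    parser.EntityDeclHandler = reject_entity
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeImageError(f"not well-formed XML: {exc}") from exc


def is_safe(data: bytes, max_bytes: int = 256 * 1024) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        check_svg_upload(data, max_bytes)
    except UnsafeImageError:
        return False
    return True


# Constructed sample uploads (not taken from the lab).
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32">'
             b'<circle cx="16" cy="16" r="12"/></svg>')
INTERNAL_DTD_SVG = (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY label "avatar">]>'
                    b'<svg xmlns="http://www.w3.org/2000/svg"><text>&label;</text></svg>')
PUBLIC_DTD_SVG = (b'<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" '
                  b'"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">'
                  b'<svg xmlns="http://www.w3.org/2000/svg"/>')
```

The policy is deliberately strict, so files that carry the standard SVG 1.1 DOCTYPE are rejected and need re-exporting without it. The renderer's own XML parser should still be configured not to resolve external entities, since a pre-filter and the renderer can disagree on how they read the same bytes.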