1. Web Security Academy
  2. XXE injection
  3. Lab

Lab: Exploiting XXE via image file upload

This lab lets users attach avatars to comments and uses the Apache Batik library to process avatar image files.

To solve the lab, upload an image that displays the contents of the /etc/hostname file after processing. Then use the "Submit solution" button to submit the value of the server hostname.


The SVG image format uses XML.

Want to track your progress and have a more personalized learning experience? (It's free!)

Sign up Login