Challenge 36 of 66

Entity Expander

🟠 Hard · Injection · +100 XP

An XML parser accepts user input without disabling external entities. Inject an XXE payload to read /etc/flag from the server.

Define an external entity that references file:///etc/flag, then use it in the XML body.
