Issue:

The bulk upload XXE vulnerability has not been fixed.

Test 1: Web Server Not Fixed

Try uploading a file with a XXE to locate a web server. Example: http://xxe-nginx:4002. You can find an example of this payload in the lesson text.


Test 2: Secrets File Not Fixed

Try uploading a file with a XXE to secret files from the server. Example: file:///etc/passwd. You can find an example of this payload in the lesson text.

Did this answer your question?