Resources

What is XXE (XML external entity) injection? Tutorial & Examples | Web Security AcademyWebSecAcademy

XML External Entity (XXE) Processing | OWASP Foundationowasp.org

XML External Entity Prevention - OWASP Cheat Sheet Seriescheatsheetseries.owasp.org

XXE - XEE - XML External Entity - HackTricksbook.hacktricks.xyz

A Deep Dive into XXE InjectionSynack

Forcing XXE Reflection through Server Error MessagesNetSPI

• OWASP XML External Entity (XXE) Prevention Cheat Sheet

• Timothy Morgan’s 2014 Paper: XML Schema, DTD, and Entity Attacks - A Compendium of Known Techniques

• Precursor presentation of above paper - at OWASP AppSec USA 2013

• CWE-611: Information Exposure Through XML External Entity Reference

• CWE-827: Improper Control of Document Type Definition

• Sascha Herzog’s Presentation on XML External Entity Attacks - at OWASP AppSec Germany 2010

• PostgreSQL XXE vulnerability

• SharePoint and DotNetNuke XXE Vulnerabilities, in French

• XML Denial of Service Attacks and Defenses (in .NET)

• Early (2002) BugTraq Article on XXE

• http://www.synacktiv.fr/ressources/synacktiv_drupal_xxe_services.pdf