quick cheat sheet : https://www.gracefulsecurity.com/xxe-cheatsheet/
java : https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
get hash with XXE : https://medium.com/@canavaroxum/xxe-on-windows-system-then-what-76d571d66745
prevent : https://www.linuxsecrets.com/owasp-wiki/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet.html#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J jaxb : https://stackoverflow.com/questions/12977299/prevent-xxe-attack-with-jaxb, https://github.com/mbechler/marshalsec
https://securitycafe.ro/2017/11/03/tricking-java-serialization-for-a-treat/
https://2013.appsecusa.org/2013/wp-content/uploads/2013/12/WhatYouDidntKnowAboutXXEAttacks.pdf
Evasion : https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
A real xml tutorial : https://riptutorial.com/xml/example/12825/external-parsed-entities
https://phonexicum.github.io/infosec/xxe.html
https://gist.github.com/zeropwn/59f17727dfaba239b0ace6f33b752974
https://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/ https://web-in-security.blogspot.com/2014/11/detecting-and-exploiting-xxe-in-saml.html
https://www.liquid-technologies.com/XML/DocType.aspx
https://www.xml.com/pub/a/2002/07/31/xinclude.html
https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/
ftp server : https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/python/xxe-server.py
https://securityonline.info/xxer/ https://github.com/TheTwitchy/xxer/blob/master/xxer.py https://info.ninadmathpati.com/resources/web-app-pentest/xxe
jar:// : https://docs.oracle.com/javase/8/docs/api/java/net/JarURLConnection.html