Comprehensive educational resource for XML External Entity (XXE) vulnerabilities
A production-ready, static site providing in-depth guides, code examples, and an interactive payload generator for understanding, testing, and preventing XXE injection attacks.
Live Site: xxe.page (if deployed)
XXE.page is a comprehensive educational platform covering all aspects of XML External Entity vulnerabilities, from fundamental concepts to advanced exploitation techniques and prevention strategies across multiple programming languages and frameworks.
- 27 Comprehensive Guides organized into 7 categories
- Interactive Payload Generator with 6 payload types
- Language-Specific Prevention for Java, .NET, PHP, Python, Node.js, Ruby, and Go
- Real-World Code Examples (vulnerable and secure implementations)
- Testing Methodology with tools and techniques
- Dark Mode Support with responsive design
- Syntax Highlighting for all code examples
- Static Site Generation for fast, secure deployment
- XML & DTD Basics
- Entity Processing
- Classic XXE
- Blind XXE
- Parameter Entities
- File Upload XXE
- File Disclosure
- Server-Side Request Forgery (SSRF)
- Denial of Service (Billion Laughs)
- RCE Escalation
- SOAP Services
- SAML Authentication
- JSON-to-XML Converters
- SVG Processors
- Document Parsers (DOCX, XLSX, etc.)
- Java (JAX-WS, JAXB, DOM, SAX)
- .NET (XmlReader, XDocument, WCF)
- PHP (libxml, SimpleXML, DOMDocument)
- Python (lxml, xml.etree, defusedxml)
- Node.js (libxmljs, fast-xml-parser)
- Ruby (Nokogiri, REXML, Ox)
- Go (encoding/xml, etree)
- Testing Methodology
- Payload Design
- Testing Tools
- Secure Patterns
- Defense-in-Depth Strategy
- Node.js 20.9.0 or later
- npm 10.1.0 or later
```bash
# Clone the repository
git clone https://github.com/Wh1t3Fox/xxe.page.git
cd xxe.page

# Install dependencies
npm install

# Start development server
npm run dev
```

Visit http://localhost:3000 to view the site.

```bash
# Build static site
npm run build

# Serve production build
npm start
```

The static site will be generated in the `out/` directory.
```
xxe.page/
├── components/             # React components
│   ├── CodeBlock.js        # Syntax-highlighted code display
│   ├── CodeComparison.js   # Side-by-side vulnerable/secure code
│   ├── Layout.js           # Page layout wrapper
│   ├── Navigation.js       # Top navigation bar
│   ├── Sidebar.js          # Collapsible guide navigation
│   ├── SeverityBadge.js    # CVSS severity indicators
│   └── TabbedCode.js       # Multi-language code tabs
│
├── data/
│   ├── guides/             # 27 comprehensive guide JSON files
│   │   ├── xml-basics.json
│   │   ├── classic-xxe.json
│   │   ├── java-prevention.json
│   │   └── ...
│   └── navigation.json     # Site navigation structure
│
├── lib/
│   └── guideLoader.js      # Guide data loading utilities
│
├── pages/
│   ├── _app.js             # Next.js app wrapper
│   ├── index.js            # Home page
│   ├── about.js            # About page
│   ├── payloads.js         # Interactive payload generator
│   ├── references.js       # External references
│   └── guide/
│       └── [...slug].js    # Dynamic guide pages (SSG)
│
├── styles/
│   └── globals.css         # Global styles with Tailwind
│
├── public/                 # Static assets
├── out/                    # Production build output
├── tailwind.config.js      # Tailwind CSS configuration
└── next.config.js          # Next.js configuration
```
The payload generator (`/payloads`) allows security professionals to create custom XXE test payloads:

- Payload Types:
  - File Disclosure (classic XXE)
  - Blind XXE (out-of-band exfiltration)
  - SSRF (Server-Side Request Forgery)
  - Parameter Entity (advanced blind XXE)
  - Error-Based XXE
  - Billion Laughs (DoS)
- Customization:
  - Platform selection (Linux/Windows)
  - Target file selection with presets
  - Callback URL configuration
  - Protocol selection (file://, php://, expect://)
  - Custom entity names
  - Encoding options
- Export Options:
  - Copy to clipboard
  - Download as XML file
  - Live preview with syntax highlighting
Every guide includes:
- Vulnerable code demonstrating the security issue
- Secure code showing proper mitigation
- Attack payloads for testing
- Prevention checklists
- Language-specific configurations
- Mobile-friendly layouts
- Collapsible navigation on small screens
- Dark mode support
- Optimized typography for readability
- Touch-friendly interactive elements
- Framework: Next.js 16 (React 19)
- Styling: Tailwind CSS 3.4
- Syntax Highlighting: react-syntax-highlighter
- Markdown: react-markdown with remark-gfm
- Build: Static Site Generation (SSG)
```bash
# Start development server with hot reload
npm run dev

# Build for production
npm run build

# Serve production build locally
npm start

# Lint code (if configured)
npm run lint
```

To add a new guide:

- Create a new JSON file in `data/guides/`:

  ```json
  {
    "id": "guide-slug",
    "category": "vulnerabilities",
    "title": "Guide Title",
    "description": "Brief description",
    "severity": "critical",
    "cvssScore": 9.0,
    "sections": [
      {
        "id": "section-id",
        "title": "Section Title",
        "type": "text",
        "content": "Markdown content here..."
      },
      {
        "id": "code-example",
        "title": "Code Example",
        "type": "code",
        "code": {
          "language": "java",
          "code": "// Code here",
          "isVulnerable": true,
          "filename": "Example.java"
        }
      }
    ],
    "relatedTopics": ["other-guide-slug"],
    "references": [
      {
        "title": "Reference Title",
        "url": "https://example.com"
      }
    ]
  }
  ```

- Add the guide to `data/navigation.json`
- Rebuild the site: `npm run build`
The site is built as a static export and can be deployed to any static hosting platform:

GitHub Pages:

```bash
npm run build
# Push the 'out' directory to gh-pages branch
```

Netlify:

```bash
# Build command: npm run build
# Publish directory: out
```

Vercel:

```bash
# Framework Preset: Next.js
# Output Directory: out
```

AWS S3 + CloudFront:

```bash
npm run build
aws s3 sync out/ s3://your-bucket-name
```

No environment variables are required for basic deployment. The site is fully static.
All guides include practical, testable examples:
- Code Examples: Both vulnerable and secure implementations
- Test Payloads: Ready-to-use XXE payloads for authorized testing
- Validation Steps: How to verify vulnerabilities and fixes
- Prevention Checklists: Actionable security measures
Contributions are welcome! Here's how you can help:
- Report Issues: Found a bug or error? Open an issue
- Suggest Guides: Ideas for new content? Create a feature request
- Submit Pull Requests:
  - Fork the repository
  - Create a feature branch (`git checkout -b feature/new-guide`)
  - Commit your changes
  - Push to the branch
  - Open a Pull Request
- Follow existing guide structure and formatting
- Include both vulnerable and secure code examples
- Provide references to authoritative sources (OWASP, CWE, vendor docs)
- Test all code examples before submission
- Ensure markdown renders correctly
- Update navigation.json when adding guides
This project is open source and available for educational purposes. All content is provided for security education and authorized testing only.
- OWASP for XXE prevention guidelines and cheat sheets
- PortSwigger for XXE research and testing methodology
- Security community for vulnerability disclosures and research
- Next.js team for the excellent framework
- Tailwind CSS for the utility-first CSS framework
- GitHub Issues: For bugs, questions, and feature requests
- Security Reports: Responsible disclosure appreciated
This project is for educational purposes only. The tools, techniques, and payloads provided are intended for:
- Authorized security testing with explicit permission
- Security research in controlled environments
- Educational training for security professionals
- Defensive security implementation
Unauthorized use is illegal and unethical. Always obtain proper authorization before testing any system you do not own or have explicit permission to test.
Built with ❤️ for the security community
Last Updated: December 2024