Cheat Sheet:
http://web-in-security.blogspot.in/2016/03/xxe-cheat-sheet.html
Prevention:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
Exploitation:
http://www.silentrobots.com/blog/2015/12/14/xe-cheatsheet-update/
http://blog.h3xstream.com/2014/06/identifying-xml-external-entity.html
https://blog.bugcrowd.com/advice-from-a-researcher-xxe
Parsers
XML Parsers can have an effect on XXE attacks so it is important to consider how to invoke the parsers in safe manner.
...
- DoS attacks - Apply a DeclHandler
- XXE/XXEP/URL Invocation attacks - Apply an EntityResolver
- Quirks: The features external-general-entities and external-parameter-entities are not supported.
...
Safe Coding Practices
http://www.safecode.org/publication/SAFECode_Dev_Practices0211.pdf
Threat Modeling
https://www.microsoft.com/en-us/sdl/adopt/threatmodeling.aspx