XML external entity (XXE) injection is a type of attack against an application that parses XML input. The most interesting aspect of parsing XML input files is that they can contain code that points to a file on the server itself. We'll go over, in some detail, the full scope of what external entities can be, including files hosted on the web via FTP and HTTP. After sending the request with the above as POST data, the victim server will respond with its own /etc/passwd: “You have logged in as user Ed”
Source: https://depthsecurity.com/blog/exploitation-xml-external-entity-xxe-injection
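
A defensive pre-parse check for the external entities described above, as an added example that is not from the original article: it lists every external entity a document declares and the scheme it points to (file, HTTP, FTP) without fetching anything. The sample documents and the function names `audit_external_entities` and `is_safe_to_parse` are constructed for illustration.

```python
import xml.parsers.expat
from urllib.parse import urlparse

# Constructed sample inputs (not taken from the article).
BENIGN = b"<login><user>Ed</user></login>"
LOCAL_FILE = (b'<?xml version="1.0"?>\n'
              b'<!DOCTYPE login [<!ENTITY ext SYSTEM "file:///etc/passwd">]>\n'
              b'<login><user>&ext;</user></login>')
REMOTE = (b'<!DOCTYPE login [<!ENTITY a SYSTEM "http://example.invalid/a.txt">'
          b'<!ENTITY b SYSTEM "ftp://example.invalid/b.txt">'
          b'<!ENTITY c "plain internal text">]>'
          b'<login><user>&a;&b;&c;</user></login>')


def audit_external_entities(xml_bytes):
    """Return [(entity_name, system_id, scheme)] for every external entity
    declared in the document. Nothing is fetched: expat only resolves an
    external entity if an ExternalEntityRefHandler does so, and none is set."""
    found = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value and no system identifier.
        if system_id is not None:
            # A system identifier without a scheme is treated as a local path.
            scheme = urlparse(system_id).scheme or "file"
            found.append((name, system_id, scheme))

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)
    return found


def is_safe_to_parse(xml_bytes):
    """Policy check: refuse any document that declares an external entity."""
    return not audit_external_entities(xml_bytes)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("local", LOCAL_FILE), ("remote", REMOTE)):
        print(label, is_safe_to_parse(doc), audit_external_entities(doc))
```

Running the check before the request body reaches the application's real XML parser lets a rejected document be logged with the entity name and target it tried to declare.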

