This test attacks systems that parse XML input.
In the following example we try inserting an XML file that displays the entity &xee, which is defined as file:///etc/passwd so that it reads the password file. These XXE payloads can be found online.
We then try to upload it on a page that accepts documents.
When we intercept the request using Burp Suite, we can see the uploaded XML file and the data inside it, specifically /etc/passwd at the bottom.
Send the request to Repeater.
Once the request is sent, we get the location for the password.
We can try changing /etc/passwd to /etc/shadow and resending the request to see the first password (root) in the shadow file.
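The upload above only works when the server's XML parser accepts a DOCTYPE and resolves the external entity it declares. The following is an added example, not part of the original walkthrough, of a server-side check in Python that refuses any uploaded document containing a DTD or entity declaration before it is parsed; the names `check_upload`, `parse_upload` and `ForbiddenXML` are hypothetical and both sample documents are constructed.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when an upload is malformed or uses DTD features."""


def _forbid(kind):
    # Build an expat callback that aborts parsing as soon as it fires.
    def handler(*_args):
        raise ForbiddenXML(f"{kind} not allowed in uploaded XML")
    return handler


def check_upload(data: bytes) -> None:
    """First pass: stream the document through expat and reject DTD use."""
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _forbid("DOCTYPE declaration")
    parser.EntityDeclHandler = _forbid("entity declaration")
    parser.ExternalEntityRefHandler = _forbid("external entity reference")
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise ForbiddenXML(f"malformed XML: {exc}") from exc


def parse_upload(data: bytes) -> ET.Element:
    """Parse an upload only after it has passed the DTD check."""
    check_upload(data)
    return ET.fromstring(data)


# Constructed sample inputs: one ordinary document, and one shaped like
# the upload in the walkthrough (external entity pointing at a local file).
BENIGN = b"<?xml version='1.0'?><order><item>widget</item></order>"
XXE_UPLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE order [<!ENTITY xee SYSTEM "file:///etc/passwd">]>
<order><item>&xee;</item></order>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("xxe", XXE_UPLOAD)):
        try:
            root = parse_upload(doc)
            print(name, "accepted:", root.findtext("item"))
        except ForbiddenXML as err:
            print(name, "rejected:", err)
```

Rejecting the DOCTYPE outright means the entity is never defined, so changing the file path in the request has no effect on the outcome.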
Things to consider: