How to do it...

  1. Navigate to the XML External Entity Injection page through Others | XML External Entity Injection | XML Validator:

  2. While on the XML Validator page, use the example XML that is provided on the page. Click the Validate XML button:

  3. Switch to the Burp Proxy | HTTP history tab and look for the request you just submitted to validate the XML. Right-click and send the request to Repeater:

  4. Note the value provided in the xml parameter:

  5. Use Burp Proxy Interceptor to replace this xml parameter value with the following payload. The new payload declares an external entity that makes the parser read a file on the operating system that should be restricted from view, namely the /etc/passwd file:

```xml
<?xml version="1.0"?>
<!DOCTYPE change-log[
<!ENTITY systemEntity SYSTEM "../../../../etc/passwd">
]>
<change-log>
<text>&systemEntity;</text>
</change-log>
```

Since there are odd characters and spaces in the new XML message, let's type this payload into the Decoder section and URL-encode it before we paste it into the xml parameter.

  6. Switch to the Decoder section and type or paste the new payload into the text area. Click the Encode as... button and select the URL option from the drop-down list. Then copy the URL-encoded payload using Ctrl + C. Make sure you copy all of the payload by scrolling to the right:

  7. Switch to the Burp Proxy Intercept tab. Turn the interceptor on with the Intercept is on button.
  8. Return to the Firefox browser and reload the page. While the request is paused, replace the current value of the xml parameter with the new URL-encoded payload:

  9. Click the Forward button. Turn the interceptor off by toggling the button to Intercept is off.
  10. Note that the returned XML now shows the contents of the /etc/passwd file! The XML parser granted us access to the /etc/passwd file on the operating system:
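The validator in this recipe resolved the SYSTEM entity because its parser was allowed to. As an added example (not Mutillidae's or the book's code), here is a hardened stand-in written with Python's stdlib expat parser: it rejects a DOCTYPE outright, or, when a DOCTYPE must be tolerated, rejects any SYSTEM/PUBLIC entity declaration before anything is resolved. The benign change-log document is constructed; the XXE payload is the one from the recipe.

```python
import xml.parsers.expat as expat

class UnsafeXMLError(ValueError):
    """The document declares a DOCTYPE or an external entity."""

def validate_xml(document: str, allow_doctype: bool = False) -> dict:
    """Parse with expat; return root name and text, or raise UnsafeXMLError
    before any entity is resolved if a DOCTYPE (unless allowed) or any
    SYSTEM/PUBLIC entity declaration is present."""
    parser = expat.ParserCreate()
    result = {"root": None, "text": ""}
    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Entities can only be declared inside a DOCTYPE; most APIs never need one.
        if not allow_doctype:
            raise UnsafeXMLError(f"DOCTYPE '{name}' is not allowed")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # A SYSTEM or PUBLIC identifier means the parser would read a file or URL.
        if system_id is not None or public_id is not None:
            raise UnsafeXMLError(f"external entity '{name}' -> {system_id or public_id}")

    def on_start(name, attrs):
        if result["root"] is None:
            result["root"] = name

    def on_chardata(data):
        result["text"] += data  # expat may deliver text in several chunks

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # Defence in depth: a handler returning 0 makes expat abort rather than fetch.
    parser.ExternalEntityRefHandler = lambda *args: 0
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chardata
    try:
        parser.Parse(document, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    return result

# Constructed sample: the benign change-log the validator page expects.
BENIGN_XML = '<?xml version="1.0"?><change-log><text>Fixed login</text></change-log>'
# The recipe's payload, which declares an external entity pointing at /etc/passwd.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE change-log[
<!ENTITY systemEntity SYSTEM "../../../../etc/passwd">
]>
<change-log><text>&systemEntity;</text></change-log>"""
```

Logging the rejected entity name and identifier, as the error message does, also gives a detection signal: a legitimate client never sends a SYSTEM entity to this endpoint.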
