In this recipe, the insecure XML parser receives the request within the XML for the /etc/passwd file residing on the server. Since there is no validation performed on the XML request due to a weakly-configured parser, the resource is freely provided to the attacker.