We now came back to Mutillidae. This time, we will use the OWASP 2013 | A1 - Injection (SQL) | Bypass Authentication | Login exercise:
- First, send a request with any non-existent user and password so the login fails
- Send the request to Burp Suite's Repeater and submit it so we can have a reference response.
- Once in Repeater, we will test SQL Injection vector in the User-Agent header and append '+and+'1'=' to the header's value.
- If we compare the responses of both requests, we will see that the one with the injection is a few bytes bigger than the original one, as shown in the following screenshot:

- To ease the process of ...