There's more...

We used a SQLi wordlist from wfuzz within Burp Intruder to test many different payloads within the same username field. Examine the response for each attack in the results table to determine whether the payload successfully performed a SQL injection.

The construction of SQL injection payloads requires some knowledge of the backend database and the particular syntax required.
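As an added example (not code from the book), the following Python sketch triages rows copied out of the Intruder results table: it compares each response with the baseline request and looks for database error text, which also hints at the backend whose syntax applies. The field names, tolerance, placeholder payload labels and sample rows are assumptions constructed for illustration.

```python
import re

# Error fragments different backends emit when they reject malformed SQL.
DB_ERROR_SIGNATURES = {
    "MySQL": re.compile(r"You have an error in your SQL syntax", re.I),
    "PostgreSQL": re.compile(r"syntax error at or near", re.I),
    "Microsoft SQL Server": re.compile(r"Unclosed quotation mark", re.I),
    "Oracle": re.compile(r"ORA-\d{5}"),
}

def triage(baseline, rows, length_tolerance=50):
    """Return the rows that deviate from the baseline response, with reasons."""
    findings = []
    for row in rows:
        reasons = []
        if row["status"] != baseline["status"]:
            reasons.append(f"status {row['status']} != baseline {baseline['status']}")
        delta = row["length"] - baseline["length"]
        if abs(delta) > length_tolerance:
            reasons.append(f"length differs by {delta}")
        for backend, pattern in DB_ERROR_SIGNATURES.items():
            if pattern.search(row["body"]):
                reasons.append(f"{backend} error text in body")
        if reasons:
            findings.append({"payload": row["payload"], "reasons": reasons})
    return findings

# Constructed sample data; payload labels are placeholders, not wordlist entries.
BASELINE = {"payload": "(baseline)", "status": 200, "length": 4500,
            "body": "Invalid username or password"}
ROWS = [
    {"payload": "payload-01", "status": 200, "length": 4503,
     "body": "Invalid username or password"},
    {"payload": "payload-02", "status": 500, "length": 1200,
     "body": "You have an error in your SQL syntax; check the manual"},
    {"payload": "payload-03", "status": 302, "length": 350, "body": ""},
    {"payload": "payload-04", "status": 200, "length": 4510,
     "body": "Invalid username or password"},
]

if __name__ == "__main__":
    for finding in triage(BASELINE, ROWS):
        print(finding["payload"], "->", "; ".join(finding["reasons"]))
```

A flagged row is only a lead: open the request and response in Burp to confirm what actually happened.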
