Make sure you are not logged into the application. If you are, click the Logout button from the top menu. 

1. Within Mutillidae, browse to the User Lookup (SQL) Page and select OWASP 2013 | A1 Injection (SQL) | SQLi – Extract Data | User Info (SQL):

2. Type user for Name and user for Password, and click View Account Details. You should see the results shown in the next screenshot. This is the account we will test provisioning functions against, using REST calls:

Through Spidering, Burp can find /api or /rest folders. Such folders are clues that an application is REST API enabled. A tester needs to determine which functions are available through these API calls.

3. For Mutillidae, the /webservices/rest/ folder structure offers account provisioning through REST API calls.
4. To go directly to this structure within Mutillidae, select Web Services | REST | SQL Injection | User Account Management:

You are presented with a screen describing the supported REST calls and parameters required for each call:

5. Let's try to invoke one of the REST calls. Go to the Proxy | HTTP history table and select the latest request you sent from the menu, to get to the User Account Management page. Right-click and send this request to Repeater:

6. In Burp's Repeater, add the ?, followed by a parameter name/value pair of username=user to the URL. The new URL should be as follows:

/mutillidae/webservices/rest/ws-user-account.php?username=user

7. Click the Go button and notice we are able to retrieve data as an unauthenticated user! No authentication token is required to perform such actions:

8. Let's see what else we can do. Using the SQL Injection string given on the User Account Management page, let's attempt to dump the entire user table.
9. Append the following value after username=:

user'+union+select+concat('The+password+for+',username,'+is+',+password),mysignature+from+accounts+--+

The new URL should be the following one:

/mutillidae/webservices/rest/ws-user-account.php?username=user'+union+select+concat('The+password+for+',username,'+is+',+password),mysignature+from+accounts+--+

10. Click the Go button after making the change to the username parameter. Your request should look as shown in the following screenshot:

11. Notice we dumped all of the accounts in the database, displaying all usernames, passwords, and signatures:

12. Armed with this information, return to Proxy | HTTP History, select the request you made to see the User Account Management page, right-click, and send to Repeater.
13. In Repeater, modify the GET verb and replace it with DELETE within the Raw tab of the Request:

14. Move to the Params tab, click the Add button, and add two Body type parameters: first, a username with the value set to user, and second, a password with the value set to user, and then click the Go button:

15. Notice we deleted the account! We were able to retrieve information and even modify (delete) rows within the database without ever showing an API key or authentication token!