Tips:

check all get & post parameter

check all request headers

check store and retrive functionality

Tools:

sqlmap