I’m trying to figure out why this lab does not provide the “flag” for task 1.
I’m able to successfuly perform the API attack of manipulating user data as I was able to add $ credit to the account by falsely returning a quantity of items, mainly by using burp repearter feature.
However, the lab ask to see what the user name is after conduction that malicious operation, in my case the user name does not change.