When APIs are used, it is good to see how they respond to edited requests. They may return errors that reveal vulnerabilities, or give out information that isn't supposed to be seen.
The requests of every page should be captured and examined. The example below shows a captured request for showing the basket.
The id and the product ID can be changed to view different results. Here it shows the error that the basketID needs to be unique (also try putting negative numbers where they shouldn't be, such as the amount; this might produce a negative total price).
You may also change what gets stored in the database, for example by submitting a comment whose author is set to the admin, as shown below.
When sending a request, sometimes the API response shows information that can be manipulated. In the example a registration has been done, but the response says isAdmin:false.
What if the registration is repeated with isAdmin forced to true in the request via the repeater? It saves the new user as an admin.
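The two manipulations above (a client-supplied isAdmin flag being saved, and a negative quantity producing a negative total) both come from the server trusting request fields it should set or check itself. The following is an added example of the server-side handling that closes them, not code from the original page or from the application being tested; the field names, the `BASKET_OWNERS` table and the session id are constructed for illustration.

```python
from typing import Any

# Fields the client is allowed to supply; anything else (e.g. isAdmin) is dropped.
REGISTRATION_FIELDS = {"email", "password"}
BASKET_ITEM_FIELDS = {"BasketId", "ProductId", "quantity"}

# Constructed sample data standing in for the database: basket id -> owning user id.
BASKET_OWNERS = {1: 10, 2: 11}


class ValidationError(ValueError):
    """Raised when a request field is missing, unexpected or out of range."""


def build_user_record(payload: dict[str, Any]) -> dict[str, Any]:
    """Turn a registration body into a user record.

    The privilege flag is assigned by the server, never copied from the
    request, so "isAdmin": true in the body changes nothing.
    """
    missing = REGISTRATION_FIELDS - payload.keys()
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")
    record = {k: payload[k] for k in REGISTRATION_FIELDS}
    record["isAdmin"] = False
    # Unexpected keys are worth logging: they are a sign of request tampering.
    record["dropped_fields"] = sorted(payload.keys() - REGISTRATION_FIELDS)
    return record


def build_basket_item(payload: dict[str, Any], session_user_id: int) -> dict[str, Any]:
    """Validate an add-to-basket body against the caller's session.

    Rejects a quantity that is not a positive integer (a negative one would
    give a negative line total) and a BasketId the caller does not own.
    """
    missing = BASKET_ITEM_FIELDS - payload.keys()
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")
    qty = payload["quantity"]
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(qty, bool) or not isinstance(qty, int) or qty < 1:
        raise ValidationError("quantity must be a positive integer")
    basket_id = payload["BasketId"]
    if BASKET_OWNERS.get(basket_id) != session_user_id:
        # Same error for "does not exist" and "not yours", so ids cannot be enumerated.
        raise ValidationError("basket not available")
    return {"BasketId": basket_id, "ProductId": payload["ProductId"], "quantity": qty}
```

The `dropped_fields` list is returned only so the caller can log it; a spike in registrations carrying unexpected keys such as isAdmin is a useful detection signal.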