Could someone take a look at this excercise in the Advanced XSS and CSRF module. I have been stuck on it for weeks and I am going around in circles. I am pretty sure I have identified the type of CORS misconfiguration due to the reflection of a random input i added in the appropriate header but i cannot seem to get the API key. I am not sure if i am modifying the example payload correctly
I dont want the answer just a nudge.
TIA