Recently I started creating a CTF challenge based on Drupal 8. I want to create a REST API parameter that will be vulnerable to SQLi. Even if this isn't something I should ask for here, I decided to do it in case anyone who knows Drupal is willing to help. I don't know Drupal much and I'm not sure about configuration.
What I'm trying to do is configure Drupal to make an API call every time someone clicks on a user profile, and this call should be exposed. When anyone opens, for example, Chrome/Firefox developer tools, the API request can be seen.
Something like this:
I'm not sure how to configure such an API request in Drupal, and then later tweak it to be vulnerable, as I haven't actually dealt with Drupal config files before. I have a website mostly done and I created user accounts with accessible profiles. I also installed API modules to set up RESTful Web Services; however, at this point I'm a little lost and any guidance would be much appreciated.