Part 4 takes the attack vector previously copied and injects it into the successful call from step 1. Then the client is run with this malicious data as the params and the attack is verified.