We tried accessing the /admin panel with the wiener user's session token and received an Access Denied response, so the front end was enforcing URL-based access control on the request path.

We set the request line to GET / and added the header X-Original-Url: /admin. The front-end access control only inspected the request-line path (/), so the request was allowed through, and the back end replaced the request path with the header's value and served the admin panel to us.

We then changed the request method to POST, added the username parameter with the value carlos to the body, and set X-Original-Url to /admin/delete. Since the header overrides only the path, the parameter has to travel in the body (or the real query string) rather than in the header. The back end routed the request to /admin/delete and we solved the lab by deleting the carlos user.
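The routing mismatch that makes this work can be reproduced without the lab. The following is an added example, not code from the lab or the original write-up: it models a front end that applies access control to the request-line path and a back end that trusts an X-Original-Url override, then shows a hardened resolver that ignores the header. The Request class, user store, route names and the session handling are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

ADMIN_PREFIX = "/admin"
OVERRIDE_HEADER = "X-Original-Url"


@dataclass
class Request:
    """Minimal model of an HTTP request (constructed for this example)."""
    method: str
    path: str  # request-line path, may carry a query string
    headers: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, str] = field(default_factory=dict)
    session_user: Optional[str] = None  # user bound to the session cookie


def is_admin_path(path: str) -> bool:
    return urlsplit(path).path.startswith(ADMIN_PREFIX)


def front_end_allows(req: Request) -> bool:
    """Front-end access control: looks only at the request-line path."""
    if is_admin_path(req.path) and req.session_user != "administrator":
        return False
    return True


def resolve_path_vulnerable(req: Request) -> str:
    """Vulnerable back end: an override header replaces the routed path."""
    return req.headers.get(OVERRIDE_HEADER, req.path)


def resolve_path_hardened(req: Request) -> str:
    """Hardened back end: the override header is ignored entirely."""
    return req.path


def back_end(path: str, req: Request, users: Set[str]) -> Tuple[int, str]:
    """Routes on the resolved path; no access control of its own."""
    parts = urlsplit(path)
    if parts.path == "/":
        return 200, "home"
    if parts.path == "/admin":
        return 200, "admin panel"
    if parts.path == "/admin/delete":
        # The parameter may arrive in the query string or the POST body.
        query = parse_qs(parts.query)
        username = (query.get("username") or [req.body.get("username", "")])[0]
        if username in users:
            users.discard(username)
            return 200, f"deleted {username}"
        return 404, "no such user"
    return 404, "not found"


def handle(req: Request, users: Set[str],
           resolve: Callable[[Request], str]) -> Tuple[int, str]:
    """Front end first, then the back end with the chosen path resolver."""
    if not front_end_allows(req):
        return 401, "Access Denied"
    return back_end(resolve(req), req, users)


if __name__ == "__main__":
    users = {"wiener", "carlos"}
    direct = Request("GET", "/admin", session_user="wiener")
    bypass = Request("GET", "/", {OVERRIDE_HEADER: "/admin"}, session_user="wiener")
    delete = Request("POST", "/", {OVERRIDE_HEADER: "/admin/delete"},
                     {"username": "carlos"}, session_user="wiener")
    print("direct   :", handle(direct, users, resolve_path_vulnerable))
    print("bypass   :", handle(bypass, users, resolve_path_vulnerable))
    print("delete   :", handle(delete, users, resolve_path_vulnerable), users)
    users = {"wiener", "carlos"}
    print("hardened :", handle(delete, users, resolve_path_hardened), users)
```

The hardened resolver is the minimal fix; the more robust one is to apply the authorization check at the back end against the path it actually routes on, so that no front-end/back-end disagreement about the URL can bypass it.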

We verified that the user was deleted: