PortSwigger - URL-based Access Control Can Be Circumvented

Jun Takemura · June 3, 2025

URL-based access control can be circumvented

Task

This website has an unauthenticated admin panel at /admin, but a front-end system has been configured to block external access to that path. However, the back-end application is built on a framework that supports the X-Original-URL header.

To solve the lab, access the admin panel and delete the user carlos.

Solution

The task description gives it away: the access control can be bypassed with the `X-Original-URL` header. Even without that hint, one clue is the error message returned for /admin: it is short and generic, the kind a front-end component (CDN, WAF, reverse proxy) produces. Back-end applications tend to return more application-specific error messages.

Sending a request to `/?username=carlos` with the header `X-Original-URL: /admin/delete` solves the lab. The point is that the query string has to go in the real request URL, not in `X-Original-URL`; the header should carry only the path.
