Intentional flaw: backend trusts a hidden input flag from the browser.
Credentials: client_user / client123
client_user / client123
Reset Back