Privilege Escalation Demo — Profile Settings

Profile Settings

Current role: USER

Role cannot be changed from the UI. Or can it...?

Network — Request Body: PUT /api/profile

How This Works

1. The form only shows name and email fields

2. But the API request body includes a role field

3. In vulnerable mode: Change "role" to "admin" in the request body and hit Send

4. In secure mode: The server strips the role field and ignores it
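The two handler behaviours described in the steps above, as an added JavaScript example that is not the demo's own code: the user record and request body are constructed samples, and the function names are assumed.

```javascript
// Added example (not the demo's code): the vulnerable and secure versions of the
// PUT /api/profile handler, written as plain functions so they run without a server.

// The only fields the profile form actually exposes.
const ALLOWED_PROFILE_FIELDS = ["name", "email"];

// Vulnerable mode: the handler trusts the whole request body and merges it into
// the stored record, so an extra "role" property in the JSON is written as well.
function updateProfileVulnerable(user, body) {
  return { ...user, ...body };
}

// Secure mode: the handler copies only the allow-listed fields; "role" and any
// other field the client adds are dropped before the record is saved.
function updateProfileSecure(user, body) {
  const update = {};
  for (const field of ALLOWED_PROFILE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, field)) {
      update[field] = body[field];
    }
  }
  return { ...user, ...update };
}

// Defender's check: fields in the body that the form never sends. Worth logging,
// since a request carrying "role" is a sign of a tampered request body.
function unexpectedFields(body) {
  return Object.keys(body).filter((k) => !ALLOWED_PROFILE_FIELDS.includes(k));
}

// Constructed sample: the record the server holds before the request.
const storedUser = { id: 42, name: "Alice", email: "alice@example.com", role: "USER" };

// Constructed sample request body: a normal edit plus the role field the form
// does not show but the API still receives.
const requestBody = { name: "Alice Smith", email: "alice@example.com", role: "admin" };

function demo() {
  const vulnerable = updateProfileVulnerable(storedUser, requestBody);
  const secure = updateProfileSecure(storedUser, requestBody);
  console.log("vulnerable mode role:", vulnerable.role); // "admin"
  console.log("secure mode role:", secure.role);         // "USER"
  console.log("unexpected fields:", unexpectedFields(requestBody)); // ["role"]
  return { vulnerable, secure };
}

demo();
```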