How it works...

In this recipe, we first noticed that the employee IDs are given to the client as values in a list and sent back to the server as request parameters, so we tried changing the employee_id parameter to retrieve information about an employee we should not have access to.

After that, we noticed in the Inspector that all the buttons share the same name and form action, and that each button's value is the action the server performs when that button is pressed. This can be confirmed by watching the requests in the Network tab of the Developer Tools. So, if the application uses actions such as SearchStaff, ViewProfile, and ListStaff, an action named DeleteProfile may well do what the challenge asks for. After changing the ViewProfile button's value to DeleteProfile and clicking it, we confirmed the assumption: we can delete any user (or perform any action) in this application simply by editing the values of HTML elements with the tools built into any web browser. The underlying flaw is server-side: the application trusts the identifier and the action name supplied by the client instead of checking, on every request, whether the logged-in user is authorized to perform that action on that record.
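As an added example (not code from the book or from the challenge application), the following Python sketches a toy version of the staff endpoint: a handler that trusts the employee_id parameter and the button's action value, as the recipe's target does, beside a hardened handler that decides authorization from the session user's role and record ownership on the server. The employee records, role names, the ALLOWED_ACTIONS table and all function names are constructed for this illustration; replay_attack reproduces the two tampering steps from the recipe against either handler.

```python
from copy import deepcopy

# Constructed sample data for this example: employee records keyed by ID.
STAFF = {
    1: {"name": "Alice", "role": "manager"},
    2: {"name": "Bob", "role": "staff"},
    3: {"name": "Carol", "role": "staff"},
}

# Server-side policy (assumed for the example): which form actions each role
# may invoke. The hardened handler consults this instead of trusting the
# button value it receives from the browser.
ALLOWED_ACTIONS = {
    "staff": {"ViewProfile", "SearchStaff", "ListStaff"},
    "manager": {"ViewProfile", "SearchStaff", "ListStaff", "DeleteProfile"},
}


def _parse_employee_id(params, session_user):
    """Return the requested employee_id as an int (default: the caller's own ID),
    or None when the parameter is not a valid integer."""
    try:
        return int(params.get("employee_id", session_user))
    except (TypeError, ValueError):
        return None


def vulnerable_handler(db, session_user, params):
    """Trusts the request completely, as the recipe's application does: whatever
    employee_id and action the browser sends is acted on for any logged-in user."""
    action = params.get("action")
    emp_id = _parse_employee_id(params, session_user)
    if emp_id is None:
        return 400, None
    if action == "ViewProfile":
        return (200, db[emp_id]) if emp_id in db else (404, None)
    if action == "DeleteProfile":
        db.pop(emp_id, None)
        return 200, {"deleted": emp_id}
    if action == "ListStaff":
        return 200, sorted(db)
    return 400, None


def hardened_handler(db, session_user, params):
    """Same endpoint, but authorization is decided from the session, not the form:
    1. the action must be one the caller's role is allowed to perform;
    2. a non-manager may only act on their own record, whatever employee_id says."""
    action = params.get("action")
    role = db[session_user]["role"]
    if action not in ALLOWED_ACTIONS.get(role, set()):
        return 403, None
    emp_id = _parse_employee_id(params, session_user)
    if emp_id is None:
        return 400, None
    if action in ("ViewProfile", "DeleteProfile"):
        if emp_id != session_user and role != "manager":
            return 403, None
        if emp_id not in db:
            return 404, None
        if action == "ViewProfile":
            return 200, db[emp_id]
        del db[emp_id]
        return 200, {"deleted": emp_id}
    if action == "ListStaff":
        return 200, sorted(db)
    return 400, None


def replay_attack(handler):
    """Replay the recipe's two tampering steps as Bob (ID 2, a regular staff member):
    read Carol's profile via a changed employee_id, then change the button value
    to DeleteProfile. Returns (view_status, delete_status, carol_still_exists)."""
    db = deepcopy(STAFF)
    view_status, _ = handler(db, 2, {"action": "ViewProfile", "employee_id": "3"})
    delete_status, _ = handler(db, 2, {"action": "DeleteProfile", "employee_id": "3"})
    return view_status, delete_status, 3 in db


if __name__ == "__main__":
    print("vulnerable:", replay_attack(vulnerable_handler))  # (200, 200, False)
    print("hardened:  ", replay_attack(hardened_handler))    # (403, 403, True)
```

The point of the hardened version is that the browser-supplied action and employee_id are treated as untrusted input: the role comes from the session, the action is checked against a server-side allowlist, and the record is checked for ownership before anything is read or deleted. Renaming or hiding the DeleteProfile button on the client would change nothing, since the Inspector can restore it in seconds.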
