The user realizes that the system trusts input from specific "internal" IP addresses. Using a tool like Burp Suite or a custom Python script, the user spoofs the X-Forwarded-For header.
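The trust decision that makes this spoofing work, next to a hardened form, as an added example that is not part of the original page. The proxy address 10.0.0.5, the internal range 10.0.0.0/8, the function names and the sample requests are assumptions constructed for illustration, and the hardened form assumes the reverse proxy appends the connecting address to X-Forwarded-For.

```python
import ipaddress

# Assumed deployment values (hypothetical): one reverse proxy, one internal range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def _in(addr, nets):
    return any(addr in net for net in nets)


def naive_client_ip(peer, headers):
    """Vulnerable: believes the left-most X-Forwarded-For entry from any sender."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer


def hardened_client_ip(peer, headers):
    """Use the header only when the TCP peer is a trusted proxy, then walk the
    list right-to-left and return the first hop that is not a trusted proxy.
    Returns None when no usable address is found."""
    if not _in(ipaddress.ip_address(peer), TRUSTED_PROXIES):
        return peer  # direct connection: the header is client-controlled, ignore it
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # missing or malformed entry: treat the client as unknown
        if not _in(addr, TRUSTED_PROXIES):
            return str(addr)
    return None


def is_internal(ip):
    """An unknown client (None) is never treated as internal."""
    return ip is not None and _in(ipaddress.ip_address(ip), INTERNAL_NETS)


# Constructed sample requests: (socket peer address, request headers).
SPOOFED_DIRECT = ("203.0.113.7", {"X-Forwarded-For": "10.1.2.3"})
SPOOFED_VIA_PROXY = ("10.0.0.5", {"X-Forwarded-For": "10.1.2.3, 203.0.113.7"})
LEGIT_INTERNAL = ("10.0.0.5", {"X-Forwarded-For": "10.1.2.3"})

if __name__ == "__main__":
    for peer, hdrs in (SPOOFED_DIRECT, SPOOFED_VIA_PROXY, LEGIT_INTERNAL):
        print(peer, hdrs, "naive:", is_internal(naive_client_ip(peer, hdrs)),
              "hardened:", is_internal(hardened_client_ip(peer, hdrs)))
```

The socket peer address is the only value the client cannot choose, so it decides whether the header is read at all.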