- Exploit identified web vulnerabilities (SQLi, XSS, IDOR, authentication bypass, etc.).
- Demonstrate access to patient records using synthetic test data. *Do not access, modify, or exfiltrate real patient data.*
- Test API endpoints for authorization flaws — can a standard patient user access anothe