davidfisher
Sep 29, 2018

PHP Auction Site is not vulnerable..?

I downloaded the file here: https://devcentral.f5.com/articles/configuring-the-big-ip-and-php-hack-it-yourself-auction-site

And I am trying out the discover parameter tampering vul from the ASM 13 lab guide by entering a nick for a different user:

http://asmauction.com/user_menu.php?nick=allwyn

And I am nicely being dropped at the login page as if this is a damn good secure app, lol.

Is there some updated version of this auction site that I should be using?

1 Reply

  • nathe

    I've just tested my lab PHP Auction site. This works once you are already authenticated. So log in as user joe and then change the parameter to someone else. This will show you their Control Panel. Works for me.

    Hope this helps,

    N
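
A model of the server-side logic behind the behaviour described in this thread, added here as an example and not taken from the posts or from the auction site's source. The handler names, the `logged_in_nick` session key and the sample accounts are assumptions. It shows why an anonymous request lands on the login page, why an authenticated request can read another user's panel, and the ownership check that closes the gap.

```php
<?php
// Hypothetical model of user_menu.php; NOT the auction site's real source.
// Constructed sample data: two accounts and their control-panel contents.
const PANELS = [
    'joe'    => 'Control Panel for joe',
    'allwyn' => 'Control Panel for allwyn',
];

// Pattern described in the thread: login is enforced, but the panel shown
// is selected by the client-supplied "nick" parameter.
function user_menu_vulnerable(array $session, array $query): array
{
    if (empty($session['logged_in_nick'])) {        // assumed session key
        return [302, 'Location: login.php'];        // what the first post saw
    }
    $nick = $query['nick'] ?? $session['logged_in_nick'];
    if (!is_string($nick) || !array_key_exists($nick, PANELS)) {
        return [404, 'No such user'];
    }
    return [200, PANELS[$nick]];                    // authenticated, not authorized
}

// Hardened form: the session decides whose panel is rendered. A "nick" that
// does not match the session owner is refused and logged for detection.
function user_menu_hardened(array $session, array $query): array
{
    if (empty($session['logged_in_nick'])) {
        return [302, 'Location: login.php'];
    }
    $owner = $session['logged_in_nick'];
    $nick  = $query['nick'] ?? $owner;
    if ($nick !== $owner) {
        error_log('nick mismatch: session=' . $owner . ' requested=' . json_encode($nick));
        return [403, 'Forbidden'];
    }
    return [200, PANELS[$owner] ?? ''];
}

// Constructed requests: the same ?nick=allwyn, sent without and with a session.
$sessions = ['anonymous' => [], 'joe' => ['logged_in_nick' => 'joe']];
foreach ($sessions as $label => $session) {
    foreach (['user_menu_vulnerable', 'user_menu_hardened'] as $handler) {
        [$status, $body] = $handler($session, ['nick' => 'allwyn']);
        printf("%-10s %-22s %d %s\n", $label, $handler, $status, $body);
    }
}
```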