01.08.2017, 09:39
Quote:
Hi there.
First, nice webshop, I like this idea. Second, I've seen that this shop is vulnerable to Web Parameter Tampering: we can tamper with POST data (such as the price of skins/vehicles) and we can get them for free. Another way is executing the JavaScript code directly. So, the original request originates here:
Code:
<p><button type='button' class='btn btn-info' onClick='BuySkin(".$skins[$i][1].", ".$skins[$i][0].")'>Buy</button></p>
Code:
BuySkin(240, 0);
Nobody.
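The server-side fix for the tampering reported above, as an added example that is not part of the original post or the shop's own code: the handler takes only the item id from the request and looks the price up itself. The function name `buySkin`, the `skin`/`price` field names, the catalogue constant, and the reading of `BuySkin(240, 0)` as (skin id, price) are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed catalogue (skin id => price); in a real shop this is a database table.
const SKIN_PRICES = [240 => 5000, 101 => 1200];

/**
 * Hypothetical purchase handler. Only the skin id is trusted as input;
 * the price is always resolved server-side, never read from the request.
 */
function buySkin(array $post, array &$account): array
{
    $skinId = filter_var($post['skin'] ?? null, FILTER_VALIDATE_INT);
    if ($skinId === false || !array_key_exists($skinId, SKIN_PRICES)) {
        return ['ok' => false, 'error' => 'unknown skin'];
    }

    $price = SKIN_PRICES[$skinId]; // authoritative price

    // A client-supplied price that disagrees with the catalogue means the
    // request was edited; record it for review, but never use the value.
    if (isset($post['price']) && (int)$post['price'] !== $price) {
        error_log("price mismatch: skin $skinId, account {$account['id']}");
    }

    if ($account['balance'] < $price) {
        return ['ok' => false, 'error' => 'insufficient balance'];
    }

    $account['balance'] -= $price;
    $account['skins'][] = $skinId;
    return ['ok' => true, 'charged' => $price];
}

// Constructed requests: the second carries a tampered price of 0 and is
// still charged the catalogue price.
$account = ['id' => 1, 'balance' => 7000, 'skins' => []];
var_dump(buySkin(['skin' => '240', 'price' => '5000'], $account));
var_dump(buySkin(['skin' => '101', 'price' => '0'], $account));
var_dump($account['balance']);
```

With this shape the `price` argument can be dropped from the button's `onClick` call entirely, since the server no longer needs it.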