hacking, owasp, web application security

The BodgeIT Store Series #7, Change your Passwords via a GET Request – #bodgeit #infosec #pentest #appsec #webapp

Happy hacking!

Today’s blog post is #7 in the BodgeIt Store series.

To view the blog post #6 click HERE.

Today’s topic is we’re going to change our password via a GET request.

Let’s get started.

We were able to log into the application without supplying a password – click HERE to read it.

Logging into the application as user1@thebodgeitstore.com’ OR ‘1’=’1

We get the following:


Clicking on the user1@thebodgeitstore.com link we see:


Let’s view the page source of the webpage:


We see that the update password is looking for a POST, but we need to send it as a GET. How are we going to solve this?

Let’s do a right click on one of the text boxes and select “inspect element”.

From there we see:


Double clicking on the form method we’re going to change the method from POST to GET.


Going back to the password page, we can select the password to anything. I am going to use “hello”, and press “Submit”



We we’re able to change our password, through a GET request.

Let’s see if our solution was accepted.


Our solution was accepted (as the challenge is now green)!

2 thoughts on “The BodgeIT Store Series #7, Change your Passwords via a GET Request – #bodgeit #infosec #pentest #appsec #webapp”

  1. Hi birdofbeauty12! I’m a computer science student and I’m super interested in pen testing! I had a go at the BodgeIt store site, so this series was super super fun for me to read, thank you so much for posting it 😀 I’m still trying to figure out how to do the other puzzles, and I’m struggling a little, so I was wondering if you might have any tips as to how to solve those? Thanks and keep up the great work!

  2. what happened with “Force someone to add an item to their basket when they visit your webpage” and “Level 3: Display a popup using: alert(“XSS”)” ?.
    could you solve it?

Leave a Reply