diff --git a/webgoat-lessons/insecure-login/pom.xml b/webgoat-lessons/insecure-login/pom.xml
new file mode 100755
index 000000000..aac10ceef
--- /dev/null
+++ b/webgoat-lessons/insecure-login/pom.xml
@@ -0,0 +1,34 @@
+
+ 4.0.0
+ insecure-login
+ jar
+
+ org.owasp.webgoat.lesson
+ webgoat-lessons-parent
+ 8.0-SNAPSHOT
+
+
+
+
+ org.springframework.boot
+ spring-boot-starter-test
+ test
+
+
+ org.springframework.security
+ spring-security-test
+ 4.1.3.RELEASE
+ test
+
+
+ junit
+ junit
+ ${junit.version}
+ jar
+ test
+
+
+
+
+
diff --git a/webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat/plugin/InsecureLogin.java b/webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat/plugin/InsecureLogin.java
new file mode 100755
index 000000000..6d8108e63
--- /dev/null
+++ b/webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat/plugin/InsecureLogin.java
@@ -0,0 +1,63 @@
+package org.owasp.webgoat.plugin;
+
+import com.beust.jcommander.internal.Lists;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *
+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since October 12, 2016
+ */
+public class InsecureLogin extends NewLesson {
+ @Override
+ public Category getDefaultCategory() {
+ return Category.INSECURE_COMMUNICATION;
+ }
+
+ @Override
+ public List getHints() {
+ return Lists.newArrayList();
+ }
+
+ @Override
+ public Integer getDefaultRanking() {
+ return 1;
+ }
+
+ @Override
+ public String getTitle() {
+ return "insecure-login.title";
+ }
+
+ @Override
+ public String getId() {
+ return "InsecureLogin";
+ }
+}
diff --git a/webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat/plugin/InsecureLoginTask.java b/webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat/plugin/InsecureLoginTask.java
new file mode 100755
index 000000000..e5895f39c
--- /dev/null
+++ b/webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat/plugin/InsecureLoginTask.java
@@ -0,0 +1,59 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+/**
+ * *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
+ * For details, please see http://webgoat.github.io
+ *
+ * @author Bruce Mayhew WebGoat
+ * @created October 28, 2003
+ */
+@AssignmentPath("/InsecureLogin/task")
+public class InsecureLoginTask extends AssignmentEndpoint {
+
+ @RequestMapping(method = RequestMethod.POST)
+ public
+ @ResponseBody
+ AttackResult completed(@RequestParam String username, @RequestParam String password) throws IOException {
+ if (username.toString().equals("CaptainJack") && password.toString().equals("BlackPearl")) {
+ return trackProgress(success().build());
+ }
+ return trackProgress(failed().build());
+ }
+}
diff --git a/webgoat-lessons/insecure-login/src/main/resources/html/InsecureLogin.html b/webgoat-lessons/insecure-login/src/main/resources/html/InsecureLogin.html
new file mode 100755
index 000000000..04798c65f
--- /dev/null
+++ b/webgoat-lessons/insecure-login/src/main/resources/html/InsecureLogin.html
@@ -0,0 +1,45 @@
+
+
+
+
+
+
+
+
diff --git a/webgoat-lessons/insecure-login/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/insecure-login/src/main/resources/i18n/WebGoatLabels.properties
new file mode 100755
index 000000000..dc4f1874f
--- /dev/null
+++ b/webgoat-lessons/insecure-login/src/main/resources/i18n/WebGoatLabels.properties
@@ -0,0 +1,4 @@
+insecure-login.title=Insecure Login
+
+insecure-login.intercept.success=Welcome, CaptainJack!
+insecure-login.intercept.failure=Wrong username or password
diff --git a/webgoat-lessons/insecure-login/src/main/resources/js/credentials.js b/webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
new file mode 100755
index 000000000..b7387c623
--- /dev/null
+++ b/webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
@@ -0,0 +1,6 @@
+function submit_secret_credentials() {
+ var xhttp = new XMLHttpRequest();
+ xhttp['open']('POST', '#attack/307/100', true);
+ //sending the request is obfuscated, to descourage js reading
+ var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
+}
\ No newline at end of file
diff --git a/webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Intro.adoc b/webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Intro.adoc
new file mode 100755
index 000000000..f4fac8471
--- /dev/null
+++ b/webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Intro.adoc
@@ -0,0 +1,7 @@
+
+== Concept
+Encryption is a very inportant tool for secure communication. In this lesson, we will find out, why it should always be employed when sending sensitive data.
+
+== Goals
+* The user should have a basic understanding of packet sniffer usage
+* The user will be able to intercept and read an unencrypted requests
\ No newline at end of file
diff --git a/webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Task.adoc b/webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Task.adoc
new file mode 100755
index 000000000..e6e7fea56
--- /dev/null
+++ b/webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Task.adoc
@@ -0,0 +1,4 @@
+=== Let's try
+Click the "log in" button to send a request containing login credentials of another user.
+Then, write these credentials into the appropriate fields and submit to confirm.
+Try using a packet sniffer to intercept the request.
diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml
index f19b0ba3c..c0bd2241a 100644
--- a/webgoat-lessons/pom.xml
+++ b/webgoat-lessons/pom.xml
@@ -19,6 +19,7 @@
cross-site-scripting
http-basics
http-proxies
+ insecure-login
jwt
sql-injection
xxe
diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml
index 8dff0cda9..2708a0055 100644
--- a/webgoat-server/pom.xml
+++ b/webgoat-server/pom.xml
@@ -116,6 +116,11 @@
idor
${project.version}
+
+ org.owasp.webgoat.lesson
+ insecure-login
+ ${project.version}
+
org.owasp.webgoat.lesson
jwt