diff --git a/.gitignore b/.gitignore
index 549b59a14..3f7a13aae 100644
--- a/.gitignore
+++ b/.gitignore
@@ -50,4 +50,5 @@ webgoat-lessons/vulnerable-components/dependency-reduced-pom.xml
 webgoat.lck
 webgoat.log
 webgoat.properties
-webgoat.script
\ No newline at end of file
+webgoat.script
+TestClass.class
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingMitigation.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingMitigation.java
new file mode 100644
index 000000000..c970bbb08
--- /dev/null
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingMitigation.java
@@ -0,0 +1,64 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since October 12, 2016
+ */
+public class CrossSiteScriptingMitigation extends NewLesson {
+    @Override
+    public Category getDefaultCategory() {
+        return Category.XSS;
+    }
+
+    @Override
+    public List<String> getHints() {
+        List<String> hints = new ArrayList<String>();
+        return hints;
+    }
+
+    @Override
+    public Integer getDefaultRanking() {
+        return 3;
+    }
+
+    @Override
+    public String getTitle() {
+        return "xss-mitigation.title";
+    }
+
+    @Override
+    public String getId() {
+        return "CrossSiteScriptingMitigation";
+    }
+}
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingStored.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingStored.java
new file mode 100644
index 000000000..e6078dc01
--- /dev/null
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingStored.java
@@ -0,0 +1,64 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since October 12, 2016
+ */
+public class CrossSiteScriptingStored extends NewLesson {
+    @Override
+    public Category getDefaultCategory() {
+        return Category.XSS;
+    }
+
+    @Override
+    public List<String> getHints() {
+        List<String> hints = new ArrayList<String>();
+        return hints;
+    }
+
+    @Override
+    public Integer getDefaultRanking() {
+        return 2;
+    }
+
+    @Override
+    public String getTitle() {
+        return "xss-stored.title";
+    }
+
+    @Override
+    public String getId() {
+        return "CrossSiteScriptingStored";
+    }
+}
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html
index 64e7a03e1..6c4d87ff7 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html
@@ -222,89 +222,4 @@
 		<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
 	</div>
 </div>
-
-<div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content7.adoc"></div>
-</div>
-
-<div class="lesson-page-wrapper">
-
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content7b.adoc"></div>
-
-	<!-- comment area -->
-    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/stored-xss.css}"/>
-	<script th:src="@{/lesson_js/stored-xss.js}" language="JavaScript"></script>
-
-		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-
-		<div class="container-fluid">
-			<div class="panel post">
-				<div class="post-heading">
-					<div class="pull-left image">
-						<img th:src="@{/images/avatar1.png}"
-							 class="img-circle avatar" alt="user profile image"/>
-					</div>
-					<div class="pull-left meta">
-						<div class="title h5">
-							<a href="#"><b>John Doe</b></a>
-							uploaded a photo.
-						</div>
-						<h6 class="text-muted time">24 days ago</h6>
-					</div>
-				</div>
-
-				<div class="post-image">
-					<img th:src="@{images/cat.jpg}" class="image" alt="image post"/>
-				</div>
-
-				<div class="post-description">
-
-				</div>
-				<div class="post-footer">
-					<div class="input-group">
-						<input class="form-control" id="commentInput" placeholder="Add a comment" type="text"/>
-						<span class="input-group-addon">
-                                <i id="postComment" class="fa fa-edit" style="font-size: 20px"></i>
-                            </span>
-					</div>
-					<ul class="comments-list">
-						<div id="list">
-						</div>
-					</ul>
-				</div>
-			</div>
-		</div>
-		<!-- end comments -->
-
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content7c.adoc"></div>
-
-	<div class="attack-container">
-		<!-- this will be where they can store the additional comment -->
-		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-
-		<form class="attack-form" accept-charset="UNKNOWN"
-			  method="POST" name="DOMFollowUp"
-			  action="/WebGoat/CrossSiteScripting/stored-xss-follow-up"
-			  enctype="application/json;charset=UTF-8">
-			<input name="successMessage" value="" type="TEXT" />
-			<input name="submitMessage" value="Submit" type="SUBMIT"/>
-		</form>
-		<!-- do not remove the two following div's, this is where your feedback/output will land -->
-		<div class="attack-feedback"></div>
-		<div class="attack-output"></div>
-		<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
-	</div>
-</div>
-
-<div class="lesson-page-wrapper">
-    <!-- overview of XSS defenses -->
-    <div class="adoc-content" th:replace="doc:CrossSiteScripting_content8.adoc"></div>
-</div>
-
-<div class="lesson-page-wrapper">
-    <!-- links to OWASP XSS resources mainly -->
-    <div class="adoc-content" th:replace="doc:CrossSiteScripting_content9.adoc"></div>
-</div>
-
-
 </html>
\ No newline at end of file
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html
new file mode 100644
index 000000000..46a1eb3c8
--- /dev/null
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+<div class="lesson-page-wrapper">
+	<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+	<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+    which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+	<div class="adoc-content" th:replace="doc:CrossSiteScriptingMitigation_plan.adoc"></div>
+</div>
+<div class="lesson-page-wrapper">
+	<!-- overview of XSS defenses -->
+	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+	<!-- links to OWASP XSS resources mainly -->
+	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content9.adoc"></div>
+</div>
+
+</html>
\ No newline at end of file
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingStored.html b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingStored.html
new file mode 100644
index 000000000..1d8eaa308
--- /dev/null
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingStored.html
@@ -0,0 +1,85 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+<div class="lesson-page-wrapper">
+	<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+	<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+    which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+	<div class="adoc-content" th:replace="doc:CrossSiteScriptingStored_plan.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content7.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+
+	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content7b.adoc"></div>
+
+	<!-- comment area -->
+	<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/stored-xss.css}"/>
+	<script th:src="@{/lesson_js/stored-xss.js}" language="JavaScript"></script>
+
+	<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+
+	<div class="container-fluid">
+		<div class="panel post">
+			<div class="post-heading">
+				<div class="pull-left image">
+					<img th:src="@{/images/avatar1.png}"
+						 class="img-circle avatar" alt="user profile image"/>
+				</div>
+				<div class="pull-left meta">
+					<div class="title h5">
+						<a href="#"><b>John Doe</b></a>
+						uploaded a photo.
+					</div>
+					<h6 class="text-muted time">24 days ago</h6>
+				</div>
+			</div>
+
+			<div class="post-image">
+				<img th:src="@{images/cat.jpg}" class="image" alt="image post"/>
+			</div>
+
+			<div class="post-description">
+
+			</div>
+			<div class="post-footer">
+				<div class="input-group">
+					<input class="form-control" id="commentInput" placeholder="Add a comment" type="text"/>
+					<span class="input-group-addon">
+                                <i id="postComment" class="fa fa-edit" style="font-size: 20px"></i>
+                            </span>
+				</div>
+				<ul class="comments-list">
+					<div id="list">
+					</div>
+				</ul>
+			</div>
+		</div>
+	</div>
+	<!-- end comments -->
+
+	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content7c.adoc"></div>
+
+	<div class="attack-container">
+		<!-- this will be where they can store the additional comment -->
+		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+
+		<form class="attack-form" accept-charset="UNKNOWN"
+			  method="POST" name="DOMFollowUp"
+			  action="/WebGoat/CrossSiteScripting/stored-xss-follow-up"
+			  enctype="application/json;charset=UTF-8">
+			<input name="successMessage" value="" type="TEXT" />
+			<input name="submitMessage" value="Submit" type="SUBMIT"/>
+		</form>
+		<!-- do not remove the two following div's, this is where your feedback/output will land -->
+		<div class="attack-feedback"></div>
+		<div class="attack-output"></div>
+		<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
+	</div>
+</div>
+
+</html>
\ No newline at end of file
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
index 880258b1d..36e433c58 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
@@ -1,5 +1,7 @@
 # XSS success, failure messages and hints
 xss.title=Cross Site Scripting
+xss-stored.title=Cross Site Scripting (stored)
+xss-mitigation.title=Cross Site Scripting (mitigation)
 xss-reflected-5a-success=well done, but alerts aren't very impressive are they? Please continue.
 xss-reflected-5a-failure=Try again. We do want to see this specific javascript (in case you are trying to do something more fancy)
 xss-reflected-5b-success=Correct ... because <ul><li>The script was not triggered by the URL/QueryString</li><li>Even if you use the attack URL in a new tab, it won't execute (becuase of response type). Try it if you like.</li></ul>
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScriptingMitigation_plan.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScriptingMitigation_plan.adoc
new file mode 100644
index 000000000..4a562e0dc
--- /dev/null
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScriptingMitigation_plan.adoc
@@ -0,0 +1,15 @@
+== Concept 
+
+This lesson describes what is Cross-Site Scripting (XSS) and how it can be manipulated to perform tasks that were not the original intent of the developer.
+
+== Goals
+
+* The user should have a basic understand how XSS works.
+* The user will understand the best practices for defending against XSS injection attacks
+* The user will demonstrate knowledge on:
+** Reflected XSS Injection
+** Stored XSS Injection
+** Dom-Based XSS Injection
+
+
+
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScriptingStored_plan.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScriptingStored_plan.adoc
new file mode 100644
index 000000000..4a562e0dc
--- /dev/null
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScriptingStored_plan.adoc
@@ -0,0 +1,15 @@
+== Concept 
+
+This lesson describes what is Cross-Site Scripting (XSS) and how it can be manipulated to perform tasks that were not the original intent of the developer.
+
+== Goals
+
+* The user should have a basic understand how XSS works.
+* The user will understand the best practices for defending against XSS injection attacks
+* The user will demonstrate knowledge on:
+** Reflected XSS Injection
+** Stored XSS Injection
+** Dom-Based XSS Injection
+
+
+