diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java
index 4e9e2a372..b22d09d37 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java
@@ -2,6 +2,7 @@
 package org.owasp.webgoat.plugin;
 
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.UserSessionData;
@@ -45,6 +46,7 @@ import java.io.IOException;
  * @created October 28, 2003
  */
 @AssignmentPath("/CrossSiteScripting/attack6a")
+@AssignmentHints(value = {"xss-reflected-6a-hint-1", "xss-reflected-6a-hint-2", "xss-reflected-6a-hint-3", "xss-reflected-6a-hint-4"})
 public class CrossSiteScriptingLesson6a extends AssignmentEndpoint {
     @Autowired
     UserSessionData userSessionData;
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
index e3aecac2d..66cb0a4cc 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
@@ -11,7 +11,11 @@ xss-reflected-5a-hint-4=Just try purchasing something. You want your script to b
 xss-reflected-5b-success=Correct ... because <ul><li>The script was not triggered by the URL/QueryString</li><li>Even if you use the attack URL in a new tab, it won't execute (becuase of response type). Try it if you like.</li></ul>
 xss-reflected-5b-failure=Nope, pretty easy to guess now though.
 xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment.
-xss-reflected-6a-failure=No, look at the example. Check the <a href="/WebGoat/js/goatApp/view/GoatRouter.js" target="_blank">GoatRouter.js</a> file. It should be pretty easy to determine.
+xss-reflected-6a-failure=Sorry that's not correct. Look at the example again to understand what a valid route looks like. If you're stuck... hints might help.
+xss-reflected-6a-hint-1=To search through the client side code, use the developer tools of your browser. (If you don't know how to use them, check the <i>Developer Tools</i> Lesson in the general category.)
+xss-reflected-6a-hint-2=Since you are looking for application code, check the WebGoat/js/goatApp folder for a file that could handle the routes.
+xss-reflected-6a-hint-3=Make sure you add the base route at the start, when submitting your solution.
+xss-reflected-6a-hint-4=Still didn't find it? Check the <a href="/WebGoat/js/goatApp/view/GoatRouter.js" target="_blank">GoatRouter.js</a> file. It should be pretty easy to determine.
 xss.lesson1.failure=Are you sure? Try using a tab from a different site.
 xss-dom-message-success=Correct, I hope you didn't cheat, using the console!
 xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.