diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
index bd1e5a5f8..6d6e9db31 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
@@ -64,6 +64,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 security.and()
 .logout()
 .permitAll();
+ http.headers().cacheControl().disable();
 }
diff --git a/webgoat-container/src/main/resources/static/css/main.css b/webgoat-container/src/main/resources/static/css/main.css
index c05467ad1..dc79eafd1 100644
--- a/webgoat-container/src/main/resources/static/css/main.css
+++ b/webgoat-container/src/main/resources/static/css/main.css
@@ -925,4 +925,10 @@ cookie-container {
 .help-button {
 margin-right:4px;
+}
+
+/* ATTACK DISPLAY */
+
+div.attack-container {
+ display:none;
 }
\ No newline at end of file
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js b/webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js
index 17f77bbab..4fedc2bf5 100644
--- a/webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js
+++ b/webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js
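Review bot: In WebSecurityConfig.java the added `http.headers().cacheControl().disable();` turns off the `Cache-Control: no-cache, no-store`, `Pragma` and `Expires` headers that Spring Security writes by default, so authenticated lesson pages and responses become cacheable by the browser and by any intermediary. If the goal is only to let static assets be cached (not visible from the hunk), that is better configured on the static resource handling than by dropping the headers for every response. At minimum the line needs a comment recording the reason and the consequence, e.g. `// cache-control headers disabled because <reason>; authenticated responses are now cacheable`. The enclosing configure method starts outside the hunk.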
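Review bot: The new rule in main.css hides `div.attack-container`, a class selector, while `hideShowAttack` in LessonController.js shows and hides `div#attack-container`, an id selector, so the two only act on the same element if it carries both the class and the id. The main_new.html change is not readable here, so which one the markup uses cannot be confirmed; the selectors should be made to agree, e.g. `div#attack-container {` in the stylesheet if the element is identified by id. As written, either the container starts out visible or the button never reveals it.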
@@ -98,10 +98,11 @@ define(['jquery',
 hasPlan:this.lessonInfoModel.get('hasPlan'),
 hasSolution:this.lessonInfoModel.get('hasSolution'),
 hasSource:this.lessonInfoModel.get('hasSource'),
- hasHints:(this.lessonInfoModel.get('numberHints') > 0),
+ hasHints:(this.lessonInfoModel.get('numberHints') > 0)
+ //hasAttack:this.lessonInfo.get('hasAttack') // TODO: add attack options
 });
- this.listenTo(this.helpControlsView,'plan:show',this.hideShowHelps);
+ this.listenTo(this.helpControlsView,'attack:show',this.hideShowAttack);
 this.listenTo(this.helpControlsView,'solution:show',this.hideShowHelps);
 this.listenTo(this.helpControlsView,'hints:show',this.onShowHints)
 this.listenTo(this.helpControlsView,'source:show',this.hideShowHelps);
@@ -128,7 +129,6 @@ define(['jquery',
 this.lessonHintView = new HintView();
 this.cookieView = new CookieView();
- //TODO: instantiate model with values (not sure why was not working before)
 var paramModel = new ParamModel({});
 paramModel.set('scrParam',this.lessonContent.get('scrParam'));
@@ -180,6 +180,17 @@ define(['jquery',
 this.lessonHintView.render();
 };
+ this.hideShowAttack = function (options) { // will likely expand this to encompass
+ if (options.show) {
+ $('div#attack-container').show();
+ $('div#attack-container div.modal-header button.close, #about-modal div.modal-footer button').unbind('click').on('click', function() {
+ $('div#attack-container').hide(200);
+ });
+ //this.lessonView.makeFormsAjax();
+ //this.lessonView.ajaxifyAttackHref();
+ }
+ };
+
 this.restartLesson = function() {
 var self=this;
 var fragment = "attack/" + self.scr + "/" + self.menu;
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/HelpControlsView.js b/webgoat-container/src/main/resources/static/js/goatApp/view/HelpControlsView.js
index 2a3e6da6b..86235a16f 100644
--- a/webgoat-container/src/main/resources/static/js/goatApp/view/HelpControlsView.js
+++ b/webgoat-container/src/main/resources/static/js/goatApp/view/HelpControlsView.js
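Review bot: The commented-out `//hasAttack:this.lessonInfo.get('hasAttack')` in the first LessonController.js hunk reads from `this.lessonInfo`, whereas every live property in the same options object reads from `this.lessonInfoModel`; no `this.lessonInfo` is visible in the hunk, so uncommenting the line as written would likely throw. Either drop the dead line or write the TODO against the right model, e.g. `// TODO: pass hasAttack:this.lessonInfoModel.get('hasAttack') once the model exposes it`.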
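Review bot: In the new `hideShowAttack` the close handler is bound with `'div#attack-container div.modal-header button.close, #about-modal div.modal-footer button'`, and the second half of that selector targets the About dialog: `.unbind('click')` removes the jQuery click handlers on that dialog's footer button and rebinds it to hide the attack container. This looks carried over from the about-modal code; the footer part was probably meant to be `div#attack-container div.modal-footer button`. The function also reads `options.show` without a guard and does nothing when `show` is false, so there is no hide path despite the name, and the trailing comment `// will likely expand this to encompass` is cut off mid-sentence and should be completed or removed.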
@@ -29,8 +29,8 @@ function($,_,Backbone) {
 if (this.hasSolution) {
 this.$el.find('#show-solution-button').unbind().on('click',_.bind(this.showSolution,this)).show();
 }
- if (this.hasPlan) {
- this.$el.find('#show-plan-button').unbind().on('click',_.bind(this.showPlan,this)).show();
+ if (true) { //FIXME: change to this.hasAttack
+ this.$el.find('#show-attack-button').unbind().on('click',_.bind(this.showAttack,this)).show();
 }
 if (this.hasHints) {
 this.$el.find('#show-hints-button').unbind().on('click',_.bind(this.showHints,this)).show();
@@ -48,8 +48,8 @@ function($,_,Backbone) {
 this.trigger('solution:show','solution');
 },
- showPlan: function() {
- this.trigger('plan:show','plan');
+ showAttack: function() {
+ this.trigger('attack:show',{show:true});
 },
 showHints: function() {
diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js
index d51bf5946..fedb09450 100644
--- a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js
+++ b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js
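Review bot: `if (true) { //FIXME: change to this.hasAttack` in HelpControlsView.js shows `#show-attack-button` for every lesson, and nothing in this commit supplies the flag: LessonController.js passes `hasPlan`, `hasSolution`, `hasSource` and `hasHints` but leaves `hasAttack` commented out. The condition should be `if (this.hasAttack) {`, with the controller passing the value and the view's initializer (outside the hunk) storing it like the other flags. In the second hunk `showAttack` triggers `'attack:show'` with an object payload `{show:true}` where the sibling `'solution:show'` passes a string, which deserves a one-line comment on the expected payload shape.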
@@ -25,21 +25,21 @@ define(['jquery', //TODO: reimplement this in custom fashion maybe? makeFormsAjax: function () { var options = { - success:this.reLoadView.bind(this), + success:this.onAttackExecution.bind(this), url: this.model.urlRoot, type:'GET' // $.ajax options can be used here too, for example: //timeout: 3000 }; //hook forms //TODO: clarify form selectors later - $("form").ajaxForm(options); + $("form.attack-form").ajaxForm(options); }, ajaxifyAttackHref: function() { // rewrite any links with hrefs point to relative attack URLs var self = this; // The current LessonAdapter#getLink() generates a hash-mark link. It will not match the mask below. // Besides, the new MVC code registers an event handler that will reload the lesson according to the route. - $.each($('a[href^="attack?"]'),function(i,el) { + $.each($('a[href^="attack?"]'),function(i,el) { //FIXME: need to figure out what to do here ... var url = $(el).attr('href'); $(el).unbind('click').attr('href','#').attr('link',url); //TODO pull currentMenuId @@ -54,10 +54,15 @@ define(['jquery', }); }, - reLoadView: function(content) { - this.model.setContent(content); - this.render(); + onAttackExecution: function(feedback) { + console.log('attack executed') + this.renderFeedback(feedback); + }, + + renderFeedback: function(feedback) { + this.$el.find('feedback').html(feedback); } + }); diff --git a/webgoat-container/src/main/resources/templates/main_new.html b/webgoat-container/src/main/resources/templates/main_new.html index ad9585803..beea32f46 100644 --- a/webgoat-container/src/main/resources/templates/main_new.html +++ b/webgoat-container/src/main/resources/templates/main_new.html @@ -113,13 +113,12 @@ - - + +
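Review bot: `renderFeedback` in LessonContentView.js looks up `this.$el.find('feedback')`, which matches a `<feedback>` element rather than a class or id, so unless the template really contains such a tag the response is silently dropped; `.feedback` or `#feedback` was probably intended. The response body is then written with `.html(feedback)`, which parses it as markup, and since the attack forms submit user input, anything the server echoes back unencoded is interpreted by the page; use `.text(feedback)` if the feedback is plain text, or document that the endpoint returns server-encoded HTML. `console.log('attack executed')` in `onAttackExecution` is debug output with no terminating semicolon and should be removed before merge.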