diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
index 333d29b2c..79881e6e4 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
@@ -11,7 +11,5 @@ public interface SolutionConstants {
 //TODO should be random generated when starting the server
 String PASSWORD = "!!webgoat_admin_1234!!";
 String PASSWORD_TOM = "thisisasecretfortomonly";
- String PASSWORD_LARRY = "larryknows";
- String JWT_PASSWORD = "victory";
 String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
 }
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java
deleted file mode 100644
index 2fd355bd3..000000000
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java
+++ /dev/null
@@ -1,150 +0,0 @@
-package org.owasp.webgoat.plugin.challenge3;
-
-import com.beust.jcommander.internal.Lists;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.common.collect.EvictingQueue;
-import com.google.common.collect.Maps;
-import com.google.common.io.Files;
-import lombok.SneakyThrows;
-import lombok.extern.slf4j.Slf4j;
-import org.joda.time.DateTime;
-import org.joda.time.format.DateTimeFormat;
-import org.joda.time.format.DateTimeFormatter;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.plugin.Flag;
-import org.owasp.webgoat.session.WebSession;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.http.MediaType;
-import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestHeader;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.annotation.PostConstruct;
-import javax.xml.bind.JAXBContext;
-import javax.xml.bind.Unmarshaller;
-import javax.xml.stream.XMLInputFactory;
-import javax.xml.stream.XMLStreamReader;
-import java.io.File;
-import java.io.IOException;
-import java.io.StringReader;
-import java.nio.charset.Charset;
-import java.util.Collection;
-import java.util.Map;
-
-import static org.springframework.http.MediaType.ALL_VALUE;
-import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
-import static org.springframework.web.bind.annotation.RequestMethod.GET;
-import static org.springframework.web.bind.annotation.RequestMethod.POST;
-
-/**
- * @author nbaars
- * @since 4/8/17.
- */
-@AssignmentPath("/challenge/3")
-@Slf4j
-public class Assignment3 extends AssignmentEndpoint {
-
- @Value("${webgoat.server.directory}")
- private String webGoatHomeDirectory;
- @Autowired
- private WebSession webSession;
- private static DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss");
-
- private static final Map> userComments = Maps.newHashMap();
- private static final EvictingQueue comments = EvictingQueue.create(100);
- private static final String secretContents = "Congratulations you may now collect your flag";
-
- static {
- comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "Silly cat...."));
- comments.add(new Comment("guest", DateTime.now().toString(fmt), "I think I will use this picture in one of my projects."));
- comments.add(new Comment("guest", DateTime.now().toString(fmt), "Lol!! :-)."));
- }
-
- @PostConstruct
- @SneakyThrows
- public void copyFile() {
- File targetDirectory = new File(webGoatHomeDirectory);
- if (!targetDirectory.exists()) {
- targetDirectory.mkdir();
- }
- log.info("Copied secret.txt to: {}", targetDirectory);
- Files.write(secretContents, new File(targetDirectory, "secret.txt"), Charset.defaultCharset());
- }
-
- @RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE)
- @ResponseBody
- public Collection retrieveComments() {
- Collection allComments = Lists.newArrayList();
- Collection xmlComments = userComments.get(webSession.getUserName());
- if (xmlComments != null) {
- allComments.addAll(xmlComments);
- }
- allComments.addAll(comments);
- return allComments;
- }
-
- @RequestMapping(method = POST, consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
- @ResponseBody
- public AttackResult createNewComment(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
- Comment comment = null;
- AttackResult attackResult = failed().build();
- if (APPLICATION_JSON_VALUE.equals(contentType)) {
- comment = parseJson(commentStr);
- comment.setDateTime(DateTime.now().toString(fmt));
- comment.setUser(webSession.getUserName());
- comments.add(comment);
- }
- if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
- //Do not show these comments to all users
- comment = parseXml(commentStr);
- comment.setDateTime(DateTime.now().toString(fmt));
- comment.setUser(webSession.getUserName());
- EvictingQueue comments = userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100));
- comments.add(comment);
- userComments.put(webSession.getUserName(), comments);
- }
- if (checkSolution(comment)) {
- attackResult = success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(3)).build();
- }
- return attackResult;
- }
-
- private boolean checkSolution(Comment comment) {
- if (comment.getText().contains(secretContents)) {
- comment.setText("Congratulations to " + webSession.getUserName() + " for finding the flag!! Check your original response where you posted the XXE attack ");
- comments.add(comment);
- return true;
- }
- return false;
- }
-
- public static Comment parseXml(String xml) throws Exception {
- JAXBContext jc = JAXBContext.newInstance(Comment.class);
-
- XMLInputFactory xif = XMLInputFactory.newFactory();
- xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true);
- xif.setProperty(XMLInputFactory.IS_VALIDATING, false);
-
- xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
- XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
-
- Unmarshaller unmarshaller = jc.createUnmarshaller();
- return (Comment) unmarshaller.unmarshal(xsr);
- }
-
- private Comment parseJson(String comment) {
- ObjectMapper mapper = new ObjectMapper();
- try {
- return mapper.readValue(comment, Comment.class);
- } catch (IOException e) {
- return new Comment();
- }
- }
-
-
-}
-
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Challenge3.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Challenge3.java
deleted file mode 100644
index 91a05d4ea..000000000
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Challenge3.java
+++ /dev/null
@@ -1,39 +0,0 @@
-package org.owasp.webgoat.plugin.challenge3;
-
-import com.google.common.collect.Lists;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.NewLesson;
-
-import java.util.List;
-
-/**
- * @author nbaars
- * @since 3/21/17.
- */
-public class Challenge3 extends NewLesson {
-
- @Override
- public Category getDefaultCategory() {
- return Category.CHALLENGE;
- }
-
- @Override
- public List getHints() {
- return Lists.newArrayList();
- }
-
- @Override
- public Integer getDefaultRanking() {
- return 10;
- }
-
- @Override
- public String getTitle() {
- return "challenge3.title";
- }
-
- @Override
- public String getId() {
- return "Challenge3";
- }
-}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java
deleted file mode 100644
index 0ea3e0d07..000000000
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java
+++ /dev/null
@@ -1,24 +0,0 @@
-package org.owasp.webgoat.plugin.challenge3;
-
-import lombok.AllArgsConstructor;
-import lombok.Getter;
-import lombok.NoArgsConstructor;
-import lombok.Setter;
-
-import javax.xml.bind.annotation.XmlRootElement;
-
-/**
- * @author nbaars
- * @since 4/8/17.
- */
-@Getter
-@Setter
-@AllArgsConstructor
-@NoArgsConstructor
-@XmlRootElement
-public class Comment {
- private String user;
- private String dateTime;
- private String text;
-}
-
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Assignment4.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Assignment4.java
deleted file mode 100644
index 199ac4d62..000000000
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Assignment4.java
+++ /dev/null
@@ -1,17 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentPath;
-
-/**
- * @author nbaars
- * @since 5/3/17.
- */
-@AssignmentPath("/challenge/4")
-@Slf4j
-public class Assignment4 extends AssignmentEndpoint {
-
- //just empty, posting the flag will mark the challenge as done as well no need to specify an endpoint here
-
-}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Challenge4.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Challenge4.java
deleted file mode 100644
index 0e878d761..000000000
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Challenge4.java
+++ /dev/null
@@ -1,39 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-import com.google.common.collect.Lists;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.NewLesson;
-
-import java.util.List;
-
-/**
- * @author nbaars
- * @since 3/21/17.
- */
-public class Challenge4 extends NewLesson {
-
- @Override
- public Category getDefaultCategory() {
- return Category.CHALLENGE;
- }
-
- @Override
- public List getHints() {
- return Lists.newArrayList();
- }
-
- @Override
- public Integer getDefaultRanking() {
- return 10;
- }
-
- @Override
- public String getTitle() {
- return "challenge4.title";
- }
-
- @Override
- public String getId() {
- return "Challenge4";
- }
-}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Views.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Views.java
deleted file mode 100644
index e9f47594c..000000000
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Views.java
+++ /dev/null
@@ -1,16 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-/**
- * @author nbaars
- * @since 4/30/17.
- */
-public class Views {
- interface GuestView {
- }
-
- interface UserView extends GuestView {
- }
-
- interface AdminView extends UserView {
- }
-}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Vote.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Vote.java
deleted file mode 100644
index ccb51c3b1..000000000
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Vote.java
+++ /dev/null
@@ -1,49 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-import com.fasterxml.jackson.annotation.JsonView;
-import lombok.Getter;
-import lombok.Setter;
-
-/**
- * @author nbaars
- * @since 5/2/17.
- */
-@Getter
-public class Vote {
- @JsonView(Views.GuestView.class)
- private final String title;
- @JsonView(Views.GuestView.class)
- private final String information;
- @JsonView(Views.GuestView.class)
- private final String imageSmall;
- @JsonView(Views.GuestView.class)
- private final String imageBig;
- @JsonView(Views.UserView.class)
- private int numberOfVotes;
- @JsonView(Views.AdminView.class)
- @Setter
- private String flag;
- @JsonView(Views.UserView.class)
- private boolean votingAllowed = true;
- @JsonView(Views.UserView.class)
- private long average = 0;
-
-
- public Vote(String title, String information, String imageSmall, String imageBig, int numberOfVotes, int totalVotes) {
- this.title = title;
- this.information = information;
- this.imageSmall = imageSmall;
- this.imageBig = imageBig;
- this.numberOfVotes = numberOfVotes;
- this.average = calculateStars(totalVotes);
- }
-
- public void incrementNumberOfVotes(int totalVotes) {
- this.numberOfVotes = this.numberOfVotes + 1;
- this.average = calculateStars(totalVotes);
- }
-
- private long calculateStars(int totalVotes) {
- return Math.round(((double) numberOfVotes / (double) totalVotes) * 4);
- }
-}
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/VotesEndpoint.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/VotesEndpoint.java
deleted file mode 100644
index 619e35c13..000000000
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/VotesEndpoint.java
+++ /dev/null
@@ -1,124 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-import com.google.common.collect.Maps;
-import io.jsonwebtoken.*;
-import org.apache.commons.lang3.StringUtils;
-import org.springframework.http.HttpStatus;
-import org.springframework.http.ResponseEntity;
-import org.springframework.http.converter.json.MappingJacksonValue;
-import org.springframework.web.bind.annotation.*;
-
-import javax.annotation.PostConstruct;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletResponse;
-import java.util.Collection;
-import java.util.Date;
-import java.util.Map;
-import java.util.concurrent.TimeUnit;
-
-import static java.util.Comparator.comparingLong;
-import static java.util.Optional.ofNullable;
-import static java.util.stream.Collectors.toList;
-import static org.owasp.webgoat.plugin.Flag.FLAGS;
-import static org.owasp.webgoat.plugin.SolutionConstants.JWT_PASSWORD;
-
-/**
- * @author nbaars
- * @since 4/23/17.
- */
-@RestController
-@RequestMapping("/votings")
-public class VotesEndpoint {
-
- private static String validUsers = "TomJerrySylvester";
-
- private static int totalVotes = 38929;
- private Map votes = Maps.newHashMap();
-
- @PostConstruct
- public void initVotes() {
- votes.put("Admin lost password", new Vote("Admin lost password",
- "In this challenge you will need to help the admin and find the password in order to login",
- "challenge1-small.png", "challenge1.png", 36000, totalVotes));
- votes.put("Vote for your favourite",
- new Vote("Vote for your favourite",
- "In this challenge ...",
- "challenge5-small.png", "challenge5.png", 30000, totalVotes));
- votes.put("Get it for free",
- new Vote("Get it for free",
- "The objective for this challenge is to buy a Samsung phone for free.",
- "challenge2-small.png", "challenge2.png", 20000, totalVotes));
- votes.put("Photo comments",
- new Vote("Photo comments",
- "n this challenge you can comment on the photo you will need to find the flag somewhere.",
- "challenge3-small.png", "challenge3.png", 10000, totalVotes));
- }
-
- @GetMapping("/login")
- public void login(@RequestParam("user") String user, HttpServletResponse response) {
- if (validUsers.contains(user)) {
- Map claims = Maps.newHashMap();
- claims.put("admin", "false");
- claims.put("user", user);
- String token = Jwts.builder()
- .setIssuedAt(new Date(System.currentTimeMillis() + TimeUnit.DAYS.toDays(10)))
- .setClaims(claims)
- .signWith(SignatureAlgorithm.HS512, JWT_PASSWORD)
- .compact();
- Cookie cookie = new Cookie("access_token", token);
- response.addCookie(cookie);
- response.setStatus(HttpStatus.OK.value());
- } else {
- Cookie cookie = new Cookie("access_token", "");
- response.addCookie(cookie);
- response.setStatus(HttpStatus.UNAUTHORIZED.value());
- }
- }
-
- @GetMapping
- public MappingJacksonValue getVotes(@CookieValue(value = "access_token", required = false) String accessToken) {
- MappingJacksonValue value = new MappingJacksonValue(votes.values().stream().sorted(comparingLong(Vote::getAverage).reversed()).collect(toList()));
- if (StringUtils.isEmpty(accessToken)) {
- value.setSerializationView(Views.GuestView.class);
- } else {
- try {
- Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
- Claims claims = (Claims) jwt.getBody();
- String user = (String) claims.get("user");
- boolean isAdmin = Boolean.valueOf((String) claims.get("admin"));
- if ("Guest".equals(user) || !validUsers.contains(user)) {
- value.setSerializationView(Views.GuestView.class);
- } else {
- ((Collection) value.getValue()).forEach(v -> v.setFlag(FLAGS.get(4)));
- value.setSerializationView(isAdmin ? Views.AdminView.class : Views.UserView.class);
- }
- } catch (JwtException e) {
- value.setSerializationView(Views.GuestView.class);
- }
- }
- return value;
- }
-
- @PostMapping(value = "{title}")
- @ResponseBody
- @ResponseStatus(HttpStatus.ACCEPTED)
- public ResponseEntity vote(@PathVariable String title, @CookieValue(value = "access_token", required = false) String accessToken) {
- if (StringUtils.isEmpty(accessToken)) {
- return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
- } else {
- try {
- Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
- Claims claims = (Claims) jwt.getBody();
- String user = (String) claims.get("user");
- if (validUsers.contains(user)) {
- ofNullable(votes.get(title)).ifPresent(v -> v.incrementNumberOfVotes(totalVotes));
- return ResponseEntity.accepted().build();
- } else {
- return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
- }
- } catch (JwtException e) {
- return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
- }
- }
- }
-}
diff --git a/webgoat-lessons/challenge/src/main/resources/css/challenge3.css b/webgoat-lessons/challenge/src/main/resources/css/challenge3.css
deleted file mode 100644
index 3bc2ca4eb..000000000
--- a/webgoat-lessons/challenge/src/main/resources/css/challenge3.css
+++ /dev/null
@@ -1,75 +0,0 @@
-/* Component: Posts */
-.post .post-heading {
- height: 95px;
- padding: 20px 15px;
-}
-.post .post-heading .avatar {
- width: 60px;
- height: 60px;
- display: block;
- margin-right: 15px;
-}
-.post .post-heading .meta .title {
- margin-bottom: 0;
-}
-.post .post-heading .meta .title a {
- color: black;
-}
-.post .post-heading .meta .title a:hover {
- color: #aaaaaa;
-}
-.post .post-heading .meta .time {
- margin-top: 8px;
- color: #999;
-}
-.post .post-image .image {
- width:20%;
- height: 40%;
-}
-.post .post-description {
- padding: 5px;
-}
-.post .post-footer {
- border-top: 1px solid #ddd;
- padding: 15px;
-}
-.post .post-footer .input-group-addon a {
- color: #454545;
-}
-.post .post-footer .comments-list {
- padding: 0;
- margin-top: 20px;
- list-style-type: none;
-}
-.post .post-footer .comments-list .comment {
- display: block;
- width: 100%;
- margin: 20px 0;
-}
-.post .post-footer .comments-list .comment .avatar {
- width: 35px;
- height: 35px;
-}
-.post .post-footer .comments-list .comment .comment-heading {
- display: block;
- width: 100%;
-}
-.post .post-footer .comments-list .comment .comment-heading .user {
- font-size: 14px;
- font-weight: bold;
- display: inline;
- margin-top: 0;
- margin-right: 10px;
-}
-.post .post-footer .comments-list .comment .comment-heading .time {
- font-size: 12px;
- color: #aaa;
- margin-top: 0;
- display: inline;
-}
-.post .post-footer .comments-list .comment .comment-body {
- margin-left: 50px;
-}
-.post .post-footer .comments-list .comment > .comments-list {
- margin-left: 50px;
-}
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/resources/css/challenge4.css b/webgoat-lessons/challenge/src/main/resources/css/challenge4.css
deleted file mode 100644
index 590e2a4b0..000000000
--- a/webgoat-lessons/challenge/src/main/resources/css/challenge4.css
+++ /dev/null
@@ -1,12 +0,0 @@ -a.list-group-item { - height:auto; -} -a.list-group-item.active small { - color:#fff; -} -.stars { - margin:20px auto 1px; -} -.img-responsive { - min-width: 100%; -} \ No newline at end of file diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge3.html b/webgoat-lessons/challenge/src/main/resources/html/Challenge3.html deleted file mode 100644 index 62255ab95..000000000 --- a/webgoat-lessons/challenge/src/main/resources/html/Challenge3.html +++ /dev/null @@ -1,72 +0,0 @@ - - - - - -
-
- - -
-
- -
-
-
-
- user profile image -
-
-
- John Doe - uploaded a photo. -
-
24 days ago
-
-
- -
- image post -
- -
- -
- -
-
- -
-
-
-
- -
-
- -
-
- -
- - -
-
-
-
-
- \ No newline at end of file diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge4.html b/webgoat-lessons/challenge/src/main/resources/html/Challenge4.html deleted file mode 100644 index f760beffe..000000000 --- a/webgoat-lessons/challenge/src/main/resources/html/Challenge4.html +++ /dev/null @@ -1,75 +0,0 @@ - - - - - -
-
- - - -
-
-
- -
- -
-
- -
-

Welcome back,

-
-
- -
-

Vote for your favorite

-
-
- -
-
-
-
- -
-
-
-
-
- -
-
- -
-
- -
- -
-
-
-
-
- - \ No newline at end of file diff --git a/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties index e79acbac5..267502639 100644 --- a/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties @@ -2,7 +2,6 @@ challenge0.title=WebGoat Challenge challenge1.title=Admin lost password challenge2.title=Get it for free challenge3.title=Photo comments -challenge4.title=Voting challenge5.title=Without password challenge6.title=Creating a new account challenge7.title=Admin password reset diff --git a/webgoat-lessons/challenge/src/main/resources/images/cat.jpg b/webgoat-lessons/challenge/src/main/resources/images/cat.jpg deleted file mode 100644 index e0e1fb983..000000000 Binary files a/webgoat-lessons/challenge/src/main/resources/images/cat.jpg and /dev/null differ diff --git a/webgoat-lessons/challenge/src/main/resources/js/challenge3.js b/webgoat-lessons/challenge/src/main/resources/js/challenge3.js deleted file mode 100644 index fb902e050..000000000 --- a/webgoat-lessons/challenge/src/main/resources/js/challenge3.js +++ /dev/null @@ -1,45 +0,0 @@ -$(document).ready(function () { - $("#postComment").on("click", function () { - var commentInput = $("#commentInput").val(); - $.ajax({ - type: 'POST', - url: 'challenge/3', - data: JSON.stringify({text: commentInput}), - contentType: "application/json", - dataType: 'json' - }).then( - function () { - getChallenges(); - $("#commentInput").val(''); - } - ) - }) - - var html = '
  • ' + - '
    ' + - 'avatar' + - '
    ' + - '
    ' + - '
    ' + - '

    USER

    ' + - '
    DATETIME
    ' + - '
    ' + - '

    COMMENT

    ' + - '
    ' + - '
  • '; - - getChallenges(); - - function getChallenges() { - $("#list").empty(); - $.get("challenge/3", function (result, status) { - for (var i = 0; i < result.length; i++) { - var comment = html.replace('USER', result[i].user); - comment = comment.replace('DATETIME', result[i].dateTime); - comment = comment.replace('COMMENT', result[i].text); - $("#list").append(comment); - } - - }); - } -}) \ No newline at end of file diff --git a/webgoat-lessons/challenge/src/main/resources/js/challenge4.js b/webgoat-lessons/challenge/src/main/resources/js/challenge4.js deleted file mode 100644 index 5c9d6a38d..000000000 --- a/webgoat-lessons/challenge/src/main/resources/js/challenge4.js +++ /dev/null @@ -1,84 +0,0 @@ -$(document).ready(function () { - login('Guest'); -}) - -function login(user) { - $("#name").text(user); - $.ajax({ - url: "votings/login?user=" + user, - complete: function (result, status) { - getVotings(); - } - }); -} - -var html = '' + - '
    ' + - '
    ' + - 'placehold.it/350x250' + - '
    ' + - '
    ' + - '
    ' + - '

    TITLE

    ' + - '

    INFORMATION

    ' + - '
    ' + - '
    ' + - '

    NO_VOTES' + - ' votes' + - '

    ' + - '' + - '
    ' + - '' + - '' + - '' + - '' + - '
    ' + - '

    Average AVERAGE /4

    ' + - '
    ' + - '
    ' + - '
    ';
-
-function getVotings() {
- $("#votesList").empty();
- $.get("votings/", function (result, status) {
- for (var i = 0; i < result.length; i++) {
- var voteTemplate = html.replace('IMAGE_SMALL', result[i].imageSmall);
- if (i === 0) {
- voteTemplate = voteTemplate.replace('ACTIVE', 'active');
- voteTemplate = voteTemplate.replace('BUTTON', 'btn-default');
- } else {
- voteTemplate = voteTemplate.replace('ACTIVE', '');
- voteTemplate = voteTemplate.replace('BUTTON', 'btn-primary');
- }
- voteTemplate = voteTemplate.replace(/TITLE/g, result[i].title);
- voteTemplate = voteTemplate.replace('INFORMATION', result[i].information || '');
- voteTemplate = voteTemplate.replace('NO_VOTES', result[i].numberOfVotes || '');
- voteTemplate = voteTemplate.replace('AVERAGE', result[i].average || '');
-
- var hidden = (result[i].numberOfVotes === undefined ? 'hidden' : '');
- voteTemplate = voteTemplate.replace(/HIDDEN_VIEW_VOTES/g, hidden);
- hidden = (result[i].average === undefined ? 'hidden' : '');
- voteTemplate = voteTemplate.replace(/HIDDEN_VIEW_RATING/g, hidden);
-
- $("#votesList").append(voteTemplate);
- }
- })
-}
-
-function vote(title) {
- var user = $("#name").text();
- if (user === 'Guest') {
- alert("As a guest you are not allowed to vote, please login first.")
- } else {
- $.ajax({
- type: 'POST',
- url: 'votings/' + title
- }).then(
- function () {
- getVotings();
- }
- )
- }
-}
-
-
diff --git a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_3.adoc b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_3.adoc
deleted file mode 100644
index 396cbfa0f..000000000
--- a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_3.adoc
+++ /dev/null
@@ -1 +0,0 @@
-Changing language can help you find the 'secret' file
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_4.adoc b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_4.adoc
deleted file mode 100644
index 883d4be45..000000000
--- a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_4.adoc
+++ /dev/null
@@ -1 +0,0 @@
-Try to change to a different user, maybe you can find the flag?
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge4/VotesEndpointTest.java b/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge4/VotesEndpointTest.java
deleted file mode 100644
index 322cf8873..000000000
--- a/webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge4/VotesEndpointTest.java
+++ /dev/null
@@ -1,161 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-import org.hamcrest.CoreMatchers;
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.runners.MockitoJUnitRunner;
-import org.owasp.webgoat.plugin.Flag;
-import org.springframework.test.web.servlet.MockMvc;
-import org.springframework.test.web.servlet.MvcResult;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-
-import javax.servlet.http.Cookie;
-
-import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
-/**
- * @author nbaars
- * @since 5/2/17.
- */
-@RunWith(MockitoJUnitRunner.class)
-public class VotesEndpointTest {
-
- private MockMvc mockMvc;
-
- @Before
- public void setup() {
- VotesEndpoint votesEndpoint = new VotesEndpoint();
- votesEndpoint.initVotes();
- new Flag().initFlags();
- this.mockMvc = standaloneSetup(votesEndpoint).build();
- }
-
- @Test
- public void loginWithUnknownUser() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
- .param("user", "uknown"))
- .andExpect(unauthenticated());
- }
-
- @Test
- public void loginWithTomShouldGiveJwtToken() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
- .param("user", "Tom"))
- .andExpect(status().isOk()).andExpect(cookie().exists("access_token"));
- }
-
- @Test
- public void loginWithGuestShouldNotGiveJwtToken() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
- .param("user", "Guest"))
- .andExpect(unauthenticated()).andExpect(cookie().value("access_token", ""));
- }
-
- @Test
- public void userShouldSeeMore() throws Exception {
- MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
- .param("user", "Tom"))
- .andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn();
- mockMvc.perform(MockMvcRequestBuilders.get("/votings")
- .cookie(mvcResult.getResponse().getCookie("access_token")))
- .andExpect(jsonPath("$.[*].numberOfVotes").exists());
- }
-
- @Test
- public void guestShouldNotSeeNumberOfVotes() throws Exception {
- MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
- .param("user", "Guest"))
- .andExpect(unauthenticated()).andExpect(cookie().exists("access_token")).andReturn();
- mockMvc.perform(MockMvcRequestBuilders.get("/votings")
- .cookie(mvcResult.getResponse().getCookie("access_token")))
- .andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
- }
-
- @Test
- public void adminShouldSeeFlags() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.get("/votings")
- .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJhZG1pbiI6InRydWUiLCJ1c2VyIjoiSmVycnkifQ.")))
- .andExpect(jsonPath("$.[*].flag").isNotEmpty());
- }
-
- @Test
- public void votingIsNotAllowedAsGuest() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free"))
- .andExpect(unauthenticated());
- }
-
- @Test
- public void normalUserShouldBeAbleToVote() throws Exception {
- MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
- .param("user", "Tom"))
- .andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn();
- mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free")
- .cookie(mvcResult.getResponse().getCookie("access_token")));
- mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
- .cookie(mvcResult.getResponse().getCookie("access_token")))
- .andExpect(jsonPath("$..[?(@.title == 'Get it for free')].numberOfVotes", CoreMatchers.hasItem(20001)));
- }
-
- @Test
- public void votingForUnknownLessonShouldNotCrash() throws Exception {
- MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
- .param("user", "Tom"))
- .andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn();
- mockMvc.perform(MockMvcRequestBuilders.post("/votings/UKNOWN_VOTE")
- .cookie(mvcResult.getResponse().getCookie("access_token"))).andExpect(status().isAccepted());
- }
-
- @Test
- public void votingWithInvalidToken() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.post("/votings/UKNOWN_VOTE")
- .cookie(new Cookie("access_token", "abc"))).andExpect(unauthenticated());
- }
-
- @Test
- public void gettingVotesWithInvalidToken() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
- .cookie(new Cookie("access_token", "abc"))).andExpect(unauthenticated());
- }
-
- @Test
- public void gettingVotesWithUnknownUserInToken() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
- .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJhZG1pbiI6InRydWUiLCJ1c2VyIjoiVW5rbm93biJ9.")))
- .andExpect(unauthenticated())
- .andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
- }
-
- @Test
- public void gettingVotesForUnknownShouldWork() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
- .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVW5rbm93biJ9.")))
- .andExpect(unauthenticated())
- .andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
- }
-
- @Test
- public void gettingVotesForKnownWithoutAdminFieldShouldWork() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
- .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVG9tIn0.")))
- .andExpect(status().isOk())
- .andExpect(jsonPath("$.[*].numberOfVotes").exists());
- }
-
- @Test
- public void gettingVotesWithEmptyToken() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
- .cookie(new Cookie("access_token", "")))
- .andExpect(status().isOk())
- .andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
- }
-
- @Test
- public void votingAsUnknownUserShouldNotBeAllowed() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free")
- .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVW5rbm93biJ9.")))
- .andExpect(unauthenticated());
- }
-}
\ No newline at end of file