diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Challenge2.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Challenge2.java
new file mode 100644
index 000000000..8bc916874
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Challenge2.java
@@ -0,0 +1,31 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import java.io.IOException;
+
+import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE;
+
+/**
+ * @author nbaars
+ * @since 4/6/17.
+ */
+@AssignmentPath("/challenge/2")
+public class Challenge2 extends AssignmentEndpoint {
+
+ @RequestMapping(method = RequestMethod.POST)
+ public
+ @ResponseBody
+ AttackResult completed(@RequestParam String couponCode) throws IOException {
+ if (SUPER_COUPON_CODE.equals(couponCode)) {
+ return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(2)).build();
+ }
+ return failed().build();
+ }
+}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/ShopEndpoint.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/ShopEndpoint.java
new file mode 100644
index 000000000..fc0323613
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/ShopEndpoint.java
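Review bot: `completed` declares `throws IOException` although nothing in its body can throw it, so every caller inherits a checked exception for no reason; drop the clause, `AttackResult completed(@RequestParam String couponCode) {`. The feedback argument `Flag.FLAGS.get(2)` hard-codes an index that has to stay in step with `@AssignmentPath("/challenge/2")`, which deserves a comment such as `// index into Flag.FLAGS must match the challenge number in @AssignmentPath`. The `SUPER_COUPON_CODE.equals(couponCode)` comparison is null-safe, and since the coupon value is this lesson's intended solution I am not proposing to change it or how it is checked. Splitting `public`, `@ResponseBody` and the return type over three lines is legal but hard to scan; `public @ResponseBody AttackResult completed(...)` on one line reads better.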
@@ -0,0 +1,71 @@
+package org.owasp.webgoat.plugin;
+
+import com.beust.jcommander.internal.Lists;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import org.apache.commons.lang3.RandomStringUtils;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.util.List;
+
+import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE;
+
+/**
+ * @author nbaars
+ * @since 4/6/17.
+ */
+@RestController
+public class ShopEndpoint {
+
+ @AllArgsConstructor
+ private class CouponCodes {
+
+ @Getter
+ private List codes = Lists.newArrayList();
+
+ public boolean contains(String code) {
+ return codes.stream().anyMatch(c -> c.getCode().equals(code));
+ }
+ }
+
+ @AllArgsConstructor
+ @Getter
+ private class CouponCode {
+ private String code;
+ private int discount;
+ }
+
+ private CouponCodes couponCodes;
+
+ public ShopEndpoint() {
+ List codes = Lists.newArrayList();
+ for (int i = 0; i < 9; i++) {
+ codes.add(new CouponCode(RandomStringUtils.random(10), i * 100));
+ }
+ this.couponCodes = new CouponCodes(codes);
+ }
+
+ @GetMapping(value = "/coupons/{user}", produces = MediaType.APPLICATION_JSON_VALUE)
+ public CouponCodes getDiscountCodes(@PathVariable String user) {
+ if ("Tom".equals(user)) {
+ return couponCodes;
+ }
+ return null;
+ }
+
+ @GetMapping(value = "/coupons/valid/{code}", produces = MediaType.APPLICATION_JSON_VALUE)
+ public boolean isValidCouponCode(@PathVariable String code) {
+ return couponCodes.contains(code);
+ }
+
+ @GetMapping(value = "/coupons", produces = MediaType.APPLICATION_JSON_VALUE)
+ public CouponCodes coupons() {
+ List all = Lists.newArrayList();
+ all.addAll(this.couponCodes.getCodes());
+ all.add(new CouponCode(SUPER_COUPON_CODE, 100));
+ return new CouponCodes(all);
+ }
+}
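Review bot: `RandomStringUtils.random(10)` in the `ShopEndpoint` constructor picks each character from the entire Unicode range using a non-cryptographic RNG, so the nine generated coupon codes can contain control characters or unpaired surrogates that serialize poorly in the JSON returned by `/coupons/{user}`, and they are not suitable as secrets; `RandomStringUtils.randomAlphanumeric(10)` fixes the charset, and a `SecureRandom`-backed generator is the right tool if a code is meant to be unguessable. `getDiscountCodes` returns `null` for every user except `"Tom"`, which Spring renders as a 200 with an empty body; returning `ResponseEntity<CouponCodes>` with `ResponseEntity.notFound().build()` (or 403) would make the failed lookup explicit to the client. The unauthenticated `/coupons` listing that appends `SUPER_COUPON_CODE` looks like the deliberate target of this lesson, so I am not suggesting it be removed, but a comment `// intentionally exposes the solution coupon: this leak is the challenge` would stop a future cleanup from "fixing" it. `CouponCodes` and `CouponCode` are non-static inner classes that each carry a hidden reference to the endpoint instance; `private static class` is what they need.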
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
index dda05d492..5450e02ae 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
@@ -9,5 +9,6 @@ package org.owasp.webgoat.plugin; public interface SolutionConstants { String PASSWORD = "!!webgoat_admin_1234!!"; + String SUPER_COUPON_CODE = "get_if_for_free"; }
diff --git a/webgoat-lessons/challenge/src/main/resources/css/challenge2.css b/webgoat-lessons/challenge/src/main/resources/css/challenge2.css
new file mode 100644
index 000000000..7bca52cbe
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/resources/css/challenge2.css
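Review bot: `SUPER_COUPON_CODE = "get_if_for_free"` reads like a typo of `get_it_for_free`; since this string is exactly what `Challenge2` compares the submitted `couponCode` against and what `ShopEndpoint.coupons()` publishes, it is worth settling the spelling now, before lesson text or write-ups reference it, and annotating it with `// solution for challenge 2; compared in Challenge2 and listed by ShopEndpoint`. The constants-in-an-interface layout is already established by `PASSWORD`, so I am not proposing to restructure it in this change.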
@@ -0,0 +1,33 @@
+ul > li{margin-right:25px;font-weight:lighter;cursor:pointer}
+li.active{border-bottom:3px solid silver;}
+
+.item-photo{display:flex;justify-content:center;align-items:center;border-right:1px solid #f6f6f6;}
+.menu-items{list-style-type:none;font-size:11px;display:inline-flex;margin-bottom:0px;margin-top:20px}
+.btn-success{width:100%;border-radius:0px;}
+.section{width:100%;margin-left:-15px;padding:2px;padding-left:15px;padding-right:15px;background:#f8f9f9}
+.title-price{margin-top:30px;margin-bottom:0px;color:black}
+.title-attr{margin-top:0px;margin-bottom:0px;color:black;}
+.btn-minus{cursor:pointer;font-size:7px;display:flex;align-items:center;padding:5px;padding-left:10px;padding-right:10px;border:1px solid gray;border-radius:2px;border-right:0px;}
+.btn-plus{cursor:pointer;font-size:7px;display:flex;align-items:center;padding:5px;padding-left:10px;padding-right:10px;border:1px solid gray;border-radius:2px;border-left:0px;}
+div.section > div {width:100%;display:inline-flex;}
+div.section > div > input {margin:0px;padding-left:5px;font-size:10px;padding-right:5px;max-width:18%;text-align:center;}
+.attr,.attr2{cursor:pointer;margin-right:5px;height:20px;font-size:10px;padding:2px;border:1px solid gray;border-radius:2px;}
+.attr.active,.attr2.active{ border:1px solid orange;}
+
+@media (max-width: 426px) {
+ .container {margin-top:0px !important;}
+ .container > .row{padding:0px !important;}
+ .container > .row > .col-xs-12.col-sm-5{
+ padding-right:0px ;
+ }
+ .container > .row > .col-xs-12.col-sm-9 > div > p{
+ padding-left:0px !important;
+ padding-right:0px !important;
+ }
+ .container > .row > .col-xs-12.col-sm-9 > div > ul{
+ padding-left:10px !important;
+
+ }
+ .section{width:104%;}
+ .menu-items{padding-left:0px;}
+}
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge.html b/webgoat-lessons/challenge/src/main/resources/html/Challenge.html
index b6bc7f41e..59de297d1 100644
--- a/webgoat-lessons/challenge/src/main/resources/html/Challenge.html +++ b/webgoat-lessons/challenge/src/main/resources/html/Challenge.html @@ -36,11 +36,13 @@ -
+
-
- +
+
@@ -49,7 +51,90 @@
- + + +
+ + +
+
+
+
+
+ +
+
+

Samsung Galaxy S8 Plus 64GB Android Phone

+
Manufacturer Samsung ยท + (5054 reviews) +
+ +
+ PRICE +
+

US $899

+ +
+
+ COLOR +
+
+
+
+
+
+
+
+ CAPACITY +
+
+
16 GB
+
32 GB
+
+
+
+
+ QUANTITY +
+
+
+ +
+
+
+ +
+ +
+ Like
+
+
+
+
+
+
+ +
+
+
+ +
+
+ + +
+ +
+
+
+
+
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/resources/images/samsung-black.jpg b/webgoat-lessons/challenge/src/main/resources/images/samsung-black.jpg
new file mode 100644
index 000000000..7b0c1f809
Binary files /dev/null and b/webgoat-lessons/challenge/src/main/resources/images/samsung-black.jpg differ
diff --git a/webgoat-lessons/challenge/src/main/resources/images/samsung-grey.jpg b/webgoat-lessons/challenge/src/main/resources/images/samsung-grey.jpg
new file mode 100644
index 000000000..2dd9ea557
Binary files /dev/null and b/webgoat-lessons/challenge/src/main/resources/images/samsung-grey.jpg differ
diff --git a/webgoat-lessons/challenge/src/main/resources/js/challenge2.js b/webgoat-lessons/challenge/src/main/resources/js/challenge2.js
new file mode 100644
index 000000000..a9e649e8c
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/resources/js/challenge2.js
@@ -0,0 +1,33 @@
+$(document).ready(function(){
+ //-- Click on detail
+ $("ul.menu-items > li").on("click",function(){
+ $("ul.menu-items > li").removeClass("active");
+ $(this).addClass("active");
+ })
+
+ $(".attr,.attr2").on("click",function(){
+ var clase = $(this).attr("class");
+
+ $("." + clase).removeClass("active");
+ $(this).addClass("active");
+ })
+
+ //-- Click on QUANTITY
+ $(".btn-minus").on("click",function(){
+ var now = $(".section > div > input").val();
+ if ($.isNumeric(now)){
+ if (parseInt(now) -1 > 0){ now--;}
+ $(".section > div > input").val(now);
+ }else{
+ $(".section > div > input").val("1");
+ }
+ })
+ $(".btn-plus").on("click",function(){
+ var now = $(".section > div > input").val();
+ if ($.isNumeric(now)){
+ $(".section > div > input").val(parseInt(now)+1);
+ }else{
+ $(".section > div > input").val("1");
+ }
+ })
+})
\ No newline at end of file
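Review bot: `parseInt(now)` in both quantity handlers is called without a radix; `parseInt(now, 10)` makes the base explicit and avoids the legacy implementation-dependent parsing of strings with a leading zero. `$.isNumeric` also accepts values such as `"1.5"` or `"1e3"`, and in the `.btn-minus` handler a value whose `parseInt` minus one is not positive is written back unchanged, so a non-integer can survive the stepper; normalizing once with `var qty = parseInt(now, 10) || 1;` and writing `qty` back keeps the field an integer. The stepper has no upper bound and, as far as this hunk shows, the quantity is never sent anywhere, so whichever endpoint eventually consumes it must validate quantity and price server-side rather than trusting this client-side logic. In the `.attr,.attr2` handler, `$("." + clase)` builds a selector from the element's whole class attribute, which becomes the descendant selector `.attr active` once the clicked element is already active; it happens to be harmless, but `$(this).hasClass("attr") ? ".attr" : ".attr2"` expresses the intent directly.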