diff --git a/webgoat-lessons/csrf/pom.xml b/webgoat-lessons/csrf/pom.xml
new file mode 100644
index 000000000..3845faaa4
--- /dev/null
+++ b/webgoat-lessons/csrf/pom.xml
@@ -0,0 +1,11 @@
+
+ 4.0.0
+ csrf
+ jar
+
+ org.owasp.webgoat.lesson
+ webgoat-lessons-parent
+ 8.0-SNAPSHOT
+
+
\ No newline at end of file
diff --git a/webgoat-lessons/csrf/src/main/resources/plugin/CSRF/html/XXE.html b/webgoat-lessons/csrf/src/main/resources/plugin/CSRF/html/XXE.html
new file mode 100644
index 000000000..e10652683
--- /dev/null
+++ b/webgoat-lessons/csrf/src/main/resources/plugin/CSRF/html/XXE.html
@@ -0,0 +1,178 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
Registration form
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/webgoat-lessons/csrf/src/main/resources/plugin/CSRF/js/xxe.js b/webgoat-lessons/csrf/src/main/resources/plugin/CSRF/js/xxe.js
new file mode 100644
index 000000000..b38c2d9c2
--- /dev/null
+++ b/webgoat-lessons/csrf/src/main/resources/plugin/CSRF/js/xxe.js
@@ -0,0 +1,15 @@
+webgoat.customjs.register = function () {
+ var xml = '' +
+ '' +
+ ' ' + 'test' + '' +
+ ' ' + 'test' + '' +
+ '';
+ return xml;
+}
+webgoat.customjs.registerJson = function () {
+ var json = '{' +
+ ' "user":' + '"test"' +
+ ' "password":' + '"test"' +
+ '}';
+ return json;
+}
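Review bot: The body built in registerJson is not valid JSON: the `"user"` and `"password"` members are concatenated with no comma between them, so the result is `{ "user":"test" "password":"test"}` and any JSON.parse on the server side will reject it. Changing the user line to `' "user":' + '"test",' +` fixes it; building the object and calling `JSON.stringify({user: 'test', password: 'test'})` would avoid this class of quoting mistake in both helpers altogether. The XML helper in register has its markup stripped in this rendering, so the same check could not be done for it; it is worth confirming that string is well-formed too. Separately, the files are named XXE.html / xxe.js inside the CSRF plugin directory, which suggests they were copied from the XXE lesson, and renaming them to match the lesson would keep the plugin consistent.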
diff --git a/webgoat-lessons/csrf/src/main/resources/plugin/CSRF/lessonPlans/en/CSRF_GET.adoc b/webgoat-lessons/csrf/src/main/resources/plugin/CSRF/lessonPlans/en/CSRF_GET.adoc
new file mode 100644
index 000000000..b0271a5f7
--- /dev/null
+++ b/webgoat-lessons/csrf/src/main/resources/plugin/CSRF/lessonPlans/en/CSRF_GET.adoc
@@ -0,0 +1,10 @@
+== CSRF with a GET request
+
+This is the most easiest CSRF attack to perform. For example you receive an e-mail with the following content:
+
+`View my Pictures!`
+
+If the user is still logged in to the website of bank.com this simple GET request will transfer money from one account to another.
+Of course in most cases the website might have multiple controls to approve the request.
+
+
diff --git a/webgoat-lessons/csrf/src/main/resources/plugin/CSRF/lessonPlans/en/CSRF_intro.adoc b/webgoat-lessons/csrf/src/main/resources/plugin/CSRF/lessonPlans/en/CSRF_intro.adoc
new file mode 100644
index 000000000..3cfda81aa
--- /dev/null
+++ b/webgoat-lessons/csrf/src/main/resources/plugin/CSRF/lessonPlans/en/CSRF_intro.adoc
@@ -0,0 +1,27 @@
+=== What is a Crosse-site request forgery?
+
+Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF
+(sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted
+from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF
+exploits the trust that a site has in a user's browser.
+
+A cross-site request forgery is a confused deputy attack against a web browser. CSRF commonly has the following characteristics:
+
+* It involves sites that rely on a user's identity.
+* It exploits the site's trust in that identity.
+* It tricks the user's browser into sending HTTP requests to a target site.
+* It involves HTTP requests that have side effects.
+
+At risk are web applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize
+the specific action. A user who is authenticated by a cookie saved in the user's web browser could unknowingly send an HTTP request to a site
+that trusts the user and thereby causes an unwanted action.
+
+CSRF attacks target functionality that causes a state change on the server, such as changing the victim's email address or password, or purchasing
+something. Forcing the victim to retrieve data doesn't benefit an attacker because the attacker doesn't receive the response, the victim does.
+As such, CSRF attacks target state-changing requests.
+
+Let's continue with some exercises to address way to perform a CSRF request.
+
+
+
+
diff --git a/webgoat-lessons/csrf/src/main/resources/plugin/CSRF/lessonPlans/en/CSRF_plan.adoc b/webgoat-lessons/csrf/src/main/resources/plugin/CSRF/lessonPlans/en/CSRF_plan.adoc
new file mode 100644
index 000000000..1cb953de9
--- /dev/null
+++ b/webgoat-lessons/csrf/src/main/resources/plugin/CSRF/lessonPlans/en/CSRF_plan.adoc
@@ -0,0 +1,10 @@
+= Cross-site request forgery (CSRF)
+
+== Concept
+
+This lesson teaches how to what a CSRF attack is and how it can be abused and protected against.
+
+== Goals
+
+* The user should have basic knowledge of JavaScript
+* The user will learn to perform a CSRF attack and how to protected against it.
diff --git a/webgoat-lessons/csrf/src/main/resources/plugin/CSRF/secret.txt b/webgoat-lessons/csrf/src/main/resources/plugin/CSRF/secret.txt
new file mode 100644
index 000000000..e4ec56814
--- /dev/null
+++ b/webgoat-lessons/csrf/src/main/resources/plugin/CSRF/secret.txt
@@ -0,0 +1 @@
+WebGoat 8 rocks...
\ No newline at end of file