diff --git a/main/project/WebContent/lesson_plans/InsecureLogin.html b/main/project/WebContent/lesson_plans/InsecureLogin.html
new file mode 100644
index 000000000..a33256309
--- /dev/null
+++ b/main/project/WebContent/lesson_plans/InsecureLogin.html
@@ -0,0 +1,14 @@
+<div align="Center">
+<p><b>Lesson Plan Title:</b> Insecure Login</p>
+</div>
+<p><b>Concept / Topic To Teach:</b> </p>
+<!-- Start Instructions -->
+Sensitive data should never sent in plaintext! Often applications 
+switch to a secure connection after the authorization. An attacker
+could just sniff the login and use the gathered information to
+break into an account. A good webapplication always takes care of
+encrypting sensitive data.
+<p><b>General Goal(s):</b> </p>
+See how easy it is to sniff a password in plaintext.<br>
+Understand the advantages of encrypting the login data!
+<!-- Stop Instructions -->
diff --git a/main/project/WebContent/lesson_solutions/InsecureLogin.html b/main/project/WebContent/lesson_solutions/InsecureLogin.html
new file mode 100644
index 000000000..785a95bb6
--- /dev/null
+++ b/main/project/WebContent/lesson_solutions/InsecureLogin.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Insecure Login</title>
+<link rel="stylesheet" type="text/css" href="/WebGoat/lesson_solutions/formate.css">
+</head>
+<body>
+<p><b>Lesson Plan Title:</b>Insecure Login</p>
+
+<p><b>Concept / Topic To Teach:</b><br/>
+Sensitive data should never sent in plaintext! 
+Often applications switch to a secure connection after the authorization. 
+An attacker could just sniff the login and use the gathered information 
+to break into an account. A good webapplication always takes care of 
+encrypting sensitive data.
+</p> 
+
+<p><b>General Goal(s):</b><br/>
+See how easy it is to sniff a password in plaintext. <br>
+Understand the advantages of encrypting the login data! 
+</p>
+
+<b>Solution:</b><br/>
+<p>This lesson has two stages. In the first stage you try to sniff a password
+which is sent in plaintext. In the second stage you try the same
+but on a secure connection.</p>
+<p>You need a client server setup for this lesson. Please refer
+to the Tomcat Setup in the Introduction section.</p>
+
+<b>Stage 1</b>
+<p>Start a sniffer. If you do not have one we recommend wireshark, which 
+is free: <a href="http://www.wireshark.org/"> Wireshark</a>. Make sure 
+you are capturing on the right interface. Click on
+the submit button ans stop the capturing. Now analyze the captured data.</p>
+<div align="center">
+<img src="stub">
+<font size="2"> <b>Figure 1: Sniffed Traffic</b></font>
+</div>
+<p>As you can see we are interested in the HTTP Post request (marked blue) as
+the password is transmitted there. The field for the password has
+the name clear_pass and has as value sniffy. Of course
+this is also the correct answer and you are done with stage 1.</p>
+
+<b>Stage 2</b>
+<p>
+Now you have to switch to a secure connection. You archive this
+by changing the URL from http://... to https://... Sniff again the traffic
+as you have done in stage 1. As you will see there is not sent the password
+in plaintext. The server communicates with the application over a secure layer
+the so called Transport Layer Security (TLS) also called Secure Socket Layer (SSL).
+TLS is a hybrid encrypting protocol. A master secret is built to communicate.
+This master secret is built by using SHA-1 and MD5. All traffic between 
+the Server and the Cleint is encrypted.</p>
+
+
+
+
+
+</body>
+</html>
\ No newline at end of file