diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Challenge3.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Challenge3.java
new file mode 100644
index 000000000..b1d22364a
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Challenge3.java
@@ -0,0 +1,106 @@
+package org.owasp.webgoat.plugin.challenge3;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.EvictingQueue;
+import org.joda.time.DateTime;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.plugin.Flag;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.*;
+
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamReader;
+import java.io.IOException;
+import java.io.StringReader;
+import java.util.Collection;
+
+import static org.springframework.http.MediaType.ALL_VALUE;
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+import static org.springframework.web.bind.annotation.RequestMethod.GET;
+import static org.springframework.web.bind.annotation.RequestMethod.POST;
+
+/**
+ * @author nbaars
+ * @since 4/8/17.
+ */
+@AssignmentPath("/challenge3")
+public class Challenge3 extends AssignmentEndpoint {
+
+ @Autowired
+ private WebSession webSession;
+ private static final EvictingQueue comments = EvictingQueue.create(100);
+
+ static {
+ comments.add(new Comment("webgoat", DateTime.now().toString(), "Silly cat...."));
+ comments.add(new Comment("guest", DateTime.now().toString(), "I think I will use this picture in one of my projects."));
+ comments.add(new Comment("guest", DateTime.now().toString(), "Lol!! 
:-)."));
+ }
+
+ @RequestMapping(method = GET, produces = APPLICATION_JSON_VALUE)
+ @ResponseBody
+ public Collection retrieveComments() {
+ return comments;
+ }
+
+ @RequestMapping(method = POST, consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
+ @ResponseBody
+ public AttackResult createNewUser(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
+ Comment comment = new Comment();
+ AttackResult attackResult = failed().build();
+ if (APPLICATION_JSON_VALUE.equals(contentType)) {
+ comment = parseJson(commentStr);
+ comment.setDateTime(DateTime.now().toString());
+ comment.setUser(webSession.getUserName());
+ }
+ if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
+ comment = parseXml(commentStr);
+ comment.setDateTime(DateTime.now().toString());
+ comment.setUser(webSession.getUserName());
+ }
+
+ if (checkSolution(comment)) {
+ attackResult = success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(2)).build();
+ }
+ return attackResult;
+ }
+
+ private boolean checkSolution(Comment comment) {
+ if (comment.getComment().contains("Congratulations you may now collect your flag")) {
+ comment.setComment("Congratulations to " + webSession.getUserName() + " for finding the flag!!");
+ return true;
+ }
+ return false;
+ }
+
+ public static Comment parseXml(String xml) throws Exception {
+ JAXBContext jc = JAXBContext.newInstance(Comment.class);
+
+ XMLInputFactory xif = XMLInputFactory.newFactory();
+ xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true);
+ xif.setProperty(XMLInputFactory.IS_VALIDATING, false);
+
+ xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
+ XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
+
+ Unmarshaller unmarshaller = jc.createUnmarshaller();
+ return (Comment) unmarshaller.unmarshal(xsr);
+ }
+
+ private Comment parseJson(String comment) {
+ ObjectMapper mapper = new ObjectMapper();
+ try {
+ return mapper.readValue(comment, 
Comment.class);
+ } catch (IOException e) {
+ return new Comment();
+ }
+ }
+
+
+}
+
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java
new file mode 100644
index 000000000..0effcab0b
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java
@@ -0,0 +1,21 @@
+package org.owasp.webgoat.plugin.challenge3;
+
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+/**
+ * @author nbaars
+ * @since 4/8/17.
+ */
+@Getter
+@Setter
+@AllArgsConstructor
+@NoArgsConstructor
+public class Comment {
+ private String user;
+ private String dateTime;
+ private String comment;
+}
+
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/CommentsEndpoint.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/CommentsEndpoint.java
new file mode 100644
index 000000000..afee36dac
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/CommentsEndpoint.java
@@ -0,0 +1,33 @@
+package org.owasp.webgoat.plugin.challenge3;
+
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * @author nbaars
+ * @since 4/8/17.
+ */
+@RestController
+@RequestMapping("challenge-comments")
+public class CommentsEndpoint {
+
+//
+// private final WebSession webSession;
+//
+// public CommentsEndpoint(WebSession webSession) {
+// this.webSession = webSession;
+//
+// }
+//
+//
+//
+//
+//
+// @PostMapping
+// public Collection addComment(String comment) {
+// String s = StringUtils.abbreviate(comment, 100);
+// comments.add(new Comment(webSession.getUserName(), DateTime.now().toString(), s));
+// return comments;
+// }
+
+}
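Review bot: `checkSolution` dereferences `comment.getComment()` without a null check, and that field is null whenever the Content-Type header is neither JSON nor XML (the initial `new Comment()` is kept) or `parseJson` swallows the parse error and returns an empty `Comment`, so such requests end in a NullPointerException instead of the `failed()` result; guard it with `if (comment.getComment() != null && comment.getComment().contains("Congratulations you may now collect your flag")) {`. `parseXml` switches on `IS_SUPPORTING_EXTERNAL_ENTITIES` and `SUPPORT_DTD`, which is presumably the weakness this challenge is built around, so say so at the top of the method, e.g. `// Intentionally insecure parser configuration: this challenge exercises external-entity handling. Do not reuse outside the lesson.`, so the snippet is not copied into non-lesson code. The XML is bound with `unmarshaller.unmarshal(xsr)` although `Comment` in this commit carries no `@XmlRootElement`; if that fails at runtime, `unmarshal(xsr, Comment.class).getValue()` binds without the annotation. The parsed comment is also never added to `comments`, so GET keeps returning the three seeded entries — fine if intended, otherwise add it after `checkSolution`.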
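Review bot: `CommentsEndpoint` is registered as a `@RestController` at `challenge-comments` but its body is entirely commented out, so it maps no handlers and only adds a dead bean; either leave the class out of this commit or replace the block with a one-line `// TODO: comment endpoint not yet implemented` and restore the code from history when it is needed. The commented-out `addComment` also refers to `comments`, `StringUtils` and `DateTime`, none of which this file imports, so it will not compile as-is when uncommented.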
diff --git a/webgoat-lessons/challenge/src/main/resources/css/challenge3.css b/webgoat-lessons/challenge/src/main/resources/css/challenge3.css
new file mode 100644
index 000000000..3bc2ca4eb
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/resources/css/challenge3.css
@@ -0,0 +1,75 @@
+/* Component: Posts */
+.post .post-heading {
+ height: 95px;
+ padding: 20px 15px;
+}
+.post .post-heading .avatar {
+ width: 60px;
+ height: 60px;
+ display: block;
+ margin-right: 15px;
+}
+.post .post-heading .meta .title {
+ margin-bottom: 0;
+}
+.post .post-heading .meta .title a {
+ color: black;
+}
+.post .post-heading .meta .title a:hover {
+ color: #aaaaaa;
+}
+.post .post-heading .meta .time {
+ margin-top: 8px;
+ color: #999;
+}
+.post .post-image .image {
+ width:20%;
+ height: 40%;
+}
+.post .post-description {
+ padding: 5px;
+}
+.post .post-footer {
+ border-top: 1px solid #ddd;
+ padding: 15px;
+}
+.post .post-footer .input-group-addon a {
+ color: #454545;
+}
+.post .post-footer .comments-list {
+ padding: 0;
+ margin-top: 20px;
+ list-style-type: none;
+}
+.post .post-footer .comments-list .comment {
+ display: block;
+ width: 100%;
+ margin: 20px 0;
+}
+.post .post-footer .comments-list .comment .avatar {
+ width: 35px;
+ height: 35px;
+}
+.post .post-footer .comments-list .comment .comment-heading {
+ display: block;
+ width: 100%;
+}
+.post .post-footer .comments-list .comment .comment-heading .user {
+ font-size: 14px;
+ font-weight: bold;
+ display: inline;
+ margin-top: 0;
+ margin-right: 10px;
+}
+.post .post-footer .comments-list .comment .comment-heading .time {
+ font-size: 12px;
+ color: #aaa;
+ margin-top: 0;
+ display: inline;
+}
+.post .post-footer .comments-list .comment .comment-body {
+ margin-left: 50px;
+}
+.post .post-footer .comments-list .comment > .comments-list {
+ margin-left: 50px;
+}
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge.html b/webgoat-lessons/challenge/src/main/resources/html/Challenge.html index ee1e3363d..e1baebd44 100644 --- a/webgoat-lessons/challenge/src/main/resources/html/Challenge.html +++ b/webgoat-lessons/challenge/src/main/resources/html/Challenge.html @@ -65,77 +65,76 @@ method="POST" name="form" action="/WebGoat/challenge/2" enctype="application/json;charset=UTF-8"> -
- -
-
- -
-
-

Samsung Galaxy S8 Plus Android Phone

-
Samsung · - (124421 reviews) -
-
- PRICE + +
+ +
+ +
+
+

Samsung Galaxy S8

+
Samsung · + (124421 reviews) +
+ +
+ PRICE +
+

US $899

+ +
+
+ COLOR
-

US $899

- -
-
- COLOR -
-
-
-
-
+
+
+
-
-
- CAPACITY -
-
-
64 GB
-
128 GB
-
+
+
+
+ CAPACITY +
+
+
64 GB
+
128 GB
-
-
- QUANTITY -
-
-
- -
-
+
+
+
+ QUANTITY +
+
+
+ +
+
-
-
- CHECKOUT CODE -
+
+
+ CHECKOUT CODE +
+ + - - +
-
- -
- -
- Like
-
+
+ +
+ Like
-
+
@@ -158,4 +157,98 @@
+ +
+
+ + +
+
+
+
+
+ user profile image +
+
+
+ John Doe + uploaded a photo. +
+
24 days ago
+
+
+ +
+ image post +
+ +
+ +
+ +
+ + +
+
+
+
+
+ + \ No newline at end of file diff --git a/webgoat-lessons/challenge/src/main/resources/images/avatar1.png b/webgoat-lessons/challenge/src/main/resources/images/avatar1.png new file mode 100644 index 000000000..4ea864f90 Binary files /dev/null and b/webgoat-lessons/challenge/src/main/resources/images/avatar1.png differ diff --git a/webgoat-lessons/challenge/src/main/resources/images/cat.jpg b/webgoat-lessons/challenge/src/main/resources/images/cat.jpg new file mode 100644 index 000000000..e0e1fb983 Binary files /dev/null and b/webgoat-lessons/challenge/src/main/resources/images/cat.jpg differ diff --git a/webgoat-lessons/challenge/src/main/resources/js/challenge3.js b/webgoat-lessons/challenge/src/main/resources/js/challenge3.js new file mode 100644 index 000000000..be9cb11f0 --- /dev/null +++ b/webgoat-lessons/challenge/src/main/resources/js/challenge3.js @@ -0,0 +1,15 @@ +$(document).ready(function () { + $("#postComment").on("blur", function () { + var comment = $("#commentInput").val(); + $.post("challenge3", function (result, status) { + var json; + json = '{' + + ' "comment":' + '"' + comment + '"' + '}'; + }) + }) + + $.get("challenge3", function (result, status) { + alert("Hello"); + }) +}) \ No newline at end of file diff --git a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_1.adoc b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_1.adoc index 3a0b7ee9f..4f77d8158 100644 --- a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_1.adoc +++ b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_1.adoc @@ -1 +1 @@ -=== Admin forgot password can you help? \ No newline at end of file +==== Admin forgot password can you help? \ No newline at end of file diff --git a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_2.adoc b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_2.adoc index 6849340ea..526593266 100644 
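Review bot: In the `#postComment` blur handler of challenge3.js the request body is assembled inside the `$.post` callback, i.e. after the request has already been sent without any data, so the typed comment never reaches the server and the `json` string is discarded. Build the payload first and send it with an explicit content type, e.g. `$.ajax({type: "POST", url: "challenge3", contentType: "application/json", data: JSON.stringify({comment: comment}), success: function (result) { /* refresh list */ }})`, since the server-side endpoint selects its parser from the Content-Type header. Using `JSON.stringify` instead of concatenating the raw value also keeps quotes and backslashes in the comment from producing an invalid or unintended body. The `alert("Hello")` in the `$.get` callback looks like leftover debugging and should render the returned comments or be removed.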
--- a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_2.adoc
+++ b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_2.adoc
@@ -1 +1 @@
-=== No need to pay...
\ No newline at end of file
+No need to pay...
\ No newline at end of file
diff --git a/webgoat-lessons/xxe/src/main/resources/js/xxe.js b/webgoat-lessons/xxe/src/main/resources/js/xxe.js
index b38c2d9c2..3cf292d83 100644
--- a/webgoat-lessons/xxe/src/main/resources/js/xxe.js
+++ b/webgoat-lessons/xxe/src/main/resources/js/xxe.js
@@ -7,8 +7,9 @@ webgoat.customjs.register = function () {
 return xml;
 }
 webgoat.customjs.registerJson = function () {
- var json = '{' +
- ' "user":' + '"test"' +
+ var json;
+ json = '{' +
+ ' "user":' + '"test"' +
 ' "password":' + '"test"' +
 '}';
 return json;
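Review bot: The re-added `' "user":' + '"test"' +` line in xxe.js has no trailing comma, so together with the unchanged `' "password":'` line below it `registerJson` returns `{ "user":"test" "password":"test"}`, which is not valid JSON and will be rejected by any strict parser on the server; unless the malformed body is deliberate for this lesson, change it to `' "user":' + '"test",' +`. Splitting `var json = ...` into `var json;` plus a separate assignment changes nothing and the single declaration-with-initialiser reads better.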