From cebf74cd10b8e2af1c51a33125632811df4feb9c Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sat, 8 Apr 2017 22:15:58 +0200
Subject: [PATCH] Challenge 3: First setup completed

---
 .../webgoat/plugin/challenge3/Challenge3.java | 106 +++++++++
 .../webgoat/plugin/challenge3/Comment.java    |  21 ++
 .../plugin/challenge3/CommentsEndpoint.java   |  33 +++
 .../src/main/resources/css/challenge3.css     |  75 ++++++
 .../src/main/resources/html/Challenge.html    | 213 +++++++++++++-----
 .../src/main/resources/images/avatar1.png     | Bin 0 -> 28394 bytes
 .../src/main/resources/images/cat.jpg         | Bin 0 -> 9095 bytes
 .../src/main/resources/js/challenge3.js       |  15 ++
 .../resources/lessonPlans/en/Challenge_1.adoc |   2 +-
 .../resources/lessonPlans/en/Challenge_2.adoc |   2 +-
 .../resources/lessonPlans/en/Challenge_3.adoc |   1 +
 .../xxe/src/main/resources/js/xxe.js          |   5 +-
 12 files changed, 409 insertions(+), 64 deletions(-)
 create mode 100644 webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Challenge3.java
 create mode 100644 webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java
 create mode 100644 webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/CommentsEndpoint.java
 create mode 100644 webgoat-lessons/challenge/src/main/resources/css/challenge3.css
 create mode 100644 webgoat-lessons/challenge/src/main/resources/images/avatar1.png
 create mode 100644 webgoat-lessons/challenge/src/main/resources/images/cat.jpg
 create mode 100644 webgoat-lessons/challenge/src/main/resources/js/challenge3.js
 create mode 100644 webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_3.adoc

diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Challenge3.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Challenge3.java
new file mode 100644
index 000000000..b1d22364a
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Challenge3.java
@@ -0,0 +1,106 @@
+package org.owasp.webgoat.plugin.challenge3;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.EvictingQueue;
+import org.joda.time.DateTime;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.plugin.Flag;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.*;
+
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamReader;
+import java.io.IOException;
+import java.io.StringReader;
+import java.util.Collection;
+
+import static org.springframework.http.MediaType.ALL_VALUE;
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+import static org.springframework.web.bind.annotation.RequestMethod.GET;
+import static org.springframework.web.bind.annotation.RequestMethod.POST;
+
+/**
+ * @author nbaars
+ * @since 4/8/17.
+ */
+@AssignmentPath("/challenge3")
+public class Challenge3 extends AssignmentEndpoint {
+
+    @Autowired
+    private WebSession webSession;
+    private static final EvictingQueue<Comment> comments = EvictingQueue.create(100);
+
+    static {
+        comments.add(new Comment("webgoat", DateTime.now().toString(), "Silly cat...."));
+        comments.add(new Comment("guest", DateTime.now().toString(), "I think I will use this picture in one of my projects."));
+        comments.add(new Comment("guest", DateTime.now().toString(), "Lol!! :-)."));
+    }
+
+    @RequestMapping(method = GET, produces = APPLICATION_JSON_VALUE)
+    @ResponseBody
+    public Collection<Comment> retrieveComments() {
+        return comments;
+    }
+
+    @RequestMapping(method = POST, consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
+    @ResponseBody
+    public AttackResult createNewUser(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
+        Comment comment = new Comment();
+        AttackResult attackResult = failed().build();
+        if (APPLICATION_JSON_VALUE.equals(contentType)) {
+            comment = parseJson(commentStr);
+            comment.setDateTime(DateTime.now().toString());
+            comment.setUser(webSession.getUserName());
+        }
+        if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
+            comment = parseXml(commentStr);
+            comment.setDateTime(DateTime.now().toString());
+            comment.setUser(webSession.getUserName());
+        }
+
+        if (checkSolution(comment)) {
+            attackResult = success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(2)).build();
+        }
+        return attackResult;
+    }
+
+    private boolean checkSolution(Comment comment) {
+        if (comment.getComment().contains("Congratulations you may now collect your flag")) {
+            comment.setComment("Congratulations to " + webSession.getUserName() + " for finding the flag!!");
+            return true;
+        }
+        return false;
+    }
+
+    public static Comment parseXml(String xml) throws Exception {
+        JAXBContext jc = JAXBContext.newInstance(Comment.class);
+
+        XMLInputFactory xif = XMLInputFactory.newFactory();
+        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true);
+        xif.setProperty(XMLInputFactory.IS_VALIDATING, false);
+
+        xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
+        XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
+
+        Unmarshaller unmarshaller = jc.createUnmarshaller();
+        return (Comment) unmarshaller.unmarshal(xsr);
+    }
+
+    private Comment parseJson(String comment) {
+        ObjectMapper mapper = new ObjectMapper();
+        try {
+            return mapper.readValue(comment, Comment.class);
+        } catch (IOException e) {
+            return new Comment();
+        }
+    }
+
+
+}
+
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java
new file mode 100644
index 000000000..0effcab0b
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java
@@ -0,0 +1,21 @@
+package org.owasp.webgoat.plugin.challenge3;
+
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+/**
+ * @author nbaars
+ * @since 4/8/17.
+ */
+@Getter
+@Setter
+@AllArgsConstructor
+@NoArgsConstructor
+public class Comment {
+    private String user;
+    private String dateTime;
+    private String comment;
+}
+
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/CommentsEndpoint.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/CommentsEndpoint.java
new file mode 100644
index 000000000..afee36dac
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/CommentsEndpoint.java
@@ -0,0 +1,33 @@
+package org.owasp.webgoat.plugin.challenge3;
+
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * @author nbaars
+ * @since 4/8/17.
+ */
+@RestController
+@RequestMapping("challenge-comments")
+public class CommentsEndpoint {
+
+//
+//    private final WebSession webSession;
+//
+//    public CommentsEndpoint(WebSession webSession) {
+//        this.webSession = webSession;
+//
+//    }
+//
+//
+//
+//
+//
+//    @PostMapping
+//    public Collection<Comment> addComment(String comment) {
+//        String s = StringUtils.abbreviate(comment, 100);
+//        comments.add(new Comment(webSession.getUserName(), DateTime.now().toString(), s));
+//        return comments;
+//    }
+
+}
diff --git a/webgoat-lessons/challenge/src/main/resources/css/challenge3.css b/webgoat-lessons/challenge/src/main/resources/css/challenge3.css
new file mode 100644
index 000000000..3bc2ca4eb
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/resources/css/challenge3.css
@@ -0,0 +1,75 @@
+/* Component: Posts */
+.post .post-heading {
+    height: 95px;
+    padding: 20px 15px;
+}
+.post .post-heading .avatar {
+    width: 60px;
+    height: 60px;
+    display: block;
+    margin-right: 15px;
+}
+.post .post-heading .meta .title {
+    margin-bottom: 0;
+}
+.post .post-heading .meta .title a {
+    color: black;
+}
+.post .post-heading .meta .title a:hover {
+    color: #aaaaaa;
+}
+.post .post-heading .meta .time {
+    margin-top: 8px;
+    color: #999;
+}
+.post .post-image .image {
+    width:20%;
+    height: 40%;
+}
+.post .post-description {
+    padding: 5px;
+}
+.post .post-footer {
+    border-top: 1px solid #ddd;
+    padding: 15px;
+}
+.post .post-footer .input-group-addon a {
+    color: #454545;
+}
+.post .post-footer .comments-list {
+    padding: 0;
+    margin-top: 20px;
+    list-style-type: none;
+}
+.post .post-footer .comments-list .comment {
+    display: block;
+    width: 100%;
+    margin: 20px 0;
+}
+.post .post-footer .comments-list .comment .avatar {
+    width: 35px;
+    height: 35px;
+}
+.post .post-footer .comments-list .comment .comment-heading {
+    display: block;
+    width: 100%;
+}
+.post .post-footer .comments-list .comment .comment-heading .user {
+    font-size: 14px;
+    font-weight: bold;
+    display: inline;
+    margin-top: 0;
+    margin-right: 10px;
+}
+.post .post-footer .comments-list .comment .comment-heading .time {
+    font-size: 12px;
+    color: #aaa;
+    margin-top: 0;
+    display: inline;
+}
+.post .post-footer .comments-list .comment .comment-body {
+    margin-left: 50px;
+}
+.post .post-footer .comments-list .comment > .comments-list {
+    margin-left: 50px;
+}
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge.html b/webgoat-lessons/challenge/src/main/resources/html/Challenge.html
index ee1e3363d..e1baebd44 100644
--- a/webgoat-lessons/challenge/src/main/resources/html/Challenge.html
+++ b/webgoat-lessons/challenge/src/main/resources/html/Challenge.html
@@ -65,77 +65,76 @@
               method="POST" name="form"
               action="/WebGoat/challenge/2"
               enctype="application/json;charset=UTF-8">
-            <div class="container">
-                <input id="discount" type="hidden" value="0"/>
-                <div class="row">
-                    <div class="col-xs-3 item-photo">
-                        <img style="max-width:100%;" th:src="@{/images/samsung-black.jpg}"/>
-                    </div>
-                    <div class="col-xs-5" style="border:0px solid gray">
-                        <h3>Samsung Galaxy S8 Plus Android Phone</h3>
-                        <h5 style="color:#337ab7"><a href="http://www.samsung.com">Samsung</a> ·
-                            <small style="color:#337ab7">(124421 reviews)</small>
-                        </h5>
 
-                        <h6 class="title-price">
-                            <small>PRICE</small>
+            <input id="discount" type="hidden" value="0"/>
+            <div class="row">
+
+                <div class="col-xs-3 item-photo">
+                    <img style="max-width:100%;" th:src="@{/images/samsung-black.jpg}"/>
+                </div>
+                <div class="col-xs-5" style="border:0px solid gray">
+                    <h3>Samsung Galaxy S8</h3>
+                    <h5 style="color:#337ab7"><a href="http://www.samsung.com">Samsung</a> ·
+                        <small style="color:#337ab7">(124421 reviews)</small>
+                    </h5>
+
+                    <h6 class="title-price">
+                        <small>PRICE</small>
+                    </h6>
+                    <h3 style="margin-top:0px;"><span>US $</span><span id="price">899</span></h3>
+
+                    <div class="section">
+                        <h6 class="title-attr" style="margin-top:15px;">
+                            <small>COLOR</small>
                         </h6>
-                        <h3 style="margin-top:0px;"><span>US $</span><span id="price">899</span></h3>
-
-                        <div class="section">
-                            <h6 class="title-attr" style="margin-top:15px;">
-                                <small>COLOR</small>
-                            </h6>
-                            <div>
-                                <div class="attr" style="width:25px;background:lightgrey;"></div>
-                                <div class="attr" style="width:25px;background:black;"></div>
-                            </div>
+                        <div>
+                            <div class="attr" style="width:25px;background:lightgrey;"></div>
+                            <div class="attr" style="width:25px;background:black;"></div>
                         </div>
-                        <div class="section" style="padding-bottom:5px;">
-                            <h6 class="title-attr">
-                                <small>CAPACITY</small>
-                            </h6>
-                            <div>
-                                <div class="attr2">64 GB</div>
-                                <div class="attr2">128 GB</div>
-                            </div>
+                    </div>
+                    <div class="section" style="padding-bottom:5px;">
+                        <h6 class="title-attr">
+                            <small>CAPACITY</small>
+                        </h6>
+                        <div>
+                            <div class="attr2">64 GB</div>
+                            <div class="attr2">128 GB</div>
                         </div>
-                        <div class="section" style="padding-bottom:20px;">
-                            <h6 class="title-attr">
-                                <small>QUANTITY</small>
-                            </h6>
-                            <div>
-                                <div class="btn-minus"><span class="glyphicon glyphicon-minus"></span></div>
-                                <input class="quantity" value="1"/>
-                                <div class="btn-plus"><span class="glyphicon glyphicon-plus"></span></div>
-                            </div>
+                    </div>
+                    <div class="section" style="padding-bottom:5px;">
+                        <h6 class="title-attr">
+                            <small>QUANTITY</small>
+                        </h6>
+                        <div>
+                            <div class="btn-minus"><span class="glyphicon glyphicon-minus"></span></div>
+                            <input class="quantity" value="1"/>
+                            <div class="btn-plus"><span class="glyphicon glyphicon-plus"></span></div>
                         </div>
+                    </div>
 
-                        <div class="section" style="padding-bottom:20px;">
-                            <h6 class="title-attr">
-                                <small>CHECKOUT CODE</small>
-                            </h6>
+                    <div class="section" style="padding-bottom:5px;">
+                        <h6 class="title-attr">
+                            <small>CHECKOUT CODE</small>
+                        </h6>
+                        <!--
+                          Checkout code: webgoat, owasp, owasp-webgoat
+                        -->
+                        <input name="checkoutCode" class="checkoutCode" value=""/>
 
-                            <!--
-                              Checkout code: webgoat, owasp, owasp-webgoat
-                            -->
-                            <input name="checkoutCode" class="checkoutCode" value=""/>
+                    </div>
 
-                        </div>
-
-                        <div class="section" style="padding-bottom:20px;">
-                            <button type="submit" class="btn btn-success"><span style="margin-right:20px"
-                                                                                class="glyphicon glyphicon-shopping-cart"
-                                                                                aria-hidden="true"></span>Buy
-                            </button>
-                            <h6><a href="#"><span class="glyphicon glyphicon-heart-empty"
-                                                  style="cursor:pointer;"></span>
-                                Like</a></h6>
-                        </div>
+                    <div class="section" style="padding-bottom:20px;">
+                        <button type="submit" class="btn btn-success"><span style="margin-right:20px"
+                                                                            class="glyphicon glyphicon-shopping-cart"
+                                                                            aria-hidden="true"></span>Buy
+                        </button>
+                        <h6><a href="#"><span class="glyphicon glyphicon-heart-empty"
+                                              style="cursor:pointer;"></span>
+                            Like</a></h6>
                     </div>
                 </div>
-
             </div>
+
         </form>
         <br/>
         <div>
@@ -158,4 +157,98 @@
     </div>
 </div>
 
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:Challenge_3.adoc"></div>
+    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge3.css}"/>
+    <script th:src="@{/lesson_js/challenge3.js}" language="JavaScript"></script>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <div class="panel post">
+            <div class="post-heading">
+                <div class="pull-left image">
+                    <img th:src="@{/images/avatar1.png}"
+                         class="img-circle avatar" alt="user profile image"/>
+                </div>
+                <div class="pull-left meta">
+                    <div class="title h5">
+                        <a href="#"><b>John Doe</b></a>
+                        uploaded a photo.
+                    </div>
+                    <h6 class="text-muted time">24 days ago</h6>
+                </div>
+            </div>
+
+            <div class="post-image">
+                <img th:src="@{images/cat.jpg}" class="image" alt="image post"/>
+            </div>
+
+            <div class="post-description">
+
+            </div>
+            <div class="post-footer">
+                <div class="input-group">
+                    <input class="form-control" id="commentInput" placeholder="Add a comment" type="text"/>
+                    <span class="input-group-addon">
+                                <i id="postComment" class="fa fa-edit"></i>
+                            </span>
+                </div>
+                <ul class="comments-list">
+                    <div id="list">
+                        <li class="comment">
+                            <div class="pull-left">
+                                <img class="avatar"
+                                     src="http://bootdey.com/img/Content/avatar/avatar1.png"
+                                     alt="avatar"/>
+                            </div>
+                            <div class="comment-body">
+                                <div class="comment-heading">
+                                    <h4 class="user">John dOE</h4>
+                                    <h5 class="time">7 minutes ago</h5>
+                                </div>
+                                <p>I really love this picture. I really wish i could have been
+                                    there.</p>
+                            </div>
+                        </li>
+                        <li class="comment">
+                            <div class="pull-left" href="javascript:void(0);">
+                                <img class="avatar"
+                                     src="http://bootdey.com/img/Content/avatar/avatar2.png"
+                                     alt="avatar"/>
+                            </div>
+                            <div class="comment-body">
+                                <div class="comment-heading">
+                                    <h4 class="user">John Doe</h4>
+                                    <h5 class="time">3 minutes ago</h5>
+                                </div>
+                                <p>I think I might you this for one of my projects.</p>
+                            </div>
+                        </li>
+                        <li class="comment">
+                            <div class="pull-left" href="javascript:void(0);">
+                                <img class="avatar"
+                                     src="http://bootdey.com/img/Content/avatar/avatar4.png"
+                                     alt="avatar"/>
+                            </div>
+                            <div class="comment-body">
+                                <div class="comment-heading">
+                                    <h4 class="user">John Doe</h4>
+                                    <h5 class="time">10 seconds ago</h5>
+                                </div>
+                                <p>Wow! This is gorgeous.</p>
+                            </div>
+                        </li>
+                    </div>
+                </ul>
+            </div>
+        </div>
+
+
+        <br/>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+</div>
+
+
 </html>
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/resources/images/avatar1.png b/webgoat-lessons/challenge/src/main/resources/images/avatar1.png
new file mode 100644
index 0000000000000000000000000000000000000000..4ea864f90009013d7d30ea3fb8c70b1f49c7e4b8
GIT binary patch
literal 28394
zcmeI(<yRZe8z}JL?#10(Bv^rB#fk=ZcPkn!XekcGic4{Kx8R|;6k4=+fa31X_wu{<
zocmYsBFT%{otfRUJDGXr`FvATk;B2HzytsQI12KgG+ut^|Mx*hefj?OrN0>f5ENDT
zB&p@Sc=YAQ>&<*i$#bO7-o&Gu?VKUsO?QUKLA9X!NhjL%0D`5Zr6Vlefig3uH=W86
zhROl^mnF#*Bta<2ln^4%AkT!rV3{}~WI%U4<JAw$uK7sZ-qHTxQE6Y@g|Fc?E980Y
z1zBa?^pWILv}VgykKXUO5PrI<{aS4E>xcSuiSpi2>l(>_w!WLOg1b*QYouQtRy&27
z?PsI9pYI)1XIh*L?;kHF2X5{HPP!jzZmEw^e*Smn_jtG!U>a~&d}o~T@$Mgy;r->b
zYRX!@Ml=a$ndiaWOpUR~q`T64^DI50&c<13d(DcAJZkHrbNC6c29<=1WLo5;lM#k&
za}oUxFnY7<r@BlFK<yKBUe<f0g}XlljHPla<HI{}C<WeZ`d|DKlpdtPFsFh>C|w=Q
zm*R;(syPaz_ryu`v4qrH;7SX3k_3VT?PvdaGUqWQDE-0D3EG)0*BnYtRGD;K>lXWR
zHLHuLMf>&9HQmZO9so6wzxu-Jdr;k4CK-Z?=y(<&hya@c80mj8;mbhN=u^em3WJqB
z`paXKPV&}$yoHCv#{x9)deD;YgakUVmPv1hI@A?BA36V=RFxobF!yTn*0+>nvLs3B
z$#_s8F`<xAS5SP6KJl*q^~e%~M2RSXNbVRP3^3qjHfTrWU`#oxvf?fuufitjn1sy*
zZH7?On9&)}@H(Qaxnz{<BLM(OICUPbZbekkZWrxhT#Hs^7WW25B)F@a8Fw8(s%KVQ
zTo7|S!b#{cGbR@61Z{F~8-oiBs6n1;QEyhph<6OP0x$5;XOUH5wl7$<w~g?uT9wzu
zm#G;d)PXJ#!OTX~Grjn>;Dx7b^7ko$)+r3>jAYbwpdw)`Ckbz}%ubp>c7pfal{EWw
znn^6mj=cjgkhYn=<n<ppT8wz+^OemE?}$@OG<X!Fq?nnZ1X_5==uie7q@yM+&y9_M
ziF7+zz7*Tfa-A9%Mr_L(PJ1s7vEW9_!if}j#UA|@UlTgHE^-T;nd*5uaxu@5dc+YC
zB~#Pg38NJt5Floii^~nPdBC!f1k`*OXv#8LbsmSEQFDtmur2da#K-l2{xn=xheZ9%
zA|8E#=UInAWd2>!6O{af(ntqLn+(mfc&~vKh}ejfd`mhG57Q&A55|$$jKS0|(9fVF
zz%EUC)91g*S-c>G?BWUl<~niKYG6f=_o|C)$wNS6K|1mu`)lZ$0dKAHHrw`UaND;G
z2HjU512mPz#^q7)^5-?;yeSr;;)6li1}a(AhOITF@5|(i5SW-Gj#6RKlkmoG@;cWI
z1Ox8a(61Hc5e6ZZpF`%G&+sc85g?>PKX%Xu)tUdwN@pc!a(uU7=!_^&?8@ha#+!zd
zelynhBIO?nVn87~l&Xx4_=UW1QFi6VmSYus`Ey6x(;O<8lK`w>+i{0HKVAWh0-$T2
z72<B1ltKh^IA*t1*lei+Zl3N<q4)>@+pDMzuMs7WYY{#c;zU0_4~SKfJsk;MeG<tn
zW#w0J3;??xarB)Q>|0-hm6G-6RK*D#&fezRp+y_j7?1Oc`dHL*M1_JxEvmn$lJ<Vg
z$j~D#xx?!@OgnD7if+>y<asfEMG)BaE};D{rdu`P&1yW~$AS!2Emh|%qR$IG%|5DZ
z!7(6BkBO{FbgiGaM7GZF?PufxY^mWqfD|gPq$2@mrOi*bS(q^+74dP+zk(-H#>m?%
zLfic?7`4qU5^%GenL-Lox_l8i)E)|&M^23a8r?2zU0yV;HB;=2r-Xw&4FZd|q^m*A
zJ19kPQd58W<D*Ybi%l2`Y7is}Ep2^IWt4Y=LDt5_X*%%W8@bY{L_5OJh2oE8s)D13
zPn=Gfd|9JdC2v1(9ug#r&?mKfJ`c{_(ciR0&Z1hw>8+zhK8-NlJjkbrD&T(JecRQ9
zNSbzb&{>v+I`B@hb7{U-H;v`;;L}j5a?xm)5CKsjYW(^tl+}-DQ;76$Ks-3!*^Sf;
zxlTxBo7tK4ugN<=jl3JiX1RS}x%S<cip!#I>YjpvDtdK<QN<k{)nb<=R#j@$zj_st
z%1XqBO1ewz(sHDoxqH0WZ?qRMn5>wL9Ww(iKYBVZ#Ms~+s}u_r?mo8&bq9`e`9i;R
zs|k8>l1a0dJ}DKVU8`4QnN(JvJ<|<XU1<%SqJy|rHcZId+u((qQB8AX<;$}w$j!Jg
z^2M%djGUw~Ry&j&yUznfK{Jh(l<t}ce4}WB-XkB(%c-M7SO{FXvKs_=JsMjJMs~N`
z*=+zdOoJ!?vc0B5yR}3u^Awn|WQ$O|JAcP2H}0t&lNs>&1pfVWC_vr@O~!Mp+m_xC
zJ1Ajs8<sB3>Wk58ZvCK6B0^%DSZVQ5{-O8F(4`~j`@Aa8-pJr*epEdO@(6aFqyZAR
z`Uii*uMIe3`oF?t56nyViF}o#zq}fMR)5w+C5ZsumbzEwO~Bo+)_gK+YRO0uYoe&#
z9Ymp75@@VAGnOA5^LPz=S!~0136uVvh5@fk76ZqkyHM)jd@9P8RvW8WeD_}12y>e_
zntKB|VF>XB@oo^a>0aDTUoPY2bA!NW5z&Q#Rwz$#vt$erLS*D@S<zf$bt59IU%sud
z8%v$h^IOC>zD0_cfpW}uE|tv=)9lOjf-S+$uLVWU5R*4t=zt9(V|@|hzmD-X@n+w4
zZFdLi^Q9U8U}s-o+&Qw}Rhi!HPTLjDB`HrMsr4&3eWK!Ch{HYo2IS%5gcaL=3TdKp
zHY^b?<}oNI{=mB-hh8Ba#k}+<ACw!5ZJg-YbqE=zIAv=Ft5(hsvYEq&BSm`0hU4O_
ziW<IY>i<B7^JbHq1P{eqncU0512VF^F_Gq`Ir)&bRq=aMCQSxDp=AmEHQwwUn84-|
z$s+ZO2C+<R#bIkn#U9pu$~hYdI;Ow_9;2Kv)6a~oN^xgsW()JX5TaJWK<WM>9P0KA
zt)`V{@Zj~m<_}XUI88Q9j1j*vUrNg&s8b_pqO!`>H+#4EiE^UfY(3+-Md&}@CE=}U
zDpuPrH6XIgODHEJO`h3Dg*-4wcgu!g37MIE7qqqwH;TfQSnsf_`ka<GcIiL=7}(42
z26^wKCtjrfjulm8VcM~=Edw8*8|yV7r(uI=i<*{e$y0R~rV@v(2AlCE(D<!(9iqqN
zXjQTuTWP==SXc5_w0_Rb)*{qu*}lVG6x!*F*_Mh9YXB_{tQiDMsbN&XR;RuPEPa$~
z(>Y+d^h!1X+xuWJ%->?;a5>H7p<1vuIQ%#M%L1GmmSH?|trK5XNiDXPP2Hj*w~d!S
z@+2%2j76ao|NKuHhtvbi6+xU=Gp4|dy<zB^=$W0z(sJ9BuxZeDeeD+BfJ;0=F6@h$
zk1AmI8|E&k|3ToeGc<@#+SIq*N0tl<r7x#$6XMg0F8`x{2FZ~si?pjBf1+IGU8kST
z`o9Odl!kYzM5;F6ILnzJ4f9hNv8mDr_E-PtvazYdG9mten??RZgg?qAqKa5Ff<fnV
zVSS!!IVBXzP#{YRl1<dyMFz?XbztAp>Fc_ehUeE*!ouRCR~D?x6Pq%%z%p*|;LI-T
zonSO`FKjX)e$jAj;KAK*svWnBH>mJLH_R@GU(~=Vrf69CCXW>uL5oV>Mv97Ph=tze
zce$<{02mVgu*Gan`ZRU~8yIxx9X1In<&K3}+qz3?|Kl5gE9-m~D=`18?4m~G^s|Po
zI}Bb(4Grc^nsFWK2*R?br~QJw6RsG%r?HXS0B^`)v_`9f;pCdY6T61}C(`*RxdFP^
z@CF*E%{QX57n6ZOnyhmJuE35*_14CsUUmeiNf1`JJrn$A9BLoQnx$>H@oYV~kFvu8
z1}i5zkO~hsQX>Bh&~LRgN;>BB0NI*@%>|PhHxS-;$i7E_+Ot6Q-1gj5bf-dwolBQD
z!(89>`0pZyfMzpa+Px1N0|7Gp1`ga})TUqqoU_Xn@d$6BCe;LfD(>|lKTO33%@8)o
z1lBvD-XA~piE*HMoHO*b+<W?G&h<cmA_@n&(ch!s!<b8jAPYlL67Zf|yOl=ofYYqj
z8RjD{flmh+DeahjnkHEwdlzhr`AQ)z)!rZwtG#}Im+r5=o!&;W<}lnX$`u8!s0=P2
zRq6bfhYHuY{MOq3kCNZsN{1H7uA<7@e~4$0IFOyWH;mspCmw@G{X>101gfTF+6=4H
zkKoaTvk%c&tCE1I!V}2<ugqNe2v>TirVEh37Fq}b@jJl=D(LU6;bH3o`VUOQJ034h
zx`64O%N2uuqK^55{q;|PI^b*~!yA4V`)Hd;2g+!NIeN8YAdVtHr#j50CboYrH~}cX
z%1%VeWt#zjXtTdT=QW1=nt+-a<TPWth3bPOl_$(*#5BVl<Jo+#m$N91B3)#st`u5d
zy7_YPc`^6d0HZxTU_YmJJy1|r^x_ks1|4aXN~=YO4h^m-4tA}=>QXO2NCTFu8U#ga
zOFKv`?DPEF-+Va>3mE4qg9!A_L;|;!g`eL3-J9X4hhho=bbW)PEsfn&Ufu@}d(;YM
zs2+bmNIM9t0+F))r4OV=6?$og&iTMn1$!)DDes$)$&zvID0`}V7(i_<oYpGuY=er=
z7(jftKCKFR-hbBo^zzHfrr><-9R9g26eD4(*$RH>pcjrV&KaME@joRTE_hT?%2miu
z43AbbD|F+r=LDe2kqzip<SWVA_plLgtzlcp7a^@0f3W+R3&&0TTFA5rz<hbmYv<~Y
z4P1^m;tWR=-%Y+RVuos!=7OW5sgxihC9|LmaWc4~4lUc!H4SlV^%3RK!?v>Uy``qG
zSb--xx;A#i+B)AYjRXNZ^ps;6Yw~Nu=O3H0KjAQ2yqnLv2QN)LLoB)36THT83<b5T
z#&C>;J-<wm7&X|JMUA?5j)9mPsG;fk2#7u8qgX)+y}#*vumj|Q@&2j-aaa1^m{{`+
zRfX%>e|U(jBj?V)t5q`u*V~uboAg!CCkm|i+Lgh=s6}WxJgWXh%vd1GduGxG#^U^9
zhk~J~oqc~lWx$<veG)x|E42My&Wp6S>R3H9X%`n;AZs^lxG$#6rkv+tp&U^WQ%Wsz
zOR_jOI)ZKK%nw|r*OaR+29I%S(%cKSOSN5b{)5cvDRES2$UHn-3iGv78|Tc9#oIIP
z_Wp3C4_!0Po}VnbAnGQ_O~bf}FE1JsAy{BOJMZspi9$A;^GUW1pb^l$Gd7weC%f*J
zxE1>t?bY47NvZg55SPwlSEHIzrA88pGKEQ5u7o}&Q7LK8nJbKGqW5Td1Tab<Q8(yi
z?on%%;Pv=YNr66yAg^V1o>>KNB7CM%)fG(tyLWe%BaS{PBvd6s_B*e@a8jmau)Rv3
zf*Y%<1sb<NZV)n7(-UsAHXycn6zJ)-fIdwW88)Ee&;C_jij0jg%8Nsxw9O=aF$MS9
ze+~I>Y?kC`^QK-JmAp#v3~O~SbE$N>mb9SPV~F-<jLc)8V#gd2mVJsw=FnBqJF%XE
z^|kkfs;lKrQ@PK#YkN06|9zQZS_8>cQ*<-uV6c(hSCd7onYGvX@*d^zrQ6`#h7Vrb
zD~mTd{}Zn9a`<m8eLME#qO1LVrOQOE|FddK1*3q7qi?HQ#NWYo1_V;amqo`%t5Iow
zkNtK(3$XjW=k*Ok90L~{fS5h-u|)i7jJ8ZJS{4!i590oDDhEQzz2~!WW!qVJAtJdJ
z#Ew*t-7%aEJhJs%{_<=SLyspbWlB+JG5G=xy7E;bq-arqe09Fq^=9Yw)vB!%Z=y4v
zq($6&4F#X#Wv`DVrcoiKPVRD8z71bx#`|v?3bm8aqIZJ1!@Uk>aLxN$a%V^-z9H)!
zuw0P>_<Qfg{|o!U@Bbau(?Qkp>#i(c#HB0se9+@Np2?@nA42r*k7t=AS_hN=*(kQK
zgXDBVD#8B48N=s4MuM!aF@;eQ$c=tdE|f;4A%eRKMD&~OOd|{w@pRV0_mzAm=3s00
zO;6+eJ*QR^zjZY>zISscnqD57(HsBmPPTb^6q|j%=!xQyijpZn<Sp}Ua+Eq~kk!~4
zDZuwt@8&OeKV00<<ms+4^|uN>&{x;_TVGuv(Lf4zWy{)&JyaXeM1W%dbY?`;-0Ezm
zUK4DN^;r*-uAqnSLdg2^;&OG5^1_QE(<K$>e}{;nc)0gHmhH-}V=wvXCOf^C1h-n@
z%szu=Rq%d$BajA0PEJxxMYE|o;vkVsH%dEH<{CCc(a`EqUimxMWGdr9wq==q`5?sy
z6_2tv1xJHo4q*eVnU{9Y^>AvwoH<qisn}>aD#`hy7WPb=HQ$!L$*p)Lva>z~2eA$I
zf$C%&srK|Y<IAPJE_yB3b#yT?O~uyhszQe)O#ggJ5#8w(B*Wd2ZyWoz*$Z+hJ;@YW
zQYp64<>xaH`v?6^wmP!wBvNp_u%1r3a!RR}&I;O1hj%<%Emd_%CF^dhDeiP%VaM)u
zH%|A&!D=t3`N^sNU0nQ)(Zkw*41@X~*8PTxj5A(hS}hrf)@Z<*O}0@AhGPsGivUEI
zSv#;Xjo}zJ$D;MSsti$>!1h26L*-E2m7HhF;MG8g$nHSOCZYrc8Gre$iK?p0vtrLm
zmqLV>V@Y=9MVZy68ymmfSOZm(&X$d4?}j6r(GTekLE_&n%^<t5vyP$fG=!$AH758m
z-tJ!XV!|dIWRD}|PpEylMQQV@nOZ(JX>|#D{2q;6qi&VV!SQOSW&a*{#Ckkpa<WA}
zeILE~-DlY`pyzzFCY3VDKF*VRydV=c=nrw!18xTj1<h@9aqqM{DAQ0c8%aC}0t>6h
z+;@++E;gP-KYaNVi0zK)lSVogV@q4SllJ`&?4xnYfx7V6N5MBdO03}e8T;8Pb@|n|
zXcN7LFH^;>Cx?vBJSs6WmxVVeEBW~4y3D6@FYkwlBfa@QU6V>1yT=&nr-52lWOz;v
zkN^NRY#FlZj9LpQ)V{;|{19&4<Y0+VZPM`DN|fEnIEf3;V*QIy*v(9QWWMiWE4ZAN
zYJmWijfX^@6p0QS=steZQ_hsyPY>s1$`uu7H_w@Gtt~nb(TM<zWo`P7y9!m08=8p>
zF(7$Y2w5=x{BlAo;Mi$8);H){?-5OCgoOsVL<VXz^Ez<8EOMp1!x~*-|GNrDm-0km
z>mOp!4&IEkYzm$4`S$b|EaVk^VMvODAr#)0HwL~QdrIhUolSaVDRsBPk9OIDFWCej
z*V(8c$BXR=Rr6iv8VKC-3HWBlFF~I@>_9W5$ibB^k*~hQu!*B)6tWpfK;FiBSDlcv
z-nwht7>W8>DzQb}z>?I??Z%#EyOSNNm!bd`UBvhwHQj@rtNA+D?~m8+s_+H@lr7JQ
z5wk7g33}z0l@t$f3gjBK=3#03x138@S^=0(o(s-P{<}`@UsyytGXKb^$GCSUb_)Ku
z$KEo=S;u)pUrS8ukeTS=vtN`z!agDl_K#({S0K3GXUn_n=|8EEwn#&Id=4Tl*@Y`-
zXR1ROKn+LX?Ib~<4gx60@@#JQva>)+zF`(b+A&@qc<rb=NuY7Bb0(Z0hj|2l{J0d`
z#}2K!7O>qh(id4FF@jf9-~b`LWANbB7$w(A!vKxx`Q&ULZK3d!?rU2=Fb|T6u+n$c
zLt=rDDwYvaM^<?t>U=fjyi;%UtXc}0ksMx1{EBC#6{VO^OV{WfozLZQY7Gts2V=n2
zoA<IxG2-9Tb<)%DmA>3XzH2t4Ee8f-z!!Tg#a4RUHOF0_My-MF9C>{Y(M~&&w#I8M
zF>G;80z-v}^P}r4qCp^QTQ8T>9}UT2y(p`gGg2TiBHn=`-c|ywmPM1_UDfbKfisc&
ze9t8O_^`mSyoZj|sgOpwkt4R@4CRHSuLT3s5x)z{Lq6-R9l!tAQA7XU#>~Zl*MV&7
z7n!2_AYRcJ>BQ3N$v`8kN5@-nZ0z`tqB^W*BmIDoes{M%aZ#^j*Eol?alxGrw#%@(
zyPy)B6S=X5@Mxh4&kV-N3!4Oly24B;SXe9)q%dhFvDdn}HLoiWucfJC8;jiRFtPT`
zo<0Nwv8%hm|Br_9cg#fW5#6r*nyf`@18U03@|p5M7Y!<q<Mx7bXJpKCXHNNtXcOKq
ziiOPW*oPbv<wH55ultHbs1Tkq_FrUkNhIWE!!+}0Hn=A;2bgZgCwJ!q7u@)lcJs^Q
zQ>Tju8!~5zMDggd><Ex2rGEEu0lVeEiT5Vs^;o|sFIFmr0=TxJ=GHl-UN;RJ<>0X~
zxYUpNXfZ76pn+eK2tcb%J!-v8ktgNT@Xj*>Y6^ZDBezka9x7nS&`G@4AlJjxWlq!S
z#p$&J)j^#hlRP(p2*n&%))|ndAPvtY%6M+C-R%r<Yn%$yD0f4E-2#>pHxO;>$)iGY
zT-bcjnA`1cav8Gm3h!`N;O_L~kT<m0zCf-iSkS6>r{VWG5I@`*0^S?;{2nXCGe)q<
zW(1)8oct@g9rq9vHCOAFq6Z+(8HuCt2|$nU7=V6=jKLjin33W|*f5p<ZUJ`1!>=K*
zd>QCbTx)c>khsuBvgm-?a&zx{9IaG0y}b7t?1zP+E9;x!8_aK~`j&>X7)k(<-MuhN
zE!Y2AI5(-ppx>i(xbiqr^qa1TkKP)|qd}bVSijSDfY_0}i6`ao)3sS9jelT+#g>Gl
zS-f11KlbQep08@_p5_Ys#zUNj@iG_#Ry#b4H>qe%KS-*o92M@AzC6<r_`!BcmX4Sz
zFk#-W@_LR**}6t_>^C$73b5LC@Y#ujf7VOP<B?bG2M{e$pFcTC`0PL2E9uH)awEtu
zd;BtwMv&FZ9EVv<xHH4~*ht|!SFS5^=2DpP<G>RoLk`QyhEA|F!&IkKZysgIRC!je
z@+`gz!Mu=EA~{_p)Gx%M?bP|0dQH{qrm94aIjqE~n4yJLf2*1Oq?H6Tx+Tkvaw-D&
zE@*HXS;gXh!>-nFfz>?B*~IQ+`+fZi1*yX8ec$n@<C{fTxFwBBcHW0FM^AgGy3C!x
z`Yp7L-;``e@WvTm1)n>W8Y7&2<<regHG#y{ITfV$<VQBStMo5Fc3CVm$#l@FlQSwA
zw_xDr>N>TBGg-$<Cw|}0@DMMAi18$(u$-KWjeddY)lo`y?Vj+QMCS=?2YzG$^$EtX
zZ?Gr1e_jkCeZl?4BjrIA<_@JSk2Ie8k5j66E>4Tahlw|cH8L4%I<}ub0f2@lhG)FY
zLPx6*WJ3(gkWJ=94I&7p1m|MPRnog`F$FHPawox7yA%Bu8<R-Iw=iqXRjwW4pXx6!
zE{P3<;A=!kv?0pyNhtedNdJnihxw<n73Lm}dJ%H2MALh&Bw<bSXg2WK*bO332d6N>
z<c!Jt*4wC3PR1k!yBWXuT(xza8;g0}bH+NLAx-T%SQr7zr=Y@{WsZ_99~<b<gTKvq
zss*Ug4NI)>M(NP5=gXAw2#*?8iIs<4)qxB466Gl3fH6b*r)q}lS&?sy;$JojyHX0n
zMh7H__0K8BT~@N{XEPVsx!(RnQ-N==SveH691@^HtM1C&4n(OjS(?i~Z7bna+M{RR
zUnk~Dn|7bIrJm^MzV$<x51HMRG0PyOz-Sn;5!FGHB%`b-VLU!Cd2bkqMTy@%*`iyu
zpHCaQ)A&HWd2V3;a{^n4Z*%F|NtzJl)8Vv*OTA+H;W+jYjCrWTY8L-W=y#>`a?=+|
zjPK@5i3iW4_4GWo^08lgFe=LVdvFD``b$F(CrIFgDzwrvosB-J8D6^)U&yiQKB$v!
zCPa&O`C?jwaqQNNE_we=8fDIl7d@-$U?fqmP2m~|mXvEt#~BZE(W>BhW48%s^jeed
zR3sX0hT2Ewb_85YdVcOS&t>wBK&$hX8`5JCOJJ_*IDVwv-Cypmy??J#+AvV46v%8D
zpoX&Wa91k+j3?Y_rZ?=J|12DY<wRMR)1dgF=*gCTWI<1LA%ng$6kZH4A{6_jTN(a{
zXnjK186m&%w2`Fdl0O|RX2d7Sf&L#YMxom;Qb$^Dna*s|tPLgu+|Fy;_ICdmGCZwf
zyIxPrbqNGu4lN*6uruP0ircrd`29Ajw&BG7&|uJ={;aW}Dt&81YH!MHwNIo?@C|ba
zNC%@AgaD<|k`8dC(n=*omb8X$etoP+umy`52xc7Dk`bMYaCBB!=pSbx!(=v%ksH@L
zplE>()z%h+npaKVZ{cB`^oT}YX`ubad<GKbJyxcO3idaLU3NQRCkR!df({wj0-SB=
zgt#&Ic%`7lB+UO!rUb;o=6*#=3ka8oE(U=n=IT(Bt2<T(<F4LT8u!(~3yAc42STyY
z{#sP*TN9ry5AQvk>izVg7Z<0H3wP{Uo}jh=Ya~8()R}MYjudD<Jwn$=2wN9m)y^+W
zsZ-ZykEWNY7O;2^UljF`7`C+nj|5p#w}1S+^d>o)RZ^wYoG#zXXUUfZy6iiM1+Jzz
zxF-kTurZPm1|pGl22SA0Lx-AHtC92cG=#GI2|1x~&SXCQLyIq>f&ltdpCB-8PNtKC
z2*~u!thtvneE(0kww|tu(AKv*=7oWT#SoCnKbf3#YH0j3L&(_PTY7zd<hCyp7~W<~
zf<JdUSNTZFwTVCFFu=5#yHG#zb8)#hEKyO7s3}*|s0pg(V;Tvqz1PSwVazQmmoBKe
zh9??U=f}XDhc^3_QAsIo{Pe*I(>5HwO@ND}<+zk9DLgFJba?R5mW(iKXpC1(zlHX1
z5kjz}J^iIcSF2G@5s1Bc=EGynSMPBUvG*q-%+i4m*|CmCumc%>1>}p~=SX6shJT1+
zMj||SnGra3AB@MapdTdZI#$r=_gv0PLV1ZAGaSD@-RgnBBRpKVZz^CY9S&9<s^ycV
zCo&wIb+>h1i35T46(Kg~&S!}2jaKOxK<MVcb^=r2`qQElh4W`sUTB@Ul)Zi>!$1BR
zo|Y8C(k$?J^u>^t^|}#+yZl!K0Z(9-Hm+=_9J~5>gzX&)M~Xdq9uFhd1B)bGNV^kj
zwbcHk=rYzdAKNeb=DKbO=cqpO4D-r6YgjScf4bSdVLgTF->%RpST&BS%w%77Wzim!
z?VzL(1MW~-`@F=@v94nk`NW-_-@seEgG5*17J=I1Lr}b9Qiao{Xg+DJI9o`5TrR(W
zUs;)!-vX#i(~+GS=ILqSEulYv{{cQ>aIux9h&uQ!wP1uOCJbNC7Cf-O`kmCr)du|S
zzXB3%?cKLLn1<rgh;EeV#@bRZA(6EFI*^Iy2mW*H>R89+w?C$ER}^$`PHL$Nx5yaP
z)$bmyX3LX)^Zx5jZ7&ijo*7A;`(&c+k$cdg*gg|2uMH9eo2xX~+bIhv3iynS*M;l<
z+x|2cgLjMzDU0ZS%+!E4XmVyjghUjZ7D-$-lyF$YE$jl8!c6AFD`T`5(JL?8FIklI
zUl#AlS+;g72<8rw_6vJEEs(TmTlR$(g{|l1$X-w80}+HOKa|2ykV&afTS`XRp<US{
z#3u>?y74<U&8xT4{XV?8eXzj0rK81~IeWe8NlJ-jnLCUPuR3ou(f`DLeS41udK#c6
z;bXf1{xYNUeO2LuP1QjZ&Kt_ODko%k6cH3ZV<#tEr-8<ZdUB>Pz0(hcF(u-ummFc|
z(^j{PmXCdeZ6Ja?fMomof15iE&$)I899-3v)%Bo^x;Z`fyPVEv+lZHX-r*=t@FY_n
zZKAlNqMcajWyyz(jL^*{C^!mctadjvU!IQxD?}SgFdcz6M0={WMf3q5`KyX)u2YBL
zJduW4md29U40n0BZPv}W#yJ{<Ms8#L4svfhJ=zFUCVy(9P&<W;@M!%vsK^nU|5GyR
zqk-T%rr43k!#`JA`rR39-(8AEr;4xTpw})8-IJ(2DsYW3HAfNgE(4cTtw>w*>gq+%
zOJYC}R!4d>c~MsX9={<{B0~l|*qF)hw&3b|-S{QKM-Ld)CxfB|q$ysLII?S_arX-$
zjSvql0`+$Wol6WpP4Hh-P#9EN5#iK;rv1{*eopfCLe2>*gEf(X4*o-!bJAVnO7Hv*
z`q@3#7I|a+V3niy2_r;-?1K$oD~mJ;D#OjM#3=?l@J;Z=$Z_zEGS_miA!S4s{hR;o
zu=-nKahDmmaS{;$2H?VvD{}8FT_l&_-o>NQ6$Z8|qxYJaM)D5pX?82WX7-1gBD=!B
z#d(P>epJmm@i*VIW82fo1u7kL1cLcbY}=C`_^2}%zK@n%mmpbo7b8g<E>*<c(m1j`
zvV*D*e8S(1-^Zz_>`7WDwMX-XNP4wcecRDFG|98}A5&p&T1xj2a-_HJMUnE2o=*e%
z;dG%UZ>HGZdhGc3{x&;I8e>6c`$bMH%d9Vsq49*{!EMWAJWNf3$ngOPn6QkNRnwn9
zUpiS-*I(7+$+@UxnQp$~L*CuUNF|O|EE86qzNEXZB@P_p>Hr<rRrv1dkp-NYxZ^wx
z^M$?#gdob>VzT_nA1GwB@n#k7@()Jm;4_zoT|D}u?%pQ4dbs}5YHxE*jjs!M<0ku~
zESg_y;6E+4{E2HF#XyiVNd+R=rMr-{0ZVOL_#dV=-gG*YM;kZxzNK<EK+u{*3n8f0
zZbl)HX%WVwC0=>Nj09>`QGJI21d1mhY=2T?)K6*JF7a{tZ;L4(<`}@o4ft8XcsvOq
zgl$?Y-BNvxC}v&5`$r0>Pmq|ss-ozi0^8zHS*~<e@qH}pd&lw_0qAg66cx`lki+;~
zrTemzkqhDGDT>sUwHi##$T^~nr?uB@>bEq@#IG=8qPs-&<;wP~ZVLrqzb6*zE@xPo
z?M+4^Z8erw5DY~AIaxPS)sbGM=o{<P#)DZDG#!VFiqgokNJ)z4!XkiB8jDO9+Bb+t
zDoUkV(aurDKR4ID+TN@Rq6EuKhx9oJCntecM|=RXO07RZ<aQ9cko)}ztei2Bh71J?
zyrBu>l<>mMZDeUdU#)zKSkFX&g!SD~aZzsNu%~ba6F@hVhgUTYr#!kcrNF$#gF)nb
zS@zLZb5X9PVLQYH6Smch5lj}9W@VCMZ`bNBZ5$;U<Y}O1tg(?~SBgQ}n&!dVm^Dzx
z%BYUhW!39$C~7>x^^({l9Wx$nDP2q<b=7!*Dw|kTDNOQ?941v234+9D?xGyVt0g#c
zn`lWvtagnQr~=2r)XMi4IBV5#jt;BkVPSNF=@jpb-rC1#`O@Q}DKHWpNBHp|KmoBz
zkQzsS5=+>Zl|-wR!y3D;(B&H@YHD(RRHO6qcP2$?&E{psDrQXZL`g)tz%zRODzmyo
zwgWMZ4Jm2Ba*Y-%30U9w+@v!!D<J_>p9BFa+P>A5T%d<E8W0RBE(u!KzlR3JVn`$u
zlN{57nm_qsS1a_q^s`F39aK$$1Z)G2k0H3a)#Mw`1=GS6(Y!jbfm~e}3r{)68kK{A
zpkt;j8Q+nu|5PxV`B999Mb8jlis24XGZpIas87Bl)^AmWATK2l8cm_Ot>Vtm;?xPw
zG9>W8+pbP;+=cpe<eDFZpIV~bNA%fDsK~SSi`+j4yd-aV<F-8{5<xfgdn<_+ggnWN
zOn&?Z8-Z^2*I$C}{au|_PI<NYFXb7A!>(_sVOv^J!8n7Qj3JqmMGm;;0HDlV_!XT)
z%B9<4vwApTE29^-8RHFZJ+Sg1J7h4zmmeRZ)XBG*Es*YKXzK?IpJ^L1dl^UnQMFr-
zr|o=Kh|&z9M($BMG@6A}D|05r`L7L&Dolg&Z8<^{DN66w3=XO*HHAxsP~cHh{9irR
z!KM{%mO|Ta>}RhI5rV5Ks@5XX<SblLILIXDb>qCW(1d=yONpXF0^h-xPZMYSfL=^T
zlQhSFVaz#GW99t%oy8=b`6`rSs|z7}_ff7v!Y})u!dLk4#iW!yz4M&Nn&u5;zi)(p
z#%F+(G@&@9-h;5nu^S}tEZs(@bVtYqkdvA--EM6;za@r5L9WQdwb!z*9*NXovEHkW
zr6L3Y%5*|ci&uG0BXxv86r@NJrv#nHuOJVG>Ue#q2-&nhIcma_HY;5BDrjh&YU7dx
z)R5gX7#!7hII#SPY4V!DpDZQ~Kp3mudmETGT!rn({rE9%oKj;`@ud#~c3<^Hu6X%^
z4znoFz>Xi9-IGR6Xd(g4#&9wfY!R^J`Mie+J0J~Y>g#Zgnl6u;p6$EadU?KBG<|aI
z4Efgnu!D!?g9pAYQ&h0mAbDx~t*~sbvsqxa9@(fCWK~++iK}%y(pzkPVlHu3vc&XU
zF6;yMRNI0Q07x4$)_|5E7S6ligZFe!C2U<V#7AYeLvMAGrv$zphE?q0#sG{60;3Ti
zU-rtl2OAoDV7mc-B~+YGy;FMrmWMQWsj>8<lIzJw;@+|X(sraLg!%x0CBA0yqimtK
zF}NHQGH5swBU;^#{^R4$U8R&O%WpCbY1VXCT0MHvw>ocBcCAYUX8&=#G@~92f^gOz
z-2#az0ZW1oYUoF~*$QZ++6o*QD*XWNWLLeD9oe3$976s&XQv;<ovbR&O%tR|mX4|h
zYtKjc7_@=x0NsALMWB<Ter9TuPbMVx;4@9LJx!ai%UkLZN=n%+(9m>9L7V!5VZ}q+
zpF-+{@<QSPEXQ2W4_??Q6Xa9^y5r)tGSrKU6)hPXZ~j-^3>=Yq(ov<&bf&~Vq#pA9
zM4`CxD`tMkMMP9!Z4?alU5xj6rMl7SWK(wNe8|TaSHjbBQ%Tr7aP8OxEe5AgSZ<v1
zV)CIt`0q;^Bp{8|x4w`_tlc{b7tfvm6{xnCK9M}X9B;;Xp!Vl??H)X99A7x=iI3Wl
zcOsQ;1W2kvbp5N*c)=X|>z6*IGxAbDZ+g+qe0m=1pIrpI9~&(a4{mty4wku1$EiKM
z{pa@q9mqAKSPr`b39blSFN68-ec#LTv)a&uyG=AivkK9^70Zrk4a=JeLCA?`*T>=~
z&4)kvZ6V6S4QA<f9jO(eXJZ!#<~iwH+p%|RhI~BOMy)qB1SiMV14zEz-L5cI1ZYM1
zxe`#n*48?+4*>D+ozxPprmfyTrQzg(oLPszSrTh#9NsWv<0E@RxZB@=@lNI~cFInW
z&zb1iNw>n6-I;=Q63;sj{n6IJ)-NOkRTQ|d%%F;cmv+_y=})D3OzcdnXMEvg{`eN#
zmi*#h4j799d11F=)9Of}r(`)sA0_>Me)tZgBH?}h_4HA2r=`Y^k;nA$d5*38-1~x~
z0_rJqw`!7%`|_6(SUIW#ZqG3VlEzqFhv^BV#*sr579R7Pyo~VJxQpg_Exk;a?xfi=
z9<y(|=r;M#QF9GGsvG{ijRTU|#F1~BI?2Bqx3yksr@v_H^icBLoLOnp^7*giNF*eR
zI*>iy;NKP^;|RbH3gI=@7YL6dC)^*-$}Kz1yl;9OTMTZ&vws)BH5`v#iai353w925
zJ^R3e7UL&VDQtmD>HD6fr*CayI}X2Ckhji6N7Vg`Ex)m^HFAp%(5H(ncbPPXx$@f$
z7AwYf2&ax{Cu8;d^hTK3#O%@jR5y=t|A}O2YD{q>JL_j@GQ96Nn<fs9xMYHM^YM_4
z8&>!5Kgu8^iof|LwP`mhDDa9A<P#kxQplk#8fG6A_1}fbo!Fv=D%#KPwS!F?m5af1
zo)xMOLy%%3)WV!mN|_xUm6D6f5~kQw{}`mrUMTlR8ur02jwUSGM(>sWrkZnhe-%<n
zFqv%if4RxBgU#3ea(_(NR2f3B^)Jy_uL`bEH*4OflZ57iux-NMf6(QYEMjN=ak`uo
z9UkpEY`OHenVvf5S}dDa!qf9kFaJDzd`vCEbh(>q)-TuwKad@4^{Jb^?~nQP6Z-x}
zZMZVT&R@{r#?#oqiJJ#qoYc0ZU>Y^aRF7ZZ%B4T^G>hnh@AJvzQF)ywwL1qTP9Qbe
zymri1Lp{COxH)V08*33^pb_&I9EhV8GMl;M{KdhJ6csgFdzU>THT9Y{Hy@vX9jG<j
z<2PV!;W5FZ99(hYVZV;=`t`uQ^~#<h01v~j+ANDu>t{Fbj44-Kv;;pkOh#n;iwYy_
zWnrqgYSD`AalC2T=%4(8hy#}C*=6&lR#QHMwQC$UNA;y5PGid7-T6+tx8ngG0V8(m
zhQ#l(vjihYOD;<`f=r_xMs7^!OK^$tZWC2(p6Ga$X{xfV#C7^>3+igM=KrwcmAP&!
z8N7d@6z<G(1=M)tT|}>y^6OXcMet;3d6@}3?U+zXmmQ~DoIl)G`$v=}9d3Qxj|jL;
zZfX7+GS^&Y9Y~kl0(lB-xpDrdcx#lu@jxjuLo6Y}U)_3okFe})8KsSrT<fRGw#y~$
z720_t?%%5D=saC|iJxf<sCh$o7^PPSWR#mSz2AulQjjSW%(|jBQzObH`4x+9wH&eW
z*gxTMJ7m*zu;klRtnH+}-9V!;#CUXk#gl@48?2&ytTKNdzEI((sOI!Tg}4+lJ+{+x
zcMWU@e%${|O}CJz4sdKu>wHNz$_Pa<BgVtpv_{arjG%3q8dy^GM<XM<9QcE?;m=uW
za$*9As8MwO2hoVuto8Xr(!rE#vU=)OsBZ`n+xHAAL5M~Af%ZNgVC1TEme;sc?p?2z
zRL=aS_F!w4NZZ!wXo3W-UsCuJ)_YUCJ}uWyHi_@kbTVyYBMiQGhxxS^gW+MZW3~Lj
zEWyg}XSGJKSE%uR|9L_tnm+NZD*d|O9`&5B`H`5WlT18trAL;S8D*9=jZ6vWGeX@N
zf#ey3ys|ti)pB6prIJJtT{V#Q+gKK*^76Y?7ty)cBLURRi9}9mRzD0bj$^a^bkNs%
zXPT$dxkjaXmo;FX-}hW~(b`c{#l!EIyy-OKCzMAMkQ&*K-6LL~2j)+Si)T+-j;QV*
zaHDr=yNwn9n{iS$>J5)2TZ~mP15rTpROL4OBg3ET$1v$Lo@>59(9^YMywrIH9)jOg
zib5HDSkoj7$SdqSYqD7bJikopVO3!Ww0plSC1Ragtc2xx37tgDr_K=HkYIKETl?De
z+cQDC>Ed7WEz;qgOPmIWvq#HcT~)L6rIq-{{}%mR`%kD0kc*bYAtp3}d#N16yo~As
zZ~7skCR9txCPhh<v*cP5-`Ydpu(QXAmtiY>vmJP_|L7_`eqySY$)VXUd2yO)3dau-
z%SF$#?x)nMhmK|g!d7sFyST8}{xro7y-gs^!gNK_rqY(U8(r|3y75#~5bV)buv3e-
zdxr)*#C3hi7$haQG!^+(8r@36Oky@kgP8_(futb(^{xm!_x$&h^K4?H3kZQ^noe=h
zwCKx<B6bE06y$~Ub&%p=Y<>F0>QrE5#3Lk1h+Uy~SmhmvBd~PRUOS6v)*ZsG!_TcB
z*q|Y5X<9?q;W{TWocGL3rsY3N4&~T`VKRoez{Kn38Bi#_bq&EXm6-d8Z!_u`8PDEl
zqyaLrr;+k_pL4L)*7uXOi)iZ{5Ba_0yAW|!U!rzl5_N}!UVNgS$jK@9oU0&VBl;RY
z<Uk_$lY4uK(_0XR*}LK&=9O&-ziQvGufYZ&BofTLbc<GD2pq%!Yi6>;k?zpGO=2kF
z7D7|U9Mvr|e~>l3AXfqHwQl&@ejZ@562mMl9*y%qPHl8Z7|GN@3Jz+y=jOzh1RV2X
zk4x-9khW5&Z~D62Tv$0S#l{>3ev@L2mJxQD<hM@XvOitUJCHJDw#VNi;@+ydaRq&Y
z`SUut5}H}P*PrMoVuvk{ad;vhmzL{Whh*wNQ1bvlGiZJDXik><x{shTMI$NX7j%^t
z`rEZiZRL?BGc~98!^^!qF_*0(Cu<;*<|hEC(14qKzK*bPe-W*jPIJ+iY+Ks(sxD#6
z6=|sJTy)n<RGrKbEBt!Q-RIdkta5Yk^L7eFj}1&OYlFtk^dAd~k((0Mb&7FKx+g<<
z``Z9sj>8g3p(W$oyGgNB9klfCE(MLGKxPl=bgeqR>cHZ26j<-}zh(IkP^<C*q^8W6
zDvFYdm95en{QX?phXL=}wuf4+ps~7+bHS77zw|^-)drpJsGa~)jWVt6Xr({fv^KZq
z4(4WYNqgy;=a4jVqvIq}{>BZzKUUvc)0<TTu^?&Le0?r~=0tZ~M>Zv5P`#w!whb*>
zl30h2j5>JvtRkZf5Y5?Ri~aY0a#GodCHCG|$WKnUiMxC%qKMcKvvzOP6&Q0SpGvQF
zXeJ>dupi*Kaw5P)`jeiTd6v}f&vE0oix%=sq95r}zE8C()0R;SZ3rAIq9M-k!~;Ne
zOS-l%GqRCeE|#HOIGUJX3dR?~QQ+D|k;z?e)pTo4iK!~}H$Sz<mGR=wI2`O;;kTGn
zRFrg=yOA#$eSo{5IU6n$?LH5^B0*kV5tf_#j6VQvkAaE4=VkWFx5Y`WPaXpu1J;&j
zR5tw^!>1L56<U2-5c}a7AwN?ojWD<lZN`pi=g1FFUUN@{SU@T^Fokhqq@LijhKnpm
zT#URs%2r?ltr%Amon?|<=Z%z<+v!J|_Wt<?S3P=T<6~!oWa|Hfg#;Kz7KbB?P1rXM
zA@B0C_G$X?A1Xm{pT8Cp7XEye`svc%zP!?~adbQXQnkW_`KOntdVvfj_O=#LZCt!o
z{?`ND_;ybf{)8;#kZ4P!CxI_0q;6GG7TSLVqIpo`MEgAwjSz}y+nPNurhfe5g9grd
zj5MIXrPKW{Fxs*Yq;~folHt+rH|s;Txff0cP>@miR3l{;{OuLpy`sBUboYwxUeVnv
zx_d=;ujuX--Myl_S9JG^?q1Q|E4q6{cdzK~72Um}yH|Agitb*~-7C6#MR%|0?iJm=
zqPtgg_loXb(cLS$dqsDz=<XHWy`sBUboYwxUeVnvx_d=;ujuX--Myl_S9JG^?q1Q|
iE4q6{cdzK~72Um}yH|Agitb*~-7C6#MR)%X-Tfb4sYlZQ

literal 0
HcmV?d00001

diff --git a/webgoat-lessons/challenge/src/main/resources/images/cat.jpg b/webgoat-lessons/challenge/src/main/resources/images/cat.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..e0e1fb983d4a3215381a3373fe69b02d5ee3a73f
GIT binary patch
literal 9095
zcmb7pS5OmN)NSZRYCs6Rm{3FSB1k7dXdxnm-m6FxlwLybq4yR*s&oNCrAjZMDDcri
zh)5L$MDX|CnSbWK-hE!qoV91|ea@VRHGBR2@^=$Jr>mu-1t1^*00{mqz~5B>8bCox
z24n!<XJBApV!F=^Vr69pftXoAoNUaXe>)Hdh>ev)fSZF2!okYSE5QR16c!Z~1#wBq
zONqz{h=>XkP*PITP}8u|(XonfaBzwIe}u4zu!xA<-;V%#aspz&01*K%fRLVmh@Rl@
z5P<z(k0b>Dr`7)rLI42~2`Mod`9IW{4nROiL`+UZLQG0bLH#d<fRG+Q#6t{}P$eN{
zFt+oFJk2O?VdU+f+ai-xJ9_|@LfB*OOZ&E}oA~*^$gF5<XJUr%$v8xzD?0`ThyPK6
z2mnO?Z@K@=Nkse);i3O`PDn`j5B}eF{#66=5J@no8uQvo{#^l35&g@cC!z;D2Aui1
zE0*80?^3TAg~N-vMx@pyLR$TVW-E&{naH%y;uoEG*(bQLYa3qj#yBVM2uYq}rgXK0
zPP!WbxqC1>=@-1y*BZ4gYJ0Q><S$#8jC**C9Vfk_vqa>#JtWHU^j1+Yas1%SkZ+`}
z4wR^Ppjnl8WKad-Y(~PDCqMoG+ST8<(8H;dD@ZQimeEyEO8y;b*sRzZXO)@T;N!Hm
z3fqs;IT_VfNhjDK^LxPysl$PFB_4Hit40OWA-+&qfb6UFH1KP5+$Ho-eJ=IxiBEV+
z(2LU;prM>bC%upfxhgi`Y~D4UBIndX;$4<5n!Uo&Jk^<L#^8YqSu$M<QI>gyN&+UG
zdl!Y|*Ca~TO##Lwxd8{Nb#!R%Kh#CaRhgt??mZ{I`c!*Z^4bi-#xy;NJ`!oIYAjt>
z%alCV_l7=tU@6h9e<W9v{1>22S{`wisyGz%tM^++BK(#$!PK8es?jZ1n(Q)NeNCo+
z=*1yZ%@@eZg)hCcnu)CcoCMFZs_d&oz-I^`Nb}Fri*D^CYNo*WjE4|~*H_vN9<p^`
zs_<6#AwXchNngEt1ahKVP)PIJt_O#W8*8>xcI7_2)qGCWHy{w1>n;0Qx9t{Z_m8I9
zc$Z=pHwAlHVw#jAt`-!3nf;9^MVIy)=0EV~_2HHg@ePNSZs(5W>Z$f|I4)C!LMTWY
z4L2o|lI$(JdV@cf0DkX(4Z!0$fYE+0zuY!_yDb>wgRer{CwiT^*C0vb$e~QjPN(j?
zw$Ca0ZIzmnrOudqzp4rN>KI?GuC=Yq?Lg%udEwUE?_Ls6TZ(a6)Jc7(g%V~;7M@k^
zo)=L?SQn#{2a|d2P34e=wc9=O!6Uv8u=EBGko&}vR4N6O1H92((+plGy=9SCgB0}3
z2^xMxcm@daq%)zdk_EOyNqBa<A^&m)nb#elo=QJ2I{t8|OqCymTXE57=ElkYh{Y2#
zlo;t!&0gBgFR}CQF$U>48sZ(pb2IMlEJI1Evz<u|+pTU}1LUIbinD!B&SXyHuYXVJ
zw0hiesy;s4yEOZy6xv=^uic8XfayT8#NWw*zMuXDOo%<mJ>vR39sd`gY<LL|JaqYa
zbpOse@DKD0_T~wWT<yYtQ*EfwD6b4d(UWl^4$28~Vb#+}2pG#zMCOkoz#@JGdIC^U
z-Mwwvp3jj@2a6?HJsW=k&kk(<?BAeADrVcK3S}pIiEH)lUQBbgqU|p3^0E~T4(3GM
z5T0LWvtJ8{TQ1+bw0Q{}{0nfUvKG_I%qf<3+RzjIh&g82Tj6u*%dus((dn>}&HC_t
z(eE!n3-uRpJ;L_A+}SizDz6*9_ZLu4LNsocRBVL9eC3CUo@*aw;yBbQP>>0-jBfUx
zH&}XyS%foTjL?&`XTGP**=<r@Cp3mdQcrIy>pjYxrtR^XB~CufxO}G#O1MN{uJ>q8
zOq&P+mESAJj6Y=~7W#PN)pqv1!UW4z-rTm{dr;n=E1i_o1WhY$vcWP@zNV#fE8y%F
zuC`@3{J+N$b%5s`EKfZH{L==NxP5`n@jqT@V?*m^)EaPv$n3D@B68_vgSD(z;}IJh
z0((Dh+~Uf%&d?_0Sh;bKw^zt}LWOVB_kV0Gqoce}J`_n*bKH4HilBi&mD@cU5_`En
zcj68o(i3_p2ve_&n7c}TtDzsdjGlzBB7%=Lfr?x6IB?W!_@m%G8d{n^JQCySPhVZG
zOBk_D#Eo;L*hZ`!(&YZOgV_qhc;dYSmv}T|pI&u41VeZWKPb)NGB*6<2rG-Mf3vFd
zjfu$U0yF!0#4e&_b=<*Od=>8x#Ad?Ha!x|G?Z!Rc#fn>mYehIhnzE9*0R4G(hG^R6
zap&do7LRClIfs#l1YzP)h37}HblsdqUxx*DL>LFx3^+mR6~j>G<?^-vz%M_k#3Tg7
zNmd$DG*9sTnqq#N1=)B7Jpt;pmNDznNqVO%BtNoO3tpp8pu9Ydc_yL?Ynf0bk(|xU
zr=U3FwqwYN)!W*LOP1LX{bT!ODLG?f08}r)3;GeMbo?{MmXEebK|yYDo%PaTGSAn|
z`mWitmNRr8#~gZw*4Y`S?DjiByEux_?b@k7W}u|z%xVaJv^gR7GO!0gv}Ui7dNV*-
zxfaH83G-I`9a28jE4(qnA?USn9!HwW7OS*G9$1<setJj}7+x8s#!^ZS;lj#3(tfE*
zMr?=AW!0Qf0Xr+%9bcls{2vO{ip3#9#!x`uaqN8w`p-S4ApQ?nKQsU2+BZIy{ob!K
zdLE`p9MbH(v3F0nd3{LEdDori_%>YRbiaXHJuswfmg~{wApeJS_x@y`(>J<<a}e>|
z(onlhiMJttY^|=}Kh6T=NO{XU5XFtWH@c|OdS<+Bmu21^xI~G05dG&;jeB0X`y`gH
zZ;MtnEreIKzxq+Pv)$N9>;cu~{0t9GL4m{BpK=5}S$HmvQFDpWP}Phq^gJ5SM;i`u
z97<5^DV=8eTyEMopO!;+sYx650LK#XY2g~=lOpjW*1`1lPTBkDJ<Bi`=bx?78k!%8
zao=~9!_s@2PtQPVhK6FP;&;V6O!wZ8UL^Lp`M8)U3x+-Ix=1px68i6uoi&u!B|jB#
z#XN{LRo-%XX#YJRTNh<oq<Y2@zp;FzlZS4UA$~0Cv!CHs);==0X4D&Z`d9#ees%fK
zZfC+u_Sp}PB8R#`2g_kJk6el&Pd-1-(D1V~9o_s(B+b^D>--9HYx6|cj4R@#KFG*i
zkpG2MWnoH6V}V~VbupwGrFnAG?PSY!WW+G8;D0<Y1=U}zuxB(Q?y}gqqz>xi&DC>r
z)X~Fyd;CKBOd4y~7?3?>j+)5am7}5W<W#m^-p@`+i8h~;wN+8on+5uOo%>YtB2p#a
zH%XR%FUx69ph_i?o@TCQF!k5;zNgN^IT`0VM4F_7Nxkf=1pVhvA4H#vvwo;V5WOaI
z5$lo81(8n7dnbo<&lp#O?&5{tE451~C>~!A=u{v5A*L8<9I}Jw@7#}1y%PstcDXD8
zpA4qq7(zYvfEe0LwfLrb@AH^@&b!{X*BViUx3ozbZd@e>r>;g}*E?GAMiJ}=pqKq?
zgSm!}xM_Y5#yIT{u*as;e46K&#e^v>s0i4hUiteFV{G2DRZJFtA|NK?(ngc`oTTua
z1m+r@8F6s8D0ZDqf_8CjQI3;fc?Y=FAd*TVwTgZ<R1mcG7@I9=2U9+%k?K83dGvDC
zqy(XfLUF){0u3hhTw1ardXOj|+uh6vPWo511pt%?!9A#`4Ox)&_W+9r*`>LVC)})L
z;wB;{<UOXXk|Y{wWN99_l{ZfM1@?$SY*kcSHT~AFL}<!T8hMfD==Zi2!MIo8Gjxo)
zptu+-*m0nbni}Bw(?*9R3Elek`I@DJ#+qN~tsCronL!uHSfug%f(f&#7epfCkU0_i
zF6DG06gpbv^HVt;Y)ca6{kg{rr1H$_?WTguhZgpq_5i!p--8+N!b{E61K9Geicb^u
z=C^jp(}8jW2~puOTWT9uR>EE%#G1T#k*u~Kuejuyr+YvCtdW-{{q|qaQid=q!@I$0
zbi8*+wC|7D?vFp6AEg>EJI%FKljVwdu%xp)WDHQ7_?8-QsnTG~d$wWc10tFAnK8~R
zzE@55+VLcR%BPdt5}TG19op2shEy6Htkhb>zu}6+LOrhMhomjQUl8J@a>Zi~Uy02Q
z3a!vF;4yf|9f^LQj8dR4J%YOR`wmp%`V<eMz}#==DeC^2=3Mx2nvbO(<pL$}A<u17
zc|cfmGu2%Yt@W)|s&ig6{YfzO-l)Wfq-&SmqbC(%GmVKk$mWO`iJl6bDlHJ}^+>%@
zM?gq-VzDbM_xQh@2-Qo~K#^EWpFK8n*{mvV`8}3CNJCvthc(R3cml1MT}dT}<7&6i
zT$LWkj2KLSDmi@Gb-lsiu+_icv}X3VO)B5{e8(g{bCb(B7Usnea5&7oc#BwcBK7Qe
z)N0=RAda5)Q`UvGrMZ<LM8I4Z#x2!h*6dB=Y3ZNJ7sU%AKS-u9s(3L5<t2@vgIj;=
zYuz2dxV|x~=A~4N=RQuD;WW`sSqzddD85M>eNt{?;PNn)eMPW6w8ph?8y)mVxn({$
z+)}xv-(|kqs=@dXeLQV%GMPP>>pi<q5!adyo$`AJ#0q|~3P1jPD6P-$n`60f9kQkA
zHJ=tHUheu(;<P5!A><+Rh2ozrjQh=I2AnA9X*RKQ)z{jCg%$p_r)#j@a!h`-GIT!#
z<q?~0WZtHCiHH!B=-G`>p>hTAMkl-YTW44%M7o+Vy*4Fg*Lp;3F*T2K5xTe$LN+X9
z*OKP>)qqyna4!PN5v7GYrB!xHHnA30X;|xoAcgQ$|ICqZcTVNPPt)HlqnyMd{h9X6
z6zg&Xw8bJ$v9SDTZly4nWHZBAQ#5j%KM^LqOEl~|i=9(Rr6dvCp+#A5>wOy}*kV26
z;Hlz%PP=0^Ztk>>(p1_WtQ|vpJ);0Xnn9YI$%{GodM)Fe4m@G)C~E#VdGUOWbyc%$
zQ+*_8gYUZREXCdlcRp3c1ypd_7EcYeLoq`PhQSgJC0bJWwy7K%5h7*x_@SKp+fqLJ
zOMDmB>!DcB&q#GSv&3N+#8(JK@Hmt$*`skq0M6(wC)KjW@w>9V@cuLB&_BS({w@n6
z8_;=CIWHxi@?G9JAvK)Wr2gud%snvR%}j`sbVvMHLAS2GQ3WQj#WrYuMEduh2k)YY
zI%5lMui*BQKYFtL2L4aUpPaVVa0S!?veIcDyo_?vGTw*9rF<=2q%fgAgpR4%(KtcW
z@Cs-}t4HE{pkR0mk0t{U(Y}oV#dil3E4G8bS}g?*7P%JL_0*J_O&&a7N#$6Q9+aJ6
zn!HGT4n2C4dSNHo8{|(ltNR#T0zSLea57UeOfjI_dmLNBw!_-Sg5RPfeoOnyZp-!I
zm#w|bE7iA9@0ukNo<T0c)#>w77s}xOg#H4u?90IglsSznmoT$^e44foVUGLf&tYLL
z!t5b~^Ck3%6g2yk1s6(*J4x}Zd~NeI@@jM4zIm`oe(Al0_Zs4;jc)HA;uS-h$!Y3!
z(3CuF*tbt-_tqmcS#$m0mQ%BvCd}-NbUl|&!rW5MFSq~9@L<yu8CHzZQ`pm{Z`4JU
z>!frE(C^0;z0&BgUAxk*a_uhnoo(EFInsb{l!X2FGHP46x+>Y#3%pJ2J2e+CL&Gz)
zQi&Yc1vM1_@HUZGnu|5s&~zhJ2jc<xMO$-I>gnidj;N=^Sh5rH_Uv&*(l>D1GJ?A?
zo#*mt_6T#;)NNMDF^lA;g4uFY^pyFfCTz1{gh3BAIhJTXd9Af?<)1Q?m5c=W%6}?q
zk~`C%S~52tEyBJQ1V@Q;kKAaw9ddM{Jb$b5Fpxl2Ow{D89}~fT?B*%6?O0%Cml_R9
z?aj@39WkWSzT#px18)s&KW4;H!PXt#A=@twp)Js2Y^7QZQr6aso%i=#ndh(a_LlVQ
zv_9^_jyr~2sDid!=DW_WHG^ewTBwfuwKPFE*P}^&_jIhlgc*-bJad?ahTQ8bWdm`d
zK!LGft*Z00-)hk-V3U1XpyG>nQXvH2mirr;i8omrOB6n0G1O+qv^E4ZKm`F`&KiHm
z*XcA$s^Q1+PWDHOZQneKB$3w_wP8^y$q)727QY1bB4Z(}GTI3j@n0KTYT||ln;aIL
zlDa>AB;U+yHQ<asWOX3L!3!+>cK-qd&;*8Mr|77yIxU3)b!=iN8P-h+Jl6DMpeE(f
zj#FL0DZ=O{NJ}O0Io^gL%is0JJf~Uf?tnJ|PhlL#;Oda5*(}JTE+5)JPq91Yxh;cI
z@093wZI6U)wy#={2j3$`#fxH0#!E7wx6YQ>OxbTZNi&dNa_<^<`O|8j-1*-QuA=;8
zwHuUruI?f|Pt{h_@aR?P$t;Z5`#<x0?51gLR%IXTJ9SEmRQR^MY|}$30k0Lod*y~A
zy1H+%8F&s!w}N?H_o>#&aDA7&jGNET`L8iM(?sfD#<T9{m^my-qZq7@&PNSq^<hJB
zS_5LO66@mTnY%Veazxxlu6kE4^*+mfuJ!}ylLcE6L#ndxOED8h2u6fvAoE12z#@lb
z>r7+L61#0e;dPV}Z|huL=a2xueHBpwi%OBJrWVTxlWAd!XgoqXIlFo`qdjNPwLpOI
z9w$<I3v?t``NX-%NvQFXyb`;qa)u3(t#ZA;Tm_v3!1Ja_ys(O7lM5v+**CBbh{;|R
zm_dZfBVUv(c(bi>!6CfS5bmQJ9z4#;Za#BNL{0bE>u@C1=7r84Fk6aB>(_JT(^Ln^
z4w?OUJW#LE`_X&wh<5v6;Z@Gb7F7fLR)5?Q0Rx%kH*Y*W%a`3i@vBQSUzQ_bzof`K
zKlZwiOXECM66KKhaBh=48XAA1&+<6BXs#-^Gy#Y}qTTRHx*)+>)Ba;}?vlbmsY_U2
z)OV(EGu^UD<>$GiafpwjkC_#&)X|u-WHCBPLM&Bz%yHw4xmvA8$Ey$HiZ!cj`%IlW
zuuL)Mtefs1>kb@^OgkdSPG{n~`t=mQA_Cu{P4x@s8@yeQq{5Q)1JjcIJgD|`<tSmj
z?3{GF2DA92XQJ58vdYHA=IGr4;N>SRDfnf(7F0Skqo1F>`{QzhmkRxJAro5ow(sPw
zQjQ8}uBAz_vaUB_Am1g;EJbC@bZArZrFg??#L#7tT{y~6$3$xMME=yZV{YY>J0^4)
z8yRmRr=8gJl1AY?()kds?4!t}i(BbfS!z#b%If+f_$Jl3wBW6=5I?i14}YrjgCLGU
zfPr_U{PQ8HS3|3Ala3ce(35jM#>XAPywxYk0$K+J$un>=EVSOZS3%i(_*rzyR$)M>
zM0~bvksmQ;pH|I5#FN_Zk>qQ(yJitM`*Xkt=9h^MdrK+T17z``!xLAeDTJC$*>6mp
zHy@JQMQ;mcmNKkytJE)UcoWfxJ5qToCgq+crh`$bq4(Nes%MrCblbxTP0PHw{{kGz
zcC4H6VtGxP6K}I5D7<_`<%=GY1I=!_nTbgqa!ZW4|4B*5KQ?Xja3k-jL57Q1R+fU<
zY~HeU_vWCli_?;wdy^&41thi1e<tYs1q|wT6O9wzDBAybelj9t#jmGi+EQgQyGbXU
zFlsUxKkIQHWBJjNaG4&@Qq15XSslYJ^^uV6JZT~<JG<>exKJuTU$m10bG0LyE(;6c
z_jcK*TW+9~;Vt1ZJF)CA$PZP`yt2*;*~XzXS&O274_p3be}eOLv@3xs^HGhOii~%s
zOVY1ret5(ImmKwuekAUmUKHXRztY~YEEGK)9kfGXn9vAP*cgZ27dh~e@k4nNvZ7wK
zIRegNG<{m+iF%vYMpzQA2zNhc1)`NjEcJ57v-bCBT&-(Z6BQB!HoLs-2iePU7}!8N
zFE;r>ZJr7HkMBdt6hl7(o|Ds5z?+E_?#zrV49Fju4WLnpn>8aTdA`>HwiuoApsk2T
zUg_%W*M6mD$PlYDJ8R1=SBn->{`CX*kg`!xtLx2Kxx!aOyo0^v{m!o+)rD-bnTM;Q
zNRlmdjlT~Es=cu`S2Phk?qnXhYMDiqKI_z7g~8iI7Sf-HbN3*JWahPZSSjM}>ajb&
zN5b(Wnj>Z3Ka?AH3X%V6K{|x5I(;7@E!2xReR)_SpZX-G#oejLAK&RXrjpOi-5}~f
znjf^K1Bf968ZK^|KP>cmQsI=x!@LI(LM5-Z;<Dq^>+s+lX~6A&m5c4h=C~epS76qS
zQqGnRI7_Lb&YQ(BsEF9917xn5q!$duw^donIUC&U|3n<)^$8%g_s_O1>$&^jZ~1UZ
zJegvy?SgKmbF)~UsCaWw(g2$36)0-1_SeEVa*x+~OsbRYqJu&9Zbmhr;`-AIhc9`-
z&Pjg(GVS33Q}<D@zks><54iBVR@<ws^EYz1o=B|c0i|WFu5M0(8+m@HrU@fm`Y^Y>
zrcRaZMRggT1=yLSQH2#Z(l{JfZzfT}lD>u{*zK^1b+BpFn%+Ri+)E`_GQktARloco
zN6re$hZJ$^MC+pnzNKr*QpXMyw9R>Wfgxzs35B4Hz!dfyP-aLu0*8g{2ZLh<n1w#o
ze;?EZ1D!@~+3)hFgbf1({KI04AI``wix40jTk<HEpQzaM<TT#@@SsO-#lZf<?q2D-
zs0*0kWgO?6IPzVaw%D@9ZZP~%2qTIDKY2iwWieE3U;l^qe%^_8PqkL{YD}4VfaI@4
zt+}C3y7VurzKRr!T9Q)o;n%32En0YXpF_VQC~MZ21@!q4iFBrKf)2RRaj%;UhWp5n
z{u!lJ(ya-XM)`=0aYQ3<al5_YXWZ=0&rqA)wA&v4$7#Sl>lYr2NuIR<33VFHNrHm;
z0j}WS`26FWj!RQH7be-#wj<sw>n~L*WIg#G>k2U{#BV{%hdQ_F2I0?aPCNfiJC5%m
zDA`w(3Y@3Ft(0Qp!9#?qeSV=7(K~VDy@aTK7|-oix_jpj9E;~Y+hx|X@dw$jqH=^S
z^~Ij7MqiU>D-gtbvL!v1|JwJ23ggbM3?K!mGqxe+hyT0f1Z7^n{t{;#fL^A24`oXg
zH;DtZE%gy=0okL3<jB_YqY?S1wvXw<ya#=C#L}s|erv2CKVM&w8{L4<?(8U;CUm{a
z2j36Tv0NofMC!f;{tSN{tqP!}@$xWpMskZYZr|}jh+b^E4T>3Ji7N~oISFa-uZ<Y{
z7vGJOGwUwB_~%K4Yvscz7{n6Zjv3$DPTPqd+I#I}4*iz0_&U~dkJ9r1p|Lylp<S@<
z8F^{I(SU^h=a9A5q(-#`LDQRuHPfZCHux+wMX)#}A`7{Zqqi;$x&!SmPU&SxFpVwM
z&SwgZx#sg!t@SqM>oq#*NIUTZ#33sW9cNa8^n{OOeML;3kxmGH9nXfAO`8x1Oqz6M
zBLdJ;h~ww%J&&#7wLg%B?D+w&4%GOT_hPAXDN!(8fVu7jwz@%xcY65O3rGOImB9n`
z{d~9L8Q$JJ4?YZ6Q8m)hmvx-uPA_{<jLLS*cWvg?Y;wn<1{PE$f3+TuB6q`>0Bv;G
zE>HUptp~ry-bAlLmkPlH*ikhccoO4;h1db2Y9N~W@tj9Pvy0dM#~<`dMI@`1okmqk
z^5+40Pebj!mP@w1VxS68xVhO+(#cX!tBR1@n38}oX5x2KzNo|{FIg!`3R?_Z+ht*b
z?5)tyyO6#6Rl;ov_NX`VMYU1(Lsh)z0gh>1o13<GL-VBuhu<eO7jHNUkQbt;4CT8;
zx8+F&(a1KP9<wMhN<m}MywA&R*qN*(aJLq&u&uh<J_}j+mU^L<!pX7>oU=nJqdeLO
zPNGV(Dt~G$y<#Omsj8CWgs!)zvvD)+%b~sZZ`@oPq&4QKU*TJYa+)-q%@2&siV?(U
zylb!mVYh9UTzZj9jgEQs#P3MQ&D5Af;0zSTZiyC*mbRf^Z`LJfn%uf`6xBq4v;2%z
zIz5$boL4lK-~!oi!%JBUFJKwZ3On=L+h#PnxfAT9=%tpA^GkNtZv~055%>Yo@UPP|
z;mfym;T_)t-ZoV_nfM)B1-~uHEpChNa_LLi9&`WIKGlliUqK|e|B4YYf!t5O{Mux%
zVy455ZB${a>X%;ojFrKKjO9Gh!6cBk<Yo&1+dHNTq3M{<6fgj3@3HSu>$k=fR^=z1
zpFP@P!rmI~<vRC-5GpWuwm_o2wfH$<BEpmfE~XIFVd?kMd@o1b-9|sP<#2N1Nr69l
zdC&aUF3UK4SYOySU4?{#U;u&fQ2EcH@!#X6xoZ5=5jps*?xz9cuTguo8&2_EM6xe&
z5>E#g=C9NrPg9T9!W<%vL(jNG*tH>W>xi!(>#$3`oFs-_xd(#D_x4Omdz1{5!NSZ0
zrDwpi;v*j+i--rLG^azk0kt1zU#V0ibH?$^ka?{GTBNBbKi~*g0{io$k!0(Ok*NPL
zK@0{+bcENwHFdIt9(&B%?X_At2~J>egi&{BspF3RJT9g#*u)yV6qm3`5UnH4UT_c(
z*4L@&QOF#eR;;3YGFoZ$RA|^5qobGh>Yo|F()_1v9%{SQMK(YI{9-$k|L^-)iYH)P
z$G}^$_t{oT$xF0;-m0{Izjzk&6~bIo8}?H+#-j)kY16Ap>~Lv+Pp0IvQ-_<PMirl9
zN;7gobh6e%C<CJDyFktOJbf6<R;-;@uY>CJP3NBk?q=2LK97Rb(qz#A0s+nYOEd<h
zoe6bCNtU;D5tK&uc)hh=4COs4fuAy|`Ct3lJ#ex0g|b<eQ(ThBh+2w#S=Ah5LYjmd
z6j<(eTvbSTQA<3MgsBfp#8G547rRQyzIImrnd&=yI=G?Ztw(6xEtf+r=)QVmu<q{C
z_6+_>PD?*#yl=^+UgKAag1hDJv{jvNjb3O$KUGATS{?w%0ZDjgona&UAZhNxr9=1M
zwbU5%F(j{f0zA;Q+D<&5MO0?j%)C{J^(N@8q|{)o9`_TN{P|FP5I;&Fh$Np0i^;&i
zU}e=3ajkBv$c`q@dW{ABf)U3F{N-q6mH;DWAs|%~uc!4Nin=`52fg`RAh=GQ(3NCS
zK%9!b|9o4%&k*TIRC9ry+(XC76G%v={RJ2&aoMq1QHaCgN9p;(?ujumX1V{ohD6Cy
z_MI_kk25YI)45_!M!0D8$vR-Ni=4S{r5Q|0B+sT?)G-0C^*!=agM^I<+S82*RHlp@
z9TNYrm+y<Sl#b#%SpK07$j7T)k9Jld67CF1BbJ_#D9>S|uq)2XQJx+7BBG1|<8l<z
z0}Usf%FmWkvX*rVWf0DdCVb`EYl!ivg(}iOA$#8~hRG#1=Lv_SHjU1AZM}PWvF|l+
z+Hb#?UAM4X=i28>yDBP=OcuJQy?bHHOyWn7kCOk?@bWg#3T7`(*da~z^CM2AJ*>1-
zHz!~6nba&gR#y!J%t#^#qzT?`5dRpNKJ+2kX?NP`U>Aoh%ecytr-=q3->gx;@5^%(
zBOIP#VvH4T5@e6{$wKJuk}(&Z+L>{G+y-jdb_YffNmBf$V~3|8iI(41@f$mj@U&YS
zeOk6fI;GZssIos!Kvodr115N%j?a&$T;KHC0<acgU_vbHiVfr<d13b-kZXdQX$%72
zUYe;ocfiIX0?%TFTypOuY{tX9D-#daL#PCr7(1u9+bzr(b#!%;=%WW>Xdi3f;UlBS
zmdd%isE3{hz1hH%S1r$(_9z+cp3to<jN6jZ-pyTWye4h|ck74>M*k^Si#`@4KL2b6
zIN6<?V;}n#Rx^CIPs#W&3)?JB@?MDWy#yg2MtyJ~k&H3q`s`(iO7OBVeuMm_(ffY5
zy2S7X>!5Dl6HCc5&n>lB<!S7_vTcL&zkvAoedIh`Zu39M7)pvGgBF3{8H=u`(L;y@
z{kaGunuQ^dQCSJD#9a-UKE1D;K~ZGGlgju<jgyh#3#``un?cBLRY8jgD&G^dfYAXt
iI0mT0&BeV<LOJ0R8$<lKCWt}RWQUSbz%Bgm^8WzK+1DNb

literal 0
HcmV?d00001

diff --git a/webgoat-lessons/challenge/src/main/resources/js/challenge3.js b/webgoat-lessons/challenge/src/main/resources/js/challenge3.js
new file mode 100644
index 000000000..be9cb11f0
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/resources/js/challenge3.js
@@ -0,0 +1,15 @@
+$(document).ready(function () {
+    $("#postComment").on("blur", function () {
+        var comment = $("#commentInput").val();
+        $.post("challenge3", function (result, status) {
+            var json;
+            json = '{' +
+                '   "comment":' + '"' + comment + '"'
+                '}';
+        })
+    })
+
+    $.get("challenge3", function (result, status) {
+        alert("Hello");
+    })
+})
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_1.adoc b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_1.adoc
index 3a0b7ee9f..4f77d8158 100644
--- a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_1.adoc
+++ b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_1.adoc
@@ -1 +1 @@
-=== Admin forgot password can you help?
\ No newline at end of file
+==== Admin forgot password can you help?
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_2.adoc b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_2.adoc
index 6849340ea..526593266 100644
--- a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_2.adoc
+++ b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_2.adoc
@@ -1 +1 @@
-=== No need to pay...
\ No newline at end of file
+No need to pay...
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_3.adoc b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_3.adoc
new file mode 100644
index 000000000..ac1f2776e
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_3.adoc
@@ -0,0 +1 @@
+Changing language can have dramatic effects
\ No newline at end of file
diff --git a/webgoat-lessons/xxe/src/main/resources/js/xxe.js b/webgoat-lessons/xxe/src/main/resources/js/xxe.js
index b38c2d9c2..3cf292d83 100644
--- a/webgoat-lessons/xxe/src/main/resources/js/xxe.js
+++ b/webgoat-lessons/xxe/src/main/resources/js/xxe.js
@@ -7,8 +7,9 @@ webgoat.customjs.register = function () {
     return xml;
 }
 webgoat.customjs.registerJson = function () {
-    var json = '{' +
-        '  "user":' + '"test"' +
+   var json;
+    json = '{' +
+        '   "user":' + '"test"' +
         '  "password":' + '"test"' +
         '}';
     return json;