From d1bf80a67007c1062ff25d10a384ec40d0f60fea Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Sat, 8 Apr 2017 08:04:16 +0200
Subject: [PATCH] First steps for challenge 2

---
 .../org/owasp/webgoat/plugin/Challenge2.java  |  31 ++++++
 .../owasp/webgoat/plugin/ShopEndpoint.java    |  71 +++++++++++++
 .../webgoat/plugin/SolutionConstants.java     |   1 +
 .../src/main/resources/css/challenge2.css     |  33 +++++++
 .../src/main/resources/html/Challenge.html    |  93 +++++++++++++++++-
 .../main/resources/images/samsung-black.jpg   | Bin 0 -> 12078 bytes
 .../main/resources/images/samsung-grey.jpg    | Bin 0 -> 11227 bytes
 .../src/main/resources/js/challenge2.js       |  33 +++++++
 8 files changed, 258 insertions(+), 4 deletions(-)
 create mode 100644 webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Challenge2.java
 create mode 100644 webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/ShopEndpoint.java
 create mode 100644 webgoat-lessons/challenge/src/main/resources/css/challenge2.css
 create mode 100644 webgoat-lessons/challenge/src/main/resources/images/samsung-black.jpg
 create mode 100644 webgoat-lessons/challenge/src/main/resources/images/samsung-grey.jpg
 create mode 100644 webgoat-lessons/challenge/src/main/resources/js/challenge2.js

diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Challenge2.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Challenge2.java
new file mode 100644
index 000000000..8bc916874
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Challenge2.java
@@ -0,0 +1,31 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import java.io.IOException;
+
+import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE;
+
+/**
+ * @author nbaars
+ * @since 4/6/17.
+ */
+@AssignmentPath("/challenge/2")
+public class Challenge2 extends AssignmentEndpoint {
+
+    @RequestMapping(method = RequestMethod.POST)
+    public
+    @ResponseBody
+    AttackResult completed(@RequestParam String couponCode) throws IOException {
+        if (SUPER_COUPON_CODE.equals(couponCode)) {
+            return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(2)).build();
+        }
+        return failed().build();
+    }
+}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/ShopEndpoint.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/ShopEndpoint.java
new file mode 100644
index 000000000..fc0323613
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/ShopEndpoint.java
@@ -0,0 +1,71 @@
+package org.owasp.webgoat.plugin;
+
+import com.beust.jcommander.internal.Lists;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import org.apache.commons.lang3.RandomStringUtils;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.util.List;
+
+import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE;
+
+/**
+ * @author nbaars
+ * @since 4/6/17.
+ */
+@RestController
+public class ShopEndpoint {
+
+    @AllArgsConstructor
+    private class CouponCodes {
+
+        @Getter
+        private List<CouponCode> codes = Lists.newArrayList();
+
+        public boolean contains(String code) {
+            return codes.stream().anyMatch(c -> c.getCode().equals(code));
+        }
+    }
+
+    @AllArgsConstructor
+    @Getter
+    private class CouponCode {
+        private String code;
+        private int discount;
+    }
+
+    private CouponCodes couponCodes;
+
+    public ShopEndpoint() {
+        List<CouponCode> codes = Lists.newArrayList();
+        for (int i = 0; i < 9; i++) {
+            codes.add(new CouponCode(RandomStringUtils.random(10), i * 100));
+        }
+        this.couponCodes = new CouponCodes(codes);
+    }
+
+    @GetMapping(value = "/coupons/{user}", produces = MediaType.APPLICATION_JSON_VALUE)
+    public CouponCodes getDiscountCodes(@PathVariable String user) {
+        if ("Tom".equals(user)) {
+            return couponCodes;
+        }
+        return null;
+    }
+
+    @GetMapping(value = "/coupons/valid/{code}", produces = MediaType.APPLICATION_JSON_VALUE)
+    public boolean isValidCouponCode(@PathVariable String code) {
+        return couponCodes.contains(code);
+    }
+
+    @GetMapping(value = "/coupons", produces = MediaType.APPLICATION_JSON_VALUE)
+    public CouponCodes coupons() {
+        List<CouponCode> all = Lists.newArrayList();
+        all.addAll(this.couponCodes.getCodes());
+        all.add(new CouponCode(SUPER_COUPON_CODE, 100));
+        return new CouponCodes(all);
+    }
+}
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
index dda05d492..5450e02ae 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java
@@ -9,5 +9,6 @@ package org.owasp.webgoat.plugin;
 public interface SolutionConstants {
 
     String PASSWORD = "!!webgoat_admin_1234!!";
+    String SUPER_COUPON_CODE = "get_if_for_free";
 
 }
diff --git a/webgoat-lessons/challenge/src/main/resources/css/challenge2.css b/webgoat-lessons/challenge/src/main/resources/css/challenge2.css
new file mode 100644
index 000000000..7bca52cbe
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/resources/css/challenge2.css
@@ -0,0 +1,33 @@
+ul > li{margin-right:25px;font-weight:lighter;cursor:pointer}
+li.active{border-bottom:3px solid silver;}
+
+.item-photo{display:flex;justify-content:center;align-items:center;border-right:1px solid #f6f6f6;}
+.menu-items{list-style-type:none;font-size:11px;display:inline-flex;margin-bottom:0px;margin-top:20px}
+.btn-success{width:100%;border-radius:0px;}
+.section{width:100%;margin-left:-15px;padding:2px;padding-left:15px;padding-right:15px;background:#f8f9f9}
+.title-price{margin-top:30px;margin-bottom:0px;color:black}
+.title-attr{margin-top:0px;margin-bottom:0px;color:black;}
+.btn-minus{cursor:pointer;font-size:7px;display:flex;align-items:center;padding:5px;padding-left:10px;padding-right:10px;border:1px solid gray;border-radius:2px;border-right:0px;}
+.btn-plus{cursor:pointer;font-size:7px;display:flex;align-items:center;padding:5px;padding-left:10px;padding-right:10px;border:1px solid gray;border-radius:2px;border-left:0px;}
+div.section > div {width:100%;display:inline-flex;}
+div.section > div > input {margin:0px;padding-left:5px;font-size:10px;padding-right:5px;max-width:18%;text-align:center;}
+.attr,.attr2{cursor:pointer;margin-right:5px;height:20px;font-size:10px;padding:2px;border:1px solid gray;border-radius:2px;}
+.attr.active,.attr2.active{ border:1px solid orange;}
+
+@media (max-width: 426px) {
+    .container {margin-top:0px !important;}
+    .container > .row{padding:0px !important;}
+    .container > .row > .col-xs-12.col-sm-5{
+        padding-right:0px ;
+    }
+    .container > .row > .col-xs-12.col-sm-9 > div > p{
+        padding-left:0px !important;
+        padding-right:0px !important;
+    }
+    .container > .row > .col-xs-12.col-sm-9 > div > ul{
+        padding-left:10px !important;
+
+    }
+    .section{width:104%;}
+    .menu-items{padding-left:0px;}
+}
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge.html b/webgoat-lessons/challenge/src/main/resources/html/Challenge.html
index b6bc7f41e..59de297d1 100644
--- a/webgoat-lessons/challenge/src/main/resources/html/Challenge.html
+++ b/webgoat-lessons/challenge/src/main/resources/html/Challenge.html
@@ -36,11 +36,13 @@
             </div>
         </div>
 
-        <form class="form-inline"  method="POST" name="form" action="/WebGoat/challenge/flag">
+        <form class="form-inline" method="POST" name="form" action="/WebGoat/challenge/flag">
             <div class="form-group">
                 <div class="input-group">
-                    <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true" style="font-size:20px"></i></div>
-                    <input type="text" class="form-control" id="flagInput" placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
+                    <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
+                                                      style="font-size:20px"></i></div>
+                    <input type="text" class="form-control" id="flagInput1"
+                           placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
                 </div>
             </div>
             <button type="submit" class="btn btn-primary">Submit flag</button>
@@ -49,7 +51,90 @@
         <br/>
         <div class="attack-feedback"></div>
         <div class="attack-output"></div>
-
     </div>
 </div>
+
+
+<div class="lesson-page-wrapper">
+    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge2.css}"/>
+    <script th:src="@{/lesson_js/challenge2.js}" language="JavaScript"></script>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <div class="container">
+            <div class="row">
+                <div class="col-xs-3 item-photo">
+                    <img style="max-width:100%;" th:src="@{/images/samsung-black.jpg}"/>
+                </div>
+                <div class="col-xs-5" style="border:0px solid gray">
+                    <h3>Samsung Galaxy S8 Plus 64GB Android Phone</h3>
+                    <h5 style="color:#337ab7">Manufacturer <a href="http://www.samsung.com">Samsung</a> ·
+                        <small style="color:#337ab7">(5054 reviews)</small>
+                    </h5>
+
+                    <h6 class="title-price">
+                        <small>PRICE</small>
+                    </h6>
+                    <h3 style="margin-top:0px;">US $899</h3>
+
+                    <div class="section">
+                        <h6 class="title-attr" style="margin-top:15px;">
+                            <small>COLOR</small>
+                        </h6>
+                        <div>
+                            <div class="attr" style="width:25px;background:#5a5a5a;"></div>
+                            <div class="attr" style="width:25px;background:white;"></div>
+                        </div>
+                    </div>
+                    <div class="section" style="padding-bottom:5px;">
+                        <h6 class="title-attr">
+                            <small>CAPACITY</small>
+                        </h6>
+                        <div>
+                            <div class="attr2">16 GB</div>
+                            <div class="attr2">32 GB</div>
+                        </div>
+                    </div>
+                    <div class="section" style="padding-bottom:20px;">
+                        <h6 class="title-attr">
+                            <small>QUANTITY</small>
+                        </h6>
+                        <div>
+                            <div class="btn-minus"><span class="glyphicon glyphicon-minus"></span></div>
+                            <input value="1"/>
+                            <div class="btn-plus"><span class="glyphicon glyphicon-plus"></span></div>
+                        </div>
+                    </div>
+
+                    <div class="section" style="padding-bottom:20px;">
+                        <button class="btn btn-success"><span style="margin-right:20px"
+                                                              class="glyphicon glyphicon-shopping-cart"
+                                                              aria-hidden="true"></span>Buy
+                        </button>
+                        <h6><a href="#"><span class="glyphicon glyphicon-heart-empty" style="cursor:pointer;"></span>
+                            Like</a></h6>
+                    </div>
+                </div>
+            </div>
+        </div>
+        <br/>
+        <div>
+            <form class="form-inline" method="POST" name="form" action="/WebGoat/challenge/flag">
+                <div class="form-group">
+                    <div class="input-group">
+                        <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
+                                                          style="font-size:20px"></i></div>
+                        <input type="text" class="form-control" id="flagInpu2"
+                               placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
+                    </div>
+                </div>
+                <button type="submit" class="btn btn-primary">Submit flag</button>
+            </form>
+        </div>
+
+        <br/>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+</div>
+
 </html>
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/resources/images/samsung-black.jpg b/webgoat-lessons/challenge/src/main/resources/images/samsung-black.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..7b0c1f809f8822b3f63d0cfafc325c9c47a9b3b0
GIT binary patch
literal 12078
zcmb7qbyOQ&*KdMDkszfIpad&Ypg6&b7J@^N;zf%D3ofO&7I$~I;!>RA4#lBZDORLt
zX`yh_=Xv|R-@5Dmb0?WKGrv9S%s%_<^E-R*nft~24FE_%R$dkW1Ofm+)DLjK0tf=&
zVqxQ8W8vap<KW@pJ|G|`BEZKdpdxz+B8Sk>(?e)zX&G7g*cqR2Gt<&?h;eZ93knMh
zGdvZS5r<0i2?+}V@$m2n@Cm>~L|{QCS|-8&@9n-DK#T+I1#F=M=>cfOKy+f@eII}t
zr6UG9O3D9jKs0nr43xGgsTK$TL`Or%z`!EJ!p26!{?j2eVss1=I&MrXNp(_s6C}T&
zvwvJIHW>pCuK--r#Wk<4XPTT(Dn23cp@ykbeeWhCvsOU<_fw{VM^B_>%*-uN%~AsY
z-TwPb01yoW6CEX@BSt*|4Ty=l;ja{kM$FBFPC`njP9{lzzYM@fsf$vA7$6QfW|1mg
z>u8mB7r@+^YX$ZO3McLe%Vnmo3k5yAIqITfaIVt(U7*>yllvs9iv2*mxyCK2ziFXf
zWv$D*zk<?2CcA<q72?)1%-n`Id)(30{_>HxuieXM&pcCdmSdJ2o<xy1s|B3Nh6z0F
zxLA24YtNabt&+qx>v0b#8wEMgj4HiDFf7~oUzThB&~Vld+Y9)1k$ti=Pdma*TlC0R
zu;xxZqBsilU7qU+DPo2%x{fen3z<0C&MB_Id1q&GTR{9v)&1Ns=eFP>gZ{f3XIWD2
z{uhRKiH5f;miGXbzPEqR`e8fC2k8MnF7p4hK3q#%_~VtppVrf}1hp77Fk+cRmK*N@
z6)YV00Quw2KTVUoP56Af{PCwO+k2arcV)u_RmQk{LqN>teX;fNO7TR~S2ORr(hu(e
zUnxpsQ7vbG+i4U3DZp@%{w=C{@=m=xJ?eSfX)jq!;mm>wB7MgO?*VUn3bwv7N?Z8b
zxR*JzSH5Renj>CKN!Hxe-Z*{Tr>ick{zz4?<NY*?s&~F^QerR6>)$rDQLjbkmC(*<
zS5LO7ap>X*8x36<t|V(wMekH(oUz5}W`|05eKXW|7E8QR`Rwyle^;ZStqfR5I^8iC
z;@ObB+Dg*i`EX!(Y1eAnvB}eJl+Skic%tv|Fc!QTamd@TK!q@Gv#?VL{&8h@Ahuft
zPaUoLU7Q)?t@>~#7Do#7AlCc&>U<m3BNKh-R?GXa1|$-yzeD4^XXu0ceN$}zJ4Ha5
znbPiopf-A3Adb-09Z&Yy(yT4VN=TAG2$4WVc6Hogu)TftNAw!N{!`r|YX_M~zI3y9
z^+{Lz7k2IwpY`UdOVXpAr45uY8`U|Q_#d#WWGAPY^uwS4PnFO{sbxNk#WFsL(Q^J*
zuZA5eJ->W0EYcbqvP#}+t1#&Y@JRq|qY7RuPaA_tgUpjISon7zP{<|(J^fh~X(2jy
zJ(qqc8YYSC7u6nzFC~@>XY6SZT0_Dp$);5zZ>hvxSby4GzBxUu7W?|Em?KxMgvYv$
zh-4~mwk-9Bu$QB;#@Xbjaa!=F$2*kPkdlkbxB4AVP06ehXsDQP%I+2lG18TUzRu#^
zDf)<>o>pGW`Bu6Y(eSG#pC~LV<B77uk9$Man+YCoj~RI7i;$kFeww5O$CEEiO%nzx
zr0&k)+01g(kx?r5tS^!7sg8=PioUVY%<(@b!3iLXt`_Eu&VbPrYmZpZa4_c<qC1I6
z<h!zIWRbg@;JwxT)oFD-&kJ{%?ACur4+(DMTA6l`<=C4uTbdtKd0?0w`~tofC1^sH
zmaGwExtx=}uFChuW|(|(N<%0@Nl5-6GJw`Wxr&f49lhZoa`yJq#kt%-O|`pTYe8cf
zu%PZK<8-bh);rh^KzZpZvZ$eSu4E3l6rgQ4)u<O;saSBB9<wNNQzsD2YS(d7GmHLp
z;L$HV$rCHXQ%A9bA2dr#3#SVWorODb)lQGRijf-DJHS`iQ`>YnXsu7qX72%SDiclw
zL^@|aEEym?*YAGXT-nAy^e;Z~HTwQRo>Q2^Cy4*(EqQCt+G(%k$;*{VF{qDr>;f8C
z|3-aqrZnoM(Bcrq$42z;MkT6q1_DbHzw;%B_C5o*(>IuMGkM1`kG*Naf2Bd9G>`#G
z)(>nMp%Q${Th<c=>;@5W^T8RyNt+e&TSankvcO+Q5F0tBXllI;H~^QKeT21WiXr78
z6NE;iLiLfhsVNaZd7gq{WT1c5CI>MaR^;ys(#oRo69O~y1P}>z?1E4|_<)E$BKdRD
z2dNQ!WEu98CM5zVSnm@(bH`xD2+5ctcy6WSAdSHjGX|j{wVmnE*=ltWtBXi}s^DCq
z%7n3dz^3d5tEQ`P3?dVk<P*J=F<suz*RqBY0;y?R2~R=ZN-Y$hbVzZJTYO==b$RiJ
zlHHQoKH-UL*5ZYQTMJP*8wK3{OP4K}nbm}xl%zS&XJfn#z66=r#sfAAn41}Qn#J(X
zcJgyz(6}(fIL4&MHdzbX^C(_;DT4ZJ`W@Gr`G5^e_fHcH^thc$df9fr`2l6#px^a-
zc+Aj81RiAuKO%}-%}J0ZqQ27-kI`|WYXfM8<#h-Vzc>@FUh^wjK3+6AQtw#IGz2K^
zksgLUV$VkKRGoX4<8=-!kXVeh6y)5Fwjcg5t!YBe&RE}|o$q``qB?!~1r~FaF7EM6
z(smtN?<cuez<E`(mdmgdsBX%@%uCcsoAw^S{wv_{+dBt!l*csQRXi^;GgDj>@Yflh
z3}O=<RUr<G9CLi>-9u2hFyxuWv0b_y&OqOxfOK53)I>UuO9vP@6A)i9YgZq1fatvh
zj6n>~`lT_2f@-_7fO_Up_RP5MHb??DQ#mgwNlzpIO*QSAoJIk^xG{)-S3DjIcOg9%
zK*b!v>bDd9o<_5$y6i+hFUSuov@rm{@RGFh%JGE)et~w8U`J!ksC23mbB>j2vzb`U
zL~<?y{lkDM>4W8i7`px_9+~iSHavT4YkQC(20C}<WR?KE3bh(9j&oUj?>u?zS}kX$
zTzdM%-NDG(e)89<5?9!C1v{3WbM(h$vNQv30(bMBkFag=6MpLLq~UaSeoQR<L~IIf
z$}F{O06>yE(@{AyQFG4bVlGMvzl3|v%!zohuncabn7ZVyPZvaasB;tvoSAveRia&P
zGt22Wa5st-MGZLAA}mwy&waE7kf2V8a_6B`+C&(JNivAm-;h67-<4m}p!cfopKkA%
z6lYr6q{b+vcIJT;_DMjfqYKiNhDYIrBjLeJ)$RmhoxwD+$?Xk+klx_}iJ7ZL_%Hj1
z#o&d}3@qV~p{5ZlZY%GavG%f*`)S)B<q0?hR=s&ACh56rdn@_j*NZ<`(|<6>SBW1G
z#R{O{5PyT0UT>UMeO_L3&c4KGTb^xNsOz8mjOS21ZTw5;6)8vL-JF@3&Kmx=G}83a
zFrnY&H}*5e`8P4Pd|D5sg>j&nGraCjdBev5SBW8cqbz8PU45o>crQc_V+#K@wwINo
zsIv+pXk>+11Hm1r(^|>Pln)zaqIxV{$X_Tqr+{uGtymKZVk|c1fadGrBy{IeLToah
z0I`j52t!i@uzbF!ua1#mdzp)E7!&p{Ft6>#*W~HVkIWPaF6$dDRL(!oGCg|%%xoqi
zsR*2u3*!GU!Ta7xI}$>S&GZOZ$pKaE#C?x+oUZD{*c?&i&oSy87XfF1wdeF3ewiL5
zjsA)*!G;KpvFm9!+UU+#De?a%6V62!z?UqTQApEfWvzzFNA|kW4`bl>V0k=AK4r3y
z2IFse%gQw=C{$Z}vRhdR1AFjePyG}l{SymI2f2?C%X%9yhDNd*8y|iz7cW_jfsIvH
z8Uou>W<Nz|*i>tUOl$Stnr?XKMNc?QFb{Ykxnl!(RovP)K`%c`;xEy+L4DW;giRT3
z%=5JlLICj^fuj<P=wMY$j;PCl@vb6IGmZR~{MQ*96k=;G6xT4JlA0Mi;VcHD-PFB}
zumz!WrV5=or1zk1U+ctAnN#(~YG;coM!|LB9&}d?y|C)FOVV&s(sZBqA9*|Esgjqj
zgFP=IQ2ZeMKm0K85B7&Mq!0gc#>t4G)+Z($sZmMKdSj2ij<bhdBOOoLS876UP#64N
zBbBzMb~}CtRc<^IaX~m(vK<j|xv(%ducx2e=F0VhL_k_ewg)`R!B)n0#)>!|saW{_
z#cvkM454;Sq^UZaVU}Q4%tv6UT+qzc(zdDQ<$+d}Y-|<0Ac{P~#h(Nn8>1K9dYkaI
zg{JI1z?UwsU^|dIUsAm%+6o+N$@eQ^F2yEwctVJ=)EPzz1pzYicw{W&;j2N+om*8B
z-9KOmVS#NP2c`r-pi**caG{?BLwa(G42{xidxT1?GUP#!8^xiT*s*u5*o1Q~E;2Jj
zk_(uIUUQY}Bix?^zU5&0fQ^fL#QzG$UjQm$jOCr+XQPIs!9!;Yam=y@I%-U&!&I{J
z&@?#sb!@n1i*Yy+D(3Fr)#q%*x&s!O8G2aWf+W6<Q_hy7%X_*23_x;;(8fNf6@%uk
zKn5~doXQC}SZ*0@6q|#TD#A;$)&e$CYz+<=KZeKG?+a(4EAdw&xY~hbnGq3DjpbY^
z+*4<e55OD+1<hZw?OSHjlo7ZKHO{P2^j<#+`><u>@$&;uBG1AU<e!Hrj}L~k%H+ya
z_8MVINfQ?0J`W0k($nN_mis>lrzFMGm*ihs%V*P94Yjn9C-`W4E7kTdTU`BRkS{0(
z`M<C~3{vqAg9Mzr^_;%*-hS$v<n_X{&G>rYf81eV!@0){<^h4mczFiP3!98l@Ge&i
zoGUAaH0Ew``eSRUayn=3;)*&MWw~rNO)}+&NBS@r@IJm0=aa^&MpBd6d8cpeY|9##
zl_hsB6u1hS+2Xy30v(?Bd8AGwShQW#rs4Ev#M52r2ty^!vBwc6i}<E^lp%4HBl7Vk
zEwVL*BRQ$X)5%_^N+)v+S-}I){0u(^P;7oykc!3AWnDr@IEjenu`AfEk}rK{0ZDhv
zNgP_^1wZ^;^qbZNA-o*?$xBcJzr`NHO(16_8TNK|fkdCk6JpJ3unCwMq^sNVcsyAv
z@GkYSm%{4;m=Lzfq<{9cns9=}q6{t<E*G|KA#!KYI&#8!wazWL!p&#6iJ#+`deL1`
zs`!bp1cdNwjPj9%u~GL9-_DXyZcg!@zIL>hRm&qR)8T4*^tSG&k3g73ey|G#AK}On
z^%!qT-8x)EA?z!i>>0I_e+~v=Tl0H_&di7611%iF-eVcqWvQG~ykaI2`Xf!02e%NP
z?o;MIP9dSAOG6J>RxLI`EHl=L<x9NZIHz6q8_<UFV_YcAURslg&%fAUVN8&CgaH~o
ztM|5M;z9%8O`zi!Uov1RVYHTfy^_zZjBV9zu#akD^dGYLA7U6-xDNaef&9fbyI5To
zloIJ45Mb^c1%DyG8Ctjpuw6u)zwJMb@!dxFCh07({ce{=nD%Eg#Llv%v=L_yi5-0M
zz;2tQFXwIsVr0VU`HYfWwwfk5`wmscnU&RQ;LqH!(g-sBmCeH3C^B^=<djZfTxkSP
zz_JPN%dEMq#|a3L2jL7*RcF0rTcoqRV|Ll64gh&iDt1JK!o)+ijtzeQ0cpw9LnWZF
z!50vih;K@kJ;L8W(lI<Thz4!}tWWNA3B*AZ4L%|?a#`ZR;gSMO77<qlvp1rqA~Nz_
zNY*C*DZHYFi%V!pz-RAkI$9JsNuJC)C3fZqFq6+l?N<VftF{1_YqKodx_-LHdY4NB
zcPybC8)TeW6G*z8{)vzTc*trBfH}WVViPJF=O@G;vd=f+sj}3z6KJhMi|t+IK$Dqx
zGimeMp8yH$meY|rlZaJ#!Y9E<JPMPJwvdQWb>724eEqr%>?M<vm!-#XRx#lrg~FF}
z+$_C9e9!8uR&4C{h2EDP6=*+znDl@r>bc`1mfgDgsMZVBZ+g6FUtbF^4Asv*%64n+
zdpcP-jl!t@VwgXL{|O3`1O7WuUZT|m?sY4*zmuPFl+E&^AC_xlG%=7_yf>|_t#H5*
z<837=`-qFk;-K)%@=lsR6<X|uNFXQWPc((HFZUKygq9X_hi0ubj`l-a(i_piU|8Hq
z8@9uC!6r34c52=P>70ol7AbW8CBD=^f<z)t2ra>1+&r%vfCEm*Q;?(_cnoo4!;AKj
zOOIhX5l)N-K>Z}KrO;j~nW9mxr4z!Kn#h8+!H4}ynb)dFwGYhYIMfl2Zv>!D%3OxK
z>O_U}odtS7BJ3E^&Tt8+&y>9#TY3m>W2vEoWZyz&EM5u(uKqGx>*&QjcT_iZ2}ceM
zO-8Wx4+2XHkfwn1X&%6w<>65=`-<1X;)-GCabRhvHsv())yi@WvEoPgn_=w5!Y0I1
z?GlwD*=a;JdU<PM2%$Otj1~hWf-5-?&@4^;=2t$&ad+IJB-Aj>IZOc`N`XZfDiskk
zaOT)p_ZkerBwJ)^DS()&Im@bpd|2!ISjc43vUsAc>0K1&J7)A|q+KCaMR|_Pn$<dX
zWwWlYvG^xRtkX#JR}wv^q|x|w$q5keStDY)XEwv9xrBOyL$dKwKh{e0gvw_>H~(gE
zOu1HA;k>*Ka)8FzPRFc0m|79+neTj&o!friXt5INM*n2X?;cRex!c-in!Nh?o5(WR
zx^l38>Z?jWw5>lAS+VcWMDBMl804RvQ*7kq=y)tt{kHrzDJtrz!|YgHHBYw+fF?m+
zDD@aG_=qAJm)<GMtkK8;fK|~N$W`toApS%G7{B#}#PuG~iI}eRLMq*uF<B+??tj$f
z;7Fc$<E;UP#AVVb<hAyw_V!9<;xp^UlllRBl7LoN1|Gcu7|xH2Wc<g97eZ^Gv5<rl
zXJw|MV?POD0uyDaic+D;B0#cGb+YMjFVUhVHqP!+3I<LJ7e*MiJh+GwJ$4LvOET*!
z1s;j%qgdr2jRk+*SCe&`ep1S+q6Yylxwt9FnM7BpWGWD0go>#v7%3V9u$`37-C*)S
z3F5&BsUZAWGz^pT++2#|7v^eRADZi1>I-!0*7h0}jM1w?xieJ^gH2z%&OrzH;w2>>
za+G|-KT)TiZR#SNxMZ~VR@~xPn6dKt{$ZgO5Y=CIA|9~4A}7}0`b&$b^O4>a198jz
zb6+)smtQ&4_gnLDbgV*Od=zM!YF;)Pbr%$fepd7wyki<RCR4rF{-ySf$?9+N=8Z~Q
z;}ejbNGNY1Q8A3ETMkoxZboZhJvwueUlXio@O>B|r(f%p7<0DSG)~mJi6N3qN5@0x
zJQ(1JCg~<ksH<Spq7)dLO+3!u9T-}%pLnaL;l!B|P8^G;u#H7ZfCzlI0^u4y7Av!v
zu@KfYT0Zj5o-r5*<U1dF{9Ds}&`XYF%RnhUKhsRWKZl1`X-=prElLh!5h#&Xa>4IY
zjlfggLmKa+d$qKx@*T7o?4+BO1JIn1Vx2A_jrM`dzZv>Lw?5RDNNes1kgQoqCJB&U
zI>Z1^J&4lLxeXT<A>&4%mMHfS9nL&UKu8zV+Kvm#U@068hb3VE^ZgPvk=~=3=9$A%
zGB`zz*KY2mVH$cd?v`GG&dcJ&)o+uePl6Z3!rwC3-UE*BfKFoNW=Q*?g%!T%*M?u*
z+$@@g7n9wZl%1`bGGK&AX0AsMe<~J#(EDTiXV632jyTRxRGISSZN>EHgg)&6$NIF*
zJs?SEv1*MdWHem!9P;C7R@YqByG9L}?MG!QoK&{IVo0v0`&da&UZqD$IJ@}w2%EvO
zd15ySKu}82`B>3QUrXrbp1gcW!S{gaIG!(Hrh|<%`x4f1?*95Y42dm|GRO~JrMP#6
z*+XHM#T3(Gmk-jrcfxG<0Er*VM`b=qg=JfP$#;8_$*lsB<Z(Wd7y=Y!`h7~1oFhPF
zA97eDw=qf?1?H3s-V0~pl(Hs-sn9bkn__)nAttd9!B%Sn&C@%-5MV4+P?Hx<+wdm=
zB~eT4<iaNTq>$9O*sMb%HW+fL+1oX7WD)ufp_X1ziiq!rC%RP03)c2qh5<PD0IR&x
zyD6ifrB1@eGxkf&-KvUHlJkAC=hsHTf3c5m;rrETEK=lpn2w0?<j*mORqhCtyi$U|
z12h>~mSOjV{H>emFY&tv1=mlh<Uh%;$%5UP3SZ-u+6rxu0GKtddmGn?g3rsFJE{u@
zLimg7pMgJ^8SUM?MCAxo^^YN8kZ4eB3VCBtCLn>DiIfrGDypFvKABy{0tZ6)KrWZ8
znG}w*r8=w3z~V_C2qMQ}D>s1$7sE;p!!$kq2Xq)k?U#1n;CZr*3if0brhDr>*Gd$}
zY-GESEEorYi?KVz@^M>XP|02iVYk8{T9~@R&H$w&4|7{B0U`{ECM}cQmu+74F?hx~
zGDzu80n0Kmk2Ae!D6&|MpFX|naa7_On}&zS?@)OM6Ke6P(pWmizBGUI8VKQ{sE9hA
z&73Ygi_JE7!~@v3ndZ6kcB~B~5mZDEWMopvwT7<{xjUc?Z<pofUKqP7(A=juSvYmG
z=|%c?b<V!(`h%(cZ!G66{NO(}NBZoZ4m)4I+-?(^Mn>(O4kGD&FaB7Xslb7#_vf6n
zBJi7HC<y<l&zI8ORqEHW5vfDmgZ2FT3o1|LYK4ou->n)PdFR1c!HI0EX8F^KIP9FE
z!j@~%+>~drdFLagMz~loDd5BtZc2X~FcU^N8t)GAY_}yj*Cutr`81h-(Wf9%G$mZW
z^qj~9NE|&rMQkhyg?{%H#GblDoJU61TGjH73=Y|Gj)7yrBtj>GN+rTjdtACq*@>~8
zfH<kV%cbO)dnp4f8?a@{C!fM1F~{-#51IC+&pysh+fY#;Xhz&hqY@DmbN;uyagMl^
z`4`Lmo3Q*hIq^qTxZWUFeKdVBmli12VyLz5%Ebd}Yx5icKb+Ufp{SYseXv90y+XTz
za~&NUc`PComc&A%c9?s{0!|DfgTUl*ha?tdm?62gOubyDeW>crgwO9`J;v|nd(j~O
zAbQeR|C%tBpdbhgmW30fp$6}j%9SF2!4_TNGT1&^M+z{<AgW;@Ys#tQ?Z8@T;#n1$
zd?t4iyeF2i@$D7;q?*y26>-qXn?~Bsx&LCWKNZVAnEzp<hXaBIgEWJ4a^DTJ{tW9d
z@>2cwVN?{U!!7rT=E1H*jGNd&mY3_+mn=U}5<3T74a%mmVG2Qhv8WT2;!<=Hvr;bf
zAbwmme^4?B1SZ3@6NDqBO%44}#lyhOy)2>@L;%-+!|VM?vjLYsO>{P{(e8a%N~cli
zy3Gao_;=U$ah9deo*(^##r$tf__k=lkVh?uo$nFFnlE*VxE5`Xo9lpJ#vsS!+^hK7
zIz55)YX{-dU}ST;vIjW6oX#r|rDq(j38-Nhr3=cBg7#z}Hl%rs5E-T*DGY@$Nr^B;
z>KO>NVgd0J5+<n#WfCbTkN`36Fe#8u-tPPOi4t7@mRDppl}cs#I^5^$p3l|$|JF6H
zR<Fao|G^~wrXuHFnMDiA|0?+iHU25$ns<r~oX=1(3}<H<DuyX+sOn03JEf%^1re&{
zrk-nBzeYKRw7DOQrpT+|3!#YZY#EGkc(M^xPK+VxXW4+VD7sn}j-P+2ieK2jw&la$
z__`c6DX$VF1+t>ijVxwjWbTDYEW&bd>0WRJNxh*b#<%9+A(2(f!NqxTVH3ZyxwMvs
zr)Y9Kej-mL`~T4T?(_A#|MbN6Zv{s9|LV!Be|yq?CuILmPoe}JZpE`SD}36;R)3VY
zKb<Y1a9nv!#3O#fc*_!8$U}?=lYyAilWyWr;zTA)`NyW<Iq67@vC_%o(qTA;!KLUh
ztl&~GNidy!umFgM825W@kOrN+t=Q+R{c?Si<HHlU>~OQ(J%E1A(}vckqU*1XH$>dG
z_;-`@?igOa{kt0MxC$xO{p-S<&;Fxgij{$x=dF{$Z;hW%slXwhA0O>%DXiPaxSf}m
z8daex0OLVY9yVO%!!>@SHAMt}ymwQUOoI-TgVXCD8wNL#VU44vCreci=3xkuO2AWM
zjUAH5Q)1~&BkqO4$qRb}cu1t;iE-$A3!8~`JND`1?ZuWl_8Cl8mh8n&lJkBnw;lh-
zpE)txX^By@j;M2P-R*CgBTEH-^bebYAG|vek5<en_hni}xwZp!Gn~;^=1!qk(O_kM
zPETKJ>;Ss`TI)G}Nx<G^^_2+v@q2Vkb-IRK{CmJUlRvWliho7ATtncb)R>%_)4^M%
zV|1pd16AmX@u$%Gy>o1&#>oe4F`g{_6d@v2#y7;ZiDC2T6E}NpO##~Q-i(V48$L^K
zad#x1`HNr*%@$&Rp3<5EybLrh7P{U@Hd~zT0O~*T1U#IY!rtOu)KL*Gm4T<kwk;h@
zXOr2;*T_T1q1x=w#t&_L9_TaIvB&8iB>QE}P5aLnz4<#vJ?;rx%KzGB{_i{&EE_Rw
z*h0M=s6o9PKn>PsAB~@!6D<Sh*E_8_*Q(o<c1#s^lP)csvFF8d`~fQ&8E*iy{Xvn~
zYE6na1gXD*$QO!q+l^EnsgeRJ^+f2;HaatuTfqEZyRmbi<L)n2p4zS`cOH<f+Lv|w
zAlfpJ_Bh+BPqULfTkR|+R?B(2fJP<y1)l2@RZ$k<t|V}nzvnaBLooO|p9j5BU?zk8
zo5+ellA$7brH4oM1j5q{Ulk#m;z|>@@YSu@Md4?Xn`;keW2+AuLxm1v4}K4jUT7~q
zm@S`rgQPKdb&&N@k1yWEW}>lRuVbuq(OC(U&*%M68(TIy>NS{^fU}>6n~MQ$XzzwN
zu$HIt4NiB-$HhpR@Hi|$0$L6lSFsEQ2|0Tt>jMo2S~RJ-IDa|^Q*$#Dd4KcGLuK}C
zylu1O5;cc5-VT^f){D-AwF`2QDF&x!qE$qvXeT27NxNEPFD+VMuE9gEqYT&oF7Bv>
z{HTQd--7%<b7b<C`RqT8?@aqWXBdK@^7_@7gnT&4csD&PU3c|W$wRrHyk6)VafAoE
z-DXGOt?h?-uTcEmYfN>=UqHXwD5h3Xt{CnIo%Q=4t*%!0kEm=KDQpZi3u!qxEmWw(
zgrhG-1o#2B+WHEO^txdh5YUxloUr>|Ygf~#QsX4Y1~XT^ty^$EII>KkNZtx+$h)Iw
zYHHF3Z*HMD&@57^m+;d828gtO<8DUF=(ZD{HQ4bFPfZ6LPg|4U=>3W`d43P5N?EK7
zxmv}#5Nx3Mj@^~Uru5YJhe%D2+p2jJm0>>q8N<2GBX8~td3O3L?lf;+^se~)C8}YC
z1nOOREZhM}g7d2M-n+o^x<+F8i)>tHz1NaE;!K&t!HT7BEaPZR>1_h@2hBHPdM=}V
zA)%&#vz-cru5cQ~vOc}cDekHX?0_{SzR9)AG<^Pdgt@khH5dC2wV;nLc({J?g`|)2
zB`EWa)Ozt{fk)Yu*<Uh{eNtwB`V7t5)ZBDKnO)a|RGHt2TajeSvQ4l<#kwee($&Gs
zT(Kixkn_ig+C6}{qU|p^Z+dSrI6w34lD?H_EB?zdPtV*m-u)?=n;@fhPe)xZRkz!O
zw{9lCB%d6_3}Xwdah>Xp`;sQ^m9gLz^)#ezofZ=_*=E>R31~T%X@L5iqR1aoHNlY<
zV2dg@&#&o+m0nKE>QNbb6|cW`pih!g{tOstSlSBX^j_N^!IGY@Iet%VNWhFUxo)Fr
z_x>e@8Lu!lhsAknnjufOHYZ<&C^YA;(sFOw#Nco=q$OaYj5Itt=Tc|(q~Z}4HncwS
z=~M56+z&}?vAr|gS`*CofCsv-ZMqvAq%|seGQS^a9c53INKqfSKA_ka`o5L#iAYm;
zr!x|5?I(f8qtjR_%8T&`N?kJ?lseL+Pjf{6nF5<Kkbr}!mr!r7sY1C<V3g%Uqm3ai
zpkKKgoxA(gAU(qdPU!8A@ftX8xniJ+2qO%IqTy`RE?dm(uj*@?FeOm{-E~}p(C^B|
z3KUv6^R$w{&_L`d?YR2)$E<<`ubXm*usU|-54S8VR*tB=)BA%b3K!7ys1MWP{6(d*
zN|$M@JXvzAPU35t+)f`LUaOT)>jZ3YONXS%W$9`zUsb<<QFUNSk^RJRH&r(^>7w7Y
zjGC07cDqun%U)-}gb^AGwZ4ncb7(5>K2-yFJmlqS36^XYO?>UY-9%)Ao?#r_H>i8X
zj9kv;BVzn0S8McPvR3LF@37GqJTustk}Jcof$;2^l0ay@`;&)QaofpR;x6_ET6qnk
z@t^9U0|r{hT;=O-1G`2sM^pCz5a*ZrH#CTC-Gc`aH;_+!KNP+{b|JdkFsyj(@o&+N
zzv-}q0u>hO+H!LLSyRtrelz^T5<CBTS1cdRRuO;ZhTiS@;mt$R)Z5`c2$Jo_!SCR=
zJO(9OZr%GAG$0om%TT9-aA#kgF-rsf0c|sDcmP!jAR|C`#)LqW{6(Ae5Q1CFJulCO
z#CXJI?^EB@CbV&zS&Nsg<2|9R3VW`Cv$dw#svhIr=qn7b#4)q%h1zcZi7{ZVyVJbx
zN1AB*3Pqd+xQThQRY&8Q)j<Gy!xJBCeOoSRtQR|$Tx7=$2;n*XUI<8o6>2u;U9HGX
z9tHvf&^x$~+(@i9`^0`8ZWmj$M_0g@r8LIb5?2Xizg03jc}dG(RxLrWO{YjgK9!D`
zRL?DS>l$y_OTnhOHvl-il&lFjdmXbmD%4)>52G60HIQX$jdPFXnG-9q8wAN-JJFMt
zd2j4mLEXxddcUR^GO?LVFlI?N;Ca2AJm8VJ2b32+e7psQ4KD$lbU7-=v<$c!{DGtd
zO&_hZQ?bMbpLzEf&Mfm84SSmcK1J+Y*gJmE`;r_tY`Jp8cHI|_W=1^3K28tI6vlDI
z^RGF1V@xPN(MU)UVq8U&Vai5AFR1}v6TW!Oi7vq-LT*_?JB(=iW+&hi-udZJZ+NX@
zF<CQSsDb_E$>UGRABrh}w-P|hx<MB~BI|*Cky-nzDs=t|4TmgicPiONiLHZ6TH!61
zN^Jv?Ld=PwuXtD4DbI)bt>!-?7StGPz-X|0z*+Fp-@wMP>gYPbmzFd1+TY#qKWWFS
zr*?DygvAa21~{)Y-zwHubGLU2Ro|7~#$!b_rxO@Y;SW=?H9-Z-XI^VHtwEoLq7!CG
zRkl{C)b|@j^6##j3@Pk~U3|^T-sL~G!cQUL#%5M$=b45O0G?8Az3(!yCf-#p(K>SW
z$C7QOuSEAt4rj=r70!O&(vA(|_-4*0c2JbWBb15;&}FYY90K5y4n@zIYT$R-f~%37
z6eY=d3d@tmP!)hI+}w+t%BBu5pm&;Q^Y&3Fu(BfYBVE$kE;eDQy#X)lL{%K;WQ$aE
zR@TQ%Tn?H%i+2J;gK$qN1@3Hf7$c$ehjtT;v*4T~8}-=!wZgs;<>4yp<0SmvuI0J)
zg}pQ3EV8jC7ZRBN@bjVp_P|0%C4QsZ45)0b1q=0v65?H;*XoGg>ny>KI?Qkd^Ex0Y
z=T@;pPy9gqViq(Xy!$-Q58u}kLe{WH$}|C$6HPRvGe>{o5}EMP2D<H4z&@=QT<O6c
z>X|Tr7X)p9P4ZLZ>LJCpDRwdu$(Onb9*I&N8#Xgv7J1boiY7T|3>psAUzX2bmSMO4
zE@m>Fs+8F>b|8HMd-3{tMMhy`N4s}2)iba?x?<!=e@BOfpe%JrXq?W~9A-Z<Zfv&~
zZ){YZpvz-D#_=jJ6fY6`x1Hhn-!KDh4Qq3i>MG0YPyF6_IEl6FiTWPoTHii>KR$@=
z1t!w)%DvGiWq;Na6~um4?&#1pEZu7vtS`b|Jc^2GDr>mOE~%k#ynuS)5fFLMEgai!
z20ph?4-z!k4S0L4%~?4bK^Q(J)G?ABJ@5RSB-Pi7tFzYEXq`%fH`QRKT4zJ|V<_Jb
zp*gTTXm7Gnlb~+$farv|*<OQK;CS>#(eQg#e2pswW9wk6vckJCKSG=Lzux9h!M)cC
zsfOqYS{ag=L=N0^-4&KILpqkeKR|tFHtp<{Z(>v6(apmVleHhSa^y0O{q~o8ug8vl
zu>KBz&4OSJyWDyMi2*FI_?=!!a~bbFpb06yP8;w2BP7EQZ8rMHNXK`Nuf9hS)fBa^
zvUTu_4m!~B<$HpSA^??iXzUwif-lBDnkLY1_SdnaU-rBokq*RWii7cqJTQ)CG;hpn
zud!S{7CVvuB@fn*Tiqyec`PDO;wr;MSf*_E$uBM%7??hv(cWP8nSJeiMdLSF)mk}+
zJ^3QVwoS!4?w5LtBK7DLGYs?-3q^R59MG>p5TY<k+df9u(-g$_om07}J<@!<?II>f
zqmzgx!$NPOcx+V+%x){2i*G^*>DxnnQaR&g4!Yryyju>x>6<xJZgw_<d7=7rxHybi
z^^9xh=4<$?hqjW{WBY80CpgZhovT^m*3b4IJh%1r4sh=sR2e0;U6>8^LlVe;YE`ti
zJ3^o*lgpZ)YRcKg%3H8-qbUqFwU)X1!e)gj0qo;nu4mzv_A$+D!kv3{OPzN+$6@F#
zlN%ibwyWf`sp1xXKJO+nSW6HNkNcK1C!WldvWdE7`kmvepo*woq7ndtM-#7f*g(N#
z950uix@Wa}S0No7RB1kgY^KZycz~Flj<5@kGCGpL{>yLTxvoX8+g;>vh(J4o=tIGV
zm|o&byo>qK-{;F3-AMPBj|45X6M{6}FTYi6^Qb0m_+e>#SP`m!q?}<iU&{Ru3v_av
zkkH<jTO>7FR$sj+D}o4_NRVGDjjA%KV#{e!lL~$&sj)5cLqQlXhiUzTnoKY=>bebe
z&3v2kc3%=q`iuECVUJ}m=S(#>*OV-a^iKYQ%;nin&fhZue5|Ou{s>>48Qv73l4lqG
z=O}3hrfR&eOKv!xk^gN>ZsDHIn}1p&%X)Ap|9d7-wq(ftIFUF{iQ^!P;`|;!2N&qw
zKb>A#c(WgpP=5n5t*pT7AW(_Lb(|r$=sdC0J3;80I8wVHQuTJ-1vPdsU8?%8D7w0;
zR8BlcD-ZqqkJOX&IzqQ&np-j7*Ki)M8W=3BA$EvirX@D2M=fE_gT^G&YhPDFB&978
zQX}(8RYm0Lc`x!3_dkK=8>|4Rz(45E-{C0wD@{LGYcKg_;YehR*Hyst*;2`oAG>CU
zZIbY!;_>=C4c>?(tcFRC2MI4*DhEL$b71DcFe#AKx3)~_-}%iaNm;eWh|be0AFpca
zcc>gv*RK4sOw&?MyFmQI7CE4!EoZ*M7gQvL?d`Pp%~}6C`0?itKgS)m$mr0hR$6}B
zG@s(B+JC-1KpjE;#aG{U`Mbi@k5;;}wD0JoKwNA8iZG8BCJ?@$JREdS*YouCKGx39
zA7bYJAb5c*DeAxeG`RD5H7={)EM=4xl$*WQVfnaGFSMiIK|jF);i=hlwjAX)kz^f8
o)JP9<{hVTAX<@%^y{tcVrkTDDA9o<!4wJZ`!@;1#5x-yhKU?mLv;Y7A

literal 0
HcmV?d00001

diff --git a/webgoat-lessons/challenge/src/main/resources/images/samsung-grey.jpg b/webgoat-lessons/challenge/src/main/resources/images/samsung-grey.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..2dd9ea557277b710e667092b47c4d2a01bf5ba35
GIT binary patch
literal 11227
zcmb7qbzD?W_y5w3bc4jwA+dBwcf-=4gs`x5BPt~z-L>@63kw3fG%83+r?Mc;f^;Yb
zieEm@^LhUG{rQ{w$GvyXyk^e4&zbj}Gxz@e^mh|LrLV204Zy(x0C4Uuz~5ECO8^NW
z5it=V2{92dDJcmV1;afGa&ih*I(jMwPIhi?PWJovfdU{AAfE*P{rjTIq7u@w3JMB5
z!Vfhc%4vY)6=ZQpNl7WlDOm2^W0B>(&nx@?UH-lUP!r<}0_O2>xB<A-IC#`Je}@2U
zcRCW_{G;ms3LXFl7oXrx+dHWR6#xehhX4<sjGTy&fZ#t9!o{P;C!pbyAXGD><#rAr
zk^}_?#bjl-w$ITqFshqdf?aYd+ve$cWMnlg-b+cl#toeFYHG#4<kzm+x&YpF%5*o}
z|1;tpM!0zRcM=Zj{|NAK0C@k?28S9Kk4A!vR?X}$20(r%!KKEd20R3Or_X!-DBqx_
z94Uw8Mkdus%H?zgH=Ix$(NBd;Kyy2gM3g*gc2;#20KEgUefE~OqMd!__M)^OR)KYN
z-bi)`Ysp#TKo6iuTJh+6+qe92L8uQ~BPOb?Eg2Qecy=M?a&f%mU6K*xI1v4;GwwEJ
ze9g-UWYiD6B&z0^=xk6P_qe?0@`$XnZu0mRa{WLtn|mbDS12^xo|6|7%<W^M_QR?F
zg@^l<PV0mC)sI-KD9-B#N~l3+{~G^ZG_NXYavp!xGqLrzlI=f<?wTAe{I`ibR1fGT
z01pIN)m7h#%l{*mJMNG8Ju-9q+h8h->(vKcN=U^z(nRZrQ{Nj`qMHle^WKPOgZI8~
zJ4Kz!MoB&ta@q;I;<;?Jm{no)yI-hw`&;jpvE_cD#vaG;e)dW!D_IIgbrT#C$yodB
zfzy5Q#1G0zw~S}^s<u=lj-A{x@L25jdlF!{5D)^be19u;!{qefS=Fb4_Y`jrK0Vv|
zX<cH%1Z6p&$LwkBAxKfm;@6KleS0gf68DT1#qCE5o;ij8Zk+!7q+0DHlEdHCAKGhX
zF7Pz)X0QodbHt!B#ZX@Zt?4}^>|)z+IS^qlYO*R?{h(scTtl2!SorkIqpwbsWi|46
zM<->NRr=#km`ALRoPX>;ogeHTDm`V?0$-|(+56;M7m2Mrv{~D559-dLM2^O+y-7Zf
zKpkVqT9H9(9;v2Diq3{9j^AR&F2<Tx;y+er>zariH%hfAuAg?<?To9m8ROitLiX{N
z{qHe5J?y-aU+z%j$g6;GaN>SjJ&3IG^Xt}aX#Z5{D)=p_WfOeN$eupxDbxKp-5#0{
z*oW(S;75sG$bt@e+l#(fg|R>BIT7=m?JiWioO5KwL*rXIN?HuIUp)wmCc26z=CvIo
zC9sj+d`NU-74?PYdE-OL92q=l5#}>Z#+B>ui4D9Fp&&#uS@g_&s=_%*C=nFPIUYRb
zpL}n5H1jH#^);&%s0Vms^A{lbeZ|260Ie4;GJf>Z95LL2>*xBX$+OWn3Fo}^)@}Ou
zIr?eOLC(oPokn<5FD@fWIy$qNwHHfQa}JfuSkIrMEgO0`h-gKkinu;~_ZqA30rCuv
z{w(Ml+@E08IPj9PW`fMh@hn023ql`aYDs$zGVc-3OvZ-tcoKFxltX5`eu<~*NRw=*
z%Bp(yn`=S$6TDUC`{p_wUM~Dhy{=OvLG9e;@nfVg{oB?Z5@u?ShZQCIm&;vNeGL6P
zDofi=7cwx^ABMjGlm}Wd^ns`I@-dJt#gRwq=3`H(pu<wAW!IS6pyYP>PRe?pmC-9q
zl7Ht{jdv_KJP#$EKiznxc!?zmZrT1U=otwH3YYBTL{qUyf3fX*uh3HdXVb?9dz<vn
z^v6eC`;iI`^Us^2iXwjpn1V-DvYRL$4<nR~--Ih?$h?LIjXj*oxDr}UOT`E)2Iz$t
znIN#ev(|GNFU0MnH(+%@qpA{!iTPse*Pr_yrJ}JnNjVZ1Zy6XRPAV_yk9rjayRO?#
zI)?mL{G`V9=jucVbw)5hFw`Bf2d$4%tB;{RW|@ymC?kp2!sGgcuE*Sbr=(BmV58pc
zz5Pm!b}#nnL&PUqeDu_%(q(%00Ok&`i1y+PADQ%?<w<2vi*j1FUnSoKh%9_%q61{2
z4&in?l&HkTWD3IgkiGPT_UN%yiz00?Kr$kg;0%w!=q9hAPkk^%0nwm24zG4MttsFs
zBAG-%28At29%=8cjW0IR*SsQfvyilAoRux^t0&wE3E)obc*$Z01xStUb9{<<CxG7R
z2-e(UIk4y?+bE=9?J;AgiZp<DE@zVY7$+-`w^iV~(|7rZ1x&I8s50on4!8J<lCw*9
z(^v>V+WK!EsF==~KaB+xEx6lZ(^(Ly9uEX)XdIgvdQj|8wdwS6LP6q+F+l43Z{};G
zR8s<BLJ5Q<ELsGh_jzVJs3fd^5ScD>qMzO*eZ5`kB8!8=jvZmS5Upc;7mJR%7;Z!*
z2IgKpA*)Ed=%xMjfZ>Ca1B*Pi_|onkZ|kBd&f8cD7}fG#mcS=s5IbVn_Zh(qFwSvx
z(Wvqmi-p#y=hez2pyIMXaJ<58J6QtFFbpB!oiV@rHWe~Ei$Ks2jYtjXGQ?2X_d^0H
zvfx#q-}i0u`KdXfqsGoUUQEktjK!Y>$W6z0Xrw-&S029?41o@quZAXgpY-=wO>fvN
zg#}+od|^=8jT`8kEfwZM=F{G?J|_{Q%mC$FAO1ON{|f-?U0&w&DgX}gg-uSTZa#Y4
zB8o?dyo7oKM>SNm2bjZI{_KH_OD|n=$Xqvr5bknH?n1c24s4i`M18f3O=qZ{GQYnm
z!6oUF#N<r!FwesE@CJZ-RuMBZJ6$(l8lk?=B)>Va>LeI0&o-yY?Evz5<`saeO><bL
zgiDjwwtVo!+pLo=orS`5ZNjn|FIJ|Eu)2{(kFiI*t)!9;m^LPJW8J+nC13h=+)GL)
zY0kD-JCk_v!t_}h%E}>xhwr0mD|fbGInOS27dHIjFW>?qX&B6uP7^5hp<w{7KFbC<
zHm6)!Gjq^m#;s<hlgP<zSubtIr;+1?Q~D5rg9%>^O9ohyIY?DnafcYm1taphgiZBk
z^!?euFn66SO1XHPI=k1)-*7>~dA@j%q>`j&9n(Zs2@p+^XD%TF)`UgSc0gp?;t#LY
zK>T!wU<#+4a4OVBa!D}36-eTS?P?uF$~PYT5LdczWZ+w;@@4ffDt&`aJ`OVc9(NH8
zpIS|ACNtd_lU;6=5p*hYJ=ImZvk-q<vaR!dvo|jb_|_kJ(XXa_eGYy2%^XE?{~>70
z&p4h^-l)pkFNqBx_FbOS^EcSbSx*{%GBc`@K0?burMs?cR@4G~tfIxJcNxN(+{$1G
zyn011tZKj+gx~<JQ|q#3YG$}iVVBaE*62%34HsXT%R{PW_+zQxQ&82FwxVQt94+?>
za(o$S^wy-|I3n^ED)_ZRwciya9Y(suu@29ZyV`EhyU|#2w$GzOs1=Xz8twdm&zgEA
zF1W%<Pu7eexFIFh;;pT(&QtLM)YGRwm3$#S!08bV*LX$wu~O<MvP#W-*t7O=C?geM
zHY>ZdP*zBxBKZ)3VRA2QU3_0JaG^Q-j@1q*BG;*&^dy7!RuH!+okUWiF3+)jrSP*5
zk@_%l48_D=t7ZbIb>n-5hQ}$u3F8p^_SVl-KZ?VI2xAvLIs-|tq&VjKVW#Q6GBCt+
zQd58^bDn1%tl~E9OKkn?*yC5sO{Lw^T}UT_H|P}4A1?HqAph-Fnf;sOg#|KYDD4a4
zuSc>$TI=`J^^QN!For9W+!@5g4TS0a^i}N-*f)$;OdUmUc|1~V5n1-?AtKEyzuoyh
z6PD4J?M8oWaNi}znk{xQU50S>$!xt&{LA1cv-Ftkc><`>YJPn@Peiw`Ue0S6V<$r{
zFF{8W<$!pY8g8W>TNZP4xZ6wNa6j`wbx7gtntEkF#GQX^d-G5d&AH@`%9Fri<F<9x
zQuj>hqd%|+_N4miFGZJ7qmpL{)aQTGlUHVaZq(k5NC8s5;GAEJQT#<~%YA=Uca|*}
z@tAUkY{z-e$zf+S(4#A~0xNx>h3ZKQ#U-iL&kd9wTFgF#4&_yd_@k?;O9r%dJ@o^O
z*uqQLwxL}FfpP~CBUPcgXkGt-L@h5qH>!9XpD?)Q@r)XL-;uL2rnbU89fW8}u2VKE
za^Mun1%f%I&3<KqM?0!Sf7LTY6XOLwCZDU2K??zAY2>Omm$PwZkZLb8HM)?bFW0bC
zVNLAabqB&)pj}%Nw9CPSkcPE#=j1@Z^us|9qzfX$ussaqxcL>BSKJLhBdX+`s>`ue
zQ?!VT>ASOr7lgQ&dS_Sl_3g6L#%>fCVk|5R=sn+`uj;OCuJ;kvVrn7T1!}UW&Cc0V
zC%SoQS#}e@Z^dGKS?FsCQpj7cFbZnKuf?T@NMZYn^#z!hRb<f+r7gR?MfC9rzDo@W
znRI<h$uDPDBRPh{3|7coL6WipT|8kU#TK<DGY5s*9OaxBB$P1o(IA36X5MU`g%U@S
zOs_TYl>R=#J($NlMZg&#zu26+p3JnyNv#S}E4+&F%Tu!o-C`SL?X!+hO{ZB%s_-a-
z2_sY89g8#8l31mhPjM7esM`naB;*#m?V#q5aTM2C2&8P$^(m{#+RyFs#EIw2Kvk5$
zg78>jTMIkR945lZIgMOhcv8b0u}k3CVXRlRDj=Bijl)!+<*PD6(IrFsekrGgqR;*O
z{Zn)wKcU8@*UrPlqS{E16A$AuK1%quA^kmV6r=w9_myt6W~CP<cK(z`e`;+mEN(XY
zy@^2YUjX#Mqu)`7NZaCR>A5GL{{qkjEkExsSwFCM2=(#WXJ?Ui><T(?pVOUt?~re4
z^`+#uSj;43X=usQb_=$M^SIh$rzA1S>sIQUiyY=khZ16KQ`GvNgQ2T?ku|Ht4)E@s
z+D*QwuLeHJhHyHeEKef}-Zcy2PGZ7r<@7ZwKvjgr@#PZs;IDPPB8>4WHya=3Dwu}k
zwN!0p>*d$u?3VmiN1GPCGfR8^Bn<j-Sjmv8ty%dAl-VXVs8#7l)`4z4euXR4NZ1<3
z4u7q&w2;pBb@KV;?B=mR)(8P!QpC3DDxbhWP%xZRE`e)X%S+@5JX6EDeoC&fZ4Te8
z&>X@>$D}2Pt-Z)M0M7X8H}1T*jw`aNp2QheH`IKRZ@(ZgEQuMzA%s1F=U`L`OE%L#
z9a&Te!rmt;ES7geZQq?Q#xg!!!7Z<JKM(kY70U#Hx`KDRo5$oG+J4CO2T{2$i2V5v
z<>ajNmfgWmD+0Qlp!4(nxIWiit;G6Jrsyw#9%|r{t|y^yL-sU@Oy$%3N%va~J;Dwz
zi~cN=9E##xnvW_03(~9Qsln*KfXjFGx|*>lu^a`C8lU+cI!ZPo^~QAB61+4u<G|-?
zQ&niAIGrF4J3s`{E7D`i59wgMX;soMmTFliXj}1!^5{;{a6x7q5No`y+2fIUQpiq_
zo3ug`Dk3`TB`#hkEqo&H68#B?PZfrgB^{eHd}W@`H#zx$T_^U*i1)IaLosnhz>wEY
zzp;{7(l<bCFn7aGDe}Tc-D*P;!&CBLZvti!&&sN<M)K$Oj;p^c9dH6d2!t{{KfnaY
z80At`XAhcQcgn<I5R;sJ0NpRzuIDN-{jKmRFOd<vVlclOF{wmoj3LVO`H?6NTcJaM
zpH<udM7mxL#-<L>HJ)bzEG}>jgGJ&jN9&{sd*Dd?1|BNE`YCknc~NbT|CHf^LTV;v
z7L%z*qy>a%O!H1%tI>Dw-M8ZU3z!^U=<+b{E*s<PG?>wJ>H*b7dh~m%6Au(Fia*ow
zKhz5fh;pBt@sh1>PfGFxt@d6uPaR}w&(ZD#1Z9A-OcfU0gG5=OFBBv>MsHw=>E?}J
zxhkibqkFC{($lDv+U*9VhXNOcrAA0bScC{DC?RI#6jffhC4OA{T>5?_a1IgW_D;{m
zCXyAyc(AoD-p>l_Xp4K&_$VGqq>K}UAL#xt55lsbUJsrI-WO`cYpa;`(@N8C+tdmi
z^E30#Wxg;^TcSg%dooS(4!9vOw&~roIa!v~Nm%3-V%9YP)~f~wBp3%o3>gJ)qJ?E}
zsFjKv8?%ZY1udqB2qf4EYM%;C`f&9fAHq1PcV}26GRg6trW9-Jm?t40G<HIe8m%iG
z#aXa(0?HC9K!eH41<AH~zuYY>OrU!|2gtHluHM2^Z^<m``0}8H0XcXKqMtnULZX)f
zSo6J2c({cEBIw6Hs|xFX<$f<P^EgshtqwRz8QME%&nYipJbS%x#+qr2L2u?{(TxW^
z&wR&d@TI@?DON05B}jEhh*B%4G)qXVAVllvQ#B^>h9RsHIGZ!p-cOQQvh?}JHsUW}
z=PuCo#sG0PEfkudoyy35h2y_~C42J)>UB@}mkDJ;CyozP#GnOfLEyVt7L4hULl$=$
z(p5uCNKz}Ek+xWi#JFw7^IloS6(m@j86t$+Dw;voin0(npekoQPZe!Rv&*Kef{7mu
z*rkFKkag<KYYmTRUJriuYPXA(g?*SWB}wUC#OKd@CtDX=Mdl{8E&sKt*xG@3AMaRA
ztg7Ln(QFpB@WG8h{OrKkj?6~OAmM9;Tga1$?WXn;9MYyquHpAl`pT)PVn@1(g=XFL
z+6p0>sN|Rd5;VJmWqu`Bsj`<$BIzPkuF(()7%Mts$%40G%_mQ7q@SWKPZk!>hx1`+
z)G&Ix<K0gkYxkfz1|C7_2?|Mg3)c(Uq+E90d|R>-0%*RjM4+U7G1`LQtI|pEgr<bi
zubT8cJn8)OTep%qWA4WC<Ah^tY3=LbqfaQ;;#^cub>><OUvv}l&BOCB|7xfH<aWB|
zUo*ig<kTe(rs8(WNQ9Stu_=8VFY~4A^4Cs=I~X&+#LY>5K{8mRSBNN*8^*N}9MKBL
zw6xFnn>Tmpi$dCM;Zr)~c>_$48EF+#O;Vwy<e3?fJiFut^(I4Ic_As<52jw)p0RZ=
zT_|}pvg3ByYVBTDDa}$=TIZ53UMz`==*S8R4(HL200>ouu0sKXsuxw;S`s8YObED*
z8eCAC-qhCxMbDa>IVh;ZACC&nH4l<78(N6X6L@L~r{#bgsRb~Zt>MMrqay+xPK`dz
zd_6{{5H6Ho00_nd{&+NDDTjYuOXMzK{PkV^3frg)(u6J$D@AeuW)pz+*4T<=<ct^@
zN1OR%x#h6Ab)t~>)Ki0@#j0|%mEy{C{U=DuJ)$v|<!w48v!wb_#T^S35;@p8n5#s0
zPF(`uY}ylAnl;W8Ow1F>2cUv@nb5R{Ufopw-1}ATH2hjJl90nU4>7XZkrk}O5`~}9
z>7t<2uk!E494Q+#d>5-e8SgCBx_STR-pBS|Ku3cChrWk>20Mece*xqv^)G6?35`7&
z`TaFQb#)abO&_u94I9om1PU<KM@*<!3b3S^PH0ro6KBV58!zK!&2h<T*?Df8W>?Je
zjLg0-AYhbfK@b}a+0_tFF2XH%`JzctoX72Jm4YESbnsR+xI?K~HAfy525&yyMwYKe
z+A7bPYUCbW_2aDHbLz5RxeXx#(h5R*yVleTpy=8Zq3D?Sn(hT&h$5?lmZ!tG5Uz|u
z7i3co=+aemT!n*Whm;v8l104iiA5>K@{z0dHv=eE7mEec^1>UfP*N8?{7<sGfNrf>
z()X;ia6>OE^aZp6Az(+&RF6`tH|-awDVE4U&<r@EGo7;MzD6C-(T={N1x6chng03f
z7m8WC7l|K7S{I?PZ~ublcI~_WkHb!+R84RF+1lWsnfc-7s4)%APhDuEzt|G_3rNtK
z8~gp?lisvOM7`OtWjaEw%bivZU%jxJKtEOJSt)^KF{0G;HTSV#N`3B_Qf;t4eM^I8
zhQqAQu68%c6C@km0hQfxZpx*aJb-gjn=QBGveATV&^$WwLXL$Et(vWBuRmXRs&~fw
zPN#q>QQiZH72m=$XQ*~_;FA@X(#Mj9wiOO}@YsD7%9MX+p`EawV%Nx&W*;Z6AEWfx
zL!tXHk*5^|f>8<uc285%?dSB)R(@!$=+KUZ2w`f0_Tz1`<f=K@h=ZZ5o@Sh#?TbSl
z)QbPod4YV-LZt_KFJst<La^Ug!k9H?>%IPNJlegJEiozXqlC?~;Y(6dj()ID<Lyqt
zo4XqJ-%8J)?iF`$-$mn+|8u|n(1>@S<CtgVEgrumMMuYHY@%*%f1TY?Zh}_Z?TW9I
zwh!&XQ&wvAY(cs`)jVJuDe&BkmvayJ2-a+)foRHxZ&_AcSZHd~<1TRuR4cO8r2zTx
zPeBCurJP_NKBSNz2!RAvv++uj&SXvFd~H@zs4#eND72%)f}7-nHb**Fb&7m(YjR_h
z%T${X%bV9x_9O{}3>V?{3r$i+hz%JDPaW7&IyZ8Vy;>vO3!LD2@2KNKkDGX=l>i>K
zB$e$LZCEdAm44Twof#x8&n=@3B2p9w!CQRuPSe^XE2~T?ovBhq&Co5b8|olinynE7
z=n(s&X|_(^cBFxtAd&M__acjRO>hoVr<p{VL!dD~$<WhmOrX(w-jF7a?pLj^UxOa%
zFLis-g*GSbWS0xwa~dwY<xuJOom#uNi?EB7|3&nwS84BUAK7kH(mzOc6UjAM-TR~V
z<{5AK`B-O-pS-V>h6{JJ;XV+kAD8U1M*~hV=hYGy(g)J$;^(GT&sh!_#b`-nn)xFN
zy~@Zl^B%F(cqY=e^Q9P_DA9X*pN7$WVEfZ0BP+`awNR}uT#tPA4$q|9XWdGN5d5x-
zLK3WDtInPemKV$J{)8agfgp{7Cq~S;k#4-3gaEb;Dyt{a5~;hZufAx&ntxO$tFjRf
z7adtuvPwvp;;Fr<w@^Ou9K7|EuKiWjCb>MD{Ec&rAaG;Y4D7Oxj<4<BA2w`_X?oAg
zM(O6Mg(u1a5vrnXbjs^6uVqBZ!659(4L&;GS+9P~LbrCTz0cdU$q%*)!+r_%TFr~;
zBtnxZo+&}ue?v1`?ApVW?$ScO|0O7Quze}-W8MER<-Jgs5PN=y;{M>uKMd$|`p0F>
zy<|7gEHH3)+K!lRrNLRqIaw{b8n=u*XO4uFf3QZ2bBPYmjA?NT;p0UjUEdXGxZDt(
zY)ZbJQ#6~3>q3=RO6*^ipr2OzZjh2;?lYNHQi}F@12{EYB%BE^srjqN(8t3$C*DUA
zX#=vnv!zUvKDi#R+`tA}7{`*3L;G#9mm@-_mPhn^!*9+qb?r`lK!U^Zliaym;3Yee
z%9S~A$V&!nj|mS)YNJv(G2JwxY$fA|VpoCM(T=_QMEoWcHny6u*+cwm_ScWOrG?4S
zdfP}C$HkkM*==DW$~$*Qd`5kH@czsP<z)Xj&c3*dFy(`Fif>!qe*v*t^W8<rWCYKY
zp$_ad6I~o`0)X29KsxKI&zmgQY*&oi8lytM>rLw8B7^^WjwO?v&X`q8fggv(5I2+L
z-MFqGOA=KzEgeuCTTU9BYc@zb2h2^=tk06?Lu5^u@;<KA=B3y(m8$lHHqO76xqb@|
z+97I53whuZ=I1cu#<11XzV7_(0(tNhT+r=&#(JP9{2=iCy6kNBK*a9-K7%_my~R&K
z_)j)l-CGyE_^--K55X0WYjLA32=s*b;b2`lZV@vIiy^o}wIwO9ykM?jDK{;oI@1IZ
zEqJ5_T%c#EvE-?S>x0eYL1qXSOS0T-u_+xI+LDAX0wrW}IW(lm4?tdeE3R=svwa&g
za#8W%`7`JXy?1cz^`)`-7iG%3U7?Vp^vS7B<j5}?{fV{L-_yPV+ngfY|7>rlFwFb_
zI=aT|?;daT+3)=0R`@B%@F@tF<|Z)DG{?}wveul(a-{)3IVoBXm`kGBAV5!pcv@dw
zoo9|nvsltiGO`@1&*SN;l>eeUCMKj4l-wem%q49aj_;n?^u>Wr^Ru9#FuZ9?4YuY!
zS6x_6GqQ?nH2v#$m+~{Oqw)$w<sBsp-z|)%KbBqyMme>*o!UIRJ2vF~_kL&nUqfrp
zv(7@7^I-qz+I|e4)F-lmZ^l=wgkJwHt)Lli+9mSD=)!)j8UzQ*eZuaRNylHHI)_3o
zk<)&U2o6n}G4@KW$@$xU3^2qur{|QP*F{3yy#wXWAn$a{u9t$XwU-9`xbm0L849{<
zeU-AKi|%1le%r>RF+9XU4r~imG2?PJ-liq>u_bvtVC{yxDZfO(VGUs2Ltcd^mTrhF
zBTHv}1f?KYvySGTIxijer9CW`mtvGx($W~lD?BD`c|s3=vxTVhlCuZbPq|NUI@7Ns
zPJpon+4{c09Q{fAnanz*l_xmJ(Ff0on$w^SKV}{}4gAk!<7=;f$o!&lV0W^9db@PO
z|FZp-vDxdqp)fnhQS|7>8dY|;u{(A5zA%Tin567vWR-kl!anmG`p5!*sDPNk7dsVe
z_qeWwvSP;BlclntD5sdm9cq4wx$O#dJK~3oNvJvRwSvBDl0uuS{FH(h@==cRXB=Im
zPn&Maz9)Qr<;s=4Ak~#uft63MioJR?^Wm#OeYcijeI>J`4lfHflhYVZ8ca)VDVe4z
zNf#%`&!sEPMGC}LIm1(mvq>9^!9=owiV0popr9_9nxzNVW-JQ(1S|-zt@I)tfZbn?
zCH%%-?aP{N{EPHYJ412B&@W%h4s=X`@VlR;Pp?HoqL{HS`knqoLH~bfIC5A=K0!z7
zMh*P~hs$}?(T6W*Q5a;^d4AO3w-5Gz0Ug3i+dsDUtO7Jbi0?L&&_MiMGna586~Pir
zeL`mS!D;b$M;NJGve>V~x0PjFbR+%Hv7G>dM{TQ*sF`76jz9K|OTN2)iuSIeyEmj_
z{EcA1vGZyt2+9j^42k_6yU4O~ptte%L*Mrl_PW3pI;kvcRy+@10bWWr_AJ#h5|@)t
zsyp3Js#$_85Y77jm({P~mKuu#h|KUH3y3*$1K_3GkR>-Dj}H8q!;3e0B9;}FiNJDB
zP;xfs*UNYFTS%>a4IEibc-%eq<!%l4#Bn_S+8oqIT(cN8{_UbpGeiH5Ayp{;Vao6S
zVM-Cke5Va`q|QHqUHnmgXGeS9qEq*Y)qJp?$M1U%!@YtZzJ<S$i+EAr<qmr_O+QDD
zieDKA&{8F7E}CnS&)Jy{`Uja&>0(RL7;0iKp83)Xvti3*^K)$*4myqgsN<EY^-3?=
zoF(-4qt!3TlsgI2;UC-9Yom$8*uy)&eJtl$WIq))ZlVZSU(1|Yqx7F7-rUj}vOQ~H
zt!g{6%eVi%_o_K8g`Gd3=Z3x}QEsBg&Z|mCmLHV<8aDo{O;!Gzo!P40xqwEGK=<v)
zTRJu41#p!O@MPQXm6_(sar23T&C^5b8dH9&=R?NcdCjDRQ=A}d89W!ql*>lkz<BmY
zF1a~{Ygm>pi$H!AgJPuPu5Nq9PrAJKQe*|kse&QTGw#THt9!RwWt_X<E{EX%hZ&Rp
zx6J-!#+R2z!6pUJj;yTKnSlHm)j9Ks42Qipv=hAnEa_w|u}&I(XDjKcWz!}r{lTF}
zZ}#8X+Z&4R8E239_l1A|@zGcDThLj#N7iHiHMm`G%7Qa8Gc_!D3N5v}J9<Nk6=fjV
zjI4t3x2ZKc30S{~%=>WVDmn#^?fP+ky~3rUd}P?T5Nl)k8e85Z$fbp=Ks`*if)g$m
zRJ+G(iV;M0LG+6Y?dzwwjJ9;G?0~-DIp+MIHc(53tvdazRO<JCOwmtSPmXK!*tI-Y
zWa_g0DKi&pf@n0gAzIbGTH6*1tzW)}F0Jt4wCT@2UH)o?)qRKUZ)RhB6$5^8)_0Q6
zEzi8hq9Q0wR^Y_^N5SO5uWMQ*5Al7_SFXr5?a+<_>ThY*IFyU>8>=AHSGMHWM;AFV
zshKkU!uN+=qsH0aesSgSL!rWFcQH_q(e(UBix9?Adt@8KQaj$_p7zv}GEBgPptr03
zq1D^uDDMrPx9F3hfJKR}ALQCKPgXnHzQfpLbR?%ztS$RDUTB=z1lYh6WjdO-gET_~
z0G2z253I__zC(CW(x-jAnbtCIUPcHYeZX7NTLHQ^8g^_80Bmv;i?ph2nZi=aZwrsw
zIws{H`gP~Mqif^6#Jf+2*;Y<_iG6;RyaP*n*WaBnpKHQMyf@+xOJw`<BXy*Qf`w%(
z@w_?;*$s|IPs1IMeckzS8vRd|g52f42ln$FVN4HYEOzW`7asRj4tOQY!-6RRbK#%!
z*RJJokGt~Ty1fxGOMl+{SZC~I`8OS>2j?^VzYbg2Q(Em}vQJTkPA`BZ*q<TypYERd
z6nB1pS9E+Ta(_6ZWa9zaOAB=_87u6pgx}g-{=yluA~R6<T6t43ruKz0X<eUHkW&aS
zSRfej)xe|wX1aFn3AJv}9%m@66Owee*j*&MtC-@9LRNBiaAA-6`9$?;l($pVsDNFe
zLZbOS_2oWa#pi1hc3i{M^ER&{pH-Q#GuRiGTJ7bf>Nkh^LKpgVSJu>mv~<+d=n9<%
z$=K9LRh3)({sJJzk*i%uD?4nRd|H%^X||#5O=;d4xRE(6-;Rdm&<|wj0|JQ>A-&pI
z-QXF|VpUkAL327(RZQzSM&RRC*osEFA-qtDx|9~036F87tM<|d$;f*!Re8uJf$YMb
zd>S3(%|i!BLq2O&jT0aEM-xViIKfKV;5`l>iS#ejx<pgh%gMvj@H{iOGlLB57WB&m
z=JkoO3zV@b3}_(k;;A#W+fJVGF7YSv!#b%h_XOfWveJZpdNUc0NYCN>ka(HUrvZ2A
z9idX0uzCh6S5XmCyF>6|B}JLzMZfRAYd-Ja@XbFYf^R`-rDOh2(x`mX`Pjyd!CP^M
zrCN6rJsUM5r?@_`;<n!pde2rV&SxWJ#or6w=Ut?~kVjq><Tx>+YmfU%ehB=io|@~`
zSeSik?RVd1^w|-DZ9lqcWMCk$!>6SUCm9NwiXx=i`a(J(Gk<#j^14O(&C=>d!F}UW
z0~QJ)aDCGSm4x=kkY=skfY45R>6R%!G;{IuP}y6%6>R4f&-#7+<05h++*Cg>ZNAiY
zM@lApW^?~F)DN~XS-wSj_!HeZ>4()psh}|fz9`!m^342_S4#AX-l0&l2T**PvqAah
zBi25HJmpMZxFT!?D|;oN=qFZ3N-P?8yL|h^82$~}tCb(ALJRV9bu4z!k$zusU<m^I
zmVICle$%SwUbf&CvA=>%Yxc8g7=zn~p1B|&_XxkaZq<*<9g#2djH+n-$@#U>zl+En
z-PEQtzEs)O)l6~Y8j?sgc4CaD6ZqKrOtbxD_%m}A9L?}O4pY2l0Xr5A&9P&&6xr|V
zp1?Kg=-H^YYGEZp<DbN@Iut>!h|sjn;QcziL>f`p*pcQ*8fwO=W=hukbf8g`<MDOl
z$IuOjWozA^+~{mA0v-<KFa0xLjD_F2+Ipl)ch3s7DN;8$wD$rX5`S2=-r8JOD7Mj0
z8=GMoHb>DxpFU%I8mcJ2Y{pxUYFqQb_f@Ex6{0-6TjDqt1!aEi1&ntzCyyvMT*oc<
zyq~7y<SL+A6RqUY7zmtMJ*uK$TD5+}r;O+;jtpz7l|xF>Uiim2wS&E#(4XXgXQ)^M
zma+S^nd}1A$o9|Hba16%_=0;<?z+5Hq)^}b5-R`b*D3`pmQ0M(&``doT;R;{+q;?h
zNS#1O3G7()cZW@13OdLo>_@%=@=D@#P8Q$LV;n-lKa;Uu6zDT^GBvV#x|7etD1-&w
zHbHrG_d&sD?3@n@Wnf2W$Dlxl%tu7$qI96ha1Kh=!5fl*UdL93$gOq*_hh!febF+j
z+h&W)H;p}3-CgAZ)S46XXKzOCB?PW2wY0tsW~g0^!fe%FHZk|I`>+yIt-#A_<8pFI
ze=Zs)0<*vHeln_k8N<88$^YBxh1<gjd#$hk`G3ixTrZg8@;c?9``Pu4MdT#r0lfCA
z_{97%u=5YrhjGp#!v4fCR2K3ksr<u+7h2rh{>@cK;z6U%=M&xI7qfq8JumNh<&f}p
zpJ_l|B%yxd>bQkQLxVBTmiSl<{MPelpVN9>Swt?p9qBY`oHBQ*?&v>!^cSFs=^I-A
z_TUWe6XlLHbjzRVx4$_keza2i9U1kU7J4IzGz`uk?T`FVWuDx%2?Xd*(Ie_sUXL`?
zEYSR%h*4LSwQS<w>reZdhYSmq>POO`I~rUP-cm=8T`dx!SxWZClNB{0<UWg>$+@P*
z){Msfy4T7uIT1E2dgNPmB2}`{Rfczna-+O-h-+0&IqtOeUM?)bB+HGd<?Y1q@O4(W
z_shtw(D|gxBuK#1pjrSnYEL6zwykEio*);{JFg~NqQ!ZsnVulPUdtnPLOcY<v=yQq
zfC3%OX6q%TMA)5hsu^fj@mzeUJ6(M=U3a6Ntw++f>LupmBNh7oM?CZq?G&A9VNE0n
z^Hu=89xtDDuTPXh`3b4h3HtY86iN_So#V6I6J~kG>X!YVp+6Vz9xSS>{le^SLmp!2
zW$b<2(P)$FcwlbEX|KsN-_-}FL)7o>M@rS%S!sybsEh|?7Lo9%eZBqMaY4o&{@dWP
z0E5r8e*p?6a(7MsE24KfLm8cpC5rOB6*#|BqB^R%53};tW{rn`zdzIp!j&M-m6R3N
UOc-4XG?&x^zSIL|=losyKcD{;1ONa4

literal 0
HcmV?d00001

diff --git a/webgoat-lessons/challenge/src/main/resources/js/challenge2.js b/webgoat-lessons/challenge/src/main/resources/js/challenge2.js
new file mode 100644
index 000000000..a9e649e8c
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/resources/js/challenge2.js
@@ -0,0 +1,33 @@
+$(document).ready(function(){
+    //-- Click on detail
+    $("ul.menu-items > li").on("click",function(){
+        $("ul.menu-items > li").removeClass("active");
+        $(this).addClass("active");
+    })
+
+    $(".attr,.attr2").on("click",function(){
+        var clase = $(this).attr("class");
+
+        $("." + clase).removeClass("active");
+        $(this).addClass("active");
+    })
+
+    //-- Click on QUANTITY
+    $(".btn-minus").on("click",function(){
+        var now = $(".section > div > input").val();
+        if ($.isNumeric(now)){
+            if (parseInt(now) -1 > 0){ now--;}
+            $(".section > div > input").val(now);
+        }else{
+            $(".section > div > input").val("1");
+        }
+    })
+    $(".btn-plus").on("click",function(){
+        var now = $(".section > div > input").val();
+        if ($.isNumeric(now)){
+            $(".section > div > input").val(parseInt(now)+1);
+        }else{
+            $(".section > div > input").val("1");
+        }
+    })
+})
\ No newline at end of file