From ee5a12d2051b5a00cb235102f78f7435bea5d6be Mon Sep 17 00:00:00 2001 
From: Nanne Baars Date: Tue, 31 Jan 2017 17:52:33 +0100 Subject: [PATCH] Provide Server-side service to support UI localization #265 (#322) merging --- .../org/owasp/webgoat/MvcConfiguration.java | 17 ++- .../AssignmentEndpoint.java | 46 +++++-- .../AssignmentHints.java | 2 +- .../AssignmentPath.java | 4 +- .../webgoat/assignments/AttackResult.java | 94 +++++++++++++ .../{endpoints => assignments}/Endpoint.java | 26 ++-- ...ReloadableResourceMessageBundleSource.java | 24 ---- .../org/owasp/webgoat/i18n/LabelManager.java | 78 ----------- .../org/owasp/webgoat/i18n/LabelProvider.java | 128 ------------------ .../java/org/owasp/webgoat/i18n/Messages.java | 67 +++++++++ .../owasp/webgoat/lessons/AttackResult.java | 72 ---------- .../plugins/MessagePropertiesMerger.java | 72 ++++++++++ .../org/owasp/webgoat/plugins/Plugin.java | 8 +- .../webgoat/plugins/PluginsExtractor.java | 22 +-- .../owasp/webgoat/service/HintService.java | 1 - .../owasp/webgoat/service/LabelService.java | 36 ++--- .../webgoat/service/LessonInfoService.java | 12 +- .../service/LessonProgressService.java | 4 +- .../resources/i18n/WebGoatLabels.properties | 7 - .../i18n/WebGoatLabels_de.properties | 7 - .../i18n/WebGoatLabels_en.properties | 7 - .../i18n/WebGoatLabels_fr.properties | 7 - .../i18n/WebGoatLabels_ru.properties | 7 - .../main/resources/i18n/messages.properties | 52 +++++++ .../resources/i18n/messages_de.properties | 32 +++++ .../resources/i18n/messages_fr.properties | 32 +++++ .../resources/i18n/messages_nl.properties | 49 +++++++ .../resources/i18n/messages_ru.properties | 32 +++++ .../resources/static/js/goatApp/goatApp.js | 2 +- .../js/goatApp/view/LessonContentView.js | 4 +- .../static/js/goatApp/view/TitleView.js | 2 +- .../src/main/resources/templates/login.html | 61 +++++---- .../main/resources/templates/main_new.html | 24 ++-- .../webgoat/plugins/PluginTestHelper.java | 31 ----- .../webgoat/service/HintServiceTest.java | 5 - .../webgoat/service/LabelServiceTest.java | 18 +-- 
.../service/LessonProgressServiceTest.java | 6 +- .../owasp/webgoat/util/LabelProviderTest.java | 34 ----- .../java/org/owasp/webgoat/plugin/Attack.java | 12 +- .../org/owasp/webgoat/plugin/Salaries.java | 2 +- .../plugin/CrossSiteScriptingLesson1.java | 18 ++- .../plugin/CrossSiteScriptingLesson5a.java | 16 +-- .../plugin/CrossSiteScriptingLesson5b.java | 24 +--- .../plugin/CrossSiteScriptingLesson6a.java | 24 +--- .../plugin/CrossSiteScriptingLesson6b.java | 26 ++-- .../webgoat/plugin/DOMCrossSiteScripting.java | 11 +- .../plugin/i18n/WebGoatLabels.properties | 2 + .../plugin/HttpBasicsInterceptRequest.java | 59 -------- .../webgoat/plugin/HttpBasicsLesson.java | 51 +++---- .../owasp/webgoat/plugin/HttpBasicsQuiz.java | 23 ++-- .../plugin/i18n/WebGoatLabels.properties | 5 +- .../plugin/HttpBasicsInterceptRequest.java | 15 +- .../plugin/i18n/WebGoatLabels.properties | 15 +- .../webgoat/plugin/IDORDiffAttributes.java | 13 +- .../webgoat/plugin/IDOREditOtherProfiile.java | 42 +++--- .../org/owasp/webgoat/plugin/IDORLogin.java | 20 ++- .../webgoat/plugin/IDORViewOtherProfile.java | 19 +-- .../webgoat/plugin/IDORViewOwnProfile.java | 5 +- .../plugin/IDORViewOwnProfileAltUrl.java | 15 +- .../webgoat/plugin/ViewOtherUserProfile.java | 13 +- .../plugin/i18n/WebGoatLabels.properties | 26 ++++ .../webgoat/plugin/SqlInjectionLesson5a.java | 31 ++--- .../webgoat/plugin/SqlInjectionLesson5b.java | 30 ++-- .../webgoat/plugin/SqlInjectionLesson6a.java | 30 ++-- .../webgoat/plugin/SqlInjectionLesson6b.java | 26 ++-- .../plugin/i18n/WebGoatLabels.properties | 10 ++ .../plugin/BlindSendFileAssignment.java | 11 +- .../webgoat/plugin/ContentTypeAssignment.java | 17 +-- .../java/org/owasp/webgoat/plugin/Ping.java | 2 +- .../org/owasp/webgoat/plugin/SimpleXXE.java | 19 ++- .../plugin/i18n/WebGoatLabels.properties | 37 +++++ 71 files changed, 875 insertions(+), 926 deletions(-) rename webgoat-container/src/main/java/org/owasp/webgoat/{endpoints => assignments}/AssignmentEndpoint.java 
(70%) rename webgoat-container/src/main/java/org/owasp/webgoat/{endpoints => assignments}/AssignmentHints.java (89%) rename webgoat-container/src/main/java/org/owasp/webgoat/{endpoints => assignments}/AssignmentPath.java (78%) create mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java rename webgoat-container/src/main/java/org/owasp/webgoat/{endpoints => assignments}/Endpoint.java (89%) delete mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/i18n/ExposedReloadableResourceMessageBundleSource.java delete mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelManager.java delete mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelProvider.java create mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/i18n/Messages.java delete mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/lessons/AttackResult.java create mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/plugins/MessagePropertiesMerger.java delete mode 100644 webgoat-container/src/main/resources/i18n/WebGoatLabels.properties delete mode 100644 webgoat-container/src/main/resources/i18n/WebGoatLabels_de.properties delete mode 100644 webgoat-container/src/main/resources/i18n/WebGoatLabels_en.properties delete mode 100644 webgoat-container/src/main/resources/i18n/WebGoatLabels_fr.properties delete mode 100644 webgoat-container/src/main/resources/i18n/WebGoatLabels_ru.properties create mode 100644 webgoat-container/src/main/resources/i18n/messages.properties create mode 100644 webgoat-container/src/main/resources/i18n/messages_de.properties create mode 100644 webgoat-container/src/main/resources/i18n/messages_fr.properties create mode 100644 webgoat-container/src/main/resources/i18n/messages_nl.properties create mode 100644 webgoat-container/src/main/resources/i18n/messages_ru.properties delete mode 100644 webgoat-container/src/test/java/org/owasp/webgoat/plugins/PluginTestHelper.java delete mode 
100644 webgoat-container/src/test/java/org/owasp/webgoat/util/LabelProviderTest.java delete mode 100644 webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java create mode 100644 webgoat-lessons/xxe/src/main/resources/plugin/i18n/WebGoatLabels.properties diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java b/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java index 4028d2ca4..96940764a 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java @@ -31,6 +31,7 @@ package org.owasp.webgoat; import com.google.common.collect.Sets; +import org.owasp.webgoat.i18n.Messages; import org.owasp.webgoat.session.Course; import org.owasp.webgoat.session.LabelDebugger; import org.springframework.beans.factory.annotation.Autowired; @@ -38,13 +39,14 @@ import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.web.servlet.LocaleResolver; import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry; import org.springframework.web.servlet.config.annotation.ViewControllerRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter; +import org.springframework.web.servlet.i18n.SessionLocaleResolver; import org.thymeleaf.extras.springsecurity4.dialect.SpringSecurityDialect; import org.thymeleaf.spring4.SpringTemplateEngine; import org.thymeleaf.spring4.templateresolver.SpringResourceTemplateResolver; -import org.thymeleaf.templatemode.StandardTemplateModeHandlers; import org.thymeleaf.templateresolver.TemplateResolver; import java.io.File; 
@@ -114,6 +116,19 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter { registry.addResourceHandler("/plugin_lessons/**").addResourceLocations("file:///" + pluginTargetDirectory.toString() + "/"); } + @Bean + public Messages messageSource() { + Messages messages = new Messages(localeResolver()); + messages.setBasename("classpath:/i18n/messages"); + return messages; + } + + @Bean + public LocaleResolver localeResolver() { + SessionLocaleResolver slr = new SessionLocaleResolver(); + return slr; + } + @Bean public HammerHead hammerHead(Course course) { return new HammerHead(course); diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/endpoints/AssignmentEndpoint.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java similarity index 70% rename from webgoat-container/src/main/java/org/owasp/webgoat/endpoints/AssignmentEndpoint.java rename to webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java index 0d8f42b1c..260fc3c6f 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/endpoints/AssignmentEndpoint.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java @@ -1,9 +1,8 @@ -/** - * ************************************************************************************************ +/* * This file is part of WebGoat, an Open Web Application Security Project utility. For details, * please see http://www.owasp.org/ *
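Review bot: The new `messageSource()` bean does not carry over two settings the deleted `LabelProvider` applied to its bundle source (see that file's hunk further down): `setFallbackToSystemLocale(false)` and `setUseCodeAsDefaultMessage(true)`. Without them a lesson that passes a key missing from `messages*.properties` into `AttackResult.build()` gets, as far as I can tell from Spring's `AbstractMessageSource` contract, a `NoSuchMessageException` instead of the key, and a locale with no bundle falls back to the JVM's locale rather than the base file. I would add `messages.setFallbackToSystemLocale(false);` and `messages.setUseCodeAsDefaultMessage(true);` after `setBasename`, or document that a missing key is now a hard error. `localeResolver()` can also simply `return new SessionLocaleResolver();` instead of going through the `slr` local.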

- * Copyright (c) 2002 - 20014 Bruce Mayhew + * Copyright (c) 2002 - 2017 Bruce Mayhew *

* This program is free software; you can redistribute it and/or modify it under the terms of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the @@ -23,19 +22,15 @@ * projects. *

*/ -package org.owasp.webgoat.endpoints; +package org.owasp.webgoat.assignments; import lombok.Getter; -import org.owasp.webgoat.i18n.LabelManager; -import org.owasp.webgoat.i18n.LabelProvider; -import org.owasp.webgoat.lessons.AttackResult; +import org.owasp.webgoat.i18n.Messages; import org.owasp.webgoat.session.UserSessionData; import org.owasp.webgoat.session.UserTracker; import org.owasp.webgoat.session.WebSession; import org.springframework.beans.factory.annotation.Autowired; -import javax.ws.rs.Path; - /** * Each lesson can define an endpoint which can support the lesson. So for example if you create a lesson which uses JavaScript and * needs to call out to the server to fetch data you can define an endpoint in that lesson. WebGoat will pick up this endpoint and @@ -53,11 +48,10 @@ public abstract class AssignmentEndpoint extends Endpoint { private WebSession webSession; @Autowired private UserSessionData userSessionData; - @Autowired @Getter - private LabelManager labelProvider; + @Autowired + private Messages messages; - //// TODO: 11/13/2016 events better fit? protected AttackResult trackProgress(AttackResult attackResult) { if (attackResult.assignmentSolved()) { 
@@ -80,4 +74,32 @@ public abstract class AssignmentEndpoint extends Endpoint { public final String getPath() { return this.getClass().getAnnotationsByType(AssignmentPath.class)[0].value(); } + + /** + * Convenience method for create a successful result: + * + * - Assignment is set to solved + * - Feedback message is set to 'assignment.solved' + * + * Of course you can overwrite these values in a specific lesson + * + * @return a builder for creating a result from a lesson + */ + protected AttackResult.AttackResultBuilder success() { + return AttackResult.builder(messages).lessonCompleted(true).feedback("assignment.solved"); + } + + /** + * Convenience method for create a failed result: + * + * - Assignment is set to not solved + * - Feedback message is set to 'assignment.not.solved' + * + * Of course you can overwrite these values in a specific lesson + * + * @return a builder for creating a result from a lesson + */ + protected AttackResult.AttackResultBuilder failed() { + return AttackResult.builder(messages).lessonCompleted(false).feedback("assignment.not.solved"); + } } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/endpoints/AssignmentHints.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentHints.java similarity index 89% rename from webgoat-container/src/main/java/org/owasp/webgoat/endpoints/AssignmentHints.java rename to webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentHints.java index 5b9829587..6d29dbe6f 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/endpoints/AssignmentHints.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentHints.java @@ -1,4 +1,4 @@ -package org.owasp.webgoat.endpoints; +package org.owasp.webgoat.assignments; import java.lang.annotation.ElementType; import java.lang.annotation.Retention; 
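Review bot: The Javadoc on `success()` and `failed()` reads "Convenience method for create a ... result"; `for creating` is meant, and the two dash items would be clearer as an HTML list since Javadoc collapses the line breaks. Since `messages` is now a private field with no getter, these two builders are the only route a lesson has to the message source; a sentence on the class Javadoc saying `Lessons obtain results only through success() and failed(); the message source is not exposed directly.` would save subclass authors from looking for the removed `getLabelProvider()`. The class declaration of `AssignmentEndpoint` is outside this hunk.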
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/endpoints/AssignmentPath.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentPath.java similarity index 78% rename from webgoat-container/src/main/java/org/owasp/webgoat/endpoints/AssignmentPath.java rename to webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentPath.java index 9212c47d5..9147a1820 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/endpoints/AssignmentPath.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentPath.java @@ -1,6 +1,4 @@ -package org.owasp.webgoat.endpoints; - -import org.springframework.core.annotation.AliasFor; +package org.owasp.webgoat.assignments; import java.lang.annotation.ElementType; import java.lang.annotation.Retention; diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java new file mode 100644 index 000000000..207575c8c --- /dev/null +++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java @@ -0,0 +1,94 @@ +/* + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + *

+ * Copyright (c) 2002 - 2017 Bruce Mayhew + *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + *

+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + *

+ * Getting Source ============== + *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. + *

+ */ + +package org.owasp.webgoat.assignments; + +import lombok.AllArgsConstructor; +import lombok.Getter; +import org.owasp.webgoat.i18n.Messages; + +@AllArgsConstructor +public class AttackResult { + + public static class AttackResultBuilder { + + private boolean lessonCompleted; + private Messages messages; + private Object[] feedbackArgs; + private String feedbackResourceBundleKey; + private String output; + private Object[] outputArgs; + + public AttackResultBuilder(Messages messages) { + this.messages = messages; + } + + public AttackResultBuilder lessonCompleted(boolean lessonCompleted) { + this.lessonCompleted = lessonCompleted; + this.feedbackResourceBundleKey = "lesson.completed"; + return this; + } + + public AttackResultBuilder feedbackArgs(Object... args) { + this.feedbackArgs = args; + return this; + } + + public AttackResultBuilder feedback(String resourceBundleKey) { + this.feedbackResourceBundleKey = resourceBundleKey; + return this; + } + + public AttackResultBuilder output(String output) { + this.output = output; + return this; + } + + public AttackResultBuilder outputArgs(Object... args) { + this.outputArgs = args; + return this; + } + + public AttackResult build() { + return new AttackResult(lessonCompleted, messages.getMessage(feedbackResourceBundleKey, feedbackArgs), messages.getMessage(output, output, outputArgs)); + } + } + + @Getter + private boolean lessonCompleted; + @Getter + private String feedback; + @Getter + private String output; + + + public static AttackResultBuilder builder(Messages messages) { + return new AttackResultBuilder(messages); + } + + public boolean assignmentSolved() { + return lessonCompleted; + } +} 
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/endpoints/Endpoint.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/Endpoint.java similarity index 89% rename from webgoat-container/src/main/java/org/owasp/webgoat/endpoints/Endpoint.java rename to webgoat-container/src/main/java/org/owasp/webgoat/assignments/Endpoint.java index 20e824c14..46f8e47a9 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/endpoints/Endpoint.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/Endpoint.java @@ -1,17 +1,8 @@ -package org.owasp.webgoat.endpoints; - -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.beans.factory.annotation.Qualifier; -import org.springframework.boot.actuate.endpoint.mvc.MvcEndpoint; - -import java.io.File; - -/** - * ************************************************************************************************ +/* * This file is part of WebGoat, an Open Web Application Security Project utility. For details, * please see http://www.owasp.org/ *

- * Copyright (c) 2002 - 20014 Bruce Mayhew + * Copyright (c) 2002 - 2017 Bruce Mayhew *

* This program is free software; you can redistribute it and/or modify it under the terms of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the @@ -30,11 +21,16 @@ import java.io.File; * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software * projects. *

- * - * @author nbaars - * @version $Id: $Id - * @since November 13, 2016 */ + +package org.owasp.webgoat.assignments; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Qualifier; +import org.springframework.boot.actuate.endpoint.mvc.MvcEndpoint; + +import java.io.File; + public abstract class Endpoint implements MvcEndpoint { @Autowired diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/i18n/ExposedReloadableResourceMessageBundleSource.java b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/ExposedReloadableResourceMessageBundleSource.java deleted file mode 100644 index bfa3d1ff8..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/i18n/ExposedReloadableResourceMessageBundleSource.java +++ /dev/null @@ -1,24 +0,0 @@ -package org.owasp.webgoat.i18n; - -import org.springframework.context.support.ReloadableResourceBundleMessageSource; - -import java.util.Locale; -import java.util.Properties; - -/** - *

ExposedReloadableResourceMessageBundleSource class.

- * Extends the reloadable message source with a way to get all messages - * - * @author zupzup - */ - -public class ExposedReloadableResourceMessageBundleSource extends ReloadableResourceBundleMessageSource { - /** - * Gets all messages for presented Locale. - * @param locale user request's locale - * @return all messages - */ - public Properties getMessages(Locale locale) { - return getMergedProperties(locale).getProperties(); - } -} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelManager.java b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelManager.java deleted file mode 100644 index 5421e057a..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelManager.java +++ /dev/null 
@@ -1,78 +0,0 @@ - -package org.owasp.webgoat.i18n; - -import org.owasp.webgoat.session.LabelDebugger; -import org.springframework.stereotype.Component; - -import java.io.Serializable; -import java.util.Locale; - - -/** - ************************************************************************************************* - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for - * free software projects. - * - * @version $Id: $Id - * @author dm - */ -@Component -public class LabelManager -{ - private static final long serialVersionUID = 1L; - - private LabelProvider labelProvider; - private LabelDebugger labelDebugger; - private Locale locale = new Locale(LabelProvider.DEFAULT_LANGUAGE); - - /** - *

Constructor for LabelManagerImpl.

- * - * @param labelProvider a {@link LabelProvider} object. - */ - protected LabelManager(LabelProvider labelProvider, LabelDebugger labelDebugger) { - this.labelDebugger = labelDebugger; - this.labelProvider = labelProvider; - } - - /** {@inheritDoc} */ - public void setLocale(Locale locale) - { - if (locale != null) - { - this.locale = locale; - } - } - - /** {@inheritDoc} */ - public String get(String labelKey, Object... params) - { - String label = labelProvider.get(locale, labelKey, params); - if (labelDebugger.isEnabled()) { - label = "" + label + ""; - } - return label; - } - -} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelProvider.java b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelProvider.java deleted file mode 100644 index cdb50ee35..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelProvider.java +++ /dev/null 
@@ -1,128 +0,0 @@ - -package org.owasp.webgoat.i18n; - -import org.springframework.context.support.ReloadableResourceBundleMessageSource; -import org.springframework.core.io.Resource; -import org.springframework.core.io.ResourceLoader; -import org.springframework.core.io.UrlResource; -import org.springframework.stereotype.Component; - -import java.net.MalformedURLException; -import java.nio.file.Path; -import java.util.*; - - -/** - * ************************************************************************************************* - * - * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. - * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository - * for free software projects. 
- * - * @version $Id: $Id - * @author dm - */ -@Component -public class LabelProvider { - /** Constant DEFAULT_LANGUAGE="Locale.ENGLISH.getLanguage()" */ - public final static String DEFAULT_LANGUAGE = Locale.ENGLISH.getLanguage(); - - private static final List SUPPORTED = Arrays.asList(Locale.GERMAN, Locale.FRENCH, Locale.ENGLISH, - Locale.forLanguageTag("ru")); - private final ExposedReloadableResourceMessageBundleSource labels = new ExposedReloadableResourceMessageBundleSource(); - private static final ExposedReloadableResourceMessageBundleSource pluginLabels = new ExposedReloadableResourceMessageBundleSource(); - - /** - *

Constructor for LabelProvider.

- */ - public LabelProvider() { - labels.setBasename("classpath:/i18n/WebGoatLabels"); - labels.setFallbackToSystemLocale(false); - labels.setUseCodeAsDefaultMessage(true); - pluginLabels.setParentMessageSource(labels); - } - - /** - *

updatePluginResources.

- * - * @param propertyFile a {@link java.nio.file.Path} object. - */ - public static void updatePluginResources(final Path propertyFile) { - pluginLabels.setBasename("WebGoatLabels"); - pluginLabels.setFallbackToSystemLocale(false); - pluginLabels.setUseCodeAsDefaultMessage(true); - pluginLabels.setResourceLoader(new ResourceLoader() { - @Override - public Resource getResource(String location) { - try { - return new UrlResource(propertyFile.toUri()); - } catch (MalformedURLException e) { - throw new RuntimeException(e); - } - } - - @Override - public ClassLoader getClassLoader() { - return Thread.currentThread().getContextClassLoader(); - } - }); - pluginLabels.clearCache(); - } - - /** - *

get.

- * - * @param locale a {@link java.util.Locale} object. - * @param strName a {@link java.lang.String} object. - * @return a {@link java.lang.String} object. - */ - public String get(Locale locale, String strName, Object... params) { - return pluginLabels.getMessage(strName, params, useLocaleOrFallbackToEnglish(locale)); - } - - private Locale useLocaleOrFallbackToEnglish(Locale locale) { - return SUPPORTED.contains(locale) ? locale : Locale.ENGLISH; - } - - /** - *

getLabels.

- * Returns a merged map of all the labels for a specified language or the - * default language, if the given language is not supported - * - * @param locale The Locale to get all the labels for - * @return A Map of all properties with their values - */ - public Map getLabels(Locale locale) { - Properties messages = labels.getMessages(locale); - messages.putAll(pluginLabels.getMessages(useLocaleOrFallbackToEnglish(locale))); - Map labelsMap = new HashMap<>(); - for (Map.Entry entry : messages.entrySet()) { - if (entry.getKey() != null && entry.getValue() != null) { - labelsMap.put(entry.getKey().toString(), entry.getValue().toString()); - } - } - return labelsMap; - } - -} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/i18n/Messages.java b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/Messages.java new file mode 100644 index 000000000..e0e61583c --- /dev/null +++ b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/Messages.java @@ -0,0 +1,67 @@ +/* + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + *

+ * Copyright (c) 2002 - 2017 Bruce Mayhew + *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + *

+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + *

+ * Getting Source ============== + *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. + *

+ */ +package org.owasp.webgoat.i18n; + +import lombok.AllArgsConstructor; +import org.springframework.context.support.ReloadableResourceBundleMessageSource; +import org.springframework.web.context.request.RequestContextHolder; +import org.springframework.web.context.request.ServletRequestAttributes; +import org.springframework.web.servlet.LocaleResolver; + +import java.util.Locale; +import java.util.Properties; + +/** + *

ExposedReloadableResourceMessageBundleSource class.

+ * Extends the reloadable message source with a way to get all messages + * + * @author zupzup + */ +@AllArgsConstructor +public class Messages extends ReloadableResourceBundleMessageSource { + + private final LocaleResolver localeResolver; + + /** + * Gets all messages for presented Locale. + * @return all messages + */ + public Properties getMessages() { + return getMergedProperties(resolveLocale()).getProperties(); + } + + public String getMessage(String code, Object... args) { + return getMessage(code, args, resolveLocale()); + } + + public String getMessage(String code, String defaultValue, Object... args) { + return super.getMessage(code, args, defaultValue, resolveLocale()); + } + + private Locale resolveLocale() { + return localeResolver.resolveLocale(((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest()); + } + +} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AttackResult.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AttackResult.java deleted file mode 100644 index ca4219849..000000000 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AttackResult.java +++ /dev/null @@ -1,72 +0,0 @@ -package org.owasp.webgoat.lessons; - -import lombok.Getter; - -/** - * ************************************************************************************************ - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - *

- * Copyright (c) 2002 - 20014 Bruce Mayhew - *

- * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - *

- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - *

- * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - *

- * Getting Source ============== - *

- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. - *

- * - * @author WebGoat - * @version $Id: $Id - * @since August 13, 2016 - */ -@Getter -public class AttackResult { - - private boolean assignmentCompleted; - private String feedback; - private String output; - - public static AttackResult success() { - return AttackResult.success("Congratulations"); - } - - public static AttackResult success(String feedback) { - return success(feedback, ""); - } - - public static AttackResult success(String feedback, String output) { - AttackResult attackResult = new AttackResult(); - attackResult.assignmentCompleted = true; - attackResult.feedback = feedback; - attackResult.output = output; - return attackResult; - } - - public static AttackResult failed(String feedback) { - return failed(feedback, ""); - } - - public static AttackResult failed(String feedback, String output) { - AttackResult attackResult = new AttackResult(); - attackResult.assignmentCompleted = false; - attackResult.feedback = feedback; - attackResult.output = output; - return attackResult; - } - - public boolean assignmentSolved() { - return assignmentCompleted; - } -} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/MessagePropertiesMerger.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/MessagePropertiesMerger.java new file mode 100644 index 000000000..7983614a8 --- /dev/null +++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/MessagePropertiesMerger.java @@ -0,0 +1,72 @@ +/* + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + *

+ * Copyright (c) 2002 - 2017 Bruce Mayhew + *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + *

+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + *

+ * Getting Source ============== + *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. + *

+ */
+package org.owasp.webgoat.plugins;
+
+import com.google.common.primitives.Bytes;
+import lombok.SneakyThrows;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Properties;
+import java.util.stream.Stream;
+
+/**
+ * Merges the main message.properties with the plugins WebGoatLabels
+ */
+public class MessagePropertiesMerger {
+
+ private final File targetDirectory;
+
+ public MessagePropertiesMerger(File targetDirectory) {
+ this.targetDirectory = targetDirectory;
+ }
+
+ @SneakyThrows
+ public void mergeAllLanguage() {
+ try(Stream paths = Files.walk(new File(targetDirectory, "plugin/i18n/").toPath())) {
+ paths.filter(Files::isRegularFile).forEach(filePath -> merge(filePath));
+ }
+ }
+
+ @SneakyThrows
+ public void merge(Path propertyFile) {
+ Properties messageProperties = new Properties();
+ String messagePropertyFileName = propertyFile.getFileName().toString().replace("WebGoatLabels", "messages");
+ messageProperties.load(Thread.currentThread().getContextClassLoader().getResourceAsStream("i18n/" + messagePropertyFileName));
+ preparePropertyFile(propertyFile);
+ messageProperties.load(new FileInputStream(propertyFile.toFile()));
+ messageProperties.store(new FileOutputStream(new File(Thread.currentThread().getContextClassLoader().getResource("i18n/" + messagePropertyFileName).toURI())), "WebGoat message properties");
+ }
+
+ @SneakyThrows
+ private void preparePropertyFile(Path propertyFile) {
+ byte[] lines = Files.readAllBytes(propertyFile);
+ lines = Bytes.concat(lines, System.lineSeparator().getBytes());
+ Files.write(propertyFile, lines);
+ }
+}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java
index 797994051..319921aa1 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java 
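Review bot: `merge` never closes the three streams it opens — the `getResourceAsStream` stream, the `FileInputStream` on the plugin file and the `FileOutputStream` it stores into — and because the method is `@SneakyThrows`, a failure in `store` leaves the earlier handles open; each belongs in a try-with-resources. The write target is built from `getResource(...).toURI()` wrapped in a `File`, which only works while `i18n/messages*.properties` is an exploded `file:` resource (from a jar the URI is not hierarchical and `new File(URI)` throws), and a plugin label file with no matching container bundle makes `getResourceAsStream` return null, so `load` fails with an NPE; `mergeAllLanguage` also hands over every regular file under `plugin/i18n/`, not only `WebGoatLabels*.properties`. Since the plugin file is loaded after the container bundle, any key a plugin ships silently overrides the container's text for that key; if that precedence is intended it deserves a sentence in the class Javadoc. The rewrite below adds the resource check and closes the streams; it needs `java.net.URL`, `java.io.InputStream` and `java.io.OutputStream` imported.
```java
@SneakyThrows
public void merge(Path propertyFile) {
    Properties messageProperties = new Properties();
    String messagePropertyFileName = propertyFile.getFileName().toString().replace("WebGoatLabels", "messages");
    ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
    URL target = classLoader.getResource("i18n/" + messagePropertyFileName);
    // Only an exploded file: resource can be rewritten; anything else is a deployment error, not a merge.
    if (target == null || !"file".equals(target.getProtocol())) {
        throw new IllegalStateException("No writable container bundle for " + messagePropertyFileName);
    }
    try (InputStream containerBundle = target.openStream()) {
        messageProperties.load(containerBundle);
    }
    preparePropertyFile(propertyFile);
    // Plugin keys are loaded second and therefore take precedence over container keys.
    try (InputStream pluginLabels = Files.newInputStream(propertyFile)) {
        messageProperties.load(pluginLabels);
    }
    try (OutputStream merged = new FileOutputStream(new File(target.toURI()))) {
        messageProperties.store(merged, "WebGoat message properties");
    }
}
// … unchanged: mergeAllLanguage, preparePropertyFile …
```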
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java @@ -3,10 +3,10 @@ package org.owasp.webgoat.plugins; import com.google.common.base.Optional; import com.google.common.collect.Lists; import lombok.Getter; -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentHints; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.endpoints.Endpoint; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentHints; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.Endpoint; import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.Assignment; import org.owasp.webgoat.lessons.NewLesson; diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsExtractor.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsExtractor.java index 933294333..177ffd483 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsExtractor.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsExtractor.java 
@@ -3,28 +3,15 @@ package org.owasp.webgoat.plugins; import com.google.common.collect.Lists; import lombok.extern.slf4j.Slf4j; import org.apache.commons.io.FileUtils; -import org.owasp.webgoat.i18n.LabelProvider; import org.springframework.util.ResourceUtils; -import java.io.File; -import java.io.FileOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.OutputStream; +import java.io.*; import java.net.URL; -import java.nio.file.FileVisitResult; -import java.nio.file.Files; -import java.nio.file.Path; -import java.nio.file.Paths; -import java.nio.file.SimpleFileVisitor; +import java.nio.file.*; import java.nio.file.attribute.BasicFileAttributes; import java.util.Enumeration; import java.util.List; -import java.util.concurrent.Callable; -import java.util.concurrent.CompletionService; -import java.util.concurrent.ExecutorCompletionService; -import java.util.concurrent.ExecutorService; -import java.util.concurrent.Executors; +import java.util.concurrent.*; import java.util.zip.ZipEntry; import java.util.zip.ZipFile; @@ -150,8 +137,7 @@ public class PluginsExtractor { plugin.getOriginationJar()); } } - LabelProvider.updatePluginResources( - pluginTargetDirectory.toPath().resolve("plugin/i18n/WebGoatLabels.properties")); + new MessagePropertiesMerger(pluginTargetDirectory).mergeAllLanguage(); return plugins; } finally { executorService.shutdown(); diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java index e2479c551..f6d290aed 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java 
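Review bot: The import hunk replaces the explicit imports with `java.io.*`, `java.nio.file.*` and `java.util.concurrent.*`, while the rest of this commit (LabelService, MessagePropertiesMerger) keeps single-type imports; wildcard imports hide which types a file actually uses and are flagged by the usual Checkstyle/Error Prone configurations, so keeping the explicit list is preferable. In the second hunk `new MessagePropertiesMerger(pluginTargetDirectory).mergeAllLanguage()` sits in a method whose start lies outside the hunk; because `mergeAllLanguage` is `@SneakyThrows`, an I/O problem in a single plugin's label file now surfaces as an unchecked exception and, as far as the visible lines show, aborts the whole extraction rather than that one plugin. A comment stating that this is the intended failure mode, or a per-file catch-and-log inside the merger, would make the behaviour explicit.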
@@ -6,7 +6,6 @@ package org.owasp.webgoat.service; import com.google.common.collect.Lists; -import org.owasp.webgoat.i18n.LabelManager; import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.Assignment; import org.owasp.webgoat.lessons.Hint; diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LabelService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/LabelService.java index 72d779036..81ecf0b97 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LabelService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LabelService.java @@ -30,7 +30,7 @@ package org.owasp.webgoat.service; import lombok.AllArgsConstructor; import lombok.extern.slf4j.Slf4j; -import org.owasp.webgoat.i18n.LabelProvider; +import org.owasp.webgoat.i18n.Messages; import org.springframework.http.HttpStatus; import org.springframework.http.MediaType; import org.springframework.http.ResponseEntity; @@ -39,10 +39,12 @@ import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.RestController; +import org.springframework.web.servlet.LocaleResolver; +import org.springframework.web.servlet.i18n.SessionLocaleResolver; import javax.servlet.http.HttpServletRequest; import java.util.Locale; -import java.util.Map; +import java.util.Properties; /** 
@@ -50,19 +52,23 @@ import java.util.Map; * * @author zupzup */ - @RestController @Slf4j @AllArgsConstructor public class LabelService { public static final String URL_LABELS_MVC = "/service/labels.mvc"; - private final LabelProvider labelProvider; + private LocaleResolver localeResolver; + private Messages messages; /** - * Fetches labels for given language - * If no language is provided, the language is determined from the request headers - * Otherwise, fall back to default language + * We use Springs session locale resolver which also gives us the option to change the local later on. For + * now it uses the accept-language from the HttpRequest. If this language is not found it will default back + * to messages.properties. + * + * Note although it is possible to use Spring language interceptor we for now opt for this solution, the UI + * will always need to fetch the labels with the new language set by the user. So we don't need to intercept each + * and every request to see if the language param has been set in the request. * * @param lang the language to fetch labels for (optional) * @return a map of labels 
@@ -70,18 +76,12 @@ public class LabelService {
 */
 @GetMapping(path = URL_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE)
 @ResponseBody
- public ResponseEntity> fetchLabels(@RequestParam(value = "lang", required = false) String lang, HttpServletRequest request) {
- Locale locale;
- if (StringUtils.isEmpty(lang)) {
- log.debug("No language provided, determining from request headers");
- locale = request.getLocale();
- if (locale != null) {
- log.debug("Locale set to {}", locale);
- }
- } else {
- locale = Locale.forLanguageTag(lang);
+ public ResponseEntity fetchLabels(@RequestParam(value = "lang", required = false) String lang, HttpServletRequest request) {
+ if (!StringUtils.isEmpty(lang)) {
+ Locale locale = Locale.forLanguageTag(lang);
+ ((SessionLocaleResolver)localeResolver).setDefaultLocale(locale);
 log.debug("Language provided: {} leads to Locale: {}", lang, locale);
 }
- return new ResponseEntity<>(labelProvider.getLabels(locale), HttpStatus.OK);
+ return new ResponseEntity<>(messages.getMessages(), HttpStatus.OK);
 }
 }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonInfoService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonInfoService.java
index eb1e00ca8..927868f3e 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonInfoService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonInfoService.java
@@ -1,10 +1,9 @@ package org.owasp.webgoat.service; -import org.owasp.webgoat.i18n.LabelManager; +import lombok.AllArgsConstructor; import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.LessonInfoModel; import org.owasp.webgoat.session.WebSession; -import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.RestController; 
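Review bot: `((SessionLocaleResolver)localeResolver).setDefaultLocale(locale)` changes the default locale of the resolver bean, which is a shared singleton, so one user's `?lang=nl` switches the labels for every other session that has not set a locale of its own — not the caller's session, as the Javadoc in the previous hunk describes. Store it in the requesting session through the interface instead, which also removes the cast that throws `ClassCastException` if a different `LocaleResolver` is ever configured: add `HttpServletResponse response` (from `javax.servlet.http`) to the signature and replace the cast line with `localeResolver.setLocale(request, response, locale);`. `Locale.forLanguageTag` yields the empty root locale for an unparsable tag rather than failing, so the debug line then logs an empty locale; `request` is otherwise unused now. Which locale `messages.getMessages()` resolves against is outside this diff and presumably the current `LocaleContextHolder` — worth confirming before relying on the session fix.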
@@ -17,15 +16,10 @@ import org.springframework.web.bind.annotation.RestController; * @version $Id: $Id */ @RestController +@AllArgsConstructor public class LessonInfoService { private final WebSession webSession; - private final LabelManager labelManager; - - public LessonInfoService(WebSession webSession, LabelManager labelManager) { - this.webSession = webSession; - this.labelManager = labelManager; - } /** *

getLessonInfo.

@@ -36,7 +30,7 @@ public class LessonInfoService { public @ResponseBody LessonInfoModel getLessonInfo() { AbstractLesson lesson = webSession.getCurrentLesson(); - return new LessonInfoModel(labelManager.get(lesson.getTitle()), false, false, false); + return new LessonInfoModel(lesson.getTitle(), false, false, false); } } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java index fff1452ba..2a6387ac2 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java @@ -4,7 +4,6 @@ import com.google.common.collect.Lists; import com.google.common.collect.Maps; import lombok.AllArgsConstructor; import lombok.Getter; -import org.owasp.webgoat.i18n.LabelManager; import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.Assignment; import org.owasp.webgoat.lessons.LessonInfoModel; @@ -29,7 +28,6 @@ import java.util.Map; @AllArgsConstructor public class LessonProgressService { - private LabelManager labelManager; private UserTracker userTracker; private WebSession webSession; @@ -47,7 +45,7 @@ public class LessonProgressService { boolean lessonCompleted = false; if (lessonTracker != null) { lessonCompleted = lessonTracker.isLessonSolved(); - successMessage = labelManager.get("LessonCompleted"); + successMessage = "LessonCompleted"; //@todo we still use this?? } json.put("lessonCompleted", lessonCompleted); json.put("successMessage", successMessage); diff --git a/webgoat-container/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-container/src/main/resources/i18n/WebGoatLabels.properties deleted file mode 100644 index 1f622dd2f..000000000 --- a/webgoat-container/src/main/resources/i18n/WebGoatLabels.properties +++ /dev/null 
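Review bot: `successMessage = "LessonCompleted"` sends a message key that the new default bundle in this commit does not define — `messages.properties` carries `lesson.completed`, while `LessonCompleted` exists only in the `_de`, `_fr`, `_nl` and `_ru` files — so an English client resolving it with `polyglot.t` displays the literal key. Use the key the default bundle actually has, `successMessage = "lesson.completed";`, and retire the `//@todo we still use this??` once the JSON consumer of `successMessage` is confirmed. The enclosing method starts outside the hunk; the four translated bundles should be renamed to `lesson.completed` as well so every locale agrees on the key.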
@@ -1,7 +0,0 @@ -#General -LessonCompleted=Congratulations. You have successfully completed this lesson. -RestartLesson=Restart this Lesson -SolutionVideos=Solution Videos -ErrorGenerating=Error generating -InvalidData=Invalid Data -Go!=Go! diff --git a/webgoat-container/src/main/resources/i18n/WebGoatLabels_de.properties b/webgoat-container/src/main/resources/i18n/WebGoatLabels_de.properties deleted file mode 100644 index ea2065e0c..000000000 --- a/webgoat-container/src/main/resources/i18n/WebGoatLabels_de.properties +++ /dev/null @@ -1,7 +0,0 @@ -#General -LessonCompleted=Herzlichen Gl\u00fcckwunsch! Sie haben diese Lektion erfolgreich abgeschlossen. -RestartLesson=Lektion neu beginnen -SolutionVideos=L\u00f6sungsvideos -ErrorGenerating=Fehler beim Generieren von -InvalidData=Ung\u00fcltige Daten -Go!=Los gehts! diff --git a/webgoat-container/src/main/resources/i18n/WebGoatLabels_en.properties b/webgoat-container/src/main/resources/i18n/WebGoatLabels_en.properties deleted file mode 100644 index 1f622dd2f..000000000 --- a/webgoat-container/src/main/resources/i18n/WebGoatLabels_en.properties +++ /dev/null @@ -1,7 +0,0 @@ -#General -LessonCompleted=Congratulations. You have successfully completed this lesson. -RestartLesson=Restart this Lesson -SolutionVideos=Solution Videos -ErrorGenerating=Error generating -InvalidData=Invalid Data -Go!=Go! diff --git a/webgoat-container/src/main/resources/i18n/WebGoatLabels_fr.properties b/webgoat-container/src/main/resources/i18n/WebGoatLabels_fr.properties deleted file mode 100644 index ebc86bb21..000000000 --- a/webgoat-container/src/main/resources/i18n/WebGoatLabels_fr.properties +++ /dev/null @@ -1,7 +0,0 @@ -#General -LessonCompleted=F\u00e9licitations. Vous avez termin\u00e9 cette le\u00e7on avec succ\u00e9s. -RestartLesson=Recommencer cette le\u00e7on -SolutionVideos=Solution vid\u00e9os -ErrorGenerating=Error generating -InvalidData=Donn\u00e9e invalide -Go!=Go! 
diff --git a/webgoat-container/src/main/resources/i18n/WebGoatLabels_ru.properties b/webgoat-container/src/main/resources/i18n/WebGoatLabels_ru.properties deleted file mode 100644 index 0c3b80ca0..000000000 --- a/webgoat-container/src/main/resources/i18n/WebGoatLabels_ru.properties +++ /dev/null @@ -1,7 +0,0 @@ -#General -LessonCompleted=\u041f\u043e\u0437\u0434\u0440\u0430\u0432\u043b\u044f\u044e. \u0412\u044b \u043f\u043e\u043b\u043d\u043e\u0441\u0442\u044c\u044e \u043f\u0440\u043e\u0448\u043b\u0438 \u0434\u0430\u043d\u043d\u044b\u0439 \u0443\u0440\u043e\u043a. -RestartLesson=\u041d\u0430\u0447\u0430\u043b\u044c \u0441\u043d\u0430\u0447\u0430\u043b\u0430 -SolutionVideos=\u0412\u0438\u0434\u0435\u043e \u0441 \u0440\u0435\u0448\u0435\u043d\u0438\u0435\u043c -ErrorGenerating=\u041f\u0440\u043e\u0438\u0437\u043e\u0448\u043b\u0430 \u043e\u0448\u0438\u0431\u043a\u0430 -InvalidData=\u041d\u0435\u0432\u0435\u0440\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435 -Go!=\u0412\u043f\u0435\u0440\u0451\u0434! diff --git a/webgoat-container/src/main/resources/i18n/messages.properties b/webgoat-container/src/main/resources/i18n/messages.properties new file mode 100644 index 000000000..fc9e1791e --- /dev/null +++ b/webgoat-container/src/main/resources/i18n/messages.properties @@ -0,0 +1,52 @@ +# +# This file is part of WebGoat, an Open Web Application Security Project utility. For details, +# please see http://www.owasp.org/ +#

+# Copyright (c) 2002 - 2017 Bruce Mayhew +#

+# This program is free software; you can redistribute it and/or modify it under the terms of the +# GNU General Public License as published by the Free Software Foundation; either version 2 of the +# License, or (at your option) any later version. +#

+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +#

+# You should have received a copy of the GNU General Public License along with this program; if +# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA +# 02111-1307, USA. +#

+# Getting Source ============== +#

+# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software +# projects. +#

+# + +lesson.completed=Congratulations. You have successfully completed this lesson. +assignment.solved=Congratulations. You have successfully complete the assignment. +assignment.not.solved=Sorry the solution is not correct, please try again. +RestartLesson=Restart this Lesson +SolutionVideos=Solution Videos +ErrorGenerating=Error generating +InvalidData=Invalid Data +Go!=Go! +password=Password +username=Username +logged_out=You've been logged out successfully. +invalid_username_password=Invalid username and password. +login.page.title=Login Page +accounts.build.in=The following accounts are built into WebGoat +accounts.table.account=Account +accounts.table.user=User +accounts.table.password=Password +logout=Logout +version=Version +build=Build +report.card=Report card +about=About WebGoat +contact=Contact Us +show.hints=Show hints +lesson.overview=Lesson overview +reset.lesson=Reset lesson +sign.in=Sign in diff --git a/webgoat-container/src/main/resources/i18n/messages_de.properties b/webgoat-container/src/main/resources/i18n/messages_de.properties new file mode 100644 index 000000000..152981238 --- /dev/null +++ b/webgoat-container/src/main/resources/i18n/messages_de.properties @@ -0,0 +1,32 @@ +# +# This file is part of WebGoat, an Open Web Application Security Project utility. For details, +# please see http://www.owasp.org/ +#

+# Copyright (c) 2002 - 2017 Bruce Mayhew +#

+# This program is free software; you can redistribute it and/or modify it under the terms of the +# GNU General Public License as published by the Free Software Foundation; either version 2 of the +# License, or (at your option) any later version. +#

+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +#

+# You should have received a copy of the GNU General Public License along with this program; if +# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA +# 02111-1307, USA. +#

+# Getting Source ============== +#

+# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software +# projects. +#

+# + +#General +LessonCompleted=Herzlichen Gl\u00fcckwunsch! Sie haben diese Lektion erfolgreich abgeschlossen. +RestartLesson=Lektion neu beginnen +SolutionVideos=L\u00f6sungsvideos +ErrorGenerating=Fehler beim Generieren von +InvalidData=Ung\u00fcltige Daten +Go!=Los gehts! diff --git a/webgoat-container/src/main/resources/i18n/messages_fr.properties b/webgoat-container/src/main/resources/i18n/messages_fr.properties new file mode 100644 index 000000000..340a11bd7 --- /dev/null +++ b/webgoat-container/src/main/resources/i18n/messages_fr.properties @@ -0,0 +1,32 @@ +# +# This file is part of WebGoat, an Open Web Application Security Project utility. For details, +# please see http://www.owasp.org/ +#

+# Copyright (c) 2002 - 2017 Bruce Mayhew +#

+# This program is free software; you can redistribute it and/or modify it under the terms of the +# GNU General Public License as published by the Free Software Foundation; either version 2 of the +# License, or (at your option) any later version. +#

+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +#

+# You should have received a copy of the GNU General Public License along with this program; if +# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA +# 02111-1307, USA. +#

+# Getting Source ============== +#

+# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software +# projects. +#

+# + +#General +LessonCompleted=F\u00e9licitations. Vous avez termin\u00e9 cette le\u00e7on avec succ\u00e9s. +RestartLesson=Recommencer cette le\u00e7on +SolutionVideos=Solution vid\u00e9os +ErrorGenerating=Error generating +InvalidData=Donn\u00e9e invalide +Go!=Go! diff --git a/webgoat-container/src/main/resources/i18n/messages_nl.properties b/webgoat-container/src/main/resources/i18n/messages_nl.properties new file mode 100644 index 000000000..2370be9d4 --- /dev/null +++ b/webgoat-container/src/main/resources/i18n/messages_nl.properties @@ -0,0 +1,49 @@ +# +# This file is part of WebGoat, an Open Web Application Security Project utility. For details, +# please see http://www.owasp.org/ +#

+# Copyright (c) 2002 - 2017 Bruce Mayhew +#

+# This program is free software; you can redistribute it and/or modify it under the terms of the +# GNU General Public License as published by the Free Software Foundation; either version 2 of the +# License, or (at your option) any later version. +#

+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +#

+# You should have received a copy of the GNU General Public License along with this program; if +# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA +# 02111-1307, USA. +#

+# Getting Source ============== +#

+# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software +# projects. +#

+# +LessonCompleted=Gefeliciteerd, je hebt de les succesvol afgerond. +RestartLesson=Herstart de les +SolutionVideos=Video oplossingen +ErrorGenerating=Fout opgetreden tijdens generatie +InvalidData=Ongeldige invoer +Go!=Go! +password=Wachtwoord +username=Gebruikersnaam +logged_out=Je bent succesvol uitgelogd. +invalid_username_password=Ongeldige gebruikersnaam/wachtwoord combinatie +login.page.title=Inlog pagina +accounts.build.in=De volgende account zijn standaard beschikbaar binnen WebGoat +accounts.table.account=Account +accounts.table.user=Gebruikersnaam +accounts.table.password=Wachtwoord +logout=Uitloggen +version=Versie +build=Build +report.card=Rapport +about=Over WebGoat +contact=Neem contact met ons op +show.hints=Toon hints +lesson.overview=Overzicht les +reset.lesson=Herstart les +sign.in=Log in \ No newline at end of file diff --git a/webgoat-container/src/main/resources/i18n/messages_ru.properties b/webgoat-container/src/main/resources/i18n/messages_ru.properties new file mode 100644 index 000000000..436a81ee5 --- /dev/null +++ b/webgoat-container/src/main/resources/i18n/messages_ru.properties @@ -0,0 +1,32 @@ +# +# This file is part of WebGoat, an Open Web Application Security Project utility. For details, +# please see http://www.owasp.org/ +#

+# Copyright (c) 2002 - 2017 Bruce Mayhew +#

+# This program is free software; you can redistribute it and/or modify it under the terms of the +# GNU General Public License as published by the Free Software Foundation; either version 2 of the +# License, or (at your option) any later version. +#

+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +#

+# You should have received a copy of the GNU General Public License along with this program; if +# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA +# 02111-1307, USA. +#

+# Getting Source ============== +#

+# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software +# projects. +#

+# + +#General +LessonCompleted=\u041f\u043e\u0437\u0434\u0440\u0430\u0432\u043b\u044f\u044e. \u0412\u044b \u043f\u043e\u043b\u043d\u043e\u0441\u0442\u044c\u044e \u043f\u0440\u043e\u0448\u043b\u0438 \u0434\u0430\u043d\u043d\u044b\u0439 \u0443\u0440\u043e\u043a. +RestartLesson=\u041d\u0430\u0447\u0430\u043b\u044c \u0441\u043d\u0430\u0447\u0430\u043b\u0430 +SolutionVideos=\u0412\u0438\u0434\u0435\u043e \u0441 \u0440\u0435\u0448\u0435\u043d\u0438\u0435\u043c +ErrorGenerating=\u041f\u0440\u043e\u0438\u0437\u043e\u0448\u043b\u0430 \u043e\u0448\u0438\u0431\u043a\u0430 +InvalidData=\u041d\u0435\u0432\u0435\u0440\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435 +Go!=\u0412\u043f\u0435\u0440\u0451\u0434! diff --git a/webgoat-container/src/main/resources/static/js/goatApp/goatApp.js b/webgoat-container/src/main/resources/static/js/goatApp/goatApp.js index 5b1db8549..430ffaf0e 100644 --- a/webgoat-container/src/main/resources/static/js/goatApp/goatApp.js +++ b/webgoat-container/src/main/resources/static/js/goatApp/goatApp.js @@ -14,7 +14,7 @@ define(['jquery', return { initApp: function () { var locale = localStorage.getItem('locale') || 'en'; - $.getJSON('service/labels.mvc?lang=' + locale, function(data) { + $.getJSON('service/labels.mvc', function(data) { window.polyglot = new Polyglot({phrases: data}); asyncErrorHandler.init(); var goatRouter = new Router(); diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js index 1c51bcfd1..84915c81f 100644 --- a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js +++ b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js 
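Review bot: `var locale = localStorage.getItem('locale') || 'en';` is now dead — its only use was the `?lang=` query parameter this hunk removes — so the locale a user stored in `localStorage` is no longer sent and the labels come from whatever the server-side resolver decides. Either delete the line, or keep the preference and pass it as `$.getJSON('service/labels.mvc', {lang: locale}, function(data) {`, which jQuery serialises as the same query parameter. Which one is right depends on whether the server is meant to be the single source of the locale, and a one-line comment here recording that decision would save the next reader the search.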
@@ -148,13 +148,13 @@ define(['jquery', }, renderFeedback: function(feedback) { - this.$curFeedback.html(feedback || ""); + this.$curFeedback.html(polyglot.t(feedback) || ""); this.$curFeedback.show(400) }, renderOutput: function(output) { - this.$curOutput.html(output || ""); + this.$curOutput.html(polyglot.t(output) || ""); this.$curOutput.show(400) }, diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/TitleView.js b/webgoat-container/src/main/resources/static/js/goatApp/view/TitleView.js index f1698b9ec..6c00ff189 100644 --- a/webgoat-container/src/main/resources/static/js/goatApp/view/TitleView.js +++ b/webgoat-container/src/main/resources/static/js/goatApp/view/TitleView.js @@ -6,7 +6,7 @@ function($,_,Backbone) { el:'#header #lesson-title-wrapper', render:function(title) { - var lessonTitleEl = $('
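Review bot: `polyglot.t(feedback)` in `renderFeedback` (and the parallel `renderOutput` change) is applied to free-form strings, and Polyglot returns the key itself when no phrase matches, after logging a "Missing translation" warning — so every assignment output that is not a message key produces console noise and is inserted unchanged. Guard with `polyglot.has(feedback) ? polyglot.t(feedback) : feedback` (same for `output`) so only real keys are translated. The translated or raw value still goes into `.html()`, as it did before this change, which renders whatever the server returns as markup; `.text()` is the safer default unless a lesson deliberately returns HTML, and a comment on these two lines stating which is the case would document the sink. The enclosing Backbone view object starts outside the hunk.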

',{id:'lesson-title',text:title}); + var lessonTitleEl = $('

',{id:'lesson-title',text:polyglot.t(title)}); this.$el.html(lessonTitleEl); } }); diff --git a/webgoat-container/src/main/resources/templates/login.html b/webgoat-container/src/main/resources/templates/login.html index a7c7095c4..5b2f8a9d1 100644 --- a/webgoat-container/src/main/resources/templates/login.html +++ b/webgoat-container/src/main/resources/templates/login.html @@ -1,64 +1,71 @@ - Login Page - - - - - + Login Page + + + +
-
+
- Invalid username and password. +

Invalid username and password.

- You've been logged out successfully. +

You've been logged out successfully.



- - + +
- - + +
- +


-

The following accounts are built into Webgoat

+

The following accounts are built into Webgoat

- + + + + + - - + + + + + + + + + +
AccountUserPassword
AccountUserPassword
Webgoat Userguestguest
Webgoat Adminwebgoatwebgoat
Webgoat Userguestguest
Webgoat Adminwebgoatwebgoat


- -
diff --git a/webgoat-container/src/main/resources/templates/main_new.html b/webgoat-container/src/main/resources/templates/main_new.html index 91afb5e30..cb86fdbd3 100644 --- a/webgoat-container/src/main/resources/templates/main_new.html +++ b/webgoat-container/src/main/resources/templates/main_new.html @@ -62,7 +62,7 @@ @@ -88,7 +86,7 @@ @@ -96,12 +94,12 @@ - - @@ -139,16 +137,12 @@ - - - - diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/plugins/PluginTestHelper.java b/webgoat-container/src/test/java/org/owasp/webgoat/plugins/PluginTestHelper.java deleted file mode 100644 index d979d064a..000000000 --- a/webgoat-container/src/test/java/org/owasp/webgoat/plugins/PluginTestHelper.java +++ /dev/null @@ -1,31 +0,0 @@ -package org.owasp.webgoat.plugins; - -import java.io.IOException; -import java.net.URISyntaxException; -import java.nio.file.Files; -import java.nio.file.Path; -import java.nio.file.Paths; - -public class PluginTestHelper { - - private static Path tempDirectory; - - public static Path createTmpDir() throws IOException { - tempDirectory = Files.createTempDirectory(PluginTestHelper.class.getSimpleName()); - tempDirectory.toFile().deleteOnExit(); - return tempDirectory; - } - - public static Path pathForLoading() throws IOException, URISyntaxException { - Path path = Paths.get(PluginTestHelper.class.getProtectionDomain().getCodeSource().getLocation().toURI()); - return Paths.get(path.toString(), "org/owasp/webgoat/plugins"); - } - -// public static Plugin createPluginFor(Class pluginClass) throws Exception { -// Path pluginTargetPath = Files.createDirectory(Paths.get(tempDirectory.toString(), "pluginTargetPath")); -// Map classes = new HashMap<>(); -// classes.put(pluginClass.getName(), Files.readAllBytes(Paths.get(pathForLoading().toString(), pluginClass.getSimpleName() + ".class"))); -// Plugin plugin = new Plugin(pluginTargetPath, classes); -// return plugin; -// } -} 
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/HintServiceTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/service/HintServiceTest.java index d57fa2a56..df108e770 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/service/HintServiceTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/service/HintServiceTest.java @@ -8,19 +8,14 @@ import org.junit.runner.RunWith; import org.mockito.Mock; import org.mockito.Mockito; import org.mockito.runners.MockitoJUnitRunner; -import org.owasp.webgoat.i18n.LabelManager; import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.Assignment; import org.owasp.webgoat.session.WebSession; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; -import static org.junit.Assert.*; -import static org.mockito.AdditionalAnswers.returnsFirstArg; -import static org.mockito.Matchers.anyString; import static org.mockito.Mockito.when; import static org.owasp.webgoat.service.HintService.URL_HINTS_MVC; -import static org.owasp.webgoat.service.LabelService.URL_LABELS_MVC; import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/LabelServiceTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/service/LabelServiceTest.java index fce5ae93e..ae783dca2 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/service/LabelServiceTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/service/LabelServiceTest.java 
@@ -1,10 +1,9 @@ package org.owasp.webgoat.service; -import org.assertj.core.util.Maps; import org.hamcrest.CoreMatchers; import org.junit.Test; import org.junit.runner.RunWith; -import org.owasp.webgoat.i18n.LabelProvider; +import org.owasp.webgoat.session.Course; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest; import org.springframework.boot.test.mock.mockito.MockBean; @@ -13,9 +12,6 @@ import org.springframework.test.context.junit4.SpringRunner; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; -import java.util.Locale; - -import static org.mockito.Mockito.when; import static org.owasp.webgoat.service.LabelService.URL_LABELS_MVC; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; 
@@ -49,30 +45,28 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers. * @version $Id: $Id * @since November 29, 2016 */ -@WebMvcTest(value = {LabelService.class, LabelProvider.class}) +@WebMvcTest(value = {LabelService.class}) @RunWith(SpringRunner.class) public class LabelServiceTest { @Autowired public MockMvc mockMvc; @MockBean - private LabelProvider labelProvider; + private Course course; @Test @WithMockUser(username = "guest", password = "guest") public void withoutLocale() throws Exception { - when(labelProvider.getLabels(Locale.ENGLISH)).thenReturn(Maps.newHashMap("key", "value")); mockMvc.perform(MockMvcRequestBuilders.get(URL_LABELS_MVC)) .andExpect(status().isOk()) - .andExpect(jsonPath("key", CoreMatchers.is("value"))); + .andExpect(jsonPath("password", CoreMatchers.is("Password"))); } @Test @WithMockUser(username = "guest", password = "guest") public void withLocale() throws Exception { - when(labelProvider.getLabels(Locale.GERMAN)).thenReturn(Maps.newHashMap("key", "value")); - mockMvc.perform(MockMvcRequestBuilders.get(URL_LABELS_MVC).param("lang", "de")) + mockMvc.perform(MockMvcRequestBuilders.get(URL_LABELS_MVC).param("lang", "nl")) .andExpect(status().isOk()) - .andExpect(jsonPath("key", CoreMatchers.is("value"))); + .andExpect(jsonPath("password", CoreMatchers.is("Wachtwoord"))); } } \ No newline at end of file diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java index c3c781b4e..b89d4fa23 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java 
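Review bot: `withoutLocale` and `withLocale` now assert real bundle text (`"Password"`, `"Wachtwoord"`) instead of a stubbed provider, so they break on any rewording of messages_nl.properties, and `withoutLocale` silently assumes the resolver falls back to English when no `lang` parameter is sent — whether that holds may depend on the build machine's default locale, so pinning it with an explicit `.param("lang", "en")` or a comment on the assumption would make the test deterministic. The `@MockBean Course course` that replaces the provider mock is never stubbed; presumably it only satisfies context wiring, and a one-line comment such as `// only satisfies the web-context wiring; no interaction expected` would say so. The deleted LabelProviderTest covered fallback to English for an unsupported language, and nothing in this commit covers that for the new service, so a third case along the lines of `.param("lang", "zh")` expecting `jsonPath("password", CoreMatchers.is("Password"))` would keep that behaviour guarded.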
@@ -6,7 +6,6 @@ import org.junit.Test; import org.junit.runner.RunWith; import org.mockito.Mock; import org.mockito.runners.MockitoJUnitRunner; -import org.owasp.webgoat.i18n.LabelManager; import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.Assignment; import org.owasp.webgoat.session.LessonTracker; @@ -65,9 +64,6 @@ public class LessonProgressServiceTest { private LessonTracker lessonTracker; @Mock private WebSession websession; - @Mock - private LabelManager labelManager; - @Before public void setup() { @@ -75,7 +71,7 @@ public class LessonProgressServiceTest { when(userTracker.getLessonTracker(any())).thenReturn(lessonTracker); when(websession.getCurrentLesson()).thenReturn(lesson); when(lessonTracker.getLessonOverview()).thenReturn(Maps.newHashMap(assignment, true)); - this.mockMvc = MockMvcBuilders.standaloneSetup(new LessonProgressService(labelManager, userTracker, websession)).build(); + this.mockMvc = MockMvcBuilders.standaloneSetup(new LessonProgressService(userTracker, websession)).build(); } @Test diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/util/LabelProviderTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/util/LabelProviderTest.java deleted file mode 100644 index 8b5874519..000000000 --- a/webgoat-container/src/test/java/org/owasp/webgoat/util/LabelProviderTest.java +++ /dev/null 
@@ -1,34 +0,0 @@ -package org.owasp.webgoat.util; - -import org.hamcrest.CoreMatchers; -import org.junit.Test; -import org.owasp.webgoat.i18n.LabelProvider; - -import java.util.Locale; - -import static org.junit.Assert.assertThat; - -public class LabelProviderTest { - - @Test - public void defaultLabelsShouldBePresent() { - LabelProvider labelProvider = new LabelProvider(); - assertThat(labelProvider.get(Locale.ENGLISH, "LessonCompleted"), CoreMatchers.equalTo( - "Congratulations. You have successfully completed this lesson.")); - } - - @Test - public void shouldFallBackToEnglishIfLanguageNotSupported() { - LabelProvider labelProvider = new LabelProvider(); - assertThat(labelProvider.get(Locale.CHINESE, "LessonCompleted"), CoreMatchers.equalTo( - "Congratulations. You have successfully completed this lesson.")); - } - - @Test - public void shouldUseProvidedLanguageIfSupported() { - LabelProvider labelProvider = new LabelProvider(); - assertThat(labelProvider.get(Locale.GERMAN, "RestartLesson"), CoreMatchers.equalTo( - "Lektion neu beginnen")); - } - -} \ No newline at end of file diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Attack.java b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Attack.java index db0e73bb6..2c43c9df2 100644 --- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Attack.java +++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Attack.java 
@@ -1,15 +1,13 @@ package org.owasp.webgoat.plugin; -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentHints; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.lessons.AttackResult; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; -import javax.ws.rs.Path; import java.io.IOException; /** @@ -47,9 +45,9 @@ public class Attack extends AssignmentEndpoint { @RequestMapping(method = RequestMethod.POST) public @ResponseBody AttackResult completed(@RequestParam String answer) throws IOException { if ("450000".equals(answer)) { - return trackProgress(AttackResult.success()); + return trackProgress(success().build()); } else { - return trackProgress(AttackResult.failed("You are close, try again")); + return trackProgress(failed().build()); } } } diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Salaries.java b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Salaries.java index 902f06642..16d4a1e90 100644 --- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Salaries.java +++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Salaries.java @@ -6,7 +6,7 @@ package org.owasp.webgoat.plugin; import com.google.common.collect.Lists; import com.google.common.collect.Maps; -import org.owasp.webgoat.endpoints.Endpoint; +import org.owasp.webgoat.assignments.Endpoint; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.ResponseBody; import org.w3c.dom.Node; 
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson1.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson1.java index 5da607d10..084cff5c6 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson1.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson1.java @@ -1,19 +1,17 @@ package org.owasp.webgoat.plugin; -import java.io.IOException; - -import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.Path; - -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.lessons.AttackResult; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; +import javax.servlet.http.HttpServletRequest; +import java.io.IOException; + /*************************************************************************************************** @@ -52,9 +50,9 @@ public class CrossSiteScriptingLesson1 extends AssignmentEndpoint { @RequestMapping(method = RequestMethod.POST) public @ResponseBody AttackResult completed(@RequestParam String answer_xss_1, HttpServletRequest request) throws IOException { if (answer_xss_1.toString().toLowerCase().equals("yes")) { - return trackProgress(AttackResult.success()); + return trackProgress(success().build()); } else { - return trackProgress(AttackResult.failed("Are you sure? Try using a tab from a different site.")); + return trackProgress(failed().feedback("xss.lesson1.failure").build()); } } } 
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java index 2d9e21f64..857939090 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java @@ -1,19 +1,17 @@ package org.owasp.webgoat.plugin; -import java.io.IOException; - -import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.Path; - -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.lessons.AttackResult; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; +import javax.servlet.http.HttpServletRequest; +import java.io.IOException; + /*************************************************************************************************** @@ -64,6 +62,6 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint { cart.append("

We have chaged credit card:" + field1 + "
"); cart.append( " -------------------
"); cart.append( " $" + totalSale); - return trackProgress(AttackResult.failed(cart.toString())); + return trackProgress(failed().output(cart.toString()).build()); } } \ No newline at end of file diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5b.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5b.java index 63a763fb8..d09d0daf2 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5b.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5b.java @@ -2,24 +2,8 @@ package org.owasp.webgoat.plugin; -import java.io.IOException; -import java.sql.Connection; -import java.sql.ResultSet; -import java.sql.ResultSetMetaData; -import java.sql.SQLException; -import java.sql.Statement; - -import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.Path; - -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.lessons.AttackResult; -import org.owasp.webgoat.session.DatabaseUtilities; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.ResponseBody; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; @@ -55,7 +39,7 @@ import org.springframework.web.bind.annotation.ResponseBody; */ @AssignmentPath("/CrossSiteScripting/attack5b") public class CrossSiteScriptingLesson5b extends AssignmentEndpoint { - +/* @RequestMapping(method = RequestMethod.POST) public @ResponseBody AttackResult completed(@RequestParam String userid, HttpServletRequest request) throws IOException { return injectableQuery(userid); 
@@ -225,6 +209,6 @@ public class CrossSiteScriptingLesson5b extends AssignmentEndpoint { // // } - + */ } diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java index 136495158..67b2ab912 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java @@ -1,24 +1,8 @@ package org.owasp.webgoat.plugin; -import java.io.IOException; -import java.sql.Connection; -import java.sql.ResultSet; -import java.sql.ResultSetMetaData; -import java.sql.SQLException; -import java.sql.Statement; - -import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.Path; - -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.lessons.AttackResult; -import org.owasp.webgoat.session.DatabaseUtilities; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.ResponseBody; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; @@ -54,7 +38,7 @@ import org.springframework.web.bind.annotation.ResponseBody; */ @AssignmentPath("/CrossSiteScripting/attack6a") public class CrossSiteScriptingLesson6a extends AssignmentEndpoint { - +/* @RequestMapping(method = RequestMethod.POST) public @ResponseBody AttackResult completed(@RequestParam String userid_6a, HttpServletRequest request) throws IOException { return injectableQuery(userid_6a); @@ -224,6 +208,6 @@ public class CrossSiteScriptingLesson6a extends AssignmentEndpoint { // // } - +*/ } 
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6b.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6b.java index 251eb8c4f..d58cbe90a 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6b.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6b.java @@ -1,24 +1,22 @@ package org.owasp.webgoat.plugin; -import java.io.IOException; -import java.sql.Connection; -import java.sql.ResultSet; -import java.sql.SQLException; -import java.sql.Statement; - -import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.Path; - -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.lessons.AttackResult; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.session.DatabaseUtilities; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; +import javax.servlet.http.HttpServletRequest; +import java.io.IOException; +import java.sql.Connection; +import java.sql.ResultSet; +import java.sql.SQLException; +import java.sql.Statement; + /*************************************************************************************************** 
@@ -57,9 +55,9 @@ public class CrossSiteScriptingLesson6b extends AssignmentEndpoint { @RequestMapping(method = RequestMethod.POST) public @ResponseBody AttackResult completed(@RequestParam String userid_6b, HttpServletRequest request) throws IOException { if (userid_6b.toString().equals(getPassword())) { - return trackProgress(AttackResult.success()); + return trackProgress(success().build()); } else { - return trackProgress(AttackResult.failed("You are close, try again")); + return trackProgress(failed().build()); } } diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java index 6c030865b..0acb4e38b 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java @@ -1,15 +1,14 @@ package org.owasp.webgoat.plugin; -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.lessons.AttackResult; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.Path; import java.io.IOException; /** 
@@ -24,9 +23,9 @@ public class DOMCrossSiteScripting extends AssignmentEndpoint { throws IOException { if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) { - return trackProgress(AttackResult.success("well done!")); + return trackProgress(success().build()); } else { - return trackProgress(AttackResult.failed("keep trying!")); + return trackProgress(failed().build()); } } } diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties index 6ad457235..2b0bc8c70 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties @@ -6,3 +6,5 @@ SqlStringInjectionHint1=The application is taking your input and inserting it at SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:
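Review bot: `request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")` on the unchanged condition line throws a NullPointerException — and so a 500 — whenever the header is absent and the two numeric params are right, which the builder migration leaves in place; `"dom-xss-vuln".equals(request.getHeader("webgoat-requested-by"))` is null-safe. Replacing `"well done!"`/`"keep trying!"` with bare `success().build()`/`failed().build()` presumably relies on the builder's default feedback keys; if it does not, the user gets no message at all, so worth confirming against AttackResult.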

"SELECT * FROM user_data WHERE last_name = "accountName" SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ]. + +xss.lesson1.failure=Are you sure? Try using a tab from a different site. \ No newline at end of file diff --git a/webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java b/webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java deleted file mode 100644 index 8118e076b..000000000 --- a/webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java +++ /dev/null 
@@ -1,59 +0,0 @@ -package org.owasp.webgoat.plugin; - -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentHints; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.lessons.AttackResult; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.ResponseBody; - -import javax.servlet.http.HttpServletRequest; -import java.io.IOException; - -/** - * ************************************************************************************************* - * - * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. - * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository - * for free software projects. 
- * - * For details, please see http://webgoat.github.io - * - * @author Bruce Mayhew WebGoat - * @created October 28, 2003 - */ -@AssignmentPath("/HttpBasics/intercept-request") -public class HttpBasicsInterceptRequest extends AssignmentEndpoint { - - @RequestMapping(method = RequestMethod.GET) - public @ResponseBody AttackResult completed(HttpServletRequest request) throws IOException { - if (request.getHeader("x-request-intercepted").toLowerCase().equals("true") && request.getParameter("changeMe").equals("Requests are tampered easily")) { - return trackProgress(AttackResult.success("Well done, you tampered the request as expected")); - } else { - return trackProgress(AttackResult.failed("Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!")); - } - } -} \ No newline at end of file diff --git a/webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsLesson.java b/webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsLesson.java index 2561fe4bd..7edd90697 100644 --- a/webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsLesson.java +++ b/webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsLesson.java 
@@ -1,48 +1,44 @@ package org.owasp.webgoat.plugin; -import com.beust.jcommander.internal.Lists; -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentHints; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.lessons.AttackResult; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentHints; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; -import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.Path; import java.io.IOException; -import java.util.List; /** * ************************************************************************************************* - * - * + *

+ *

* This file is part of WebGoat, an Open Web Application Security Project * utility. For details, please see http://www.owasp.org/ - * + *

* Copyright (c) 2002 - 20014 Bruce Mayhew - * + *

* This program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free Software * Foundation; either version 2 of the License, or (at your option) any later * version. - * + *

* This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more * details. - * + *

* You should have received a copy of the GNU General Public License along with * this program; if not, write to the Free Software Foundation, Inc., 59 Temple * Place - Suite 330, Boston, MA 02111-1307, USA. - * + *

* Getting Source ============== - * + *

* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * for free software projects. - * + *

* For details, please see http://webgoat.github.io * * @author Bruce Mayhew WebGoat @@ -52,12 +48,17 @@ import java.util.List; @AssignmentHints({"http-basics.hints.http_basics_lesson.1"}) public class HttpBasicsLesson extends AssignmentEndpoint { - @RequestMapping(method = RequestMethod.POST) - public @ResponseBody AttackResult completed(@RequestParam String person) throws IOException { - if (!person.toString().equals("")) { - return trackProgress(AttackResult.success(getLabelProvider().get("http-basics.reversed", new StringBuffer(person).reverse().toString()))); - } else { - return trackProgress(AttackResult.failed(getLabelProvider().get("http-basics.close"))); - } - } + @RequestMapping(method = RequestMethod.POST) + public + @ResponseBody + AttackResult completed(@RequestParam String person) throws IOException { + if (!person.toString().equals("")) { + return trackProgress(success() + .feedback("http-basics.reversed") + .feedbackArgs(new StringBuffer(person).reverse().toString()) + .build()); + } else { + return trackProgress(failed().feedback("http-basics.close").build()); + } + } } diff --git a/webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsQuiz.java b/webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsQuiz.java index ed1de9152..8611928fc 100644 --- a/webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsQuiz.java +++ b/webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsQuiz.java 
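Review bot: The new code keys its feedback on `http-basics.reversed` and `http-basics.close`, but the http-basics WebGoatLabels.properties hunk further down (`@@ -10,6 +10,5 @@`) deletes exactly those entries, together with the `http-basics.incorrect` and `http-basics.magic` keys HttpBasicsQuiz now uses; unless they were moved into another bundle this commit adds (the container messages.properties is not in this view), these lookups will resolve to nothing. On style, `person.toString().equals("")` on a `String` parameter is `person.isEmpty()`, `new StringBuffer(person).reverse()` has no reason to prefer the synchronized variant over `StringBuilder`, and the `public` / `@ResponseBody` / `AttackResult completed(...)` signature split over three lines reads oddly against the surrounding endpoints. The reversed `person` is handed raw to `feedbackArgs`; whether the client escapes message arguments before rendering is not visible here and is worth confirming, since this lesson is not meant to be an injection exercise.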
@@ -1,24 +1,18 @@ package org.owasp.webgoat.plugin; -import com.beust.jcommander.internal.Lists; -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentHints; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.lessons.AttackResult; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentHints; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.Path; import java.io.IOException; -import java.util.List; /** - * ************************************************************************************************* - * - * * This file is part of WebGoat, an Open Web Application Security Project * utility. For details, please see http://www.owasp.org/ * 
@@ -55,16 +49,15 @@ public class HttpBasicsQuiz extends AssignmentEndpoint {
 @RequestMapping(method = RequestMethod.POST)
 public @ResponseBody AttackResult completed(@RequestParam String answer, @RequestParam String magic_answer, @RequestParam String magic_num, HttpServletRequest request) throws IOException {
 if ("POST".equals(answer.toUpperCase()) && magic_answer.equals(magic_num)) {
- return trackProgress(AttackResult.success());
+ return trackProgress(success().build());
 } else {
- StringBuffer message = new StringBuffer();
 if (!"POST".equals(answer.toUpperCase())) {
- message.append(getLabelProvider().get("http-basics.incorrect"));
+ return trackProgress(failed().feedback("http-basics.incorrect").build());
 }
 if (!magic_answer.equals(magic_num)){
- message.append(getLabelProvider().get("http-basics.magic"));
+ return trackProgress(failed().feedback("http-basics.magic").build());
 }
- return trackProgress(AttackResult.failed(getLabelProvider().get("http-basics.close", message.toString())));
 }
+ return trackProgress(failed().build());
 }
 }
diff --git a/webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels.properties b/webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels.properties
index 673e9e318..df11be6e9 100644
--- a/webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels.properties
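Review bot: The rewritten else-branch changes what the user is told: previously both `http-basics.incorrect` and `http-basics.magic` were concatenated into one `http-basics.close` message, now the first failing check returns on its own, so someone wrong on both only learns about the HTTP command, and the trailing `return trackProgress(failed().build());` is unreachable in practice because the negated outer condition guarantees one of the two inner `if`s fires. If single-message feedback is intended, a comment like `// report the first mismatch only; the generic failure below is a compiler-required fallback` would document it; otherwise build one combined message and pass both texts via `feedbackArgs`. `answer.toUpperCase()` on the context lines is locale-sensitive; `toUpperCase(Locale.ROOT)` avoids locale surprises when comparing a protocol keyword.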
@@ -10,6 +10,5 @@ http-basics.hints.http_basic_quiz.2=Try to intercept the request with OWASP ZAP - - -http-basics.reversed=The server has reversed your name: {0} - -http-basics.close=You are close, try again: {0} -http-basics.incorrect=the HTTP Command is incorrect. -http-basics.magic=the magic number is incorrect. \ No newline at end of file +http-proxies.intercept.success=Well done, you tampered the request as expected +http-proxies.intercept.failure=Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know! \ No newline at end of file diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORDiffAttributes.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORDiffAttributes.java index d925c90fb..2cde6b967 100644 --- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORDiffAttributes.java +++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORDiffAttributes.java @@ -1,15 +1,14 @@ package org.owasp.webgoat.plugin; -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.lessons.AttackResult; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.Path; import java.io.IOException; /** 
@@ -51,13 +50,13 @@ public class IDORDiffAttributes extends AssignmentEndpoint { attributes = attributes.trim(); String[] diffAttribs = attributes.split(","); if (diffAttribs.length < 2) { - return AttackResult.failed("You did not list two attributes, comma delimited"); + return trackProgress(failed().feedback("idor.diff.attributes.missing").build()); } if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role") || diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) { - return trackProgress(AttackResult.success("Correct, the two attributes not displayed are userId & role. Keep those in mind")); + return trackProgress(success().feedback("idor.diff.success").build()); } else { - return trackProgress(AttackResult.failed("Try again. Look in your browser dev tools or Proxy and compare to what's displayed on the screen.")); + return trackProgress(failed().feedback("idor.diff.failure").build()); } } } diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOtherProfiile.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOtherProfiile.java index 9b48499f7..1d196030c 100644 --- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOtherProfiile.java +++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOtherProfiile.java 
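Review bot: The new feedback keys `idor.diff.attributes.missing`, `idor.diff.success` and `idor.diff.failure` replace inline English, but no idor properties hunk is in this view, so confirm they exist in the idor plugin's WebGoatLabels.properties with the wording the old literals carried, or the user sees nothing. The missing-attributes branch is now routed through `trackProgress(...)` where it previously returned a bare `AttackResult.failed(...)`, so an incomplete submission is now recorded as an attempt — reasonable, but it is a behaviour change beyond i18n and deserves a mention in the commit message. The enclosing `completed` method starts above this hunk.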
@@ -1,18 +1,12 @@ package org.owasp.webgoat.plugin; -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.lessons.AttackResult; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.session.UserSessionData; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.*; -import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.Path; -import java.io.IOException; -import java.util.HashMap; -import java.util.Map; - /** * ************************************************************************************************ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, 
@@ -65,28 +59,42 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint { // we will persist in the session object for now in case we want to refer back or use it later userSessionData.setValue("idor-updated-other-profile",currentUserProfile); if (currentUserProfile.getRole() <= 1 && currentUserProfile.getColor().toLowerCase().equals("red")) { - return trackProgress(AttackResult.success("Well done, you have modified someone else's profile (as displayed below)",currentUserProfile.profileToMap().toString())); + return trackProgress(success() + .feedback("idor.edit.profile.success1") + .output(currentUserProfile.profileToMap().toString()) + .build()); } if (currentUserProfile.getRole() > 1 && currentUserProfile.getColor().toLowerCase().equals("red")) { - return trackProgress(AttackResult.success("Close ... you've got the technique. Now try for a lower role number)",currentUserProfile.profileToMap().toString())); + return trackProgress(success() + .feedback("idor.edit.profile.failure1") + .output(currentUserProfile.profileToMap().toString()) + .build()); } if (currentUserProfile.getRole() <= 1 && !currentUserProfile.getColor().toLowerCase().equals("red")) { - return trackProgress(AttackResult.success("Close ... you've got the technique. Now change the color in their profile to red.)",currentUserProfile.profileToMap().toString())); + return trackProgress(success() + .feedback("idor.edit.profile.failure2") + .output(currentUserProfile.profileToMap().toString()) + .build()); } // else - return trackProgress(AttackResult.success("Try again. Use the hints if you need to.",currentUserProfile.profileToMap().toString())); - + return trackProgress(failed(). 
+ feedback("idor.edit.profile.failure3") + .output(currentUserProfile.profileToMap().toString()) + .build()); } else if (userSubmittedProfile.getUserId().equals(authUserId)) { - return AttackResult.failed("Modifying your own profile is good, but we want to do this to Buffalo Bill's profile."); + return failed().feedback("idor.edit.profile.failure4").build(); } if (currentUserProfile.getColor().equals("black") && currentUserProfile.getRole() <= 1 ) { - return trackProgress(AttackResult.success("Good work! View the updated profile below",userSessionData.getValue("idor-updated-own-profile").toString())); + return trackProgress(success() + .feedback("idor.edit.profile.success2") + .output(userSessionData.getValue("idor-updated-own-profile").toString()) + .build()); } else { - return trackProgress(AttackResult.failed("Please try again. Use the hints if need be.")); + return trackProgress(failed().feedback("idor.edit.profile.failure3").build()); } } diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORLogin.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORLogin.java index edb96fe5b..6552bb453 100644 --- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORLogin.java +++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORLogin.java 
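Review bot: The fallthrough return is written as `return trackProgress(failed().` with the dot dangling at the end of the line and `feedback("idor.edit.profile.failure3")` on the next, while every other chain in this method leads the continuation line with the dot; `return trackProgress(failed()` / `.feedback("idor.edit.profile.failure3")` keeps the style uniform. Separately, the own-profile branch `return failed().feedback("idor.edit.profile.failure4").build();` is the only result in the method not passed through `trackProgress(...)`, as was already the case before this change; if that is deliberate, a one-line comment saying so would save the next reader from wondering. The enclosing method starts outside the hunk.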
@@ -1,16 +1,13 @@ package org.owasp.webgoat.plugin; -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentHints; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.lessons.AttackResult; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentHints; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.session.UserSessionData; import org.springframework.web.bind.annotation.*; -import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.Path; -import java.io.IOException; import java.util.HashMap; import java.util.Map; @@ -67,9 +64,8 @@ public class IDORLogin extends AssignmentEndpoint { } @PostMapping - public @ResponseBody - AttackResult completed(@RequestParam String username, @RequestParam String password) { + public AttackResult completed(@RequestParam String username, @RequestParam String password) { initIDORInfo(); UserSessionData userSessionData = getUserSessionData(); @@ -77,12 +73,12 @@ public class IDORLogin extends AssignmentEndpoint { if ("tom".equals(username) && idorUserInfo.get("tom").get("password").equals(password)) { userSessionData.setValue("idor-authenticated-as", username); userSessionData.setValue("idor-authenticated-user-id", idorUserInfo.get(username).get("id")); - return trackProgress(AttackResult.success("You are now logged in as " + username + ". Please proceed.")); + return trackProgress(success().feedback("idor.login.success").feedbackArgs(username).build()); } else { - return trackProgress(AttackResult.failed("credentials provided are not correct")); + return trackProgress(failed().feedback("idor.login.failure").build()); } } else { - return trackProgress(AttackResult.failed("credentials provided are not correct")); + return trackProgress(failed().feedback("idor.login.failure").build()); } } 
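Review bot: In the `@@ -67,9 +64,8 @@` hunk the rewritten signature `public AttackResult completed(...)` drops the `@ResponseBody` the old declaration carried, whereas the sibling endpoints in this commit (SqlInjectionLesson6b, ContentTypeAssignment) keep it. Unless the reworked `AssignmentEndpoint` base class, which this commit changes but which is not visible here, is now a `@RestController` or otherwise declares `@ResponseBody`, Spring would try to resolve the returned `AttackResult` as a view name instead of serialising it. Either restore the annotation here or document on the base class that subclasses no longer need it, so the two conventions do not coexist silently.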
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOtherProfile.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOtherProfile.java index 1ce215c5a..c90188097 100644 --- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOtherProfile.java +++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOtherProfile.java @@ -1,10 +1,9 @@ package org.owasp.webgoat.plugin; -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.endpoints.Endpoint; -import org.owasp.webgoat.lessons.AttackResult; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.session.UserSessionData; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.PathVariable; @@ -12,11 +11,7 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.ResponseBody; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import javax.ws.rs.Path; -import java.io.IOException; import java.util.HashMap; import java.util.Map; 
@@ -69,15 +64,15 @@ public class IDORViewOtherProfile extends AssignmentEndpoint{ UserProfile requestedProfile = new UserProfile(userId); // secure code would ensure there was a horizontal access control check prior to dishing up the requested profile if (requestedProfile.getUserId().equals("2342388")){ - return trackProgress(AttackResult.success("Well done, you found someone else's profile",requestedProfile.profileToMap().toString())); + return trackProgress(success().feedback("idor.view.profile.success").output(requestedProfile.profileToMap().toString()).build()); } else { - return trackProgress((AttackResult.failed("You're on the right path, try a different id"))); + return trackProgress(failed().feedback("idor.view.profile.close1").build()); } } else { - return trackProgress((AttackResult.failed("Try again. You need to use the same method/URL you used to access your own profile via direct object reference."))); + return trackProgress(failed().feedback("idor.view.profile.close2").build()); } } - return trackProgress((AttackResult.failed("Try again. "))); + return trackProgress(failed().build()); } } diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfile.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfile.java index 488e21f3f..36c226e10 100644 --- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfile.java +++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfile.java @@ -1,7 +1,7 @@ package org.owasp.webgoat.plugin; -import org.owasp.webgoat.endpoints.Endpoint; +import org.owasp.webgoat.assignments.Endpoint; import org.owasp.webgoat.session.UserSessionData; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.RequestMapping; 
@@ -12,12 +12,9 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; -import com.google.common.collect.Lists; import java.util.HashMap; -import java.util.List; import java.util.Map; -import java.util.Objects; /** * ************************************************************************************************ diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfileAltUrl.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfileAltUrl.java index 21df72a00..f0473443f 100644 --- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfileAltUrl.java +++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfileAltUrl.java @@ -1,10 +1,9 @@ package org.owasp.webgoat.plugin; -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.endpoints.Endpoint; -import org.owasp.webgoat.lessons.AttackResult; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.session.UserSessionData; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.*; 
@@ -65,17 +64,17 @@ public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint{ String[] urlParts = url.split("/"); if (urlParts[0].equals("WebGoat") && urlParts[1].equals("IDOR") && urlParts[2].equals("profile") && urlParts[3].equals(authUserId)) { UserProfile userProfile = new UserProfile(authUserId); - return trackProgress(AttackResult.success("congratultions, you have used the alternate Url/route to view your own profile.",userProfile.profileToMap().toString())); + return trackProgress(success().feedback("idor.view.own.profile.success").output(userProfile.profileToMap().toString()).build()); } else { - return trackProgress(AttackResult.failed("please try again. The alternoute route is very similar to the previous way you viewed your profile. Only one difference really")); + return trackProgress(failed().feedback("idor.view.own.profile.failure1").build()); } } else { - return trackProgress(AttackResult.failed("You need to authenticate as tom first.")); + return trackProgress(failed().feedback("idor.view.own.profile.failure2").build()); } } catch (Exception ex) { System.out.println(ex.getMessage()); - return AttackResult.failed("an error occurred with your request"); + return failed().feedback("an error occurred with your request").build(); } } diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/ViewOtherUserProfile.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/ViewOtherUserProfile.java index 7e35fc4f3..622b8f5ac 100644 --- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/ViewOtherUserProfile.java +++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/ViewOtherUserProfile.java 
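Review bot: The `catch (Exception ex)` branch passes a literal English sentence to `failed().feedback("an error occurred with your request")`, while every other result in this hunk passes a message key; the sentence appears nowhere in the idor `WebGoatLabels.properties` hunk of this commit, so depending on how the builder resolves feedback it will either be looked up and miss or be shown raw. Add a key such as `idor.view.own.profile.error=An error occurred with your request` to the properties file and reference it here. The same branch still reports the exception with `System.out.println(ex.getMessage())`; a logger (the xxe lessons in this commit use Lombok's `@Slf4j`) would keep that out of stdout. The enclosing method starts outside the hunk.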
@@ -1,9 +1,9 @@ package org.owasp.webgoat.plugin; import com.google.common.collect.Lists; -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.lessons.AttackResult; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.session.UserSessionData; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.web.bind.annotation.PathVariable; @@ -13,7 +13,6 @@ import org.springframework.web.bind.annotation.ResponseBody; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import javax.ws.rs.Path; import java.io.IOException; import java.util.HashMap; import java.util.List; @@ -43,7 +42,7 @@ public class ViewOtherUserProfile extends AssignmentEndpoint { if (userSessionData.getValue("idor-authenticated-as") == null) { json.add(errorMap); - return trackProgress(AttackResult.failed("You must authenticate first")); + return trackProgress(failed().feedback("idor.view.other.profile.failure1").build()); } else { if (userSessionData.getValue("idor-authenticated-as").equals("bill") || userSessionData.getValue("idor-authenticated-as").equals("tom")) { System.out.println("**** authenticated as " + userSessionData.getValue("idor-authenticated-as")); 
@@ -52,11 +51,11 @@ public class ViewOtherUserProfile extends AssignmentEndpoint { //secure code would check to make sure authUserId matches userId or some similar access control // ... and in this endpoint, we won't bother with that UserProfile userProfile = new UserProfile(userId); - return trackProgress(AttackResult.failed("still working")); + return trackProgress(failed().feedback("idor.view.other.profile.failure2").build()); } } // else - return trackProgress(AttackResult.failed("fall back")); + return trackProgress(failed().build()); } diff --git a/webgoat-lessons/idor/src/main/resources/plugin/i18n/WebGoatLabels.properties b/webgoat-lessons/idor/src/main/resources/plugin/i18n/WebGoatLabels.properties index 24b49aea3..a1cf4b076 100644 --- a/webgoat-lessons/idor/src/main/resources/plugin/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/idor/src/main/resources/plugin/i18n/WebGoatLabels.properties 
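Review bot: `failed().feedback("idor.view.other.profile.failure2")` resolves, in the idor `WebGoatLabels.properties` hunk that follows, to the placeholder value `<>`, so the user now sees `<>` where the old code at least said "still working". Either give the key a real message in the properties file or keep the old text (`idor.view.other.profile.failure2=still working`) until one is written. The local `UserProfile userProfile = new UserProfile(userId);` on the context line above appears unused in the visible lines after the change. The enclosing method starts outside the hunk.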
@@ -1,3 +1,29 @@ idor.title=Insecure Direct Object References idor.hints.idor_login=Log in first + + +idor.diff.attributes.missing=You did not list two attributes, comma delimited +idor.diff.success=Correct, the two attributes not displayed are userId & role. Keep those in mind +idor.diff.failure=Try again. Look in your browser dev tools or Proxy and compare to what's displayed on the screen. + +idor.edit.profile.success1=Well done, you have modified someone else's profile (as displayed below) +idor.edit.profile.success2=Good work! View the updated profile below +idor.edit.profile.failure1=Close ... you've got the technique. Now try for a lower role number +idor.edit.profile.failure2=Close ... you've got the technique. Now change the color in their profile to red.) +idor.edit.profile.failure3=Try again. Use the hints if you need to. +idor.edit.profile.failure4=Modifying your own profile is good, but we want to do this to Buffalo Bill's profile. + +idor.login.success=You are now logged in as {0}. Please proceed. +idor.login.failure=Credentials provided are not correct + +idor.view.profile.success=Well done, you found someone else's profile +idor.view.profile.close1=You're on the right path, try a different id +idor.view.profile.close2=Try again. You need to use the same method/URL you used to access your own profile via direct object reference. + +idor.view.own.profile.success=Congratulations, you have used the alternate Url/route to view your own profile. +idor.view.own.profile.failure1=Please try again. The alternate route is very similar to the previous way you viewed your profile. Only one difference really +idor.view.own.profile.failure2=You need to authenticate as tom first. + +idor.view.other.profile.failure1=You must authenticate first +idor.view.other.profile.failure2=<> \ No newline at end of file 
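Review bot: `idor.edit.profile.failure2` carries over the stray closing parenthesis from the old inline string (`...to red.)`), while the same typo was dropped when `idor.edit.profile.failure1` was moved; `idor.edit.profile.failure2=Close ... you've got the technique. Now change the color in their profile to red.` fixes it. `idor.view.other.profile.failure2=<>` is still a placeholder and is what ViewOtherUserProfile now shows to the user, so it needs a message before this ships.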
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5a.java index b39c16567..c7dbb59b8 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5a.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5a.java @@ -1,25 +1,19 @@ package org.owasp.webgoat.plugin; -import java.io.IOException; -import java.sql.Connection; -import java.sql.ResultSet; -import java.sql.ResultSetMetaData; -import java.sql.SQLException; -import java.sql.Statement; - -import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.Path; - -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.lessons.AttackResult; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.session.DatabaseUtilities; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; +import javax.servlet.http.HttpServletRequest; +import java.io.IOException; +import java.sql.*; + /*************************************************************************************************** 
@@ -84,26 +78,25 @@ public class SqlInjectionLesson5a extends AssignmentEndpoint { // If they get back more than one user they succeeded if (results.getRow() >= 6) { - return trackProgress(AttackResult.success("You have succeed: " + output.toString())); + return trackProgress(success().feedback("sql-injection.5a.success").feedbackArgs(output.toString()).build()); } else { - return trackProgress(AttackResult.failed("You are close, try again. " + output.toString())); + return trackProgress(failed().output(output.toString()).build()); } - } else { - return trackProgress(AttackResult.failed("No Results Matched. Try Again. ")); + return trackProgress(failed().feedback("sql-injection.5a.no.results").build()); } } catch (SQLException sqle) { - return trackProgress(AttackResult.failed(sqle.getMessage())); + return trackProgress(failed().output(sqle.getMessage()).build()); } } catch (Exception e) { e.printStackTrace(); - return trackProgress(AttackResult.failed( "ErrorGenerating" + this.getClass().getName() + " : " + e.getMessage())); + return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build()); } } diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5b.java index ecc5ae16e..c21a9e3e6 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5b.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5b.java 
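Review bot: `success().feedback("sql-injection.5a.success").feedbackArgs(output.toString())` passes the query output as a message argument, but the key added in this commit's sql-injection `WebGoatLabels.properties` hunk is `sql-injection.5a.success=You have succeed:` with no `{0}`, so the argument is silently dropped and the user no longer sees the rows the old message concatenated. Either add the placeholder (`sql-injection.5a.success=You have succeeded: {0}`) or pass the rows through `.output(output.toString())` as the failure branch does; the same applies to SqlInjectionLesson5b and SqlInjectionLesson6a and their keys. The generic `catch (Exception e)` branch now returns the class name and exception message to the client; if that disclosure is not part of the lesson, a fixed `.feedback(...)` key with the detail left to the server log would be the safer shape. The enclosing method starts outside the hunk.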
@@ -2,25 +2,19 @@ package org.owasp.webgoat.plugin; -import java.io.IOException; -import java.sql.Connection; -import java.sql.ResultSet; -import java.sql.ResultSetMetaData; -import java.sql.SQLException; -import java.sql.Statement; - -import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.Path; - -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.lessons.AttackResult; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.session.DatabaseUtilities; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; +import javax.servlet.http.HttpServletRequest; +import java.io.IOException; +import java.sql.*; + /*************************************************************************************************** 
@@ -86,27 +80,27 @@ public class SqlInjectionLesson5b extends AssignmentEndpoint { // If they get back more than one user they succeeded if (results.getRow() >= 6) { - return trackProgress(AttackResult.success("You have succeed: " + output.toString())); + return trackProgress(success().feedback("sql-injection.5b.success").feedbackArgs(output.toString()).build()); } else { - return trackProgress(AttackResult.failed("You are close, try again. " + output.toString())); + return trackProgress(failed().output(output.toString()).build()); } } else { - return trackProgress(AttackResult.failed("No Results Matched. Try Again. ")); + return trackProgress(failed().feedback("sql-injection.5b.no.results").build()); // output.append(getLabelManager().get("NoResultsMatched")); } } catch (SQLException sqle) { - return trackProgress(AttackResult.failed(sqle.getMessage())); + return trackProgress(failed().output(sqle.getMessage()).build()); } } catch (Exception e) { e.printStackTrace(); - return trackProgress(AttackResult.failed( "ErrorGenerating" + this.getClass().getName() + " : " + e.getMessage())); + return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build()); } } diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java index bacb96201..5d852d439 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java 
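Review bot: The context line `// output.append(getLabelManager().get("NoResultsMatched"));` is commented-out code that refers to `LabelManager`, a class this commit deletes, so it should go now that the surrounding lines are being rewritten rather than survive as a reference to nothing. The enclosing method starts outside the hunk.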
@@ -1,25 +1,19 @@ package org.owasp.webgoat.plugin; -import java.io.IOException; -import java.sql.Connection; -import java.sql.ResultSet; -import java.sql.ResultSetMetaData; -import java.sql.SQLException; -import java.sql.Statement; - -import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.Path; - -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.lessons.AttackResult; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.session.DatabaseUtilities; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; +import javax.servlet.http.HttpServletRequest; +import java.io.IOException; +import java.sql.*; + /*************************************************************************************************** 
@@ -86,26 +80,26 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint { // If they get back more than one user they succeeded if (results.getRow() >= 6) { - return trackProgress(AttackResult.success("You have succeed: " + output.toString())); + return trackProgress(success().feedback("sql-injection.6b.success").feedbackArgs(output.toString()).build()); } else { - return trackProgress(AttackResult.failed("You are close, try again. " + output.toString())); + return trackProgress(failed().output(output.toString()).build()); } } else { - return trackProgress(AttackResult.failed("No Results Matched. Try Again. ")); + return trackProgress(failed().feedback("sql-injection.6b.no.results").build()); } } catch (SQLException sqle) { - return trackProgress(AttackResult.failed(sqle.getMessage())); + return trackProgress(failed().output(sqle.getMessage()).build()); } } catch (Exception e) { e.printStackTrace(); - return trackProgress(AttackResult.failed( "ErrorGenerating" + this.getClass().getName() + " : " + e.getMessage())); + return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build()); } } diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6b.java index bd5f7f607..2bf828c90 100644 --- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6b.java +++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6b.java 
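Review bot: SqlInjectionLesson6a references `sql-injection.6b.success` and `sql-injection.6b.no.results`, the keys named for lesson 6b, while SqlInjectionLesson6b itself (next file in this diff) uses plain `success().build()`/`failed().build()` and never touches them; the properties hunk defines no `sql-injection.6a.*` keys at all. Change the references here to `sql-injection.6a.success` / `sql-injection.6a.no.results` and add those keys (or rename the existing ones), so that a later edit to 6b's messages cannot change what 6a shows. The enclosing method starts outside the hunk.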
@@ -1,24 +1,22 @@ package org.owasp.webgoat.plugin; -import java.io.IOException; -import java.sql.Connection; -import java.sql.ResultSet; -import java.sql.SQLException; -import java.sql.Statement; - -import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.Path; - -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.lessons.AttackResult; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.session.DatabaseUtilities; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; +import javax.servlet.http.HttpServletRequest; +import java.io.IOException; +import java.sql.Connection; +import java.sql.ResultSet; +import java.sql.SQLException; +import java.sql.Statement; + /*************************************************************************************************** @@ -57,9 +55,9 @@ public class SqlInjectionLesson6b extends AssignmentEndpoint { @RequestMapping(method = RequestMethod.POST) public @ResponseBody AttackResult completed(@RequestParam String userid_6b, HttpServletRequest request) throws IOException { if (userid_6b.toString().equals(getPassword())) { - return trackProgress(AttackResult.success()); + return trackProgress(success().build()); } else { - return trackProgress(AttackResult.failed("You are close, try again")); + return trackProgress(failed().build()); } } diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/plugin/i18n/WebGoatLabels.properties index 6ad457235..93f845687 100644 
--- a/webgoat-lessons/sql-injection/src/main/resources/plugin/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/sql-injection/src/main/resources/plugin/i18n/WebGoatLabels.properties @@ -6,3 +6,13 @@ SqlStringInjectionHint1=The application is taking your input and inserting it at SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:

"SELECT * FROM user_data WHERE last_name = "accountName" SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ]. + + +sql-injection.5a.success=You have succeed: +sql-injection.5a.no.results=No results matched. Try Again. + +sql-injection.5b.success=You have succeed: +sql-injection.5b.no.results=No results matched. Try Again. + +sql-injection.6b.success=You have succeed: +sql-injection.6b.no.results=No results matched. Try Again. \ No newline at end of file diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java index 45092502a..f08258245 100644 --- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java +++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java @@ -2,16 +2,15 @@ package org.owasp.webgoat.plugin; import com.google.common.base.Joiner; import org.apache.commons.lang.exception.ExceptionUtils; -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.lessons.AttackResult; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; import org.springframework.http.MediaType; import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.ResponseBody; -import javax.ws.rs.Path; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths; 
@@ -66,9 +65,9 @@ public class BlindSendFileAssignment extends AssignmentEndpoint { boolean solved = lines.stream().filter(l -> l.contains("WebGoat 8 rocks...")).findFirst().isPresent(); logFile.delete(); if (solved) { - return AttackResult.success(String.format("Contents of the file is: %s", Joiner.on('\n').join(lines))); + return success().output("xxe.blind.output").outputArgs(Joiner.on('\n').join(lines)).build(); } else { - return AttackResult.failed("Try again...", error); + return failed().output(error).build(); } } diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java index 23bb4e6c0..0b2fa3611 100644 --- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java +++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java @@ -1,9 +1,10 @@ package org.owasp.webgoat.plugin; import com.fasterxml.jackson.databind.ObjectMapper; -import org.owasp.webgoat.endpoints.AssignmentEndpoint; -import org.owasp.webgoat.endpoints.AssignmentPath; -import org.owasp.webgoat.lessons.AttackResult; +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentHints; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; import org.springframework.http.MediaType; import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RequestHeader; @@ -11,7 +12,6 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.ResponseBody; -import javax.ws.rs.Path; import java.io.IOException; import static org.owasp.webgoat.plugin.SimpleXXE.checkSolution; 
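Review bot: `success().output("xxe.blind.output").outputArgs(...)` treats the argument of `output(...)` as a message key, whereas every other call in this commit passes it literal text — `failed().output(error)` two lines below, `.output(currentUserProfile.profileToMap().toString())` in the idor lessons, `.output(sqle.getMessage())` in sql-injection — and ContentTypeAssignment's `success().output("xxe.content.output")` has the same key-shaped form. Only one convention can match a single builder, so either the key or the literal will reach the browser unresolved; the `AttackResult` builder is not visible here, so this needs checking against its implementation. A short Javadoc on the builder's `output(...)` method stating whether it takes a key or display text would keep the two styles from diverging again. The enclosing method starts outside the hunk.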
@@ -47,24 +47,25 @@ import static org.owasp.webgoat.plugin.SimpleXXE.parseXml; * @since November 17, 2016 */ @AssignmentPath("XXE/content-type") +@AssignmentHints({"xxe.hints.content.type.xxe.1", "xxe.hints.content.type.xxe.2"}) public class ContentTypeAssignment extends AssignmentEndpoint { @RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE) @ResponseBody public AttackResult createNewUser(@RequestBody String userInfo, @RequestHeader("Content-Type") String contentType) throws Exception { User user = new User(); - AttackResult attackResult = AttackResult.failed("Try again!"); + AttackResult attackResult = failed().build(); if (MediaType.APPLICATION_JSON_VALUE.equals(contentType)) { user = parseJson(userInfo); - attackResult = AttackResult.failed("You are posting JSON which does not work with a XXE"); + attackResult = failed().feedback("xxe.content.type.feedback.json").build(); } if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) { user = parseXml(userInfo); - attackResult = AttackResult.failed("You are posting XML but there is no XXE attack performed"); + attackResult = failed().feedback("xxe.content.type.feedback.xml").build(); } if (checkSolution(user)) { - attackResult = AttackResult.success(String.format("Welcome %s", user.getUsername())); + attackResult = success().output("xxe.content.output").outputArgs(user.getUsername()).build(); } return attackResult; } diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java index d6f591c9a..618c1e3a3 100644 --- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java +++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java 
@@ -1,7 +1,7 @@
 package org.owasp.webgoat.plugin;
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.endpoints.Endpoint;
+import org.owasp.webgoat.assignments.Endpoint;
 import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java
index 908174412..eff49b9d3 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java
@@ -1,16 +1,16 @@
 package org.owasp.webgoat.plugin;
 import org.apache.commons.exec.OS;
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentPath;
-import org.owasp.webgoat.lessons.AttackResult;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
-import javax.ws.rs.Path;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.Unmarshaller;
 import javax.xml.stream.XMLInputFactory;
@@ -47,6 +47,7 @@ import java.io.StringReader;
 * @since November 17, 2016
 */
 @AssignmentPath("XXE/simple")
+@AssignmentHints({"xxe.hints.simple.xxe.1", "xxe.hints.simple.xxe.2", "xxe.hints.simple.xxe.3", "xxe.hints.simple.xxe.4"})
 public class SimpleXXE extends AssignmentEndpoint {
 private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "opt", "var"};
@@ -57,13 +58,11 @@ public class SimpleXXE extends AssignmentEndpoint { public AttackResult createNewUser(@RequestBody String userInfo) throws Exception { User user = parseXml(userInfo); if (checkSolution(user)) { - return AttackResult.success("Congratulation", String.format("Welcome %s you can now login to our website", user.getUsername())); - } - if (userInfo.contains(" +# Copyright (c) 2002 - 2017 Bruce Mayhew +#

+# This program is free software; you can redistribute it and/or modify it under the terms of the
+# GNU General Public License as published by the Free Software Foundation; either version 2 of the
+# License, or (at your option) any later version.
+#

+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#

+# You should have received a copy of the GNU General Public License along with this program; if
+# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+# 02111-1307, USA.
+#

+# Getting Source ==============
+#

+# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+# projects.
+#

+#
+xxe.simple.output=Welcome {0} you can now login to our website
+xxe.content.type.feedback.json=You are posting JSON which does not work with a XXE
+xxe.content.type.feedback.xml=You are posting XML but there is no XXE attack performed
+xxe.content.output=Welcome {0} you can now login to our website
+xxe.blind.output=Contents of the file is:
+
+xxe.hints.simple.xxe.1=Try submitting the form and see what happens
+xxe.hints.simple.xxe.2=XXE stands for XML External Entity attack
+xxe.hints.simple.xxe.3=Try to include your own DTD
+xxe.hints.simple.xxe.4=Try to include a doctype (