diff --git a/common/activity.mk b/common/activity.mk
new file mode 100644
index 00000000..d6474816
--- /dev/null
+++ b/common/activity.mk
@@ -0,0 +1,39 @@
+INTERNAL_PORT := 80
+CONT_NAME := ${IMG_NAME}
+FILE_FLAG := ../flag
+FLAG := $(shell cat $(FILE_FLAG))
+
+ifndef CONT_NAME
+$(error You need to set a name for IMG_NAME variable(e.g. sss-web-01_activity-name).)
+endif
+
+ifndef FILE_TEMPLATE
+$(error You need to set a path for FILE_TEMPLATE.)
+endif
+
+ifndef FILE_SRC
+$(error You need to set a path for FILE_SRC.)
+endif
+
+ifndef EXTERNAL_PORT
+$(error You need to set EXTERNAL_PORT variable.)
+endif
+
+run: generate build
+ docker run -d -p $(EXTERNAL_PORT):$(INTERNAL_PORT) --name $(CONT_NAME) -t $(IMG_NAME)
+
+build: generate
+ docker build -t $(IMG_NAME) -f Dockerfile ..
+
+generate:
+ sed 's/__TEMPLATE__/$(FLAG)/g' $(FILE_TEMPLATE) > $(FILE_SRC)
+
+stop:
+ docker stop $(CONT_NAME)
+
+clean: stop
+ docker rm $(IMG_NAME)
+ docker image rm $(IMG_NAME):latest
+ rm $(FILE_SRC)
+
+.PHONY: run build generate stop clean
diff --git a/web-basics-browser-security-model/activities/cockroach/README.md b/web-basics-browser-security-model/activities/cockroach/README.md
new file mode 100644
index 00000000..26b50938
--- /dev/null
+++ b/web-basics-browser-security-model/activities/cockroach/README.md
@@ -0,0 +1,19 @@
+# Name
+
+Web: Web basics and browser security model: Cockroach
+
+## Description
+
+Get the flag from [cockroach](http://141.85.224.157:8080/cockroach/).
+What happened?
+Get the flag!
+
+Score: 25
+
+## Vulnerability
+
+The flag is displayed only if the `DELETE` method is called for the exposed route.
+
+## Exploit
+
+Solution in `./sol/solution`.
diff --git a/web-basics-browser-security-model/activities/cockroach/deploy/Dockerfile b/web-basics-browser-security-model/activities/cockroach/deploy/Dockerfile
new file mode 100644
index 00000000..dd3d62dd
--- /dev/null
+++ b/web-basics-browser-security-model/activities/cockroach/deploy/Dockerfile
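Review bot: The `generate` recipe pastes the contents of `../flag` unescaped into both the shell command line and the sed replacement (`sed 's/__TEMPLATE__/$(FLAG)/g'`), so a flag containing `/`, `&` or a single quote either corrupts the substitution or is interpreted by the shell. Reading and escaping the file inside the recipe avoids both: `sed "s/__TEMPLATE__/$$(sed 's/[\/&]/\\&/g' $(FILE_FLAG))/g" $(FILE_TEMPLATE) > $(FILE_SRC)`. In `clean`, `docker rm $(IMG_NAME)` removes the container only because `CONT_NAME` happens to equal `IMG_NAME`; it should read `docker rm $(CONT_NAME)`. `clean` also stops at the `stop` prerequisite when the container is not running, which leaves the flag-bearing `$(FILE_SRC)` on disk.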
@@ -0,0 +1,10 @@
+FROM tiangolo/uwsgi-nginx-flask:python3.8
+
+# copy over our requirements.txt file
+COPY src/requirements.txt /tmp/
+
+# upgrade pip and install required python packages
+RUN pip3 install --no-cache-dir -r /tmp/requirements.txt && mkdir app
+
+# copy over our app code
+COPY src/main.py /app
diff --git a/web-basics-browser-security-model/activities/cockroach/deploy/Makefile b/web-basics-browser-security-model/activities/cockroach/deploy/Makefile
new file mode 100644
index 00000000..6c3ac8b9
--- /dev/null
+++ b/web-basics-browser-security-model/activities/cockroach/deploy/Makefile
@@ -0,0 +1,6 @@
+EXTERNAL_PORT := 8080
+IMG_NAME := sss-web-01_cockroach
+FILE_TEMPLATE := ../src/main.template.py
+FILE_SRC := ../src/main.py
+
+include activity.mk
diff --git a/web-basics-browser-security-model/activities/cockroach/deploy/activity.mk b/web-basics-browser-security-model/activities/cockroach/deploy/activity.mk
new file mode 120000
index 00000000..ebadabe9
--- /dev/null
+++ b/web-basics-browser-security-model/activities/cockroach/deploy/activity.mk
@@ -0,0 +1 @@
+../../../../common/activity.mk
\ No newline at end of file
diff --git a/web-basics-browser-security-model/activities/cockroach/flag b/web-basics-browser-security-model/activities/cockroach/flag
new file mode 100644
index 00000000..706d874a
--- /dev/null
+++ b/web-basics-browser-security-model/activities/cockroach/flag
@@ -0,0 +1 @@
+SSS{You_smashed_it}
diff --git a/web-basics-browser-security-model/activities/cockroach/src/main.template.py b/web-basics-browser-security-model/activities/cockroach/src/main.template.py
new file mode 100644
index 00000000..89e8c8d7
--- /dev/null
+++ b/web-basics-browser-security-model/activities/cockroach/src/main.template.py
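Review bot: The `RUN` line creates `app` relative to whatever working directory the base image sets, while the following `COPY` targets the absolute path `/app`, so the two only agree if the image's working directory is `/`; if it is already `/app` (not visible from this hunk), `mkdir app` creates an unused `/app/app`. Dropping the `mkdir` and writing the destination as a directory, `COPY src/main.py /app/`, makes the intent explicit. The comment above the `RUN` says pip is upgraded, but the command only installs the requirements; `# install required python packages` would match. The same Dockerfile is added for `gimme` and `my-special-name`.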
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: BSD-3-Clause
+
+from flask import Flask
+
+app = Flask(__name__)
+
+
+@app.route("/cockroach", methods=["DELETE"])
+def delete_this_bastard():
+ return "__TEMPLATE__"
+
+
+if __name__ == "__main__":
+ app.run(host="127.0.0.1")
diff --git a/web-basics-browser-security-model/activities/cockroach/src/requirements.txt b/web-basics-browser-security-model/activities/cockroach/src/requirements.txt
new file mode 100644
index 00000000..37837a81
--- /dev/null
+++ b/web-basics-browser-security-model/activities/cockroach/src/requirements.txt
@@ -0,0 +1,6 @@
+click==8.0.1
+Flask==2.0.1
+itsdangerous==2.0.1
+Jinja2==3.0.1
+MarkupSafe==2.0.1
+Werkzeug==2.0.1
diff --git a/web-basics-browser-security-model/activities/eyes/README.md b/web-basics-browser-security-model/activities/eyes/README.md
new file mode 100644
index 00000000..1d488a70
--- /dev/null
+++ b/web-basics-browser-security-model/activities/eyes/README.md
@@ -0,0 +1,18 @@
+# Name
+
+Web: Web basics and browser security model: Eyes
+
+## Description
+
+Get the flag from [eyes](http://141.85.224.118:8081/eyes).
+
+Score: 25
+
+## Vulnerability
+
+The flag is hidden somewhere in the source code.
+Check CSS style.
+
+## Exploit
+
+Script in `./sol/solution`.
diff --git a/web-basics-browser-security-model/activities/eyes/deploy/Dockerfile b/web-basics-browser-security-model/activities/eyes/deploy/Dockerfile
new file mode 100644
index 00000000..44e6fb5b
--- /dev/null
+++ b/web-basics-browser-security-model/activities/eyes/deploy/Dockerfile
@@ -0,0 +1,3 @@
+FROM php:7.2-apache
+
+COPY /src/index.html /var/www/html/eyes/
diff --git a/web-basics-browser-security-model/activities/eyes/deploy/Makefile b/web-basics-browser-security-model/activities/eyes/deploy/Makefile
new file mode 100644
index 00000000..82c4bb40
--- /dev/null
+++ b/web-basics-browser-security-model/activities/eyes/deploy/Makefile
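Review bot: The route is registered as `"/cockroach"` without a trailing slash, but the README added in this commit links to `/cockroach/`; Flask answers a trailing-slash request to a slash-less rule with 404, so the documented URL will not reach `delete_this_bastard()` unless a front-end rewrites it. Registering `@app.route("/cockroach/", methods=["DELETE"])` serves the documented URL directly, and Flask redirects the slash-less form to it. The handler also has no docstring; one line such as `"""Return the flag; reachable only with the DELETE method (the point of the exercise)."""` would record that the method restriction is deliberate.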
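Review bot: `FROM php:7.2-apache` builds on a PHP release that reached end of life in November 2020, so the interpreter in this image no longer receives security fixes, and the README links suggest the container is exposed on a public address. This activity copies only a static `index.html`, so it does not appear to need PHP at all; `FROM httpd:2.4` (with the matching document root) or a currently supported `php:<version>-apache` tag would reduce what has to be patched. The same base image is used by the `give-to-get`, `give-to-post`, `king-kong` and `name` Dockerfiles in this commit.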
@@ -0,0 +1,6 @@ +EXTERNAL_PORT := 8081 +IMG_NAME := sss-web-01_eyes +FILE_TEMPLATE := ../src/index.template.html +FILE_SRC := ../src/index.html + +include activity.mk diff --git a/web-basics-browser-security-model/activities/eyes/deploy/activity.mk b/web-basics-browser-security-model/activities/eyes/deploy/activity.mk new file mode 120000 index 00000000..ebadabe9 --- /dev/null +++ b/web-basics-browser-security-model/activities/eyes/deploy/activity.mk @@ -0,0 +1 @@ +../../../../common/activity.mk \ No newline at end of file diff --git a/web-basics-browser-security-model/activities/eyes/flag b/web-basics-browser-security-model/activities/eyes/flag new file mode 100644 index 00000000..87fc87cc --- /dev/null +++ b/web-basics-browser-security-model/activities/eyes/flag @@ -0,0 +1 @@ +SSS{almost_in_plain_site} \ No newline at end of file diff --git a/web-basics-browser-security-model/activities/eyes/src/index.template.html b/web-basics-browser-security-model/activities/eyes/src/index.template.html new file mode 100644 index 00000000..fbac534d --- /dev/null +++ b/web-basics-browser-security-model/activities/eyes/src/index.template.html @@ -0,0 +1,369 @@ + + + + + + Apache2 Debian Default Page: It works + + + +
+ + +
+ + +
+
+ It works! +
+
+

+ This is the default welcome page used to test the correct + operation of the Apache2 server after installation on Debian systems. + If you can read this page, it means that the Apache HTTP server installed at + this site is working properly. You should replace this file (located at + /var/www/html/index.html) before continuing to operate your HTTP server. +

+ + +

+ If you are a normal user of this web site and don't know what this page is + about, this probably means that the site is currently unavailable due to + maintenance. + If the problem persists, please contact the site's administrator. +

+ +
+
+
+ Configuration Overview +
+
+

+ Debian's Apache2 default configuration is different from the + upstream default configuration, and split into several files optimized for + interaction with Debian tools. The configuration system is + fully documented in + /usr/share/doc/apache2/README.Debian.gz. Refer to this for the full + documentation. Documentation for the web server itself can be + found by accessing the manual if the apache2-doc + package was installed on this server. + +

+

+ The configuration layout for an Apache2 web server installation on Debian systems is as follows: +

+
+/etc/apache2/
+|-- apache2.conf
+|       `--  ports.conf
+|-- mods-enabled
+|       |-- *.load
+|       `-- *.conf
+|-- conf-enabled
+|       `-- *.conf
+|-- sites-enabled
+|       `-- *.conf
+          
+
    +
  • + apache2.conf is the main configuration + file. It puts the pieces together by including all remaining configuration + files when starting up the web server. +
  • + +
  • + ports.conf is always included from the + main configuration file. It is used to determine the listening ports for + incoming connections, and this file can be customized anytime. +
  • + +
  • + Configuration files in the mods-enabled/, + conf-enabled/ and sites-enabled/ directories contain + particular configuration snippets which manage modules, global configuration + fragments, or virtual host configurations, respectively. +
  • + +
  • + They are activated by symlinking available + configuration files from their respective + *-available/ counterparts. These should be managed + by using our helpers + + a2enmod, + a2dismod, + + + a2ensite, + a2dissite, + + and + + a2enconf, + a2disconf + . See their respective man pages for detailed information. +
  • + +
  • + The binary is called apache2. Due to the use of + environment variables, in the default configuration, apache2 needs to be + started/stopped with /etc/init.d/apache2 or apache2ctl. + Calling /usr/bin/apache2 directly will not work with the + default configuration. +
  • +
+
+ +
+
+ Document Roots +
+ +
+

+ By default, Debian does not allow access through the web browser to + any file apart of those located in /var/www, + public_html + directories (when enabled) and /usr/share (for web + applications). If your site is using a web document root + located elsewhere (such as in /srv) you may need to whitelist your + document root directory in /etc/apache2/apache2.conf. +

+

+ The default Debian document root is /var/www/html. You + can make your own virtual hosts under /var/www. This is different + to previous releases which provides better security out of the box. +

+
+ +
+
+ Reporting Problems +
+
+

+ Please use the reportbug tool to report bugs in the + Apache2 package with Debian. However, check existing bug reports before reporting a new bug. +

+

+ Please report bugs specific to modules (such as PHP and others) + to respective packages, not to the web server itself. +

+
+ + + + +
+
+
+
+ + + diff --git a/web-basics-browser-security-model/activities/gimme/README.md b/web-basics-browser-security-model/activities/gimme/README.md new file mode 100644 index 00000000..1d269f85 --- /dev/null +++ b/web-basics-browser-security-model/activities/gimme/README.md @@ -0,0 +1,18 @@ +# Name + +Web: Web basics and browser security model: Gimme + +## Description + +Get the flag from [gimme](http://141.85.224.157:8082/gimme) (now it’s safe! no more cockroaches :D). +Try to add a new resource. + +Score: 25 + +## Vulnerability + +The flag is displayed only if the `POST` method is called with a body of length equal to 35 for the exposed route. + +## Exploit + +Script in `./sol/solution`. diff --git a/web-basics-browser-security-model/activities/gimme/deploy/Dockerfile b/web-basics-browser-security-model/activities/gimme/deploy/Dockerfile new file mode 100644 index 00000000..dd3d62dd --- /dev/null +++ b/web-basics-browser-security-model/activities/gimme/deploy/Dockerfile @@ -0,0 +1,10 @@ +FROM tiangolo/uwsgi-nginx-flask:python3.8 + +# copy over our requirements.txt file +COPY src/requirements.txt /tmp/ + +# upgrade pip and install required python packages +RUN pip3 install --no-cache-dir -r /tmp/requirements.txt && mkdir app + +# copy over our app code +COPY src/main.py /app diff --git a/web-basics-browser-security-model/activities/gimme/deploy/Makefile b/web-basics-browser-security-model/activities/gimme/deploy/Makefile new file mode 100644 index 00000000..c596252c --- /dev/null +++ b/web-basics-browser-security-model/activities/gimme/deploy/Makefile @@ -0,0 +1,6 @@ +EXTERNAL_PORT := 8082 +IMG_NAME := sss-web-01_gimme +FILE_TEMPLATE := ../src/main.template.py +FILE_SRC := ../src/main.py + +include activity.mk diff --git a/web-basics-browser-security-model/activities/gimme/deploy/activity.mk b/web-basics-browser-security-model/activities/gimme/deploy/activity.mk new file mode 120000 index 00000000..ebadabe9 --- /dev/null 
+++ b/web-basics-browser-security-model/activities/gimme/deploy/activity.mk
@@ -0,0 +1 @@
+../../../../common/activity.mk
\ No newline at end of file
diff --git a/web-basics-browser-security-model/activities/gimme/flag b/web-basics-browser-security-model/activities/gimme/flag
new file mode 100644
index 00000000..88d9e37d
--- /dev/null
+++ b/web-basics-browser-security-model/activities/gimme/flag
@@ -0,0 +1 @@
+SSS{dont_forget_the_content_length}
\ No newline at end of file
diff --git a/web-basics-browser-security-model/activities/gimme/src/main.template.py b/web-basics-browser-security-model/activities/gimme/src/main.template.py
new file mode 100644
index 00000000..974518e7
--- /dev/null
+++ b/web-basics-browser-security-model/activities/gimme/src/main.template.py
@@ -0,0 +1,23 @@
+# SPDX-License-Identifier: BSD-3-Clause
+
+from flask import Flask, request
+
+app = Flask(__name__)
+
+
+@app.route("/gimme", methods=["POST"])
+def post_method_with_content_type():
+ body = request.data
+ flag = "__TEMPLATE__"
+
+ if not body:
+ return "Did you miss something?"
+
+ if len(body) == len(flag):
+ return flag
+
+ return "Not great, not terrible! You should try 35 :)"
+
+
+if __name__ == "__main__":
+ app.run(host="127.0.0.1")
diff --git a/web-basics-browser-security-model/activities/gimme/src/requirements.txt b/web-basics-browser-security-model/activities/gimme/src/requirements.txt
new file mode 100644
index 00000000..e616642b
--- /dev/null
+++ b/web-basics-browser-security-model/activities/gimme/src/requirements.txt
@@ -0,0 +1,6 @@
+click==8.0.1
+Flask==2.0.1
+itsdangerous==2.0.1
+Jinja2==3.0.1
+MarkupSafe==2.0.1
+Werkzeug==2.0.1
\ No newline at end of file
diff --git a/web-basics-browser-security-model/activities/give-to-get/README.md b/web-basics-browser-security-model/activities/give-to-get/README.md
new file mode 100644
index 00000000..b6fc3ae4
--- /dev/null
+++ b/web-basics-browser-security-model/activities/give-to-get/README.md
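Review bot: The hint in the last `return` of `post_method_with_content_type()` hard-codes 35 while the check above it compares against `len(flag)`, so the hint goes stale as soon as the flag file is changed and the template is regenerated. Deriving it from the same value keeps the two in step: `return f"Not great, not terrible! You should try {len(flag)} :)"`. The comparison is between the byte length of `request.data` and the character length of `flag`, which agree only while the flag stays ASCII; a short comment saying so would help whoever edits the flag next.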
@@ -0,0 +1,17 @@
+# Name
+
+Web: Web basics and browser security model: Give to get
+
+## Description
+
+Get the flag from [give-to-get](http://141.85.224.118:8084/give-to-get/).
+
+Score: 50
+
+## Vulnerability
+
+The flag is displayed only if you send a query parameter with `?ask=flag`.
+
+## Exploit
+
+Script in `./sol/solution`.
diff --git a/web-basics-browser-security-model/activities/give-to-get/deploy/Dockerfile b/web-basics-browser-security-model/activities/give-to-get/deploy/Dockerfile
new file mode 100644
index 00000000..6e68e606
--- /dev/null
+++ b/web-basics-browser-security-model/activities/give-to-get/deploy/Dockerfile
@@ -0,0 +1,3 @@
+FROM php:7.2-apache
+
+COPY /src/index.php /var/www/html/give-to-get/
diff --git a/web-basics-browser-security-model/activities/give-to-get/deploy/Makefile b/web-basics-browser-security-model/activities/give-to-get/deploy/Makefile
new file mode 100644
index 00000000..820281b8
--- /dev/null
+++ b/web-basics-browser-security-model/activities/give-to-get/deploy/Makefile
@@ -0,0 +1,6 @@
+EXTERNAL_PORT := 8084
+IMG_NAME := sss-web-01_give-to-get
+FILE_TEMPLATE := ../src/index.template.php
+FILE_SRC := ../src/index.php
+
+include activity.mk
diff --git a/web-basics-browser-security-model/activities/give-to-get/deploy/activity.mk b/web-basics-browser-security-model/activities/give-to-get/deploy/activity.mk
new file mode 120000
index 00000000..ebadabe9
--- /dev/null
+++ b/web-basics-browser-security-model/activities/give-to-get/deploy/activity.mk
@@ -0,0 +1 @@
+../../../../common/activity.mk
\ No newline at end of file
diff --git a/web-basics-browser-security-model/activities/give-to-get/flag b/web-basics-browser-security-model/activities/give-to-get/flag
new file mode 100644
index 00000000..0a43293f
--- /dev/null
+++ b/web-basics-browser-security-model/activities/give-to-get/flag
@@ -0,0 +1 @@
+SSS{giving_is_receiving}
\ No newline at end of file
diff --git a/web-basics-browser-security-model/activities/give-to-get/src/index.template.php b/web-basics-browser-security-model/activities/give-to-get/src/index.template.php new file mode 100644 index 00000000..cd873322 --- /dev/null +++ b/web-basics-browser-security-model/activities/give-to-get/src/index.template.php @@ -0,0 +1,17 @@ + + + + This is the title of the webpage! + + + You have to ask for the flag to get it!

'; + if (isset($_GET['ask']) && !empty($_GET['ask'])) { + if ($_GET['ask'] == "flag") { + $message='

__TEMPLATE__

'; + } + } + echo $message; + ?> + + diff --git a/web-basics-browser-security-model/activities/give-to-post/README.md b/web-basics-browser-security-model/activities/give-to-post/README.md new file mode 100644 index 00000000..28b7ac53 --- /dev/null +++ b/web-basics-browser-security-model/activities/give-to-post/README.md @@ -0,0 +1,17 @@ +# Name + +Web: Web basics and browser security model: Give to post + +## Description + +Get the flag from [give-to-post](http://141.85.224.118:8085/give-to-post/). + +Score: 50 + +## Vulnerability + +The flag is displayed only if you send form data (application/x-www-form-urlencoded) with ask=flag. + +## Exploit + +Script in `./sol/solution`. diff --git a/web-basics-browser-security-model/activities/give-to-post/deploy/Dockerfile b/web-basics-browser-security-model/activities/give-to-post/deploy/Dockerfile new file mode 100644 index 00000000..372c12d4 --- /dev/null +++ b/web-basics-browser-security-model/activities/give-to-post/deploy/Dockerfile @@ -0,0 +1,3 @@ +FROM php:7.2-apache + +COPY /src/index.php /var/www/html/give-to-post/ diff --git a/web-basics-browser-security-model/activities/give-to-post/deploy/Makefile b/web-basics-browser-security-model/activities/give-to-post/deploy/Makefile new file mode 100644 index 00000000..d9a46083 --- /dev/null +++ b/web-basics-browser-security-model/activities/give-to-post/deploy/Makefile @@ -0,0 +1,6 @@ +EXTERNAL_PORT := 8085 +IMG_NAME := sss-web-01_give-to-post +FILE_TEMPLATE := ../src/index.template.php +FILE_SRC := ../src/index.php + +include activity.mk diff --git a/web-basics-browser-security-model/activities/give-to-post/deploy/activity.mk b/web-basics-browser-security-model/activities/give-to-post/deploy/activity.mk new file mode 120000 index 00000000..ebadabe9 --- /dev/null +++ b/web-basics-browser-security-model/activities/give-to-post/deploy/activity.mk @@ -0,0 +1 @@ +../../../../common/activity.mk \ No newline at end of file 
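Review bot: The two nested conditions test the parameter three times (`isset`, `!empty`, then a loose `==`), where one strict comparison says the same thing: `if (($_GET['ask'] ?? '') === 'flag') {`. The strict form also keeps the check from depending on PHP's type-juggling rules should the compared value ever stop being a plain string literal. The same pattern appears with `$_POST['ask']` in the `give-to-post` template added by this commit. The markup around the PHP block is not visible on this page, so this covers only the comparison.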
diff --git a/web-basics-browser-security-model/activities/give-to-post/flag b/web-basics-browser-security-model/activities/give-to-post/flag new file mode 100644 index 00000000..ab8cf337 --- /dev/null +++ b/web-basics-browser-security-model/activities/give-to-post/flag @@ -0,0 +1 @@ +SSS{this_is_how_we_roll} diff --git a/web-basics-browser-security-model/activities/give-to-post/src/index.template.php b/web-basics-browser-security-model/activities/give-to-post/src/index.template.php new file mode 100644 index 00000000..8824852b --- /dev/null +++ b/web-basics-browser-security-model/activities/give-to-post/src/index.template.php @@ -0,0 +1,17 @@ + + + + This is the title of the webpage! + + + You have to ask for the flag to post it!

'; + if (isset($_POST['ask']) && !empty($_POST['ask'])) { + if ($_POST['ask'] == "flag") { + $message='

__TEMPLATE__

'; + } + } + echo $message . "\n"; + ?> + + diff --git a/web-basics-browser-security-model/activities/king-kong/README.md b/web-basics-browser-security-model/activities/king-kong/README.md new file mode 100644 index 00000000..276be3b0 --- /dev/null +++ b/web-basics-browser-security-model/activities/king-kong/README.md @@ -0,0 +1,17 @@ +# Name + +Web: Web basics and browser security model: King-Kong + +## Description + +Get the flag from [king-kong](http://141.85.224.118:8086/king-kong/). + +Score: 25 + +## Vulnerability + +The flag is displayed only if you send a request with `User-Agent` changed to `King-Kong`. + +## Exploit + +Script in `./sol/solution`. diff --git a/web-basics-browser-security-model/activities/king-kong/deploy/Dockerfile b/web-basics-browser-security-model/activities/king-kong/deploy/Dockerfile new file mode 100644 index 00000000..dd41e1ea --- /dev/null +++ b/web-basics-browser-security-model/activities/king-kong/deploy/Dockerfile @@ -0,0 +1,3 @@ +FROM php:7.2-apache + +COPY /src/index.php /var/www/html/king-kong/ diff --git a/web-basics-browser-security-model/activities/king-kong/deploy/Makefile b/web-basics-browser-security-model/activities/king-kong/deploy/Makefile new file mode 100644 index 00000000..fb29848e --- /dev/null +++ b/web-basics-browser-security-model/activities/king-kong/deploy/Makefile @@ -0,0 +1,6 @@ +EXTERNAL_PORT := 8086 +IMG_NAME := sss-web-01_king-kong +FILE_TEMPLATE := ../src/index.template.php +FILE_SRC := ../src/index.php + +include activity.mk diff --git a/web-basics-browser-security-model/activities/king-kong/deploy/activity.mk b/web-basics-browser-security-model/activities/king-kong/deploy/activity.mk new file mode 120000 index 00000000..ebadabe9 --- /dev/null +++ b/web-basics-browser-security-model/activities/king-kong/deploy/activity.mk @@ -0,0 +1 @@ +../../../../common/activity.mk \ No newline at end of file 
diff --git a/web-basics-browser-security-model/activities/king-kong/flag b/web-basics-browser-security-model/activities/king-kong/flag new file mode 100644 index 00000000..11fb6d40 --- /dev/null +++ b/web-basics-browser-security-model/activities/king-kong/flag @@ -0,0 +1 @@ +SSS{godzilla_got_nothing_on_me} diff --git a/web-basics-browser-security-model/activities/king-kong/src/index.template.php b/web-basics-browser-security-model/activities/king-kong/src/index.template.php new file mode 100644 index 00000000..61fbdfb1 --- /dev/null +++ b/web-basics-browser-security-model/activities/king-kong/src/index.template.php @@ -0,0 +1,17 @@ + + + + This is the title of the webpage! + + + I only answer to King-Kong!

'; + if (isset($_SERVER['HTTP_USER_AGENT'])) { + if ($_SERVER['HTTP_USER_AGENT'] == 'King-Kong') { + $message='

__TEMPLATE__

\n'; + } + } + echo $message . "\n"; + ?> + + diff --git a/web-basics-browser-security-model/activities/lame-login/README.md b/web-basics-browser-security-model/activities/lame-login/README.md new file mode 100644 index 00000000..30d536dd --- /dev/null +++ b/web-basics-browser-security-model/activities/lame-login/README.md @@ -0,0 +1,21 @@ +# Name + +Web: Web basics and browser security model: Lame Login + +## Description + +Get the flag from [lame-login](http://141.85.224.157:8087/lamelogin). + +Score: 50 + +## Vulnerability + +In the source you can observe two hashes: +username=d033e22ae348aeb5660fc2140aec35850c4da997(SHA)=admin +password=62d5a7eab7c13e99e355dd05b0377a6d01a8fa99(SHA)=Password123$ + +Then you can use the hashes to login. + +## Exploit + +Script in `./sol/solution`. diff --git a/web-basics-browser-security-model/activities/lame-login/deploy/Dockerfile b/web-basics-browser-security-model/activities/lame-login/deploy/Dockerfile new file mode 100644 index 00000000..10095d18 --- /dev/null +++ b/web-basics-browser-security-model/activities/lame-login/deploy/Dockerfile @@ -0,0 +1,10 @@ +FROM tiangolo/uwsgi-nginx-flask:python3.8 + +# copy over our requirements.txt file +COPY src/requirements.txt /tmp/ + +# upgrade pip and install required python packages +RUN pip3 install --no-cache-dir -r /tmp/requirements.txt && mkdir -p app/templates + +# copy over our app code +COPY src/ /app diff --git a/web-basics-browser-security-model/activities/lame-login/deploy/Makefile b/web-basics-browser-security-model/activities/lame-login/deploy/Makefile new file mode 100644 index 00000000..d048448b --- /dev/null +++ b/web-basics-browser-security-model/activities/lame-login/deploy/Makefile @@ -0,0 +1,6 @@ +EXTERNAL_PORT := 8087 +IMG_NAME := sss-web-01_lame-login +FILE_TEMPLATE := ../src/main.template.py +FILE_SRC := ../src/main.py + +include activity.mk 
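Review bot: The success message ends with `\n` inside a single-quoted string, and PHP does not interpret escape sequences in single quotes, so the response carries a literal backslash and `n` after the flag markup. The `echo $message . "\n";` line already appends a real newline, so the `\n` before the closing quote can simply be removed. The start of the PHP block and the surrounding markup are not visible on this page, so this covers only the assignment inside the `HTTP_USER_AGENT` check.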
diff --git a/web-basics-browser-security-model/activities/lame-login/deploy/activity.mk b/web-basics-browser-security-model/activities/lame-login/deploy/activity.mk
new file mode 120000
index 00000000..ebadabe9
--- /dev/null
+++ b/web-basics-browser-security-model/activities/lame-login/deploy/activity.mk
@@ -0,0 +1 @@
+../../../../common/activity.mk
\ No newline at end of file
diff --git a/web-basics-browser-security-model/activities/lame-login/flag b/web-basics-browser-security-model/activities/lame-login/flag
new file mode 100644
index 00000000..60217519
--- /dev/null
+++ b/web-basics-browser-security-model/activities/lame-login/flag
@@ -0,0 +1 @@
+SSS{come_ooon_dude}
\ No newline at end of file
diff --git a/web-basics-browser-security-model/activities/lame-login/src/main.template.py b/web-basics-browser-security-model/activities/lame-login/src/main.template.py
new file mode 100644
index 00000000..810b6562
--- /dev/null
+++ b/web-basics-browser-security-model/activities/lame-login/src/main.template.py
@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: BSD-3-Clause
+
+from flask import Flask, request, render_template
+
+app = Flask(__name__)
+
+
+@app.route("/login", methods=["GET"])
+def login():
+ username = request.args.get("username")
+ password = request.args.get("password")
+
+ if username == "admin" and password == "Password123$":
+ return "__TEMPLATE__"
+
+ return "Neaahh"
+
+
+@app.route("/lamelogin", methods=["GET"])
+def lamelogin():
+ return render_template("index.html")
+
+
+if __name__ == "__main__":
+ app.run(host="127.0.0.1")
diff --git a/web-basics-browser-security-model/activities/lame-login/src/requirements.txt b/web-basics-browser-security-model/activities/lame-login/src/requirements.txt
new file mode 100644
index 00000000..e616642b
--- /dev/null
+++ b/web-basics-browser-security-model/activities/lame-login/src/requirements.txt
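Review bot: `login()` takes the credentials from the query string of a `GET` request and compares them with hard-coded plaintext literals, and nothing in the file says this is the deliberate weakness of the exercise; query-string credentials end up in access logs and browser history, so the pattern should not be mistaken for a reference login. A comment above the comparison would make that explicit, for example `# Intentionally weak for the exercise: hard-coded credentials, sent in the URL.` The README in this commit says the hashes are used to log in, whereas this handler accepts only the plaintext values, so one of the two descriptions probably needs adjusting (the login form's markup is not visible on this page).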
@@ -0,0 +1,6 @@ +click==8.0.1 +Flask==2.0.1 +itsdangerous==2.0.1 +Jinja2==3.0.1 +MarkupSafe==2.0.1 +Werkzeug==2.0.1 \ No newline at end of file diff --git a/web-basics-browser-security-model/activities/lame-login/src/templates/index.html b/web-basics-browser-security-model/activities/lame-login/src/templates/index.html new file mode 100644 index 00000000..7f72295b --- /dev/null +++ b/web-basics-browser-security-model/activities/lame-login/src/templates/index.html @@ -0,0 +1,19 @@ + + + + Lame Login + + +

This is the best login ever

+ + + +
+ Username:
+ Password:
+ +
+ + + diff --git a/web-basics-browser-security-model/activities/my-special-name/README.md b/web-basics-browser-security-model/activities/my-special-name/README.md new file mode 100644 index 00000000..114457e0 --- /dev/null +++ b/web-basics-browser-security-model/activities/my-special-name/README.md @@ -0,0 +1,20 @@ +# Name + +Web: Web basics and browser security model: My Special Name + +## Description + +Get the flag from [special-name](http://141.85.224.157:80/my-special-name). +Retrieve all the names and you will get the flag. +Use the **name-id** parameter. + +Score: 50 + +## Vulnerability + +The flag is displayed only if the `GET` method with `name-id` as query parameter is called for the exposed route. +You must give it values between 0 and 100 to find the flag. + +## Exploit + +Script in `./sol/solution`. diff --git a/web-basics-browser-security-model/activities/my-special-name/deploy/Dockerfile b/web-basics-browser-security-model/activities/my-special-name/deploy/Dockerfile new file mode 100644 index 00000000..dd3d62dd --- /dev/null +++ b/web-basics-browser-security-model/activities/my-special-name/deploy/Dockerfile @@ -0,0 +1,10 @@ +FROM tiangolo/uwsgi-nginx-flask:python3.8 + +# copy over our requirements.txt file +COPY src/requirements.txt /tmp/ + +# upgrade pip and install required python packages +RUN pip3 install --no-cache-dir -r /tmp/requirements.txt && mkdir app + +# copy over our app code +COPY src/main.py /app diff --git a/web-basics-browser-security-model/activities/my-special-name/deploy/Makefile b/web-basics-browser-security-model/activities/my-special-name/deploy/Makefile new file mode 100644 index 00000000..55a439ed --- /dev/null +++ b/web-basics-browser-security-model/activities/my-special-name/deploy/Makefile @@ -0,0 +1,6 @@ +EXTERNAL_PORT := 8088 +IMG_NAME := sss-web-01_my-special-name +FILE_TEMPLATE := ../src/main.template.py +FILE_SRC := ../src/main.py + +include activity.mk 
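Review bot: `EXTERNAL_PORT := 8088` in the `my-special-name` Makefile does not match the README added alongside it, which links to port 80 for the same activity, so either the published port or the documented URL is wrong unless a proxy outside this commit maps one to the other. A one-line comment next to the assignment, such as `# must match the port in ../README.md`, would keep the two from drifting; the other activities in this commit use the same port in both places.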
diff --git a/web-basics-browser-security-model/activities/my-special-name/deploy/activity.mk b/web-basics-browser-security-model/activities/my-special-name/deploy/activity.mk
new file mode 120000
index 00000000..ebadabe9
--- /dev/null
+++ b/web-basics-browser-security-model/activities/my-special-name/deploy/activity.mk
@@ -0,0 +1 @@
+../../../../common/activity.mk
\ No newline at end of file
diff --git a/web-basics-browser-security-model/activities/my-special-name/flag b/web-basics-browser-security-model/activities/my-special-name/flag
new file mode 100644
index 00000000..75531921
--- /dev/null
+++ b/web-basics-browser-security-model/activities/my-special-name/flag
@@ -0,0 +1 @@
+SSS{th3_Intrud3r}
\ No newline at end of file
diff --git a/web-basics-browser-security-model/activities/my-special-name/src/main.template.py b/web-basics-browser-security-model/activities/my-special-name/src/main.template.py
new file mode 100644
index 00000000..a056b0a3
--- /dev/null
+++ b/web-basics-browser-security-model/activities/my-special-name/src/main.template.py
@@ -0,0 +1,123 @@
+# SPDX-License-Identifier: BSD-3-Clause
+
+from flask import Flask, request
+
+
+app = Flask(__name__)
+
+
+NICE_NAMES = [
+ "albattani",
+ "allen",
+ "almeida",
+ "antonelli",
+ "agnesi",
+ "archimedes",
+ "ardinghelli",
+ "aryabhata",
+ "austin",
+ "babbage",
+ "banach",
+ "banzai",
+ "bardeen",
+ "bartik",
+ "bassi",
+ "beaver",
+ "bell",
+ "benz",
+ "bhabha",
+ "black",
+ "blackburn",
+ "blackwell",
+ "bohr",
+ "booth",
+ "borg",
+ "bose",
+ "bouman",
+ "boyd",
+ "brahmagupta",
+ "brattain",
+ "brown",
+ "buck",
+ "burnell",
+ "cannon",
+ "carson",
+ "cartwright",
+ "carver",
+ "cerf",
+ "chandrasekhar",
+ "chaplygin",
+ "chatelet",
+ "chatterjee",
+ "chebyshev",
+ "cohen",
+ "clarke",
+ "colden",
+ "cori",
+ "cray",
+ "curran",
+ "curie",
+ "darwin",
+ "davinci",
+ "dewdney",
+ "dhawan",
+ "diffie",
+ "galileo",
+ "dijkstra",
+ "dirac",
+ "driscoll",
+ "dubinsky",
+ "easley",
+ "edison",
+ "einstein",
+ "elbakyan",
+ "elgamal",
+ "elion",
+ "ellis",
+ "engelbart",
+ "euclid",
+ "euler",
+ "faraday",
+ "feistel",
+ "fermat",
+ "fermi",
+ "feynman",
+ "franklin",
+ "gagarin",
+ "__TEMPLATE__",
+ "galois",
+ "ganguly",
+ "gates",
+ "gauss",
+ "germain",
+ "goldberg",
+ "goldstine",
+ "goldwasser",
+ "golick",
+ "goodall",
+ "gould",
+ "greider",
+ "grothendieck",
+ "haibt",
+ "hamilton",
+ "haslett",
+ "hawking",
+ "hellman",
+ "heisenberg",
+ "hermann",
+ "herschel",
+ "chaum",
+ "moore",
+]
+
+
+@app.route("/my-special-name", methods=["GET"])
+def my_special_name():
+ name_id = int(request.args.get("name-id"))
+ if name_id >= 100:
+ return NICE_NAMES[name_id % 100]
+ return NICE_NAMES[name_id]
+
+
+if __name__ == "__main__":
+ app.run(host="127.0.0.1")
diff --git a/web-basics-browser-security-model/activities/my-special-name/src/requirements.txt b/web-basics-browser-security-model/activities/my-special-name/src/requirements.txt
new file mode 100644
index 00000000..e616642b
--- /dev/null
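Review bot: `int(request.args.get("name-id"))` in `my_special_name` raises on a missing or non-numeric `name-id` (TypeError or ValueError), and a negative value either wraps around through Python's negative indexing or raises IndexError below -101, so malformed requests end as HTTP 500 instead of a client error. Parsing through the request API and rejecting bad values keeps the handler's failure mode explicit: `name_id = request.args.get("name-id", type=int)` followed by `if name_id is None or name_id < 0: return "name-id must be a non-negative integer", 400`. The hard-coded `100` also does not match the list, which has 101 entries in this hunk, so the last entry is never returned for a non-negative id; `NICE_NAMES[name_id % len(NICE_NAMES)]` would replace both the branch and the constant if that is the intent.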
+++ b/web-basics-browser-security-model/activities/my-special-name/src/requirements.txt
@@ -0,0 +1,6 @@
+click==8.0.1
+Flask==2.0.1
+itsdangerous==2.0.1
+Jinja2==3.0.1
+MarkupSafe==2.0.1
+Werkzeug==2.0.1
\ No newline at end of file
diff --git a/web-basics-browser-security-model/activities/name/README.md b/web-basics-browser-security-model/activities/name/README.md
new file mode 100644
index 00000000..20746215
--- /dev/null
+++ b/web-basics-browser-security-model/activities/name/README.md
@@ -0,0 +1,17 @@
+# Name
+
+Web: Web basics and browser security model: Name
+
+## Description
+
+Get the flag from [name](http://141.85.224.118:8089/name/).
+
+Score: 25
+
+## Vulnerability
+
+The flag is displayed if you access `name/the_flag.html`.
+
+## Exploit
+
+Script in `./sol/solution`.
diff --git a/web-basics-browser-security-model/activities/name/deploy/Dockerfile b/web-basics-browser-security-model/activities/name/deploy/Dockerfile
new file mode 100644
index 00000000..6ca83a46
--- /dev/null
+++ b/web-basics-browser-security-model/activities/name/deploy/Dockerfile
@@ -0,0 +1,3 @@
+FROM php:7.2-apache
+
+COPY /src /var/www/html/name/
diff --git a/web-basics-browser-security-model/activities/name/deploy/Makefile b/web-basics-browser-security-model/activities/name/deploy/Makefile
new file mode 100644
index 00000000..b9809e40
--- /dev/null
+++ b/web-basics-browser-security-model/activities/name/deploy/Makefile
@@ -0,0 +1,6 @@
+EXTERNAL_PORT := 8089
+IMG_NAME := sss-web-01_name
+FILE_TEMPLATE := ../src/the_flag.template.html
+FILE_SRC := ../src/the_flag.html
+
+include activity.mk
diff --git a/web-basics-browser-security-model/activities/name/deploy/activity.mk b/web-basics-browser-security-model/activities/name/deploy/activity.mk
new file mode 120000
index 00000000..ebadabe9
--- /dev/null
+++ b/web-basics-browser-security-model/activities/name/deploy/activity.mk
@@ -0,0 +1 @@
+../../../../common/activity.mk
\ No newline at end of file
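Review bot: `FROM php:7.2-apache` in the name Dockerfile builds on PHP 7.2, which stopped receiving security fixes at the end of November 2020, so the container's unintended attack surface grows over time even though the challenge itself is static. The README links to a public address, so a supported PHP tag would be the safer base, ideally pinned by digest as well. The same `FROM` line appears in the one-by-one, produce-consume and readme Dockerfiles of this commit. `COPY /src` also places the `*.template.*` source next to the generated file in the web root; it only holds the `__TEMPLATE__` placeholder, but a comment such as `# src/ includes the template; the flag is only in the generated file` would make that explicit.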
diff --git a/web-basics-browser-security-model/activities/name/flag b/web-basics-browser-security-model/activities/name/flag new file mode 100644 index 00000000..14a92a2b --- /dev/null +++ b/web-basics-browser-security-model/activities/name/flag @@ -0,0 +1 @@ +SSS{my_name_is_who} diff --git a/web-basics-browser-security-model/activities/name/src/index.html b/web-basics-browser-security-model/activities/name/src/index.html new file mode 100644 index 00000000..37e443f1 --- /dev/null +++ b/web-basics-browser-security-model/activities/name/src/index.html @@ -0,0 +1,10 @@ + + + + This is the title of the webpage! + + +

This is an example paragraph. Anything in the body tag will appear on the page, just like this p tag and its contents.

+

It's not complicated. Get the_flag.

+ + diff --git a/web-basics-browser-security-model/activities/name/src/the_flag.template.html b/web-basics-browser-security-model/activities/name/src/the_flag.template.html new file mode 100644 index 00000000..405102cd --- /dev/null +++ b/web-basics-browser-security-model/activities/name/src/the_flag.template.html @@ -0,0 +1,9 @@ + + + + Flag! + + +

__TEMPLATE__

+
+
diff --git a/web-basics-browser-security-model/activities/one-by-one/README.md b/web-basics-browser-security-model/activities/one-by-one/README.md
new file mode 100644
index 00000000..1a83d854
--- /dev/null
+++ b/web-basics-browser-security-model/activities/one-by-one/README.md
@@ -0,0 +1,17 @@
+# Name
+
+Web: Web basics and browser security model: One-by-One
+
+## Description
+
+Get the flag from [one-by-one](http://141.85.224.118:8090/one-by-one/).
+
+Score: 50
+
+## Vulnerability
+
+The flag is displayed character by character after a new request is sent.
+
+## Exploit
+
+Script in `./sol/solution`.
diff --git a/web-basics-browser-security-model/activities/one-by-one/deploy/Dockerfile b/web-basics-browser-security-model/activities/one-by-one/deploy/Dockerfile
new file mode 100644
index 00000000..378999de
--- /dev/null
+++ b/web-basics-browser-security-model/activities/one-by-one/deploy/Dockerfile
@@ -0,0 +1,3 @@
+FROM php:7.2-apache
+
+COPY /src /var/www/html/one-by-one/
diff --git a/web-basics-browser-security-model/activities/one-by-one/deploy/Makefile b/web-basics-browser-security-model/activities/one-by-one/deploy/Makefile
new file mode 100644
index 00000000..a65e7068
--- /dev/null
+++ b/web-basics-browser-security-model/activities/one-by-one/deploy/Makefile
@@ -0,0 +1,6 @@
+EXTERNAL_PORT := 8090
+IMG_NAME := sss-web-01_one-by-one
+FILE_TEMPLATE := ../src/index.template.php
+FILE_SRC := ../src/index.php
+
+include activity.mk
diff --git a/web-basics-browser-security-model/activities/one-by-one/deploy/activity.mk b/web-basics-browser-security-model/activities/one-by-one/deploy/activity.mk
new file mode 120000
index 00000000..ebadabe9
--- /dev/null
+++ b/web-basics-browser-security-model/activities/one-by-one/deploy/activity.mk
@@ -0,0 +1 @@
+../../../../common/activity.mk
\ No newline at end of file
diff --git a/web-basics-browser-security-model/activities/one-by-one/flag b/web-basics-browser-security-model/activities/one-by-one/flag new file mode 100644 index 00000000..000fe027 --- /dev/null +++ b/web-basics-browser-security-model/activities/one-by-one/flag @@ -0,0 +1 @@ +SSS{this_is_a_very_long_flag_for_which_you_should_have_a_script_so_as_not_to_get_bored} \ No newline at end of file diff --git a/web-basics-browser-security-model/activities/one-by-one/src/index.template.php b/web-basics-browser-security-model/activities/one-by-one/src/index.template.php new file mode 100644 index 00000000..6f0e5d65 --- /dev/null +++ b/web-basics-browser-security-model/activities/one-by-one/src/index.template.php @@ -0,0 +1,19 @@ +" . $flag[$_SESSION['count']] . "

\n"; +?> + + + + + This is the title of the webpage! + + + + diff --git a/web-basics-browser-security-model/activities/produce-consume/README.md b/web-basics-browser-security-model/activities/produce-consume/README.md new file mode 100644 index 00000000..e595546a --- /dev/null +++ b/web-basics-browser-security-model/activities/produce-consume/README.md @@ -0,0 +1,19 @@ +# Name + +Web: Web basics and browser security model: Produce-Consume + +## Description + +Get the flag from [produce-consume](http://141.85.224.118:8091/produce-consume/). + +See resource [files](https://github.com/security-summer-school/web/tree/master/web-basics-browser-security-model/activities/produce-consume). + +Score: 75 + +## Vulnerability + +The flag is displayed if you use the `PHPSESSID` cookie from `produce.php` to `consume.php`. + +## Exploit + +Script in `./sol/solution`. diff --git a/web-basics-browser-security-model/activities/produce-consume/deploy/Dockerfile b/web-basics-browser-security-model/activities/produce-consume/deploy/Dockerfile new file mode 100644 index 00000000..f619539b --- /dev/null +++ b/web-basics-browser-security-model/activities/produce-consume/deploy/Dockerfile @@ -0,0 +1,3 @@ +FROM php:7.2-apache + +COPY /src /var/www/html/produce-consume/ diff --git a/web-basics-browser-security-model/activities/produce-consume/deploy/Makefile b/web-basics-browser-security-model/activities/produce-consume/deploy/Makefile new file mode 100644 index 00000000..2b59ebf3 --- /dev/null +++ b/web-basics-browser-security-model/activities/produce-consume/deploy/Makefile @@ -0,0 +1,6 @@ +EXTERNAL_PORT := 8091 +IMG_NAME := sss-web-01_produce-consume +FILE_TEMPLATE := ../src/consume.template.php +FILE_SRC := ../src/consume.php + +include activity.mk diff --git a/web-basics-browser-security-model/activities/produce-consume/deploy/activity.mk b/web-basics-browser-security-model/activities/produce-consume/deploy/activity.mk new file mode 120000 index 00000000..ebadabe9 --- /dev/null 
+++ b/web-basics-browser-security-model/activities/produce-consume/deploy/activity.mk
@@ -0,0 +1 @@
+../../../../common/activity.mk
\ No newline at end of file
diff --git a/web-basics-browser-security-model/activities/produce-consume/flag b/web-basics-browser-security-model/activities/produce-consume/flag
new file mode 100644
index 00000000..11bcd1e4
--- /dev/null
+++ b/web-basics-browser-security-model/activities/produce-consume/flag
@@ -0,0 +1 @@
+SSS{seven_years_of_bad_luck}
diff --git a/web-basics-browser-security-model/activities/produce-consume/public/consume.php b/web-basics-browser-security-model/activities/produce-consume/src/consume.template.php
similarity index 100%
rename from web-basics-browser-security-model/activities/produce-consume/public/consume.php
rename to web-basics-browser-security-model/activities/produce-consume/src/consume.template.php
diff --git a/web-basics-browser-security-model/activities/produce-consume/public/index.php b/web-basics-browser-security-model/activities/produce-consume/src/index.php
similarity index 100%
rename from web-basics-browser-security-model/activities/produce-consume/public/index.php
rename to web-basics-browser-security-model/activities/produce-consume/src/index.php
diff --git a/web-basics-browser-security-model/activities/produce-consume/public/produce.php b/web-basics-browser-security-model/activities/produce-consume/src/produce.php
similarity index 100%
rename from web-basics-browser-security-model/activities/produce-consume/public/produce.php
rename to web-basics-browser-security-model/activities/produce-consume/src/produce.php
diff --git a/web-basics-browser-security-model/activities/readme/README.md b/web-basics-browser-security-model/activities/readme/README.md
new file mode 100644
index 00000000..8d460614
--- /dev/null
+++ b/web-basics-browser-security-model/activities/readme/README.md
@@ -0,0 +1,17 @@
+# Name
+
+Web: Web basics and browser security model: Readme
+
+## Description
+
+Get the flag from [readme](http://141.85.224.118:8092/readme/).
+
+Score: 25
+
+## Vulnerability
+
+The flag is showing up in the URL after clicking on the hyperlink.
+
+## Exploit
+
+Script in `./sol/solution`.
diff --git a/web-basics-browser-security-model/activities/readme/deploy/Dockerfile b/web-basics-browser-security-model/activities/readme/deploy/Dockerfile
new file mode 100644
index 00000000..a7156c01
--- /dev/null
+++ b/web-basics-browser-security-model/activities/readme/deploy/Dockerfile
@@ -0,0 +1,3 @@
+FROM php:7.2-apache
+
+COPY /src /var/www/html/readme/
diff --git a/web-basics-browser-security-model/activities/readme/deploy/Makefile b/web-basics-browser-security-model/activities/readme/deploy/Makefile
new file mode 100644
index 00000000..04dd69e2
--- /dev/null
+++ b/web-basics-browser-security-model/activities/readme/deploy/Makefile
@@ -0,0 +1,6 @@
+EXTERNAL_PORT := 8092
+IMG_NAME := sss-web-01_readme
+FILE_TEMPLATE := ../src/index.template.html
+FILE_SRC := ../src/index.html
+
+include activity.mk
diff --git a/web-basics-browser-security-model/activities/readme/deploy/activity.mk b/web-basics-browser-security-model/activities/readme/deploy/activity.mk
new file mode 120000
index 00000000..ebadabe9
--- /dev/null
+++ b/web-basics-browser-security-model/activities/readme/deploy/activity.mk
@@ -0,0 +1 @@
+../../../../common/activity.mk
\ No newline at end of file
diff --git a/web-basics-browser-security-model/activities/readme/flag b/web-basics-browser-security-model/activities/readme/flag
new file mode 100644
index 00000000..6640a15a
--- /dev/null
+++ b/web-basics-browser-security-model/activities/readme/flag
@@ -0,0 +1 @@
+SSS{do_not_kill_the_messenger}
diff --git a/web-basics-browser-security-model/activities/readme/src/index.template.html b/web-basics-browser-security-model/activities/readme/src/index.template.html new file mode 100644 index 00000000..7b6f6fc7 --- /dev/null +++ b/web-basics-browser-security-model/activities/readme/src/index.template.html @@ -0,0 +1,10 @@ + + + + This is the title of the webpage! + + +

This is an example paragraph. Anything in the body tag will appear on the page, just like this p tag and its contents.

+

The flag is here

+ + diff --git a/web-basics-browser-security-model/activities/readme/src/readme.html b/web-basics-browser-security-model/activities/readme/src/readme.html new file mode 100644 index 00000000..a4204796 --- /dev/null +++ b/web-basics-browser-security-model/activities/readme/src/readme.html @@ -0,0 +1,9 @@ + + + + This is the title of the webpage! + + +

Look at this nice flag.

+
+
diff --git a/web-basics-browser-security-model/activities/surprise/README.md b/web-basics-browser-security-model/activities/surprise/README.md
new file mode 100644
index 00000000..941e6dd5
--- /dev/null
+++ b/web-basics-browser-security-model/activities/surprise/README.md
@@ -0,0 +1,18 @@
+# Name
+
+Web: Web basics and browser security model: Surprise
+
+## Description
+
+Get the flag from [surprise](http://141.85.224.157:8093/surprise/).
+Try to modify an existing resource at this location.
+
+Score: 50
+
+## Vulnerability
+
+The flag is displayed only if the `PUT` method is called with contenty-type `application/json` and a JSON body with the `name` key for the exposed route.
+
+## Exploit
+
+Script in `./sol/solution`.
diff --git a/web-basics-browser-security-model/activities/surprise/deploy/Dockerfile b/web-basics-browser-security-model/activities/surprise/deploy/Dockerfile
new file mode 100644
index 00000000..dd3d62dd
--- /dev/null
+++ b/web-basics-browser-security-model/activities/surprise/deploy/Dockerfile
@@ -0,0 +1,10 @@
+FROM tiangolo/uwsgi-nginx-flask:python3.8
+
+# copy over our requirements.txt file
+COPY src/requirements.txt /tmp/
+
+# upgrade pip and install required python packages
+RUN pip3 install --no-cache-dir -r /tmp/requirements.txt && mkdir app
+
+# copy over our app code
+COPY src/main.py /app
diff --git a/web-basics-browser-security-model/activities/surprise/deploy/Makefile b/web-basics-browser-security-model/activities/surprise/deploy/Makefile
new file mode 100644
index 00000000..3f2cce1b
--- /dev/null
+++ b/web-basics-browser-security-model/activities/surprise/deploy/Makefile
@@ -0,0 +1,6 @@
+EXTERNAL_PORT := 8093
+IMG_NAME := sss-web-01_surprise
+FILE_TEMPLATE := ../src/main.template.py
+FILE_SRC := ../src/main.py
+
+include activity.mk
diff --git a/web-basics-browser-security-model/activities/surprise/deploy/activity.mk b/web-basics-browser-security-model/activities/surprise/deploy/activity.mk
new file mode 120000
index 00000000..ebadabe9
--- /dev/null
+++ b/web-basics-browser-security-model/activities/surprise/deploy/activity.mk
@@ -0,0 +1 @@
+../../../../common/activity.mk
\ No newline at end of file
diff --git a/web-basics-browser-security-model/activities/surprise/flag b/web-basics-browser-security-model/activities/surprise/flag
new file mode 100644
index 00000000..97467565
--- /dev/null
+++ b/web-basics-browser-security-model/activities/surprise/flag
@@ -0,0 +1 @@
+SSS{valar_morghulis}
diff --git a/web-basics-browser-security-model/activities/surprise/src/main.template.py b/web-basics-browser-security-model/activities/surprise/src/main.template.py
new file mode 100644
index 00000000..445efa4e
--- /dev/null
+++ b/web-basics-browser-security-model/activities/surprise/src/main.template.py
@@ -0,0 +1,28 @@
+# SPDX-License-Identifier: BSD-3-Clause
+
+from flask import Flask, request
+
+
+app = Flask(__name__)
+
+
+@app.route("/surprise", methods=["PUT"])
+def put_method_with_content_type():
+
+ flag = "__TEMPLATE__"
+
+ if not request.content_type:
+ return "I don't understand you :("
+
+ if request.content_type == "application/json":
+
+ if "name" in request.json:
+ name = request.json["name"]
+ return "\n".join(
+ [f"Well done my friend, {name}! Here is your surprise:", flag]
+ )
+
+ return "Better! Give me your 'name' in this format"
+
+ else:
+ return "Good! But we should start using same language"
diff --git a/web-basics-browser-security-model/activities/surprise/src/requirements.txt b/web-basics-browser-security-model/activities/surprise/src/requirements.txt
new file mode 100644
index 00000000..e616642b
--- /dev/null
+++ b/web-basics-browser-security-model/activities/surprise/src/requirements.txt
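Review bot: In `put_method_with_content_type` the client-supplied `name` is interpolated into the response unescaped, and Flask serves a returned string as `text/html`, so any markup in `name` is reflected back as part of the page. The membership test `"name" in request.json` also raises a TypeError, hence HTTP 500, when the JSON body is not an object (for example `null` or a number). Reading the body once, checking its type and escaping the value covers both: `data = request.get_json(silent=True)`, `if isinstance(data, dict) and "name" in data:`, `name = escape(data["name"])`, with `escape` imported from `markupsafe`, which this activity's requirements.txt already pins. The exact comparison `request.content_type == "application/json"` also rejects `application/json; charset=utf-8`; if that strictness is part of the exercise, a one-line comment saying so would help the next maintainer.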
@@ -0,0 +1,6 @@
+click==8.0.1
+Flask==2.0.1
+itsdangerous==2.0.1
+Jinja2==3.0.1
+MarkupSafe==2.0.1
+Werkzeug==2.0.1
\ No newline at end of file