diff --git a/golang-basic/exposure-sensitive-information/main.go b/golang-basic/exposure-sensitive-information/main.go
new file mode 100644
index 0000000..064522b
--- /dev/null
+++ b/golang-basic/exposure-sensitive-information/main.go
@@ -0,0 +1,48 @@
+// package main
+
+// import (
+// "fmt"
+// "net/http"
+// )
+
+// func main() {
+// http.HandleFunc("/users", getUsers)
+// http.ListenAndServe(":8080", nil)
+// }
+
+// func getUsers(w http.ResponseWriter, r *http.Request) {
+// // Access sensitive data from the database
+// username := "admin"
+// password := "secret"
+
+// // Return the sensitive information in the HTTP response
+// fmt.Fprintf(w, "Username: %s, Password: %s", username, password)
+// }
+
+package main
+
+import (
+ "fmt"
+ "log"
+ "net/http"
+)
+
+func main() {
+ http.HandleFunc("/users", getUsers)
+ log.Println("Starting server on :8080")
+ if err := http.ListenAndServe(":8080", nil); err != nil {
+ log.Fatalf("Server failed to start: %v", err)
+ }
+}
+
+func getUsers(w http.ResponseWriter, r *http.Request) {
+ // Access sensitive data from the database
+ username := "admin"
+ password := "secret"
+
+ // Log the request
+ log.Printf("Received request for /users from %s", r.RemoteAddr)
+
+ // Return the sensitive information in the HTTP response
+ fmt.Fprintf(w, "Username: %s, Password: %s", username, password)
+}
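Review bot: main.go and main02.go both declare `package main` with `main` and `getUsers` in the same directory, so `go build`, `go vet` or `go test` on this package fails with redeclaration errors even though `go run main.go` works; the csrf directory (main.go, main1.go, main2.go) and the insertion-sensitive-information directory (main.go through main3.go) have the same layout. Adding `//go:build ignore` as the first line of each variant keeps `go run <file>` working (an explicit file list ignores build constraints) while letting package-level tooling run on the directory. The commented-out copy of the file at the top of the hunk duplicates the live code below it and should be deleted rather than kept as history. Since this variant deliberately writes a hard-coded credential to every unauthenticated client in the `fmt.Fprintf` line, a doc comment such as `// getUsers is the intentionally vulnerable baseline: it returns credentials in the response body; see main02.go for the corrected version.` would stop it being copied as a template.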
diff --git a/golang-basic/exposure-sensitive-information/main02.go b/golang-basic/exposure-sensitive-information/main02.go
new file mode 100644
index 0000000..9b5f488
--- /dev/null
+++ b/golang-basic/exposure-sensitive-information/main02.go
@@ -0,0 +1,26 @@
+package main
+
+import (
+ "fmt"
+ "log"
+ "net/http"
+)
+
+func main() {
+ http.HandleFunc("/users", getUsers)
+ log.Println("Starting server on :8080")
+ if err := http.ListenAndServe(":8080", nil); err != nil {
+ log.Fatalf("Server failed to start: %v", err)
+ }
+}
+
+func getUsers(w http.ResponseWriter, r *http.Request) {
+ // Access sensitive data from the database
+ // username := "admin"
+ // password := "secret"
+
+ // Instead of returning sensitive information, return a generic message
+ fmt.Fprint(w, "Access denied")
+ log.Printf("Received request for /users from Access denied", r.RemoteAddr)
+
+}
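Review bot: The `log.Printf` call at the end of `getUsers` has no formatting directive but is passed `r.RemoteAddr`, so `go vet` rejects it and the output ends in a `%!(EXTRA string=...)` marker; it should read `log.Printf("Received request for /users from %s", r.RemoteAddr)`. The "Access denied" body is also sent with the implicit 200 status, so clients and monitoring cannot distinguish it from success; `http.Error(w, "Access denied", http.StatusForbidden)` sets the status and a text/plain content type in one call. The commented-out `username`/`password` lines are dead text and can be removed.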
diff --git a/golang-basic/exposure-sensitive-information/readme.md b/golang-basic/exposure-sensitive-information/readme.md
new file mode 100644
index 0000000..e69de29
diff --git a/hacking-go/cross-site-request-forgery/index.html b/hacking-go/cross-site-request-forgery/index.html
new file mode 100644
index 0000000..e86341d
--- /dev/null
+++ b/hacking-go/cross-site-request-forgery/index.html
@@ -0,0 +1,20 @@
+
+
+
+
+
+ Money Transfer
+
+
+ Money Transfer
+
+
+
diff --git a/hacking-go/cross-site-request-forgery/main.go b/hacking-go/cross-site-request-forgery/main.go
new file mode 100644
index 0000000..ca4c1b5
--- /dev/null
+++ b/hacking-go/cross-site-request-forgery/main.go
@@ -0,0 +1,45 @@
+package main
+
+import (
+ "fmt"
+ "html/template"
+ "log"
+ "net/http"
+)
+
+var (
+ templates = template.Must(template.ParseFiles("index.html"))
+)
+
+func main() {
+ http.HandleFunc("/", indexHandler)
+ http.HandleFunc("/transfer", transferHandler)
+ log.Fatal(http.ListenAndServe(":8080", nil))
+}
+
+func indexHandler(w http.ResponseWriter, r *http.Request) {
+ if r.Method == http.MethodGet {
+ templates.ExecuteTemplate(w, "index.html", nil)
+ } else if r.Method == http.MethodPost {
+ amount := r.FormValue("amount")
+ account := r.FormValue("account")
+
+ // Perform the money transfer
+ if transferMoney(amount, account) {
+ fmt.Fprintln(w, "Transfer successful!")
+ } else {
+ fmt.Fprintln(w, "Transfer failed!")
+ }
+ }
+}
+
+func transferHandler(w http.ResponseWriter, r *http.Request) {
+ // Process transfer request
+ // ...
+}
+
+func transferMoney(amount, account string) bool {
+ // Perform money transfer logic
+ // ...
+ return false
+}
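Review bot: The error from `templates.ExecuteTemplate` in the GET branch of `indexHandler` is discarded, so a missing or broken `index.html` produces a silent empty 200; main1.go and main2.go repeat the pattern. Replace it with `if err := templates.ExecuteTemplate(w, "index.html", nil); err != nil { http.Error(w, "Internal Server Error", http.StatusInternalServerError) }`. Any method other than GET or POST falls out of the if/else chain and also returns an empty 200; a closing `else { http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed) }` makes the contract explicit. `transferHandler` is registered on `/transfer` but writes nothing, which is acceptable for a stub but deserves a comment stating that the POST on `/` is the transfer path this example exercises.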
diff --git a/hacking-go/cross-site-request-forgery/main1.go b/hacking-go/cross-site-request-forgery/main1.go
new file mode 100644
index 0000000..0158025
--- /dev/null
+++ b/hacking-go/cross-site-request-forgery/main1.go
@@ -0,0 +1,43 @@
+package main
+
+import (
+ "fmt"
+ "html/template"
+ "log"
+ "net/http"
+)
+
+var (
+ templates = template.Must(template.ParseFiles("index.html"))
+)
+
+func main() {
+ http.HandleFunc("/", indexHandler)
+ http.HandleFunc("/transfer", transferHandler)
+ log.Fatal(http.ListenAndServe(":8080", nil))
+}
+
+func indexHandler(w http.ResponseWriter, r *http.Request) {
+ if r.Method == http.MethodGet {
+ templates.ExecuteTemplate(w, "index.html", nil)
+ } else if r.Method == http.MethodPost {
+ amount := r.FormValue("amount")
+ account := r.FormValue("account")
+
+ // Perform the money transfer
+ if transferMoney(amount, account) {
+ fmt.Fprintln(w, "Transfer successful!")
+ } else {
+ fmt.Fprintln(w, "Transfer failed!")
+ }
+ }
+}
+
+func transferHandler(w http.ResponseWriter, r *http.Request) {
+ // Additional transfer processing logic can be placed here if needed
+}
+
+func transferMoney(amount, account string) bool {
+ // Simulate a successful transfer
+ return true
+}
diff --git a/hacking-go/cross-site-request-forgery/main2.go b/hacking-go/cross-site-request-forgery/main2.go
new file mode 100644
index 0000000..121d619
--- /dev/null
+++ b/hacking-go/cross-site-request-forgery/main2.go
@@ -0,0 +1,64 @@
+package main
+
+import (
+ "fmt"
+ "html/template"
+ "log"
+ "net/http"
+
+ "github.com/gorilla/csrf"
+)
+
+var (
+ templates = template.Must(template.ParseFiles("index.html"))
+)
+
+func main() {
+ http.HandleFunc("/", indexHandler)
+ http.HandleFunc("/transfer", transferHandler)
+ log.Fatal(http.ListenAndServe(":8080", csrf.Protect([]byte("32-byte-long-auth-key"))(nil)))
+}
+
+func indexHandler(w http.ResponseWriter, r *http.Request) {
+ if r.Method == http.MethodGet {
+ token := csrf.Token(r)
+ data := struct {
+ Token string
+ }{
+ Token: token,
+ }
+ templates.ExecuteTemplate(w, "index.html", data)
+ } else if r.Method == http.MethodPost {
+ if err := r.ParseForm(); err != nil {
+ http.Error(w, "Bad Request", http.StatusBadRequest)
+ return
+ }
+
+ // Validate CSRF token
+ if err := csrf.Protect([]byte("32-byte-long-auth-key")).VerifyToken(csrf.Token(r)); err != nil {
+ http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+ return
+ }
+
+ amount := r.FormValue("amount")
+ account := r.FormValue("account")
+
+ // Perform the money transfer
+ if transferMoney(amount, account) {
+ fmt.Fprintln(w, "Transfer successful!")
+ } else {
+ fmt.Fprintln(w, "Transfer failed!")
+ }
+ }
+}
+
+func transferHandler(w http.ResponseWriter, r *http.Request) {
+ // Process transfer request
+ // ...
+}
+
+func transferMoney(amount, account string) bool {
+ // Perform money transfer logic
+ // ...
+ return false
+}
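Review bot: The POST branch of `indexHandler` calls `.VerifyToken` on the value returned by `csrf.Protect`, but `Protect` returns a `func(http.Handler) http.Handler` middleware with no such method, so this file does not compile; the middleware already rejects unsafe-method requests that lack a valid token, so the whole `// Validate CSRF token` block should be deleted. In `main` the middleware wraps `nil` instead of the mux the handlers were registered on, so a request that passes the CSRF check is dispatched to a nil handler and panics; use `log.Fatal(http.ListenAndServe(":8080", csrf.Protect(authKey)(http.DefaultServeMux)))`. The literal `"32-byte-long-auth-key"` is 21 bytes, not the 32 gorilla/csrf documents, and is committed in source; read it from the environment or a secret store into one `authKey` variable rather than repeating the literal. gorilla/csrf marks its cookie Secure by default, so the plain-HTTP curl commands in readme.md will likely be rejected unless `csrf.Secure(false)` is passed for local testing — worth a comment next to the `Protect` call.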
diff --git a/hacking-go/cross-site-request-forgery/main3.go b/hacking-go/cross-site-request-forgery/main3.go
new file mode 100644
index 0000000..e69de29
diff --git a/hacking-go/cross-site-request-forgery/readme.md b/hacking-go/cross-site-request-forgery/readme.md
new file mode 100644
index 0000000..dc6fc91
--- /dev/null
+++ b/hacking-go/cross-site-request-forgery/readme.md
@@ -0,0 +1,35 @@
+### go run main.go
+```
+go run main.go
+
+curl http://localhost:8080
+
+curl -X POST -d "amount=100" -d "account=12345" http://localhost:8080
+
+
+```
+
+### go run main1.go
+```
+go run main1.go
+curl http://localhost:8080
+
+curl -X POST -d "amount=100" -d "account=12345" http://localhost:8080
+
+```
+### go run main2.go
+```
+go run main2.go
+curl http://localhost:8080
+
+curl -X POST -d "amount=100" -d "account=12345" http://localhost:8080
+
+```
+### go run main3.go
+```
+go run main3.go
+curl http://localhost:8080
+
+curl -X POST -d "amount=100" -d "account=12345" http://localhost:8080
+
+```
diff --git a/hacking-go/insertion-sensitive-information-sent-data/main.go b/hacking-go/insertion-sensitive-information-sent-data/main.go
new file mode 100644
index 0000000..04def16
--- /dev/null
+++ b/hacking-go/insertion-sensitive-information-sent-data/main.go
@@ -0,0 +1,37 @@
+package main
+
+import (
+ "fmt"
+ "log"
+ "net/http"
+)
+
+func main() {
+ http.HandleFunc("/login", login)
+ http.ListenAndServe(":8080", nil)
+}
+
+func login(w http.ResponseWriter, r *http.Request) {
+ username := r.FormValue("username")
+ password := r.FormValue("password")
+
+ // Authenticate the user
+ if !authenticate(username, password) {
+ errMsg := fmt.Sprintf("Login failed for user: %s", username)
+ log.Println(errMsg)
+ http.Error(w, "Invalid credentials", http.StatusUnauthorized)
+ return
+ }
+
+ // Proceed with successful login
+ // ...
+ // Code for handling successful login
+}
+
+func authenticate(username, password string) bool {
+ // Perform authentication logic
+ // ...
+ // Code for authenticating the user
+
+ return false
+}
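Review bot: `login` interpolates the untrusted `username` form value into a log line with `%s`, so a value containing newlines can forge additional log entries; use `%q` (`errMsg := fmt.Sprintf("Login failed for user: %q", username)`), and the `log.Println` variants in main2.go and main3.go have the same issue. The handler does not restrict the method, and `r.FormValue` also reads the query string on GET, so credentials can arrive in a URL and land in access logs and browser history; main1.go and main3.go already reject non-POST requests, and this file and main2.go should do the same. The error from `http.ListenAndServe` in `main` is dropped, so a port clash exits silently; `log.Fatal(http.ListenAndServe(":8080", nil))` matches the other variants.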
diff --git a/hacking-go/insertion-sensitive-information-sent-data/main1.go b/hacking-go/insertion-sensitive-information-sent-data/main1.go
new file mode 100644
index 0000000..cd67cdb
--- /dev/null
+++ b/hacking-go/insertion-sensitive-information-sent-data/main1.go
@@ -0,0 +1,106 @@
+// package main
+
+// import (
+// "fmt"
+// "html/template"
+// "log"
+// "net/http"
+// )
+
+// func main() {
+// http.HandleFunc("/login", login)
+// log.Println("Starting server on :8080")
+// if err := http.ListenAndServe(":8080", nil); err != nil {
+// log.Fatal(err)
+// }
+// }
+
+// func login(w http.ResponseWriter, r *http.Request) {
+// if r.Method != http.MethodPost {
+// http.Error(w, "Invalid request method", http.StatusMethodNotAllowed)
+// return
+// }
+
+// username := r.FormValue("username")
+// password := r.FormValue("password")
+
+// // Authenticate the user
+// if !authenticate(username, password) {
+// errMsg := fmt.Sprintf("Login failed for user: %s", username)
+// log.Println(errMsg)
+// http.Error(w, "Invalid credentials", http.StatusUnauthorized)
+// return
+// }
+
+// // Proceed with successful login
+// successMsg := fmt.Sprintf("Welcome, %s!", username)
+// tmpl, err := template.New("success").Parse("{{.}}
")
+// if err != nil {
+// http.Error(w, "Internal server error", http.StatusInternalServerError)
+// return
+// }
+// tmpl.Execute(w, successMsg)
+// }
+
+// func authenticate(username, password string) bool {
+// // Perform authentication logic
+// // Replace this with real authentication code
+// if username == "admin" && password == "password" {
+// return true
+// }
+// return false
+// }
+
+
+package main
+
+import (
+ "fmt"
+ "log"
+ "net/http"
+ "html/template"
+)
+
+func main() {
+ http.HandleFunc("/login", login)
+ log.Println("Starting server on :8080")
+ if err := http.ListenAndServe(":8080", nil); err != nil {
+ log.Fatal(err)
+ }
+}
+
+func login(w http.ResponseWriter, r *http.Request) {
+ if r.Method != http.MethodPost {
+ http.Error(w, "Invalid request method", http.StatusMethodNotAllowed)
+ return
+ }
+
+ username := r.FormValue("username")
+ password := r.FormValue("password")
+
+ // Authenticate the user
+ if !authenticate(username, password) {
+ errMsg := fmt.Sprintf("Login failed for user: %s", username)
+ log.Println(errMsg)
+ http.Error(w, "Invalid credentials", http.StatusUnauthorized)
+ return
+ }
+
+ // Proceed with successful login
+ successMsg := fmt.Sprintf("Welcome, %s!", username)
+ tmpl, err := template.New("success").Parse("{{.}}
")
+ if err != nil {
+ http.Error(w, "Internal server error", http.StatusInternalServerError)
+ return
+ }
+ tmpl.Execute(w, successMsg)
+}
+
+func authenticate(username, password string) bool {
+ // Perform authentication logic
+ // Replace this with real authentication code
+ if username == "admin" && password == "password" {
+ return true
+ }
+ return false
+}
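Review bot: `login` parses the success template on every request and ignores the error from `tmpl.Execute`, so a failed render yields a partial or empty 200; parse once at package level with `var successTmpl = template.Must(template.New("success").Parse("{{.}}\n"))` and check the `Execute` error. The `Parse` argument appears split across two lines in the hunk, which would not compile as a Go string literal; this is probably an extraction artifact for `\n` but is worth confirming in the repository. The commented-out copy of the file above the live code duplicates it and should be removed, and the import block is not goimports-sorted (`html/template` belongs before `log`). The `%s` in the failure log has the same log-injection concern as main.go; `%q` is safer.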
diff --git a/hacking-go/insertion-sensitive-information-sent-data/main2.go b/hacking-go/insertion-sensitive-information-sent-data/main2.go
new file mode 100644
index 0000000..3ec7f9d
--- /dev/null
+++ b/hacking-go/insertion-sensitive-information-sent-data/main2.go
@@ -0,0 +1,35 @@
+package main
+
+import (
+ "log"
+ "net/http"
+)
+
+func main() {
+ http.HandleFunc("/login", login)
+ http.ListenAndServe(":8080", nil)
+}
+
+func login(w http.ResponseWriter, r *http.Request) {
+ username := r.FormValue("username")
+ password := r.FormValue("password")
+
+ // Authenticate the user
+ if !authenticate(username, password) {
+ log.Println("Login failed for user:", username)
+ http.Error(w, "Invalid credentials", http.StatusUnauthorized)
+ return
+ }
+
+ // Proceed with successful login
+ // ...
+ // Code for handling successful login
+}
+
+func authenticate(username, password string) bool {
+ // Perform authentication logic
+ // ...
+ // Code for authenticating the user
+
+ return false
+}
diff --git a/hacking-go/insertion-sensitive-information-sent-data/main3.go b/hacking-go/insertion-sensitive-information-sent-data/main3.go
new file mode 100644
index 0000000..7b46694
--- /dev/null
+++ b/hacking-go/insertion-sensitive-information-sent-data/main3.go
@@ -0,0 +1,54 @@
+package main
+
+import (
+ "fmt"
+ "log"
+ "net/http"
+)
+
+func main() {
+ http.HandleFunc("/login", login)
+ log.Println("Starting server on :8080")
+ if err := http.ListenAndServe(":8080", nil); err != nil {
+ log.Fatalf("Server failed to start: %v", err)
+ }
+}
+
+func login(w http.ResponseWriter, r *http.Request) {
+ // Ensure we're dealing with a POST request
+ if r.Method != http.MethodPost {
+ http.Error(w, "Invalid request method", http.StatusMethodNotAllowed)
+ return
+ }
+
+ // Parse the form data
+ if err := r.ParseForm(); err != nil {
+ http.Error(w, "Unable to parse form data", http.StatusBadRequest)
+ return
+ }
+
+ // Retrieve username and password from the form
+ username := r.FormValue("username")
+ password := r.FormValue("password")
+
+ // Authenticate the user
+ if !authenticate(username, password) {
+ log.Println("Login failed for user:", username)
+ http.Error(w, "Invalid credentials", http.StatusUnauthorized)
+ return
+ }
+
+ // Proceed with successful login
+ // Here you might set a session or token
+ log.Println("Login successful for user:", username)
+ fmt.Fprintf(w, "Welcome, %s!", username)
+}
+
+func authenticate(username, password string) bool {
+ // Replace with actual authentication logic
+ // For example, compare with hardcoded credentials
+ if username == "admin" && password == "password" {
+ return true
+ }
+ return false
+}
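Review bot: The success path in `login` writes the untrusted `username` straight into the response with `fmt.Fprintf` and no explicit Content-Type, so net/http's sniffer decides the type from the first bytes; the safety of this reflection currently rests on the fixed `Welcome, ` prefix rather than on a declared type, in the variant meant to be the corrected one. Set `w.Header().Set("Content-Type", "text/plain; charset=utf-8")` before the write, or render through html/template as main1.go does. The two `log.Println` calls print the raw username; `log.Printf("Login failed for user: %q", username)` neutralises embedded newlines. `authenticate` compares plaintext with `==`, which is fine for a demo, but the comment should say a real implementation verifies against a salted password hash rather than a literal.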
diff --git a/hacking-go/insertion-sensitive-information-sent-data/readme.md b/hacking-go/insertion-sensitive-information-sent-data/readme.md
new file mode 100644
index 0000000..e499a27
--- /dev/null
+++ b/hacking-go/insertion-sensitive-information-sent-data/readme.md
@@ -0,0 +1,29 @@
+```
+go run main.go
+go run main1.go
+
+curl -X POST -d "username=admin&password=password" http://localhost:8080/login
+
+curl -X POST -d "username=admin&password=123" http://localhost:8080/login
+
+curl -X POST -d "username=admin" http://localhost:8080/login
+
+curl -X POST http://localhost:8080/login
+
+curl http://localhost:8080/login
+
+
+go run main2.go
+go run main3.go
+
+curl -X POST -d "username=admin&password=password" http://localhost:8080/login
+
+curl -X POST -d "username=admin&password=123" http://localhost:8080/login
+
+curl -X POST -d "username=admin" http://localhost:8080/login
+
+curl -X POST http://localhost:8080/login
+
+curl http://localhost:8080/login
+
+```