diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOtherProfiile.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOtherProfiile.java
index e63ef9de1..c2a509f45 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOtherProfiile.java
+++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOtherProfiile.java
@@ -45,11 +45,12 @@ import java.util.Map;
 @Path("IDOR/profile/{userId}")
 public class IDOREditOtherProfiile extends AssignmentEndpoint {
- @Autowired UserSessionData userSessionData;
+ @Autowired
+ private UserSessionData userSessionData;
- @RequestMapping(method = RequestMethod.PUT, consumes = "application/json")
+ @PutMapping(consumes = "application/json")
 public @ResponseBody
- AttackResult completed(@PathVariable("userId") String userId, @RequestParam UserProfile userSubmittedProfile) {
+ AttackResult completed(@PathVariable("userId") String userId, @RequestBody UserProfile userSubmittedProfile) {
 String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id");
 // this is where it starts ... accepting the user submitted ID and assuming it will be the same as the logged in userId and not checking for proper authorization
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORLogin.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORLogin.java
index 593dc9527..d0994ad8e 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORLogin.java
+++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORLogin.java
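Review bot: The switch to `@RequestBody UserProfile userSubmittedProfile` means every writable property of `UserProfile` is now populated straight from the client's JSON, and nothing in the hunk limits which fields a caller may set; since the inline comment states that the authorization check against the session user is deliberately absent in this lesson endpoint, that intent belongs in Javadoc so a later cleanup neither silently "fixes" the lesson nor copies the binding pattern into a non-lesson endpoint. Suggested Javadoc above `@PutMapping`: `/** Lesson endpoint: intentionally trusts the path userId and the JSON body without checking them against the session user. */`. The `(String)` cast on `userSessionData.getValue("idor-authenticated-user-id")` on the new side also assumes a String was stored; if the login step was skipped the value is presumably null, and the comparison that follows must tolerate that — verify, as it is outside the hunk. completed's body continues past the end of the hunk.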
@@ -4,10 +4,7 @@ import org.owasp.webgoat.endpoints.AssignmentEndpoint;
 import org.owasp.webgoat.lessons.AttackResult;
 import org.owasp.webgoat.session.UserSessionData;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.Path;
@@ -66,10 +63,8 @@ public class IDORLogin extends AssignmentEndpoint {
 }
- @RequestMapping(method = RequestMethod.POST)
- public @ResponseBody
- AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) throws IOException {
-
+ @PostMapping
+ public @ResponseBody AttackResult completed(@RequestParam String username, @RequestParam String password) {
 initIDORInfo();
 UserSessionData userSessionData = getUserSessionData();
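Review bot: The replacement `import org.springframework.web.bind.annotation.*;` trades four explicit imports for a wildcard, which hides which annotations this class actually uses and invites name clashes; as far as the hunk at line 66 shows, the new code needs only `PostMapping`, `RequestParam` and `ResponseBody`, so spelling those three out is preferable. With the `HttpServletRequest request` parameter and `throws IOException` removed in that later hunk, the kept context line `import javax.servlet.http.HttpServletRequest;` and any `java.io.IOException` import are likely unused now — verify against the rest of the file and drop them. The later hunk's method body continues past what is shown here.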