diff --git a/src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java b/src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java
index 133721eee..f7f4511f8 100644
--- a/src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java
@@ -7,12 +7,14 @@ import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
+import org.springframework.http.HttpStatus;
 public class ChallengeIntegrationTest extends IntegrationTest {
 @Test
- public void testChallenge1() {
+ void testChallenge1() {
 startLesson("Challenge1");
 byte[] resultBytes =
@@ -67,7 +69,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
 }
 @Test
- public void testChallenge5() {
+ void testChallenge5() {
 startLesson("Challenge5");
 Map params = new HashMap<>();
@@ -107,4 +109,62 @@ public class ChallengeIntegrationTest extends IntegrationTest {
 .get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
 assertTrue(capturefFlags.contains("Without password"));
 }
+
+ @Test
+ void testChallenge7() {
+ startLesson("Challenge7");
+ cleanMailbox();
+
+ // One should first be able to download git.zip from WebGoat
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("JSESSIONID", getWebGoatCookie())
+ .get(url("/WebGoat/challenge/7/.git"))
+ .then()
+ .statusCode(200)
+ .extract()
+ .asString();
+
+ // Should send an email to WebWolf inbox this should give a hint to the link being static
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("JSESSIONID", getWebGoatCookie())
+ .formParams("email", getUser() + "@webgoat.org")
+ .post(url("/WebGoat/challenge/7"))
+ .then()
+ .statusCode(200)
+ .extract()
+ .asString();
+
+ // Check whether email has been received
+ var responseBody =
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("WEBWOLFSESSION", getWebWolfCookie())
+ .get(webWolfUrl("/mail"))
+ .then()
+ .extract()
+ .response()
+ .getBody()
+ .asString();
+ Assertions.assertThat(responseBody).contains("Hi, you requested a password reset link");
+
+ // Call reset link with admin link
+ String result =
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("JSESSIONID", getWebGoatCookie())
+ .get(url("/challenge/7/reset-password/{link}"), "375afe1104f4a487a73823c50a9292a2")
+ .then()
+ .statusCode(HttpStatus.ACCEPTED.value())
+ .extract()
+ .asString();
+
+ String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
+ checkAssignment(url("/WebGoat/challenge/flag"), Map.of("flag", flag), true);
+ }
 }
diff --git a/src/it/java/org/owasp/webgoat/IntegrationTest.java b/src/it/java/org/owasp/webgoat/IntegrationTest.java
index db551afeb..21ef208b1 100644
--- a/src/it/java/org/owasp/webgoat/IntegrationTest.java
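Review bot: The reset-link value passed on the `.get(url("/challenge/7/reset-password/{link}"), "375afe1104f4a487a73823c50a9292a2")` line repeats the literal that this same commit moves into `Assignment7.ADMIN_PASSWORD_LINK` as a public constant; if the integration-test source set can see main classes, referencing the constant keeps the test and the lesson in sync when the value changes. The flag extraction `String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);` silently returns a wrong substring when the body does not contain "flag" (indexOf yields -1, so the offsets become 5 and 41) and hard-codes an assumed flag width; guard it with `Assertions.assertThat(result).contains("flag");` before the substring, or extract the flag with a regex that fails loudly. The first two RestAssured chains end in `.extract().asString()` whose result is discarded, so ending them at `.statusCode(...)` would be clearer. Those two calls also use the bare literal `200` where the later call uses `HttpStatus.ACCEPTED.value()`; `HttpStatus.OK.value()` would make the three consistent.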
+++ b/src/it/java/org/owasp/webgoat/IntegrationTest.java
@@ -11,6 +11,7 @@ import org.hamcrest.CoreMatchers;
 import org.hamcrest.MatcherAssert;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
+import org.springframework.http.HttpStatus;
 public abstract class IntegrationTest {
@@ -252,4 +253,14 @@ public abstract class IntegrationTest {
 .getBody()
 .asString();
 }
+
+ public void cleanMailbox() {
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("WEBWOLFSESSION", getWebWolfCookie())
+ .delete(webWolfUrl("/mail"))
+ .then()
+ .statusCode(HttpStatus.ACCEPTED.value());
+ }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/SolutionConstants.java b/src/main/java/org/owasp/webgoat/lessons/challenges/SolutionConstants.java
index 890d80d06..ea34d5ebe 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/SolutionConstants.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/SolutionConstants.java
@@ -32,6 +32,4 @@ public interface SolutionConstants {
 // TODO should be random generated when starting the server
 String PASSWORD = "!!webgoat_admin_1234!!";
- String PASSWORD_TOM = "thisisasecretfortomonly";
- String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java
index 475e59b37..31260e8e1 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java
@@ -9,7 +9,6 @@ import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.lessons.challenges.Email;
 import org.owasp.webgoat.lessons.challenges.Flags;
-import org.owasp.webgoat.lessons.challenges.SolutionConstants;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.HttpStatus;
@@ -32,6 +31,8 @@ import org.springframework.web.client.RestTemplate; @Slf4j public class Assignment7 extends AssignmentEndpoint { + public static final String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2"; + + private static final String TEMPLATE = "Hi, you requested a password reset link, please use this link to reset your"
@@ -56,15 +57,13 @@ public class Assignment7 extends AssignmentEndpoint {
 @GetMapping("/challenge/7/reset-password/{link}")
 public ResponseEntity resetPassword(@PathVariable(value = "link") String link) {
- if (link.equals(SolutionConstants.ADMIN_PASSWORD_LINK)) {
+ if (link.equals(ADMIN_PASSWORD_LINK)) {
 return ResponseEntity.accepted() .body( "
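Review bot: The new `public static final String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";` declaration carries no comment, while the value it replaces in SolutionConstants sat under `// TODO should be random generated when starting the server`; after this move nothing in the code says whether the fixed value is now deliberate or still a TODO. The test added in this commit describes the static link as the lesson's hint, so the declaration should say so in one line, e.g. `// Deliberately static for challenge 7: the lesson demonstrates why a predictable reset link is unsafe.` That also explains to a later maintainer why the field was widened to public rather than kept package-private. The surrounding class body continues outside this hunk.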

Success!!

" + "" + "

Here is your flag: " - + "" - + flags.getFlag(7) - + ""); + + flags.getFlag(7)); } return ResponseEntity.status(HttpStatus.I_AM_A_TEAPOT) .body("That is not the reset link for admin");
@@ -99,6 +98,6 @@ public class Assignment7 extends AssignmentEndpoint {
 @GetMapping(value = "/challenge/7/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
 @ResponseBody
 public ClassPathResource git() {
- return new ClassPathResource("challenge7/git.zip");
+ return new ClassPathResource("lessons/challenges/challenge7/git.zip");
 }
 }
diff --git a/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java b/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java
index 6a3640bfd..e7a42214f 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java
@@ -23,26 +23,27 @@ package org.owasp.webgoat.webwolf.mailbox;
 import java.util.List;
-import lombok.AllArgsConstructor;
+import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpStatus;
-import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.ModelAndView;
 @RestController
-@AllArgsConstructor
+@RequiredArgsConstructor
 @Slf4j
 public class MailboxController {
 private final MailboxRepository mailboxRepository;
- @GetMapping(value = "/mail")
+ @GetMapping("/mail")
 public ModelAndView mail() {
 UserDetails user = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
@@ -56,9 +57,15 @@ public class MailboxController {
 return modelAndView;
 }
- @PostMapping(value = "/mail")
- public ResponseEntity sendEmail(@RequestBody Email email) {
+ @PostMapping("/mail")
+ @ResponseStatus(HttpStatus.CREATED)
+ public void sendEmail(@RequestBody Email email) {
 mailboxRepository.save(email);
- return ResponseEntity.status(HttpStatus.CREATED).build();
+ }
+
+ @DeleteMapping("/mail")
+ @ResponseStatus(HttpStatus.ACCEPTED)
+ public void deleteAllMail() {
+ mailboxRepository.deleteAll();
 }
 }
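Review bot: `deleteAllMail()` in the second hunk calls `mailboxRepository.deleteAll()`, which removes every stored email regardless of owner, whereas `mail()` in the first hunk resolves the current principal (apparently to scope what it returns); any authenticated WebWolf user sending `DELETE /mail` can therefore empty other users' inboxes, and the added test helper `cleanMailbox()` relies on exactly that global effect. If MailboxRepository offers, or can be given, a delete keyed on the recipient (not visible here), scope the call to the authenticated user the same way `mail()` does; otherwise add a Javadoc line on the method stating that it clears the mailbox for all users and is intended for test setup. Responding `ACCEPTED` to a synchronous delete is unconventional (`NO_CONTENT` is the usual choice); if it is changed, `cleanMailbox()` in IntegrationTest asserts the same status and must change with it.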