Insecure Deserialization Add-On Inquiry


Alex Mayfield

Apr 23, 2025, 10:20:31 PM
to ZAP Developer Group
Hey there,

This will be my first contribution to any OSS. I was assigned this issue (https://github.com/zaproxy/zaproxy/issues/4112#issuecomment-2598559325) on GitHub and have been looking into how to implement it before I work on the actual coding.

The main question I want to clarify before digging too deep is that Rick mentioned using DNS to verify that the payload went through. If I'm testing if a vulnerability exists, ZAP is going to need some response from the web server. I'm curious, however, if there is a limit to how intrusive/active the response can be. DNS would be great and seems to be quite minimal, but I do think it'd be quite a bit easier to just ping ZAP for all payloads, regardless of the backend.

Thanks,
Alex

kingthorin+zap

Apr 24, 2025, 8:54:24 AM
to ZAP Developer Group
DNS is almost universally allowed outbound. ICMP ping may not be. HTTP/HTTPS to non-standard ports may be blocked.
This should leverage the OAST add-on for payloads and DNS/HTTP interactions. (IMHO)