Insecure Deserialization Add-On Inquiry

[Alex Mayfield]

Hey there,

This will be my first contribution to any OSS. I was assigned this issue (https://github.com/zaproxy/zaproxy/issues/4112#issuecomment-2598559325) on GitHub and have been looking into how to implement it before I work on the actual coding.

The main question I want to clarify before digging too deep is that Rick mentioned using DNS to verify that the payload went through. If I'm testing if a vulnerability exists, ZAP is going to need some response from the web server. I'm curious, however, if there is a limit to how intrusive/active the response can be? DNS would be great and seems to be quite minimal, but I do think it'd be quite easier to just ping ZAP for all payloads, regardless of the backend.

Thanks,

Alex

[kingthorin+zap]

DNS is almost universally allowed outbound. ICMP ping may not be. HTTP/HTTPS to non-standard ports may be blocked.

This should leverage the OAST add-on for payloads and DNS/HTTP interactions. (IMHO)