Hey there,
The main question I want to clarify before digging too deep is that Rick mentioned using DNS to verify that the payload went through. If I'm testing whether a vulnerability exists, ZAP is going to need some response from the web server. I'm curious, however, whether there is a limit to how intrusive/active the response can be. DNS would be great and seems to be quite minimal, but I do think it'd be quite a bit easier to just ping ZAP for all payloads, regardless of the backend.
Thanks,
Alex