{
  "entrypoint_kind": "tcp_peer",
  "entrypoint_detail": "Malicious TCP HTTP peer returns javax.faces.ViewState; actual built ZAP ViewState add-on response panel processes a real HttpMessage from that TCP response",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "python3 malicious HTTP TCP server",
    "OpenJDK",
    "built ZAP ViewState add-on .zap",
    "ExtensionHttpPanelViewStateView.ResponseSplitBodyViewStateViewFactory",
    "HttpPanelViewStateView.dataChanged",
    "ViewStateModel.getData",
    "JSFViewState.decode",
    "ObjectInputStream.readObject"
  ],
  "proof_artifacts": [
    "logs/reproduction_steps.log",
    "logs/build_vuln.log",
    "logs/build_fixed.log",
    "logs/vuln_harness_1.log",
    "logs/vuln_harness_2.log",
    "logs/fixed_harness_1.log",
    "logs/fixed_harness_2.log",
    "logs/server_vuln_1.log",
    "logs/server_vuln_2.log",
    "logs/server_fixed_1.log",
    "logs/server_fixed_2.log",
    "repro/artifacts/product_path_harness.java",
    "repro/artifacts/payload.b64",
    "repro/artifacts/vuln_marker_1.txt",
    "repro/artifacts/vuln_marker_2.txt",
    "repro/artifacts/vuln_rce_output_1.txt",
    "repro/artifacts/vuln_rce_output_2.txt",
    "repro/artifacts/fix.patch",
    "repro/artifacts/source_identity.txt"
  ],
  "notes": "confirmed: actual vulnerable .zap response panel path deserializes attacker ViewState from TCP response and executes command; actual fixed .zap lacks JSF registration and blocks the same response; confirmed=true"
}
