{
  "same_root_cause": true,
  "confidence": 0.96,
  "parent_trigger": {
    "entrypoint_kind": "proxied_http_response_body",
    "entrypoint_detail": "Malicious server response contains hidden input name=javax.faces.ViewState with Base64 Java serialized object.",
    "factory": "ExtensionHttpPanelViewStateView$ResponseSplitBodyViewStateViewFactory",
    "parser_branch": "ViewStateModel VS_ACTION_RESPONSE uses Jericho HTML input parsing."
  },
  "variant_trigger": {
    "entrypoint_kind": "proxied_http_request_body",
    "entrypoint_detail": "HTTP request body contains form parameter javax.faces.ViewState=<Base64 Java serialized object>.",
    "factory": "ExtensionHttpPanelViewStateView$RequestSplitBodyViewStateViewFactory",
    "parser_branch": "ViewStateModel VS_ACTION_REQUEST uses StandardParameterParser and URLDecoder."
  },
  "shared_sink": {
    "file_path": "addOns/viewstate/src/main/java/org/zaproxy/zap/extension/viewstate/zap/utils/JSFViewState.java",
    "function": "JSFViewState.decode",
    "sink": "ObjectInputStream.readObject()"
  },
  "shared_fix_point": {
    "file_path": "addOns/viewstate/src/main/java/org/zaproxy/zap/extension/viewstate/ViewStateModel.java",
    "line": 62,
    "description": "Fixed commit comments out shared javax.faces.ViewState registration, preventing both request and response models from constructing JSFViewState."
  },
  "why_not_bypass": "Although the request body path is distinct from the response body path, both paths depend on the same constructor-populated viewstateParams registration. The fixed commit removes that registration globally, and runtime evidence shows no deserialization on the fixed request-panel path."
}
