{
  "entrypoint_kind": "proxied_http_request_body",
  "entrypoint_detail": "An attacker-influenced HTTP request body containing javax.faces.ViewState is placed into a real ZAP HttpMessage and processed by the actual ViewState add-on request-panel view factory.",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "vulnerable_variant_confirmed": true,
  "fixed_version_bypass_confirmed": false,
  "runtime_stack": [
    "generated HTTP POST request body",
    "OpenJDK",
    "built ZAP ViewState add-on .zap",
    "ExtensionHttpPanelViewStateView.RequestSplitBodyViewStateViewFactory",
    "HttpPanelViewStateView.dataChanged",
    "ViewStateModel.getData",
    "JSFViewState.decode",
    "ObjectInputStream.readObject"
  ],
  "proof_artifacts": [
    "logs/vuln_variant_reproduction_steps.log",
    "logs/vuln_variant_build_vuln.log",
    "logs/vuln_variant_build_fixed.log",
    "logs/vuln_variant_request_vuln.log",
    "logs/vuln_variant_request_fixed.log",
    "vuln_variant/artifacts/request_variant_harness.java",
    "vuln_variant/artifacts/request_payload_vuln.b64",
    "vuln_variant/artifacts/request_payload_fixed.b64",
    "vuln_variant/artifacts/request_vuln_marker.txt",
    "vuln_variant/artifacts/request_vuln_rce_output.txt",
    "vuln_variant/artifacts/source_identity_request_variant.txt"
  ],
  "notes": "alternate request-panel trigger confirmed on vulnerable commit; fixed commit blocks it by removing JSF registration globally; no bypass"
}
