As others in the Twitter thread referenced in the README have also
noted, the original test payload that uses
`class.module.classLoader.URLs` is prone to false negatives because not
every classloader implementation has a `getURLs()` method.
While several alternative test payloads have been suggested, this PR
uses `class.module.classLoader.definedPackages%5B0%5D=0` because the
`getDefinedPackages()` method was added to the ClassLoader API in JDK 9
(so it’s another strong signal of vulnerability, and less likely to
cause false positives) and the method is `final`, so custom classloader
implementations can not change its behavior in a way that would cause
false positives or negatives.
This PR also fixes a bug when no `CVE-2022-22965.uri` script argument
was provided and adds support for testing with other HTTP request
methods including POST. The `CVE-2022-22965.uri` argument is renamed to
`CVE-2022-22965.path` for clarity, and a new optional
`CVE-2022-22965.method` argument is added, which can be set to change
the HTTP request method from `GET` (the default) to another valid method
(e.g. `POST`, `PUT`, etc.).