About parlov
parlov is an HTTP oracle detection tool. It systematically probes web applications and APIs to identify information leakage through server behavior that is entirely correct — not broken, not misconfigured, just honest enough to reveal what it shouldn't.
parlov is named after Ivan Pavlov, the Russian scientist known for his work on conditioned reflexes. The tool mirrors his methodology: systematically observing normal behavioral responses to controlled stimuli to reveal hidden internal state.
The Premise
Web servers that faithfully implement HTTP specifications often leak information without realizing it. The differences in how a server responds to different inputs — status codes, response bodies, timing, headers, error messages — can reveal protected internal state to anyone watching closely enough.
parlov detects those differential signals, quantifies their severity, and reports whether an application is vulnerable to oracle-based enumeration.
The Oracle is Always a Differential
An oracle is never a single response. It's always the difference between two.
Request a resource that exists. Request one that doesn't. If the server responds differently — a 403 for one and a 404 for the other — it just told you which resource is real. You didn't need access. You just needed to observe the difference.
This isn't a bug. Servers behave this way because the specifications tell them to. Forbidden means the resource exists and you can't have it. Not Found means it doesn't exist at all. The server is being precise, and that precision is the leak.
What It Detects
Six oracle classes, each targeting a different way servers inadvertently reveal internal state:
- Existence Oracle — Reveals whether a resource exists based on how the server distinguishes forbidden access from missing resources.
- Authentication Oracle — Reveals valid usernames or email addresses through differences in how login, registration, and password-reset endpoints respond to valid versus invalid identities.
- Timing Oracle — Reveals internal state through measurable differences in response time — valid inputs often take longer to process than invalid ones.
- Verification Oracle — Reveals cryptographic validation pipeline ordering through differences in error messages for expired, malformed, or wrongly-signed credentials.
- Token Validation Oracle — Reveals which stage of token validation failed by returning different errors for expired tokens, wrong audiences, and invalid signatures.
- State Oracle — Reveals session or authentication state through differences in HTTP headers — rate-limit counters, cache directives, and security tokens that appear only for authenticated users.
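The differential idea behind these classes, as an added example in Python that is not part of parlov's own code: one comparison over two responses (a protected path versus a nonexistent control path) reports every channel that distinguishes them, so an application owner can check whether their own forbidden and not-found answers, headers and latencies are indistinguishable. The `Observation` type, `differential` function and all sample values are constructed assumptions; the same comparison applies to a valid-versus-invalid username pair on a login endpoint.

```python
from dataclasses import dataclass, field
from statistics import median
from typing import Dict, List


@dataclass
class Observation:
    """One probe's response: status, headers, body, and repeated latency samples in ms."""
    status: int
    headers: Dict[str, str]
    body: str
    latencies_ms: List[float] = field(default_factory=list)


def differential(probe: Observation, control: Observation, timing_floor_ms: float = 50.0) -> Dict[str, str]:
    """Compare the response for a sensitive input (existing path, valid username)
    against a control input that should not exist. Every channel that differs is an
    oracle: the dict maps oracle class -> evidence, empty when the pair is indistinguishable."""
    findings: Dict[str, str] = {}
    if probe.status != control.status:
        findings["existence"] = f"status {probe.status} vs {control.status}"
    if probe.body != control.body:
        findings["message"] = f"body differs ({len(probe.body)} vs {len(control.body)} bytes)"
    # Header names are case-insensitive; report headers present only for the sensitive input.
    only_probe = sorted({k.lower() for k in probe.headers} - {k.lower() for k in control.headers})
    if only_probe:
        findings["state"] = "headers only on probe: " + ", ".join(only_probe)
    if probe.latencies_ms and control.latencies_ms:
        # Median over repeated samples resists a single slow request; flag only past the floor.
        delta = median(probe.latencies_ms) - median(control.latencies_ms)
        if abs(delta) >= timing_floor_ms:
            findings["timing"] = f"median delta {delta:+.0f} ms"
    return findings


# Constructed sample observations (not real captures). CONTROL is the response to a
# path that does not exist; LEAKY is a protected path on an app that answers 403;
# HARDENED is the same protected path after the app was changed to answer like CONTROL.
CONTROL = Observation(404, {"Content-Type": "text/html"}, "Not Found", [40.0, 45.0, 42.0])
LEAKY = Observation(403, {"Content-Type": "text/html", "X-RateLimit-Remaining": "99"},
                    "Forbidden", [120.0, 130.0, 125.0])
HARDENED = Observation(404, {"Content-Type": "text/html"}, "Not Found", [44.0, 41.0, 46.0])

if __name__ == "__main__":
    for name, obs in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(name, differential(obs, CONTROL) or "no oracle")
```

The hardened pair returns an empty dict: status, body, header set and median latency all match within the floor, which is the condition a fix has to reach on every channel at once.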