parlov docs

Auth Contexts

The three perspectives from which every oracle must be evaluated. The same endpoint can have an oracle in one context and none in another.

Implemented

Every oracle must be evaluated across three authentication contexts, because the oracle that exists — and its severity — depends entirely on who is observing it:

  1. Unauthenticated — no credentials. The server has no identity for the caller. An oracle here means anyone on the internet can enumerate resources.
  2. Authenticated, no access — valid credentials, but the resource is off-limits. The server knows who the caller is and rejects the request. An oracle here means authenticated users can discover resources they shouldn't know about.
  3. Authenticated, has access — valid credentials, and the server grants the read. Existence is confirmed, and the response may carry the full resource representation; when that access should never have been granted, this is an IDOR rather than a mere existence leak.

The same endpoint can have an oracle in one context and no oracle in another. A server might normalize 403 and 404 into one response for unauthenticated callers but leak the 403/404 differential to authenticated ones, or vice versa. A finding is therefore always "oracle in context X", never "oracle on endpoint Y".

parlov evaluates one auth context per invocation. The operator runs it once per credential set (none, no-access, has-access) against the same probe IDs to cover all three perspectives. The tool does not compare across authentication levels internally — that composition is left to the operator.
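The following is an added example of that composition step, written for this page and not part of parlov itself. It probes one known-existing and one known-missing resource ID under each of the three contexts and reports per context whether the two responses differ. The server is a constructed stand-in so the example runs offline: it normalizes anonymous callers to 404 but answers authenticated callers with 403 when a resource exists and is not theirs, which is exactly the "no oracle in one context, oracle in another" case described above. The resource IDs, tokens and fingerprint features are assumptions for illustration.

```python
"""Added example (not parlov's own code): evaluate an existence oracle
across the three auth contexts. The target is a constructed stand-in so
the example runs offline; in practice fetch() would hit a real endpoint."""
from dataclasses import dataclass

# Constructed server state (assumption): which IDs exist and who owns them.
RESOURCES = {"doc-100": "alice", "doc-200": "bob"}
TOKENS = {"alice-token": "alice", "bob-token": "bob"}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def server_get(resource_id, token=None):
    """Constructed target. Anonymous callers always get a normalized 404,
    so no oracle exists for them. Authenticated callers get 403 when the
    resource exists but is not theirs, so the 403/404 differential leaks
    existence to any valid account."""
    if token not in TOKENS:
        return Response(404, "not found")  # normalized for anonymous callers
    user = TOKENS[token]
    owner = RESOURCES.get(resource_id)
    if owner is None:
        return Response(404, "not found")
    if owner != user:
        return Response(403, "forbidden")  # differs from 404: oracle
    return Response(200, f"contents of {resource_id}")


def fingerprint(resp):
    """Reduce a response to the features an oracle can be built on.
    Status and body length only here; real tooling would also compare
    headers, body structure and timing."""
    return (resp.status, len(resp.body))


def has_oracle(existing_id, missing_id, token=None, fetch=server_get):
    """One auth context: do the existing and missing IDs look different?
    Returns (differs, existing_fingerprint, missing_fingerprint)."""
    fp_exist = fingerprint(fetch(existing_id, token))
    fp_missing = fingerprint(fetch(missing_id, token))
    return fp_exist != fp_missing, fp_exist, fp_missing


def evaluate_contexts(existing_id, missing_id, no_access_token,
                      access_token, fetch=server_get):
    """Run the same pair of IDs under all three contexts and collect the
    per-context verdicts. This is the cross-context composition the
    operator does by hand when running parlov once per credential set."""
    contexts = {
        "unauthenticated": None,
        "authenticated, no access": no_access_token,
        "authenticated, has access": access_token,
    }
    results = {}
    for name, token in contexts.items():
        differs, fp_e, fp_m = has_oracle(existing_id, missing_id, token, fetch)
        results[name] = {"oracle": differs, "existing": fp_e, "missing": fp_m}
    return results


if __name__ == "__main__":
    # doc-100 exists (owned by alice); doc-999 does not. bob has no access.
    report = evaluate_contexts("doc-100", "doc-999", "bob-token", "alice-token")
    for ctx, r in report.items():
        verdict = "ORACLE" if r["oracle"] else "no oracle"
        print(f"{ctx:26s} {verdict:10s} existing={r['existing']} "
              f"missing={r['missing']}")
```

The point of the fingerprint is that the 403 and 404 bodies in this stand-in have the same length, so body size alone would miss the leak; the status code is what separates them. Keep the probe IDs identical across the three runs, otherwise the contexts are not comparable.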