The Differential Principle
Why a single HTTP response proves nothing, and how paired inputs drive every oracle parlov detects.
Every oracle in parlov is a differential — the difference in behavior between two controlled inputs. Never a single response in isolation. Always a comparison.
The inputs are:
- Baseline — a request using a known-valid input (an existing resource ID, a registered email, a valid username). This is the control.
- Probe — an identical request using a suspect or known-invalid input (a nonexistent resource ID, an unregistered email, a random UUID). This is the experimental condition.
Everything else is held constant: same endpoint, same method, same headers, same body structure. The only variable is the input identifier. Any difference in the server's response — status code, headers, body content, timing — is a signal.
A single response proves nothing. A 403 on its own could mean anything. But a 403 for one input and a 404 for another, with all else equal, is a differential that confirms the server distinguishes between the two inputs internally and exposes that distinction externally.
This principle applies uniformly across all oracle classes. Existence oracles diff status codes. Authentication oracles diff error messages. Timing oracles diff response latencies. The surface changes; the method does not.
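As an added example (not parlov's own code), here is the baseline/probe comparison described above, run over recorded observations from an endpoint you are assessing. The `Observation` type, the `VOLATILE` header list and the 50 ms timing threshold are assumptions, and the sample responses are constructed.

```python
from dataclasses import dataclass
from statistics import median

# Headers that change on every request regardless of input (assumed list);
# diffing them would report noise as signal.
VOLATILE = {"date", "x-request-id", "set-cookie"}

@dataclass
class Observation:
    status: int
    headers: dict
    body: str
    latencies_ms: list  # repeated timings of the same request

def differential(baseline, probe, timing_threshold_ms=50.0):
    """Return (surface, baseline_value, probe_value) for each surface that differs."""
    signals = []
    if baseline.status != probe.status:
        signals.append(("status", baseline.status, probe.status))
    b = {k.lower(): v for k, v in baseline.headers.items()}
    p = {k.lower(): v for k, v in probe.headers.items()}
    for name in sorted((b.keys() | p.keys()) - VOLATILE):
        if b.get(name) != p.get(name):
            signals.append(("header:" + name, b.get(name), p.get(name)))
    if baseline.body != probe.body:
        signals.append(("body", baseline.body, probe.body))
    # Medians over repeated samples: one slow request must not count as a signal.
    b_med, p_med = median(baseline.latencies_ms), median(probe.latencies_ms)
    if abs(b_med - p_med) >= timing_threshold_ms:
        signals.append(("timing_ms", b_med, p_med))
    return signals

# Constructed observations: same endpoint, method, headers and body structure;
# only the resource identifier differs.
JSON = "application/json"
EXISTING = Observation(403, {"Content-Type": JSON, "Date": "Mon, 01 Jan 2024 00:00:00 GMT"},
                       '{"error":"forbidden"}', [112.0, 118.0, 109.0])
MISSING = Observation(404, {"Content-Type": JSON, "Date": "Mon, 01 Jan 2024 00:00:01 GMT"},
                      '{"error":"not found"}', [21.0, 25.0, 19.0])
# The same known-valid input after the endpoint is changed to answer uniformly.
UNIFORM = Observation(404, {"Content-Type": JSON, "Date": "Mon, 01 Jan 2024 00:00:02 GMT"},
                      '{"error":"not found"}', [22.0, 20.0, 24.0])

if __name__ == "__main__":
    print(differential(EXISTING, MISSING))  # status, body and timing all differ
    print(differential(UNIFORM, MISSING))   # no surface separates the inputs
```

An empty result is the outcome a fix should produce: the server may still distinguish the two inputs internally, but no surface exposes the distinction.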