parlov docs

DELETE — Error Message Granularity

Focuses on state constraint violations under the Error Message Granularity class.

Implemented


409 / 403 — Foreign Key and Lock Violations

Vector

Triggering foreign key or application-level lock errors. Even when the caller has no permission to delete an object, the server may evaluate relational constraints (foreign keys, row locks, "has active children" rules) before the authorization check, or instead of it, and return a state-specific error. That error confirms the object exists and describes what it is linked to, leaking edges of the internal object graph to an unauthorized caller.

Example

DELETE /api/organizations/123 HTTP/1.1
Host: target.com

HTTP/1.1 409 Conflict
{"error": "Cannot delete organization with active subscriptions"}

---

DELETE /api/organizations/999 HTTP/1.1
Host: target.com

HTTP/1.1 404 Not Found
{"error": "Organization not found"}

Leaking Response / Methodology

  • What leaks: The application evaluates business logic ("active subscriptions") before or instead of authorization, so the response reveals both that the object exists and what it is related to.
  • Detection method: Send DELETE requests to a range of object IDs from a low-privilege or unauthenticated context, including IDs that are known not to exist as a control. Compare the status code and error string for each: a business logic constraint message ("Cannot delete ... with active ...") against the standard Not found message is the oracle. Account for rate limiting and per-ID side effects before scanning large ID ranges.

Elicitation: Business Logic / State Conflict

Destructive

Mechanism: Triggering relational database constraints or application state locks by performing an action the caller is not allowed to perform. To evaluate these rules at all, the server must first load the parent or target resource, so the response reflects whether that lookup succeeded.

Isolated Variable: A standard, authenticated mutation request targeting a resource in a state that blocks the mutation (e.g., active dependencies), sent by a caller who should not be able to mutate it.

Oracle Signal: 409 with a state-specific error (exists, and has dependents) vs 404 (does not exist). A 403 on some IDs and 404 on others is the same oracle with a different code.

DELETE — Existing Resource

DELETE /api/organizations/1001 HTTP/1.1
Host: target.com

HTTP/1.1 409 Conflict
Content-Type: application/json

{"error": "Cannot delete organization with active subscriptions"}

DELETE — Non-Existing Resource

DELETE /api/organizations/9999 HTTP/1.1
Host: target.com

HTTP/1.1 404 Not Found
Content-Type: application/json

{"error": "Organization not found"}

Mitigation: Run the authorization check before any state or relational constraint is evaluated. A caller who is not permitted to delete the resource must receive the same response (same status, headers and body) whether the resource exists or not; returning the generic 404 for both cases is the usual choice. Only a caller who is authorized to delete the resource should ever see the 409, and its message should not leak internal relational metrics (e.g., active subscription counts or the IDs of dependent objects).
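The check ordering behind the Elicitation mechanism above and the mitigation in this paragraph, as an added example that is not parlov's code or any real framework's: a constructed in-memory DELETE handler in its leaking form beside its hardened form, plus a probe implementing the detection method from the methodology section (send DELETE to several IDs as a low-privilege caller and group IDs by the response they produce). The organization table, caller names and the subscription-count message are constructed sample data.

```python
"""Constructed model of a DELETE /api/organizations/{id} handler.

Not the page's or any project's code. Each handler returns
(status_code, json_body) so the two check orderings can be compared
without a web server or a network.
"""

# Constructed sample data: 123 exists with dependents, 456 exists with
# none, 999 does not exist. Both existing rows belong to "alice".
ORGS = {
    123: {"owner": "alice", "active_subscriptions": 2},
    456: {"owner": "alice", "active_subscriptions": 0},
}

# The one response an unauthorized caller should ever get for this route.
NOT_FOUND = (404, {"error": "Organization not found"})


def delete_org_vulnerable(orgs, org_id, caller):
    """State constraint evaluated before authorization (the leak).

    For a caller with no rights, the response already differs by ID:
    409 (exists, has dependents), 403 (exists, no dependents) or 404.
    The 409 body also carries an internal metric (the count).
    """
    org = orgs.get(org_id)
    if org is None:
        return NOT_FOUND
    if org["active_subscriptions"] > 0:      # relational rule first: oracle
        n = org["active_subscriptions"]
        return 409, {"error": f"Cannot delete organization with {n} active subscriptions"}
    if org["owner"] != caller:               # authorization comes too late
        return 403, {"error": "Forbidden"}
    orgs.pop(org_id)
    return 204, {}


def delete_org_hardened(orgs, org_id, caller):
    """Authorization decided before any existence-revealing logic.

    Missing row and unauthorized caller collapse onto the identical
    NOT_FOUND tuple, so nothing in the response depends on existence.
    The 409 is only reachable by an authorized caller and omits counts.
    """
    org = orgs.get(org_id)
    if org is None or org["owner"] != caller:
        return NOT_FOUND
    if org["active_subscriptions"] > 0:
        return 409, {"error": "Cannot delete organization with active subscriptions"}
    orgs.pop(org_id)
    return 204, {}


def probe(handler, orgs, ids, caller):
    """Detection method: DELETE each id as `caller`, group ids by response.

    Returns {(status, error_text): [ids...]}. Each request runs against
    a fresh copy of the table so a successful delete cannot skew the
    next probe.
    """
    groups = {}
    for org_id in ids:
        status, body = handler(dict(orgs), org_id, caller)
        key = (status, body.get("error", ""))
        groups.setdefault(key, []).append(org_id)
    return groups


def is_existence_oracle(handler, orgs, ids, caller):
    """True when an unauthorized caller can tell the probed ids apart."""
    return len(probe(handler, orgs, ids, caller)) > 1


if __name__ == "__main__":
    ids = [123, 456, 999]
    for name, handler in (("vulnerable", delete_org_vulnerable),
                          ("hardened", delete_org_hardened)):
        print(name, probe(handler, ORGS, ids, caller="mallory"))
```

Run as "mallory" (a caller who owns nothing), the vulnerable handler splits the three IDs into three response classes, which is exactly the 409 / 403 / 404 oracle the page describes; the hardened handler returns one class for all three. The owner path is unchanged: "alice" still receives the 409 for 123 and a 204 for 456, so the fix removes the oracle without removing the business rule.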
