parlov docs

POST — Error Message Granularity

Focuses on creation constraints and relationship conflicts under the Error Message Granularity class.

Implemented

409 / 400 — State Conflicts

Vector

Forcing state collisions during resource creation. When attaching a new resource to an existing parent or entity, the application may leak the state or existence of that parent through verbose error messages.

Example

POST /api/documents/123/comments HTTP/1.1
Host: target.com
{"text": "Hello"}

HTTP/1.1 409 Conflict
{"error": "Cannot attach comment to locked document"}

---

POST /api/documents/999/comments HTTP/1.1
Host: target.com
{"text": "Hello"}

HTTP/1.1 404 Not Found
{"error": "Document not found"}

Leaking Response / Methodology

  • What leaks: The error message explicitly details the internal state of the referenced object ("locked"), proving both its existence and its state, while a non-existent object results in a generic 404 message.
  • Detection method: Attempt to create resources attached to different parent IDs and diff the JSON error or detail attributes.

Elicitation: Business Logic / State Conflict

Destructive

Mechanism: Triggering relational database constraints or application state locks by performing disallowed actions. The server must find the parent or target resource to evaluate these specific rules.

Isolated Variable: A standard, authenticated mutation request targeting a resource in a state that blocks the mutation (e.g., active dependencies).

Oracle Signal: 409 with a state-specific error (exists) vs 404 (does not exist).


Elicitation: Content-Type Mismatches & Payload Truncation

Destructive

Mechanism: Sending intentionally truncated payloads to exercise the parsing layer. If the application resolves the route (and looks up the parent resource) before parsing the body, a syntactically invalid body produces a parse error for existing IDs but a 404 for missing ones.

Isolated Variable: A truncated JSON body that violates JSON syntax.

Oracle Signal: 400 with a parser exception (exists) vs 404 (does not exist).

POST — Existing Resource

POST /api/documents/1001/comments HTTP/1.1
Host: target.com
Content-Type: application/json
Content-Length: 10

{"text": "

HTTP/1.1 400 Bad Request
Content-Type: application/json

{"error": "SyntaxError: Unexpected end of JSON input"}

POST — Non-Existing Resource

POST /api/documents/9999/comments HTTP/1.1
Host: target.com
Content-Type: application/json
Content-Length: 10

{"text": "

HTTP/1.1 404 Not Found
Content-Type: application/json

{"error": "Not Found"}

Mitigation: Move request payload parsing to a global middleware layer that runs before route resolution, so a malformed body is rejected with the same 400 regardless of whether the routed parent resource exists.
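The following is an added example, not code from parlov or from any target described on this page. It models the comment-creation endpoint from both elicitation sections above (409/404 state conflicts and 400/404 payload truncation) as two plain JavaScript handlers: one that resolves the parent before parsing the body and echoes internal state, and one that parses first and gates state-specific errors on authorization. The document store, the actor/`canRead` authorization model, and the hardened error strings are constructed assumptions; `oraclePresent` is the check a defender would run in a regression test to confirm that an existing and a non-existing parent are indistinguishable to an unauthorized caller.

```javascript
// Added example (not parlov's code): in-memory model of
// POST /api/documents/:id/comments, written two ways so the orderings
// route-then-parse and parse-then-route can be compared offline.

// Constructed sample state: 123 exists and is locked, 1001 exists and is open;
// 999 and 9999 do not exist.
const documents = new Map([
  [123, { locked: true }],
  [1001, { locked: false }],
]);

// Constructed actors (assumed authorization model): who may read which document.
const actors = {
  owner: { canRead: (id) => documents.has(id) }, // may see every document
  outsider: { canRead: () => false },            // may see none
};

// JSON parsing that reports failure as a value instead of throwing.
function parseBody(raw) {
  try {
    return { ok: true, value: JSON.parse(raw) };
  } catch (err) {
    return { ok: false, message: err.message };
  }
}

// Leaky pipeline: the parent document is resolved BEFORE the body is parsed,
// and error strings echo internal state. This reproduces the behaviour the
// page describes: 404 for a missing parent, 400 or 409 for an existing one.
function leakyCreateComment(actor, docId, rawBody) {
  const doc = documents.get(docId);
  if (!doc) return { status: 404, body: { error: 'Not Found' } };
  const parsed = parseBody(rawBody);
  if (!parsed.ok) {
    return { status: 400, body: { error: `SyntaxError: ${parsed.message}` } };
  }
  if (doc.locked) {
    return { status: 409, body: { error: 'Cannot attach comment to locked document' } };
  }
  return { status: 201, body: { text: parsed.value.text } };
}

// Hardened pipeline: (1) body validation runs first, as a global middleware
// would, so a malformed body yields the same 400 whether or not the parent
// exists; (2) existence and state checks are gated on authorization, so a
// caller who may not read the document gets one generic 404 for "missing"
// and "locked" alike. The state-specific 409 is returned only to callers
// already permitted to see the document's state.
function hardenedCreateComment(actor, docId, rawBody) {
  const parsed = parseBody(rawBody);
  if (!parsed.ok || typeof parsed.value !== 'object' || parsed.value === null ||
      typeof parsed.value.text !== 'string') {
    return { status: 400, body: { error: 'Malformed request body' } };
  }
  const doc = documents.get(docId);
  if (!doc || !actor.canRead(docId)) {
    return { status: 404, body: { error: 'Not Found' } };
  }
  if (doc.locked) {
    return { status: 409, body: { error: 'Document is locked' } };
  }
  return { status: 201, body: { text: parsed.value.text } };
}

// Defender-side uniformity check: any difference in status or serialized body
// between the existing-parent and missing-parent responses is an oracle.
function responsesDiffer(a, b) {
  return a.status !== b.status || JSON.stringify(a.body) !== JSON.stringify(b.body);
}

function oraclePresent(handler, actor, existingId, missingId, rawBody) {
  return responsesDiffer(
    handler(actor, existingId, rawBody),
    handler(actor, missingId, rawBody),
  );
}

const TRUNCATED = '{"text": "';                  // the 10-byte body from the page's example
const VALID = JSON.stringify({ text: 'Hello' });  // a well-formed body

// Usage: an unauthorized caller probing existing vs. missing parents.
console.log('leaky, truncated body:   ', oraclePresent(leakyCreateComment, actors.outsider, 1001, 9999, TRUNCATED));
console.log('hardened, truncated body:', oraclePresent(hardenedCreateComment, actors.outsider, 1001, 9999, TRUNCATED));
console.log('leaky, locked parent:    ', oraclePresent(leakyCreateComment, actors.outsider, 123, 999, VALID));
console.log('hardened, locked parent: ', oraclePresent(hardenedCreateComment, actors.outsider, 123, 999, VALID));
```

The check is deliberately strict: it compares the full serialized body, not just the status code, because the "Detection method" above diffs the JSON `error` attributes, so two 400s with different messages would still be an oracle. In the hardened handler the authorized owner still receives the 409 on the locked document, which keeps the legitimate signal without exposing it to callers who could not otherwise learn the document exists.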
