Status Code Diff
The server returns different HTTP status codes for existing vs. nonexistent resources on the same endpoint. This is the most common and most exploitable existence oracle vector.
The mechanism is structural: when a server's request pipeline resolves the target resource before evaluating constraints (authentication, authorization, content negotiation, preconditions, rate limits), the constraint check only fires for existing resources. Nonexistent resources short-circuit to 404 before the constraint is ever evaluated. The status code differential between "failed at constraint check" and "failed at resource lookup" reveals which path executed, and therefore whether the resource exists.
A 403 Forbidden vs. 404 Not Found directly confirms existence. A 410 Gone vs. 404 confirms historical existence. Dozens of other code pairs create the same binary signal.
Elicitation Strategies
Techniques for actively forcing a server into a state that leaks an existence oracle via status code differential, organized by the type of request manipulation required.
🛠️ Playbook Contribution Instructions
To expand this playbook with concrete examples, follow this methodology for each technique:
- Provide a Concrete Request/Response Pair: Do not just say "send a bad header." Provide an exact, copy-pasteable raw HTTP request block and the expected raw HTTP response.
- Warn if Destructive: If a technique uses state-mutating methods (POST/PUT/PATCH/DELETE) that may alter or destroy data, mark it with a ⚠️ Destructive warning. This playbook is intended for testing against your own servers or those you have explicit permission to test.
- Isolate the Variable: The payload should change only one thing from a standard request. If you change multiple variables, you cannot definitively prove which layer of the pipeline caused the differential.
- Account for Method Variations: If a technique works differently depending on the HTTP method, provide separate Request/Response examples demonstrating the variance.
- Document the Mitigation: For each successful elicitation technique, include a brief note on how to fix the routing pipeline to collapse the oracle.
Establishing the Baseline
- Standard Baseline: Send well-formed GET/HEAD to a known-invalid ID (Expected: 404).
- Creation Baseline: Send valid POST/PUT/PATCH to a known-invalid ID (Expected: 404 or 201).
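The following is an added example, not code from the original playbook. It models the pipeline-ordering mechanism described above (resource lookup before vs. after constraint evaluation) and the baseline comparison from this section, without any web framework: two hypothetical handlers for a constructed `/docs/<id>` route, one that resolves the resource first (and so answers 401/403 for existing ids but 404 for missing ones), and one that runs the resource-independent check (authentication) before the lookup and collapses the resource-dependent check (authorization) into 404. `status_differential` implements the baseline rule of changing only one variable, the id, between two otherwise identical requests. The document store, owner names and ids are constructed for the example.

```python
"""Existence oracle from handler ordering, plus the baseline comparison.

Added example (not code from the original playbook). The document store,
the two handlers and the caller names are hypothetical and constructed here
so the module runs offline with no web framework.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed sample store: document id -> owner and content.
DOCS = {
    "doc-1": {"owner": "alice", "body": "alice's notes"},
    "doc-2": {"owner": "bob", "body": "bob's notes"},
}


@dataclass
class Request:
    method: str
    path: str
    user: Optional[str] = None  # None means unauthenticated


@dataclass
class Response:
    status: int
    body: str = ""


def _doc_id(path: str) -> Optional[str]:
    """Extract the id from /docs/<id>; None if the path is not a doc route."""
    prefix = "/docs/"
    return path[len(prefix):] if path.startswith(prefix) else None


def handle_lookup_first(req: Request) -> Response:
    """Vulnerable ordering: resolve the resource, then evaluate constraints.

    A nonexistent id short-circuits to 404 before authentication or
    authorization is ever evaluated, so 401/403 vs. 404 reveals existence.
    """
    if req.method not in ("GET", "HEAD"):
        return Response(405)
    doc = DOCS.get(_doc_id(req.path) or "")
    if doc is None:
        return Response(404)          # lookup failed
    if req.user is None:
        return Response(401)          # authentication failed (resource exists)
    if req.user != doc["owner"]:
        return Response(403)          # authorization failed (resource exists)
    return Response(200, doc["body"] if req.method == "GET" else "")


def handle_constraint_first(req: Request) -> Response:
    """Hardened ordering: evaluate constraints that do not need the resource
    before the lookup, and collapse the ones that do need it into 404.

    Authentication is resource-independent, so it runs first and every
    unauthenticated request gets 401 whether or not the id exists.
    Authorization needs the owner, so it runs after the lookup, but a
    non-owner gets the same 404 as a missing id.
    """
    if req.method not in ("GET", "HEAD"):
        return Response(405)
    if req.user is None:
        return Response(401)          # same answer for every id
    doc = DOCS.get(_doc_id(req.path) or "")
    if doc is None or req.user != doc["owner"]:
        return Response(404)          # collapsed: missing and forbidden look alike
    return Response(200, doc["body"] if req.method == "GET" else "")


Handler = Callable[[Request], Response]


def status_differential(handler: Handler, existing_id: str, invalid_id: str,
                        user: Optional[str] = None,
                        method: str = "GET") -> Tuple[int, int, bool]:
    """Baseline check: send the same request to a known-invalid id and to a
    known-existing id the caller must not access, and compare status codes.

    Returns (status_existing, status_invalid, leaks). leaks is True when the
    pair differs, i.e. the endpoint is an existence oracle for that caller.
    Only one variable changes between the two requests: the id.
    """
    s_existing = handler(Request(method, f"/docs/{existing_id}", user)).status
    s_invalid = handler(Request(method, f"/docs/{invalid_id}", user)).status
    return s_existing, s_invalid, s_existing != s_invalid


if __name__ == "__main__":
    for name, handler in (("lookup-first", handle_lookup_first),
                          ("constraint-first", handle_constraint_first)):
        for caller in (None, "alice"):  # unauthenticated, then a non-owner
            print(name, caller,
                  status_differential(handler, "doc-2", "doc-999", caller))
```

Run against the lookup-first handler, the unauthenticated baseline returns (401, 404, True) and the non-owner baseline (403, 404, True): both callers learn that `doc-2` exists. The constraint-first handler returns (401, 401, False) and (404, 404, False) for the same callers while still serving 200 to the owner, which is the shape a fixed routing pipeline should produce. The comparison is only meaningful for callers who must not have access; the owner legitimately sees 200 vs. 404.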
Cross-Method Techniques
Elicitation techniques that apply across all HTTP methods, independent of the specific method used.