# DELETE

Status code differentials observed via DELETE requests. All strategies in this section are OperationDestructive risk tier — may trigger irreversible state changes.
## Elicitation Strategies

### 200 / 204 vs 404

#### Vector

Server returns 204 No Content (or 200 OK) when a DELETE request successfully deletes an existing resource. If a resource does not exist, the server returns 404 Not Found (or 410 Gone if it tracks deletions). This binary differential is a definitive existence oracle.
#### Example

```http
DELETE /api/users/123 HTTP/1.1
Host: target.com

HTTP/1.1 204 No Content
---
DELETE /api/users/999 HTTP/1.1
Host: target.com

HTTP/1.1 404 Not Found
Content-Length: 27

{"error":"user not found"}
```

#### Leaking Response / Methodology

- **What leaks:** 204 vs 404 confirms user 123 existed and is now deleted.
### 202 vs 404

#### Vector

Server returns 202 Accepted when a DELETE request on an existing resource is queued for async deletion. Nonexistent resources bypass the queue entirely and return 404 Not Found.

#### Example

```http
DELETE /api/users/123 HTTP/1.1
Host: target.com

HTTP/1.1 202 Accepted
Content-Length: 42

{"status":"queued for deletion"}
---
DELETE /api/users/999 HTTP/1.1
Host: target.com

HTTP/1.1 404 Not Found
Content-Length: 27

{"error":"user not found"}
```

#### Leaking Response / Methodology

- **What leaks:** 202 vs 404 confirms user 123 exists. The async queueing confirms the resource was found during the initial routing-layer validation.
### 409 vs 404

#### Vector

Server returns 409 Conflict when a DELETE request fails due to the current state of an existing resource (e.g., trying to delete a user that has active dependencies/projects). A nonexistent resource returns 404.

#### Example

```http
DELETE /api/users/123 HTTP/1.1
Host: target.com

HTTP/1.1 409 Conflict
Content-Length: 64

{"error":"conflict","detail":"user has active projects"}
---
DELETE /api/users/999 HTTP/1.1
Host: target.com

HTTP/1.1 404 Not Found
Content-Length: 27

{"error":"user not found"}
```

#### Leaking Response / Methodology

- **What leaks:** 409 vs 404 confirms user 123 exists. The 409 body leaks constraints about the resource's state (e.g., the user has active projects).
### 405 vs 404

#### Vector

Server returns 405 Method Not Allowed (with the RFC-mandated `Allow` header listing supported methods) for existing resources that don't support the requested method, but 404 for nonexistent resources. The `Allow` header is a bonus — it enumerates the exact methods the resource accepts, mapping the API surface. Works with any method the resource doesn't support.

#### Example

```http
DELETE /api/users/123 HTTP/1.1
Host: target.com

HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, PATCH
Content-Length: 52

{"error":"method not allowed","allowed":["GET","HEAD","PATCH"]}
---
DELETE /api/users/999 HTTP/1.1
Host: target.com

HTTP/1.1 404 Not Found
Content-Length: 27

{"error":"user not found"}
```

#### Leaking Response / Methodology

- **What leaks:** 405 vs 404 confirms user 123 exists. The `Allow` header is mandatory on 405 responses per RFC 9110 §15.5.6 — the server cannot suppress it without violating the spec. The allowed methods enumerate the resource's full API surface (e.g., `GET, HEAD, PATCH` reveals it's readable and updatable but not deletable). Diff `Allow` headers across resource types to fingerprint resource categories.
## Cross-Method Oracles

The following oracles are not DELETE-specific but are observable via DELETE requests.
### 411 vs 404

#### Vector

Per RFC 9110 §15.5.12, a server returns 411 Length Required when the request lacks a `Content-Length` header and the server refuses to accept it without one. Although DELETE requests typically have no body, some servers enforce `Content-Length: 0` on all requests. If this check occurs after resolving the resource, existing resources trigger 411 while nonexistent ones return 404.

#### Example

```http
DELETE /api/users/123 HTTP/1.1
Host: target.com
Transfer-Encoding: chunked

0

HTTP/1.1 411 Length Required
---
DELETE /api/users/999 HTTP/1.1
Host: target.com
Transfer-Encoding: chunked

0

HTTP/1.1 404 Not Found

{"error":"user not found"}
```

#### Leaking Response / Methodology

- **What leaks:** 411 vs 404 confirms user 123 exists. The server resolved the resource before checking for `Content-Length`.
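From the defender's side, the oracles on this page share one traffic shape: a single client issuing DELETE requests against many sequential or guessed ids and receiving mostly 404s, with the occasional 405, 409 or 411 marking a hit. The following is an added example, not code from the original page: a small detector that parses access-log lines, summarizes DELETE traffic per client and flags the sweep pattern. The log lines are constructed samples in Combined Log Format (clients drawn from the documentation address ranges), and the thresholds in `flag_enumeration` are starting points to tune against a site's own baseline.

```python
"""
Added example (not from the original page): flag DELETE enumeration sweeps
in access logs. SAMPLE_LOG is a constructed sample, not captured traffic.
"""
import re
from collections import defaultdict

# Combined Log Format, reduced to the fields the detector needs.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: 203.0.113.5 walks sequential user ids with DELETE and
# collects mostly 404s plus two "exists" statuses; 198.51.100.7 is ordinary
# traffic including one legitimate repeat delete that lands on 404.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "DELETE /api/users/100 HTTP/1.1" 404 27
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "DELETE /api/users/101 HTTP/1.1" 404 27
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "DELETE /api/users/102 HTTP/1.1" 405 52
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "DELETE /api/users/103 HTTP/1.1" 404 27
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "DELETE /api/users/104 HTTP/1.1" 404 27
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "DELETE /api/users/105 HTTP/1.1" 404 27
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "DELETE /api/users/106 HTTP/1.1" 409 64
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "DELETE /api/users/107 HTTP/1.1" 404 27
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "DELETE /api/users/108 HTTP/1.1" 404 27
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "DELETE /api/users/109 HTTP/1.1" 404 27
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /api/users/42 HTTP/1.1" 200 311
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "DELETE /api/users/42 HTTP/1.1" 204 0
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "DELETE /api/users/42 HTTP/1.1" 404 27
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarize(lines):
    """Per-client DELETE statistics: request count, distinct paths, 404 count."""
    stats = defaultdict(lambda: {"deletes": 0, "paths": set(), "not_found": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "DELETE":
            continue
        s = stats[rec["client"]]
        s["deletes"] += 1
        s["paths"].add(rec["path"])
        if rec["status"] == 404:
            s["not_found"] += 1
    return stats


def flag_enumeration(lines, min_deletes=8, min_distinct=8, min_404_share=0.7):
    """Clients whose DELETE traffic looks like an existence sweep: many
    requests, many distinct targets, mostly 404s. Returns sorted tuples of
    (client, deletes, distinct paths, 404 share)."""
    flagged = []
    for client, s in summarize(lines).items():
        share = s["not_found"] / s["deletes"]
        if (s["deletes"] >= min_deletes
                and len(s["paths"]) >= min_distinct
                and share >= min_404_share):
            flagged.append((client, s["deletes"], len(s["paths"]), round(share, 2)))
    return sorted(flagged)


if __name__ == "__main__":
    for client, n, distinct, share in flag_enumeration(SAMPLE_LOG.splitlines()):
        print(f"{client}: {n} DELETEs over {distinct} ids, {share:.0%} 404")
```

The legitimate client is not flagged because its deletes hit one path and only half of them are 404s; the sweep is flagged on volume, spread and 404 share together, so a single user retrying a failed delete does not trip it. In production the same per-client counters belong in a windowed aggregation (per minute or per session) rather than over a whole file.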