parlov docs

Forcing 413 Content Too Large

Per RFC 9110 §15.5.14, a server returns 413 when the request content exceeds size limits.

Implemented

Mechanism: RFC 9110 §15.5.14 defines 413 for request content larger than the server is willing to process. The oracle appears when the application resolves the target resource before it enforces a size limit (per-resource limits): a request whose size exceeds the limit gets 413 if the resource exists, but 404 if the lookup fails first, because the size check is never reached.

Isolated Variable: Only the payload size changes. Headers and structure remain valid.

Oracle Signal: 413 (exists, per-resource limit hit) vs 404 (does not exist).
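The ordering described above, as an added example (not parlov's code): two minimal server models, one that looks up the resource before applying its size limit and one that checks size in front of routing. The document id, the limits and the route shape are constructed for illustration and are not taken from any real application.

```python
# Added example, not part of the original page. Models the two handler orderings
# behind the 413 existence oracle. All names and limits below are hypothetical.

MAX_BODY = 10 * 1024 * 1024              # hypothetical global ceiling: 10 MiB
ATTACHMENT_ROUTE_LIMIT = 1 * 1024 * 1024  # hypothetical limit for the attachments route

# Constructed in-memory store: document id -> per-resource attachment limit
DOCUMENTS = {
    "doc-abc": {"attachment_limit": ATTACHMENT_ROUTE_LIMIT},
}


def route_attachment(path: str):
    """Return the document id for /api/documents/<id>/attachments, else None."""
    parts = path.strip("/").split("/")
    if len(parts) == 4 and parts[:2] == ["api", "documents"] and parts[3] == "attachments":
        return parts[2]
    return None


def vulnerable_server(path: str, content_length: int) -> int:
    """Resolves the resource first, then applies that resource's own limit.
    Existence leaks: missing -> 404, present but oversized -> 413."""
    doc_id = route_attachment(path)
    if doc_id is None or doc_id not in DOCUMENTS:
        return 404
    if content_length > DOCUMENTS[doc_id]["attachment_limit"]:
        return 413
    return 201


def hardened_server(path: str, content_length: int) -> int:
    """Size checks run before any existence lookup, so the status never
    depends on whether the target exists."""
    # 1. Global ceiling enforced in front of routing (reverse proxy / middleware).
    if content_length > MAX_BODY:
        return 413
    # 2. Route-level limit derived from the URL pattern alone, still before lookup.
    doc_id = route_attachment(path)
    if doc_id is not None and content_length > ATTACHMENT_ROUTE_LIMIT:
        return 413
    if doc_id is None or doc_id not in DOCUMENTS:
        return 404
    return 201


def leaks_existence(server, size: int) -> bool:
    """True if an oversized request gets different answers for an existing
    and a missing document, i.e. the oracle is present at this probe size."""
    existing = server("/api/documents/doc-abc/attachments", size)
    missing = server("/api/documents/doc-missing/attachments", size)
    return existing != missing


if __name__ == "__main__":
    probe = 50 * 1024 * 1024  # matches the 52428800-byte Content-Length used above
    print("vulnerable leaks:", leaks_existence(vulnerable_server, probe))  # True
    print("hardened leaks:  ", leaks_existence(hardened_server, probe))    # False
```

Note the second check in the hardened version: a global ceiling alone only closes the oracle for probes above that ceiling. If per-route limits sit below it, a probe sized between the two still reaches the resource lookup, so the route limit must also be applied before the lookup.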

POST — Existing Parent Resource (File Upload)

POST /api/documents/doc-abc/attachments HTTP/1.1
Host: target.com
Content-Type: multipart/form-data; boundary=----Boundary
Content-Length: 52428800

------Boundary
Content-Disposition: form-data; name="file"; filename="large.bin"
Content-Type: application/octet-stream

<50 MB of binary data>
------Boundary--

HTTP/1.1 413 Content Too Large

vs. 404 when document doc-abc does not exist.

💡 Content-Length spoofing shortcut: Declare a massive Content-Length while sending a small body. Many servers compare Content-Length against their limit before reading the body and return 413 immediately. A server that insists on reading the declared body will instead hold the connection open until it times out, so send with Connection: close and a short read timeout, and treat a timeout as "no early answer" rather than as a signal. Be aware that a reverse proxy in front of the application may answer 413 itself, which masks whatever the application would have done.

💡 Distinguishing global vs per-resource limits: Send the same oversized request to a known-valid resource, a known-invalid resource, and a non-resource path. If all three return 413, the limit is global (no oracle). If the valid resource returns 413 while the invalid one returns 404, the oracle is confirmed. Anything else is inconclusive and should be repeated before drawing conclusions.
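The shortcut and the three-way comparison from the two tips above, as an added example (not parlov's code): a raw probe with a spoofed Content-Length, a sender with a read timeout, and a classifier for the three responses. The host, path and boundary are taken from the request shown earlier; the port, timeout and return labels are assumptions.

```python
# Added example, not part of the original page. Builds the spoofed-Content-Length
# probe, sends it with a timeout, and classifies the three-way comparison.
import socket

DECLARED_LENGTH = 50 * 1024 * 1024  # 52428800, as in the request shown above


def build_probe(host: str, path: str, declared_length: int = DECLARED_LENGTH) -> bytes:
    """Raw POST that declares a huge Content-Length but carries only the
    multipart preamble. A server that checks the header before reading the
    body answers 413 without waiting for the rest."""
    boundary = "----Boundary"
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {declared_length}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    body = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="file"; filename="large.bin"\r\n'
        "Content-Type: application/octet-stream\r\n"
        "\r\n"
    )
    return headers.encode() + body.encode()


def parse_status(response: bytes):
    """Status code from the first response line, or None if none arrived."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def send_probe(host: str, path: str, port: int = 80, timeout: float = 5.0):
    """Send the probe and return the status code. A server that waits for the
    declared body never answers; the timeout turns that into None."""
    received = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(host, path))
        try:
            while b"\r\n" not in received:  # the status line is all we need
                chunk = sock.recv(4096)
                if not chunk:
                    break
                received += chunk
        except socket.timeout:
            pass
    return parse_status(received)


def classify_oracle(valid, invalid, non_resource) -> str:
    """Three-way comparison: same oversized probe against a known-valid
    resource, a known-invalid one, and a path that is not a resource."""
    if valid == 413 and invalid == 413 and non_resource == 413:
        return "global limit (no oracle)"
    if valid == 413 and invalid != 413:
        return "per-resource limit (oracle confirmed)"
    return "inconclusive"


if __name__ == "__main__":
    # Network use, assumed target from the request above; not run by the test.
    host = "target.com"
    statuses = [
        send_probe(host, "/api/documents/doc-abc/attachments"),
        send_probe(host, "/api/documents/doc-does-not-exist/attachments"),
        send_probe(host, "/this/is/not/a/resource"),
    ]
    print(statuses, classify_oracle(*statuses))
```

The loop stops at the first CRLF because only the status line matters; a None from send_probe means the server wanted the full body, and the shortcut does not apply there, so fall back to sending the real payload.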

Mitigation: Enforce body size limits at the reverse proxy or in global middleware before routing to resource-specific handlers. Where limits legitimately differ by endpoint, derive them from the route pattern and check them before the existence lookup, so that an oversized request receives 413 whether or not the target exists.