parlov 0.1.0

HTTP oracle detection tool — systematic probing for RFC-compliant information leakage.

HTTP servers that faithfully implement RFC 9110 often leak protected internal state through deterministic differences in status codes. parlov detects those differential signals, classifies their severity, and reports whether an application is vulnerable to oracle-based enumeration.

cargo install parlov

usage

# GET existence check
parlov existence \
  --target "https://api.example.com/users/{id}" \
  --baseline-id "1001" \
  --method GET

# POST registration enumeration
parlov existence \
  --target "https://api.example.com/register" \
  --baseline-id "alice@corp.com" \
  --method POST \
  --body '{"email": "{id}", "password": "test123"}'

# HEAD — lightweight, no response body
parlov existence \
  --target "https://api.example.com/users/{id}/avatar" \
  --baseline-id "1001" \
  --method HEAD

# with auth header
parlov existence \
  --target "https://api.example.com/projects/{id}" \
  --baseline-id "proj-abc" \
  --method GET \
  --header "Authorization: Bearer eyJhbG..."

options

Flag            Description
--target        URL template with {id} placeholder
--baseline-id   Resource ID known to exist
--probe-id      Resource ID to test (defaults to random UUIDv4)
--method        HTTP method (defaults to GET)
--header        Request header in Name: Value format (repeatable)
--body          Body template with {id} placeholder
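
The comparison that --baseline-id and --probe-id set up can be sketched as follows. This is an added example, not parlov's own code: the names `Verdict`, `stable_status` and `classify` are hypothetical, and repeating each request to confirm the difference is deterministic is an assumption of this sketch.

```rust
// Added illustration; not parlov's source. All names here are hypothetical.
use std::collections::BTreeSet;

#[derive(Debug, PartialEq)]
enum Verdict {
    /// Both IDs always produce the same status: nothing to distinguish.
    NoSignal,
    /// A side is empty or varies between repeats: no deterministic difference.
    Unstable,
    /// Each side is stable and the two differ: the status reveals existence.
    Oracle { baseline: u16, probe: u16 },
}

/// Returns the single status seen in `samples`, or None if empty or varying.
fn stable_status(samples: &[u16]) -> Option<u16> {
    let distinct: BTreeSet<u16> = samples.iter().copied().collect();
    if distinct.len() == 1 {
        distinct.into_iter().next()
    } else {
        None
    }
}

/// Compares status codes for a known-existing ID against a random probe ID.
fn classify(baseline: &[u16], probe: &[u16]) -> Verdict {
    match (stable_status(baseline), stable_status(probe)) {
        (Some(b), Some(p)) if b == p => Verdict::NoSignal,
        (Some(b), Some(p)) => Verdict::Oracle { baseline: b, probe: p },
        _ => Verdict::Unstable,
    }
}

fn main() {
    // Constructed sample data: three repeats per ID against one endpoint.
    // Forbidden-but-exists (403) versus missing (404) leaks existence.
    println!("{:?}", classify(&[403, 403, 403], &[404, 404, 404]));
    // Uniform 404 for both cases: the mitigated behaviour.
    println!("{:?}", classify(&[404, 404, 404], &[404, 404, 404]));
    // A rate-limit response mixed in: not a deterministic signal.
    println!("{:?}", classify(&[200, 429, 200], &[404, 404, 404]));
}
```

An endpoint that answers "missing" and "exists but not permitted" with the same status classifies as NoSignal, which is the result a fix should produce.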

exit codes

Code   Meaning
0      Success
1      Runtime error

license

MIT OR Apache-2.0