parlov 0.7.0

HTTP oracle detection tool — systematic probing for RFC-compliant information leakage.

HTTP servers that faithfully implement RFC 9110 often leak protected internal state through deterministic differences in status codes, cache-conditional responses, and response metadata. parlov detects those differential signals, scores confidence with per-signal normative weighting, and reports whether an application is vulnerable to oracle-based enumeration.
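The differential described above, as an added illustration (not parlov's code or API): compare the response for a known-existing ID with the response for a random ID and list every deterministic difference. The `Resp` and `Signal` types, the volatile-header list and the sample responses are constructed for this example.

```rust
use std::collections::BTreeSet;

/// Minimal response record: status plus header name/value pairs (constructed model).
pub struct Resp {
    pub status: u16,
    pub headers: Vec<(&'static str, &'static str)>,
}

#[derive(Debug, PartialEq)]
pub enum Signal {
    Status { baseline: u16, probe: u16 },
    HeaderOnlyOnBaseline(String),
    HeaderOnlyOnProbe(String),
}

// Headers that change on every request regardless of resource state (assumed list).
const VOLATILE: [&str; 2] = ["date", "x-request-id"];

fn names(r: &Resp) -> BTreeSet<String> {
    r.headers
        .iter()
        .map(|(n, _)| n.to_ascii_lowercase())
        .filter(|n| !VOLATILE.contains(&n.as_str()))
        .collect()
}

/// Compare the response for a known-existing ID with the response for a random ID.
pub fn diff(baseline: &Resp, probe: &Resp) -> Vec<Signal> {
    let mut out = Vec::new();
    if baseline.status != probe.status {
        out.push(Signal::Status { baseline: baseline.status, probe: probe.status });
    }
    let (b, p) = (names(baseline), names(probe));
    out.extend(b.difference(&p).cloned().map(Signal::HeaderOnlyOnBaseline));
    out.extend(p.difference(&b).cloned().map(Signal::HeaderOnlyOnProbe));
    out
}

fn main() {
    // Constructed sample: unauthorized caller, existing ID vs. random ID.
    let leaky_hit = Resp { status: 403, headers: vec![("Date", "x"), ("ETag", "\"a1\"")] };
    let leaky_miss = Resp { status: 404, headers: vec![("Date", "y")] };
    // Hardened server: identical answer whether or not the resource exists.
    let uniform = Resp { status: 404, headers: vec![("Date", "z")] };
    println!("leaky:    {:?}", diff(&leaky_hit, &leaky_miss));
    println!("hardened: {:?}", diff(&uniform, &uniform));
}
```

An empty result for the hardened pair is the property to aim for: an unauthorized caller receives the same status and the same header set whether or not the resource exists.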

cargo install parlov

usage

manual probe (existence)

# GET existence check
parlov existence \
  --target "https://api.example.com/users/{id}" \
  --baseline-id "1001" \
  --method GET

# POST registration enumeration
parlov existence \
  --target "https://api.example.com/register" \
  --baseline-id "alice@corp.com" \
  --method POST \
  --body '{"email": "{id}", "password": "test123"}'

# HEAD — lightweight, no response body
parlov existence \
  --target "https://api.example.com/users/{id}/avatar" \
  --baseline-id "1001" \
  --method HEAD

# with auth header
parlov existence \
  --target "https://api.example.com/projects/{id}" \
  --baseline-id "proj-abc" \
  --method GET \
  --header "Authorization: Bearer eyJhbG..."

automated scan (scan)

# default: all vectors, safe risk
parlov scan \
  --target "https://api.example.com/users/{id}" \
  --baseline-id "1001"

# specific vector with risk ceiling
parlov scan \
  --target "https://api.example.com/users/{id}" \
  --baseline-id "1001" \
  --vector cache-probing:safe

# mixed risk per vector
parlov scan \
  --target "https://api.example.com/users/{id}" \
  --baseline-id "1001" \
  --vector status-code-diff:method-destructive \
  --vector cache-probing:safe \
  --vector error-message-granularity:safe

# redirect-diff vector with risk ceiling
parlov scan \
  --target "https://api.example.com/users/{id}" \
  --baseline-id "1001" \
  --vector redirect-diff:safe

# specific strategy
parlov scan \
  --target "https://api.example.com/users/{id}" \
  --baseline-id "1001" \
  --strategy cp-if-none-match

# SARIF output for CI integration
parlov scan \
  --target "https://api.example.com/users/{id}" \
  --baseline-id "1001" \
  --format sarif

There are 40 strategies across four detection vectors (17 status-code-diff + 8 cache-probing + 7 error-message-granularity + 8 redirect-diff). Each finding includes a confidence score, impact class, severity, and a deterministic finding ID for cross-run deduplication.

options

global

Flag      Description
--format  Output format: table (default), json, sarif

existence subcommand

Flag           Description
--target       URL template with {id} placeholder
--baseline-id  Resource ID known to exist
--probe-id     Resource ID to test (defaults to random UUIDv4)
--method       HTTP method (defaults to GET)
--header       Request header in Name: Value format (repeatable)
--body         Body template with {id} placeholder

scan subcommand

Flag               Description
--target           URL template with {id} placeholder
--baseline-id      Resource ID known to exist
--probe-id         Resource ID to test (defaults to random UUIDv4)
--header           Request header in Name: Value format (repeatable)
--vector           Detection vector with optional risk ceiling (repeatable)
--risk             Global risk ceiling for all vectors
--strategy         Run specific strategy by ID (repeatable)
--alt-credential   Alternative credential header for scope manipulation
--known-duplicate  Known duplicate value for uniqueness strategies
--state-field      State field name for state transition strategies

exit codes

Code  Meaning
0     Success
1     Runtime error

license

MIT OR Apache-2.0