parlov is an HTTP oracle detection tool positioned as a black-box differential scanner. Rather than emphasizing direct access to protected data, it examines differences in an API’s response surface under controlled requests to determine whether protected state is being exposed through HTTP behaviors that are “standards-compliant but exploitable.” A typical example given on the page is: when a resource exists but the user lacks permission, the API returns 403; when the resource does not exist, it returns 404. Both responses are RFC-compliant on their own, but together they can reveal whether the resource exists.
In terms of features and use cases, parlov mainly targets enumeration-related security risks: whether a resource exists, whether an account is registered, whether a tenant is active, whether an operation is allowed, and similar cases. Its analysis is based on RFC 9110 semantics, focusing on differences in status codes, error messages, redirect behavior, caching and conditional request headers, validation responses, and more. It is suitable for replacing one-off manual checks with a more systematic approach to detecting HTTP response differences. As for language/framework support, the collected text only indicates that it can be installed via cargo install parlov; it does not mention support for any specific web framework.
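To make the 403-versus-404 oracle described above concrete, here is a small differential check of the kind a defender can run against their own API before release. This is an added illustration, not parlov's code, and it does not reproduce parlov's internals; the two responses are constructed inline to model a hypothetical endpoint that answers 403 for an existing-but-forbidden resource and 404 for a missing one, and the hardened response shows what a uniform answer looks like.

```python
"""Differential comparison of two HTTP responses to detect an existence oracle.

Added example (not parlov's code). A "forbidden" response (resource exists,
caller lacks permission) is compared with a "missing" response (resource does
not exist). Any field that differs lets a caller infer existence, even though
each response on its own is RFC 9110 compliant.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    status: int
    headers: dict
    body: str


# Header fields that commonly differ between code paths and therefore leak
# state: RFC 9110 caching/validator fields plus framing and auth-challenge headers.
SIGNIFICANT_HEADERS = (
    "content-type",
    "content-length",
    "cache-control",
    "etag",
    "last-modified",
    "location",
    "www-authenticate",
    "vary",
)


def normalize_headers(headers):
    """Header field names are case-insensitive; compare them lower-cased."""
    return {k.lower(): v for k, v in headers.items()}


def diff_responses(a, b):
    """Return [(field, value_a, value_b), ...] for every distinguishing field."""
    diffs = []
    if a.status != b.status:
        diffs.append(("status", a.status, b.status))
    ha, hb = normalize_headers(a.headers), normalize_headers(b.headers)
    for name in SIGNIFICANT_HEADERS:
        va, vb = ha.get(name), hb.get(name)
        if va != vb:
            diffs.append((f"header:{name}", va, vb))
    if a.body != b.body:
        diffs.append(("body", a.body, b.body))
    return diffs


def is_existence_oracle(forbidden, missing):
    """True when the two responses can be told apart at all."""
    return len(diff_responses(forbidden, missing)) > 0


# Constructed sample: the leaky pattern from the text (403 vs 404, plus
# differing cache and validator headers and a different error body).
LEAKY_FORBIDDEN = Response(
    403,
    {"Content-Type": "application/json", "Cache-Control": "private", "ETag": '"abc"'},
    '{"error":"forbidden"}',
)
LEAKY_MISSING = Response(
    404,
    {"Content-Type": "application/json", "Cache-Control": "no-store"},
    '{"error":"not found"}',
)

# Hardened variant: the server answers identically whether or not the
# resource exists, so the comparison yields no distinguishing field.
UNIFORM_FORBIDDEN = Response(
    404,
    {"Content-Type": "application/json", "Cache-Control": "no-store"},
    '{"error":"not found"}',
)

if __name__ == "__main__":
    for field, va, vb in diff_responses(LEAKY_FORBIDDEN, LEAKY_MISSING):
        print(f"leaky endpoint differs in {field}: {va!r} vs {vb!r}")
    print("hardened endpoint is an oracle:",
          is_existence_oracle(UNIFORM_FORBIDDEN, LEAKY_MISSING))
```

The comparison deliberately looks beyond the status code: even when both paths return 404, a differing Content-Length, ETag or Cache-Control value still distinguishes them, which is why the headers list covers the caching and validator fields the text mentions.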
The text does not provide commercial pricing, license details, or open-/closed-source information, so it is not possible to determine whether it is free, open source, or has an enterprise edition. In terms of deployment, it appears to be a locally installable command-line tool, but there is no visible information about SaaS, server-side deployment, a self-hosted dashboard, API/SDK, or CI/CD integrations.
Its strength is that it focuses on a very specific problem area: detecting “legitimate response differences” that are often overlooked in API authorization and enumeration risk testing. Basing its approach on HTTP standard semantics also helps reduce conceptual ambiguity. The installation entry point is simple and friendly to developers familiar with Cargo. The main limitation is the lack of public information: there are no details on report formats, authentication configuration, large-scale scanning, false-positive control, or integration capabilities. Detection quality will also depend on the tester’s ability to design meaningful control requests.
parlov is suitable for application security teams, penetration testers, and API backend engineers to use in authorization testing, resource enumeration risk audits, and pre-launch security checks. The collected text does not indicate how accessible it is from China, and it is unclear whether its domain and documentation can be accessed reliably without workarounds. If Cargo dependency downloads are slow, configuring a domestic mirror may be necessary. Alternative or complementary tools include Burp Suite, OWASP ZAP, Nuclei, and ffuf.
⚠ This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the vendor's official site.
nosy.cc is a Dev Tools provider (company details unknown). TG4G tracks its product information, an overall rating of 6.0/10, and a China-accessibility score of Workable.