HPP V6 Patched
In early 2024, a medium-sized payment processor suffered a data breach traced to an unpatched HPP v6 vulnerability. The attacker:
Result: $470,000 in fraudulent transactions over 72 hours.
Post-mortem: The team had only tested HPP over IPv4. The root cause was the missing HPP v6 patched status on their HAProxy instances. After applying HAProxy 2.6.4+ (the patched version) and adding IPv6-aware parameter normalization rules, the attack path was closed.
In HTTP/2, parameter names can contain pseudo-headers or colons.
:param=good&param=bad – Could confuse reverse proxies.
Before the patch, an attacker could send an HTTP request over IPv6 containing:
GET /payment?amount=100&user=alice HTTP/1.1
Host: vulnerable.com
X-Forwarded-For: [2001:db8::1]
Duplicate parameters hidden in IPv6 hop-by-hop options.
The unpatched system would:
After applying the HPP v6 patch:
For those who want the nitty-gritty details, here is the raw changelog:
[04/20/2024] - v6.0.1 (Patched)
- FIXED: Memory leakage in KernelHandler causing crash on exit.
- FIXED: Incompatibility with API v4 endpoints.
- IMPROVED: Reduced async wait times on load.
- REMOVED: Deprecated legacy loader calls.
Have you encountered an issue not listed here? Please open a ticket on our [GitHub/Issue Tracker] or join the discussion on our [Discord/Forum].