
HPP v6 Patched

Many APIs accept array-style parameters (for example user[role]=admin). The unpatched v6 did not sanitize nested arrays recursively, so an attacker could insert rogue key-value pairs that bypassed the authorization middleware. The hpp v6 patched release adds deep-recursion limits and type-safe array merging.

# Install the pinned libmodsecurity release
sudo apt-get update
sudo apt-get install libmodsecurity3=3.0.8

# ModSecurity rule: '&ARGS:role' counts how often the 'role' argument appears,
# so the rule fires only on repeated parameters rather than on every multi-parameter request
SecRule &ARGS:role "@gt 1" "id:100001,phase:2,deny,msg:'HPP attempt over IPv6',logdata:'%{MATCHED_VAR_NAME}'"

# Apply the fix and rebuild nginx with the HPP filter module
cd /usr/local/src/nginx-1.24.0
patch -p1 < /path/to/hpp-v6-fix.patch
./configure --with-http_ssl_module --add-module=../ngx_http_hpp_filter_module
make && make install

# nginx.conf: normalize repeated parameters and choose which occurrence wins
http {
    hpp_normalize on;
    hpp_priority last;   # or 'first' based on security policy
}

You can test whether an endpoint is vulnerable to HPP over IPv6 with a simple curl request from an IPv6-enabled host:

curl -g -6 "https://yourdomain.com/api/login?role=guest&role=admin" -H "Host: yourdomain.com"

If the response grants admin privileges even though the first role parameter was guest, your system is vulnerable.

To test IPv6-specific pollution:

curl -6 --header "X-Forwarded-For: [2001:db8::1]" "https://yourdomain.com/vuln-endpoint?action=view&action=edit"
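The server-side counterpart to these checks, as an added example that is not part of the page or of any hpp release: a small Python normalizer that parses a raw query string without silently merging duplicates, reports repeated and array-style keys, rejects repeated sensitive parameters such as the role parameter used above, and otherwise resolves duplicates with a 'first' or 'last' policy (the names echo the hpp_priority values quoted above; the nesting limit and sensitive-key list are constructed for the example).

```python
"""Detect and normalize HTTP Parameter Pollution (HPP) in a raw query string.
Added example, independent of the page and of any hpp release; the 'first'/'last'
policy names echo the hpp_priority values quoted above but nothing else is shared."""
import re
from urllib.parse import parse_qsl

# Array-style keys such as user[role] or items[0][id]; group 2 holds the brackets.
NESTED_KEY = re.compile(r"^([^\[\]]+)((?:\[[^\[\]]*\])+)$")
MAX_NESTING = 2                      # constructed limit on bracket depth
SENSITIVE = ("role", "user[role]")   # constructed list of keys that must never repeat


def parse_query(query, policy="first", sensitive=SENSITIVE):
    """Return (params, findings) for a raw query string.

    params maps each key to one value chosen by policy ('first' or 'last'),
    findings lists every pollution indicator seen. A ValueError is raised when a
    sensitive key is repeated or a nested key exceeds MAX_NESTING.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    seen, findings = {}, []
    # parse_qsl keeps every pair, so duplicates stay visible instead of being merged
    for key, value in parse_qsl(query, keep_blank_values=True):
        m = NESTED_KEY.match(key)
        if m:
            depth = m.group(2).count("[")
            if depth > MAX_NESTING:
                raise ValueError(f"nesting depth {depth} exceeds {MAX_NESTING}: {key!r}")
            findings.append(f"nested key {key!r} (depth {depth})")
        seen.setdefault(key, []).append(value)
    params = {}
    for key, values in seen.items():
        if len(values) > 1:
            findings.append(f"duplicate key {key!r}: {values}")
            if key in sensitive:
                raise ValueError(f"polluted sensitive parameter {key!r}: {values}")
        params[key] = values[0] if policy == "first" else values[-1]
    return params, findings


def rejects(query, **kwargs):
    """True when parse_query refuses the query outright."""
    try:
        parse_query(query, **kwargs)
    except ValueError:
        return True
    return False
```

Because parse_qsl percent-decodes keys, an encoded form such as user%5Brole%5D=admin is classified the same way as user[role]=admin, which is the case a recursive sanitizer must not miss.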