Web Proxy Auto-Discovery Protocol (WPAD) is a method by which a client locates the URL of a proxy configuration file using DHCP and/or DNS. Once the location of the configuration file has been determined and the file itself retrieved, the client uses it to decide which proxy to use for each specific URL. WPAD defines only the mechanism for finding the configuration file; the file format most often used with it is the one Netscape developed in 1996 for Netscape Navigator 2.0. [1] WPAD was first described by a consortium of companies: Inktomi Corporation, Microsoft Corporation, RealNetworks, Inc., and Sun Microsystems, Inc. It was later documented in an INTERNET-DRAFT, which expired in December 1999. [2] WPAD is supported only by older browsers; it was first used in Internet Explorer 5.0.
Description
For all browsers in an organization to be configured without manually configuring each one, the following two technologies must work together:
- Proxy auto-config (PAC) standard: a configuration file must be created and made available. Its details are described in a separate article;
- Web Proxy Autodiscovery Protocol (WPAD) standard: every browser in the organization must be able to find this file without its location being specified manually. This article describes that process.
The WPAD standard describes two alternative methods by which system administrators can distribute the location of the configuration file: the Dynamic Host Configuration Protocol (DHCP) and the Domain Name System (DNS).
Before the first page is loaded, the browser sends a DHCPINFORM request to the local DHCP server and uses the URL from the WPAD option in the server's response. If the DHCP server cannot provide this information, DNS is used. If, for example, the DNS name of the computer is pc.department.branch.example.com, the browser tries the following URLs, in order, to find the configuration file:
- http://wpad.department.branch.example.com/wpad.dat
- http://wpad.branch.example.com/wpad.dat
- http://wpad.example.com/wpad.dat
- http://wpad.com/wpad.dat (see the security note below)
(These are only example URLs.)
Notes
- DHCP takes precedence over DNS: if DHCP provides a WPAD URL, DNS is not used. Firefox does not use DHCP, only DNS.
- In the DNS query, the first label of the domain name (the client's own name) is dropped and replaced with wpad. The browser then "moves up" the domain name hierarchy until the location of the configuration file is found or the organization's domain is left.
- The browser tries to determine the organization's domain and substitutes domain names such as 'company.com' or 'university.edu', but not 'company.co.uk' (see the security note).
- With the DNS method, the name of the configuration file is assumed always to be wpad.dat. With the DHCP method, any valid URL can be used. Historically the PAC file is usually called proxy.pac (this name is, of course, ignored when the DNS method is used).
- The MIME type of the configuration file must be exactly "application/x-ns-proxy-autoconfig". See proxy auto-config for details.
- Currently only Internet Explorer and Konqueror support both methods (DHCP and DNS); the DNS method is supported by most modern browsers.
Requirements
For WPAD to work, the following conditions must be met:
- With DHCP, the server must provide the "site-local" option 252 ("auto-proxy-config") with a string value of the form "http://xxx.yyy.zzz.qqq/wpad.dat" (without the quotes, of course), where xxx.yyy.zzz.qqq is the web server's address (in either form: IP address or DNS name).
- With DNS, a record for the WPAD host name is required.
- The WPAD host must be able to serve web pages.
- In both cases, the web server must be configured to serve .dat files with the MIME type "application/x-ns-proxy-autoconfig".
- A file named wpad.dat must be located in the root directory of the WPAD host.
- An example PAC file can be found in Proxy auto-config.
- Be careful when the WPAD server runs in a virtual hosting environment. During automatic proxy detection, Internet Explorer sends a header of the form "Host: <IP address>", while Firefox sends "Host: wpad". This can lead to unpredictable server behaviour, so it is recommended that wpad.dat be placed in the default virtual host.
- Internet Explorer version 6.0.2900.2180.xpsp_sp2_rtm requests "wpad.da" from the web server instead of "wpad.dat".
- Beginning with Windows Server 2008, and with the security update "MS09-008 for Windows Server 2003 DNS and WINS servers", the Global Query Block List is used: resolution of the WPAD and ISATAP names in DNS is forcibly blocked in order to counter WPAD server spoofing attacks.
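The requirements above amount to a web server that answers for wpad.dat at the root with exactly the PAC MIME type and nothing else. The following is an added example (not code from the article or from any browser or server project) of such a minimal WPAD host in Python's standard library; the PAC body, the internal domain .example.com and the proxy address proxy.example.com:3128 are constructed placeholders, and the "/wpad.da" alias is an assumption made to accommodate the Internet Explorer build mentioned above.

```python
"""Minimal WPAD host: serves wpad.dat from the root with the required MIME type.

Added example, not from the article or any project; the PAC body and the
proxy address proxy.example.com:3128 are constructed placeholders.
"""

from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

# The exact MIME type the article requires for the configuration file.
PAC_MIME = "application/x-ns-proxy-autoconfig"

# Constructed PAC body: go direct for the internal domain, otherwise via the proxy.
PAC_BODY = b"""function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, ".example.com")) { return "DIRECT"; }
    return "PROXY proxy.example.com:3128; DIRECT";
}
"""

# Only these root paths are answered. "/wpad.da" is an assumed alias for the
# Internet Explorer build mentioned in the article that truncates the file name.
PAC_PATHS = ("/wpad.dat", "/wpad.da")


def build_response(path: str) -> Tuple[int, Optional[str], bytes]:
    """Map a request path to (status, content-type, body).

    Everything except the PAC file is a 404: the WPAD host should not expose
    anything else at the root. The Host header is deliberately ignored so that
    both "Host: wpad" (Firefox) and "Host: <IP address>" (Internet Explorer)
    reach the same file, which is what placing wpad.dat in the default virtual
    host achieves on a full web server.
    """
    clean = path.split("?", 1)[0]
    if clean in PAC_PATHS:
        return 200, PAC_MIME, PAC_BODY
    return 404, None, b""


class WpadHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, ctype, body = build_response(self.path)
        if status != 200:
            self.send_error(status)
            return
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the example quiet


def is_valid_pac_content_type(value: str) -> bool:
    """Check a Content-Type header a client received against the exact type required
    (parameters such as charset are tolerated, the media type itself must match)."""
    return value.split(";", 1)[0].strip().lower() == PAC_MIME


if __name__ == "__main__":
    # Port 80 needs privileges; 8080 is enough for a local trial with curl.
    HTTPServer(("0.0.0.0", 8080), WpadHandler).serve_forever()
```

Run it and request http://127.0.0.1:8080/wpad.dat with curl -i: the response must carry Content-Type: application/x-ns-proxy-autoconfig, which is what is_valid_pac_content_type checks, and any other path must return 404.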
Security
Along with the ability to configure all browsers in an organization at once, the WPAD protocol must be used very carefully: simple mistakes can open the door for attackers to make changes through users' browsers:
- An attacker inside the network can start a DHCP server that offers a fake PAC script.
- If the organization's domain is "company.co.uk" and the file http://wpad.company.co.uk/wpad.dat does not exist, browsers will try http://wpad.co.uk/wpad.dat. The browser cannot tell when it has left the organization's domain. A good example is http://wpad.com/
- The same applies to http://wpad.org.uk. For example, a wpad.dat file from such a site could redirect all user traffic to an online auction site.
- ISPs that use DNS hijacking can intercept the DNS query made by the WPAD protocol, redirecting users to a site that is not a proxy.
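The DNS walk-up described in the Description section and the "company.co.uk" problem in the list above are two views of the same behaviour, so one added example covers both. The code below (written for this article, not taken from it or from any browser) reproduces the candidate list a client derives from its own DNS name, walking down to the bare top-level domain as in the article's example list, and lets an administrator supply the organization's domain to see which candidates fall outside it; those are the names that must be under the organization's control (or blocked) before WPAD is enabled. The organization-domain input and the client names used in the test are assumptions and constructed values.

```python
"""Enumerate the WPAD host names a client derives by the DNS method and flag
those outside the organization's domain.

Added example for this article; real browsers differ in where they stop the
walk-up (the article notes a 2005 Windows change covering only .com), so the
list here is the full walk shown in the article's example, an assumption.
"""

from typing import List, Tuple

WPAD_PATH = "/wpad.dat"


def wpad_candidates(client_fqdn: str) -> List[str]:
    """Drop the first label (the client's own name), put 'wpad' in its place,
    then remove one more leading label per step until only the TLD remains."""
    labels = client_fqdn.strip(".").lower().split(".")
    urls = []
    for i in range(1, len(labels)):
        urls.append("http://wpad." + ".".join(labels[i:]) + WPAD_PATH)
    return urls


def host_of(url: str) -> str:
    """Extract the host part of an http URL produced by wpad_candidates."""
    return url.split("//", 1)[1].split("/", 1)[0]


def inside_org(host: str, org_domain: str) -> bool:
    """True if host equals org_domain or is a subdomain of it."""
    org = org_domain.strip(".").lower()
    return host == org or host.endswith("." + org)


def classify(client_fqdn: str, org_domain: str) -> List[Tuple[str, bool]]:
    """Pair each candidate URL with whether its host lies inside org_domain.
    org_domain is administrator knowledge; the browser itself has no such input."""
    return [(u, inside_org(host_of(u), org_domain))
            for u in wpad_candidates(client_fqdn)]


def outside_org(client_fqdn: str, org_domain: str) -> List[str]:
    """Candidate URLs a client would try that are not controlled by the organization."""
    return [u for u, ok in classify(client_fqdn, org_domain) if not ok]


if __name__ == "__main__":
    # Constructed client names for illustration.
    for fqdn, org in (("pc.department.branch.example.com", "example.com"),
                      ("pc.company.co.uk", "company.co.uk")):
        print(fqdn)
        for url, ok in classify(fqdn, org):
            print("  ", "inside " if ok else "OUTSIDE", url)
```

For pc.company.co.uk with organization domain company.co.uk the only candidate inside the organization is wpad.company.co.uk; if that name does not resolve or serve a file, the walk continues to names the organization does not own, which is exactly the situation the list above warns about. The practical check is therefore that outside_org is empty in effect, i.e. that the first in-organization candidate always answers.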
Through a WPAD file, an attacker can redirect users' browsers to his own proxy, intercept the transfer and modify all web traffic. Although a very simple change to WPAD handling was made in Windows in 2005, it protects only against problems involving the .com domain. The Kiwicon presentation shows what carelessness about even a small vulnerability can turn into: a simple domain in New Zealand was registered for tests, and within a few seconds proxy requests began to arrive from all countries.
Naturally, the administrator must be sure that users can trust all DHCP servers in the organization and that all possible WPAD domains for the organization are under its control.
Moreover, if no wpad domain is configured for the organization, users may reach some external, next-higher wpad domain and use it to configure themselves. Registering such a subdomain in a particular country would allow man-in-the-middle attacks on a huge share of that country's Internet traffic, if a proxy server were additionally installed and all traffic routed through it.
Finally, it should be mentioned that the WPAD method actually searches for and downloads a JavaScript file and then executes it in the browser, where, however, JavaScript may already be disabled in the settings.
Notes
- ↑ Navigator Proxy Auto-Config File Format. Netscape Navigator Documentation (March 1996). Retrieved September 29, 2009. Archived December 18, 2006.
- ↑ Gauthier, Paul; Josh Cohen; Martin Dunsmuir; Charles Perkins. INTERNET-DRAFT Web Proxy Auto-Discovery Protocol. IETF (July 28, 1999). Retrieved October 15, 2009. Archived April 23, 2012.
Links
- Stefaan Pouseele. Understand the process of automatically configuring Web Proxy and the firewall client in ISA Server 2004. Red Line Software (June 11, 2005). Retrieved May 14, 2010. Archived April 23, 2012.
- de Boyne Pollard, Jonathan. Automatic proxy HTTP server configuration in web browsers. Frequently Given Answers (2004). Archived April 23, 2012.
- Chris Paget. WPAD - Attacking the Proxy (2007). Archived April 23, 2012.
- David W. Hankins. HOWTO: WPAD (2008). Archived April 23, 2012.
- IETF 1999: Web Proxy Auto-Discovery Protocol - Expired internet draft.
- http://wpad.com/ - where all unmatched WPAD traffic from .com domains ends up.
- Waikato Linux Users Group Wiki 2004: WPAD
- FindProxyForURL.com - A Proxy Auto-Configuration Resources (PAC File & WPAD Examples)
- Proxy configuration notes for Konqueror
- AutoProxy for Windows; fully automatic proxy configuration tool for Internet Explorer and Firefox based on network location profiles (freeware)
- Navigator Proxy Auto-Config File Format (translation) - description of the PAC file format