WPAD stands for Web Proxy Auto-Discovery Protocol. It is an old protocol, but most browsers still support it. Most companies don't rely on WPAD because of its inherent vulnerability to man-in-the-middle attacks.
How WPAD Works
WPAD tells a Web browser what internet proxy to use when a user on a network requests a Web page. Specifically, WPAD shows the browser where to go to access a WPAD.dat configuration file that then provides the network details to the Web browser.
The WPAD protocol lets a domain admin point to a WPAD.dat config file using either DHCP or DNS. Admins might find this convenient since they can manage proxy settings for a company from a single point. Most admins do not use this method due to the non-secure nature of WPAD.
When a Web browser is asked to get a Web page, it first queries a DHCP server and, if that fails, falls back to a DNS query. Firefox is an exception, since it uses only the DNS query. If the DNS query also fails, the browser tries WINS (NetBIOS).
For DHCP, any type of URL is usable. Conversely, a standard DNS query tries several options, traversing the domain name while looking for the wpad.dat file:
So, for example, if your browser is trying to reach
http://mysite.com
Then the DNS attempt would be:
http://wpad.mysite.com/wpad.dat
If you have a URL that has several levels to it then the resolution failover takes several steps, which can result in a failed URL. So for example:
http://mysite.org.uk/
This URL would be a possible problem since the DNS attempts would be:
http://wpad.mysite.org.uk/wpad.dat
http://wpad.org.uk/wpad.dat
As you can see, the second attempt has nothing to do with our mysite.org.uk domain, and is a possible source of problems. In fact, the domain http://wpad.org.uk was once set to serve a wpad.dat file that sent the user's traffic to an auction site.
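The DNS walk described above, as an added example that is not part of the original article: it lists the wpad.dat URLs tried for a name and marks the ones that fall outside a domain the organisation controls. The function names `wpadCandidates` and `auditWpad`, the `orgDomain` parameter and the rule that the walk stops at two remaining labels are assumptions chosen to match the listings above.

```javascript
// Added example. Names and sample inputs are constructed for illustration.
// Assumption: the DNS walk stops once only two labels remain, which matches
// the listings in the article (mysite.org.uk ends at wpad.org.uk).

// Return the WPAD host names a client would try for the given DNS name.
function wpadCandidates(name) {
  const labels = name.toLowerCase().replace(/\.$/, "").split(".").filter(Boolean);
  const hosts = [];
  // Drop the leftmost label one step at a time: a.b.c -> b.c
  for (let i = 0; labels.length - i >= 2; i++) {
    hosts.push("wpad." + labels.slice(i).join("."));
  }
  return hosts;
}

// Mark each candidate URL by whether it sits under a domain the organisation
// controls (orgDomain). Anything else can be answered by an outside party.
function auditWpad(name, orgDomain) {
  const org = orgDomain.toLowerCase().replace(/\.$/, "");
  return wpadCandidates(name).map((host) => {
    const parent = host.slice("wpad.".length);
    const controlled = parent === org || parent.endsWith("." + org);
    return { url: `http://${host}/wpad.dat`, controlled };
  });
}

// Constructed inputs: the two domains used in the article plus a deeper name.
for (const [name, org] of [
  ["mysite.com", "mysite.com"],
  ["mysite.org.uk", "mysite.org.uk"],
  ["pc1.london.mysite.org.uk", "mysite.org.uk"],
]) {
  console.log(name);
  for (const c of auditWpad(name, org)) {
    console.log(`  ${c.controlled ? "ok      " : "EXTERNAL"} ${c.url}`);
  }
}
```

Any URL reported as EXTERNAL is one where the proxy configuration would come from a host the organisation does not run, which is the case to rule out before leaving auto-discovery enabled.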
Anatomy of WPAD
The MIME type of a wpad.dat file is: application/x-ns-proxy-autoconfig
The request sent by a browser on discovery is:
GET /wpad.dat HTTP/1.0
Inside the wpad.dat PAC (Proxy Auto-Config) file is a JavaScript function called FindProxyForURL that tells the browser what server to use as a proxy for all subsequent Web requests.
function FindProxyForURL(url, host) { return "PROXY proxy.mySite.com:80; DIRECT"; }
Disabling WPAD Auto-Discovery in Internet Explorer
For client browsers, make sure that IE is not set to automatically detect LAN settings:
- Click Tools –> Internet Options
- Click the ‘Connections’ tab
- Click the LAN Settings button
- Uncheck the checkbox ‘Automatically detect settings’
Helpful Links to WPAD Resources
Here is a Wikipedia entry explaining the PAC file format in detail:
http://en.wikipedia.org/wiki/Proxy_auto-config
Here are the steps for checking for WPAD on your DHCP Server:
http://technet.microsoft.com/en-us/library/bb794881.aspx
Microsoft instructions to troubleshoot WPAD problems:
http://technet.microsoft.com/en-us/library/cc302643.aspx
WPAD can be used by attackers on a network to compromise the network using man-in-the-middle attacks. For a detailed look into WPAD man-in-the-middle attack forensics, have a look at this article:
http://www.netresec.com/?page=Blog&month=2012-07&post=WPAD-Man-in-the-Middle