Web Proxy Autodiscovery Protocol
The Web Proxy Auto-Discovery Protocol (WPAD) is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once the configuration file has been located and downloaded, it is executed to determine the proxy for a given URL. The WPAD protocol only specifies the mechanism for discovering the location of this file; the most commonly deployed configuration file format is the Proxy auto-config (PAC) format, originally designed by Netscape in 1996 for Netscape Navigator 2.0.
The WPAD protocol was drafted by a consortium of companies including Inktomi Corporation, Microsoft Corporation, RealNetworks, Inc., and Sun Microsystems, Inc. WPAD is documented in an Internet-Draft which expired in December 1999; it is nevertheless still supported by all major browsers. WPAD was first shipped with Internet Explorer 5.0.
Context
In order for all browsers in an organization to be supplied the same proxy policy, without configuring each browser manually, both of the following technologies are required:
- Proxy auto-config (PAC) standard: create and publish one central proxy configuration file. Details are discussed in a separate article.
- Web Proxy Autodiscovery Protocol (WPAD) standard: ensure that an organization's browsers will find this file without manual configuration. This is the topic of this article.
The WPAD standard defines two alternative methods the system administrator can use to publish the location of the proxy configuration file, using the Dynamic Host Configuration Protocol (DHCP) or the Domain Name System (DNS):
Before fetching its first page, a web browser implementing this method sends the local DHCP server a DHCPINFORM query and uses the URL from the WPAD option in the server's reply. If the DHCP server does not provide the desired information, DNS is used. If, for example, the network name of the user's computer is pc.department.branch.example.com, the browser will try the following URLs in turn until it finds a proxy configuration file within the domain of the client:
- http://wpad.department.branch.example.com/wpad.dat
- http://wpad.branch.example.com/wpad.dat
- http://wpad.example.com/wpad.dat
- http://wpad.com/wpad.dat (only in incorrect implementations; see the note in Security below)
(Note: these are examples and may not be live URLs.)
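The devolution walk described above, written out as an added example (this is not code from the article, from the WPAD draft, or from any browser). It assumes the client is told its organisation's own domain, and it uses a small constructed stand-in for a public-suffix list. It also reproduces the flawed variant that keeps stripping labels past the organisation boundary, which is what produces requests for wpad.com here and for wpad.co.uk in the company.co.uk case discussed under Security.

```python
"""Candidate wpad.dat URLs for the DNS-based WPAD lookup (added example).

Assumptions (not from the article): the client is told its organisation's
domain, and PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix
List, not a complete one.
"""
from typing import List
from urllib.parse import urlsplit

# Constructed and deliberately tiny: a real client would load the full
# Public Suffix List or use the organisation's configured search boundary.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "org.uk", "nz", "org.nz"}


def is_public_suffix(domain: str) -> bool:
    return domain in PUBLIC_SUFFIXES


def wpad_candidates(hostname: str, org_domain: str = "", flawed: bool = False) -> List[str]:
    """Return the URLs a client tries, most specific first.

    hostname   fully qualified name of the client, e.g. pc.department.branch.example.com
    org_domain the organisation's domain; a correct client stops once it has tried it
    flawed     reproduce the broken devolution that ignores any boundary and keeps
               stripping labels until a single one is left (wpad.com, wpad.co.uk, ...)
    """
    labels = hostname.lower().rstrip(".").split(".")
    org = org_domain.lower().rstrip(".")
    urls: List[str] = []
    # Skip the host's own label: pc.a.b.example.com -> a.b.example.com first.
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if not flawed and is_public_suffix(suffix):
            break  # never ask a name the organisation cannot own
        urls.append(f"http://wpad.{suffix}/wpad.dat")
        if not flawed and org and suffix == org:
            break  # organisation boundary reached; stop here
    return urls


def outside_organisation(urls: List[str], org_domain: str) -> List[str]:
    """Return the candidates whose host lies outside org_domain: each one is a
    request that whoever registers wpad.<suffix> elsewhere gets to answer."""
    org = org_domain.lower().rstrip(".")
    leaked = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        if host != org and not host.endswith("." + org):
            leaked.append(url)
    return leaked


if __name__ == "__main__":
    for host, org in (("pc.department.branch.example.com", "example.com"),
                      ("pc.company.co.uk", "company.co.uk")):
        print(host, "correct:", wpad_candidates(host, org))
        print(host, "leaks when flawed:",
              outside_organisation(wpad_candidates(host, org, flawed=True), org))
```

The correct walk stops at wpad.example.com (or wpad.company.co.uk) both because that is the organisation's domain and because the next suffix is a public one; the flawed walk goes on to wpad.com, wpad.co.uk and wpad.uk, every one of which is answered by whoever controls that name.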
Requirements
In order for WPAD to work, a few requirements have to be met:
- In order to use DHCP, the server must be configured to serve up the "site-local" option 252 ("auto-proxy-config") with a string value of "http://example.com/wpad.dat" (without the quotes), where "example.com" is the address of a web server (either an IP address in dotted-quad format or a DNS name).
- In order to use the DNS-only method, a DNS entry is needed for a host named WPAD.
- The host at the WPAD address must be able to serve a web page.
- In both cases, the web server must be configured to serve the WPAD file with a MIME type of "application/x-ns-proxy-autoconfig".
- If the DNS method is used, a file named wpad.dat must be located in the WPAD web site's root directory.
- The PAC files themselves are discussed in the Proxy auto-config article.
- Use caution when configuring a WPAD server in a virtual hosting environment. When automatic proxy detection is used, WinHTTP and WinINET in Internet Explorer 6 and earlier send a "Host:" header that does not match a wpad virtual host name, whereas IE7+ and Firefox send a "Host: wpad" header. It is therefore recommended that the wpad.dat file be hosted under the default virtual host rather than under a virtual host of its own.
- Internet Explorer version 6.0.2900.2180.xpsp_sp2_rtm requests "wpad.da" instead of "wpad.dat" from the web server.
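The DHCP half of the procedure, as an added example that is not code from the article or from any DHCP implementation: the client's DHCPINFORM asking for option 252, the server's DHCPACK carrying it, and the client-side check before the URL is trusted. It assumes (none of this is from the article) that the client keeps a list of DHCP server identifiers it trusts, that the option value may carry a trailing NUL byte, and that only http:// URLs are accepted; the addresses and MAC are constructed.

```python
"""DHCP side of WPAD: DHCPINFORM for option 252 and the DHCPACK that answers
it (added example, not code from the article).

Assumptions (not from the article): the client has a set of trusted DHCP
server identifiers, the option value may end in a NUL, and only http://
URLs are accepted.
"""
import socket
import struct
from typing import Dict, Set

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_REQ, OPT_WPAD, OPT_END = 0, 53, 54, 55, 252, 255
DHCPACK, DHCPINFORM = 5, 8
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # the 236-byte fixed header of RFC 2131


def _header(op: int, xid: int, ciaddr: str, mac: bytes) -> bytes:
    # op, htype=1 (Ethernet), hlen=6, hops, xid, secs, flags, ciaddr, yiaddr,
    # siaddr, giaddr, chaddr, sname, file
    return struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0,
                       socket.inet_aton(ciaddr), b"\0" * 4, b"\0" * 4, b"\0" * 4,
                       mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)


def _options(opts: Dict[int, bytes]) -> bytes:
    body = b"".join(bytes([code, len(val)]) + val for code, val in opts.items())
    return DHCP_MAGIC + body + bytes([OPT_END])


def build_dhcpinform(xid: int, ciaddr: str, mac: bytes) -> bytes:
    """Client -> server: BOOTREQUEST carrying DHCPINFORM and a parameter
    request list that names option 252."""
    return _header(1, xid, ciaddr, mac) + _options({
        OPT_MSG_TYPE: bytes([DHCPINFORM]),
        OPT_PARAM_REQ: bytes([OPT_WPAD]),
    })


def build_dhcpack(xid: int, ciaddr: str, mac: bytes, server_ip: str, wpad_url: str) -> bytes:
    """Server -> client: BOOTREPLY carrying DHCPACK, the server identifier and
    option 252 = URL followed by a NUL (as some servers send it)."""
    return _header(2, xid, ciaddr, mac) + _options({
        OPT_MSG_TYPE: bytes([DHCPACK]),
        OPT_SERVER_ID: socket.inet_aton(server_ip),
        OPT_WPAD: wpad_url.encode("ascii") + b"\0",
    })


def parse_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area; a truncated packet is rejected, not guessed at."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return opts
        if i + 1 >= len(packet):
            break
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            break
        opts[code] = value
        i += 2 + length
    raise ValueError("truncated or unterminated option area")


def wpad_url_from_ack(ack: bytes, expected_xid: int, trusted_servers: Set[str]) -> str:
    """Client-side acceptance: right transaction, a DHCPACK, from a server we
    trust, carrying an http:// URL. Anything else is refused."""
    opts = parse_options(ack)
    xid = struct.unpack("!I", ack[4:8])[0]
    if xid != expected_xid:
        raise ValueError("transaction id mismatch")
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        raise ValueError("not a DHCPACK")
    server = socket.inet_ntoa(opts.get(OPT_SERVER_ID, b"\0\0\0\0"))
    if server not in trusted_servers:
        raise ValueError(f"DHCP server {server} is not trusted")
    if OPT_WPAD not in opts:
        raise ValueError("no WPAD option (252) in reply")
    url = opts[OPT_WPAD].rstrip(b"\0").decode("ascii")
    if not url.startswith("http://"):
        raise ValueError("unexpected WPAD URL scheme")
    return url
```

Real clients do not check the server identifier against a list, which is exactly why the rogue-DHCP-server attack described under Security works; the check here is the hardening a practitioner would add if the discovery were implemented by hand.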
Security
While greatly simplifying the configuration of an organisation's web browsers, the WPAD protocol has to be used with care: simple mistakes can open doors for attackers to change what appears in a user's browser:
- An attacker inside a network can set up a DHCP server that hands out the URL of a malicious PAC script.
- If the network is 'company.co.uk' and the file http://wpad.company.co.uk/wpad.dat isn't served, the browsers will go on to request http://wpad.co.uk/wpad.dat. The browser doesn't determine whether this is still inside the organization. See http://wpad.com/ for an example.
- The same method has been used with http://wpad.org.uk. This used to serve a wpad.dat file that would redirect all of the user's traffic to an internet auction site.
- ISPs that have implemented DNS hijacking can break the DNS lookup of the WPAD protocol by directing users to a host that is not a proxy server.
Through the WPAD file, the attacker can point users' browsers to their own proxies and intercept and modify all WWW traffic. Although a simplistic fix for Windows WPAD handling was applied in 2005, it only fixed the problem for the .com domain. A presentation at Kiwicon showed that the rest of the world was still critically vulnerable to this security hole, with a sample domain registered in New Zealand for testing purposes receiving proxy requests from all over the country at the rate of several a second.
Thus, an administrator should make sure that a user can trust all the DHCP servers in an organisation and that all possible wpad domains for the organisation are under control. Furthermore, if there is no wpad domain configured for an organisation, a user will go to whatever external location has the next wpad site in the domain hierarchy and use that for its configuration. This allows whoever registers the wpad subdomain in a particular country to perform a man-in-the-middle attack on large portions of that country's internet traffic by setting themselves up as a proxy for all traffic or for sites of interest.
On top of these traps, the WPAD method fetches a JavaScript file and executes it in every user's browser, even when the user has disabled JavaScript for viewing web pages.
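One check an administrator can run to see whether clients are already straying outside the organisation's wpad domains, as an added example that is not code from the article or from any vendor. It scans DNS query logs for wpad.* lookups whose name is not under a domain the organisation owns; those are precisely the requests an outside registrant of wpad.<suffix> gets to answer. The log lines are constructed for the demonstration (they follow dnsmasq's "query[TYPE] name from client" layout), and the organisation's domains, example.com and company.co.uk, are assumptions.

```python
"""Find WPAD lookups that leave the organisation in DNS query logs
(added example, not code from the article).

Assumptions (not from the article): the lines follow dnsmasq's
"query[TYPE] name from client" layout and are constructed here; the
organisation owns example.com and company.co.uk.
"""
import re
from typing import List, Tuple

# Constructed sample: one client devolving past example.com to wpad.com, a
# normal lookup, and a .co.uk client straying to wpad.co.uk and wpad.org.uk.
SAMPLE_LOG = """\
Mar  3 09:12:01 gw dnsmasq[811]: query[A] wpad.branch.example.com from 10.1.4.20
Mar  3 09:12:01 gw dnsmasq[811]: query[A] wpad.example.com from 10.1.4.20
Mar  3 09:12:02 gw dnsmasq[811]: query[A] wpad.com from 10.1.4.20
Mar  3 09:12:05 gw dnsmasq[811]: query[A] www.example.com from 10.1.4.21
Mar  3 09:12:07 gw dnsmasq[811]: query[A] wpad.company.co.uk from 10.1.4.22
Mar  3 09:12:07 gw dnsmasq[811]: query[A] wpad.co.uk from 10.1.4.22
Mar  3 09:12:09 gw dnsmasq[811]: query[A] wpad.org.uk from 10.1.4.22
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def in_domain(name: str, domain: str) -> bool:
    """True when name equals domain or sits below it."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def find_wpad_escapes(log_text: str, org_domains: List[str]) -> List[Tuple[str, str]]:
    """Return (client, name) for every wpad.* query that is not under one of
    the organisation's own domains, in log order."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        if not name.startswith("wpad."):
            continue
        if any(in_domain(name, d) for d in org_domains):
            continue  # a lookup the organisation itself answers
        hits.append((m.group("client"), name))
    return hits


if __name__ == "__main__":
    for client, name in find_wpad_escapes(SAMPLE_LOG, ["example.com", "company.co.uk"]):
        print(f"{client} asked for {name}: WPAD request would leave the organisation")
```

A single hit is enough to act on: either the organisation's own wpad host is missing for that client's domain, or the client is devolving past the organisation boundary, and in both cases the fix is to serve wpad.dat under every domain the clients actually search before they reach a public suffix.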
External links
- IETF 1999: Web Proxy Auto-Discovery Protocol — Expired internet draft.
- Waikato Linux Users Group Wiki 2004: WPAD
- ProxyPACFiles.com: practical guide to writing and managing proxy PAC files with samples, tips, lessons learned, etc.
- FindProxyForURL.com: proxy auto-configuration resources (PAC file and WPAD examples)
- Proxy configuration notes for Konqueror
- AutoProxy for Windows; Fully Automatic Proxy configuration tool for Internet Explorer and Firefox based on network location profiles (freeware)
- How to configure web proxy autodiscovery in your network - Scenario on how to configure DHCP, DNS and PAC file in a windows network
- Windows 2000 Server Auto-Discovery Setup