Web Proxy Autodiscovery Protocol

from Wikipedia, the free encyclopedia

The Web Proxy Auto-Discovery Protocol (WPAD) is a protocol with which web clients (such as a browser) can automatically find the web proxies to be used within a computer network. It does so by locating a proxy auto-configuration (PAC) file that is stored under a guessable URL, for example http://wpad.example.com/wpad.dat. The Proxy Auto-Config file format was originally developed by Netscape Communications in 1996 for Netscape Navigator 2.0.

WPAD makes it possible to instruct all web clients in an organization to use the same proxy servers without having to configure each one manually. It is supported by current versions of the popular browsers Mozilla Firefox, Google Chrome and Internet Explorer, and also by other programs and desktop environments such as Unity.

History

WPAD was designed by a consortium of Inktomi Corporation, Microsoft, RealNetworks and Sun Microsystems (now Oracle Corporation). WPAD is documented in an Internet Draft, which, however, expired in December 1999. Nevertheless, WPAD is still supported by all popular browsers. In Internet Explorer, WPAD was introduced with version 5.

Context

In order for all browsers in an organization to choose their proxy according to the same rules without everything having to be configured manually, two technologies are needed.

The Proxy Auto Config (PAC) standard
A central proxy configuration file is created (details in that article).
The Web Proxy Autodiscovery Protocol (WPAD) standard
This ensures that the individual browsers find that file automatically; that is what this article is about.

The WPAD standard defines several alternative methods by which the system administrator can publish the location of the proxy configuration file:

Before the first page is requested, a web browser that implements the protocol sends a DHCPINFORM request to the local DHCP server and then uses the URL supplied in the WPAD option of the reply. If the DHCP server does not have this information, DNS is used. If, for example, the FQDN (fully qualified domain name) of the computer is pc.department.branch.example.com, the browser queries the following URLs one after the other until it finds a proxy configuration file:

  • http://wpad.department.branch.example.com/wpad.dat
  • http://wpad.branch.example.com/wpad.dat
  • http://wpad.example.com/wpad.dat
  • http://wpad/wpad.dat
  • Possibly also http://wpad.com/wpad.dat (see #Security)

Remarks

  • DHCP has priority over DNS: if DHCP supplies a WPAD URL, no DNS query is made.
  • For the DNS lookup, the first label of the name (which presumably identifies the client) is removed and replaced by wpad. The browser then moves up the hierarchy, removing further labels of the domain name, until it finds a WPAD PAC file or leaves the organization's domain.
  • The browser has to guess where the organization's domain ends. This guess is right for domains of the pattern firma.com or universitaet.edu, but wrong for company.co.uk, for example (see #Security).
  • With the DNS lookup, the path of the configuration file is always wpad.dat; with DHCP any URL can be used. For historical reasons PAC files are often named proxy.pac, and files with that name are of course not found by the WPAD DNS lookup.
  • With the DNS lookup, Microsoft Internet Explorer 6 on Windows XP sends the IP address as the Host header, so the WPAD web server should be configured as a name-based VirtualHost that answers under all host names that can appear in the HTTP/1.1 request.

Example for Apache:

    NameVirtualHost 192.168.xx.yy
    <VirtualHost 192.168.xx.yy:80>
        ServerName  wpad.sub.domain.tld
        ServerAlias wpad
        ServerAlias 192.168.xx.yy
        # deliver wpad.dat with the MIME type the browsers expect
        AddType application/x-ns-proxy-autoconfig .dat
    </VirtualHost>
  • The MIME type of the configuration file must be application/x-ns-proxy-autoconfig (see also Proxy Auto-Config).
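The discovery order described above, as an added example that is not part of this article or of any browser's code: DHCP option 252 takes precedence, otherwise the client walks up its own FQDN prepending wpad. The boundary parameter makes the "where does the organization's domain end" guess explicit, and wpad_names_outside_org lists the names a careless walk would query that the organization does not control. PUBLIC_SUFFIXES is a small constructed subset for the demo; a real client would consult the full Public Suffix List. All function names are this example's own.

```python
# Added example (not from the article): the WPAD DNS walk with DHCP precedence
# and an explicit "where does the organization end" rule.
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List, enough for the demo.
PUBLIC_SUFFIXES = {"com", "edu", "net", "org", "de", "uk", "co.uk", "ac.uk"}


def public_suffix_len(labels):
    """Number of trailing labels that form the public suffix: 2 for co.uk,
    1 for com. Unknown suffixes are treated as a single-label TLD."""
    for n in range(len(labels), 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return n
    return 1


def wpad_candidate_urls(fqdn, dhcp_url=None, boundary="psl"):
    """Return the PAC URLs a client would try, in order.

    dhcp_url -- value of DHCP option 252; if present, DNS is not consulted.
    boundary -- where the walk up the name stops:
                "psl":  before the public suffix (right for company.co.uk)
                "tld":  before the last label only (would query wpad.co.uk)
                "none": until one label is left (would query wpad.com)
    """
    if dhcp_url:
        return [dhcp_url]
    labels = fqdn.rstrip(".").lower().split(".")
    keep = {"psl": public_suffix_len(labels), "tld": 1, "none": 0}[boundary]
    urls = []
    # drop the host label, then prepend "wpad." to each remaining parent domain
    for i in range(1, len(labels) - keep):
        urls.append("http://wpad." + ".".join(labels[i:]) + "/wpad.dat")
    # finally the bare name, left to the resolver's search list
    urls.append("http://wpad/wpad.dat")
    return urls


def wpad_names_outside_org(fqdn, org_domain):
    """Hostnames a sloppy client (boundary "tld" or "none") might query that
    are NOT under org_domain. Anyone who registers such a name can serve a
    PAC file to these clients."""
    org = org_domain.lower().strip(".")
    names = set()
    for mode in ("tld", "none"):
        for url in wpad_candidate_urls(fqdn, boundary=mode):
            host = urlsplit(url).hostname
            if host != "wpad" and host != org and not host.endswith("." + org):
                names.add(host)
    return sorted(names)


if __name__ == "__main__":
    for fqdn, org in (("pc.department.branch.example.com", "example.com"),
                      ("host.company.co.uk", "company.co.uk")):
        print(fqdn)
        for url in wpad_candidate_urls(fqdn):
            print("   ", url)
        print("    names outside", org + ":", wpad_names_outside_org(fqdn, org))
```

For the article's example host the "psl" walk yields exactly the three wpad.*.example.com URLs plus http://wpad/wpad.dat; for host.company.co.uk it stops after wpad.company.co.uk, whereas the "tld" mode continues to wpad.co.uk, which is the overreach the Security section describes.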

Checklist

For WPAD to work, a few conditions must be met.

  • To use DHCP, the DHCP server must be configured to deliver the site-local option 252 (auto-proxy-config) with a string value of http://xxx.yyy.zzz.qqq/wpad.dat, where xxx.yyy.zzz.qqq is the IP address of a web server (a domain name is preferable to a numeric IP address). If you use Microsoft's DHCP server, check both the server options of each server and the scope options of each scope.
  • Furthermore, to use DHCP, the computer must itself be a DHCP client: the browsers (Internet Explorer and Firefox) do not send their own, new DHCP requests but reuse the WPAD option 252 that was delivered when the network adapter obtained its IP address via DHCP. If DHCP is not enabled in the network adapter settings, the browser will not send a DHCP request either.
  • To use DNS, a DNS record for a host named wpad is required:
  • on a Windows Server 2003 DNS server with MS09-008 installed, edit the DNS global query block list, which blocks the name wpad by default [1];
  • on a Windows Server 2008 DNS server, likewise edit the DNS global query block list (see the TechNet article on the block list).
  • The WPAD host must be able to serve a website.
  • In both cases, the web server must be configured to deliver .dat files with the MIME type application/x-ns-proxy-autoconfig.
  • A file named wpad.dat must be in the document root of the WPAD site.
  • Examples of PAC files are in the article Proxy Auto-Config.
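The DHCP side of the checklist, as an added example that is not part of this article or of any DHCP implementation: the option 252 exchange encoded and decoded by hand, so that the format of what the server must deliver (a plain string in a one-byte-code, one-byte-length option) is visible. Only the variable-length options field that follows the DHCP magic cookie is modelled; the fixed BOOTP header is omitted. check_pac_url applies the checklist's advice to prefer a DNS name over an IP literal. All function names are this example's own.

```python
# Added example (not from the article): DHCP option 252 encoding/decoding.
import ipaddress
from urllib.parse import urlsplit

OPT_PAD = 0
OPT_MSG_TYPE = 53
OPT_PARAM_REQUEST = 55
OPT_WPAD = 252          # site-local option carrying the PAC URL
OPT_END = 255
DHCPACK = 5
DHCPINFORM = 8


def encode_option(code, value):
    """DHCP options are TLV: one byte code, one byte length, then the value."""
    if len(value) > 255:
        raise ValueError("option %d value exceeds 255 bytes" % code)
    return bytes([code, len(value)]) + value


def build_inform_options():
    """What a WPAD client sends: message type DHCPINFORM plus a parameter
    request list asking for option 252."""
    return (encode_option(OPT_MSG_TYPE, bytes([DHCPINFORM]))
            + encode_option(OPT_PARAM_REQUEST, bytes([OPT_WPAD]))
            + bytes([OPT_END]))


def build_ack_options(pac_url):
    """What the DHCP server answers: DHCPACK carrying the PAC URL in option 252."""
    return (encode_option(OPT_MSG_TYPE, bytes([DHCPACK]))
            + encode_option(OPT_WPAD, pac_url.encode("ascii"))
            + bytes([OPT_END]))


def parse_options(blob):
    """Decode an options field into {code: value}. Stops at END, skips PAD,
    and rejects truncated input rather than reading past the buffer."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    raise ValueError("options field lacks END")


def wpad_url_from_ack(blob):
    """PAC URL from a DHCPACK options field, or None if option 252 is absent."""
    opts = parse_options(blob)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]) or OPT_WPAD not in opts:
        return None
    # defensively tolerate a trailing NUL byte in the string
    return opts[OPT_WPAD].rstrip(b"\x00").decode("ascii")


def check_pac_url(url):
    """Checklist warnings for an option 252 value."""
    warnings = []
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        warnings.append("not an http:// URL with a host")
        return warnings
    try:
        ipaddress.ip_address(parts.hostname)
        warnings.append("host is an IP literal; a DNS name is preferable")
    except ValueError:
        pass                      # hostname is a DNS name, as recommended
    return warnings


if __name__ == "__main__":
    ack = build_ack_options("http://wpad.example.com/wpad.dat")
    print("DHCPINFORM options:", build_inform_options().hex())
    print("DHCPACK options:   ", ack.hex())
    url = wpad_url_from_ack(ack)
    print("client uses:", url, check_pac_url(url))
```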

Security

Although it simplifies configuring an organization's web browsers, WPAD must be handled with care, because even small mistakes can lead to serious attacks.

  • An attacker inside the network can set up a rogue DHCP server that hands out the URL of a malicious PAC script.
  • If the organization's domain follows the pattern company.co.uk or company.com and no http://wpad.company.co.uk/wpad.dat or http://wpad.company.com/wpad.dat is reachable within the network, some browsers go on to query http://wpad.co.uk/wpad.dat or http://wpad.com/wpad.dat, because they cannot tell the organization's domain apart from a top-level or country-code domain. The access logs of web servers for wpad domains such as http://wpad.com/ show this very clearly.

Whoever controls the WPAD file can redirect all browsers that request it to their own proxies and then read and modify all of their traffic.

It must therefore be ensured that all DHCP servers within an organization are trustworthy and that all wpad domain names that can be derived from the organization's domain are under the organization's control.

Beyond these dangers, WPAD fundamentally fetches a JavaScript file that every browser on the system executes, even if JavaScript has been disabled for web pages.
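A detection pass over the two failure modes just described (a rogue DHCP server handing out option 252, and wpad lookups leaving the organization's domain), as an added example that is not part of this article. The log lines and their format are constructed for the demo; real resolver and DHCP server logs differ, so the regular expressions would need adjusting. Function names are this example's own.

```python
# Added example (not from the article): auditing logs for WPAD abuse.
import re
from urllib.parse import urlsplit

# Constructed sample log (not real data). Client 10.0.0.9 walks past the
# organization's domain to wpad.co.uk, and a second DHCP server, 10.0.0.77,
# hands out its own PAC URL. The line format is this example's own.
SAMPLE_LOG = """\
2024-03-01T09:00:01 dns client=10.0.0.5 qname=wpad.branch.company.co.uk qtype=A
2024-03-01T09:00:01 dns client=10.0.0.5 qname=wpad.company.co.uk qtype=A
2024-03-01T09:00:02 dns client=10.0.0.9 qname=wpad.company.co.uk qtype=A
2024-03-01T09:00:02 dns client=10.0.0.9 qname=wpad.co.uk qtype=A
2024-03-01T09:00:05 dhcp ack server=10.0.0.1 client=10.0.0.5 option252=http://wpad.company.co.uk/wpad.dat
2024-03-01T09:00:06 dhcp ack server=10.0.0.77 client=10.0.0.9 option252=http://10.0.0.77/proxy.pac
"""

DNS_RE = re.compile(r"\bdns client=(?P<client>\S+) qname=(?P<qname>\S+)")
DHCP_RE = re.compile(r"\bdhcp ack server=(?P<server>\S+) client=(?P<client>\S+) "
                     r"option252=(?P<url>\S+)")


def in_org(hostname, org_domain):
    """True if hostname equals org_domain or is a subdomain of it."""
    h = (hostname or "").rstrip(".").lower()
    return h == org_domain or h.endswith("." + org_domain)


def audit_wpad(lines, org_domain, trusted_dhcp_servers):
    """Return (reason, client, detail) tuples for suspicious WPAD activity:

    - a wpad.* lookup for a name not under org_domain: the client is asking
      a domain the organization does not control (e.g. wpad.co.uk)
    - option 252 handed out by a DHCP server not in the trusted set
    - option 252 from a trusted server whose PAC host is not under org_domain
    """
    org = org_domain.lower().strip(".")
    findings = []
    for line in lines:
        m = DNS_RE.search(line)
        if m:
            q = m.group("qname").lower().rstrip(".")
            if q.startswith("wpad.") and not in_org(q, org):
                findings.append(("wpad lookup outside organisation domain",
                                 m.group("client"), q))
            continue
        m = DHCP_RE.search(line)
        if m:
            url = m.group("url")
            if m.group("server") not in trusted_dhcp_servers:
                findings.append(("option 252 from untrusted DHCP server",
                                 m.group("client"), url))
            elif not in_org(urlsplit(url).hostname, org):
                findings.append(("PAC URL host outside organisation domain",
                                 m.group("client"), url))
    return findings


if __name__ == "__main__":
    for reason, client, detail in audit_wpad(SAMPLE_LOG.splitlines(),
                                             "company.co.uk", {"10.0.0.1"}):
        print("%-45s client=%s %s" % (reason, client, detail))
```

The organization's own domain and the set of authorized DHCP servers are the only inputs; the first finding is the wpad.co.uk lookup from 10.0.0.9, the second the PAC URL that the unlisted server 10.0.0.77 pushed to the same client.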

References

  1. Navigator Proxy Auto-Config File Format. In: Netscape Navigator Documentation, March 1996. Archived from the original on March 7, 2007; retrieved February 10, 2015.
  2. Paul Gauthier: Web Proxy Auto-Discovery Protocol (Internet-Draft). IETF, July 28, 1999; retrieved February 10, 2015.
  3. Chromium issue 18575: Non-Windows platforms: WPAD (proxy autodetect discovery) does not test DHCP. August 5, 2009; retrieved February 10, 2015.
  4. Firefox bug 356831: Proxy autodiscovery doesn't check DHCP (option 252). October 16, 2006; retrieved February 10, 2015.

External links