Web Proxy Autodiscovery Protocol
The Web Proxy Auto-Discovery Protocol (WPAD) is a protocol with which web clients (such as a browser) can automatically find the web proxies to be used within a computer network. It works by publishing a proxy auto-configuration (PAC) file under a guessable URL, for example http://wpad.example.com/wpad.dat. The Proxy Auto-Config file format was originally developed by Netscape Communications in 1996 for Netscape Navigator 2.0.
WPAD makes it possible to instruct all web clients in an organization to use the same proxy servers without having to configure each one manually. It is supported by the current versions of the popular browsers Mozilla Firefox, Google Chrome and Internet Explorer, as well as by other programs and desktop environments such as Unity.
History
WPAD was designed by a consortium of Inktomi Corporation, Microsoft, RealNetworks and Sun Microsystems (now Oracle Corporation). WPAD is documented as an Internet Draft, which however expired in December 1999. Nevertheless, WPAD is still supported by all popular browsers. In Internet Explorer, WPAD was introduced with version 5.
Context
In order to instruct all browsers in an organization to choose their proxy according to the same rules without having to configure everything manually, two technologies are necessary.
- The Proxy Auto Config (PAC) standard: a central proxy configuration file is created (details in the relevant article).
- The Web Proxy Autodiscovery Protocol (WPAD) standard: this ensures that the individual browsers find this file automatically. That is what this article is about.
The WPAD standard defines several alternative methods by which the system administrator can publish the location of the proxy configuration file:
- Dynamic Host Configuration Protocol (DHCP)
- Domain Name System (DNS A / CNAME records, "well known aliases")
- Service Location Protocol (SVRLOC / SLP) (optional)
- DNS SRV records
- DNS TXT "service: URLs"
Before the first page is requested, a web browser that supports this method sends a DHCPINFORM request to the local DHCP server and then uses the URL supplied in the WPAD option of the response. If the DHCP server does not have the required information, DNS is used. If, for example, the FQDN (Fully Qualified Domain Name) of the computer is pc.department.branch.example.com, the browser queries the following URLs one after the other until it finds a proxy configuration file:
- http://wpad.department.branch.example.com/wpad.dat
- http://wpad.branch.example.com/wpad.dat
- http://wpad.example.com/wpad.dat
- http://wpad/wpad.dat
- possibly also http://wpad.com/wpad.dat (see #Security)
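The DNS walk described above, as an added illustration that is not part of the original article: the unbounded walk a browser performs when it does not know where the organization's domain ends, beside a variant bounded by an administrator-supplied organization suffix (an assumed input, not something WPAD itself provides). The bare http://wpad/wpad.dat candidate depends on the resolver's search list and is not modelled.

```python
"""Candidate URL generation for the WPAD DNS walk.

naive_wpad_urls() models the unbounded walk: drop the host label, prefix
"wpad" to the remaining name, then keep removing the leftmost label while
at least one label remains. bounded_wpad_urls() stops at an assumed
organisation suffix, so the walk never leaves the organisation's namespace.
"""
from typing import List

WPAD_PATH = "/wpad.dat"  # fixed file name used by the DNS variant of WPAD


def _labels(name: str) -> List[str]:
    return name.rstrip(".").lower().split(".")


def naive_wpad_urls(fqdn: str) -> List[str]:
    """Walk up the hierarchy without knowing where the organisation ends."""
    labels = _labels(fqdn)
    # i == 1 drops the host label; each further step drops one more label,
    # ending with the bare top-level or country-code domain (e.g. wpad.com).
    return [f"http://wpad.{'.'.join(labels[i:])}{WPAD_PATH}"
            for i in range(1, len(labels))]


def bounded_wpad_urls(fqdn: str, org_domain: str) -> List[str]:
    """Same walk, but stop once the organisation suffix has been reached."""
    labels, org = _labels(fqdn), _labels(org_domain)
    if labels[-len(org):] != org:
        raise ValueError(f"{fqdn} is not inside {org_domain}")
    # Never shorten the remaining name below the organisation domain itself.
    return [f"http://wpad.{'.'.join(labels[i:])}{WPAD_PATH}"
            for i in range(1, len(labels) - len(org) + 1)]


def leaked_urls(fqdn: str, org_domain: str) -> List[str]:
    """URLs the unbounded walk would request outside the organisation."""
    inside = set(bounded_wpad_urls(fqdn, org_domain))
    return [u for u in naive_wpad_urls(fqdn) if u not in inside]


if __name__ == "__main__":
    # Constructed example names; company.co.uk is the case the text warns about.
    for host, org in [("pc.department.branch.example.com", "example.com"),
                      ("host.company.co.uk", "company.co.uk")]:
        print(host, "-> outside organisation:", leaked_urls(host, org))
```

For pc.department.branch.example.com the bounded walk stops at http://wpad.example.com/wpad.dat, while the unbounded one goes on to http://wpad.com/wpad.dat; for host.company.co.uk it would reach http://wpad.co.uk/wpad.dat.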
Remarks
- DHCP has a higher priority than DNS: if DHCP supplies a WPAD URL, no DNS query is carried out.
- During the DNS query, the first label of the name (which presumably identifies the client) is removed and replaced with wpad. The browser then moves up the hierarchy, removing further labels of the domain name, until it finds a WPAD PAC file or leaves the respective organization.
- The browser has to guess where the organization's domain ends. This guess is often correct for domains of the pattern firma.com or universitaet.edu, but wrong for company.co.uk, for example (see #Security).
- With the DNS query, the path of the configuration file is always wpad.dat. With DHCP, any URL can be used. For historical reasons, PAC files are often named proxy.pac (files with this name are of course ignored by the WPAD DNS lookup).
- With a DNS query, Microsoft Internet Explorer 6 under Windows XP sends the IP address as the host, so the WPAD web server should be configured as a name-based virtual host that can be addressed by all possible host names in the HTTP/1.1 request. Example for Apache:
    NameVirtualHost 192.168.xx.yy
    ServerName wpad.sub.domain.tld
    ServerAlias wpad
    ServerAlias 192.168.xx.yy
- The MIME type of the configuration file must be application/x-ns-proxy-autoconfig. See also: Proxy Auto-Config.
Checklist
For WPAD to work, a few conditions must be met.
- To use DHCP, the DHCP server must be configured to deliver the site-local option 252 (auto-proxy-config) with a string value of http://xxx.yyy.zzz.qqq/wpad.dat, where xxx.yyy.zzz.qqq is the IP address of a web server. (It may be better to use a domain name instead of a numeric IP address.) If you use Microsoft's DHCP server, check both the server options of each server and the scope options of each scope.
- Furthermore, to use DHCP the computer must be a DHCP client. In other words, the browsers (Internet Explorer and Firefox) do not send their own (new) DHCP requests, but only use the WPAD option 252 that was assigned earlier, when the network card obtained its IP address via DHCP. If DHCP is not active in the network card settings, the browser will not send a DHCP request either.
- To use DNS, a DNS record is required for a host named wpad.
  - For a Windows 2003 DNS server with MS09-008, edit the DNS block list [1]
  - For a Windows 2008 DNS server, edit the DNS block list (Technet article on DNS block list)
- The WPAD host must be able to deliver a website.
- In both cases, the web server must be configured to deliver .dat files with the MIME type application/x-ns-proxy-autoconfig.
- A file called wpad.dat must be in the root directory of the WPAD site.
- Examples of PAC files can be found in the article Proxy Auto-Config.
Security
While it simplifies the configuration of an organization's web browsers, the WPAD protocol must be handled with caution, as even small mistakes can enable devastating attacks.
- An attacker within the network can set up a DHCP server that hands out the URL of a malicious PAC script.
- If the respective organization has a domain of the pattern company.co.uk or company.com, and neither http://wpad.company.co.uk/wpad.dat nor http://wpad.company.com/wpad.dat is available within the network, some browsers go on to query http://wpad.co.uk/wpad.dat or http://wpad.com/wpad.dat respectively, because they may not distinguish between the organization's domain and a top-level or country-code domain. The accesses to web servers in wpad domains such as http://wpad.com/ show this very clearly.
An attacker can use the WPAD file to redirect all querying browsers to their own proxies and then intercept and modify all traffic.
It should therefore be ensured that all DHCP servers within an organization can be trusted, and that all WPAD domains that can result from the organization's domain are under the organization's control.
In addition to these dangers, WPAD fundamentally fetches a JavaScript file that is executed by every browser on the system, even if JavaScript has been disabled for web pages.
References
- Navigator Proxy Auto-Config File Format. In: Netscape Navigator Documentation. March 1996. Archived from the original on March 7, 2007. Retrieved February 10, 2015.
- Paul Gauthier: Web Proxy Auto-Discovery Protocol (INTERNET-DRAFT). In: IETF. July 28, 1999. Retrieved February 10, 2015.
- Chromium #18575: Non-Windows platforms: WPAD (proxy autodetect discovery) does not test DHCP. August 5, 2009. Retrieved February 10, 2015.
- Firefox #356831: Proxy autodiscovery doesn't check DHCP (option 252). October 16, 2006. Retrieved February 10, 2015.
Web links
- IETF 1999: Web Proxy Auto-Discovery Protocol - Expired Internet Draft (English)
- IETF 2000: Web Proxy Auto-Discovery Protocol - Expired Internet Draft (English)
- IETF 1999: The wpad Abstract Service Type - expired Internet Draft for finding the Web Proxy Auto-Discovery configuration file through the Service Location Protocol (English)
- wpad.com - the website on which almost all WPAD requests from .com domains that are not answered within their own organization end up (memento from January 6, 2009 in the Internet Archive)
- http://www.fam-hauck.de/wiki/index.php/Automatische_Proxy-Konfiguration_(WPAD)
- Waikato Linux Users Group Wiki 2004: WPAD (English)
- Google search for proxy filetype:pac
- Excellent "Frequently Given Answer": Automatic proxy HTTP server configuration in web browsers (English)