Web Proxy Autodiscovery Protocol

From Wikipedia, the free encyclopedia

The Web Proxy Autodiscovery Protocol (WPAD) is a method used by Microsoft Internet Explorer (and other web browsers) to automatically locate a proxy auto-config (PAC) file and use it to configure the browser's web proxy settings.

The method, devised by Microsoft, is described in the IETF Internet Draft "draft-ietf-wrec-wpad-01". The draft expired in December 1999 and had not, as of 2007, become an Internet standard. Nevertheless, Internet Explorer and other major browsers such as Mozilla Firefox and Opera retain this functionality.


Context

In order to instruct all browsers in your organization to use the same proxy policy, without configuring each browser manually, you need two complementary technologies:

  • Proxy auto-config (PAC) standard: create and publish one central proxy configuration file. Details are discussed in a separate article.
  • Web Proxy Autodiscovery Protocol (WPAD) standard: ensure that your organization's browsers will find this file without manual configuration. This is the topic of this article.

The WPAD standard defines two alternative methods by which the system administrator can publish the location of the proxy configuration file: the Dynamic Host Configuration Protocol (DHCP) or the Domain Name System (DNS).

Before fetching its first page, a web browser implementing this method sends the local DHCP server a DHCPINFORM query and uses the URL from the WPAD option in the server's reply. If the DHCP server does not provide the desired information, DNS is used. If, for example, the network name of the user's computer is pc.department.branch.example.com, the browser will try the following URLs in turn until it finds a proxy configuration file:

  • http://wpad.department.branch.example.com/wpad.dat
  • http://wpad.branch.example.com/wpad.dat
  • http://wpad.example.com/wpad.dat
  • http://wpad.com/wpad.dat

(Note: These are examples and may not be live URLs.)

Notes

  • DHCP has a higher priority than DNS: if DHCP provides the WPAD URL, no DNS lookup is performed.
  • The DNS lookup removes the first part of the domain name (presumably the client identifier) and replaces it with wpad. It then "moves up" the hierarchy by removing further parts of the domain name until it finds a WPAD PAC file or leaves the current organisation.
  • The browser guesses where the organisation boundaries are. The guess is often right for domains like 'company.com' or 'university.edu', but wrong for 'company.co.uk' (see Security below).
  • For DNS lookups, the path of the configuration file is always wpad.dat. For the DHCP protocol, any URL is usable. For traditional reasons, PAC files are often called proxy.pac (of course, files with this name will be ignored by the WPAD DNS search).
  • The MIME type of the configuration file must be "application/x-ns-proxy-autoconfig". Please read Proxy auto-config for more details.
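The DNS walk described in the Context section and in the notes above, as an added example that is not part of the Wikipedia article: `wpad_candidates` produces the list of URLs a client derives from its own host name, and `leaked_candidates` applies the organisation-boundary check that the browser itself does not perform. The set of controlled domains passed to it is an assumed administrator configuration; the browser has no such list.

```python
from urllib.parse import urlparse

# Added example, not code from the Wikipedia article. It reproduces the WPAD
# DNS "devolution" walk and adds the boundary check a browser lacks.


def wpad_candidates(fqdn):
    """Return, in order, the wpad.dat URLs a WPAD client derives from its
    own fully qualified host name: the first label (the host) is replaced
    by 'wpad', then the leading label is dropped repeatedly until a single
    label remains, as in the pc.department.branch.example.com example."""
    labels = fqdn.rstrip(".").lower().split(".")[1:]  # drop the host label
    urls = []
    while labels:
        urls.append("http://wpad." + ".".join(labels) + "/wpad.dat")
        labels = labels[1:]
    return urls


def inside_organisation(url, org_domains):
    """True if the host of `url` is a subdomain of one of `org_domains`,
    the DNS domains the administrator actually controls (assumed config)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host.endswith("." + d.lower().rstrip(".")) for d in org_domains)


def leaked_candidates(fqdn, org_domains):
    """The candidate URLs that fall outside the organisation. These are the
    names that must either be under your control or never be reached,
    because a client accepts whatever PAC file they serve."""
    return [u for u in wpad_candidates(fqdn)
            if not inside_organisation(u, org_domains)]


if __name__ == "__main__":
    for name, org in (("pc.department.branch.example.com", {"example.com"}),
                      ("pc.company.co.uk", {"company.co.uk"})):
        print(name, "->", wpad_candidates(name))
        print("  outside organisation:", leaked_candidates(name, org))
```

For a host in company.co.uk the walk leaves the organisation after the very first miss, which is the case the notes single out.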

Check list

In order for WPAD to work, a few requirements have to be met:

  • If you want to use DHCP, the DHCP server must be configured to serve the "site-local" option 252 ("auto-proxy-config") with a string value of "http://xxx.yyy.zzz.qqq/wpad.dat" (without the quotes), where xxx.yyy.zzz.qqq is the IP address of a web server. (It might be better to use a domain name rather than a numeric IP address.)
  • If you want to use DNS, then a DNS entry is needed for a host named WPAD.
  • The host WPAD must be able to serve a web page.
  • In both cases, the web server must be configured to serve .dat files with a MIME type of "application/x-ns-proxy-autoconfig".
  • The file named wpad.dat must be located in the WPAD web site's root folder.
  • Examples for PAC files are shown in Proxy auto-config.
  • Use caution when configuring a WPAD server in a virtual hosting environment. When automatic proxy detection is used, Internet Explorer sends a "Host: <IP address>" header and Firefox sends a "Host: wpad" header. Because this behaviour is unexpected, it is recommended that the wpad.dat file be hosted under the default virtual host rather than a dedicated one.

Site-local options

RFC 2131 defined the options from 128-254 to be "site local". The meaning of this is that the site's systems administrator, not a software programmer, not a corporate executive at Cisco, not any external body, is the one who allocates from this space. This is done without involving IANA, so the avoidance of duplicate assignments can only be guaranteed as long as your own network's administrators are the ones doing the site-local allocation.

In later years it was concluded that the 128-254 range offered rather more site-local options than were really necessary (and, at the same time, the space from 1-127 was running dry). RFC 3942 redefined the site-local space to be the options from 224 to 254.

It is nonstandard and improper to continue using option 252 for WPAD, or for any other purpose, unless you yourself are the site-local administrator and have configured both the server and the client to process and consume these options.
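The DHCP side of the check list and the site-local discussion above, as an added example that is not part of the Wikipedia article: the code encodes and parses the DHCP option area so that option 252 can be inspected, extracts the URL it carries, and reports whether a given option code lies in the site-local range as redefined by RFC 3942. The DHCPACK option bytes are constructed here for the example; the option codes 53 (message type) and 54 (server identifier) are the standard DHCP ones, and 252 is the "auto-proxy-config" option the article names.

```python
# Added example, not code from the Wikipedia article. Option codes 53 and 54
# are standard DHCP options; 252 is the WPAD option described on this page.

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the option area
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_WPAD, OPT_END = 0, 53, 54, 252, 255
SITE_LOCAL_RFC3942 = range(224, 255)     # codes 224..254 after RFC 3942


def build_dhcp_options(options):
    """Encode {code: bytes} as DHCP TLV options preceded by the magic cookie
    and terminated by END. A value must fit in the single length byte."""
    out = bytearray(DHCP_MAGIC_COOKIE)
    for code, value in options.items():
        if not 1 <= code <= 254 or len(value) > 255:
            raise ValueError("option %d cannot be encoded" % code)
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def parse_dhcp_options(blob):
    """Parse the option area of a DHCP message into {code: bytes}.
    PAD and END carry no length byte; a repeated code is concatenated
    (RFC 3396); a declared length that runs past the buffer is rejected
    instead of being silently truncated."""
    if blob[:4] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header at offset %d" % i)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d declares %d bytes, only %d present"
                             % (code, length, len(value)))
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def wpad_url(opts):
    """Return the URL carried in option 252 as text, or None if absent.
    A trailing NUL (some servers append one) is stripped. Anything that is
    not a plain http(s) URL is rejected, because the browser will fetch and
    execute whatever the option names."""
    raw = opts.get(OPT_WPAD)
    if raw is None:
        return None
    url = raw.rstrip(b"\x00").decode("ascii")  # non-ASCII raises ValueError
    if not url.lower().startswith(("http://", "https://")):
        raise ValueError("option 252 is not an http(s) URL: %r" % url)
    return url


def is_site_local(code):
    """Whether an option code lies in the RFC 3942 site-local range."""
    return code in SITE_LOCAL_RFC3942


# Constructed sample: the option area of a DHCPACK announcing a PAC file.
SAMPLE_ACK_OPTIONS = build_dhcp_options({
    OPT_MSG_TYPE: b"\x05",                              # DHCPACK
    OPT_SERVER_ID: bytes([192, 0, 2, 1]),               # 192.0.2.1 (documentation range)
    OPT_WPAD: b"http://wpad.example.com/wpad.dat\x00",  # trailing NUL as some servers send
})

if __name__ == "__main__":
    parsed = parse_dhcp_options(SAMPLE_ACK_OPTIONS)
    print("options present:", sorted(parsed))
    print("WPAD URL:", wpad_url(parsed))
    print("252 is site-local under RFC 3942:", is_site_local(OPT_WPAD))
```

Option 252 still falls inside the 224-254 range, so the objection in the text is not that the code is out of range but that it is used without the site administrator having assigned it on both server and client.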

Security

While it greatly simplifies configuring an organisation's web browsers, the WPAD protocol has to be used with care: simple mistakes can open doors for attackers to change what appears in your browsers:

  • An attacker inside your network can set up a DHCP server that hands out, in its leases, the URL of a malicious PAC script.
  • If your network is 'company.co.uk' or 'company.com' and, for some reason, you do not serve a file at http://wpad.company.co.uk/wpad.dat or http://wpad.company.com/wpad.dat respectively, the browsers will go on to request http://wpad.co.uk/wpad.dat or http://wpad.com/wpad.dat. The browser does not consider whether this is still inside your organisation. See http://wpad.com/ for details.
  • The same method has been used with http://wpad.org.uk, which instead serves a wpad.dat file pointing to a new free-to-list online auction website, www.eebuy.co.uk, so users with incorrectly configured browsers find that the only website they can view is www.eebuy.co.uk.

Through the WPAD file, an attacker can point your browsers to proxies under their control and intercept and modify all of your WWW traffic.

Thus, you should make sure that you can trust all the DHCP servers in your organisation and that all possible wpad domains for your organisation are under your control.
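One way to act on that advice before a PAC file is published, as an added example that is not part of the Wikipedia article: an administrator's audit that lists every proxy a PAC script can hand to a browser, flags any that is not one of the organisation's own proxies, and checks that the web server labels the file with the MIME type the check list requires. The PAC text, the allowed-proxy list and the response headers below are constructed sample input.

```python
import re

# Added example, not code from the Wikipedia article: an audit of a PAC file
# from the administrator's side. All inputs below are constructed samples.

PAC_MIME_TYPE = "application/x-ns-proxy-autoconfig"

# A PAC return value is a ';'-separated list of directives such as
# "PROXY host:port", "SOCKS host:port" or "DIRECT".
_DIRECTIVE = re.compile(r'\b(PROXY|HTTPS|SOCKS5|SOCKS4|SOCKS)\s+([^\s;"\']+)',
                        re.IGNORECASE)


def proxies_in_pac(pac_text):
    """Every proxy host the PAC script can return, sorted, with the port
    removed. Bracketed IPv6 literals are kept whole."""
    hosts = set()
    for _, target in _DIRECTIVE.findall(pac_text):
        if target.startswith("["):
            host = target.split("]")[0] + "]"
        else:
            host = target.rsplit(":", 1)[0]
        hosts.add(host.lower())
    return sorted(hosts)


def audit_pac(pac_text, allowed_proxies):
    """Return the proxies named in the PAC that are not in `allowed_proxies`,
    the administrator's own list (assumed configuration). An empty result
    means every proxy the script can choose is one the organisation runs."""
    allowed = {h.lower() for h in allowed_proxies}
    return [h for h in proxies_in_pac(pac_text) if h not in allowed]


def served_with_pac_mime_type(headers):
    """True if the HTTP response headers label the body as a PAC file,
    ignoring header-name case and any charset parameter."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    return ctype.split(";")[0].strip().lower() == PAC_MIME_TYPE


# Constructed sample PAC: one of its fallback proxies is not ours.
SAMPLE_PAC = '''
function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || dnsDomainIs(host, ".example.com"))
        return "DIRECT";
    if (url.substring(0, 6) == "https:")
        return "PROXY proxy1.example.com:3128; PROXY proxy2.example.com:3128";
    return "PROXY proxy1.example.com:3128; PROXY 203.0.113.7:8080; DIRECT";
}
'''
ALLOWED_PROXIES = {"proxy1.example.com", "proxy2.example.com"}  # assumed
SAMPLE_HEADERS = {"Content-Type": "application/x-ns-proxy-autoconfig; charset=utf-8"}

if __name__ == "__main__":
    print("proxies named:", proxies_in_pac(SAMPLE_PAC))
    print("not ours:", audit_pac(SAMPLE_PAC, ALLOWED_PROXIES))
    print("correct MIME type:", served_with_pac_mime_type(SAMPLE_HEADERS))
```

The regular expression only recognises the directive keywords, so the `Proxy` inside `FindProxyForURL` is not mistaken for one; the audit is a publication-time check, not a substitute for controlling the DHCP servers and wpad domains the paragraph above describes.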

On top of these traps, WPAD fetches a JavaScript file and executes it in all your browsers, even when they have JavaScript disabled for viewing web pages.
