Web Proxy Autodiscovery Protocol

The Web Proxy Auto-Discovery Protocol (WPAD) is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to determine the proxy for a specified URL. The WPAD protocol only outlines the mechanism for discovering the location of this file, but the most commonly deployed configuration file format is the proxy auto-config format originally designed by Netscape in 1996 for Netscape Navigator 2.0.^[1] The WPAD protocol was drafted by a consortium of companies including Inktomi Corporation, Microsoft Corporation, RealNetworks, Inc., and Sun Microsystems, Inc. (now Oracle Corp.). WPAD is documented in an INTERNET-DRAFT which expired in December 1999.^[2] However, WPAD is still supported by all major browsers.^[3]^[4] WPAD was first included with Internet Explorer 5.0.

Context

In order for all browsers in an organization to be supplied the same proxy policy, without configuring each browser manually, both the below technologies are required:

Proxy auto-config (PAC) standard: create and publish one central proxy configuration file. Details are discussed in a separate article.
Web Proxy Autodiscovery Protocol (WPAD) standard: ensure that an organization's browsers will find this file without manual configuration. This is the topic of this article.

The WPAD standard defines two alternative methods the system administrator can use to publish the location of the proxy configuration file, using the Dynamic Host Configuration Protocol (DHCP) or the Domain Name System (DNS):

Before fetching its first page, a web browser implementing this method sends the local DHCP server a DHCPINFORM query, and uses the URL from the WPAD option in the server's reply. If the DHCP server does not provide the desired information, DNS is used. If, for example, the network name of the user's computer is pc.department.branch.example.com, the browser will try the following URLs in turn until it finds a proxy configuration file within the domain of the client:

http://wpad.department.branch.example.com/wpad.dat
http://wpad.branch.example.com/wpad.dat
http://wpad.example.com/wpad.dat
http://wpad.com/wpad.dat (in incorrect implementations, see note in Security below)

(Note: These are examples and are not "live" URLs due to them employing the reserved domain name of "example.com".)

Additionally if the DNS query is unsuccessful then NetBios will be used.^[5]^[6]

Notes

DHCP has a higher priority than DNS: if DHCP provides the WPAD URL, no DNS lookup is performed. Notice that Firefox does not support DHCP, only DNS, and the same is true for Chrome on platforms other than Windows and for versions of Chrome older than version 13.^[3]^[4]

When constructing the query packet, DNS lookup removes the first part of the domain name (the client host name) and replaces it with wpad. Then, it "moves up" in the hierarchy by removing more parts of the domain name, until it finds a WPAD PAC file or leaves the current organisation.
The browser guesses where the organisation boundaries are. The guess is often right for domains like 'company.com' or 'university.edu', but wrong for 'company.co.uk' (see security below).
For DNS lookups, the path of the configuration file is always wpad.dat. For the DHCP protocol, any URL is usable. For traditional reasons, PAC files are often called proxy.pac (of course, files with this name will be ignored by the WPAD DNS search).
The MIME type of the configuration file must be "application/x-ns-proxy-autoconfig". See Proxy auto-config for more details.
Internet Explorer and Konqueror are currently the only browsers offering support for both the DHCP and DNS methods; the DNS method is supported by most major browsers.^[7]

Requirements

In order for WPAD to work, a few requirements have to be met:

In order to use DHCP, the server must be configured to serve up the "site-local" option 252 ("auto-proxy-config") with a string value of "http://example.com/wpad.dat" (without the quotes) where "example.com" is the address of a Web server (either an IP address in dotted quad format or a DNS name).
In order to use the DNS only method, a DNS entry is needed for a host named WPAD.
The host at the WPAD address must be able to serve a Web page.
In both cases, the Web server must be configured to serve the WPAD file with a MIME type of "application/x-ns-proxy-autoconfig".
If the DNS method is used, a file named wpad.dat must be located in the WPAD Web site's root directory.
The PAC files are discussed in the Proxy auto-config article.
Use caution when configuring a WPAD server in a virtual hosting environment. When automatic proxy detection is used, WinHTTP and WinINET in Internet Explorer 6 and earlier send a "Host: <IP address>" header and IE7+ and Firefox send a "Host: wpad" header. Therefore, it is recommended that the wpad.dat file be hosted under the default virtual host rather than its own.
Internet Explorer version 6.0.2900.2180.xpsp_sp2_rtm requests "wpad.da" instead of "wpad.dat" from the Web server.
If you are using Windows Server 2003 (or later) as your DNS server, you might have to disable the DNS Server Global Query Block List, or even modify the registry to edit the list of blocked queries.^[8]^[9]

Security

While greatly simplifying configuration of one organisation's web browsers, the WPAD protocol has to be used with care: simple mistakes can open doors for attackers to change what appears on a user's browser:

An attacker inside a network can set up a DHCP server that hands out the URL of a malicious PAC script.
If the network is 'company.co.uk' and the file http://wpad.company.co.uk/wpad.dat isn't served, the browsers will go on to request http://wpad.co.uk/wpad.dat. The browser doesn't determine whether this is still inside the organization. See http://wpad.com/ for an example.
The same method has been used with http://wpad.org.uk. This used to serve a wpad.dat file that would redirect all of the user's traffic to an internet auction site.
ISPs that have implemented DNS hijacking can break the DNS lookup of the WPAD protocol by directing users to a host that is not a proxy server.

Through the WPAD file, the attacker can point users' browsers to their own proxies and intercept and modify all of WWW traffic. Although a simplistic fix for Windows WPAD handling was applied in 2005, it only fixed the problem for the .com domain. A presentation at Kiwicon showed that the rest of the world was still critically vulnerable to this security hole, with a sample domain registered in New Zealand for testing purposes receiving proxy requests from all over the country at the rate of several a second.

Thus, an administrator should make sure that a user can trust all the DHCP servers in an organisation and that all possible wpad domains for the organisation are under control. Furthermore, if there's no wpad domain configured for an organisation, a user will go to whatever external location has the next wpad site in the domain hierarchy and use that for its configuration. This allows whoever registers the wpad subdomain in a particular country to perform a man-in-the-middle attack on large portions of that country's internet traffic by setting themselves as a proxy for all traffic or sites of interest.

On top of these traps, the WPAD method fetches a JavaScript file and executes it on all users browsers, even when they have disabled JavaScript for viewing web pages.

References

↑ "Navigator Proxy Auto-Config File Format". Netscape Navigator Documentation. March 1996. Archived from the original on 2007-03-07. Retrieved 2015-02-10.
↑ Gauthier, Paul; Josh Cohen, Martin Dunsmuir, Charles Perkins (1999-07-28). "Web Proxy Auto-Discovery Protocol (INTERNET-DRAFT)". IETF. Retrieved 2015-02-10.
↑ 3.0 3.1 "Chromium #18575: Non-Windows platforms: WPAD (proxy autodetect discovery) does not test DHCP". 2009-08-05. Retrieved 2015-02-10.
↑ 4.0 4.1 "Firefox #356831 - Proxy autodiscovery doesn't check DHCP (option 252". 2006-10-16. Retrieved 2015-02-10.
↑ "Troubleshooting Web Proxy Auto Discovery (WPAD) issues". GFI Software. Retrieved 2015-02-10.
↑ Hjelmvik, Erik (2012-07-17). "WPAD Man in the Middle". Retrieved 2015-02-10.
↑ "Konqueror: Automatic Proxy Discovery". KDE. 2013-05-20. Retrieved 2015-02-10.
↑ King, Michael (2010-02-17). "WPAD does not resolve in DNS". Retrieved 2015-02-10.
↑ "Removing WPAD from DNS block list". Microsoft TechNet. Retrieved 2015-02-10.

Features	Ad filtering Augmented browsing Bookmarks Bookmarklet Live bookmark Smart Bookmarks Browser extension Browser security Browser synchronizer comparison Cookies Download manager Favicon Incremental search Plug-in Privacy mode Tabs Universal Edit Button

Web standards	Acid tests Cascading Style Sheets HTML HTML5 JavaScript MathML OCSP SVG WebGL XHTML

Related topics	BrowserChoice.eu CRL HTTP HTTPS iLoo Internet suite Man-in-the-browser Mobile Web Offline reader PAC Pwn2Own Rich Internet application Site-specific browser SPDY SSL/TLS WebSocket Widget World Wide Web WPAD XML

Desktop

Blink-based	Chromium Chrome Dragon Opera SRWare Iron Vivaldi Yandex.Browser

WebKit-based	Arora Avant Dooble Epic Flock Fluid iCab Konqueror Lunascape Maxthon Midori OmniWeb Origyn Web Browser QtWeb QupZilla rekonq Safari Shiira Sleipnir Slimboat surf Torch Uzbl Web WebPositive xombrero

Trident-based	AOL Explorer Avant Deepnet Explorer GreenBrowser Internet Explorer Lunascape Maxthon MediaBrowser MenuBox NeoPlanet NetCaptor SlimBrowser SpaceTime UltraBrowser WebbIE ZAC Browser

Gecko-based	AT&T Pogo Avant Camino Firefox Conkeror GNU IceCat IceDragon Pale Moon Swiftfox Swiftweasel TenFourFox Timberwolf Waterfox xB Browser Galeon Ghostzilla K-Meleon Kazehakase Kirix Strata Lotus Symphony Lunascape Mozilla Beonex Communicator Classilla Netscape SeaMonkey

Text-based	ELinks Emacs/W3 Line Mode Browser Links Lynx Net-Tamer w3m

Other	abaco Amaya Arachne Arena Charon Dillo Gazelle IBM Home Page Reader IBrowse KidZui Microsoft Edge Mosaic Mothra NetPositive NetSurf

Mobile

WebKit-based	Android Browser BOLT Chrome Dolphin Browser Nintendo 3DS Internet Browser Maxthon Nokia Browser for Symbian Rockmelt Safari Silk Steel

Gecko-based	Firefox for mobile MicroB Minimo

Presto-based	Nintendo DS & DSi Browser Opera Mini Opera Mobile

Other	Blazer Deepfish Galio ibisBrowser Internet Explorer Mobile Iris Browser Konqueror Embedded Microsoft Edge NetFront Nokia Xpress Obigo Browser Skweezer Skyfire Teashark ThunderHawk UC Browser Vision WinWAP

Television and video game console

WebKit-based	Google TV NetFront Steam Overlay Wii U Internet Browser

Gecko-based	Kylo

Presto-based	Internet Channel

Other	Galio MSN TV (WebTV)

Software no longer in development shown in italics