Web Proxy Autodiscovery Protocol

The Web Proxy Autodiscovery Protocol (WPAD) is a protocol that enables web clients (such as a browser) to find usable web proxies automatically within a computer network. It does so by means of a proxy autoconfiguration (PAC) file that is stored under a guessable URL, for example http://wpad.example.com/wpad.dat.

WPAD makes it possible to have all web clients of an organization use the same proxy server without configuring each one individually. It is supported by the popular browsers Mozilla Firefox, Google Chrome and Internet Explorer in their current versions.

Context

To instruct all browsers of an organization to choose their proxy according to the same rules, without having to configure everything manually, two technologies are necessary: the PAC file itself and a way to publish its location.

The WPAD standard defines several alternative methods by which a system administrator can publish the location of the proxy configuration file:

  • Dynamic Host Configuration Protocol (DHCP)
  • Domain Name System (DNS A/CNAME records, "Well Known Aliases")
  • Service Location Protocol (SVRLOC/SLP) (optional)
  • DNS SRV records
  • DNS TXT records ("service: URLs")

Before the first page is requested, a web browser that supports the method sends a DHCPINFORM request to the local DHCP server and then uses the URL given in the WPAD option of the response. If the DHCP server does not provide the desired information, DNS is used instead. For example, if the computer's FQDN (Fully Qualified Domain Name) is pc.department.branch.example.com, the browser queries the following URLs in sequence until it finds a proxy configuration file:

  • http://wpad.department.branch.example.com/wpad.dat
  • http://wpad.branch.example.com/wpad.dat
  • http://wpad.example.com/wpad.dat
  • http://wpad/wpad.dat
  • possibly also http://wpad.com/wpad.dat (see Security)

Comments

  • DHCP has a higher priority than DNS: if DHCP provides a WPAD URL, no DNS query is performed at all.
  • In the DNS query, the first part of the name (which presumably identifies the client) is removed and replaced by wpad. The browser then moves up the hierarchy by removing further parts of the domain name until it either finds a WPAD PAC file or leaves the organization's domain.
  • The browser has to guess where the organization's domain ends. This guess is often correct for domains following the pattern firma.com or universitaet.edu, but wrong for, e.g., company.co.uk (see Security).
  • In the DNS query, the path of the configuration file is always wpad.dat. With DHCP, any URL can be used. For historical reasons the PAC file is often named proxy.pac (files of that name are, of course, ignored by the WPAD DNS lookup).
  • In the DNS query, Microsoft Internet Explorer 6 on Windows XP sends the IP address as the host, so the WPAD server should be configured so that it can be addressed as a name-based virtual host under all possible host names in the HTTP/1.1 Host header.

Example for Apache (the ServerName and ServerAlias directives belong inside a VirtualHost block):

    NameVirtualHost 192.168.xx.yy
    <VirtualHost 192.168.xx.yy>
        ServerName  wpad.sub.domain.tld
        ServerAlias wpad
        ServerAlias 192.168.xx.yy
        # deliver .dat files with the PAC MIME type
        AddType application/x-ns-proxy-autoconfig .dat
    </VirtualHost>

The MIME type of the configuration file must be application/x-ns-proxy-autoconfig. See also: Proxy Auto-Config.

Checklist

For WPAD to work, some conditions must be met.

  • To use DHCP, the DHCP server must be configured so that it delivers the site-local option 252 (auto-proxy-config) with a string value of http://xxx.yyy.zzz.qqq/wpad.dat, where xxx.yyy.zzz.qqq must be replaced by the IP address of a web server. (It may be better to use a domain name instead of a numeric IP address.) If you use the Microsoft DHCP server, you should check the server options of each server and the scope options of each scope.
  • Furthermore, to use DHCP, the computer must be a DHCP client. In other words, the browsers (Internet Explorer and Firefox) do not send DHCP requests of their own; they only use the WPAD option 252 that was previously assigned (when the network card obtained its IP address via DHCP). If DHCP is _not_ active in the computer's network card settings, the browser does not send a DHCP request either.
  • To use DNS, a DNS entry for a host named wpad is required.
  • On a Windows 2003 DNS server with MS09-008 installed, edit the DNS global query block list.
  • On a Windows 2008 DNS server, edit the DNS global query block list (see the TechNet article on the DNS block list).
  • The WPAD host must be able to deliver a website.
  • In both cases, the web server must be configured so that it delivers .dat files with the MIME type application/x-ns-proxy-autoconfig.
  • A file named wpad.dat must be in the root directory of the WPAD site.
  • Examples of PAC files can be found in the article Proxy Auto-Config.
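The DHCP items of the checklist can be verified from the wire: option 252 is an ordinary DHCP option (one byte code, one byte length, value), and a defender can read it out of a captured DHCPACK or DHCPINFORM reply and compare it with the URL the administrator actually configured. The following parser is an added example, not code from the original article; the DHCP option bytes it works on are constructed inline, and the expected URL, rogue URL and 192.0.2.99 address are placeholder values.

```python
# Added example (not part of the original article): parse the DHCP options
# field of a reply, extract the WPAD option 252 and compare it with the URL
# the administrator expects. The sample option blobs are constructed here.

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field
OPT_PAD, OPT_END, OPT_MSG_TYPE, OPT_WPAD = 0, 255, 53, 252
DHCPACK = 5


def parse_dhcp_options(blob):
    """Return {option_code: value_bytes} for a DHCP options field.

    Pad (0) has no length byte and End (255) terminates the list. A length
    that runs past the buffer is rejected instead of silently truncated.
    """
    if blob.startswith(DHCP_MAGIC_COOKIE):
        blob = blob[len(DHCP_MAGIC_COOKIE):]
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d length overruns the packet" % code)
        opts[code] = value
        i += 2 + length
    return opts


def wpad_url(opts):
    """The URL carried in option 252, or None. Some servers append a NUL."""
    raw = opts.get(OPT_WPAD)
    if raw is None:
        return None
    return raw.rstrip(b"\x00").decode("ascii", errors="replace")


def check_wpad_option(blob, expected_url):
    """Return (url, ok): ok is True only when option 252 is present and
    matches the URL configured on the trusted DHCP server."""
    url = wpad_url(parse_dhcp_options(blob))
    return url, url == expected_url


def build_options(wpad=b"http://wpad.example.com/wpad.dat"):
    """Construct a minimal DHCPACK options field (sample data, not captured)."""
    return (DHCP_MAGIC_COOKIE
            + bytes([OPT_MSG_TYPE, 1, DHCPACK])
            + bytes([OPT_WPAD, len(wpad)]) + wpad
            + bytes([OPT_END]))


EXPECTED_URL = "http://wpad.example.com/wpad.dat"      # placeholder value
SAMPLE_ACK = build_options()                             # constructed
ROGUE_ACK = build_options(b"http://192.0.2.99/proxy.pac")  # constructed

if __name__ == "__main__":
    for name, blob in (("expected server", SAMPLE_ACK), ("other server", ROGUE_ACK)):
        url, ok = check_wpad_option(blob, EXPECTED_URL)
        print("%-16s option 252 = %-40s %s" % (name, url, "OK" if ok else "MISMATCH"))
```

Running the module reports OK for the constructed reply that carries the configured URL and MISMATCH for the one that points elsewhere, which is the condition worth alerting on when such checks are run against live DHCP replies.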

Security

While it simplifies the configuration of an organization's web browsers, the WPAD protocol must be treated with caution, since even small mistakes can make far-reaching attacks possible.

  • An attacker within the network can set up a DHCP server that issues the URL of a malicious PAC script.
  • If the organization's domain follows the pattern company.co.uk or company.com and no http://wpad.company.co.uk/wpad.dat or http://wpad.company.com/wpad.dat is available within the network, some browsers go on to ask at http://wpad.co.uk/wpad.dat or http://wpad.com/wpad.dat, because they cannot always tell the organization's domain apart from a top-level or country-code domain. The access logs of web servers under wpad domains such as http://wpad.com/ show this very clearly.

Through the WPAD file, an attacker could redirect all querying browsers to their own proxies and then intercept and modify all traffic.

It should therefore be ensured that all DHCP servers within an organization can be trusted and that all WPAD domains that could arise from the organization's domain are under the organization's control.
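The DNS search sequence from the Context section and the "leaving the organization" problem described above can be audited for a given client name: reproduce the list of wpad hosts the browser would try and flag those whose parent domain is a public suffix rather than a domain the organization owns. The code below is an added example, not code from the original article; its public-suffix set is a small constructed excerpt (a real audit would load the full Public Suffix List) and the client names are sample values.

```python
# Added example (not part of the original article): list the wpad.dat URLs a
# WPAD client derives from its FQDN and flag the hosts that fall on a public
# suffix, i.e. names the organization does not control. PUBLIC_SUFFIXES is a
# constructed excerpt; use the full Public Suffix List for a real audit.

PUBLIC_SUFFIXES = {"com", "edu", "net", "org", "de", "uk", "co.uk", "org.uk"}


def wpad_candidates(fqdn):
    """Return the wpad.dat URLs a naive WPAD client tries, in order.

    The first label (the host itself) is replaced by "wpad"; afterwards one
    leading label is dropped per step. The unqualified "http://wpad/wpad.dat",
    resolved through the local search list, comes last.
    """
    labels = fqdn.rstrip(".").lower().split(".")[1:]   # drop the host label
    urls = []
    while labels:
        urls.append("http://wpad." + ".".join(labels) + "/wpad.dat")
        labels = labels[1:]
    urls.append("http://wpad/wpad.dat")
    return urls


def host_of(url):
    """Host part of an http:// URL produced by wpad_candidates()."""
    return url[len("http://"):].split("/", 1)[0]


def leaked_candidates(fqdn, public_suffixes=PUBLIC_SUFFIXES):
    """Hosts from the search sequence whose parent domain is a public suffix.

    A client that walks that far sends its WPAD request to whoever registered
    wpad.<suffix>, which is exactly the situation the article warns about.
    """
    leaked = []
    for url in wpad_candidates(fqdn):
        host = host_of(url)
        if not host.startswith("wpad."):
            continue                      # the bare "wpad" name is local
        parent = host[len("wpad."):]
        if parent in public_suffixes:
            leaked.append(host)
    return leaked


if __name__ == "__main__":
    for client in ("pc.department.branch.example.com", "pc.dept.company.co.uk"):
        print(client)
        for url in wpad_candidates(client):
            print("   ", url)
        print("    outside the organization:", leaked_candidates(client) or "none")
```

For pc.dept.company.co.uk the audit reports wpad.co.uk and wpad.uk, the names a browser may query if wpad.dept.company.co.uk and wpad.company.co.uk do not answer; the remedy the article gives is to make sure every in-organization name in that list resolves and serves a wpad.dat, so the search never reaches a public suffix.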

In addition to these dangers, WPAD essentially introduces a JavaScript file that is executed by every browser on the system, even if JavaScript has been disabled for web pages.
