survey

WPAD: Waiting Patiently for an Announced Disaster

Authors:

Elyssa Boulila,

Marc DacierAuthors Info & Claims

ACM Computing Surveys, Volume 55, Issue 10

Article No.: 217, Pages 1 - 29

https://doi.org/10.1145/3565361

Published: 02 February 2023 Publication History

Get Access

Abstract

The Web Proxy Auto-Discovery protocol (wpad ) is widely used despite being flawed. Its purpose is to enable a client machine to autonomously identify an appropriate proxy, if any, to connect to. This can be useful in corporate networks, for example. Its vulnerabilities range from enabling an attacker to execute code remotely on client machines, to carry out SSL MITM attacks, to subvert Windows NTLM authentication, or even to steal Google authentication tokens. Several publications, talks, and blog posts have tried to raise awareness about some of these security issues. 23 distinct CVEs have been published. Nevertheless, wpad runs by default on Windows machines, and most users are unaware of its existence. Our goal is to offer within a single publication a survey of all the known vulnerabilities surrounding wpad, a presentation of some novel threats related to this protocol, as well as a description of mitigation and detection techniques to prevent the exploitation of its vulnerabilities. We hope that this publication will be an eye opener for all those concerned with the security of their networks and that the offered mitigation techniques will help them to deal with the numerous threats that wpad brings to their environments.

A Appendix

Table A.1 lists all the acronyms mentioned in the article and their definitions.

Table A.1.

Acronym	Definition
ALG	Application Level Gateway
CAS	Code Access Security
CURL	Configuration URL
CVE	Common Vulnerabilities and Exposures
DHCP	Dynamic Host Configuration Protocol
DNS	Domain Name System
FQDN	Fully qualified domain name
HITB	Hack In The Box
HTML	HyperText Markup Language
HTTP	Hypertext Transfer Protocol
HTTPS	Hypertext Transfer Protocol Secure
HVD	Highly vulnerable domains
IANA	Internet Assigned Numbers Authority
IEEE	Institute of Electrical and Electronics Engineers
ISP	Internet Service Provider
LAN	Local area network
LLMNR	Link-Local Multicast Name Resolution
MDNS	Multicast dns
MITM	Man In The Middle
NASK	Naukowa i Akademicka Sieć Komputerowa
NBNS	NetBIOS Name Service
NG-FW	Next-Generation Firewall
NTLM	NT (New Technology) LAN Manager
OS	Operating System
PAC	Proxy Auto-Configuration
PBP	Pretty-Bad-Proxy
RFC	Request for Comments
SLP	Service Location Protocol
SMB	Server Message Block
SRV	Service Record
SSL	Secure Sockets Layer
TLD	Top-level domain
TLS	Transport Layer Security
TXT	Text Record
URL	Uniform Resource Locator
VPN	Virtual private network
WAF	Web application firewall
WINS	Windows Internet Name Service
WPAD	Web Proxy Auto-Discovery

Table A.1. List of Acronyms and their Definitions

References

[1]

B. Aboba and S. Cheshire. 2002. Dynamic Host Configuration Protocol (DHCP) Domain Search Option. RFC 3397. RFC Editor.

Abstract

A Appendix

References

Cited By

Index Terms

Recommendations

A novel algorithm to prevent man in the middle attack in LAN environment

Man-in-the-Middle Attack to the HTTPS Protocol

Cookie-Proxy: A Scheme to Prevent SSLStrip Attack

Comments

Information

Published In

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Get Access

Login options

Full Access

View options

PDF

eReader

Full Text

HTML Format

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations