What is it about?
This publication offers a survey of all the known vulnerabilities surrounding the Web Proxy Auto-Discovery protocol (WPAD), a protocol which is widely used despite being flawed. Its purpose is to enable a client machine to autonomously identify an appropriate proxy, if any, to connect to. This can be useful in corporate networks, for example. Its vulnerabilities range from enabling an attacker to execute code remotely on client machines, to carrying out SSL MITM attacks, subverting Windows NTLM authentication or even stealing Google authentication tokens. Several publications, talks and blog posts have tried to raise awareness about some of these security issues, and 23 distinct CVEs have been published. Nevertheless, WPAD runs today by default on Windows machines and most users are unaware of its existence. This article not only discusses the vulnerabilities surrounding this protocol, but also presents some novel threats related to WPAD and multiple mitigation and detection techniques.
Why is it important?
We want to highlight the fact that this protocol is widely used despite being flawed. We hope that this publication will be an eye-opener for all those concerned with the security of their networks and that the offered mitigation techniques will help them deal with the numerous threats that WPAD brings to their environments.
Read the Original
This page is a summary of: WPAD: Waiting Patiently for an Announced Disaster, ACM Computing Surveys, October 2022, ACM (Association for Computing Machinery), DOI: 10.1145/3565361.