WPAD: Waiting patiently for an announced disaster

Boulila, Elyssa; Dacier, Marc
ACM Computing Surveys, September 2022

The Web Proxy Auto-Discovery protocol (wpad1) is widely used despite being !awed. Its purpose is to enable a client machine to autonomously identify an appropriate proxy, if any, to connect to. This can be useful in corporate networks, for example. Its vulnerabilities range from enabling an attacker to execute code remotely on client machines, to carry out SSL MITM attacks, to subvert Windows NTLM authentication or even to steal Google authentication tokens. Several publications, talks and blog posts have tried to raise awareness about some of these security issues. 23 distinct CVEs have been published. Nevertheless, wpad runs by default on Windows machines and most users are unaware of its existence. Our goal is to o"er within a single publication a survey of all the known vulnerabilities surrounding wpad, a presentation of some novel threats related to this protocol, as well as a description of mitigation and detection techniques to prevent the exploitation of its vulnerabilities. We hope that this publication will be an eye opener for all those concerned with the security of their networks and that the o"ered mitigation techniques will help them to deal with the numerous threats that wpad brings to their environments.

Digital Security
Eurecom Ref:
© ACM, 2022. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACM Computing Surveys, September 2022 https://doi.org/10.1145/3565361

PERMALINK : https://www.eurecom.fr/publication/7066