Web Proxy Auto-Discovery Protocol Explained and Configured

Author

Reads 9.7K

A modern data center featuring a computer setup with monitor and keyboard, emphasizing technology infrastructure.
Credit: pexels.com, A modern data center featuring a computer setup with monitor and keyboard, emphasizing technology infrastructure.

The Web Proxy Auto-Discovery (WPAD) protocol is a clever way for devices to automatically find a web proxy server on a network. It's like having a personal assistant that helps you find the right proxy server.

WPAD uses a combination of DNS and HTTP requests to discover the proxy server. This is done by sending a request to the server with a specific URL, which returns the location of the proxy server.

The WPAD protocol was first introduced in 1999 and has since become a widely adopted standard. It's supported by most major browsers and operating systems, including Windows, macOS, and Linux.

WPAD is especially useful in environments where the proxy server's address is not fixed, such as in schools or large corporations. It allows devices to automatically detect the proxy server's address and connect to it.

Why Disable WPAD

Disabling WPAD can prevent attackers from capturing user credentials and performing MITM attacks, as explained in Example 2. This is a serious security risk that can be mitigated by disabling WPAD.

Credit: youtube.com, Disable Web Proxy Auto Discovery (WPAD) in Windows 11 [Guide]

To disable WPAD, you need to set a DWORD value to 1 in the registry subkey, as mentioned in Example 1. This will stop WPAD detection for all proxy detection calls made through WinHTTP.

In addition to setting the registry key, WPAD should also be disabled in the Windows Settings UI, as recommended in Example 1. This is because third-party apps and Internet browsers may rely on these settings for Proxy Auto-Discovery.

Disabling WPAD will require you to manually configure all proxies, as stated in Example 1. This can be a hassle, but it's a necessary step to ensure security.

Here are the main attack scenarios that WPAD can be exploited for:

  • An attacker can capture user credentials (hashes) from victim workstations with 0 interaction from the user.
  • An attacker can act as a malicious web proxy and inspect unencrypted web traffic or otherwise perform MITM attacks.

By disabling WPAD, you can significantly reduce the risk of these attacks occurring.

Testing and Configuration

Testing and configuration is a crucial part of the Web Proxy Auto-Discovery Protocol (WPAD). To test if WPAD requests are being made, you can use Wireshark to capture packets on your network interface.

Credit: youtube.com, Hacks Weekly #35: Configuring Out Web Proxy Auto-Discovery

Apply a packet filter to look for DNS requests containing "wpad". This will show you if your device is making WPAD requests.

If you've applied the registry keys correctly, you should see a significant reduction in WPAD requests. Here's what you're looking for:

If you're still seeing WPAD requests after applying the registry keys, it's likely that your configuration isn't correct.

Testing Methodology

To test whether WPAD requests are being made, you can use a simplified method involving Wireshark.

First, install Wireshark and start a packet capture for your network interface. Apply the packet filter dns.qry.name contains "wpad".

Disconnect your network interface, but don't disable it, as this will stop your packet capture.

Upon reconnecting your network interface to the network, you should immediately see WPAD DNS requests being made if you haven't applied the registry keys.

Here's an example of what this looks like on a default install of Windows 11: WPAD key & Proxy setting unconfigured - Default.

If you've applied the registry keys correctly, your system should look like this: WPAD key & Proxy setting configured - After GPO.

Wpad - Proxy in Browser einstellen

Credit: youtube.com, How To Setup PROXY SERVER Settings In Google Chrome | Proxy Settings On Windows 10 PC

To set up a proxy in your browser using WPAD, you'll need to install a web-server software on a system to be used as your WPAD server and configure it to listen on the default port 80.

The WPAD server should be configured to use the MIME-Type "application/x-ns-proxy-autoconfig" for the file extension ".dat". This will allow the browser to recognize the WPAD file.

Create a file named "wpad.dat" containing JavaScript code with a single function "FindProxyForURL" conforming to the Proxy-Auto-Config (PAC) convention. This file should be tested with both Internet Explorer and Firefox for cross-browser compatibility.

Update your DNS server to resolve "wpad.YOURDOMAIN.COM" to the web-server designated to host your WPAD/PAC settings "wpad.dat" file.

Here's a step-by-step guide to setting up WPAD:

  • Install IIS or other web-server software on a system to be used as your WPAD server.
  • Configure the web-server to use the correct MIME-Type and file extension.
  • Create the "wpad.dat" file with the correct JavaScript code.
  • Update the DNS server to resolve "wpad.YOURDOMAIN.COM" to the web-server.
  • Place the "wpad.dat" file in the document root of the web-server.

By following these steps, you should be able to set up a proxy in your browser using WPAD.

Windows 10

Windows 10 has WPAD enabled by default, which can create issues when connecting to malicious public wireless networks. This can lead to security risks.

Credit: youtube.com, Windows 10 : How to Start or Stop WinHTTP Web Proxy Auto Discovery Service

To disable WPAD in Windows 10, you'll need to set a DWORD value for the following registry subkey to 1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHttp\Parameters. This will stop WPAD detection for all proxy detection calls made through the Windows HTTP Services (WinHTTP) API.

Even with this registry key set, applications can still resolve the name "WPAD" by calling Domain Name System (DNS) directly. For example, running nslookup WPAD still resolves the name by using DNS.

Disabling WPAD in the Windows Settings UI is also important, as third-party apps and Internet browsers may rely on these settings for Proxy Auto-Discovery. You'll need to manually configure all proxies after disabling WPAD.

Here's a quick rundown of the risks associated with WPAD:

• An attacker can capture user credentials (hashes) from victim workstations with 0 interaction from the user.

• An attacker can act as a malicious web proxy and inspect unencrypted web traffic or otherwise perform MITM attacks.

Check this out: Windows Azure down

Disable WPAD

Disable WPAD to prevent malicious attacks. Starting in Windows Server 2019 and Windows 10, version 1809, you can disable WPAD by setting a DWORD value for the registry subkey to 1.

A unique perspective: Windows Live Toolbar

Close-up of a network server rack with blinking LEDs, showcasing Ethernet connections and patch panels.
Credit: pexels.com, Close-up of a network server rack with blinking LEDs, showcasing Ethernet connections and patch panels.

You'll need to manually configure all proxies after disabling WPAD. The registry key stops WPAD detection for all proxy detection calls made through the Windows HTTP Services (WinHTTP) API.

To disable WPAD, you can set the registry key in the Windows Settings UI. This is important because third-party apps and Internet browsers may rely on these settings for Proxy Auto-Discovery.

You can also use a Group Policy Object (GPO) to disable WPAD. To do this, navigate to Computer/User Configuration -> Preferences -> Windows Settings -> Registry and create a new registry item.

Here's how to create a GPO to disable WPAD:

This GPO needs to be applied to OUs where your computer objects live.

Alternatively, you can create a hosts file entry for WPAD. This can prevent malicious WPAD servers from being resolved.

To create a hosts file entry for WPAD, add a line to the hosts file located at C:\Windows\System32\Drivers\etc\hosts.

For more insights, see: Zone File

Frequently Asked Questions

Is it safe to disable WinHTTP web proxy auto-discovery service?

Disabling WinHTTP web proxy auto-discovery is generally safe, but it may prevent automatic proxy configuration.

How does auto detect proxy work?

When auto detect proxy is enabled, the system searches for a central proxy configuration URL and downloads the proxy settings if found. This allows the system to dynamically locate and use the available proxies for the request.

Thomas Goodwin

Lead Writer

Thomas Goodwin is a seasoned writer with a passion for exploring the intersection of technology and business. With a keen eye for detail and a knack for simplifying complex concepts, he has established himself as a trusted voice in the tech industry. Thomas's writing portfolio spans a range of topics, including Azure Virtual Desktop and Cloud Computing Costs.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.