@zombiewarrior @kebokyo @neil

If they truly did nothing, that would probably be better.

What they actually do is turn the setting off where most people test it to check that it is doing what it claims, i.e. running a WWW browser or suchlike application interactively, whilst covertly leaving it on in non-interactive but pretty serious parts of the system.

Until one day you fiddle with the #ProxyAutoConfiguration file, thinking that it's not in use, and you find that your supposedly dummy HTTP server is getting a lot of requests.

https://mastodonapp.uk/@JdeBP/114696051410902443

#WPAD #Microsoft #MicrosoftWindows


@kebokyo @neil

My biggest security concern this year wasn't anything to do with my static content servers, or even the machine they are running on, at all.

It was the fact that if one turns off WWW Proxy Auto Discovery in #MicrosoftWindows system settings, it turns out not to actually turn it off for some fairly vital things like the auto-updates for Windows and Office.

Top #Microsoft tip: Act as if #WPAD is always on, because it turns out that it is.

#ProxyAutoConfiguration

My educated first guess is that this is some side-effect on the proxy settings of Session 0 Isolation, or HKLM versus HKCU, or something.

Certainly all of the session 1 programs running on the desktop as the logged-in user appear to be obeying the proxy settings shown in System Settings. The HTTP server pointed to by the PAC file isn't getting any hijacked traffic from any WWW browsers, or from Electron(-like) apps.

#MicrosoftWindows #WPAD #ProxyAutoConfiguration #infosec
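The HKLM-versus-HKCU guess above can be checked directly rather than by fiddling with a PAC file. The following is an added example, not code from the thread or from Microsoft: it decodes the "Automatically detect settings" bit from the DefaultConnectionSettings value under the Connections key, for the logged-in user's hive, the machine hive, and the hives of the three built-in service accounts (the list of hives is an assumption; extend it for other service users). The blob layout it parses (version, change counter, flags, then three length-prefixed strings) is the commonly documented but unofficial one, and the flag bits are likewise unofficial. Whether a given service actually consults these values is exactly what the thread is questioning, so a clean result here does not prove WPAD is off; it only shows what the settings say. The DisableWpad value under the WinHttp key is the separate, Microsoft-documented switch for WinHTTP callers, which do their own WPAD regardless of the per-user setting. The sample blob is constructed, not taken from a real machine.

```python
"""Added example (not from the thread): decode the WPAD/"auto-detect" flag
from the DefaultConnectionSettings value in each registry hive, so the
HKCU-versus-HKLM-versus-service-hive question can be checked directly.

Blob layout is the commonly documented but unofficial one: DWORD version,
DWORD change counter, DWORD flags, then three length-prefixed byte strings
(proxy server, bypass list, auto-config URL), followed by zero padding.
"""
import struct
import sys

# Flag bits in the third DWORD (unofficial but widely documented).
FLAG_DIRECT = 0x01
FLAG_MANUAL_PROXY = 0x02
FLAG_AUTOCONFIG_URL = 0x04
FLAG_AUTODETECT = 0x08  # "Automatically detect settings", i.e. WPAD

CONNECTIONS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
WINHTTP_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"

# Hives whose proxy settings matter: the interactive user, the machine,
# and the three built-in service accounts (assumed set; extend as needed).
HIVES = [
    ("HKCU (logged-in user)", "HKEY_CURRENT_USER", ""),
    ("HKLM (machine)", "HKEY_LOCAL_MACHINE", ""),
    ("HKU\\S-1-5-18 (LocalSystem)", "HKEY_USERS", "S-1-5-18\\"),
    ("HKU\\S-1-5-19 (LocalService)", "HKEY_USERS", "S-1-5-19\\"),
    ("HKU\\S-1-5-20 (NetworkService)", "HKEY_USERS", "S-1-5-20\\"),
]


def _read_lpstr(blob, off):
    """Length-prefixed byte string at `off`; returns (text, next offset)."""
    (n,) = struct.unpack_from("<I", blob, off)
    off += 4
    return blob[off:off + n].decode("latin-1"), off + n


def decode_connection_settings(blob):
    """Parse a DefaultConnectionSettings blob into a dict of fields."""
    if len(blob) < 12:
        raise ValueError("DefaultConnectionSettings blob too short")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    off = 12
    proxy, off = _read_lpstr(blob, off)
    bypass, off = _read_lpstr(blob, off)
    pac_url, off = _read_lpstr(blob, off)
    return {
        "version": version,
        "counter": counter,
        "flags": flags,
        "autodetect": bool(flags & FLAG_AUTODETECT),
        "manual_proxy": bool(flags & FLAG_MANUAL_PROXY),
        "autoconfig_url": bool(flags & FLAG_AUTOCONFIG_URL),
        "proxy": proxy,
        "bypass": bypass,
        "pac_url": pac_url,
    }


def build_connection_settings(flags, proxy="", bypass="", pac_url="",
                              version=0x46, counter=1):
    """Inverse of decode_connection_settings; used here to construct samples."""
    out = struct.pack("<III", version, counter, flags)
    for s in (proxy, bypass, pac_url):
        b = s.encode("latin-1")
        out += struct.pack("<I", len(b)) + b
    return out + b"\x00" * 32


# Constructed sample: the factory default, "direct + auto-detect" (0x09).
SAMPLE_DEFAULT = build_connection_settings(FLAG_DIRECT | FLAG_AUTODETECT)


def read_windows_settings():
    """On Windows, decode the blob from every hive in HIVES; else empty dict."""
    if sys.platform != "win32":
        return {}
    import winreg
    found = {}
    for label, root_name, prefix in HIVES:
        root = getattr(winreg, root_name)
        try:
            with winreg.OpenKey(root, prefix + CONNECTIONS_KEY) as key:
                blob, _ = winreg.QueryValueEx(key, "DefaultConnectionSettings")
            found[label] = decode_connection_settings(blob)
        except OSError as exc:  # hive not loaded, or value absent
            found[label] = {"error": str(exc)}
    # WinHTTP callers do their own WPAD; DisableWpad (a Microsoft-documented
    # WinHTTP mitigation) is the only machine-wide switch for them.
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINHTTP_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "DisableWpad")
        found["WinHttp\\DisableWpad"] = value
    except OSError:
        found["WinHttp\\DisableWpad"] = None  # absent: WinHTTP WPAD available
    return found


if __name__ == "__main__":
    report = read_windows_settings() or {"sample": decode_connection_settings(SAMPLE_DEFAULT)}
    for label, info in report.items():
        print(label, info)
```

Run it elevated so the service hives under HKEY_USERS are readable; a hive that reports an error is simply not loaded or has never had the value written, which for the service accounts means those processes are not reading a per-user "off".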

I've run ktrace/truss on the HTTP server as the easiest way to find out what requests it was receiving, given that they're either being conveniently downgraded from HTTPS to a CONNECT over HTTP, or were in HTTP already.

There is good news and there is bad news.

The good news is that there's nothing particularly new amongst the URLs. Microsoft discloses a lot, but not all, of them. A couple belong to other companies, but the connections to Microsoft, Google, et al. are overt.

The bad news is that these are things like certificate revocation lists from Google, other certificate information, your Microsoft account login on Windows Live, Bing Maps, Windows Defender updates, and various other stuff. And they're all vulnerable to a WPAD attack on an untrusted LAN (e.g. your favourite Internet café) that has been known about for over 20 years.

And, importantly, that the system administrator *thinks is turned off*.

#MicrosoftWindows #WPAD #ProxyAutoConfiguration #infosec

There's something inside #MicrosoftWindows that does not respect the system settings and *always* uses Web Proxy Auto-Discovery.

I have WPAD turned off on my Windows machines, and recently fiddled with the LAN's wpad.dat thinking that nothing would be using it, making it point to a dummy proxy.

The dummy proxy is currently logging a lot of repetitive HTTP requests coming in from what appear to be internal Microsoft services. I've seen digicert.com., pki.goog., and cdn.office.net. URLs, so far. I've tested the WWW browsers, and they're definitely respecting the system proxy settings.

It's not that these requests are being made. It's that they're being routed as instructed by a PAC file where a system administrator has *turned off WPAD* because of its vulnerability to hijacking by whoever controls DHCP/proxy DNS on the LAN. I just hijacked myself. Others are probably not so lucky.

#WPAD #ProxyAutoConfiguration #infosec
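For anyone wanting to repeat the self-hijack described in this thread on their own LAN, the following is an added example of the "dummy proxy" end of it; it is not the thread author's server. It forwards nothing and answers every request with 502, but logs which host each proxied request was aimed at, which is the same information the author got from ktrace/truss. Point the LAN's PAC file at it, for instance with `return "PROXY 192.0.2.10:3128";` (the address and port are assumptions), and every client that honours that PAC shows up as either `GET http://host/... HTTP/1.1` or `CONNECT host:443 HTTP/1.1`. The sample request lines in the block are constructed for illustration, not the author's logs.

```python
"""Added example (not the thread author's server): a dummy "proxy" that
forwards nothing, answers 502, and logs which host each proxied request was
aimed at. Point a PAC file at it, e.g. `return "PROXY 192.0.2.10:3128";`
(address and port are assumptions), and whatever honours that PAC shows
up here as `GET http://host/... HTTP/1.1` or `CONNECT host:443 HTTP/1.1`.
"""
from collections import Counter
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit


def classify_request_line(line):
    """Return (method, scheme, host) for a request line as a proxy sees it.

    CONNECT carries "host:port" (TLS tunnelled through the proxy); other
    methods carry an absolute URL. A bare path means the client thinks we
    are the origin server, not a proxy, and is reported as such.
    """
    parts = line.strip().split()
    if len(parts) != 3:
        raise ValueError("not an HTTP/1.x request line: %r" % line)
    method, target, _version = parts
    if method == "CONNECT":
        host, _, _port = target.rpartition(":")
        return method, "https", host or target
    url = urlsplit(target)
    if url.scheme and url.netloc:
        return method, url.scheme, url.hostname
    return method, "origin-form", None


def tally_hosts(request_lines):
    """Count proxied requests per target host (origin-form lines ignored)."""
    counts = Counter()
    for line in request_lines:
        _method, _scheme, host = classify_request_line(line)
        if host:
            counts[host] += 1
    return dict(counts)


# Constructed sample of what such a server might log; not the author's data.
SAMPLE_LINES = [
    "CONNECT pki.goog:443 HTTP/1.1",
    "GET http://crl3.digicert.com/example.crl HTTP/1.1",
    "CONNECT pki.goog:443 HTTP/1.1",
    "GET http://cdn.office.net/example HTTP/1.1",
    "GET /favicon.ico HTTP/1.1",
]


class DummyProxyHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def _refuse_and_log(self):
        method, scheme, host = classify_request_line(self.requestline)
        self.log_message("%s %s host=%s ua=%r", method, scheme, host,
                         self.headers.get("User-Agent", ""))
        self.send_response(502, "Bad Gateway")
        self.send_header("Content-Length", "0")
        self.send_header("Connection", "close")  # also sets close_connection
        self.end_headers()

    # BaseHTTPRequestHandler dispatches on do_<METHOD>; CONNECT included.
    do_GET = do_HEAD = do_POST = do_CONNECT = _refuse_and_log


def serve(bind="0.0.0.0", port=3128):
    """Run the dummy proxy until interrupted (blocks)."""
    with ThreadingHTTPServer((bind, port), DummyProxyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    print(tally_hosts(SAMPLE_LINES))
    serve()
```

Because a CONNECT only reveals the host and port, not the URL inside the TLS tunnel, the log distinguishes "https" tunnels from plain "http" fetches; the User-Agent header is logged too, since for the non-interactive Windows components it is often the quickest clue as to which service made the request.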