User: Your software doesn't use the #WPAD Proxy
Support: Please try to reach the server using #Edge with --use-system-proxy-resolvers
User: These are #Chromium flags, not applicable to Edge, and Edge already uses the System Proxy settings.
Support: 🙄

If only people would do what the support told them to do, and not try to be smarter than them.

PSA: Chromium (and Edge) use the Chromium proxy parser, unless explicitly told to use the WinHTTP proxy resolver.

https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/managing-pac-script-configuration-in-microsoft-edge/4408557

Managing PAC Script Configuration in Microsoft Edge | Microsoft Community Hub

Hi, I'm Helmut Wagensonner, a Cloud Solution Architect at Microsoft. This blog post is about the different ways to handle PAC Scripts in Microsoft Edge....


@zombiewarrior @kebokyo @neil

If they truly did nothing, that would probably be better.

What they actually do is turn the setting off where most people test it to check that it is doing what it claims, i.e. running a WWW browser or suchlike application interactively, whilst covertly leaving it on in non-interactive but pretty serious parts of the system.

Until one day you fiddle with the #ProxyAutoConfiguration file, thinking that it's not in use, and you find that your supposedly dummy HTTP server is getting a lot of requests.

https://mastodonapp.uk/@JdeBP/114696051410902443

#WPAD #Microsoft #MicrosoftWindows


@kebokyo @neil

My biggest security concern this year wasn't anything to do with my static content servers, or even the machine they are running on, at all.

It was the fact that if one turns off WWW Proxy Auto Discovery in #MicrosoftWindows system settings, it turns out not to actually turn it off for some fairly vital things like the auto-updates for Windows and Office.

Top #Microsoft tip: Act as if #WPAD is always on, because it turns out that it is.

#ProxyAutoConfiguration

My educated first guess is that this is some side-effect on the proxy settings of Session 0 Isolation, or HKLM versus HKCU, or something.

Certainly all of the session 1 programs running on the desktop as the logged-in user appear to be obeying the proxy settings shown in System Settings. The HTTP server pointed to by the PAC file isn't getting any hijacked traffic from any WWW browsers, or from Electron(-like) apps.

#MicrosoftWindows #WPAD #ProxyAutoConfiguration #infosec

I've run ktrace/truss on the HTTP server as the easiest way to find out what requests it was receiving, given that they're either being conveniently downgraded from HTTPS to a CONNECT over HTTP, or were in HTTP already.

There is good news and there is bad news.

The good news is that there's nothing particularly new amongst the URLs. Microsoft discloses a lot, but not all, of them. A couple belong to other companies, but the connections to Microsoft, Google, et al. are overt.

The bad news is that these are things like certificate revocation lists from Google, other certificate information, your Microsoft account login on Windows Live, Bing Maps, Windows Defender updates, and various other stuff. And they're all vulnerable to a WPAD attack on an untrusted LAN (e.g. your favourite Internet café) that has been known about for over 20 years.

And, importantly, that the system administrator *thinks is turned off*.

#MicrosoftWindows #WPAD #ProxyAutoConfiguration #infosec

The hijacking method itself isn't new, by the way. I wrote about trusting DHCP servers back in 2004. I control what my DHCP server hands out in leases, and I also control what wpad.$searchdomain on my LAN is.

So it's not that this #WPAD hijacking is possible. It's that for some parts of #MicrosoftWindows it is apparently impossible *to prevent* by turning off automatic proxy setup.

For parts of the system that are pulling the wpad.dat file every half hour, and appear to be doing things with trust certificates, over HTTP.

https://jdebp.uk/FGA/web-browser-auto-proxy-configuration.html#Security

#infosec

FGA: Automatic proxy HTTP server configuration in web browsers

There's something inside #MicrosoftWindows that does not respect the system settings and *always* uses Web Proxy Auto-Discovery.

I have WPAD turned off on my Windows machines, and recently fiddled with the LAN's wpad.dat thinking that nothing would be using it, making it point to a dummy proxy.

The dummy proxy is currently logging a lot of repetitive HTTP requests coming in from what appear to be internal Microsoft services. I've seen digicert.com., pki.goog., and cdn.office.net. URLs, so far. I've tested the WWW browsers, and they're definitely respecting the system proxy settings.

It's not that these requests are being made. It's that they're being routed as instructed by a PAC file where a system administrator has *turned off WPAD* because of its vulnerability to hijacking by whoever controls DHCP/proxy DNS on the LAN. I just hijacked myself. Others are probably not so lucky.

#WPAD #ProxyAutoConfiguration #infosec
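A detection check that follows from this thread, added here as an example and not taken from any of the posts above: given the access log of the host that serves wpad.dat and also stands in as the dummy proxy, it groups requests per client, counts wpad.dat fetches, works out whether those fetches look like a timer, records which User-Agents do the fetching, and lists which destinations the PAC file handed to the proxy. The log lines are constructed for the example (the 192.0.2.x addresses, timestamps, CRL path and User-Agent strings are illustrative, not captured data); the half-hourly polling pattern is the one described in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlparse

# Constructed sample log (Combined Log Format) for a host that serves wpad.dat
# and is also the "dummy proxy" the PAC file points everything at.
# Addresses, timestamps, paths and User-Agent strings are illustrative only.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jun/2025:09:00:01 +0000] "GET /wpad.dat HTTP/1.1" 200 412 "-" "WinHttp-Autoproxy-Service/5.1"
192.0.2.10 - - [12/Jun/2025:09:00:02 +0000] "CONNECT crl.pki.goog:443 HTTP/1.1" 502 0 "-" "Microsoft-CryptoAPI/10.0"
192.0.2.10 - - [12/Jun/2025:09:00:03 +0000] "GET http://crl3.digicert.com/example.crl HTTP/1.1" 502 0 "-" "Microsoft-CryptoAPI/10.0"
192.0.2.10 - - [12/Jun/2025:09:30:01 +0000] "GET /wpad.dat HTTP/1.1" 200 412 "-" "WinHttp-Autoproxy-Service/5.1"
192.0.2.10 - - [12/Jun/2025:10:00:01 +0000] "GET /wpad.dat HTTP/1.1" 200 412 "-" "WinHttp-Autoproxy-Service/5.1"
192.0.2.10 - - [12/Jun/2025:10:00:05 +0000] "CONNECT login.live.com:443 HTTP/1.1" 502 0 "-" "Microsoft-Delivery-Optimization/10.0"
192.0.2.11 - - [12/Jun/2025:09:05:00 +0000] "GET /wpad.dat HTTP/1.1" 200 412 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def proxied_host(rec):
    """Destination host of a request that came *through* the proxy.
    'CONNECT host:port' is an HTTPS tunnel request (the CONNECT itself travels
    as plain HTTP); an absolute http:// URL was plaintext to begin with.
    A plain '/wpad.dat' fetch is the PAC download itself, not proxied traffic."""
    if rec["method"] == "CONNECT":
        return rec["target"].rsplit(":", 1)[0]
    if rec["target"].startswith("http://"):
        return urlparse(rec["target"]).hostname
    return None

def analyze(log_text, jitter_s=60):
    """Per client IP: number of wpad.dat fetches, median gap between them,
    whether the gaps are regular enough to be a timer (all within jitter_s of
    each other), which agents fetch the PAC, and which hosts got proxied."""
    clients = defaultdict(lambda: {"fetches": [], "agents": set(), "proxied": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        c = clients[rec["ip"]]
        if rec["method"] == "GET" and rec["target"].endswith("/wpad.dat"):
            c["fetches"].append(rec["ts"])
            c["agents"].add(rec["ua"])
        host = proxied_host(rec)
        if host:
            c["proxied"].add(host)
    report = {}
    for ip, c in clients.items():
        times = sorted(c["fetches"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[ip] = {
            "wpad_fetches": len(times),
            "median_interval_s": median(gaps) if gaps else None,
            "periodic": len(gaps) >= 2 and max(gaps) - min(gaps) <= jitter_s,
            "wpad_agents": sorted(c["agents"]),
            "proxied_hosts": sorted(c["proxied"]),
        }
    return report

if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG).items():
        kind = "POLLING" if r["periodic"] else "one-off"
        print(f"{ip}: {r['wpad_fetches']} wpad.dat fetches ({kind}, "
              f"median gap {r['median_interval_s']}s) by {r['wpad_agents']}; "
              f"proxied: {r['proxied_hosts']}")
```

A client that shows up as POLLING with a non-browser User-Agent, on a machine where the interactive proxy settings say auto-detection is off, is the case the thread describes; the proxied-hosts list tells you what that client was willing to route through whatever wpad.dat said.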

Spotted at #WCEU!

Taco Verdonschot, WP Accessibility Day organizer, leads a panel of industry experts for live website reviews.

Amber Hinds, WPAD co-lead organizer, joins him, along with Marieke van de Rakt and Jono Alderson, bringing practical feedback and fresh perspectives.

Session info https://europe.wordcamp.org/2025/session/live-website-reviews-by-industry-experts/
#WCEU2025 #WPAccessibility #WordPress #WPAD

Live website reviews by industry experts

Taco will bring a team of experts to join him, creating a multi-disciplinary team experienced in various aspects of building a website. In a panel-like setup, the team will invite the audience to s…

WordCamp Europe 2025


Why are you still using my server for your internet access - Thomas Boejstrup Johansen

Ah, WPAD — now that's a name I haven't heard in a long time.

Short for "Web Proxy Auto-Discovery", WPAD is a protocol for machines on local networks to get their proxy configuration. Invented by Netscape in 1996, this protocol has been deprecated for a LONG time — in 1999, today marking its 25th anniversary.

WPAD is pretty simple — it uses the network name of the user's machine to search for a wpad.dat file, going from more specific to broad. For example, if the network name is pc.team.dep.org.com, a WPAD implementation will try to fetch wpad.team.dep.org.com/wpad.dat, wpad.dep.org.com/wpad.dat and wpad.org.com/wpad.dat in order as long as the last one wasn't found.

wpad.dat is a Proxy Auto-Config (PAC) file - a JavaScript file running in a limited environment. It implements a function that takes a URL and decides on the proxy server for the request (or DIRECT, for no proxy).

So why is this interesting? It happens that many implementations do an additional step, stripping the domain all the way to wpad.com/wpad.dat.

This is on the public internet! Thus this implementation takes a PAC file from a stranger and uses it as the device's proxy configuration.

Luckily, notable WPAD TLDs — com, org, and net — are protected and cannot be registered. However, others are fair game!

In his excellent talk, Thomas reveals that he was able to register wpad.dk (the TLD for Denmark) alongside a few more.

He set up a simple PAC file directing all traffic back to p.wpad.dk, with interesting information like the domain, private and public IP addresses of the client. The proxy always responds with an error message, while Thomas was able to record details about the access.

Here's the stats: 90K requests a day, totaling a whopping 1.1 billion (!!) requests in a year. They span the entire world but mostly from Europe.

The HTTP GET requests were made to many file extensions, like thousands of credentials and over half a million executables. About 200k URLs also included credentials in parameters! Interestingly, the server has received POST requests too, with their entire body!

The clients' User-Agents show how the WPAD issue is not solely a Microsoft problem but spans almost every possible client in existence — Linux, Apple, and many distinct applications are affected.

During his research, Thomas also looked at wpad.dat files on other TLDs, finding some suspiciously malicious — one redirecting unencrypted requests through their proxy, and another one stealing ad requests, possibly for revenue theft!

The talk is great, containing hilarious tidbits about the research and the feedback form on the proxy. These vulnerabilities display both the ingenuity of researchers and the difficulty of fully deprecating a problematic service once it's deeply ingrained in systems.

#DEFCON #wpad #vulnerability #proxy

https://www.youtube.com/watch?v=uwsykPWa5Lc

DEF CON 32 - Why are you still using my server for your internet access - Thomas Boejstrup Johansen

Pwning countries at the top-level domain by just buying one specific domain name 'wpad.tld'; come hear more about this 25+ year old issue and the research ...

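The discovery walk described in the post, as an added example that is not code from the talk or from any WPAD implementation: the first function reproduces the over-eager variant that keeps stripping labels until only the TLD is left (so wpad.com, or wpad.dk, ends up on the list), the second stops at the public-suffix boundary, and the third lists exactly which candidate names sit directly under a public suffix, i.e. the ones a stranger could register. The public-suffix set here is a constructed six-entry stand-in; a real implementation must consult the full Public Suffix List.

```python
# Constructed stand-in for the Public Suffix List, just large enough for the
# hosts used below. Real code must load the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "org", "net", "dk", "uk", "co.uk"}

def _parents(fqdn):
    """Yield the parent domains of fqdn, most specific first, e.g.
    pc.team.dep.org.com -> team.dep.org.com, dep.org.com, org.com, com."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:])

def wpad_candidates_naive(fqdn):
    """The over-eager walk the talk describes: strip one label at a time and
    try wpad.<parent> for every parent, right down to the bare TLD."""
    return ["wpad." + p for p in _parents(fqdn)]

def wpad_candidates_safe(fqdn):
    """Stop before the parent becomes a public suffix, so the walk never
    queries a name that anybody on the internet could register."""
    out = []
    for p in _parents(fqdn):
        if p in PUBLIC_SUFFIXES:
            break
        out.append("wpad." + p)
    return out

def leaked_candidates(fqdn):
    """The names from the naive walk that live directly under a public
    suffix: wpad.dk for a Danish host, wpad.co.uk and wpad.uk for a UK one."""
    return [c for c in wpad_candidates_naive(fqdn)
            if c[len("wpad."):] in PUBLIC_SUFFIXES]

if __name__ == "__main__":
    for host in ("pc.team.dep.org.com", "laptop.firma.dk", "host.example.co.uk"):
        print(host)
        print("  naive :", wpad_candidates_naive(host))
        print("  safe  :", wpad_candidates_safe(host))
        print("  leaked:", leaked_candidates(host))
```

For pc.team.dep.org.com the safe walk yields the three names the post lists and stops; the naive walk adds wpad.com. Whether the last hop is harmless depends entirely on whether that TLD's registry has reserved wpad, which is the gap the talk exploited.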

UPC and Play customers complain about router problems and DNS traffic hijacking

For roughly a month we have been receiving reports from customers who have routers from UPC (recall that the company has now been rebranded as Play). Some see warnings from their antivirus, others complain about speed drops. What they all have in common is that their UPC routers have started setting the DNS suffix to utopia[.]net.

Here is how one reader describes the matter:
A week ago, on Wednesday, my internet (from UPC/Play) started acting up (speed dropped from the offered 1000 to barely 170 Mbps). I called the ISP, they offered me a technician. Connected to the network I had my own PC on LAN, a laptop from work and my wife's laptop. The work laptop would not connect over WiFi: Cisco AnyConnect stopped at "authenticating" and went no further. I checked a hotspot from my phone: WORKS. LAN works but with the speed drops ...
On Saturday the technician came; it turned out the router was somehow faulty, he gave me a "new" one and that was that. It worked for 1 day. The next day, the same drops as before. In the network adapter properties I can see that over IPv6 there is no internet access. In cmd I typed ipconfig /all and it spat out:
Connection-specific DNS Suffix . : utopia.net
I clutched my head: WTF. On Reddit and other forums people write that it is DNS hijacked.
A second reader wrote this:
For 2 days Norton has been showing me a blocked intrusion attempt on my computer via utopia[.]net. The strange thing is that I haven't downloaded anything and I have no idea how I could have caught a virus. I downloaded Malwarebytes and spent the whole night scanning the computer. After a lot of digging into what might be causing the problem, I checked ipconfig in cmd and the DNS suffix keeps showing me utopia.

And a third noticed that...
DHCP is trying to inject a WPAD file from the domain .
A fourth, in turn, pointed out that there appeared [...]

#DNS #DNSSuffix #P4 #Play #UPC #WPAD

https://niebezpiecznik.pl/post/klienci-upc-i-play-skarza-sie-na-problemy-z-routerami-i-przechwytywanie-ruchu-dns/

UPC and Play customers complain about router problems and DNS traffic hijacking

NieBezpiecznik.pl
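One way to check what a router's DHCP server is actually handing out, added here as an example and not part of the article: it parses the options of a DHCP message and flags a domain suffix (option 15) that is not one of yours, and any WPAD PAC URL pushed in option 252, which a client honouring DHCP-based WPAD will fetch and run. The message bytes are constructed inline by a small builder (the 192.0.2.x addresses, MAC, lease and the wpad URL are made up for the example; only the utopia.net suffix comes from the article).

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # start of the DHCP options field (RFC 2132)
OPT_DOMAIN_NAME = 15                  # shows up as "Connection-specific DNS Suffix"
OPT_MSG_TYPE = 53
OPT_WPAD_URL = 252                    # site-local option WPAD uses for the PAC URL
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def build_dhcp(options):
    """Construct a DHCP reply: minimal BOOTP header, magic cookie, the given
    (code, value) options, END. Only used to produce sample input here."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                        # op=BOOTREPLY, htype=Ethernet, hlen, hops
        0x3903F326, 0, 0x8000,             # xid, secs, flags (broadcast) - constructed
        b"\0" * 4,                         # ciaddr
        bytes([192, 0, 2, 50]),            # yiaddr: offered address (constructed)
        bytes([192, 0, 2, 1]),             # siaddr: the router (constructed)
        b"\0" * 4,                         # giaddr
        b"\x00\x11\x22\x33\x44\x55" + b"\0" * 10,  # chaddr padded to 16 bytes
        b"\0" * 64, b"\0" * 128,           # sname, file
    )
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + b"\xff"

def parse_options(packet):
    """Return {code: value} for the options of a DHCP message. Repeated
    options are concatenated (RFC 3396); PAD (0) is skipped, END (255) stops."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = packet[i + 1]
        opts[code] = opts.get(code, b"") + packet[i + 2 : i + 2 + length]
        i += 2 + length
    return opts

def _text(value):
    # Windows and some routers NUL-terminate string options; strip that.
    return value.rstrip(b"\0").decode("ascii", "replace")

def audit_dhcp(packet, expected_domains):
    """Flag a suffix that is not ours and any WPAD URL at all."""
    opts = parse_options(packet)
    domain = _text(opts.get(OPT_DOMAIN_NAME, b""))
    wpad_url = _text(opts[OPT_WPAD_URL]) if OPT_WPAD_URL in opts else None
    findings = []
    if domain and domain.lower() not in {d.lower() for d in expected_domains}:
        findings.append("unexpected DNS suffix in option 15: " + domain)
    if wpad_url is not None:
        findings.append("WPAD PAC URL pushed in option 252: " + wpad_url)
    return {
        "message_type": MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "?"),
        "domain": domain,
        "wpad_url": wpad_url,
        "findings": findings,
    }

# Constructed OFFER resembling the reports: the suffix is the one readers saw;
# the PAC URL, addresses and lease time are made up for the example.
SAMPLE_OFFER = build_dhcp([
    (OPT_MSG_TYPE, b"\x02"),
    (54, bytes([192, 0, 2, 1])),                 # server identifier
    (51, struct.pack("!I", 86400)),              # lease time
    (6, bytes([192, 0, 2, 1])),                  # DNS server
    (OPT_DOMAIN_NAME, b"utopia.net"),
    (OPT_WPAD_URL, b"http://wpad.example.net/wpad.dat\0"),
])

if __name__ == "__main__":
    result = audit_dhcp(SAMPLE_OFFER, {"home.lan"})
    print(result["message_type"], result["domain"], result["wpad_url"])
    for finding in result["findings"]:
        print("  !", finding)
```

To run this against a live network, feed it the UDP payload of a captured DHCP OFFER or ACK (from port 67) instead of SAMPLE_OFFER; the builder exists only so the example runs offline. Note that even without option 252, an unexpected suffix is enough for the DNS-based WPAD walk to start asking for wpad.<that suffix>.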