The IE 5 (and higher) Web Proxy Auto-Discovery (WPAD) feature enables
web clients to automatically detect proxy settings without user intervention.
The algorithm used by WPAD prepends the hostname "wpad" to
the fully-qualified domain name and progressively removes subdomains
until it either finds a WPAD server answering the hostname or reaches
the third-level domain. For instance, web clients in the domain a.b.microsoft.com
would query wpad.a.b.microsoft.com, wpad.b.microsoft.com, then wpad.microsoft.com.
A vulnerability arises because in international usage, the third-level
domain may not be trusted. A malicious user could set up a WPAD server
and serve proxy configuration commands of his or her choice.
- Create a standard netscape proxy auto config (PAC) file.
- Store the resultant file in the document root directory of a your
web server as wpad.dat (Not proxy.pac as you may have previously done).
You should be able to use an HTTP redirect if you want to store the
wpad.dat file somewhere else. You can probably even redirect wpad.dat
Redirect /wpad.dat http://other.server.com/proxy.pac
- Be sure than if you do nothing more, a url like http://www.your.domain.name/wpad.dat
should bring up the script text in your browser window.
- Insert the following entry into your web server mime.types file.
Maybe in addition to your pac file type, if you've done this before.
And then restart your web server, for new mime type to work.
(you can try to skip this step)
- Create/install/implement a DNS record so that wpad.your.domain.name
resolves to the host above where you have a functioning auto config
Also you can use Hosts file at your computer for creating mapping:
wpad.your.domain.name <IP-address your web-server>
- Assuming Internet Explorer 5, under "Tools", "Internet
Options", "Connections", "Settings" or "LAN
Settings", set ONLY "Use Automatic Configuration Script"
to be the URL for where your new wpad.dat file can be found. i.e.
Test that that all works as per your script and network. There's no
point continuing until this works...
- And finally, go back to the setup screen detailed in step 6 above,
and choose nothing except the "Automatically Detect Settings"
option, turning everything else off. Best to restart IE5, as you normally
do with any Microsoft product... And it should all work.
back to proxy FAQ