The IE 5 (and higher) Web Proxy Auto-Discovery (WPAD) feature enables web clients to automatically detect proxy settings without user intervention. The algorithm used by WPAD prepends the hostname "wpad" to the fully-qualified domain name and progressively removes subdomains until it either finds a WPAD server answering the hostname or reaches the third-level domain. For instance, web clients in the domain a.b.microsoft.com would query wpad.a.b.microsoft.com, wpad.b.microsoft.com, then wpad.microsoft.com. A vulnerability arises because in international usage, the third-level domain may not be trusted. A malicious user could set up a WPAD server and serve proxy configuration commands of his or her choice.
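
The search order described above can be enumerated to see which names a client would query and which of them fall outside the zones you control. This Python code is an added example, not part of the original FAQ; the function names and the domain sales.corp.example.co.uk are constructed for illustration.

```python
"""Added example: list WPAD candidate names and flag those outside trusted zones."""


def wpad_candidates(client_domain):
    """Names a client tries, following the search described in the text:
    prepend "wpad", then drop the leftmost label of the domain until the
    candidate is a third-level name (three labels)."""
    labels = [l for l in client_domain.lower().strip(".").split(".") if l]
    names = []
    while len(labels) >= 2:
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return names


def is_within(name, zone):
    """True if name equals zone or is a subdomain of it (label-aligned match)."""
    zone = zone.lower().strip(".")
    return name == zone or name.endswith("." + zone)


def untrusted_candidates(client_domain, trusted_zones):
    """Candidates that do not fall under any zone the organization controls."""
    return [
        name
        for name in wpad_candidates(client_domain)
        if not any(is_within(name, zone) for zone in trusted_zones)
    ]


if __name__ == "__main__":
    # Constructed sample inputs: (client domain, zones the organization controls).
    samples = [
        ("a.b.microsoft.com", ["microsoft.com"]),
        ("sales.corp.example.co.uk", ["example.co.uk"]),
    ]
    for domain, zones in samples:
        print(domain)
        flagged = set(untrusted_candidates(domain, zones))
        for name in wpad_candidates(domain):
            status = "OUTSIDE trusted zones" if name in flagged else "ok"
            print("   ", name, "->", status)
```

Any name reported as outside the trusted zones is one the organization does not control, so a client with automatic detection enabled would accept proxy settings from whoever answers for it.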

  1. Create a standard Netscape proxy auto-config (PAC) file.
  2. Store the resulting file in the document root directory of your web server as wpad.dat (not proxy.pac, as you may have done previously). You should be able to use an HTTP redirect if you want to store the wpad.dat file somewhere else. You can probably even redirect wpad.dat to proxy.pac:
    Redirect /wpad.dat http://other.server.com/proxy.pac
  3. Be sure that, even if you do nothing more, a URL like http://www.your.domain.name/wpad.dat brings up the script text in your browser window.
  4. Insert the following entry into your web server's mime.types file, possibly in addition to your existing .pac file type if you have set one up before:
    application/x-ns-proxy-autoconfig     dat
    Then restart your web server so that the new MIME type takes effect.
    (you can try to skip this step)
  5. Create a DNS record so that wpad.your.domain.name resolves to the host above, where you have a functioning auto-config script running.
    Alternatively, you can create the mapping in the hosts file on your computer:
    <IP address of your web server> wpad.your.domain.name
  6. Assuming Internet Explorer 5, under "Tools", "Internet Options", "Connections", "Settings" or "LAN Settings", set ONLY "Use Automatic Configuration Script" to the URL where your new wpad.dat file can be found, i.e. http://wpad.your.domain.name/wpad.dat
    Test that it all works as expected for your script and network. There's no point continuing until this works...
  7. Finally, go back to the setup screen described in step 6 above and choose nothing except the "Automatically Detect Settings" option, turning everything else off. Best to restart IE5, as you normally do with any Microsoft product... And it should all work.
