TY - JOUR
T1 - WPAD: Waiting Patiently for an Announced Disaster
AU - Boulila, Elyssa
AU - Dacier, Marc
N1 - KAUST Repository Item: Exported on 2023-02-27
Acknowledgements: We want to express our deepest gratitude to the members of the Farsight and the Corelight companies, Redteam.pl and nask for having helped us in our investigations reported in Section 4.1. In particular, we want to thank, by alphabetical order, Przemek Jaroszewski, Piotr Kijewski, Pawel Pawlinski, Vern Paxson, Paul Vixie, and Adam Ziaja.
PY - 2023/2/2
Y1 - 2023/2/2
N2 - The Web Proxy Auto-Discovery protocol (wpad 1) is widely used despite being flawed. Its purpose is to enable a client machine to autonomously identify an appropriate proxy, if any, to connect to. This can be useful in corporate networks, for example. Its vulnerabilities range from enabling an attacker to execute code remotely on client machines, to carry out SSL MITM attacks, to subvert Windows NTLM authentication, or even to steal Google authentication tokens. Several publications, talks, and blog posts have tried to raise awareness about some of these security issues. 23 distinct CVEs have been published. Nevertheless, wpad runs by default on Windows machines, and most users are unaware of its existence. Our goal is to offer within a single publication a survey of all the known vulnerabilities surrounding wpad, a presentation of some novel threats related to this protocol, as well as a description of mitigation and detection techniques to prevent the exploitation of its vulnerabilities. We hope that this publication will be an eye opener for all those concerned with the security of their networks and that the offered mitigation techniques will help them to deal with the numerous threats that wpad brings to their environments.
AB - The Web Proxy Auto-Discovery protocol (wpad 1) is widely used despite being flawed. Its purpose is to enable a client machine to autonomously identify an appropriate proxy, if any, to connect to. This can be useful in corporate networks, for example. Its vulnerabilities range from enabling an attacker to execute code remotely on client machines, to carry out SSL MITM attacks, to subvert Windows NTLM authentication, or even to steal Google authentication tokens. Several publications, talks, and blog posts have tried to raise awareness about some of these security issues. 23 distinct CVEs have been published. Nevertheless, wpad runs by default on Windows machines, and most users are unaware of its existence. Our goal is to offer within a single publication a survey of all the known vulnerabilities surrounding wpad, a presentation of some novel threats related to this protocol, as well as a description of mitigation and detection techniques to prevent the exploitation of its vulnerabilities. We hope that this publication will be an eye opener for all those concerned with the security of their networks and that the offered mitigation techniques will help them to deal with the numerous threats that wpad brings to their environments.
UR - http://hdl.handle.net/10754/681743
UR - https://dl.acm.org/doi/10.1145/3565361
UR - http://www.scopus.com/inward/record.url?scp=85148108017&partnerID=8YFLogxK
U2 - 10.1145/3565361
DO - 10.1145/3565361
M3 - Article
SN - 1557-7341
VL - 55
JO - ACM Computing Surveys
JF - ACM Computing Surveys
IS - 10
ER -