Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


WPAD File on External Web Server

Posted on 2009-05-12
Medium Priority
Last Modified: 2012-05-06
Is it safe and what the potential security risks of storing my proxy WPAD.dat file on an external web server?  I don't have an internal one to host this file and I don't want to add an internal web server just for this purpose.
Question by:ibidata
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 2
LVL 10

Expert Comment

ID: 24370537
It will need to resolve as wpad.DOMAIN_SUFFIX_IN_SEARCH_ORDER.TLD for the pc to find it. You could secure that url by ip access lists perhaps.

I don't know of any .pac javascript processing vulnerabilities, but controlling your browser wouldn't be too hard at that point...

Expert Comment

ID: 24372565
Question is: what for?

If it's for some laptops, totally disconnected from your company network, they don't need this WPAD/PAC file to be available. They are probably directly connected to the Internet when they're outside
Remember that the failsafe behaviour of "proxy autodetection" is: if the wpad.server/wpad.dat file is not found => direct connection

If it's because your only choice is to store this file on your only web server, available internally as well as externally, you might set up virtual hosts (apache) or "sites" (iis) to restrict access if possible

About the risk:
The only risk might be to let someone know some details about your internal network; IP ranges, some hosts names ? depending on what's in your wpad.dat file

Give us some more detail if needed

Author Comment

ID: 24373747
The reason what for is because we don't currently have an internal web server and I want to lock down port 80/443 on our firewall LAN -> WAN so they must use the proxy to get out on the Internet.  I also want it to be automatic so that visitors who connect to our network and are given an IP via DHCP will also be routed through the proxy.  

I tried putting the WPAD file on a file share with Everyone having read access and then use DHCP option 252 to notify the clients of the location but it doesn't appear to be working for workstations not on the domain.  So I'm left with putting a WPAD DNS record and having them get the automatic proxy information that way.

I hope that answers your questions and gives you a little more information.  Thanks for your help.
Simplify Your Workload with One Tool

How do you combat today’s intelligent hacker while managing multiple domains and platforms? By simplifying your workload with one tool. With Lunarpages hosting through Plesk Onyx, you can:

Automate SSL generation and installation with two clicks
Experience total server control


Expert Comment

ID: 24373778
Ok, all we've said is still true
Unless your wpad.dat file has valuable information inside (I don't think so), you can make it available everywhere
Maybe you can restrict the destination IP on server side to restrict it to your company gateway
LVL 10

Expert Comment

ID: 24373838
The risk is as stated external users could see information on your subnets, proxy exceptions and proxy server ips. Also is they are able to compromise the server they could give your users a list their own proxy servers and trick them into downloading whatever they desired, compromising all civilization. Somewhat far fetched though..


Expert Comment

ID: 24374005
lanboyo: Hopefully he won't allow any outgoing connection on any port (and certainly not 80, 3128 and so on) from his internal network, except to that specfic web server. The rest must go through his [transparent] proxy
So even with a compromised wpad.dat, one won't get anywhere...

it's only a question of seeing ip ranges, host names and so on
now, having only one external web server, I do believe this user will only have one subnet, like 192.168, some host names, like proxy.hiscompany.com. No big deal

Author Comment

ID: 24374315
How will workstations that are not a part of our domain get the proxy information?  Will that be through DHCP or DNS?  Does the DHCP option 252 and/or DNS method work for both IE and firefox?

Accepted Solution

mchkorg earned 375 total points
ID: 24375491
1) if your dhcp (I'm not talking of option 252) gives them an address+a DNS server
2) and if they are able to get to your wpad web server from there
=> you'll just have to tell them to set their browsers to "proxy auto-detection" and that's all

About point 2) : I'm thinking about possible network restrictions if these people are on separated vlan, separated ip range and so on
Usuaully, you just want them to be able to talk to your proxy to get outside, nothing more

"proxy auto-detection" works fine with firefox, IE (and every browser I guess)
If server is found => the PAC file applies
 If not => the browser tries a direct access
 You just have to configure all these browsers with proxy auto-detection. Via GPO if possible (there is a specific sourceforge project for firefox+GPO - I didn't test)
If your proxy is configured as transparent (meaning, all outgoing trafic to port 80 is redirect via your main firewall to your proxy port), it'll work even if you don't activate anything in your browser's proxy settings - https won't work

ok ?
look here too, I already explained some things about WPAD: http://www.experts-exchange.com/Networking/Protocols/DHCP/Q_24343652.html

LVL 10

Expert Comment

ID: 24396953
Solution is true, however there are some caveots.

Dhcp option 252 is pretty hit and miss in my experience.

If a pc has downloaded a proxy.dat file in the past, and autodiscovery fails, it will use the osl one.
There are ssl solutions for proxying.

Expert Comment

ID: 24398913
I didn't see this behaviour in my last tests (I was checking the proxy logs when the WPAD was forced to be able unavailable)
Maybe it's depending on the browser (and version)


Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question