How does a WPAD attack work and how can it be prevented?

How does a WPAD attack work and how can it be prevented?

If an attacker installs or points browsers to a malicious PAC file — for example, via a rogue access point or WPAD injection — they could instruct every browser on that network to use a proxy server under their control, enabling them to redirect, sniff or inject traffic as it passes through the proxy.

Do you need to disable WPAD by default?

Although all the vulnerabilities used in the WPAD attack have been patched, the research team still recommends that Microsoft users disable WPAD by default to prevent attacks that would take exploit the identified vulnerabilities.

Is there a vulnerability in the WPAD protocol?

The vulnerability, described by US-CERT (the United States Computer Emergency Readiness Team) in alert TA16-144A issued 23 May 2016, affects computers that are using WPAD. WPAD is short for Web Proxy Autodiscovery Protocol, a system that makes it easy for organisations to configure the many web browsers inside their network.

When do domain names attack : the WPAD name collision?

When domain names attack: the WPAD name collision vulnerability. A combination of poorly configured networks and new rules on internet domain names are giving cybercriminals a new and easy way to attack entire organisations, according to research out of the University of Michigan.

Is there a way to disable WPAD in Windows 10?

How to Disable WPAD on Windows 8 and 10. On Windows 10, you’ll find this option under Settings > Network & Internet > Proxy. On Windows 8, the same screen is available at PC Settings > Network Proxy. Just turn the “Automatically detect settings” option off to disable WPAD.

Is it safe to use WPAD on public WiFi?

However, WPAD can cause problems should you connect to a malicious public Wi-FI network. With WPAD enabled, that Wi-Fi network can automatically configure a proxy server in Windows.