WPAD Vulnerability

Every web browser is equipped with the Web Proxy Auto-Discovery Protocol (WPAD), and it is enabled by default. WPAD is used to locate a domain's proxy server and route all web requests through it. This is a serious security concern: if a web server is hacked and one file is changed, all traffic to that website can be hijacked without the user being aware that they have been redirected to a malicious site.

WPAD changes the browser's settings for how it connects to the Internet. The browser first checks for a JavaScript file such as wpad.domain.tld/wpad.dat, which contains instructions the browser follows when connecting to a website. Then, when pages are requested, the local DHCP client tries to query the WPAD URL. If the browser cannot locate the WPAD or PAC file that way, it falls back to DNS.

The JavaScript in the wpad.dat or proxy.pac file, which redirects your web browser, is executed automatically, even if you have JavaScript disabled. If the web server you are visiting has been compromised in this way, you will be redirected to an impostor or malicious proxy server. At that point, malicious software could be installed on your computer, or your username and password could be stolen by imitation web pages.

Example script:

function FindProxyForURL(url, host) {
    // loopback: never send local addresses through a proxy
    if (host == "127.0.0.1" || host == "localhost") return "DIRECT";
    // hosts under somedomain.dom go through the proxy, falling back to a direct connection
    if (dnsDomainIs(host, "somedomain.dom")) return "PROXY proxy.example.dom:8080; DIRECT";
    // hosts on the 192.168.1.0/24 network must use the proxy
    if (isInNet(host, "192.168.1.0", "255.255.255.0")) return "PROXY proxy.example.dom:8080";
    // everything else connects directly
    return "DIRECT";
}
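As an added example (not code from the original post), the following JavaScript audits a wpad.dat or proxy.pac you have already fetched: it re-implements the dnsDomainIs and isInNet helpers the script above relies on, runs FindProxyForURL against sample URLs, and reports any proxy host that is not on an allow-list, which is how a tampered PAC file pointing at an unexpected proxy shows up. The sample PAC, the allow-list and every hostname in them are constructed placeholders.

```javascript
// Offline audit of a wpad.dat / proxy.pac: run FindProxyForURL against sample
// URLs and flag any proxy host the policy returns that is not on an allow-list.
// Re-implementations of the PAC helper functions the script above uses.
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}
function ipToInt(ip) {
  return ip.split('.').reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
function isInNet(host, pattern, mask) {
  // Browsers resolve `host` via DNS first; this audit only accepts dotted IPs.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return ((ipToInt(host) & ipToInt(mask)) >>> 0) === ((ipToInt(pattern) & ipToInt(mask)) >>> 0);
}
// Split a result such as "PROXY a:8080; DIRECT" into its proxy hostnames.
function proxyHosts(result) {
  return result.split(';').map((s) => s.trim())
    .filter((s) => /^(PROXY|HTTPS|SOCKS5?)\s/i.test(s))
    .map((s) => s.split(/\s+/)[1].split(':')[0].toLowerCase());
}
// `new Function` is not a sandbox: only use this on a file you are analysing
// offline. Returns one finding per (sample URL, unexpected proxy) pair.
function auditPac(source, samples, allowedProxies) {
  const findProxy = new Function('dnsDomainIs', 'isInNet',
    source + '\nreturn FindProxyForURL;')(dnsDomainIs, isInNet);
  const allowed = new Set(allowedProxies.map((h) => h.toLowerCase()));
  const findings = [];
  for (const { url, host } of samples) {
    const result = findProxy(url, host);
    for (const proxy of proxyHosts(result)) {
      if (!allowed.has(proxy)) findings.push({ host, result, proxy });
    }
  }
  return findings;
}
// Constructed sample: the page's script plus one extra rule of the kind a
// tampered wpad.dat would carry (all hostnames here are placeholders).
const SAMPLE_PAC = `function FindProxyForURL(url, host) {
  if (host == "127.0.0.1" || host == "localhost") return "DIRECT";
  if (dnsDomainIs(host, ".bank.example")) return "PROXY rogue-proxy.invalid:3128";
  if (dnsDomainIs(host, "somedomain.dom")) return "PROXY proxy.example.dom:8080; DIRECT";
  if (isInNet(host, "192.168.1.0", "255.255.255.0")) return "PROXY proxy.example.dom:8080";
  return "DIRECT"; }`;
const SAMPLE_URLS = [
  { url: 'https://www.bank.example/login', host: 'www.bank.example' },
  { url: 'http://intranet.somedomain.dom/', host: 'intranet.somedomain.dom' },
  { url: 'http://192.168.1.5/', host: '192.168.1.5' },
];
console.log(auditPac(SAMPLE_PAC, SAMPLE_URLS, ['proxy.example.dom']));
```

Running it prints a single finding for www.bank.example, whose traffic the sample policy sends to the unexpected rogue-proxy.invalid host; the other samples resolve to the allow-listed proxy or DIRECT.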

How to protect yourself: pay attention to the address in your browser's address bar. If it looks suspicious, leave the website by closing the browser. If you get pop-up windows with warnings, close them with the [Alt][F4] key combination; don't click on them. For the safest web browsing, use a secure operating system such as Linux or Mac.

The Absolute Lowest Priced No Frills Online Backup

SpiderOak has an online backup program that gives you plenty of space. They don't store your password, so your encrypted data is your responsibility. There is no backup logging either. This may not fit everyone's needs, but for some, a no-frills backup is exactly what they need. Cross-platform, no-frills, secure online backup with SpiderOak.
