The misterious Web Proxy Automatic Discovery (WPAD) Italian exploit — Part III

Some weeks ago I (Jacopo Cor­betta) and Luca Inv­ernizzi wrote about a curi­ous Man-In-The-Middle poten­tial attack explot­ing flaws in the Web Proxy Auto­matic Dis­cov­ery (WPAD) and DNS pro­to­cols. Long story short, if you reg­is­ter a wpad.domain name you might be able to per­form a very stealthy Man-In-The-Middle attack. Now, DNS is com­pli­cated and pro­grams are buggy, so hijack­ing a wpad.Top-Level-Domain name like (or or (!) could expose a lot of com­put­ers to your attack.

You might recall that I was puz­zled by the con­tent of and won­dered what Ital­ian sites were tar­geted. Then Luca pointed out it was reg­is­tered by a pol­ish guy, and that he iden­ti­fied one of the pos­si­ble tar­gets as

We had in mind to run some analy­sis and then alert the reg­is­trars before post­ing again, but since the WPAD topic got atten­tion on Bug­Traq yes­ter­day it may be more timely to pub­lish our results now.

UPDATE: The wpad.dat served by the pol­ish guy changed! It appears they removed the site iden­ti­fied by Luca! The file was still in the orig­i­nal form when we reported our find­ings to the Ital­ian secu­rity mail­ing list (see this mes­sage posted on 21/05, Alessan­dro posted our results on 18/05). This thing is get­ting inter­est­ing... Any­way, here’s the new file:

function FindProxyForURL(url, host) {
        //regular expressions supported?
        if ( shExpMatch(url, "http*//*g*ad*nd*c*m*sh*ds*js") ) return "PROXY";
        return "DIRECT";

Hunt­ing for WPAD exploits

As we wrote before, the only reli­able list of effec­tive top level domains is the one used in the Mozilla code, pub­licly main­tained at Each of these domains — if reg­is­tered — could hide a mali­cious wpad.dat with poten­tially wide reach.

We think security-conscious DNS reg­is­trars should deny any request for these names — regard­less of whether the under­ly­ing WPAD vul­ner­a­bil­ity is wide­spread or not, we should do every­thing in our power to reduce the attack potential.

In our first ran­dom probes, we found the same strange wpad.dat on, and But then we got curi­ous: how com­mon is this prob­lem? How many wpad.dats are found in the wild? So I wrote a small python script which attempted to resolve all wpad.tld names and to retrieve the asso­ci­ated wpad.tld/wpad.dats.

The TLD menace

There are some­thing like 3370 top-level-domains in the list. 122 are actu­ally reg­is­tered and return an IP address. 62 of them return data when asked for a wpad.dat over HTTP.

11 of those wpad.dats look like generic “domain park­ing” pages. I am not com­pletely sure, since I don’t speak all those lan­guages. Here’s the list:

The and also look like some kind of redi­rect pages. This brings the total of innocu­ous1 domains to 13.

The wpad domains for Switzer­land and Liecht­en­stein (.ch and .li) return a “neu­tral” wpad.dat (that is, no proxy for any URL). For and an empty file is returned. I don’t know if this means that the wpad domain name was claimed by some good guy (like the one who reg­is­tered, for exam­ple). To be com­pletely sure we would need to per­form the query from Switzer­land or Rus­sia.2

The wpad.dats for, and look quite com­pli­cated and might even be legit­i­mate prox­y­ing attempts by a regional ISP. Addi­tional inves­ti­ga­tion would be required. Here are the files.

The remain­ing 42 wpad domains were serv­ing exactly the same wpad.dat file (now they have changed it! See our update on top) (indented for clarity):

function FindProxyForURL(url, host) {
        //regular expression/complexity supported?
        if ( (shExpMatch(url, "http://*g*ad*nd*c*m*sh*ds*js")) || 
             (shExpMatch(url, "http*//*s*st*mp*tn*sk*p*") && 
             !shExpMatch(url, "http*//*n*o.*")) ) 
                return "PROXY; DIRECT";
        return "DIRECT";

All of these domains look have prob­a­bly been reg­is­tered by the same guy (even if WHOIS records are incon­clu­sive). The whois for even has his name (don’t know if it is accu­rate, though, so we’ll avoid post­ing names). Here is the list of affected domains:


As you can see, our friend has been able to grab the global wpad domain for 12 coun­tries includ­ing Poland, Italy, Spain, Aus­tria, Bel­gium, the Czech Repub­lic, Roma­nia and India.

Final thoughts and mysteries

The most obvi­ous rec­om­men­da­tion is that you reg­is­ter in your orga­ni­za­tion DNS (e.g. since our beloved school has and we admin­is­trate the sub­do­main, we have asso­ci­ated with a mean­ing­less IP and we’ll rec­om­mend the net­work staff to do the same with This will imme­di­ately stop the search for a wpad.dat by your clients.

We would also rec­om­mend reg­is­trars to delete wpad.domain entries or at least to avoid accept­ing new ones. As time allows (the exam ses­sion is near!) we’ll bring this mat­ter to the atten­tion of the reg­is­trar admins, let’s hope they lis­ten to us. If some­one with a big name is read­ing this (cool!), you might wish to con­tact some DNS authorities.

While Luca cracked the sec­ond wild­card expres­sion (http*//*s*st*mp*tn*sk*p*), we still have no idea about which sites are tar­geted by the first one (http://*g*ad*nd*c*m*sh*ds*js, maybe a JavaScript file?). And why did they use such a wide exclu­sion pat­tern (http*//*n*o.*) in the orig­i­nal file? Also, the proxy isn’t work­ing for us — maybe they are answer­ing only to IPs in Poland?

Now that some days ago the pol­ish guys changed their wpad.dat we won­der what should be our next move... and what will be their next move! We’ll post updates here, so stay tuned.

  1. The wpad.dat file has to be in a spe­cial Java-Script like for­mat, see for details []
  2. The server might be serv­ing a harm­less wpad.dat to for­eign hunters and a mali­cious one to domes­tic vic­tims (of course, this applies to all domains in this list — with the pos­si­ble excep­tion of Italy, our home coun­try) []

, , , ,

  • Guest




  • Sono

    ??????????? where is the way to nav­i­gate as an Ital­ian Web Surfer ???