In complex corporate networks, managing the configuration of hundreds or thousands of computers is an enormous challenge. It was precisely in response to the need to simplify one such task – proxy server configuration – that the WPAD (Web Proxy Auto-Discovery Protocol) was created. Its goal was to create a mechanism that would allow web browsers to automatically, without any user or administrator intervention, find and apply appropriate proxy server settings.
The idea was noble, but as often happens in the technology world, a solution designed in a different internet era has today become a source of serious and difficult-to-patch security threats. The aggressive and “chatty” nature of the WPAD protocol makes it an ideal vector for attackers to conduct Man-in-the-Middle attacks and take full control of the victim’s network traffic. In this article, we will explain how WPAD works, why it is so dangerous, and most importantly – why every security-conscious organization should disable it and replace it with more modern, secure solutions.
What is the WPAD Protocol and What Problem with Proxy Server Configuration in Large Networks Does It Solve?
WPAD, or Web Proxy Auto-Discovery Protocol, is a protocol whose goal is to automate the proxy server configuration process in web browsers and other applications. A proxy server acts as an intermediary between the user’s computer and the internet, which in corporate environments is often used for content filtering, security, or access control.
The problem WPAD was meant to solve was purely operational in nature. In a large organization where hundreds or thousands of people work, manually configuring proxy settings on each computer is extremely time-consuming and error-prone. Moreover, mobile workers who move between different locations (office, home, hotel network) often require different proxy settings depending on where they are. WPAD was designed to eliminate this problem.
The idea was simple: instead of configuring each computer manually, you just need to place a special configuration file (usually named wpad.dat) in one central location on the network. The computer, upon connecting to the network, was supposed to automatically find the address of this file using the WPAD protocol, download it, and apply the proxy settings contained in it. This simplified management and ensured that all users in a given location use consistent, correct configuration. Unfortunately, the mechanisms used for this “auto-discovery” turned out to be the main source of its current security problems.
How Does the Automatic Proxy Settings Detection Mechanism Work in Web Browsers?
The automatic detection mechanism is enabled by default in most popular operating systems (especially in Windows) and browsers. When the “Automatically detect settings” option is checked, the browser, at each startup or network change, begins an aggressive process of searching for the proxy configuration file known as PAC (Proxy Auto-Config).
The PAC file, in the WPAD context most often named wpad.dat, is actually a small text file containing JavaScript code. Inside this file is a function that, based on the URL the user wants to connect to, decides whether the request should be sent directly to the internet or through a specified proxy server. This allows creating complex rules, e.g., “send traffic to internal company systems directly, and route all other traffic through proxy server X.”
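To make the rule in the previous paragraph concrete, here is an added example of a benign PAC script of the kind that is served as wpad.dat; it is not taken from the article. FindProxyForURL and the helpers dnsDomainIs, isPlainHostName and shExpMatch are the standard PAC API, but the helper bodies below are minimal stand-ins so the script can be exercised in Node; the names company.local and proxy.company.local are constructed.

```javascript
// Minimal stand-ins for the browser's built-in PAC helper functions.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;            // e.g. "intranet"
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(-domain.length) === domain;
}

function shExpMatch(str, shexp) {
  // Convert a shell-style glob ("*" and "?") into an anchored regex.
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Constructed corporate proxy. Deliberately no "; DIRECT" fallback: with a
// fallback, an unreachable proxy would let browsers silently bypass filtering.
const CORP_PROXY = "PROXY proxy.company.local:8080";

// Entry point that every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  // Internal systems: unqualified names, the corporate DNS zone, the
  // private 10/8 range and loopback go directly, never through the proxy.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".company.local") ||
      shExpMatch(host, "10.*") ||
      shExpMatch(host, "127.*")) {
    return "DIRECT";
  }
  // Everything else is routed through the corporate proxy.
  return CORP_PROXY;
}
```

A malicious wpad.dat has exactly this shape; the only difference is the proxy address it returns, which is why the origin of the file matters far more than its contents.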
For the browser to apply these rules, it must first find and download the wpad.dat file. And this is exactly where the WPAD protocol comes into action. The browser starts a multi-step procedure of “discovering” the location of this file, using two basic network protocols for this purpose: DHCP and DNS. It is this search process, running in the background without the user’s knowledge, that creates an opportunity for attackers to feed the browser a fake, malicious configuration file.
What Methods (DHCP, DNS) Are Used by WPAD to Locate the Configuration File?
To find the location of the wpad.dat file, the WPAD protocol uses two main, sequential methods. This process is automated and aggressive, meaning the computer will try successive steps until it succeeds or exhausts all possibilities.
Method 1: DHCP (Dynamic Host Configuration Protocol)
The first step is querying the DHCP server. DHCP is a protocol that automatically assigns IP addresses and other network settings to computers upon connecting to the network. As part of its options, the DHCP server can be configured to respond to client queries with a special option 252, which contains the exact URL of the PAC configuration file, e.g., http://proxy-config.company.local/wpad.dat. If the browser receives this information, it downloads the file from the indicated location and ends the discovery process. This is the preferred and safest method in controlled corporate environments.
Method 2: DNS (Domain Name System)
If the DHCP server does not provide information about the PAC file (which is standard in most networks, especially public ones), the computer moves to a much riskier DNS-based method. It begins a series of DNS queries, trying to find a server named “wpad” in its domain and parent domains. For example, if an employee’s computer is in the domain marketing.warsaw.company.com.pl, it will sequentially send queries for:
- wpad.marketing.warsaw.company.com.pl
- wpad.warsaw.company.com.pl
- wpad.company.com.pl
- wpad.com.pl (in some older or misconfigured systems)
If any of these queries succeeds and the DNS server returns an IP address for a host named “wpad,” the browser will try to download the configuration file from http://wpad.[domain]/wpad.dat. It is this “climbing” mechanism up the DNS tree that creates enormous room for abuse, especially in public networks.
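The “climbing” search described above, and the query leak discussed later in the article, written out as an added example (not code from the article) so a defender can see exactly which names a client would ask for and which of them would leave the organisation. Assumptions: the client drops one label at a time from its primary DNS suffix and stops before a single-label (TLD-only) suffix; the organisation’s boundary domain is supplied by the caller and the names are constructed.

```javascript
// Generate the sequence of "wpad.<suffix>" names a client would query,
// dropping the leftmost label of the DNS suffix at each step.
function wpadCandidates(dnsSuffix) {
  const labels = dnsSuffix.toLowerCase().replace(/\.$/, "").split(".");
  const names = [];
  // Stop while at least two labels remain, i.e. never query "wpad.<tld>".
  for (let i = 0; labels.length - i >= 2; i++) {
    names.push("wpad." + labels.slice(i).join("."));
  }
  return names;
}

// True when `name` is the boundary domain itself or a subdomain of it.
function isUnderDomain(name, domain) {
  return name === domain || name.endsWith("." + domain);
}

// Split the candidate names into those answered by the organisation's own
// DNS zones and those that would be resolved on the public internet, which
// is the situation that made registering "wpad.<tld>" domains profitable.
function classifyWpadQueries(dnsSuffix, orgBoundary) {
  const result = { inside: [], leaked: [] };
  for (const name of wpadCandidates(dnsSuffix)) {
    (isUnderDomain(name, orgBoundary) ? result.inside : result.leaked).push(name);
  }
  return result;
}
```

Running classifyWpadQueries on the suffix from the list above with company.com.pl as the boundary reproduces the first three names as internal and shows wpad.com.pl as the query that leaves the organisation.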
What Serious Security Threats Are Associated with the WPAD Protocol, Especially in Untrusted Networks?
The threats associated with the WPAD protocol stem directly from its aggressive and trust-based discovery mechanism. In a controlled corporate network where the administrator manages DHCP and DNS servers, this protocol can be relatively safe. However, the moment an employee with a laptop that has WPAD enabled connects to an untrusted network – such as public Wi-Fi in a hotel, at an airport, or even to a home network – they become an extremely easy target for attack.
The main threat is that anyone who controls the local network can easily impersonate a WPAD server. An attacker on the same Wi-Fi network can run a fake DHCP server that responds to the victim’s query saying the wpad.dat file is on a server controlled by the attacker. Even simpler, the attacker can register a server named “wpad” on the local network and wait for the victim’s computer to find it through DNS queries.
When the victim’s browser downloads and applies the malicious wpad.dat file planted by the attacker, disaster strikes. The attacker gains full control over the victim’s network traffic. They can direct all browser traffic (including to banks, email, or corporate systems) through their own controlled proxy server.
As a result, the attacker can:
- Eavesdrop on and intercept all unencrypted communication (HTTP traffic).
- Steal authentication data (logins and passwords), even those sent in basic HTTP authentication.
- Conduct advanced SSL stripping attacks, degrading HTTPS connections to HTTP to intercept sensitive data.
- Replace content on visited pages, for example by injecting malware, fake login forms, or advertisements.
This attack is extremely dangerous because it is completely invisible to the user – their browser simply “works,” and they have no idea that all their traffic is being filtered and analyzed by a criminal.
How Can Attackers Hijack Network Traffic by Impersonating a WPAD Server?
Hijacking network traffic through a WPAD attack is relatively simple from a technical standpoint and does not require advanced tools. The attacker only needs to be on the same local network as the victim (e.g., on the same café Wi-Fi network) and exploit one of the two discovery mechanisms.
Attack Using DNS: This is the most common and simplest scenario. The attacker, after connecting to the network, simply configures their own laptop to respond to queries for the hostname “wpad.” They use protocols like LLMNR and NBT-NS, which are used in local networks to resolve names when the DNS server doesn’t respond. The victim’s computer, searching for the configuration file, broadcasts to the network: “who is wpad?” The attacker’s computer responds: “I am wpad, here is my IP address.” The victim’s browser, trusting this response, connects to the attacker’s machine, downloads the malicious wpad.dat file, and sets the hacker’s computer as its proxy server.
Attack Using DHCP: This scenario is slightly more complex but equally effective. The attacker runs a fake DHCP server on the local network (a so-called “rogue DHCP”). Then, using various techniques, they try to “win” against the legitimate DHCP server (e.g., the Wi-Fi router) and be the first to respond to a network configuration query from a newly connected victim device. In their fake DHCP response, in addition to the IP address, they also send option 252 pointing to their malicious server as the wpad.dat file location.
In both cases, after downloading the malicious wpad.dat file, the victim’s browser is fully controlled by the attacker. This file can contain simple instructions, e.g., “route all traffic through my proxy server,” or more advanced logic, e.g., “route traffic to banks and social media through my server, and let the rest go directly,” to make the attack harder to detect.
Why Do Security Experts Often Recommend Disabling WPAD?
The recommendation to disable the WPAD protocol is today almost a unanimous position in the entire global cybersecurity expert community. This is because the risks associated with this outdated protocol far outweigh its potential benefits, and much safer, modern alternatives exist for automatic proxy configuration.
The main reason is the fundamental design flaw of the protocol. WPAD was created in a time when the internet was a place with a much higher level of trust, and mobile work and public Wi-Fi networks were not as common. Its mechanism based on “aggressive discovery” and trust in responses received from the local network is completely unsuited to today’s environment, where we must assume that any network outside our own is potentially hostile. As shown, impersonating a WPAD server on an untrusted network is trivially easy.
Secondly, much safer alternatives exist. In managed corporate environments, proxy configuration can be securely and centrally distributed using Group Policy Objects (GPO) in Active Directory domains or using Mobile Device Management (MDM) systems. This eliminates the need for using dangerous discovery mechanisms.
Thirdly, in many modern networks proxy servers are becoming less important. Their role in content filtering and security is increasingly being taken over by advanced Next-Generation Firewalls (NGFW) and endpoint protection systems (EPP/EDR), which work independently of proxy configuration in the browser. Given the high risk and availability of better solutions, keeping the WPAD protocol enabled, especially on mobile devices, is asking for trouble and creating an unnecessary, enormous security gap.
How to Check if WPAD is Active and How to Safely Disable It in Windows?
Checking whether the automatic proxy settings detection feature (which uses WPAD) is active in Windows is relatively simple. This can be done from the system settings. Disabling this feature is a key step in securing the computer against attacks related to this protocol.
How to Check WPAD Status in Windows 10/11:
- Open Settings (you can do this by clicking the Start menu and the gear icon, or using the shortcut Win + I).
- Go to the “Network & internet” section.
- In the left menu, select “Proxy”.
- In the “Automatic proxy setup” section, look at the switch next to the “Automatically detect settings” option. If it is on, it means WPAD is active and the computer will try to automatically find the configuration file.
How to Safely Disable WPAD: To disable WPAD, simply in the same place (Settings -> Network & internet -> Proxy) slide the “Automatically detect settings” switch to the “Off” position. This simple action immediately stops the auto-discovery process and protects the computer from having malicious configuration planted in untrusted networks.
In a corporate environment, disabling this feature should not be left to individual users. The IT department should centrally manage this setting using Group Policy Objects (GPO) in the Active Directory domain. This allows simultaneously disabling WPAD on all computers in the company and prevents it from being accidentally re-enabled by the user. Alternatively, this change can be made in the system registry, but the GPO method is preferred in managed environments.
What Are Safer Alternatives for Automatic Proxy Configuration in a Corporate Environment?
Although the WPAD protocol is considered dangerous, the need for centralized and automated proxy settings management in large companies still exists. Fortunately, there are much safer and more controlled alternatives that allow achieving the same goal without exposing the organization to risk.
The most popular and standard method in Microsoft-based environments is using Group Policy Objects (GPO) in Active Directory domains. An administrator can create a central policy that defines proxy server settings and then assign it to appropriate organizational units, user groups, or computers. When a user logs into the domain, their computer automatically downloads and applies these settings. This method is secure because configuration is distributed through a trusted, authenticated channel within the corporate network, not through a dangerous discovery mechanism. GPO also allows precise definition of different policies for different user groups.
Another safe method is explicitly configuring the PAC script URL. Instead of relying on auto-discovery (WPAD), the administrator can directly specify in the GPO policy or another way (e.g., through a login script) the URL in the browser settings where the PAC configuration file is located (e.g., http://configuration.company.local/proxy.pac). In this scenario, the computer no longer performs the dangerous search for the “wpad” server but immediately connects to a known, trusted address on the internal network.
In modern environments where large numbers of mobile and remote devices are managed, proxy configuration is increasingly distributed using Mobile Device Management (MDM) or Unified Endpoint Management (UEM) platforms, such as Microsoft Intune. These allow centrally sending configuration (including proxy settings) to all managed devices, regardless of where they are located.
What Were the Most Notable Attacks and Vulnerabilities Exploiting WPAD Protocol Weaknesses?
Although the WPAD protocol rarely makes headlines in media reports about spectacular cyberattacks, its weaknesses have been repeatedly described and demonstrated by security researchers at major hacker conferences such as Black Hat and DEF CON. Attacks exploiting WPAD are often a quiet, initial stage of a larger operation that allows the attacker to gain an initial foothold in the network.
One of the most well-known problems that drew attention to WPAD-related threats is the vulnerability related to DNS query “leakage” outside the local network. Security researchers discovered that under certain conditions, the Windows system’s search mechanism for the “wpad” server did not stop at the corporate domain but continued “climbing” up the DNS tree. This led to sending queries to the public internet for domains such as wpad.com or wpad.co.uk. Cybercriminals, anticipating this, registered such domains en masse. Any corporate laptop that sent such a query after connecting to the internet connected to the criminals’ server, downloaded a malicious wpad.dat file, and began sending all its network traffic through their proxy servers, including potentially confidential company data.
Another notable example was demonstrations showing how easy it is to conduct a WPAD attack on public Wi-Fi. Researchers repeatedly showed live how in a matter of seconds, using simple equipment (like a Raspberry Pi) and publicly available software, you could hijack the network traffic of victims who had the default auto-detect settings feature enabled in a café or airport. These demonstrations raised awareness of how real and easy to execute this threat is.
WPAD weaknesses were also exploited by malware. Some malware families, after infecting a computer, modified system settings to permanently point to a malicious proxy server controlled by attackers, providing them with continuous insight into the victim’s activity. Although these attacks rarely make front-page news, they represent a constant and real threat, especially for mobile users.
What Group Policies (GPO) Can Be Applied to Manage Proxy Settings in a Domain?
Group Policy Objects (GPO) in the Active Directory environment are the most powerful and effective tool for central management of Windows workstation configuration, including proxy server settings. They allow the administrator to define a uniform configuration and enforce it on all computers in the domain, eliminating risks associated with manual settings and the dangerous WPAD protocol.
To manage proxy settings, the administrator can use the GPO editor and navigate to the appropriate section. These settings are usually found in two places: in User Configuration (applies to the logged-in user, regardless of the computer) and in Computer Configuration (applies to the computer, regardless of the logged-in user). The path is usually: Policies > Administrative Templates > Windows Components > Internet Explorer > Control Panel > Connections.
The administrator has several key policies available. The most important is “Disable changing proxy settings”. Enabling this policy causes the proxy configuration options in system settings to become “grayed out” for the user and they cannot modify them themselves. This is a key safeguard that prevents accidental or intentional disabling of corporate configuration.
Next, the administrator can directly define proxy settings using the policy “Proxy settings per user (or per computer)”. Within this policy, you can disable the “Automatically detect settings” option, which centrally deactivates the WPAD protocol, and then specify a specific address and port of the corporate proxy server or provide a URL to a PAC configuration script. Thanks to GPO flexibility, different policies can be created for different user groups, for example, different for office workers and different for laptop users who often work in the field.
How to Monitor the Network for WPAD-Related Attack Attempts?
Network monitoring for WPAD-related activity is an important element of proactive defense, especially in large and complex environments where you’re not always sure that this protocol has been disabled on all devices. Effective monitoring allows detection of both attack attempts from outside and misconfigured or infected devices inside the network.
The basic method is DNS query analysis. The security team should configure the DNS server monitoring system to log and alert on any queries for a host named “wpad”. Regular appearance of such queries from inside the corporate network is a signal that there are still computers with auto-discovery enabled. Analyzing the source IP address of such a query allows quick location of the problematic device and taking remedial action.
Another step is DHCP server log monitoring. You should check whether an unauthorized (so-called “rogue”) DHCP server has appeared on the network trying to distribute its own settings, including malicious option 252. Many modern network switches have a “DHCP Snooping” feature that helps protect against this type of attack.
The most comprehensive insight is provided by SIEM (Security Information and Event Management) systems and network traffic analysis tools (NTA/NDR). They can be configured with dedicated correlation rules and alerts that will automatically inform about any activity related to the WPAD protocol. Moreover, advanced NDR systems, analyzing traffic using machine learning, can detect anomalies that may indicate a successful WPAD attack – for example, when a computer suddenly starts routing all its web traffic to one unusual IP address on the local network, which may be the attacker’s proxy server.
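The DNS-log check recommended in this section, as an added example (not the article’s own tooling), run over a few constructed query-log lines modelled on BIND’s querylog format. It flags every query whose leftmost label is “wpad”, groups the hits by source IP so the problematic device can be located, and separates lookups inside the corporate domain (a host still has auto-detect enabled) from lookups that would leave it (the leak scenario). The domain company.com.pl and all addresses are constructed.

```javascript
// Constructed corporate domain used to decide whether a query stays internal.
const CORP_DOMAIN = "company.com.pl";

// Constructed sample lines in the shape of BIND query-log output.
const SAMPLE_LOG = [
  "client 10.0.5.23#51234: query: wpad.marketing.company.com.pl IN A +",
  "client 10.0.5.23#51235: query: wpad.company.com.pl IN A +",
  "client 10.0.5.23#51236: query: wpad.com.pl IN A +",
  "client 10.0.7.8#40001: query: mail.company.com.pl IN A +",
  "client 10.0.9.1#40002: query: WPAD.company.com.pl IN AAAA +",
];

const QUERY_RE = /^client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN (\S+)/;

// Extract source address, normalised query name and query type; null for
// lines that are not query-log entries.
function parseQuery(line) {
  const m = QUERY_RE.exec(line);
  if (!m) return null;
  return {
    src: m[1],
    qname: m[2].toLowerCase().replace(/\.$/, ""),
    qtype: m[3],
  };
}

// A WPAD lookup is any name whose first label is "wpad", whatever the zone.
function isWpadQuery(qname) {
  return qname.split(".")[0] === "wpad";
}

// Aggregate WPAD lookups per source IP, split into internal and leaked names.
function findWpadActivity(lines) {
  const bySource = {};
  for (const line of lines) {
    const q = parseQuery(line);
    if (!q || !isWpadQuery(q.qname)) continue;
    const entry = bySource[q.src] ||
                  (bySource[q.src] = { internal: [], leaked: [] });
    const inside = q.qname.endsWith("." + CORP_DOMAIN);
    (inside ? entry.internal : entry.leaked).push(q.qname);
  }
  return bySource;
}
```

Any source IP that appears in the result still has auto-discovery enabled; an entry with a non-empty leaked list is the higher-priority alert, because that query is being answered by whoever controls the public name.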
How Do Network Security Audits Conducted by nFlo Help Detect and Eliminate Risks Associated with Outdated and Dangerous Protocols Like WPAD?
At nFlo, we understand that modern network security is based not only on implementing new technologies but also on systematically identifying and eliminating old, inherited risks. Outdated and dangerous protocols like WPAD often remain enabled in corporate networks due to lack of awareness or configuration oversights, creating quiet but very dangerous “back doors” for attackers.
As part of our comprehensive network security audits, we conduct in-depth analysis of your infrastructure configuration in search of such weaknesses. Our experts actively scan the internal network, analyze network traffic, and verify the configuration of key services such as DNS and DHCP to detect any traces of WPAD protocol activity. We check whether workstations are sending WPAD queries and whether there is any host in the network that could respond to them in an unauthorized manner.
Our audits are not limited to passive analysis. As part of controlled tests, we simulate attacker actions, attempting to impersonate a WPAD server in a test network segment. This allows practically and tangibly demonstrating how easy it is to hijack network traffic from a misconfigured computer and what business risk is associated with this.
The result of our audit is a detailed report that not only points to the existence of a problem but provides specific, ready-to-implement recommendations. We show how to disable WPAD on workstations step by step, how to configure Group Policies (GPO) for central management of this setting, and what secure alternatives to implement for proxy configuration. By working with nFlo, you gain certainty that your network is free from outdated and dangerous protocols that could undermine the foundations of your security.