Leaked DNS Query Detection - WPAD Proxy Request

Severity: Medium | Nessus Network Monitor Plugin ID 7202

Synopsis

An internal proxy discovery request has been leaked to the public realm.

Description

WPAD, or Web Proxy Auto-Discovery, is a feature that enables some browsers to determine their web proxy settings automatically. WPAD requests are sent out through DNS and NetBIOS, relying on a locally configured WPAD server within the same network to provide proxy server information when requested. Through an error in DNS configuration, the remote host has sent a WPAD request to the public realm, potentially allowing a man-in-the-middle (MITM) attack to take place. A determined attacker who is able to register a gTLD with the same domain name could theoretically serve up false WPAD information, routing all web traffic through a proxy server under their control and allowing them to eavesdrop on the connection.

Solution

Disable WPAD requests or ensure firewall settings are configured to drop any outbound 'WPAD' DNS lookups.
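The leak this plugin reports can also be spotted in DNS query logs. The following is an added example and not the plugin's own code: it scans constructed log lines (assumed format: timestamp, client IP, resolver IP, query type, query name) and reports any WPAD lookup that was sent to a resolver outside private address space, which is the condition the solution above says a firewall should block.

```python
"""Flag WPAD DNS lookups that leave the internal network.

Log format (constructed for this example, one query per line):
    <timestamp> <client_ip> <resolver_ip> <qtype> <qname>
"""
import ipaddress
from typing import Dict, List

# Constructed sample lines. 10.x and 192.168.x addresses are internal;
# 8.8.8.8 stands in for a public resolver that should never see a WPAD query.
SAMPLE_LOG = """\
2016-05-26T10:00:01Z 10.1.2.3 10.1.0.53 A wpad.corp.example.
2016-05-26T10:00:02Z 10.1.2.3 8.8.8.8 A wpad.corp.example.
2016-05-26T10:00:03Z 192.168.5.7 8.8.8.8 A www.example.com.
2016-05-26T10:00:04Z 192.168.5.7 8.8.8.8 A WPAD.home.
2016-05-26T10:00:05Z 10.1.2.9 10.1.0.53 AAAA wpad.
"""


def is_wpad_query(qname: str) -> bool:
    """True when the leftmost DNS label is 'wpad' (case-insensitive)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[0] == "wpad"


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its five fields."""
    ts, client, resolver, qtype, qname = line.split()
    return {"ts": ts, "client": client, "resolver": resolver,
            "qtype": qtype, "qname": qname}


def find_leaked_wpad(log_text: str) -> List[Dict[str, str]]:
    """Return WPAD lookups whose resolver is not a private (RFC 1918 etc.) address."""
    leaks = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not is_wpad_query(rec["qname"]):
            continue
        if not ipaddress.ip_address(rec["resolver"]).is_private:
            leaks.append(rec)
    return leaks


if __name__ == "__main__":
    for rec in find_leaked_wpad(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['client']} leaked {rec['qname']} to {rec['resolver']}")
```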

See Also

https://www.us-cert.gov/ncas/alerts/TA16-144A

http://www.nessus.org/u?ca979624

Plugin Details

Severity: Medium

ID: 7202

Version: 1.6

Family: Data Leakage

Published: 5/26/2016

Updated: 8/16/2018

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:F/RL:OF/RC:C