The Web Proxy Auto-Discovery Protocol (WPAD) is often used to allow a client machine to automatically discover a configuration file and execute the file to configure the machine. For example, an organization may use the WPAD protocol to automatically configure multiple web browsers on multiple computing machines with the same policy. Client machines typically use WPAD to search for a WPAD server and then determine, based on the configuration file, what network proxy server to use. Unfortunately, attackers can create a malicious WPAD server, posing as a legitimate server, to attack an organization. Attackers can also set up a domain with a naming convention that a browser may mistake for a legitimate WPAD server. For example, when using common hierarchical naming conventions through a Domain Name System (DNS) service, browsers may search for a Uniform Resource Locator (URL) that might be expected to lead to a WPAD server. An attacker may take control of a URL that could be included in this search and pose as a legitimate WPAD URL or data file. A client browser may then unknowingly allow the attacker access by downloading malicious files or accessing a fake WPAD server.
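The hierarchical DNS search described above can be audited from the defender's side. The following is an added example, not part of the original disclosure: it lists the WPAD hostnames a client would try if it strips leading labels from its own name one at a time, and separates names under zones the organization controls from names it does not. The walk up to the top-level domain, the function names and the `.test` hostnames are assumptions for illustration; real clients differ in where they stop.

```python
# Added example: audit which WPAD names in a client's DNS search fall outside
# the organization's own zones. Assumes a naive walk that strips one leading
# label at a time up to the top-level domain (real clients vary).

def wpad_hostnames(client_fqdn):
    """Return candidate WPAD hostnames, most specific first."""
    labels = [l for l in client_fqdn.strip(".").lower().split(".") if l]
    # Skip the host's own label, then walk up the hierarchy.
    return ["wpad." + ".".join(labels[i:]) for i in range(1, len(labels))]


def wpad_urls(client_fqdn):
    """Configuration-file URL corresponding to each candidate hostname."""
    return [f"http://{h}/wpad.dat" for h in wpad_hostnames(client_fqdn)]


def audit(client_fqdn, controlled_zones):
    """Split candidates into (inside, outside) organization-controlled zones."""
    zones = [z.strip(".").lower() for z in controlled_zones]
    inside, outside = [], []
    for host in wpad_hostnames(client_fqdn):
        parent = host.split(".", 1)[1]
        # A name is inside if its parent is a controlled zone or a child of one.
        owned = any(parent == z or parent.endswith("." + z) for z in zones)
        (inside if owned else outside).append(host)
    return inside, outside


if __name__ == "__main__":
    # Constructed sample: hostnames under the reserved .test TLD.
    client = "pc42.eng.branch.example.test"
    inside, outside = audit(client, ["branch.example.test"])
    for h in inside:
        print("inside controlled zone:", h)
    for h in outside:
        print("REVIEW, outside controlled zones:", h)
```

Names reported as outside the controlled zones are the ones to pin with an explicit internal DNS record or to exclude from the search through client policy.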
Traditional methods to deter WPAD attacks generally recommend discontinuing use of the WPAD protocol or modifying browsers to close loopholes. However, many systems may still rely on the use of WPAD. Other traditional security methods may require access to DNS servers or changes in infrastructure or browser behavior, which may not be feasible for clients. Furthermore, many methods are geared toward prevention of external WPAD attacks and do not consider the possibility of a local attack from within an organization or client network. The instant disclosure, therefore, identifies and addresses a need for improved systems and methods for automatically blocking WPAD attacks.