IE 5.0 WPAD Spoofing - 24 Aug 1999

IE 5.0 Subject to WPAD Spoofing
Reported December 01, 1999 by Tim Adam

Microsoft Internet Explorer 5.0


According to the report, "The IE 5 Web Proxy Auto-Discovery (WPAD) feature enables web clients to automatically detect proxy settings without user intervention. The algorithm used by WPAD prepends the hostname "wpad" to the fully-qualified domain name and progressively removes subdomains until it either finds a WPAD server answering the hostname or reaches the third-level domain."

"For instance, web clients in the domain would query,, then A vulnerability arises because in international usage, the third-level domain may not be trusted. A malicious user could set up a WPAD server and serve proxy configuration commands of his or her choice."
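The search order quoted above can be modelled directly to see which names a client ends up asking for. This is an added example, not code from the report or from Microsoft; the function names and all domains in it are constructed for illustration.

```python
# Added illustration; function names and all domains below are constructed.

def wpad_candidates(client_domain):
    """Names a client would try, in order, per the search the report describes:
    prepend "wpad", then strip the leftmost label until the name is third-level."""
    labels = [part for part in client_domain.lower().rstrip(".").split(".") if part]
    names = []
    while len(labels) >= 2:  # "wpad" + 2 labels is a third-level name: the last try
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return names


def untrusted_candidates(client_domain, org_domain):
    """Candidates that fall outside org_domain, i.e. names the organisation
    does not control and that another party could answer for."""
    org = org_domain.lower().rstrip(".")
    return [name for name in wpad_candidates(client_domain)
            if not name.endswith("." + org)]


if __name__ == "__main__":
    # Constructed cases: a .com organisation and one under a country-code
    # second-level domain, where the third-level name belongs to someone else.
    for client, org in [("a.b.example.com", "example.com"),
                        ("dept.example.com.au", "example.com.au")]:
        print(client, "->", wpad_candidates(client))
        print("  outside", org + ":", untrusted_candidates(client, org) or "none")
```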


Microsoft issued a new version, IE 5.01 (also located here), that remedies this problem. Be sure to read the FAQ and Support Online article Q247733 regarding this matter. In addition, you may wish to read the IETF Protocol Internet Draft for WPAD.

Discovered by Tim Adam
