Poisoned proxy PACs! The NPM package with a network-wide security hole…
Perry rediscovered this risk recently, when he decided to use a popular NPM package called Proxy-Agent to provide the proxy support he wanted in his HTTP Toolkit product.
Numerous corporate-style tools exist to help computers on a network locate their official internal proxies automatically, including PAC, short for proxy auto-configuration, and WPAD, short for web proxy auto-discovery.
A PAC file consists of JavaScript that can dynamically determine whether a proxy is needed, and if so where to find it on the network.
PAC files provide a way to distribute complex proxy rules as a single file that maps different URLs to different proxies.
If you already have the power to alter an organisation's proxy setup, then you can simply redirect everyone on the network to a fake proxy anyway, with or without any JavaScript bugs in the equation.
Hacking a network by overtly reconfiguring every computer to start using a different proxy server is much more likely to produce troublesome side-effects that will get noticed, reported and investigated.