Poisoned proxy PACs! The NPM package with a network-wide security hole…
2021-09-06 18:28

Perry rediscovered this risk recently, when he decided to use a popular NPM package called Proxy-Agent to provide the proxy support he wanted in his HTTP Toolkit product.

Numerous corporate-style tools exist to help computers on a network locate their official internal proxies automatically, including PAC, short for proxy auto-configuration, and WPAD, short for web proxy auto-discovery.

A PAC file consists of JavaScript that can dynamically determine whether a proxy is needed, and if so where to find it on the network.

PAC files provide a way to distribute complex proxy rules, as a single file that maps a variety of URLs to different proxies.

If you already have the power to alter an organisation's proxy setup, then you can simply redirect everyone on the network to a fake proxy anyway, with or without any JavaScript bugs in the equation.

Hacking a network by overtly reconfiguring every computer to start using a different proxy server is much more likely to produce troublesome side-effects that will get noticed, reported and investigated.

News URL

https://nakedsecurity.sophos.com/2021/09/06/poisoned-proxy-pacs-the-npm-package-with-a-network-wide-security-hole/