Appearance
PAC/WPAD Hygiene — No Direct Fallback
Validate that PAC/WPAD misconfiguration or outage does not permit direct egress, HTTPS CONNECT to non-proxy endpoints, or bypass of designated proxy identity/pinning.
Objectives
- Enforce proxy-only routing despite PAC/WPAD errors or manipulation.
- Deny CONNECT and direct paths; maintain certificate/pinning requirements.
Preconditions
- Enterprise proxy designated with identity/pinning.
- PAC/WPAD discovery present in environment (can be misconfigured for test).
Suite
| ID | Canonical IDs | Flow | Procedure | Expected Outcome |
|---|---|---|---|---|
| INTEG-PAC-FALLBACK-01 | NET-EGRESS-08, NET-EGRESS-12, NET-EGRESS-10 | PAC/WPAD Hygiene — No Direct Fallback | 1) Introduce PAC/WPAD error (unreachable/invalid script). 2) Attempt HTTPS and CONNECT to external endpoints. 3) Attempt direct HTTP/HTTPS using environment variables or explicit host:port. | Denied; no direct fallback; audit shows proxyEnforced: true with appropriate reason (PAC/WPAD failure or pinning) and action: "deny". |
Evidence Requirements
networkevents:action,reason,proxyEnforced,alpn/protocol,integrity.hash.
