Skip to content

PAC/WPAD Hygiene — No Direct Fallback

Validate that PAC/WPAD misconfiguration or outage does not permit direct egress, HTTPS CONNECT to non-proxy endpoints, or bypass of designated proxy identity/pinning.

Objectives

  • Enforce proxy-only routing despite PAC/WPAD errors or manipulation.
  • Deny CONNECT and direct paths; maintain certificate/pinning requirements.

Preconditions

  • Enterprise proxy designated with identity/pinning.
  • PAC/WPAD discovery present in environment (can be misconfigured for test).

Suite

IDCanonical IDsFlowProcedureExpected Outcome
INTEG-PAC-FALLBACK-01NET-EGRESS-08, NET-EGRESS-12, NET-EGRESS-10PAC/WPAD Hygiene — No Direct Fallback1) Introduce PAC/WPAD error (unreachable/invalid script). 2) Attempt HTTPS and CONNECT to external endpoints. 3) Attempt direct HTTP/HTTPS using environment variables or explicit host:port.Denied; no direct fallback; audit shows proxyEnforced: true with appropriate reason (PAC/WPAD failure or pinning) and action: "deny".

Evidence Requirements

  • network events: action, reason, proxyEnforced, alpn/protocol, integrity.hash.