Today I learned about WPAD = Web Proxy Autodiscovery Protocol. The “Security” section of the Wikipedia article is a bit alarming.
WPAD is a bit of Javascript that your machine downloads from a pre-specified URL (like http://wpad/wpad.dat) to decide which proxy to use for which URL. The local DHCP+DNS configuration should trap that URL request and provide the correct JS for the client to configure itself.
I wonder if web browsers use their own HTTP engine for downloading this file? If so, could a malicious browser plugin rewrite this file to inject a MITM proxy?
https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol