ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
How to control YouTube categorization bypass in ProxySG
Article ID: 168987
Updated On:
Products
Asset Management Solution
Data Center Security Monitoring Edition
ProxySG Software - SGOS
Issue/Introduction
Customer is having policy to control access to certain YouTube categories. For eg: Denying access to YouTube categories “Movies” & “Entertainment”. Clients may try to modify the url in the request which may break YouTube categorization. This will make the YouTube category control not working as expected.
Cause
YouTube categorization is provided by YouTube when queried with the individual Video-ID. ProxySG takes this from the url as in the example below
https://www.youtube.com/watch?v=0WWzgGyAH6Y
If customer modifies this url and add an extra "/v/" after the domain, categorization will fail. This video will be then considered as “Uncategorized” and may get allowed depending on the customer policies.
https://www.youtube.com/v/watch?v=0WWzgGyAH6Y
There are multiple ways to bypass categorization in YouTube and the above is just one such modification. The attached policy to this article is updated with known bypass methods.
https://www.youtube.com/watch?v=0WWzgGyAH6Y
If customer modifies this url and add an extra "/v/" after the domain, categorization will fail. This video will be then considered as “Uncategorized” and may get allowed depending on the customer policies.
https://www.youtube.com/v/watch?v=0WWzgGyAH6Y
There are multiple ways to bypass categorization in YouTube and the above is just one such modification. The attached policy to this article is updated with known bypass methods.
Resolution
This url modification can be dealt by adding policy to redirect any request with the extra “/v/” back to its original form.
; Rule to redirect modified YT requests to Original form
<proxy> url.domain="youtube.com"
url.path.prefix="/v/watch" action.YT_Redirect_1(yes)
url.path.prefix="/v?" action.YT_Redirect_2(yes)
url.path.prefix="/e?" action.YT_Redirect_3(yes)
url.path.prefix="/TV" action.YT_Redirect_4(yes)
define action YT_Redirect_1
redirect( 307, "https://www.youtube.com/v/(.*)", "https://www.youtube.com/$(1)" )
end
define action YT_Redirect_2
redirect( 307, "https://www.youtube.com/v(.*)", "https://www.youtube.com/watch$(1)" )
end
define action YT_Redirect_3
redirect( 307, "https://www.youtube.com/e(.*)", "https://www.youtube.com/watch$(1)" )
end
define action YT_Redirect_4
redirect(307, "https://www.youtube.com/(?i)TV\?v=(.*)", "https://www.youtube.com/watch?v=$(1)" )
end
Policy is also attached to this article
; Rule to redirect modified YT requests to Original form
<proxy> url.domain="youtube.com"
url.path.prefix="/v/watch" action.YT_Redirect_1(yes)
url.path.prefix="/v?" action.YT_Redirect_2(yes)
url.path.prefix="/e?" action.YT_Redirect_3(yes)
url.path.prefix="/TV" action.YT_Redirect_4(yes)
define action YT_Redirect_1
redirect( 307, "https://www.youtube.com/v/(.*)", "https://www.youtube.com/$(1)" )
end
define action YT_Redirect_2
redirect( 307, "https://www.youtube.com/v(.*)", "https://www.youtube.com/watch$(1)" )
end
define action YT_Redirect_3
redirect( 307, "https://www.youtube.com/e(.*)", "https://www.youtube.com/watch$(1)" )
end
define action YT_Redirect_4
redirect(307, "https://www.youtube.com/(?i)TV\?v=(.*)", "https://www.youtube.com/watch?v=$(1)" )
end
Policy is also attached to this article
Attachments
Feedback
Yes
No
Powered by
