How to control YouTube categorization bypass in ProxySG
Article ID: 168987
Asset Management SolutionData Center Security Monitoring EditionProxySG Software - SGOS
Customer is having policy to control access to certain YouTube categories. For eg: Denying access to YouTube categories “Movies” & “Entertainment”. Clients may try to modify the url in the request which may break YouTube categorization. This will make the YouTube category control not working as expected.
YouTube categorization is provided by YouTube when queried with the individual Video-ID. ProxySG takes this from the url as in the example below
If customer modifies this url and add an extra "/v/" after the domain, categorization will fail. This video will be then considered as “Uncategorized” and may get allowed depending on the customer policies.
There are multiple ways to bypass categorization in YouTube and the above is just one such modification. The attached policy to this article is updated with known bypass methods.
This url modification can be dealt by adding policy to redirect any request with the extra “/v/” back to its original form.
; Rule to redirect modified YT requests to Original form <proxy> url.domain="youtube.com" url.path.prefix="/v/watch" action.YT_Redirect_1(yes) url.path.prefix="/v?" action.YT_Redirect_2(yes) url.path.prefix="/e?" action.YT_Redirect_3(yes) url.path.prefix="/TV" action.YT_Redirect_4(yes)
define action YT_Redirect_1 redirect( 307, "https://www.youtube.com/v/(.*)", "https://www.youtube.com/$(1)" ) end
define action YT_Redirect_2 redirect( 307, "https://www.youtube.com/v(.*)", "https://www.youtube.com/watch$(1)" ) end
define action YT_Redirect_3 redirect( 307, "https://www.youtube.com/e(.*)", "https://www.youtube.com/watch$(1)" ) end
define action YT_Redirect_4 redirect(307, "https://www.youtube.com/(?i)TV\?v=(.*)", "https://www.youtube.com/watch?v=$(1)" ) end