GoGuardian Bypass Test Page

Defensive Security Testing - BBobop Tool #2063b
AUTHORIZED TESTING ONLY. This page is designed for school IT security teams to test whether their GoGuardian deployment blocks common bypass techniques. Deploy this page on a test server and access it from a managed student Chromebook to verify your filters catch these vectors.

What This Tests

Students commonly bypass GoGuardian by embedding blocked content inside iframes on trusted domains (like Google Sites). If GoGuardian only checks the parent page URL and not iframe sources, blocked content loads freely.

This page simulates that technique. Each test below embeds an iframe pointing to a different destination. If your GoGuardian deployment is properly configured, the iframe content should be blocked or empty. If it loads, you have a bypass vulnerability.

Test 1: Web Proxy Iframe

Embeds a popular web proxy site in an iframe. Students use this to browse blocked sites through the proxy.

LIVE TEST - IFRAME EMBED
Click a button above to run the test. If the proxy site loads in the iframe, your filter has a bypass vulnerability.

Test 2: Google Translate Proxy

Google Translate can act as a proxy by translating a blocked page. Since translate.google.com is typically whitelisted, the blocked content passes through.

LIVE TEST - GOOGLE TRANSLATE PROXY
If the translated page loads, Google Translate is acting as an unfiltered proxy on your network.

Test 3: Google Cache Proxy

Google's web cache (webcache.googleusercontent.com) serves cached copies of pages. Since it's a Google domain, it often bypasses filters.

LIVE TEST - GOOGLE CACHE
If cached content loads, googleusercontent.com needs to be inspected by your filter.

Test 4: Data URI / Blob Injection

Students can inject HTML into an iframe using data URIs or JavaScript blob URLs, bypassing URL-based filtering entirely since there's no network request to intercept.

LIVE TEST - DATA URI INJECTION
If injected content renders, your CSP headers need to block data: and blob: sources in iframes.

Known Bypass Techniques Reference

These are the most common techniques students use to bypass GoGuardian as of 2026:

  1. Google Sites iframe: Create a Google Site, embed a web proxy in an iframe. GoGuardian whitelists *.google.com.
  2. Google Translate proxy: Use translate.google.com/translate?u=blocked-site to proxy through Google.
  3. Google Cache: Access webcache.googleusercontent.com for cached versions of blocked pages.
  4. DNS-over-HTTPS: Change Chrome's DoH settings to bypass DNS-level filtering. Goes over port 443.
  5. Web proxies: CroxyProxy, Hide.me, KProxy — new ones appear daily.
  6. Chrome extensions: Install VPN/proxy extensions if extension management isn't locked down.
  7. Incognito/Guest mode: Escape the managed profile where GoGuardian runs.
  8. DevTools injection: Use Chrome DevTools to modify GoGuardian extension behavior or inject bypass scripts.
  9. Task Manager kill: Use Chrome's Task Manager (Shift+Esc) to kill the GoGuardian extension process.
  10. chrome://flags: Enable experimental features that can disable extension enforcement.
  11. USB boot: Boot from USB to bypass ChromeOS management entirely.
  12. SSH tunneling: If port 22 is open, create a SOCKS proxy tunnel to an external server.
  13. Tor Browser: If Tor entry nodes aren't blocked at the firewall, full anonymized browsing.
  14. AMP Cache: Use cdn.ampproject.org to load AMP versions of blocked pages through Google's CDN.

Remediation Checklist

For each technique above, here's how to defend:

  1. Iframe inspection: Configure GoGuardian/firewall to inspect iframe src attributes, not just top-level URLs.
  2. Block Translate proxy mode: In Google Admin Console, restrict Google Translate for student OUs.
  3. Block cache domains: Add webcache.googleusercontent.com to your URL blocklist.
  4. Block DoH endpoints: Block dns.google, cloudflare-dns.com, dns.quad9.net at firewall level.
  5. Category-based filtering: Use a web filter with proxy/anonymizer category blocking that updates daily.
  6. Extension whitelist: Set ExtensionInstallBlocklist to ['*'] and allow only approved extensions.
  7. Disable incognito/guest: IncognitoModeAvailability=1, BrowserGuestModeEnabled=false in Chrome policy.
  8. Disable DevTools: DeveloperToolsAvailability=2 in Chrome policy.
  9. Disable Task Manager kill: TaskManagerEndProcessEnabled=false in Chrome policy.
  10. Block chrome://flags: Add to URLBlocklist in Chrome policy.
  11. Disable USB boot: Require verified boot mode in Google Admin Console.
  12. Block outbound SSH: Block port 22 outbound on student VLANs.
  13. Block Tor: Use a Tor exit node blocklist feed on your firewall.
  14. Block AMP cache: Add cdn.ampproject.org to blocklist if not needed.
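
The Chrome policy values named in checklist items 6 to 10 can be checked mechanically. The following Python audit is an added example, not part of the original page and not GoGuardian or Google tooling. The flat policy-name-to-value dictionary it takes as input and the sample values are assumptions constructed for illustration.

```python
# Added example: audit Chrome policy values against checklist items 6-10.
# Assumption: `policies` is a flat {policy_name: value} dict extracted from
# your own policy export; parsing the export itself is not covered here.

# Expected values are the ones stated in the remediation checklist.
EXACT = {
    "IncognitoModeAvailability": 1,         # item 7: incognito disabled
    "BrowserGuestModeEnabled": False,       # item 7: guest mode disabled
    "DeveloperToolsAvailability": 2,        # item 8: DevTools disallowed
    "TaskManagerEndProcessEnabled": False,  # item 9: no "End process"
}
# List policies that must contain at least these entries (exact string match).
MUST_CONTAIN = {
    "ExtensionInstallBlocklist": ["*"],     # item 6: block all by default
    "URLBlocklist": ["chrome://flags"],     # item 10
}


def audit(policies):
    """Return sorted (policy, problem) findings; an empty list means compliant."""
    findings = []
    for name, want in EXACT.items():
        if name not in policies:
            findings.append((name, "not set"))
        # Compare the type too: in Python True == 1 and False == 0, so a
        # boolean must not pass where the policy expects an integer.
        elif type(policies[name]) is not type(want) or policies[name] != want:
            findings.append((name, f"is {policies[name]!r}, expected {want!r}"))
    for name, required in MUST_CONTAIN.items():
        value = policies.get(name)
        if not isinstance(value, list):
            findings.append((name, "not set or not a list"))
            continue
        for entry in required:
            if entry not in value:
                findings.append((name, f"missing entry {entry!r}"))
    return sorted(findings)


# Constructed sample input, not taken from a real deployment.
SAMPLE = {
    "IncognitoModeAvailability": 0,
    "BrowserGuestModeEnabled": False,
    "DeveloperToolsAvailability": 2,
    "ExtensionInstallBlocklist": ["*"],
    "URLBlocklist": ["webcache.googleusercontent.com"],
}

if __name__ == "__main__":
    for policy, problem in audit(SAMPLE):
        print(f"FAIL {policy}: {problem}")
```

Policies that are simply absent are reported as findings, because an unset policy falls back to the browser default rather than the locked-down value.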