I'd like to start telling that I'm rather new.. no this is my first "job".. well it's not even a real job it's just a test, ok enough.
I'll have to test his "content filtering service"
the proxy is based on Squid
http://en.wikipedia.org/wiki/Squid_%28software%29
and the content filtering part is managed by DansGuardian
http://en.wikipedia.org/wiki/DansGuardian
all the software is updated to the latest version and the content-filtering is based on (words weight / banned urls and IPs)
everything on an external CentOS machine

for the first tests I'll just have to test for filter evasion nothing hard yet
if this will go well i think he'll make me test it a little bit deeper

could you help me to compile something like a check list about the tests to do?
or just some tips/hints

P.S. I wasn't really sure about the section so feel free to move the post

Welcome aboard!

One suggestion would be think like the user that wants to avoid being filtered.  Use google and search for "anonymous proxies".  Click on each link until you are able to view the site.  Done!

If it passes that (you can't get to one), set up a anonymous proxy yourself and see if you can get to it.  (Does it block uncatagorized sites.)

Next...would be to see if there were any vulnerabilities.  But if it is patched fully, it might not be as easy.

Just some quick thoughts as I have gone through this with our content filter devices in the past. 

Thanks for the answers!

I've been successfully bypassing the filters using a proxy and tunneling (we had the same service at school)

my suggest to fix the proxy (if not elite) problem would be to block all the packets with a "Forwarded" header
and all the tor's endpoints
what you think about it?

Thank you xD

any idea how to fix it?
how to filter encrypted traffic.. i was thinking about a..MitM attack (a legit one) made by the proxy (our..their service), but I'm afraid it would mess with the certificates making all the MitM countermeasures go vane

I don't think you can filter out all tunneling.  You need to develop solid outbound access policy. For HTTP tunneling regularly check the logs and block the relay server. Check for CONNECT requests to odd ports etc.

Edit: Ketchup beat me to it.

The only option I can think of (or find) right now is to block HTTP CONNECT to all websites except the valid ones. Like I previously stated, you'll need o develop strong outbound access rules. If HTTPS is allowed to random sites users can always find a way to bypass the firewall.
If blocking access to all sites is not feasible then you can use various addons with squid to blacklist 'improper' websites. You can easily find a large number of URL blacklists.

I'm not sure about it. But I think that in the conflict of whitelist and blacklist, blacklist always wins. But in this case I think that squid shouldn't block whitelistedurl.mydomain.com unless you've added *mydomain.com in the blacklist. Someone more experienced should help here. However, I found links that might be helpful to you.
http://marc.info/?l=squidguard&m=108285256707491
http://marc.info/?l=squidguard&m=108260329925644&w=2

I haven't played with squid much, but typically if you have something white listed it'll get checked before the black list and always be allowed through.

I'm basing this off firewalls (ip tables, ip chains, and cisco asa), where the allowed traffic usually comes before the deny all statement at the end.

So as far as I understand it, you can have allowed.domain.com in the white list, and *.domain.com in the black list, but you should still be able to get to allowed.domain.com.

I could be wrong. Like I said I'm basing this off my firewall knowledge and applying proxy filters to that.

squid example: unfiltered adults, white listed kids, deny everything else