Google engineers have fixed a couple of XSS (cross-site scripting) issues in the company’s Caja toolkit, used to support scripting features inside the Google Docs and Google Developers services.
Google engineers developed Caja with the sole purpose of protecting against Web-based attacks such as XSS and phishing.
Caja currently underpins Google Apps Script, the scripting language used in Google Docs in much the same way that Microsoft Office uses macros.
Google Docs had its own “macro” Achilles heel
Polish security researcher Michal Bentkowski discovered that Google’s Caja tool fails to sanitize various types of XSS payloads.
The researcher created an XSS payload that tried to run code through the global “window” object, from which XSS attacks are most effective.
He discovered that he could get around Caja’s XSS filters by spelling the “window” identifier with Unicode escape sequences. A simple example was to write “window” as “\u0077indow”, where “\u0077” is the Unicode escape for the “w” character: the JavaScript parser resolves it to the same identifier, but a filter matching on the raw text does not. Other variations were possible, since Caja did not handle Unicode escapes in its filtering.
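To make the failure mode concrete from the defender’s side, the following is an added example written for this article; it is not Caja’s code and not the researcher’s payload. It contrasts a hypothetical denylist filter that matches the raw source text with a version that first decodes ECMAScript identifier escapes (both `\uXXXX` and `\u{...}`) and then compares whole identifiers. The `FORBIDDEN` list, the function names and the sample inputs are all constructed for illustration.

```javascript
// Added example (not Caja's code): a naive identifier denylist versus one that
// canonicalizes JavaScript identifier escapes before matching.
// ECMAScript permits \uXXXX and \u{X...} escapes inside identifier names, so the
// source text "\u0077indow" names the same binding as "window".

// Hypothetical denylist of globals a sandbox refuses to expose.
const FORBIDDEN = ["window", "document", "eval"];

// Naive check: substring match on the raw source text. It misses escaped
// spellings and also flags harmless identifiers that merely contain a name.
function naiveIsBlocked(source) {
  return FORBIDDEN.some((name) => source.includes(name));
}

// Decode \uXXXX and \u{...} escapes the same way the parser does for identifiers.
function decodeIdentifierEscapes(source) {
  return source.replace(
    /\\u\{([0-9a-fA-F]+)\}|\\u([0-9a-fA-F]{4})/g,
    (match, braced, fixed) => {
      const codePoint = parseInt(braced !== undefined ? braced : fixed, 16);
      return String.fromCodePoint(codePoint);
    }
  );
}

// Hardened check: decode escapes, tokenize identifiers, compare whole names.
function hardenedIsBlocked(source) {
  const canonical = decodeIdentifierEscapes(source);
  // IdentifierName per ECMAScript: ID_Start, $ or _ followed by ID_Continue, $, ZWNJ, ZWJ.
  const identifiers =
    canonical.match(/[\p{ID_Start}$_][\p{ID_Continue}$\u200c\u200d]*/gu) || [];
  return identifiers.some((id) => FORBIDDEN.includes(id));
}

// Constructed sample inputs: the plain spelling, the two escaped spellings
// described above, and a benign identifier that only contains "window".
const SAMPLES = [
  "window.location.href",
  "\\u0077indow.location.href",
  "\\u{77}indow.location.href",
  "self.windowWidth",
];

// Returns one row per sample so the two filters can be compared side by side.
function compareFilters(samples = SAMPLES) {
  return samples.map((src) => ({
    source: src,
    naive: naiveIsBlocked(src),
    hardened: hardenedIsBlocked(src),
  }));
}

for (const row of compareFilters()) {
  console.log(`${row.source.padEnd(28)} naive=${row.naive} hardened=${row.hardened}`);
}
```

The point of the comparison is that a text-level denylist is checking the wrong representation: the parser sees identifiers after escape decoding, so a filter has to canonicalize to that same representation (or, better, operate on a parsed AST) before deciding what to allow. Whole-identifier matching also removes the naive filter’s false positive on `windowWidth`.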
Attackers could have created malicious Google Docs files containing Google Apps Scripts that, when a visitor loaded the page, would carry out an XSS attack in the visitor’s browser, stealing cookies and executing malicious actions on the visitor’s behalf.
Same issue affected the Google Developers domain
After helping Google fix the issue in the Google Docs service, Bentkowski discovered a similar flaw on the Google Developers domain, where the Caja tool was also deployed to run various demos.
He also published a YouTube video of his Google Developers exploit, demonstrating both XSS and clickjacking attacks.