XSS issues found on Google Docs and Developers domains

Jul 6, 2016 21:10 GMT  ·  By

Google engineers have fixed a couple of XSS (cross-site scripting) issues in the company's Caja toolkit, used to support scripting features inside the Google Docs and Google Developers services.

Caja is a safer implementation of the "virtual iframe" idea for JavaScript: developers write code in JS, HTML, and CSS, and Caja runs it inside an iframe that permits only a subset of HTML and CSS and a single JavaScript function with no variables.

Google engineers developed Caja for the sole purpose of protecting against Web-based attacks such as XSS, phishing, and others.

Caja currently underpins the company's Google Apps Script, a scripting language used in Google Docs in much the same way Microsoft Office uses macros.

Google Docs had its own "macro" Achilles heel

Polish security researcher Michal Bentkowski discovered that Google's Caja tool failed to sanitize several variants of XSS payloads.

The researcher crafted an XSS payload that tried to run code against the global "window" object, the context in which XSS attacks are most effective.

He found that he could get around Caja's XSS filters by spelling the "window" identifier with Unicode escape sequences. A simple example was writing "window" as "\u0077indow", where "\u0077" is the JavaScript Unicode escape for the "w" character. Other variations were possible because Caja did not normalize Unicode escapes before checking identifiers.
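The following is an added example, not Caja's code or the researcher's, written from the defender's side. It shows why a filter that compares raw source text against a forbidden name misses an escaped spelling such as "\u0077indow", and how decoding Unicode escapes before the comparison closes that gap. The forbidden-name list, the sample inputs and the function names are constructed for this illustration.

```javascript
// Added example (not Caja's code, nor the researcher's): why a filter that
// compares raw source text against a forbidden name misses Unicode-escaped
// spellings of that name, and how decoding the escapes first closes the gap.
// The forbidden-name list and the sample inputs are constructed for this demo.

// Names the sandbox must not let guest code reach directly. "window" is the
// object from the article; "document" is added here as an assumption.
const FORBIDDEN_GLOBALS = new Set(["window", "document"]);

// Decode the two escape forms JavaScript allows inside identifiers:
// \uXXXX (four hex digits) and \u{X...} (ES2015 code-point form).
// Escapes inside string literals are decoded too; for a detector that is the
// conservative direction (extra matches, never missed ones).
function normalizeIdentifierEscapes(source) {
  return source.replace(
    /\\u\{([0-9a-fA-F]+)\}|\\u([0-9a-fA-F]{4})/g,
    (match, braced, fixed) => {
      const codePoint = parseInt(braced !== undefined ? braced : fixed, 16);
      return codePoint > 0x10ffff ? match : String.fromCodePoint(codePoint);
    }
  );
}

// Pull identifier-shaped tokens out of source text. A backslash is not an
// identifier character, so the raw text "\u0077indow" yields the token
// "u0077indow", which is exactly why a text-level blocklist is blind to it.
function identifiersIn(source) {
  return source.match(/[\p{ID_Start}$_][\p{ID_Continue}$\u200C\u200D]*/gu) || [];
}

// Weak check: match forbidden names against the raw text, as a filter that
// ignores escape sequences effectively does.
function naiveForbiddenHits(source, forbidden = FORBIDDEN_GLOBALS) {
  return identifiersIn(source).filter((id) => forbidden.has(id));
}

// Hardened check: decode escapes first, then match. Both spellings now
// collapse to "window" before the comparison happens.
function normalizedForbiddenHits(source, forbidden = FORBIDDEN_GLOBALS) {
  return identifiersIn(normalizeIdentifierEscapes(source)).filter((id) => forbidden.has(id));
}

// The language fact behind the bypass: an escaped identifier is the same
// identifier to the engine. No eval is needed to show it; a property name
// written as \u0077indow is read back as "window".
function escapedSpellingIsSameIdentifier() {
  const probe = { \u0077indow: true };
  return probe.window === true && Object.keys(probe)[0] === "window";
}

// Constructed inputs: the plain spelling, the two escaped spellings following
// the article's pattern, and a harmless identifier that merely looks similar.
const SAMPLES = [
  "window.name",
  "\\u0077indow.name",
  "\\u{77}indow.name",
  "var u0077indow = 1;",
];

// Run both checks over every sample so the difference is visible side by side.
function scan(samples = SAMPLES) {
  return samples.map((src) => ({
    source: src,
    naive: naiveForbiddenHits(src),
    normalized: normalizedForbiddenHits(src),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of scan()) {
    console.log(JSON.stringify(row));
  }
}
```

The regex tokenizer here is a deliberate approximation: it does not skip comments or string literals, so a production sandbox should apply the same normalization to identifiers taken from a real parser's AST rather than to raw text. The point the example makes survives either way: any comparison of identifier names has to happen after escape sequences have been decoded, or the escaped spelling slips through.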

Attackers could have created malicious Google Docs files containing Google Apps Scripts that, when a visitor loaded the document, would carry out an XSS attack in the visitor's browser, stealing cookies and performing actions on the victim's behalf.

The same issue affected the Google Developers domain

After helping Google fix the problems in the Google Docs service, Bentkowski also discovered a similar issue on the Google Developers domain, where the Caja tool was deployed to run various demos.

He also published a YouTube video of his Google Developers exploit, which carried out XSS and clickjacking attacks.

[Image: XSS on Google Docs domain]
[Image: XSS on Google Developers domain]