Google fixed cross-site scripting (XSS) issues in the Caja toolkit, which is used inside the Google Docs and Google Developers services.
Google engineers developed Caja to protect against Web-based attacks such as XSS and phishing. Unfortunately, the tool itself needed an XSS fix.
The problem was that Caja's sanitizer failed to catch several variants of XSS payloads, Polish security researcher Michal Bentkowski, who found the vulnerability, said in a blog post.
Bentkowski built an XSS payload that tried to run code under the global “window” object, the context from which XSS attacks are most effective.
He discovered he could get past Caja's XSS filters by spelling out the “window” identifier with Unicode escape sequences. A simple example was writing “window” as “\u0077indow,” where “\u0077” is the Unicode escape for the “w” character. Other variations were possible, since Caja did not sanitize Unicode-escaped characters.
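As an added illustration (constructed for this article, not Caja's code or the researcher's payload), the following JavaScript shows why a name-based filter must decode identifier escapes before matching: the naive check misses "\u0077indow", while the normalising check catches it.

```javascript
// Added example (not Caja's code): a filter that matches only the literal
// spelling of a dangerous global is bypassed by identifier escapes, because
// the engine treats \u0077indow as the identifier "window". The fix is to
// normalise escapes before matching. Filter and sample inputs are constructed.
const FORBIDDEN = new Set(["window", "document", "eval"]);

// Naive filter: matches only the plain spelling of the forbidden names.
function naiveBlocks(src) {
  return /\b(window|document|eval)\b/.test(src);
}

// Decode \uXXXX and \u{X..X} escapes to the code points they denote.
// Decoding everywhere (even inside string literals) only makes the filter
// more conservative; it never lets an escaped identifier through.
function decodeUnicodeEscapes(src) {
  return src.replace(/\\u\{([0-9a-fA-F]+)\}|\\u([0-9a-fA-F]{4})/g,
    (_, braced, plain) => String.fromCodePoint(parseInt(braced || plain, 16)));
}

// Normalising filter: decode first, then extract identifiers using the
// Unicode ID_Start / ID_Continue classes JavaScript itself applies.
function normalizedBlocks(src) {
  const decoded = decodeUnicodeEscapes(src);
  const ids = decoded.match(/[\p{ID_Start}$_][\p{ID_Continue}$\u200c\u200d]*/gu) || [];
  return ids.some((id) => FORBIDDEN.has(id));
}

// Constructed inputs; String.raw keeps the backslashes as source text.
const SAMPLES = [
  String.raw`alert(window.origin)`,          // plain spelling
  String.raw`alert(\u0077indow.origin)`,     // first letter escaped
  String.raw`alert(wi\u006edo\u0077.origin)`, // two letters escaped
  String.raw`alert(\u{77}indow.origin)`,     // braced escape form
  String.raw`alert(mywindow)`,               // benign, different identifier
];

// Returns, for each sample, what the two filters decide.
function compareFilters(samples = SAMPLES) {
  return samples.map((s) => ({
    src: s,
    naive: naiveBlocks(s),
    normalized: normalizedBlocks(s),
  }));
}
```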
Attackers could have created malicious Google Docs files containing Google Apps Script code that, when a visitor loaded the page, would carry out an XSS attack in the visitor's browser, stealing cookies and performing actions on their behalf.
After Google fixed the problem in Google Docs with the researcher's help, Bentkowski found a similar issue on the Google Developers domain, where Caja demonstrations are hosted.