Google Fixes Caja Toolkit Holes

Tuesday, July 12, 2016 @ 01:07 PM gHale


Google fixed cross-site scripting (XSS) issues in the Caja toolkit, which Google uses inside Google Docs and on the Google Developers site.

Caja is Google's tool for safely embedding third-party HTML, CSS and JavaScript in a web page. Instead of relying on a real iframe, it rewrites the untrusted content into a restricted subset of HTML, CSS and JavaScript and runs it in a "virtual iframe" that is supposed to have no way of reaching the host page's DOM or its global "window" object.

Google engineers developed Caja to protect against Web-based attacks such as XSS and phishing. Unfortunately, it needed an XSS fix of its own.

The problem was that Caja's sanitizer could be bypassed by several variants of an XSS payload, said Polish security researcher Michal Bentkowski, who found the vulnerability, in a blog post.

Bentkowski built an XSS payload that tried to reach the page's global "window" object, the foothold from which an XSS attack has the most reach, since it gives access to the host page's DOM and cookies.

He discovered he could get around Caja's XSS filters by spelling the "window" identifier with Unicode escape sequences, which JavaScript allows inside identifiers. A simple example was writing "window" as "\u0077indow", where "\u0077" is the escape sequence for the "w" character. Other spellings worked too, because Caja did not decode the escape sequences in identifiers before checking them against its filters, so "\u0077indow" and "window" looked like different names to Caja but the same name to the browser's JavaScript engine.
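As an added illustration, not code from Caja or from Bentkowski's post, the following JavaScript shows both halves of the bug: the engine treats "\u0077in" as the identifier "win", and a filter that compares identifier tokens by their literal spelling therefore misses "\u0077indow", while a filter that decodes the escapes first catches it. The simplified tokenizer, the FORBIDDEN list and the two filter functions are assumptions made for this demonstration; Caja's real rewriting is far more involved.

```javascript
// Added example, not Caja's code: a literal-spelling identifier blocklist,
// the Unicode-escape bypass, and a normalizing fix.

// 1. ECMAScript decodes \uXXXX escapes inside identifiers, so "\u0077in"
//    names the same binding as "win". new Function sees the raw escape
//    because the source string below uses a doubled backslash.
function escapedIdentifierIsSameBinding() {
  const hostObject = { marker: "host" };          // constructed stand-in for window
  const f = new Function("win", "return \\u0077in;");
  return f(hostObject) === hostObject;             // true
}

// Identifier names the sandbox must never let untrusted code touch
// (constructed for the example; Caja's real policy is much larger).
const FORBIDDEN = ["window", "document", "eval"];

// Simplified identifier tokenizer: a letter, _, $ or a \u escape, followed
// by more of the same plus digits. It ignores strings and comments, which
// a real parser must handle; it is enough to show the bypass.
const ESC = "\\\\u(?:\\{[0-9a-fA-F]+\\}|[0-9a-fA-F]{4})";
const IDENT = new RegExp(`(?:[A-Za-z_$]|${ESC})(?:[A-Za-z0-9_$]|${ESC})*`, "g");

function identifiers(source) {
  return source.match(IDENT) || [];
}

// Naive filter: compares each token's literal spelling.
// Returns true when the source is allowed through.
function naiveFilter(source) {
  return identifiers(source).every(id => !FORBIDDEN.includes(id));
}

// Decode \uXXXX and \u{X...} escapes so the token reads as the engine reads it.
function decodeIdentifier(id) {
  return id.replace(
    /\\u\{([0-9a-fA-F]+)\}|\\u([0-9a-fA-F]{4})/g,
    (_, braced, four) =>
      String.fromCodePoint(parseInt(braced !== undefined ? braced : four, 16))
  );
}

// Hardened filter: normalize every identifier first, then compare.
function normalizingFilter(source) {
  return identifiers(source).every(id => !FORBIDDEN.includes(decodeIdentifier(id)));
}

// Stand-alone demonstration over constructed payloads.
const payloads = [
  "window.location",          // blocked by both filters
  "\\u0077indow.location",    // Bentkowski-style bypass of the naive filter
  "\\u{77}indow.location",    // same trick with the ES2015 braced escape form
  "win.location",             // harmless; allowed by both filters
];
for (const p of payloads) {
  console.log(p.padEnd(24), "naive:", naiveFilter(p), "normalizing:", normalizingFilter(p));
}
```

The fix shown here is the general rule for any sanitizer that inspects source code: compare names only after bringing them to the canonical form the target engine will use, because the engine, not the filter, decides what an identifier means.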

Attackers could have created malicious Google Docs files containing Google Apps Script that, when a visitor loaded the page, would carry out an XSS attack in the visitor's browser, stealing cookies and performing actions in the visitor's session.

After helping Google fix the problem in the Google Docs service, Bentkowski found a similar issue on the Google Developers domain, where Google hosts Caja demonstrations.