Since Ajax Web applications exist on both the client and the server, they introduce the following security issues:
- Create a larger attack surface with many more inputs to secure
- Expose internal functions of the Web application server
- Allow a client-side script to access third-party resources with no built-in security mechanisms
AJAX implementations require a trust relationship between the client and server — a relationship that can be exploited by an attacker...
The JavaScript in the Ajax engine traps the user's commands and makes function calls to the server in clear text. Browser requests and Ajax engine requests look identical: the server cannot distinguish a request made by JavaScript from a request made in response to a user action. This makes it very difficult for a user to prove that they did not perform a given action.
It also means that JavaScript can use Ajax to request a resource in the background, without the user's knowledge. The browser automatically adds the necessary authentication or state-keeping information, such as cookies, to that request. The JavaScript code can then read the response to this hidden request and issue further requests. This expansion of JavaScript's reach increases the possible damage of a Cross-Site Scripting (XSS) attack.
Read the whole excellent article "AJAX Security Dangers" by Billy Hoffman.