A case in point is this week's mass-mailing Yamanner worm, which took advantage of an apparent cross-site scripting error in Yahoo!'s e-mail service to infect thousands of users. The worm arrived in Yahoo e-mail user inboxes bearing the subject header "New Graphic Site" and was activated simply by a user opening the infected e-mail.
The approach is more efficient than having an entire Web page reload every time content needs to be refreshed. But it also increases the amount of traffic flowing between the browser and the Web server, thus increasing the potential for attacks such as the Yammaner worm, Hoffman said.
"Right off the bat you have a lot more input that you have to validate" on the server side compared to traditional Web sites, he said. "With AJAX, you are opening a lot more doors into the application, so if you don't sanitize your user input" the potential for compromises also increases, he said.
For example, AJAX environments can provide more opportunties for hackers to launch SQL injection attacks, he said. These are attacks directed against Web applications that use client-supplied data to execute database queries. AJAX environments can present more opportunties for hackers to inject malformed SQL queries and compromise applications if proper validation measures are not taken, he said.
"The main concern is that AJAX involves new approaches in providing functionality at the browser interface," Bloomberg said. "So developers are more likely to make mistakes where traditionally they would know how to build a secure Web site."
If adequate server-side protections do not exist, AJAX can leave more doors open for malicious clients to send corrupted data, expose back-end applications that were not previously vulnerable and allow unauthenticated users to quickly elevate their privileges, said Mandeep Khera, vice president of marketing with Cenzic, a California-based vendor of application testing tools.
Companies certainly need to be aware of such risks, said Tim Farmer, manager of the software architect team at Choice Homes in Texas. But for the moment, at least, "the benefits that you get from AJAX outweigh the risks -- so long as you make good decisions on what kind of information you are exposing out there," Farmer said.
As part of an effort to make its Web site more dynamic, Choice Homes is using AJAX-like functions in Adobe Systems' Macromedia Flash Remoting technology to present property-related information from its back-end servers. But the company is taking care to ensure that no business critical data is exposed, "so we've really had no reason to lock it down," Farmer said.
"AJAX and security is something that brings fear into a developer's eyes," said Eric Pascarello, co-author of AJAX in Action and moderator of Javaranch.com a forum for Java developers. But the fact is that a lot of the security concerns are not unique to AJAX, he said.
One of the biggest mistakes is the failure to validate data on the server, Pascarello said.
"What you need to fear is stupidity by a developer," he said. "The flaw is in developers trusting the data that is being sent from the client. Anyone should know that the data can not be trusted."