" The hype surrounding AJAX and security risks is hard to miss.
Supposedly, this hot new technology responsible for compelling
web-based applications like Gmail and Google Maps harbors a dark secret
that opens the door to malicious hackers. Not exactly true. Even the
most experienced Web application developers and security experts have a
difficult time cutting through the buzzword banter to find the facts.
And, the fact is most websites are insecure, but AJAX is not the
culprit. Although AJAX does not make websites any less secure, it's
important to understand what does. "
"In Google Maps, a user may mouse-drag through street maps without
visiting additional pages. The mechanism for performing asynchronous
data transfers is a software library embedded in all modern web
browsers called XMLHTTPRequest (XHR) . XHR is the key to a website
earning the “AJAX” moniker. Otherwise, it’s just fancy JavaScript.
If you’re thinking that none of this sounds security related, you’re
right. AJAX technology makes website interactivity smoother and more
responsive. That’s it. Nothing changes on the web server, where
security is supposed to reside."
Ignoring the fact that I'm friends with Jeremiah I'm happy to see someone finally speak bluntly about ajax security issues.
Article Link: http://www.whitehatsec.com/home/resources/articles/files/myth_busting_ajax_insecurity.html
