The Port80 folks have just posted about how AJAX applications are no less secure than normal web applications. They make some good arguments – the best of which is that if developers aren’t paying attention to input validation for web applications, they are unlikely to pay attention to input validation for AJAX-enabled applications. However, AJAX is just so new and exciting that we have seen far too many developers who know better go and do stupid stuff when they start building AJAX apps. The cause: they get too enamored with what they CAN do rather than what they SHOULD do.
The problem isn’t a breakdown in the coding idioms that help to avoid technical security vulnerabilities. Rather, the problem is the breakdown in attack/threat/risk modeling that helps to prevent logical vulnerabilities. Web 2.0 is new enough that these patterns aren’t well understood yet, and that is why AJAX applications are more prone to insecurity than traditional web applications.
dan _at_ denimgroup.com