"But in the rush to add interactive features, security has often been overlooked. Several high profile attacks have exploited weaknesses in sites using Web 2.0 technologies. The Yamanner worm hit Yahoo mail users, exploiting JavaScript and Ajax code to collect email addresses, while the Samy and Spaceflash worms spread among MySpace users changing buddy lists and profile information. Such attacks have heightened concerns that Web 2.0, and Ajax in particular, are introducing new threats to life on the Web.

Ajax is not that new and it hasn't introduced new vulnerabilities, just variations of old ones. The problem is that Ajax applications tend to be very complex. There are many more interactions between the browser and server, and pages can even pull in content from other sites. This makes it difficult to test the many possible permutations of user and service interaction, allowing old vulnerabilities such as cross-site scripting (XSS) flaws to be unwittingly introduced in to the application." - TechTarget

Article Link: http://searchsecurity.techtarget.com/columnItem/....