Had this question posed by a friend in my last London post:
What do you think of AJAX? Do you know of security concerns?
Since you asked...
Security concerns with AJAX
And what about programmers today? Most are familiar with the security risks of standard controls and are in the habit of checking what is submitted very carefully (or at least, hopefully they are). But when you use a canned library to abstract away the complexity of passing an XMLHttpRequest, you think less about the loopholes that attackers will certainly be probing. When selecting a library, programmers and architects should test specifically for buffer overflow risks in the string data being passed in: if in doubt, pass in an inordinately large set of data and see what exceptions surface and where. And once a library is chosen, the code must carefully check every parameter coming into the server-side AJAX methods, weeding out values outside the norm and enforcing role-based security consistently.
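As an added example (not code from the original post), here is what the server-side checks described above look like in practice: a handler for a hypothetical `updateNote` AJAX method that rejects oversized payloads before parsing, enforces role-based access on the server rather than trusting the client, and validates each parameter against a schema. The method name, field names, limits and role table are assumptions made for the illustration; the post itself names none of them.

```javascript
// Added example, not from the original post. Validates an incoming AJAX
// request body before any business logic runs. All names and limits below
// are assumptions chosen for the illustration.
const MAX_BODY_BYTES = 4096; // assumed hard cap on request size

// Hypothetical parameter schema for the "updateNote" AJAX method.
const SCHEMA = {
  noteId: { type: 'integer', min: 1, max: 2147483647 },
  title: { type: 'string', maxLength: 120 },
  body: { type: 'string', maxLength: 2000 },
};

// Constructed role table: which roles may invoke which server-side method.
const METHOD_ROLES = { updateNote: ['editor', 'admin'] };

// Check every parameter against the schema and reject anything unexpected.
function validateParams(params, schema) {
  const errors = [];
  for (const [name, rule] of Object.entries(schema)) {
    const value = params[name];
    if (value === undefined) { errors.push(`${name}: missing`); continue; }
    if (rule.type === 'integer') {
      if (!Number.isInteger(value) || value < rule.min || value > rule.max) {
        errors.push(`${name}: out of range`);
      }
    } else if (rule.type === 'string') {
      if (typeof value !== 'string') {
        errors.push(`${name}: not a string`);
      } else if (value.length > rule.maxLength) {
        errors.push(`${name}: too long (${value.length} > ${rule.maxLength})`);
      }
    }
  }
  for (const name of Object.keys(params)) {
    if (!(name in schema)) errors.push(`${name}: unexpected parameter`);
  }
  return errors;
}

// Entry point the AJAX endpoint would call. Returns a status and either a
// result or an error message; it never throws on bad client input.
function handleAjaxRequest(method, rawBody, userRoles) {
  // 1. Size check first, before the body is parsed at all.
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    return { status: 413, error: 'payload too large' };
  }
  // 2. Role-based check on the server for every call.
  const allowed = METHOD_ROLES[method];
  if (!allowed) return { status: 404, error: 'unknown method' };
  if (!userRoles.some((r) => allowed.includes(r))) {
    return { status: 403, error: 'forbidden' };
  }
  // 3. Parse as JSON; malformed input is a client error, not a stack trace.
  let params;
  try {
    params = JSON.parse(rawBody);
  } catch {
    return { status: 400, error: 'malformed JSON' };
  }
  if (params === null || typeof params !== 'object' || Array.isArray(params)) {
    return { status: 400, error: 'expected a JSON object' };
  }
  // 4. Per-parameter checks against the schema.
  const errors = validateParams(params, SCHEMA);
  if (errors.length > 0) return { status: 400, error: errors.join('; ') };
  // All checks passed; the real handler would update the note here.
  return { status: 200, result: { noteId: params.noteId, updated: true } };
}

// Constructed sample calls: one valid request and one oversized payload.
console.log(handleAjaxRequest('updateNote',
  JSON.stringify({ noteId: 7, title: 'Hello', body: 'World' }), ['editor']));
console.log(handleAjaxRequest('updateNote', 'x'.repeat(5000), ['editor']));
```

The order of the checks is the point: the cheap size check runs before parsing, the role check runs before any parameter is looked at, and the schema rejects both out-of-range values and parameters the method never asked for, so a library quirk in how the client encodes its call cannot widen what the server will accept.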
.NET 2.0 is well-prepared for AJAX
In the .NET camp, ASP.NET 2.0 now has provision for asynchronous callbacks, which makes implementing AJAX much easier. In fact, three of the new controls in 2.0 already use these asynchronous callbacks for a smoother user experience: GridView, DetailsView, and TreeView. Pretty slick implementations there.
So I'm definitely not trying to steer anyone away from AJAX in this post. I'm just hoping that security will be maintained as more people adopt this excellent feature in their sites.