As many business have moved to blend AJAX into older Web applications or asked their programmers to begin working with the language, the lack of experience in securing AJAX, or writing the code altogether, has become startlingly clear, according to the expert, whose company was recently purchased by Hewlett-Packard.
"When you have a dumb terminal like a traditional browser handling AJAX, you can throw in all sorts of dummy data in and get back verbose error responses that give away information on local file systems," Hoffman said. "These aren't the sort of things that will bubble up in typical quality assurance tests; developers are just starting to become more aware of how they need to approach security for traditional Web applications. With AJAX it becomes much more sophisticated to even identify these problems."
The researcher said that the AJAX security issue is far worse than it was even one year ago because so many more sites have added the code to their applications. Online behemoths including Google, MySpace, and Yahoo have already identified major AJAX-oriented weaknesses in their sites.
For smaller companies with fewer resources, fixing the issues won't be as easily pulled off as it has been by the larger Web applications firms, he said.
The SPI researchers offered some advice to companies who use AJAX on to how to best protect themselves, such as applying authentication tools for every request the applications carry out or fixing software vulnerabilities themselves so that AJAX can't be used to access the flaws. But the best advice is to use extreme caution whenever applying the language, they said.
"As a last resort you want to consider abstinence from AJAX -- only use it when absolutely necessary, not just because you can," Sullivan said. "If you're updating 80 to 90 percent of your pages in AJAX, that's probably not a good idea."
Despite the SPI experts' warnings, some security researchers maintain that AJAX is not really the underlying issue at hand and that the technology is just another vehicle that can be used to exploit common vulnerabilities such as SQL injections that can be delivered in many other formats.
Respected security researcher Robert Hansen, better known by his screen name "RSnake," said that blaming AJAX for the issues doesn't make much sense, despite the viability of the attacks that the SPI experts demonstrated.
"There isn't any vulnerability in AJAX that's to blame. These are attacks that could be successfully carried out on almost any type of Web application," Hansen said. "AJAX has certainly had the effect of making it harder for testers to assess the security of applications, but AJAX doesn't really change anything in terms of the degree of vulnerability; it's just another avenue that's being made available to attackers."