How to Make Ajax Secure
Filed in archive AJAX by gautam on September 18, 2006

the entire webpage. This makes the page more responsive. It relies on JavaScript's XMLHttpRequest object, which can be set to operate behind the scenes asynchronously, triggered by a timer or by user keystrokes. This means that JavaScript code on a web page can connect to web servers independently of the user and pull in cross-domain content. There is a risk that Ajax could be exploited: most web applications are bound by the same-origin policy, which only lets them connect to the server that delivered the base page, but this does not apply to Ajax scripts. There is always the fear of malicious scripts stealing data stored in cookies or directly accessing the originating server; cross-site scripting vulnerabilities, for example, could easily be exploited.
Michael Cobb has set out five steps for thwarting these threats:
1. The key coding discipline of never trusting the client still applies, so any security controls should be implemented on the server and never controlled by the user.
2. Initially, keep the application straightforward. Reducing and simplifying any Ajax calls makes it easier to evaluate all possible types of requests that can be generated by a page or application during security testing.
3. Document and explain how the application communicates with the server and handles the responses it receives. Cover such issues as SSL connections for sensitive information.
4. Complete security testing prior to moving the application online, with special emphasis placed on checking for access control and input validation flaws.
5. Visit the Web Application Security Project for help with developing secure Ajax applications.
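The five steps above stay abstract; the following is an added example (not code from the original post or from Michael Cobb) showing what step 1 and step 4 look like in a server-side handler for a hypothetical Ajax endpoint such as GET /account?accountId=.... It is written as a pure function so it runs without a web server; the request shape, the session store, the account data and all function names are assumptions made for this illustration.

```javascript
// Added example, not code from the original post. A server-side handler for a
// hypothetical Ajax endpoint (GET /account?accountId=...), written as a pure
// function so it runs without a web server. The request shape, the session
// store and the account data are all constructed for illustration.

// Constructed server-side session store, keyed by the session cookie value.
// The user's role lives here and only here; nothing the browser sends can set it.
const SESSIONS = {
  "sess-user-1": { userId: 1, role: "user" },
  "sess-admin-9": { userId: 9, role: "admin" },
};

// Constructed account data. One label deliberately contains HTML metacharacters
// to show that the handler escapes what the page's script will insert into the DOM.
const ACCOUNTS = {
  "1001": { owner: 1, label: "Savings", balance: 250 },
  "2002": { owner: 9, label: "R&D <main>", balance: 4000 },
};

// Allowlist for the only parameter this endpoint accepts: 1 to 8 ASCII digits.
const ACCOUNT_ID_RE = /^[0-9]{1,8}$/;

function validateAccountId(value) {
  return typeof value === "string" && ACCOUNT_ID_RE.test(value);
}

// Escape a value for safe insertion as HTML text, so stored data cannot become
// a cross-site scripting payload when the client script writes it into the page.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// req = { cookies: { sid }, query: { accountId, admin? } } (constructed shape).
// Returns { status, headers, body } the way a framework handler would.
function handleAjaxRequest(req) {
  const cookies = req.cookies || {};
  const query = req.query || {};
  const json = (status, body) => ({
    status,
    // A JSON content type keeps browsers from rendering the response as HTML.
    headers: { "Content-Type": "application/json; charset=utf-8" },
    body,
  });

  // 1. Authenticate from the server-side session, not from request fields.
  const session = SESSIONS[cookies.sid];
  if (!session) return json(401, { error: "not authenticated" });

  // 2. Validate input against the allowlist before touching any data.
  if (!validateAccountId(query.accountId)) return json(400, { error: "invalid accountId" });

  const account = ACCOUNTS[query.accountId];
  if (!account) return json(404, { error: "no such account" });

  // 3. Authorise on the server. A client-supplied "admin" flag is never read;
  //    access follows from the session role and account ownership only.
  const allowed = session.role === "admin" || account.owner === session.userId;
  if (!allowed) return json(403, { error: "forbidden" });

  // 4. Escape free-text fields the client will render; leave numbers as numbers.
  return json(200, {
    accountId: query.accountId,
    label: escapeHtml(account.label),
    balance: account.balance,
  });
}
```

The point of the example is that every decision (who the caller is, what they may see, what shape the input must have) is taken from server-side state or an allowlist, so a request carrying admin=true or a crafted accountId gets the same treatment as any other. Escaping the label here covers the case where the page's script inserts the value with innerHTML; escaping at the exact point of insertion into the DOM is the more general rule and can be used instead of, or in addition to, escaping in the handler.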
Tags: ajax, security, java, script, secure, ajax+secure, make+ajax, java+entrepreneur