By Dan Cornell
Presumably most folks have seen about the Yahoo Mail worm that surfaced today. This was bad enough and an excellent example of the security perils associated with AJAX.
This will get even worse as more and more organizations build so-called mashup sites. It is bad enough when your organization controls all of the AJAX endpoints your application talks to. You have enough to worry about writing secure AJAX functions and guarding against cross site scripting attacks on your own application. With mashups your applications has to pull content from a variety of applications - some created by your organization or under your control, and others from potentially untrusted third parties. This drastically alters your architecture and requires careful risk analysis if it is going to be done in a secure manner. There are some slides addressing this issue in my original OWASP San Antonio presentation about AJAX security and sprajax.
Organizations and developers seem to be so enamored with what they can do with AJAX when they should be focused on what they should do. With great power comes great responsibility...
dan _at_ denimgroup.com
PS - I am getting close to the next release of sprajax which will have some support for the Google Web Toolkit (GWT). I have been busy and on the road this week and haven't had time to get this finished. I might release some interim code that enumerates the GWT service endpoints but doesn't yet do the fuzzing.