Ajax applications may be less secure than standard Web applications. At a minimum, splitting an app into two distinct programmatic components—one for the browser, one for the server—appears to open up Ajax-specific vulnerabilities.

Although the ‘X’ in Ajax stands for XML, many Web 2.0 apps don’t actually use XML as a container for the data being sent to and from the client and server. Instead, they pass data as a JavaScript object or as code that can be evaluated in JavaScript, simplifying client-side processing.

The problem—recently highlighted in a Fortify Software advisory and originally described over a year ago—is that this approach leaves users vulnerable, in particular, to cross-site request forgery attacks. In such an attack, a Web site can cause your browser to make requests to another domain name with your current session cookie for that site, and access the returned data by overriding default JavaScript functions.

This means a lot of Ajax applications must be updated. If the framework developers can’t get it right, what are the odds that an average developer can keep Ajax apps secure?
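As an added illustration (not code from the article or from the Fortify advisory), this Node.js sketch models the two defenses that follow from the description above: a cross-site script include arrives as a cookie-bearing GET that cannot carry a custom request header, and the data can only be captured if the response body is itself evaluable JavaScript. The header check, the guard prefix, the session store and the account data are constructed assumptions.

```javascript
// Added example: hardening an Ajax data endpoint so that a response fetched by a
// hostile page's <script src=...> include neither succeeds nor evaluates as code.
const GUARD = ")]}',\n"; // assumed prefix; makes the body a SyntaxError when run as a script

// Server side. `req` is a constructed request object: { method, headers, cookies }.
function serveAccountData(req, accountStore) {
  // A cross-origin <script>/<img> include is always a GET and cannot add custom
  // headers; require one that only the app's own same-origin XMLHttpRequest sets.
  if (req.method !== "POST" && req.headers["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, body: "" };
  }
  // The session cookie alone proves nothing: the browser attached it to the
  // attacker's request for free, exactly as the article describes.
  const session = req.cookies && req.cookies.sid;
  const account = session ? accountStore[session] : undefined;
  if (!account) return { status: 401, body: "" };
  // Wrap the data in an object (never a bare array) and prefix the guard, so the
  // body is not valid JavaScript even if some path still serves it to a script tag.
  return { status: 200, body: GUARD + JSON.stringify({ data: account }) };
}

// Client side (same origin): strip the guard and parse; no eval() of the body.
function parseGuardedResponse(body) {
  if (!body.startsWith(GUARD)) throw new Error("unexpected response framing");
  return JSON.parse(body.slice(GUARD.length));
}

// Defender's sanity check: does this body compile as a script? A bare JSON array
// does (which is what made overriding Array usable); the guarded body does not.
function isExecutableScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// Constructed sample session store.
const STORE = { s3ss10n: { email: "alice@example.test", balance: 1200 } };

function demo() {
  // Request as a hostile page's <script src> would produce it: GET, cookie, no custom header.
  const hostile = { method: "GET", headers: {}, cookies: { sid: "s3ss10n" } };
  // Request as the application's own XMLHttpRequest would produce it.
  const legit = { method: "GET", headers: { "x-requested-with": "XMLHttpRequest" }, cookies: { sid: "s3ss10n" } };
  return {
    hostileStatus: serveAccountData(hostile, STORE).status,                       // 403
    legitEmail: parseGuardedResponse(serveAccountData(legit, STORE).body).data.email,
    bareArrayExecutable: isExecutableScript(JSON.stringify([STORE.s3ss10n])),     // true
    guardedExecutable: isExecutableScript(serveAccountData(legit, STORE).body),   // false
  };
}
```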