I found this link to an interesting article on AJAX Security yesterday on the Secure Coding Mailing List, posted by Kenneth R. van Wyk. The article is by Stewart Twynham of Bawden Quinn Associates. The key points to take away are in the summary:
The AJAX "Top 5" security tips:
To succeed, you must start with good planning. Efforts should be focussed on reducing and simplifying the AJAX calls, and creating a standard format for responses that follows convention (ideally XML) where possible.
Follow best practice from sites such as the Open Web Application Security Project. This especially includes checking for Access Control and Input Validation flaws, whilst ensuring sensitive information travels over SSL rather than in the clear.
Never assume that Server Side AJAX checks for Access Control or User Input Validation will replace the need for final re-checking at the Server. Adding AJAX controls will never reduce your validation workload, they will only increase it.
Finally, you must be prepared to exercise a tight rein over your development team. Wonderful ideas using AJAX may sound compelling, but you should consider saving them for version 2, whilst you focus on building a rock-solid version 1.
I think the article is timely with the increased focus on AJAX in the web development space, and I have also wondered about the security implications of using AJAX in our applications without thought or pre-planning for security. Take a look at the article. What is your company or development project doing now for security when using AJAX (or some similar variation)?
Update (2/20/2006): Eric Pascarello mentioned in the comments he was interviewed recently by TechTarget on Ajax security. You can read the article here, but here is his list of things to watch for in developing with Ajax:
Pascarello's Rules of Thumb for Ajax Security:
1. If you use user authentication, make sure you check for it on the request page!
2. Check for SQL injections.
4. Keep the business logic on the server!
5. Don't assume every request is real!
6. Check the data with validation!
7. Look at the request's header information and make sure it is correct.
Great list! It goes back to the security mantra: Don't trust user input!
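To make the two lists concrete, here is an added example (my own code, not Twynham's, Pascarello's or anything from the TechTarget piece) of a single server-side AJAX handler that applies Pascarello's rules and Twynham's "re-check at the server" point in one place: it checks the session on the request itself, inspects the request headers, requires a per-session CSRF token so a forged cross-site request is rejected even though the browser attached the cookie, validates the JSON body, decides which row to touch from the session rather than the body, and binds the value as a SQL parameter. The site origin, the session store, the token, the header names (Origin, X-Requested-With, X-CSRF-Token) and the in-memory SQLite table are all assumptions constructed for the example; which headers count as "correct" for your application is a decision you have to make for your own client code.

```python
import json
import re
import sqlite3
from dataclasses import dataclass

# Everything below is constructed for the example: an in-memory SQLite table,
# a dict standing in for the session store, and hand-built request objects.

ALLOWED_ORIGIN = "https://app.example.com"  # assumed origin of our own pages
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# session cookie value -> (user id, per-session CSRF token); hypothetical store.
SESSIONS = {"sess-alice": (1, "tok-9f3c")}


def make_db():
    """Constructed users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, email) VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    conn.commit()
    return conn


@dataclass
class Request:
    method: str
    headers: dict
    cookies: dict
    body: str


def handle_update_email(req, db):
    """AJAX endpoint: the signed-in user changes their own e-mail address.
    Returns (HTTP status, response dict). Every check runs here on the server,
    whatever the client-side script did before sending."""
    # Rule 1: check authentication on the request page itself.
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401, {"error": "not authenticated"}
    user_id, csrf_token = session

    # Rule 7: the headers must look like a request our own script would send.
    if req.method != "POST":
        return 405, {"error": "method not allowed"}
    if req.headers.get("Origin") != ALLOWED_ORIGIN:
        return 403, {"error": "unexpected origin"}
    if req.headers.get("X-Requested-With") != "XMLHttpRequest":
        return 403, {"error": "not an XMLHttpRequest"}
    if not req.headers.get("Content-Type", "").startswith("application/json"):
        return 415, {"error": "expected JSON"}

    # Rule 5: don't assume the request is real. A cross-site page can make the
    # browser send our cookie, but it cannot read the per-session token.
    if req.headers.get("X-CSRF-Token") != csrf_token:
        return 403, {"error": "bad CSRF token"}

    # Rule 6 (and Twynham's re-check): validate the data here, not only in the browser.
    try:
        data = json.loads(req.body)
    except ValueError:
        return 400, {"error": "malformed JSON"}
    email = data.get("email") if isinstance(data, dict) else None
    if not isinstance(email, str) or len(email) > 254 or not EMAIL_RE.match(email):
        return 400, {"error": "invalid email"}

    # Rule 4: business logic stays on the server. The row to change comes from
    # the session, so a "user_id" smuggled into the body is simply ignored.
    # Rule 2: bound parameters, so the value can never be parsed as SQL.
    db.execute("UPDATE users SET email = ? WHERE id = ?", (email, user_id))
    db.commit()
    return 200, {"ok": True, "user": user_id}


def good_headers():
    """Headers our own page's XMLHttpRequest would carry (assumed)."""
    return {
        "Origin": ALLOWED_ORIGIN,
        "X-Requested-With": "XMLHttpRequest",
        "Content-Type": "application/json",
        "X-CSRF-Token": "tok-9f3c",
    }


def run_demo():
    """Drive the handler with constructed requests; returns the status codes
    and the final e-mail column so the outcome can be checked."""
    db = make_db()
    auth = {"session": "sess-alice"}
    cases = [
        # legitimate call from our own page
        Request("POST", good_headers(), auth, json.dumps({"email": "a@example.org"})),
        # no session cookie at all
        Request("POST", good_headers(), {}, json.dumps({"email": "a@example.org"})),
        # cross-site form post: cookie present, but no Origin/XHR header or token
        Request("POST", {"Content-Type": "application/x-www-form-urlencoded"}, auth,
                "email=x%40evil.example"),
        # injection attempt: rejected by validation before it reaches the query
        Request("POST", good_headers(), auth, json.dumps({"email": "x'; DROP TABLE users;--"})),
        # tries to pick another user's row; the field is ignored, own row updated
        Request("POST", good_headers(), auth, json.dumps({"user_id": 2, "email": "me@example.org"})),
    ]
    statuses = [handle_update_email(r, db)[0] for r in cases]
    emails = dict(db.execute("SELECT id, email FROM users ORDER BY id").fetchall())
    return statuses, emails


if __name__ == "__main__":
    print(run_demo())
```

Running it gives the statuses 200, 401, 403, 400, 200 for the five constructed requests, and only alice's row changes. The order of the checks matters less than the fact that none of them is skipped because "the page already checked that"; the client-side validation only improves the user experience, and the server must treat every AJAX call as untrusted input exactly as it would a normal form post.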