If you are developing an application that makes use of Ajax, for some Web 2.0 cleverness, please ensure that the API is locked down and secure.
It is vital to remember that any exposed API that your application might call behind the scenes via JavaScript can be discovered and called directly by 3rd party applications.
One of the biggest risks here is legacy projects that are Ajaxified by some “magic” converting process. Yes, the process might work, and the end result might look a bit like Web 2.0, but how much of what used to be your internal API has now inadvertently been exposed to the entire world?
Furthermore, since a lot more of the code base runs on the client side in an Ajaxified application, an attacker has more visibility into the flow, types and process of a web application than in the old server-side applications. This allows tinkering and alterations to be made, at runtime, on the client side. The server must not trust any input or flow control that happens on the client without strict validation.
Ajax ought to be used to make the user interface experience more pleasant and speedy, but it should not be trusted in any shape or form.
Another thing to consider is API calls that need to be made sequentially. You might know this, and always take care to call the functions in order, but what happens if an attacker does not share the same good conduct?
Examples were shown of a new class of denial of service attacks that make use of the exposed API to introduce logical errors that might stall the application entirely, or that use the application and the API to max out resources that the application controls.
On this last point, an example was shown where an attacker could reserve all the seats on a flight without making a single payment. The attacker used out-of-sequence function calls to the “behind the scenes” API to accomplish the task.
This scenario could easily have been avoided by forcing the function calls to be made in a specific order, by means of tokens, or by not making the API calls so granular to begin with.
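As an added illustration of the token-based ordering fix (example code written for this post, not from the original talk), here is a minimal server-side booking flow: every "behind the scenes" call must present a server-issued token whose state matches the step, unpaid holds expire, and one booking cannot lock more than a handful of seats. The seat names, step names, limits and the `SeatBookingAPI` class are assumptions for illustration.

```python
import secrets
import time

REQUIRED_STATE = {"reserve": "open", "pay": "open", "confirm": "paid"}  # step -> state needed
MAX_SEATS_PER_BOOKING = 4   # caps how much inventory a single booking may lock up
HOLD_SECONDS = 600          # unpaid holds are released after this (assumed value)


class SeatBookingAPI:
    def __init__(self, seats):
        self.free = set(seats)   # seats neither held nor sold
        self.bookings = {}       # token -> {"state", "seats", "started"}

    def start(self):
        token = secrets.token_urlsafe(16)  # opaque, server-issued, unguessable
        self.bookings[token] = {"state": "open", "seats": [], "started": time.time()}
        return token

    def _booking_for(self, token, step):
        b = self.bookings.get(token)
        if b and b["state"] == "open" and time.time() - b["started"] > HOLD_SECONDS:
            self.free.update(b["seats"])   # expired hold: seats go back on sale
            del self.bookings[token]
            return None, "hold expired"
        if b is None or b["state"] != REQUIRED_STATE[step]:
            return None, f"{step} not allowed here"   # unknown token or wrong order
        return b, None

    def reserve(self, token, seat):
        b, err = self._booking_for(token, "reserve")
        if err:
            return False, err
        if seat not in self.free or len(b["seats"]) >= MAX_SEATS_PER_BOOKING:
            return False, "seat unavailable or booking limit reached"
        self.free.remove(seat)
        b["seats"].append(seat)
        return True, "reserved"

    def pay(self, token):
        b, err = self._booking_for(token, "pay")
        if err or not b["seats"]:
            return False, err or "no seats held"
        b["state"] = "paid"   # a real payment-provider call is assumed to succeed here
        return True, "paid"

    def confirm(self, token):
        b, err = self._booking_for(token, "confirm")
        if not err:
            b["state"] = "confirmed"
        return not err, err or "confirmed"
```

Calling `confirm` before `pay`, or `reserve` after `pay`, is refused because the token's state does not match the step, and a hold that is never paid for gives its seats back instead of exhausting the flight.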
Ajaxify with care.