Using Asynchronous JavaScript and XML (AJAX) to jazz up corporate web sites may leave them vulnerable to years-old attacks, according to security researchers.

Billy Hoffman, lead research and development engineer at web security vendor SPI Dynamics, said at the Black Hat conference last week that many web developers are not paying attention to basic AJAX security issues.

AJAX allows a website to refresh content without reloading the entire page.

Among the biggest threats, said Hoffman, is that poorly coded AJAX sites can provide hackers with an opening to change the order in which a program executes functions.

"Any secrets stored in JavaScript will be found and exploited," Hoffman said in a white paper he wrote with Bryan Sullivan, development manager at SPI. "This is a far easier mistake to make in an AJAX application than in a traditional web application because the client plays a larger role in data processing, presentation and possibly storage."

Hoffman and Sullivan explained the security holes to attendees during a session at the conference.
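
An added example, not taken from the white paper or from SPI Dynamics: a server-side handler for a hypothetical AJAX checkout that rejects calls arriving in an order the application never intended, and keeps prices and coupon codes out of the JavaScript sent to the browser. The endpoint names, price table and coupon code are constructed for illustration.

```javascript
// Added example: server-side guard for a hypothetical AJAX checkout flow.
// Endpoint names, prices and the coupon code are constructed, not from the article.

// Allowed transitions live on the server; the order of calls made by the
// browser is untrusted input, because the client-side script can be altered.
const NEXT = { start: ["addItem"], addItem: ["addItem", "pay"], pay: ["ship"], ship: [] };

// Prices and coupon codes stay server-side; anything shipped in JavaScript is readable.
const PRICES = new Map([["book", 25], ["pen", 15]]);
const COUPONS = new Map([["SPRING-CONSTRUCTED", 0.1]]);

function newSession() {
  return { state: "start", total: 0, paid: false, log: [] };
}

// Handle one AJAX call. Returns an HTTP-like result and records the verdict,
// so that out-of-order requests are visible to whoever reviews the log.
function handleCall(session, endpoint, body = {}) {
  if (!NEXT[session.state].includes(endpoint)) {
    session.log.push({ endpoint, from: session.state, verdict: "rejected" });
    return { status: 409, error: `${endpoint} not allowed after ${session.state}` };
  }
  if (endpoint === "addItem") {
    const price = PRICES.get(body.item); // the client names an item, never a price
    if (price === undefined) return { status: 400, error: "unknown item" };
    session.total += price;
  } else if (endpoint === "pay") {
    const discount = COUPONS.get(body.coupon) ?? 0; // unknown coupon: no discount
    session.total = Math.round(session.total * (1 - discount) * 100) / 100;
    session.paid = true;
  }
  session.state = endpoint;
  session.log.push({ endpoint, from: session.state, verdict: "ok" });
  return { status: 200, state: session.state, total: session.total };
}
```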