While AJAX by itself doesn't create new security risks, it has a tendency to amplify the seriousness of several well-understood threats, including SQL injections, cross-site scripting and denial of service attacks, they said.
A case in point is this week's mass-mailing Yamanner worm, which took advantage of an apparent cross-site scripting error in Yahoo’s e-mail service to infect thousands of users.
The worm arrived in Yahoo e-mail user inboxes bearing the subject header "New Graphic Site" and was activated simply by a user opening the infected e-mail.
Such threats can be amplified in Web applications built with AJAX if proper care is not taken to validate user requests coming in via the browser, said Billy Hoffman, lead R&D engineer at Web security vendor SPI Dynamics in Atlanta.
AJAX is a programming technique that allows companies to make their Web sites more responsive to user input than pages built with HTML by enabling new content to be added to a Web page without needing the entire page to be reloaded.
The approach is more efficient than having an entire Web page reload every time content needs to be refreshed. But it also increases the amount of traffic flowing between the browser and the Web server, thus increasing the potential for attacks such as the Yammaner worm, Hoffman said.
"Right off the bat you have a lot more input that you have to validate" on the server side compared to traditional Web sites, he said. "With AJAX, you are opening a lot more doors into the application, so if you don't sanitise your user input" the potential for compromises also increases, he said.