AJAX is Evil – Demo at Facebook

A long time ago I said that we would run into the same security problems we had already started to fix in our web applications as soon as we began using AJAX, aka "Web 2.0" stuff. For example, XSS has been well known in web development for a while, and many developers try to avoid such vulnerabilities in their code, whether it is written in PHP, JSP, ASP or something else. Now they are confronted with AJAX, and everyone is expected to implement it in new and even in already existing applications. The problem is that developers aren't aware of the security risks of sending HTTP requests from a script to their application. To say it more clearly: many developers aren't aware that all the data transferred by JavaScript is visible to, and can be modified by, everyone. This means that anyone can manipulate the requests sent to your application, even if the target of those requests was never meant to be reachable by users directly. Of course this has always been the case, but it isn't as obvious as in old-school web application development.

I was ill today, so I thought it would be time to prove what I said long ago, and I went looking for a target. Because I had never looked at facebook.com anyway and it is one of the big players in the AJAX world, it was a good place to make the final test of my assertion.

First I checked some input fields with basic XSS tests, not the crazy encoded stuff or anything similar. Of course I found no vulnerabilities that way ;) Then I started analyzing the JavaScript stuff, aka AJAX. It took me just about 2 minutes to find the first XSS hole, and in the next 5 minutes I found even more. At this point I stopped my test, because this was proof enough for me: AJAX is Evil!

For those of you who would like to test it yourselves: log in to your facebook.com account, choose one of the following links and replace [uid] with your own uid. These links show four non-persistent (reflected) XSS vulnerabilities, which aren't that dangerous at first sight, but they show that using AJAX can lead to new security holes in an application.

XSS 1
XSS 2
XSS 3 (no uid of target needed, just login)
XSS 4
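The reflected XSS pattern behind the links above, as an added example that is not code from the original post or from facebook.com: a hypothetical AJAX endpoint builds an HTML fragment from a query parameter, once naively and once with the value HTML-escaped before it is inserted. The endpoint path, parameter names and sample URL are constructed for the example.

```javascript
// Added example (not from the original post): an AJAX endpoint handler that
// reflects a request parameter into an HTML fragment the client inserts via
// innerHTML. Every parameter in such a request is under the requester's control.

// Escape the characters that let request-supplied text change HTML structure.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Parse the query string of an AJAX request URL into key/value pairs.
function parseQuery(url) {
  const params = new URL(url, 'http://localhost').searchParams;
  return Object.fromEntries(params.entries());
}

// Naive handler: the value goes straight into the fragment, so any markup
// in `name` becomes part of the page once the client renders the response.
function naiveFragment(url) {
  const { name = '' } = parseQuery(url);
  return `<div class="greeting">Hello, ${name}!</div>`;
}

// Hardened handler: same fragment, but the value is escaped first and can
// therefore only ever render as text.
function safeFragment(url) {
  const { name = '' } = parseQuery(url);
  return `<div class="greeting">Hello, ${escapeHtml(name)}!</div>`;
}

// Constructed request URL (hypothetical endpoint and parameters) whose
// `name` parameter carries markup instead of a plain name.
const sampleUrl = '/ajax/greet.php?uid=12345&name=' + encodeURIComponent('<b>Bob</b>');

// Detection helper for a response test: does the fragment contain any tag
// other than the <div> our template emits?
function containsForeignTag(fragment) {
  const stripped = fragment.replace(/<\/?div[^>]*>/g, '');
  return /<[a-z!\/]/i.test(stripped);
}
```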

PS: If AJAX is Evil (it is!), why is Google using it anyway? :P


6 Comments to “AJAX is Evil – Demo at Facebook”

1. John J.

    Ajax, in and of itself, isn’t evil, just as PHP isn’t evil (yes, I know it has its own internal flaws, but most of the problems come from outside the core). Developers who ignore good security rules are evil. Developers need to realize that nothing that comes from outside their personal code is going to be clean; there is no security gained in obscurity.

2. Disenchant

    Hi John,
    of course you’re right, AJAX isn’t evil in itself, because JavaScript and XML aren’t (at least from my point of view) at all. The problem is, as I wrote in my blog posting, that developers aren’t aware of the threats they have to deal with when they’re using AJAX, even if the problems are the same ones they already know about. So the answer to the question of whether the technologies behind AJAX (JavaScript and XML) are evil is, as I already wrote, NO, but the answer to the question of whether it’s evil to use AJAX for everything just to make it look good, even if the developers don’t know the risks, is YES. So I really have to say that the title of my blog posting isn’t perfect, but I think people will get the point anyway :)

3. Daniel

    Nice article. I just wanted to say what John said. But the article is good, because when I do AJAX stuff, I spend most of the time testing and optimizing it, and that often results in having less time to check the incoming data on the server side.

4. travis

    Sven,

    Nice article, I always enjoy reading your site. It’s funny how new implementations of code always introduce the same vulnerabilities. Ajax just adds another complex layer that allows worms to spread (e.g. Samy). Phishing + XSS = Owned; I’m not sure many people get that. Keep up the good articles.

    travis

    http://travisaltman.com

5. rubenriojas

    Good post.

6. TakingOff

    Hmmm, I am tempted to try this.
