Security of Java based AJAX frameworks: Security challenges in the Web 2.0 era

Author Georg Raffer
Publisher VDM Verlag Dr. Müller
Book Details
Author(s): Georg Raffer
ISBN / ASIN: 363914192X
ISBN-13: 9783639141924
Availability: Usually ships in 24 hours
Sales Rank: 20,319,870
Marketplace: United States

Description

Unfortunately, while AJAX incorporates the best capabilities of both thick-client and thin-client architectures, it is vulnerable to the same attacks that affect both types of applications. Thick-client applications are insecure because they could be decompiled and analyzed by an attacker. The same problem exists with AJAX applications - in fact even more so, because in most cases the attacker does not even need to go to the effort of decompiling the program. Knowing the attack surface and the architectural weakness of a chosen AJAX framework lays the foundation for a software architect to design and develop secure and enterprise-ready AJAX web applications. This paper not only discusses general vulnerabilities of AJAX-based web applications, but also reflects these in a real-world example showing the attack surface for applications built with state-of-the-art AJAX frameworks like JBoss Seam and Google Web Toolkit. The findings of this paper help software architects and developers to get a practical understanding of potential attacks. They are a contribution to increasing the security of web applications.