AJAX Hacker Attacks - Cross Site Request Forgery

I was reading an article that was posted yesterday about various AJAX security vulnerabilities that was pretty interesting.  It documents how many AJAX frameworks allow GET requests to hijack JSON messages and process them as the attacker desires.  This is a big deal since any sensitive information included within a JSON message would be viewable to a clever CSRF (Cross Site Request Forgery) hacker. 

Microsoft's Scott Guthrie cleared up the issue with regard to the ASP.NET AJAX framework today.  He wrote up a great post describing how the framework automatically disables GET requests by default (the UpdatePanel uses POST operations) and how it requires a special application/json Content-Type header on each request, which the server checks before processing the call.  The architects of the ASP.NET AJAX framework did a great job thinking this through and ensuring that the framework prevented these types of attacks "out of the box".

Read Scott's blog about how ASP.NET AJAX prevents CSRF out of the box here.
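As an added example (not code from Scott's post, from this post, or from the ASP.NET AJAX framework itself), here is the same guard written in Python: a JSON endpoint accepts a request only when it is a POST that declares Content-Type: application/json. The sample requests are constructed, and the function names are my own.

```python
# Added example, not ASP.NET AJAX code: a minimal server-side guard in the
# spirit of the check described above. The reason the two conditions help:
# a cross-site <script src="..."> include can only issue a GET, and an HTML
# form can only submit form-encoded, multipart or text/plain bodies, so
# neither a script tag nor an auto-submitted form can satisfy both.
# A script on the application's own page using XMLHttpRequest can.


def content_type_media_type(value):
    """Media type of a Content-Type header value, lower-cased and without
    parameters such as charset; None when the header is absent."""
    if value is None:
        return None
    return value.split(";", 1)[0].strip().lower()


def json_request_allowed(method, headers):
    """Defender-side check for a JSON service call.
    `headers` maps header name -> value; names compare case-insensitively."""
    lowered = {name.lower(): value for name, value in headers.items()}
    if method.upper() != "POST":
        return False  # GET requests are refused outright
    media_type = content_type_media_type(lowered.get("content-type"))
    return media_type == "application/json"


# Constructed sample requests (not captured traffic), labelled by origin.
SAMPLE_REQUESTS = {
    # legitimate XMLHttpRequest call from the application's own page
    "xhr_post_json": ("POST", {"Content-Type": "application/json; charset=utf-8"}),
    # what a <script src="..."> include on another site can send
    "script_tag_get": ("GET", {}),
    # what an auto-submitted HTML form on another site can send
    "form_post_urlencoded": ("POST", {"Content-Type": "application/x-www-form-urlencoded"}),
    "form_post_text": ("POST", {"content-type": "text/plain"}),
}


def evaluate_samples():
    """Run the guard over every constructed request; name -> allowed?"""
    return {name: json_request_allowed(method, headers)
            for name, (method, headers) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name:22s} -> {'allowed' if allowed else 'rejected'}")
```

Only the XMLHttpRequest-style request passes; the two shapes a cross-site page can produce are both rejected.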

On a side note, who comes up with acronyms like CSRF anyway?  Is there some company that specializes in clever acronyms and standardizes them?  I wonder what their hourly rate is.  :-)

Published Wednesday, April 04, 2007 3:26 PM by dwahlin

Comments

# Using the ASP.NET AJAX ScriptMethodAttribute to Return XML Data

Monday, July 23, 2007 11:35 PM by Dan Wahlin's WebLog

Web Services provide a convenient way to pass data between AJAX applications and a server. ASP.NET AJAX