I had a watch today on the webcast How Hackers Reverse Engineer and Exploit an Ajax Application. There wasn't any new security issue as we already should know as AJAX or web application developers. Samples did show how to hack the AutoComplete.asmx web service (using ASP.NET AJAX) which was used on a demo web application using SQL Injection.
But one thing I noticed was very interessting in the question and answers box in Microsoft Live Meeting during the webcast:
Question: If I secure WebServices using FormAuthentication, will it prevent Hacking Ajax WebService?
Answer: No necessarily, it will reduce hacking by users who do not have credentials, but will not unilaterally secure your app.
Question: Does normally a web service require a security key to call that can prevent attacker from calling it successfully?
Answer: not unless you specifically develop your app that way ?
Question: Ajax-Client see data as clear text, Is this easier to hack than what a user sees in browser as clear text? (specially by marlicious js code by hacker fro Mashup)
Answer: No - both are pretty easy ..
Question: Sorry, I missed the first 20 minutes of the webcast, are you saying that it is good or bad to use ASP.NET AJAX, security-wise?
Answer: Good - but like ALL dev technology, you need to be doing the right things in your code !!
Question: FireBug showed MS-Ajax AutoComplete uses POST while Google-Suggest uses GET, any security issue? or Just SOAP vs. REST, comment on POST vs. GET
Answer: No - also, SOAP is not used by defualt using MS AJAX
Are we really read for AJAX? Are you ready writing secure web applications? I feel very bad when I see how easy it is to find open webs. A simple search for user filetype:asmx on Google returned me a long list of web services where sometimes it was possible to get a list of usernames. While web services are still developed (sometimes) unsecure, are AJAX applications more secure, now?