Is there AJAX security risk when using WebAsyst web services?
We have recently added several improvements to WebAsyst by utilizing AJAX technology. Since AJAX functions are written in JavaScript, WebAsyst users must configure their browser to allow JavaScript to run on their computer. This in turn has caused some of our clients to raise JavaScript security concerns. Some fear that a webpage containing JavaScript code can potentially be vulnerable to privacy attacks, opening a way to retrieve someone else’s Internet cookies or other sensitive information.
These are fair questions, especially if your database is hosted on a server other than your own (as it is in the case of WebAsyst hosted users). There exist several security issues in web development technologies that can potentially create security problems. However, most of them (Cross-Site Scripting (XSS), Cross-Site Request Forgery (XSRF)) are not unique to AJAX. They have been known and addressed before. In fact, the level of security that software can provide depends entirely on how well its developers understand the technology and its flaws.
The security level of WebAsyst accounts has not changed since we introduced AJAX, nor has the WebAsyst development team’s approach to the software it produces. Our software team members are experienced developers; they keep track of both new technology innovations and their potential security issues, which they take very seriously. As a result, WebAsyst software is as resistant to software piracy as possible, and our customers are guaranteed completely confidential access to their information.
A great deal of research has been done on the topic of Web 2.0 and AJAX security. For more information you can consult the following resources:
JavaScript Tutorial from www.howtocreate.co.uk/
AJAX security page from www.cgisecurity.com/
“Attacking AJAX Web Applications”, August 2006 Black Hat conference presentation by iSEC