I hope that all the AJAX and REST people will take the opportunity to review Amit Klein's work [1] on XMLHttpRequest, among other attack patterns, so that the Web 2.0 people understand how absolutely trivial it is to subvert these schemes. SOAP/WS-*/SAML has added a lot of useful security mechanisms, but from a security standpoint AJAX looks to be DOA.
Since Web 2.0 has improved on lots of Web 1.0 features, can they also please update the security model, which was not sufficient even for Web 1.0, while they are at it?
Andrew van der Stock has some slides on the litany of problems that is the Ajax security oxymoron.