Well it was interesting to see that on a recent article by Help-Net Security they report that Cross Site Scripting was the number one security issue that plagues Web 2.0 technologies. This is a pretty interesting take one one fairly major issue - not that XSS is or isn’t bad but how AJAX increases the attack surface.
To quote the article:
I think the only difference between AJAX applications and normal web applications from an XSS perspective is that I’ve seen more examples where application developers attempt to do the escaping at the client level rather than at the server level. That creates several attack points instead of just one. Instead of just having to encode the output at the server level now it muddies the water.
So while I don’t think AJAX adds any additional attack vectors it definitely does increase the attack surface area and the potential for exploitation. Further attacks against web 2.0 technologies will be released in the future as browser technology evolves but for now things are about the same as they have been for traditional web applications. Muddying the water is bad, trust me.