Ajax Security Basics and testing

I’ve recently had a chance to write some Ajax in a side project that I’ve been working on and through use of it I started thinking about how one could easily use it to do evil things. Doing evil things reminds me of security testing, and I haven’t had an opportunity to test an application that uses Ajax but am pretty interested in finding some good exploits when I do get the chance. Before you get all “You had the chance to test it Brent, didn’t you test YOUR Ajax code Brent? You’re in Software QA and you don’t test your own code?”. Let me tell you that I did think about it being exploited, and if it did it wouldn’t really matter in my situation. šŸ™‚

But while thinking about it, I did find the following article on Ajax Security Basics that would help a tester start thinking about how to attack the technology. After working with it, and reading the article, when I think about how dangerous this could be to an application I rank it up there with the danger of using <frames>. Are any of you testing Ajax applications? Do you have any advice or test cases you’d be willing to share?