I came across a nice post by Greg Murray on recommendations for AJAX component writers. It's a summary of a larger document. I particularly liked this point:
Protect your serverside assets
Never put business logic or server-side access code in JavaScript. Be careful, for example, when exposing JSF method/value binding expressions like #{SomeBean.someMethod} or classes/method names to be invoked on the server, as it exposes your internal domain model and could be exploited. If you provide such a mechanism, make sure a JavaScript client can call only the methods intended to be available to the client. Never put SQL statements in JavaScript code. Always remember JavaScript code is visible to the client with the click of a button. Always validate request parameters on the server regardless of whether the request originated from an AJAX client or not.
I see plenty of Ajax applications or enhancements being written that access a backend via simple CRUD messages, making it simple for an attacker to gain access to your persistence layer/database. I'd go a step further and say that you ought to treat DHTML/JavaScript as just a rendering tier, keeping your display and validation logic and its interactions with the business tier (provided you're using the knee-jerk n-tier design) on the server side.
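To make the two points concrete, here is an added example (not code from the original post, Greg Murray's document, or any particular framework) contrasting the two ways an AJAX endpoint can dispatch client requests. The `db` object is a hypothetical in-memory stand-in for a persistence layer, and the action names, session shape, and validation rules are assumptions made for the illustration. The vulnerable dispatcher lets the client name the server-side method, which is the same exposure as handing out a method binding expression; the hardened one maps a fixed allow-list of client-facing actions to handlers that validate parameters and check authorization on the server.

```javascript
// Added example, not from the original post. `db` is a hypothetical
// in-memory persistence layer; a real application would talk to a database.
const db = {
  users: new Map([
    [1, { id: 1, name: 'alice', email: 'alice@example.com' }],
    [2, { id: 2, name: 'bob', email: 'bob@example.com' }],
  ]),
  findUser(id) { return this.users.get(id) || null; },
  updateEmail(id, email) {
    const user = this.users.get(id);
    if (user) user.email = email;
    return user;
  },
  // Administrative operation that must never be reachable from a browser.
  deleteAllUsers() { this.users.clear(); return true; },
};

// VULNERABLE: the AJAX client names the server-side method and supplies its
// arguments. The entire domain object becomes callable from the browser,
// including deleteAllUsers(), and nothing is validated or authorized.
function dispatchVulnerable(request) {
  const { method, args } = request;
  return db[method](...args);
}

// Server-side parameter validation shared by the hardened handlers.
function asUserId(value) {
  if (!Number.isInteger(value) || value <= 0) throw new Error('invalid id');
  return value;
}

// HARDENED: a fixed allow-list of client-facing actions. Each handler
// validates its parameters and checks authorization against the server-held
// session, never trusting the request body for identity or method names.
const actions = {
  getProfile(params, session) {
    const id = asUserId(params.id);
    if (id !== session.userId) throw new Error('forbidden');
    return db.findUser(id);
  },
  setEmail(params, session) {
    const id = asUserId(params.id);
    if (id !== session.userId) throw new Error('forbidden');
    if (typeof params.email !== 'string' ||
        !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(params.email)) {
      throw new Error('invalid email');
    }
    return db.updateEmail(id, params.email);
  },
};

function dispatchHardened(request, session) {
  // hasOwnProperty (not `in`) so inherited names such as "toString" or
  // "__proto__" cannot be used as action names.
  const handler = Object.prototype.hasOwnProperty.call(actions, request.action)
    ? actions[request.action]
    : null;
  if (!handler) throw new Error('unknown action');
  return handler(request.params || {}, session);
}
```

The difference is not the transport but who decides what runs: in the hardened form the set of callable operations, the parameter checks, and the ownership check all live on the server, so the client-side JavaScript is only a renderer of the results. Adding a new client action means writing a new validated handler, not exposing another method of the domain model.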
