To make things clear, AJAX applications have two parts:
- Server side
- Client side
Now, what the paper is talking about is the client side: playing with the DOM,
hijacking JavaScript by inserting malicious code... But when could
this happen? If a website is vulnerable to XSS! To protect your
website/application from XSS, simply never trust any external data; it's
the general rule, which is valid for all application development. And
when an application is vulnerable to XSS, I don't think we need to give
it a new name, because techniques of exploiting XSS bugs are countless.
So we talked about the client side, which is vulnerable but not harmful! Back to the server side of AJAX
applications: if we don't follow that rule (never trusting external data,
applying correct validation and correct application design), our application will
certainly be vulnerable, and in this case it could be harmful.
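The "never trust any external data" rule applied to an AJAX response on the client side, as an added example that is not from the paper or the original post. The function names and the sample response are assumptions constructed for illustration.

```javascript
'use strict';
// Added example: hypothetical helper names, constructed sample data.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only absolute http(s) links; any other scheme becomes "#".
function safeHref(value) {
  try {
    const url = new URL(String(value).trim());
    return (url.protocol === 'http:' || url.protocol === 'https:') ? url.href : '#';
  } catch (_) {
    return '#'; // relative or malformed input is rejected in this sketch
  }
}

// Parse an AJAX response body and render one list item.
// Every field of the response is treated as external data.
function renderComment(responseText) {
  let data;
  try {
    data = JSON.parse(responseText);
  } catch (_) {
    return '<li>invalid response</li>';
  }
  if (data === null || typeof data !== 'object') return '<li>invalid response</li>';
  const author = escapeHtml(data.author ?? '');
  const text = escapeHtml(data.text ?? '');
  const href = escapeHtml(safeHref(data.homepage ?? ''));
  return `<li><a href="${href}">${author}</a>: ${text}</li>`;
}

// Constructed sample response carrying markup and a script-scheme link.
const sample = JSON.stringify({
  author: 'Mallory "M"',
  text: '<img src=x onerror=alert(1)>',
  homepage: 'javascript:alert(1)',
});
console.log(renderComment(sample));
```

In a browser, assigning the values through `textContent` instead of building an HTML string removes the need for the text-context encoding step.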
Conclusion
If your application is vulnerable to XSS, it is harmful - AJAX
is just the tool, which has always been used; nothing really new. The
only problem I see here is that many developers don't really care about
XSS bugs and don't find them harmful, so this will depend on your
application, and you need to do further investigation before drawing
conclusions.