AJAX can amplify security threats, analysts say

16.06.2006

"AJAX is a combination of JavaScript and XML. Both have security issues that AJAX helps to facilitate," said Jason Bloomberg, an analyst with ZapThink LLC, a Baltimore-based consultancy specializing in XML and Web services.

For example, AJAX environments can provide more opportunities for hackers to launch SQL injection attacks, he said. These are attacks directed against Web applications that use client-supplied data to execute database queries. AJAX environments can present more opportunities for hackers to inject malformed SQL queries and compromise applications if proper validation measures are not taken, he said.

"The main concern is that AJAX involves new approaches in providing functionality at the browser interface," Bloomberg said. "So developers are more likely to make mistakes where traditionally they would know how to build a secure Web site."

If adequate server-side protections do not exist, AJAX can leave more doors open for malicious clients to send corrupted data, expose back-end applications that were not previously vulnerable and allow unauthenticated users to quickly elevate their privileges, said Mandeep Khera, vice president of marketing with Cenzic Inc., a Santa Clara, Calif.-based vendor of application testing tools.
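As an added illustration of the two points above (not code from the article or from the firms quoted), here is a hypothetical AJAX lookup endpoint in Python: one version splices the client's JSON field straight into the SQL, the other applies the server-side validation Khera describes and binds the value as a parameter. The table, handler names and sample request bodies are constructed for the example.

```python
import json
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the back-end database
    an AJAX endpoint would query (not from the article)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return db


def lookup_vulnerable(db, body):
    """Hypothetical handler for an XMLHttpRequest POST: trusts the
    client-supplied JSON 'name' and concatenates it into the SQL string."""
    name = json.loads(body)["name"]
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_hardened(db, body):
    """Same endpoint with server-side validation plus a parameterised query,
    so client data is only ever a bound value, never part of the SQL."""
    name = json.loads(body).get("name")
    if not isinstance(name, str) or not name.isalnum() or len(name) > 32:
        raise ValueError("rejected client-supplied name")
    sql = "SELECT id, name, role FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()


def demo():
    """Run both handlers on a benign and a malformed (constructed) request
    body and return what each one produced."""
    db = make_db()
    benign = json.dumps({"name": "bob"})
    malformed = json.dumps({"name": "x' OR '1'='1"})
    results = {
        "vuln_benign": lookup_vulnerable(db, benign),
        "vuln_malformed": lookup_vulnerable(db, malformed),  # every row leaks
        "hard_benign": lookup_hardened(db, benign),
    }
    try:
        lookup_hardened(db, malformed)
        results["hard_malformed"] = "accepted"
    except ValueError:
        results["hard_malformed"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```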

Companies certainly need to be aware of such risks, said Tim Farmer, manager of the software architect team at Choice Homes Inc. in Arlington, Texas. But for the moment, at least, "the benefits that you get from AJAX outweigh the risks -- so long as you make good decisions on what kind of information you are exposing out there," Farmer said.