The attack surface is larger, as there are more inputs to be secured.
It also exposes the internal functions of the application.
Failure to protect authentication information and sessions.
The line between client-side and server-side code is very thin, so security mistakes are easy to make.
Here is an example of AJAX security testing −
Step 1 − We need to try to add more rewards to our allowed set of rewards using XML injection. Below is the snapshot of the scenario.
Step 2 − Make sure that we intercept both the request and the response using Burp Suite. The settings for this are shown below.
Step 3 − Enter the account number as given in the scenario. We then get a list of all the rewards that we are eligible for. We are eligible for 3 rewards out of 5.
Step 4 − Now let us click 'Submit' and see what we get in the response XML. As shown below, the three rewards we are eligible for are returned to us as XML.
Step 5 − Now let us edit that XML and add the other two rewards as well.
Step 6 − Now all five rewards are displayed for the user to select. Select the ones that we added and click 'Submit'.
Step 7 − The following message appears saying, "* Congratulations. You have successfully completed this lesson."
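The lesson succeeds only because the server honours whatever reward list comes back from the client. The following added example (not code from the lesson or from WebGoat) contrasts that trusting pattern with a server-side check that recomputes eligibility from its own store and rejects any reward the account never earned; the account number, reward ids and the `<selection>` XML format are all constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed server-side store: the ONLY authoritative record of which
# rewards an account has earned. Account number and reward ids are made up.
ELIGIBILITY_DB = {
    "ACCT-0001": {"reward-1", "reward-2", "reward-3"},
}
# Full catalogue, including rewards this account has not earned.
CATALOGUE = {"reward-1", "reward-2", "reward-3", "reward-4", "reward-5"}

MAX_BODY = 4096  # refuse oversized bodies before parsing them


def parse_selection(xml_body: bytes) -> list[str]:
    """Extract reward ids from the client's XML, e.g.
    <selection><reward id="reward-1"/></selection> (constructed format).
    Prefer defusedxml.ElementTree in production to block entity expansion."""
    if len(xml_body) > MAX_BODY:
        raise ValueError("request body too large")
    root = ET.fromstring(xml_body)
    if root.tag != "selection":
        raise ValueError("unexpected root element")
    return [r.get("id", "") for r in root.findall("reward")]


def redeem_trusting_client(account: str, xml_body: bytes) -> set[str]:
    """Vulnerable pattern: the list the client sends back is honoured as-is,
    so a tampered response or request yields rewards that were never earned."""
    return set(parse_selection(xml_body))


def redeem(account: str, xml_body: bytes) -> set[str]:
    """Hardened: recompute eligibility server-side and accept only rewards
    in that set; any unknown or unearned id fails the whole request."""
    eligible = ELIGIBILITY_DB.get(account, set())
    requested = set(parse_selection(xml_body))
    unknown = requested - CATALOGUE
    unearned = (requested & CATALOGUE) - eligible
    if unknown or unearned:
        # A client asking for rewards it was never offered is a strong
        # tamper signal: log account and rejected ids, and alert on it.
        raise PermissionError(
            f"account {account}: rejected {sorted(unknown | unearned)}")
    return requested


# Constructed tampered request: all five rewards, including two unearned ones.
TAMPERED = b"<selection>" + b"".join(
    f'<reward id="reward-{i}"/>'.encode() for i in range(1, 6)) + b"</selection>"
```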
Client side −
Server side −