Though information is passed through the querystring for the server requests shown in this article, that does not make the web application vulnerable to SQL injection techniques. Potentially, vulnerable, yes. Actual vulnerability depends on how the server is validating the data. Though certainly the password shouldn't be passed through without SSL as shown above, there's nothing inherently wrong with the way information is being sent via asynchronous JS.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/infocus/1879/711#711