I do not think AJAX exposes internals more than traditional web apps, but it might well lead to a more featureful HTTP interface and therefore increase the range of things that can be attacked. The more you shift work onto the client, the bigger this effect becomes.
Even in a traditional web app, how do you know that your backend was really called by pressing a button on its front end? AFAIK this is too difficult, and instead the focus is usually on making sure the backend does what it is supposed to do and nothing else. This might include not doing anything for those not duly authorised.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds