A buddy of mine sent me this interesting article: http://www.spidynamics.com/assets/documents/JSportscan.pdf

The techniques described within aren't terribly damaging per se, but the idea that a hacker could use something like this as a first attack to narrow the scope of a second attack is pretty creative. Sometimes I think the security holes in JavaScript will eventually lead to a user backlash where everybody turns it off and AJAX goes away.