News

To secure AJAX requests and responses, developers should use techniques such as setting appropriate HTTP headers, using CSRF tokens and implementing authentication mechanisms.
A bit more snooping around uncovered that the AJAX eval() preview script wasn’t secured by a CSRF token, which could easily be exploited by a malicious hacker.
Of the 12 popular AJAX frameworks investigated by Fortify, only one—DWR 2.0—is designed to prevent malicious scripters from exploiting potential CSRF vulnerabilities.