Unfortunately, while AJAX incorporates the best capabilities of both thick-client and thin-client architectures, it is vulnerable to the same attacks that affect both types of applications. Thick-client applications are insecure because they could be decompiled and analyzed by an attacker. The same problem exists with AJAX applications - in fact even more so, because in most cases the attacker does not even need to go to the effort of decompiling the program. Knowing the attack surface and the architectural weakness of a chosen AJAX framework lays the foundation for a software architect to design and develop secure and enterprise-ready AJAX web applications. This paper does not only discuss general vulnerabilities of AJAX-based web applications, but reflects these in a real-world example showing the attack surface for applications built with state-of-the-art AJAX frameworks like JBoss Seam and Google Web Toolkit. The findings of this paper help software architects and developers to get a practical understanding of potential attacks. They are a contribution to increase the security of web applications.