Missing the point
Really? Because what typifies a well-formed AJAX request is that it is an individual request with parameters that match the schema offered by the server. For an attack to actually work as an attack, it would have to be either a significant number of requests, or have specifically malformed parameters, or both. I wouldn't hire a programmer who couldn't craft a server app to check for well-formedness, and I wouldn't pay a security pro who couldn't identify a significant increase in traffic as a problem.
"Potentially it provides a bridge between external internet applications and internal intranet applications behind the firewall."
EVERY system is insecure when implemented unwisely.
People with any sense (or paranoia) turn off both as well as most of the standard add-ons.
Yeah, let me know how that works for you. :-)
If you're a working stiff like myself, your employer probably requires you to leave your browser in "complete web-slut" mode to do your job. If you are _lucky_, you only need to turn it on to check that your payroll deposit was made, apply for vacation, change or even check your health-care benefits, fill in your status reports, etc. If not so lucky, pretty much every document you need is behind a "content management system" that makes Arthur Dent's little adventure finding his demolition notice look like a walk in the park. OK, Central Park, at night, but still...
almost to obvious!
As I truly share the thoughts of the previous commenter’s, I think this could truly pose a threat as being one of those things too obvious to detect