Missing the point
Really? Because what typifies a well-formed AJAX request is that it is an individual request with parameters that match the schema offered by the server. For an attack to actually work as an attack, it would have to be either a significant number of requests, or have specifically malformed parameters, or both. I wouldn't hire a programmer who couldn't craft a server app to check for well-formedness, and I wouldn't pay a security pro who couldn't identify a significant increase in traffic as a problem.
"Potentially it provides a bridge between external internet applications and internal intranet applications behind the firewall."
EVERY system is insecure when implemented unwisely.