Defending AJAX-enabled Web Applications