Vulnerability in ASP.NET ValidateRequest
The folks at ProCheckUp have found another vulnerability in the ValidateRequest functionality. This is the input filtering that Microsoft uses in .NET to try to prevent XSS attacks. The attack relies on a number of browser-specific tricks, such as comments, to bypass the filtering. This is not the first time a vulnerability has been found in ValidateRequest, and we're sure it won't be the last. And still some people persist in using it as their sole line of defense against XSS attacks, even contrary to Microsoft's own recommendations.
The entire paper can be found here.