The following message comes from the Phantom Forum [Ph4nt0m] mailing list
 
Since the early days of ASP.NET there has been a heavy reliance on the request validation performed to mitigate cross-site scripting issues, as many of the WebControls do not perform any output encoding.  In ASP.NET v1.1 the request validation performed was fairly restrictive.  It looked for tags, expressions, on-handler strings (onClick, etc.), javascript:, and "&#".  After reviewing an ASP.NET 2.0 site I found these protections have been simplified to just look for tags and "&#".

This has a number of interesting security impacts, as any 1.1 site which relies on these protections as mitigations for security issues will find itself vulnerable once it upgrades.  It would be interesting to know Microsoft's reasons for removing these checks.  I would assume it caused too many customer issues, perhaps interfered with AJAX in some way.

To recap, ASP.NET v1.1 performed the following checks:

  1. Look for "&#"

  2. Look for '<' then alphas or ! or / (tags)

  3. Look for "script:"

  4. Look for on handlers (onXXX=)

  5. Look for "expression("

  6. Skip elements named "__VIEWSTATE"

While ASP.NET v2.0 and higher performs the following:

  1. Look for &#

  2. Look for '<' then alphas or ! or / (tags)

  3. Skip elements with names prefixed with double underscore (__)

As you can see, the 2.0 version is much weaker than 1.1.
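To make the difference concrete, here is an added example (not part of the original post, and not Microsoft's implementation) that reconstructs both check lists exactly as enumerated above as two small validators, then runs a constructed sample form through them to list the fields that 2.0 would accept but 1.1 would have rejected.  The function names, the regexes and the sample field values are my own assumptions; the real ASP.NET matcher is not reproduced here.  A defender can run the same comparison over a site's own request parameters to see which inputs lost validation coverage after the upgrade, and therefore which outputs must be encoded explicitly.

```python
import re

# Shared checks (present in both 1.1 and 2.0, per the post's lists).
_TAG_RE = re.compile(r'<[A-Za-z!/]')          # '<' followed by alpha, '!' or '/'

def _has_char_ref(value):
    return '&#' in value

def _has_tag(value):
    return _TAG_RE.search(value) is not None

# Checks that only the 1.1 validator performed.
_ON_HANDLER_RE = re.compile(r'\bon[a-z]+\s*=', re.IGNORECASE)   # onXXX=

def _has_script_scheme(value):
    return 'script:' in value.lower()

def _has_on_handler(value):
    return _ON_HANDLER_RE.search(value) is not None

def _has_expression(value):
    return 'expression(' in value.lower()

def rejected_v11(name, value):
    """True if a 1.1-style validator would reject this form field (reconstruction)."""
    if name == '__VIEWSTATE':                 # check 6: only this field is skipped
        return False
    return (_has_char_ref(value) or _has_tag(value) or _has_script_scheme(value)
            or _has_on_handler(value) or _has_expression(value))

def rejected_v20(name, value):
    """True if a 2.0-style validator would reject this form field (reconstruction)."""
    if name.startswith('__'):                 # check 3: every double-underscore field is skipped
        return False
    return _has_char_ref(value) or _has_tag(value)

def weakened_fields(form):
    """Fields that 2.0 lets through but 1.1 would have rejected."""
    return [name for name, value in form
            if rejected_v11(name, value) and not rejected_v20(name, value)]

# Constructed sample form (hypothetical field names and values).
SAMPLE_FORM = [
    ('search',        'laptops under 500'),          # benign, accepted by both
    ('comment',       '<b>bold</b>'),                 # tag: rejected by both
    ('nick',          '&#60;x'),                      # char ref: rejected by both
    ('homepage',      'javascript:doSomething()'),   # script: only 1.1 catches it
    ('title',         'onclick=doSomething()'),      # on-handler: only 1.1 catches it
    ('style',         'expression(foo)'),            # expression(: only 1.1 catches it
    ('__EVENTTARGET', '<b>'),                         # __ prefix: 2.0 skips, 1.1 does not
    ('__VIEWSTATE',   '<b>'),                         # skipped by both
]

if __name__ == '__main__':
    for name, value in SAMPLE_FORM:
        print(f'{name:14} v1.1 rejects={rejected_v11(name, value)!s:5} '
              f'v2.0 rejects={rejected_v20(name, value)}')
    print('lost coverage in 2.0:', weakened_fields(SAMPLE_FORM))
```

Running it prints a per-field comparison and then the list of fields whose validation coverage disappeared in 2.0: the three non-tag patterns plus any double-underscore field other than __VIEWSTATE.  The practical takeaway is the one the post makes: request validation was never a substitute for encoding at the output point, and after the upgrade it covers even less.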

Enjoy!