Bypassing ASP validaterequest?

[Liuser]

ASP.net enables validaterequest filter by default on its installation. For those unfamiliar with this, it is essentially a filter that checks for potential malicious cross site scripting and injections into forms.

Reading ProCheckup's research paper, they formulated attack vectors mainly revolving around this to bypass the filter:

Code:

<~/XSS/*- */STYLE=xss:e/**/xpression(alert('XSS'))>

However, this was 2 years ago, and it appears to not work any longer with the most recent patches (I found a post of a user during my googling who is experimenting the same results as well).

My google-fu may be weak, however I have not come upon anything new, has anyone else? Tips? I also noticed quite a few people bashing on the validaterequest filter within the past year on other forums saying it is weak, however with no reason as to why it is weak. If anyone can shed some light on this as well, it would be much appreciated.

I am performing these tests legally, and am just seeking to better myself in the web assessment division.

[compaq]

Hi Liuser
I'm guessing because of the ~ ,IIS could be looking for chars in the ranch of 0x01-0x20/25, and stop reading whats after that, maybe some strcmp function, some parts of code in the function that does length checking can break out, like a null was sent , eg x3ax11x11x11, but there are 100s of dwords that can do it, the code above might at the start might have one of those combinations
in google chrome
file:///?%fe?
has the same type of logic , in the url bar, the ? stopps reading it as a address , but a var
just a guess

[Liuser]

I appreciate the input and lead compaq. You have me thinking about what is occurring under the hood of ASP. I will integrate your suggestions while I continue my fuzzing.