pagvac from ProCheckUp released an advisory on how to bypass ASP.NET XSS validation.

This attack is only possible with Internet Explorer users as it exploits the old IE CSS comment hack; a very creative find indeed from the guys at ProCheckUp.

Proof of Concept:

Alert box injection - simply provided for testing purposes
(may cause DoS issues on Internet Explorer)
http://target/vuln-search.aspx?term=</XSS/*-*/STYLE=xss:e/**/xpression
(alert('XSS'))>

ASP.NET will also escape double quotes(“), so although a number .NET servers are vulnerable to this, it is somewhat mitigated by this fact.

ASP Auditor (with a little mod) could be used to test if your web server(s) are vulnerable. Let me know if your interested. I hope to add this check to the tool shortly.