Not run into this before (ASP built in detection), anyone know how this works and what it's based on?

It's based on two routines that are called by the System.Web.HttpRequest class during it's validation and parsing phase.

The relevant code is :

internal static bool IsDangerousString(string s, out int matchIndex)
{
matchIndex = 0;
int startIndex = 0;
while (true)
{
int num2 = s.IndexOfAny(startingChars, startIndex);
if (num2 < 0)
{
return false;
}
if (num2 == (s.Length - 1))
{
return false;
}
matchIndex = num2;
char ch = s[num2];
if (ch != '&')
{
if ((ch == '<') && ((IsAtoZ(s[num2 + 1]) || (s[num2 + 1] == '!')) || (s[num2 + 1] == '/')))
{
return true;
}
}
else if (s[num2 + 1] == '#')
{
return true;
}
startIndex = num2 + 1;
}
}




internal static bool IsDangerousUrl(string s)
{
if (string.IsNullOrEmpty(s))
{
return false;
}
s = s.Trim();
int length = s.Length;
if (((((length > 4) && ((s[0] == 'h') || (s[0] == 'H'))) && ((s[1] == 't') || (s[1] == 'T'))) && (((s[2] == 't') || (s[2] == 'T')) && ((s[3] == 'p') || (s[3] == 'P')))) && ((s[4] == ':') || (((length > 5) && ((s[4] == 's') || (s[4] == 'S'))) && (s[5] == ':'))))
{
return false;
}
if (s.IndexOf(':') == -1)
{
return false;
}
return true;
}

You can use Lutz Roeder's Reflector to view the code directly in the System.Web.CrossSiteScriptingValidation class.

btw, does this forum support [ code ] tags?

Ha, thanks. I'm too lazy to install visual studio etc. it seems reasonably effective, at least it detects tags or events and some keywords. There is definitely scope to work around it though given it's "blacklisting" approach.

ive come across a lot of sites with this.
but if the XSS is into a link or into javascript you can still exploit using quotes, onmouse events and other javascript if your in tags

http://www.xssed.com/archive/author=PaPPy/