I keep trying to hammer home the message of having layered security measures. Even so, I am still bad / lazy at it. I like that Microsoft has included request filtering right into ASP to help prevent XSS attacks. This filtering means that someone cannot submit a comment to a blog that contains something like this: <script>alert("Ping");</script>. While that is not harmful, you can see the power of it.

But security is like an onion and should have many layers. Although we rely on having the request filtering on, what happens if someone finds a way around it? Are you validating user input? Or relying on Microsoft to do it for you? I am the first one to say that I am relying on Microsoft to do it for me (I am terrible, I know).

I just got an email stating that someone had found a way to bypass the Microsoft request filtering. While this is not something in the wild that I have heard about, it's possible. There are no details on this, as I assume the person who discovered it is working with Microsoft to patch this vulnerability (more info here).

So just another lesson to not rely on some "cure all" technology but to use it as a supplement to your own security.
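
One way to add your own layers behind the request filtering, as an added example that is not from the original post: the class `CommentGuard`, its method names and the length limit are assumptions made for illustration. The validation step passes the sample comment, and the encoding step is what renders it as plain text.

```csharp
using System;
using System.Linq;
using System.Net;

// Added example: a second and third layer behind the framework's request
// filtering. CommentGuard and MaxLength are hypothetical, not a real API.
public static class CommentGuard
{
    private const int MaxLength = 2000; // assumed limit for a blog comment

    // Your own input validation: enforce what a comment is allowed to be,
    // rather than trying to enumerate what an attack looks like.
    public static bool TryValidate(string raw, out string cleaned, out string error)
    {
        cleaned = null;
        error = null;
        if (string.IsNullOrWhiteSpace(raw)) { error = "empty comment"; return false; }
        string text = raw.Trim();
        if (text.Length > MaxLength) { error = "comment too long"; return false; }
        // Control characters other than newline/tab have no place in a comment.
        if (text.Any(c => char.IsControl(c) && c != '\n' && c != '\r' && c != '\t'))
        {
            error = "control characters not allowed";
            return false;
        }
        cleaned = text;
        return true;
    }

    // Output encoding: applied every time the comment is written into HTML,
    // so markup that slipped past every earlier filter is displayed as text.
    public static string RenderHtml(string comment)
    {
        return "<p class=\"comment\">" + WebUtility.HtmlEncode(comment) + "</p>";
    }

    public static void Main()
    {
        // Constructed input: the sample from the post, treated as if the
        // request filter had been bypassed and it reached application code.
        string submitted = "<script>alert(\"Ping\");</script>";
        if (TryValidate(submitted, out string cleaned, out string error))
            Console.WriteLine(RenderHtml(cleaned));
        else
            Console.WriteLine("rejected: " + error);
    }
}
```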