Sunday, July 10, 2011

XSS - not as easy as it used to be

I am preparing a lecture about web site security and was starting with good old XSS. I did a very similar lecture two and a half years ago and demonstrated some of the OWASP Top 10 on a very big Israeli community site. As it happens, the guys from this site finally realized that their site was much like Swiss cheese, so they plugged most of the holes.
I thought it would be fun to create a simple ASP.NET site that would demonstrate the flaws I found back then in the community site. However, it seems that with the new age of browsers (all major browsers) and with the new ASP.NET runtime it is very hard to perform even a simple XSS. I am not a big Microsoft fan (nor a fan of any other big corporation), but I must say that Microsoft did a hell of a job making ASP.NET almost completely idiot-proof for newbie web developers. It checks the query string for XSS and throws exceptions at you, it encodes stuff, it validates HTTP request parts – it ruins all the fun :)

But don't worry – I already made the first page demonstrating some ways to perform XSS attacks. I will upload it to this blog sometime in the near future.