Richard Brain has published a whitepaper on bypassing .NET XSS protection.

"The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest [1] setting. ValidateRequest has been a feature of ASP.NET since version 1.1. This feature consists of a series of filters, designed to prevent classic web input validation attacks such as HTML injection and XSS (Cross-site Scripting). This paper introduces script injection payloads that bypass ASP .NET web validation filters and also details the trial-and-error procedure that was followed to reverse-engineer such filters by analyzing .NET debug errors.

It is worth noting that the techniques included in this paper are meant to be used when ValidateRequest is enabled, which is the default setting of ASP .NET. ValidateRequest can be enabled or disabled on a per-page basis or as an application-wide configuration.

Many developers lack proper security training, and being time-constrained rely on ASP .NET‟s advertised protective abilities to guard their applications. Automated application testing for HTML injection will likely be prevented by the ValidateRequest filters. This ultimately means that tests to ensure that applications have been written following secure programming guidelines can be invalidated.

It is important to mention that Microsoft officially states that their .NET request validation cannot replace an effective validation layer restricting untrusted input variables."

Whitepaper: http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf