I am highly recommend to read blog post describe how ATLAS framework preventing such hacks.
Quick summary of his post:
- ASP.NET Ajax webservices by default restrict calling them using HttpGet. But you can turn off this check by using attribute [ScriptMethod(UseHttpGet=true)]
- ASP.NET ajax framework using content-type validation.
Content-Type: application/json; charset=utf-8
One more time I’d like to mention that each ASP.NET developer should start using Microsoft Anti-Cross Site Scripting Library V1.5 to avoid common xss security holes in their web applications.