Forbid JS-Injections in ASP.NET

I found a site which uses ASP.NET and some users use JS-injections to steal datas from other users and the admins didn't fixed the problem for a month.

So my idea was to mail them a function which fixes the securityhole, but I'm not familiar with ASP.NET.

What is the best way to increase the security and forbid JS-Injections? "<script></script>", "<script type="text/javascript"></script>" and "<script type="text/javascript" src="somesite/cookiestealer,js"></script>" is not filtered.

Edit: I didn't test it, but I think iframes are also not filtered like other HTML tags.

just don't do it, not worth it, they might fix it over time and if not then it's still not your business to make a creepy script which might mess up their entire site.

The easiest solution for corporate-driven sites is deploying a WAF and/or IDS. I encourage you mail the company you found to be vulnerable, and explain, in layman's terms, that their website might pose a possible security threat to them.

WAFs are a great way to help mitigate risk inherent in applications. For IIS (as they are running ASP) you can use an ISAPI filter called WebKnight. For those of you familiar with URLScan, WebKnight has all the functionality provided in URLScan plus quite a few additional features. Tuning it is pretty simple, it comes with an .exe build the xml configuration and most of it is check-boxes.

It's important to note tho, that while WAFs are good to have as part of an overall security posture, they do not replace penetration tests and code reviews.