Anil John posted some observations about cross-site scripting attacks and the mitigations offered by ASP.NET 1.1.
Matt Lyons did an XSS demo explaining some of this at the 2003 PDC Security Symposium. His demo is in the middle session: SECSYM2 – Security Symposium: Putting Security Theory Into Practice: Processes and Policies. Check it out here. You need to navigate through the Symposia heading.
Update: I really messed up the attribution on this. Anil was linking to an entry by Julie Lerman.