Scott Guthrie has a great post on how to limit your exposure to JSON hijacking in ASP.NET AJAX 1.0.
What's JSON hijacking?
The good news? ASP.NET AJAX does not enable HTTP GET requests by default. So that will help.
Also, ASP.NET AJAX enforces Content-Type header validation. This protects you because a malicious code insertion would find it very difficult to set the Content-Type header appropriately, so ASP.NET will barf on the request.
He explains it much better than I. Read the whole thing.
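The GET default only helps while nobody turns it off. As an added example (not from this post or from Scott Guthrie's), here is a small audit script that scans C# source for methods that opt back in to GET through the `UseHttpGet` property of `ScriptMethod`; the sample service and the function name `find_get_enabled_methods` are constructed for illustration.

```python
import re

# Constructed sample of an ASP.NET AJAX script service (illustrative only).
SAMPLE_SOURCE = """\
[ScriptService]
public class ContactService : WebService
{
    [WebMethod]
    public Contact[] GetContacts() { return Load(); }

    [WebMethod, ScriptMethod(UseHttpGet = true)]
    public Contact[] GetContactsViaGet() { return Load(); }

    // [ScriptMethod(UseHttpGet = true)]  (commented out, must be ignored)
    [WebMethod]
    [ScriptMethod(ResponseFormat = ResponseFormat.Json, UseHttpGet = false)]
    public string Ping() { return "ok"; }
}
"""

# ScriptMethod / ScriptMethodAttribute with UseHttpGet set to true.
GET_OPT_IN = re.compile(
    r"\bScriptMethod(?:Attribute)?\s*\([^)]*\bUseHttpGet\s*=\s*true\b")
# A public method declaration: captures the method name.
METHOD_DECL = re.compile(r"\bpublic\s+[\w<>\[\],\s]+?\s+(\w+)\s*\(")


def find_get_enabled_methods(source):
    """Return (method_name, attribute_line) for each method that enables GET."""
    findings = []
    pending_line = None  # line of an opt-in attribute awaiting its method
    for lineno, raw in enumerate(source.splitlines(), start=1):
        # Drop // comments so disabled attributes are not reported.
        # (Simplification: block comments and "//" inside strings are not handled.)
        line = raw.split("//", 1)[0]
        if GET_OPT_IN.search(line):
            pending_line = lineno
        decl = METHOD_DECL.search(line)
        if decl:
            if pending_line is not None:
                findings.append((decl.group(1), pending_line))
            pending_line = None
    return findings


if __name__ == "__main__":
    for name, lineno in find_get_enabled_methods(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} accepts HTTP GET, review what it returns")
```

Any method it reports has given up the default described above and should be reviewed for whether its JSON response contains data worth protecting.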