What is a Cross Site Scripting (XSS) Attack?

A Cross Site Scripting (XSS) attack is one in which an attacker injects client-side script into a site through the user input that the site accepts. This type of attack can be used for malicious activities such as hijacking cookies or another user's session information. The injection can happen, for example, through a textbox your site provides for users to enter data, or through a query string. A malicious user can enter JavaScript in these locations, and if your site does not validate the user input and returns it to the browser, that script executes in the user's browser.

Protection in ASP.NET

ASP.NET validates incoming request data (form fields, query string and cookies) for potentially dangerous markup. This is controlled by the ValidateRequest attribute, which can be set on an individual page or for the whole application in web.config. A page-level ValidateRequest attribute looks as follows:

<%@ Page ... validateRequest="true" %>

A ValidateRequest attribute in web.config looks as follows:

<system.web>
    <pages validateRequest="true" />
</system.web>

Request validation is enabled (true) by default. It is a defense-in-depth measure that rejects requests containing obviously dangerous markup; it is not a substitute for HTML-encoding untrusted data before writing it into the response.
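As an added example (not code from the original article), here is a Web Forms code-behind that shows the unsafe reflection of query-string input the article describes beside its HTML-encoded form; the page class Greeting and the two Label controls lblGreetingUnsafe and lblGreetingSafe are assumed to exist in the matching .aspx markup.

```csharp
// Added example, not part of the original article.
// Assumes a Greeting.aspx page containing two Label controls:
//   <asp:Label ID="lblGreetingUnsafe" runat="server" />
//   <asp:Label ID="lblGreetingSafe" runat="server" />
using System;
using System.Web;
using System.Web.UI;

public partial class Greeting : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Untrusted input supplied by the visitor, e.g. Greeting.aspx?name=...
        // With validateRequest="true" (the default) ASP.NET rejects values that
        // look like markup with an HttpRequestValidationException, so neither
        // line below runs for such input. That is a coarse safety net only.
        string name = Request.QueryString["name"] ?? string.Empty;

        // VULNERABLE: Label.Text is rendered verbatim into the HTML response,
        // so any markup contained in 'name' is parsed by the browser.
        lblGreetingUnsafe.Text = "Hello, " + name;

        // HARDENED: HTML-encode before output. '<', '>', '&' and '"' become
        // entities, so the value is displayed as text instead of executed.
        lblGreetingSafe.Text = "Hello, " + HttpUtility.HtmlEncode(name);
    }
}
```

Encoding at the point of output is the primary control; request validation only reduces the chance that a missed encoding becomes exploitable.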