Does the application send any dynamic output without first encoding it?
Does the application enforce a specific character set in the web.config file or on a per-page basis?
Does the application filter input and encode output wherever it writes data through the DHTML innerHTML property, the insertAdjacentElement and insertAdjacentHTML methods, or the TEXTAREA element (TextArea object)?
Could the programmers use innerText (or textContent) rather than innerHTML, so that untrusted data is assigned as text and never parsed as markup?
Do frame and iframe elements have the security attribute set to restricted? (This attribute is honored only by Internet Explorer; other browsers use the standard sandbox attribute for the same purpose.)
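The first four questions above come down to one rule: dynamic data is encoded for the context it lands in, and on the client it is assigned as text rather than markup. The block below is an added example written for this checklist, not code from the original page or from any Microsoft library; the greeting functions and the payload string are constructed for the illustration. It shows the unencoded pattern next to the encoded one, an attribute-context encoder, and textContent-based insertion that degrades to a plain console demonstration when no DOM is present.

```javascript
// Added example: context-aware HTML output encoding and safe DOM insertion.
// Nothing here is from the original checklist; names are illustrative.

// Encode for an HTML text node: the five characters that can change parsing.
function encodeForHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Encode for a quoted HTML attribute value: everything except alphanumerics
// becomes a numeric reference, so the value can never close the attribute
// regardless of which quote style the template used.
function encodeForHtmlAttribute(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/gu,
    (ch) => '&#x' + ch.codePointAt(0).toString(16) + ';');
}

// The vulnerable pattern the first question asks about: dynamic output
// concatenated straight into markup.
function greetingUnsafe(name) {
  return '<p>Hello, ' + name + '</p>';
}

// The corrected pattern: the same output, encoded for its context.
function greetingSafe(name) {
  return '<p>Hello, ' + encodeForHtml(name) + '</p>';
}

// innerText/textContent rather than innerHTML: assigning textContent creates a
// text node and never invokes the HTML parser, so a payload is displayed, not run.
function setUntrustedText(element, untrusted) {
  element.textContent = String(untrusted);
  return element.textContent;
}

// Constructed payload for the demonstration.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

if (typeof document !== 'undefined') {
  // In a browser: the paragraph shows the payload literally, nothing executes.
  const p = document.createElement('p');
  setUntrustedText(p, PAYLOAD);
  document.body.appendChild(p);
} else {
  console.log(greetingUnsafe(PAYLOAD)); // markup survives: would execute when rendered
  console.log(greetingSafe(PAYLOAD));   // &lt;img ...&gt;: rendered as visible text
}
```

The attribute encoder is deliberately broader than the text encoder: in an unquoted or single-quoted attribute, characters such as space, `=` and `'` are as dangerous as `"`, so encoding everything non-alphanumeric removes the dependence on how the template happened to quote the value.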
Do forms use GET when a POST would be more appropriate?
Do sensitive transactions require multiple steps, including user confirmation?
Do forms check the Referer header to verify the source of input?
Can users enter IMG or hyperlink tags whose URL causes another user's browser to submit a request, that is, to perform a CSRF attack on their behalf?
Does the HTML content contain employee names, e-mail addresses, or phone numbers that could be used in a social engineering attack?
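The four CSRF questions above describe a single server-side decision for a state-changing endpoint: accept only POST, and verify where the request came from. The block below is an added example written for this checklist, not code from the original page; the allowed-origin list, the request objects and the function names are assumptions made for the illustration. It prefers the Origin header, falls back to Referer, parses both with the URL API so that look-alike hosts and paths cannot pass a substring match, and fails closed when no usable header is present.

```javascript
// Added example: request-source check for sensitive transactions.
// Not from the original checklist; origins and requests are constructed.

const ALLOWED_ORIGINS = ['https://app.example.com']; // assumed deployment origin

// Returns the origin the browser claims the request came from, or null if no
// header is present, the value is the opaque "null" origin, or it cannot be
// parsed. Origin is preferred (no path, sent on cross-origin POSTs); Referer is
// the fallback. Parsing with URL means https://app.example.com.evil.test or a
// path containing "app.example.com" does not match a naive string comparison.
function requestSourceOrigin(headers) {
  const raw = headers['origin'] || headers['referer'];
  if (!raw || raw === 'null') return null;
  try {
    return new URL(raw).origin;
  } catch (e) {
    return null;
  }
}

// Decision for a state-changing request. Only POST is accepted, so a GET form,
// an IMG tag or a hyperlink placed by another user cannot trigger the action,
// and a missing or foreign source is rejected rather than assumed benign.
function allowStateChange(req, allowedOrigins = ALLOWED_ORIGINS) {
  if (req.method !== 'POST') {
    return { allowed: false, reason: 'method must be POST' };
  }
  const origin = requestSourceOrigin(req.headers);
  if (origin === null) {
    return { allowed: false, reason: 'no usable Origin/Referer header' };
  }
  if (!allowedOrigins.includes(origin)) {
    return { allowed: false, reason: 'source origin ' + origin + ' not allowed' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample requests (header names lower-cased as most servers do).
const SAMPLE_REQUESTS = [
  { method: 'POST', headers: { origin: 'https://app.example.com' } },
  { method: 'GET',  headers: { origin: 'https://app.example.com' } },
  { method: 'POST', headers: { referer: 'https://app.example.com/transfer?to=1' } },
  { method: 'POST', headers: { referer: 'https://app.example.com.evil.test/app.example.com' } },
  { method: 'POST', headers: {} },
  { method: 'POST', headers: { origin: 'null' } },
];

for (const req of SAMPLE_REQUESTS) {
  const verdict = allowStateChange(req);
  console.log(req.method, JSON.stringify(req.headers), '->', verdict.reason);
}
```

Two caveats for anyone applying this: privacy proxies and a strict Referrer-Policy can strip the Referer on legitimate requests, so failing closed on a missing header must be combined with an unguessable per-session anti-forgery token in the form, and the header check then serves as defence in depth; and the opaque `null` origin (sandboxed frames, some redirects) is treated as untrusted here on purpose.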
Do HTML meta tags reveal unnecessary information?
Does the HTML content contain any unnecessary comments?
Does the application use structured error handling to avoid the default ASP.NET error handler?
Do error handlers always fail securely?
Do errors reveal too much information?
Does the application use generic error handlers rather than the built-in error handlers?
Do log files contain user passwords, credit card numbers, or other sensitive information?
Are all debugging, tracing, and detailed error messages turned off in production applications?
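The character-set, error-handling, tracing and debugging questions above are mostly answered by a handful of web.config settings. The fragment below is an added example for this checklist, not configuration from the original page; it uses the standard ASP.NET system.web elements, and the redirect page paths are assumptions. The first fragment is the weak configuration the questions would flag, the second the production form.

```xml
<!-- Added example: settings that the checklist questions above would flag.
     Debug builds, full error pages for remote clients, and trace output
     visible to everyone. -->
<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
  </system.web>
</configuration>

<!-- Corrected production settings (paths are assumed for the example). -->
<configuration>
  <system.web>
    <!-- Fixed character set, so output encoding is not undone by a
         browser guessing an alternate encoding. -->
    <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    <!-- No debug symbols or debug behaviour in production. -->
    <compilation debug="false" />
    <!-- Generic error page for remote users; detailed pages only on the
         server itself. defaultRedirect replaces the built-in ASP.NET error
         page, which still identifies the framework even in generic form. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
    </customErrors>
    <!-- Trace output off, and never viewable from a remote client. -->
    <trace enabled="false" localOnly="true" />
  </system.web>
</configuration>
```

Two points worth checking alongside the file: a structured handler (Application_Error in Global.asax, or try/catch at the page level) should log the exception with its details and then show only the generic page, which is the fail-securely behaviour the checklist asks for; and on a shared server, `<deployment retail="true" />` in machine.config forces debug, trace and custom errors into their production state for every application, so a single application's web.config cannot switch them back on.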