Here is an example of a manipulated request which has been handled by a HttpListener. I think the problem should be somewhere here: https://github.com/mono/mono/blob/a31c107f59298053e4ff17fd09b2fa617b75c1ba/mcs/class/System/System.Net/HttpListenerRequest.cs#L162 where the hostname validation is not sufficient.
GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept-Encoding: gzip, deflate Connection: keep-alive Cache-Control: max-age=0
The response looks like this:
HTTP/1.1 400 Bad Request Content-Type: text/html; charset=utf-8 Server: Mono-HTTPAPI/1.0 Date: Thu, 17 Apr 2014 15:30:50 GMT Content-Length: 103 Connection: Close
<h1>Bad Request (Invalid url: http://"><script>alert(123)</script>:80/index.html)</h1>