There is always something new to learn… Didn’t know this little trick. A very simple example:
A website has a reflected XSS vulnerability (it echoes the parameter abc in this example), but escapes the double quote character. We use the property that web browsers do not send the fragment part of a URI (everything after the hash character #) to the web server:
Ever been Rick Roll’d by Google? What does this link look like?
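The fragment behaviour described above, as an added example that is not part of the original post: it models which part of a URL a browser puts into the HTTP request (path plus query) and which part never leaves the client (the fragment), then places a client-side renderer that writes the fragment into markup next to a hardened one. The host `example.invalid`, the parameter name `abc` and the sample fragment are constructed for the demo; the server-side filter is a stand-in for the site's quote escaping and only ever sees the query string.

```javascript
// Added example, not code from the original post. Shows why a server-side
// filter on the query string cannot see the fragment, and what the client
// side must do instead.

// Split a URL the way a browser does when building an HTTP request:
// the request target is path + query; the fragment stays in the browser.
function splitForTransport(urlString) {
  const url = new URL(urlString);
  return {
    requestTarget: url.pathname + url.search, // what the server receives
    fragment: url.hash,                       // what only the client has
  };
}

// Stand-in for the site's server-side filter: it escapes double quotes in the
// echoed parameter, but it runs on the query string only.
function serverEscapeQuotes(value) {
  return value.replace(/"/g, '&quot;');
}

// Escape a string for an HTML text context (all five significant characters).
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Client-side renderer that writes the decoded fragment straight into markup.
// This is the DOM-XSS pattern: the server filter never saw this value.
function renderFragmentUnsafe(hash) {
  const value = decodeURIComponent(hash.slice(1)); // drop the leading '#'
  return `<div id="out">${value}</div>`;
}

// Hardened renderer: same data flow, but the value is escaped for HTML.
// In a real page, prefer element.textContent over building markup strings.
function renderFragmentSafe(hash) {
  const value = decodeURIComponent(hash.slice(1));
  return `<div id="out">${escapeHtml(value)}</div>`;
}

// Constructed demo URL whose fragment carries markup characters.
// The URL parser percent-encodes < and > in the fragment, as browsers do.
const demoUrl = 'https://example.invalid/page?abc=hi#<b>fragment</b>';
const parts = splitForTransport(demoUrl);
console.log('server receives:', parts.requestTarget);        // /page?abc=hi
console.log('client keeps   :', parts.fragment);             // #%3Cb%3Efragment%3C/b%3E
console.log('unsafe render  :', renderFragmentUnsafe(parts.fragment));
console.log('safe render    :', renderFragmentSafe(parts.fragment));
```

The point of the split is that any server-side validation of `abc` is irrelevant to data read from `location.hash`; a page that reads the hash must escape it (or use `textContent`) on the client, and server logs will show nothing of the fragment, so this class of problem has to be found in the client code rather than in request logs.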
Credit goes to Marshall Whittaker, see http://seclists.org/fulldisclosure/2010/Jul/188.
The technique behind it is quite simple:
1. Find a Google query that shows your desired page on top. With query modifiers like intitle:, inurl: or site: this is quite easy.
2. Construct a Google URL that sends an “I’m Feeling Lucky” query.
3. Percent-encode your Google query from step 1 and the button name (“I’m Feeling Lucky”) to obfuscate them.
4. Prepend your Google query with a lot of %20 to fool the browser’s URL preview in the footer. Hovering over the link will not show the percent-decoded URL!
Update: The Google query was additionally appended with %20, so it looks the same in Firefox 5
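A way to see through such a link, as an added example that is not from the original post: it decodes a Google search URL, strips the %20 padding to recover the real query, and flags the two obfuscation signs the post describes, leading whitespace padding and percent-encoding of characters that never need it (letters, digits, `-._~`). The parameter names `q` and `btnI` are assumed to be Google's query and “I’m Feeling Lucky” parameters; the padded demo link and its query are constructed.

```javascript
// Added example, not code from the original post. Reveals what a padded,
// percent-encoded "I'm Feeling Lucky" link really searches for.

// Count %XX sequences that encode an unreserved character (RFC 3986).
// Such encoding is never required, so it is a strong hint of obfuscation.
function countNeedlessEncoding(rawComponent) {
  let n = 0;
  for (const m of rawComponent.matchAll(/%([0-9A-Fa-f]{2})/g)) {
    const ch = String.fromCharCode(parseInt(m[1], 16));
    if (/[A-Za-z0-9\-._~]/.test(ch)) n++;
  }
  return n;
}

// Decode a Google search link and report the real query plus obfuscation signs.
// 'q' and 'btnI' are assumed to be the query and "I'm Feeling Lucky" parameters.
function revealLuckyLink(href) {
  const url = new URL(href);
  const decodedQuery = url.searchParams.get('q') ?? ''; // %20 and + become spaces
  const paddingChars = decodedQuery.length - decodedQuery.trimStart().length;
  // Look at the still-encoded q value to count needless percent-encoding.
  const rawMatch = href.match(/[?&]q=([^&#]*)/);
  const needlessEncoding = countNeedlessEncoding(rawMatch ? rawMatch[1] : '');
  const feelingLucky = url.searchParams.has('btnI');
  return {
    host: url.hostname,
    query: decodedQuery.trim(),
    feelingLucky,
    paddingChars,
    needlessEncoding,
    // A redirecting search whose query is padded or needlessly encoded
    // is the pattern from the post.
    suspicious: feelingLucky && (paddingChars > 0 || needlessEncoding > 0),
  };
}

// Constructed demo: 8 x %20 padding, the word "intitle" spelled out as
// percent-encoded letters, then a harmless query for example.invalid.
const PAD = '%20'.repeat(8);
const OBFUSCATED_QUERY = '%69%6E%74%69%74%6C%65%3A%22example%20page%22';
const demoHref =
  `https://www.google.com/search?q=${PAD}${OBFUSCATED_QUERY}` +
  `&btnI=${encodeURIComponent("I'm Feeling Lucky")}`;

console.log(revealLuckyLink(demoHref));
// { host: 'www.google.com', query: 'intitle:"example page"', feelingLucky: true,
//   paddingChars: 8, needlessEncoding: 7, suspicious: true }
console.log(revealLuckyLink('https://www.google.com/search?q=example+page'));
// { ..., feelingLucky: false, paddingChars: 0, needlessEncoding: 0, suspicious: false }
```

The decode step is what the hover preview mentioned in step 4 does not do: `URLSearchParams` turns the padding into ordinary spaces, so trimming the result gives the query a reader would otherwise only see after clicking.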