There is always something new to learn… Didn’t know this little trick. A very simple example:
A website has a reflected XSS vulnerability (echoes the parameter abc in this example), but escapes " to ". We use the property that web browser do not send the fragment part of an URI (everything after the hash character #) to the web server:
http://example.com/index.php?abc=<script>eval(location.hash.slice(1))</script>#alert(“XSS!!!”);
See the page above for more advanced examples. This technique solves the escaping problem and the server logs never show the Javascript attack code.