While playing around looking for a way to catch XSS exploitation on a web application honeypot, I’ve stumbled on the problem of logging DOM XSS injections performed in the fragment portion of the URL. As specified by the RFCs, browsers are not required to send the fragment to the server, since it should be used only for client-side purposes. This is a problem in a scenario where a web app honeypot is involved, because we would want to log everything that could expose a potential attack.
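The gap described above, and one way a honeypot page could close it from the client side, as an added example that is not code from the original post. The endpoint `/__frag_log`, the function names and the sample URL are assumptions constructed for illustration.

```javascript
// Added example; endpoint path and function names are hypothetical.

// Server-side view: the request target is path + query only, so a payload
// placed after '#' never reaches the access log.
function requestTarget(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

// Client-side view: the fragment is available in location.hash, so the
// log record has to be built in the browser.
function buildFragmentReport(loc, now = Date.now()) {
  return JSON.stringify({
    ts: now,
    path: loc.pathname + loc.search,
    fragment: loc.hash.replace(/^#/, ""), // raw value as held by the browser
  });
}

// Report the fragment once on load and again on every hashchange, so that
// fragments set after navigation are logged as well.
function installFragmentLogger(win, endpoint = "/__frag_log") {
  const send = () => {
    if (!win.location.hash) return false; // nothing to report
    const nav = win.navigator;
    if (nav && typeof nav.sendBeacon === "function") {
      return nav.sendBeacon(endpoint, buildFragmentReport(win.location));
    }
    return false;
  };
  win.addEventListener("hashchange", send);
  return send();
}

// In a browser, install on the real window; under Node this is skipped.
if (typeof window !== "undefined") installFragmentLogger(window);
```

The script has to load before any page code that reads or rewrites the hash, and the receiving endpoint must treat the logged fragment as untrusted input and encode it whenever the logs are displayed.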