Path Encoding Vulnerability in https/www redirects.

302-based header injection can be really useful to leak ?query data by putting them in the #fragment. Many web servers are configured in a way to redirect http://site.com/%23lol to http://www.site. They kill initial encoding, putting query data in location.hash. And this is a vulnerability. There are just thousands of open-redirects out there leaking access_token-s. I personally found an open redirect leaking user’s token on 2 out of 3 huge websites I checked.

Source: http://homakov.blogspot.com/2014/01/path-encoding-vulnerability-in-httpswww.html
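The redirect flaw described in the excerpt, shown beside a redirect builder that keeps the original encoding. This is an added example, not code from the original post; the host `www.site.example`, the function names and the token value are constructed for illustration.

```python
from urllib.parse import quote, unquote, urlsplit

CANONICAL_ORIGIN = "https://www.site.example"  # assumed canonical host
# Characters left untouched: existing %XX escapes plus RFC 3986 path characters.
PCHAR_SAFE = "/%:@!$&'()*+,;="

def split_target(request_target):
    """Split a raw HTTP request-target into (path, query) without decoding it."""
    path, _, query = request_target.partition("?")
    return path, query

def redirect_decoding(request_target):
    """Flawed: percent-decodes the path before writing the Location header."""
    path, query = split_target(request_target)
    return CANONICAL_ORIGIN + unquote(path) + ("?" + query if query else "")

def redirect_preserving(request_target):
    """Hardened: keeps %XX escapes as received and encodes anything unsafe
    ('#', CR, LF, space) that would otherwise reach the header."""
    path, query = split_target(request_target)
    safe_path = quote(path, safe=PCHAR_SAFE)
    safe_query = quote(query, safe=PCHAR_SAFE + "?")
    return CANONICAL_ORIGIN + safe_path + ("?" + safe_query if query else "")

def client_view(location):
    """How a URL parser on the client splits the Location value."""
    parts = urlsplit(location)
    return {"path": parts.path, "query": parts.query, "fragment": parts.fragment}

if __name__ == "__main__":
    target = "/%23lol?access_token=CONSTRUCTED_VALUE"  # constructed request
    for build in (redirect_decoding, redirect_preserving):
        location = build(target)
        print(build.__name__, location, client_view(location))
```

With the decoding builder the query string ends up inside the fragment, where page script can read it through `location.hash`; with the preserving builder it stays in the query and the fragment is empty.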
