In this recipe, we were testing for SQL Injection in a login form but noticed, by analyzing the server's responses, that the User-Agent header was being reflected and took that as an indicator of a possible XSS vulnerability. Then, we successfully exploited the XSS by appending an <IMG> tag to the header.
Header values, particularly User-Agent, are very commonly stored in application and web server logs. As a result, payloads sent in such headers are processed not directly by the target application, but by SIEM (Security Information and Event Manager) systems and other log analyzers and aggregators, which may also be vulnerable.
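The following is an added example, not part of the original recipe: a small log-review helper that flags User-Agent values carrying markup and shows a log viewer row rendered verbatim beside the escaped form. It assumes the Apache/Nginx "combined" log format; the function names and the sample lines are constructed for illustration.

```python
import html
import re

# Apache/Nginx "combined" format; the last quoted field is the User-Agent.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# Markup characters (raw, entity-encoded or URL-encoded) that a
# legitimate User-Agent string has no reason to contain.
MARKUP = re.compile(r'[<>]|&#|%3c|%3e', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not from a real log.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST /login HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "POST /login HTTP/1.1" '
    '200 498 "-" "Mozilla/5.0 <img src=x>"',
    '203.0.113.4 - - [01/Jan/2024:10:00:09 +0000] "GET / HTTP/1.1" '
    '200 733 "-" "Mozilla/5.0 %3Cimg%20src=x%3E"',
]


def parse(line):
    """Return the named fields of one combined-format line, or None."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def suspicious_entries(lines):
    """Return parsed entries whose User-Agent carries markup characters."""
    parsed = (parse(line) for line in lines)
    return [e for e in parsed if e and MARKUP.search(e["ua"])]


def render_row_unsafe(entry):
    # What a vulnerable log viewer does: the header value lands in HTML verbatim.
    return "<tr><td>%s</td><td>%s</td></tr>" % (entry["ip"], entry["ua"])


def render_row(entry):
    # Hardened: every log-derived field is escaped for the HTML context.
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(entry["ip"]), html.escape(entry["ua"]))


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_LOG):
        print(hit["ip"], "->", render_row(hit))
```

Escaping at render time is the actual fix; the pattern match only helps surface entries worth reviewing and will miss encodings it does not list.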