Good, bad and my favourite bug

Some bugs are bad; some of them are terrifying. But not ALL software errors are bad. The importance and severity of defects vary. Sometimes the benefit derived from removing an error is less than the cost of removing it.

Working as a tester, I have found hundreds of different bugs during my work and free time. I will demonstrate some of them for you (mostly those found during free time :o). Let’s start with my favourite defect: the (HTML) injection. The idea is to insert code into a free field. The magic comes from the fact that the page echoes the invalid input. (Dictionary)

This kind of bug might be quite dangerous when some of the following conditions are met:

  1. Input is saved and shown to other users. This enables, for example, Cross Site Scripting (XSS)
  2. Injection makes it possible to execute SQL statements (See example)
  3. Some illegal services are used through injection

I have found that this kind of defect is quite common. Even if it is common, it is quite easy to fix. As a rule of thumb, all inputs should be validated and special characters shouldn’t be allowed if they are not really necessary. In many cases characters and numbers are enough. If somebody has a cool solution for the input validation, please share it with us…
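As an added example (not code from the original post), here is one way to apply that rule of thumb in Python: an allow-list check for a field where letters and digits are enough, next to the echoing defect and its output-encoded form for fields that do need special characters. The function names, the 32-character limit and the sample inputs are assumptions made for illustration.

```python
import html
import re

# Allow-list for a field where letters and digits are enough
# (assumed rule: 1 to 32 ASCII letters or digits).
ALNUM_FIELD = re.compile(r"[A-Za-z0-9]{1,32}")


def is_valid_name(value: str) -> bool:
    """Accept the value only if every character is on the allow-list."""
    return ALNUM_FIELD.fullmatch(value) is not None


def render_echo_unsafe(value: str) -> str:
    """The defect: the page echoes the input verbatim into its HTML."""
    return "<p>You searched for: " + value + "</p>"


def render_echo_safe(value: str) -> str:
    """Encode on output so markup in the input is displayed as text."""
    return "<p>You searched for: " + html.escape(value, quote=True) + "</p>"


def handle_name_field(value: str) -> str:
    """Validate first, and still encode when echoing the value back."""
    if not is_valid_name(value):
        # The rejected value is deliberately not echoed in the error.
        return "<p>Invalid name: use letters and digits only.</p>"
    return "<p>Hello, " + html.escape(value) + "</p>"


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["Alice42", "<b>bold</b>", "Tom & Jerry"]:
        print(repr(sample))
        print("  unsafe:", render_echo_unsafe(sample))
        print("  safe:  ", render_echo_safe(sample))
        print("  name:  ", handle_name_field(sample))
```

Validation limits what a field accepts; encoding at output time is what keeps the echoed value from being interpreted as markup when special characters have to be allowed.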
