The biggest problem of Web 2.0 is, any user and every user can try arbitrary input as the applications allow through forms or any other input fields. And adding a “emoji” is a test to me which is meaningful. Maybe the developers can think of 100 ways that a user will not include an emoji inside the form text fields, but developer shouldn’t forget about the combinations a brain can generate based on a situation / context, and also the emotions inside the brain which can make user do anything. Following is an example that I can think of,
A house owner is safeguarding his house with CCTV, well-trained dogs, sensors and what not. Even after having all these security measures, there is still a chance that a thief can get into the house with his / her skills. Also, there is a chance that a thief may be scared. You see that we have both the combination and both are valid ones. So is an “emoji”.
I repeat, any user and every user has the freedom of arbitrary input and if application lacks the validation mechanisms or doesn’t sanitize the inputs, the stakeholders just need to rely on their luck and prayer to the god (And the prayer is to not make any user think about such inputs). And we are doing a serious business here and we don’t rely on prayers and luck when we deal with software development.
Here are some of the high-level ideas that I can talk about,
// Sanitize every input through the text field
// Maintain alert feature to administrator if users try to use some inputs that can pose possible threats (For instance: if someone uses , stop them from using it by HTML encoding. Once stopped, also alert the administrator about this so that administrator is aware of this and can take necessary measures and also sets high-alert).
// I would use “Web Developer” add-on to quickly learn about the form values including the HTML tag attributes (You can download the “Web Developer” addon on Firefox at https://addons.mozilla.org/en-US/firefox/addon/web-developer/?src=ss) You could quickly use Forms utility in Web Developer addon to display the “Form Details”.
I will be looking at maxlength attributes, enabled / disabled values, autocomplete values if on / off, form POST request value and more details in order to test them and question their existence.
// I love Fuzzing and love to use Fuzzer from OWASP (You can read more about Fuzzing at https://www.owasp.org/index.php/Fuzzing and also there are tools listed and frameworks listed in the end of the article on the webpage)
// Now, fuzzing is not really sufficient. I would love to create a script that exercises across all the characters that exist in the computer world. I would use “Character Map” as my source to input characters in the input fields / form and record the results (request / response if its a website / web application).
// I would look for HTTP headers of forms. For instance if there is caching. What happens if a user makes some entry in the input fields which is invalid, but clicks on the submit form. The request is sent to the server, but server responds with an error for that input field (invalid data). But, the user is surprised to see that all the data in other input fields is also deleted or wiped off (Now, this can be very irritating and is a caching issue).
// Also, I would try to learn more about the code being used to create these input fields / form. Is there any third-party code being reused? Or else there is some JS framework being used without questioning it for its quality? And some more questions (I cannot think of now as I am sleepy :D).
These are some things that I can think of as of now. This is very smaller set of ideas for me and is just an example. Every application poses a different challenge and my ideas are exploratory when I start testing them or start creating a test strategy to test them. I hope this example (high-level) helps!