Also, the eszett or scharfes S (ß) is used. It exists only in a lowercase version since it can never occur at the beginning of a word (there are a few loan words starting with an s followed by a z (e.g. Szegediner Krautfleisch but that is not the same as the eszett which counts as one letter).

In all caps it is converted to SS….

There’s a new unicode symbol for the capital version, but a lot of old applications will still force that into an SS. So a word like confuße might get uppercased to CONFUSSE, and if you set the string to the maxlength, uppercasing it will blow that up.

To be honest, I did discover this when I was working on an application for a German customer and I (and only I of a team of far more seasoned QA people than I at the time) sought out the German alphabet to learn its vagaries.

I just ruined a little of my mystique, didn’t I?

However, if your application might possibly be localized to German, you have my permission to use this. Use this new power only for good. Strangely, though, QA good means evil to everyone else, but that’s not our fault.

Remember to check your form fields for these bad dogs when you can.

(Link courtesy the Twitterverse.)

You can view that sample here.

I hope that my regular readers and especially those of you who got here by a Google search find it useful for your testing documentation.

Click for full size

It offers the user the opportunity to enter some sort of contest to go to Nashville. It’s obviously a Web browser in kiosk mode, but this one has a full keyboard with a trackball and two mouse buttons. Uh oh.

So I click the Contest Rules link at the bottom and get the contest rules, which has a naked link at the top that takes you back to the form. But hover over the link and right click and…. Uh oh.

Click for full size

What happens if I open that in a new window? Hello, Internet!

Click for full size

So a user has complete access to the Internet. Go where you want. Get all the malware you want. I didn’t try to see if a regular download and install worked, but I would not doubt it. What happen if I ALT+TAB?

Click for full size

Lookie there! Lookie there! It’s the command line. A little CTRL+C action and I have access to issue commands to the machine and maybe even the network.

So is that Cat-5 cable running out of the back of the box connected to the airport network itself or a dedicated safe portal to the Internet? Given what we’ve seen here, what do you think?

If you’re ever called to check out a kiosk application, not only should you run through the form the kiosk will host, but you should get a kiosk itself and run it through its paces and look outside the confines of the application to look for security pitfalls.

You need to check out the user interface action. This kiosk gives the user all the normal tools that users need for full input opportunity to the Internet. Some kiosks only have touchpads or touchscreens. Here are a couple of things to think about:

• Know your keyboard shortcuts. Most people don’t know these keyboard shortcuts, but they do things to your active window (even your kiosked browser). What can you do with that?
• Know your internal browser behavior. I remember seeing a kiosk with only a touchscreen that offered the Web sites of a building’s residents. Within a touchscreen environment, you would think you’re limited to navigating through links in the browser window. You would be wrong. mailto: links trigger the helper application associated with e-mail. What can you do when you try that?
• What happens when you unplug the machine and plug it back in? It reboots, probably, affording you the ability to go into alternate bootup scenarios and whatnot. Should your user have access to that? Probably not.

To begin vetting kiosks, you need to think outside the terms of your application and think in terms of the technologies that encapsulate it. The better you understand those and can identify the ways users could interact with the whole kiosk, the better you can prevent them from doing so inappropriately.

But what happens if you put in the return e-mail address of your company’s newsletter?

In certain circumstances, when your organization composes and compiles those e-mails on its own, you might find that entering the newsletter return address in one of your organization’s other automatic e-mail generating applications will trigger an e-mail to your entire newsletter list or some other e-mail, such as an open relay response.

It’s a damn dirty trick, and you should try it on your organization before someone else does.

As a rule, your organization should make sure that the user cannot enter those sorts of e-mail addresses, but it should allow you to test using individual e-mail addresses internally.

Sure, the keyboard, mouse, and data import features are some of the several obvious ways that data gets into your system. Are there any others? Scanners perhaps? Photo recognition or OCR?

You’ve got to be devious to be a tester whom I respect.

For example, B– here gets his information prepopulated:

Click for full size

Now, if you go to the www subdomain, you are recognized as a guest:

Click for full size

Now, you know what the first thing I would check and one thing that nobody else would check at Thomas’s interactive agency, don’t you?

If you use a name it doesn’t recognize as the subdomain, you might’ve successfully Captain Kirked the machine:

 
Click for full size

Does that look like an infinite loop to you?  I cannot say because:

1. Dammit, Jim, I a tester, not a theologian!  I cannot argue the nature of the Infinite!
2. I was not patient enough to see if it ever came up with something useable; after a couple minutes, it had not.  The browser made the clicking noise, and the blank screen above displayed again and again.

Sure, Quick Testing tips advises you to increment a number in the querystring to see what happens.  Here at QAHY, we say do everything to the querystring and see what happens.  Including the subdomain.

Here’s a handy tool called File Destructor that creates invalid files with different extensions of determined size that you can use when running your corrupt file tests.

It’s designed to create files you can send to teachers to support a “the computer ate my homework” excuse, but we in QA can subvert that, can’t we? We can subvert anything.

Here’s the situation.  You’re a user in tiny Grantwood Village, a mostly forgotten municipality in St. Louis County, Missouri, who wants to go to Circuit City because….well, okay, maybe it is an outrageous use case, but it fails:

1. Go to the Circuit City home page.
2. Click the Store Locator link at top.
3. Store Locator displays:
   
   In the City edit box, type grantwood village.
4. From the State drop-down list, select Missouri.
5. Click Find.
6. Uh oh.  According to Circuit City, Grantwood Village does not exist:
   Much to the chagrin of Grantwood Village.Well, then, type the zip code of Lakeshire, Missouri (63121) into the Zip code edit box.  Funny, though, Lakeshire is even smaller than Grantwood Village, as it’s essentially a small subdivision with a post office.
7. Click Find again.
8. The application acts as though the zip code is invalid:
   

This occurs whether you click the Find button underneath the Zip code edit box or underneath the City/State combination.  Don’t get me started about the design wisdom of putting two controls on a form that do the same thing.  You cannot convince me of its utility, and I disbelieve in your value of symmetry.

In this form, if the application detects a value in the latter, it ignores the former, period.  So it does sort of handle Or (you need to enter something in one or the other), it does not handle both (And) correctly.  Even though someone will probably encounter the situation of entering data in both forms.

And, when you’re feeling particularly nasty (which is to say, every day of the week), remember to try 87894.  This is an invalid zip code, and if your application doesn’t handle nonexistent zip codes (not merely strings that are not five numbers) or relies on a Web service call or whatnot to an application that does not handle nonexistent zip codes, hilarity ensues.

“But what if you just, say, pull the plug? A Finally block won’t execute when the computer is turned off!”

If you need me, I’ll be in the server room.