How to find software bugs

I'm really not trying to find bugs in software but for some reason, I keep finding them.

By now, I have figured out some rules which seem to make it much more likely to find bugs in software, even when it is marked as being stable or production ready:

  • Ensure that your user name contains special characters (if supported)

    "Ch'Ih-Yu" is a very good example as I can't name the number of possible SQL injections and weird double-escaping I found just by having this as my nickname.

  • Use a non-standard system locale other than en_US

    de_DE seems to work quite well as it switches the standard decimal separator from "." to ",". I managed to find broken SQL generator implementations that way as the decimal separator was taken from the locale which was then misinterpreted as a field separator.

  • Use <html> tags where they are not expected

    Using (fake) HTML tags such as <big>mess</big> in your form submissions seems to be a good way to find cases where someone was lazy with their user input handling. While I've seen implementations which strip everything which looks remotely like HTML without even notifying the user, I've also seen much worse cases where the HTML tags were actually rendered and interpreted by the browser.

  • Be a "power user"

    Using more than just the standard feature set which is used by the majority of ordinary users seems to be another good way to stumble across weird software behavior. I learned that the hard way by having my IDE destroy all my version control working copies when it did a recursive operation on all projects within my workspace instead of just the one I had selected.
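The first two rules (the apostrophe in the user name and the de_DE decimal separator) can be reproduced with a small test like the following. This is an added example, not code from any of the products mentioned; the `items` table and all function names are hypothetical, and `format_decimal` is a stand-in for locale-aware number formatting so the example runs without de_DE installed.

```python
import sqlite3

def format_decimal(value, decimal_sep):
    # Stand-in (assumption) for locale-aware formatting under en_US (".") or de_DE (",").
    return f"{value:.2f}".replace(".", decimal_sep)

def build_insert_naive(name, price, decimal_sep):
    # Broken generator: the statement is built by string concatenation, so the
    # locale's decimal separator and any quote in the name become SQL syntax.
    number = format_decimal(price, decimal_sep)
    return f"INSERT INTO items (name, price) VALUES ('{name}', {number})"

def try_naive(conn, name, price, decimal_sep):
    # Returns "ok" or the database error, so both outcomes can be compared.
    try:
        conn.execute(build_insert_naive(name, price, decimal_sep))
        return "ok"
    except sqlite3.Error as exc:
        return f"error: {exc}"

def insert_parameterized(conn, name, price):
    # Corrected form: values are bound as parameters and never pass through
    # locale formatting or hand-written escaping.
    conn.execute("INSERT INTO items (name, price) VALUES (?, ?)", (name, price))

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT, price REAL)")
    results = {
        # Works only for the "standard" user: ASCII name, en_US separator.
        "plain_en": try_naive(conn, "widget", 3.5, "."),
        # "3,50" is parsed as two values: the comma acts as a field separator.
        "plain_de": try_naive(conn, "widget", 3.5, ","),
        # The apostrophe ends the string literal early.
        "quote_en": try_naive(conn, "Ch'Ih-Yu", 3.5, "."),
    }
    insert_parameterized(conn, "Ch'Ih-Yu", 3.5)
    results["rows"] = conn.execute(
        "SELECT name, price FROM items ORDER BY rowid").fetchall()
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running the same two inputs (a quoted name and a comma-separated decimal) against every write path is a cheap regression test for both bug classes.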

Did you stumble across "facepalm bugs" in production software yourself? Let me know. Leave a comment.
