A QA Engineer walks into a B͏̴͡͡Ą̛Ŗ̴
August 21, 2015 7:15 AM   Subscribe

The Big List of Naughty Strings is a Github repository containing a long list of hypothetical user inputs that can potentially wreck havoc on a computer program, including SQL Injection, malformed and evil HTML, stupid Unicode gimmicks, or innocuous phrases that look like profanity.
posted by schmod (27 comments total) 56 users marked this as a favorite
 
Little Bobby Tables would approve.
posted by tempythethird at 7:18 AM on August 21, 2015 [13 favorites]


Why, yes. My customers have been editing their XML files by hand in Microsoft Word.

I know, right?

Oh, yeah. The smart quotes are awesome. We love parsing those!
posted by schmod at 7:20 AM on August 21, 2015 [14 favorites]


The SQL Injection SuperPAC is also a thing.
posted by schmod at 7:21 AM on August 21, 2015 [10 favorites]


[edited to remove bad url]
posted by you at 7:22 AM on August 21, 2015 [6 favorites]


Considering the recent Ashley Madison hack, we should all look within, using the best tools available.
posted by mrdaneri at 7:33 AM on August 21, 2015


Ohh. Very cool resource. I'm definitely going to use some or all of these in my cucumber test scripts. Last year we had a production issue with what we called "The Günter bug" in the code that handles the input stream from another system. One of the patients whose records we were processing was named Günter and our code barfed when it tried to process his records.
posted by octothorpe at 7:37 AM on August 21, 2015 [4 favorites]


I hope Günter wasn't of mixed German/Irish heritage. I've worked on applications that failed on Irish names, e.g., O'Malley.
posted by tippiedog at 7:44 AM on August 21, 2015 [1 favorite]




We had narwhalling, from a CMS bug that first manifested with a particular picture of a narwhal. Instead of placing the picture in the nicely-sized illo slot on the page, it turned it into an enormous backdrop. Turned out to be a particular edge case in original picture dimensions that then propagated through the autoscaler and flummoxed the layout compositor (roughly; the code wasn't compartmentalised quite that neatly).

We soon discovered that this could actually look really, really nice and "Have you tried narwhalling that?" became a thing.

Of course, this Interfered With The Ads and so it got fixed quickly, despite us setting it to a low priority. Unlike the ones that just caused pain and made five minute jobs last half an hour. They're probably still there.

(Today, my online banking system asked me to revalidate. It has three ID questions - what was your father's mother's first name, that sort of thing, and you get to pick those three out of a total of six options. One I had no answer for, one I had multiple answers for, and of the remaining four, two wouldn't accept the correct answers because they contained punctuation (a surprise, of course, it kept until after I'd entered an answer. It told me off for this in an angry, yet almost illegible, red text on grey, with "You have made an error, you are bad and stupid" phrasing. Lovely). So, if I ever have to use them, I'll have to remember how I deliberately mis-stated one of the answers. Welcome to 2015.)
posted by Devonian at 8:03 AM on August 21, 2015 [6 favorites]


So, if I ever have to use them, I'll have to remember how I deliberately mis-stated one of the answers. Welcome to 2015.

I treat these as additional passwords: random and different for each site. The only thing I consider is making them easy to say over the phone if needed. It's obnoxious and I hate them, since they just make everything more insecure anyway.
posted by bonje at 8:13 AM on August 21, 2015 [3 favorites]


Not just computer programs, apparently, since they also include this test case:
# Human injection
#
# Strings which may cause human to reinterpret worldview
If you're reading this, you've been in a coma for almost 20 years now. We're trying a new technique. We don't know where this message will end up in your dream, but we hope it works. Please wake up, we miss you.
posted by traveler_ at 8:21 AM on August 21, 2015 [32 favorites]


should probably come with a *MEMETIC HAZARD* warning
posted by indubitable at 8:44 AM on August 21, 2015 [6 favorites]


This thread is convincing me to use Günter O'Malley-Callaghan Jr. as the first item on my upcoming "List of Troublesome Names for Software".
posted by evilangela at 8:48 AM on August 21, 2015 [11 favorites]


These are great! Thanks for posting!
posted by bookdragoness at 9:37 AM on August 21, 2015


I'm going to be using this today. Thanks!
posted by maurice at 9:56 AM on August 21, 2015


I think the first time I ever tried to sign up for anything "online" (it was a dial-up BBS in the early 90s, if you were wondering) I was asked to enter my first and last name and the system barfed on the apostrophe in O'Mara. At that point I had the sneaking suspicion that I was in for a lifetime of difficulties.
posted by komara at 10:06 AM on August 21, 2015 [3 favorites]


Does anyone actually screen for this: (╯°□°)╯︵ ┻━┻) ?
posted by ZeusHumms at 10:16 AM on August 21, 2015 [5 favorites]


Needs more Roko's Basilisk in the “Human Injection” section. Or maybe it doesn't.
posted by acb at 10:39 AM on August 21, 2015 [3 favorites]


Does anyone actually screen for this: (╯°□°)╯︵ ┻━┻) ?

Yes in the sense that your system shouldn't explode when somebody submits emoticons like that.
posted by Pyry at 11:46 AM on August 21, 2015 [1 favorite]


'); FLIP TABLE (╯°□°)╯;--
posted by Gordafarin at 1:18 PM on August 21, 2015 [24 favorites]


The developers at work are going to hate me. I might have to log a new risk on the risk register. Risk: Testers may log issues that include strings that cause a fatal crash of the bug tracking system.
posted by xchmp at 4:48 PM on August 21, 2015 [6 favorites]


I don't get a couple of the Scunthorpe-problem strings. What's wrong with 'mocha'? Is 'Linda Callahan' in there just because it contains 'call'?
posted by pompomtom at 8:47 PM on August 21, 2015


The answers are in the Wikipedia article the section refers to. ("mocha" triggered over-sensitive "contains Javascript" filters. "Callahan" contains the word "allah" which triggered a "not allowed in account names" filter.)
posted by We had a deal, Kyle at 9:00 PM on August 21, 2015 [3 favorites]


Ta!
posted by pompomtom at 9:09 PM on August 21, 2015


I don't get a couple of the Scunthorpe-problem strings.

My favorite Scunthorpe problem was a chat system that wouldn't let us use the word ass, but would let us use the word butt. So, we quickly realized while gaming that we had to buttbuttinate our enemies.

It was so bad it was good.
posted by eriko at 5:39 AM on August 22, 2015 [6 favorites]


QA Engineer walks into a bar.
Orders a beer.
Orders 0 beers.
Orders 999999999 beers.
Orders a lizard.
Orders -1 beers.
Orders a sfdeljknesv.

posted by dmit at 8:59 AM on August 22, 2015 [18 favorites]


I love this. Soon, our developers will learn to hate it. :rubs mandibles together:
posted by XtinaS at 9:13 AM on August 22, 2015 [3 favorites]


« Older Nobody knows what the hell they're doing.   |   "I don't recall anybody literally throwing up in... Newer »


This thread has been archived and is closed to new comments