On 11/10/2016 20:30, Thomas Ptacek wrote:

> (This comes up a lot because people who don’t do large-scale testing tend
> to believe XSS is something you can safely test for everywhere).

Even small-scale (but high-event) focussed testing can have unexpected
results; a case in point happened some time ago on a remote application
test. In short, the basic fuzzing of a small form field killed the
corporate mail server. It turned out that at some point early in the
application's life cycle the developer had added an email alert on every
error condition. This continued through the application life cycle until
Live, except that by this point the email list was up to about 30. Needless to
say, at over 5K errors a second the mail server quickly packed its bags
and went down the pub. At that point I was reminded of Frank Heidt's oft
commented "The emergent property of an avalanche is a grain of sand".

Testing of any kind can produce unexpected outcomes, a fact unlikely to
surprise this audience but it's something that's still overlooked.
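An added example (my own code, not from the post or anyone in the thread) of the mitigation the anecdote points at: an error-alert sink that sends at most one message per error type per window and folds the rest into a suppressed-count, so a 5K-errors-a-second burst no longer becomes 5K emails a second to 30 recipients. The class and function names, the 60 s window, the fake transport and the simulated numbers are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
import time


@dataclass
class AlertSink:
    """Rate-limited error alerting: one alert per error type per window (assumed design)."""
    send: Callable[[tuple, str], None]          # transport, e.g. a function that emails
    window_s: float = 60.0                      # assumed window; tune to your on-call tolerance
    recipients: tuple = ("ops@example.invalid",)
    _last_sent: Dict[str, float] = field(default_factory=dict)
    _suppressed: Dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def report(self, error_type: str, detail: str, now: Optional[float] = None) -> bool:
        """Return True if an alert was sent, False if it was folded into the counter."""
        now = time.monotonic() if now is None else now
        last = self._last_sent.get(error_type)
        if last is not None and now - last < self.window_s:
            self._suppressed[error_type] += 1      # burst in progress: count, don't mail
            return False
        n = self._suppressed.pop(error_type, 0)    # report what the last window swallowed
        suffix = f" ({n} similar errors suppressed since last alert)" if n else ""
        self.send(self.recipients, f"[{error_type}] {detail}{suffix}")
        self._last_sent[error_type] = now
        return True


def simulate_burst(errors_per_second: int = 5000, seconds: int = 10,
                   recipients: int = 30, window_s: float = 60.0) -> Tuple[int, int]:
    """Constructed burst like the one in the post (one error type, every event alerts).
    Returns (emails_naive, emails_throttled), counting one email per recipient."""
    sent = []
    sink = AlertSink(send=lambda rcpts, body: sent.append((rcpts, body)),
                     window_s=window_s,
                     recipients=tuple(f"dev{i}@example.invalid" for i in range(recipients)))
    total = errors_per_second * seconds
    for i in range(total):
        sink.report("ValidationError", "unexpected input in form field",
                    now=i / errors_per_second)
    emails_naive = total * recipients              # the per-error alert the developer left in
    emails_throttled = sum(len(r) for r, _ in sent)
    return emails_naive, emails_throttled


if __name__ == "__main__":
    print("naive vs throttled emails for a 10 s burst:", simulate_burst())
```

The suppressed count in the next alert is what keeps the throttle from hiding an incident: the on-call reader still learns that thousands of errors happened, just not thousands of times.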
