Edge Case: Input Validation and Injection Prevention
all
Persona: security-tester
Touchpoint: /api/contact, /api/newsletter, /onboard
Preconditions
- API endpoints are live
- Input validation is implemented
Steps
| # | Action | Expected Result |
|---|---|---|
| 1 | Send XSS payload in contact form name field | API returns 200 or 400. Server does NOT crash (status < 500). Payload is sanitized. |
| 2 | Send SQL injection in contact message field | API returns 200 or 400. Server does NOT crash. Payload is escaped/parameterized. |
| 3 | Send newsletter email: user@localhost | API accepts or rejects. No 500 error. Weak validation (just @) is acceptable if documented. |
| 4 | Send newsletter email: no @ sign (not-an-email) | API returns 400 Bad Request. Invalid email rejected. |
| 5 | Send onboard email: user@localhost | API returns 400 (stricter validation than newsletter). Rejects invalid domain. |
| 6 | Send chatbot message: 2001 characters | API returns 400 with error 'Message too long'. Max message size enforced (2000 chars). |
| 7 | Send chatbot message: special chars (emoji, Unicode) | API accepts and processes. Emoji/Unicode handled correctly. No 400 unless truly invalid. |
| 8 | Send phone number in contact: invalid format | API accepts phone as-is (no strict validation) or provides helpful error. No 500. |
| 9 | Send empty required fields | API returns 400 with field-specific error messages. No 500. |
Known Failure Modes
- XSS or SQLi payload crashes server — critical security issue
- Inconsistent email validation — confuses users (newsletter accepts, onboard rejects)
- Message size limit not enforced — enables spam/DoS
- Empty field validation returns 500 instead of 400 — poor error handling
References
- Playwright spec:
e2e/edge-input-validation.spec.ts - Code files:
Notes
Tests input validation across all major API endpoints. Key scenarios: XSS/SQLi injection, email validation consistency, message length limits, Unicode handling. All tests assert status < 500 (no crash). Payloads should be safely rejected or sanitized. Email validation is stricter in onboard (financial form) vs newsletter.