I'd like to add a few more examples of what we think when looking at a feature/web page:
- Here's a required field, if I post the form and omit the name-value pairs, does the application reject the call?
- Here's a date field, does it reject dates too far in the past or future (01/01/10000) and reject/convert dates that don't exist (02/29/2000 or 03/54/2012)?
- Here's an input field that holds text that will be shown on other pages, what happens if I put HTML in there?
- Here's an input field, will it correctly handle new name-value pairs (&this=that&)?
- Here's a sign-in form, if I enter a bad username or password, will it provide hints that can be used to mine usernames?
- Here's a forgot password form, can it be used to mine valid email addresses?
But people also need to keep in mind that we're *assurance* and not *insurance*. While we can catch a lot of bugs before the end-users see them, it really is up to the developers to produce quality code in the first place. There are few things harder, more expensive, and time-consuming than trying to test quality into code.
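
An added example, not part of the original comment: a server-side sketch in Python of the behaviour a tester would expect to see for the required-field, date, HTML, extra name-value pair and sign-in checks listed above. The field names, date limits, messages and user store are assumptions made up for the illustration.

```python
import hmac
import html
from datetime import date, datetime
from urllib.parse import parse_qs

# Hypothetical schema, limits and user store, constructed for this example.
REQUIRED = ("name", "start_date")
MIN_DATE, MAX_DATE = date(1900, 1, 1), date(2100, 12, 31)
USERS = {"alice": "correct horse"}  # sample only; real stores hold password hashes


def parse_date(text):
    """Strict MM/DD/YYYY; None if the date does not exist or is out of range."""
    try:
        parsed = datetime.strptime(text, "%m/%d/%Y").date()
    except ValueError:
        return None
    return parsed if MIN_DATE <= parsed <= MAX_DATE else None


def validate_form(body):
    """Validate a urlencoded POST body and return (cleaned, errors)."""
    fields = parse_qs(body, keep_blank_values=True)
    cleaned, errors = {}, {}
    for key in REQUIRED:
        values = fields.get(key, [])
        if len(values) != 1 or not values[0].strip():
            errors[key] = "required, exactly once"
    extra = sorted(set(fields) - set(REQUIRED))
    if extra:  # smuggled pairs such as &this=that& land here
        errors["_extra"] = "unexpected fields: " + ", ".join(extra)
    if "start_date" not in errors:
        cleaned["start_date"] = parse_date(fields["start_date"][0])
        if cleaned["start_date"] is None:
            errors["start_date"] = "invalid or out-of-range date"
    if "name" not in errors:
        cleaned["name"] = fields["name"][0]
    return cleaned, errors


def render_name(name):
    """Escape stored text at output time so HTML in it is displayed, not run."""
    return "<p>Hello, " + html.escape(name) + "</p>"


def sign_in_message(username, password):
    """Same failure text for an unknown user and for a wrong password."""
    stored = USERS.get(username, "")
    ok = username in USERS and hmac.compare_digest(stored.encode(), password.encode())
    return "Welcome" if ok else "Invalid username or password"
```

A forgot-password handler would follow the same rule as `sign_in_message`: one response text whether or not the address is registered.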