The Complete Web Application Penetration Test Guide

Have questions about a web application penetration test? We have you covered in this blog. This is our complete web application penetration test guide which will briefly introduce all of the other blogs we’ve written on the topic and provide a link to more detailed information, should you need it.

What is a Web Application Penetration Test?

In simple terms, a web application penetration test identifies vulnerabilities in your web application and assesses the impact of those vulnerabilities through exploitation attempts. The test emulates an attacker who is trying to compromise your organization through your web application. Depending on the application’s primary purpose, the threats can vary wildly. Check out our blog on what questions a web application penetration test answers for some examples. If you need further information on what a web application penetration test is, try this blog. Finally, it is important for you to know the difference between a vulnerability scan and a penetration test.

When is the Right Time for a Web Application Penetration Test?

If you are still developing the application, you are wise to consider a web application penetration test before the site is live and exposed to potential threats. With that being said, there is a sweet spot for getting the most out of the test. As a general rule, the application needs to be fully functional but not yet “pushed to production.” If the functionality is not fully implemented, it is hard for a penetration tester to know whether something he or she did caused it to stop working, or whether it wasn’t working in the first place. Likewise, if the site is already live and in use, it is already exposed, which could lead to a breach. Click here for more information on when to test a new application.

What Steps Are Involved?

Our testing methodology spells out every step that our engineers take when performing the test. In general terms, the project will start with a kickoff call that will set forth the rules of engagement. Once the test starts, the engineer will holistically and methodically review all aspects of the web application including the underlying server, unauthenticated portions, and each authenticated role of the application. Once testing is finished, detailed documentation will be created based on the results and it will go through a detailed quality assurance process. Then we jump on a call with you to discuss all the findings.

Whenever you are considering a web application penetration test, it is important that the methodology is based on an industry-recognized standard. This ensures that the test meets all of the compliance requirements you need, but also makes sure the engineer is giving you an unbiased, holistic view of your risk. Our methodology is based on the OWASP testing guide, NIST 800-115, and the Penetration Testing Execution Standard.

How Long Does a Test Typically Take?

When planning for a penetration test, it’s helpful to have an idea of how long the process takes, including scoping, planning, execution, and documentation. This helps you better prepare for testing activities and can help prevent emergency situations where you need a test done in an unreasonable amount of time. Ultimately, the execution timeline depends on the size and scope of the application being tested, but it usually ranges from 1 to 3 weeks. Scoping and contract signatures are usually the most time-consuming part of the process, however, so if you need a test completed, it’s best to engage sooner rather than later to make sure all prerequisites are in place to meet any deadlines. You can read more about what goes into determining testing time for a web application penetration test and what the typical phases of an assessment are here.

How Much Does It Cost?

In general, the cost of a web application penetration test is directly related to the amount of time it will take an engineer to give you a thorough review. This is generally calculated from the number of roles in the application (admin, user, etc.); however, other factors also weigh in, including whether APIs are involved, the number of pages, whether after-hours testing is required, and any unique reporting requirements. To give you a basic idea, a small web application with one role will cost around $4,790, while a complex web application could cost upwards of $8,000. Click here for more information about how cost is calculated.

What Tools are Typically Used in a Web Application Penetration Test?

While tooling can certainly vary depending on the target application(s) in scope, most testers have a core set of tools that apply to just about every test. The biggest one we use is Burp Suite Professional, an intercepting proxy used to capture, analyze, and manipulate all traffic to and from an application. It also does much more, providing testers with an extensible framework for scanning, building customized tools, fuzzing, etc. Beyond Burp Suite, other favorites fill specific roles, such as Dirsearch (directory brute-forcing), SQLmap (SQL injection exploitation), and many more.


As we write more blogs, we will be sure to keep this up to date. In the meantime, if you have any questions or want to get a detailed quote for your web application assessment, reach out to us and we will be happy to help.