How long does website penetration testing take?
Penetration testing is usually billed by the number of hours the security auditors (pen testers) spend on a project, many of us face the same question: how long does a penetration test take and so how much will it cost? In this blog post we will try to clarify how much time a web penetration test should normally take.
Today, when a tiny XSS may easily lead to full website compromise, and fully-automated vulnerability scanning is no longer sufficient to correctly identify all vulnerabilities on your website, website owners and administrators are switching to web penetration testing.
However, as penetration testing is usually billed by the number of hours the security auditors (pen testers) spend on a project, many of us face the same question: how long does a penetration test take and so how much will it cost? In this blog post we will try to clarify how much time a web penetration test should normally take.
First of all, one should remember that a universal one-size-fits-all rule does not exist. Some online scanning services calculate the package you need by the number of pages your web application contains. Although it seems to be a pretty reasonable approach, we are skating on very thin ice, because the term “page” can mean different things to different people.
A default and up2date installation of WordPress with no third-party plugins is a very secure system that may contain tens of thousands of web pages that would be running the same engine. In this case it would be enough to verify that WordPress is up2date and is properly configured, and the auditors will have nothing to do with each page on the website. An alternative case may be a self-written application on PHP, consisting of just a dozen scripts accepting several HTTP parameters each. However, this case will require much more time to test each parameter of every script to ensure that all potential attack vectors are tested.
Some vendors try to calculate the time necessary for a security assessment or a penetration test by a total number of parameters a web application accepts altogether. Technically speaking it’s a pretty reasonable approach, but practically speaking it fails as well. Not only it’s a tough task to calculate all the HTTP parameters, but for example, every page on a website may have one HTTP parameter such as “referrer” or “page_number” that is handled within one PHP function for every page – it will be sufficient to test this function just once, as if it is vulnerable – all the pages will contain the same vulnerability. Of course we may assume that each page has its own function to handle this parameter, but it’s a pretty rare situation.
Another dangerous practice we recently witnessed on the market consists of offering a limited number of pages to be tested during a security assessment. It gives a false feeling of security to website owners when they pay to test the majority of the pages. It’s enough to have just one vulnerable script (omitted during a security test) to be the victim of a hacked website.
Another frequent approach is to calculate the time the security assessment will take by the attack types against your web application. It may appear reasonable at the beginning, but it’s a very dangerous practice as well. Some services only offer to test the most common vulnerabilities, such XSS and SQL injections, however, today many more types of vulnerabilities can lead to a website compromise. Application logic and authentication bypass flaws dominate critical vulnerabilities that are erroneously removed from the test list both by security vendors and customers.
As a conclusion, the most efficient and effective approach to penetration testing a website consists of asking web security professionals to examine your web application, carefully analyze it, and propose the most appropriate approach.
This is why for our on-demand web application pentesting service ImmuniWeb® we have introduced free security advice from our web security experts – just leave your website URL and we will come back to you with a personalized proposal within the next 24 hours!