* If it's a small web application and it's an authenticated black-box assessment, a brief understanding of the application's functionality (i.e. business logic) and the number of pages and fields will be enough to scope it. As the application is small, you just test everything with full coverage. Testing to pre-defined holistic criteria aligned to key security controls is the best way to get coverage over the vast array of vulnerabilities that result from failure of these key controls.
* If the application is large and complex, then you will need to take a risk-based, sample-based approach. If it is, say, a banking application you may need to test everything; if it's a less risky application you may be able to test a sample of functions and a sample of fields in these functions.
* The approach I take in scoping large complex web applications is along these lines:
- Conduct a risk assessment: identify the key threats to confidentiality, integrity and availability and the functions that an attacker would need to abuse to do this (think parameter manipulation), and the key controls across the application (e.g. authentication, session management and input validation) that prevent such attacks. You will need information such as architecture documentation, application use cases, etc. to understand the application in order to risk assess it.
- The next step is to write a test plan so that stakeholders know what the approach to testing is, what will be covered and what will not. The test plan should also outline what test data and test environments are required. On big projects it is also important to stage testing in line with the application's development so that all defects are not identified at the last minute with no time to remediate before go-live. The integration of static code analysis during development should be considered and complemented with manual, targeted web application testing of key controls (i.e. use SCA to test whether the input validation function is applied to all fields correctly, and then manually test the input validation function for vulnerabilities).
- After the test plan has been written, you can accurately scope the assessment in terms of effort and hence cost.
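As an added illustration of the "use SCA to check that the input validation function is applied to every field" step (this is example code, not something from the answer above or any particular project): the script below is a small AST-based check over Python web-handler source. It assumes a Flask-style `request.args.get(...)` / `request.form.get(...)` read pattern and a project convention that every such read must pass through a function named `validate()`, either directly or via a variable assigned from the read; both the convention and the sample source are constructed for the example. It reports each handler field that never reaches `validate()`, which is exactly the list the manual tester then needs to cover by hand.

```python
import ast

# Constructed sample source (not from any real project). Two reads never reach
# validate(): "account" in transfer() and "note" in comment().
SAMPLE_SOURCE = '''
def validate(value, kind):
    return value

def search(request):
    q = validate(request.args.get("q"), "text")
    return q

def transfer(request):
    amount = validate(request.args.get("amount"), "money")
    account = request.args.get("account")
    return amount, account

def profile(request):
    name = request.args.get("name")
    return validate(name, "text")

def comment(request):
    return save(request.form.get("note"))
'''

INPUT_SOURCES = {"args", "form", "json"}   # request.<source>.get(...) counts as user input
VALIDATOR = "validate"                     # assumed project-wide validation entry point


def _is_input_read(node):
    """True for a call of the shape request.<source>.get(...)."""
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute) and node.func.attr == "get"
            and isinstance(node.func.value, ast.Attribute)
            and node.func.value.attr in INPUT_SOURCES
            and isinstance(node.func.value.value, ast.Name)
            and node.func.value.value.id == "request")


def _field_name(read):
    """Field name from the first argument, or <dynamic> if it is not a literal."""
    if read.args and isinstance(read.args[0], ast.Constant) and isinstance(read.args[0].value, str):
        return read.args[0].value
    return "<dynamic>"


def find_unvalidated_inputs(source):
    """Return (function, field, line) for every request read not passed to validate()."""
    tree = ast.parse(source)
    findings = []
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef):
            continue
        validated_names = set()   # variables handed to validate()
        validated_reads = set()   # read nodes handed to validate() directly
        assigned_to = {}          # id(read node) -> variable it was stored in
        # Pass 1: record what validate() sees and where raw reads are stored.
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                    and node.func.id == VALIDATOR):
                for arg in node.args:
                    if isinstance(arg, ast.Name):
                        validated_names.add(arg.id)
                    elif _is_input_read(arg):
                        validated_reads.add(id(arg))
            elif isinstance(node, ast.Assign) and _is_input_read(node.value):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        assigned_to[id(node.value)] = target.id
        # Pass 2: any read that is neither validated directly nor via its variable.
        for node in ast.walk(func):
            if not _is_input_read(node):
                continue
            if id(node) in validated_reads or assigned_to.get(id(node)) in validated_names:
                continue
            findings.append((func.name, _field_name(node), node.lineno))
    return findings


if __name__ == "__main__":
    for func_name, field, line in find_unvalidated_inputs(SAMPLE_SOURCE):
        print(f"line {line}: {func_name}() reads '{field}' without validate()")
```

The check is intentionally conservative: a value validated only after being copied through a second variable or a helper call is reported as a gap, which in a scoping exercise is the right failure mode, since a false "gap" costs a few minutes of manual confirmation while a missed one costs a field that nobody tests.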