We are in the path to upgrade our vmware Infrastructure to 5.1 . Since Vcenter 5.1 has Web component ( Webclient) our security department wanted to do a penetration test to approve this upgrade. The Pen test vendor needs the following information to scope the pen test effort

1) Number of static pages

Generally anything ending in "HTML", although this would also include CSS, Javascript, and anything else that is not dynamically generated on the server-side

2) Number of scripts

We are not looking for the number underlying scripts (.asp, .cgi, .php, etc.), not the number of scripted pages, for example if an online shopping application had a "catalog.asp" script that could generate a description page for each of 2,000 items sold on the site we would still only count this as "1 script"

3) Number of parameters

Each script will have a number of parameters such as session IDs, usernames, passwords, page IDs, account numbers, etc.; this includes parameters that are passed via the URL, posted via forms, and stored in cookies; we need to know how many there are

4)Total pages

For static pages, scripts, and parameters we don't need exact numbers; a +/-10% estimate is close enough.

Can you help us answering this questions ?

Thanks