Web application testing

[subdriven at gmail.com (Aaron)]

Hello, all!

There may come a time where I'll have to do some web application
testing. I was wondering if this wonderful group had some good
resources for best practices, good reporting methodologies, estimates
of time involved to just do basic testing, etc. Of course since it
will be web application testing it is going to require doing XSS, SQL
injection testing/attacking, and possibly some code review.

I'm also wondering how most people go about this sort of test. I am
not sure I would feel comfortable testing against a live system in
case I manage to really destroy stuff so I would have to test against
a copy or a test/dev site. From the experiences others have had, is
that something the customer usually provides or do they hand over the
basics of the application and it becomes my responsibility to set it
up in a lab environment? Is there a rule of thumb for time estimates
for these kinds of tests or is it just a shot in the dark guess?

Thanks in advance for any insight!

Aaron