Security expert introduction to XBOW

  • Enterprise only

This introduction gives an overview of advanced features of particular interest to security experts.

Defining an attack surface

When you configure an assessment, you can brief XBOW on where to focus AI attack agents:

  • Upload an API specification, or details of the endpoints that must be covered by testing (Assessment guidance, Attack surface card)
  • List the endpoints you want to test and limit testing to this list (Assessment guidance, Attack surface card)
  • If some features or components are higher risk (for example new code, recently changed logic, or known-sensitive operations), you can direct more testing effort there and less toward low-priority areas (Assessment guidance, Priorities card)

For more information, see Define a brief for the assessment.

Refining the domains and endpoints to attack

After your configuration is verified in a preflight check, a list of domains is shown with XBOW’s determination of whether each should be attackable, allowed for visits only, or blocked entirely.

You can edit the access allowed for each domain. In addition, you can define endpoints or endpoint patterns where all access is blocked, or that can only be accessed for authentication. (Configuration checks page, Scope)

For more information, see Excluding domains and sensitive endpoints from attack.

Giving attack agents a flying start

You may have domain knowledge about likely vulnerabilities. In this case, you can share this information with XBOW to ensure effective and efficient testing, getting the most impact from each attack credit.

For example, you might suspect or know that specific endpoints are exposed to SQL injection, or that an endpoint requires authentication before it can be attacked.

Use the Assessment guidance, Attack strategy card to share your knowledge. For more information, see Define a brief for the assessment.

Setting up safe attack points

No matter how much you trust your pentesters, you want to avoid exposing sensitive data. You can add canary tokens to your application and challenge XBOW to attack your site to get to them. This focuses the attack on retrieving test data.

This approach is the only way to clearly verify flaws in business logic. It’s also the best way to verify SQL injection, local file read, or remote code execution vulnerabilities.
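One way to plant and validate canary tokens of your own, as an added example that is not XBOW’s code or its token format: each token carries a label for the place it was planted and an HMAC over a secret you keep, so a finding is confirmed only when it quotes a token that was genuinely planted, not one that merely looks like one. The scheme, the labels and the finding text are all constructed for the example.

```python
import hashlib
import hmac
import re
import secrets
from typing import Optional, Set

# Hypothetical canary scheme (not XBOW's format): CANARY-<label>-<nonce>-<mac>.
# The MAC binds label and nonce to a secret you keep, so a token that verifies
# can only be one you planted, never a guessed or copied look-alike.
CANARY_RE = re.compile(r"CANARY-([A-Za-z0-9_]+)-([0-9a-f]{16})-([0-9a-f]{16})")


def _mac(label: str, nonce: str, secret: bytes) -> str:
    return hmac.new(secret, f"{label}:{nonce}".encode(), hashlib.sha256).hexdigest()[:16]


def mint_canary(label: str, secret: bytes, nonce: Optional[str] = None) -> str:
    """Mint one token for one planted location (a DB row, a file, an env var)."""
    nonce = nonce or secrets.token_hex(8)  # 16 hex characters
    return f"CANARY-{label}-{nonce}-{_mac(label, nonce, secret)}"


def verify_canary(token: str, secret: bytes) -> Optional[str]:
    """Return the planted label if the token is genuine, else None."""
    m = CANARY_RE.fullmatch(token)
    if not m:
        return None
    label, nonce, mac = m.groups()
    return label if hmac.compare_digest(mac, _mac(label, nonce, secret)) else None


def canaries_in(text: str, secret: bytes) -> Set[str]:
    """Labels of every genuine canary quoted in a finding or report body."""
    return {lbl for m in CANARY_RE.finditer(text)
            if (lbl := verify_canary(m.group(0), secret))}


def demo() -> Set[str]:
    secret = b"constructed-demo-secret"
    # One canary per sink the vulnerability classes above would reach.
    planted = {
        "orders_db": mint_canary("orders_db", secret, nonce="0" * 16),    # SQL injection
        "app_config": mint_canary("app_config", secret, nonce="1" * 16),  # local file read
        "host_env": mint_canary("host_env", secret, nonce="2" * 16),      # remote code execution
    }
    # Constructed finding text: quotes the DB canary verbatim plus a forged look-alike.
    report = (f"Value read from orders table: {planted['orders_db']}\n"
              "Also saw: CANARY-app_config-1111111111111111-deadbeefdeadbeef\n")
    return canaries_in(report, secret)  # only the genuine label survives
```

Keep the secret out of the application under test; it is only needed by whoever checks the findings.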

For more information, see Validate results with canary tokens.