Provide XBOW with context to guide testing

You can optionally upload artifacts to give XBOW more context about how your application is built. This information is used to guide testing either generally or focused on a specific part of the test process.

Tip: If you retest the application or run a new assessment, any context you added to the configuration is reused.

Upload source code and documentation (all users)

You can upload source code and documentation files to provide the whole test process with additional information about your application. For guidance on format and what to include, see Artifacts supported to guide testing.

  1. On the “Target configuration” page, locate the “Source code and documentation” area (lightspeed) or “Source code” area (Enterprise).
  2. Click Click to upload to open the File library manager.
  3. Drag and drop files on the drop zone, or click Select files to use a file selection dialog.
  4. Enable the Include toggle for each file you want to add to the configuration of the assessment.

Define a brief for the assessment (Enterprise users only)

The Assessment guidance feature is in Public preview and subject to change. This functionality is available only to Enterprise users.

For more information, see Guiding XBOW testing for experts.

Add guidance to the configuration

The workflow for adding guidance to the Attack surface, Priorities, and Attack strategy cards is similar. Some cards have additional options. These are described in the relevant sections. The Validation card has limited functionality in this preview release.

  1. Click the card to open a dialog. There are two columns:

    • Left column has access to the file library for the application and a free-form text box.
    • Right column shows what will be added to the configuration when you save your changes.

  2. Click Select files to analyzed to display the file library manager.

    1. Upload any new files you want to add to the library.
    2. Select Include for any files you want to analyze to provide guidance.
    3. Close the file library manager.

  3. Optional, add any content to the free-form field.

  4. Click Analyze to process any included files or free-form text.

    The information you provided is analyzed for context that is relevant for the current card. All the relevant information identified is shown in the column on the right.

  5. Review the information.

  6. Delete anything you do not want to add to the configuration of the assessment.

  7. Click Save to save the context to the configuration.

Use the file library

Each file that you upload to XBOW is stored in a file library that is shared by your organization. When anyone in your organization runs an assessment, they can choose to provide context from library files or newly uploaded files.

  • View files already in the library: Open the “File library manager” dialog from a card under “Assessment guidance”. For example, under “Priorities” click Select files to analyze. All files that contain information in a format supported by that card are listed.

  • Add new files to the library: Open the File library manager dialog and add new files. These will be available to all users in your organization.

  • Provide an assessment with information: Open the File library manager dialog, locate the file to add, and toggle the Include option.

    Screenshot of the File library manager. One file is marked for inclusion in the assessment (outlined orange).

    In this example, the user has selected the openproject_api.json file to define endpoints for the assessment. The swagger.yaml file will be ignored.

Attack surface

  • Allow the assessment to discover endpoints by running AI agents. Skip this card.
  • Provide detailed information for all endpoints by including the API specification. The specification provides the requirements for each endpoint, so less experimentation is needed to design attack payloads, saving time and attack credits.
  • Ensure key endpoints are attacked by including a list of endpoints. By default, the assessment will run AI agents to discover additional endpoints to attack.
  • Restrict assessment to named endpoints by including a list of endpoints and enabling the Limit testing to the listed endpoints option.

When the “Endpoints” column has the data you want to add to the configuration for this assessment, click Save to save your changes.

Priorities

  • Attack all endpoints and features equally. Skip this card.
  • Focus attacks on specific features by providing guidance in the free-form field or by including a specification.
  • Reduce attacks on partially implemented features by providing guidance in the free-form field or including a file that defines out-of-scope areas of the application.

When the “Assessment priorities” column has the data you want to add to the configuration for this assessment, click Save to save your changes.

Attack strategy

  • Use knowledge from previous tests as a starting point for new attacks by including a security report.
  • Provide hints for specific types of attack with a plain-text description of how XBOW should approach the attack on your application. For example, if you know the application is exposed to SQL injection from a specific route, you can describe it here.
  • Define preconditions required by specific endpoints, that is, what conditions must be met before attacking a specific endpoint, for example: authentication state, required parameters, or setup steps.
  • Run a comprehensive test of all attack types by keeping the default selection of “Threat vectors”.
  • Focus the assessment on a subset of attack types by expanding “Threat vectors” and clearing selection from some of the types.

When the “Strategies” column has the data you want to add to the configuration for this assessment, click Save to save your changes.

Validation

Create and hide a canary token. If XBOW is able to retrieve the token, this provides evidence that an attack was successful. This approach is useful for many vulnerabilities but essential for proving the existence of vulnerabilities in business logic.

Defining a canary token

Canary tokens are secrets or markers that you hide inside the application. You add them to a location that should not be accessible with the test account you created for XBOW testing. If XBOW retrieves a canary token during an assessment, it becomes a verified exploit with no ambiguity. For details, see Validate results with canary tokens.

Next step