Artifacts supported to guide testing

Upload source code, documentation, and other artifacts to guide XBOW penetration testing. For more information, see Guiding XBOW testing and Guiding XBOW testing for experts.

File size limit

The maximum size is 5 GB per file.

Source code upload

Upload source code as a single tar.gz archive; of the archive formats you could use, this gives the best compression.

What to include

  • Core source code: main business logic, APIs, and user interface
  • Configuration files, for example: config.yaml, .env.example, appsettings.json
  • Documentation: architecture diagrams, API specifications, or internal design notes
  • Dependency manifests: such as package.json, requirements.txt, or pom.xml

What to exclude

  • .git/ directories and other version history, which XBOW does not use
  • Media assets like images, videos, or other large binary files
  • Internationalization packs (i18n) with large translation sets
  • Third-party binaries or library folders (node_modules/, vendor/)
  • Build outputs (dist/, bin/, target/)
  • Any canary tokens you have planted in the application for attack agents to discover; if they are present in the upload, agents can find them by reading the source rather than by exploiting the application

For more information about canary tokens, see Using canary tokens.
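To make the include and exclude rules above concrete, here is an added example (not XBOW's own tooling) that packages a source tree as tar.gz, drops version history, dependency folders, build output, media and translation packs, refuses to package while canary tokens remain, and checks the result against the 5 GB per-file limit. The directory names, media suffixes and the canary regex are assumptions to adapt to your project; the sample tree is constructed inside the script.

```python
"""Package a source tree for upload, leaving out what XBOW does not use.

Added example, not XBOW's own tooling. Directory names, media suffixes and
the canary pattern are assumptions; adjust them to your project.
"""
import os
import re
import tarfile
import tempfile
from pathlib import Path

MAX_BYTES = 5 * 1024 ** 3  # 5 GB per-file upload limit

# Directory names dropped wherever they occur in the tree (assumed common names).
EXCLUDED_DIRS = {".git", ".hg", ".svn", "node_modules", "vendor", "dist", "bin",
                 "target", "locales", "i18n", "translations"}
# Media and binary suffixes dropped regardless of location (assumed list).
EXCLUDED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".mp4", ".mov",
                     ".woff", ".woff2", ".so", ".dll", ".exe", ".jar", ".zip"}


def excluded(rel: Path) -> bool:
    """True if a path (relative to the tree root) should stay out of the archive."""
    if EXCLUDED_DIRS.intersection(rel.parts):
        return True
    return rel.suffix.lower() in EXCLUDED_SUFFIXES


def find_canaries(src_dir: str, pattern: str) -> list[str]:
    """Files that would be packaged and still contain a canary matching `pattern`.

    errors="ignore" keeps binary or oddly encoded files from aborting the scan.
    """
    root = Path(src_dir)
    rx = re.compile(pattern)
    hits = []
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if not p.is_file() or excluded(rel):
            continue
        try:
            if rx.search(p.read_text(errors="ignore")):
                hits.append(rel.as_posix())
        except OSError:
            continue
    return sorted(hits)


def package_source(src_dir: str, out_file: str) -> list[str]:
    """Write a gzip-compressed tar of src_dir and return the member names kept."""
    kept = []

    def keep(info: tarfile.TarInfo):
        # tarfile does not descend into a directory once the filter drops it.
        if excluded(Path(info.name)):
            return None
        kept.append(info.name)
        return info

    with tarfile.open(out_file, "w:gz") as tar:
        tar.add(src_dir, arcname=".", filter=keep)
    return sorted(kept)


def within_limit(path: str) -> bool:
    """True if the archive respects the 5 GB per-file limit."""
    return os.path.getsize(path) <= MAX_BYTES


def prepare_upload(src_dir: str, out_file: str, canary_pattern: str) -> list[str]:
    """Refuse to package while canaries remain, then archive and size-check."""
    hits = find_canaries(src_dir, canary_pattern)
    if hits:
        raise ValueError(f"remove canary tokens before upload: {hits}")
    members = package_source(src_dir, out_file)
    if not within_limit(out_file):
        raise ValueError(f"{out_file} exceeds the {MAX_BYTES} byte limit")
    return members


def build_sample_tree(with_canary: bool = False) -> str:
    """Constructed sample project (not a real application) in a temp directory."""
    root = Path(tempfile.mkdtemp())
    files = {
        "app/main.py": "def handler(req):\n    return 'ok'\n",
        "config/settings.yaml": "db_url: postgres://app@db/app\n",
        "package.json": '{"name": "sample", "dependencies": {}}\n',
        ".git/HEAD": "ref: refs/heads/main\n",
        "node_modules/lib/index.js": "module.exports = {};\n",
        "dist/bundle.js": "console.log(1);\n",
        "static/logo.png": "not really a png\n",
        "locales/de.json": '{"hello": "hallo"}\n',
    }
    if with_canary:
        files["app/secret.py"] = "BACKUP_TOKEN = 'CANARY_9F3A2C'  # planted for agents\n"
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return str(root)
```

Running prepare_upload on the constructed tree keeps app/, config/ and package.json, drops .git/, node_modules/, dist/, the image and the locale pack, and raises before writing anything if the canary regex matches a file that would otherwise be uploaded.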

Assessment guidance uploads

This feature is in public preview and subject to change. It is available only to Enterprise users. In this release, the Validation card does not support uploads.

Supported formats

Upload artifacts in one of the following formats or enter freeform text directly.

  • PDF: .pdf
  • Markdown: .md
  • Plain text: .txt
  • Word document: .doc, .docx
  • JSON: .json
  • YAML: .yml, .yaml
  • XML: .xml

Attack surface

Tell XBOW which endpoints to test, either by uploading a file or by entering details in a text box. XBOW searches the input for endpoints; how it extracts them depends on the type of input.

Input                                       Handling
OpenAPI, Swagger, SOAP (json, yaml) files   Deterministic endpoint extraction
PDF, MD, TXT, DOC, DOCX, XML files          AI-assisted endpoint extraction
Free text                                   AI-assisted endpoint extraction

By default, the extracted endpoints are added to the attack surface of the application. Alternatively, you can limit the attack surface to the uploaded endpoints only.
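The deterministic path in the table above can be shown directly. The following added example (not XBOW's extractor) parses a constructed OpenAPI 3 document with the standard library, lists its operations, and applies the two scoping modes just described. Matching path templates such as `/payments/{paymentId}/refund` against concrete request paths is an assumption about how uploaded endpoints are compared with observed requests; a YAML spec would be loaded the same way with PyYAML, JSON is used so the script runs offline.

```python
"""Deterministic endpoint extraction from an OpenAPI document.

Added example, not XBOW's extractor. The specification is constructed for
the example and describes no real service.
"""
import json
import re

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample specification for a payments API.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "Sample payments API", "version": "1.0"},
    "servers": [{"url": "https://api.example.test/v1"}],
    "paths": {
        "/payments": {
            "post": {"summary": "create payment"},
            "get": {"summary": "list payments"},
        },
        "/payments/{paymentId}/refund": {
            "parameters": [{"name": "paymentId", "in": "path", "required": True}],
            "post": {"summary": "refund payment"},
        },
        "/webhooks/stripe": {
            "post": {"summary": "receive webhook"},
            "x-internal": True,
        },
    },
})


def extract_endpoints(spec_text: str) -> list[tuple[str, str]]:
    """Sorted (METHOD, path template) pairs found under `paths`.

    Only keys that are HTTP methods count as operations; path-level
    `parameters`, `summary`, `servers` and `x-` vendor extensions are skipped,
    so nothing is guessed: the output is the same on every run.
    """
    spec = json.loads(spec_text)
    found = []
    for path, item in spec.get("paths", {}).items():
        if not isinstance(item, dict):
            continue
        for key, operation in item.items():
            if key.lower() in HTTP_METHODS and isinstance(operation, dict):
                found.append((key.upper(), path))
    return sorted(found)


def template_to_regex(template: str) -> re.Pattern:
    """Compile `/payments/{paymentId}/refund` into a regex for concrete paths.

    Each `{param}` matches exactly one path segment; literal text is escaped.
    """
    pieces = re.split(r"(\{[^}]+\})", template)
    body = "".join(
        r"[^/]+" if p.startswith("{") and p.endswith("}") else re.escape(p)
        for p in pieces
    )
    return re.compile(rf"^{body}$")


def in_scope(method: str, path: str, uploaded, discovered=(), uploaded_only=False) -> bool:
    """Scope decision for one observed request.

    uploaded_only=False: uploaded endpoints are added to what was discovered.
    uploaded_only=True: only the uploaded endpoints are in scope.
    """
    method = method.upper()
    matches_uploaded = any(
        m == method and template_to_regex(t).match(path) for m, t in uploaded
    )
    if uploaded_only:
        return matches_uploaded
    return matches_uploaded or (method, path) in set(discovered)
```

In the default mode a DELETE /users/7 that XBOW found on its own stays in scope alongside the uploaded payment endpoints; with uploaded_only=True the same request is dropped, which is the behaviour to expect when the attack surface is limited to the uploaded endpoints.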

Priorities

Tell XBOW which areas of your application and which security concerns to test, or to exclude from the assessment. The files you upload or the text you enter are processed by AI, and the priorities it extracts are reported back to you. For example:

Input                                          Result
Prioritize authorization and injection         Will focus on: authorization, server-side injection
Out of scope: user deletion functionality      Will spend less time on: delete user
Thoroughly audit the integration with Stripe   Will focus on: create payment, process payment, refund payment, receive webhook, validate webhook

Each keyword identified represents either an area of endpoints, such as create payment, or an attack type, such as server-side injection. The orchestrator directs extra attack agents to endpoints marked "focus on" and fewer agents to endpoints marked "spend less time on"; attack types are weighted in the same way.

Attack strategy

By default, XBOW performs a comprehensive assessment across all attack types. You can disable some of the default attack types to focus more deeply on the remaining types.

You can also provide XBOW with additional information to guide attacks. For example:

  • Example payloads
  • Attack strategies that you want to test
  • Known vulnerability patterns that you want to explore further

This information is used by the attack agents to guide their testing.
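The Priorities and Attack strategy sections above describe three levers: "focus on" keywords pull extra agents in, "spend less time on" keywords push them away, and disabling an attack type hands its share to the remaining types. The following added example is an illustrative model of that behaviour, not XBOW's orchestrator: the multipliers, the endpoint areas, the attack type names and the largest-remainder split are assumptions chosen to make the effect visible on a constructed allocation.

```python
"""Illustrative model of how priorities and disabled attack types shift agents.

Added example, not XBOW's orchestrator. Multipliers, areas, attack types and
the rounding scheme are assumptions.
"""
FOCUS_MULTIPLIER = 2.0       # assumption: "focus on" doubles a pair's weight
LESS_TIME_MULTIPLIER = 0.5   # assumption: "spend less time on" halves it

# Constructed endpoint areas (keywords taken from the Priorities table) and attack types.
ENDPOINT_AREAS = ["create payment", "process payment", "refund payment",
                  "receive webhook", "validate webhook", "delete user", "list users"]
ATTACK_TYPES = ["authorization", "server-side injection", "cross-site scripting", "ssrf"]

# Directives in the form the Priorities table reports them after AI processing.
DIRECTIVES = {
    "focus on": ["authorization", "server-side injection", "create payment",
                 "process payment", "refund payment", "receive webhook", "validate webhook"],
    "spend less time on": ["delete user"],
}


def pair_weight(area: str, attack: str, directives: dict, disabled=()) -> float:
    """Relative effort for one (endpoint area, attack type) pair; 0 if the type is disabled."""
    if attack in disabled:
        return 0.0
    weight = 1.0
    for keyword in directives.get("focus on", []):
        if keyword in (area, attack):
            weight *= FOCUS_MULTIPLIER
    for keyword in directives.get("spend less time on", []):
        if keyword in (area, attack):
            weight *= LESS_TIME_MULTIPLIER
    return weight


def allocate_agents(total: int, areas, attacks, directives: dict, disabled=()) -> dict:
    """Split `total` agents across (area, attack) pairs in proportion to weight.

    Integer parts are assigned first; leftover agents go to the pairs with the
    largest fractional remainder, so the counts always sum to `total` and a
    disabled type (weight 0) never receives an agent.
    """
    pairs = [(a, t) for a in areas for t in attacks]
    weights = {p: pair_weight(p[0], p[1], directives, disabled) for p in pairs}
    total_weight = sum(weights.values())
    if total_weight == 0:
        raise ValueError("every attack type is disabled")
    exact = {p: total * w / total_weight for p, w in weights.items()}
    alloc = {p: int(exact[p]) for p in pairs}
    leftover = total - sum(alloc.values())
    by_remainder = sorted(pairs, key=lambda p: exact[p] - alloc[p], reverse=True)
    for p in by_remainder[:leftover]:
        alloc[p] += 1
    return alloc


def agents_by_area(alloc: dict) -> dict:
    """Agents per endpoint area, to see where the effort lands."""
    totals = {}
    for (area, _attack), n in alloc.items():
        totals[area] = totals.get(area, 0) + n
    return totals


def agents_by_attack(alloc: dict) -> dict:
    """Agents per attack type, to see what disabling a type does to the rest."""
    totals = {}
    for (_area, attack), n in alloc.items():
        totals[attack] = totals.get(attack, 0) + n
    return totals
```

With 60 agents and the directives above, a Stripe endpoint paired with a focused attack type receives several agents, a neutral pair such as list users with ssrf about one, and the de-emphasised delete user pairs the least; disabling ssrf sets its column to zero and raises the authorization count, which is the reallocation the Attack strategy section describes.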