Protected URLs

You can protect critical endpoints to prevent unintended consequences during testing. This allows you to fine-tune the attack surface within the attackable domains defined by your scope configuration.

  • Scope boundaries define which domains are accessible and which should be attacked (see Scope configuration).
  • Protected URLs allow you to control the treatment of specific URLs within the attackable domains.

Identify endpoints to limit or block access to

Consider defining special treatment for endpoints in these categories:

  • Auth-only to allow XBOW to contact but not test authentication endpoints.
  • Block URL to stop XBOW from accessing high-risk production functionality (such as financial transactions or database writes) and credential management endpoints (such as password resets or account deletion).

For more information, see Controlling access to sensitive endpoints.

Note: If XBOW has defined any URLs as “Auth-only”, these are needed for authentication or session management. Do not change these settings, as doing so could lead to user lockout and stalled testing.

Specifying a protected URL

Each protected URL applies to specific paths or patterns on attackable domains and can be marked as “Blocked” or “Auth-only”. Ensure that you allow “Auth-only” access to endpoints that are needed for authentication.

Both Enterprise and Lightspeed users can protect URL paths before starting an assessment. Once an assessment starts, the protected URL paths cannot be modified.

Endpoints to consider

  • Credential management, for example:
    • Password reset and change endpoints
    • Account recovery workflows
    • Account deletion functionality
    • Account lockout mechanisms
  • High-risk production functionality, for example:
    • Financial transactions and payment processing
    • Payment gateways or billing services
    • Direct writes to production databases
    • Irreversible business workflows
  • Calls to out-of-scope systems, for example:
    • ERP systems
    • CRM platforms
    • Partner APIs
    • External integrations not included in the test scope

Troubleshooting protected URLs

Incomplete assessments

Symptom: Assessment completes quickly with limited findings or skips entire sections of the application.

Possible causes:

  • URL rules are too broad and prevent legitimate testing
  • Critical API endpoints are inadvertently blocked
  • Pattern-based rules match unintended URLs

Solutions:

  • Review rule patterns for overly broad matches
  • Narrow rules to specific endpoints rather than entire paths
  • Remove rules that prevent testing of intended functionality

Authentication failures during testing

Symptom: XBOW cannot maintain authenticated sessions during testing.

Possible causes:

  • Session management endpoints are blocked
  • Token refresh endpoints are blocked
  • Authentication validation endpoints are blocked

Solutions:

  • Ensure session management endpoints are set to “Auth-only” and not “Blocked”
  • Allow access to token refresh and validation endpoints
  • Review authentication flow to identify critical endpoints
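Because protected URL paths cannot be changed once an assessment starts, it helps to check a rule set against the application's known endpoints beforehand. The following is an added example (not XBOW's code, and XBOW's pattern syntax is not documented on this page, so glob-style patterns via fnmatch are an assumption) that classifies each endpoint and flags the two problems described above: a “Blocked” rule that covers an authentication or session endpoint, and a rule broad enough to suppress most of the attack surface.

```python
from fnmatch import fnmatchcase

# Constructed rule set: each entry is a path pattern plus a treatment of
# "Blocked" or "Auth-only". Glob syntax is an assumption for this example,
# not XBOW's documented pattern format.
RULES = [
    ("/api/*", "Blocked"),               # deliberately too broad
    ("/auth/token/refresh", "Blocked"),  # should be Auth-only, not Blocked
    ("/auth/login", "Auth-only"),
    ("/account/delete", "Blocked"),
]

# Constructed sample of endpoints discovered in the target application.
ENDPOINTS = [
    "/auth/login", "/auth/logout", "/auth/token/refresh", "/auth/session/validate",
    "/api/users", "/api/users/search", "/api/orders", "/api/payments/charge",
    "/account/delete", "/account/profile",
]

# Path fragments that indicate authentication or session management
# (a hypothetical heuristic; adjust to the application's own naming).
AUTH_KEYWORDS = ("login", "logout", "session", "token", "auth")

def classify(path, rules):
    """Return the treatment for a path: first matching rule wins, else 'Allowed'."""
    for pattern, treatment in rules:
        # Note: fnmatch's '*' also matches '/', so '/api/*' covers every
        # nested path under /api, which is exactly how rules become too broad.
        if fnmatchcase(path, pattern):
            return treatment
    return "Allowed"

def audit(rules, endpoints, broad_threshold=0.3):
    """Flag rules that (a) block auth/session endpoints, causing authentication
    failures, or (b) match more than broad_threshold of all endpoints, causing
    incomplete assessments. Returns a list of human-readable warnings."""
    findings = []
    for pattern, treatment in rules:
        hits = [p for p in endpoints if fnmatchcase(p, pattern)]
        if treatment == "Blocked":
            for p in hits:
                if any(k in p for k in AUTH_KEYWORDS):
                    findings.append(f"{pattern}: Blocked rule covers auth endpoint {p}; use Auth-only")
        if len(hits) / len(endpoints) > broad_threshold:
            findings.append(f"{pattern}: matches {len(hits)}/{len(endpoints)} endpoints; narrow it")
    return findings

if __name__ == "__main__":
    for p in ENDPOINTS:
        print(f"{p:28} {classify(p, RULES)}")
    for f in audit(RULES, ENDPOINTS):
        print("WARN", f)
```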