Checking configurations before assessment

Before beginning a security assessment, XBOW runs a configuration check to validate that your environment is ready for testing.

Tip: This preflight phase will take several minutes, but it reduces your chances of waiting until the end of the assessment to find incomplete or inaccurate results.

What happens during checking

XBOW checks that it can:

  • Connect to the target URL.
  • Authenticate with the target.
  • Discover domains to test.

Until all three checks pass, you cannot run an assessment.

Screenshot of a successful configuration check showing "Connected", "Verified", and "Scoping complete".

Connecting to the target URL

XBOW tries to confirm that the target application is accessible and responsive.

If this check fails, verify that:

  • The application is running and deployed at the expected URL.
  • Network connectivity is not blocked by a firewall.
  • The application is not timing out or returning errors.

Authenticating with the target

XBOW attempts to authenticate using the credentials or other details you provided to ensure that it can log in and access the application.

If this check fails, verify that:

  • The credentials match your application’s test account.
  • The test account has not been disabled or expired.
  • The test account has sufficient permissions to access the application.
  • The CAPTCHA process is turned off for the test account.

Discovering domains to test

XBOW performs a preliminary exploration to identify application endpoints, user workflows, and any third-party services or APIs.

Screenshot of the "Scope" area showing two domains. Target domain is "Attackable" and third-party domain is "Allow Visit".

All domains discovered are displayed in a “Scope” area below the check status. Target domains and subdomains are marked as Attackable while third-party sites are marked as Allow Visit.

XBOW tests only the domains marked as “Attackable” and will visit any sites marked as “Allow Visit” without attacking them. You can change the setting for each domain. If you have an Enterprise account, you can also add missing domains.
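The marking rule described above can be applied to a hand-copied Scope list before the assessment starts, to catch a look-alike or third-party host that ended up marked Attackable. This is an added example, not XBOW code: it assumes the target domain is the hostname of the target URL, and `expected_marking`, `review_scope` and the sample hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

ATTACKABLE = "Attackable"
ALLOW_VISIT = "Allow Visit"


def _normalize(host: str) -> str:
    # Hostnames are case-insensitive; a trailing dot denotes the DNS root.
    return host.strip().lower().rstrip(".")


def expected_marking(target_url: str, discovered_host: str) -> str:
    """Return the marking the page describes for a discovered host."""
    # Assumption: the target domain is the hostname of the target URL.
    target = _normalize(urlsplit(target_url).hostname or "")
    host = _normalize(discovered_host)
    if not target or not host:
        raise ValueError("target URL and discovered host must both name a host")
    # Match on a label boundary: "api.shop.example" is a subdomain of
    # "shop.example", but "notshop.example" and "shop.example.cdn.test" are not.
    if host == target or host.endswith("." + target):
        return ATTACKABLE
    return ALLOW_VISIT


def review_scope(target_url: str, scope: dict[str, str]) -> list[str]:
    """List hosts whose marking in the Scope area differs from the expected one."""
    findings = []
    for host, marking in sorted(scope.items()):
        expected = expected_marking(target_url, host)
        if marking != expected:
            findings.append(f"{host}: marked {marking!r}, expected {expected!r}")
    return findings


# Constructed sample: a Scope list transcribed by hand, not real XBOW output.
SAMPLE_TARGET = "https://shop.example/login"
SAMPLE_SCOPE = {
    "shop.example": ATTACKABLE,
    "API.shop.example.": ATTACKABLE,
    "notshop.example": ATTACKABLE,       # look-alike, not a subdomain
    "shop.example.cdn.test": ALLOW_VISIT,
    "pay.thirdparty.test": ALLOW_VISIT,
}

if __name__ == "__main__":
    for line in review_scope(SAMPLE_TARGET, SAMPLE_SCOPE):
        print(line)
```

A host reported here is a prompt to review its setting in the Scope area, since a deliberate change to a domain's marking will also show up as a difference.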

Allowing XBOW to visit third-party sites your target relies on is critical to the success of your assessment. For more information, see Run assessment and Scope configuration.