Choosing a target to test
XBOW currently supports testing interactive web applications and their APIs.
If your target does not have a web application interface or does not meet other requirements, contact XBOW to discuss your needs before starting an assessment.
Tip: Support for penetration testing of other targets is on our roadmap.
Target requirements
- Web application with its API: XBOW does not support testing APIs without an interactive web application.
- Accessible login or no authentication required: Unless you want to test a publicly available application, XBOW must be able to authenticate with the application. If the web application requires MFA (multi-factor authentication), you must be able to authenticate using one-time codes from email or TOTP (Time-based One-Time Passwords) from an authenticator app.
- Support for Chrome browsers: XBOW agents interact with the target through a Chrome-based browser, so the application must work correctly in Chrome.
Ensuring full test coverage
- Modern infrastructure: Applications running on end-of-life servers or services, or served with expired SSL/TLS certificates, produce limited or unreliable results.
- Suitable test account: For applications that require authentication, XBOW can only test what the test account can access. Make sure that any test account:
  - Has realistic data that reflects real-world usage.
  - Has sufficient resources to handle the test load without performance or stability issues.
  - Has appropriate permissions so that all functionality to be tested is accessible.
  - Is fully onboarded so that the account is ready to use.
Preparing for efficient testing
- Activity-based session expiry: Session timeouts should be measured from the last activity rather than from login, so that test sessions do not expire while an agent is still using them.
- Concurrent sessions supported: By default, multiple agents test the target at the same time, each logging in with the test account credentials. If the application does not allow concurrent sessions for one account, the assessment takes longer because only one agent can test at a time.
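The two settings above are easy to confuse on the server side, so here is an added example (not XBOW's code, and not taken from this page) of a hypothetical in-memory session store whose `sliding` and `max_concurrent` options model exactly those behaviours. The `agent_run` helper simulates one agent polling the application at a fixed interval, which shows why a fixed-from-login timeout cuts a long assessment short while activity-based expiry does not; all timings are constructed values.

```python
import secrets

class Session:
    def __init__(self, account, now):
        self.account, self.created_at, self.last_seen = account, now, now  # times in seconds

class SessionStore:
    """Hypothetical server-side session store exposing the two settings in the checklist."""
    def __init__(self, timeout, sliding=True, max_concurrent=None):
        self.timeout = timeout                # seconds until a session expires
        self.sliding = sliding                # True: measured from last activity; False: from login
        self.max_concurrent = max_concurrent  # per-account cap; None means unlimited
        self._sessions = {}

    def _expired(self, s, now):
        anchor = s.last_seen if self.sliding else s.created_at
        return now - anchor > self.timeout

    def active_count(self, account, now):
        self._sessions = {t: s for t, s in self._sessions.items() if not self._expired(s, now)}
        return sum(1 for s in self._sessions.values() if s.account == account)

    def login(self, account, now):
        """Return a session token, or None when the account is at its concurrent-session cap."""
        if self.max_concurrent is not None and self.active_count(account, now) >= self.max_concurrent:
            return None
        token = secrets.token_urlsafe(16)
        self._sessions[token] = Session(account, now)
        return token

    def request(self, token, now):
        """Validate a request; with sliding expiry every valid request extends the session."""
        s = self._sessions.get(token)
        if s is None or self._expired(s, now):
            self._sessions.pop(token, None)
            return False
        if self.sliding:
            s.last_seen = now  # activity resets the idle clock
        return True

def agent_run(store, account, interval, total):
    """Log in at t=0, send one request every `interval` s for `total` s; return the time of the
    last successful request (0.0 if login itself was refused)."""
    token, t, last_ok = store.login(account, 0.0), 0.0, 0.0
    while token is not None and t + interval <= total:
        t += interval
        if not store.request(token, t):
            break
        last_ok = t
    return last_ok
```

With a 30-minute timeout and an agent that sends a request every 5 minutes for two hours, the fixed-window store drops the agent after 30 minutes while the activity-based store keeps it for the full run; with `max_concurrent=1` a second login for the same account is refused until the first session has expired.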