Define authentication for testing

If your target requires authentication, you need to create a test account for XBOW and configure how XBOW should authenticate during testing.

Publicly accessible targets

If your target is publicly accessible without authentication, on the “Target configuration” page:

  • Lightspeed users select I want to perform an unauthenticated test.
  • Enterprise users leave the “Credential set” area blank.

Then see Configure your server to allow XBOW requests.

Define authentication details

On the “Target configuration” page, use the “Credential set” area to tell XBOW how to log in to your target using a test account. For guidance on creating a test account, see Using a dedicated test account.

Supported authentication methods:

Username and password

  1. Define the Username and Password of the account to use for testing.
  2. If the account uses multi-factor authentication (MFA) with Time-based One-Time Password (TOTP), configure MFA access:
    • Allow XBOW to receive email (for email-based MFA): Click to create a temporary email address for MFA during testing.
    • Upload OTP QR code (for authenticator apps): Upload an image file with the QR code used to add the account to an authenticator.
    • Paste an OTP URL (for authenticator apps): If you have the OTP URL (starting with otpauth://), copy it to your clipboard and use the paste button to upload it.
  3. If the account supports single sign-on (SSO) with a link sent to users by email, click Allow XBOW to receive email to create a temporary email address. This is supported for Okta and similar identity and access management (IAM) systems.

Tip: XBOW does not support one-time codes sent by SMS, or other forms of MFA. If your target uses an unsupported form of MFA, we recommend temporarily disabling MFA for the duration of the test.

If authentication requires users to receive email and click a link in the message, click Allow XBOW to receive email to create a temporary email address for validating accounts.
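Before pasting an otpauth:// URL, it is worth confirming that it is well-formed and that it yields the same code your authenticator shows, so that a bad secret does not surface later as failed logins. The following is an added example, not part of the XBOW documentation or product: it parses the URL and computes the current TOTP code (RFC 6238) using only the Python standard library. The sample URL, issuer and account are constructed; the secret is the public RFC 6238 test key in base32.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(url: str) -> dict:
    """Parse an otpauth://totp/... URL, applying the RFC 6238 defaults for missing fields."""
    parts = urlparse(url)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("only otpauth://totp/ URLs are supported")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URL has no secret parameter")
    label = unquote(parts.path.lstrip("/"))
    issuer, _, account = label.rpartition(":")  # label is "Issuer:account" or just "account"
    return {
        "issuer": q.get("issuer", issuer),
        "account": account,
        "secret": q["secret"],
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def totp(params: dict, now=None) -> str:
    """Compute the TOTP code for the parsed parameters at Unix time `now` (default: current time)."""
    secret = params["secret"].upper().replace(" ", "")
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # restore base32 padding if stripped
    counter = int((time.time() if now is None else now) // params["period"])
    digest = hmac.new(key, struct.pack(">Q", counter), params["algorithm"].lower()).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.4
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** params["digits"]).zfill(params["digits"])


# Constructed sample (not a real account); the secret is the RFC 6238 test vector key.
SAMPLE_URL = ("otpauth://totp/ExampleApp:xbow-test%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleApp&digits=6&period=30")

if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URL)
    print(p["issuer"], p["account"], "current code:", totp(p))
```

Compare the printed code against your authenticator app; if they differ, the URL (or the clock on the machine running it) is wrong and should be fixed before the test starts.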

Social login

If your target supports authentication using a social account, enter the username and password for that account in the Username and Password fields.

  • Supported: GitHub and Microsoft accounts
  • Not supported: Google accounts. Google blocks XBOW test requests even after successful authentication.

Basic HTTP authentication and static bearer token

  1. Scroll down the page to the Authorization header section and click to expand it.

  2. From the dropdown menu, select an authentication option (default is None):

    • Basic auth: Use to authenticate with a username and password.
    • Bearer token: Use to authenticate with a static bearer token or API key.
    • Custom: Use to authenticate with a custom value.

Note: Tokens and API keys must remain valid for the whole assessment.

Provide additional guidance

This is not usually needed, but if you have a complex or unusual method of authenticating, you can give XBOW instructions on how to authenticate with the details you provide in the “Credential set” area.

  1. Locate the Specific authentication instructions section and click to expand it.
  2. Write step-by-step authentication instructions using the credentials you provided above. Write clear, detailed instructions that a human security tester could follow.

Next steps

  1. Provide XBOW with context to guide testing (optional)
  2. Configure your server to allow XBOW requests