Run assessment
After a successful configuration check, review and finalize your scope configuration before starting the assessment.
Important: You cannot change domain scopes or blocked URLs after you start an assessment.
Review domain scope
The “Scope” section of the “Configuration check” page shows the domains identified during authentication and discovery checks. Each domain displays a suggested rule type. Target domains and subdomains are marked as Attackable while third-party sites are marked as Allow Visit.
Verify critical domains are included
Automated discovery may not capture all application components. Many applications use multiple subdomains or services that are not exercised during initial authentication. Review the proposed scope to ensure all critical domains are included.
Note: Enterprise users can add missing domains to the configuration. Lightspeed users should contact XBOW if a critical domain is missing.
- In the “Add domain” field at the end of the domain list, enter the missing domain.
- Click Add scope to add the domain to the list.
Check domain rule types
Each domain is defined as Attackable, Allow Visit, or Blocked. Verify that all domains have the appropriate rule type and edit any incorrect assignments.
- Attackable: Domains that XBOW actively tests for vulnerabilities. Use this for your application’s core functionality.
- Allow Visit: Domains that XBOW can visit but not attack. Use this for third-party services required for application functionality, such as authentication providers, CDNs, or domains serving static assets.
- Blocked: Domains that XBOW cannot access or test. Use this sparingly, only for domains that should never be accessed. Any domain not explicitly listed is treated as blocked by default.
Best practice: Leave domains defined as “Blocked” only if you are certain that the site functions normally in a web browser without any access to them. For more information, see Scope configuration.
Configure URLs for special treatment (optional)
You can restrict sensitive endpoints so that XBOW accesses them only during authentication, or block access to them entirely. For example, you typically want to allow access to credential management endpoints only for authentication and to block access to financial management endpoints. See Controlling access to sensitive endpoints to learn more about why you might want to configure special treatment for some endpoints.
Note: If XBOW has defined any URLs as “Auth-only”, these are needed for authentication or session management. Do not change these settings, as doing so could lead to user lockout and incomplete testing.
Add URLs for special treatment
- Expand the “Blocked URLs” area within the “Scope” section.
- Choose a match type and define the endpoint or endpoint pattern.
  - Exactly matches: Use to match a single endpoint.
  - Starts with: Use to match a group of endpoints that share the same prefix.
  - Includes: Use to match a group of endpoints with a shared element.
  - Regexp matches: Use to match a group of endpoints where the pattern is more complex.
- Click Block URL to add a row with your definition. Update the behavior to Auth-only if needed.
- Use the “Simulator” area to verify that the pattern matches all relevant variations (for example, /api/delete and /api/v1/delete).
- Ensure legitimate testing paths remain accessible.
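As an added illustration (not XBOW's own matching code), the following models the four match types and the “Simulator” check so you can see why an “Exactly matches” rule misses versioned variants and why an over-broad “Includes” rule blocks legitimate paths. It assumes that the first matching rule wins and that a path matched by no rule remains testable.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class UrlRule:
    """One 'Blocked URLs' row: a match type, a pattern and a behavior."""
    match_type: str            # "exact" | "starts_with" | "includes" | "regexp"
    pattern: str
    behavior: str = "blocked"  # or "auth_only"

    def matches(self, path: str) -> bool:
        if self.match_type == "exact":
            return path == self.pattern
        if self.match_type == "starts_with":
            return path.startswith(self.pattern)
        if self.match_type == "includes":
            return self.pattern in path
        if self.match_type == "regexp":
            return re.search(self.pattern, path) is not None
        raise ValueError(f"unknown match type: {self.match_type}")

def classify(path: str, rules: list) -> str:
    """Behavior for a path: first matching rule wins; an unmatched path
    stays 'testable' (assumption: no rule means normal testing)."""
    for rule in rules:
        if rule.matches(path):
            return rule.behavior
    return "testable"

def simulate(rules: list, paths: list) -> dict:
    """Simulator-style table: each candidate path with the behavior it gets."""
    return {p: classify(p, rules) for p in paths}

def mismatches(rules: list, paths: list, expected: str) -> list:
    """Paths whose resulting behavior differs from what the operator intended."""
    return [p for p, b in simulate(rules, paths).items() if b != expected]

# Constructed sample: variants of a delete endpoint that must all be blocked,
# plus legitimate endpoints that must stay testable.
DELETE_VARIANTS = ["/api/delete", "/api/v1/delete", "/api/v2/delete"]
MUST_STAY_TESTABLE = ["/api/items", "/api/deleted-items"]

EXACT_ONLY = [UrlRule("exact", "/api/delete")]              # misses versioned paths
TOO_BROAD = [UrlRule("includes", "delete")]                 # also hits /api/deleted-items
PRECISE = [UrlRule("regexp", r"^/api(/v\d+)?/delete$"),     # blocks every variant only
           UrlRule("starts_with", "/auth/", "auth_only")]   # login flow kept for auth

if __name__ == "__main__":
    for name, rules in [("exact", EXACT_ONLY), ("broad", TOO_BROAD), ("precise", PRECISE)]:
        print(name, mismatches(rules, DELETE_VARIANTS, "blocked"),
              mismatches(rules, MUST_STAY_TESTABLE, "testable"))
```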
Start your assessment
Once you’ve reviewed and confirmed your scope configuration:
- Click Start assessment.
- XBOW begins systematically testing your application for vulnerabilities.
- Monitor progress on the assessment dashboard.