Blocked URLs
You can protect critical endpoints to prevent unintended consequences during testing. This allows you to fine-tune the attack surface within the attackable domains defined by your scope configuration.
- Scope boundaries define which domains are accessible and which should be attacked; see Scope configuration.
- Blocked URLs let you control how specific URLs within those attackable domains are treated.
Identify endpoints to limit or block access to
Consider defining special treatment for endpoints in these categories:
- Auth-only: XBOW may contact the endpoint but will not test it. Use this for credential management endpoints (such as password resets and account deletion).
- Blocked URL: XBOW will not access the endpoint at all. Use this for high-risk production functionality (such as financial transactions and database writes).
For more information, see Controlling access to sensitive endpoints.
Note: If XBOW has marked any URLs as “Auth-only”, they are needed for authentication or session management. Do not change these settings, because doing so could lead to user lockout and incomplete testing.
Specifying URLs
Each restricted URL applies to specific paths or patterns on attackable domains and can be marked as “Blocked URL” or “Auth-only”. Ensure that you allow “Auth-only” access to endpoints that are needed for authentication.
Both Enterprise and Lightspeed users can define URL paths for special treatment before starting an assessment. Once an assessment starts, the URL paths cannot be modified.
Endpoints to consider
- Credential management, for example:
  - Password reset and change endpoints
  - Account recovery workflows
  - Account deletion functionality
  - Account lockout mechanisms
- High-risk production functionality, for example:
  - Financial transactions and payment processing
  - Payment gateways or billing services
  - Direct writes to production databases
  - Irreversible business workflows
- Calls to out-of-scope systems, for example:
  - ERP systems
  - CRM platforms
  - Partner APIs
  - External integrations not included in the test scope
Troubleshooting blocked URLs
Incomplete assessments
Symptom: Assessment completes quickly with limited findings or skips entire sections of the application.
Possible causes:
- URL blocks are too broad and prevent legitimate testing
- Critical API endpoints are inadvertently blocked
- Pattern-based blocks match unintended URLs
Solutions:
- Review URL block patterns for overly broad matches
- Narrow blocks to specific endpoints rather than entire paths
- Remove blocks that prevent testing of intended functionality
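The following is an added illustration (not XBOW's own code or configuration format) of how the URL treatment described under Specifying URLs can be checked before an assessment starts, and of the overly broad pattern problem described above. It assumes a hypothetical policy model with shell-style glob patterns matched against the URL path; XBOW's real pattern syntax is not documented on this page.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Hypothetical policy model (assumption for this example only).
@dataclass
class UrlPolicy:
    attackable_domains: set
    blocked: list = field(default_factory=list)    # "Blocked URL" path patterns
    auth_only: list = field(default_factory=list)  # "Auth-only" path patterns

def classify(url: str, policy: UrlPolicy) -> str:
    """Return 'out-of-scope', 'blocked', 'auth-only' or 'testable'.

    Domains outside the attackable set are never touched. Blocked takes
    precedence over auth-only so that a conflicting pattern fails closed.
    """
    parts = urlparse(url)
    if parts.hostname not in policy.attackable_domains:
        return "out-of-scope"
    path = parts.path or "/"
    if any(fnmatchcase(path, pat) for pat in policy.blocked):
        return "blocked"
    if any(fnmatchcase(path, pat) for pat in policy.auth_only):
        return "auth-only"
    return "testable"

def find_overblocked(policy: UrlPolicy, intended_urls: list) -> list:
    """List URLs that should be tested but a block pattern catches.

    Worth running before starting an assessment, since the URL paths
    cannot be modified once it is under way.
    """
    return [u for u in intended_urls if classify(u, policy) == "blocked"]

# Constructed sample: a broad block versus the same intent narrowed to
# the two credential endpoints that actually need protecting.
BROAD = UrlPolicy({"app.example.com"}, blocked=["/account/*"],
                  auth_only=["/api/token/refresh"])
NARROW = UrlPolicy({"app.example.com"},
                   blocked=["/account/password-reset", "/account/delete"],
                   auth_only=["/api/token/refresh"])
INTENDED = ["https://app.example.com/account/profile",
            "https://app.example.com/account/orders"]

if __name__ == "__main__":
    print("over-blocked by BROAD :", find_overblocked(BROAD, INTENDED))
    print("over-blocked by NARROW:", find_overblocked(NARROW, INTENDED))
```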
Authentication failures during testing
Symptom: XBOW cannot maintain authenticated sessions during testing.
Possible causes:
- Session management endpoints are blocked
- Token refresh endpoints are blocked
- Authentication validation endpoints are blocked
Solutions:
- Ensure session management endpoints are not blocked
- Allow token refresh and validation endpoints
- Review authentication flow to identify critical endpoints