Scope configuration

XBOW enforces domain scope boundaries at the network level during assessments. Proper scope configuration ensures comprehensive testing while protecting out-of-scope systems.

Domain scope rules

After the configuration check phase, XBOW proposes initial scope rules based on domains accessed during authentication and discovery. Review these rules to ensure all application components are included but only the planned domains are attacked.

Target domains and subdomains are marked as Attackable while third-party sites are marked as Allow Visit.

Domain rule types

  • Attackable: Actively tested for vulnerabilities. Use this only for domains that are part of your application’s core functionality. For example:
    • Primary application domain, such as www.example.com
    • API endpoints, such as api.example.com or graphql.example.com
    • Internal services, such as internal.example.com
    • AI or specialized services, such as llm.example.com
  • Allow Visit: Visit but do not test. Use this for domains that support application functionality but should not be tested. For example:
    • Content delivery networks (CDNs)
    • Analytics or telemetry services
    • External domains serving assets required for application rendering, such as JavaScript files, fonts, and images
    • Third-party authentication providers
    • SSO services
  • Blocked: Do not access or test. Use this only for domains that should never be accessed. Any domain not explicitly listed in the scope is treated as blocked.

Note: Lightspeed users are prevented from setting “Attackable” for a third-party domain.

Troubleshooting scope issues

Most scoping problems come from blocking a domain that the attackable domains depend on for the functionality under test. The symptoms vary with the purpose of the blocked domain.

Incomplete assessments

Symptom: The assessment completes quickly with few findings, or authentication failures occur during testing.

Possible causes:

  • Critical domains are blocked or missing from scope
  • JavaScript assets required for application logic are blocked
  • Authentication-related domains are not accessible

Solutions:

  • Add missing domains to scope as “Attackable” or “Allow Visit”
  • Review authentication flows to identify required domains
  • Configure authentication providers as “Allow Visit” rather than “Blocked”

Application rendering issues

Symptom: XBOW reports difficulty identifying UI elements or navigating the application.

Possible causes:

  • Static assets (images, fonts, stylesheets) are blocked
  • CDN domains are not accessible
  • Required JavaScript files cannot load

Solutions:

  • Configure CDN domains as “Allow Visit”
  • Ensure static asset domains are accessible
  • Review browser console errors to identify blocked resources

Failed authentication

Symptom: XBOW cannot maintain authenticated sessions during testing.

Possible causes:

  • Authentication-related domains are blocked
  • Session management services are not accessible
  • Token refresh endpoints are out of scope

Solutions:

  • Configure authentication providers as “Allow Visit”
  • Add session management domains to scope
  • Ensure token refresh endpoints are accessible
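The following is an added example, not XBOW's own code, that models the three rule types above (Attackable, Allow Visit, Blocked, with unlisted domains treated as Blocked) and then runs the troubleshooting check described in this section: extract the hosts an application actually touches from constructed console lines and report which of them the scope would block. It assumes a rule syntax of exact hostnames plus "*.example.com" wildcards for subdomains, and that the most specific matching rule wins; neither assumption is stated on the page. All hostnames and console lines are constructed.

```python
"""Scope-rule evaluator and preflight check (illustrative; not XBOW's code).

Assumptions not stated on the page:
  * a pattern is an exact hostname or "*.example.com" (any subdomain; the
    apex needs its own rule);
  * when several rules match, the most specific (longest) pattern wins.
"""
import re
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlsplit


class Disposition(Enum):
    ATTACKABLE = "Attackable"    # actively tested
    ALLOW_VISIT = "Allow Visit"  # fetched for functionality, never tested
    BLOCKED = "Blocked"          # never contacted


@dataclass(frozen=True)
class ScopeRule:
    pattern: str
    disposition: Disposition

    def matches(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        pat = self.pattern.lower()
        if pat.startswith("*."):
            return host.endswith(pat[1:])   # "*.example.com" -> ".example.com"
        return host == pat

    @property
    def specificity(self) -> int:
        return len(self.pattern.lstrip("*."))


def resolve(rules, host):
    """Default deny: a host that no rule names is Blocked."""
    hits = [r for r in rules if r.matches(host)]
    if not hits:
        return Disposition.BLOCKED
    return max(hits, key=lambda r: r.specificity).disposition


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def hosts_in(lines):
    """Unique hostnames from URLs embedded in text such as console errors."""
    found = []
    for line in lines:
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname
            if host and host not in found:
                found.append(host)
    return found


def preflight(rules, observed_hosts):
    """Hosts the application touches that the current scope would block."""
    return [h for h in observed_hosts if resolve(rules, h) is Disposition.BLOCKED]


def third_party_attackable(rules, owned_suffixes):
    """Attackable rules whose pattern is not under a domain you own."""
    def owned(pattern):
        base = pattern.lstrip("*.")
        return any(base == s or base.endswith("." + s) for s in owned_suffixes)
    return [r.pattern for r in rules
            if r.disposition is Disposition.ATTACKABLE and not owned(r.pattern)]


# Constructed scope: target domain plus subdomains attackable, one carve-out,
# and the CDN and identity provider visitable only.
RULES = [
    ScopeRule("example.com", Disposition.ATTACKABLE),
    ScopeRule("*.example.com", Disposition.ATTACKABLE),
    ScopeRule("staging.example.com", Disposition.BLOCKED),  # overrides wildcard
    ScopeRule("cdn.example-assets.net", Disposition.ALLOW_VISIT),
    ScopeRule("login.idp.example", Disposition.ALLOW_VISIT),
]

# Constructed browser-console style lines from a discovery run.
CONSOLE_LINES = [
    "GET https://www.example.com/app 200",
    "GET https://api.example.com/v1/me 401",
    "Loaded https://cdn.example-assets.net/bundle.js",
    "Failed to load https://fonts.example-cdn.net/inter.woff2",
    "Redirect to https://login.idp.example/authorize",
    "Token refresh https://auth.example-session.net/refresh failed",
]

if __name__ == "__main__":
    seen = hosts_in(CONSOLE_LINES)
    for host in seen:
        print(f"{host:28} {resolve(RULES, host).value}")
    for host in preflight(RULES, seen):
        print(f"needed by the app but Blocked: {host} -> consider 'Allow Visit'")
```

Running it lists every observed host with its disposition and flags the font CDN and the session-refresh host as blocked, which matches the rendering and failed-authentication symptoms above; `third_party_attackable` is the check behind the note that a third-party domain should not be marked Attackable.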