Target types

XBOW currently supports testing web applications and their APIs. Web applications are websites with interactive features such as forms, dashboards, or user accounts. See Choosing a target to test.

Expected target behavior

Testing assumes by default that the web application meets the following requirements:

  • Complete environment: Fully functional, with no pending onboarding steps or incomplete setup flows.
  • Concurrent sessions supported: Allows multiple simultaneous authenticated sessions per user across different devices.
  • Activity-based sessions: Uses activity-based expiration for sessions rather than fixed timeouts (for example, sessions remain active as long as requests are being made). This allows active tests to use their sessions until completion, avoiding interruptions from premature expiration.
  • Supported authentication method: XBOW must be able to authenticate with the application or API. See Authentication methods.
  • Support for Chrome browsers: Testing is carried out using Chrome-based functionality.

Incompatible targets

Not all applications are suitable for XBOW testing. The following conditions can make an application incompatible, potentially leading to failed assessments or limited findings:

Network accessibility issues

  • Not publicly accessible from the internet
  • Unable to allowlist XBOW IP addresses in firewall or WAF
  • Behind VPN or network configurations that block XBOW access

Application quality issues

  • Test or toy applications that are unstable or not representative of production systems
  • Applications with incomplete functionality or pending setup requirements
  • Presence of test flags, markers, or pre-inserted payloads that may interfere with testing

Infrastructure limitations

  • End-of-life servers, services, or SSL certificates
  • Insufficient resource provisioning leading to performance or stability issues under test load
  • Lack of support for modern Chrome-based browsers

Session and authentication incompatibilities

  • Inability to support multiple concurrent authenticated sessions
  • Fixed session timeouts that expire too quickly for testing
  • Authentication methods not supported by XBOW. See Authentication methods.

Getting help

If your target does not have a web application interface or does not match these expectations, contact XBOW to discuss your needs before starting an assessment.

Note: Support for penetration testing of other target types is on our roadmap.