
Vanta & XBOW: AI-Powered Penetration Testing (Public Preview)

Written by Shannon DeLange
Updated yesterday

Vulnerability management is an essential part of both compliance and security. From a compliance perspective, frameworks such as SOC 2 and ISO 27001 require organizations to have a vulnerability management program in place. From a security standpoint, finding and fixing vulnerabilities before an attacker does reduces the risk of a breach and builds trust with customers and prospects.

Configure an XBOW Penetration Test

  • From the left-hand navigation panel, select Pen tests.

  • Select Create new test.

  • Enter the target URL.

    • We recommend testing against a staging environment only if it fully mirrors production (same code, configuration and integrations); findings from a staging environment that differs from production may not apply to production. If your staging environment does not mirror production, run the test against production.

  • If the site requires authentication, enter the username and password of a test account the scanner should log in with.

  • If the site does not require authentication, select "this site does not use authentication".

Optional:

If you have infrastructure in place to protect your site from abuse (a WAF, firewall or rate limiter, for example), we recommend allowlisting the following XBOW source IP addresses so that the scanner's requests are not blocked or throttled and the test covers your domain completely.

13.59.171.92
18.220.171.27
3.131.87.64
3.137.71.91
3.18.165.130
3.21.131.137
3.21.217.89
3.22.165.38

Optional Configuration

  • From the optional configuration section, you can specify HTTP headers that XBOW adds to every request it makes during the test (for example, a header your WAF or logging pipeline can use to recognize scanner traffic).

  • You can also set the maximum requests per second. We recommend the default value of 50 requests per second.

    • Rates that are too low lead to very long-running tests.

    • Rates that are too high place a large load on your domains.

  • When ready, select "Check for access"

    • This may take a few moments.
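Once the scanner IPs are allowlisted and a custom header is configured, it is worth confirming from your own access logs that the scanner is actually getting through and staying within the configured rate. The script below is an added example, not Vanta's or XBOW's own tooling. It assumes combined (Apache/nginx) log format with the value of one custom request header appended as a final quoted field, a hypothetical header value of "xbow-2024q3" set in the test's optional HTTP headers, and a constructed sample log.

```python
"""Separate XBOW scanner traffic from ordinary users in an access log and check
that the WAF or rate limiter is not interfering with the test.

Added example; not Vanta's or XBOW's own tooling. Assumes combined log format
with one custom header value logged as the final quoted field.
"""
import re
from collections import Counter
from datetime import datetime

# Source addresses published for XBOW on this page.
XBOW_IPS = frozenset({
    "13.59.171.92", "18.220.171.27", "3.131.87.64", "3.137.71.91",
    "3.18.165.130", "3.21.131.137", "3.21.217.89", "3.22.165.38",
})

# Hypothetical value of the custom header (say X-Pentest-Id) configured in the
# optional configuration step; the web server logs it as the last field.
PENTEST_HEADER_VALUE = "xbow-2024q3"

# Combined log format, optionally followed by the logged header value.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<pentest>[^"]*)")?$'
)

# Statuses a WAF or rate limiter typically returns when it blocks a request.
BLOCK_STATUSES = {403, 429}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = m["req"].split(" ")
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": parts[0],
        "path": parts[1] if len(parts) > 1 else "",
        "status": int(m["status"]),
        "pentest": m["pentest"],
    }


def is_scanner(entry):
    """Scanner traffic is recognised by source IP or by the custom header."""
    return entry["ip"] in XBOW_IPS or entry["pentest"] == PENTEST_HEADER_VALUE


def analyze(lines, configured_rps=50):
    """Summarise scanner traffic: volume, blocked requests and peak rate."""
    per_second = Counter()
    blocked = []
    total = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_scanner(entry):
            continue
        total += 1
        per_second[entry["ts"]] += 1  # timestamps have one-second resolution
        if entry["status"] in BLOCK_STATUSES:
            blocked.append((entry["status"], entry["path"]))
    peak = max(per_second.values(), default=0)
    return {
        "scanner_requests": total,
        "blocked": blocked,
        "peak_rps": peak,
        "within_rate": peak <= configured_rps,
    }


# Constructed sample log: five scanner requests from listed IPs, one ordinary
# user (excluded), and one request recognised only by the custom header.
SAMPLE_LOG = """\
13.59.171.92 - - [10/Oct/2024:02:00:01 +0000] "GET /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0" "xbow-2024q3"
3.21.217.89 - - [10/Oct/2024:02:00:01 +0000] "GET /api/users?id=1%20OR%201%3D1 HTTP/1.1" 403 0 "-" "Mozilla/5.0" "xbow-2024q3"
18.220.171.27 - - [10/Oct/2024:02:00:01 +0000] "GET /static/app.js HTTP/1.1" 200 48210 "-" "Mozilla/5.0" "xbow-2024q3"
3.131.87.64 - - [10/Oct/2024:02:00:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" "xbow-2024q3"
3.131.87.64 - - [10/Oct/2024:02:00:02 +0000] "GET /admin HTTP/1.1" 429 0 "-" "Mozilla/5.0" "xbow-2024q3"
203.0.113.5 - - [10/Oct/2024:02:00:02 +0000] "GET / HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:02:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 61 "-" "Mozilla/5.0" "xbow-2024q3"
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    print(report)
    for status, path in report["blocked"]:
        print(f"blocked {status} on {path}: check the WAF/rate-limit allowlist for XBOW")
```

A 403 on a path the application itself forbids to the test account is expected and not a WAF problem, so compare the blocked list against the WAF's own logs before changing rules; a 429 from a listed IP almost always means the scanner is being throttled rather than allowlisted.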

Review the Scope

  • Select the domains and subdomains to include in the test by toggling each one on or off.

  • For each domain that is on, select the type of test you would like performed.

    • Attack: Domains set to "Attack" are in scope for the penetration test and included in your quote.

    • Visit: Domains set to "Visit" are not tested but remain accessible during the penetration test. This is typically useful for SSO sign-in, where the scanner must navigate to an external site (e.g., Okta) to authenticate.

  • Select Save.

Name and Schedule the Test

  • Provide a name for the test.

  • Select the approved time window. If you are targeting a production environment, scheduling the test during off-hours reduces the risk of disruption.

  • Confirm that you own the target website and consent to the penetration test.

  • Select Continue to pricing.

  • XBOW provides a quote for the test. If you choose to proceed, select Launch test.

XBOW Scans

XBOW's comprehensive scan identifies:

  • Local file inclusion (LFI)

    • Detects when user-controlled input lets the application read or include local files it should not expose.

  • Exposed secrets

    • Identifies hardcoded or leaked sensitive data such as API keys, tokens, or credentials.

  • Cross-site scripting (XSS)

    • Flags injection points where attacker-supplied script would execute in a victim's browser.

  • SQL injection (SQLi)

    • Detects unsafe database queries that could be manipulated to access or alter data.

  • Open redirect

    • Flags redirects that can be abused to send users to untrusted or malicious destinations.

  • Application specific

    • Highlights flaws unique to the application’s custom logic or implementation.

  • Server-side request forgery (SSRF)

    • Identifies cases where the server can be tricked into making requests to internal or otherwise unreachable resources.

  • Remote code execution (RCE)

    • Detects vulnerabilities that allow arbitrary code to be executed on the server.

  • Cache poisoning

    • Surfaces weaknesses that could allow malicious content to be stored and served from a cache.
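To make two of these categories concrete, here is an added example (not XBOW's detection logic and not Vanta's code) showing the unsafe pattern an open-redirect or SSRF finding points at, next to a hardened version. The route parameters, the allowlisted hosts and the DNS table are assumptions made for the example.

```python
"""Open redirect and SSRF: the unsafe pattern next to a hardened version.

Added example; not XBOW's detection logic and not Vanta's code. Allowlists,
parameter names and the DNS table are assumptions.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Hosts a post-login "next" redirect may target (assumed; e.g. the SSO IdP).
ALLOWED_REDIRECT_HOSTS = {"app.example.com", "login.example.com"}
# Hosts the server may fetch on a user's behalf, e.g. for a URL preview (assumed).
ALLOWED_FETCH_HOSTS = {"cdn.example.com", "reports.example.com"}


# --- Open redirect --------------------------------------------------------

def redirect_target_unsafe(next_param):
    """Vulnerable: ?next=https://evil.example/ sends the user off-site."""
    return next_param


def redirect_target_safe(next_param, default="/"):
    """Allow only same-site absolute paths or allowlisted hosts."""
    if not next_param:
        return default
    p = urlparse(next_param)
    if p.scheme == "" and p.netloc == "":
        # Relative URL. Browsers treat "//host" and "/\host" as host-relative,
        # so require exactly one leading slash followed by a path character.
        if p.path.startswith("/") and not p.path.startswith(("//", "/\\")):
            return next_param
        return default
    # Absolute URL: .hostname ignores userinfo, so
    # https://app.example.com@evil.example/ is judged by "evil.example".
    if p.scheme in ("http", "https") and p.hostname in ALLOWED_REDIRECT_HOSTS:
        return next_param
    return default


# --- SSRF -----------------------------------------------------------------

def fetch_target_unsafe(url):
    """Vulnerable: returns whatever host the caller asked for, so the server
    would fetch http://169.254.169.254/ (cloud metadata) or localhost ports."""
    return urlparse(url).hostname


def validate_fetch_url(url, resolve=socket.gethostbyname):
    """Return (allowed, reason). Rejects non-http(s) schemes, hosts outside the
    allowlist, and hosts resolving to non-global (loopback, RFC 1918,
    link-local, metadata) addresses."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return False, f"scheme {p.scheme!r} not allowed"
    host = p.hostname
    if not host:
        return False, "no host in URL"
    if host not in ALLOWED_FETCH_HOSTS:
        return False, f"host {host!r} not on allowlist"
    try:
        addr = ipaddress.ip_address(resolve(host))
    except (OSError, ValueError) as exc:
        return False, f"cannot resolve {host!r}: {exc}"
    if not addr.is_global:
        return False, f"{host!r} resolves to non-global address {addr}"
    return True, "ok"


# Constructed DNS table so the example runs offline. Production code uses the
# real resolver and must connect to the address it validated (pinning), or a
# DNS rebinding attack can swap the address after the check.
FAKE_DNS = {"cdn.example.com": "93.184.216.34", "reports.example.com": "10.0.0.5"}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for nxt in ["/dashboard", "//evil.example/", "https://app.example.com@evil.example/"]:
        print(nxt, "->", redirect_target_unsafe(nxt), "|", redirect_target_safe(nxt))
    for url in ["http://169.254.169.254/latest/meta-data/",
                "https://reports.example.com/q", "https://cdn.example.com/a.png"]:
        print(url, "->", validate_fetch_url(url, fake_resolve))
```

The redirect check is deliberately strict about the first two characters because the browser, not the server, decides how "//evil.example" or "/\evil.example" is interpreted. The SSRF check resolves even allowlisted hosts, because an allowlisted name that resolves to a private address (reports.example.com in the constructed table) is still a path into the internal network.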

Please note:

  • Authentication setup: Authenticated scans are currently supported only with username and password login. Social logins, 2FA of any type, and CAPTCHAs are not supported. Use dedicated test accounts and disable account lockout limits on them, so that repeated login attempts during the test do not lock the scanner out.

  • Site stability and security: Test against a production site or a staging site that closely mirrors production. An under-resourced site may lead to a partial test. Also allowlist XBOW's IP addresses (listed above) in any security tooling, such as a WAF, before running the test, and restore those rules once the test completes. Note that with the WAF bypassed for the scanner, the findings reflect the application's own defenses rather than the WAF's.

  • Scoping and rate limiting: Scope the test as closely as possible to the resources you want tested. Tests that are too narrow or too broad will run as defined and may reduce the value of the test.

  • Tests also use a requests-per-second setting that determines how quickly the test runs. We recommend the default value of 50 requests per second: rates that are too low lead to very long-running tests, and rates that are too high place a large load on your domains.