Everybody, Let's VAddy!

Quickstart Guide for Continuous Web Security Testing with VAddy

FAQ

Registering Your Server

Can I delete the verification file after I have registered my server?

No. If you delete the verification file, scans will be cancelled before they begin.

Can I scan a test server that uses basic authentication or is behind a firewall that restricts access?

If your server uses basic authentication, you can enter an ID and password in the appropriate text fields when you register the server with VAddy.

If your server is behind a firewall that restricts access, configure your firewall to allow connections from the two IP addresses shown at the bottom of the server list screen that you see when you log in.

Crawling

Why do I have to crawl my site before I can scan it?

VAddy needs to know which URLs and parameters to scan, so you must crawl them first. This also allows you to scan applications that require login credentials as well as hidden pages that can't be reached via links. Furthermore, this has the advantage of reducing scan times by skipping pages that you don't need to scan.

If I register crawl data several times, which will be used during security scans?

Only the latest crawl data will be used to scan your site.

Because you can't combine data from multiple crawling sessions, you should cover all of your access patterns whenever you register crawl data. This is easy to do if you record all of your access patterns with Selenium or some other browser automation tool.

What happens if I view another site while I'm registering URLs to crawl?

If you attempt to view another site through VAddy's proxy server, you will encounter a 403 Forbidden error; that site's URL will not be recorded with the crawl data.

What is "Edit Whitelisted IP Addresses"?

If a third party were to discover your verification filename, that party could—unbeknownst to you—change the URLs registered with your crawl data. For additional security, you can also restrict the IP addresses that are allowed to register crawl data.

Connections from all IP addresses are allowed by default; to only allow connections from your own network, register the appropriate IP addresses.

Scanning

Is it safe to scan production servers?

We don't allow you to scan production servers. If we did, VAddy requests could register garbage data with your production servers or even delete existing data.

What does "Num of scan request" mean on the scan results screen?

This is the number of HTTP requests that were sent to your server in the process of scanning it.

To check for both SQL injection and XSS vulnerabilities, VAddy currently sends at least two requests for each URL parameter. For example, it would send 4 scan (HTTP) requests for http://example.com/check.cgi?foo=aaa&bar=bbb: 2 HTTP requests to test foo and 2 HTTP requests to test bar.

What if "Num of scan requests" is 0?

This means that no scan requests were sent. When you registered crawl data, you may not have accessed any URLs that can be scanned. For example, you may have only accessed static (e.g. HTML and GIF) files, or you may have accessed the URL that is used to stop crawling immediately after the URL that is used to start crawling.

VAddy only scans GET and POST requests that have parameters. GET requests include parameters in the URL (e.g. “foo=aaa&bar=bbb”).
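The two rules above (only GET and POST requests with parameters are scanned, and at least two scan requests per parameter) can be used to sanity-check crawl data before a scan and to explain a "Num of scan requests" of 0. The following is an added example, not VAddy's own code or crawl-data format: it assumes a simplified crawl record shape of (method, URL, form-encoded POST body) and applies the FAQ's counting rule to a small constructed crawl.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed crawl records in a hypothetical (method, url, body) shape.
# This is NOT VAddy's actual crawl-data format; it only illustrates the rules.
SAMPLE_CRAWL = [
    ("GET", "http://example.com/check.cgi?foo=aaa&bar=bbb", ""),
    ("POST", "http://example.com/login", "user=alice&pass=secret"),
    ("GET", "http://example.com/index.html", ""),      # static page: no parameters
    ("GET", "http://example.com/logo.gif", ""),        # static file: no parameters
    ("PUT", "http://example.com/api/item?id=1", ""),   # not GET/POST: skipped
]

# The FAQ states at least two requests per parameter (one SQL injection
# probe and one XSS probe); this estimate uses exactly that minimum.
REQUESTS_PER_PARAM = 2


def scannable_params(method, url, body):
    """Return the parameter names that would be tested for one crawl record,
    or an empty list if the record would not be scanned at all."""
    if method not in ("GET", "POST"):
        return []
    # GET parameters live in the URL query string.
    names = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    # Assumption: POST bodies are application/x-www-form-urlencoded.
    if method == "POST":
        names += [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    return names


def estimate_scan_requests(crawl):
    """Return (minimum scan request count, records that contribute nothing).

    A result of 0 with every record listed as skipped is exactly the
    "Num of scan requests is 0" situation described in the FAQ."""
    total = 0
    skipped = []
    for method, url, body in crawl:
        params = scannable_params(method, url, body)
        if params:
            total += REQUESTS_PER_PARAM * len(params)
        else:
            skipped.append((method, url))
    return total, skipped


if __name__ == "__main__":
    count, unscanned = estimate_scan_requests(SAMPLE_CRAWL)
    print("minimum scan requests:", count)
    for method, url in unscanned:
        print("no scan requests for:", method, url)
```

For the constructed crawl the estimate is 8 (two parameters in the GET URL and two in the POST body, two requests each), and the three remaining records are reported as contributing no scan requests. If a real crawl produces only the skipped list, the crawl data contains nothing VAddy can test.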

What does "Parameter Name of problem" mean on the detailed scan results page?

The indicated parameter is the one that triggered the finding in the given URL. Work out why that parameter's value is handled unsafely and fix it in your application's code.

For example, if foo is the problematic parameter and VAddy shows that it has a cross-site scripting vulnerability, try escaping the HTML entities in foo before displaying it on your site.
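To make the escaping advice concrete, here is an added example (not code from VAddy or from the page) showing a hypothetical handler that reflects the foo parameter into a page. The vulnerable version inserts the raw value; the hardened version escapes HTML entities first, which is the fix the FAQ recommends. The probe string is a constructed sample of the kind of value a scanner reflects to detect cross-site scripting.

```python
import html

# Constructed probe value: a scanner reports XSS when input like this
# comes back in the response unchanged.
PROBE = "<script>alert(1)</script>"


def render_greeting_unsafe(foo):
    """Vulnerable: the parameter is copied verbatim into the HTML body."""
    return "<p>Hello, " + foo + "</p>"


def render_greeting_safe(foo):
    """Fixed: HTML entities are escaped before the value reaches the page,
    so '<', '>', '&' and quotes become text instead of markup."""
    return "<p>Hello, " + html.escape(foo, quote=True) + "</p>"


def render_input_safe(foo):
    """Attribute context: escape AND keep the attribute value quoted, so a
    value containing '"' cannot break out of the attribute."""
    return '<input name="foo" value="' + html.escape(foo, quote=True) + '">'


def is_reflected_unescaped(rendered, probe):
    """Simple check mirroring what a scanner looks for: is the probe
    present in the output exactly as sent?"""
    return probe in rendered


if __name__ == "__main__":
    print("unsafe :", render_greeting_unsafe(PROBE))
    print("safe   :", render_greeting_safe(PROBE))
    print("attr   :", render_input_safe('x" onmouseover="alert(1)'))
```

Escaping must match the output context: html.escape with quote=True covers text nodes and quoted attribute values, but a parameter written into a script block, a URL or a CSS property needs the encoding appropriate to that context instead.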

Why was my scan cancelled?

Either VAddy could not find your verification file or it timed out trying to reach your server.

If you have removed the verification file, please reinstall it. If there was a timeout, try reducing the number of URLs that you register in your crawl data.

Teams

Can I use VAddy with my team? (Standard,Professional)

Yes! You can register and set access permissions for up to 5 team members per domain on the Standard plan, or for up to 50 team members per domain on the Professional plan.

How do access permissions work? (Standard,Professional)

Each user account registered with a domain has one of three types of access permissions:

  • The domain’s owner can add and remove servers; add and remove team members; register and view crawl data; run scans; and view scan results.
  • A user with write access can register and view crawl data, run scans, and view scan results.
  • A user with read access can view crawl data and scan results.

Note that each domain inherits all the abilities and limitations of its owner’s plan (including how long scans can run and which vulnerabilities they test). For example, if the owner of www.example.com is on the Professional plan, every team member who can access www.example.com also receives all the benefits of the Professional plan on that domain.


How do I add team members? (Standard,Professional)

Once your team members have signed up for their own VAddy accounts, you can add them to any domain you control by selecting the domain from the admin dashboard or Select Server menu.

Billing

Will I receive a refund if I downgrade or cancel my plan before the end of the month? (Standard,Professional)

No, we don’t offer prorated billing or refunds.

When will I be billed? (Standard,Professional)

We process payments at the start of each month for the previous month’s usage.

If I switch to another plan before the end of the month, when will that change take effect? (Standard,Professional)

You can start using your new plan immediately, but we won’t bill you at your new rate until the start of the next month.

Can I pay in my local currency? (Standard,Professional)

All of our prices are in U.S. dollars. If your credit card is denominated in another currency, your credit card company will automatically charge you in that currency at the current exchange rate.

Can I request a receipt? (Standard,Professional)

We don’t currently issue receipts, but you should be able to use your credit card statement as proof of payment instead.

Miscellaneous

Can I run VAddy on my intranet?

We only offer a cloud-based service at the present time, though we are aware that some of our customers would prefer an on-premises solution.

Please contact info@vaddy.net to report any problems with the site. We also welcome your opinions and feature requests, which will be used to guide future development.