Integrating with VAddy - Automated API endpoint diagnostics

The VAddy-integrated Kuroco system can perform periodic vulnerability diagnoses on all API endpoints configured via the back-end. This tutorial explains how to integrate VAddy into Kuroco.

Specifications on the official VAddy website are subject to change without notice, so the steps in this tutorial may differ from the actual procedure on VAddy. For the latest information, refer to the VAddy Docs.

1. Sign up for VAddy

In the left sidebar menu, click [External system integration] -> [VAddy].

Click the [Click here to signup for VAddy] link at the top of the VAddy screen.

You will be redirected to the external VAddy signup page.

2. Create a project

VAddy does not allow you to scan the production server. To run a diagnosis, first verify the fully qualified domain name (FQDN) via the steps below. Click [External system integration] -> [VAddy] in the Kuroco sidebar menu.

Verify that the URL displayed in the "Server FQDN" field contains the domain name kuroco-vaddy.com. This will be the FQDN used to run diagnoses.

Create a project on the VAddy screen by following the VAddy Quickstart Guide. For the Server FQDN, specify https:// and enter the URL of the kuroco-vaddy.com domain you verified earlier.

After you have created the project, save the Project ID and Project number. The project number is the number at the end of the URL.

3. Verify the server ownership

Next, configure the ownership verification file by entering its filename on Kuroco. On the VAddy project page, copy the name of the verification file.

Enter the filename (starting with vaddy- and ending with .html) on the Kuroco management screen and click [Update].

After entering the filename, go to the VAddy project top page and click [Verify].

You will be redirected to the verify server owner page. Change the verification URL from http to https by clicking [Change directory/extension].

Click the [Verify] button.

Opening the owner verification URL directly will return a 403 error. Instead, VAddy accesses the URL and performs the verification on its end.

4. Get the API Auth Key

Go to the VAddy WebAPI page by clicking [Your username] -> [WebAPI] in the top menu.

Click [Create WebAPI Key].

Copy your User ID (VADDY_USER) and API Auth Key (VADDY_TOKEN).

That completes the setup on the VAddy website. Since the Kuroco system automatically registers endpoints for the automated vulnerability diagnosis, you do not need to perform Step 2: Crawling manually.

5. Configure the relevant Kuroco settings

In Kuroco's left sidebar menu, click [External system integration] -> [VAddy].

Enter the following information, which you obtained in steps 2 (Create a project) and 4 (Get the API Auth Key):

  • User ID (VADDY_USER)
  • API Auth Key (VADDY_TOKEN)
  • Project ID
  • Project number

Then, click [Update].

You have now successfully integrated VAddy into Kuroco. The system will run automated diagnoses every day at 18:00 UTC to check your Kuroco site for vulnerabilities.
