Vega is a cross-platform open source web security scanner written in Java and is GUI (Graphical User Interface) based. Vega can help detect vulnerabilities such as Reflected XSS (Cross-Site Scripting), Stored XSS, blind SQL Injection, RFI (Remote File Inclusion), shell injection, information disclosure, etc. Vega also examines for TLS/SSL security settings and presents us with suggestions for improving the security of the TLS server. Vega can be extended using a powerful API in the language of the web: JavaScript

Vega can be download from https://subgraph.com/vega/download/index.en.html for Windows, Linux, and MacOS.

Vega provides us with the following features as well:

  • Automated Scanner: Vega has an inbuilt web crawler which powers its automated scanner. It can log into websites as well, as long as valid user credentials are provided to it.
  • Intercepting Proxy: Vega can be used to communicated between clients and servers over SSL as well.
  • Proxy Scanner: Vega can be configured to run attack modules while the user is browsing the target site. This allows for semi-automated, user-driven security testing to ensure maximum code coverage.

Scanning a simple Web Page

For this demo, we will be scanning a simple web page called ‘test.php‘ that we have purposely made vulnerable to XSS. This simple exercise will allow us to check how effective of a tool Vega is.

The file ‘test.php‘ is hosted on our local server.

To start, open Vega and click on the red bullseye (marked in black) to start a new scan. A popup window will open asking us for information about the target. Since this is a basic scan we are dealing with, simply enter the URL (marked in blue) and click Next:

On the next page, we’ll be asked to select the vulnerabilities we can Vega to check for. For this demo, we have selected all:

In the next screen, we’ll be asked about the authentication details for the target website. Since we aren’t dealing with any authentication, we’ll leave it blank for now:

Vega gives us the option for excluding certain parameters from the scan. By default, it adds a few by itself. However, it also gives us the option to add more or remove the ones already added:

Once done, we can finally start our scan.

Once the scan is done, we can see the overview of the vulnerabilities found by Vega (marked in green) and a detailed version of the same by clicking on a particular vulnerability it found in the bottom-left hand side (marked in red):

Here we can see that Vega found that our page “test.php” is vulnerable to:

  • Cross Site Scripting
  • SQL Injection
  • It also found an HTTP error

Like all scanners, Vega also detects vulnerabilities that aren’t there, i.e., false positives. Now let’s have a look at the code of “test.php“:

As we can see that our page is vulnerable to Cross-Site Scripting but not to SQL Injection as there is no database connectivity. However, just to double check, we shall check for Cross-Site Scripting manually as well:

As we can see, our page is vulnerable to Cross-Site Scripting.

To see more information on the same and what Vega found out, we get deeper into the vulnerability it found out. Here, it tells us more information about what Cross-Site Scripting is, the kind of risk it possesses, the impact it can have on our web page, and the request parameter it used to detect the vulnerability (marked in purple):

To know more about the request parameter, click on the request parameter. Over here, we can see all the requests Vega made to the web application along with the responses it got back:

Scanning an Advance Web Application

For a further test, we will be using Damn Vulnerable Web Application (DVWA). It is an open source application on which we can practice various security tests at various levels. It can be downloaded from https://github.com/ethicalhack3r/DVWA. Installation instructions and setup is present with it.

Since DVA requires the user to login first, we’ll be using a proxy server to record the login sequence which then can be used by Vega. For us to do that, we first need to set our browser to use a proxy to 127.0.0.1:8888

Once done, we can now begin recording the login sequence:

To do that, select the proxy button on the top-right hand side (marked in dark blue). Then, to start recording, click on the green play icon the top-left hand side (marked in red) to begin recording. Once clicked, go to your browser and enter the credentials. When logged in, go back to Vega, and there you’ll be able to see the request that was made (marked in turquoise):

Now that the proxy has seen the login sequence, it can play it back. To do that, we go back to the scanner (marked in blue) and create a new Identity to save the login sequence. To create a new identity, click on the icon marked in red, name the identity and select macro from the drop-down below:

Once done, we will create a new Macro. Name the Macro, select add “Add Item” (marked in black) and select the POST request made by the proxy where the login takes place:

Once done, Click on Finish:

Now, we edit the Scan Scope. We do this to add the scope of the scan and exclude anything from the scope. This can be found Under “Scan“:

Ethical Hacking Training – Resources (InfoSec)

In this case, we’ll be adding the entire web application as the scope and exclude the logout link so that Vega doesn’t log itself out while scanning:

Now we begin our scan. To do that, we start by adding a new scan, by click on the red bullseye button (as we did in the first case). In this case, we select a target scope (marked in blue) rather than entering an URL:

Note: Untick the option under Web Model (marked in black)

Next, we again select the vulnerabilities we want Vega to scan for:

Once done, we now add the identity in which we have saved the macro for the login sequence:

Finally, we exclude any parameters (optional):

When done, Vega will start scanning our web application. Now wait and let Vega do its job.

Conclusion

Vega is decent scanner but being open source and cross-platform, it is put higher on the list than many. It possesses quite a lot features for a scanner however it is used by a very few even having various functionalities.