Vega - Web Application Security Scanner

Vega is a free and open source web security scanner and web security testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

Vega can help you find vulnerabilities such as: reflected cross-site scripting, stored cross-site scripting, blind SQL injection, remote file include, shell injection, and others. Vega also probes for TLS / SSL security settings and identifies opportunities for improving the security of your TLS servers.

Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection, and other vulnerabilities. Vega can be extended using a powerful API in the language of the web: Javascript.

How does Vega work?

Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection, and other vulnerabilities. It can be extended using a powerful API in the language of the web: Javascript.

vega-scanner
Vega interface

Vega Features:

  1. GUI Based
    Vega has a well-designed graphical user-interface.
  2. Multi-platform
    Vega is written in Java and runs on Linux, OS X, and Windows.
  3. Extensible
    Vega detection modules are written in Javascript. It is easy to create new attack modules using the rich API exposed by Vega.

Scanning with Vega

To start a scan that will crawl the entire site and only check for XSS:

  • Click scan > ‘start new scan’ .
  • In the dialog that appears, enter your target websites url as the ‘base’
  • Click next.

To scan a single page only:

  • Click ‘Choose a Target Scope’.
  • Then Click ‘Edit Scopes’.
  • Next, either add a new scope, or edit an existing one.
  • Add each url to the scope.
  • Click ‘OK’.

By default vega vulnerability scanner will scan for lots of different vulnerability types.

  • Header Injections.
  • Directory Traversal Attacks.
  • URL Injection Attacks.
  • XML Injection Attacks.
  • XSS Injections.
  • Blind SQL Injections.
  • Shell Injection Attacks.
  • Remote file include Attacks.
  • String Format attacks.
  • OS Command Injection Attacks.

You can download Vega from official website by this link.

Here you can find additional Vega web application security scanner wiki.

REVIEW OVERVIEW
Easy to use
Cross-platform
GTK requirement in Linux
Vulnerability detection effectivness
False Positives
Available scanning options
SUMMARY
Vega is cross platform open source web vulnerability scanning tool with flexible configuration options and possibility to write own addons using JavaScript. It has good amount of security checks available from the box and for free software has very good detection rate. If speak about false positives - in comparison to payed solutions it lose a bit, but difference are not so critical and with proper customization you can get proper results.
4.3
OVERALL SCORE
SHARE
Previous articleAutomated recon tool with PHP, cURL, wafw00f, WhatWeb, Whois
Next articleBlack Box Penetration Testing Tips & Tricks
Avatar
Uladzislau Murashka
https://www.cybersecuriosity.com
Penetration Testing & Information Security Specialist, Certified Ethical Hacker. Uladzislau Murashka provides information security and penetration testing services, IDS/IPS implementation and configuration, infrastructure security assessment and hardening, participates in bug bounty programs. CyberSecurity News & Articles: www.scanforsecurity.com and Penetration Testing Services: www.cybersecuriosity.com

RELATED ARTICLESMORE FROM AUTHOR