Using Vega scanner

Vega is a Web vulnerability scanner made by the Canadian company Subgraph and distributed as an Open Source tool. Besides being a scanner, it can be used as an interception proxy and can perform scans as we browse the target site.

We will use Vega to discover Web vulnerabilities in this recipe.

How to do it...

  1. Open Vega by selecting it from the Applications menu, navigating to Applications | Kali Linux | Web Applications | Web Vulnerability Scanners | vega, or from the terminal:
    vega
    
  2. Click on the Start New Scan button.
  3. A new dialog will pop up. In the box labeled Enter a base URI for scan: we enter http://192.168.56.102/WackoPicko to scan that application.
  4. Click Next. Here we can select which modules to run over the application. Let's leave them as default.
  5. Click Finish to start the scan.
  6. When the scan is finished, we can check the results by navigating the Scan Alerts tree on the left. The vulnerability details will be shown in the right panel.

How it works...

Vega works by first crawling the URL we specified as the target, identifying forms and other possible data inputs, such as cookies or request headers. Once they are found, Vega tries different inputs in them to identify vulnerabilities by analyzing the responses and matching them to known vulnerable patterns.
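The crawl, input-point discovery and response-matching pipeline just described, as an added illustration that is not Vega's code: it enumerates form fields, cookies and headers from a constructed HTML page and matches constructed responses against a small, illustrative table of error signatures. No requests are sent; all input is embedded.

```python
"""Simplified model of a scanner's input discovery and response matching.

Added example, not Vega's code. SAMPLE_HTML, SAMPLE_COOKIES, SAMPLE_HEADERS
and SAMPLE_RESPONSES are constructed here for illustration.
"""
import re
from html.parser import HTMLParser

SAMPLE_HTML = (
    '<form action="/login" method="post">'
    '<input name="user"><input type="password" name="pass">'
    '<input type="submit" value="Go"></form>'
    '<form action="/search"><input name="q"></form>'
)
SAMPLE_COOKIES = ["PHPSESSID"]
SAMPLE_HEADERS = ["User-Agent"]

class FormCollector(HTMLParser):
    """Collects every form on a page together with its named input fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            # Buttons carry no attacker-controlled data, so they are not test inputs.
            if a.get("name") and a.get("type", "text") not in ("submit", "button"):
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def input_points(html, cookies, headers):
    """Return (location, name) pairs a scanner would treat as testable inputs."""
    collector = FormCollector()
    collector.feed(html)
    points = [(f"form:{f['method']} {f['action']}", n)
              for f in collector.forms for n in f["fields"]]
    points += [("cookie", c) for c in cookies] + [("header", h) for h in headers]
    return points

# Response signatures a scanner matches against (illustrative, not Vega's list).
PATTERNS = {
    "sql-error": re.compile(r"You have an error in your SQL syntax|SQLSTATE\[", re.I),
    "stack-trace": re.compile(r"Traceback \(most recent call last\)|\.java:\d+\)"),
}

def match_response(body):
    """Return the sorted names of every known vulnerable pattern found in a response."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(body))
```

Because matching is purely signature based, a response that reproduces an error string in normal content yields a false positive, which is why each alert still needs manual review in the GUI.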

In Vega, we can scan a single site or a group of sites grouped together in a scope, and we can choose which tests to perform by selecting the modules used in the scan. We can also authenticate to the site or sites using identities (pre-saved user/password combinations) or session cookies, and exclude some parameters from testing.

As an important drawback, it doesn't have a report generation or data export feature, so we have to review all the vulnerability descriptions and details in the Vega GUI.
