Vega is a free, open-source web security scanner (opens in new tab) written in Java and created to help cybersecurity professionals find and fix various web vulnerabilities such as SQL injection, cross-site scripting (XSS), shell injection, remote file inclusion (RFI), disclosure of sensitive information, and much more. Vega can also be utilized to probe TLS/SSL security settings and pinpoint possibilities for strengthening the security of TLS/SSL servers.
The security company standing behind this web scanner is Subgraph and it was set up in 2010 in Montreal (Quebec, Canada) where it still stands strong. In addition to Vega, the company has created the Subgraph operating system (OS) and a Tor client Orchid, and they offer other application security services such as penetration testing, code review, and training in secure web development.
Vega’s official site is far from fleshy in its design but offers a decent amount of information about Subgraph’s solutions, Vega included. It also features a blog where you can backtrack all updates for Subgraph’s products – however, it’s not a blog that’ll keep you busy.
If you’re into social networking or want to get in touch with the team behind Vega, you can do it via Twitter, GitHub, and LinkedIn.
Plans and pricing
As with similar security-related solutions, since Vega is both cost-free and open-source software there are no pricing models, nor plans for that matter. It runs on Windows, Linux, and Mac OS.
Vega is a Java tool and all its detection modules are written in JavaScript, which makes it easily extensible – so, if you want to create new attack modules you can clone Vega source code from the GitHub repository.
Features and functionality
Vega runs in two operating modes: as an automated scanner meant for swift tests, and as an intercepting proxy for more in-depth inspection.
As its name suggests, an automated scanner automatically crawls through websites and extracts links, processing forms, and running modules with a mission to discover and display XSS, SQL injection, and other web vulnerabilities (opens in new tab). Once supplied with login credentials, Vega’s web crawler can automatically log into sites of interest.
The intercepting proxy can be utilized to intercept the connection between users and servers and perform SSL interception for HTTP sites. It can be configured to analyze proxy traffic through multiple scanner modules. As users are browsing the target site through it, you can also configure the Vega proxy to run attack modules on it.
Vega supports two types of Java-based modules to conduct a vulnerability assessment – injection modules and response processing modules where the latter can process responses received by the scanner or the proxy server.
Interface and ease of use
If you’re not using one of the older versions of Kali Linux, Vega probably won’t come pre-installed, which suggests you’ll have to install the software on your own.
To install Vega, go hit the “Download” button on the main menu (and do the same on the next page), pick out the version of the Vega you wish to use, download the EXE file, and proceed to install Vega like any other app on your system. Alternatively, you can clone Vega from the GitHub repository by executing the right command in the terminal session on the Linux shell. In either case, your new web scanner should soon be ready for use.
To start your first scan, you can either click on the “Scan” button and select “Start New Scan” on the drop-down menu or simply hit the new scan icon at the top left corner. This will open the new scan wizard asking the user to either enter the uniform resource identifier (URI) directly in the “Scan Target” field or edit a target scope – then, click the “Next” button.
After this you’ll have to choose what injection modules and response processing modules you want to utilize during the scan – so, checkmark the ones you wish to use.
Once you tap into the “Finish” button, the scan will begin and the Vega log will start to show the information, the time of the crawling phase, and what it has found on the site. Vega classifies all scan alerts as low, medium, or high priority as they are shown in the “Scan Alerts” section – and this is just a glimpse into Vega’s scanning capabilities.
While Vega’s graphical user interface (GUI) looks well-designed, it’s obviously outdated which could confuse newcomers.
Customer support
As with other free, open-source web security scanners we’ve covered so far, there’s no 24/7 customer support with Vega – and understandably so.
However, if you’re into self-help services, you’ll be glad to hear that Vega has a well-supplied documentation section. It is split into three main categories: “Trying Vega” which covers core information and installation, “Using Vega” which deals with how-to guides, and “Extending Vega” which is focused on creating new modules. As far as we can see, these guides are pretty detailed although primarily text-based – so, no screenshots nor easy-to-follow video tutorials.
If you wish to work together with the team behind Vega, you’re welcome to contact them via phone and e-mail.
Competition
If you’re searching for something similar to Vega but with a modern, user-friendly dashboard, more comprehensive scanning coverage, and a 24/7/365 technical support team, you might want to check the Nessus vulnerability scanner – that is, if you don’t mind paying a pretty penny. In contrast, Vega won’t cost you a dime.
Fortunately, if you’re dying to try out Nessus but can’t because you’re working on a tight budget – give OpenVAS a chance. It’s a powerful, feature-rich vulnerability scanner that can perform large-scale assessments and a full range of network vulnerability tests. Also, it started its story as a spin-off of Nessus and was called GNessUs once.
If you don’t find Vega famous enough, try out a tried-and-true veteran of penetration testing and port scanning – yes, we’re thinking about Nmap. Like Vega, it’s free to use, so you won’t lose anything by putting it to the test.
Final verdict
Put the security of your web apps to the test and find (and fix) a wide variety of vulnerabilities by putting your trust in a cost-free yet competent, Java-based app called Vega.
It might not be the simplest web scanning tool to use, but when it comes to spotting SQL injection, cross-site scripting, and inadvertently disclosed information, Vega doesn’t fall far behind its proprietary counterparts.
