• Diniz Martins

Vega | Web Security Scanner

Vega is a free and open source web security scanner and web security testing platform to test the security of web applications. It can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information and other vulnerabilities. It is written in Java, GUI based and runs on Linux, OS X, and Windows.

When you start Vega for the first time, you will be in the scanner perspective. Vega has two perspectives: the scanner and the proxy. We'll start the introduction with the scanner. The Vega scanner is an automated security testing tool that crawls a website, analyzing page content to find links and form parameters. Vega finds injection points, referred to as path state nodes, and runs modules written in JavaScript to analyze them. Vega also runs JavaScript modules on all responses sent back from the server during the scan.


Vega scans websites recursively, building an internal representation of the site in a tree-like data structure comprised of entities known as "path state nodes". Path state nodes can be directories, files, or files with POST or GET parameters. Complex websites can result in long scans and large path state data structures, so Vega offers configurable parameters that limit the scan scope in the scanner preferences. To access these parameters, click on the Window menu item and choose "Preferences". There are two sets of preferences associated with the scanner: Scanner preferences and Scanner debugging. Select Scanner debugging.
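
The path state tree described above can be sketched in a few lines. This is an added example, not Vega's own code: the function names, the `maxNodes` limit and the sample requests are assumptions made for illustration.

```javascript
// Added illustration, not Vega's own code; every name below is hypothetical.
// Constructed sample of requests a crawler might have recorded.
const observed = [
  { method: "GET", url: "http://example.test/shop/" },
  { method: "GET", url: "http://example.test/shop/item.php?id=7&ref=home" },
  { method: "GET", url: "http://example.test/shop/item.php?ref=mail&id=9" },
  { method: "POST", url: "http://example.test/account/login.php", body: "user=a&pass=b" },
  { method: "GET", url: "http://example.test/static/logo.png" },
];

const newNode = (name, kind) => ({ name, kind, children: new Map(), paramSets: new Set() });

// One node per path segment; distinct parameter-name sets hang off the final node.
// maxNodes is an assumed scope limit, standing in for the scanner preferences.
function buildTree(requests, maxNodes = 1000) {
  const root = newNode("/", "directory");
  let count = 1;
  for (const req of requests) {
    const u = new URL(req.url);
    const segs = u.pathname.split("/").filter(Boolean);
    let node = root;
    let complete = true;
    for (let i = 0; i < segs.length; i++) {
      const isLast = i === segs.length - 1;
      const kind = isLast && !u.pathname.endsWith("/") ? "file" : "directory";
      if (!node.children.has(segs[i])) {
        if (count >= maxNodes) { complete = false; break; } // limit reached: stop descending
        node.children.set(segs[i], newNode(segs[i], kind));
        count++;
      }
      node = node.children.get(segs[i]);
    }
    if (!complete) continue;
    const params = req.method === "POST" ? new URLSearchParams(req.body || "") : u.searchParams;
    const names = [...new Set(params.keys())].sort();
    // The same parameter names, in any order and with any values, are one state.
    if (names.length) node.paramSets.add(`${req.method} ${names.join(",")}`);
  }
  return { root, count };
}

// Walk the tree and list every node that carries GET or POST parameters.
function injectionPoints(node, prefix = "") {
  const path = node.name === "/" ? "" : `${prefix}/${node.name}`;
  const here = [...node.paramSets].map((p) => `${path || "/"} [${p}]`);
  const below = [...node.children.values()].flatMap((c) => injectionPoints(c, path));
  return here.concat(below);
}

console.log(injectionPoints(buildTree(observed).root));
```

The two `item.php` requests collapse into one parameterised node, which is why limiting tree size also limits how many requests a scan has to send.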


◾️ You can download Vega file right HERE ◾️


First test on Vega:

- Click on the “Start New Scan” button in the top left corner. A new pop-up will open.

- Enter the website’s URI to scan it for vulnerabilities and loopholes. After entering all the details, hit the “Next” button and choose the modules to run. It is recommended to choose all the modules for better testing. After you finish, you will see the scanner in progress, and once the scan is completed you will see the results.


Vega will start crawling the target web application. Vega sends many requests. This is because in addition to analyzing the page content, the crawling engine does several tests on each potential path, trying to determine if it is a file or a directory. Vega also compares pages to each other, and tries to figure out what the 404 page looks like. Vega modules also send their own requests.

The scan progress will be indicated with a progress bar. Note that the total number of links to crawl will grow as Vega discovers new ones and generates variations to perform the tests described above, so the finish time will be a moving target. The preferences described at the start of this tutorial control the parameters that limit the scope of the scan.

To stop an active scan, click the red icon with an "x" next to the new scan button.


Here you go. We ran the scanner on the above-mentioned link and the results are as follows:

You can see the requests/response results:


