Withstanding an attack from a motivated hacker is one of the most important responsibilities a system administrator must undertake. This is especially true for websites that may contain sensitive customer information and a high volume of users. So it's important for a sysadmin to take proactive measures to find and fix vulnerabilities in their websites.
One tool that can help do this is Vega Vulnerability Scanner, a free, open-source, graphical web-auditing tool developed by the security company Subgraph. This tool contains several interesting features such as a proxy scanner, but we'll be focusing on the automated security testing aspect that can help us find and validate SQL injection, cross-site scripting (XSS), inadvertently disclosed sensitive information, and many other vulnerabilities.
Vega is not the only tool in this space. PortSwigger's Burp Suite Scanner and Netsparker's Security Scanner both offer premium vulnerability scanners, but Vega's scanner can perform many of the same tasks at no cost. Vega makes finding and understanding the severity of web application vulnerabilities simple by clearly and concisely displaying useful resources with every scan.
Since the Vega Vulnerability Scanner usually comes preinstalled on most versions of Kali Linux, you should be good to go if you're using a Kali system. If you're not sure whether your Kali setup already has it, run the apt-get command below in a terminal (as root, or prefixed with sudo). You'll get a message saying it's already installed if you do have it, and if not, it will install it for you.
apt-get update && apt-get install vega
If you're using the BlackArch penetration-testing distribution, you can install the Vega Vulnerability Scanner with the command below. BlackArch doesn't use the APT package manager, so we'll use Pacman. The rest of this guide is written for Kali, but the steps are the same on BlackArch once Vega is installed, so it shouldn't be hard to follow along.
pacman -S vega
In Kali Linux, tools are automatically sorted into categories, so click on "Applications," then hover over the "Web Application Analysis" category, and click on "Vega." If you're using a lighter desktop such as the XFCE build of Kali, the Applications menu may look a bit different. You could also just search for "Vega" from the "Show Applications" screen.
After starting an application for the first time, I like to view the available preferences and options. In the top-left corner, click on the "Window" menu, then view the "Preferences," which I'll walk you through in the next two steps.
If you prefer to anonymize your Vega scans and proxy all connections, check the "Enable SOCKS proxy" option under General, and enter a proxy address and port. If you're using Tor, enter the default Tor SOCKS address and port (127.0.0.1:9050). This conceals the origin of your scans from the target, but only that: the Tor exit node still sees the scan traffic, and a scan you're not authorized to run is no less illegal for being proxied. If you're using a free or premium proxy service instead, enter the address and port it gives you.
If you decide to proxy Vega scans over Tor, you may also want to change Vega's user-agent to the Tor Browser user-agent. Some sites treat a non-browser user-agent as suspicious, and matching Tor Browser makes your scan traffic look like ordinary Tor Browser traffic from that exit. It won't get you into sites that block Tor exit addresses outright, so expect it to help with some (but not all) of them.
To modify the Vega user-agent, click on the "Scanner" category and enter the Tor Browser user-agent next to User-Agent. Then click "Apply" and "OK" to save the changes. Below is the current Tor Browser user-agent as of Feb. 2018.
Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
The Tor Browser user-agent changes with every major Tor Browser update. To find the latest one, open an up-to-date Tor Browser and enter about:config into the URL bar. If you see a warning popup, select "I accept the risk," then type useragent.override in the Search bar to bring up the general.useragent.override preference.
Double-clicking the entry that shows up will prompt a popup and allow you to copy the user-agent string. Alternatively, you can also right-click and select "Copy" on the value.
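Before trusting the proxy setting with a real scan, it's worth confirming that whatever is listening on 127.0.0.1:9050 is actually a SOCKS5 proxy and that traffic sent through it really exits via Tor. The script below is an added example, not part of Vega or of this write-up's original steps. It performs the SOCKS5 handshake itself (RFC 1928), hands the hostname to the proxy for resolution so the DNS lookup doesn't leak to your local resolver, then asks check.torproject.org's /api/ip endpoint (which answers with an IsTor flag and the IP it saw) using the Tor Browser user-agent quoted above. It assumes a local Tor daemon on its default SOCKS port.

```python
"""Confirm 127.0.0.1:9050 is a SOCKS5 proxy whose traffic exits through Tor.

Added example, not Vega code. Assumes a local Tor daemon on its default
SOCKS port and outbound HTTPS to check.torproject.org.
"""
import json
import socket
import ssl
import struct

TOR_SOCKS = ("127.0.0.1", 9050)      # Tor's default SOCKS listener
CHECK_HOST = "check.torproject.org"
# Tor Browser user-agent from the article (Feb. 2018); refresh it as described there.
TOR_UA = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

# SOCKS5 REP codes (RFC 1928 section 6).
SOCKS5_ERRORS = {
    0x01: "general failure", 0x02: "not allowed by ruleset",
    0x03: "network unreachable", 0x04: "host unreachable",
    0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def socks5_greeting() -> bytes:
    """VER=5, one auth method offered: 0x00 (no authentication)."""
    return b"\x05\x01\x00"


def socks5_connect_request(host: str, port: int) -> bytes:
    """CONNECT (0x01) with a domain-name address (ATYP 0x03): the proxy, not
    our resolver, looks the name up, which keeps the DNS query off our wire."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_socks5_reply(data: bytes) -> str:
    """Return "" on success, otherwise a readable reason taken from the REP byte."""
    if len(data) < 2 or data[0] != 0x05:
        return "not a SOCKS5 reply"
    if data[1] == 0x00:
        return ""
    return SOCKS5_ERRORS.get(data[1], f"unknown error 0x{data[1]:02x}")


def is_tor_exit(api_json: str) -> bool:
    """check.torproject.org/api/ip answers {"IsTor": true|false, "IP": "..."}."""
    return bool(json.loads(api_json).get("IsTor"))


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def fetch_tor_check(proxy=TOR_SOCKS, timeout: float = 30) -> dict:
    """Full exchange: SOCKS5 greeting -> CONNECT -> TLS -> HTTP GET /api/ip."""
    with socket.create_connection(proxy, timeout=timeout) as raw:
        raw.sendall(socks5_greeting())
        ver, method = recv_exact(raw, 2)
        if ver != 0x05 or method != 0x00:
            raise ConnectionError(f"{proxy[0]}:{proxy[1]} is not a no-auth SOCKS5 proxy")
        raw.sendall(socks5_connect_request(CHECK_HOST, 443))
        head = recv_exact(raw, 4)                      # VER REP RSV ATYP
        err = parse_socks5_reply(head)
        if err:
            raise ConnectionError(f"SOCKS5 CONNECT failed: {err}")
        # Drain BND.ADDR and BND.PORT so TLS starts on a clean stream.
        if head[3] == 0x01:
            recv_exact(raw, 4 + 2)
        elif head[3] == 0x04:
            recv_exact(raw, 16 + 2)
        else:
            recv_exact(raw, recv_exact(raw, 1)[0] + 2)
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(raw, server_hostname=CHECK_HOST) as tls:
            # HTTP/1.0 so the server does not use chunked encoding on the body.
            tls.sendall((f"GET /api/ip HTTP/1.0\r\nHost: {CHECK_HOST}\r\n"
                         f"User-Agent: {TOR_UA}\r\nConnection: close\r\n\r\n").encode())
            resp = b""
            while chunk := tls.recv(4096):
                resp += chunk
    return json.loads(resp.split(b"\r\n\r\n", 1)[1].decode())


if __name__ == "__main__":
    info = fetch_tor_check()
    print(f"exit IP {info.get('IP')}; via Tor: {info.get('IsTor')}")
    if not is_tor_exit(json.dumps(info)):
        raise SystemExit("traffic through the proxy is NOT exiting via Tor; do not scan yet")
```

If the script reports IsTor false, Tor isn't what's listening on that port (or it's misconfigured), and a Vega scan pointed at the same proxy would go out with your real address or not at all. Vega's own "Enable SOCKS proxy" handling is separate from this check; the script only vouches for the proxy.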
Another thing in the Scanner menu you may want to modify is the Maximum number of requests per second to send option. By default, the software is set to 25 requests per second.
Depending on the scenario, this might be too many or too few requests per second. Assuming you have permission to scan a website with Vega, ten requests per second is a sensible place to start. With sites you own and host yourself, 100 requests per second may be more appropriate. It's your call.
Raising the rate costs almost nothing on your side; the limit is what the target can absorb. Vega isn't a DDoS tool, but a few hundred requests per second of scanner traffic can still slow down or knock over a small site, and it will often trip rate limiting or WAF rules that block your address and leave the rest of the scan blind. Your own bandwidth and the site's will throttle you eventually, but don't rely on that: keep the rate proportionate to the target and to what you've been authorized to do.
That's about it for Vega's preferences. The Listener settings in "Proxy" are preferences unrelated to the scanner. The "Debug" preferences in the Scanner section are there for Vega developers.
Now that we have Vega installed and configured, we're ready to start scanning a website. Open the "Scan" menu in the top left and click on "Start New Scan." Vega will prompt us with the Select a Scan Target window. Enter your target URL into the box under Scan Target, then hit "Next."
Vega has dozens of modules designed to find a wide range of common web application vulnerabilities such as SQL injection, cross-site scripting (XSS), and XML injection. If you want to enable all of the scanner modules, make sure all are selected and click "Finish" to start scanning the website. Otherwise, deselect the modules you're not interested in testing first.
Note: The next two pages, Authentication Options and Parameters, can be left at their defaults for a basic scan of a public site, which is why we click "Finish" right after choosing our modules. You'd come back to Authentication Options when the pages you want scanned sit behind a login.
A scan can take anywhere from 2 minutes to 8 hours to complete, depending on the size of the website and the requests per second we set earlier. You'll know the scan has started when the website appears in the Scan Alerts tab and alerts begin to populate. When the scan finishes, you'll get a report detailing any vulnerabilities found.
When the scan is complete, Vega will clearly and concisely display a summary of the alerts.
If Vega reports a "High" alert, don't panic. Vega's modules err on the side of reporting, so a scan will sometimes flag conditions that turn out not to be exploitable; that's the trade-off for not missing real ones. Either way, comb through the report and manually investigate each alert. Think of these alerts as areas worth investigating further, not definitive proof that something needs to be fixed.
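As an added example (not part of Vega and not a step from the original write-up), here is a small script for replaying an alert by hand. It assumes the alert named a URL and a query parameter (the hypothetical https://target.example/search and q used below), sends a random canary, and reports whether the page reflects raw HTML (a reflected-XSS candidate) or returns a database error only when a single quote is appended (an error-based SQL injection candidate). The sample responses at the bottom are constructed so the checks can be exercised offline.

```python
"""Replay a Vega alert by hand before treating it as real.

Added example, not Vega code. Hypothetical target: the alert names
https://target.example/search and its query parameter `q`.
"""
import html
import re
import secrets
import sys
import urllib.parse
import urllib.request

# Database error fragments commonly surfaced by error-based SQL injection.
# Constructed starter list; extend it for the target's stack.
SQL_ERROR_RE = re.compile(
    r"You have an error in your SQL syntax|Warning: mysql_|pg_query\(\): ERROR|"
    r"unterminated quoted string|Microsoft OLE DB Provider for SQL Server|"
    r"ORA-\d{5}|SQLite3::|near \".*\": syntax error",
    re.IGNORECASE,
)


def make_canary() -> str:
    """Random token so a hit is our own probe, not cached or pre-existing content."""
    return "vgchk" + secrets.token_hex(4)


def xss_payload(canary: str) -> str:
    """Harmless probe tag: if it comes back unencoded, the page reflects raw HTML."""
    return f"<{canary}>"


def classify_reflection(body: str, canary: str) -> str:
    """reflected-raw: likely XSS, try a real payload next.
    reflected-encoded: output is HTML-escaped, not exploitable as submitted.
    not-reflected: the parameter never reaches this response."""
    raw = xss_payload(canary)
    if raw in body:
        return "reflected-raw"
    if html.escape(raw) in body or canary in body:
        return "reflected-encoded"
    return "not-reflected"


def sqli_error_indicator(baseline_body: str, probe_body: str) -> bool:
    """True when a DB error appears only for the probe (canary plus a trailing
    single quote) and not in the baseline response for the bare canary."""
    return bool(SQL_ERROR_RE.search(probe_body)) and not SQL_ERROR_RE.search(baseline_body)


def fetch(url: str, param: str, value: str, timeout: float = 10) -> str:
    """GET `url` with `param` set to `value`, keeping any other query parameters."""
    scheme, netloc, path, query, fragment = urllib.parse.urlsplit(url)
    params = dict(urllib.parse.parse_qsl(query))
    params[param] = value
    target = urllib.parse.urlunsplit(
        (scheme, netloc, path, urllib.parse.urlencode(params), fragment))
    req = urllib.request.Request(target, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def validate_alert(url: str, param: str) -> dict:
    """Three requests: baseline, XSS probe, SQL-quote probe. Only run this
    against targets you are authorized to test."""
    canary = make_canary()
    baseline = fetch(url, param, canary)
    return {
        "xss": classify_reflection(fetch(url, param, xss_payload(canary)), canary),
        "sqli_error": sqli_error_indicator(baseline, fetch(url, param, canary + "'")),
    }


# Constructed sample responses so the checks can be exercised offline.
SAMPLE_CANARY = "vgchkdeadbeef"
SAMPLE_RAW = f"<p>Results for <{SAMPLE_CANARY}>:</p>"
SAMPLE_ENCODED = f"<p>Results for &lt;{SAMPLE_CANARY}&gt;:</p>"
SAMPLE_BASELINE = "<p>No results.</p>"
SAMPLE_DB_ERROR = "You have an error in your SQL syntax; check the manual ..."

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(validate_alert(sys.argv[1], sys.argv[2]))
    else:
        print("offline demo:",
              classify_reflection(SAMPLE_RAW, SAMPLE_CANARY),
              classify_reflection(SAMPLE_ENCODED, SAMPLE_CANARY),
              sqli_error_indicator(SAMPLE_BASELINE, SAMPLE_DB_ERROR))
```

Run it as `python3 validate_alert.py 'https://target.example/search?q=test' q` against a target you're allowed to test. A "reflected-encoded" result usually means the High XSS alert is a false positive for that parameter; "reflected-raw" or a True sqli_error result means the alert deserves a real payload and a closer look at the request Vega recorded.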
Vega does a fantastic job of explaining what each alert means, their impact on our websites, and ways to remedy the vulnerabilities. It also includes useful references that may help us better understand how to deal with the vulnerabilities.
Clicking on one of the alerts will display tons of useful information.
Vega is an excellent tool to help security researchers better understand web application penetration testing. Its vast selection of modules allows even novice users to dig deep into potential security risks and assess their severity to websites. Anyone interested in improving the security of their website and enhancing their web hacking skills will come to love Vega and its ease of use, or at least, I hope so.