Blackhat Arsenal 2012 Releases: Vega Open Source Web Application Scanner 1.0 Beta
Vega is an open source platform to test the security of web applications. Vega can help you find and validate SQL Injections, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.
Subgraph folks demoing Vega – The Very Promising Open Source Web Application Scanner
Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. Vega can be extended using a powerful API in the language of the web: JavaScript.
Well, this is the first time I met David Mirza Ahmad & Hugo Fortier, the folks at Subgraph (a company from Montreal) and the authors of Vega, a really promising open source web application scanner. The guys are really dedicated to what they are doing, even offering security services to fund their own project. That’s what I can call real passion & devotion. Ohh, by the way, thanks for the “Recon 2012” Zippo :). The Subgraph folks (Hugo) are also behind the amazing Recon security event in Montreal.
David Mirza, quite relaxed and demoing Vega
New Improvements from VEGA
Automating Web Application Login
Vega now allows you to store authentication credentials as an ‘identity’ so that Vega can log in automatically during a scan. This includes basic, digest, and NTLM credentials.
For authenticating using forms, it is possible to associate stored login requests seen by the proxy with an identity. Vega can then replay those to log in when starting a scan.
Vega supports creation of ‘identities’ for scanning with authentication.
Adding a Login Request to a Macro
In the screenshot below, the user simply logs into the application through the Vega proxy, and then selects the stored login request during the creation of the macro. Binding this to an identity and then using the identity during a scan will let the scanner log itself in automatically prior to starting a scan.
Selecting requests for the macro identity.
Message Viewer Improvements
We’ve also cleaned up the message viewer, making the rendering nicer and adding small touches like searching (Ctrl-F) and menu-based copy and paste (right mouse click menu). For the module developer, it will be possible to tell the message viewer what to highlight and where to scroll to when a request is accessed through an alert.
Cleaner rendering in message viewer. Search, copy/paste, module-specified highlighting.
Module Refresh
Finally, we are doing a complete module refresh. This means existing modules will be made more reliable and efficient. And we have several new modules under development.
To keep up with the latest development release, you should grab it from GitHub.
Next ToolsTube with David about the future of Vega and many exciting features to come