Blackhat Arsenal 2012 Releases: Vega Open Source Web Application Scanner 1.0 Beta

Blackhat Arsenal 2012 Releases: Vega Open Source Web Application Scanner 1.0 Beta

Vega is an open source platform to test the security of web applications. Vega can help you find and validate SQL Injections, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

Subgraph Folks demoying Vega – The Very Promising Open Source Web Application Scanner

Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. Vega can be extended using a powerful API in the language of the web: Javascript.

Well this is the first time i met, David Mirza Ahmad & Hugo Fortier, the Folks at Subgraph (Company from Montreal) and the authors of Vega a really promising Open Source Web Application Scanner. The guys are really dedicated into what they are doing even making security services to fund their own project. That’s what i can call : Real Passion & Devotion. Ohh, by the way thanks for the “Recon 2012” Zippo :). Subgraph folks (Hugo) are also behind the Amazing Recon Security Event at Montreal

David Mirza quite relaxed and demoying Vega

New Improvements from VEGA

Automating Web Application Login

Vega now allows you to store authentication credentials as an ‘identity’ so that Vega can log in automatically during a scan. This includes basic, digest, and NTLM credentials.

For authenticating using forms, it is possible to associate stored login requests seen by the proxy with an identity. Vega can then replay those to log in when starting a scan.

Vega supports creation of ‘identities’ for scanning with authentication.

Adding a Login Request to a Macro

In the screenshot below, the user simply logs into the application through the Vega proxy, and then selects the stored login request during the creation of the macro. Binding this to an identity and then using the identity during a scan will let the scanner log itself in automatically prior to starting a scan.

Selecting requests for the macro identity.

Message Viewer Improvements

We’ve also cleaned up the message viewer, making the rendering nicer and adding small touches like searching (Ctrl-F) and menu-based copy and paste (right mouse click menu). For the module developer, it will be possible to tell the message viewer what to highlight and where to scroll to when a request is accessed through an alert.

Cleaner rendering in message viewer. Search, copy/paste, module-specified highlighting.

Module Refresh

Finally, we are doing a complete module refresh. This means existing modules will be made more reliable and efficient. And we have several new modules under development.

To stay tuned with the latest development release, you should grab it from Github
Next ToolsTube with David about the future of Vega and many exciting features to come

NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"