24 Jun 2020

STEP 1: Install Vega​

The Vega Vulnerability Scanner used to come preinstalled on older versions of Kali Linux, but if you're on a newer OS version, you'll likely need to install it. But there's a way to check real quick. First, make sure your packages are all up to date.
Now, check to see if you have Vega installed already with: ~$ sudo install vega

To install Vega, you'll need to download the Vega file and unzip it. But first, to make sure you don't get any further errors, configure dpkg. Then, we need to install some dependencies and tools. Vega needs WebKit 1.0, or it won't install; Java is also needed; and unzip will unzip the Vega file that'll be downloaded.

If you get an error installing libwebkitgtk-1.0-0, try adding the following line to your /etc/apt/sources.list file with nano or another editor, then try installing libwebkitgtk-1.0-0 again after a quick sudo apt update.

deb bionic main universe

Now, if everything installed correctly, head to Subgraph's website, the maker of Vega, to get the download link for the correct version of Vega that you need. Don't download it here — copy the link. If you need the 64-bit Linux version, you can use the link in the next command below.

Now, use wget to install the zip file on your system. You can first cd into the folder that you want the download to be saved if you want.

Then, to see what the zip file is called, do a listing with ls to copy the file's name.

Then unarchive it with the unzip utility we installed.
And that's it for installing Vega on your Kali or other Linux system. However, for Vega to open successfully later, you may need to switch what version of Java you're using. If you think you're already running Java 8 in manual mode, you don't need to do this. If you're not sure, use this to switch to Java 8 in manual mode since newer Java versions won't work with Vega:

~$ sudo update-alternatives --config java

There are 2 choices for the alternative java (providing /usr/bin/java).

Selection Path Priority Status
* 0 /usr/lib/jvm/java-11-openjdk-amd64/bin/java 1111 auto mode
1 /usr/lib/jvm/java-11-openjdk-amd64/bin/java 1111 manual mode
2 /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java 1081 manual mode

Press <enter> to keep the current choice[*], or type selection number: 2
update-alternatives: using /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java to provide /usr/bin/java (java)

STEP 2 : Start Vega​

In previo us versions of Kali that had Vega preinstalled, you could go to Applications –> Web Application Analysis —> Vega. But now, cd into the Vega folder, then do an ls of it.

~$ cd vega
~/vega$ ls

about_files features plugins Vega xml
about.html icon.xpm scripts Vega.ini
configuration templates Vega.png

The tool we need in there to start Vega is "Vega," so start it with:

~/vega$ sudo ./Vega

If it worked, great, you should see Vega's start screen before Vega opens all the way. If it didn't, make sure you're using the right Java version as described in Step 1.

STEP 3 : Configure Vega​

After starting an application for the first time, I like to view the available preferences and options. In the top-left corner, click on the "Window" menu, then view the "Preferences," which I'll walk you through in the next two sections.

Proxy Vega HTTP Requests (Optional)​

If you prefer to anonymize your Vega scans and proxy all connections, check the "Enable SOCKS proxy" option under "General," and enter a proxy address and port. If you're using Tor, enter the default Tor address and port (, which should be auto-populated already. This will help conceal the origin of your scans. Otherwise, if you're using a free or premium proxy service, choose the address and port you prefer.

Use Tor's User-Agent (Optional)​

If you decide to proxy Vega scans over Tor, you may also consider changing Vega's user-agent to the Tor Browser user-agent. This will help you access some (but not all) websites that block Tor HTTP requests.

To modify the Vega user-agent, click on the "Scanner" category and enter the Tor Browser user-agent next to "User-Agent." Then click "Apply" and "OK" to save the changes. Below is the current Tor Browser user-agent as of December 2020.

The Tor Browser user-agent will change with every major Tor Browser update. To find the latest user-agent, you used to be able to go to about:config in the Tor Browser and double-click on general.useragent.override. But that option has been gone since Firefox 71. Instead, open a Tor tab, and ask "What's my user agent" in the search bar, and it should tell you if you're using DuckDuckGo.

Moderate HTTP Requests (Optional)​

Another thing in the "Scanner" menu you may want to modify is the "Maximum number of requests per second to send" option. By default, the software is set to 25 requests per second.

Depending on the scenario, this might be too many or too few requests per second. Assuming you have permission to scan a website with Vega, ten requests per second is probably a good place to start. With sites you own, 100 requests per second might be more appropriate. It's entirely up to you.

You won't notice much increase in processing power using more requests per second, so it's safe to set that number to something high. Don't worry; Vega isn't a DDoS tool. Your internet bandwidth and the bandwidth of the website will automatically throttle the requests.

That's about it for Vega's preferences. The Listener settings in "Proxy" are preferences unrelated to the scanner. The "Debug" preferences in the Scanner section are there for Vega developers.

STEP 4 : Scan a Website with Vega​

Now that we have Vega installed and configured, we're now ready to start scanning a website. To start scanning, use the Control-N shortcut, click the Start New Scan icon in the top left, or click on "Scan" in the menu bar and choose "Start New Scan." Vega will prompt us with the Select a Scan Target window. Enter your target URL into the box under "Scan Target," then hit "Next."
Vega has dozens of modules designed to find a wide range of common web server vulnerabilities such as SQL, XSS, and XML injection vulnerabilities. If you want to enable all of the scanner modules, make sure "Injection Modules" is checked. If not, expand "Injection Modules" and select the ones you want, and deselect the ones you don't.

You could click "Next" a few times to adjust Authentication Options or Parameters, but we don't need to. So instead, click "Finish" to start scanning the website.
A scan can take anywhere from two minutes to eight hours to complete depending on the website's size and the requests per second we set earlier in the article. You'll know the scan has started when the website appears in the Scan Alerts tab and alerts begin to propagate. When the scan is done running, you'll get a report detailing any vulnerabilities found.

STEP 5 : Interpret Vega's Alerts​

When the scan is complete, Vega will clearly and concisely display a summary of the alerts.

If Vega reports a "High" alert, don't panic. Vega's modules are sensitive and sometimes produce false positive alerts for vulnerabilities that may not actually exist. False positives aren't necessarily a bad thing. That being said, it's a good idea to comb through the report and manually investigate each alert. Think of these alerts as areas worth further investigating and not definitive indications that something needs to be fixed.

Vega does a fantastic job explaining what each alert means, their impact on our websites, and ways to remedy the vulnerabilities. It also includes useful references that may help us better understand how to deal with the vulnerabilities.

Clicking on one of the alerts will display tons of useful information.

Vega Can Help Keep Your Website Secure​

Vega is an excellent tool to help security researchers better understand web application penetration testing. Its vast selection of modules allows even novice users to dig deep into potential security risks and assess their severity to websites. Anyone interested in improving their website's security and enhancing their web hacking skills will come to love Vega and its ease of use.

Similar threads