Vega scanner tutorial for beginners in kali linux

This is a simple Vega scanner tutorial for beginners on XSS scanning with vega scanner in kali linux.

VEGA is an open-source web security scanner, written in java with a GUI. you can scan for XSS issues and can also scan for SQL injection vulnerabilities. In this short introduction tutorial I’ll explain how to do a basic XSS scan for an entire site, but also explain how you can set VEGA to scan a single page. You can find more here

Vega scanner tutorial for beginners

Kali linux already has vega vulnerability scanner installed, so you don’t need to install it. To start VEGA, just go to:

Applications > Kali Linux > Web Applications > Web Vulnerability Scanners > VEGA.

VEGA will launch.

Vega scanner tutorial for beginners

Scanning with VEGA

To start a scan that will crawl the entire site and only check for XSS:

  • Click scan > ‘start new scan’ .
  • In the dialog that appears, enter your target websites url as the ‘base’
  • Click next.

To scan a single page only:

  • Click ‘Choose a Target Scope’.
  • Then Click ‘Edit Scopes’.
  • Next, either add a new scope, or edit an existing one.
  • Add each url to the scope.
  • Click ‘OK’.

By default vega vulnerability scanner will scan for lots of different vulnerability types.

Header Injections.
Directory Traversal Attacks.
URL Injection Attacks.
XML Injection Attacks.
XSS Injections.
Blind SQL Injections.
Shell Injection Attacks.
Remote file include Attacks.
String Format attacks.
OS Command Injection Attacks.

This is just the first page of the modules section, there are quite a lot to choose from!

XSS Scanning with VEGA scanner

To scan only for XSS you need to:

Unselect all the pre selected options.
(Just click the checkbox next to the expanders for both the categories – injection modules and response processing modules) then:

Under injection modules, Click ‘XSS’.

Click ‘finish’ and wait till the scan completes.

There is excellent documentation available:
Vega wiki

(The section on the vega-proxy is probably what you want to read…)

You might want to also check my metasploit tutorial