This is a simple Vega scanner tutorial for beginners on XSS scanning with vega scanner in kali linux.
VEGA is an open-source web security scanner, written in java with a GUI. you can scan for XSS issues and can also scan for SQL injection vulnerabilities. In this short introduction tutorial I’ll explain how to do a basic XSS scan for an entire site, but also explain how you can set VEGA to scan a single page. You can find more here
Vega scanner tutorial for beginners
Kali linux already has vega vulnerability scanner installed, so you don’t need to install it. To start VEGA, just go to:
Applications > Kali Linux > Web Applications > Web Vulnerability Scanners > VEGA.
VEGA will launch.
Scanning with VEGA
To start a scan that will crawl the entire site and only check for XSS:
- Click scan > ‘start new scan’ .
- In the dialog that appears, enter your target websites url as the ‘base’
- Click next.
To scan a single page only:
- Click ‘Choose a Target Scope’.
- Then Click ‘Edit Scopes’.
- Next, either add a new scope, or edit an existing one.
- Add each url to the scope.
- Click ‘OK’.
By default vega vulnerability scanner will scan for lots of different vulnerability types.
Directory Traversal Attacks.
URL Injection Attacks.
XML Injection Attacks.
Blind SQL Injections.
Shell Injection Attacks.
Remote file include Attacks.
String Format attacks.
OS Command Injection Attacks.
This is just the first page of the modules section, there are quite a lot to choose from!
XSS Scanning with VEGA scanner
To scan only for XSS you need to:
Unselect all the pre selected options.
(Just click the checkbox next to the expanders for both the categories – injection modules and response processing modules) then:
Under injection modules, Click ‘XSS’.
Click ‘finish’ and wait till the scan completes.
There is excellent documentation available:
(The section on the vega-proxy is probably what you want to read…)
You might want to also check my metasploit tutorial