This is a simple tutorial on XSS scanning with vega scanner in kali linux.
VEGA is an open-source web security scanner, written in java with a GUI. you can scan for XSS issues and can also scan for SQL injection vulnerabilities. In this short introduction tutorial I’ll explain how to do a basic XSS scan for an entire site, but also explain how you can set VEGA to scan a single page. You can find more here
Kali linux already has vega vulnerability scanner installed, so you don’t need to install it. To start VEGA, just go to:
Applications > Kali Linux > Web Applications > Web Vulnerability Scanners > VEGA.
VEGA will launch.
To start a scan that will crawl the entire site and only check for XSS:
To scan a single page only:
By default vega vulnerability scanner will scan for lots of different vulnerability types.
Directory Traversal Attacks.
URL Injection Attacks.
XML Injection Attacks.
Blind SQL Injections.
Shell Injection Attacks.
Remote file include Attacks.
String Format attacks.
OS Command Injection Attacks.
This is just the first page of the modules section, there are quite a lot to choose from!
To scan only for XSS you need to:
Unselect all the pre selected options.
(Just click the checkbox next to the expanders for both the categories – injection modules and response processing modules) then:
Under injection modules, Click ‘XSS’.
Click ‘finish’ and wait till the scan completes.
There is excellent documentation available:
(The section on the vega-proxy is probably what you want to read…)