Web Application Testing: Vega

Type n0where
Reporter N0where
Modified 2011-07-06T01:03:00


Vega is an open source platform to test the security of web applications. Vega can help you find and validate SQL Injections, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. Vega can be extended using a powerful API in the language of the web: Javascript

What does it do?

Vega runs in two modes of operation: as an automated scanner, and as an intercepting proxy.

Automated scanner

The automated scanner automatically crawls websites, extracting links, processing forms, and running modules on possible injection points it discovers. These modules can do things like automatically submit requests that fuzz parameters, for example, to test for things like cross-site scripting (XSS) or SQL injection.

Intercepting proxy

The intercepting proxy allows for detailed analysis of browser-application interaction. When enabled, the proxy listens on localhost as a proxy server. When a browser uses the Vega proxy, requests and responses are visible to Vega. Vega can be told to set ”breakpoints”, interception criteria for outgoing requests (from the browser) or incoming responses (from the server). These requests and responses are held in a state where they are editable until released.

Scanning proxy

Vega can also fuzz parameters and actively test pages that match the target scope as you visit them through the proxy.

Response processing

Vega supports modules that process responses, typically looking for information (”grep” modules). Response processing modules can process responses received by either the scanner or the proxy.

Shared knowledge base

Beneath the hood is a database where information, including requests and responses, can be shared among components.

Web Application Testing: Vega documentation


Vega stores information about the current and past scans in a “workspace”. Clearing the workspace will remove all scan data, including alerts and saved requests/responses. To do so, select the “File” menu item and click on “Reset Current Workspace”.


Vega scans websites recursively, building an internal representation of the site in a tree-like data structure comprised of entities known as “path state nodes”. Path state nodes can be directories, files, or files with POST or GET parameters. Complex websites can result in long scans and large path state data structures, so Vega offers configurable parameters that limit the scan scope in the scanner preferences. To access these parameters, click on the Window menu item and choose “Preferences”. There are two sets of preferences associated with the scanner: Scanner preferences and Scanner debugging. Select Scanner debugging.

Web Application Testing: Vega download