1. Using the Vega Scanner


Introduction

When you start Vega for the first time, you will be in the scanner perspective. Vega has two perspectives: The scanner, and the proxy. We'll start the introduction with the scanner. The Vega scanner is an automated security testing tool that crawls a website, analyzing page content to find links and form parameters. Vega finds injection points, referred to as path state nodes, and runs modules written in Javascript to analyze them. Vega also runs Javascript modules on all responses sent back from the server during the scan.

The scanner perspective

Scanner perspective

The screenshot above shows the complete Vega scanner perspective. The parts that comprise it, such as "Website View", "Scan Info", etc., are moveable. To restore to the original layout, click on the "Window" menu item and select "Reset Perspective". This will reassemble the UI parts into this arrangement. This does not affect the data or operation of any current scan.

Workspaces

Vega stores information about the current and past scans in a "workspace". Clearing the workspace will remove all scan data, including alerts and saved requests/responses. To do so, select the "File" menu item and click on "Reset Current Workspace".

Preferences

Vega scans websites recursively, building an internal representation of the site in a tree-like data structure comprised of entities known as "path state nodes". Path state nodes can be directories, files, or files with POST or GET parameters. Complex websites can result in long scans and large path state data structures, so Vega offers configurable parameters that limit the scan scope in the scanner preferences. To access these parameters, click on the Window menu item and choose "Preferences". There are two sets of preferences associated with the scanner: Scanner preferences and Scanner debugging. Select Scanner debugging.

Scanner Preferences

The scan limits are set in the scanner preferences. These include the following parameters:

  • Total number of path descendants

    This is the total children of a node + all its children. Children of a path state node could be its subdirectories, or its parameters, with one node for each in a set of parameters.

  • Total number of child paths for a single node

    Limits on the number of children per node (subdirectories + files + parameters).

  • Maximum path depth

    The limit on the heirarchy of path state nodes (e.g. /level1/level2/level3/level4..)

  • Maximum number of duplicate path elements The maximum number of permitted duplicate, adjacent path nodes. For example: /images/images/images.

  • Maximum length of strings to display in alert reports

    The alerts can include text from the module, such as the response body. The level of permitted module verbosity can be configured here by the user.

  • Maximum number of requests to send per second

    This setting regulates the speed at which Vega scans.

Scanner Debugging

The scanner debugging preferences contain settings intended for use during module development or debugging.

  • Log all scanner requests

    By default, Vega only saves the requests and responses that generate alerts within its database. Enabling this will result in all requests and responses being saved. They will be accessible from the message viewer.

  • Display debug output in console Enabling this will cause Vega to output verbose logging to the console.

Starting your first scan

To start a scan, click the new scan icon at the top left corner. Alternatively, you can select the "Scan" menu bar item and click on "Start new Scan".

This will cause the New Scan wizard to open.

New scan wizard

The user can either supply a base URI As the target, or edit a target scope. Target scopes allow multiple base URIs and exclusions that will not be scanned by Vega. Another way to add or remove resources from a target path is via the web view.

For this tutorial, we will just enter a base URI. Clicking next will advance to the next wizard page.

Modules

Scanner modules

Modules are units of extended functionality written in Javascript (the Vega engine is written in Java, but includes the ​Rhino JS interpreter). Vega supports two kinds of modules:

Basic Modules

These run on path state nodes and perform active fuzzing, including:

URIs that are known to be files or directories
URIs with parameters, with each parameter being a distinct path state node 

Response Processing Modules

These run on all responses that are returned from the server. They can be considered "grep" modules.

Both types of modules can store information in the shared knowledge base and generate XML-based alerts.

Remember: experiment with Vega on servers that belong to you and are not in production use.

Authentication and cookies

Authentication and cookies

Vega supports the configuration of credentials for performing automated scans while authenticated to the application or server. These credentials include:

  • Basic HTTP
  • Digest HTTP
  • NTLM
  • Macro (form based authentication)

Credentials must be configured using Identities. The Vega Identities feature has its own Wiki page. There is also a short video tutorial here: https://www.youtube.com/watch?v=Yw2UbKivkgQ.

Vega also permits the configuration of cookies that will be sent with all scanner requests. These can be added individually through the Wizard UI.

Running a Scan

Vega will start crawling the target web application. Vega sends many requests. This is because in addition to analyzing the page content, the crawling engine does several tests on each potential path, trying to determine if it is a file or a directory. Vega also compares pages to each other, and tries to figure out what the 404 page looks like. Vega modules also send their own requests.

The scan progress will be indicated with a progress bar. Note that the total number of links to crawl will grow as Vega discovers new ones and generates variations to perform the above described tests, so the finish time will be a moving target. The preferences described at the start of this tutorial control the parameters that limit scope of the scan.

To stop an active scan, click the red icon with an "x" next to the new scan button.

Website View

Vega will build a list in the top right corner of the paths crawled and seen. The greyed-out paths are those that that have not been accessed. Vega will not crawl links on other websites.

Alerts

Scan Results Current and Past

As the scan progresses, instances of alerts will appear in the summary box shown in the previous screenshot. The alerts that correspond to each instance can be found in the box to the lower right.

Scan Alerts

Opening up the scan results will reveal a tree of alerts, with severity at the highest level, followed by type, and then path instance. Both current and previous scan results for the workspace are listed. The target icon representing the current scan will be blinking until it is finished.

Clicking on an alert will open it in the central pane. To return to the scan summary, click on the top-level item in the alerts tree in the Scan Alerts view, in the bottom right corner.

The alert incorporates both dynamic content from the module and static content from a corresponding XML file. One great feature about alerts is the link to the saved request and response. To slide open a fastview with the message editor, click on the request link towards the bottom of the alert.

Viewing saved requests and responses from within alerts

Alert Request Link

Clicking a request link like the one shown above will pop open the message viewer, with the associated request and response already selected:

Here the details of the request and response can be viewed. The request can also be replayed by right clicking it in the request list just above the message content boxes. Doing this will open up the request editor, which is documented more extensively in the proxy tutorial.

Fastview Icons

Another way to get to the request viewer is to click on the icon in the status bar, in the bottom left corner. This will open up the fast view in a manner similar to when the request link is clicked on in an alert. There is also a fastview link to the console, which blinks when there is error output that has not been seen.

Continue to the next user guide: Using the Vega Proxy (pt. 2 of 4)

Home > Vega-Scanner

Have feedback on Vega? Our documentation? Please tell us.