About Vega

Subgraph Vega

What is Vega?

Vega is a platform for testing the security of web applications. Vega is GUI-based, written in Java, and runs on Linux, OS X, and Windows. Vega can be easily extended with modules written in JavaScript.

Vega is developed by Subgraph, an open source security startup based in Montreal, Canada.

What does it do?

Vega runs in two modes of operation: as an automated scanner, and as an intercepting proxy.

Automated scanner

The automated scanner crawls websites, extracting links, processing forms, and running modules on the possible injection points it discovers. These modules can, for example, submit requests that fuzz parameters to test for cross-site scripting (XSS) or SQL injection.

Intercepting proxy

The intercepting proxy allows for detailed analysis of browser-application interaction. When enabled, the proxy listens on localhost as a proxy server. When a browser uses the Vega proxy, requests and responses are visible to Vega. Vega can be told to set "breakpoints": interception criteria for outgoing requests (from the browser) or incoming responses (from the server). Requests and responses that match are held in an editable state until released.

Scanning proxy

Vega can also fuzz parameters and actively test pages that match the target scope as you visit them through the proxy.

Response processing

Vega supports modules that process responses, typically looking for information ("grep" modules). Response processing modules can process responses received by either the scanner or the proxy.

Shared knowledge base

Beneath the hood is a database where information, including requests and responses, can be shared among components.


Both types of modules are capable of generating alerts that combine dynamic content from the module with static content in an XML file specified by the alert.
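The idea behind a "grep" style response check and its alerts, as an added example in plain JavaScript: it is not Vega's module API or code from the Vega project. The response object shape, the names ALERT_TEXT, CHECKS and grepResponse, and the sample response are assumptions made for illustration.

```javascript
// Static alert text, keyed by alert type. Vega keeps this kind of content in
// an XML file; a plain object stands in for it here (assumption).
const ALERT_TEXT = {
  "version-banner": {
    title: "Server software version disclosed",
    remediation: "Suppress version details in the Server and X-Powered-By headers.",
  },
  "stack-trace": {
    title: "Stack trace in response body",
    remediation: "Return a generic error page and log the trace server-side.",
  },
};

// Passive checks: each one only reads the response, it never sends traffic.
const CHECKS = [
  { type: "version-banner", where: "headers",
    pattern: /^(?:server|x-powered-by):\s*(\S+\/\d[\w.]*)/im },
  { type: "stack-trace", where: "body",
    pattern: /^\s*at [\w.$<>]+\([\w.]+\.java:\d+\)/m },
];

// response: { url, headers: {name: value}, body } (hypothetical shape)
function grepResponse(response) {
  const headerText = Object.entries(response.headers)
    .map(([name, value]) => `${name}: ${value}`)
    .join("\n");
  const alerts = [];
  for (const check of CHECKS) {
    const haystack = check.where === "headers" ? headerText : response.body;
    const match = check.pattern.exec(haystack);
    if (match) {
      // Static text plus the dynamic evidence found in this response.
      alerts.push({ type: check.type, ...ALERT_TEXT[check.type],
        url: response.url, evidence: (match[1] || match[0]).trim() });
    }
  }
  return alerts;
}

// Constructed sample response, not captured from a real server.
const SAMPLE = {
  url: "http://app.example.test/report?id=7",
  headers: { "Content-Type": "text/html", "Server": "Apache-Coyote/1.1" },
  body: "<h1>Error</h1><pre>java.lang.NullPointerException\n" +
        "    at com.example.Report.load(Report.java:42)\n</pre>",
};
console.log(grepResponse(SAMPLE));
```

Because the function only reads a response object, the same check can be applied to responses from a crawler or from a proxy without modification.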

What's in Vega?

Vega would not have been possible without the generous contributions of the open source and security research communities.

With much appreciation, we acknowledge that Vega is built upon the work of many other individuals and projects, and includes code from the following:

The Eclipse Foundation

The Apache Software Foundation

The Mozilla Foundation

Jonathan Headley

Google, Inc.

The Vega scanner owes much to the innovative work implemented in Skipfish by Michal Zalewski.
