Vega Review | Tech Radar

Vega is a free and open source web security scanner (opens in a new tab) written in Java and created to help cybersecurity professionals find and fix various web vulnerabilities such as SQL injection, cross-site scripting (XSS), shell injection, remote file inclusion (RFI), disclosure of sensitive information, and much more. Vega can also be used to probe TLS/SSL security settings and identify opportunities for hardening TLS/SSL server security.

The security company behind this web scanner is Subgraph and it was established in 2010 in Montreal (Quebec, Canada) where it is still going strong. In addition to Vega, the company has created the Subgraph operating system (OS) and a Tor Orchid client, and offers other application security services such as penetration testing, code review, and development training. Secure Web.

The official Vega site is far from meaty in design but offers a decent amount of information on Subgraph’s solutions, Vega included. It also features a blog where you can go back on all Subgraph product updates. However, this is not a blog that will keep you busy.

If you love social media or want to connect with the team behind Vega, you can do so via Twitter, GitHub, and LinkedIn.


(Image credit: Vega)

Packages and rates

As with similar security-related solutions, since Vega is both free and open-source software, there are no pricing models, or plans for that matter. It works on Windows, Linux and Mac OS.

Vega is a Java tool and all of its detection modules are written in JavaScript, which makes it easily extensible. So, if you want to create new attack modules, you can clone the Vega source code from the GitHub repository.

Features and Functions

Vega operates in two modes: as an automated scanner for quick testing and as an intercept proxy for closer inspection.


(Image credit: Vega)

As the name suggests, an automated scanner automatically crawls websites and extracts links, processes forms, and runs modules with the mission of discovering and displaying XSS, SQL injection, and other web vulnerabilities. (opens in a new tab). Once provided with login credentials, Vega’s web crawler can automatically log in to sites of interest.

The interception proxy can be used to intercept the connection between users and servers and perform SSL interception for HTTP sites. It can be configured to scan proxy traffic through multiple scanner modules. When users browse to the target site, you can also configure the Vega proxy to run attack modules there.

Vega supports two types of Java-based modules for performing vulnerability assessment: injection modules and response processing modules, the latter of which can process responses received by the scanner or proxy server.


(Image credit: Vega)

Interface and ease of use

If you’re not using one of the older versions of Kali Linux, Vega probably won’t come pre-installed, suggesting you’ll have to install the software yourself.

To install Vega, click on the “Download” button in the main menu (and do the same on the next page), choose the version of Vega you want to use, download the EXE file and proceed with the installation of Vega as n any other application on your system. Alternatively, you can clone Vega from the GitHub repository by running the correct command in the terminal session on the Linux shell. Either way, your new web scanner should be ready to use soon.

To start your first scan, you can either click the “Scan” button and select “Start New Scan” from the drop-down menu, or simply click the new scan icon in the top left corner. This will open the new Analysis Wizard asking the user to either enter the Uniform Resource Identifier (URI) directly into the “Analysis Target” field or edit a target scope – then click the ” Next”.

After that, you will need to choose which injection modules and response processing modules you want to use during the analysis. Check the ones you want to use.

Once you press the “Finish” button, the scan will begin and the Vega log will start showing the information, time of the crawl phase and what it found on the site. Vega categorizes all scan alerts as low, medium, or high priority as listed in the “Scan Alerts” section – and this is just an overview of Vega’s scan capabilities.

While Vega’s Graphical User Interface (GUI) looks well-designed, it’s obviously outdated, which might confuse newcomers.


(Image credit: Vega)

Customer service

As with the other free and open-source web security scanners we’ve covered so far, there’s no 24/7 customer support with Vega – and that’s understandable.

However, if you like self-help services, you’ll be happy to hear that Vega has a well-stocked documentation section. It is divided into three main categories: “Trying Vega” which covers basic information and installation, “Using Vega” which covers how-to guides, and “Extending Vega” which focuses on creating new modules. As far as we can see, these guides are quite detailed although mostly text-based – so no screenshots or easy-to-follow video tutorials.

If you want to work with the team behind Vega, you can contact them by phone and email.


(Image credit: Vega)


If you’re looking for something similar to Vega but with a modern, user-friendly dashboard, more comprehensive scanning coverage, and a 24/7/365 technical support team, you might want to check out the Nessus Vulnerability Scanner – that is, if you don’t mind paying a pretty penny. In contrast, Vega won’t cost you a dime.

Luckily, if you’re dying to try Nessus but can’t because your budget is tight, give OpenVAS a shot. It is a powerful and feature-rich vulnerability scanner that can perform large-scale assessments and a full range of network vulnerability tests. Also, it started its story as a spin-off of Nessus and was formerly called GnessUs.

If you can’t find Vega famous enough, try a proven veteran of penetration testing and port scanning – yes, we’re thinking Nmap. Like Vega, it’s free to use, so you won’t lose anything by testing it.

final verdict

Put your web application security to the test and find (and fix) a wide variety of vulnerabilities by trusting a free yet capable Java application called Vega.

It might not be the easiest web analytics tool to use, but when it comes to spotting SQL injection, cross-site scripting, and inadvertent leaked information, Vega is no match. far behind its proprietary counterparts.

Comments are closed.