2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Vega is a free, open source scanning and testing platform for testing the security of web applications. Vega can help you find and verify SQL injection, cross-site scripting (XSS), sensitive information leaks, and other vulnerabilities. It is Java based, has a GUI, and runs on Linux, OS X and Windows.
Vega includes an automated scanner for rapid testing and an intercepting proxy for inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection and other vulnerabilities. Vega can be extended using a powerful API in the language of the web: JavaScript.
Automated crawler and vulnerability scanner
Consistent user interface
Web crawler
Intercepting proxy
SSL MITM
Content analysis
Extensibility via a powerful JavaScript module API
Customizable alerts
Database and shared data model
On Kali, the start command is: vega
Because my Kali is the latest version from the official website and I update it often, Vega failed on startup; I had already fixed the problem, so there is no screenshot of the error.
Cause of the error: mainly that the Java version is too high; switch to a lower version.
Change the Java version with: update-alternatives --config java
I chose Java version 2 - 8, and then Vega started successfully and opened its graphical interface.
Vega usage (the graphical operation is very simple):
Note: the scan scope I wrote in the picture is something you need to define yourself; I did not need one and scanned directly. After setting it, click Next to continue.
Click the small blue block indicated by the arrow to expand the list of scan modules, described below.
Injection modules:
blind sql text injection differential checks
xml injection checks
http trace probes
blind sql injection arithmetic evaluation differential checks
local file include checks
shell injection checks
integer overflow injection checks
format string injection checks
http header injection checks
remote file include checks
url injection checks
blind os command injection timing -- blind OS command injection judged by time difference (my personal understanding: similar to sqlmap's time-difference judgment)
blind sql injection timing -- blind SQL injection judged by time difference (same as above)
blind xpath injection checks (XPath is used for navigating through elements and attributes in XML documents)
cross domain policy auditor -- cross-domain audit
eval code injection (eval() is a function in programming languages whose purpose is to obtain a return value; it is similar across languages. The function prototype is return value = eval(codeString); if eval encounters an error during execution, it throws an exception to the caller) (PS: the author has used this function to bypass the dog)
xss injection checks
bash environment variable blind os injection (cve-2014-6271, cve-2014-6278) checks (CVE-2014-6271: Bash remote code execution vulnerability; CVE-2014-6278: GNU Bash incomplete fix remote code execution vulnerability)
Response processing modules:
e-mail finder module
directory listing detection (anyone who has used Sword will know this one; it scans web directories very fast)
version control string detection
insecure script include
cookie security module
unsafe or unrecognized character set
path disclosure
http header checks
error page detection
interesting meta tag detection
insecure cross-domain policy
Ajax detector (Ajax, Asynchronous JavaScript And XML, is a web development technique for creating interactive web applications)
rss/atom/opl feed detector
character set not specified
social security/social insurance number detector
oracle application server fingerprint module
cleartext password over http
credit card identification
internal ip address
wsdl detector (WSDL, Web Services Description Language, is a description language for web services; it contains a set of definitions describing a web service)
file upload detection
http authentication over unencrypted http
x-frame options header not set -- the X-Frame-Options response header is not set (xFrame is an object-oriented web application rapid development framework based on PHP+XSLT technology)
form autocomplete
source code disclosure module
empty response body module
cookie scope detection
----------------------------------------
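What a few of the response processing modules listed above look for, shown as an added example that is not Vega's own module code and does not use Vega's module API: a standalone Node.js function that inspects one response for a missing X-Frame-Options header, a missing character set, cookie flags and internal IP addresses. The function name auditResponse, the shape of the response object and the sample response are assumptions constructed for illustration.

```javascript
// Added illustration: passive response checks, not Vega's module code or API.
// Finding names mirror modules from the list above.
const PRIVATE_IP = /\b(?:10(?:\.\d{1,3}){3}|192\.168(?:\.\d{1,3}){2}|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})\b/g;

function auditResponse(res) {
  const findings = [];
  // Header names are case-insensitive, so normalize before lookup.
  const headers = {};
  for (const [k, v] of Object.entries(res.headers)) headers[k.toLowerCase()] = v;

  if (!('x-frame-options' in headers)) findings.push('x-frame options header not set');

  const ctype = String(headers['content-type'] || '');
  if (/^text\//i.test(ctype) && !/charset\s*=/i.test(ctype)) {
    findings.push('character set not specified');
  }

  // Set-Cookie may appear several times; accept a string or an array.
  for (const c of [].concat(headers['set-cookie'] || [])) {
    const name = c.split('=')[0].trim();
    const attrs = c.split(';').slice(1).map((a) => a.trim().toLowerCase());
    if (!attrs.includes('httponly')) findings.push(`cookie security: ${name} lacks HttpOnly`);
    // The Secure flag only matters when the cookie was set over HTTPS.
    if (res.url.startsWith('https:') && !attrs.includes('secure')) {
      findings.push(`cookie security: ${name} lacks Secure`);
    }
  }

  // Report each RFC 1918 address once, however often it appears in the body.
  for (const ip of new Set((res.body || '').match(PRIVATE_IP) || [])) {
    findings.push(`internal ip address: ${ip}`);
  }
  return findings;
}

// Constructed sample response (not captured from a real site).
const sample = {
  url: 'https://app.example.test/login',
  headers: {
    'Content-Type': 'text/html',
    'Set-Cookie': ['SESSION=abc123; Path=/; HttpOnly', 'lang=en; Path=/; Secure'],
  },
  body: '<!-- upstream 10.20.30.40 --><p>Login</p><!-- ref 8.8.8.8 -->',
};
console.log(auditResponse(sample));
```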
After setting all the modules, click Next to move on to the screen in the figure below.
I did not select anything here and went straight on to the next picture.
Then click Finish.
When this box pops up, click Yes.
After the scan is complete, you can click in the lower left corner to see the vulnerabilities that were found and how to fix them.
It's impossible for a lifetime.