08/15/17: Vega Web Application Vulnerability Scanner | Security Bulletin

Threat Summary


Vega is a commercial web application vulnerability scanner and security testing platform developed by Subgraph. The tool is designed to help developers find and validate SQL injection, XSS, and other vulnerabilities.



  1. The attacker sends a request to the server.
  2. The server responds to the attacker.


The scanner must be capable of contacting the target host.

Vulnerability Description

The Vega vulnerability scanner is commonly used during the reconnaissance phase of an attack to enumerate any paths, files, or parameters of a web/application server to further understand the environment or to discover any vulnerable entry points. Out of the box, Vega can discover XSS, SQL-I, ShellShock, and more. It can be extended using JavaScript.

If a Vega vulnerability scan is detected, then this is a good indication that there is currently an attacker enumerating the web/application server, and there is a chance that vulnerabilities could be discovered. This could be an authorized professional pentest or scan, or an unauthorized attacker.

Alert Logic Coverage

Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place. 

The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.

Detection of this threat is provided via Alert Logic ActiveWatch™ for the Web Security Manager™ service. Depending on your deployment of Web Security Manager, you will receive an incident (for out-of-band deployment) or the threat will be actively blocked and rejected (for the inline Web Security Manager Premier deployment) if an exploit attempt is observed.

Recommendations for Mitigation

To prevent scans from this tool, a web-application firewall (WAF) could be developed to drop requests before it hits the web/application server, or the attacking IP could be blocked at the perimeter firewall to prevent any further reconnaissance.

Upon discovery of an exploit attempt, customers are advised to perform the following actions:

  • Confirm if the scan is authorized or unauthorized.
  • Block the attacker at the perimeter firewall or WAF.
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request


Please sign in to leave a comment.