Having completed my incursion into Metasploitable 2 I’m beginning my foray into Mutillidae II.
Before starting the manual hands-on stuff I thought I’d throw some automated scanners at the web app for fun and see what results they might generate for me.
Mutillidae version 2.6.5 is hosted on my Windows 7 system using XAMPP and I’m scanning from Kali Linux.
Subgraph Vega is:
a platform for testing the security of web applications. Vega is GUI based, written in Java, and runs on Linux, OS X, and Windows. Vega can be easily extended with modules written in Javascript.
The GUI is very simple and intuitive. This can be used as an automated scanner or intercepting proxy. I chose the automated scanner option (start new scan), input the URL, chose the injection and response processing modules, selected finish, and off it went. Simple as that.
My only complaint is there doesn’t seem to be the facility to export findings into XML or any other format.
Here’s the summary:
And drilling down a little further:
And further still:
All in all, a very fast, easy to use, web app scanner.
I’m not attempting to exploit any of this information at this point.