Vigolium v0.1.13-beta

The initial public release of Vigolium v0.1.13-beta has been published: a vulnerability scanner for web applications that combines classic deterministic scanning with LLM-based agentic auditing. The project is available on GitHub and is distributed under the GNU AGPLv3 license; the commercial part has been moved to the cloud Console, while the scanner core is declared open.

Vigolium offers two main operating modes: vigolium scan, a standard multi-stage scan with content discovery, browser spidering, and active and passive auditing; and vigolium agent, an agent-based mode in which an LLM selects modules, plans attacks, generates custom JavaScript extensions, and combines dynamic testing with source code auditing.

According to the current module reference, Vigolium includes 251 check modules, of which 154 are active and 97 passive. Active modules send modified requests and use fuzzing, injections, and behavioral analysis, while passive modules analyze existing request/response pairs without generating additional traffic.

Capabilities

  • Native Scan is a standard deterministic scan.
    The Vigolium scan mode is designed for quick and repeatable checks. It goes through several phases: external data collection, content discovery, browser/SPA spidering, and auditing. This mode is convenient for CI, regular checks, and situations where predictable results are important without the need for LLM.

  • Agentic Scan — agent-based audit with LLM.
    Vigolium agent mode uses the built-in runtime olium. The agent can independently search for endpoints, select modules, run checks, analyze code, run SAST, and re-check findings. Autopilot, Swarm, and Query mode scenarios are supported: from autonomous target scanning to one-off requests for code review, endpoint searches, and secret discovery.

  • XSS, SQLi, NoSQLi, SSTI, LFI, RCE, XXE and SSRF checks.
    The module reference lists checks for reflected XSS, error-based SQL injections, boolean-based blind SQLi, NoSQL injections, server-side template injection, local file inclusion, command injection, XXE, SSRF, and out-of-band vulnerabilities. Findings are rated on a severity scale from critical to info and a confidence scale of certain, firm, and tentative.

  • OAST checks for "blind" vulnerabilities.
    Vigolium can check for blind XSS, blind SSRF, blind XXE, and blind RCE via callback mechanisms, including interactsh. This is necessary for cases where the vulnerability doesn't manifest itself directly in the HTTP response, but the server makes an external DNS/HTTP request or performs a deferred action.

  • Value-aware mutation: parameter mutations that take the meaning of the value into account.
    The scanner classifies parameters by semantic type: number, UUID, JWT, email, and other variants, and then selects mutations based on the context. This should reduce noise compared to the crude insertion of identical payloads into all fields.

  • Support for different input formats.
    Inputs include URLs, OpenAPI/Swagger specifications, Postman collections, Burp Suite data, cURL, and Nuclei JSONL. URLs can also be passed via stdin and individual scan phases can be triggered.

  • Authenticated scanning and IDOR/BOLA checks.
    Vigolium supports multiple sessions simultaneously: sessions can be passed inline, loaded from files, or described as full login flows with token extraction. This is used for horizontal and vertical access control checks, including IDOR/BOLA and privilege escalation.

  • Framework checks and typical leaks.
    The list of modules includes checks for Next.js, Spring/Java, Django, Flask, FastAPI, Laravel, Symfony, Rails, Express, and ASP.NET/IIS. For example, for Spring, public Actuator endpoints, Spring Boot Admin, Spring Cloud Config, H2 Console, Jolokia, and Java application server consoles are checked; for Next.js, leaks via /_next/data, SSRF in Image Optimizer, and middleware bypasses are checked.

  • JavaScript extensions.
    Users can write their own modules and hooks in JavaScript using the built-in JS engine with a session-aware HTTP API. One important limitation: such extensions can execute arbitrary commands and are not sandboxed, so they should be treated as regular executable code.

  • Separate triage phase for results.
    In LLM-assisted security testing, the problem of plausible but non-reproducible findings often arises. Vigolium's author describes triage as a separate pass: first, the scanner collects candidates, then a separate check re-verifies each finding against the evidence.

  • Budget limits for agent mode.
    For agent-based scanning, you can limit tokens, the number of tool invocations, the number of triage iterations, and the total execution time. This is important for CI and fixed-time penetration tests: the agent shouldn't endlessly "dig" a single target and burn through budget on unhelpful hypotheses.

  • Reports, queue and scaling.
    Native Scan features a concurrent worker pool, per-host rate limiting, a hybrid queue in memory, on-disk, or in Redis, and self-contained HTML reports. Console, JSON, and HTML output are available.

  • Server mode, API, and integration with Burp Suite.
    Vigolium can run as an API server, accept traffic, enable a transparent HTTP proxy, and automatically scan received data. A separate extension, burp-vigolium, is mentioned for Burp Suite, allowing you to send live traffic to the Vigolium server.

  • Workbench and Console.
    In addition to the CLI, the project describes Workbench, a self-hosted dashboard for visualizing results, managing projects, and tracking findings, and Console, a cloud-based commercial layer for managed scanning, centralized reporting, collaboration, and scan scheduling.
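
The classify-then-mutate idea from the value-aware mutation item above, as an added Python illustration (not Vigolium's own code): a value is assigned a semantic type and the mutation set is chosen per type rather than spraying one payload list into every field. The type names, regexes, mutation choices and the sample JWT are constructed assumptions.

```python
import base64
import json
import re
import uuid
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
B64URL_RE = re.compile(r"[A-Za-z0-9_-]+")
# Constructed sample token: header {"alg":"HS256","typ":"JWT"}, payload {"sub":"1"}, dummy signature.
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl"

def _b64url_json(segment: str):
    try:  # decode one base64url segment as JSON, None if it is not one
        return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except (ValueError, UnicodeDecodeError):
        return None

def classify(value: str) -> str:
    """Semantic type of a parameter value (constructed type names)."""
    if re.fullmatch(r"-?\d+", value):
        return "number"
    if value.lower() in ("true", "false"):
        return "boolean"
    if UUID_RE.fullmatch(value):
        return "uuid"
    parts = value.split(".")
    if len(parts) == 3 and all(B64URL_RE.fullmatch(p) for p in parts[:2]):
        header = _b64url_json(parts[0])
        if isinstance(header, dict) and "alg" in header:
            return "jwt"
    if EMAIL_RE.fullmatch(value):
        return "email"
    return "string"

def mutations(value: str) -> list:
    kind = classify(value)  # boundary and malformed variants of the same type, chosen by context
    if kind == "number":
        n = int(value)
        return [str(n + 1), str(n - 1), "0", "-1", str(2**31), str(2**63), f"{n}.0", f"{n}e3"]
    if kind == "boolean":
        return ["1", "0", "yes", "null", value.upper()]
    if kind == "uuid":
        return [str(uuid.UUID(int=0)), value.upper(), value.replace("-", ""), value[:-1]]
    if kind == "jwt":
        head, payload, sig = value.split(".")
        # does the server still verify the signature? empty, truncated and tampered signature segments
        return [f"{head}.{payload}.", f"{head}.{payload}.{sig[:-1]}", f"{head}.{payload}.{sig[:-1]}A"]
    if kind == "email":
        local, domain = value.rsplit("@", 1)
        return [f"{local}+vgm@{domain}", f"{local}@", f"{local}{domain}", value.upper()]
    return [value * 4, "", f"  {value}  ", value + "\u0000"]
```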

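The two-pass triage from the "separate triage phase" item above, as an added Python sketch (not Vigolium's code): each candidate is re-checked against its own evidence, first confirming the marker is absent from a baseline request, then replaying the probe a few times and grading confidence on the certain/firm/tentative scale. The `Finding` fields, the fake target in `make_target` and the confidence thresholds are constructed assumptions.

```python
import html
import itertools
from dataclasses import dataclass, field
from typing import Callable, Dict, List

@dataclass
class Finding:
    module: str
    severity: str             # Vigolium's scale: critical .. info
    request: Dict[str, str]   # parameters of the request that produced the candidate
    baseline: Dict[str, str]  # same request with the probe value replaced by a harmless one
    marker: str               # evidence string the response must contain
    confidence: str = "tentative"
    replays: List[bool] = field(default_factory=list)

def triage(findings: List[Finding], send: Callable[[Dict[str, str]], str], rounds: int = 3) -> List[Finding]:
    """Second pass: keep only candidates whose evidence reproduces, and grade confidence."""
    confirmed = []
    for f in findings:
        if f.marker in send(f.baseline):
            continue  # evidence present even without the probe proves nothing: drop it
        f.replays = [f.marker in send(f.request) for _ in range(rounds)]
        hits = sum(f.replays)
        if hits == 0:
            continue  # not reproducible: discard rather than report
        f.confidence = "certain" if hits == rounds else "firm"
        confirmed.append(f)
    return confirmed

def make_target() -> Callable[[Dict[str, str]], str]:
    """Constructed stand-in for a scanned page (not a real service): 'q' is echoed raw, 'name' is
    HTML-escaped, 'flaky' is echoed only on every other request, the footer always has 'vgm-static'."""
    flaky_calls = itertools.count()
    def send(req: Dict[str, str]) -> str:
        body = "<p>" + req.get("q", "") + "</p>"
        body += "<p>" + html.escape(req.get("name", "")) + "</p>"
        if "flaky" in req and next(flaky_calls) % 2 == 1:
            body += "<p>" + req["flaky"] + "</p>"
        return body + "<footer>vgm-static</footer>"
    return send

def demo_findings() -> List[Finding]:
    probe = "<vgm-probe>"  # constructed marker, carries no executable payload
    return [
        Finding("xss-reflected", "high", {"q": probe}, {"q": "probe"}, probe),
        Finding("xss-reflected", "high", {"name": probe}, {"name": "probe"}, probe),
        Finding("xss-reflected", "high", {"flaky": probe}, {"flaky": "probe"}, probe),
        Finding("info-leak", "low", {"q": "x"}, {"q": "x"}, "vgm-static"),
    ]
```

Running `triage(demo_findings(), make_target())` keeps only the raw-echo candidate (certain) and the intermittent one (firm); the escaped parameter and the always-present footer string are dropped.
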
Installation

The project offers installation via a shell script, npm, Docker, Homebrew, Bun, or building from source. The requirements for building from source are listed in the README: Go 1.26+ and Bun 1.3.11+.

curl -fsSL https://vigolium.com/install.sh | bash

npm install -g @vigolium/vigolium

docker pull j3ssie/vigolium:latest
docker run --rm j3ssie/vigolium:latest scan -h

The developers explicitly warn that Vigolium is an offensive security tool: agent mode runs without a sandbox and has full access to the shell, file system, and host network, and extensions can likewise execute arbitrary commands. They therefore recommend running agent-based scans in a disposable container or virtual machine restricted to the specific test environment.

Source: linux.org.ru