ZAP Your Minions (Part 1)

In a previous blog post, I talked about the importance of empowering your developers with security tools, such as Arachni and W3AF.  Last week, while getting caught up on some security-related mailing lists, I came across a platform created by Mozilla called Minion, which is designed to do just that.  From the Mozilla Wiki:

Minion is an open source Security Automation platform. The 0.3 release of Minion allows Development, QA, and Security team members to perform automated web security scans with a set of tools, and re-execute those scans as needed.

While the Minion platform on its own can provide immediate value simply for the functionality it exposes, such as rapidly generating security tests, the "meat" of Minion comes in the form of its plugins.  Of particular interest for a quick setup are the plugins below:

  • https://github.com/mozilla/minion-zap-plugin
  • https://github.com/mozilla/minion-skipfish-plugin
  • https://github.com/mozilla/minion-nmap-plugin

For getting started with Minion, you have two options.  First, you can visit the GitHub page for the project and follow the build/installation instructions from there to roll your own install, or you can download the virtual appliance from the link found towards the bottom of the page located here.  The appliance itself is a VirtualBox image, which means that you will of course need VirtualBox installed should you opt to use the appliance.  To keep it short, simple and sweet, in this post we'll download the appliance just to see what its capabilities are out of the box.

After downloading and installing VirtualBox, we can then download the appliance image and simply import it into VirtualBox.  Once the import completes, boot the VM and log in using the info below (quoted from the Mozilla wiki):

Once you have imported and started the VM, you can SSH into the VM with the following username and password: username: vagrant password: vagrant

Yes. This is a Vagrant VM. You can actually create one yourself from scratch using [1]. Note this script is still in its early adoption stage so there might be bugs.

After logging in, you can find that .bash_aliases contains several useful aliases.

Do startsuper to start all the servers and workers. You can check supervisor-managed processes by typing super status. This part is explained in [2].

Finally, if this is your first time, you can setup your database:

$ benv && minion-db-init

benv just enters the backend's virtualenv.

and then navigate to http://<vm_ip>:8080

One issue that I did run into, even after running minion-db-init, was that when I logged in, the Minion frontend showed "You do not have any sites in Minion yet."  Whether or not this is an issue of RTFM, I was able to fix this by running "$ minion-create-user another.email.address@domain.com Name administrator".  After logging in with this e-mail address, I saw a screen similar to the one below:

[Screenshot: MinionUI]

If you've made it this far, congratulations!  Since this is my first Minion install, between now and next week, I'll be looking into the plugins, working on automating scans, and seeing what else Minion can do out of the box.  Be sure to check back for the next post which will cover adding users, groups, sites, and executing scans as well as the plugin architecture!