ZAP Your Minions (Part 2)

When we left off last week, we had just gotten started with Minion by Mozilla, and while we did (superficially) cover plugins, setting up the virtual machine, and adding users, there's still a lot more we can learn about this awesome and powerful framework.  For the sake of keeping things simple, let's keep working with our out-of-the-box VM and get familiar with users, groups, and scans.

Running Your First Scan

Like many other role-based access control setups, Minion uses the familiar concepts of groups and users, with the default roles of "users" and "administrators."  Before we can kick off our first scan, let's create a group and add a user to this group so that they can execute scans against the target site.  For the sake of testing, we'll be using the demo site, which is a popular insecure web app created by IBM.

As seen in the below image, when logged in as an administrator, navigate to the groups tab and add a group with whatever details you see fit.


Now that we have created our first group, we need to add a user and place them in this group.  Just like we did in the above step, navigate to the "users" tab and create the appropriate user.  Once this is done, navigate to the "sites" tab and add a site.  For our purposes, this will be  When adding a site, we must select a test plan for the site, which in this case will use ZAP, a very well known and well respected web application vulnerability scanner, intercepting proxy, fuzzer, and much more.  The last step is to use the group editor to add the scan user and the site that this user can run scans against.  Once this is completed, your "Group Editor" tab should show something similar to the below for your "Scan Users" group.


Whew!  Now that we have all that done, we can run our first scan.  Go back to the home page as a user with scanning privileges, and you should see something similar to the next image.


Just in case you need confirmation of the next step, clicking "scan" will start your first scan against the target site.  Depending on the size of the site and how many and which plugins you've enabled, your scan may complete very quickly or take much, much longer.  Once your scan is completed, the scan results will be available to you in the "details" tab of the appropriate site.
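The group, user and site relationship that the steps above configure through the Group Editor, modelled as an added Python example (this is not Minion's own code; the class, method and sample names are assumptions, and the check is purely group-based):

```python
"""Toy model of Minion-style group-based scan authorization.

Added illustration, not Minion's own code: a group holds both users and
sites (what the "Group Editor" tab configures), and a user may start a
scan against a site only when some group contains both. Names are assumed."""

class ScanAuthz:
    def __init__(self):
        self.roles = {}   # user email -> "user" or "administrator"
        self.plans = {}   # site URL -> test plan name, e.g. "zap"
        self.groups = {}  # group name -> {"users": set(), "sites": set()}

    def add_user(self, email, role="user"):
        self.roles[email] = role

    def add_site(self, url, plan):
        self.plans[url] = plan

    def add_group(self, name):
        self.groups[name] = {"users": set(), "sites": set()}

    def edit_group(self, name, users=(), sites=()):
        # Only known users and registered sites may be placed in a group.
        unknown = ([u for u in users if u not in self.roles]
                   + [s for s in sites if s not in self.plans])
        if unknown:
            raise KeyError(f"unknown users or sites: {unknown}")
        self.groups[name]["users"].update(users)
        self.groups[name]["sites"].update(sites)

    def can_scan(self, email, url):
        """True only when a single group holds both the user and the site."""
        return any(email in g["users"] and url in g["sites"]
                   for g in self.groups.values())

    def start_scan(self, email, url):
        if not self.can_scan(email, url):
            raise PermissionError(f"{email} may not scan {url}")
        return {"site": url, "plan": self.plans[url], "started_by": email}


def demo():
    # Constructed sample data following the walkthrough's steps.
    m = ScanAuthz()
    m.add_user("dev@example.test")
    m.add_user("qa@example.test")  # registered, but not in the group
    m.add_site("http://demo.example.test", plan="zap")
    m.add_group("Scan Users")
    m.edit_group("Scan Users", users=["dev@example.test"],
                 sites=["http://demo.example.test"])
    return m
```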

One additional thing worth noting, which I wish I had mentioned in my previous post, is one step during the setup of the VM.  When you first log into the VM, you need to run the command "startsuper."  Once this command runs, you will be asked to import sites and groups.  For a more populated list of sites and groups, enter option 3, which will import all.  Once the import has completed and you have access to the interface, add your user to all groups for a much more robust list of sites you can scan, as well as a better idea of the look and feel of the application.


Wrapping It Up

At a glance, Minion has a tremendous amount of potential as a tool which empowers developers to start doing their own security testing.  If you're a seasoned application security professional, Minion may not offer you a whole slew of new tools and techniques out of the box; however, it can definitely be used to help developers run their own routine security scans to catch bugs as early as possible, which is invaluable.

As always, thanks for reading and a huge thanks to Mozilla, the developers of Minion, ZAP, Skipfish and many more FOSS tools that are helping us make security better.