Minion is a security testing framework built by Mozilla to bridge the gap between developers and security testers. It does so by letting developers run scans with a wide variety of security tools through a simple HTML-based interface.
It consists of three umbrella projects:
- Minion Frontend, a Python, angular.js, and Bootstrap-based website that provides an HTML interface to authenticate and authorize users, manage sites, initiate scans, and report issues
- Minion Backend, a Python, Flask, and Twisted-based backend that provides an API for the Minion Frontend, and acts as a middleman between the frontend and external security tools
- Minion VM, a repository of recipes to allow quick installations of Minion either via Vagrant or Docker
Functionality
Minion itself has limited built-in scanning functionality. Instead, it relies on the large variety of pre-existing open source and commercial scanning tools, integrated as plugins. These plugins include:
- Minion ZAP, which utilizes the OWASP Zed Attack Proxy
- Minion Nmap, utilizing the Nmap network scanner
- Minion Skipfish, utilizing the Skipfish reconnaissance tool
- Minion SSLyze, utilizing the SSLyze TLS scanner
- Minion SSL, which uses the sslscan TLS scanner
You can download Minion here:
Back-end: minion-backendv0.3.zip
Front-end: minion-frontend-v0.4.zip
Or read more here.
Andy says
Surprised that they support ZAP and not Burp Suite. Seems like it would be of very limited value to security testers until they add that in.