24
edits
Changes
no edit summary
* Site hosted by developer
* Can be hosted or running locally
==Configuration Abstraction==
To pass data between components, a standard configuration and data scheme must be used. For Minion, we have decided to use JSON as the format for passing data. For example, the user interface will collect the necessary options, then call the task engine and pass it a JSON string of those options. The task engine will read the options, split them into new JSON strings as necessary to send to each installed tool (some tools may need different options than others). The tool will pass its results back to the task engine as a JSON string and the task engine will compile all returned results into a single JSON string which will be returned to the interface. The interface will deconstruct the string into human-readable results and display them on the results page.
===Basic Tool Requirements===
Each tool takes a number of base options as well as optional options that can improve the scan's accuracy or increase its functionality.
====Zed Attack Proxy====
Base options: URL
Optional: spider depth-level, CSRF tokens, authentication information, parameters to fuzz
====Garmr====
Base options: URL
Optional: parameters to test
Note: most options with Garmr involve output, which should be handled without interaction from the user.
====Skipfish====
Base options: URL
Optional: authentication credentials, cookie values, non-standard header information, scan time limit (see http://code.google.com/p/skipfish/wiki/SkipfishDoc for a full list)
Note: Skipfish has a lot of additional options that include domains to exclude in crawling, domains to ignore in testing, wordlist generation, folder output, etc. To make it as easy to use as possible, the Skipfish plugin should include defaults for all of these options so that the user will never need to worry about the options.
