Web application

Next, we will take a look at the MySubaru web application and inspect all HTTP requests and responses. The MySubaru web application contains additional options that the mobile applications do not have, such as adding authorized users or changing the account PIN. Follow the same steps as when proxying the mobile application traffic, but ensure that every state-changing action, such as those listed below, is clicked and analyzed:

  • Login/Logout
  • Lock/Unlock
  • Honk the horn
  • Flash the lights
  • Locate the vehicle
  • View the vehicle health report
  • Edit vehicle details
  • Add a vehicle
  • Add and remove authorized users
  • Change pin
  • Change password
  • Change security questions
  • Change personal account details

All differences between the web application and the mobile applications should be noted. So far, the major difference between the web and mobile apps is how remote service API requests are sent to Subaru servers. The API endpoint itself remains the same for all applications, which is useful to know: a weakness found in one client's handling of that endpoint is likely reachable from the others as well.
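One way to record those differences systematically, as an added example rather than code from the book: group the proxied requests by endpoint, mark which ones change state, and list the parameters that only one client sends. The records below are constructed stand-ins for entries exported from the Burp HTTP history; the hostname, paths and parameter names are hypothetical placeholders.

```python
"""Added example: diff proxied HTTP requests from the web and mobile clients."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample data: one dict per captured request (hypothetical values).
SAMPLE_REQUESTS = [
    {"client": "web", "method": "POST", "body": "pin=1234&vin=TESTVIN",
     "url": "https://api.example.invalid/remoteService/lock"},
    {"client": "mobile", "method": "POST", "body": "pin=1234&vin=TESTVIN&deviceId=abc",
     "url": "https://api.example.invalid/remoteService/lock"},
    {"client": "web", "method": "GET", "body": "",
     "url": "https://api.example.invalid/vehicle/locate?vin=TESTVIN"},
    {"client": "web", "method": "POST", "body": "oldPin=1234&newPin=4321",
     "url": "https://api.example.invalid/profile/changePin"},
]

def request_params(rec):
    """Parameter names taken from the query string and a form-encoded body."""
    parts = urlsplit(rec["url"])
    return set(parse_qs(parts.query)) | set(parse_qs(rec["body"]))

def compare_clients(records):
    """Group requests by (method, host, path). For each endpoint, record which
    clients use it, whether the method changes state, and the parameters
    that only one client sends (the differences the text says to note)."""
    seen = defaultdict(lambda: defaultdict(set))
    for rec in records:
        parts = urlsplit(rec["url"])
        key = (rec["method"], parts.netloc, parts.path)
        seen[key][rec["client"]] |= request_params(rec)
    report = {}
    for key, clients in seen.items():
        report[key] = {
            "clients": sorted(clients),
            "state_changing": key[0] in STATE_CHANGING,
            "unique_params": {
                c: sorted(p - set().union(*(q for d, q in clients.items() if d != c)))
                for c, p in clients.items()
            },
        }
    return report

def web_only_endpoints(report):
    """Endpoints reached only from the web application (the extra options)."""
    return sorted(k for k, v in report.items() if v["clients"] == ["web"])

if __name__ == "__main__":
    rep = compare_clients(SAMPLE_REQUESTS)
    for key, info in rep.items():
        print(key, info)
    print("web-only:", web_only_endpoints(rep))
```

Endpoints that are both state-changing and web-only (here, the PIN change) are the ones to compare most carefully against the mobile flows, since they have no second client to check the server's behaviour against.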

The following screenshot displays the HTTP history in Burp Suite with color coding for all applications:
