Progressive Mobile Web Application Subresource Tampering During Penetration Testing

  • Conference paper
  • In: Advanced Information Networking and Applications (AINA 2021)

Abstract

The growing popularity of mobile devices has made both operating systems and mobile applications more complex, which in turn leaves them more exposed to attack. Penetration testing aims to detect security gaps in mobile systems. Progressive Web Applications (PWAs), in turn, use Web browser APIs to extend the range of functionality available to cross-platform applications. This paper therefore focuses on penetration testing of Progressive Web mobile applications. First, several of the new functionalities were evaluated for vulnerabilities; then an in-depth analysis of the Web push functionality was carried out. The external resources that deliver Web push services were examined for the security of the libraries they load. Finally, a Man-in-the-Middle attack on the Subresource Integrity Mechanism (SIM; the W3C Subresource Integrity check applied to externally loaded scripts) was analyzed in order to exploit the vulnerabilities detected.



Corresponding author

Correspondence to Jolanta Mizera–Pietraszko .

Copyright information

© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Wróbel, T., Kędziora, M., Szczepanik, M., Jóźwiak, P.P., Jóźwiak, A.M., Mizera–Pietraszko, J. (2021). Progressive Mobile Web Application Subresource Tampering During Penetration Testing. In: Barolli, L., Woungang, I., Enokido, T. (eds) Advanced Information Networking and Applications. AINA 2021. Lecture Notes in Networks and Systems, vol 225. Springer, Cham. https://doi.org/10.1007/978-3-030-75100-5_26