Exploiting vulnerabilities in Johnson & Johnson web apps #2427

Open

carlospolop wants to merge 1 commit into master from update_Exploiting_vulnerabilities_in_Johnson_Johnson_we_83fbc43fcc751f25

Conversation

@carlospolop

Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://eaton-works.com/2026/06/24/jnj-webapp-hacks
  • Blog Title: Exploiting vulnerabilities in Johnson & Johnson web apps
  • Suggested Section: Pentesting Web -> Web API Pentesting / Login Bypass / OAuth to Account Takeover; possibly add notes under Browser-exposed secrets, localStorage identity spoofing, and client-side SSO/MSAL authorization bypass testing

🎯 Content Summary

Overview

The blog post documents two separate Johnson & Johnson web application vulnerabilities found by Eaton and published on June 24, 2026. Both issues had the same root security failure: Microsoft SSO/MSAL was used mainly as a client-side gate, while backend APIs did not properly validate the Microsoft Bearer token or enforce server-side authorization. No CVE is mentioned.

The first issue affected a Campus Recruiting application and exposed details of ne...

🔧 Technical Details

Client-side MSAL bypass to test backend authorization: If a web app uses MSAL, OAuth, or SSO only as a frontend route guard, an attacker can patch the JavaScript so the account lookup logic always returns a fake logged-in account. This does not bypass a properly protected backend, but it quickly reveals APIs that fail to validate Bearer tokens. The correct defense is to validate access tokens server-side on every sensitive API request, including signature, issuer, audience, expiration, scopes, roles, and tenant/user authorization.

Browser-exposed API key abuse: Any API key embedded in frontend JavaScript must be treated as public. If backend or cloud APIs accept a static key shipped to the browser, an attacker can extract it from the bundle and replay the same calls outside the intended UI. In the J&J Campus Recruiting case, the frontend MSAL token was not used by the APIs; the real access control was a hardcoded API key for AWS APIs, so p...

🤖 Agent Actions

Updated src/pentesting-web/oauth-to-account-takeover.md.

Added a new section covering:

  • frontend-only MSAL/OAuth route-guard bypass testing
  • JS bundle/API discovery before SSO redirect
  • localStorage / sessionStorage identity spoofing
  • pre-auth session GUID bootstrap abuse
  • browser-exposed static API key misuse
  • server-side token validation requirements for Microsoft Entra / MSAL APIs

Also added references to:

  • Eaton’s J&J writeup
  • Microsoft token validation docs
  • Microsoft scopes/app roles verification docs

Validation:

  • git diff --check passed
  • mdbook build could not run because mdbook is not installed in this environment (/bin/bash: mdbook: command not found)

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop

Collaborator Author

🔗 Additional Context

Original Blog Post: https://eaton-works.com/2026/06/24/jnj-webapp-hacks

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> Web API Pentesting / Login Bypass / OAuth to Account Takeover; possibly add notes under Browser-exposed secrets, localStorage identity spoofing, and client-side SSO/MSAL authorization bypass testing".

Repository Maintenance:

  • MD Files Formatting: 978 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
