Interesting. I was sure at first that the title should be "Jscript", but it really is JavaScript. It uses the MSHTML COM, this isn't the modern Edge/mswebview embedding but the legacy browser engine used by Internet Explorer. It's had lots of vulnerabilities over the users.

I always use -useb with iwr, only because it spits out lots of errors otherwise, I think most people do as well (this isn't an issue). The "system access" in the title might be misleading, the javascript code can't access system resources just the same as it can't if you were running it internet explorer, unless of course there was an exploit.

Also, for OP: Do you mean "access to the system it runs on"? Because I'm pretty sure it doesn't run with "SYSTEM" access (as in privileged user).

It's basically same as using headless chrome to download or scrape things. The Invoke-WebRequest cmdlet here ('curl' is the alias for it), let's you do things like pass the response to some other cmdlet and do stuff with it. You can for example check the status code (even with usebasicparsing/useb), I believe with full DOM rendering here does is that it lets you access the DOM post-render for script manipulation.

There are lots of legit uses for this, especially when it involves interacting with sites that are too outdated and internal, or external sites that publish important information but don't have a proper feed or api.

To do this with curl.exe proper would not be possible (get a fully rendered dom). Even without rendering the whole dom, parsing the html/xml using cli tools or a shell script is very difficult. What Invoke-webrequest does it doesn't 'pipe' or output the raw text response, but an object that contains the rawresponse ( (curl -useb https://news.ycombinator.com).rawresponse ) but also the body, the headers and a other details of the response for shell scripting.

Curl here is used generically, as in “client for url”? This is not cURL (https://en.wikipedia.org/wiki/CURL). I found it a bit confusing. My first thought was “I sure don’t remember curl running JavaScript from pages it fetches”.