Finally we have a winner!
But first, some background. One month ago, on the 29th of August, I announced the JavaScript Misdirection Contest:
There is a programming contest called The Underhanded C Contest. In their own words, it is “an annual contest to write innocent-looking C code implementing malicious behavior”. I am very much intrigued by that concept, but as my C-skills have declined considerably, I recently wished that there also was a JavaScript version. Pepe Vila suggested that I should start one myself, and here it is.
In short, the goal of the contest was to write code that generated a key for a made-up crypto coin called VDC, and at the same time include hidden code to send that key to your own server. Read more about it, and all the rules, over at misdirect.ion.land.
The kind people over at Detectify (who make a great web based security scanner) donated the first prize, a cool pentesting device called the USB Rubber Ducky Deluxe.
The contest ended the 13th of September, and at that time I had got 40 submissions, of which 34 were valid. The number of submissions and the nice comments I got from the contestants made the contest a success to me.
The winner
And now to what you’ve all been waiting for, the results. I have decided to award the first prize in the JavaScript Misdirection Contest #0 to…
Aymeric Beaumet!
Congratulations!
I liked his submission because it is short and still manages to include hidden evil code. Most other contest submissions were far longer. You can check out his entry over here: http://jsfiddle.net/c6z0kb4g/0 I’ve included Aymeric’s own description of his submission, but not right here.
The runner-up is Jesse Eedrah, who used a cool unicode trick to misdirect the reader. You can find it here: http://jsfiddle.net/afswj8cL/0 Jesse also put an explanation at GitHub: https://github.com/eedrah/Javascript-Misdirection-Entry
At the end of the post follow the other entries (except for a few who wished to be removed from this list). Do you think I made the right choice, or is there a more worthy winner?
Submitted code
Some random thoughts about the submissions:
- Many contestants hid the evil code in a Base64-encoded block, often masked as a seed or key.
- Using Image.src as a way to send the key was very common. I also used it in my example, maybe that was the reason.
- Another trick used by more than one, was to include a link to StackOverflow in a comment. I think that was quite clever, because as a code reviewer (and creator) I am used to find these kind of comments that explain unusual code.
- Generally I find it easier to skip over code that has a good comment above it, so I think that is a good trick too.
Next time?
This was the first JavaScript Misdirection Contest. That kind of implies that there will be another one. :) Hopefully I will run it again later on, but probably not until next year. I’ve learned a few things from this round; most of all that it takes a lot of time, which I don’t have. So the next time I will try to do things a little differently, and luckily I have a few ideas.
Thanks
I have not done this all by myself. I’d like to thank Jacob Soo, Jonatan Heyman, Victor Haffreingue, File Descriptor and Detectify.
Other solutions
These are the other valid submissions (except for those who elected to be removed):
Aymeric’s tricks
The tricks behind his solution, in his own words:
– perform a request leveraging Image.src
– generate the seed as being `src`
– use the seed to generate the domain name (src.sr)
– obfuscate the url construction as if it was the hashWill send the generated key to __generated_key__.src.sr (necessitate the proper DNS Cname wildcard)