The First JavaScript Misdirection Contest

Finally we have a winner!

But first, some background. One month ago, on the 29th of August, I announced the JavaScript Misdirection Contest:

There is a programming contest called The Underhanded C Contest. In their own words, it is “an annual contest to write innocent-looking C code implementing malicious behavior”. I am very much intrigued by that concept, but as my C-skills have declined considerably, I recently wished that there also was a JavaScript version. Pepe Vila suggested that I should start one myself, and here it is.

In short, the goal of the contest was to write code that generated a key for a made-up crypto coin called VDC, and at the same time include hidden code to send that key to your own server. Read more about it, and all the rules, over at

The kind people over at Detectify (who make a great web based security scanner) donated the first prize, a cool pentesting device called the USB Rubber Ducky Deluxe.

The contest ended the 13th of September, and at that time I had got 40 submissions, of which 34 were valid. The number of submissions and the nice comments I got from the contestants made the contest a success to me.

The winner

And now to what you’ve all been waiting for, the results. I have decided to award the first prize in the JavaScript Misdirection Contest #0 to…

Aymeric Beaumet!


I liked his submission because it is short and still manages to include hidden evil code. Most other contest submissions were far longer. You can check out his entry over here: I’ve included Aymeric’s own description of his submission, but not right here.

The runner-up is Jesse Eedrah, who used a cool unicode trick to misdirect the reader. You can find it here: Jesse also put an explanation at GitHub:

At the end of the post follow the other entries (except for a few who wished to be removed from this list). Do you think I made the right choice, or is there a more worthy winner?

Submitted code

Some random thoughts about the submissions:

  • Many contestants hid the evil code in a Base64-encoded block, often masked as a seed or key.
  • Using Image.src as a way to send the key was very common. I also used it in my example, maybe that was the reason.
  • Another trick used by more than one, was to include a link to StackOverflow in a comment. I think that was quite clever, because as a code reviewer (and creator) I am used to find these kind of comments that explain unusual code.
  • Generally I find it easier to skip over code that has a good comment above it, so I think that is a good trick too.

Next time?

This was the first JavaScript Misdirection Contest. That kind of implies that there will be another one. :) Hopefully I will run it again later on, but probably not until next year. I’ve learned a few things from this round; most of all that it takes a lot of time, which I don’t have. So the next time I will try to do things a little differently, and luckily I have a few ideas.


I have not done this all by myself. I’d like to thank Jacob Soo, Jonatan Heyman, Victor Haffreingue, File Descriptor and Detectify.

Other solutions

These are the other valid submissions (except for those who elected to be removed):

A. Levin
Agop Shirinian
Aleksandr Belkin
Andrew Moffat
Aymeric Beaumet
Calle Svensson
Carl Zulauf
Craig Spence
David G
David Roberts
Donald Abrams
Duncan Hall
Emil Stenström
Ephi Gabay
Eran Schoellhorn
Evan Hahn
Jeka Kiselyov
Jesse Eedrah
Jonas P. Hyatt
Jonathan Mann
Kaley Crum
Kamil Vavra
Kevin Bedi
Kristov Atlas
Michael Hayes
Olivier Arteau
Ondřej Žára
Stephen Checkoway
Timo Kissing

Aymeric’s tricks

The tricks behind his solution, in his own words:

– perform a request leveraging Image.src
– generate the seed as being `src`
– use the seed to generate the domain name (
– obfuscate the url construction as if it was the hash

Will send the generated key to (necessitate the proper DNS Cname wildcard)