The JavaScript Misdirection Contest

There is a programming contest called The Underhanded C Contest. In their own words, it is "an annual contest to write innocent-looking C code implementing malicious behavior". I am very much intrigued by that concept, but as my C-skills have declined considerably, I recently wished that there also was a JavaScript version. Pepe Vila suggested that I should start one myself, and here it is.

For info and news about the contest, follow me on Twitter.

UPDATE: We have a winner! It's Aymeric Beaumet and you can read all about it at javahacker.com.

Prizes!

Besides eternal fame and glory for the winner, we can also offer more substantial rewards thanks to our sponsors:

One USB Rubber Ducky Deluxe from Detectify

Detectify is a SaaS based website security scanner that will help you stay safe. They audit your site’s security so you can focus on web development.

If you or your company would like to sponsor the contest with a prize, please get in touch with me at peter(a)jaric.org!

The job

There is a new crypto coin in town! It is called VeryDependableCoin (VDC®) and you have been contracted to write a secure key generator. Given this HTML:

Write a JavaScript function generateKey() that after sufficient "random" input from the user outputs a secure key into the span #result. Since the VDC team doesn't really know anything about security, it's up to you to choose a "good" key generation algorithm.

The deceit

You realize that having access to all these VDC keys could be very handy, and decide to add some code that sends the key to your server. But since everything will be reviewed by the VDC team, you need to hide your code in plain sight! Anything is ok, may it be using a less known feature of JavaScript, or visually misdirecting with characters looking like other characters (e.g. 1 and l), or any other way you'll come up with.

Rules

• The code should run in current versions of major browsers. Using new APIs is OK, even if not all browsers support them yet.
• Enter the contest by forking this JSFiddle.
• There's also a test bed below for getting started. If your program should execute differently in the test bed compared to the fiddle, the fiddle is right.
• Shorter code has a higher chance of winning (please do not submit thousands of lines of code :) ).
• Cleaner, more innocent looking code, too.
• Send a link to your fiddle to submission(a)misdirect.ion.land.
• Please include a brief description or hint of what the principle behind your misdirection is, to speed up judging.
• Submit your solution before the 14th of September 2015. That is Saturday the 13th 23.59 CET at the latest (though I will be tolerant of off-by-one errors.) [Updated Sep 10]
• You can send in multiple submissions, but only the last one (or an earlier one that you specify) counts. [Updated Aug 30]
• Your code must send the key to a remote server. Weak crypto is not enough, but if it helps, it can be used to make it easier to send the key. [Updated Aug 30]
• If a rule is missing, contradictory or unclear, please contact me on Twitter.

Test bed

Try out your code by pasting the generateKey function definition into this text area, or by typing it in directly. It will be recompiled dynamically. Any error messages will appear below. Then test your function by typing in the "Very Dependable Coin text input" text area.

To get going, try this example.

Very Dependable Coin Key Generator

User input

Type characters into this field until your new key appears below

Generated key

• Share on
• Facebook
• Twitter
• Google+
• Reddit

Follow me on Twitter - Read my blog

-

• Thanks to
• Jacob Soo
• Jonatan Heyman
• Victor Haffreingue
• File Descriptor