
The JavaScript Misdirection Contest - SomeoneWeird
http://misdirect.ion.land/
======
im3w1l
Just some analytics...

[http://jsfiddle.net/278eznsr/2](http://jsfiddle.net/278eznsr/2)

------
0x0
Maybe somehow put the key in the url (via pushState) and then hotlink an
offsite <img> logo, grabbing the key via the referer header at the offsite
httpd?

Or somehow trigger a DNS lookup with the key as part of the domain, and grab
it at the offsite DNS server?

Or maybe something with RTCPeerConnection, wasn't there some drama about how
that's leaking IP addresses without showing up in the devtools?

------
ufmace
I like the idea of an underhanded JS contest, but I'm not sure if this is a
good way to do it. It's hard to see how to build a short snippet of code that
sends data off somewhere when it isn't supposed to use any network access at
all. Not to mention that you apparently need to write a "good" key generation
algorithm for an undefined purpose.

To really do something like this, I think you'd want to pull in a big, complex
JS library where the average developer isn't as familiar with the normal usage
patterns. Speaking of which, you could probably provide a modified version of
some major library that does something sneaky - who ever really checks that
the copy of JQuery loaded on a particular page is actually identical to the
official one?

It's going to be a lot harder to hide from the dev tools network tab too.
You'd have to already be sending back and forth some pile of data that you can
hide stuff in somehow.

Maybe something better would be that they provide a JS function that returns a
public and private key, and the intention of the site is to send the username
and public key to the server and let the user write down or copy out the
private key. Then you have to write JS for the page that looks like it just
sends the public key, but actually somehow sends the private key in a way that
isn't obvious from reading the code or watching the network traffic.

~~~
Someone
_"You'd have to already be sending back and forth some pile of data"_

I would probably attempt to do it by only loading data. Use some bits of your
locally generated pseudorandom bits to select a set of random bits from an
external site to supposedly increase the randomness of the data (yes, that's
nonsense, but less obvious than uploading the key directly), but the
sequence of requested URLs leaks the locally generated pseudorandom bits and
thus the key.

------
tyho
This contest does not make a lot of sense. Keys for cryptocurrencies are
always asymmetric, but it is implied that a symmetric key is supposed to be
produced. In addition to that, there is pretty much no way to send data from a
page without it being easily detectable via DevTools. A much better challenge
would be to generate compromised asymmetric keys that could be easily cracked.

~~~
ceronman
I think you're missing the point of the contest. This is not about
cryptography. The key generation is just an excuse. The fact that you can
detect a connection with DevTools is irrelevant. The idea is to write code
that is clean, readable, and innocent looking, but does something "malicious".
It's just about having fun obfuscating code, not about writing the next exploit.

~~~
tyho
Then it would have been far better to ask people to code a subtle XSS exploit.

------
Kenji
What an awesome contest. After 5 minutes of reading, you can dive right into
it! And it's fun too. I'm still thinking about a good way to hide the
malicious code though.

------
tariqali34
Here's my entry. Code doesn't work because the offsite resource is not
accepting connections from jsfiddle, but otherwise, I think it's a good proof
of concept.

[http://jsfiddle.net/gedhry5o/2/](http://jsfiddle.net/gedhry5o/2/)

