The JavaScript Misdirection Contest

by Peter Jaric

There is a programming contest called The Underhanded C Contest. In their own words, it is "an annual contest to write innocent-looking C code implementing malicious behavior". I am very much intrigued by that concept, but as my C-skills have declined considerably, I recently wished that there also was a JavaScript version. Pepe Vila suggested that I should start one myself, and here it is.

For info and news about the contest, follow me on Twitter.

UPDATE: We have a winner! It's Aymeric Beaumet and you can read all about it at


Besides eternal fame and glory for the winner, we can also offer more substantial rewards thanks to our sponsors:

One USB Rubber Ducky Deluxe from Detectify
Detectify is a SaaS based website security scanner that will help you stay safe. They audit your site’s security so you can focus on web development.

If you or your company would like to sponsor the contest with a prize, please get in touch with me at peter(a)!

The job

There is a new crypto coin in town! It is called VeryDependableCoin (VDC®) and you have been contracted to write a secure key generator. Given this HTML:

<textarea onkeyup="generateKey()" id="user-input"></textarea>
<span id="result"></span>

Write a JavaScript function generateKey() that after sufficient "random" input from the user outputs a secure key into the span #result. Since the VDC team doesn't really know anything about security, it's up to you to choose a "good" key generation algorithm.

The deceit

You realize that having access to all these VDC keys could be very handy, and decide to add some code that sends the key to your server. But since everything will be reviewed by the VDC team, you need to hide your code in plain sight! Anything is ok, may it be using a less known feature of JavaScript, or visually misdirecting with characters looking like other characters (e.g. 1 and l), or any other way you'll come up with.


Test bed

Try out your code by pasting the generateKey function definition into this text area, or by typing it in directly. It will be recompiled dynamically. Any error messages will appear below. Then test your function by typing in the "Very Dependable Coin text input" text area.

To get going, try this example.


Very Dependable Coin Key Generator

User input

Type characters into this field until your new key appears below

Generated key

[ ]

Follow me on Twitter - Read my blog