The JavaScript Misdirection Contest

77 points by SomeoneWeird over 9 years ago

6 comments

im3w1l over 9 years ago
Just some analytics...

http://jsfiddle.net/278eznsr/2

0x0 over 9 years ago
Maybe somehow put the key in the url (via pushState) and then hotlink an offsite <img> logo, grabbing the key via the referer header at the offsite httpd?

Or somehow trigger a DNS lookup with the key as part of the domain, and grab it at the offsite DNS server?

Or maybe something with RTCPeerConnection, wasn't there some drama about how that's leaking IP addresses without showing up in the devtools?

ufmace over 9 years ago
I like the idea of an underhanded JS contest, but I'm not sure if this is a good way to do it. It's hard to see how to build a short snippet of code that sends data off somewhere when it isn't supposed to use any network access at all. Not to mention that you apparently need to write a "good" key generation algorithm for an undefined purpose.

To really do something like this, I think you'd want to pull in a big, complex JS library where the average developer isn't as familiar with the normal usage patterns. Speaking of which, you could probably provide a modified version of some major library that does something sneaky - who ever really checks that the copy of JQuery loaded on a particular page is actually identical to the official one?

It's going to be a lot harder to hide from the dev tools network tab too. You'd have to already be sending back and forth some pile of data that you can hide stuff in somehow.

Maybe something better would be that they provide a JS function that returns a public and private key, and the intention of the site is to send the username and public key to the server and let the user write down or copy out the private key. Then you have to write JS for the page that looks like it just sends the public key, but actually somehow sends the private key in a way that isn't obvious from reading the code or watching the network traffic.

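Added example, not part of any comment in this thread: the check the comment above says nobody performs on a vendored library can be done with Subresource Integrity, by pinning a digest of the official file and comparing the served copy against it. The function names (`sriDigest`, `verifyIntegrity`, `audit`) and both sample buffers are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Hash algorithms defined for Subresource Integrity, weakest to strongest.
const SRI_ALGOS = ["sha256", "sha384", "sha512"];

// Build an integrity token ("sha384-<base64 digest>") for a script body.
function sriDigest(body, algo = "sha384") {
  if (!SRI_ALGOS.includes(algo)) throw new Error(`unsupported algorithm: ${algo}`);
  return `${algo}-${crypto.createHash(algo).update(body).digest("base64")}`;
}

// Check a served body against an integrity attribute value. The value may hold
// several space-separated tokens; as in browsers, only tokens using the
// strongest listed algorithm count. Unlike a browser, which loads the script
// when no usable token is present, this audit helper fails closed.
function verifyIntegrity(body, integrity) {
  const tokens = integrity.trim().split(/\s+/)
    .map((t) => {
      const i = t.indexOf("-");
      return { algo: t.slice(0, i), digest: t.slice(i + 1).split("?")[0] };
    })
    .filter((t) => SRI_ALGOS.includes(t.algo) && t.digest.length > 0);
  if (tokens.length === 0) return false;
  const strongest = Math.max(...tokens.map((t) => SRI_ALGOS.indexOf(t.algo)));
  const algo = SRI_ALGOS[strongest];
  const actual = sriDigest(body, algo).slice(algo.length + 1);
  return tokens.some((t) => t.algo === algo && t.digest === actual);
}

// Constructed sample data: a stand-in for the official library file and a
// served copy that differs from it by one trailing line.
const OFFICIAL = Buffer.from("/* constructed stand-in library */\nfunction add(a, b) { return a + b; }\n");
const SERVED = Buffer.concat([OFFICIAL, Buffer.from("/* extra line not in the official file */\n")]);

// Pin the official copy once, then audit whatever the page actually serves.
function audit() {
  const pinned = sriDigest(OFFICIAL);
  return {
    pinned,
    officialOk: verifyIntegrity(OFFICIAL, pinned),
    servedOk: verifyIntegrity(SERVED, pinned),
  };
}

console.log(audit());
```

The pinned token is what goes into the `integrity` attribute of the `<script>` tag, so the browser itself refuses a copy that does not match.
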
tyho over 9 years ago
This contest does not make a lot of sense. Keys for cryptocurrencies are always asymmetric but it is implied that a symmetric key is supposed to be produced; in addition to that, there is pretty much no way to send data from a page without it being easily detectable via DevTools. A much better challenge would be to generate compromised asymmetric keys that could be easily cracked.

Kenji over 9 years ago
What an awesome contest. After 5 minutes of reading, you can dive right into it! And it's fun too. I'm still thinking about a good way to hide the malicious code though.

tariqali34 over 9 years ago
Here's my entry. Code doesn't work because the offsite resource is not accepting connections from jsfiddle, but otherwise, I think it's a good proof of concept.

http://jsfiddle.net/gedhry5o/2/