Last Updated: February 25, 2016 · blockjon

How I harmlessly pwn'ed a competitor with JavaScript

Early in my career, I was looking through our Apache logs when I noticed something I never thought I'd see: HTTP GET requests for the .js file I wrote to power our company's amortization calculator... but with an HTTP Referer of our competitor's website domain.

I confirmed that yes, they were script src’ing to our js file.

That evening, we decided to launch a new version of our calculator using a new JavaScript file. I wondered what we should do with that old JavaScript file, which we were not using anymore. hm…… :)

Starting that evening, requests for our old .js file caused an alert box to appear which said "You are now being redirected to our new site and calculator", and it redirected to our site.

I wish I could have been a fly on the wall at our competitor’s site to see the bewildered look on their faces. I almost feel bad for what must have been the junior developer who included our file.
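To make the log check described above repeatable, here is an added Python example (not code from the original post) that scans Apache combined-format log lines for .js files served with a Referer from a host other than our own, which is exactly the signal that exposed the hot-linking. The log lines and hostnames are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def referer_host(referer):
    """Lowercase host of a Referer URL, or None when the header was absent ("-") or unparseable."""
    if not referer or referer == "-":
        return None
    return (urlsplit(referer).hostname or "").lower() or None

def find_hotlinked_scripts(log_lines, our_hosts):
    """Count successful requests for .js assets whose Referer host is not one of ours.

    Returns a Counter keyed by (referer_host, script_path); query strings are ignored."""
    our_hosts = {h.lower() for h in our_hosts}
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if not path.endswith(".js") or m.group("status") != "200":
            continue
        host = referer_host(m.group("referer"))
        if host is None or host in our_hosts:
            continue  # direct/CLI fetch with no Referer, or one of our own pages
        hits[(host, path)] += 1
    return hits

# Constructed sample log lines (not real traffic); example.com plays "us", competitor.example.net plays "them"
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Feb/2016:10:01:02 +0000] "GET /js/calculator.js HTTP/1.1" 200 4321 "http://www.example.com/loans" "Mozilla/5.0"',
    '203.0.113.6 - - [25/Feb/2016:10:01:03 +0000] "GET /js/calculator.js HTTP/1.1" 200 4321 "http://competitor.example.net/calc" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Feb/2016:10:01:04 +0000] "GET /js/calculator.js?v=2 HTTP/1.1" 200 4321 "https://Competitor.example.net/calc" "Mozilla/5.0"',
    '203.0.113.8 - - [25/Feb/2016:10:01:05 +0000] "GET /js/calculator.js HTTP/1.1" 200 4321 "-" "curl/7.47"',
    '203.0.113.9 - - [25/Feb/2016:10:01:06 +0000] "GET /index.html HTTP/1.1" 200 999 "http://competitor.example.net/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (host, path), n in find_hotlinked_scripts(SAMPLE_LOG, {"www.example.com", "example.com"}).most_common():
        print(f"{n:4d}  {host}  ->  {path}")
```

Run it against a real access log with `find_hotlinked_scripts(open("access.log"), {"www.yourdomain.example"})`; any host that shows up repeatedly is embedding your script directly.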


10 Responses


Beautiful :) Love it when that happens. Must be a pretty lame competitor if the only way they can compete is by essentially stealing what you've done! One word to them - KARMA!! :) Peace.

over 1 year ago ·

This case highlights it being wise to poke around your Apache logs regularly, rather than strictly relying on Google Analytics.

over 1 year ago ·
ika

Well played!

over 1 year ago ·

I did something very similar once. I developed a JavaScript "API" for a client, who then refused to pay up, saying that the project had been canned. I later realized that he was still using my API, so I just put in some code which freezes up the browser. The client had to explain to all his clients why their dashboards stopped working and hung their browsers (it was a B2B business).

A few hours later, I got a very angry call from him. I told him I was just doing some tests of JavaScript attacks, and I was not expecting him to still be using my API after he decided that he didn't need it. He didn't say a word and hung up the call.

over 1 year ago ·

Blood on the wall in the "IT apartment"

over 1 year ago ·

Damn, that was awesome. Hi-five over wi-fi!

over 1 year ago ·

awesome !!!

over 1 year ago ·

One day Google will do this with their JavaScript CDN. The whole internet will get redirected to Google Plus.

over 1 year ago ·


@hostonnet: That's not in their interest: web developers would stop using the CDN and they would not be able to track users anymore.

over 1 year ago ·