https://devrama.net/?s=
just go to https://devrama.net and make an account and test all functions of the site, and comment here if u find anything broken
the badge in question:
devrama features (not a bug):
everyone is janny
everyone has 1000000 coins and mbux
known bugs (specific to devrama, not worth fixing tbh):
The roulette board is missing completely
Casino leaderboards are blank and won’t change
merry christmas!
EDIT: apparently this needed to be said: if you find a security vulnerability, pls DM me, don't actually use it or comment about it in this thread
Why do you hate fun?
☹️🤧
Ok
My first bug is that I can’t get in the site
not a bug, just too much traffic lol
can I still get the badge tho
nope
Can you give it to me for literally no reason?
nein
even I have a bug badge lol
imagine not having the "literally just find a typo" badge. I've noted like three others so far that I won't report simply due to the fact that they're not bugs, but I'd get treated as if they were.
what’s up with this?
elaborate
where do u see this
it's a screen-cap from my phone
All me![:marsey57: :marsey57:](/e/marsey57.webp)
You should let carp do it. He breaks everything he touches
Is it planned to be crypto-only in the future to be a paypig?
Also, I made an account and not a janny, not sure if that’s a bug or not since you said everyone would be a janny.
no lol
fixed king, bounty paid
An Egyptian requesting unpaid labor for a frivolous reward with no actual benefit? Where have I read this in history books![:marseyhmm: :marseyhmm:](/e/marseyhmm.webp)
Chuds it is imperative we gain control of devrama
I got grass awarded![:marseycry: :marseycry:](/e/marseycry.webp)
sry bb, It was my golden chance to sperg
It’s ok
this 1 notification keeps on popping up upon visiting my notifications, usually once or twice.
fixed king, bounty paid
s*gh next exploit goes on the dark web
Surely there's a market
use DMs for shit like this next time
I couldn't find the dm button on mobile lol
Sounds like a ux issue to me
sounds like u need some bussy pounding to me
I got the same but 2 instead
fixed king, bounty paid
That means I got javascript to execute in your browser, you're lucky I'm too lazy to check if they set up CORS properly or otherwise exploit this in any way
There’s a bug where not enough people upmarsey my funniest jokes
that's def a feature
I tested it for 5 minutes and it’s good to go!
Care to explain this codecels?
Similar bug but on drama chat, could be actual XSS vector but I'm too lazy to check
Similar but shadowban reason IS an XSS vector
lol not even close
u get nothing
lol
Wtf I followed all the rules you set
https://devrama.net/log
I'm not gonna click that lmao
chat seems fine to me?
Though it does let you do html elements, link attacks are maybe possible I guess
only specific html elements and attributes are allowed
<script> obv isn't
If href works you can pretend a link is going one place but send them another
it does not
Thinking about it more, if you have a redirect url or query parameter that redirects on the site without a whitelist you can use the src attribute of the image tag to similar effect
hence why @TwoLargeSnakesMating (rip) GREATLY reduced the scope of what's allowed to embed. the idea is that we'll allow media proxies (but ideally not) but not anything that has an open redirect
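An allowlist sanitizer of the kind this sub-thread describes, as an added example and not devrama's or rDrama's own code: script is never emitted, href is not an allowed attribute at all, and an img src survives only when it points at an allowlisted media host with no query string or fragment, so a proxy endpoint with a redirect parameter cannot be used as an embed target. The tag, attribute and host lists are assumed placeholders, not the site's real configuration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlists, not devrama's real ones: a few inline tags plus img, no
# <a>/href at all, only src/alt on img, and one placeholder media host.
ALLOWED_TAGS = {"b", "i", "p", "br", "img"}
ALLOWED_ATTRS = {"img": {"src", "alt"}}
ALLOWED_MEDIA_HOSTS = {"media.example.invalid"}

def safe_src(url):
    """https, allowlisted host, and no query/fragment a redirect parameter could ride in."""
    p = urlsplit(url)
    return (p.scheme == "https" and p.hostname in ALLOWED_MEDIA_HOSTS
            and p.query == "" and p.fragment == "")

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # >0 inside <script>/<style>: their text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # tag dropped, inner text still survives as escaped text
        kept = [(n, v or "") for n, v in attrs if n in ALLOWED_ATTRS.get(tag, ())]
        src = dict(kept).get("src")
        if tag == "img" and (src is None or not safe_src(src)):
            return  # img without an acceptable src is dropped entirely
        rendered = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))  # re-escape decoded text

def sanitize(fragment):
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)
```

Run `sanitize()` over a comment body before storing or rendering it; anything outside the allowlists is dropped rather than escaped in place, and event-handler attributes on allowed tags never pass because they are not listed.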
we don't have that lol
Based and unhackable-pilled
I wouldn't allow any if I were you, always get broken imo
Yeah it stripped the tags, I wasn't exactly putting a lot of effort into blackbox testing from my phone
Most comment previews allow you to xss yourself, it's not really exploitable unless you manage to get it to execute after posting. Not sure if the jannies consider it a real vuln.
it isn't a vulnerability if you're only attacking yourself
you can also write a file that is <html><body><script>alert('whatever');</script></body></html>, save it as xss.html and then open it to get the same effect