emoji-award-marseywholesome
Unable to load image
/h/meta Emoji Award given by @HomosexuaI: "marseywholesome" House Furry
@Aevann's profile picture @Aevann's hat
Aevann capy/bara world's largest rodent  1yr ago (devrama.net) Edited 1yr ago 1,196 thread views #134631
Reported by:

im too lazy to test so i need testers for new update --- badge and 1k mbux for each bug u find :marseycapy:

https://devrama.net/?s=

just go to https://devrama.net and make an account and test all functions of the site, and comment here if u find anything broken

the badge in question:

![](https://rdrama.net/i/badges/7.webp?b=6)

devrama features (not a bug):

  • everyone is janny

  • everyone has 1000000 coins and mbux

known bugs (specific to devrama, not worth fixing tbh):

  • The roulette board is missing completely

  • Casino leaderboards are blank and won’t change

merry christmas!

EDIT: apparently this needed be said, if you find a security vulnerability, pls DM me, don't actually use it or comment about it in this thread

125
New Old Top Bottom Controversial Random
Jump in the discussion.

No email address required.

EDIT: apparently this needed be said, if you find a security vulnerability, pls DM me, don't actually use it or comment about it in this thread

Jump in the discussion.

No email address required.

:#marseytroublemaker:

Jump in the discussion.

No email address required.

:marseyxd:

Jump in the discussion.

No email address required.

Why do you hate fun?

:#marseydisagree:

Jump in the discussion.

No email address required.

☹️🤧

Jump in the discussion.

No email address required.

Ok

My first bug is that I can’t get in the site

![](/images/16721084164736087.webp)

Jump in the discussion.

No email address required.

not a bug, just too much traffic lol

Jump in the discussion.

No email address required.

can I still get the badge tho

Jump in the discussion.

No email address required.

nope

Jump in the discussion.

No email address required.

Can you give it to me for literally no reason?

Jump in the discussion.

No email address required.

nein

Jump in the discussion.

No email address required.

:marseysulk:

Jump in the discussion.

No email address required.

even I have a bug badge lol

Jump in the discussion.

No email address required.

imagine not having the "literally just find a typo" badge. I've noted like three others so far that I won't report simply due to the fact that they're not bugs, but I'd get treated as if they were.

Give me your money and I'll annoy people with it :space: https://i.rdrama.net/images/16965516366194396.webp

Jump in the discussion.

No email address required.

what’s up with this?

![](/images/16721118294775498.webp)

Jump in the discussion.

No email address required.

elaborate

where do u see this

Jump in the discussion.

No email address required.

it's a screen-cap from my phone

Jump in the discussion.

No email address required.

All me :marsey57:

![](/images/16721155178704598.webp)

Jump in the discussion.

No email address required.

You should let carp do it. He breaks everything he touches

Jump in the discussion.

No email address required.

:#marseycarpjannie2:

Jump in the discussion.

No email address required.

Is it planned to be crypto-only in the future to be a paypig?

![](/images/16721085616041358.webp)

Also, I made an account and not a janny, not sure if that’s a bug or not since you said everyone would be a janny.

Jump in the discussion.

No email address required.

Is it planned to be crypto-only in the future to be a paypig?

no lol

Also, I made an account and not a janny, not sure if that’s a bug or not since you said everyone would be a janny.

fixed king, bounty paid

Jump in the discussion.

No email address required.

:#chadthanksqueencapy:

Jump in the discussion.

No email address required.

An Egyptian requesting unpaid labor for a frivolous reward with no actual benefit? Where have I read this in history books :marseyhmm:

Jump in the discussion.

No email address required.

Chuds it is imperative we gain control of devrama

![](/images/16721089490362413.webp)

Jump in the discussion.

No email address required.

I got grass awarded :marseycry:

Jump in the discussion.

No email address required.

sry bb, It was my golden chance to sperg

Jump in the discussion.

No email address required.

It’s ok

![](/images/16721100546646857.webp)

Jump in the discussion.

No email address required.

this 1 notification keeps on popping up upon visiting my notifications, usually once or twice.

![](/images/16721144264201138.webp)

Jump in the discussion.

No email address required.

fixed king, bounty paid

Jump in the discussion.

No email address required.

s*gh next exploit goes on the dark web

Surely there's a market

Jump in the discussion.

No email address required.

use DMs for shit like this next time

Jump in the discussion.

No email address required.

I couldn't find the dm button on mobile lol

Jump in the discussion.

No email address required.

![](/images/1672117974649164.webp)

Jump in the discussion.

No email address required.

Sounds like a ux issue to me

Jump in the discussion.

No email address required.

sounds like u need some bussy pounding to me

:hump:

Jump in the discussion.

No email address required.

I got the same but 2 instead

Jump in the discussion.

No email address required.

fixed king, bounty paid

Jump in the discussion.

No email address required.

That means I got javascript to execute in your browser, you're lucky I'm too lazy to check if they setup CORS properly or otherwise exploit this in any way

Jump in the discussion.

No email address required.

There’s a bug where not enough people upmarsey my funniest jokes

Jump in the discussion.

No email address required.

that's def a feature

Jump in the discussion.

No email address required.

I tested it for 5 minutes and it’s good to go!

:#chadfixedkingcapy:

![](https://files.catbox.moe/y2zrro.png)

Jump in the discussion.

No email address required.

Care to explain this codecels?

![](/images/16721133012454925.webp)

Jump in the discussion.

No email address required.

Similar bug but on drama chat, could be actual XSS vector but im too lazy to check

Jump in the discussion.

No email address required.

Similiar but shadowban reason IS an XSS vector

Jump in the discussion.

No email address required.

@Jinglevann this counts as responsible disclosure right

Jump in the discussion.

No email address required.

lol not even close

u get nothing

Jump in the discussion.

No email address required.

lol

:#marseysmug3:

Jump in the discussion.

No email address required.

Wtf i followed all the rules you set

Jump in the discussion.

No email address required.

https://devrama.net/log

Jump in the discussion.

No email address required.

Im not gonna click that lmao

Jump in the discussion.

No email address required.

Similar bug but on drama chat, could be actual XSS vector but im too lazy to check

chat seems fine to me ?

Jump in the discussion.

No email address required.

Though it does let you do html elements, link attacks are maybe possible I guess

Jump in the discussion.

No email address required.

only specific html elements and attributes are allowed

<script> obv isnt

Jump in the discussion.

No email address required.

If href works you can pretend a link is going one place but send them another

Jump in the discussion.

No email address required.

it does not

Jump in the discussion.

No email address required.

Thinking about it more, if you have a redirect url or query parameter that redirects on the site without a whitelist you can use the src attribute of the image tag to similiar effect

Jump in the discussion.

No email address required.

hence why @TwoLargeSnakesMating (rip) GREATLY reduced the scope :marseypedosnipe: of what's allowed to embed. the idea is that we'll allow media :marseyjourno: proxies (but ideally not) but not anything :marseycoleporter: that has an open redirect

Jump in the discussion.

No email address required.

we don't have that lol

Jump in the discussion.

No email address required.

More comments

Based and unhackable-pilled

Jump in the discussion.

No email address required.

I wouldn't allow any if I were you, always get broken imo

Jump in the discussion.

No email address required.

Yeah it stripped the tags, I wasn't exactly putting a lot of effort into blackbox testing from my phone

Jump in the discussion.

No email address required.

Most comment previews allow you to xss yourself, its not really exploitable unless you manage to get it to execute after posting. Not sure if the jannies consider it a real vuln.

Jump in the discussion.

No email address required.

it isn't a vulnerability if you're only attacking yourself

you can also write :marseychudnotes: a file that is <html><body><script>alert('whatever');</script></body></html>, save it as xss.html and then :marseytransflag: open it to get the same effect

Jump in the discussion.

No email address required.

Most comment previews allow you to xss yourself, its not really exploitable until its exploitable

Jump in the discussion.

No email address required.


Link copied to clipboard
Action successful!
Error, please refresh the page and try again.