im too lazy to test so i need testers for new update --- badge and 1k mbux for each bug u find :marseycapy:

https://devrama.net/?s=

just go to https://devrama.net and make an account and test all functions of the site, and comment here if u find anything broken

the badge in question:

![](https://rdrama.net/i/badges/7.webp?b=6)

devrama features (not a bug):

  • everyone is janny

  • everyone has 1000000 coins and mbux

known bugs (specific to devrama, not worth fixing tbh):

  • The roulette board is missing completely

  • Casino leaderboards are blank and won’t change

merry christmas!

EDIT: apparently this needed to be said, if you find a security vulnerability, pls DM me, don't actually use it or comment about it in this thread

Similar bug but on drama chat, could be actual XSS vector but im too lazy to check

chat seems fine to me ?

Though it does let you do html elements, link attacks are maybe possible I guess

only specific html elements and attributes are allowed

<script> obv isnt

If href works you can pretend a link is going one place but send them another

it does not

Thinking about it more, if you have a redirect url or query parameter that redirects on the site without a whitelist you can use the src attribute of the image tag to similar effect

we don't have that lol

<a href={{{any rdrama path here}}}>www.bing.com{{{<}}}/a>

Does work for local link misdirection in the rdrama chat, are you sure there's no jwt/oauth/sso redirect url functionality? Im on my phone (vacation) so i cant check github

hence why @TwoLargeSnakesMating (rip) GREATLY reduced the scope :marseypedosnipe: of what's allowed to embed. the idea is that we'll allow media :marseyjourno: proxies (but ideally not) but not anything :marseycoleporter: that has an open redirect
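The two cases argued over above (a local href whose visible text reads like a different site, and an `<img src>` that points at a host with an open redirect) are exactly what an allowlist sanitizer on the server should catch. The following is an added example, not rdrama's own code: the tag/attribute allowlist, the `rdrama.net` media host and the heuristic for URL-looking link text are all assumptions.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy (not rdrama's real allowlist): a few formatting tags, href on <a>, src on <img>.
ALLOWED_TAGS = {"b", "i", "em", "strong", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src"}}
MEDIA_HOSTS = {"rdrama.net"}  # assumed image-proxy host allowlist
URL_LIKE = re.compile(r"^(https?://|www\.)|\.[a-z]{2,}(/|$)", re.I)  # text that reads like a URL

def safe_href(href):  # site-relative paths only; '//' and '/\' would be read by browsers as a host
    return re.fullmatch(r"/(?![/\\]).*", href) is not None

def safe_img_src(src):  # https and an allowlisted host; a redirect param on an allowed host still passes
    u = urlsplit(src)
    return u.scheme == "https" and u.hostname in MEDIA_HOSTS

class ChatSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self._links = [], [], []  # _links: [href, visible text] per open <a>
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text is kept, escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            if (tag == "a" and not safe_href(value)) or (tag == "img" and not safe_img_src(value)):
                self.findings.append(f"dropped {tag} {name}={value!r}")
                continue
            kept.append((name, value))
        if tag == "a": self._links.append([dict(kept).get("href"), ""])
        attr_s = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_s}>")
    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS or tag == "img":
            return
        if tag == "a" and self._links:
            href, text = self._links.pop()
            if href and URL_LIKE.search(text.strip()):  # visible URL, but href goes elsewhere on-site
                self.findings.append(f"misdirection: text {text.strip()!r} -> href {href!r}")
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if self._links: self._links[-1][1] += data
        self.out.append(html.escape(data))

def sanitize(raw):  # returns (clean_html, findings); non-empty findings => flag or reject the message
    p = ChatSanitizer()
    p.feed(raw); p.close()
    return "".join(p.out), p.findings
```

Note that the host allowlist only helps if the allowed host itself has no open redirect, which is the point made in the post above about which proxies to permit.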

Based and unhackable-pilled

I wouldn't allow any if I were you, always get broken imo

Yeah it stripped the tags, I wasn't exactly putting a lot of effort into blackbox testing from my phone

Similar but shadowban reason IS an XSS vector

@Jinglevann this counts as responsible disclosure right

lol not even close

u get nothing

lol

:#marseysmug3:

Wtf i followed all the rules you set

Im not gonna click that lmao

Most comment previews allow you to xss yourself, it's not really exploitable unless you manage to get it to execute after posting. Not sure if the jannies consider it a real vuln.

it isn't a vulnerability if you're only attacking yourself

you can also write :marseychudnotes: a file that is <html><body><script>alert('whatever');</script></body></html>, save it as xss.html and then :marseytransflag: open it to get the same effect

Most comment previews allow you to xss yourself, it's not really exploitable until it's exploitable
