https://devrama.net/?s=
just go to https://devrama.net and make an account and test all functions of the site, and comment here if u find anything broken
the badge in question:
devrama features (not a bug):
everyone is janny
everyone has 1000000 coins and mbux
known bugs (specific to devrama, not worth fixing tbh):
The roulette board is missing completely
Casino leaderboards are blank and won’t change
merry christmas!
Jump in the discussion.
No email address required.
Care to explain this codecels?
Jump in the discussion.
No email address required.
Similar bug but on drama chat, could be actual XSS vector but im too lazy to check
Jump in the discussion.
No email address required.
Most comment previews allow you to xss yourself, its not really exploitable unless you manage to get it to execute after posting. Not sure if the jannies consider it a real vuln.
Jump in the discussion.
No email address required.
Jump in the discussion.
No email address required.
More options
Context
it isn't a vulnerability if you're only attacking yourself
you can also write a file that is
<html><body><script>alert('whatever');</script></body></html>
, save it as xss.html and then open it to get the same effectJump in the discussion.
No email address required.
More options
Context
More options
Context
Similiar but shadowban reason IS an XSS vector
Jump in the discussion.
No email address required.
@Jinglevann this counts as responsible disclosure right
Jump in the discussion.
No email address required.
lol not even close
u get nothing
Jump in the discussion.
No email address required.
lol
Jump in the discussion.
No email address required.
More options
Context
Wtf i followed all the rules you set
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
https://devrama.net/log
Jump in the discussion.
No email address required.
Im not gonna click that lmao
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
chat seems fine to me ?
Jump in the discussion.
No email address required.
Though it does let you do html elements, link attacks are maybe possible I guess
Jump in the discussion.
No email address required.
only specific html elements and attributes are allowed
<script> obv isnt
Jump in the discussion.
No email address required.
If href works you can pretend a link is going one place but send them another
Jump in the discussion.
No email address required.
it does not
Jump in the discussion.
No email address required.
Thinking about it more, if you have a redirect url or query parameter that redirects on the site without a whitelist you can use the src attribute of the image tag to similiar effect
Jump in the discussion.
No email address required.
hence why @TwoLargeSnakesMating (rip) GREATLY reduced the scope of what's allowed to embed. the idea is that we'll allow media proxies (but ideally not) but not anything that has an open redirect
Jump in the discussion.
No email address required.
More options
Context
we don't have that lol
Jump in the discussion.
No email address required.
More options
Context
More options
Context
Based and unhackable-pilled
Jump in the discussion.
No email address required.
More options
Context
More options
Context
I wouldn't allow any if I were you, always get broken imo
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
More options
Context
Yeah it stripped the tags, I wasn't exactly putting a lot of effort into blackbox testing from my phone
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
More options
Context