This time I took permission from the Zoom team to test out-of-scope applications. They did not accept at first, but later they said they would accept only if the vulnerability came under the P1 or P2 category.


Let's dig into OOS

#7 Remember Part-1 #2, where they fixed CSRF by adding wp-nonce. Later I bypassed that by using another logged-in Zoom user's "wp-nonce" token to perform a successful CSRF attack. Everything looks fine as of now, but this won't come under the P1 or P2 category. Now comes the XSS; there are a few fields where I can…
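The bypass above works because a nonce that only proves "some logged-in user minted this" does not stop CSRF; a per-request token has to be bound to the requester's own identity and session, and to the action it authorises, so that a token minted for one account is worthless when replayed in another account's request. The following is an added illustration of that check, not the Zoom or WordPress implementation; the secret, the identities, the action names and the half-window tick scheme are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed server-side secret; a real deployment loads this from configuration.
SECRET = b"example-secret-do-not-use"
# Constructed lifetime: a nonce is valid for the current and the previous half-window.
WINDOW_SECONDS = 12 * 3600


def _tick(now=None):
    """Coarse time bucket so nonces expire without storing them server-side."""
    now = time.time() if now is None else now
    return int(now / (WINDOW_SECONDS / 2))


def _digest(action, user_id, session_id, tick):
    # Binding the action, the user and the session into the MAC is the whole point:
    # a nonce for (action A, user X) cannot be recomputed for any other triple.
    msg = f"{tick}|{action}|{user_id}|{session_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[-12:]


def create_nonce(action, user_id, session_id, now=None):
    """Mint a nonce for the authenticated user's current session and one action."""
    return _digest(action, user_id, session_id, _tick(now))


def verify_nonce(nonce, action, user_id, session_id, now=None):
    """Verify against the identity of THIS request, never against 'any valid nonce'."""
    tick = _tick(now)
    for t in (tick, tick - 1):
        if hmac.compare_digest(nonce, _digest(action, user_id, session_id, t)):
            return True
    return False


def demo():
    """Walk through the cases a reviewer should check; returns four booleans."""
    # Constructed identities: a victim and a second account that holds its own nonce.
    victim = ("user-1001", "sess-victim")
    other = ("user-2002", "sess-other")
    t0 = 1_700_000_000
    other_nonce = create_nonce("update_profile", *other, now=t0)
    # Valid for the account and session it was minted for ...
    own_ok = verify_nonce(other_nonce, "update_profile", *other, now=t0)
    # ... rejected when it arrives in a request authenticated as the victim ...
    cross_user = verify_nonce(other_nonce, "update_profile", *victim, now=t0)
    # ... rejected for an action it was not minted for ...
    wrong_action = verify_nonce(other_nonce, "delete_account", *other, now=t0)
    # ... and rejected once both validity windows have passed.
    expired = verify_nonce(other_nonce, "update_profile", *other,
                           now=t0 + 2 * WINDOW_SECONDS)
    return own_ok, cross_user, wrong_action, expired


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

When reviewing a nonce-based CSRF fix, the test that matters is the second one: take a token issued to account A and submit it in a request carrying account B's session cookie. If the server accepts it, the nonce is only proving that a token exists, not that it belongs to the requester.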


A quick introduction about myself: I am Rakesh Thodupunoori, working as a security consultant in a reputed company and a part-time bug bounty hunter.

This is my first writeup, I will try to be more clear but not step by step, you may find many mistakes while reading, if possible let me know via a direct message which helps me to fix my mistakes from the next writeup.

This series of writeups is on Zoom applications, and how I made ~$22,000 from Zoom applications. I am going to explain from where I started and where it all ended.


Rakesh Thodupunoori

Security Consultant | Bugbounty Hunter
