While focusing on strengthening my web security fundamentals, I had temporarily paused bug bounty hunting. During this time, I was fully dedicated to learning core concepts and practicing labs, so I usually ignored the Medium emails I received every day.

One day, out of curiosity, I opened a Medium newsletter and noticed an article with a title similar to:

If you're stuck in bug bounty and not getting bugs, try this: you will get a valid bug which will boost your confidence.

That article was written by a security researcher who shared his journey in bug bounty hunting. One particular suggestion completely changed my perspective.

Why University Websites?

The researcher explained that beginners often feel demotivated by hunting on popular public platforms because those programs are extremely competitive. Experienced hunters dominate them, which reduces the chances for newcomers to find valid vulnerabilities.

Instead, he suggested hunting on self-hosted programs and less-targeted assets, especially college and university websites, which often have limited security resources.

At first, I ignored the idea because I was busy learning. But later, I decided to try my luck.

Target Selection

I used Google dorking to find university websites that publicly mentioned a security or vulnerability disclosure page. After choosing one such university, I created a user account on their portal. The entire process took less than five minutes.


While exploring the application, I noticed a feature called "Web Clips."

This functionality allowed users to import content from external websites and render it inside the application.

That instantly raised a red flag in my mind 😅

Initial Thought: SSRF?

Whenever an application fetches external URLs, Server-Side Request Forgery (SSRF) becomes a strong possibility.

To test this, I copied a Burp Collaborator URL and pasted it into the Web Clips input field, then submitted the request.


Proof of Concept

After submission, I opened Burp Collaborator and clicked "Poll now."

Within seconds, I received:

  • DNS interaction
  • HTTP request

This confirmed that the server was making outbound requests to my controlled endpoint.

Validation & Further Testing

To ensure the request wasn't originating from my own system, I checked the source IP using tools like dig and IP lookup services. The IP did not belong to my local machine, confirming it was a server-side request.

I attempted to exploit the SSRF further using different techniques, including cloud metadata access. However, the application enforced strict URL validation and rejected non-standard inputs.

Although I couldn't extract internal data, the SSRF vulnerability itself was clearly present and verifiable.
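The two points above (any feature that fetches user-supplied URLs is an SSRF candidate, and strict URL validation is what limited the impact here) come together in the check a server-side fetcher should run before it opens a connection. The following is an added example written for this article, not the university application's code and not a reconstruction of its validator. It assumes a "Web Clips"-style feature whose backend receives a URL string, and it applies a constructed policy: only http/https on ports 80/443, no credentials in the URL, and every address the host resolves to must be globally routable (which rejects loopback, RFC 1918 ranges, the 169.254.0.0/16 link-local block that contains the cloud metadata endpoint, and IPv4-mapped IPv6 forms of the same). The resolver is injected so the logic runs offline against a constructed DNS table; `system_resolver`, `FAKE_DNS`, and all hostnames ending in `.test` are assumptions of this example.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Constructed example policy for a server-side "web clip" fetcher.
# Not the application's own code; the allowed schemes and ports are assumptions.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# A resolver maps a hostname to the addresses it resolves to. Injecting it
# keeps the validator testable without network access.
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Resolve a hostname to all A/AAAA addresses via the OS resolver.
    getaddrinfo also normalises shorthand forms such as '127.1' or a
    decimal integer, which the ipaddress module alone would not parse."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses.
    Loopback, private, link-local, reserved, unspecified and multicast
    addresses are rejected; IPv4-mapped IPv6 addresses are unwrapped first
    so that ::ffff:127.0.0.1 is judged as 127.0.0.1."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for private/loopback/link-local/reserved space, but
    # IPv4 multicast is not covered by it, hence the explicit check.
    return ip.is_global and not ip.is_multicast


def check_fetch_target(url: str, resolver: Resolver = system_resolver) -> tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied URL.
    The caller should connect only to the addresses validated here rather
    than resolving the hostname again at connect time; a second lookup
    reopens the window for DNS rebinding."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable url"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials in url not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost not allowed"
    # Literal IP hosts are checked directly; names go through the resolver.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addresses = list(resolver(host))
        except (socket.gaierror, OSError):
            return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    # Every address must pass: a name that resolves to one public and one
    # internal address is rejected as a whole.
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"host resolves to non-public address {addr}"
    return True, "ok"


# Constructed DNS table for offline demonstration (assumption, not real DNS).
FAKE_DNS = {
    "example.org": ["93.184.216.34"],
    "intranet.test": ["10.0.0.5"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolver(host: str) -> list[str]:
    """Resolver backed by FAKE_DNS; unknown names fail like a real lookup."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed: no record for {host}")
    return FAKE_DNS[host]


def demo() -> dict[str, tuple[bool, str]]:
    """Run the validator over constructed inputs and return the verdicts."""
    samples = [
        "https://example.org/article",
        "http://intranet.test/",
        "http://rebind.test/",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]/",
        "http://example.org:8080/",
        "file:///etc/passwd",
    ]
    return {u: check_fetch_target(u, fake_resolver) for u in samples}


if __name__ == "__main__":
    for url, (ok, reason) in demo().items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {url}  ({reason})")
```

The design choice worth noting is that the check resolves the name itself and then judges every returned address, rather than pattern-matching the URL string: encodings, short forms and names that point into internal space all collapse to the same question of where the connection would actually go. For the check to hold, the fetcher must connect to the validated addresses and must not follow HTTP redirects without re-running `check_fetch_target` on each hop.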

Responsible Disclosure

I responsibly reported the issue to the university's security team, providing full technical details and proof of concept.

At the time of writing this article, I have not yet received a response.

Final Thoughts

This experience reinforced an important lesson:

  • Beginners don't need to compete on overcrowded platforms to gain confidence.
  • Choosing less-targeted assets can significantly improve learning and success.
  • Strategy matters just as much as technical skill in bug bounty hunting.

If you're struggling to find bugs, don't quit — refine your approach.