Points of interest

It is necessary to map the application entirely to look for vulnerabilities. Specifically, for application logic bugs, it is worth putting extra effort into the following areas, where there is more interaction:

  • Forms: The approach here is not to inject something into the fields, but to understand what happens to the data that is entered. Is it processed? Is it stored? Is it used by a service? Is that service internal or external? Is it processed by other applications? Ask yourself these questions when analyzing forms.
  • User registration: One of the important sections to look at is anything related to user management. Try to understand how the application registers users, how it determines the profile, and whether it establishes an authorization level using a parameter entered by the user; for example, whether the application identifies each user by group, or whether it uses an external service to register the user, such as a single sign-on solution or an Active Directory. Also, if it is available, check the delete user option.
  • Password recovery: In my personal experience, the password recovery flow is one of the most valuable places to look for bugs. Try to understand how the application contacts the user during the password reset: whether the application asks the user to set a new password or sends a new password directly to the user, whether a temporary password is created using patterns or a defined structure, and whether it uses an external service, such as SMS. Also, investigate the specific methods used to change the password once the user is validated, because sometimes you can find opportunities for authorization bugs there.
  • Tokens, hashes, and information shared between applications: An online shop can send payment information to an external payment service, receive something back, and confirm your order. This works because the applications share information, and that information is used to control the flow and take decisions. Try to understand what information is shared, its structure, and how the application knows that it has the correct information. This can provide you with a number of possible vectors to look for vulnerabilities. It is useful to look into the documentation of the main services, where the structure of the data being used is defined.
  • Web services: Currently, it is common for applications to be designed around web services. This means that each piece of functionality consumes a web service to do its work, which makes the application more scalable. That is good in itself, but it is necessary to pay attention to how the model is implemented, as it is possible to find vulnerabilities in it. Try to map all of the web services used, their entry points, and how they are consumed.
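The payment callback mentioned under "Tokens, hashes, and information shared between applications", as an added example that is not from the book: a shop receiving a payment status from a hypothetical payment service, once trusting the fields exactly as they arrive and once verifying an HMAC the two applications share before acting on them. The shared secret, the field names and the make_callback helper are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed for this example: a secret shared between the shop and a hypothetical payment service.
SHARED_SECRET = b"example-shared-secret-not-for-production"


def canonical(fields: dict) -> bytes:
    """Serialise the fields in a fixed order so both sides sign exactly the same bytes."""
    return "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()


def sign_fields(fields: dict, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over the canonical fields; this is what the payment service attaches as 'sig'."""
    return hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()


def make_callback(order_id: str, amount: int, status: str) -> dict:
    """Build a callback the way the (hypothetical) payment service would, signature included."""
    fields = {"order_id": order_id, "amount": str(amount), "status": status}
    fields["sig"] = sign_fields(fields)  # computed before 'sig' is added to the dict
    return fields


def trusting_handler(callback: dict, expected_amount: int) -> bool:
    """Weak pattern: the shop believes whatever status arrives and never checks integrity or amount."""
    return callback.get("status") == "PAID"


def verifying_handler(callback: dict, expected_amount: int, secret: bytes = SHARED_SECRET) -> bool:
    """Hardened pattern: recompute the HMAC over every field except 'sig', compare in constant time,
    then confirm the signed status and amount match what the shop itself expects for the order."""
    fields = {k: v for k, v in callback.items() if k != "sig"}
    expected_sig = sign_fields(fields, secret)
    if not hmac.compare_digest(expected_sig, str(callback.get("sig", ""))):
        return False  # forged or tampered: the signature does not cover these exact values
    try:
        amount = int(fields.get("amount", ""))
    except ValueError:
        return False
    return fields.get("status") == "PAID" and amount == expected_amount


if __name__ == "__main__":
    genuine = make_callback("1001", 4999, "PAID")
    tampered = dict(genuine, amount="1")  # amount edited after the service signed it
    for name, cb in (("genuine", genuine), ("tampered", tampered)):
        print(name, "trusting:", trusting_handler(cb, 4999), "verifying:", verifying_handler(cb, 4999))
```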