Hi, well I would say test the session variables (like tokens) they are using, for example the lifespan, the information that is send on them and the format (if you could predict them)
Also if you see requests with ids try to make them vary, maybe that way you could get some sensible information.
Look at the headers of the applications (actually there is a topic about that on Secure headers for REST).
Look the certificates and protocols of the pages
On files terms check the extentions, the content and the file size, most of the time people check the extention and the file size but forget the content.
There is a similar post on Tips for searching vulnerabilities, you can find other alternatives there.