This is different from most of the other vulnerabilities as it exploits some flaws in the logic of the application or some of the technologies it is built upon. Tips: be on the lookout for new functionality and consider company's entire infrastructure (Yahoo's 260,000 public IPs, one of them disclosing
phpinfo()). This is where you really need to understand the system (Rails allowing multiple assignment/querying of parameters without permission checking.
Amozon S3 buckets seem to be a common vulnerable spot since the configuration can be tricky. Anyone can find your buckets using Amazon tools and possibly a few simple scripts (examples are Shopify or HackeOne not adding permission checking to their buckets).