Follow every link you find and examine what they return. View source. View output from curl. Follow everything and play. The initial foothold is the easy bit; it just requires ferocious curiosity about where things go and what they do.

Then again, you could argue the whole of NetSec requires this, so I’m not really saying anything new.