Leave Burp on and browse the app
inurl
parameters and file extensions
<meta name="referer" content="never">
https://attacker.com/test?target.com
or https://target.attacker.com/
ID/UUID leaks
Bruteforcing
Change HTTP methods (e.g. from POST for deletion to DELETE, from POST to GET, etc.)
Add/Change the requested filetype