If it's a question of where I would start, in the first hour:
Once I get a good baseline of their public API, I try to imagine the type of development team that built the site:
After that, I know where to go next. For example, if I see sloppy session management, can trigger 500 errors, and I think they're a junior team, I'll start looking for errors related to manipulating session data.
If I've got nothing after an hour, I usually give up. Usually, however, there's some thread to pull.
If you have the opportunity to set up an app-level account, there's still a non-trivial number of sites that you can get a basic idea of the implementation-language by the characters you're not allowed to use in passwords. Sadly, many of them are banking-sites. :p
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.