Input validation: Finding input locations

For web applications, a web spider, such as the one built into OWASP ZAP, Burp Suite, or the Paros proxy, can help enumerate the input locations.

When you find an input location, document it and record the tests you performed against it, so that effort is not duplicated. For a web application you want to know:

  • The URI of the request.

  • The parameters for the URI, including any optional and hidden ones.

  • The HTTP method (GET, POST).

  • The cookies the request sends and the response sets.

  • All HTTP headers the system might use.

Tests for other vulnerabilities need this same information.
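As an added example (not code from the original page), a small Python helper that turns captured requests into the inventory described above: one record per method, URI and parameter set, with the cookie and header names seen, so a location that reappears with different values is recognised instead of tested twice. The raw requests below are constructed samples standing in for spider or proxy output.

```python
"""Build an input-location inventory from captured HTTP/1.1 requests."""
from urllib.parse import urlsplit, parse_qsl
from http.cookies import SimpleCookie

# Constructed sample requests (not real traffic); the third repeats the
# first location with different parameter values and order.
SAMPLE_REQUESTS = [
    "GET /search?q=test&page=1 HTTP/1.1\r\nHost: app.example\r\n"
    "Cookie: session=abc; theme=dark\r\nUser-Agent: x\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "X-Forwarded-For: 203.0.113.5\r\n\r\nuser=a&pass=b&next=%2F",
    "GET /search?page=2&q=other HTTP/1.1\r\nHost: app.example\r\n"
    "Cookie: session=abc\r\n\r\n",
]

def parse_request(raw):
    """Extract the input surface of one raw request: method, path, params,
    cookie names and header names (values are deliberately not kept)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    # Record where each parameter arrives: query string or form body.
    params = {k: "query" for k, _ in parse_qsl(url.query, keep_blank_values=True)}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update({k: "body" for k, _ in parse_qsl(body, keep_blank_values=True)})
    cookies = SimpleCookie()
    cookies.load(headers.get("cookie", ""))
    return {"method": method, "uri": url.path, "params": params,
            "cookies": sorted(cookies.keys()), "headers": sorted(headers.keys())}

def location_key(record):
    """Identify an input location independent of parameter values or order."""
    return (record["method"], record["uri"], tuple(sorted(record["params"])))

def build_inventory(raw_requests):
    """Merge requests into one entry per input location, with a slot for
    the tests already performed against it."""
    inventory = {}
    for raw in raw_requests:
        rec = parse_request(raw)
        entry = inventory.setdefault(location_key(rec), {
            **rec, "cookies": set(), "headers": set(), "tests_done": []})
        entry["cookies"].update(rec["cookies"])
        entry["headers"].update(rec["headers"])
    return inventory
```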