How are hackers able to find such complicated exploits?

44 Answers

Anonymous 0 Comments

Mostly vulnerability testing and fuzzing to find bugs, as well as just looking at public bug reports, then investigating and understanding the bugs to see if they’re exploitable.

Basically, lots of code is tested to make sure that things that “make sense” work. It’s fairly common for people to fail to test the edge cases and error cases, so a common attack method is to automate data entry, generate files to give the program, etc., and just keep doing it over and over, but each time trying something a little different. Fuzzing, for example, is where you just randomly insert errors into the data you give the program and see if it handles it. Websites are commonly vulnerable to SQL injection, so you can try putting quotes and semicolons in fields and see if it breaks anything.

If something breaks, then you investigate why. Often you’re looking for things like “XYZ crashed because abc is not valid code”, then you look at the test and see that abc is actually part of the data entry, so it might imply that if it was code it would run, so you enter code there and see if it works.
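The fuzzing loop described in the answer above, as an added example that is not part of the original answer: a small mutation fuzzer run as a test against your own parser, separating clean rejections from unhandled errors. The record format, both parsers and every name here are constructed for illustration.

```python
import random
import struct

class ParseError(ValueError):
    """Clean, intentional rejection of malformed input."""

def parse_record(data: bytes) -> dict:
    # Constructed toy format: type(1) | name_len(1) | name | value(4, big-endian).
    if len(data) < 2 or data[0] not in (1, 2):
        raise ParseError("bad header")
    name_len = data[1]
    name = data[2:2 + name_len].decode("ascii")               # untested edge: non-ASCII name
    (value,) = struct.unpack(">I", data[2 + name_len:][:4])   # untested edge: truncated value
    return {"type": data[0], "name": name, "value": value}

def parse_record_checked(data: bytes) -> dict:
    # Same format, with the edge cases validated before parsing.
    if len(data) < 2 or data[0] not in (1, 2):
        raise ParseError("bad header")
    name_len = data[1]
    if len(data) != 2 + name_len + 4:
        raise ParseError("length mismatch")
    if any(b > 0x7F for b in data[2:2 + name_len]):
        raise ParseError("non-ASCII name")
    return parse_record(data)

def mutate(seed: bytes, rng: random.Random) -> bytes:
    buf = bytearray(seed)
    op = rng.randrange(3)
    if op == 0:                                    # overwrite one byte
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:                                  # truncate at a random offset
        del buf[rng.randrange(len(buf)):]
    else:                                          # insert one random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 0) -> dict:
    rng = random.Random(rng_seed)                  # fixed seed keeps findings reproducible
    findings = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ParseError:
            pass                                   # handled: rejected on purpose
        except Exception as exc:                   # unhandled: a bug to investigate
            findings.setdefault(type(exc).__name__, case)  # first reproducer per class
    return findings

SEED = bytes([1, 4]) + b"user" + struct.pack(">I", 42)  # constructed valid record
```

Each entry in the returned dictionary maps an exception class to the first input that triggered it, which is the reproducer to start investigating from.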
