You have to understand the data at a structural level and how it flows through the application. Then you can identify entry points to access that data using non-traditional methods that the developers may not have considered when implementing security features.
That, or get lucky by clicking around a lot.