Check outgoing and incoming traffic to ensure that traffic is being routed appropriately for your test (e.g. you’re not sending traffic through the wrong VPN or proxy).
Run tcpdump and monitor the output to verify that traffic is going to/from the target. In some cases, save the output to a file as evidence of where the traffic went.
Actually spend a chunk of time on this. Use the information as keywords to brute force directories, usernames, passwords, function names, etc.
Grab the front page of the app and view the page source code to see whether it contains any revealing information (such as a Joomla header).
Analyze the information you’ve gathered in the previous steps, and perform research to identify the exploits and attack vectors.
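
The routing check from the first two steps can be scripted so that a capture only starts when traffic to the target actually leaves through the intended interface. This is an added example, not part of the original checklist; it assumes Linux with iproute2 and tcpdump, and the function names, the `tun0`/`eth0` interface names and the `203.0.113.10` address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original checklist): refuse to capture unless
# the kernel routes the target through the expected interface.

# Constructed samples of `ip route get <target>` output (second line is real
# iproute2 formatting; addresses are documentation ranges).
SAMPLE_VPN='203.0.113.10 dev tun0 src 10.8.0.2 uid 1000
    cache'
SAMPLE_LAN='203.0.113.10 via 192.168.1.1 dev eth0 src 192.168.1.50 uid 1000
    cache'

# egress_dev ROUTE_OUTPUT: print the interface that follows the "dev" keyword.
egress_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# route_ok EXPECTED_DEV ROUTE_OUTPUT: succeed only if the egress interface matches.
route_ok() {
    [ "$(egress_dev "$2")" = "$1" ]
}

# capture_evidence TARGET EXPECTED_DEV OUTFILE
# Checks the live route first, then writes only traffic to/from the target
# into a pcap file that can be kept as evidence of where the traffic went.
capture_evidence() {
    target=$1 dev=$2 out=$3
    route=$(ip route get "$target") || return 2
    if ! route_ok "$dev" "$route"; then
        echo "route to $target uses $(egress_dev "$route"), expected $dev; not capturing" >&2
        return 1
    fi
    # -n: no name resolution, so the capture itself generates no DNS lookups
    tcpdump -n -i "$dev" -w "$out" host "$target"
}

# Run only when invoked with arguments: ./check.sh TARGET DEV OUTFILE
if [ "$#" -ge 3 ]; then
    capture_evidence "$1" "$2" "$3"
fi
```

Stop the capture with Ctrl-C when the test step is finished; `tcpdump -n -r OUTFILE` reads the saved file back for review.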