Test all input fields for SQL injection, including less obvious vectors: sort parameters, filter expressions, search queries, and webhook URLs. - Test for NoSQL injection in any MongoDB-backed endpoints (search, analytics). - Test for server-side template injection (SSTI) in any feature that renders