I was recently testing a checkout payment system. It was the type of setup where everything seemed to be locked down and I had no findings for 2 days straight (most likely because I was looking at the wrong place)