I think finding holes can be a matter of developing a dry, ironic sense of humor.
A hole is more or less a bug that can be pushed a bit further.
It has a lot of similarities to a joke. You thought your code "meant" X but really it "means" Y. SQL injection is a way of "saying" something that your "audience" wasn't quite expecting. It's a lot like the jokes that start "he put the frozen turkey in the back of his truck and drove off ... and then ... and then" with lots of unexpected results.
My totally non-expert opinion is that if you practice finding this stuff amusing, you'll see more and more of it.