Given a specific API endpoint at Dropbox, how would you identify potential injection or broken access control vulnerabilities?