A blog website that allows users to post comments.
Manually test every possible point of entry where data appears to be stored and then shown back in areas that other users have access to, e.g.:
Comments on a blog
User profile information
Developers sometimes assume that limiting input values on the client side is sufficient protection, so sending values the web application isn't expecting is a good way to discover stored XSS. For example, an age field may expect an integer chosen from a dropdown menu, but if you send the request manually instead of using the form, you can try malicious payloads.
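The server-side counterpart to the age-field case above, as an added example that is not code from the original page: the handler re-validates the age on the server and HTML-encodes stored text on output. The names parse_age, render_profile and handle_request, the allowed age range and the sample form data are all assumptions made for illustration.

```python
import html

# Assumed range offered by the dropdown; the server enforces it again
# because the form can be bypassed by sending the request manually.
ALLOWED_AGES = range(13, 121)


def parse_age(raw):
    """Accept only a short, plain decimal integer within the allowed range."""
    if not isinstance(raw, str) or len(raw) > 3:
        raise ValueError("age must be an integer")
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("age must be an integer")
    age = int(raw)
    if age not in ALLOWED_AGES:
        raise ValueError("age out of range")
    return age


def render_profile(name, raw_age):
    """Validate on input, encode on output: stored text is never emitted raw."""
    age = parse_age(raw_age)
    return "<p>{} ({})</p>".format(html.escape(name, quote=True), age)


def handle_request(form):
    """Hypothetical handler: returns (HTTP status, response body)."""
    try:
        return 200, render_profile(form.get("name", ""), form.get("age", ""))
    except ValueError as exc:
        # The rejected value is not reflected in the error; only a fixed message.
        return 400, html.escape(str(exc))


if __name__ == "__main__":
    # Constructed sample requests: one from the form, two sent manually.
    samples = [
        {"name": "Ann", "age": "25"},
        {"name": "Ann", "age": "<script>alert(1)</script>"},
        {"name": "<script>alert(1)</script>", "age": "30"},
    ]
    for form in samples:
        print(handle_request(form))
```

The second request is rejected because the age is not an integer, and the third is stored but rendered inert because the name is encoded when it is written into the page.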