Can you find [flaws and vulnerabilities] by just looking at the html output?

You can find hints by looking for HTML forms and the fields they contain. If some fields look like they might hold things like database field names or email addresses, they're a natural candidate to attempt to hack. If they hold things like object IDs, people will try faking a form submit with a different object ID, just to see if they can view or modify other data.