When pen testing web sites that use applets to enforce business rules, it's a good idea to decompile the applet and poke around it. Here are some of the things we've come across that helped us test the application better:

• Hard coded secrets, passwords, symmetric keys and once even an embedded private key
• Weak "custom encryption" logic that could be reverse engineered easily
• Inadequate input validation logic and the boundary conditions being tested for
• A structured listing of business rules that helped us refine our Threat model
• The "secret handshake" used for authenticating the applet to the servlet

This isn't rocket science. All it takes is a Java decompiler and a few hours of analysis. We use DJ Decompiler, it's a graphical interface built over the JAD decompiler for Java.