Best way to find some ideas is probably to search for past exploits run on popular websites, e.g. for an authentication vulnerability, what Moonpig did
For CSRF here's a good article with an example, and a real-world exploit in Shopify
For broken access control, maybe something like 'accidentally' letting unauthenticated users access an API (e.g. maybe the API takes a username rather than a signed token for verification?)
Seems a pretty fun project tbh, wish my Master's had more content like this. Best of luck!
I'm sorry, I have the same camera dvr system located at two different locations. Here is a lot of what occurred from my internet company at one location
https://bitninja.io/incidentReport.php?details=dd4aa7e7dc30777f19