While it is possible to conduct manual security testing, it is very difficult. Not only would you need to know the pages that need to be hit, but you would need to know the commands/calls that are executed, and you would need to know the format or the parameters in the commands/calls. There will still be some areas that could be missed.
Are there any ways to manually do security testing without using tools?
I am looking for ways to manually do some security testing without using any tools. Is this possible?
The answer is: it depends. You can learn a lot from the OWASP (https://www.owasp.org/index.php/Main_Page) project and other such sites for how to test flaws manually. The reality is that many of these are hard to detect under dynamic execution. Some defects are better spotted with static code analysis (code review), or using static code analysis tools.