This is what I learn to Approach API Pentesting :smile:

  1. Check Documentation and read it properly

  2. Note every endpoint from documentation and play with it and understand it for what actually it is doing

  3. Play with token from documentation

  4. Vulnerability is there just play with those tokens

Like Might be any endpoint showing users or sensitive creds to us which is suppose to be no needing

Like may be such endpoint leaking tokens for admin ?

Like might be there is SQLI on those endpoints like on tokens header, on tokens parameter[get or post], on any json post

Like even it can show sensitive things by changing content type from json to xml or xml to json ?

Like may be there is IDOR between those users ? etc

  1. Check POST data for user creation endpoint

    try how many length of username they are accepting?

    **Can we use Regex DDOS here ? [If they are using some regex for usernames] **

    **Like => aakash123 => small letter and in end number **

    Then try => this multiple time and check response

    If response is large => Regex DDOS possible