This is what I learn to Approach API Pentesting :smile:
Check Documentation and read it properly
Note every endpoint from documentation and play with it and understand it for what actually it is doing
Play with token from documentation
Vulnerability is there just play with those tokens
Like Might be any endpoint showing users or sensitive creds to us which is suppose to be no needing
Like may be such endpoint leaking tokens for admin ?
Like might be there is SQLI on those endpoints like on tokens header, on tokens parameter[get or post], on any json post
Like even it can show sensitive things by changing content type from json to xml or xml to json ?
Like may be there is IDOR between those users ? etc
Check POST data for user creation endpoint
try how many length of username they are accepting?
**Can we use Regex DDOS here ? [If they are using some regex for usernames] **
**Like => aakash123 => small letter and in end number **
Then try => this multiple time and check response
If response is large => Regex DDOS possible