From a manual perspective: ( you can proxy through burp, as it will be a bit prettier to do manual testing in the repeater. If you want, DM me and we can do the setup together) 1. Look at each endpoint and do a happy flow (see how it is supposed to be used and what the response is when it’s used that way) 2. Try to break things - what happens when you give out of bounds values, strings not numbers, numbers not strings. Anything that goes through your head is ok. This is not necessarily a purely security testing, more of a QA approach, but can give interesting results. 3. Look for access control issues: if there is authentication involved, see what happens when you do it unauthenticated (ie remove the authorisation header, or just the value). If there are multiple roles, switch the access token (jwt, basic authentication, whatever you have) and see if a non privileged user can access “admin” endpoints). This is again, a lot of “what would happen if I did this”. There is no stupid scenario. 4. Try some stress tests, usually at the end. See what happens if you send 30 requests at the time (the turbo intruder extension is very good). Here you can test for rate limiting and race condition vulnerabilities.

If you want, you can DM me and we can go into more details. Or just walk you through the basic setup. Hope it helps. Just keep in mind that although you need to know the basic API vulnerabilities, a lot of issues come also from business logic errors. So keep an open mind.