Try traditional injections

Use API requests that are vulnerable to injection: send input that is executed directly by the API’s supporting technologies (the web application, the database, or the operating system running on the server), bypassing input validation measures.

  1. Discover requests that accept user input

  2. Test for cross-site scripting (XSS) and cross-API scripting (XAS)

  3. Perform database-specific attacks or operating system injection
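What "input directly executed by the database" means on the server side, and the fix, shown as an added example that is not part of the original page. The table, handler names and probe values are constructed for illustration; the check can be reused as a regression test for a lookup handler.

```python
import sqlite3

# Constructed probe values: neither matches a stored user name.
PROBES = ["o'brien", "nobody' OR '1'='1"]

def make_db():
    """In-memory table standing in for the API's backing database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db

def lookup_concat(db, name):
    """Weak form: the request value becomes part of the SQL text itself."""
    query = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in db.execute(query)]

def lookup_bound(db, name):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in db.execute(query, (name,))]

def is_injectable(handler, db, probe):
    """A value that matches no user must return no rows and raise no SQL error."""
    try:
        return len(handler(db, probe)) > 0
    except sqlite3.Error:
        # A parser error means the input reached the SQL grammar, not a data slot.
        return True

def audit(handler):
    """Run every probe against a handler; True means the handler failed the check."""
    db = make_db()
    return [is_injectable(handler, db, p) for p in PROBES]

if __name__ == "__main__":
    print("concatenated query flagged:", audit(lookup_concat))
    print("bound query flagged:", audit(lookup_bound))
```

The same principle applies to operating system injection: pass request values as discrete arguments to the process API instead of building a shell command string.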