Look for API documentation:

/api
/swagger/index.html
/openapi.json

Look for API calls and explore endpoints / subpaths.

Try the list of HTTP verbs (OPTIONS, PATCH, GET, DELETE, POST, TRACE, …) on each endpoint.

Change the content type: modify the Content-Type header, then reformat the request body accordingly. You can use the Content type converter BApp to automatically convert data submitted within requests between XML and JSON. (useless)

Look for secret parameters:

For example, consider a PATCH /api/users/ request, which enables users to update their username and email, and includes the following JSON:

{
    "username": "wiener",
    "email": "[email protected]"
}

A concurrent GET /api/users/123 request returns the following JSON:

{
    "id": 123,
    "name": "John Doe",
    "email": "[email protected]",
    "isAdmin": "false"
}

This may indicate that the hidden id and isAdmin parameters are bound to the internal user object, alongside the updated username and email parameters.
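The binding behaviour described above, next to an allowlisted handler that refuses the hidden fields. This is an added example, not code from the original notes; `STORED_USER`, `PATCHABLE`, the function names and the sample addresses are constructed for illustration.

```python
import copy
import json

# Constructed internal user object; field names follow the JSON shown above.
STORED_USER = {"id": 123, "username": "wiener",
               "email": "wiener@example.test", "isAdmin": "false"}

# Fields a user may change through PATCH /api/users/ (assumed policy).
PATCHABLE = {"username": str, "email": str}


def patch_user_unsafe(user, body):
    """Binds every key in the request body onto the internal object."""
    updated = copy.deepcopy(user)
    updated.update(json.loads(body))
    return updated


def patch_user_allowlisted(user, body):
    """Binds only allowlisted keys; rejects anything else so it can be logged."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    unexpected = sorted(set(data) - set(PATCHABLE))
    if unexpected:
        raise ValueError("non-patchable fields: " + ", ".join(unexpected))
    for key, value in data.items():
        if not isinstance(value, PATCHABLE[key]):
            raise ValueError(key + " has the wrong type")
    updated = copy.deepcopy(user)
    updated.update(data)
    return updated


def demo():
    # Constructed request body carrying the hidden fields next to the documented ones.
    body = json.dumps({"username": "wiener", "email": "new@example.test",
                       "isAdmin": "true", "id": 1})
    unsafe = patch_user_unsafe(STORED_USER, body)
    try:
        patch_user_allowlisted(STORED_USER, body)
        safe_outcome = "accepted"
    except ValueError as exc:
        safe_outcome = str(exc)
    return unsafe, safe_outcome


if __name__ == "__main__":
    print(demo())
```

Rejecting the request instead of silently dropping the extra keys gives a clear signal to alert on when a client submits fields it was never offered.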

Server-side parameter pollution (HTTP parameter pollution)

It occurs when a website embeds user input in a server-side request to an internal API without adequate encoding.