I am trying to improve my API pentesting skills, especially for APIs that communicate with a front-end desktop or mobile app. I've checked out the Pluralsight course by Troy Hunt called Hack Your API First. I also watched the video API Security 101 on Bugcrowd University. My question is, how do you successfully experiment with APIs that require authentication? In those tutorials, I see the researchers intercepting requests and changing data. However, because many real-world services are using OAuth, multiple session tokens, anti-CSRF tokens, etc., the backend often will not even let me resubmit the same request twice because the tokens no longer match. This prevents me from experimenting properly and even from using a tool such as Burp Repeater. Has anyone else encountered this, and do you have any tips for testing these bulky real-world services?
I have experienced this in API bug fuzzing as well and would like to know if there is a special header for the token. I have found plenty of endpoints and always get the 401 Unauthorized or "api-key not found", etc. If some more experienced bug hunter could explain this, it would be much appreciated.
Regards,
LUCID
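Seen from the back end, the behaviour the original question describes (a captured request replayed from Burp Repeater is rejected because the anti-CSRF token no longer matches, and an unknown session gets the 401 the reply mentions) is a deliberate per-request token rotation. The toy model below is an added example written for this thread, not code from either poster or from the courses mentioned; the `AntiReplayBackend` class, its method names and the audit log format are assumptions made for illustration.

```python
import hmac
import secrets


class AntiReplayBackend:
    """Constructed toy back end: every state-changing request must carry the
    session's current anti-CSRF token, and each accepted request rotates it."""

    def __init__(self):
        self.sessions = {}   # session id -> currently valid anti-CSRF token
        self.audit = []      # (event, session id, detail) rows for detection

    def login(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = secrets.token_hex(16)
        return sid, self.sessions[sid]

    def handle(self, session_id, csrf_token, body):
        """Return (status, new_token); new_token is None when rejected."""
        expected = self.sessions.get(session_id)
        if expected is None:
            self.audit.append(("reject", session_id, "unknown session"))
            return 401, None
        # Constant-time compare. A second submission of the same capture fails
        # here because the first accepted request already consumed the token.
        if not hmac.compare_digest(expected, csrf_token):
            self.audit.append(("reject", session_id, "stale or forged token"))
            return 403, None
        self.sessions[session_id] = secrets.token_hex(16)
        self.audit.append(("accept", session_id, body))
        return 200, self.sessions[session_id]


def replay_demo():
    """Submit one captured request twice, as Repeater would; return both statuses."""
    backend = AntiReplayBackend()
    sid, token = backend.login()
    captured = (sid, token, '{"action": "update_email"}')   # constructed request
    first, _fresh_token = backend.handle(*captured)
    second, _ = backend.handle(*captured)   # byte-identical replay
    return first, second


if __name__ == "__main__":
    print(replay_demo())   # (200, 403)
```

A run of "stale or forged token" rejections on one session in the audit log is the server-side trace that a client is replaying captured requests.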