phalcon api end point has been hacked #15886
EhsanJamshidi
started this conversation in
General
-
Start with your saving process. Check if all the input is sanitized, and also check where you store the credentials for the API. Also check how often you invalidate the credentials, i.e., if you use a token-based approach, you need to invalidate the token, preferably as soon as the request is done, so that the next request can get a new token.
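The token handling suggested in the reply above, as an added example that is not part of the original discussion or of Phalcon itself: a store that keeps only a hash of each token and invalidates it on first use, handing back a replacement for the next request. `OneTimeTokenStore`, its methods and the in-memory array (standing in for a database table) are assumptions, and the code needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical class for illustration. The array stands in for a
// database table; there, look-up and delete must run in one transaction.
final class OneTimeTokenStore
{
    /** @var array<string, array{user: int, expires: int}> keyed by SHA-256 of the token */
    private array $rows = [];

    public function __construct(private int $ttlSeconds = 300) {}

    // Issue a fresh random token; only its hash is kept server-side.
    public function issue(int $userId, ?int $now = null): string
    {
        $token = bin2hex(random_bytes(32));
        $this->rows[hash('sha256', $token)] = [
            'user'    => $userId,
            'expires' => ($now ?? time()) + $this->ttlSeconds,
        ];
        return $token;
    }

    // Validate and invalidate in one step. Returns [userId, nextToken] or null.
    public function consume(string $token, ?int $now = null): ?array
    {
        $key = hash('sha256', $token);
        $row = $this->rows[$key] ?? null;
        unset($this->rows[$key]); // spent on first presentation, valid or not
        if ($row === null || $row['expires'] < ($now ?? time())) {
            return null; // unknown, already used, or expired
        }
        return [$row['user'], $this->issue($row['user'], $now)];
    }
}

// Constructed walk-through: one issued token, one request, one replay.
$store = new OneTimeTokenStore(300);
$first = $store->issue(42);
[$user, $second] = $store->consume($first);
if ($user !== 42 || $store->consume($first) !== null) {
    throw new RuntimeException('token was not invalidated after use');
}
echo "replay rejected; next token issued\n";
```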
-
Hi, I built an API. After a while, a person claimed he hacked the API endpoint and found a bug in the saving process of the user model.
Any idea where I should start to look?