Running D:/WUSL/4th yr 1st sem/Traffic-Counting-Using-OpenCV-and-Python-Backed-by-Firebase-master/main code.py
Traceback (most recent call last):
File "C:\Program Files\JetBrains\PyCharm Edu 2018.1.3\helpers\pydev\pydev_run_in_console.py", line 52, in run_file
pydev_imports.execfile(file, globals, locals) # execute the script
File "C:\Program Files\JetBrains\PyCharm Edu 2018.1.3\helpers\pydev\_pydev_imps\_pydev_execfile.py", line 18, in execfile
exec(compile(contents+"\n", file, 'exec'), glob, loc)
File "D:/WUSL/4th yr 1st sem/Traffic-Counting-Using-OpenCV-and-Python-Backed-by-Firebase-master/main code.py", line 10, in <module>
File "C:\Program Files\JetBrains\PyCharm Edu 2018.1.3\helpers\pydev\_pydev_bundle\pydev_import_hook.py", line 19, in do_import
module = self._system_import(name, *args, **kwargs)
ModuleNotFoundError: No module named 'requests'
PyDev console: starting.
To be exploited, an IDOR issue must be combined with an Access Control issue, because it is the Access Control issue that "allows" the attacker to access the object whose identifier he has guessed through his enumeration attack.
So long as you have proper access controls in place, and return the same error for accounts that the current user doesn't have permission to access as for accounts which don't exist, there shouldn't be any problems.
Depending on what you're doing, you might be able to drop the querystring and deduce the record to display based on the currently logged-in user. Or you could replace the IDs with a Guid, which would be much harder to enumerate.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer