Running D:/WUSL/4th yr 1st sem/Traffic-Counting-Using-OpenCV-and-Python-Backed-by-Firebase-master/main code.py
Traceback (most recent call last):
File "C:\Program Files\JetBrains\PyCharm Edu 2018.1.3\helpers\pydev\pydev_run_in_console.py", line 52, in run_file
pydev_imports.execfile(file, globals, locals) # execute the script
File "C:\Program Files\JetBrains\PyCharm Edu 2018.1.3\helpers\pydev\_pydev_imps\_pydev_execfile.py", line 18, in execfile
exec(compile(contents+"\n", file, 'exec'), glob, loc)
File "D:/WUSL/4th yr 1st sem/Traffic-Counting-Using-OpenCV-and-Python-Backed-by-Firebase-master/main code.py", line 10, in <module>
File "C:\Program Files\JetBrains\PyCharm Edu 2018.1.3\helpers\pydev\_pydev_bundle\pydev_import_hook.py", line 19, in do_import
module = self._system_import(name, *args, **kwargs)
ModuleNotFoundError: No module named 'requests'
PyDev console: starting.
To be exploited, an IDOR issue must be combined with an Access Control issue because it's the Access Control issue that "allow" the attacker to access to the object for which he have guessed the identifier through is enumeration attack.
So long as you have proper access controls in place, and return the same error for accounts that the current user doesn't have permission to access as for accounts which don't exist, there shouldn't be any problems.
Depending on what you're doing, you might be able to drop the querystring and deduce the record to display based on the currently logged-in user. Or you could replace the IDs with a Guid, which would be much harder to enumerate.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
Assuming your variables are well-named, you're doing a subtree search off of a full DN. You want a search scope of "Base". A user object has no subtree; it's not a container like an OU.
Another suggestion, your structure is highly coupled and can be easily jacked up by very minor changes to the directory. Assuming that you're using a SAM Name for login, you can completely skip the SQL server.
If you really need the SQL, though, you're doing it wrong. Use a parameterized query to leverage the DBMS rather than pulling the whole table and iterating it locally. So many wasted cycles!
"Never attribute to malice that which can be explained by stupidity."
- Hanlon's Razor
Last Visit: 4-Apr-20 1:05 Last Update: 4-Apr-20 1:05