...
This prevents attackers from directly targeting unauthorized resources. For example, instead of using the resource's resource’s database key, a drop down list of six resources authorized for the current user could use the numbers 1 to 6 to indicate which value the user selected. The application has to map the per-user indirect reference back to the actual database key on the server. OWASP's OWASP’s ESAPI includes both sequential and random access reference maps that developers can use to eliminate direct object references.
...