...
This prevents attackers from directly targeting unauthorized resources. For example, instead of using the resource's database key, a drop-down list of six resources authorized for the current user could use the numbers 1 to 6 to indicate which value the user selected. The application has to map the per-user indirect reference back to the actual database key on the server. OWASP's ESAPI includes both sequential and random access reference maps that developers can use to eliminate direct object references.
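The following is an added illustration of the per-user indirect reference map described above; it is not ESAPI's code and it is not from the original page. It implements the same two flavours ESAPI describes, a sequential map (the "1 to 6" drop-down case) and a random one, and shows the server-side step that matters for defence: a submitted reference is resolved only through the requesting user's own map, so a raw database key or another user's index never reaches storage. The user names, document keys and `USER_DOCUMENTS` table are constructed sample data.

```python
import secrets
from typing import Callable, Dict, Iterable


class AccessControlError(Exception):
    """Raised when an indirect reference is not present in the caller's map."""


class AccessReferenceMap:
    """Per-user, per-session map between opaque indirect references and real
    direct references (database keys, file names). Only the indirect side is
    ever sent to the client; the server translates it back before any lookup."""

    def __init__(self, direct_refs: Iterable[str], make_indirect: Callable[[int], str]):
        self._direct_to_indirect: Dict[str, str] = {}
        self._indirect_to_direct: Dict[str, str] = {}
        self._make_indirect = make_indirect
        for direct in direct_refs:
            self.add_direct_reference(direct)

    def add_direct_reference(self, direct: str) -> str:
        """Register a resource the user is authorized for; returns its indirect name."""
        if direct in self._direct_to_indirect:
            return self._direct_to_indirect[direct]
        position = len(self._direct_to_indirect) + 1
        indirect = self._make_indirect(position)
        while indirect in self._indirect_to_direct:   # regenerate on a random collision
            indirect = self._make_indirect(position)
        self._direct_to_indirect[direct] = indirect
        self._indirect_to_direct[indirect] = direct
        return indirect

    def get_indirect_reference(self, direct: str) -> str:
        """Used when rendering the list/links: real key -> value shown to the client."""
        return self._direct_to_indirect[direct]

    def get_direct_reference(self, indirect: str) -> str:
        """Used when handling a request: client value -> real key, or an error.
        A value that is not in this user's map is, by construction, unauthorized."""
        try:
            return self._indirect_to_direct[indirect]
        except KeyError:
            raise AccessControlError(f"unknown reference {indirect!r}") from None


def sequential(position: int) -> str:
    """Sequential map: the n-th authorized resource is simply called 'n'."""
    return str(position)


def random_ref(_position: int) -> str:
    """Random map: an unguessable token per resource, regenerated per session."""
    return secrets.token_urlsafe(12)


# Constructed sample data (hypothetical users and document keys, not real records).
USER_DOCUMENTS = {
    "alice": ["doc_4711", "doc_4712", "doc_4713"],
    "bob": ["doc_9001"],
}


def build_map_for_user(user: str, factory: Callable[[int], str] = sequential) -> AccessReferenceMap:
    """Built at login or when rendering the selection list and kept in the session,
    so the map itself encodes what this user may reach."""
    return AccessReferenceMap(USER_DOCUMENTS.get(user, []), factory)


def load_document(session_map: AccessReferenceMap, submitted_ref: str) -> str:
    """Server-side handler: resolving through the caller's own map is the
    authorization check; storage is touched only with the resolved real key."""
    direct_key = session_map.get_direct_reference(submitted_ref)
    return f"contents of {direct_key}"   # stand-in for the real database/file read


if __name__ == "__main__":
    alice = build_map_for_user("alice")
    print(load_document(alice, "2"))      # resolves to doc_4712
    try:
        load_document(alice, "doc_4712")  # raw key submitted directly: rejected
    except AccessControlError as err:
        print("rejected:", err)
```

With the random factory the client-visible values carry no ordering information at all; with the sequential factory they are predictable but still meaningless outside the map they were issued from, which is what makes a request for "7" from a user with six entries fail before any data access.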
...
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessController.html
Learn More:
- OWASP Top 10-2007 on Insecure Direct Object References
- ESAPI Access Reference Map
- ESAPI Access Control API (See isAuthorizedForData(), isAuthorizedForFile(), isAuthorizedForFunction())
- CWE Entry 639 on Insecure Direct Object Reference
- CWE Entry 22 on Path Traversal (an example of a Direct Object Reference attack)