Slideshow: Five common Web application vulnerabilities and mitigations
Insecure direct object references are another common security weakness in Web applications. They are the result of application developers coding under the assumption that rules will always be followed by users. In this case, an attacker may be able to guess a user's ID and resubmit a data request if that user's account ID is shown in the page URL or in a hidden field. Such sensitive data is often incorrectly exposed in URLs, hidden form fields, drop-down list boxes, JavaScript code and so on.
To prevent attackers from taking advantage of insecure direct object references, applications should use random, unpredictable values for IDs, file names and object names. The actual names of objects should never be exposed to the client, and when a user tries to access a sensitive file or record, their authorization to do so should be verified on every request, not just once.
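The two mitigations above, as an added example that is not part of the original slideshow: a vulnerable lookup that trusts the ID from the URL, beside a hardened version that hands out per-user random indirect references and re-checks ownership on every request. The document store, user names and `IndirectRefMap` helper are constructed for illustration.

```python
import secrets

# Constructed sample data: records keyed by their real, sequential database IDs.
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's tax return"},
    102: {"owner": "bob", "body": "bob's medical record"},
}

def fetch_insecure(user, doc_id):
    """Vulnerable lookup: uses the ID straight from the URL and never checks
    ownership, so anyone who guesses a neighbouring ID reads another user's record."""
    return DOCUMENTS.get(doc_id)

class IndirectRefMap:
    """Per-user map from random, unguessable tokens to real object IDs.
    The real ID never leaves the server, so there is nothing to enumerate."""
    def __init__(self):
        self._by_user = {}

    def reference_for(self, user, doc_id):
        """Return the token this user sees for doc_id, minting one if needed."""
        refs = self._by_user.setdefault(user, {})
        for token, real_id in refs.items():
            if real_id == doc_id:
                return token
        token = secrets.token_urlsafe(16)  # 128 bits of randomness
        refs[token] = doc_id
        return token

    def resolve(self, user, token):
        """Look the token up only in the calling user's own map."""
        return self._by_user.get(user, {}).get(token)

def fetch_secure(user, token, refs):
    """Hardened lookup: resolve the indirect reference in the caller's own map,
    then re-verify authorization on this request rather than trusting an
    earlier listing or session state."""
    doc_id = refs.resolve(user, token)
    if doc_id is None:
        return None
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != user:
        return None
    return doc
```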