Insecure direct object reference.
An example of an insecure direct object reference is an online banking application that lets a user transfer money between accounts. The accounts that money can be transferred to are listed in a drop-down that displays friendly account names but sends the real account number back as the request parameter.
<select name="to">
  <option value="0012345678">Joint account</option>
  <option value="0087654321">Savings account</option>
</select>
Because the form sends the account number itself as a request parameter, nothing stops an attacker from replacing it with any other account number (another customer's, for example) before submitting the request. If the server uses the parameter as-is, the transfer goes to whatever account the attacker chose.
Instead of using account numbers or database keys as the option values, it is safer to create a map whose keys are simple sequence numbers and whose values are the account numbers or database keys. Store the map in the user's session and use the map's keys as the option values. Only accounts that this user is allowed to use go into the map, so the map doubles as the list of permitted targets.
  // Per-session indirect reference map: sequence number -> real account number.
  Map<String, String> accountsMap = new HashMap<String, String>();
  accountsMap.put("1", "0012345678");
  accountsMap.put("2", "0087654321");
  // Kept server-side in the session; the client only ever sees the keys.
  session.setAttribute("accounts", accountsMap);
<select name="to">
  <option value="1">Joint account</option>
  <option value="2">Savings account</option>
</select>
So the parameter value that comes back from the form is not a database key or account number, just an opaque sequence number that is meaningless outside this session. On submission the server must look the value up in the session map and reject anything that is not a key of the map; a submitted value is never used as an account number directly.
The other way to guard against this attack, and the one that applies whether or not an indirect map is used, is to validate on the server that the logged-in user is authorised to use the account number named in the request, for example by checking that the account belongs to that user before the transfer is performed.
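The following is an added example, not code from the original page: it puts the two defences above together in plain Java with no servlet container, so it can be compiled and run as-is. The Account record, the in-memory ACCOUNTS_DB, the static session map standing in for HttpSession attributes, and the method names (buildAccountsMap, renderSelect, resolveAccount, isAuthorised) are all assumptions made for the example.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not from the original page. Simulates the transfer form:
// build the per-session indirect reference map, render the <select>, then
// handle a submission by resolving the key and rejecting tampered values.
public class TransferExample {

    // Hypothetical account record: number, owning customer, display name.
    record Account(String number, String ownerId, String displayName) {}

    // Constructed sample data standing in for the bank's database.
    static final Map<String, Account> ACCOUNTS_DB = new LinkedHashMap<>();
    static {
        ACCOUNTS_DB.put("0012345678", new Account("0012345678", "alice", "Joint account"));
        ACCOUNTS_DB.put("0087654321", new Account("0087654321", "alice", "Savings account"));
        ACCOUNTS_DB.put("0099999999", new Account("0099999999", "bob", "Bob's account"));
    }

    // Stand-in for the logged-in user's HttpSession attributes (assumption).
    static final Map<String, Object> session = new HashMap<>();

    // Build the indirect reference map: sequence number -> account number.
    // Only the user's own accounts go in, so any key that resolves later is,
    // by construction, an account this user is allowed to transfer to.
    static Map<String, String> buildAccountsMap(String userId) {
        Map<String, String> accountsMap = new LinkedHashMap<>();
        int seq = 1;
        for (Account a : ACCOUNTS_DB.values()) {
            if (a.ownerId().equals(userId)) {
                accountsMap.put(String.valueOf(seq++), a.number());
            }
        }
        session.put("accounts", accountsMap);
        return accountsMap;
    }

    // Render the <select>: option values are the map keys, never account numbers.
    static String renderSelect(Map<String, String> accountsMap) {
        StringBuilder sb = new StringBuilder("<select name=\"to\">");
        for (Map.Entry<String, String> e : accountsMap.entrySet()) {
            String name = ACCOUNTS_DB.get(e.getValue()).displayName();
            sb.append("<option value=\"").append(e.getKey()).append("\">")
              .append(name).append("</option>");
        }
        return sb.append("</select>").toString();
    }

    // Resolve the submitted parameter through the session map. An unknown key
    // (a tampered value, or a raw account number pasted in) is rejected; the
    // parameter is never used as an account number itself.
    static String resolveAccount(String toParam) {
        @SuppressWarnings("unchecked")
        Map<String, String> accountsMap = (Map<String, String>) session.get("accounts");
        if (accountsMap == null || !accountsMap.containsKey(toParam)) {
            throw new IllegalArgumentException("unknown account reference: " + toParam);
        }
        return accountsMap.get(toParam);
    }

    // The second defence: if the raw account number is accepted as a parameter,
    // check on the server that the logged-in user actually owns that account.
    static boolean isAuthorised(String userId, String accountNumber) {
        Account a = ACCOUNTS_DB.get(accountNumber);
        return a != null && a.ownerId().equals(userId);
    }

    public static void main(String[] args) {
        String user = "alice";
        Map<String, String> map = buildAccountsMap(user);
        System.out.println(renderSelect(map));
        // Normal submission: "2" resolves to alice's savings account.
        System.out.println("2 -> " + resolveAccount("2"));
        // Tampered submission: the attacker submits Bob's account number as the value.
        try {
            resolveAccount("0099999999");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Direct-reference variant protected by the ownership check instead.
        System.out.println("alice may use 0012345678: " + isAuthorised(user, "0012345678"));
        System.out.println("alice may use 0099999999: " + isAuthorised(user, "0099999999"));
    }
}
```

Two points worth noting in the design: the map is rebuilt per session and per user, so a key copied from one user's form means nothing in another's session, and resolveAccount treats anything not in the map as an error rather than falling back to the raw parameter, which is where the original vulnerability lived. The ownership check in isAuthorised is cheap enough to keep even when the map is used, since it catches the case where the map is stale after an account has been closed or reassigned.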