An OWASP note suggests that direct object references are considered insecure in some contexts. They defined "direct object reference" as follows:
“A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter.”
Someone suggests a solution to this problem:
“An object reference map is first populated with a list of authorized values which are temporarily stored in the session. When the user requests a field (ex: color=654321), the application does a lookup in this map from the session to determine the appropriate column name. If the value does not exist in this limited map, the user is not authorized. Reference maps should not be global (i.e. include every possible value), they are temporary maps/dictionaries that are only ever populated with authorized values.”
However, somebody else argues on the Wiki that DORs are really insecure only for files and directories. That person adds:
“There is no way to practically DOR all database primary keys in a real enterprise or post-enterprise system.”
My question is, how insecure are direct object references to database primary keys? Can you provide concrete examples of vulnerabilities? How often do people go to extraordinary lengths (as suggested by the first person) to mask ALL database keys?
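The session-scoped reference map described in the quoted suggestion, sketched as an added example (not part of the original post and not OWASP's code). The invoice table, the user names and all function names are assumptions made for illustration.

```python
import secrets


class ReferenceMap:
    """Per-session indirect reference map: random token <-> internal key."""

    def __init__(self):
        self._by_token = {}  # (kind, token) -> internal key
        self._by_key = {}    # (kind, internal key) -> token

    def issue(self, kind, internal_key):
        """Return the token for a key the caller has ALREADY authorized."""
        existing = self._by_key.get((kind, internal_key))
        if existing is not None:
            return existing  # stable token for the lifetime of the session
        token = secrets.token_urlsafe(16)
        self._by_token[(kind, token)] = internal_key
        self._by_key[(kind, internal_key)] = token
        return token

    def resolve(self, kind, token):
        """Map a client-supplied token back to the key, or refuse."""
        try:
            return self._by_token[(kind, token)]
        except KeyError:
            raise PermissionError("reference not authorized for this session") from None


# Constructed sample data: invoice primary key -> owning user.
INVOICES = {101: "alice", 102: "alice", 201: "bob"}


def list_invoices(session, user):
    """Populate the session map with only the rows this user may see."""
    refs = session.setdefault("refs", ReferenceMap())
    return [refs.issue("invoice", pk) for pk, owner in INVOICES.items() if owner == user]


def get_invoice(session, token):
    """Handler for a request such as /invoice?ref=<token>; no raw key is accepted."""
    refs = session.setdefault("refs", ReferenceMap())
    return refs.resolve("invoice", token)
```

Because the map is filled only while listing rows the user is entitled to, a guessed primary key or a token copied from another session has nothing to resolve against.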