Imagine going to a web site to buy a car at any price you want! This could happen if the web site uses data from a hidden HTML form field to determine the car price. Remember, there's nothing stopping a user from viewing the page source and then sending a modified form with a massively reduced price back to the server (using Perl, for example). Hidden fields are not really hidden at all.
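The following Python is an added illustration, not code from the book: a server-side checkout handler that trusts the echoed hidden `price` field, next to one that ignores it and re-derives the price from a server-side catalog. The catalog, car ids, field names and request body are all constructed assumptions.

```python
from urllib.parse import parse_qs

# Constructed server-side catalog: the only authoritative source of prices.
CATALOG = {"car-1001": 24999.00, "car-1002": 41500.00}


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded POST body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_checkout(form: dict) -> float:
    """Charges whatever the hidden 'price' field says: the client sets the price."""
    return float(form["price"])


def hardened_checkout(form: dict) -> tuple[float, list[str]]:
    """Ignores any client-supplied price and re-derives it from the catalog.

    Returns (charged_price, warnings). A mismatch between the echoed hidden
    field and the catalog value cannot affect the charge, but it is worth
    logging, because a normal browser never alters a hidden field.
    """
    car_id = form.get("car_id", "")
    if car_id not in CATALOG:
        raise ValueError(f"unknown car_id {car_id!r}")
    price = CATALOG[car_id]
    warnings = []
    if "price" in form and form["price"] != f"{price:.2f}":
        warnings.append(
            f"hidden price mismatch for {car_id}: got {form['price']!r}, expected {price:.2f}"
        )
    return price, warnings


# Constructed request bodies: one as the page generated it, one resubmitted with
# the hidden field altered.
LEGIT_BODY = "car_id=car-1002&price=41500.00&qty=1"
TAMPERED_BODY = "car_id=car-1001&price=1.00&qty=1"

if __name__ == "__main__":
    print("vulnerable charges:", vulnerable_checkout(parse_form(TAMPERED_BODY)))
    print("hardened charges:  ", hardened_checkout(parse_form(TAMPERED_BODY)))
```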
Another common problem is Magic URLs: many web-based applications carry authentication information or other important data in URLs. In some cases this data should not be made public, because it can be used to hijack or manipulate a session. In other cases, Magic URLs are used as an ad hoc form of access control instead of a credential-based system. In a credential-based system, users present their IDs and passwords, and upon successful authentication the system creates tokens to represent those users.