Introduction

When the information managed by an application is not meant to be public, the application needs a way to establish who is making each request before it decides what that user may see or do. Verifying a claimed identity is authentication; deciding what an authenticated user is allowed to access is authorization, a separate step that builds on it. The most common authentication method in web applications today is a username or other identifier combined with a secret password.

HTTP is a stateless protocol: every request is handled independently, and the protocol itself offers no way to relate two requests as coming from the same user. The application therefore needs its own way of telling users apart, so that a task spanning several requests can be tied to one user while many users are connected at the same time. This is called session management. The most widely used approach in modern web applications is a session identifier carried in a cookie, which the server maps to the authenticated user's state. Bearer tokens, sent in the Authorization header of each request (either opaque values the server looks up, or self-contained tokens that carry the user's identity), are growing in popularity in certain types of applications, such as backend web services. In both cases whoever presents the identifier or token is treated as that user, which is why these values are the target of most session attacks.
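The following is an added example, not code from the original chapter, showing the two session mechanisms just described side by side: a server-side session store keyed by a random session identifier, the Set-Cookie line that would deliver it, and a resolver that accepts the same identifier either from a Cookie header or as a bearer value in the Authorization header. The header dicts, the cookie name `sessionid`, the 30-minute lifetime and the in-memory store are all assumptions chosen for the demonstration.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed lifetime of a session in seconds (30 minutes); not from the chapter.
SESSION_TTL = 1800

# Constructed in-memory store: session id -> (username, absolute expiry time).
# A real deployment would use a database or cache shared between workers.
SESSIONS: Dict[str, Tuple[str, float]] = {}


def create_session(username: str) -> str:
    """Issue a fresh, unguessable session identifier for an authenticated user.

    secrets.token_urlsafe(32) yields 256 bits of randomness; the identifier
    itself carries no user data, the mapping lives only on the server.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = (username, time.time() + SESSION_TTL)
    return sid


def session_cookie_header(sid: str) -> str:
    """Build the Set-Cookie header that hands the identifier to the browser.

    Secure keeps it off plaintext HTTP, HttpOnly keeps it away from script,
    SameSite=Lax stops most cross-site requests from attaching it.
    """
    return f"Set-Cookie: sessionid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Split a Cookie request header ("a=1; b=2") into a name -> value dict."""
    cookies: Dict[str, str] = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def extract_session_id(headers: Dict[str, str]) -> Optional[str]:
    """Return the identifier a request presents, from either mechanism.

    A bearer token in Authorization takes precedence; otherwise fall back to
    the sessionid cookie. Header names are matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    auth = lower.get("authorization", "")
    if auth.startswith("Bearer "):
        token = auth[len("Bearer "):].strip()
        return token or None
    cookie = lower.get("cookie")
    if cookie:
        return parse_cookie_header(cookie).get("sessionid")
    return None


def resolve_user(headers: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """Map a request to the user who owns its session, or None.

    Unknown and expired identifiers both resolve to None; expired entries are
    purged so a stolen identifier cannot be replayed after the session ends.
    """
    sid = extract_session_id(headers)
    if sid is None:
        return None
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    username, expiry = entry
    if (now if now is not None else time.time()) > expiry:
        del SESSIONS[sid]
        return None
    return username


if __name__ == "__main__":
    sid = create_session("alice")
    print(session_cookie_header(sid))
    print(resolve_user({"Cookie": f"theme=dark; sessionid={sid}"}))
    print(resolve_user({"Authorization": f"Bearer {sid}"}))
    print(resolve_user({"Cookie": "sessionid=guessed-value"}))
```

Note that the resolver never trusts anything inside the identifier: the username comes from the server-side store, so the only way to act as a user is to obtain a valid identifier, which is exactly what the attacks later in the chapter aim at.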

In this chapter, we will cover procedures for detecting some of the most common vulnerabilities in web application authentication and session management, and how an attacker may abuse them to gain access to restricted information.
