Summary

In this chapter, we reviewed the different ways in which web applications perform user authentication to restrict access to privileged resources or sensitive information, and looked at how a session is maintained, given that HTTP is stateless and has no built-in session management. The most common approaches in today's web applications are form-based authentication and session IDs sent in cookies.

We also examined the most common security failure points in authentication and session management, and how attackers can exploit them using the browser's built-in developer tools or tools included in Kali Linux, such as Burp Suite, OWASP ZAP, and THC Hydra.

In the last section, we discussed some best practices that prevent or mitigate authentication and session management flaws: requiring authentication for every privileged component of the application, using long, unpredictable (cryptographically random) session IDs, and enforcing a strong password policy. These are among the most important preventive and mitigation techniques for such flaws.
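As an added illustration of the last two of those practices (this is example code written for this summary, not code from the book), the block below generates session IDs from the operating system's CSPRNG, keeps them in a small session table with an idle timeout, emits the cookie attributes that keep the ID off clear-text connections and out of reach of scripts, and applies a minimal password policy. The 256-bit ID size, 15-minute idle timeout, 12-character minimum, three-of-four character-class rule and the short list of common passwords are assumptions chosen for the example; the cookie attributes and idle timeout go slightly beyond what the summary itself lists.

```python
"""Added example: random session IDs, a session table with idle timeout, and a password policy."""
import secrets
import string
import time

SESSION_ID_BYTES = 32        # 256 bits of entropy per ID (assumed size, not from the chapter)
SESSION_IDLE_TIMEOUT = 900   # seconds of inactivity before a session dies (assumed value)

# Constructed sample list; a real deployment would load a breach-derived wordlist instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin123"}


def new_session_id() -> str:
    """Return a URL-safe session ID drawn from the OS CSPRNG (never time, counters or user data)."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def session_id_entropy_bits() -> int:
    """Entropy carried by each ID; with 256 bits, guessing a live ID is infeasible."""
    return 8 * SESSION_ID_BYTES


def set_cookie_header(session_id: str) -> str:
    """Set-Cookie value: Secure keeps the ID off plain HTTP, HttpOnly hides it from JavaScript,
    SameSite=Strict stops the browser attaching it to cross-site requests."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"


def check_password_policy(password: str, min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    return problems


class SessionStore:
    """In-memory session table keyed by random ID; `now` is injectable so the timeout is testable."""

    def __init__(self, idle_timeout: float = SESSION_IDLE_TIMEOUT, now=time.monotonic):
        self._sessions = {}
        self._idle_timeout = idle_timeout
        self._now = now

    def create(self, username: str) -> str:
        """Issue a fresh ID after successful authentication (never reuse a pre-login ID)."""
        sid = new_session_id()
        self._sessions[sid] = {"user": username, "last_seen": self._now()}
        return sid

    def lookup(self, sid: str):
        """Return the user bound to a live session, or None; idle sessions are purged on access."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > self._idle_timeout:
            del self._sessions[sid]
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def destroy(self, sid: str) -> None:
        """Server-side logout: the cookie alone expiring is not enough."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(set_cookie_header(sid))
    print("violations for 'password':", check_password_policy("password"))
    print("violations for strong password:", check_password_policy("Tr0ub4dor&3xample!"))
```

The point of injecting `now` into `SessionStore` is that the idle-timeout branch, the one a tester would otherwise have to wait fifteen minutes to exercise, can be driven with a fake clock.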

In the next chapter, we will cover the most common kinds of injection vulnerabilities, how to detect and exploit them in a penetration test, and the measures required to fix the affected applications and prevent such attacks from succeeding.
