Web application protection is today's most important battleground between the victim, intruder, and web service resource. User AUTHENTICATION tends to be critical when a legitimate user of the web application abruptly ends the contact while the session is still active, and an unauthorized user chooses the same session to gain access to the device. For many corporations, risk detection is still a problem. In other cases, it is a usual way of operating that provides the requisite protection to keep the product free of weaknesses. Using various types of software to identify di� erent security vulnerabilities assists both developers and organizations in securely launching applications, saving time and money. Di� erent combinations of tools have been seen to enhance protection in recent years, but it has not been possible to combine the types of tools available on the market until the writing of this report. This paper aims to clarify vulnerabilities in broken AUTHENTICATION and session management. It is worth noting that if the creator practices the preventive techniques outlined in this article, the chances of exploitation being discussed are reduced. This paper revealed that the most powerful ways to exploit the Broken AUTHENTICATION and Session Management vulnerabilities of the web application in those domains are Session Miscon� guration assault and Cracking/ Guessing Weak Passwords. Correspondingly included techniques to defend AUTHENTICATION and the most important is using a robust encryption system, setting password rules, and securing the session ID.