Web application security is a significant part of any web-based business or organization. Flaws in the code of websites and web applications may allow an attacker to gain some control of the site, and perhaps of the hosting server itself. Vulnerabilities in web applications may arise from a lack of validation or sanitization of form inputs, security misconfiguration, application design flaws, and missing access control and authentication.
One of the best-known web application security organizations, The Open Web Application Security Project® (OWASP), provides developers and technologists with resources to secure the web. One of its essential documents is the OWASP Top 10, a standard awareness document for developers and web application security.
Using the OWASP Top 10 is perhaps the most effective first step towards changing a web application security culture to produce more secure code. Here is the latest OWASP Top 10 vulnerabilities list:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfigurations
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
PDF – OWASP Top 10 – 2017: The Ten Most Critical Web Application Security Risks
PortSwigger Web Security is one of the best organizations from which to learn web application exploitation, with their tool Burp Suite. They provide the free Web Security Academy to practice web application exploitation.
LINK – PortSwigger Web Security Academy
Here is a useful YouTube playlist for learning the OWASP Top 10 vulnerabilities: