According to a study, nine out of ten web applications have security vulnerabilities. Recent events proved that not only old legacy sites were successfully attacked, but also new and recent applications, built with the best intentions and also with security in mind. We will have a look at common attacks, new attacks, and new twists to old attacks that demonstrate why so many websites may be compromised. We will have a look at recent attacks that made mainstream media, analyze some aspects of them, and will provide guidelines and best practices to become website ten out of ten. This session, as usual, comes with code and demos.