Web has become an integral part of information era. Increasing internet connectivity has given web applications huge space to explore their frontier. As a result of increased dependence web has become a major target for exploitation in recent years. Every year many websites security is being compromised due to certain vulnerabilities while designing. Studying various vulnerabilities every time is a difficult task. Goal and threat displaying are vital exercises of security necessities building: goals express why a framework is required, while threats rouse the requirement for security. Sadly, existing methodologies for the most part consider goals and threats independently, and in this manner disregard the shared impact between them. In order to estimate vulnerability of the website certain threat models have been developed. For security evaluation and design fault prediction these models are very useful. Various organizations have already started to evaluate their web applications based on threat model analysis. From the audit, it creates the impression that nobody development demonstrate is alluded to as a standard or favored model for web application development. In any case, agile development models appear to have increased more consideration, most likely because of the different partners that are associated with talking about security perspectives, as opposed to a couple of individuals from the development group. It shows up additionally that there is consistency in the utilization of the danger demon starting system, most likely because of its effectiveness in managing various types of vulnerabilities. In the process of impact assessment, disaster management this method is very useful. Attack tree model is a model in which behavior of an attack is evaluated based on the schematic diagram of the attack on web application. In this paper, an implementation of three common attacks is performed and respective attack tree model is constructed. Threat model analysis for custom website created is also done. Certain attack preventive techniques is discussed for strengthening the web applications. This paper covers implementation part as well as conceptual part of the web attacks. Copyright © 2019 American Scientific Publishers All rights reserved.