Web application or website are widely used to provide functionality that allows companies to build and maintain relationships with their customers. The information stored by web applications is often confidential and, if obtained by malicious attackers, its exposure could result in susbtantial losses for both consumers and companies. SQL Injection and Cross Site Scripting are attacks that aiming web application database vulnerabilities. Its can allow malicious attackers to manipulate web server database that can cause various data lost, information thieving, and incosistent of data. Therefore, this research propose the Open Web Application Security Project (OWASP) ModSecurity Core Rule et which can help administrator securing the web servers. OWASP operate by blocking IP Address which try to breaking the security rule, monitoring network traffic and preventing suspicious network requesting from outside.All request by the client will be filter by the OWASP ModSecurity first before send it into web application and getting response. For the result, OWASP ModSecurity successfully securing Web Application from SQL Injection (manual ), SQL Injection using SQLmap exploitation tool and also Cross Site Scripting using XSSer exploitation tools, but in otherside, ModSecurity failed to detect and securing web application from Cross Site Scripting Stored type which test by using BeEF Exploitation tool. Using OWASP ModSecurity didn’t affect the web application performance. Key Word: Web Application, SQL Injection, Cros Site Scripting, Open Web Application Security Project.