DHIS2 is a web application originally designed for collecting and aggregating statistical health data. DHIS2 is used in 60 different countries, each with its own implementation. In recent years there has been a shift towards collecting personal and sensitive data. That increases the need for a secure web application. Health data is a desired goal for cybercriminals, and cybercrime is rising in our society. This thesis aims to investigate the security risk of the web application DHIS2 and analyze it up against the Top 10 security risks rated by the Open Web Application Security Project (OWASP). It also investigates if the Top 10 list reflects the security challenges of DHIS2. With ethical hacking methodologies, I try to determine what the security risk of DHIS2 is and suggest methods of mitigation. I also use risk rating to calculate the severity of the discovered vulnerabilities. The results of this research show some successful attacks against DHIS2 and identify cross-site scripting as the greatest security risk. Likelihood, impact, and potential consequences are discussed. The results of this thesis also show that the OWASP Top 10 reflects the security risks of DHIS2, at least to some degree.