OWASP’s Broken Web Applications Project includes a collection of deliberately broken web applications with tutorials to help students master the various attack vectors. The project is designed to lead the user to a better understanding of web application security. The Damn Vulnerable Web Application is a good place for a beginner to start and includes the (apparently necessary?) warning that “damn vulnerable!” Pretty much every attack vector you could think of has been deliberately included in this application, making it a one-stop shop of low-hanging fruit at the farmer’s market of pick-your-own vulnerabilities.”]