If you want the detail how to learn about web application security, please go to the Source.
Internet-accessible
Google Gruyere
This one is from Google and you can do it both online and as a local install. zero.webappsecurity.com (HP)
I happen to know this one is o.k. to scan. demo.testfire.net (IBM) test.acunetix.com (Acunetix) testphp.vulnweb.com (Acunetix) testasp.acunetix.com (Acunetix) testaspnet.acunetix.com (Acunetix) Cenzic's Crack Me Bank Hacker Test
This one is not like the others; it's not a full website you'd scan, but rather more like a puzzle where you proceed through various levels. Hax.tor
Another challenge, similar to Hacker Test. The Enigma Group
A beginner-focused online resource for web hacking. HACKME Game
A software security learning game. OWASP Hackademic
An OWASP project aimed at helping people learn web security through a series of challenges. Test Page for the x5s Tool
A test page for XSS meant to be used with the X5S tool.
Download and Configure
- Broken Web Apps Project (OWASP)
This is the one you want first; it has over a dozen broken web apps to play with. - Bonsai Moth
A VMware image with a collection of broken web applications that you can use for testing web scanners and static analysis tools as well as providing an intro to webappsec. - Web Security Dojo (Maven)
Similar to OWASP's Broken Web Apps project, i.e. multiple broken web apps in one place. - Webgoat (OWASP)
This is the grand pubah of the testing sites because it includes training with it. Note that it's on the Broken Web Apps image listed above. - Damn Vulnerable Web App
- BadStore
- Hackme Bank (McAfee)
- Hackme Casino (McAfee)
- Hackme Books (McAfee)
- Hackme Shipping (McAfee)
- Hackme Travel (McAfee)
- Moth (Bonsai)
- SecuriBench (Stanford)
- Vicnum (ipsaplus)
- Google Gruyere
This one is from Google and you can do it both online and as a local install. - Bodgeit
This is a project named Bodgeit hosted with Google. - The Butterfly
- Exploit.co.il
- Hackxor
- LampSecurity
- MultiDae
- Insecure Web App Project (OWASP)
- Vicnum (OWASP)
- Peruggia
- Puzzlemall
- SQLol
- SQLol
- WackoPicko
- Web Security Dojo
Additional Resources
Source: http://danielmiessler.com/projects/webappsec_testing_resources/#methodologies%23