WebGoat – cause everyone else is doing it!

The unzip and run insecure J2EE web application… at least under windows…

WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.

http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
http://code.google.com/p/webgoat/