Deliberately Insecure Web Application: OWASP WebGoat
From the webpage:
WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat in either J2EE or WebGoat for .Net in ASP.NET. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications.
WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. Once deployed, the user can go through the lessons and track their progress with the scorecard.
…
WebGoat’s scorecards are a feature not found when hacking Office of Personnel Management (OPM). Hacks of the OPM are reported by its inspector general and more generally in the computer security press.