Google's Web Application Security Training Resource - Jarlsberg.appspot.com
Google Code University has released a distributable web application named jarlsberg coded in python which provides excellent examples of vulnerable application issues. This includes some common and less-than-common tests (Reflected XSS via AJAX!), including XSS, XSRF, DoS, Code Execution, SQLi, and various others.
Before this, people used webgoat, and other forms of vulnerable applications that came packaged in some of the more popular security live-cds. This makes all of those obsolete, as it is simple to setup and use, and to reset back to original state.
Although this application isn't as complex as many real web applications, its explanations of the issues, and exploitation hints, make it the perfect test-bed for a simple introductory course (and self-study material) into web application security testing (more to come on this soon!).