I'm new to both web development and security, and I was wondering whether there is some kind of reference web application that doesn't follow any of the security best practices. Something like a "Security hello world" :).
On OWASP's site there are code examples for almost every threat; I was wondering whether there is an application that would put them all together.
I would like to use it to both test my knowledge while trying to find the flaws, and to run and understand ESAPI with it.
Meanwhile, a colleague of mine pointed me to OWASP's complete (and up-to-date) list of deliberately vulnerable web applications. There are so many of them, I really have to work on my googling aptitudes...