I am looking into a web application vulnerability scanner for my organization. I would like a sample web application that is loaded with vulnerabilities (similar to Metasploitable on the application side) to test various solutions on. Does anyone know of any?
I would like to compare the thoroughness of commercial solutions such as Acunetix with some of the free scanners such as darkmysqli, wapiti, w3af and the others that come with BackTrack, as well as my own manual testing, in order to come up with hard numbers as well as get a feel for the tools.
EDIT: Yes, I know I can install WordPress 1.x, osCommerce (lol), or an old version of Joomla.