Back in November I posted a list of intentionally vulnerable web applications for educational purposes. You can find that list here: http://www.system7.org/2009/11/05/test-your-web-pentest-skillz/
A new one to add to the list is OWASP’s Broken Web Application Project. There was a great talk at Shmoocon about the project. This project might end up taking the gold medal in vulnerable web application projects. They plan to include versions of actual applications you see in the wild (Yazd, WordPress, phpBB) and all of the other web app testing projects (Damn Vulnerable Web App, Mutillidae, WebGoat).